1. Field of the Invention
The invention is directed to protection systems used to provide reliable automatic responses to abnormal conditions in complex processes, such as nuclear power plants, and to apparatus and a method for testing such protection systems. More specifically, it is directed to voted logic power circuits for such a protection system which can be used with normally energized or normally deenergized protection devices and to a tester which tests each switching component of the power circuit while maintaining the protection function.
2. Prior Art
Protection systems for complex processes monitor selected process parameters, such as temperatures, pressures and flows, and the status of various components, such as whether a valve is open or closed or whether a pump is on or off, and provide automatic responses to measured values of the parameters and to detected status states of the components which require positive intervention to prevent, or to alleviate the effects of, abnormal process conditions. High reliability is an essential requirement for such a system. In order to enhance reliability, it is common practice to provide redundant sensors for each selected parameter and component status. It is also common practice to vote the responses of the redundant sensors, that is, to require that a plurality, but not necessarily all, of the sensors detect the abnormal condition before action is initiated, in order to reduce the probability of a spurious actuation.
A nuclear power plant is one example of a complex process in which such a protection system is employed. The protection system in a nuclear power plant performs a plurality of functions. It can shut down, or trip, the reactor if conditions warrant, or it can perform a number of engineered safeguard functions, such as opening or closing valves and turning on or off pumps or other components. Typically, the trip function involves deenergizing electromechanical jacks which normally hold control rods in a position withdrawn from the reactor core, so that the rods reenter the core and cause it to go subcritical. The engineered safeguard functions may involve either deenergizing a load device which is normally energized or energizing a device which is normally deenergized. In a typical engineered safeguard function system, four redundant sensors are used to detect the selected parameters and/or status conditions. The response of each sensor is compared with a setpoint value to generate a digital signal, which is referred to as a partial actuation signal since an indication from more than one sensor is required to actuate the safety component. The four partial actuation signals for each parameter or status condition are all fed to each of two identical, electrically isolated logic trains. Typically, this is accomplished by applying each partial actuation signal to the coil of a relay having one set of contacts in each logic train. Each logic train independently votes the partial actuation signals, such as two out of four, and generates an actuation signal. The two independently generated actuation signals are then applied to a power interface circuit which requires the presence of both actuation signals to actuate the load device, either a normally energized or normally deenergized component, to initiate the engineered safeguard function. Such a two out of two voting power interface can be disabled by a single failure in one of the two channels.
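The following model of the prior-art arrangement just described is an added illustration, not part of the patent text: four partial actuation signals are voted two out of four in each of two logic trains, and the two train outputs pass through a two-out-of-two power interface. The `train_ok` flags and the `load_energized` mapping are assumptions introduced here to show how a single failed train blocks actuation and how the same actuation signal maps onto normally energized and normally deenergized loads.

```python
def vote(partials, k):
    """True when at least k of the partial actuation signals are asserted."""
    return sum(1 for p in partials if p) >= k


def logic_train(partials, train_ok=True):
    """One logic train: a two-out-of-four vote of its relay contacts.

    train_ok is a constructed flag modelling a failure that prevents the
    train from asserting its actuation signal (e.g. an open contact set).
    """
    return train_ok and vote(partials, 2)


def power_interface(actuation_a, actuation_b):
    """Prior-art two-out-of-two interface: both actuation signals required."""
    return actuation_a and actuation_b


def actuate(partials, train_a_ok=True, train_b_ok=True):
    """Full chain: partial signals -> two trains -> 2oo2 power interface."""
    a = logic_train(partials, train_a_ok)
    b = logic_train(partials, train_b_ok)
    return power_interface(a, b)


def load_energized(actuated, normally_energized):
    """State of the load: a normally energized device is deenergized on
    actuation, a normally deenergized device is energized on actuation."""
    return not actuated if normally_energized else actuated


if __name__ == "__main__":
    two_sensors = [True, True, False, False]   # constructed sample signals
    print("healthy, 2 of 4 sensors:", actuate(two_sensors))            # True
    print("healthy, 1 of 4 sensors:", actuate([True, False, False, False]))  # False
    # A single failure in one train disables the 2oo2 interface entirely.
    print("train B failed, 2 of 4:", actuate(two_sensors, train_b_ok=False))  # False
```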
In testing these prior art protection systems, the sensor channels are tested individually, one at a time, by substituting test signals for the sensor signals. For safeguard functions in which the load can be momentarily actuated without adverse effects on the process, both logic trains are tested simultaneously, which also tests the power interface. Where momentary actuation of the load cannot be tolerated, the logic trains are tested one at a time. In order to test the switches in the power interface, the switches are individually switched out of the power interface network and tested by a low impedance test circuit. Thus, the topography of the power interface circuit is changed to effect the test. With such a system, then, the status of the components can only be checked by a specific test, and there is no indication during operation of whether a component has failed.
A primary object of the present invention is to provide a protection system which is not disabled by a single failure even during testing.
Another important object of the invention is to provide such a system in which the same circuit topography can be used for both normally energized and normally deenergized switches.
Still another important object of the invention is to provide such a protection system in which the circuit topography does not have to be changed for testing.
Yet another important object of the invention is to provide such a protection system which is continuously monitored for failures.