This invention relates generally to the in-place verification of the operation of a control system that includes time dependent state variables and is particularly directed to the verification of a protection system for a nuclear reactor power plant.
In the operation of plant process systems such as those involving pressures, temperatures, flows, and levels, the measured steady state and transient values of these state variables are utilized for the control and protection of the plant. A record of the values of these measurements made over a period of time can be used for locating and correcting system and equipment problems.
Control and protection systems monitor information from sensors or transducers that convert the values of process parameters like pressure, temperature, or flow into analog or digital signals taking on various forms like electrical, optical, or electromagnetic waves. Plant control and protection system circuitry is designed to react to these signals transmitted by the sensors so as to maximize plant efficiency and also to shut down the process if the values of the parameters approach an operating condition that may endanger personnel or equipment.
It is therefore very important that the control and protection circuitry be kept in close tolerance to design set points so that plant safety and efficiency are assured. This is especially critical for nuclear driven steam supply systems such as boiling water reactor (BWR) and pressurized water reactor (PWR) electric generating plants. Operation of these plants is closely regulated by such agencies as the Nuclear Regulatory Commission. Procedures for assuring that protection and control circuitry are within specified tolerances for the safe operation of a plant are closely followed. These procedures include periodic testing routines that specify exacting/precise measurement tolerances to conform to the allowable variance of the process parameter including transients.
A typical prior art sensor monitoring arrangement and method 10 is shown in simplified schematic and block diagram form in FIG. 1. The sensor monitoring arrangement 10, which is also known as an instrument loop, a process loop, a string, or a protection channel as used at a PWR electric generating plant, includes a transducer or sensor 12 installed at a location where the state variable is to be measured. The state variable being measured may be pressure, temperature, fluid level, fluid flow rate, etc. the transducer/sensor 12 includes a resistor 16 coupled to a power supply 14 in forming a first current loop 18. A first switch 20 may be coupled between the power supply 14 and the transducer/sensor 12 which converts the pressure, temperature, etc., value to an electric current signal. The power supply 14 establishes the electric current from the transducer/sensor 12 at a particular ambient signal level and a test point A is typically provided between the transducer/sensor and the power supply to allow for monitoring of the output signal from the transducer/sensor. The power supply 14 also typically converts the transducer/sensor output signal in terms of pounds per square inch (PSI), degrees Fahrenheit, etc., for the purpose of providing a visual indication, and in some cases an aural alert, of the signal level on a gauge or other visual display (not shown).
The power supply 14 is further coupled by means of a voltage loop 24 to a dynamic compensating circuit 30 that compensates for variations and transients in one of the aforementioned time dependent state variables. The dynamic compensating circuit 30 may provide either lead/lag, lead, lag, or proportional compensation, although only lead/lag compensation is considered in the following paragraphs for simplicity. The dynamic compensating circuit 30 is, in turn, coupled by means of a voltage loop 25 to a trip circuit 22. The trip circuit 22 provides a correction or shutdown signal to a protection system 28 when the signal level is outside of a predetermined window or range. A second switch 26 is typically coupled between the trip circuit 22 and the protection system 28 to allow for monitoring of the correction or shutdown signal output by the trip circuit at test point C. Although illustrated as being separate from the protection system 28 in FIG. 1 for purposes of the present discussion, the sensor monitoring arrangement 10 is generally considered to be within and a part of the protection system. For safety and reliability, it is common to install a plurality of transducer/sensors and associated protection loops for monitoring a particular process parameter in a nuclear reactor power generating station. The protection system 28 is typically activated when more than one of the sensors monitoring or protection circuits detects a predetermined minimum or maximum signal level for shutting down power generating station operation.
An important part of the process in a nuclear reactor power generating station is its ability to sense transients or excursions in the process parameters and to respond to the excursion by altering the signal level in the protection circuit in such a manner so as to accelerate the response of the protection circuit to a potentially hazardous condition. As an example, assume that a protection circuit is to be activated for a low pressure of 1800 psi where normal pressure is 2100 psi. Calibration of the protection circuitry for a normal pressure of 2100 psi might result in an output signal of 6.200 volts, with 3.200 volts for 1800 psi corresponding to the specified trip point and 4.200 volts used for resetting the trip circuit at 1900 psi. However, in the operation of a process system there is a distinct difference between a slow pressure change from a normal value of 2100 psi to 1800 psi and a precipitous drop in pressure over a relatively short time period. To compensate for this rapid change in a state variable, some protection systems, such as those typically employed in reactor power plants, include the dynamic compensating circuit 30 for changing the signal from the sensor so that it increases or decreases exponentially in relation to the rate of change of the signal from the sensor. For example, if the pressure were to drop from 2100 psi to 1900 psi very rapidly, the output from the dynamic compensating circuit might produce a signal voltage of less than 3.200 volts repesenting the 1800 psi trip point, resulting in a shutdown output from the trip circuit 22 and activation of the protection system 28. Later when the pressure levels off at 1900 psi, the signal voltage level at the output of the dynamic compensating circuit 30 would increase from the trip level to 4.200 volts and the trip circuit 22 would be reset.
The accurate calibration of these protection and control circuits is essential for the proper operation and may be critically important such as in a nuclear reactor power generating plant. Consequently, in-place checks are made of various portions of the process loop and protection system of the reactor power plant on a routine basis and each of the discrete circuit boards is calibrated, with some discrete circuit boards required to be removed from the control system and placed in a special test fixture. Specifications for the calibration of these circuits are very stringent, with narrow tolerances. For example, a normal trip point for a pressure may be specified at 1885 psi, but never lower than 1871 psi. Such tolerances at signal voltages in the range of zero to ten volts may require measurement accuracies on the order of 25 millivolts. This requires the use of highly accurate digital voltmeters with a technician recording the signal level at the time of trip as accurately as humanly possible.
Prior to the present invention, a simplified, typical in-place calibration check procedure for a protection or sensor monitoring arrangement 10 similar to that of FIG. 1 would be as follows: the first and second switches 20 and 26 would be opened, isolating the protection system 28 from the transducer/sensor 12 and the trip circuit 22. Great care is taken to ensure that the correction/protection monitoring circuit and its related switches are properly selected, since errors can result in the accidental tripping of the entire plant process. Once isolated and the dynamic compensation characteristic, a variable signal generator (not shown) is coupled to signal injection point B for generating a trip signal. The test signal is then manually varied from its normal value to a value beyond the trip point and is then returned to a value within the reset limit. In the above example for a reactor power plant, the signal generator would typically be varied from 6.200 volts to a value somewhat less than 3.200 volts and then increased above 4.200 volts. The values at trip and reset are judgmentally noted at test point C which is an LED on a card. The exact values at trip and reset are recorded by a technician using a digital voltmeter connected at test point C. To be within tolerance limits, these values must be 3.200.+-. channel allowable tolerance and 4.200.+-. allowable reset tolerance, respectively. The procedure described above would be performed with the dynamic compensating circuit 30 shorted out since there is no provision made to coordinate the measured values of the manually ramped signal provided by the signal generator with the signal provided to the dynamic compensating circuit and the tripping signal provided to the trip circuit 22. In order to perform a meaningful in-place test of the control/process system with the dynamic compensation circuit 30 in the circuit and not shorted out, the signal voltages must all be measured at precisely the same time and must be within a very narrow .+-. channel allowable tolerance of the designated value. In addition, the ramping signal must precisely match the operating characteristics of the dynamic compensating circuit 30.
One prior art approach for recording this operating data involves the use of strip charts where inked pens record the signal values. However, the width of these inked lines alone is normally greater than the allowable tolerance, making these instruments impractical in this application. Moreover, the dynamic compensating circuit 30 is maintained in specification by periodically removing it from the sensor monitoring circuit 10 and calibrating it on a special test fixture. However, this procedure does not allow for "in-place" verification of its correct operation. In addition, the time required for a complete check of the sensor monitoring circuit 10 and the protection system 28, even with the dynamic compensating circuit 30 shorted out, is approximately 30 minutes. Because of the large number of these sensor monitoring circuits in a typical power generating reactor station, this verification and calibration operation is essentially continuous. This is particularly the case when bench calibration of the dynamic compensating circuit 30 is performed, a procedure which must be carrried out even if it is not out of calibration, since prior art approaches do not afford "in-place" checking of this sub-system. Finally, as indicated above, a reduced number of sensors is available in "in service" plant protection during this vertification and calibration procedure for monitoring reactor operation. This reduction in the number of sensors during the in-place testing results in a corresponding reduction in the reliability and accuracy of the reactor protection system and increases the risk of an inadvertent trip of the plant process. It is, of course, desirable to maximize the safety factor and minimize the risk in such an environment by minimizing the time of testing.
The present invention overcomes the aforementioned limitations of the prior art by providing for the dynamic verification of the operation of a nuclear power reactor protection system which monitors time dependent state variables of a nuclear reactor power plant and minimizes the time necessary for this testing. The computer controlled verification system of the present invention is capable of verifying the operation of a transducer/sensor monitoring circuit in the protection system which includes a dynamic compensation circuit from input to output using an in-place test. The present invention more accurately measures transducer and protection system operation, reduces the time necessary for transducer and protection system verification, and verifies system operation by introducing a precisely controlled simulation signal.