The present invention relates generally to automatic self-testing systems in industrial control systems, such as nuclear power plants, including automatic testing of safety control systems utilizing multi-sensor, multichannel redundant monitoring and control circuits.
Industrial control systems, including process control systems, will often include redundant monitoring and control paths to assure reliable operation. It is not uncommon to use a plurality of sensors to sense a single parameter and to process the output of the plural sensors through independent processing paths so that each path provides an output to a combinational logic array which, in turn, provides an output representative of the various processing paths. While "designed-in" redundancy assures a higher level of operational reliability, the various redundant paths and the related logic are themselves a potential failure source.
In the nuclear power industry, it is common to use several levels of redundancy to assure that a particular measurement is valid. In nuclear power plants, independent shut-down and safe-operation systems are dedicated to monitoring plant operation and evaluating numerous safety-related parameters. In the event one or more measured parameters indicate the existence of an unsafe condition, the shut-down system and/or the safe-operation system can automatically effect the appropriate remedial action. It is imperative that these safety control systems, known as plant protection systems, operate reliably, and, accordingly, it is imperative that all measured and sensed parameters be valid.
In the context of nuclear plant protection systems, it is not uncommon to measure a multitude of parameters related to plant operation. These parameters include, for example, temperatures, pressures, flow rates, power density, neutron flux, fluid levels, etc. Other functions of the plant protection system include the status-monitoring of various components including valves, pumps, motors, control devices, and generators.
Additionally, the plant protection system, under certain defined conditions, may initiate a reactor trip (RT), i.e., the rapid, controlled, and safe shut-down of the reactor. In the case of a pressurized light water reactor, the shut-down is often accomplished by the lowering of moderating control rods into the reactor core to cause the reactor to become sub-critical.
The practice of using redundant sensors and related processing circuitry (i.e., channels) is well known. Typically, three or four identical sensors may be used to monitor any given plant parameter or component status with each sensor outputting its measured value into an independent processing channel. While the use of multiple sensors and channels increases the probability that a measured value for a parameter is valid, the increased hardware also increases the probability that one of the redundant channels will experience an intra-channel failure that will produce an output in conflict with the other channels.
The prospect of an intra-channel failure has been addressed by comparing the output of all the redundant channels and providing an output that is based upon an arbitrary voting algorithm. For example, simple combinational logic devices, such as AND gates and OR gates, are used to accomplish the voting algorithm. In a two-out-of-four logic scheme, two or more of four independent sensor paths must be in agreement before the coincidence logic will yield an output to indicate a particular condition.
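As an added example that is not part of the patent text, the following Python models the two-out-of-four coincidence logic described above (generalised to m-out-of-n), checks the counting voter against its gate-level form of AND/OR gates, and shows how 1oo4, 2oo4 and 4oo4 respond to a single intra-channel failure; the trip setpoint and channel readings are constructed illustrative values, not from the text.

```python
from itertools import product
from typing import Sequence

# Constructed sample setpoint (illustrative value, not from the text).
TRIP_SETPOINT = 2250.0

def channel_bistable(reading: float, setpoint: float = TRIP_SETPOINT) -> bool:
    """One redundant channel's bistable: partial trip when its sensor exceeds the setpoint."""
    return reading > setpoint

def m_out_of_n(partial_trips: Sequence[bool], m: int) -> bool:
    """General coincidence voter: asserts when at least m of the n channels agree."""
    return sum(1 for t in partial_trips if t) >= m

def two_out_of_four(partial_trips: Sequence[bool]) -> bool:
    """The 2oo4 coincidence logic of the text: two or more of four channels must agree."""
    if len(partial_trips) != 4:
        raise ValueError("2oo4 voter expects exactly four channel inputs")
    return m_out_of_n(partial_trips, 2)

def two_out_of_four_gates(a: bool, b: bool, c: bool, d: bool) -> bool:
    """Same function as an OR of pairwise ANDs, i.e. the simple gate network the text mentions."""
    return (a and b) or (a and c) or (a and d) or (b and c) or (b and d) or (c and d)

def gate_form_matches_voter() -> bool:
    """Exhaustively confirm the gate network equals the counting voter on all 16 input patterns."""
    return all(two_out_of_four_gates(*bits) == two_out_of_four(bits)
               for bits in product([False, True], repeat=4))

def reactor_trip(readings: Sequence[float], m: int = 2) -> bool:
    """Run four sensor readings through their independent channels and the m-out-of-4 voter."""
    return m_out_of_n([channel_bistable(r) for r in readings], m)

def compare_voting_schemes(readings: Sequence[float]) -> dict:
    """Show how 1oo4, 2oo4 and 4oo4 respond to the same four channel readings."""
    return {m: reactor_trip(readings, m) for m in (1, 2, 4)}

# Constructed scenarios (not from the text):
STUCK_HIGH = [9999.0, 2100.0, 2100.0, 2100.0]         # one channel failed high, plant normal
REAL_EVENT_ONE_DEAD = [2300.0, 2310.0, 2295.0, 0.0]   # true overpressure, one channel failed low

if __name__ == "__main__":
    # 1oo4 trips spuriously on the failed channel; 2oo4 and 4oo4 hold.
    print("stuck-high channel:", compare_voting_schemes(STUCK_HIGH))
    # 4oo4 misses the real event because of the dead channel; 1oo4 and 2oo4 trip.
    print("real event, dead channel:", compare_voting_schemes(REAL_EVENT_ONE_DEAD))
    print("gate form equivalent to counting voter:", gate_form_matches_voter())
```

The two scenarios show why 2oo4 is the usual compromise: it tolerates one failed-high channel without a spurious reactor trip and one failed-low channel without losing a genuine trip, whereas 1oo4 and 4oo4 each fail one of those cases.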