Reactor protection system with automatic self-testing and diagnostic

US 5,586,156 A
Filed: 07/14/1995
Issued: 12/17/1996
Est. Priority Date: 07/14/1995
Status: Expired due to Fees

First Claim

Patent Images

1. A self-testing system for initiating safety action in response to monitoring of a critical parameter, comprising:

first through fourth sensors for independently detecting the value of a critical parameter and outputting first through fourth sensor readings respectively;

first through fourth division electronics respectively connected to said first through fourth sensors for processing said first through fourth sensor readings respectively and comprising respective means for outputting a safety actuation inhibition signal in response to said respective sensor reading being below a predetermined threshold voltage and terminating the output of said safety actuation inhibition signal in response to said respective sensor reading being above said predetermined threshold voltage; and

cross communication channels for interconnecting said first through fourth division electronics such that each one of said first through fourth division electronics receives the processed sensor readings from the other division electronics,wherein each of said first through fourth division electronics further comprises means for inputting a respective reference voltage in place of said respective sensor reading and means for detecting a difference in the response of one of said division electronics to its own reference voltage and the response of another of said division electronics to its own reference voltage.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A reactor protection system having four divisions, with quad redundant sensors for each scram parameter providing input to four independent microprocessor-based electronic chassis. Each electronic chassis acquires the scram parameter data from its own sensor, digitizes the information, and then transmits the sensor reading to the other three electronic chassis via optical fibers. To increase system availability and reduce false scrams, the reactor protection system employs two levels of voting on a need for reactor scram. The electronic chassis perform software divisional data processing, vote 2/3 with spare based upon information from all four sensors, and send the divisional scram signals to the hardware logic panel, which performs a 2/4 division vote on whether or not to initiate a reactor scram. Each chassis makes a divisional scram decision based on data from all sensors. Automatic detection and discrimination against failed sensors allows the reactor protection system to automatically enter a known state when sensor failures occur. Cross communication of sensor readings allows comparison of four theoretically "identical" values. This permits identification of sensor errors such as drift or malfunction. A diagnostic request for service is issued for errant sensor data. Automated self test and diagnostic monitoring, sensor input through output relay logic, virtually eliminate the need for manual surveillance testing. This provides an ability for each division to cross-check all divisions and to sense failures of the hardware logic.

58 Citations

View as Search Results

21 Claims

1. A self-testing system for initiating safety action in response to monitoring of a critical parameter, comprising:
- first through fourth sensors for independently detecting the value of a critical parameter and outputting first through fourth sensor readings respectively;
  
  first through fourth division electronics respectively connected to said first through fourth sensors for processing said first through fourth sensor readings respectively and comprising respective means for outputting a safety actuation inhibition signal in response to said respective sensor reading being below a predetermined threshold voltage and terminating the output of said safety actuation inhibition signal in response to said respective sensor reading being above said predetermined threshold voltage; and
  
  cross communication channels for interconnecting said first through fourth division electronics such that each one of said first through fourth division electronics receives the processed sensor readings from the other division electronics,wherein each of said first through fourth division electronics further comprises means for inputting a respective reference voltage in place of said respective sensor reading and means for detecting a difference in the response of one of said division electronics to its own reference voltage and the response of another of said division electronics to its own reference voltage.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The self-testing system as defined in claim 1, wherein each of said first through fourth division electronics further comprises multiplexer means for polling said respective sensor and a source of said respective reference voltage in sequence.
  - 3. The self-testing system as defined in claim 1, wherein each of said first through fourth division electronics further comprises means for respectively sampling the sensor readings from said first through fourth sensors, means for averaging said sampled sensor reading with a number of past sensor readings, and means for comparing the average sensor reading to predetermined sensor reasonability limits for indication of sensor failure.
  - 4. The self-testing system as defined in claim 3, wherein each of said first through fourth division electronics further comprises means for digitizing said sampled sensor reading, and means for appending a verification flag to said digitized sensor reading for transmission to other division electronics by way of said cross communication channels, said verification flag being a function of the results of the comparison of the current sensor reading to the predetermined sensor reasonability limits.
  - 5. The self-testing system as defined in claim 4, wherein each of said first through fourth division electronics further comprises means for issuing an error message in response to nonuniformity of valid sensor readings processed by different divisional electronics.
  - 6. The self-testing system as defined in claim 1, further comprising a hardware logic circuit connected to receive an output from each of said first through fourth division electronics, wherein said hardware logic circuit changes from a normal state to a safety actuation state in response to discontinuance of receipt of safety actuation inhibition signals from at least two of said first through fourth division electronics.
  - 7. The self-testing system as defined in claim 5, further comprising a safety actuator and an actuator power supply circuit, wherein said safety actuator is coupled to said actuator power supply circuit via said hardware logic circuit.

8. A self-testing system for initiating safety action in response to monitoring of a critical parameter, comprising:
- first through fourth means for monitoring said critical parameter;
  
  first through fourth division processing means for issuing first through fourth continuous safety actuation inhibition signals when said critical parameter does not exceed a predetermined threshold, and discontinuing said respective safety actuation inhibition signal when said critical parameter exceeds said predetermined threshold;
  
  a hardware logic circuit connected to receive an output from each of said first through fourth division processing means, wherein said hardware logic circuit changes from a normal state to a safety actuation state in response to discontinuance of said safety actuation inhibition signals by at least two of said first through fourth division processing means;
  
  a safety actuator;
  
  an actuator power supply circuit, wherein said safety actuator is coupled to said actuator power supply circuit via said hardware logic circuit; and
  
  means for detecting the state of said hardware logic circuit,wherein each of said first through fourth division processing means comprises means for diagnosing a fault state of said hardware logic circuit as a function of the output of said detecting means.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The self-testing system as defined in claim 8, wherein said state detecting means comprises a plurality of sensors for outputting a respective analog signal representing the state of a respective portion of said hardware logic circuit, and means for converting said plurality of analog signals into a corresponding plurality of digital signals making up a hardware logic state code, and said diagnosing means outputs a signal indicating the presence or absence of a fault in said hardware logic circuit in dependence on said hardware logic state code.
  - 10. The self-testing system as defined in claim 9, wherein said hardware logic circuit comprises first through fourth sets of circuit breakers each having an open state and a closed state and electrical connections for connecting the circuit breakers within each of said first through fourth sets in series, the state of the circuit breakers of said first through fourth sets being respectively controlled as a function of the signal output by said first through fourth division processing means respectively.
  - 11. The self-testing system as defined in claim 10, wherein said first division processing means further comprise testing means for terminating the output of a safety actuation inhibition signal to said first set of circuit breakers during a time when the second through fourth division processing means are outputting safety actuation inhibition signals to said second through fourth sets of circuit breakers respectively.
  - 12. The self-testing system as defined in claim 10, wherein said diagnosing means comprise a multiplicity of reference hardware logic state codes stored in read only memory.
  - 13. The self-testing system as defined in claim 10, wherein said circuit breakers are interconnected to form a current interruption logic circuit.
  - 14. The self-testing system as defined in claim 13, wherein said plurality of sensors comprise current sensors connected to different junction points between circuit breakers in said current interruption logic circuit for outputting a respective analog output signal as a function of the current at said respective junction point.
  - 15. The self-testing system as defined in claim 10, wherein said circuit breakers are interconnected to form a voltage make logic circuit.
  - 16. The self-testing system as defined in claim 15, wherein said plurality of sensors comprise voltage sensors connected across different circuit breakers in said voltage make logic circuit for outputting a respective analog output signal as a function of the voltage across said respective circuit breakers.

17. A self-testing reactor protection system for initiating a scram in a nuclear reactor in response to monitoring of a critical reactor parameter, comprising:
- first through fourth reactor parameter sensors for independently detecting the value of a critical reactor parameter and outputting first through fourth sensor readings respectively;
  
  first through fourth division electronics respectively connected to said first through fourth reactor parameter sensors for processing said first through fourth sensor readings respectively and comprising respective means for outputting a scram inhibition signal in response to said respective sensor reading being below a predetermined threshold voltage and terminating the output of said scram inhibition signal in response to said respective sensor reading being above said predetermined threshold voltage; and
  
  cross communication channels for interconnecting said first through fourth division electronics such that each one of said first through fourth division electronics receives the processed sensor readings from the other division electronics,wherein each of said first through fourth division electronics further comprises means for inputting a respective reference voltage greater than said predetermined threshold voltage in place of said respective sensor reading;
  
  means for outputting a scram inhibition signal despite the input of said respective reference voltage;
  
  means for detecting a difference in the response of one of said division electronics to its own reference voltage and the response of another of said division electronics to its own reference voltage; and
  
  means for issuing an error message in response to nonuniformity of the sensor readings processed by different divisional electronics.
- View Dependent Claims (18, 19, 20)
- - 18. The self-testing reactor protection system as defined in claim 17, further comprising:
    - a hardware logic circuit connected to receive an output from each of said first through fourth division electronics, wherein said hardware logic circuit changes from a normal state to a scram state in response to discontinuance of said scram inhibition signals by at least two of said first through fourth division electronics;
      
      a safety actuator for effecting a scram operation;
      
      an actuator power supply circuit, wherein said safety actuator is coupled to said actuator power supply circuit via said hardware logic circuit; and
      
      a plurality of hardware logic state sensors for detecting the state of said hardware logic circuit,wherein each of said first through fourth division electronics comprises means for diagnosing a fault state of said hardware logic circuit as a function of the output of said hardware logic state sensors.
  - 19. The self-testing reactor protection system as defined in claim 18, wherein said hardware logic circuit comprises first through fourth sets of circuit breakers each having an open state and a closed state and electrical connections for connecting the circuit breakers within each of said first through fourth sets in series, the state of the circuit breakers of said first through fourth sets being respectively controlled as a function of the signal output by said first through fourth division electronics respectively, wherein said first division processing means further comprise testing means for terminating the output of a scram inhibition signal to said first set of circuit breakers during a time when the second through fourth division processing means are outputting scram inhibition signals to said second through fourth sets of circuit breakers respectively.
  - 20. The self-testing reactor protection system as defined in claim 19, wherein each of said first through fourth division electronics further comprises multiplexer means for polling said respective reactor parameter sensor and said hardware logic state sensors in sequence, and means for preventing the activation of said testing means when active testing by another divisional electronics is detected.

21. A method for testing a system which initiates safety action in response to monitoring of a critical parameter, said system comprising:
- first through fourth sensors for independently detecting the value of a critical parameter and outputting first through fourth sensor readings respectively;
  
  first through fourth division electronics respectively connected to said first through fourth sensors for processing said first through fourth sensor readings respectively and comprising respective means for outputting a safety actuation inhibition signal in response to said respective sensor reading being below a respective predetermined threshold voltage and terminating the output of said safety actuation inhibition signal in response to said respective sensor reading being above said respective predetermined threshold voltage; and
  
  cross communication channels for interconnecting said first through fourth division electronics such that each one of said first through fourth division electronics receives the processed sensor readings from the other division electronics,wherein said method comprises the steps of;
  
  polling said first through fourth sensors in sequence once during each polling cycle;
  
  inputting a respective reference signal having a level in excess of said respective predetermined threshold level during each polling cycle, said reference voltage being treated as a sensor output;
  
  terminating the output of said respective safety actuation inhibition signal by a selected one of said first through fourth division electronics in response to said respective reference signal being in excess of said respective predetermined threshold level during a selected one of said polling cycles; and
  
  inhibiting the termination of the output of said respective safety actuation inhibition signal by the ones of said first through fourth division electronics other than said selected one in response to said respective reference signal being in excess of said respective predetermined threshold level.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
US Department of Energy (Government of the United States of America)
Original Assignee
General Electric Company
Inventors
Gaubatz, Donald C.
Primary Examiner(s)
Wasil, Daniel D.

Application Number

US08/502,337
Time in Patent Office

522 Days
Field of Search

376/215, 376/216, 376/217, 376/242, 376/259, 364/186, 364/550, 364/551.01, 364/570, 364/571.02, 364/579, 371/36
US Class Current

376/216
CPC Class Codes

G21C 17/00   Monitoring; Testing measuri...

G21D 3/001   Computer implemented control

Y02E 30/00   Energy generation of nuclea...

Y02E 30/30   Nuclear fission reactors

Reactor protection system with automatic self-testing and diagnostic

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Reactor protection system with automatic self-testing and diagnostic

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links