DE19517164A1 - Redundant safety system for power plant - Google Patents

Abstract

The safety system has the measured operating parameter values supplied to 2 parallel processing channels, for comparison with threshold values, for initiating a safety function when the threshold values are exceeded. The difference values obtained by comparing the measured parameter values with one another and their positions in the permissible value range are determined for use as further criteria for initiating the safety function, eliminating the need for a further redundancy channel.

Description

The invention relates to a protection system according to the preamble of claim 1.

For controlling and regulating systems, of which a high ver redundancy systems are often required used. These are physical quantities recorded several times independently and the measured variables thereby formed fed in parallel channels to an evaluation logic that a protection trip based on a majority decision can cause. Known redundant systems are the so-called called mvn systems in which protection is triggered, with which the system is switched to a safe state becomes if of n measured values of the same physical measurand m are outside a permissible range or the Limit of the permissible range have walked. The allowable range can be from a lower one and / or an upper limit. Hereinafter regardless of whether a measured value exceeds the permissible range leaves up or down, the expression "limit over stride "is used.

In addition to the area of admissibility, there is a Valid range for the measured values, the z. B. with transmitters Current output is 4 to 20 mA. Measured values outside are obviously wrong and based on a mistake, e.g. B. a short circuit or wire break.

To increase the safety and availability of systems generally the values of n control the plants grounding mvn systems increased. With the number n of the measurement signal channels also increases the effort, apart from that it is often with increasing number of sensors it becomes more difficult to attach them so that they are the same  Record physical measurand.

The present invention the underlying task is therefore a redundant mvn system to create high availability with just a few channels the controlled system.

For a 2v2 system, this task is characterized by the resolved specified part of claim 1 measures. The Invention is based on the knowledge for triggering protection not just exceeding one or both limits as Criteria, but also the mutual rejection Measurement values and their relevance to validity area to be considered. It becomes a 2v2 system created with the same security as that of one 2v3 systems offers roughly the same availability.

Based on the drawing, the invention and Further developments and additions described and explained in more detail tert.

A 2v2 protection system is shown schematically in FIG .

Fig. 2 illustrates the function of an exemplary embodiment of the new system.

In Fig. 1 with MG11, MG12; MG21, MG22. . . Transducers are referred to, which form the same measured variable in pairs into measured values and therefore deliver the same measured values lying within a tolerance range in the case of undisturbed operation. These measured values are fed to a multiplexer and analog / digital converter ADU, which supplies a redundant pair of measured values MW1, MW2 to an evaluation logic ML for each measured variable. This also receives two validity limits GB1, GB2 for each measured variable, which indicate the validity range of the measured values. These are e.g. B. for sensors with current output the values 4 mA and 20 mA. A tolerance band TB is also specified, within which the measured values of a pair may differ from one another. For example, it is 5% of the upper limit of the measuring range or the upper limit of validity, for B. 1 mA. Furthermore, the evaluation logic ML is supplied with a limit value for each measurement variable, which determines the limit of the permissible measurement range. The evaluation logic outputs a signal MW for further processing, which is formed from the mean value of the pair of redundant measured values supplied, and a protection trigger signal AS.

In Fig. 2, the limits GB1, GB2 of the validity range of 20 mA and 4 mA are shown as solid straight lines and the limit value GW for the permissible measured values as a dashed horizontal line. The tolerance range TB by which the measured values may deviate from one another is illustrated as a hatched field. The measured values themselves are entered as circles in pairs one above the other. For the sake of clarity, they are not provided with reference symbols. Each pair represents a special case F1, F2. . . F7. The diagram AS in FIG. 2 illustrates the cases in which protection is triggered.

In the first case F1, both measured values lie within the tole ranzbandes TB and also in the admissible range GW-GB2. The The trigger signal is therefore "0". Both measured values increase, whereby their difference remains smaller than the tolerance band TB, so the upper measured value is first exceeded the limit value GW ten (case F2). A trigger signal has not yet been issued. This is only the case if both measured values are above the limit worth GW (case F3). Is a measured value outside the gül area of activity GB1-GB2 (F4, F5), it is for the majority decision not taken into account, and the protection trip depends solely on whether the other measured value is permitted range is (F4) or not (F5). The distance is the Measured values are larger than the tolerance band TB, but are both Measured values still within the admissible range GB1-GB2, none Protection trip (F6). However, if a measured value exceeds the Limit value GW, a trigger signal is given because one of the both readings are obviously wrong, but not he you can see which value is wrong (F7). Appropriately  protection is triggered after a waiting period in which It can be determined how quickly the limit value changes Measurement value exceeding GW changes. Physical measurands usually change slowly. For example, the maximum rate of change of a temperature by the maximum heating power, the heated mass and its specific heat limited. The temperature measured value changes faster, this indicates that he is wrong. To a waiting time it becomes the scope GB1-GB2 leave and the state is reached as in case F5, where no protection is triggered. The waiting time ver therefore prevents unnecessary protection tripping and thus increases the availability.

Claims (4)

1.Protection system with two measuring signal channels, which forms two measured values from the same measured variable, which are compared in an evaluation logic (ML) with a limit value (GW) and which, depending on the comparison result and a majority decision, emits a protection trigger signal, characterized by :
the protection trip signal (AS) is given,

• a) if both measured values (MW1, MW2) deviate from each other by less than a given amount (TB) and have exceeded the limit value (GW) for the protection tripping or
• b) if the two measured values (MW1, MW2) deviate from each other by more than the predetermined amount (TB) and at least one measured value has exceeded the limit value (GW) for the protection tripping or
• c) if one of the two measured values is outside a validity range (GB1-GB2) and the other has exceeded the limit value (GW) for the protection tripping.

2. Protection system according to claim 1, characterized records that in case b) the protection trip after a predetermined waiting time. 3. Protection system according to claim 1 or 2, characterized ge indicates that in cases a) and b) of funds value of the two measured values is formed and processed. 4. Protection system according to one of claims 1 to 3, characterized characterized in that in case c) of the validity range (GB1-GB2) measured value for further processing is used.