ML21278A191

2 to Updated Final Safety Analysis Report, Chapter 7, Section 7.4, Regulating Systems
Site: Calvert Cliffs
Issue date: 09/07/2021
From: Exelon Generation Co
To: Office of Nuclear Reactor Regulation
Shared Package: ML21278A102
References: NEI 99-04



7.4 REGULATING SYSTEMS

7.4.1 REACTOR REGULATING SYSTEM

7.4.1.1 General

The Reactor Regulating System (Figure 7-11) provides control signals which are used to provide a steam dump program and a pressurizer level setpoint program.

7.4.1.2 System Description

A block diagram of the Reactor Regulating System is shown in Figure 7-11. The system consists of:

a. Steam Dump Program Function Generator;
b. Level Setpoint Function Generator;
c. Tref Function Generator;
d. Tavg - Tref Summer;
e. Tavg - Tref Stability Compensation Unit;
f. Turbine Power - Reactor Power Stability Compensation Unit; and,
g. Pressurizer Pressure - Pressurizer Pressure Setpoint - Stability Compensation Unit.

The system includes the following inputs to each channel:

a. Loop 1 Thot, Loop 2 Thot;
b. Loop 1 Tcold, Loop 2 Tcold;
c. Pressurizer pressure (disconnected);
d. Neutron flux; and,
e. First-stage turbine pressure.

The system develops the following outputs from each channel:

a. Tref and Tavg signals to recorders;
b. Automatic CEA withdrawal prohibit signals to the CEDM control systems (disconnected); and,
c. Deviation alarms for Tavg - Tref.

The Reactor Regulating System is used to provide a signal for pressurizer level setpoint, steam dump demand, and steam dump quick-opening. The operator has the ability to select between systems x or y with a selector switch. Each system is separate and independent of the other. The system functions to give controlling signals as the input parameters change. With a change in power level, the turbine first stage pressure will increase linearly with load. In each channel, a temperature programmer establishes the desired reactor coolant average temperature (Tref), based on a power reference signal from first-stage turbine pressure. This Tref signal is summed with the Tavg signal to provide a signal which represents the error between the actual temperature and the programmed temperature (Et). If this deviation between Tavg and Tref should become too high, an alarm will be annunciated. This Tavg signal is used to provide a programmed level setpoint for the pressurizer. The operational level of the pressurizer is programmed to increase with an increase in Tavg. This is done to accommodate plant load changes and transients in order to minimize changes in RCS volume.

The Tavg signal is also used to provide an analog output for steam dump demand and quick-opening (Figure 7-15). As Tavg increases, the signal to the steam dump control valve increases. The signal is proportional to the quantity (Tavg - 532°F).

CALVERT CLIFFS UFSAR 7.4-1 Rev. 47

Should reactor power as determined by Tavg be in excess of a predetermined power level as determined by Tavg prior to a trip, the steam dump quick-opening override bistable will cause quick opening of the steam dump and bypass valves at the time of the trip.

The operator may assume remote manual control of the atmospheric steam dumps from the alternate shutdown panel by aligning four hand transfer valves.

7.4.2 CONTROL ELEMENT DRIVE SYSTEM

7.4.2.1 Design Basis

The reactor is controlled by reactivity adjustments with CEAs and with boric acid dissolved in the reactor coolant. Rapid changes in reactivity are compensated for or initiated by CEA movement. Long-term variations in reactivity due to fuel burnup and fission product concentration changes are controlled by adjusting the boric acid concentration. Since this rate of addition produces slow changes in reactor power level, operator action suffices to control the boron concentration change. The CEA groups provide a hot shutdown margin of at least 1% reactivity, even if the most reactive CEA is stuck out of the core. Interlocks require that the shutdown CEA group is within a predetermined permitted range before regulating groups can be withdrawn. An alarm and a motion inhibit are provided when further insertion of the regulating group of CEAs would reduce the amount of effective shutdown reactivity in the CEAs below specified limits.

Control element assembly movement is effected by the CEDMs (Chapter 3.0).

The CEDS transmits signals from the CEDS control panel to the coil power programmers, which develop the pulses for magnetic jack operation.

Control element assembly withdrawal will be prevented when a high power pretrip, high rate-of-change-of-power pretrip or thermal margin/low-pressure pretrip is present. All CEA motion is inhibited when CEA malposition limits are reached.

7.4.2.2 System Description

A block diagram of the CEDS is shown in Figure 7-16.

The CEDS control panel is a selection panel. Three types of selections are made by this panel: control mode, CEA group, and the individual CEA within each group.

All selections are made by pressing the appropriate pushbutton switch. Upon selection, the switch will light and remain lit and selected until another selection within its scope is made. To operate, one selects one mode, one group, or one individual CEA if in manual individual mode. If not in manual individual then no individual CEA selection is made and only the group selection need be made.

Electrical interlocks are incorporated in each of these scopes of selection. This permits only one selection to be made in each scope. A new selection within any scope automatically cancels the previous selection.

There are four different operable modes of control of CEAs. Three of these modes, manual individual, manual group, and OFF apply to both types of CEAs.

All four operable modes, manual individual, manual group, manual sequential, and off, apply only to the regulating CEAs. For all cases manual control is used.

Automatic control of the regulating CEAs by the Reactor Regulating System is not used.


The upper and lower CEA group stops for the regulating and shutdown groups are provided by the CEA supervisory function of the plant computer to prevent the reactor from reaching undesirable conditions.

The CEDS contains design features that ensure the following actions:

a. Insertion of the regulating CEAs within a predetermined permitted range before the shutdown groups are inserted;
b. Simultaneous withdrawal of no more than two groups of CEAs;
c. Proper sequential withdrawal of CEAs; and,
d. Withdrawal of the shutdown CEAs to a predetermined permitted range before the regulating groups are withdrawn.

Three lines of defense are utilized to ensure that safety limits are not exceeded.

First, the reactor is operated under strict administrative controls which dictate the proper CEA movement. Second, alarms are provided to warn the operator if CEA movement is improper. The third line of defense consists of the functions and design features described below.

The plant computer CEA supervisory function operates CEA permissive contacts that feed the CEDM logic system. This design feature determines which group or groups of regulating CEAs will be moved in the manual sequential mode. The computer also generates alarms if its logic detects regulating CEA groups out-of-sequence (OOS), regulating group overlap violation, deviation of individual CEA positions within their group, or violation of pre-power and PDILs.

The setpoints of these alarms are chosen such that the operator is given sufficient time to take corrective action before a safety limit is reached without alarming for normally-occurring conditions.

If an equipment failure or operator error should cause any of these alarm conditions to be reached, another alarm is also received from the reed switch position indication system, described in Section 7.5.3.3. This second system, diverse in nature from the plant computer CEA supervisory function, provides the operator with continuous indication of the position of each individual CEA and provides alarms redundant to those supplied by the plant computer. In addition, this system provides actuation signals to the CEA motion inhibit circuitry which stops all manual CEA motion when an alarm setpoint is reached.

The actuator signals are computed from CEA position information from the reed switch position transducers for each CEA and a reactor power signal (for PDIL only). The actuation signals are contact openings that fail open upon loss of power. The actuation signals are "anded" with mode OFF and the composite signal is sent to the lift coil power switch for each CEA from contact multiplying relays. This signal to the lift coil power switch will stop any power from being applied to the lift coil, so that regardless of CEA control system motion demand, CEA motion is inhibited.

The CEA misalignment, group sequencing, group overlap, and total insertion that can occur at the alarm and motion inhibit limits discussed above are factored into the thermal margin and axial flux offset trips. Furthermore, no single failure of the CEDS, other than a CEA drop incident, will cause any of these CEA limits to be violated. As a result, no anticipated operational occurrence other than a CEA drop incident can result in any of these CEA limits being violated. In the case of the CEA drop, the analysis presented in Section 14.11 demonstrates that the resultant transient does not result in a violation of the fuel design limits and does not require a reactor trip.

Occasional operational failures of CEA position indication channels will be dealt with under the guidance of Generic Letter 91-18.

Additional prohibits are also provided to prohibit regulating group withdrawal and prevent the reactor from reaching undesirable conditions. These interlocks are summarized in Table 7-5.

Control element assembly speed is a function of the coil power programmer cycle speed and the CEA control system group speed setting.

The coil power programmer that sequences power signals to the magnetic jack coils of an individual CEA has an upper operating setting of 30" per minute for regulating CEAs, and 20" per minute for shutdown CEAs. This maximum speed would result only from a continuous demand for withdrawal from the CEA control system.

A continuous withdrawal signal from the CEA control system would result only during abnormal operating circumstances. The average speed of CEAs within the group is determined by the speed setting of the group programmer in the CEA control system. The upper bound of the speed setting of the group programmer is 50" per minute, but the normal operating speed setting of the group programmer is the same as that of the individual CEA coil power programmer. Maximum CEA speed is determined by the setting of the individual CEA coil power programmer, and this speed cannot be increased by a setting of the group programmer.

7.4.2.3 System Operation

The CEAs are divided into the following groups:

a. Shutdown: three groups; and,
b. Regulating: five groups.

Each CEA remains stationary except when a raise or lower signal is present. In response to a signal, the regulating CEAs move at a speed of 30" per minute. The shutdown CEAs move at a speed of 20" per minute.

The CEA position setpoints are shown on Figure 7-12.

The shutdown CEAs may be moved in the manual control mode only, with either individual or group movement. Movement of more than one shutdown group at any time is not possible. The shutdown CEAs must be withdrawn to within a predetermined permissible range of the upper limit before regulating group withdrawal is possible. A limit prevents group insertion of shutdown CEAs unless all regulating CEAs are within a predetermined permissible range of the lower limit.

Regulating CEAs may be moved in manual control by manual group or sequential group movement. Individual CEAs may be moved in manual control. Sequential group movement functions such that when the moving group reaches a programmed low (high) position, the next group begins inserting (withdrawing); the initial group stops upon reaching its lower (upper) limit. This procedure, applied successively to all regulating groups, allows a smooth and continuous rate-of-change of reactivity.


Under sequential group control, when the regulating groups reach the "prepower-dependent" insertion alarm point, this condition is annunciated. If sequential group insertion is continued, a "power-dependent" alarm point limit is reached, and a second alarm is initiated. These two programmed limits may be adjusted during the life of the plant and are provided to aid the operator in assuring adequate shutdown margin, limiting the reactivity worth of an ejected CEA, and maintaining the radial peaking within the limits which are factored into the monitoring and protective systems.

All CEAs are prevented from being withdrawn if either a high power pretrip, rate-of-change of power pretrip or thermal margin/low-pressure pretrip condition exists.

There is provision for manually bypassing the CEA motion inhibit circuitry at the CEDS operator's console. The manual bypass requires a minimum of two operator actions to accomplish the bypass. The group to be bypassed must be manually selected by the operator by depressing the pushbutton for that group. In addition to selecting the group to be bypassed, the operator must also depress the "CEA motion inhibit bypass" button to accomplish the bypass function. This pushbutton must be held depressed by the operator during the bypass operation, as release of this pushbutton will cause the bypass to be removed. Actuation of the "CEA motion inhibit bypass" pushbutton will cause an alarm at the main control board, thereby alerting the operator of the bypass.
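The bypass rules in the paragraph above can be expressed as a small state model and checked over every reachable console state: a bypass takes at least two operator actions, is always alarmed, covers one group at a time, and ends when the pushbutton is released. This Python model is an added example, not code from the report or from the plant's control system. The group labels, the empty initial selection and the latching alarm flag are assumptions.

```python
from collections import deque
from typing import NamedTuple, Optional

# Hypothetical group labels: the report gives only the counts
# (three shutdown groups, five regulating groups).
GROUPS = ("SD-A", "SD-B", "SD-C", "REG-1", "REG-2", "REG-3", "REG-4", "REG-5")


class Console(NamedTuple):
    selected: Optional[str] = None  # group pushbutton currently selected
    held: bool = False              # bypass pushbutton currently depressed
    alarmed: bool = False           # bypass alarm raised (latching is an assumption)


def step(state, action):
    """Apply one operator action and return the new console state."""
    kind, arg = action
    if kind == "select":    # a new selection cancels the previous one
        return state._replace(selected=arg)
    if kind == "press":     # actuating the bypass pushbutton raises the alarm
        return state._replace(held=True, alarmed=True)
    if kind == "release":   # releasing the pushbutton removes the bypass
        return state._replace(held=False)
    raise ValueError(f"unknown action {kind!r}")


def bypassed_group(state):
    """The group whose motion inhibit is bypassed, or None."""
    return state.selected if state.held else None


def motion_permitted(state, group, inhibit_active):
    """With the inhibit active, only the bypassed group may move."""
    return (not inhibit_active) or bypassed_group(state) == group


ACTIONS = [("select", g) for g in GROUPS] + [("press", None), ("release", None)]


def explore(start=Console()):
    """Breadth-first search: {state: fewest operator actions needed to reach it}."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        for action in ACTIONS:
            nxt = step(state, action)
            if nxt not in depth:
                depth[nxt] = depth[state] + 1
                queue.append(nxt)
    return depth


def check_properties():
    """Evaluate the bypass design rules over every reachable state."""
    depth = explore()
    bypassed = [s for s in depth if bypassed_group(s) is not None]
    return {
        "states": len(depth),
        "min_actions_to_bypass": min(depth[s] for s in bypassed),
        "bypass_always_alarmed": all(s.alarmed for s in bypassed),
        "release_always_restores": all(
            not any(motion_permitted(step(s, ("release", None)), g, True)
                    for g in GROUPS)
            for s in depth
        ),
        "one_group_at_a_time": all(
            sum(motion_permitted(s, g, True) for g in GROUPS) <= 1
            for s in depth
        ),
    }


if __name__ == "__main__":
    for name, value in check_properties().items():
        print(f"{name}: {value}")
```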

7.4.3 REACTOR COOLANT PRESSURE REGULATING SYSTEM

7.4.3.1 Design Basis

The reactor coolant pressure regulating system maintains system pressure within specified limits by the use of pressurizer heaters and spray valves. Pressurizer pressure sensors provide input to the system.

A high pressurizer pressure functions to open the pressurizer spray valves on a proportional basis, thereby reducing pressure. A low pressurizer pressure functions to energize heaters on a proportional or group basis to increase pressure. A high pressurizer level energizes the backup heaters in anticipation of a low-pressure transient; a low pressurizer water level deenergizes all heaters, for heater protection.

Two channels of control are provided and the controlling channel is selected by a switch. Manual control of the heaters and spray may be selected at any time.

7.4.3.2 System Design and Operation

Two independent pressure channels provide suppressed range (1500 to 2500 psia) signals for control of the pressurizer heaters and spray valves. The output of either controller may be manually selected to perform the control function. During normal operation, a small group of heaters is proportionally controlled to maintain operating pressure. If the pressure falls below the proportional band, all of the backup heaters are energized. Above the normal operating range, the spray valves are proportionally opened to increase the spray flow rate as pressure rises. A small, continuous-spray flow is maintained through the spray lines at all times to keep the lines warm, to reduce thermal shock as the control valves open, and to ensure that the boric acid concentration in the coolant loops and pressurizer is in equilibrium.

Outputs from the two pressure control channels are recorded in the Control Room and provide independent high and low alarms.


The control and alarm pressure setpoints are shown in Figure 7-13.

7.4.3.3 System Evaluation

Two independent channels are available for automatically regulating the pressurizer heaters and spray valves. Either channel may be used to control the pressure in the system, and the output from both channels is recorded in the Control Room. Independent high- and low-pressure alarms are provided. Control of two banks of back-up heaters can be assumed at the alternate shutdown panel.

7.4.4 PRESSURIZER LEVEL REGULATING SYSTEM

7.4.4.1 Design Basis

Pressurizer level is maintained by the action of the chemical and volume control system (Section 9.1). The level setpoint is programmed as a function of coolant average temperature (Tavg). A low pressurizer level signal functions to reduce letdown flow proportionally and to start the nonoperating charging pumps. A high level indication functions to increase letdown flow proportionally by opening the letdown control valves and stopping all but one charging pump. There are two independent automatic control channels with channel selection by means of a manual control switch. Automatic control is normally used during operation, but manual control may be utilized at any time.

7.4.4.2 System Design and Operation

The operating level of the pressurizer is programmed as a function of power to accommodate plant load changes and transients to minimize the changes in RCS volume (Figure 4-10).

The level programmer establishes a program level which is directly proportional to coolant average temperature over the operating range of Tavg. The average temperature signal used by the level programmer is the signal used by the Reactor Regulating System.

The level controller compares the measured and programmed level signals and generates a proportional signal for regulating the letdown control valves. In addition, the level controller functions to start or stop additional charging pumps at low or high level setpoints. The outputs of either of two automatic control channels may be selected by the operator for level control in addition to manual control.

Two independent level channels provide pressurizer level signals for two specific functions:

a. A low level signal from either channel deenergizes all heaters; and,
b. A high level signal from the controlling channel energizes the backup heaters.

7.4.4.3 System Evaluation

Two separate and redundant level control systems are provided. The controllers are located in the Control Room. Both automatic and manual control of level is provided. Three charging pumps and two letdown control valves provide redundant means of increasing or decreasing reactor coolant inventory. The variable pressurizer level control program maintains the proper coolant inventory by means of discharge or addition as required during plant load changes.


7.4.5 FEEDWATER REGULATING SYSTEM

7.4.5.1 Design Basis

The feedwater regulating system maintains SG downcomer level within acceptable limits by regulating the speed of the feedwater pumps and positioning the feedwater regulating valves, which control the feedwater to each SG (Figure 7-14A and Figure 7-14B). Steam flow, feedwater flow, and downcomer level are used in a three-element control configuration on each SG to maintain the desired level during steady state and transient operation above approximately 18% of main feedwater flow.

Manual control of feedwater flow may be selected by the operator at any time. In the event of a reactor trip, feedwater flow is automatically ramped down to approximately 3.8% of full load feedwater flow; this is approximately the flow required after a trip from full power to remove decay heat such that AFAS should not actuate and the time to RCS cooldown, without operator action, is maximized.

As downcomer level approaches its setpoint, automatic control of feedwater flow will be resumed to maintain downcomer level.

During abnormal conditions when a feedwater regulating valve malfunctions, the valve may be mechanically pinned to the manual operator in order to support safe operation or a controlled shutdown of the unit. In this case it may be necessary to manually secure main feedwater flow after a reactor or turbine trip if feedwater flow is excessive.

Following the identification of feedwater deficiencies in original industry MSLB accident analysis, the NRC issued IE Bulletin 80-04. This bulletin required all licensees of PWRs to review the containment pressure response analysis to determine if the potential for containment overpressure for MSLB inside containment included the impact of runout flow from the AFW System and the impact of other energy sources, such as continuation of feedwater or condensate flow. As a result of this bulletin, we installed a system where SGIS or CSAS will produce a trip of the main feedwater pumps, the heater drain pumps, and the condensate booster pumps, as well as closure of the main steam isolation and main feed isolation valves. This feature limits the peak containment pressure in the event of a steam line break inside containment by ensuring a prompt reduction in main feedwater flow to the affected SG.

Below approximately 18% of main feedwater flow, the feedwater controller automatically maintains SG downcomer level using the following inputs: SG level, wide range level and feedwater temperature. The feedwater controller uses these inputs to control the position of the feedwater main and bypass valve with the feedwater pumps operating to maintain a differential pressure across the feedwater regulating valves.

The low/high power mode is based upon feedwater flow being greater than a predefined setpoint which will be above the point where reliable steam and feedwater flow signals are available for use by the system.

7.4.5.2 System Design and Operation

A block diagram of the feedwater control system for each unit is shown in Figure 7-14A and Figure 7-14B.

The low/high power mode is based upon the feedwater flow being greater than a predefined setpoint which will be above the point where reliable steam and feedwater flow signals are available for use by the system.

CALVERT CLIFFS UFSAR 7.4-7 Rev. 49

Automatic Mode

The two SGs are operated in parallel. Each SG has a three-element controller using feedwater flow, steam flow, and downcomer level as inputs for level control above approximately 18% of main feedwater flow. The speed of the main feed pump turbines is controlled by pump speed demand, which is a function of main feedwater valve position demand, and is controlled at a speed which produces a relatively constant differential pressure across the main feedwater valve. Below approximately 18% of main feedwater flow, the position of the bypass feedwater valve is maintained using SG level, wide range SG level, and feedwater temperature. The speed of the main feed pump turbines is fixed at a minimum speed. At approximately 18% of main feedwater flow, the control is automatically transferred from low power control to the high power three-element control.

Manual speed control of each of the feedwater pump turbines can be accomplished from the Control Room.

Upon reactor trip, the main feedwater control valves are automatically closed and the feedwater bypass valves are automatically opened to approximately 3.8% of main feedwater valve flow, while the feedwater pumps are run back to the minimum speed.

Manual Mode

Manual control of the feedwater regulating system may be selected at any power level. When in manual control, the operator in the Control Room can:

a. Position each feedwater regulator control valve
b. Open or close each feedwater stop valve
c. Position each feedwater bypass regulating valve
d. Control speed of feedwater pumps.

Auxiliary Feedwater Flow

The operator can at any time control operation of the AFW pumps and position each AFW regulating valve. Remote control of AFW is available if control air is available, whereas if control air is lost, manual control would be accomplished at the turbine drive governor or at the regulating valve. Control of AFW may be assumed at the alternate shutdown panel provided air is available. Air from accumulators allows operation of the regulating valves for two hours after loss of instrument air.

7.4.5.3 System Evaluation

Conventional three-element feedwater control is used with fail-as-is feedwater control valves. Manual override of the automatic control is always available.

Remote manual bypass valves and manual feedwater stop valves provide backup for feedwater valve failure.

7.4.6 STEAM DUMP AND TURBINE BYPASS SYSTEM

7.4.6.1 Design Basis

The steam dump system is designed to provide a means of dissipating excess NSSS stored energy and sensible heat following a turbine trip without lifting the safety valves. Steam is discharged from the main steam lines to the atmosphere via the steam dump valves and to the condenser via the turbine bypass valves.

The steam dump and bypass valves are sized to prevent opening of the SG safety valves following a turbine trip at full load. The steam flow is regulated by the dump and bypass valves in response to Tavg and secondary pressure signals, respectively.

A block diagram of the steam dump and bypass system is shown in Figure 7-15.

Inputs to the system are Tavg, turbine trip signal, condenser vacuum, and main steam line pressure.

7.4.6.2 System Design and Operation

Steam Dump Demand Signal

The steam dump demand program is shown in Figure 7-15, Sheet 3. The purpose of this program is to modulate the steam dump valves as a function of Tavg.

At T, the steam dump valves are fully closed.

At T, steam dump valves are fully open.

A hysteresis is included in the program which requires Tavg to reach T in order to reopen the steam dump valves. This minimizes valve damage that would result from the steam dump valves operating too close to the shut seat.

Pressure Control Signal

The pressure control program is shown in Figure 7-15, Sheet 3. The purpose of the program is to modulate the turbine bypass valves as a function of main steam header pressure. The controller normally operates in automatic, controlling at 900 psi. During turbine valve testing, and following detection of a turbine valve malfunction, the pressure setpoint is adjusted to just above SG pressure, and then returned to 900 psia after completion. During initial turbine loading, the controller is set to modulate. The controller setpoint can be adjusted in automatic as conditions may require, or it can be operated in manual. The turbine bypass valves operate sequentially as controller output increases. They are also interlocked with condenser vacuum such that they will remain shut on loss of vacuum.

Steam Dump Quick Opening

Should a turbine trip occur when the plant is operating at a high temperature and power, the stored energy in the primary coolant system may be great enough that the steam dump area demand signal alone cannot open the dump valves fast enough to prevent lifting of the safety valves. Assuming condenser vacuum was not lost during the turbine trip, the RRS provides a contact closure output to the steam dump and bypass control system to quick open the valves following a turbine trip when Tavg is greater than a predetermined value (T). If the main condenser is unavailable due to loss of condenser vacuum, only the steam dump valves open following the turbine trip. When Tavg is reduced to < T, the "quick open" signal is removed. Assuming the main condenser is available, both the turbine bypass and steam dump valves will continue to dump steam until Tavg is reduced to (T), at which point the steam dump valves close. A portion of the turbine bypass valves will modulate based on steam header pressure, as long as steam header pressure is greater than 900 psia. If Tavg increases to T the steam dump valves will again open. If the main condenser is unavailable (turbine bypass valves closed), the steam dump valves will control Tavg between T and T.


7.4.6.3 System Evaluation

The steam dump valves can be operated from either the Control Room or, by aligning four hand transfer valves, from the auxiliary shutdown panel. Automatic or manual control is provided for both turbine bypass and steam dump valves at their respective Control Room stations, and manual control of the steam dumps is provided at the auxiliary shutdown panel.

The total capacity of the system is sufficient to prevent lifting of the secondary steam safety valves following a simultaneous reactor-turbine trip at full power. The respective capacities of the steam dump and turbine bypass valves are 5% and 40% of total system steam flow at full power. The capacity of the dump valves is sufficient for plant cooldown in the event the condenser is not available.

Excessive cooldown of the RCS by the dump valves, when in automatic control, is prevented by a narrow-range temperature signal. This signal has a minimum output corresponding to 535°F, at which point the dump flow will be zero.

The turbine bypass system will limit the maximum steam pressure to approximately 905 psia during hot standby when the condenser is available.

Loss of power in the steam dump and bypass system will cause the valves to fail closed or remain closed. Depending on the failure, a component failure in the system will cause valves to either fail closed, remain closed, fail open, or remain open. The safety analyses for the excess load and loss of load events did not take credit for this system (Sections 14.4 and 14.5, respectively).

The steam dump and bypass system is powered from 120 Volt AC instrument Busses No. 11 and/or No. 12. Solenoids in the system are powered from 125 Volt DC Bus No. 11.

7.4.7 TURBINE GENERATOR CONTROL SYSTEM

7.4.7.1 Unit 1 Turbine Control System (General Electric)

Unit 1 turbine generator control system (or electrohydraulic control system) is designed to control steam flow to the turbine.

The control system consists of the following:

A. Steam Control Valves

Four main stop valves are located in the main steam piping ahead of the control valves. The four control valves are mounted in a line on a common valve chest. The valve chest is separated from the turbine, and individual steam leads from the valve chest are provided for each control valve to inlet bowl sections of the high-pressure turbine. Steam leaving the high-pressure turbine enters the moisture separator reheaters (MSRs). Six combined reheat valves are provided downstream of the MSRs, one in each line supplying steam to the low-pressure turbines. The combined valves include an intercept valve and an intermediate stop valve.

The valve functions are described as follows:

Main Stop Valves: (four valves)

The main stop valves' primary function is to quickly shut off steam flow to the turbine under emergency conditions. One valve is provided with a bypass for slow warming and for pressurizing below the seat of the stop valves for opening.

Control Valves: (four valves)

The control valves control flow to the high-pressure turbine during normal operation.

Intercept Valves: (six valves, two per low pressure turbine)

The intercept valves are part of the combined reheat valves. These valves control steam flow from the moisture separator reheaters to the three low pressure turbines.

Intermediate Stop Valves: (six valves, two per low pressure turbine)

The intermediate stop valves shut off steam flow from the MSRs to the three low pressure turbines under emergency conditions.

B. Hydraulic Trip System

The hydraulic trip system consists of duplex electrical trip devices ETD-A and ETD-B, either of which can dump the emergency trip oil to drain.

ETD-A and ETD-B are identical hydraulic trip manifold solenoid valve assemblies. Geared and ganged inlet and outlet isolation valves allow either ETD-A or ETD-B to be isolated for service on line. However, both are in service during normal conditions. Each ETD has 3 solenoid valves connected in a 2 out of 3 (2/3) arrangement to allow for redundant operation with the testing of each solenoid valve one at a time. There are position indication switches, lights and pressure transmitters which provide the control system with diagnostic information for the ETDs. The ETDs receive high pressure hydraulic oil from the hydraulic power unit and put out an emergency trip signal (ETS) pressure.

The ETS pressure is high when the trip system is reset and low (drain pressure) when the system is tripped causing the main stop, control, intercept and intermediate stop valves to close.

C. High-pressure Fluid System

The hydraulic power unit supplies high-pressure fluid directly to the control pacs on the steam valves for opening and closing the valves, and to the trip devices in the trip and overspeed protection circuits.

D. Electrical Control System

The electrical control system is a triple modular redundant (TMR) computer-based system with triple voting I/O for all controlling devices.

1. Speed Control

The speed control produces the speed error signal that is determined by comparing the actual speed with the desired speed of the turbine at steady-state conditions, or the ramped desired speed during startup.

Three speed probes and input circuits provide TMR redundancy for speed control. The system can continue to run with one of the probes in a failed state. During normal operation at rated speed, the speed error signal is essentially zero, regardless of load. The speed error signal continues to be input to the load control unit.

CALVERT CLIFFS UFSAR 7.4-11 Rev. 49

2. Load Control Unit

The prime purpose of the load control unit is to develop output signals to which steam flow for the control valves and intercept valves may be proportioned. These outputs are based on a proper combination of the speed error and load reference signal biased with the first stage pressure signal. The load reference signal is the desired load at rated speed and rated steam conditions, and the speed error signal is input from the speed control unit. When the generator is not on line, the load reference is, in effect, a speed vernier adjustment; it is, therefore, used for synchronizing the turbine.

3. Control Valve and Intercept Valve Flow Control Units

The purpose of the valve flow control units is to produce the steam flows that are commanded by the load control unit. Due to the appreciable non-linear steam flow characteristic of the steam valve, the Mark VI turbine control software applies flow lift compensation curves.

4. Electrical Alarm and Trip System

The electrical alarm and trip system provides the following electrical signals:

a) Trip and reset signals to the hydraulic trip system;
b) Alarm information to the Mark VI operator displays and to the main control room annunciators;
c) Sequence of Event information to the Mark VI data logger.

Any trip signal will de-energize the six primary trip relays which will initiate the following redundant trip actions:

1. de-energizing the three voting solenoid valves of the ETD-A;
2. de-energizing the three voting solenoid valves of the ETD-B.

Either one or both ETD-A or ETD-B will trip the system depending on the position of the geared isolation valve. The following is a list of Unit 1 turbine trips (Figure 8-7, Sheet 2):

1. Front Standard trip buttons at turbine front standard
2. Master trip buttons on 1C02
3. High exhaust hood temperature
4. Exhaust hood low vacuum
5. Hydraulic pressure low trip
6. Bearing oil low pressure
7. Main shaft oil pump low pressure
8. MSR and MSR heater drain tank high level (11 or 12)
9. Loss of stator coolant
10. Axial thrust
11. Feedwater heater high level
12. SG high level (11 or 12) or reactor trip bus under-voltage
13. Emergency acceleration/deceleration
14. Emergency overspeed
15. Emergency speed compared to Primary speed difference
16. Primary overspeed
17. Primary acceleration/deceleration
18. Unit protection
19. Power load unbalance

Primary Overspeed Trip

Primary overspeed is provided by a TMR controller with 3 magnetic speed probes.

If speed exceeds 110%, the six primary trip relays are de-energized to initiate a trip of ETD-A and ETD-B.

Emergency Overspeed Trip

A separate TMR turbine protection module with 3 magnetic speed probes is used to provide emergency overspeed protection. If speed exceeds 111.5%, the six emergency trip relays are de-energized to initiate a (redundant) trip of ETD-A and ETD-B similar to the primary trip.

A reactor trip results from a turbine generator trip only when the system is operating above 15% of full power.
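The Unit 1 trip chain described above can be exercised as a small model. This is an added example, not part of the UFSAR or of the Mark VI software; the 2/3 vote over the speed probes, the treatment of a failed probe as casting no trip vote, the stuck-solenoid fault and the rule that at least one ETD stays in service are modelling assumptions, while the 110% and 111.5% setpoints and the 2/3 solenoid arrangement come from the text.

```python
# Added illustration; the probe-voting rule and fault model are assumptions.
PRIMARY_TRIP_PCT = 110.0    # primary overspeed setpoint stated in the text
EMERGENCY_TRIP_PCT = 111.5  # emergency overspeed setpoint stated in the text

def two_of_three(votes):
    """Return True when at least two of exactly three channels vote True."""
    votes = [bool(v) for v in votes]
    if len(votes) != 3:
        raise ValueError("2/3 voting needs exactly three channels")
    return sum(votes) >= 2

def overspeed_demand(probes_pct, setpoint_pct):
    """Assumed 2/3 vote over three speed probes (percent of rated speed).

    A failed probe is given as None and casts no trip vote (assumption).
    """
    return two_of_three(p is not None and p > setpoint_pct for p in probes_pct)

def etd_dumps(energized):
    """An ETD dumps trip oil once two of its three solenoids are de-energized."""
    return two_of_three(not e for e in energized)

def ets_pressure_high(etd_a, etd_b, in_service=("A", "B")):
    """ETS pressure stays high only while no in-service ETD is dumping."""
    if not in_service:
        raise ValueError("model assumes at least one ETD is in service")
    states = {"A": etd_a, "B": etd_b}
    return not any(etd_dumps(states[name]) for name in in_service)

def turbine_trips(primary_pct, emergency_pct, stuck_energized=frozenset(),
                  in_service=("A", "B")):
    """Run one pass of the trip chain; True means the steam valves are tripped.

    stuck_energized holds (etd, index) pairs for solenoids that fail to
    de-energize on demand, a constructed fault used to probe the voting.
    """
    demand = (overspeed_demand(primary_pct, PRIMARY_TRIP_PCT)
              or overspeed_demand(emergency_pct, EMERGENCY_TRIP_PCT))

    def solenoids(etd):
        # Energized when there is no demand, or when the valve is stuck.
        return [not demand or (etd, i) in stuck_energized for i in range(3)]

    return not ets_pressure_high(solenoids("A"), solenoids("B"), in_service)

def tolerates_any_single_stuck_solenoid(speed_pct=112.0):
    """Check that no single stuck solenoid can block an overspeed trip."""
    probes = [speed_pct] * 3
    return all(turbine_trips(probes, probes, {(etd, i)})
               for etd in "AB" for i in range(3))
```

The model shows both sides of the 2/3 arrangement: one de-energized solenoid (a test) or one high-reading probe does not trip the unit, and one stuck solenoid does not block a trip.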

7.4.7.2 Unit 2 Turbine Control System (Westinghouse)

The Unit 2 turbine generator control system, or electrohydraulic governor control system, is designed to control steam flow to the turbine.

The electrohydraulic system contains:

A. Steam Control Valves

Steam enters at both ends of the steam chest through throttle valves to two individually-controlled governor valves. There are two steam chests, identical in construction, controlling steam to the high-pressure turbine, one being located on each side of the unit. Steam flows through the high-pressure turbine blading and then through the crossunder piping to the MSRs. Crossover pipes return the steam through the reheat stop and interceptor valves to the three low pressure turbines.

The valve functions are described as follows:

1. Throttle Valves: (four valves, two per steam chest)

The throttle valves control the steam flow to the high-pressure turbine during wide-range speed control until the throttle valve/governor valve transfer. The governor valves are full open in the wide-range speed control mode of operation just prior to throttle valve/governor valve transfer. If an excessive speed condition were to exist during throttle valve control, the governor valves will close in response. Both valves will close when actuated by the trip system.

2. Governor Valves: (four valves, two per steam chest)

Prior to synchronizing, a transfer is made from throttle valve to governor valve control. Speed and/or load is then controlled only by the governor valves. The throttle valves are wide open in this mode of operation. Both valves will close when actuated by the trip system.

CALVERT CLIFFS UFSAR 7.4-13 Rev. 50

3. Reheat Stop Valves: (eight valves, two per MSR)

The reheat stop valves are provided in each steam line between the MSR and the interceptor valve. The reheat stop valves' purpose is to provide an additional safety device to prevent overspeeding of the turbine, should the interceptor valve fail to close when the overspeed trip condition exists.

4. Interceptor Valve: (six valves, two per low pressure turbine)

The interceptor valves are provided in each reheat steam line to limit flow of steam from the MSR to the low pressure turbine after a load rejection.

B. Hydraulic Trip System

The hydraulic trip system consists of duplex electrical trip devices: the Overspeed Protection Control Testable Dump Manifold (OPC-TDM), with the OPC Check Valve Bypass Manifold (OPC-CB), and the Emergency Trip Testable Dump Manifold (ET-TDM), either of which can dump the emergency trip fluid to a drain. The OPC-TDM and ET-TDM are identical hydraulic trip manifold solenoid valve assemblies, each of which consists of three pressure transmitters and three solenoids connected in a two-out-of-three (2/3) arrangement to allow redundant operation with testing capability of each solenoid valve one at a time. There are position indication switches, lights, and pressure transmitters which provide the Turbine Control System with diagnostic information for the TDMs. The TDMs receive high pressure hydraulic fluid from the hydraulic power unit and put out an ETS pressure accordingly. The ETS pressure is high when the trip system is reset (pressurized header) and low (drain pressure) when the system is tripped. The fluid in the high-pressure trip header depressurizes to the drain, causing the throttle, governor, reheat stop, and intercept valves to close to shut down the turbine.

The turbine overspeed trip protection function is accomplished via two diverse trip systems. The Diverse Overspeed Protection System function is configured to issue a trip command when two-out-of-three speed inputs exceed the overspeed trip setpoint. The second system is the Ovation Speed Detector Module Trip, which issues a trip command when two-out-of-three speed inputs exceed the overspeed trip setpoints.

The OPC-CB allows the OPC-TDM to perform the OPC function on a load drop anticipatory signal or a 103% overspeed event and to also trip the ETS header on turbine trip event.

There are main turbine protective trip devices that function through Ovation or by external turbine trip inputs that provide direct contact operation for the ET-TDM (Figure 8-12, Sheet 2).

The external turbine trips require 125 Volt DC power to be available and energized on the following conditions:

1. deleted
2. Manual Trip Switch (2HS 8250);
3. deleted
4. Unit Protection Trips;
5. Feedwater heater high level (2LS 1446, 2LS 1447, 2LS 1452, 2LS 1453, 2LS 1448, 2LS 1449, 2LS 1454, 2LS 1455, 2LS 1450, 2LS 1451, 2LS 1456, 2LS 1457);

6. SG Nos. 21, 22 high level;
7. Reactor Trip Bus Undervoltage; and
8. Load rejection.

The following turbine trips do not require 125 Volt DC power to be available:

1. Manual Trip Switches (2HS 8251A and 2HS 8251B);
2. Overspeed Trip Diverse Overspeed Protection System;
3. Ovation Speed Detector Module Trip;
4. Low Condenser Vacuum (2-PT-8259A, 2-PT-8259B, 2-PT-8259C);
5. Thrust Bearing Oil Pressure (2-PT-8257A, 2-PT-8257B, 2-PT-8257C); and
6. Low Bearing Oil Pressure (2-PT-8258A, 2-PT-8258B, 2-PT-8258C).

A reactor trip results from a turbine generator trip only when the system is above 15% power level.

The main turbine overspeed protection control OPC-TDM (2SV8236A, 2SV8236B, and 2SV8236C) de-energizes to open if the turbine speed exceeds 103% of rated speed. This will dump the high-pressure trip fluid from the governor and interceptor valves causing the valves to close. The closing of the governor valves and interceptor valves in response to a load loss impulse from the acceleration responsive auxiliary governor (103% of rated speed) will cause the turbine speed to decrease after the entrapped steam has been used. When the turbine speed is reduced slightly, the OPC-TDM will energize and the solenoid valve will close returning the unit to load control.
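The difference between the self-resetting OPC action at 103% and a latched overspeed trip can be shown as a small state machine. This is an added example, not code from the UFSAR or from Ovation; the trip setpoint and the OPC reset band ("reduced slightly" in the text) are caller-supplied assumptions, as are the 2/3 vote on the OPC speed inputs, the valve group names, and the reading that the throttle and reheat stop valves stay open during OPC action.

```python
# Added illustration; only the 103% OPC setpoint comes from the text.
OPC_SETPOINT_PCT = 103.0

# Constructed load-rejection trace: three speed inputs per sample, % rated speed.
SAMPLE_TRACE = [
    [100.0, 100.0, 100.0],
    [103.4, 103.5, 102.9],
    [104.0, 104.1, 104.0],
    [102.8, 102.9, 102.7],
    [102.4, 102.6, 102.3],
    [100.5, 100.4, 100.5],
]

def voted_above(speeds_pct, limit_pct):
    """2/3 vote: at least two of three speed inputs exceed the limit."""
    if len(speeds_pct) != 3:
        raise ValueError("expected three speed inputs")
    return sum(s > limit_pct for s in speeds_pct) >= 2

class Unit2Overspeed:
    """OPC (self-resetting) and overspeed trip (latched) as one state machine."""

    def __init__(self, trip_setpoint_pct, opc_reset_band_pct):
        # Both values are caller-supplied assumptions; the page gives neither.
        self.trip_setpoint_pct = trip_setpoint_pct
        self.opc_reset_pct = OPC_SETPOINT_PCT - opc_reset_band_pct
        self.opc_active = False
        self.tripped = False

    def step(self, speeds_pct):
        """Consume three speed inputs; return the set of closed valve groups."""
        if voted_above(speeds_pct, self.trip_setpoint_pct):
            self.tripped = True       # stays set until reset()
        if voted_above(speeds_pct, OPC_SETPOINT_PCT):
            self.opc_active = True    # OPC-TDM de-energizes to open
        elif not voted_above(speeds_pct, self.opc_reset_pct):
            self.opc_active = False   # OPC-TDM re-energizes, back to load control
        return self.closed_valves()

    def closed_valves(self):
        if self.tripped:
            return {"throttle", "governor", "reheat_stop", "interceptor"}
        if self.opc_active:
            return {"governor", "interceptor"}
        return set()

    def reset(self):
        """Reset of the trip system (modelled as unconditional)."""
        self.tripped = False

def run_trace(trace, trip_setpoint_pct, opc_reset_band_pct):
    """Return the sorted closed-valve list for each sample of a speed trace."""
    unit = Unit2Overspeed(trip_setpoint_pct, opc_reset_band_pct)
    return [sorted(unit.step(sample)) for sample in trace]
```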

C. High-pressure Fluid Control System

The function of the high-pressure fluid control system is to provide a motive force which positions the turbine steam valves in response to electronic commands from the controller, acting through the servo-actuators. The system is so arranged that one pump and one set of the various control components function while the duplicate set serves as a stand-by system.

The emergency trip fluid circuits are charged from the high-pressure fluid manifold through individual actuation mechanisms.

D. Electrical Control System

The electrical control system is a redundant module computer-based system with triple voting I/O for all controlling devices.

1. Speed Control

Wide-range speed control is used during the phase of operation from turning gear to rated speed. The speed detector I/O modules receive a continuous turbine speed signal from three active speed probes mounted on a speed wheel. Initial speed control is by the throttle valve only with the governor valve wide open. Prior to synchronizing, a transfer is made from throttle valve control to governor valve control.

The throttle valves are then positioned wide open and speed is controlled only by the governor valves.

Once the turbine has reached synchronous speed, and the main generator breaker is closed, the control system changes from a speed controller to a load controller.

The system sums the load reference and the speed error signal and sends this signal to position the governor valves. For linear load response, the impulse pressure feedback is also switched to the load summing junction.

2. Load Control

Initial Loading - Immediately after synchronization (generator breaker inputs closed), the target and reference loads are indicated in terms of megawatts or percent.

Frequency Loop - The frequency loop is placed into service automatically after synchronization. This loop is used for frequency participation to help correct off-normal system frequencies. Frequency control is not a closed loop controller. It is a proportional-only controller that adds a bias signal to the governor valve proportional to the speed deviation from 1800 RPM. The frequency loop can also be taken into and out-of-service as desired manually, while in any of the other load control modes (Megawatt Loop, Impulse Loop, or Operator Auto).

Megawatt Loop - may be placed in-service with the following permissives satisfied:

a. The turbine is in load control mode;
b. The megawatt signal must be valid;
c. At least one valve positioner module on one governor valve and one throttle valve in each steam chest must be functioning properly.

Impulse Loop - with the following permissives satisfied, the impulse loop can be placed in-service:

a. The turbine is in load control mode;
b. The impulse pressure signal must be valid;
c. At least one valve positioner module on one governor valve and one throttle valve in each steam chest must be functioning properly.

Operator Auto (Open Loop) - If both the megawatt loop and impulse loop are out-of-service, then the unit is in "open loop." The operator will set load target and load ramp rates. The governor valve demand will start to move in response to the GO command initiated by the Operators. The Operators can stop the power change or readjust the target or ramp rates, as desired.

3. Electrical Alarm and Trip System

The electrical alarm and trip system provides the following electrical signals:

a. Trip and reset signals to the hydraulic trip system;
b. Alarm information to the Ovation operator's Human Machine Interface and to the main control room annunciators;
c. Sequence of event information to the Ovation historian.

Any trip signal will de-energize the six primary trip relays which will initiate the following redundant trip actions:

a. de-energizing the three voting (2/3 logic) solenoid valves of the Operator Auto/OPC-TDM
b. de-energizing the three voting (2/3 logic) solenoid valves of the ETS-TDM

TABLE 7-5 PROHIBITS ON CEAs (MANUAL CONTROL MODE)

WITHDRAWAL PROHIBIT CONDITION

Pretrip Overpower
Dropped CEA
High Startup Rate Pretrip (Between 10^-4% and 15% power)
Thermal Margin/Low Pressure Pretrip

MOTION INHIBIT CONDITION

Regulating group OOS
Individual CEA deviation
Excessive regulating group overlap
PDIL alarm
Withdrawal of regulating groups prior to withdrawal of all shutdown CEAs to a predetermined permissible range
Insertion of shutdown groups prior to insertion of all regulating CEAs to a predetermined permissible range

INPUT SIGNAL SOURCES FOR THE WITHDRAWAL PROHIBITS

RPS: Overpower Pretrip; High Startup Rate Pretrip; Thermal Margin/Low Pressure Pretrip
Reed Switch Transmitter: Dropped CEA

INPUT SIGNAL SOURCE FOR CEA MOTION INHIBIT

Reed switch CEA Position Indication System