|
|
| Line 2: |
Line 2: |
| | number = ML17332A851 | | | number = ML17332A851 |
| | issue date = 04/30/1969 | | | issue date = 04/30/1969 |
| | title = RPS Diversity in Westinghouse Pwrs. | | | title = RPS Diversity in Westinghouse Pwrs |
| | author name = Burnett T, Dorrycott J, Risher D | | | author name = Burnett T, Dorrycott J, Risher D |
| | author affiliation = WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. | | | author affiliation = WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| Line 17: |
Line 17: |
|
| |
|
| =Text= | | =Text= |
| {{#Wiki_filter:wnu -7306 NUCLEAR ENERGY SYSTEMS CLASS 3 REACTOR PROTECTION SYSTEM DIVERSITY ZN WESTINGHOUSE PRESSURIZED WATER REACTORS April 1969 Author: T. Q. T. Burnett Contributors: J. W. Dorrycott A. C. Hall D. H. Risher APPROVED: | | {{#Wiki_filter:}} |
| S. ore, Manager Core Engineering Westinghouse Electric Corporation Nuclear Energy Systems Division P. O. Box 355 Pittsburgh, Pennsylvania 15230
| |
| <3RZ Restintthouse Electric Corp.
| |
| 9507180151 950707 PDR ADQCK 05000315 9 PDR /
| |
| | |
| FOREWORD Over the past four years, considerable attention has been focused on design cx'iteria and methods of implementation for nuclear power plant protection systems. Of paxticular difficulty has been che"establishment of suitable criteria to deal with the problems of single and multiple failures, channel independence, Control and Proteccion System independence, and the'eviation of Protection System inputs. .A key factor in this difficulty has b'een the conflict between the goal to minimize the number of redundant measurements fox'ny single process variable, with regaxd to the overall nuclear plane requirements, and the goal to establish a auucbnum degree of separation between the Protection System and the Control System.
| |
| Obtaining an accurate and reliable measuxement of a particular process variable is one of the most difficult aspects of an instrumentacdon system.
| |
| There are significant problems associated with the physical mounting of the measurement devices including optimum location, supporting structuxes, access to che equipment for maintenance, and protection against adverse environmental factors. In the case of nuclear power plants, there is also the problem of transmitting the signals fxom the containment to the control room equipment.
| |
| All of these factors provide arguments for minimizing the number of separate measuremencs.
| |
| | |
| Most of the functions performed by the plant Control System require the same process information as the Protection System. In these cases, Westinghouse provides Control System inputs from Protection System channels. The "Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," IEEE No. 279, permits this design approach, sub)ect to certain restrictions. However, this proposed resolution was not unanimously accepted by members of other United States standards and regulatory agencies, in particular, USASX Sectional Committee N3 (N42), and the AEC-ACRS.
| |
| Westinghouse held meetings with members of the AEC to clarify the Westinghouse design approach and to identify the additional design criteria applied by Westinghouse, which go beyond the proposed IEEE criteria. These additional criteria require separation and identification of control and protection equipment and the use of isolation devices to transmit signals from the Protection System to the Control System. It is the position of Westinghouse that these additional criteria offer a resolution to the'tated design conflict. Westinghouse has demonstrated by actual implementation of these criteria that a high degree of separation, including proper identification, can be achieved between Protection System equipment and Control System equipment.
| |
| More recently, the question of the failure mode changed from that of a single random failure to common-mode failure - a failure mode which would adversely affect all, redundant channels of a particular protective function in the Protection System. It is generally recognized that separation of control and protection does not provide defense against the common-mode failures.
| |
| | |
| The nuclear power plant Control and Protection System design employed by Westinghouse was evaluated in detail with respect to the commonmode failure and presented in a series of meetings to members of the AEC. This report documents the information transmitted in these meetings and provides a technical basis for the development of criteria for design of Protection Systems with adequate consideration for common-mode failures.
| |
| The conclusion of Westinghouse based>upon actual experience, previous work, and reinforced by the results presented herein, is that design criteria for nuclear power plant protection systems should permit magnum effective use of process measurements both for control and protection functions including the use of Protection System measurements in the Control. System. Such criteria significantly enhance the designer's capability to provide a system with adequate capability to deal with the majority of common~ode failures t
| |
| as well as to provide redundancy for critical control functions.
| |
| J. M. Gallagher,'Jr.
| |
| Consulting Engineer - Control Technology
| |
| | |
| Vestinghouse design philosophy for Reactor Protection and Control Systems is to make maxiunaa use, for both protection and control functions, of a wide range of measurements. The Protection and Control Systems are separate and identifiable. The design approach permits not only redundancy of control, providing its own desirable increment to overall plant safety, but also provides a Protection System which continuously monitors numerous system variables by different means; i.e., protection system diversity.
| |
| The extent of Protection System diversity has been evaluated for a wide variety of postulated accidents. In most cases, two or more= diverse pro-tective functions. would terminate an accident before intolerable consequences could occur.
| |
| | |
| TABLE OF CONTENTS teetiee Title ~Pa e ABSTRACT iv INTRODUCTION 1>>1 1
| |
| 1.1 COMMONMODE FAILURES AND. DIVERSITY l-l 1.2 PROTECTION SYSTEM EVALUATION 1-5 2 QjMMARY 2 1 3 FUNCTIONAL DESCRIPTION, REACTOR CONTROL AND PROTECTION SYSTEM 3.1-1 3.1 REACTOR PROTECTION SYSTEM 3. 1-1 3.1.1 GENERAL 3.1>>1 3.1.2 REACTOR TRIPS 3.1-1 Manual Trip 3. 1-1 High Nuclear Power (Power Range) 3.1-1 High Nuclear Power (Intermediate Range) 3.1-2 High Nuclear Power (Source Range) 3.1-2 Overtemperature 4T Trip 3.1-3 Overpower 4T Trip 3.1-3
| |
| 'Low Pressure Trip 3.1-4 High Pressure Trip 3.1W High Pressurizer Water Level Trip 3.1-5 Low Reactor Coolant Flow 3.1>>5 Safety In)ection System Actuation Trip (SIS) 3.1-6 Turbine Trip 3.1-7 Low Feedwater Flow Reactor Trip 3.1-7 Low Steam Generator Water Level Trip 3.1-7 3.1.3 PERMISSIVE CIRCUITS 3.1-8 List of Permissive Circuits 3.1-8 3.1.4 ROD STOPS 3.1-9 Rod Stop List 3.1-9 3.1.5 INDICATION 3.1-10 Control Board Indicators and Recorder 3.1-10 Central Board Annunciator Panel 3.'1-10 Control Board Status Panel 3.1-11 3.2 STEAM DUMP CONTROL SYSTEM 3.2-1 3.2.3., CONDENSER STEAM DUMP SYSTEM 3.2-1 System Design 3.2-1 Control System 3e2~3 Load Refection Control 3e2~3 Turbine Trip Control 3.2-4 Pressure Control 3.2-5 3.2.2 ATMOSPHERIC STEAM RELIEF SYSTEM 3.2-6 3.3 REACTOR CONTROL 3.3-1 The Temperature Chanel 3.3-1 The Power Mismatch Channel 3.3-1 The Pressure Channel 3 '~2 The Rod Speed Program 3 ~3 2
| |
| | |
| TABLE OP CONTENTS (Cont'd)
| |
| Seetiet Title ~Pa e 3,4 STEAM GENERATOR LEVEL CONTROL 3.4-1
| |
| '.5 STEAM BREAK PROTECTION SYSTEM 3.5-1 3.5.1 SAFETY INJECTION SYSTEM ACTUATION 3.5-1 3.5.2 FEEDWATER LINE XSOLATION 3-5-1 3.5.3 STEAM LINE ISOLATION 3.5-1 4 PROTECTION AND CONTROL SYSTEMS DESXGN PRINCIPLES 4.1<<1 4.1 PROTECTION SYSTEM FUNCTIONAL DESIGN 4. 1-1 4.2 CONTROL SYSTEM PJNCTIONAL DESXGN 4.2-1 4.3 CONTROL AND PROTECTION INTERRELATION 4. 3-1 4.4 SPECIFIC CONTROL AND PROTECTION INTERACTIONS 4.4-1 4.4. 1 NUCLEAR FLUX 4. 4-1 4.4.2 COOLANT TEMPERATURE 4e 4-2 4.4.3 PRESSURIZER PRESSURE 4.4-3 Control of Rod Motion 4.4-3 Pressure Control 4.M3 Low Pressure 4.4-3 High Pressure 4.4-4 4.4.4 PRESSURIZER LEVEL 4. 4-4 High Level 4.4-5 Low Level 4.4-5 4.4.5 STEAM GENERATOR WATER LEVEL FEEDWATER PLO.. 4.4>>6 Feedwater Flow 4.4>>7 Steam Flow 4.4-8 Level 4.4-8 4.4.6 STEAM LINE PRESSURE 4.4-8 5 ACCIDENT EVALUATXON 5.3.-1 5.l. ROD WITHDRAWAL ACCIDENT I 5. 1-1 5.1.1 PROBABLE CONSEOUENCES OF ACCIDENT 5. 1-2 5.1.2 PROBABILITY OF ACCIDENT 5. 1-4 5.1.3 MANUAL INTERVENTION 5.1-4 5.1.4 DIVERSXTY OF REACTOR TRIPS 5. 1-6 5.2 LOSS OF FEEDWATER 5. 2-1 5.2.1 ~
| |
| LOSS OF FEEDWATER - TRANSIENT ANALYSIS 5. 2-2 5.2.2. TYPXCAL SYSTEM DESIGN REOUIR1M2KS 5.2-4 Auxiliary Feedwater System 5. 2-4 Main Steam and Feedwater Piping 5.2-6
| |
| ;:! . 5.3 LOSS OF COOLANT PLOW ANALYSIS 5.3-1 5.3-1 ZNTRODUCTION AND
| |
| | |
| ==SUMMARY==
| |
| 5.3-1 5-3.2 PROTECTION SYSTEM DESCRIPTXON 5.3-1 Low Reactor Coolant Plow 5.3-2 Reactor Coolant Pump Low Voltage 5.3-2 Reactor Coolant Pump Low Frequency 5.3-2 Pump Circuit Breaker Position 5.3-3 Overpower Delta-T Reactor Trip 5.3-3 Interlocks 5.3-4
| |
| | |
| 4 1 C
| |
| | |
| TABLE OF CONTENTS (Cont'd)
| |
| Sectice Title ~Pa e 5.3.3 MULTILOOP LOSS OF FLOW 5.3-4 5.3.4 SINGLE LOOP LOSS OF FLOW 5.3-6 5.3.5 LOCKED ROTOR ACCIDENT 5.3-7 5.4 ROD EJECTION ANALYSIS 5.4-1 5.
| |
| | |
| ==4.1 INTRODUCTION==
| |
| AND
| |
| | |
| ==SUMMARY==
| |
| : 5. 4-1 5.4.2 CASES CONSIDERED IN DETAIL 5.4-1 Zero Power Case 5.4 1 Full Power End of Life Coze 5.4-2 5.4.3 BACK-UP TRIP PROTECTION 5. 4-3 5.5 LOSS OF STEAM LOAD 5.5-1 5.
| |
| | |
| ==5.1 INTRODUCTION==
| |
| AND
| |
| | |
| ==SUMMARY==
| |
| 5.5-1 5.5.2 LOSS OF LOAD PROTECTION AND DESIGN CRITERIA 5.5-2 Steam Dump to Condenser 5.5-2 Pressurizer Pressure Relief 5.5-3 Steam System Pressure Relief 5.5-3 Direct Reactor Trip 5.5-3 High Pressurizer Pressure Trip 5,5~4 Overtemperature 4T 5.5W High Pressurizer Level Trip 5.5-4 5.5.3 EVALUATION OF'PROTECTION SYSTEM FOR LOSS OF LOAD 5.5-5 Initiation of Accident 5.5-5 Analysis and Discussion 5.5-7 5.
| |
| | |
| ==5.4 CONCLUSION==
| |
| S 5.5-9 5.6 ROD WITHDRAWAL DURING STARTUP 5.6 1 5.7 CONTROL ROD DROP 5. 7-1 5.8 ENGINEERED SAFEGUARDS ACTUATION 5. 8-1 5.9 CONTAINMENT PRESSURE PROTECTION 5. 9-1 5.10 EXCESSIVE MAD 5.10-1
| |
| : 5.11 EXCESSZVE FEEDWATER PLOW 5.11-1 5.12 STATION BLACKOUT 5.12-1 CONTROL AND PROTECTION FUNCTIONS
| |
| | |
| LIST OF FIGURES
| |
| ~Fg ure No.
| |
| 2-1 Illustration of Control and Protection Design
| |
| : 3. 1-1 Overtemperature dT Channel
| |
| : 3. 1-2 Overpower dT Channel
| |
| : 3. 2-1 Steam Cycle Valve Arrangement
| |
| : 3. 3-2 Condenser Steam Dump Control Scheme 3.3-1 Reactor Control System
| |
| : 4. 2-1 Steam Generator Level Contxol and Protection System
| |
| : 4. 3-1 Pressurizer Pressure Protection and Contxol Systems Design I
| |
| : 5. 1-1 Fault Tree fox Rod Withdrawal Accident
| |
| : 5. 1-2 Fault Tree for Rod Withdrawal Accident
| |
| : 5. 1-3 Inserted Rod Wox'th and Reactivity Required to Reach DNBR ~ 1.0 in Hot Assembly Versus Core Life
| |
| : 5. 1-4 Complete Rod Withdrawal from Maximum Full Power
| |
| : 5. 1-5 Complete Rod Withdrawal from Maximum Full Power
| |
| : 5. 1-6 Steady State Core Limits and Reactor Trip and Alarm Points
| |
| : 5. 1-7 Beginning of Life, Rod Withdrawal from 102X Power, Minimum DNBR
| |
| : 5. 1-8 Beginning of Life, Rod Withdrawal from 102X Power, Time of Event
| |
| : 5. 1-9 Beginning of Life, Rod Withdrawal from 80X Power, Resulting Minimum DNBR
| |
| : 5. 1-10 Beginning of Life, Rod Withdrawal from 80X Power, Time of Event 5 2-1 Fault Tree for Loss of Feedwater Flow 5 2 2. Fault Tree for Loss of Feedwater Flow
| |
| ~
| |
| : 5. 2-3 Fault Tree for Loss of Feedwater Flow
| |
| : 5. 2-4 Level Response to Loss of Steam Flow Signal
| |
| : 5. 2-5 Loss of Feedwater Flow to One Steam Generator at T ~ One Second, Typical Two-Loop Plant
| |
| : 5. 2-6 Loss of Feedwater Flow to One Steam Generator at T ~ One Second, Typical Two-Loop Plant
| |
| : 5. 2-7 Complete Loss of Feedwater
| |
| : 5. 2-8 Complete Loss of Feedwater
| |
| : 5. 2-9 Auxiliary Feedwater System Schematic, Two-Loop Plant
| |
| : 5. 3-I. Fault Tree for Multi-Loop Loss of Flow 5-3-2 Fault Tree for Single Loop Loss of Flow 5+3 3 Fault Tree for Locked Rotor Accident 5.3-4 Multi-Loop Loss of Flow, Typical Plant 5.3-5 Single Loop Loss of Flow, Two Loop Plant 5.3-6 Locked Rotor Loss of Flow, Two Loop Plant
| |
| | |
| ~ e+l y I A'I 'I' lh P l 0
| |
| V 0
| |
| | |
| LIST OF FIGURES (Cont'd)
| |
| Fi ure No-5.4-1 Zero Power End of Life Rod Ejection, No Trip
| |
| : 5. 4-2 Full Power End of Life Rod Ejection, No Trip 5.4-3 Illustration of Safety Limits and Trip Points for Rod Ejection Accidents, No Trip 5.4-4 Illustration of Transient Trajectories for Rod Ejection Accidents, With No Trip
| |
| : 5. 5-1 Fault Tree for Loss of Load Accident 5.5>>2 Fault Tree for Core Damage, Loss of Steam Load 5.5-3 Loss of Load Accident 5.6-1 Uncontrolled Rod Withdrawal from Subcritical, Fraction of Nuclear Power
| |
| : 5. 6-2 Uncontrolled Rod Withdrawal from Subcritical Condition, Temperature
| |
| : 5. 7-1. Response to a Dropped Control Rod 5.7 2 Response to a Dropped Control Rod
| |
| : 5. 8-1 Safety Injection Actuation Signal vs Break Area
| |
| | |
| ~ e mme ~ e ' ~ '%
| |
| q el t
| |
| * 4 9 ~
| |
| * t
| |
| : 1. INTRODUCTION p o ophy for Reactor Protection and Co ol tomaema xaum use for both protection and control functions of a wide range of measurements. This results in a broad spectrum of redundant protection and control functions. The design approach used permits all equipment components to be identified as protection or control and located accordingly, with electrical isolation and physical separation between them.
| |
| The design approach thus permits not only reduncancy of contx'ol, providing a significant and desirable increment to overall plant safety, but also provides a Protection System which continuously monitors numerous system vax'iables by different means; i.e., Protection System diversity.
| |
| Although the Protection System design basis requires only that random single failures not negate the Protection System, a considerable depth of protection is achieved by the Westinghouse design approach.
| |
| I Systems designers and re-viewers have xecently emphaaLzed the importance of achieving a suitable balance of design obfectives in regard to functional and equipment diversity.
| |
| of control and protection functions, testing, and surveillance to
| |
| "'nteraction
| |
| ~thieve a Protection System design that has adequate capability to cope with both random and systematic failure modes. (Systematic failures are also known as common-mode, or nonrandom failures.)
| |
| 1.1 COMMONWODE FAILURES AND DIVERSITY Common-mode, or systematic failures, are those that partially or completely prevent identical, instrument channels from performing their function-
| |
| | |
| p'
| |
| ~ . 4 * / I
| |
| | |
| dundancy is no t an answer to this tyPe o f failure, since all channels are
| |
| ~ed assume to be affected. Further, these failures cannot be evaluated by
| |
| ~bability pro ao analysis or reliability data; indeed, they are characterized by oversights or deficiencies which presumably would be corrected when first detected.
| |
| The general categories of common~ode failures are:
| |
| a) Functional deficiency - The variable being monitored does not provide the information intended during the course of an accident. This deficiency could be caused by the accident's following a different course
| |
| /
| |
| than calcu1ated by the designers, or by a change in the plant characteristics which changes the relation between the pxocess and the variable being monitored.
| |
| b) Maintenance error - This failure includes consistent miscalibration of all channels of a type, and also circuit modification ox repqir which inadvertently renders the channels functionally inoperative.'esign deficiency - Pailuxe of the equipment as installed to meet functional requirements. This could arise thxough unrecognized dependence on a single, common element., such as ventilation; by an unexpected charpcteristic (such as saturation or slow response) in all controllers of a type; or by the instrumentation being disabled as a result of the accident-d) ~<<mal catastrophe With proper isolation and separation between redundant channels, this is confined to ma)or disasters such as flood,
| |
| <<rthquake, fire, etc. Where separation is not complete, less drastic
| |
| ~vents can have the same result. For example, a falling ob)ect could conceivably sever all cables in a small area.
| |
| 1-2
| |
| | |
| t+ J ~ ~ N Considerable effort is being made in Reactor Protection Systems design prevent these common-mode failures, as illustrated by the examples below.
| |
| However remote, the possibility of a commonmode failure must nevertheless be considered. The likelihood of maintenance errors can be minimized by proper administrative procedures, identification of Protection System components, and complete documentation of the as-supplied Protection System, including the design basis. Design deficiencies can be largely. eliminated by equipment qualification testing and by caxeful review of all potential common elements.
| |
| Redundancy is an accepted defense against x'andom failures which affect only one component or channel at a time. Similarly, "cliversity is a defense against common~de failures which could affect multiple channels.
| |
| Such protective diversity can be achieved in either of two ways: equipment diversity, by providing different types of instrumentat'ion'to monitor the same variable, or functional diversity, by monitoring different plant variables. Functional diversity entails some degree of equipment diversity, P~rily with respect to sensors and setpoints. More importantly, however, functional diversity is not dependent on the calculated respense of any one "ariable during an accident. As a convex'se of this, functional diversity is more complex to demonstrate since the response of several variables must be analyzed for each type of accident evaluated.
| |
| The Westinghouse Pxotection System is therefore evaluated in this report with respect to functional divexsity. To demonstrate diversity where protective action is needed, it is necessary to show combinations of two or more of the 1-3
| |
| | |
| e 4
| |
| | |
| fo 1 lowing barriers" for each accident. Some of these are addressed to the need for protective action, rather than to the Instrumentation System itself . This is considered a reasonable approach to judging the adequacy of a Protection System.
| |
| a) Tolerable consequences for expected conditions - Although worst case" analysis might fail to prove that protection is not needed, the vast majority of cases may have acceptable consequences. Whether or not this is a suitable barrier depends on the probability of adverse conditions (such as excessive inserted rod worth) and the design and operating precautions taken to prevent them.
| |
| b) Low probability of accident - Probability of the initiating fault might be considered, but only in conjunction with the probable consequences.
| |
| That is, a loss-of-coolant accident does not require less protection t
| |
| than a loss of flow accident simply because it is less likely to occur.
| |
| c) Control interlocks - Rod stops or other devices which arrest or modify spurious control action short of reactor trip can be part of the Protection System. Protection System design standards, equipment testing, and Technical Specification limits would therefore be applied.
| |
| nual action - Manual action can be considered a reliable backup to automatic protection, depending on the accident rate, the complex ty the problem and corrective action, and the alarms and indication provided.
| |
| 1-4
| |
| | |
| Automatic reactor trip - Each accident may have a "principle" reactor trip associated with it.
| |
| .) BackuP reactor trip - A second reactor trip function of is an additional barrier.
| |
| In all but a few cases in the Westinghouse design, a specific reactor trip is not categorically either "principle" or "backup": it serves as the principle protection against some accidents, and as backup protection against others.
| |
| : 1. Z PROTECTION SYSTEM- EVALUATION An accident-by>>accident evaluation has been performed in order to evaluate the "depth" or degree of diversity provided by current Westinghouse design. As expected, diversity could not be demonstrated for all accidents. The xesults in genex'al, however, indicate a considerable degree of protection System divexsity.
| |
| The evaluation, reported in-.Section 5 of this report, analyzed each postulated
| |
| ~ccident without credit for protective action to the point at which one of the three following events occurs:
| |
| Inherent plant charactex'istics terminated the accident; b) The consequences are clearly intolex'able', or c) =<<<ting analytical methods are no longer valid (for example, system alculations cannot be perfoxmed with any degx'ee of confidence if severe core damage occurs).
| |
| 1-5
| |
| | |
| o evaluation, the tyne of this type amount of analytical rigor must be reduced Ka as con t on s become increasingly remote and safety lhaits are exceeded is because present technology cannot rigorously support assumptions as system behavior for these remote cases. In large part, this fact explains the reason why such conservative safety limits are selected for design purposes.
| |
| 1-6
| |
| | |
| I SL~5ARY tin house ou Reactor Control and Pro tection Systems the Control In the Westing System is 's seoarate seoara and distinct from the Protection Syst he P"orection Protect on System is independent of the Contro]
| |
| S"ste-"L is highly dependent upon signals derived from the Protectio S through isolation amplifiers; This interre].ationship is illust d in inure -1. he design of the Control and Protection Syst~ d th interactions between them are discussed in detail i Sectio d 4 of this report.
| |
| The design philosophy is to make maxianun usage, for both control and protection purposes, of all measurements of plant variables. For each variable monitored, the best type of equipment available is selected as the vehicle of measurement. Clearly, the requirements for measurements for control or protection purposes so nearly overlap that the optimum equipment for one purpose is also the optimum for the other,.
| |
| It's recognized by those responsible for Protection System design and review that little if any additional safety is achieved by utilizing independent, but identical, measurements for control and protection. In fa<<, it is Westinghouse's position that additional identical channels are seriously disadvantageous jn that more penetrations, maintenance, and control room readouts are required. por example, operator surveiU.ance of protection channels 'is necessarily diluted when plant operation is dependent on other indications.
| |
| | |
| -.n a pressurized Large Pre s water reactor plant, it is almost axiomatic that rturbation which encroaches on safety limits significantly affects
| |
| ~v pertur a For example, a reactivity excursion - such as accidental rod vt.th drawal raw - causes not only an increase in neutron flux and core power, but ~so an increase in coolant temperatures and in pressurizer pressure and level.
| |
| Reliable control is obviously'he best approach to plant safety. The prime, purpose of a control system is to limit excursions before protective action is necessary. Since the control devices must be capable of Limiting excursions, they are also capable of causing an excursion - perhaps in the, opposite direction - if spuriously actuated. Failure of the Control System, either by not acting when needed, or acting when not needed, decreases the leve1 of safety. Redundancy- of control, where applicable, is therefore highly desirable.
| |
| Pressurizer pressure control is a prime example of efficient use of redundant measurements for safe operation via a reliable Control System.
| |
| Two oower-operated pneumatic relief valves are provided to limit pressure excursions within the normal operating range. Although not essential to-safety, these valves increase safety margins for system overpressure
| |
| ~overpressure protection is provided by the high pressure reactor trip
| |
| ~ safety valves). Should either valve be actuated spuriously, however, p~tection against the reduction in pressure might also be required.
| |
| 2~2
| |
| | |
| 'P ' 'h
| |
| ."-our pressure concontro3. channels, derived form the four pressure protection
| |
| -hanne3.s, are use t no sing3.e ins
| |
| -el'ei when needed, nor can any single i Qt~t fail duce pressure to the point at which protection would be needed ressure channels are used to contro1 each valve.
| |
| Mo pressure One pressure channel serves as an interlock, blocking the air supply to the valve on a low pressure a3.arm. Since the pneumatic valve requires air to open, thi's low pressure alarm closes the valve (if open) and holds it closed. In the absence of a low pressure alarm on the first channel, a high pressure alarm on the second channel opens the valve.
| |
| ."-rom the protection System viewpoint, the corollary to maxbaum usage of all measurements is that protection against any given accident is not necessarily confined to measurement of just one variable. Thus the reactivity excursion noted previously, the reactor trip on high pressurizer wager leve3, also provides a degree of protection, even though the basic purpose of this trip is to protect the pressurizer relief piping from water relief surge, through the safety valves. Since completely different. types of measurement are used
| |
| <<r neutron flux and pressurizer water level, diversity does exist in the Protection System.
| |
| Lhe extent of such diversity is evaluated in Section 5 for a wide variety ot accidents. In most cases, two or more diverse reactor trips terminate
| |
| ~ accident before catastrophic consequences can occur. However, the second trip reached (the "backup" ) generally does not prevent the design satey limit from being exceeded. In this context, the design saiety 2-3
| |
| | |
| h suchh as a DNg ratio of 1.30, is itself a highly conservative
| |
| ~ , . exceeding this limit does not imply intolerable consequences.
| |
| ~ one case evaluated - the hypothetical rod ejection accident - protection systemem diversity could not be adequately demonstrated for the worst case.
| |
| ~eyer a rod ej ection is considered to be an extremely unlikely accident one caused by complete and instantaneous mechanical failure of a control rod pressure housing. Further, the probable consequences, as distinct from the worst case, are tolerable since most control rods are fully withdrawn from the core. Even those rods that remain inserted are seldom inserted to their insertion limits.
| |
| ."-or another type of accident - complete loss of feedwater - diversity of reactor trips does exist. Ho~ever, automatic actuation of the auxiliary feedwater system is not diverse for all of'he ways in which feedwater flow could be lost. For those cases, it is shown that manual actuation consti-rutes a reliable back-up to automatic actuation.
| |
| 2-4
| |
| | |
| 'P 7 "I H t
| |
| I 0
| |
| | |
| ILLUSTRATION OF CONT."d)L
| |
| 'lND PROTECTION DESIGN CONTROL SYSTEM l
| |
| (Signal con~itionins, controllers, ~
| |
| I interlocks, and defeat switches)
| |
| CONTROL (From other protection channels)
| |
| PROTECTION ".harm el Channel Channel Channel ' "2 3 4 f 1 In8icatio I Sensor t.otection I C
| |
| C
| |
| \ CJ I Cabling and o Penetrations 4k
| |
| ~
| |
| I
| |
| {test signa IJ
| |
| .ague) CO C IH
| |
| ! P ewer (test Suoply !
| |
| r adout) g Isolation ~g I ; ihmplifier I
| |
| ~ est O ~
| |
| Cl
| |
| +I Bistable l cd I 0cC C CJ PROTECTION LOGIC a&CKS TRAIN TO REACTOR TRIP BREAKERS FIGURE 2-l
| |
| | |
| 'I
| |
| ~,
| |
| 1 "k
| |
| 0 P
| |
| | |
| CTIONAL DESCRIPTION REACTOR CONTROL AND PROTECTION SYSTEH
| |
| ~~CTIONAL 3.1 REACTOR PROTECTION SYSTEH 3.1.1 GENERAL
| |
| 'r'1 and Protection Szstm functi~ d i, ,
| |
| based on the Robert Emmett Ginna Nuclear Station of the Rochester Gas and Electric Co. (RGBE). It is representative of Westinghouse design practice.
| |
| All reactor trips meet the following criteria:
| |
| a) A single fai1ure shall not negate a reactor trip b) All channels are capable of calibration and maintenance at power.
| |
| 3.1.2 REACTOR TRIPS 4
| |
| A resume of reactor trips, means of actuation and coincident circuit requirements is given in Table 3.1-1.
| |
| i~fllnual Trig Depressing either of two manual push buttons on the main control board actuates a reactor trip.
| |
| Hi h Nuclear Power (Power Ran e)
| |
| Dual trip settings= are provided:
| |
| 3.1 1
| |
| | |
| "l ca. \ "1 ~
| |
| ) Low (approximately 25X) b) High (approximately 110X) .
| |
| setting can be manually blocked when power increases above P-10*
| |
| The low (approximately 10X power) and is automatically reinstated when power decreases below P-10.
| |
| These circuits trip the reactor when two of the four external ion chamber average flux signals are above the trip setpoint.
| |
| Hi h Nuclear Power (Intermediate Ran e)
| |
| This circuit trips the reactor when either of the two intermediate channels indicate above the trip setpoint, Et may be manual1y blocked when power is above P-10 and is automatically reset when power decreases-below P-10. Expected trip setpoint is 25X.
| |
| HL h Nuclear Power (Source Ran e)
| |
| This circuit trips the reactor when either of the two intermediate P
| |
| range channels indicate above the trip setpoint. It may be manua11y blocked when two intermediate range channels reads a value above P-6 and is automatically reinstated when both intermediate range channels decrease below P-6. Trip setting is between P-6 and the maximum source range power level.
| |
| * P-( ) designates a permissive circuit to block or activate a trip function.
| |
| These circuits are defined in Section 3.1.3.
| |
| | |
| 4 ~ I'
| |
| ~Fj t
| |
| temperature 4T yvertemoe Trio purpose oof this trip is to protect the core po , p ssure, temperature,
| |
| 'cion Two out~ f four per eactor c oop ~ For each channel lative measure of reactor power and is compared with a continu ously calculated setpoint of the form:
| |
| 4T setpoint
| |
| ~KL +K2 xPressure-K J x T>>f(4I) avg
| |
| ~en the reactor coolant loop 4T exceeds the calculated setpoint, r
| |
| the atfected channel is tripped.
| |
| Zn the above equation, 4Z is the difference'between the top and bottom power-range ion chamber signals.. This compensation signal automat-ically reduces the trip setpoint if adverse axial core power signal is I
| |
| distribution exists. Dynamic compensation of the T avg also provided to compensate for instrument and piping delays between the reactor core and the 'loop temperature sensors..
| |
| A schematic representation of this circuit is shown on Figure 3.1-1.
| |
| An illustration of the setpoint is shown on Figure 5.1-6.
| |
| Overoower 4T Tri The purpose of this trip is to protect against excessive power (fuel
| |
| <<d power density). Two-out-of-four trip logic is used; there are two channels per reactor coolant loop.
| |
| 3.1-3
| |
| | |
| i Ne setpoint tor for eeach channel is calculated as:
| |
| ~K4 -K5 dt Tavg
| |
| -K 6 (T
| |
| avg
| |
| -Tavg )-f(II)
| |
| ~ 'quation>
| |
| equat o f (41) is the same function as used in the overtemperature
| |
| - serpo nt tpoint equation.
| |
| e The term K5 compensates for the piping and instrument t delay. The term K6 compensates for the change in density and heat
| |
| ~ac ity ty of o water with temperature (T's avg the nominal T avg at full power) .
| |
| ~th K and K 6
| |
| are limited such that the rate and/or magnitude of T avg can only decrease the 4T trip setpoint from its normal value at full power.
| |
| ected steady-state trip setpoint is llOX of the indicated hT at full poMer; i.e., llOX power.
| |
| A schematic representation of this cricuit is shown on Figure 3.1-2.
| |
| ~ Pressure Tri
| |
| .he purpose of'this trip is to protect against excessive boiling in the core and to limit the pressure range in which coze DNB protection is required for the overtempezature aT zeactor trip. This circuit trips the
| |
| :eactor on coincidence of twmf-four channels. It is automatically blocked below P-7. The expected setpoint is 1715 psig.
| |
| -"-'- h Pressure Tri
| |
| =he purpose of this trip is to protect against overpressure and to limit the es<<<< range in which core DNB protection is required of the overtemperature Wected setpoint is 2385 psig.
| |
| -a<< circuit trips the reactor on coincidence of two~f-three channels.
| |
| 3.1-4
| |
| | |
| ~ h Pressurizer Water Level Tri tzip provides a backup to the high pressure trip and also prevents the zessuzizer pzessuz safety and relief valves from relieving water for credible accident conditions. Expected setpoint is 92X of span.
| |
| This circuit trips the reactor on coincidence of two-of-three channels.
| |
| Xt is automatically blocked. below P-7.
| |
| Low Reactor Coolant Flow This circuit is provided to protect the core from DUB following a loss of coolant flow accident. The means of sensing a loss of coolant flow accident aze as follows:
| |
| a) Measured low flow tn the reactor coolant piping b) Reactor coolant pump circuit breaker open c) Undervoltage on reactor coolant pump bus d) Underfrequency on reactor coolant pump bus The low flow trip signal is actuated by the coincidence of two-of-three signals per loop. Above P-7, reactor trip occurs for a loss of flow in both loops; above P-S, reactor trip occurs for a loss of few in either loop. Expected setpoint is 90K of indicated full flow.
| |
| The reactor trip signal derived from reactor coolant pump breaker position is actuated by a single auxiliary contact'or each reactor coolant pump breaker. Trip logic is similar to the low flow trip; above P-7 reactor trip occurs for a "breaker open" signal from any two breakers; above P8.
| |
| a signal fzom any one breaker actuates a reactor trip.
| |
| | |
| trip provides additonal reactor protection against
| |
| ~ wg
| |
| ~ undervoltage reactor~~tor powers coaplete loss o
| |
| ~
| |
| a ~
| |
| V
| |
| ~
| |
| 4 oa Lcw voltage on o o~t pump buses as d b
| |
| ~crvoltage se ected setpoint is 70Z of
| |
| ~ princip e, a rapid decrease in electrical frequency can decelerate th a
| |
| ~tor coolant pumps faster than a complete loss of power. An underfrequency condition on both reactor coolant buses, as sensed by either of two under>>
| |
| ~ t jr a
| |
| t frequency relays on'ach bus, trips the reactor and opens both reactor coolant pump circuit breakers. Expected setpoint a
| |
| is approximately 58 cps.
| |
| Safety Xn ection S stem Actuation Tri (SIS)
| |
| "pon actuation of the Safety Infection System, the reactor fs tripped to decrease the severity of the accident condition. The means of actuating the Safety In)ection System and thus tripping the reactor are as follows:
| |
| l a) Low pressurizer pressure (1715 psig) in coincidence with low pressurizer water. level (5Z span). Any one of the three circuits La actuates the SIS. This function may be manually bypassed below 2000 psig.
| |
| ~ Pressure (500 psig) in any steam line. A coincidence of two~f-three signals for any steam line actuates this function.
| |
| This function can be manually bypassed when reactor coolant pr~ssure is below 2000 psig.
| |
| c) "igh containment pressure (6 psig). coincidence of two-of-three A
| |
| signals actuates the SIS.
| |
| d) Manual Actuatj on
| |
| | |
| f
| |
| ~ ~
| |
| | |
| Trio tr tripps sensed by loss of autostop oi1 pressure or by turbine stop g turbine
| |
| ~
| |
| losure actuates a reactor trip during high power operation. Trip pic is<s ~o~r-three for the autostop oil pressure switches and two~f-two sor the stop valve position switches. This trip is in coincidence with
| |
| ~ssiye circuit
| |
| ~r~sszve ci P-7 (blocked below 10X power) and permissive circuit P-9
| |
| ~blocked below 50X power unless condenser steam dump is blocked).
| |
| Low ."-eedvater Plow Reactor Tri For either steam generator, low feedwater flow (compared to steam flow) in coincidence with low steam generator vater level actuates a reactor trip.
| |
| 'Ms protects the reactor against a sudden loss of heat sink. This condition is sensed for either steam generator if e'ither of: two steam flow
| |
| ~ feedvater flov channels indicate a difference greater than a setpoint and either of tvo steam generator narrow-range level channels indicate less than a setpoint. Expected setpoints are 0.7 x. 10 6 lbs/hr and 30X of span respectively.
| |
| Low Steam Generator Water Level Tri
| |
| ~e purpose of this trip is to protect the reactor from a '1oss of heat sink
| |
| -<< the case of a sustained steam/feedwater flow mismatch which is too ll <<actuate the low feedwater flow trip.
| |
| ~~h~-ss trip is
| |
| ~
| |
| actuated on coincidence of two-of-three lov-lov level signals
| |
| ~
| |
| n steam generator. Expected setpoint, is 15X of narrow range level span-3.1-7
| |
| | |
| /t 6.,
| |
| .t
| |
| ;>)
| |
| 0 C
| |
| : 3. '.33 >MQSSIVE CIRCUITS ously to permissive circuits Reference has been ma p
| |
| - ~ ~its are use to o k certain activities as well ac 'vfties.
| |
| t of Permissive Circuits nunbnc Funccfnn ~Xn uc Rod withdrawal stop One~ f-four high nuclear on overpower (Automatic power (power range)*;
| |
| and manual) one-of-two high nuclear power (intermediate range* l; one-of-four overtemperature AW; or one-of-four overpower AT*.
| |
| Automatic rod with- One-of-one turbine first stage drawal stop at low steam pressure power.
| |
| I Automatic rod with- Oneof-four rapid decrease of drawal stop on rod nuclear power or rod bottom drop indication h
| |
| Selection of steam Turbine trip signal dump controller mode Permit manual block of One~f-two high intermediate source range high range nuclear power allows nuclear power trip manual block, twomf-two low intermediate range nuclear power automatically reinstates trip.
| |
| ."~y
| |
| ~ ~ ally e
| |
| bypass on individual channels.
| |
| blocked if peanissive circuit P-10 is cleared.
| |
| | |
| ~ '
| |
| ~ssive Circuits (Cont'd) t of Pe ss luabaa puaaaiaa ~Xa ua permissive power Threemf-four low nuclear power (block various trips and onemf-two low turbine at low power) impulse stage pressure Block single primary Threeof-four low nuclear loop loss of flow power trip Block reactor trip Three~f-four low nuclear power on turbine trip and condenser steam dump avaQ-able (not locked out by high condenser pressure or by loss of both circulating water pumps) 10 Permit manual block Two-of-four high nuclear power of intermediate range allows manual block, thre~f-power level trip and four low nuclear power rod stop and low automatically reinstates the power range trip trips 3.1.>> ROD STOPS A complete list of rod stops is noted below.
| |
| Rd Stop List Rod Motion Fuaaataa Actuation Si nal to be Blocked a) Rod drop One~f-four rapid power Automatic withdrawal range nuclear power (redundant, contacts) decrease or any rod bottom signal b) Nuclear Oneof-four high power Automatic and manual Overpower range nuclear power or withdrawal one-of-two high intermediate range nuclear power 3.1-9
| |
| | |
| t
| |
| ~ g
| |
| | |
| 4
| |
| -top ~st (Cont d)
| |
| Rod Motion UjjCj:Xjjn Actuation Si nal to be Blocked c) iU.gh 4T One-of-four overpower Automatic and manual 4T or one-of-four withdrawal overtemperature 4T (Manual bypass on indi-vidual 4T channels)
| |
| (Actuation of this rod stop initiates a continuous turbine load reduction until the actuation signal is'emoved) .
| |
| d) Low power One-ofmne low turbine Automatic withdrawal impulse stage pressure H
| |
| e) T One-of-four T devia- Automatic withdrawal avg avg deviation tion from average T avg and insertion 3.1.5 LQXCATION F
| |
| Control Board Xndicators and Recorder
| |
| -All transmitted analog signals which actuate reactor trips, rod stops, oz permissive circuits are either indicated or recorded for every. channel-Also. variable trip setpoints (overpower 4T and overtemperature 4T) are icated or recorded for every channel.
| |
| Central Board Annunciator Panel
| |
| ~y of the following conditions actuate an alarm:
| |
| Reactor trip (first out annunciator) b) .aztial reactor trip (any channel)
| |
| ~wi
| |
| ~i<<deviation oz level nuclear power, of any control variable (pressure, T, pressurizer level) for avg'li and steam generator any channel.
| |
| 3.1-10
| |
| | |
| ~ >>~ t 'lv l%1~ y W C ~ ns ' r, zy ~ \ ~
| |
| t"o>.3oard Status Pm&
| |
| status of each reactor trip channel is continuously displayed
| |
| 'c" I on the trip status panel'-'.
| |
| status o f each permissive circuit is continuously displayed on th pe~sive stat panel
| |
| ~~'reactor trip channel;bypass is. continuously indicated on the hypos status pmn-17
| |
| 'I
| |
| ~ a
| |
| : 3. 1-11
| |
| | |
| s P k
| |
| | |
| y ll+ ~
| |
| ~ l IE ~
| |
| Tgtp CplHClUEHCY. ClRCULTRY b lHTERIXKKS l.'ON 1 k l)1 S I. fluuual 1/2, no interlocks
| |
| : 2. High nuclear flux 2/4, no interlocks for high setting High and low setttngs; manual P-10 for low setting block and automatic reset of low setting 3.',
| |
| lligh nuclear flux (inter>> 1/2q P-10 mediate range)
| |
| High nuclear flux (source range) I 5, Overtemperature LiT 2/4; no interlocks
| |
| : 6. Overpower hT 2/4, no interlocks 7 . Low'ressure 2/4> blocked by P-7
| |
| : 8. High pressure 2/3> no interlocks
| |
| : 9. High pressurizer 2/3, blocked by P-7 water level 10a. Low Flop 2/3 per loop~ p 7~ P>>S 10b. Pump breaker trip 1/1 per loop] P 7) P+S 10c. Undervoltage t 1/2 '1/2~ P-7 10d. Underfrequency 1/2 + 1/2 P-7 SIS actuation 1/3,. (low pressurizer pressure and low pressurizer level); 2/3 Low pressure in any steam line; or 2/3 high containment pressure
| |
| : 12. Turbine trip 2/3 autostop oil or 2/2 stop valves>
| |
| P;7] P-9 13, Low feedwater flow 1/2 + 1/2 per loop, (flow mismatch in coincidence with low leyel)
| |
| : 14. Low-low S.G. water level 2/3$ per loop
| |
| | |
| AT setpoint 1 K4 C3.
| |
| Comparator 2/4 ogic 0
| |
| Tayg C3 C 4 h
| |
| n>
| |
| AYO T38 8
| |
| hot Rod Comparator Stop T
| |
| c 0~POWER AT CHANNEL (ONE CHANNEL OF FOUR SROHH)
| |
| FIGURE 3.1-2
| |
| | |
| l
| |
| .l
| |
| | |
| CONTROL SYSTEH t am dumP are available: condensex'umP and atmosPheric yq steam <cle cy valve arrangement is shown on Figure 3-2 C0gDENSER S~ QUMP SYSTEM Svs ea Desi steam lines are installed to dump steam from the steam generators directly co the condenser, bypassing the turbine. Connections with the steam mains axe downstream of the stea'm main isolation valves.
| |
| ralves and LLnes are sized to pass 35X of turbine auuctunan calculated steam flow at full load steam pressure.
| |
| Condenser steam dump performs three functions:
| |
| Following a sudden loss of load of up to 210 MRe {about 45X of
| |
| =aximum calculated turbine load), condenser dump acts as an artificial load removing excess power and stored energy while the reactor power is decreased to match the xeduced turbine
| |
| \
| |
| In this manner, the condenser steam dump acts to prevent a reactor trip.
| |
| Condenser steam dump, together with feedwater addition, removes stored energy in the Reactor Coolant System following a plant trip, bringing the plant ro equilibrium no load condition without 3.2-1
| |
| | |
| r
| |
| ~tuation o f the s team generator saf ety valves . It also maintains gg pJ.ant 1 t at hot shutdown by removing residual heat.
| |
| ser ste condenser steam dump is used for plant cooldown to cold shutdown.
| |
| ~~er steam dump is used to improve operational flexibility. For
| |
| ~le, an trip may occur following a large load reduction a plant ap if
| |
| ~4.user steam dump is not available.
| |
| ~ condenser steam dump system uses modulating, Unear-characteristics,
| |
| ~~crated valves (air to open). Their stroke time is approximately 5 aecaads. Xn addition, they can be tripped from the fully closed to tate fu11 open position within 3 seconds after receiving an input eLectric trip signal. While this trip signal exists, the valves are bahf ~ the fully open position. When the trip signal does not exist, che valve position is determined by a variable input electrical signal-For condenser protection, condenser steam dump is blocked by high
| |
| ~enser pressure. Other interlocks'described below) are used
| |
| ~ ~e same manner to avoid spurious operation.
| |
| ~pur'<<ous actuation of steam dump may cause a plant trip In addition,
| |
| '- the ralves stay open, an uncontrolled cooldown results. For these the steam dump control system is required to meet the criterion signal failure shall cause spurious actuation-3 ~ 2~2
| |
| | |
| Control System
| |
| ~e funct on al block diagram for the Condenser Steam Dump Control Svstem is shown on Figure 3.2-2.
| |
| Load Re ection Control
| |
| ."-or partial loss of turbine load, steam dump is controlled by the error signal between T avg and T ref'vg f, where T is is the average of four the progz~ed, se~
| |
| reactor coolant average. temperatures and
| |
| .T ref, point for Tavg as a function of turbine load. (These signals are the same as those used in the Reactor Control System.) Following a turbine load decrease, T ref is imm'ediately reset to a lower value, causing an error signal. If the error signal exceeds the deadband for the load.
| |
| re)ection controller, the dump valves are modulated open. If the error signal exceeds the HI setpoint, a trip. signal is generated which rapidly opens four of the eight valves to their fully~~en position.
| |
| At'he occurrence of a HZ-HI trip signal, all eight valves trip open.
| |
| The distinction between modulating and tripping valves open is made because of the difference in required time for both of these actions.
| |
| If valves are already modulated open corresponding to the error signal
| |
| << the time a trip open signal is generated, no additional trip action takes place.
| |
| Sin~e the steam dump system requires a finite time to, act, an increase avg is to be expected. Lead/lag compensation for T avg increases 3 ~2 3
| |
| | |
| ~gcect g off T on the error, thereby compensating for the legs l response and valve positioning.
| |
| - Treff errox'ignal
| |
| ~ ~d contratrol system ~ also acting on the Tavg reactor power by reducess reac control rod insertion. avg appx'oaches tpoint steam dump is redu valves are fully seated M en ough to be handled oontroL system alone.
| |
| Ln order to prevent actuation of steam dump on small load perturbations,
| |
| ,r a block is provided which prevents valve response to either the trip
| |
| ~ modulate signal unless a turbine load reduction has occurred. AIl elcaents of this channel, including the turbine impulse chamber pressure tap, are independent of the steam dump control system described above.
| |
| 4 rate/lag unit in this channel generates an output proportional to
| |
| ~ rare of decrease in turbine load; This output, when indicating a Load rejection gxeater than lOX step or 5X/mLnute ramp, removes the Once unblocked, this block is manually xeset. Minual- contxol of ~team dump also removes this block.
| |
| 7uxb inc Tri Control
| |
| ~~e of the laxge heat capacity of the Reactox Coolant System and
| |
| ~~ high T full load avg at the steam generator safety valves would
| |
| ~ '~owing a turbine trip if there were no other means of removing ed heat. 'ondenser steam dump and subcooled feedwater flow 3.2-4
| |
| | |
| plant to thermal no-load equilibrium without
| |
| ~ ~ed to bring
| |
| - e lease ea to atmosphere. I e trip, monitored by loss of turbine autostop oil thee load o re]ection steam dump controller is defeated and plant tr tripp controller becomes active. In the Tavg control mode,
| |
| ~ errorr ssignal gn is Tavg - T no-Load'he d'nd steam dump is proportional same error signal is used for on-off control of
| |
| ~ fe~>>ter control valve, as described in 3.4, Steam Generator
| |
| ~L Control. As T. is reduced to its no>>load setpoint, steam'vg reduced and feedwater is shut off. As in the case of p load re)ection, if the error signal exceeds the HX setpoint, a trip asgaaL w generated which trips open four of the eight valves to their iull~pen position. At the occurrence of a HI-Hl trip signal, all
| |
| ~ght valves trip open. GeneraUy, the valves are not closed completely l
| |
| ~use of decay heat. No-load conditions are established within mo minutes.
| |
| pressure Control
| |
| 'or ><<g term removal of residual heat at hot shutdown, o~ during plant it>rtup or cooldown, the plant operator can manually switch to steam der pressure control. In this control mode, condenser steam dump o maintain a preset pressure in the steam header. A manual
| |
| ~tion is provided so that the operator can ad)ust the setpoint
| |
| ~<<ssure or manually position the valves.
| |
| 3.2-5
| |
| | |
| ~ pbbs j,
| |
| | |
| S>H~ZC S~ RELIEF SYSTEH uoayher'c steam relief valves are mounted on the steam mains upstream ves. At the set pre 4g ~>o steam (about 1050 psig),
| |
| calcu'c flow have provisgon f e s less than Z0 Provided to reduce d to permit a plant oold dump is not available. These functions are explained below.s'cedia a) If a plant trip is caused by loss of condenser vacuum, condenser dump m bIocked. The 'steam generator safety valves are available to remove stored energy from the Reactor Coolant System. Atmos-
| |
| @heroic steam relief reduces the steam pressure below the safety valve set pressure within two minutes after the trip. This prevents'ontinuous chattering of the safety valves as residual beat m removed from the reactor.
| |
| Plant coo]down is accomplished by steam dump. If condens<<dump not available, the atmospheric relief is adequate to cool d~
| |
| to the temperature and pressure at which the residual heat removal system can be used.
| |
| 3.2-6
| |
| | |
| C) Zn the event of a plant trip caused by an overpower/overtemperature condition or by a faU.ure in the feedwater system, the atmospheric steam dump provides additidhal relief capacity, reducing the pro-babDity of safety valve actuation.
| |
| Separate controllers are provided for the atmospheric dump valves on the two steam generators, permitting independent pressure regu-lation if the steam generators are isolated.
| |
| 3e 2~7
| |
| | |
| AVG T~at 1 K3 V2 Swl T
| |
| cold P
| |
| K2 2
| |
| E AT setpoi t 2]4 Comparator Logic 3 C 4
| |
| hot Rod Comparator Stop cold /
| |
| 0$ EBTEMPEBATURE AT CHANNEL (ONE CHANNEL OF POUR SHOWN)
| |
| P1GVRE 3.1-1
| |
| | |
| . ~ ~
| |
| I F~
| |
| ISAtIM Nntrr YAllg
| |
| . VAl VN kLN.IQ'AI.VL
| |
| )
| |
| I IA)I AT I lNli rl EnM l J Olla:K VALVE lEHEl/ATOR IOOla'nON BYPASS .VALVE HAIN TO TURBINE FEEDWATEE AUXILIARY CON1'AINMENT FEEUHATER
| |
| +P go I i CONDENSER STEAM DUMP VALVES TO CONDENSER
| |
| <<TEAM IEHERATOR B
| |
| MAIN FEEWATER AUXILIARY FEEOHATER Figure 3.2-1 STEAM CYCLE VALVE ARRAMEMENT
| |
| | |
| I i
| |
| | |
| STEAM DUMP STEAM DUMP
| |
| )ER PRESSURE SELECTOR CONTROLLER SWITCH r
| |
| RATE +
| |
| RESET AUTO"MAN MODULATE STATION ANALOG COHDEHSER SWITCH DUMP OPERA- VALVES
| |
| ~en PROP .
| |
| /LAG TING ON COMPENSATION TURBIHE TRIP SIGHAL TURBINE-TRIP SIGNAL Hi-LEAD/LAG
| |
| (( <>> s).
| |
| COMPENSATION I Jf<Sgl+fg $ )
| |
| TURBZHE TRIP TRIP OPEH GROUP A VALVES INTER-LOCK OR TRIP OPEN GROUP A B VAL~
| |
| L LOGIC 8c STEAM DUMP VALVES.
| |
| TRZ TRIP OPEH ONLY IF I COmZROLIhR UHBLOCK SIGNAL IS PRESENT (SEE BELOW)
| |
| Hj E LOSS OF LOAD INTERLOCK r:J+ UHBLOCK STEAM DUMP VALVES SIGHAL A- - ROPRIATE POSITION OH SKZCTOR SWITCH ZHTKGDCK TURBINE TRIP SIGNAL BYPASSES LOSS OF LOAD INTERLOCK Figure 3.2-2 AHD UHBLOCKS STEAM CONDENSER STEAM EUMP CONTROL SC1HHE DUMP VALVES
| |
| | |
| 1 1l f 'V ( Y+gpQ+g+q+gl Y f " Al +J
| |
| | |
| 3 3 REACTOR CONTROL The basic Reactor Control System consists of three channels, which
| |
| - ) and reactor coolant avg ),
| |
| re temperature are (T powez'ismatch (QT Q (P) ~ The output 'of these three channels is used to drive
| |
| 'x'essure the control rods via the rod program. A schematic representation of the control system is given in Figure 3.3>>1.
| |
| The functions of each of these channels are as foU.ows:
| |
| a) To maintain the programmed Tavg as accurately as possible b) To be responsive to load perturbations without causing undue movement and reactor trips c) To take corrective action in the case of large load changes if the pressure exceeds the limits of the noxma1 pressure control.
| |
| The T erature Channel The temperature channel functions to maintain the programmed temperature
| |
| -(T as accurately as possible. The main requirements of this channel avg )
| |
| are that it should be accuxate, stable and repeatable. This is the dominant contx'ol channel in steady-state conditions.'he Power Mismatch Channel The power mismatch channels provide control stability and fast response t>>oad pertuxbations. The output is proportional to the mismatch between turbine power and nucleax power. A high-pass filter in this channel ensures that steady-state calibration errors in the input power signals "as no effect on steady-state control.
| |
| 3.3-1
| |
| | |
| . at I ,
| |
| g l~ jl
| |
| | |
| ~other requirement of this channel is that its steady-state output should be zero even though a Axed offset in power signals may exist.
| |
| The Pressure Channel This channel is provided to prevent large pressure changes foU.owing a large change in power. It retards the rate at which the controller changes T avg to its new programmed set point. (If Tavg were to be changed too rapidly, pressurizer pressure contxol might not be able to maintain pressure within the normal operating range.)
| |
| The pressure control channel has an adjustable deadband, so that only large pressure changes have an effect on rod motion.
| |
| This channel is not required for initial plant. operation.
| |
| The Rod S eed Pro am The rod speed program is made up of four parts: ari adjustable deadband, a minimum speed, a proportional speed, and a maxLmum speed. The auucLannn speed is dictated by the mechanism design. A11 the other settings are ad)ustable. Expected set points are + 1.5 F for the deadband, and + 5 F for amximum rod speed demand.
| |
| The outputs from the three channe1s mentioned above feed into the summing amplifier associated with the rod program.
| |
| 3a3~2
| |
| | |
| Ijgg~gi 4t'~ s
| |
| ~ A)t l(~<lI>I l.(I ~
| |
| ') F
| |
| ~As) u AVO l Turbine Im ulse Pressure
| |
| ~gS+1 Speed 4n
| |
| + 0 ariable Gain E
| |
| T t6S+
| |
| S 1 +
| |
| Pressurizer Pressure tyS+1 E
| |
| ~88 + 1 Pressure Set oint REACTOR CONTROL SYSTEH Figure 3.3-'1
| |
| | |
| ~ I ~ I 4 j ~
| |
| CONTROL M CINERATOR LEVEL operation, ope the position of the main feedwater control valve is 11ed by the three-element controller (feedwater flow, steam flow, At low loads a bypass control valve is used.
| |
| >+tpoint o f the 1 evel contro 11 er is a funct ion of load, programned ise with load between OX and- 2OX load. A deviation alarm provides
| |
| ~ti~uous monitoring of the level channel used for contxol versus the programmed level.
| |
| ~> narrow-range level channels are indicated. The wide-range level channel is recorded.
| |
| .he steam flow and feedwater flow signals aze supplied by either of two transmitters as selected by a contxol board mounted selector switch. The steam and feedwater flow signals used for control are recorded on a two pen recorder.
| |
| ":ollowing a turbine trip, automatic control of the feedwater valve is switched from the three mode level controller to on off Tavg control.
| |
| <1 <<edwater control valves under automatic control are fully opened to admit auucbnum feedwater, then fully closed as no-load T avg approached to avoid excessive cooldown of the Reactor Coolant System.
| |
| ~<<1 contzol of feedwater control valve position is available at the ontrol board. This mode o f control overrides automatic contzol on either level or T avg 3.4-1
| |
| | |
| tO ~ +~~' " ' =
| |
| * 4%- 4'ft'%41 ' 'V ~ ~ k / +' ' t p i t'
| |
| | |
| order to prevent excessive'moisture cazxyover caused by high steam
| |
| ~ erator water lev~. a sig al of high water level ove~des a3. Other tzol and closes the feedwater control valve. The signal is obtained from coincidence of two-of-three level channeLs above a preset value.
| |
| This override is automatically removed from the main control valves as the water level drops below Che set value. Manual reset is required for the bypass control valve.
| |
| The signals affecting feedwater valve control, in increasing the order of priority, are listed below:
| |
| a) Three-element level control or on-off T control (dependent on avg whethez or not'turbine is tripped) b) Manual control c) High level override (closes feedwater valves) d) Safety Injection System actuation (closes feedwater valves).
| |
| A wide-range level channeL, calibrated for no-load conditions, fa provided co allow manual control at hot shutdown and is also useful at cold shutdown This channel includes a recorder.
| |
| 3.4-2
| |
| | |
| ~~q BR ~ PROTECTION SYSTEM SYSTEM ACTUATION QEEIY INJECTION o f act actuating the Safety Injection System have been noted in Those particularly concerned with steam line break pro-
| |
| ~~4 3~ ~~a
| |
| ~An are low o steam 1 ine pressure and high containment pressure.
| |
| ~
| |
| low steam line pressure signal is generated by the coincidence of
| |
| ~ f three channels below approximately 500 psig for either steam line.
| |
| ~~ high containment pressure signal is generated by the coincidence of
| |
| ~f-three channels above approximately ten per cent of containment
| |
| ~ign pressure.
| |
| 3.5. 2 FEEDWATER LINE ISOLATION Any safety infection signal isolates the main feedwater lines by closing all four main control valves, tripping the main feedwater pumps, and closing the pump discharge valves.
| |
| 3.5-3 STEAM LINE ISOLATION a) High steam flow in coincidence with any safety in)ection signa1 closes the isolation valve in that steam Une.
| |
| One-out-of-two steam flow signals above a HI-HI ~p p (approximately 120X of fuLl load steam flow)
| |
| One-out-of-two steam flow signals above a HI trip point (approx-imately 20X of full load steam flow) in coincidence with two-out-of-four low T avg signals (below approximately 540'7) 3.5-1
| |
| | |
| ll IJ, J, ="
| |
| 4~1' ~ ~
| |
| "J
| |
| | |
| bi ~e coincidence of tv~f-three high contaf.nment pressure signaLs Rctustion~
| |
| 3.5-2
| |
| | |
| A '~
| |
| 8)
| |
| | |
| .OV <VD CONTROL SYSTEMS DESIGN PRINCIPLES PUNCTIONAL DESIGN os oohy p hi los p for functional design Protection System is to derive on ~wirectly re from the process variables of interest whenever possible.
| |
| ~oner, safety limit protection is assured independent of the ting acc'dent.
| |
| . ~ertemperature high delta-T trip protects the core against Departure nucleate Boiling (DNB) for all combinations of pressure, temperature,
| |
| ~r. and axial power distribution. Thus, this single trip prevents DNB
| |
| !'r .-cd <<ithdrawal accidents, boron dilution, xenon oscillations, and cxcessire load variations. Protection against other limits, such as excess ve power, density and system overpressure, is also provided by close
| |
| ~itorinz of the variable of direct interest.
| |
| ;c ce="ain cases, however, these general protection functions are not rapid enough, or complete enough, to assure protection against a specific accident, such as loss of coo~~nt flow. In these cases, specific trip functions are orovidec, such as reactor coolant pump bus undervoltage and reactor coolant
| |
| ~ or ce""ain more cre"'ble transients, such as turbine trip, a reactor trip
| |
| -s derived from the 4
| |
| .nitiating event even though safety limf.ts would not oe exceeded if a reac":= trip were delayed until an overpressure or over-tempera=ure rri" oc" "red. 1n this manner, undesirable excursions are preven=ed, rathe t"..sc terminated.
| |
| 4.1-1
| |
| | |
| F~~lly, certain ce protective functions are provided primarily to ensure the
| |
| @fan ufng integrity of plant component and piping systems. Examples include or trip on high pressurizer water level to protect safety valve relief
| |
| .eac -or Co and reactor trip on loss of feedwater to any steam generator. (The
| |
| @clear safety requirement is to prevent complete loss of heat sink; i.e.,
| |
| 'oss of feedwater to all steam generators.)
| |
| ."-or equipment design purposes, no distinction is made between the various categories of protection mentioned above. The same criteria and design oractice are appLied to all channels. Other alternatives are neither defensible nor practical, since all of these protective functions enhance nuclear safety and complement or supplement one another.
| |
| :his approach requires an instrumentation system that measures, on a timely, accurate, and reLiable basis, dominate nuclear plant process variables.
| |
| instrument ranges, sensitivity, and time response must be selected consistent Wth the range and variation of each variable monitored. Also, since many process variables are monitored, considerable overlap in protection functions is a natural consequence.
| |
| : 4. L-2
| |
| | |
| ~l st 'I ~
| |
| CONTROL SYS~ FUNCTIONAL DESIGN Power level and reactor coolant temperatures are controlled automatica3.l.y in a Westinghouse PWR Plant. The reactor is controlled to foU.ow any turbine load perturbation. This is ideal for load frequency control. The automatic Reactor Control System, therefore, forms an essential part of the plant operation. It is basically a regulating system which maintains proper steady-state operating conditions, thereby assuring adequate margins to trip settings for operational purposes and proper economic performance.
| |
| Other automatic control systems are pressurizer pressure and level control, feedwater control, and steam dump control. These systems are also essential to maintain normal operating conditions or to suppress excursions imposed by oaerational transients without recourse to protective action. As in the Protection System design, this requires an instrumentation system that
| |
| \
| |
| measures, on an accurate, timely, and reliable basis,'ominate nuclear plane process variables. Theqe variables are, for the most part; the same as those required by the Protection System: loop temperatures, neutron flux; oressurizer pressure and level, steam generator level, steam flow and feedwater flow. In addition, the time response, instrument, span, and
| |
| ~~nsitivity requirements for measurement channels serving each of the two
| |
| ~y~tems are similar. As a result, primary sensor and transducing equipment that is acceptable for use with the Protection System should also be employed with the Control System.
| |
| Failure of the Control System to act when needed, or spurious actuation when not needed, generates a need for protection. The safest, plant is 4.2-L
| |
| | |
| o niped to be one that requires the Least protection. For this reason, well as the economic desirability of avoiding plant outages which could gave been prevented by proper control actions, every effort is made to ensure reliable control. Wherever practical, control interlocks and/or redundant control devices are provided to ensure that controL action takes olace when needed - but only when needed. Controller-induced excursions causedby a single sensor failure are largely eliminated in Westinghouse design practice.
| |
| | |
| i.
| |
| FEED PLOW
| |
| ~ g++S SF FW FW L3 1 Pl P
| |
| LEVEL CONTROL 2)
| |
| SYSTEM l
| |
| I I I I I
| |
| )Xg PROP +
| |
| INZEC I I I
| |
| I I
| |
| ~
| |
| I -,
| |
| I I
| |
| I I
| |
| I I
| |
| PROP + I INTEG I
| |
| I I
| |
| I PEEDWATER I CONTROL VALVE I ACTUATOR I
| |
| I I ~ /7 t~ 1/2 LO Ji FLOW I
| |
| LEGEND t
| |
| FWF - PEEDWATER PLOW TRANSMITTER SF - STEAM PLOW TRANSMITTER P - STEAH PRESSURE TRANSMITTER 2/3 L - LEVEL TRANSMITTER 2/3 HI LO-LO I
| |
| I 2/2 I -
| |
| ISOLATION AMPLIFIER LEVEL h DIPPERENCE AMPLIFIER LEVEL X - MULTIPLIER EDWATER CONTROL REACTOR TRIP REACTOR TRIP VALVE CLOSURE AND AUX. FEED STEAM GENERATOR LEVEL CONTROL PL"IP START AND PROTECTION SYSTEH AND INDICATORS NOT SHOWN. FIGURE 4.2-1
| |
| | |
| Ao 3 CONTROL AND PROTECTION INTERRELATION rrent Westinghouse
| |
| 'n curren PWR systems, the Protection and Control Systems are and distinct and are identified as such The Control System
| |
| ><<eer, is dependent on signals derived from the Protection System through isolation devices. However, there is no feedback from the Control System
| |
| .o the Protection System.
| |
| >e equipment design philosophy, illustrated on Figure 2-1, is that the Control System sensor is the output of the isolation amplifier. By this orinciple, no components are shared - they are either part of the Protection System and are located and designed as such, or they are part of the Control System. This is a very important feature of the Westinghouse design, and permits a dividing line, both functionaUy and physically, to be drawn between control and protection. It also ensures that, inadvertent or I
| |
| deliberate changes to the Control System have no more effect on the Pro-I rection System than if the Control System contained independent sensors.
| |
| The design requirement for the analog isolation amplifiers is to isolate the
| |
| ~ <<tection System from any electrical faults which might occur in the
| |
| <<<<rol System. Extensive tests were performed to demonstrate this
| |
| 'apability. In these tests, shorts, grounds, and a-c and d-c voltages were applied to the amplifier output. Even though some of these tests were st<<ctive (i.e., destroyed the ability of the amplifier to produce a meaningful output signal), in no case was any perceptible disturbance fed ac" into the input circuit and hence to the protection System.
| |
| : 4. 3-1
| |
| | |
| 0 The presence or absence of regulating control devices on the downstream side of the isolation amplifier has no effect on the isolation requirements.
| |
| The same equipment and design requirement would exist even if these signals were brought out of the Protection System merely for remote readout and data-logping purposes. Since channe1 isolation cannot be reliably main-tained on the control board or at the input terminals to a data-logger, an isolation device (amplifier or impedance network) in the protection channel represents the only feasible way to preserve protection channel independence.
| |
| Certain failures in the Protection System could conceivably negate a par-ticular channel of a protective function, simultaneously causing spurious control action that might, require protective action from that same function to prevent the excursion from exceeding design limits. Such possible failure is dealt with in accordance with the proposed standard, "Criteria
| |
| <or Nuclear Power Plant Protection Systems", IEE No. 279, Section 4.7, which requires that for such a fault, a second failure be assumed in the'Protection e
| |
| In most cases in'which control is derived from protection, Westing-
| |
| "se design meets this criterion by providing a two-out-of-four Protection System Loaic. For example, as shown in Figure 4.3-1, 'a failure can be
| |
| " s~ed in Protection Channel L which causes that channel to indicate high.
| |
| defeats the low pressure reactor trip for the channel, and also may "e Pressure Control System (relief valves and spray) to rapidly reduce
| |
| ~assure. However, three of the pressure protection channels are left nd a reactor trip would automatically occur when any two of them
| |
| -.@ached t sure t P
| |
| | |
| T this additional redundancy is not necessary because such other cases, canno cause the safety cannot limits to be exceeded. This fact can bc illustrated by Figure 4.3-1. A loss of signal (low indication) assumed bc assume for Protection Channel 1. This defeats the high pressure or that channel and may also energize the pressurizer heaters, causing l~ increase g glow nc in pressure. If an independent failure is assumed in Channel 2, cactor trip would occur when the pressure reached the high pressure trip
| |
| ~taint since only one of the three high pressure trip channels is left However, under this condition the safety valves on the pressurizer g<c ~ore than adequate to ensure that the high pressure safety limit is not acceded.
| |
| Section 4.4 discusses all such control and protection interactions for a mccific plant design. In that section, it is noted that numerous operational
| |
| -'cfenses against these failures exist in addition to the primary or "protection a'ade" defense. Many of these additional barriers to.an undesirable excursion N
| |
| 4c'c made possible by making redundant information avaQ.able to the Control System.
| |
| +c possibility of common-mode failure cannot be completely ruled out; it is
| |
| <<<<eivable that all identical channels behave identically, but incorrectly.
| |
| ." "-his case, the question of Control System dependence on the Protection em is irrelevant. It has been recognized that little, if any, additional e<<<<
| |
| deere of protection is achieved by having separate, but identical, instru-
| |
| "t channels for control and protection. Indeed, Westinghouse considers t separation in this manner actually deprives the protection System of 4.3-3
| |
| | |
| e of the day-Sy&ay, hour-by-hour surveillance given to instrument chaels needed for routine plant operation. A further, although often ggnored disadvantage of proliferation of identical channels, is the attendant increase in visual displays and information processing problems of significant oroportions. (Timely, accurate and complet~Lnformation readout is required by the IEEE criteria previously referenced.)'
| |
| frequently expressed concern is the need for assurance that the Protection System will not be inadvertently modified during the 40-year life of the plant, This is occasionally cited as an argument against control dependence on Protection System information Westinghouse completely agrees that every precaution must be taken to ensure adequate review of any future modification that could affect the Protection System.
| |
| Such assurance can only be achieved by complete attention to details in Protection System design, operation and maintenance. This mustI include identifica'tion of system components on drawings and on tha equipment',
| |
| documentation of the system design and design basis, and establishment of groups to review all proposed instrument changes that could affect 'plant
| |
| ~safety or plant operations. It is fallacious to believe that independent control adds to this assurance. In fact, such independence could decrease the probability that a necessary correction to the Protection System will be Inadequacy of controller design requires correction to allow plant operation to proceed; inadequacy of protection is sometimes discovered only after an incident.
| |
| 4,3 4
| |
| | |
| Control System modifications may be required to improve plaat operation.
| |
| por encamp 1 e, a fi1 ter may have to be added to achieve stabi lity. As a control modification, this would logically be performed in the Control Systm; i-e-7 downstream of the isolation dances separating the Control and Protection Systems. Physical separation and identification of equipment (separate racks for Control aad Protection Systems) and admini-strative precautions ensure that the logical route is, ia fact, the one used.
| |
| Even advocates of complete independence between control and protection recognize the desirability and feasibility of using protection signals for non-protective functions...his introduces the possibility of thesesignals being diverted for other purposes unless a careful review and adherence to design bases is enforced.
| |
| The division between control and protection is not always clear. This reflects difficulty in defining the function achieved, rather than in equipment design imnlementatioa. Definitions that place all reacto'x" trip aad safeguards actuation instrumentation in the Protection System, and all automatic regulating instrumentation in the Control System, clearly leave many important items in between. Another definition advanced'is that the Control System is "all instrumentation which is not protection," and the Protection System is "that instrumentation which must work when needed (to prevent unacceptable consequences)." This latter defiaitioa has considerable merit for general discussions and is useful in Judging whether or not a particular item is a "protection" item or not. However, if taken as a rigid it is difficult to apply to all design details, as is showa below.
| |
| 4.3-5
| |
| | |
| P z example alarms and/or control room indications derived from protection hannel information are essential if the operator is to be properly and continuingly infoxmed of the Protection System status and the status of plant safety. As px'eviously noted, these alarms and indications aze required by the referenced IEEE criteria as a vital pazt of the Protection System.
| |
| order to maintain protection channel isolation, Westinghouse equipment design practice associates remote indication with the output of the isolation device.
| |
| Other functions, such as control interlocks (e.g., rod stops) are often highly desirable, and may even be essential to plant safety if a number of malfunctions or maloperations should occur simultaneously (i.e., beyond the normal design proundrules).
| |
| Westinghouse has used the term "supervisory" for that category of functions that .is neither clearly control or protection. (This is a functional I
| |
| designation only, and does not imply a third category for equipment design.)
| |
| Supervisory functions can be further subdivided into two types: those that are informative only (indicators, recorders, alarms, and data-logging);
| |
| and those which automatically act to arrest deteriorating conditions before protective action is needed. (This latter type has been texmedi"override",
| |
| or "protective override.".) Since the question is one of whether manual or automatic intervention is intended, the value of distinction is limited to failure mode analysis of automatic controllers.
| |
| 4.3 6
| |
| | |
| N%& A t '
| |
| 9" r.
| |
| l~r'
| |
| | |
| westinghouse record.zes that each "supervisory" function must be considered on its own merits to determine if it should form part of the protection or the Control System.
| |
| A complete list of protection, control, and "supervisory" functions is included in the Appendix.
| |
| 4.3-7
| |
| | |
| ~ +m 8 w4 ':' l n
| |
| 1
| |
| | |
| PROTECTION PROTECTION PROTECTION PROTECTION
| |
| ~axWEL CHANNEL CHANNEL CHANNEL 2 3 4 PT i QPT
| |
| " gPT PQ PQ PgQ PC
| |
| ~ '~HI P PC ~ HIP'.T.
| |
| PC '~HI P t
| |
| R.T.
| |
| ~ ~ ~ ~ R.T.
| |
| PC ~LO P PC'OP )PC LO P PC LO P R.T. R.T.
| |
| I I
| |
| ISOL'. SOL SOL
| |
| ~ISOL I
| |
| r I
| |
| L I I I I I PRESSURE CONTROL SYSTEH PRESSURE (INCLUDES SIGNAL CONDITION-CONTROL ING AND CONTROLLERS AND SYST~ INTERLOCKS FOR HEATERS, SPRAYAND RELIEF VALVES)
| |
| PT - PRESSURE TRANSHITTER PQ - POWER SUPPLY PC - CONTROLLER ISOL - ISOLATION AHP HI (LO) R.T. - HIGH (LOW) PRESSURE REACTOR TRIP PROTECTION SYSTEM COMPONENTS CONTROL SYSTEM CMPONENTS INDICATORS, AND RECORDERS ARE NOT SHOWN PRESSURIZER PRESSURE PROTECTION AND CONTROL SYSTEMS DESIGN FIGURE 4.3-1
| |
| | |
| th(O P'I 4 ~
| |
| SPECIFIC CONTROL AND PROTECTION INTERACTIONS design basis for the Control and Protection System permits the use of fox both protection and control functions- Where this is done,
| |
| >l equipment common to both the protection and control functions are classified as part of the Protection System. Isolation amplifiers prevent.
| |
| a Control System failure from affecting the Protection System. In addition, Mhere failure of a Protection System component can cause a process excursion which requires protective action, the Pxotection System can withstand another, independent failure without loss of function. Generally, this is accomplished vith two-out-of-four trip logic. Also, wherever practical, provisions are included in the Control or Protection System to prevent a plant outage because of single failure of a sensor.
| |
| The following discussion of specific control and protection interactions t
| |
| is based on the design for the Robert Emmett Ginna Nuclear Station of the Rochester Gas and Electric Co. (RGE) - It is xepresentative of current Westinghouse design-practice.
| |
| 4.4.l NUCLEAR FLUX Four powex range nuclear flux channels are pxovided for overpower protection.
| |
| so~<<ed outputs from all four channels are averaged for automatic control
| |
| <od regulation of power. If any channel fails in such a way as to pxoduce
| |
| ~ow output, that channel is incapable of proper overpower protection- In p inciple, the same failure could cause rod withdrawal and overpower. Two-
| |
| "t <<-four overpower trip logic insures an overpower trip if needed, even "ith an independent failure in anothex channel.
| |
| 4 '>>l
| |
| | |
| ddition the Contxol
| |
| " System responds only to rapid changes in indicated nuclear f1~.t slow changes or drifts are overridden by the temperature control i al. Also a rapid decrease of any nuclear f1~ sig 1 block autistic withdrawal as xo d w part of the rod drop protection circuitry. Finally, an overpower signal from any nuclear channel blocks automatic rod withdrawal.
| |
| The setpoint for this rod stop is below the xeactor txip setpoint.
| |
| 4.4. 2 COOLANT TEMPERATURE Four temperature channels, each containing a Tavg and a 4T signal, are used for overtemperature-overpower protection. Isolated outputs from all four Tavg signals are, also averaged for automatic. control rod regulation of power and temperature. In principal, a spuriously low T signal from one.
| |
| sensor would partially defeat this protection function and also cause rod withdrawal and overtemperature. Twomut-of-four trip logic is used to insure that an overtemperature trip occurs, if needed, even with an indepen-dent failure in another channel.
| |
| In addition, channel deviation alarms in the Control System block automatic
| |
| <<d motion (insertion or withdrawal) if any Tav signal devtates significant3.y from the others. Automatic rod withdrawal blocks also occur if any on~f-
| |
| <<ur nuclear channels indicates an overpower condition or if any oneof-four temperature channels indicates an overtemperature or overpower condition.
| |
| Finally, as shown in Section 14.3..2, of the RG&E Final Safety'Analysis Report, th<<ombination of trips on nuclear overpower, high pressurizer water level, nd high pressurizer pressure also serve to limit an excursion for any rate f reactivity insex'tion.
| |
| : 4. 4-2
| |
| | |
| PRESSURIZER PRESSURE F pressure channels are used for high and Low pressure protection and for overpower-overtemperature i protect on. Isolated output signals from these channels also are used for pressure control and compensation signals for rod control. These are discussed separately below.
| |
| Control of Rod Motion one of the pressure channels is used for rod control with a low pressure signal acting to withdraw rods. The discussion for coolant temperature is applicable; i.e., twowutwf-four logic for overpower-overtemperature protection as the primary protection, with backup from multiple rod stops and "backup" trip circuits. In addition, the pressure compensation signal is, Limited in the Control System such that failure of the pressure signa1 cannot cause more than about a LO'F change in T avg
| |
| . This change can be accommodated at full power without a DNBR less. than L.30. t Finally, the pressurizer safety valves are adequately sized. to prevent system overpressure.
| |
| Pressure Control Low Pressure A spurious high pressure signal from one channel can cause low pressure by spurious actuation of spray and/or a relief valve. Additional redundancy is provided in the Protection System to insure underpressure protection;
| |
| <.e., two~ut~f-four low pressure reactor trip logic and one-out~f-three Logic for safety in)ection. (Safety in]ection is actuated on one-outmf-three coincident Low pressure and low leve1 signals.)
| |
| 4.4-3
| |
| | |
| 0 addition, i terlocl are Provided in th Pressure C t ol System such
| |
| ~t a relief .valve closes if either of two independent pressure channels i dicates low pressure. Spray reduces pressure at a lower rate, and some ti e is avaiLable for ooerator action (about three minutes at mmchnna spray
| |
| -ate before a low pressure trip is required.)
| |
| The pressurizer heaters are incapable of overpressurizing the Reactor Coolant System. Maxinnm steam generation rate with heaters is about 7500 lbs/hr., compared with a total capacity of 576,000 Lbs/hr., for the two safety valves and a total capacity of 179,000 lbs/hr., for the two power-operated relief valves. Therefore, overpressure protection is not required for a pressure controL failure. Twomutmf-three high pressure trip Logic is used.
| |
| Xn addition, either of the two relief valves can. easily maintain pressure below the high pressure trip point. The two relief valves are controlled by independent pressure channels, one of which is independent of the pressure channel used for heater contxol. Anally, the rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available for operator action.
| |
| 4.4.4 PRESSURIZER LEVEL Three pressurizer level channels are used for high level reactor trip (2/3) and low level safety infection (1/3 logic level coincident with "
| |
| Pressure). Isolated output signals from these channeLs are used for volume control, increasing or decreasing water level. A level control 4.4-4
| |
| | |
| 'E l
| |
| | |
| ;ailure could fillor empty the pressurizer at a sLow rate (on the order OEf half an hour or more).
| |
| Irggh 18V81
| |
| ~ reactor trip on pressurizer high level is provided to prevent rapid 4
| |
| thermaL expansions of reactor coolant fluid from fiLLing the pressurizer; the rapid change from high rates of steam relief to water relief can be damaging to the safety valves and the reLief piping and pressure relief tank. However, a Level control failure cannot actuate the safety valves because the high pressure reactor trip is set belo~ the safety vaLve set pressure. With the slow rate of charging available, overshoot in pressure before the trip is effective is much less than the difference between reactor trip and safety valve set pressures. Therefore, a control failure does not require Protection System action.
| |
| Tn addition, ample time and. alarms are available for operator action.
| |
| Law Level For control failures which tend to empty the pressurizer, one-out-of-three Logic for safety infection actuation on Low Level insuresithat the Protection Sy<<em can withstand an independent failure in another channel.
| |
| <n additon, a signaL of low level from either of two independent level control channels isolates Letdown, thus preventing the loss of coolant.
| |
| ampule time and alarms exist for operator action.
| |
| 4.4-$
| |
| | |
| gTEQf GENERATOR WATER LEVEL PESWATER PLOW before describing control and protection interaction for these channels, it is beneficial to review the Protection System basis for this instru-mentation The system is shown schematically in Pigux'e 4.4-L..
| |
| The basic function of the reactor protection circuits associated with Low steam generator water level and low feedwater flow is to preserve the steam generator heat sink for removal of long term residuaL heat.
| |
| Should a complete loss of feedwater occur with no protective action, boil dry P
| |
| the steam generators would and cause an overtemperatur~verpressure excursion in the reactor coolant. Reactor trips on'emperature, pressure, and pressuri.e'er water level trip the plant before there is any damage to the core or Reactor Coolant System. However, residuaL heat after trip causes thermal expansion and discharge of the xeactor coolant to containment through the pressurizer relief valves. This would bxeach one of the barriers -.
| |
| the Reactor CooLant System to release of fission products. Redundant emergency feedwater pumps are provided to prevent this. Reactor trips act before the steam generators are dry to xeduce the required capacity and starting time requirements of these pumps and to minimize the thermaL transient on the Reactor Coolant System and steam generators. Xndependent tx'ip circuits are provided fox the two steam generators for the following reasons:
| |
| a) Should severe mechanicaL damage occur to the feedwatsx'in'e to one s~eam generator, it is difficult to insure the functional integrity of level and flow instrumentation for that- unit. Por instance, a 4-4-6.
| |
| | |
| ~c-'c.' ( l \ 1 I
| |
| | |
| os]or pipe p pe break between the feedwater flow element and the steam exator would cause high flow through the flow element. The rapid generator xessurization depxessu of the steam generator would drastically affect the elation ac between downcomer water level and steam generator water inven-However, the independent circuits on the second steam generator
| |
| ~e sufficient to actuate a reactor trip if needed.
| |
| ~j gt ~r desirable to miabaize thermal transients on a steam generator for credible loss of feedwater accidents.
| |
| Coatxoller malfunctions caused by a Protection System failure affect only aoe steam genexator. A1so, they do. not impair the capability of the main feedsrater system under either manual control or automatic Tavg control.
| |
| Hence, these failures are far from being the worst case with respect to core decay heat removal with the steam generators.
| |
| Frectvater Plow
| |
| * Npu<<ous high signal from, the feedwater flow channel being used for control used cause a reduction in feedwater flow and prevent that channel from
| |
| ~ping. A reactor trip on low-low water level, independeqxt of indicated
| |
| ~<<er .low, insures a xeactor trip, if needed.
| |
| " t<<n. the three-element feedwater controller incorporates reset on
| |
| ~ such that with expected gains, a rapid increase in the flow signal
| |
| ~d ca o>>y a 12-inch decrease in level before the controller xe-opened eedwat r valve. A slow increase in the feedwater signal would have no g4C
| |
| +~~ect 4.4 7
| |
| | |
| CC 88K spurious low steam flow signal would have the same effect as a high ceedwater signal, discussed above.
| |
| ~r A spurious high water level signa1 from the protection channel used for cont ol tends to close the feedwater valve. This level channel is inde F
| |
| Pendent of the level and flow channels used for reactor trip on low flow coincident with low level.
| |
| a) A rapid increase in the level signal completely stops fee@rater flow and actuates a reactor trip on low feedwater flow coincident with low level.
| |
| b) A slow drift in the level signal may not actuate a low feedwater signal.
| |
| Since the level decrease is slow, the operator has time to respond to low level alarms. Since only one steam generator is affected, automatic protection is not mandatory and reactor trip..on two-out~f-three low-low level is acceptable.
| |
| 4-4.6 STEAN LINE PRESSURE
| |
| ~<< three pressure channels per steam line are used for steam break Protection (twomutmf-three low pressure signals for any steam line actuates saf Bty in]ectj.on) . One of these channels is used to control the Powermperated relief valve on that steam line. These valves .are typically t<< at 10K of the safety valve capacity A spurious high pressure signal C>>
| |
| he channel used for control opens the re1ief valve and causes low
| |
| ~ ure ~ This is a slow rate of steam release, evaluated as a credible 4.4-8
| |
| | |
| break in Section 14.2.5 of the RG&E Final Safety Analysis Report.
| |
| ~ the analysis of steam breaks of this size, no credit is taken for the te~ line pressure instrumentation- Safety injection is actuated by the oressurizer instrumentation. Therefore, a control faire does not create for this protection, and two-out-of-three logic is acceptable.
| |
| 4 ' g
| |
| | |
| ~ ~~ATION e
| |
| ~DEWAL ACCT~
| |
| Syst'~
| |
| System evaluation of the rod withdrawal accident is based parameters, protection system, and expected reactivity
| |
| ?
| |
| ~tt~ts- The design basis for the Reactor Protection System to ygececi care far rod withdrawal accidents is to trip the reactor 30 DNBR is reached in the hot channel. While diversity in trumentation is not a part af the design basis, the system
| |
| ~ ~idled does provide alarms, rod stops and control functions to
| |
| ~~t >e vithdrawal from proceeding to the trip point. Because of
| |
| ~~t effect of overpower on all the process variables, additional
| |
| ~ !unct~< as would act to terminate the excursion, but aot'necessarily
| |
| ~e l.30. Extending the course of the accident, a DNBR of 1.0 in the.
| |
| ~ +seeably" is arbitrarily selected as a Umit for a. second Level of ycecectian. (The "hot assembly" is essentia1ly the hot channel without a?Xueaaca for engineering hot channel factors.) No credit.'is taken for
| |
| ~!~ttening or Local,'void reactivity effects at overpower conditions.
| |
| ~ est pess&istic instrument error.and'set points are assumed I
| |
| for aLl tea:tar wips.
| |
| ~iced averpawer is of serious concern because of the potential damage to De core d the Reactor Coolant System. Syst by either the high pressure reactor trip
| |
| ~sea M con)unction with any reactor ~p at'ater lev ity for core damage + n Wta evalua uatian is zocused on this cance~'.L-L
| |
| | |
| the rod withdrawal leading to undesirable conse-
| |
| ~s prottection against quencess is in considerable depth, and there are indeed multiple levels ro'rection as listed below. Each of these levels could be independently off Prate
| |
| ~idered adequate, diverse protection against an accident.
| |
| Because the reactivity available by rod withdrawal is limited, only very rare cases could complete rod withdrawal cause core damage.
| |
| A single trip function with redundant channels protects against this condition. No diversity or separation is required.
| |
| b) ~u1tiple, diverse rod stops are provided such that no failure can cause a sustained automatic rod withdrawal. Therefore, a reactor trip could be considered as backup protecti.on.
| |
| c) For "fast" excursions, two reactor trip functions prevent all but limited core damage. For "slow" excursions, manual action is an adequate backup to the automatic protection system.
| |
| : 4) For all rod withdrawal accidents, ae least two reactor trip functions exist, either of which would again prevent all but limited core damage.
| |
| Fault tree diagrams are shown on Figure 5.1-1 and 5 3.-2.
| |
| 5'l.l. PROBABLE CONSEQUENCES OP ACCIDENT The adequacy, or depth, of protection required for an accident should be measured against the probability of the accident and the probable consequences of the unprotected accident. The probable consequences are discussed here.
| |
| The od tivity available is in
| |
| ( alize burnup mai,ntain e
| |
| 5.1-2
| |
| | |
| s A
| |
| | |
| and reduce ejected rod worths). The design allowance
| |
| ~er distribution, d st ro d insertion at full power is 0.1X for "bite" plus 0.4X for the man-i.e., rod insertion may be anywhere from O.IX to 0.5X.
| |
| euver g values for moderator and power coefficients at beginning
| |
| ~izh calculated f core life*, 0. 3X reactivity insertion is required to reach a hot assembly gggR p f 1. 0. Also, af ter 20X core burnup, 0. 5X insertion does not cause a hot assembly DNBR less than 1.0- Therefore, a random, complete rod withdrawal from design full power conditions with no protection has about probability of causing, DNBR less than 1.0. This is illustrated by Figure 5.1.3. Although the figure and the above discussion are based on full power, they are equally applicable to accidents starting from less than full power since the additional inserted rod worth is needed to achieve full power. However, it may not be practical to guarantee these conditions because allowances for calculation or measurement uncertainties can significantly affect the results.. Figures 5-1-4.
| |
| and 5.1.5 shows a "worst case" complete rod withdrawal at 25X.of cox'e I
| |
| life from 102X power, nondnal T avg plus 4 F, and nominal pressure less 30 psi. Reactivity insertion is assumed to be 0.6X, or 0.5X x 1.2.
| |
| (This 20X uncertainty could have been applied, to the reactivity coefficients-instead of the rod worth.) M~aum hot assembly DNBR is 0.91, or slightly less than the axbitrary limit of 1.0. The same transient at 6(X of core knife is shown fox comparison. MfxdnnmL hot assembly DNBR is 1.4&.
| |
| *R activity coef ficients based on Figures 3 Z. 1-8 and 3.2. 1 10 in Supplement 4 to the RGE PSAR, dated October 23, 1968.
| |
| 5.1-3
| |
| | |
| 'I'5 . I 1 J C
| |
| | |
| A comp lete analysis, considering statistical variations in all uncertainties,
| |
| ~d vould determine a more valid value or the probability of exceeding any liven ssasf sty limit If this value were suf ficiently small, a comparatively
| |
| ~
| |
| a~i <<protection system might be justified.
| |
| 2 PROEABII,ITY OF ACCZDENT
| |
| ~e design intent of the Reactor Control System is to block automatic
| |
| ~d withdrawal for any failure which can cause sustained rod withdrawaL.
| |
| ~is is accomplished by rod stops on rapid nuclear flux decrease, T avg channel deviation, spurious rod motion, and subsequent rod stops on high AT or high flux.
| |
| If rod stops were considered as independent protection, Protection System criteria would be applied. These rod stops would then be classified fuLLy as part of the Protection System for a rod withdrawal accident.
| |
| 5.l. 3 MANUAL INTERVENTXON
| |
| !annual action is reliable backup to automatic protection provided that sufficient time exists for operator response. The time required depends n the alarms available, the nature of the problem, and the required action.
| |
| igure 5.1-6 illustrates steadymtate core limits and several alarm points nd trip points. Alarms are intentionally quite close to the design operating conditions. Other alarms such as high pressure would be reached during a transient. These alarms are tabulated on Table 5.1-1.
| |
| ~though steam cycle heat removal may be the most Limiting steadymtate resttriction on reactor power, time is required to reach corresponding
| |
| | |
| ~arms and trip paints. '(Far instance~ it would take about two minutes st 110X reactor Power with steam generator saf ty vaLves blowing before a steam generator Low-low water leveL trip could be expected.) For thi reason, this evaluation did not include these alarms and trips Figures 5.1-7 through 5.1-10 show the results of transient analysi far various reactivity insertion rates at beginning of core Life from ~
| |
| full power (102X, nominal T avg
| |
| +4'F, noa~ pressure less 30 psi from nominaL conditions at 80X power. A constant reactivity insertion rate with unlimited available reactivity is assumed. Hmdmea settings end instrument errors are assumed for the reactor trips, and nominaL set points for the alarms. (Note: the high 4T rod stops are taken as 3'F below their reactor trips rather than their nominal set points.)
| |
| ror a reactivity insertion rate of 0.5 x. 10 gk./sec,, (corresponding roughly to maxfxnun rod speed at average rod worth), a hot assembly DER of 1.0 is reached, in about. two minutes. During this time, there are alarms on high T, pressurizer pressure, and pressurizer Level, as well as rod stops and alarms on high flux and high 4T. Also, the steam safety
| |
| .alves would be actuated. Mith the multiplicity of aLarms, i.t.-is easy to diagnose a ms)or overpower-avertemperature excursion. Xt is reasonable
| |
| <<expect operator intervention (manual trip) during this thea For fastter reactivity insertion rates, reacto< trip on high nuclear flux is a reliable protection system barrier. Therefore, since the avertemperature
| |
| }11g h 4T trip protects for all excursions, one could classify it as the principal protection barrier with "backup" from high nuclear flux in con-
| |
| ~un<<ian with manual action.
| |
| 5.1-5
| |
| | |
| DEITY OF REACTOR TRIPS e
| |
| protection system design basis for the rod withdrawal accident for ore protection required that one trip function with redundant channels
| |
| <event a minimum preven DNBR less than 1.30. This is accomplished with the
| |
| <<ertemperature AT trip for slow reactivity excursions, and the high nuclear flux trip for fast excursions. As shown by Figures 5.1-7 through 5.1-10, these two trips meet the design basis-The evaluation also shows that for all cases of sustained reactivity insertion for rates up to four times the maximka rate expected from rod withdrawal, any of the following prevent a hot assembly DNBR less than 1.0.
| |
| a) High nuclear flux reactor trip b) High AT trip
| |
| : l. Overpower AT
| |
| : 2. Overtemperature AT c) High pressurizer level reactor trip plus high pressurizer pressure reactor trip. (Not valid for high reactivity insertion rates:,.
| |
| from near full power.)
| |
| This depth of protection cannot be expected for all accidents or for all plants.
| |
| 5.1-6
| |
| | |
| TABLE 5.1-1 ALARMS FOR ROD WITHDRAWAL
| |
| ~e ~arms which would be actuated for a spurious rod withdrawal accident eax'r M.l Power are listed below i the aPPro~te order i which they Alarm points assumed for the evaluation are listed.
| |
| Initiating Fault* - Mose 'failures which can cause a spurious control rod withdrawal are alarmed and, in general, automatic moeian prahibited.
| |
| These include-a) NXS flux rapid decrease (1/4) (5X in 5 seconds) b) Tavg channel deviation (1/4) p5 F from average) c) Rod.control fault - rod motion with no demand Z. Seep Counter - audible clicks from step counter alerts operator eo rad motion.
| |
| : 3. NIS PWR RANGE OVERPOWER ROD STOP+ (1/4) (105X)
| |
| : 4. AVG TAVG -T REF DEV (T 5'F from program) avg
| |
| : 5. PRESSURIZER HX PRESSURE (2350 psia)
| |
| : 6. PRESSURIZER RELXEF LXNE HX TEMP (when power-operated relief valves open)
| |
| : 7. REACTOR'OOL HX TAVG (1/4) (5'bove nominal T avg at full power)
| |
| : 8. PRESSURXZER LEVEL DEVIATION (5X abave progr:mamed level ae full power)
| |
| : 9. AUTO TURBINE RUNBACK OVERPOWER AW (1/4) (3 F less chan high 4T trip paine)
| |
| AUTO TURBINE RUNBACK OVERTEMP 4M (1/4) (3 F less than high AT trip point)
| |
| Ll. Steam Generator Relief and Safety Valve Actuation - audible steam release eo atmosphere
| |
| : 12. STEAM GENERATOR LEVEL SET POINT DEVIATION PRESSURIZER SAFETY VALVE OUTLET HX TEMP (2500 psia)
| |
| CHAHM.'L ALERT - as reactor trip paints are reached for each channel Capitalized word groupings represent engxaving on annunciator panels.
| |
| REACTOR TRXPS FOR ROD WITHDRAWAL Th<<allowing tx'ip paints were assumed for the evaluation:
| |
| NIS POWER RANGE HIGH RANGE (2/4) (118X)
| |
| : 2. OVERPOWER 4T (2/4) (118X of full pawer AT).
| |
| OVERTEMPERATURE dT (2/4) (variable) 4~ PRESSURIZER HX PRESSURE (2/3) (2400 psia)
| |
| PRESSURXZER HI LEVEL (2/3) (95X of span)
| |
| Alarm and Rod Stop
| |
| | |
| PAULT TREE fOR ROD NITHDRANAL ACCIDENT AUIONATIC PROTECTION HEEDED INSUFFICIENT TI'lE fOR MANUAL PROTECTION NEEDED EXCESSIVE ROD EARLY IN CORE NORTH INSERTED LIPE SUSTAIllED ROD MITHDRAVAL HIGH TBQ' AT ROD STOt RICH POSER AT RDD STOt CONTINUOUS ROD llITHDRANAL REACTOR IN NANUAL CONIROL AIPIQIATIC CON THOL PAILURE (SEE PICURE 5+1 2) fICURE 5 1~1
| |
| | |
| w J4 t~f ISA ~ ~ ~ VII~A441~
| |
| ~IIC C480fl4. tf&I S fltAOLI (SRS PICURE $ .1-1)
| |
| CONTINUOUS ROD PA I LURE MITHDRAMAL COND IT1OH OR EVENT ROD 'NITHDRAMAL RPS ~ REACTOR PROTECTION SEC IHS STSTIH RCS ~ REACTOR CONTROI. SIST OD SPEED HTROLLER(RCS)
| |
| IHPROPER C1RCUIT IH RCS 1HDl GATED TISIP ERATURE ROD MITHDRAMAL SEC IHS THPROPER SET ALL T CHANHE Oa AHD VG POINTS (RCS)
| |
| (RtS)
| |
| TURS INK LOAD tOMER HISHATCH OR SIC HAL CHAICIFL (RCS)
| |
| AVG ROD MITHDRAMAL OD STOP SEC INS NIS ROD DROP ROD STOt AVIRAGE TAVG INDICATED DECREASE tRESSURE DECREASE DECREASE IN INDlCATED PLUZ OR QQNHEL RESSURE RESSURE NIS (RPS) AY% E TAVG CHANNEL (RtS) CHAHHEI. (RCS)
| |
| (RtS) RCS FIGURE 5.1-2
| |
| | |
| INSERTED ROD WORTH AND REACTIVIXY REQUIRED TO REACH DNBR ~ 1.0 IN HOT ASSEMBLY VERSUS CORE LIFE Reactivity Required ~ ~ ~
| |
| To Reach Hot Assembly DNBR Of 1.0 (116.5X Power,"
| |
| T~ ~ 589, 2250 PSZA) 1.5 From FuLL Power ~ ~
| |
| P 1 0 I Region Where
| |
| ~
| |
| Protection Is.
| |
| Required PP Max. Inserted Rod Worth 0.5 ' ~
| |
| (Bottom of Maneuvering Band)-':
| |
| ~P I
| |
| Min. ~erted Rod Worth 0 (Top of Maneuvering Band) .
| |
| 0 20 40 60 80 100 X OF CORE LIFE FIGURE 5.1-3
| |
| | |
| COMPLETE ROD WITHDRAWAL FROM MAXIMUM FULL POWER Ca /
| |
| 1.0
| |
| --- MIDDLE OF CORE LIFE INITIAL RATE ~ Oa9 X 10 6k/SeC.)
| |
| o.5 i~I..
| |
| I .'.". a...p... .'.",.'I..
| |
| '0
| |
| ~
| |
| 0 [
| |
| 0 40 . 60 80 100 120 140 160 1
| |
| a TIME, SECONDS 150 ~ la ~ ~
| |
| ~ ~
| |
| 140 UP : HI FLUX t ROD STOP.':;: i 120
| |
| ~ OW
| |
| ~0 HI FLUX =.-.
| |
| ~ aa f eo 100 4<<
| |
| 0 20 40 60 80 100 120 140 160 TIME1 SECONDS tP ~ jl laa HI POWER. HI 'PORN'SHI TEMP.) HI TZMIP.""""'"IHi&"'"'-I-I"""
| |
| dT ROD:dT TRIP:IAT ROD .":dT TRIP .":I: '::-:.::!!::":I=-i:I .'i: ':::a ~ "'g 0 ...... ',.".'. - ..'.~:.: '..... 3 i:-..j dT mENTS (M.O L )
| |
| ~ ta 620
| |
| ~ aaa aa aa
| |
| ~I
| |
| '~
| |
| 600 a~
| |
| 580 IN 560
| |
| ~ << ~
| |
| ~ (
| |
| ~ ''
| |
| i L I ~
| |
| 1""
| |
| 540
| |
| ~ =- q-- )
| |
| ~
| |
| .. '..."..'"::I.i:: T~+:Ii 52O 20 40 60 8O 100 120 140 160 TIME, SECONDS
| |
| | |
| . t STEADY-STATE 0 't-...:
| |
| ~ C
| |
| -0' I
| |
| ~
| |
| ~ CORE LIMITS AND REACTOR .-.
| |
| '>> I TRIP AND ALABM POINTS y i- --.- ALARM POINTS
| |
| [
| |
| 160
| |
| ~ $ ~ ~ >>
| |
| ~
| |
| I HI
| |
| ~
| |
| ~
| |
| PRESSURIZER
| |
| ~
| |
| J-.
| |
| I
| |
| "-~ -.-
| |
| I
| |
| ~ .
| |
| '..I-I
| |
| '... ROD REACTOR n
| |
| STOP TRIP
| |
| ! WATER LEVEL TRIPI
| |
| ~
| |
| I
| |
| ~
| |
| >> I f~
| |
| :t- ~ ~
| |
| p>> I~
| |
| ~ ~ ~
| |
| I.'STM. GEN.
| |
| I SAFETY VALVES
| |
| +o. ~: ..l 140 ~ ~
| |
| - ~ ~
| |
| I "I i. I I i
| |
| ~ ~
| |
| ~ ~
| |
| ~ ~ />>
| |
| I P
| |
| ' -:I I I. -}. I
| |
| ~ >>>> >> ~ (
| |
| 'Tl >>
| |
| I~
| |
| /
| |
| HX FLUX. *>>
| |
| +
| |
| 120 HI AT i.. :l I p ,
| |
| ..pl
| |
| ". I.:.
| |
| ~
| |
| I ~
| |
| I . f .:: .. . .
| |
| ~ ~
| |
| I I.. "-.3.I'- I HI AT
| |
| ~
| |
| PI
| |
| ~
| |
| .":l,
| |
| '-I 110 T l.'I
| |
| ~
| |
| .:::I HI FLUX
| |
| ~>>
| |
| :'I ~ 'I I
| |
| ~ ~ ~
| |
| ) ~ ~ ~ ~ ~
| |
| LL I ,
| |
| I I~ ~ ~
| |
| 100
| |
| 'l"
| |
| ~ >>>>
| |
| >>~ >>
| |
| NOM I
| |
| I>> l'~ r I
| |
| 'NAL PLOW LIMIT .I .i' > ~
| |
| tt 90 I
| |
| .' HI AX I' ~ ~
| |
| Lis>> I~ 82400 PSIA I I
| |
| I>>
| |
| ~
| |
| HI PRESSURIZER
| |
| ~>> ~ ~
| |
| WATER LEVFL : I i I
| |
| ~ >>
| |
| '.I.g II .
| |
| 80 >> ~
| |
| AVG fx '
| |
| HI TEMP.
| |
| >> ~
| |
| 4T I ~ 'II.
| |
| ~~
| |
| I II I HI POWER dT 7
| |
| 70 540 560 580 600 INLET TEMPERATURE, 'P FIGURE 5.1-6
| |
| | |
| ;I BEGINNING OF LIFE ROD WITHDRAWAL FROM l02X POWER MINIMUM DNBR II II lift:ef lift fits lift:n f f I ft tile elt 2.50 I sf II ~ et e s..-,il 'f <<s'st I I sg ~ sf'' ~e 1 If l
| |
| 's"'
| |
| e
| |
| 'I I I sll'e ti ~e set. I I e ees. ~
| |
| es I I ' 11 I I I I III 'se tits
| |
| ~ es sse ~ tel ~
| |
| I ~ est Its st (MAX ROD SPEED, ~ II I fet Ie ' s r tet 'I e I I el sl" .I' sl Is I iII Ill MAX ROD
| |
| ~ I st I WORTH)'-'Hl'LuX:.'-
| |
| 2.00. I ~ I Isl- .'t I I ~ f I)e
| |
| ~ ~
| |
| ' l e
| |
| N ~ e I I.e Ill: W
| |
| ~ II fit e ~ I ~
| |
| e
| |
| )I'tt f LEV ~ ~
| |
| pg I HI
| |
| ~
| |
| FLUX el I ~ ~ fl;e I ~,I
| |
| ~
| |
| I I I I s ~ Ie [,H SsuRE ~ ~ I Ref st It ~ I fl'l
| |
| ~
| |
| \ ~ I~ 'I. s.e, I I I I ~ ~ I Qtf' te
| |
| ''I ~ I ~ tie ~ I lift 'll f I ltf eis I I ~ Is I I ~ I gt
| |
| 'll I !III ss s<<s
| |
| ~ 's 'I
| |
| <<H I TEMP. -I e AT
| |
| . ~ ..
| |
| ~ II lett et'I J
| |
| ~
| |
| ~
| |
| I 'tl'I I
| |
| I ~
| |
| ~ ~
| |
| e HI POWER dT; t t I
| |
| ~ III st ~ III It lett l.50 ' II'etes wl f I tees ~ ~ 'I', Pt' s'T-. .i ' test stts tsl;I I!" I I I I I I I f'
| |
| ss
| |
| 'ts f ~ e I I I~ f e 'HI TBP I s sr "<<tt''I ' I I el
| |
| : HI POWER AT f-, e ~ ~ H
| |
| ':-'"'' s iles e e I s ~
| |
| J
| |
| , 1':,I ee
| |
| '.HI POWER hT;, list
| |
| ~e
| |
| ". " Iflj HI j 'l POWER dT 1st
| |
| << n -'
| |
| ~ ~
| |
| t tt
| |
| ~
| |
| ~
| |
| s tt es' e I tl sit
| |
| ',I' s
| |
| I ~ ~
| |
| ~
| |
| ie II'',;:.
| |
| stl
| |
| ~
| |
| &SIC(
| |
| HI LEVEL ',
| |
| .,'I TEMP. AT e I l.00
| |
| ~
| |
| I stt I
| |
| ~ ~ I ~, ~ ~ I If I'' I~ I <<I I~ Isle (CORRESPONDS TO DNBR Ole' ~ e te << s'<<s .In ~
| |
| fl' it'.e ss S.G.~f" Itl ;Ij' HOT ASSEMBLY)i j:('OR ,S ~
| |
| Is tsii I I I III I ~ t ~ ~ el ~ .. SAFETY Ite I I II > VALVES'-, in sits I sl I n t( f et I I ttl'
| |
| 'I ~ I I I II es II., ~ ' I I I i<< s
| |
| ~ II ~ . I* e 'tts I 50 I I ~ e ~ e ~ ~ te I ~ e gtn e l
| |
| f I le Ils tfs ~ fit Ie si ~
| |
| '':" I I I e s es I f e I sfts s I+e tees Is I ~ ', I
| |
| 'il II << I I I I~ ~ ~ Iltl fit It'I Ittl If ttf ~
| |
| 0.05 O.IO 0.25 0.5 L.O 2.0 4.0 Reactivity Insertion Rate, 10 6k/sec ALARM ROD STOP REACTOR TRIP "DESIGN" REACTOR TRIP CORE LIYiIT FIGURE 5.l-7 s
| |
| | |
| ~ e BEGXNNING OF LIFE ROD WITHDRAWAL FROM 102X POWER TIME OF EVENT lls I, tr
| |
| ~s I s s I le its Ii
| |
| ~1 Is r s I I I I
| |
| ills sis i i se ts I s ~
| |
| st st el 'tss lt I ~ I L ills I'I ~ tl ills I" I 1 ~ I so ss IIII lese s Ilsi 1111 250 I:st il ss Ilsi I I see IIII li: s il "s I~
| |
| 11'ie sst I ;Ii ~ tt?e ssi ts. ~ I I ~~~ 'se JC IIIIIII.'~Ill ilr, . I I' I I, s
| |
| ~ ~ ~
| |
| I~ I ~ ~ ~ ~ ~
| |
| HI TEMP. dT ALARM le,'ss. II ' ~
| |
| 'I" so '?.
| |
| I " I'I ~
| |
| < 'ltll sl ROD STOP, I~ i HI LEVEL ' REACTOR. TRXP s I 200 ~ ~ ss t I~ I Is '~
| |
| I ise ts t' t~e I t I se I I I II I@i sl "DESIGN" REACTOR TRXP I~
| |
| t'I st II s ss .'SO I H
| |
| I'is II ~,s ' li ~ l I; I ss CORE LXMIT 1st ll As Os ss ~ I r<
| |
| ~ ~ ss II sile 1 i' i i!i o ss
| |
| 'Iel ls s I ~ 1
| |
| ~ rr ~i s
| |
| 's
| |
| 'l
| |
| ~ I see Jl1 d I I II II ~ I s
| |
| II, s st .'l '1 s s ~~s ~ ~ s sl ,I''I Its; ii 'ssl ss I DNBR HA ~ 1.0 1st ssl vo ~ I IC'lls
| |
| ~ ~ I "I Il''t r, sr IIs I I Ills
| |
| ~ 1.'3 it i st, I q tt\ se s ~ ~ ~ ~
| |
| s HI s
| |
| DNBR 1 PRESSURE MIN li s
| |
| ~ 1 s sill I '
| |
| Ii
| |
| ~ s J it I ss e I I sist 1 tl sll' ~ ~ II ~
| |
| is st... ~ I I ~I II I li" il'a (MAX ROD SPEED,;
| |
| ".II HI POWER.
| |
| I I
| |
| s I ~:
| |
| ski' sl MAX ROD WORTH);,
| |
| dT S
| |
| 100 it I>> I s'I ~ I s'
| |
| is .tf 'I I I s t 'I! 11 ss 'It i ~ ~ ~ I st e II sl s 's ~
| |
| i I s'st 1 I 11 e St ~
| |
| I,'
| |
| II ~ 'il ;1st HX LEVEL I ~ II 'I lt '
| |
| e s
| |
| ls ceil ts
| |
| ; I, 1st Is lg- IL is I r I It Ij 7:< ~e 1st
| |
| ~s s. ~ ~
| |
| s s sll I I'Ie ~
| |
| 4 i Jll "I'I' ~ I ss I I
| |
| I',l i'i'st I. i. its Iss s't ~
| |
| s I ts I I I I t tl 50 I I es 'ss I
| |
| * Ills s
| |
| ~ l s~~ I ~
| |
| I. s ~ eli s s I I e
| |
| Vg I s ss >> Ie s
| |
| iHX TEMP dT s I Is ~
| |
| Ill tli I~
| |
| st I 'sli st ~ I 1st I t ss
| |
| ~
| |
| p' is l 'sa ~
| |
| +II t
| |
| s s Il.
| |
| ;Is
| |
| ~
| |
| ,se
| |
| ~ I t s: I I s I I ~ I ss I I sill t'l gl I Is ~ I I e,'. '\l ~ ~ I ~ sl 11 ls I ~ t I II I IIII III
| |
| .0.'05 0.10 0.25 0.5 1.0 2.0 4.0 REACTIVITY INSERTION RATE, 10 hK/SEC FIGURE 5.1-8
| |
| | |
| , wt C
| |
| BEGINNING OF LIFE ROD WITHDRAWAL FROM 80X POWER MXNIMUM DNBR II['tt'It'LsI' i' s' I DEVIATION ~ sls I>>
| |
| ~
| |
| AVG :f
| |
| ,I ~ iles s
| |
| ~f
| |
| ~ ~
| |
| ~ I I Il ~
| |
| HI FLUX s~ ~
| |
| s
| |
| ~
| |
| I I ~ I~
| |
| I AVG I~ I' ~ I. Ii ~ e, I I s Ii -,. ~,r,< ':::"
| |
| I i I:
| |
| ~
| |
| I Is ~ I
| |
| ;II
| |
| ; 'r:,HZ T Qs
| |
| "(jest I
| |
| I I ll irpgli q) AVG,I, s
| |
| I s Iei
| |
| ~
| |
| s I I <<
| |
| HI LEVEL.g .. ALARM ROD STOP
| |
| '.-:'S.G.SAFETY (PRESSURIZER)
| |
| HI gg POWER'~
| |
| ' I,
| |
| ~ ~ I
| |
| ~
| |
| ~ts II isa st i ~
| |
| ~
| |
| ( i ~
| |
| REACTOR TRXP "DESIGN" REACTOR I ~'
| |
| I, ~ ' is '
| |
| s>>>>see eels>> %
| |
| 'ALVES- ;s>>
| |
| I I st. ~~
| |
| TRXP
| |
| : e ~e sets ~ ~ ~ ~ i ~ tl
| |
| ' i.
| |
| >>-'-'IA te
| |
| '"I')HI TEMP' ieii iis'Is's, I
| |
| ls) '- AT: I I
| |
| ~ ~ II ~
| |
| hT'X
| |
| ~ I ~, ~ , ~
| |
| ~
| |
| I I I I I ~~ Ii 'lte
| |
| ~ ~
| |
| f
| |
| ~ I: ~T'IM ~
| |
| s si
| |
| ~
| |
| I "I I'I ee
| |
| ~ ~
| |
| I
| |
| 'P I I s~ I
| |
| :.-'; ~
| |
| ~ I s e s
| |
| ~
| |
| Ills ' e L-r PRESSURE. ~ I~
| |
| i -I- I HI Po WER I>>
| |
| .;Is
| |
| ~ "NNR!!',tGMFI::"'.:l II
| |
| ~
| |
| ss ~
| |
| Iil ~ ~ ~~ I FLGX~
| |
| ~
| |
| I.
| |
| 'HX ~~, (MAX. ROD SPEED,-
| |
| ~
| |
| s e s I I I~ II << Ii<< lit i:e . IlesMAX. ROD WORTH) ~ ~ t~ I;
| |
| ~ CORRESP ONDS TO DNBR> 1.0" sse I I II t ss's
| |
| ~ It 'tsi I
| |
| ~ ~ i i' lls
| |
| ~ I LN HOT ASSEMBLY ~~
| |
| J
| |
| 'el ~ I I~ ~s I Is ~
| |
| I III S ~. ~,i' I ,~
| |
| I ~ i
| |
| 'll il ss s I ~ it
| |
| ', sli ei
| |
| 'll'll'l I i I ~ I ~ i e II Ill le ~
| |
| s ~ I ~ , se ii e ~ ~~s I ~ i sill s e '.
| |
| III' el i.e ~ s Iii't
| |
| ~ il I II 'I s
| |
| << III lss i i ~ ~ I s le e ~ s I 0 tls O.OS O.1O O.ZS O.S 1.O 2.0 4.0 REACTIVITY INSERTION RATE, 10 8K/SEC FIGURE 5.1-9
| |
| | |
| W 4ol BEGINNXNG OF LIFE ROD WITHDRAWAL FROM 80/ POWER o ~
| |
| TIME OF EVENT tl ~ . I ll ~
| |
| ~
| |
| ~
| |
| II I ~
| |
| ALARM I I" ROD STOP
| |
| -;-I .':i'-:: G: "- I It
| |
| ~
| |
| ~
| |
| ~ o I '.
| |
| REACTOR TRIP HI PRESSURIZER';, -'rrr ~ I~
| |
| "DESEGN" REACTOR TREE LEVEL -I
| |
| ~ i I Io s. t t: itlt!:I ~ ~ o ~ I ~
| |
| i i ~ i ~ ~ ',.; I i : I ~ I ~, ~ il: ~
| |
| l SAFEZY
| |
| ~
| |
| J'I Illl 'io li!i I
| |
| I I I!4 ilt' I I Q1 ~ ~ ~ I ~ I''-
| |
| I ls s-l~vALvEss I o , ~ I, ~ o~
| |
| I i i ~ ~ I ~ HI TEMP 4T I 41:,
| |
| ~ I ~
| |
| I J
| |
| I I I ~ ~
| |
| ~,
| |
| ~ o'
| |
| ~
| |
| ~ 'AVG;,
| |
| g HI PRESSURXZER,.
| |
| I;:AT,:Lol HX POWER 4T
| |
| ~o o
| |
| sill I I ~
| |
| ~ o
| |
| ~ I
| |
| ''ITJ
| |
| ~ ~
| |
| I I
| |
| LEVEL L I'. I I'
| |
| ~ ~
| |
| I
| |
| ~ ~
| |
| ~1.0
| |
| 'I DNBR I j"-,T',;I3 ..'.", . ,I o o ~~ ~ I
| |
| ~
| |
| PRESSURE 'v ~(MAX, ROD SPEED,, I: I I !II sl' ~ ~ Iso MAX4 ROD WORTH) t E li DNBR ~ 1.3 ~
| |
| il, i s II o.'I 'it'I ~ 't ~ ~ ' ~ ~ I s Itts ~ o I't I II
| |
| 'ot Io I s't o ~ ~ ~
| |
| ~~ ~ ~ ~ I .L.l.J:::: oJ ~
| |
| I Ls t~o 4lt I~I .Il'"..I !It ~"
| |
| Its 4 ~o ~ I I: tlt !I ~
| |
| ~ I jilt j>> ~ ~ ~ ~~ st ~ o i li i ~o
| |
| 'is ~ I slot il ~ I !too I !i PRESS E'X o, I I I ~ I I ~ ~ il>>
| |
| H%H&iti,'-',: is>> I ~
| |
| "i io.,';:@
| |
| ~
| |
| I I I ~
| |
| goal:
| |
| HI FLUX I: tl io Ills I~ ~
| |
| I I ~ I II III St J tl ~ I I ~ ~ ~ ~ ~~ I
| |
| ' itis sl i oil o ~ ~ o is I ~ I I ~ I .i I ~ o ~ ~~
| |
| tl '
| |
| ~ ~ II iot ~ ~s ~ l' ' io ~ ~
| |
| 100 ~ I ~ I !I ~ t!4 ~ s i ~
| |
| olo I I ~ ~ ~ till ~
| |
| I I I ~ ~; Is ~ sot !I
| |
| "~
| |
| loss
| |
| ~ I I llI I I ~ SS I: ~ -."I I i I
| |
| 'II:
| |
| I lo ~ o ~ ~
| |
| T ~o I ~
| |
| I I i It i AVC ~ oo 4 I I lot gi i io ~
| |
| ~
| |
| I~' ~ I I ~ o It/ lt!. it'ilI I'!to'lli IID I oi":i ri. I ~ I ~
| |
| 4T ~-:
| |
| 50 '
| |
| ~ II ' ~
| |
| ~o
| |
| ~
| |
| I
| |
| ~ ~ ~
| |
| I ~
| |
| iti, il IQ HI POWER
| |
| ~ I o ~ ~
| |
| i i't
| |
| ,is.
| |
| I ~ I I I I I I 4I o ~
| |
| ~
| |
| I I
| |
| .';HI TEMP 4T ~ I o
| |
| * I I ~~~
| |
| ~ I ~ ~
| |
| i o~ It ~ ,'I o o o ~ I~ -:: ".:++ is ~ oL ~ ~ I I o ~ I ~ ~ o 4s
| |
| ~ ~ i~ ~ I ~ I I~
| |
| t I ~ I~ .-.. 'i'il ! ~ l I ~ ~ ! JA.I I 0.05 0.10 0.25 0.5 1.0 2.0 4.0 Reactivity Insertion Rate, 10 6k/sec FIGURE 5.1-10
| |
| | |
| LPSS Op FEEDWATER
| |
| > ring power operation, loss of feedwater to the steam generators is of potential concern because it affects the ability of the steam generators to rmove decay heat after trip The protection for thi accident consists of reactor trip and an auxiliary feedwater system.
| |
| This evaluation describes the Control and Protection System instrumentation provided on a typical Westinghouse PWR Plant to directly monitor or control steam genitor water level. Loss of feedwater accidents without credit for this instrumentation are evaluated. Typical Westinghouse design requirements for the auxiliary feedwater system are included.
| |
| A typical 1456 MWt two-loop plant was selected for the transient analysis. A loss of feedwater accident to one steam generator is most severe on a two-loop plant. For a complete loss of feedwater, the transient is dependent on the normalized kinetic parameters; e.g., power
| |
| (
| |
| per loop, so the results shown here are representative for all plants currently under design.
| |
| Zn all cases, diverse automatic reactor trips insure a plant trip before any core damage or system overpressure occurs. Manual actuation of the auxiliary feedwater system is considered an adequate backup to the automatic actuation. There is sufficient time (24 minutes) and alarms to take credit for manual actuation.
| |
| <nteractions of steam generator level control and protection resulting C
| |
| ~rom random failure modes are presented in Section 4.2.5. Alarms actuated 5.2-1
| |
| | |
| or a complete loss of feedwater accident are presented in Tab le 5 .2-1
| |
| 'C
| |
| -.suit trees for loss of feedwater accidents are presented in Figures C
| |
| - 2 l, 5.2-2,and 5.2-3.
| |
| LOSS OF FEEDQATER - TRANSIENT ANALYSIS Several representative transient cases are evaluated for loss of feedwater accidents. Figure 5.2-4 shows the transient resulting from complete loss of the steam flow control signal. As shown by the figure, the Level Control System restores water level such that only a temporary decrease in ~ster level occurs. There is no approach to unsafe conditions or to any reactor trip set point.
| |
| Figures 5.2-'5 and 5.2-6 illustrate a typical complete loss of feedwater "o one steam generator 'of a two-loop plant. No credit was taken for reactor trips derived from the steam generator. The loss of subcooled feedwater is reflected to the reactor as a small decrease in therma1 I
| |
| load, causing the increase in pressure and temperature shown in the
| |
| -irst minute. (The reactor was assumed to be in manual control with
| |
| << manual correction.) One minute after the. loss of feedwater, the steam generator tubes begin to uncover, causing a rapid. pressure and temperature increase. If amchnum pressure control capacity (power operated relief valves) is available, the pressure rise is limited and a high pressure reactor trip does not result. A reactor trip on high pressurizer el occurs appro~tely two minutes after the loss of feedwater.
| |
| 5.2-2
| |
| | |
| l r>
| |
| | |
| Waterz inventory in the second steam generator is sufficient to bring the plant p an to normal no>>load condi tions . There is no overpressure ox loss ofo water from the Reactoz Coolant System.
| |
| figures,5.2-7 and 5.2-8 illustrate a worst case complete loss of feed>>
| |
| water to all steam generators with no trip from steam generatox instxu>>
| |
| ~tation. A conservative evaluation is done for a high-power densi.ty p an typical of current lant PWR design g.456 MWt 2>>loop). No credit is taken for charging systems or for energy absorption by metal in the Reactor Coolant System. The results are considered to be extreme values rather than realistic conditions for an actual plant.
| |
| The reactor trips on high pressurizer pressure about one minute after the loss of feed. Stored heat in the core continues to heat the reactor coolant and the pressurizer M.ls in about three minutes.
| |
| Steam dump values open fuU.y under Tavg control and reduce l steam line I
| |
| pressure.
| |
| After about ten minutes, the Reactor Coolant System begins to boy., aa "h<<h time the x'eactor coolant pumps are assumed to cease adding energy to the coolant. Boiling causes a rapid increase in the volumetric surge rate, and system pressure rises until the volumetric expansion is balanced by safety value capacity for water zelief. (No credit was taken "or the power-operated relief values in this analysis.)
| |
| te' generated in the core is assumed to fillthe upper reactor vessel, e steam generators, and half of the coolant piping befoxe escaping to e px'essurizer. During this four minute period, most of the reactor 5.2-3
| |
| | |
| e olant fluid'is lost as water discharge through the pressurizer
| |
| >+sty valve. As steam is discharge through the pressurizer, measure pre decreases to the set pressure for the safety valves.
| |
| After an additional ten minutes of boiling, (24 minutes after the loss of feedwater), the top of the core is nearly uncovered. Xt was assumed that the Auxiliary Feedwater System was manually actuated at this time (push buttons on the control board) and 200 gpm auxiliary feedwater per steam generator began immediately. Qithin two minutes of starting auxiliary feedwater, the steam generator heat removal exceeds decay heat and reactor coolant~emperature and pressure rapidly decrease.
| |
| 5.2.2 TYPICAL SYSTEM 1ESIPil REQVIEEMENTS Auxiliarv Feedwater System To prevent release of reactor coolant through pressurizer safety valves i
| |
| and to protect the core, a supply of high pressure feedwater must be provided for the removal of residual heat from the core by heat exchange in the steam generators when the main feedwater pumps cease to operate on blackout or because of fault conditions.
| |
| 'yp<<al criteria for actuation of auxiliary feedwater is presented in iable 5 2-2 afety zequi.rement is to include two separate auxiliary feedwater y terna to ensure reliability of supply.
| |
| 'ystem utilixas One s a steam turbine driven auxfLiazy feedwater pump, ae urbine being connected such that steam can be supplied from some
| |
| : 5. 2-4
| |
| | |
| t, nr ~ of the steam generators. The flow rate, usually about 200 gpm
| |
| >r stesteam generator, is, sufficient to maintain a milkman depth of water the steam generators.
| |
| ocher system utilizes two (2) reserve auxiliary feedwater pumps, a~ of about half the capacity of the steam driven. pump. How rate suf ficienc to ensure cooling of the system and to Prevent water discharge crom Reactor'oolant System xelief valves. The reserve auxiliary feed-vacex pumps normally are driven by prime movers using' source of energy other than steam from steam generators.
| |
| The head generated by the feedwater pumps is to be sufficient to ensure that feedwater can be pumped into the steam generacor when safety 'valves are discharging. Pumps axe capable of starting and delivering feedwater vithin two (2) minutes of the blackout or fault conditions requiring puup actuation.
| |
| >ie typical design basis for sizing auxiliary feedwater pumps is given by Table 5.2-3.
| |
| Sources of water for auxiliary and reserve auxiliary feedwater pumps are duplicated or if convenient, triplicated. Ordinarily, wager is
| |
| '}rawn from a condensate storage tank containing water of normal purity,
| |
| '<<may be drawn through emergency connections from other sources such
| |
| ~ city water, well water, fix~+in water, service water, etc., to obt ain a supply under sufficient pressure to satisfy auxiliary feed>>
| |
| pump suction requirements under emergency conditions.
| |
| 5.2-5
| |
| | |
| (
| |
| from the auxiliary pumps is delivered to the steam generators
| |
| ~pter pape pip elines separate from the main feed pipel ines . Pip elines are
| |
| ~~Jv spaced spa to assure that a single fault does not prevent feedwater
| |
| ~e whole of the auxiliary feedwater system (water supply, piping, diesel generators, etc.) must be "Class I" seismic design standard.+
| |
| pggp+ I
| |
| ~ Steam and Feedwater Pi in
| |
| < iailure of any main steam or feedwater line or malfunction of a valve
| |
| ~tel].ed the"ein or any consequential damage must not reduce flow capability if >e auxiliary (emergency) feedwater system, render inoperable any
| |
| ~eered safeguard service (i.e., controls, electric cables, containment aeM4 g piping, etc.), initiate a loss-of-coolant accident, cause failure if any other steam or feedwater line, result in the containment pressure exceeding the design value or impair its impermeability and integrity.
| |
| I
| |
| > steam and feedwater lines together with their supports and structures
| |
| ~<<en each steam generator and their associated isolation valves are to "Class l" seismic design standard.*
| |
| expression "Class I" used in this context is defined in e
| |
| oe sign of Nuclear Power Reactors against Earthquakes" in a document
| |
| ~titled "Behaviour of Structures During Earthquakes" Appendix A, by Housner, professor of Civil Engineering', California Institute of
| |
| , ~""oology. Pasadena, California. Published by American Society of
| |
| "-+1 Engineers - Engineering Mechanics Division. (October 1959 EM4)
| |
| : 5. 2-6
| |
| | |
| TABLE 5.2-1
| |
| ~S ACTUATED FOR A CO%'LETE LOSS OF FEEDWATER ACCIDENT Cause of fault (in general, any condition causing a complete loss of feedwater causes an alarm)
| |
| : 2. Low feedwater flow (partial reactor trip, two channels per steam generator)
| |
| Steam generator level deviation (one per steam generator)
| |
| Low steam generator level (partial reactor trip, in coincidence with 2. above, two channels per steam generator) a
| |
| : 5. Low-low steam generator level (reactor trip, thr'ee channels per steam generator)
| |
| : 6. Automatic control rod motion
| |
| : 7. T avg deviation
| |
| : 8. High T avg (3 or 4 channels)
| |
| : 9. Pressurizer level deviation LO. High pressurizer pressure (two channels)
| |
| : 11. Pressurizer relief line high temperature l
| |
| High pressurizer pressure reactor trip Note: It is assumed that the- turbine and reactor are tripped on high pressurizer pressure.
| |
| Pressurizer safety valve outlet high temperature
| |
| ~4 'igh pressurizer level reactor trip Low steam line pressure (not on all plants)
| |
| ~6 ~ Pressurizer relief tank liquid high temperature
| |
| ~7 'ressurizer relief tank high pressure
| |
| ~8 'ressurizer relief tank high level 19.~ High containment pressure (safety injection actuation, at about lO~ of design pressure) 10 Low pressurizer level (partial safety in)ection actuation)
| |
| | |
| TABLE 5.2-2 TYPICAL CRITERIA FOR AUXILIARY FEEDVATER ACTUATION Motor"Qxiven P s Low-low level in any steam generator starts both pumps.
| |
| action requires the same bistables and relay logic as used for the reactor trfp. (2/3 circuitry for any steam generator) .
| |
| b) Opening of both feedwater pump circuit breakers staxts both pumps (1/1 + 1/1 logic).
| |
| c) Safety injection sequence d) Manual.
| |
| Turbine-Driven P a) Low-low level in two steam generators. (Same circuitry as I.A. above) b) Loss of voltage on both 4KV buses (1/1+ 1/1 logic) c) Manual.
| |
| : 3. General Criteria a) All three pumps are to have independent starting circuits such that no single failure prevents mire than one pump from starting.
| |
| b) Instxmentation and logic circuits for la and 2a must meet the single-failure cxiterion fox actuation and be capable of testing at po~er. Compatibility with reactor trip circuit testing is also required.
| |
| c) Spurious actuation due to unusual failures is tolerable, but routine testing of reactor trip circuits should not cause spurious starts.
| |
| | |
| COMPLETE ROD WITHDRAWAL FROM MAX.
| |
| HJLL POWER
| |
| -- BBCINNZNC OF CORE LIFE 400 :-":.'-.='::.
| |
| / HZ PRESS URE ALARM
| |
| -,'tL.'-':4:-:1::!! t:::il::-::rWI'.='= Qptftt!ti.
| |
| MIDDLE OF CORE LIFE
| |
| !r.'L "
| |
| 0 0 20 40 60 80 100 120 140 160 TIMEN SECONDS HI LEVEL ~a I fl P~&l 800 4
| |
| & NN aW i5 0 40 60 80 100 120 140 160 TIMEN SECONDS
| |
| 'Wa .IB N ~
| |
| 2.0 HOT QQLNNEL:1-WOO I ~
| |
| 1.5 t~IVPfPt NC1 BBBMILY 1.0 .- DNBR MIN.
| |
| :~ 1.30 0.5 0
| |
| tll ')"
| |
| 20 '0 60 80 100 120 140 1 0 TIME, SECONDS
| |
| | |
| TABLE 5.2>>2 d) Instrumentation and logic for lb and 2b should be considered as operational signals for economic (not public safety) protec-tion, (SimQ.ar to reactor trip on reactor coolant pump circuit breaker opening) .
| |
| e) As Engineered Safeguards components, the actuation circuitry for auxiliary feedvater actuation shall meet all appU.cable IEEE Design Criteria.
| |
| | |
| e' TABLE 5.2-3 CAL DESIGN BASIS FOR SIZING AUXILLQE FEEDWATER'PUMPS I ~~DRIVEN PUMPS
| |
| ~
| |
| steam~riven pump capacity is adequate to maintain at least lp feet of water in all steam generators in the event of loss of station power from normal full power operation. No credit is
| |
| ~owed for motor-driven pump capacity.
| |
| ~OR-DRIVEN PUMPS
| |
| 'I Each moto~ven pump, by itself,. is 'adequate to prevent water relief from the pressurizer relief valves under the following as sump tions.
| |
| a) Plant trip occurs frommaachnun steadymtate power and temperature.
| |
| conditions.
| |
| b) All steam generators are at their low low leve1 trip points at the time of trip.
| |
| c) No credit is taken for any additional sources of feedwater after trip (station blackout assumed.)
| |
| d) At least half, but not all of the steam generators are supplied.
| |
| with amcLliary feedwater.
| |
| e) Natural circulation exists in the Reactor Coolant System.
| |
| 0 No credit is taken for charging or letdown from the Reactor Coolant System.
| |
| g) Applicable starting delays and feedwater pipe purging times are used.
| |
| | |
| '.m
| |
| ~ I' l
| |
| ~O FAULT TRtt FOR IDSS Ol'IB+STIR F(DM CORE SECIHS To UNCOVER INSUffo S Iol gURCINC CAT. A TIKE (ilo NIH.)
| |
| NAHUAL f ll Ao 0 0 $ o NANUAL TINE A,F,M,S, (o lo NIN.)
| |
| RCS HEATS OH DECAT HEAT M Oo AUTO, A. F.M.S.
| |
| STATION ALL SoCo'S Dtf (Stt FICURR Sot I RoTo ON H'lo FREE HOTEl HI. FREES. R.T. NAT bt HECSSSART TO =
| |
| FREVBIT STSTtà OVER TRESSURE OIlltt SoCo'$ bCS HFATS Q(FTT SoC TURES RECIN To UNCOVER IO IO IXIOL IO I I. OIO. IIOII OOI. IIIOII MIO I. OIO. IOI OOO OOO LOM SoCo LEVEL
| |
| ~M SINo NIS NANUAL REACTOR IRIF-AND IP SLUM LOSS Or RAPID lOSS OF LEVEL LEVtL AbbbtVIATIOHS LOSS OF RCS ~ REACIOR COOLANf STSTEN SoCo LEVEL RT REACIOR IRIF S. I SAftff IlQECTION Fo Mo ftEDMATER REACIOR AT FMRo AofoMoSo AUIILIART FoMo START MITH IHSUFF. F.M Sooo~ STEAN CENtRATOR NJ4 NOIOR DRIVEN OR NECRANICAL FAULT AUTO. C(NIROL ELECTRICAL fAULT LOSS Of FELID FAULT (Stt FICURR Sot I)
| |
| | |
| pan.T Tace poa ross op pcaeATca nuu SER Flcuac S.I-I AUTQtATIC CONTRO ELECTRICAL fhULT LOSS Of f.M.
| |
| FAULT SUCTION I
| |
| 2/> Hl. LEVEL IHCOHPLETE S.le RQQIHIHG F.Mo CLOSES F.M. VLV SIGQ- H$ R.T.
| |
| MHAN~
| |
| I LOOP LOSS Of COOIAHF FLOV RE-f.M. VALVE CLOSE EI CONTROL fAULT REACTOR AT BILL POllER S. CEN. LEVEL RFACIOR AT RE-CONTROLLER fAUL OR DUCID FOlXR I PLPIP L.O. F.M.- 4 EV. RUS FAILURE LOSS OF COH-TNFROFER cxTe (ELEC. FAULT) ONE SUS OENSATE tUHPS IN CONTROLLER I ~
| |
| lie OR SS OF HTR. DRAB fLBP LO. SIN. fLOM Rl fEED BOll HI LEVEL INDICA-C T OH T OH TION (R,t.S.) AILURE OF COH-EHSATE RYPASS Ab baEVIATIONS R.T. - REACTOR Tait S.l. -,SAfETT IHIECTION R.t.S. - REACTOR PROTECTION STSTEH fAILURE CONDITION f.M. - FEEDMATER Aaf.M.S. - AUXILIARY f.M. START fIGURE 5.2-2,
| |
| | |
| ~ ~
| |
| FAULT TREE POR LOSS OF PEEDWATER PLOW SEE FIGURE 5.2-1 STATION BLACKOUT WITH LOSS OF PEED STM. GEN. LO-LO LEVEL A.F.W.S.
| |
| LOSS OP LEVEL IN STM. GEN.
| |
| F.W PUMP BKR. 4 KV UNDERVOLT MOTOR A.F.W S STEAM A.F.W S.
| |
| (LOSS OP REACTOR COOLANT FMW REQUIRES 2963)IATE REACTOR TRIP)
| |
| COMPLETE LOSS OF 4 RV SYMBOLS ABBREVIATIONS F.W. - PEED WATER A..P.W.S. - AUXILIARY P.W. STAR]
| |
| FIGURE 5.2-3
| |
| | |
| lt F F
| |
| | |
| LEVEL RESPONSE TO LOSS OF STER %AN SIGNAL PROP + INTEGRAL PROP + INTEGRAL K + 1 1S K
| |
| 2
| |
| + T 1
| |
| S PHEOMATIC POSITIONER POSITION Q NORMALIZED STEhK FLOQ 8
| |
| PLOW W
| |
| 8 Qf NOHHAIZZED PEEDWATER Qf K <<1 fe -1 T 1
| |
| -200sec K ~ 10 T ~ 200 sec 2 2
| |
| ~ -" FEED%TER VALVE
| |
| ~
| |
| POLLY OPEN
| |
| ~ ~ 4 ~
| |
| ~ ~ ~
| |
| ]
| |
| ~ ~ - ~ ~
| |
| I
| |
| ~ - I l ~
| |
| ~ ~
| |
| 10 10 20 20
| |
| ~, 30 SECONDS 30 40 40 50'0 50 60
| |
| ~ ~ ~ ~
| |
| ~ ~
| |
| ~ ~
| |
| ~
| |
| I'
| |
| ~ W
| |
| ~
| |
| ~ ~
| |
| ~ ~
| |
| I .~~o FZGaaE 5.2-4
| |
| | |
| LOSS OF FEEDQATER TO ONE STEAM GENERATOR AT T ~ ONE SECOND TYPXCAL TWO-LOOP PLANT 2600 2200 W =LL:
| |
| ~
| |
| ~ t 1800 ~ I t
| |
| ~ ~
| |
| 1400 800
| |
| ~ ~ ~
| |
| 600 PRESSURIZER .
| |
| LEVEL HEACTOR TRXP-'
| |
| 400 ~ t
| |
| ~t 200
| |
| ~ ~
| |
| '25,,dao
| |
| ~ ~ 4 ~~ ~ ~
| |
| 50,00 25,Oej 40 80 120 160 200 MME, SECONDS FIGURE 5.2-5
| |
| | |
| LOSS OF FEEDWATER TO ONE STEhH GENERATOR AT T ~ ONE SECOND" 640 ~ l I ~ E ~ ~ ~ I
| |
| :". I: A. ~ I ~
| |
| 'I 620
| |
| ~
| |
| ~
| |
| " ..:.::.-. ~:
| |
| ~ ~ ~ ~ ~
| |
| 600 E"'3'-'- =
| |
| ~ ~
| |
| 580 ~ ~:
| |
| 500
| |
| .L-- ..:4.P':: ll=.
| |
| 540 S
| |
| 500 1.0
| |
| .8 COEE POWER
| |
| ~~
| |
| '-:=..
| |
| .6 i -.:) "'TOTAL GEN.
| |
| ~ 2 0 40 80 120 160 200
| |
| ~, SECONDS FIGURE 5 2-6
| |
| | |
| l~
| |
| Q2IPLETE LOSS OF PEEDWATER
| |
| << ~ ~
| |
| I ~
| |
| 0 ~ I
| |
| ~ ~~ ~
| |
| I e e
| |
| e i ! i~ : . . i'.
| |
| I ~
| |
| ~ I
| |
| ~ I ~ I I
| |
| >> ~
| |
| e ~
| |
| ~
| |
| ~
| |
| 'I ~~
| |
| 0 500 1000 1500 F00 TIME SECONDS I~ I r~~
| |
| I, t ':I e'e t ~ ~
| |
| ' ~
| |
| (
| |
| I:::: J<<i I~
| |
| I.<< ~
| |
| ~
| |
| 50 n I.. ~:: (r
| |
| ~
| |
| ' i:..( I~.
| |
| I
| |
| ~
| |
| I
| |
| ~ ~
| |
| 'I'~
| |
| e ~ e ~
| |
| I . ~ e I.e I '
| |
| e I~ I ~
| |
| 0 0 500 00 1500 3.0 TIME SECOR)S
| |
| ~ I STEhM PLOW
| |
| ' TO PRESSURIZER I(i WhTER BKZEF j I
| |
| (*'
| |
| e 2e5 2.0 STEhM RELIEF HZ PRESS
| |
| -'-'I'<<'U-TRZP
| |
| -'KCEIES BOILIHG IHS
| |
| ~ e ..
| |
| . COHDENSATZOS BOILS II....j; -.-:i:<<; ';;,I I-:;:
| |
| ~
| |
| ~:.
| |
| 0'0 10 00 1500
| |
| ~ ~
| |
| :~ I I : 4 J<< ~
| |
| ::. i . -. ~~
| |
| .:::.. :: LI I
| |
| I
| |
| ~:- BOTLTHG I~
| |
| 200 f
| |
| ~
| |
| t WhTER R1KXEF:: .-.; hei ~
| |
| g~i'.I: . I~ . ~i .:. '"::.:.ll'. I I I (:-:
| |
| ~
| |
| ~,
| |
| 100 .II I."I e
| |
| "".,: hIEZLZhRT PEH
| |
| " 'HsSRS ga i:I I. ':j ~
| |
| e 0
| |
| 0 500 1000 1500 TIME AFZER LOSS OF PEED, SECONDS PIGUBE 5 2 7
| |
| | |
| CQHFLEZE LOSS OF PEEDWATEK
| |
| ~+
| |
| o 600
| |
| ) $ 50 0 500 1000 1500 TZHE, SECONDS 10QO la 8QQ 6QQ .
| |
| '0 gQQ Q
| |
| 0 500 1000 1500 2000 TIME, SECONDS
| |
| | |
| AUXILIARYFEHNATER SYSTEM SCHEMATIC 2 LOOP PLANT Motor Operated Valve M Pneumatica11y L O. Locked Open Operated Valve Manual Valve (normally open) I,~
| |
| MOTOR OPERAL~
| |
| STOP CHECK VALVE Condensate CHECK VALVE Prom Alternate Water Supply Manual Valve (normally closed) ~
| |
| Storage (CLASS I)
| |
| Tank CLASS IXi CLASS I L 0. LO L.O.
| |
| Motor Motor Drive Turbine Drive f Drive Prom Main Peedwater System SG B
| |
| -"rom Main Peedwater System FIGURE 5.2 9
| |
| | |
| 4*
| |
| OF COOT ~i - ~
| |
| OW ANALYSIS LO OSS c~3 I INTRODUCTIOÃ ~SD
| |
| | |
| ==SUMMARY==
| |
| | |
| ~
| |
| eaten tthee reactor is ~ the power range of operation, loss of coolant flow potential conce-n. Without suf ficient flow, DNB and clad failure
| |
| ~d quickly occur.
| |
| estinghouse PWR's, constant-speed pumps supply coolant flow. Plow is egulated or otherwise varied. High-inertia flywheels are mounted on each.
| |
| so that flow dec=eases ovex' period o f time (typically 12 seconds to f flow) following a loss of power to the pump motor. This flow coast-ioMn allows for Protection System tMe delays and remova1 of stored heat in xbe fueL. Subsequent decay heat is removed by natural circulation.
| |
| Diverse, redundant protection circuits are provided to protect against all possible loss of flow accidents. These protection circuits axe evaluated this report for multiloop loss of flow, single loop loss of;flow, and
| |
| ~othetical pumo seizure. Although design Limits might be exceeded, the onsequences are found to be tolerable in all cases even if any one protection circuit failed to per orm its function.
| |
| -3. Z PROTECTION SYSTRf DESCRIPTION erous reactor trf.p circuits provide core protection for a Loss of flow
| |
| ~c-"ident. These trips are:
| |
| reactor'oolant flow, Reactor coolant pump bus Low voltage, Reactor coolant pump bus Low frequency, Reactor coolant pump bx'esker position, Overpower Delta-T.
| |
| 5.3-L
| |
| | |
| percept for the overpower Delta-T trip, all trips are blocked below 10X power.
| |
| Low Reactor Coolant Flow Three redundant flow channels are provided for each loop. At high power, loss of flow in any loop, as sensed by two of the three channels, actuates a reactor trip. The set point for this trip is typically at 90X of normal indicated flow.
| |
| At lower power (typically 50X, 65X, and 75X for 2, 3, and 4-loop plants respectively) loss of flow in any two loops actuates trip. The same flow set point and 2/3 logic is used as for the single loop low flow trip.
| |
| Reactor Coolant Pump Low Volta e In order to insure that total loss of pump power does not violate the core design limits, a reactor trip is actuated by low voltage on thy, reactor I
| |
| coolant pump buses. The design requirement is to meet the single-failure criterion for complete loss'of pump power. The trip logic is generally such that loss of power on any two buses causes a reactor trip.
| |
| Typical set points for this trip are in the range of 60X to 80X~of normal voltage.
| |
| Reactor Coolant Punm Low Fre uenc The reactor coolant pumps are provided with flywheels to increase their rotating inertia. This provides forced circulation for some period of time after a loss of power. It is conceivable that a rapid system fre-quency decrease would slow the pumps down faster than for a loss of power.
| |
| 5.3-2
| |
| | |
| Therefore, an undhrfzequency reactor tirp is provided. The trip logic is identical to that used fox the undexvoltage reactox trip. In addition to tripping the reactor, underfxequency also trips open the reactor coolant Pump circuit breakers to maintain effective flywheel inertia.
| |
| Typical setpoints for this txip are in the range of 56 - 58 cps.
| |
| p Circuit Breaker Position A reactor trip dezived from auxiliary contacts on the reactor coolant pump circuit breaker affords additional safety mazgin for the most Likely causes of loss of flow. Trip logic is shear to that used fox the low flow'rip; i.e., opening of any breaker, as indicated by a position contact, actuates a zeactor trip at high power, and opening of any two breakers at reduced power actuates a trip.
| |
| Ove ower Delta>>T Reactor Tri This trip circuit is designed to protect the core against overpower transients. However, since Delta>>T increases as flow decreases, it also provides backup protection for loss of flow accidents. On a two-loop plant, two Delta-T channels per loop are pxovided; one channel per loop U provided on thx'ee- and four-loop plants. For aLL plants, trip of two channels trips the reactor. During steady-state operation, the trip set-Point for these channels is in the range of llOX to 120X of the normal Delta-T indicated at full power. This setpoint is automatically reduced
| |
| <<r increasing temperature (x'ate of change of T avg )
| |
| to compensate for piping delays. (However, the setpoint is not increased for decreasing T avg
| |
| .) Since avg also increases following a loss of flow accident, the Delta-T set-5.3-3
| |
| | |
| 4@i'4. a*A'4" pooint decreases at. the same time as Delta-T increases. This significantly decreases the trip delay time.
| |
| ggarlacks
| |
| ~cept for the overpower Delta-T reactor trip, the loss of flow protection trips are blocked at low power. This interlock is in itself redundant and diverse, in that the trip signal is passed. if either 2/4 nuclear channels indicate above 10X or if 2/2 turbine load signals indicate above 10X.
| |
| Single loop loss of flow trips from low flow and circuit breaker position are blocked at reduced power. (The trip is passed if 2/4 nuclear channels indicate above a preset, power.) Since these two trips share a common, nonMiverse interlock, they should not be considered as. completely diverse protection functions.
| |
| 5.3.3 MULTILOOP LOSS OF FLOW I
| |
| A fault tree for a multi-loop loss of flow accident is shown, on Figure 5.3-1.
| |
| Only electrical faults can cause all pumps to fail simultaneously, and the undervoltage and underfrequency reactor trips provide direct protection against these faults. The low flow reactor trip circuits provide backup protection for this accident, and they do not necessarily insure a minimum DNB ratio greater than 1.30.
| |
| Figure 5.3-4 illustrates the transient resulting from a complete loss of flow accident representative of high power density plants currently under design. The solid lines represent the design case, with reactor trip on undervoltage. The dashed lines illustrate the calculated transient if this reactor trip is neglected.
| |
| 5.3-4
| |
| | |
| ~ese caalculations c are done by standard design methods, with the usual sssump<< tions for safety analysis; e.g., the most adverse steady-state rating conditions at the time of trip.
| |
| opera
| |
| ~e accaccident is relatively rapid, with a DNB ratio of 1.3 in..the hot channel reached in about two seconds. It is not appropriate, therefore, gp ssume assum any manual corrective action. Also, the minimum DNB ratio is reached at the time the hot spot heat flux begins to decrease. There is little transient overshoot except for reactor trip time delays.
| |
| The undervoltage trip ii the design protection for this accident, and it meets the requirement that, the minimum DNB ratio does not fall below 1.30. Less restrictive requirements would be imposed on a backup trip.
| |
| A minimum allowable DNB ratio of 1.0 in the hot assembly, could be selected on the basis that this would insure that core damage, if it occurred at, all, would be limited to a very small fraction of the coze. (The peaking factors in the hot assembly are essentially those in the hot channel gthout al1owance for engineering subfactors.) Alternately, a hot-spot clad melting limit could be imposed for this accident on the backup protection.
| |
| With either requirement, Protection System diversity exLsts.
| |
| The low flow reactor trip point is reached at 1.8 seconds, assaying a 3Z error in the set point (trip point at 87X flow). Although the hot channel minimum DNB ratio is somewhat below 1.3, the hot assembly minimum DNB ratio is still well above 1.0. If DNB should occur at the
| |
| >>t spot, the transition boiling correlation'ndicates that peak clad temperature would be in the neighborhood of 1000'F, and no clad damage is expected. (See results for single 1oop loss of flow.)
| |
| 5.3-5
| |
| | |
| Nee De D ta- transient is calculated for this lta-T case. Because of piping trument delays a trip signal would not be generated until about
| |
| ~d instrume geconnds after the loss of flow. The effect of rate compensation on is to reduce the trip set point. Even with this longer trip delay, ave die peaak clad temperature is not expected to exceed 1500'F, we11 below
| |
| <he melting point. Therefore, three levels of protection exist for a
| |
| ~nltiloop loss of flow accident..
| |
| 5.3,4 SINGLE LOOP LOSS OF FLOE A Eault tree for a single loop loss of flow accident is shown on Figure 5.3-2.
| |
| Vote that loss of power to one bus is the only credible way this accident can occur without an immediate trip from the pump circuit breaker. {An open circuit in the pump motor is a highly unlikely fault, and is shown r
| |
| Eor the sake of completeness.) The circuit breaker trip is therefore classed as a backup, or anticipatory, trip.
| |
| I Figure 5.3-5 illustrates the transient resulting from a single-loop loss ot flow accident in a high-power density, two-loop plant. The transient h
| |
| is less severe in a three or four-loop plant.
| |
| The low-flow reactor trip is the design protection for this accident,
| |
| <nd it meets the design requirement of minimum hot channel DNB ratio uo less than 1.30.
| |
| If the accident is caused by loss of bus voltage, and no credit is taken Eor the low flow reactor trip, the hot channel DNB ratio would be less than 1.3. However, a reactor trip on high Delta-T would terminate the 5.3-6
| |
| | |
| icc ident before 18B occurs in a significant percentage of the core.
| |
| sag pssumI that the hot spot goes into DNB at the time the hot spot DNB
| |
| +t j o is L. 30, and assigning a conservative additional instrument delay of rat p 9 sec to the Delta-T trip, a peak hot spot clad temperature (on the inner clad surface) of appro~tely 1300'F is calculated using a transition boiling correlation.
| |
| Only the Delta-T S transient for the active loop is shown on Figure 5.3-5.
| |
| For the dead loop, Delta-T increases somewhat more rapidly. On a two-loop plant, two Delta-T channels exist on each loop, so a reactor trip is expected earlier than is shown.
| |
| Ia summary: For a single loop loss of flow accident, Protection System ddversdty does seder. At least tso, and generally three, dndspendent levels of protection exist.
| |
| 5.3.5 LOCKED ROTOR ACCIDENT The hypothetical'case of an instantaneous pump seizure. has been 'evaluated
| |
| <o determine whether diversity exists. The fault tree is shown on Figure 5.3-3.
| |
| If this accident occurs when the reactor is at high power, the core design limits are exceeded independent of any protective action. The design requirement for this accident is to prevent any consequential failure of
| |
| <he Reactor Coolant System. Failure could be caused by high system pressure.
| |
| Also, systems calculations cannot be done with confidence if gross core damage occurs. For this reason, core conditions are evaluated.
| |
| 5.3-7
| |
| | |
| The transient for a hypothetica1 locked rotor accident is shown on Figure 5.3-6. .Flow through the Reactor Coolant System is rapidly reduced, Leading to a reactor trip on a low-flow signal. Following the trip, heat stored in the fuel rods continues to pass into the core coolant, causing the coolant to expand. At the same time, heat transfer to the shell side p f the steam generator is reduced, first because the reduced flow resuLts in a decreased tube side film coefficient and then because the reactor coolant, in the tubes cools down while the shell side temperature increases (turbine steam flow is reduced to zero upon plant trip). The rapid expansion of the coolant in the reactor core, combined with the reduced heat transfer in the steam generator, causes an insurge into the pressurizer and a pressure increase throughout the Reactor Coolant System. The insurge into the pressurizer compresses the steam volume, actuates the automatic Spray System, opens the power~perated relief valves, and opens the pressurizer safety vaLves, in that sequence. The two power-'operated relief valves are designed for reLiable operation and would be expected to function properly during the accident. However, for conservatism, their pressure-reducing effect is not included in the analysis.
| |
| With no protection, a peak reactor coolant pressure of approximately 3050 psia would be reached about. 3.5 seconds after the pump seizes. After this time, fluid, mixing and increased heat transfer in the active steam generator tend to reduce the pressurizer surge rate, and the pressurizer safety valves reduce pressure. (During the peak, the pressurizer surge rate may slightly exceed the pressurizer safety valve capacity, but pressurizer pressure does not significantly exceed the safety valve set 5.3-8
| |
| | |
| ><assure p lus Us aU.owance for accumulation.) Although the normal code-allowable pressure oof 2750 psia is exceeded foz this accident, the peak pressure is below thee ultimate u strength of all members of the Reactor CooLant System by an approxximatea factor of two. Therefore, the Reactor Coolant System would z'ega jn intact o In the core, clad melting at the.hot spot inner clad surface begins at.
| |
| 24 seconds. After this time, system calculations are uncertain.
| |
| The reactor trip set. point for the redundant low flow instrumentation on the affected loop is reached within 0.1 seconds. Assuming DNB at 0.1 seconds, and. a conservative trip delay (2 seconds befoze the nuclear flux is reduced to 80X), the peak clad temperature is approximately 1%0'P and is reached at 4.5 seconds. Other calculated results for this case are peak system pressure of 2800 psia and less than 20K of the fuel. rods with a k
| |
| calculated DNB ratio of 1.0 or less.
| |
| Neglecting this trip, a high pressurizer pressure trip point would be C
| |
| reached at about 1.5 seconds,'nd a high Delta<<T trip (from the active loop) would be reached at about 4.5 seconds. The peak clad temperature for these cases would be 1750 and 1950 for the high pressure and high Delta>>T trips respectively. Since these values are well below the melting point, no gross cLad failure is expected.
| |
| In summary: For the hypothetical locked rotor accident, core design Limits may be exceeded. However, three independent, diverse levels of protection exist, any of which would insure that the Reactor Coolant System boundary is not violated.
| |
| 5.3-9
| |
| | |
| FAULT TREE FOR MULTZLOOP LOSS OF FLOW PROBABLE GROSS CORE DAMAGE HI 4T SLS R.T.
| |
| COND XTIO POSSIBLE CORE DAMAGE FAXL'ORE LOW PLOW R.T.
| |
| DESIGN CORE LIMITS EXCEEDED L.O;F. LOSS OF FLOW (DNBR < 1.30)
| |
| R.T. - REACTOR TRIP R.C.P. REACTOR COOLANT PUMP REACTOR
| |
| .AT HXGH
| |
| ~~POWER ~
| |
| ALL LOOP L.O.F.
| |
| WXTH NO IMMEDIATE R.T OR UNDER BKR.
| |
| VOLTAGE OPEN R T. R.T.
| |
| LOW FREQUEHCY SIMULTANEOUS SIMULTANEOUS ON LOSS OF R.C. P. BKR.
| |
| ALL BUSES POWER OPTING
| |
| ."IGURE 5.3-1
| |
| | |
| FAULT TREE IOR SIICLE UM)t lOSS OF FMQ tRObhhLK CROSS CORE NHhCI Nl AT R.T.
| |
| CONDITION CORK DKSICN LINITS KICKKDKD UN FLON R>>T>>.
| |
| L>>O>>F ~ MSS OF FLON CORK DNSR>>l 3 R>>T>> ~ REACTOR IRIt R>>C>>t ii RKACFOR COOIANT FUNt hfACIOR AT RICiR FOMER'llCLE LOOt L>>O>> (I) REACTOR'NOFFKTION SISTIIl NO INNKDIA (2) ELECTRICAL thOFKCTION STETS)I SINCLE UXlt R C lAl5$ OF bUS FAULT PARR SKR OFKN R>>E, SUS FAULT IO (I) ntKN SKR. a TSKF AKD SKR IO OPENS TRIP !KACIOR (2)
| |
| R>>C>>P>> bKR>> Ot IC>>P>> OPEN CKT>> R>>C>>t>> QIORT CKT SUS FAULT INC PI&et $ 3>>>>2
| |
| | |
| ~ q I
| |
| I i
| |
| | |
| ROTOR ACCIDENT FAULT TREE FOR LOCKED PROBABLE GROSS CORE DAMAGE HI dT R.T.
| |
| HI PRESSURE R.T.
| |
| PROBABLE CORE DAMAGE LOW FLOW R.T.
| |
| CORE DESIGN LIMITS EXCEEDED SYMBOLS REACTOR AT HIGH POWER CONDITIO R.C.P. MECHANI FAIISRE (LOCKED ROTOR)
| |
| R.T. - REACTOR TRIP R.C. P. - REACTOR COOLANT PUMP FIGURE 5.3-3
| |
| | |
| h Pt ~ >a' Es KULTI~P LOSS OP PLOW, TYPIChL PL@K
| |
| 'I
| |
| ~ t
| |
| ,pe HOT SPOT CORE HKLT FLUX FLOW 'UNDEKVOLThaK 80 lzazH..
| |
| NUCLEhR a 70 POWER PO {meZRVOLTaCZ
| |
| ,TRIP) 60
| |
| ~ I~
| |
| a: t I
| |
| 50
| |
| )i HOT I(
| |
| MXH. DHB RATIO =
| |
| ASSMLY '-- )
| |
| ~
| |
| fe l.6 ~
| |
| J 1.2 L00 0
| |
| | |
| SIC LOOP 100 LOSS OP Klà 2-UNp MT 90 80
| |
| ~0 70 DEAD:
| |
| LOOP OW 50 1.8 :.:. i HIM. DMS RATIO j ~ I~
| |
| ROT ASSZ8BLY 1.4 1.0 1400 NO TRIP 1200 aoo TRXP ~
| |
| * I ON LOW PLOW
| |
| ~ \
| |
| ~
| |
| .~
| |
| ~
| |
| 120 TRXP POISE
| |
| ~ ~
| |
| HX 4T- =-
| |
| DELTh T ...TRZP I u.p NO TRIP ~
| |
| (ACTIVE LNP TRZP PolllT 100 0 1 2 '3 4 5 6 7 8 9 10
| |
| ~ jj&la 'e ht TPVr tmTP C 0 C
| |
| | |
| LOCKED ROTOR, LOSS OP HOW 2 LOOP PLANT
| |
| ~ ~
| |
| ..i I I
| |
| ACTXVZ MOP ~ ~ ~ ~
| |
| F00 ~ ~~
| |
| ~
| |
| * SO
| |
| ~ ~
| |
| 60 CORE PL(M
| |
| ~ ~ ~ I]JJ ~ ~ ~ ~ w ~
| |
| 40
| |
| ~ I I ~ 'I
| |
| ~ ~
| |
| DEAD LOOP ~ ~ ~
| |
| 20
| |
| ~ 0
| |
| ':.l I ~ ~ ~
| |
| 5 6 3000
| |
| 'o '.I'.
| |
| ~ I zsoo
| |
| ~ ~
| |
| ~ >>
| |
| l-
| |
| ~
| |
| ~ ~
| |
| S
| |
| ~
| |
| ~ ~
| |
| 'NO TRIP OJ REACTOR f 2600 COOLANT LOP FL(N TRIP SYSTEH 2400 PRESSURIZER
| |
| ~ ~
| |
| ~ o ~
| |
| ~ ~
| |
| ~ ~ ~ \ ~
| |
| 2200
| |
| '0 TIHE, SECONDS 3000 '
| |
| I
| |
| ~
| |
| I I I fI ~ ~
| |
| I. TIHE OF REACTOR. NO TRIP -=
| |
| 2500 J~+>> (SEC)
| |
| ~ e
| |
| ~
| |
| t 2000 I
| |
| ~~ ~ ~ \
| |
| 'l
| |
| ~
| |
| e
| |
| ~
| |
| l )
| |
| 44
| |
| ~
| |
| ~ i I ~ I F500 H 2
| |
| ~ ~
| |
| ~ ~
| |
| ~ I ~
| |
| ~
| |
| I I
| |
| L lOQO I
| |
| ~%
| |
| ~ ~
| |
| ~ ~ << I 500 2
| |
| TIHE AFTER PUHP SEIZURE, SECONDS
| |
| | |
| 0 ROD JUNCTION ANALYSIS ji4 r:.'.-
| |
| INTRODUCTION AND
| |
| | |
| ==SUMMARY==
| |
| t~
| |
| e
| |
| * 5 4~ ~ ~ = ~
| |
| vl ~
| |
| Ie
| |
| ~e pzzimary protection for a rod ejection accident is a reactor trip on
| |
| ~ighh nuclear nuc flux. The nuclear flux instzumentation is made up of four ce>p eletely separate sensors and channels, and reactor trip is actuated if any two channels indicate high power. Analysis has been conducted to determine the consequences of a hypothetical failure of all the nuclear channels coupled with a hypothetical rod ejection accident.
| |
| Analysis, made on the basis of the Ginna Nuclear Plant of Rochester Gas a Electric Co. (RGB), indicate that in the majority of rod ejection cases I
| |
| ~,
| |
| no protection is required (for example, ejection of a zod from its normally-expected position). It is further shown that the Delta-T trip provides an acceptable second level of defense for some cases. However, protection can not be demonstrated for some of the more severe full power cases.
| |
| Protection may in fact exist, but it is not possible to positively demonstrate this with the currently available models.
| |
| An analysis of the available trip has been made, and is compared with an I
| |
| arbitrary clad limit of 2750'F and an arbitrary pressure Vms of 3000'psi.
| |
| Two detailed cases are presented: a severe case from zero power end of core life, and a moderate case from full power end of core life. No reactor trip has been assumed for either case.
| |
| 5.4.2 CASES CONSIDERED IN DETAIL Zero Power Case The case considered represents a zod ejection accident for an end of life core.
| |
| The assumed ejected zod worth and hot channel factor aze 1.0X6k and 12.5 respectively.
| |
| | |
| ~ting power transient and hot spot temperatures are detailed in
| |
| ~~ result 5.4-1.
| |
| F
| |
| ~+ fina 1 ssteady power level is conservatively assumed to be 15X of full
| |
| ~er. This power level is lower than the value which one might normally
| |
| ~q)ect foz a rod reactivity insertion of 1.0<k>> owing to the high feedback i
| |
| ueig hting factors- {The large hot channel factors results in a large power n<e in the hot spot, where the statistical weight is high). The prompt yzst results in a reactivity undershoot which, combined with the shortage of delayed neutrons, temporarily fozces the power to a value below equilibrium condition. The power level is assumed to ramp up to 15X at 5 seconds after e]ection>> although calculations indicated that it would take much longer to reach this power level.
| |
| The plotted hot spot temperatures indicate that equilibrium conditions can be sustained. Zt is therefore concluded that no protection is required for this accident.
| |
| Zn general, the ejected rod worths and hot channel factors arq lower for the beginning of life zero power cases, and therefore the consequences are expected to be, somewhat less severe.
| |
| Full Power End of Life Case The case presented is for a rod ejection accident occurring at the end of core life with an e5ected rod worth of 0.336k and a hot channel factor of 3 '3. The power transients and hot spot temperatures are detailed in Figure 5.4-2. The equilibrium power level is 112X of full power.
| |
| 5.4-2
| |
| | |
| 0 pe k cladding temperature of 2950'F occurs some 50 seconds after ge
| |
| ,ection Under equilibrium conditions, some 50X by volume of the hot 0]
| |
| ~~c ue is melted.
| |
| fuel A reactor trip'n overpower Delta-T occurs at 6 recon s, limiting clad temperature to about 2400'. This case represents evere
| |
| ~ <eve accident, but is not intended to represent a limit.
| |
| > ~~lar rod ejection accident, occurring at the beginning of life, auld result in an equilibrium power level of about 12SX of full power, ith an equilibrium cladding temperature of the order 3100'F to 3200'F.
| |
| 5.4.3 BACK<<UP TRIP PROTECTION The most limiting cases occur at or near full power. The protection System is examined to determine under what circumstances a trip signal would terminate a rod ejection accident at full power. The results of the study are illustrated in Figure 5.4-3.
| |
| The graph is a plot of total excess nuclear energy addition versus time.
| |
| Steady full power operation results in a locus covering the hd~ontal axis.
| |
| The nuclear flux trip is represented by a straight line of gradient 0.18,,
| |
| corresponding to a power'level of 118X Note that this line is an upper and its position is in fact dependent on the power versus time shape.
| |
| This is a general, but not important, effect for the lines plot~ed.
| |
| A rise in nuclear power produces a pressure surge. However, the effect is attenuated by the heat transfer time constant, of the fuel (of the order of 4 seconds), and the possible relieving effect of the hole in the vessel head and relieving capacity of the power-operated relief valves.
| |
| The high pressure trip could not be expected for any rod ejection accident.
| |
| 5.4-3
| |
| | |
| The high Delta-T trip furnishes a backup trip for any severe rod e)ection zcccident. Except in the most severe cases, it Limits the clad temperatuxe pp ] ess than 2750'F. Transport delays in the coolant loop delay the trip for several seconds.
| |
| Also plotted on the graph axe two arbitrary limit lines. They are respectively I
| |
| a clad Limit of 2750 F* and a Coolant System pressure of 3000 psi. Both ~ I .
| |
| r pl
| |
| ~ S these Limits have been arbitrarily selected and are not intended to represent physical Limits. A power burst of some six full power seconds at time zero I
| |
| results in both these 1lmits being reached some two to.three seconds later. This is not a physically reliable condition for any Westinghouse reactor.
| |
| Figure 5.4-4 shows the power transients for rod ejection accidents occurring at end of core life for various ejected xod worths. fr f
| |
| t I
| |
| 1
| |
| + These Lines are based on stead~tate and transient hot channel factors of 3.23.
| |
| 5.4W
| |
| | |
| j ZERO POWER EHD OF LIFE ROD EJECTION, NO TRIP
| |
| ~ HjjCLjj&R POjjE& VS ~
| |
| ~ 1 T2$ =
| |
| ~ ~ ~
| |
| ~
| |
| "::?
| |
| ~
| |
| 4 ~ 1.0X F ~ 12.S I i.: A
| |
| ~ ~
| |
| M~ -- &vmbols 6k: Change in reactiviey EHERGT INPUT UP TO F:T. Total heat flux peald.ng O.S SECONDS ~ 1.70 F.P.S fact or at h ot spo t 30
| |
| : :. FPS: Full power seconds
| |
| ~ ' 20
| |
| ~ ~
| |
| i ~ i&
| |
| (
| |
| ~ i ~
| |
| 10 &
| |
| ~~
| |
| .=~::i I:.-:i i &
| |
| ~ &- ~
| |
| ) & 'i ~~ ~
| |
| 0 2 4 6 8 10 12 14 16 TQK, SECONDS
| |
| : HOT SPOT VS. TIHE =-"-.
| |
| ~ ~ ~
| |
| 4000
| |
| : FUEL AVG.
| |
| I~ ~ ~
| |
| L~e:::3Z & &
| |
| 2000 1 ~
| |
| - ~
| |
| ~ ~ ~ ~
| |
| ~
| |
| ~~ - . -::-.
| |
| 1008 0 4 6 S 10 12 14 16 18 TIME, SECONDS FIGURE S.4-1
| |
| | |
| PULL POWER END OP LIFE ROD EJECTION, NO TRIP
| |
| >~ ~
| |
| T m '3 leak 0.33 P ~ 23 I~
| |
| :='UCLEAR POWER VS. TIME ~
| |
| r ~
| |
| ~
| |
| ~Sba III Sk: Change in Reactivity T
| |
| i.-: L P:q Total Heat Flux Peaking Factor at Hot Spot
| |
| ~. ~
| |
| 4 5 TIME, SECONDS HOT SPOT TEMPSULTURE VS+ TZME ':.-.-,:- =--'-'-
| |
| 'Melting) r.
| |
| , ~ ~ IIII ~ II~~ rI ~ 4s
| |
| ~ I
| |
| ~ ~ ~
| |
| PURL AVG
| |
| '"I
| |
| ~ ~
| |
| ~~ ~ W
| |
| ':.I:I Ii
| |
| ':'LAD OUT ~
| |
| M.: ~
| |
| .. ~ ' ~
| |
| .. ~
| |
| T r
| |
| I:
| |
| ~
| |
| ~
| |
| PEAK CLAD SURFACE TEMP. ''-
| |
| ~ 2950'P AT 50 SEC.
| |
| 50X (HY VOLUME) OF 'cCL i '.. "
| |
| MELTS
| |
| ~ ~
| |
| IP'
| |
| .V. ~
| |
| :...~- =-'i::!=-'i;:, i-.--
| |
| 2 4 6 S 10 12 14 16 TIME, SECONDS PIGURI'.4-2
| |
| | |
| 0 P
| |
| | |
| e Full Power End of Life T ~
| |
| F 3.23 xa
| |
| ~ +\
| |
| 8 7
| |
| 6 4 C~
| |
| 8p~
| |
| 3 pi 2 0 2 3 4 5 6 7 8 9 l0 TIME, SECONDS
| |
| ~~TOM OF
| |
| '~< ROD SkFEXY GZHZTS AND TRIP POINTS EJECTION 'ACCIDENTS, HO TRIP represents the locus of points at which trio would terminate the accident represeecs laces ar sefery lfrsirs
| |
| | |
| FULL POWER END OP LIPS ROB EHKTION WH33RK TRIP CO 4l 5
| |
| CD
| |
| ~ CC3 CO
| |
| ~ ~
| |
| C
| |
| ~ 2 e 0.33
| |
| ~~I 1
| |
| ~l 0 0 10.
| |
| TIME, SECOHDS Wte: 0.4X Qc'represents a practical Bait
| |
| :ar fuIl pcwer ceses.
| |
| ~
| |
| ROD EJECTION ACCIDEHTS 'QXXH N)
| |
| THXP,'IGURE 5.4~
| |
| | |
| I 0
| |
| | |
| LOSS OF STEAM LOAD Vp
| |
| ', 5,5.1 XNTRODUCTION AND SUHHARY loss of steam load may be caused which norma21y follows a turbine control valves following a by closing trip signal; of the turbine stop valves, by closing of the turbine rejection of electrical load; or by steam isolation following a Reactor protection System signal. The consequences of a loss of steam load are a rapidly increasing Steam System pressure and Reactor Coolant System temperature and pressure due to the loss of heat sink.
| |
| Protection instrumentation is provided to immediately trip the reactor following a turbine trip signal. A. steam line isolation signal is normally accompanied by a safety infection signal and also results in a reactor trip. Following a re)ection of electrical load, a Steam Dump
| |
| ~
| |
| ".%'ystem acts to prevent reactor trip by automatic steam dump to the con-,
| |
| denser. (Up to 100X load rejection can be handled by some 'planes-) Xf the load re)ection great1y exceeds the steam dump capacity, or if the Steam Dump System should fail to operate, a reactor trip may occur on high pressure. Redundant protective instrumentation and conservative design of pressure relief devices assures the safety of the plant for a large load rejection without recourse to Automatic Rod Control, Pressurizer Pressure Control, or Steam Dump Control Systems.
| |
| 5.5-1
| |
| | |
| In this report, the Protection System is examined to see if diverse rotection px'o exists for a complete loss of load without direct reactor trip. Diversity is found to exist to protect the Reactor Coolant System and reactor coxe.
| |
| 5.5.2 LOSS OF LOAD PROTECTION AND DESIGN CRITERIA The reactor is pxotected for loss of load by:
| |
| a) Steam dump to'ondenser (actuated by the Contxol System) b) Pressurizer pressure relief (safety valves and powez~perated reLief valves) c) Steam System pressure relief (safety valves and power-operated relief .valves)')
| |
| Direct reactor trip (on turbine trip) e) High pressurizer- pressure trip f) Overtemperatuze 4T trip g) High pressurizer level trip.
| |
| Steam D to Condenser The Steam Dump System acts automatically upon sensing a loss of load greater than a preset amount. The steam dump valves are then either modulated or tripped open until the Reactor Coolant System temperatuxe reaches the new programmed load reference temperature. The reactor power is reduced by control rod, insertion during this time. Zn case of a turbine trip or reactor trip, the steam dump is actuated and con-trolled on a preset uo-load reference temperatuze.
| |
| The Steam Dump Control System is described in Section 3.2.
| |
| 5.5-2
| |
| | |
| 0 t
| |
| Pressurizer Pressure Relief The pressurizer safety valves are sized to match the maxfmnnn volumetric surge rate associated with a complete loss of load without steam dump or a direct reactor trip. This is not dependent on pxessurizer pressure control. The pressurizer safety valves therefore completely protect the Reactor Coolant System against ovexpressure, independent of the high pressure reactor trip.
| |
| The relief valves are sized to prevent actuation of the high pressure trip when the steam dump and rod drive systems work, and the required steam reLLef is within the capacity of the Steam Dump System.
| |
| Steam S stem Pressure Relief The Steam System safety valves pass 100Z of ma~man calculated turbine steam flow, at the safety valve set pressure plus accumulation. This allows the plant to accept a 100Z load re]ection without reactor txip or steam dump without ovexpressurizing the Steam System.. Xn addition, relief valves set to open at a lower pressure are also provided, and axe typically sized at about lOZ of the safety valve capacity.
| |
| Direct Reactor Tri The most common cause of a loss of load is a turbine-generator trip.
| |
| Zn the event of such a trip, the turbine stop valves close. A turbine 5.5-3
| |
| | |
| trip sensed bye 2/3 low auto-scop oil pressure or 2/2 stop valve closure results in a reactor trip if the reactor is at high power. The purpose o f these triPs is to mizdzMe the thermal transient snd steam dumP requirements for these relatively frequent plant transients.
| |
| Hi h Pressurizer Pressure Tri There is a reactor trip on 2/3 high pressurizer pressure, generally set to 2400 psia, or slightly above the pressurizer power operated relief valve setting and below the pressurizer safety valve opening pressure.
| |
| Overt erature dT The purpose of this trip is to protect the core against any combination of reactor coolant temperature, power or pressure which could cause I
| |
| DNS. Trip logic is 2/4 for 2. and 4-loop plants snd 2/3 for 3-loop plants.
| |
| Hi h Pressurizer Level Tri This trip acts to prevent water discharge from the pressurizer safety valves. Logic is 2/3.
| |
| 5.5W
| |
| | |
| 5.5.3 EVALELKON OF PROTECTION SYSTEM FOR LOSS OF LOAD A complete loss of load without steam dump and without a direct reactor trip is evaluated to find if diverse protection exists to prevent a hazard to the integrity of the plant through overpressurization or The transient investigated for current, high power density
| |
| 'NB.
| |
| was a
| |
| \
| |
| '../'.".lant, t~
| |
| and no credit was taken for power reduction due to automatic control rod motion or moderator temperature coefficient.
| |
| /'
| |
| Initiation of Accident Figure 5.5.1 shows a fault tree for a loss of load without steam dump, with the reactor at high power and ao direct reactor trip.
| |
| One way a 1088 of load can occur is by closing of the turbine stop valves following a turbine trip signal or by hydraulic fluid pressure failure {the valves are held open by hydraulic fluid) - However, one and. possibly two trips must then fail in order to prevent an immediate reactor trip.
| |
| Another possible failure mode is a turbine runback caused by, the throttle valves closing. This could be initiated by a rod drop, an overpower or overtemperature 4T signal, by an actual or spurious loss of electrical load signal, or by a failure in the turbine controller and load limit system. A spurious rod drop signal would normally decrease the turbine load by a fixed small percentage of full load. The control 5.5-5
| |
| | |
| alve could close completely only if an improper circuit exists in the controller. Similarly, an overpower or overtemperature 4T signal coxmally causes a step load .decrease of SX every 30 seconds; and only in the case of a simultaneous failure ox improper circuit in the controller could there be insufficient time for the operator to take notice. Ef the turbine runback is caused by an overpower or overtemperature 4T protection System failure, the failure could only be in the safe direction; that is, the error or failure would be in the direction to cause a reactor trip.
| |
| A third possible path for a loss of load is through steam line isolation.
| |
| This may occur either through a loss of air supply to the isolation valves, or by a spurious or real isolation signa1 from the Reactor Protection System.
| |
| As a result of the loss of steam flow. to the turbine by any hf the three paths outlined above, the Steam Dump System is activated. However, no 1
| |
| credit can be taken for this following steam line isolation, since, the dump valves are downstream of the isolation valves. For all three paths, the resulting decrease in first stage turbine impulse pressure causes automatic reactox'ower reduction by control rod insertion. Even if the reactor is in manual control, the moderator coefficient of reactivity is generally negative and would cause a power decrease as temperatures increase.
| |
| : 5. 5-6
| |
| | |
| 0 I
| |
| i)
| |
| ~ ~
| |
| | |
| 'C The fault tree shown on Figure 5.5.1 indicates that, in most cases, a fault could cause a complete loss of load with no steam dump or reactor power decrease only if one ox more simultaneous failures of the Control or Protection System also xesuLted. However, the following analysis is based on a complete loss of steam load without steam dump, reactor contxol, or direct reactor trip.
| |
| it"
| |
| ~ >> I' Anal sis and Discussion
| |
| ~ ~I I
| |
| 'II I Figure 5.5.3 shows the results of a transient analysis for a complete loss of load without steam dump. The results 'show that'he safety valves capacity of the Steam System is..sufficient to LixQt the pressure l ''
| |
| rise to less than LUO psia, even without a reactor trip. The Reactor
| |
| >> Coolant System T avg transient is shown for a high pressurizer pressure or high pressurizer level reactor trip, as well as for no txip.
| |
| I Actuation of the Steam System safety valves restores the reactor heat
| |
| \
| |
| s~ and causes a decxease in the rate of rise of the reactor coolant average tempexature. Without a reactor trip, T avg would eventually come
| |
| , ~
| |
| into equilibrium when the required heat dissipation at the suety valve set pressure is reached.
| |
| The Reactor CooLant System pressure transient is also depicted. in Figure 5.5.3. The effect of the pressurizer power operated relief valves is felt slightly above their set pressure of 2350 psia. Since the required 5.5-7
| |
| | |
| 4 e
| |
| | |
| relief for a &61 loss of load without steam dump far exceeds the relief valve capacity, the pressure continues to rise to the safety valve set pressure of 2500 psia. The opening of the pressurizer safety valves, and the restoration of the secondary sink by steam relief, limits the Reactor Coolant System pressure rise. The surge rate decreases as the rate of rise of T decreases, and eventually the pressure decreases to avg the relief valve opening pressure. The transient is also shown for the high pressurizer pressure and leve1 reactor trips. The power operated relief valves delay the reaching of the high pressure reactor trip setpoint by about 2 seconds.
| |
| The lower graph in Figure 5.5.3 shows the aduinnxm (hot channel) DNB transient. For the first few seconds, the DNB ratio rises due to the increasing system pressure, while piping delays cause the core inlet temperature to remain constant. Two trips, the high pressure and overtemperature hT reactor trips, prevent the core design limf.ts from being exceeded. Rate compensation on T,avg'he which. is included in overtemperature dT trip, would actually cause the trip setpoint-to be reached much sooner than is depicted in the figure. The high pressurizer water level reactor trip is inadequate to prevent the core from exceeding the design limits. However, the minimum DNB ratio in the hot assembly for a high level trip is above 1.0 and would assure that core damage, if it occured at all, would be limited to a small fraction of the core. A conservative setpoint was assumed for the high level trip.
| |
| 5.5-8
| |
| | |
| 0 A fault tree for the accident, leading to core damage, is shown in Pigure 5.5.2.
| |
| 5.
| |
| | |
| ==5.4 CONCLUSION==
| |
| S This accident is not considered 1Qcely since in most of the incidents which could cause it, one or more simultaneous failures of control or protection instrumentation must also occur. In addition, at any time.
| |
| other than early in. core Life, the large negative moderator coefficient would cause the accident to be self limiting and give much better results than depicted in this analysis. However, if the accident were to occur, diversity does exist in that three different levels of protection are avail,able.
| |
| 5.5-9
| |
| | |
| ,I h
| |
| | |
| " g<<<<j SJSNfs<<ls<<s<<<<<<<<<<<<u~<<"<<<<<<<<.<<<<<<NSJSSR<<j~R<<g@N<<'JJ@
| |
| ,, <<,lt, fIQJRS 5.5 2 Oj R Ts OR S D<<s NO ROD JIFION CFOR N MANUAL CONIIJOL 4
| |
| TURSINE STOP vvx. v""
| |
| fTKAM LIbE TURRINE COÃIROL ISOIATION, NO VALVES CLO.E, NO AUTO. S,D, AUTO. S.D, AIR SUPPLI ACIUAL OR SCOP VALVE R<<T<<
| |
| LOAD LIMIT SIUFIQJS LOSS Oj EJECT ~ LOAD IJJSS OF TURBINE EXCESSIVE
| |
| .SR IIQiCENCV FIUID CONIROLIA3 RUNS'X NJRIQJF ICOIA IMISOPER AND hlJTOGIOP f
| |
| TION IGNAI '<<ITN CRT R.T<<
| |
| QJT REAClOR TRIP SBJRIQJS F<<OD REAL OR SIURIQJG LOSS DP AUIOSIOP DROP EIGJIAL OVIRPOLJER OR OVER PIJJID REACIOR I%REC-CONDITIOJI TION SISIIJ'.
| |
| IAJGIC FAULTs OR I
| |
| FA JJJRI POSITION ANT SJRBINE NUCL<< INST<< ROD i TRIP SIGNAL SISTIIl FAIIJJRE INDICATION R.T. RKACIOR TRIP K.C, - ST& QJJJP I NIGH TAV NIGH AT FIGURE 5.5-1
| |
| , S)1, SAINT INJECFICN ~ SCFEJ Anf Slsaa IIos Isolalloa ~ ISJ<<al Is also
| |
| @castor tcIP sISJnal. Theccfcea> ooIF loSto
| |
| ~
| |
| FAULT TREE IOR j INN 0 llRD ACCII<<ENI clccoll falllls shool4 Lc coas14ctc4 ~
| |
| | |
| 5 ' ~
| |
| a~
| |
| 1 1
| |
| | |
| FAULT TREE FOR CORE DAMAGE LOSS OF STEAM LOAD Probable Gross Core Damage CONDITION High Pressurize AND Level R.T.
| |
| Core Design Limits Exceeded Overtemperature AT R.T.
| |
| R.T. REACTOR TRIP S.D. - STEAM DUMP S.I. - SAFETY INJECTION i
| |
| High Prdssure RiT Loss of Load, No SeD~ or POUer Decrease Early in Core Life Loss of Load, No Direct R.T. or S.D., No Rod Insertion (See Figure 5.5-1) FIGURE 5.5-2
| |
| | |
| LOSS OP LOAD ACCIDENT 1200
| |
| ~ ~ I
| |
| - l 1000 STEAM SYSTEM PRESSURE '
| |
| ~
| |
| 1
| |
| ~ te ~ -) .':
| |
| ~
| |
| ~ ~ I I ~ I~ ~
| |
| 800 ~ ~
| |
| ~
| |
| /~ I l ".
| |
| 600
| |
| ~ I
| |
| ." REACTOR COOLANT SYSTEM PRESSURE
| |
| ~ I I:-:
| |
| 2600 I ~ t
| |
| ~ ~
| |
| ~ ~ ~ ~
| |
| ~ i~
| |
| 2500 2400 2300 J'. '''l"''IGH HIGH PRESSURE
| |
| " REACTOR TRIP I l.'.!. (
| |
| ~ ) .'
| |
| I I
| |
| 'O REACTOR t'
| |
| TRIP ."'
| |
| LEVEL TRIP zzoo
| |
| ~
| |
| I 6zo (
| |
| REACTOR COOLANT T VG
| |
| ~ )
| |
| l'- i= I' ~
| |
| .- .NO TRIP
| |
| ~ ~ I~ ' t. (
| |
| 600 HIGH LEVEL
| |
| -'EACTOR TRIP f..
| |
| ~ ~ ~
| |
| ~ ~
| |
| I 580 )
| |
| ~
| |
| ~
| |
| ~ . HIGH PRESSURE. -' ~ I REACTOR TRIP 560 HIGH PRESSURE ".:-. ~ I EEACTOR TRIP ~ ~ I
| |
| ~ ~
| |
| I 1 8 I
| |
| ~
| |
| g
| |
| 'VERHK'ERATURE .L .-
| |
| . AT REACTOR TRIP 1.6 1.4 i'IGH LEVEL
| |
| ~ 'EA,CTOR TRIP -'
| |
| 5 ~ ~
| |
| 1.2 L.'
| |
| UNB RATIO
| |
| .NO 1.0 L
| |
| ~ 4 ~
| |
| ~)
| |
| .8 0 10 20 30 40 50 SECONDS FIGURE 5.5-3
| |
| | |
| 0 I,
| |
| | |
| 5,6 ROD WITHDRAWAB DURING STARTUP Normal startup procedure is by control rod withdrawal under manual control.
| |
| ~function of the rod contxol system or operator error can cause a reactivity excuxsion with a resultant rapid increase in power.
| |
| Rod withdrawal accidents ia the power range are evaluated in Section 5.1.
| |
| For these accidents, the power increase is approximately linear for a linear increase in reactivity. For accidents starting from very, low power (staxtup x'ange), the neutron flux may increase by many decades before there is significant Doppler feedback..
| |
| The nuclear power response to a continuous reactivity insertion from the startup range is characterised by a very fast rise terminated by the reac-tivity feedback effect of the negative fuel temperature coefficient (Doppler effect). This self limitiag effect is of prime importance during a startup accident since it. limits the power to a tolerable level prior Ito external protective action. After the initial power burst, the nuclear power is momentarily xeduced aad then if the accident is not terminated, the nucl'ear power increases again but at a much slower rate.
| |
| Protection against startup accidents is provided by diverse types of neutron-monitoring instrumentatioa: source range, intermediate range, and power range channels. Ma)or differences in the ion chamber and cixcuit design exist between the intermediate and power range channels. The source xaage uses a neutron sensor of a different principle: proportional counter rather than ionization chamber.
| |
| 5-6-L
| |
| | |
| ~ '4 4
| |
| Should continuous control rod withdrawal be initiated and assuming the source and intermediate range alarms and indications are ignored, the transient will be terminated by any of the following automatic protective actions.
| |
| a) Source range flux level trip - actuated when either of two independent.
| |
| source range channels indicates a flux level above a preselected, manually ad]ustable value.. This trip function may be manually bypassed when either intermediate range flux channel indicates a flux level g
| |
| It is
| |
| ~
| |
| above the source range cutoff power level. automatically rein-stated when both intermediate range channels indicate a flux level
| |
| ~<<
| |
| belo~ the source range cutoff power level.
| |
| ~<<
| |
| b) Intermediate range rod stop - actuated when either of two independent intermediate range channels indicates a flux level above a preselected, manually ad)ustable value. This rod stop may be manually bypassed when two out of the four power range channels indicate a power level above approximately ten per cent power. It is automatically reinstated when three of the four power range channels are below this value.
| |
| c) Intermediate range flux level trip - actuated when either of two independent intermediate range channels indicates a flux level above a preselected, manually ad]ustable value. This trip function is manually bypassed when two of the four power range channels are reading above approximately ten per cent power and is automatically reinstated when three of the four channels indicate a power level below this value.
| |
| d) Power range flux level trip (low setting) - actuated when two out of the four power range channels indicate a power level above approxima tel y 25 per cent. This trip function may be manually bypassed when two of the
| |
| : 5. 6>>2
| |
| | |
| II
| |
| '0
| |
| | |
| four power range channels indicate a power level above approximately ten per cent power and is automatically xeinstated when three of the four channels indicate a power level below this value.
| |
| e) Power range flux level trip (high setting) - actuated when two out of the four power range channels indicate a'power level above a preset setpoint. This trip function is always active.
| |
| Since all protective actions in the above list are based on level set points, I
| |
| rather than rate set points, protection is not dependent upon having a rapid rate of power increase.
| |
| The standard startup accident analysis reported in Safety Analysis Reports takes credit fox only the power range protection. Howevex, the intermediate range hfgh flux reactor trip is always in service below lOX power, and would also serve to terminate the accident. Further,. any accident starting from a subcritical condition would be terminated by the high source range
| |
| 'I xeactor trip. Therefore, Protection System deversity exists for startup accidents.
| |
| Figures 5.6-1 and 5.6-2 show the calculated transient response of nuclear flux and fuel temperatuxes for a startup accident with a high rate of xeactivity insex tion.
| |
| 5.6-3
| |
| | |
| 0
| |
| ~I 10
| |
| ~ I I I Uncontrolled Rod Qithdrawal Prom a Subcritical Condition Praction of Nuclear Power a ~ +1 x 10 6k/ F W
| |
| a f < lxlp 5 o 6k/P
| |
| ~ ~
| |
| Reactivity Insertion Rate ~ 8 x 10 6k/sec k0 ~1.
| |
| -1 10' 0
| |
| ~ t ~
| |
| I 10 10 8
| |
| 0
| |
| ~ ~ ~ I I ~
| |
| W o
| |
| 8 o
| |
| o W
| |
| 0 g M 10 10-3 5 il pl li ko o
| |
| C Cl o
| |
| Oe 10
| |
| ~u
| |
| ~
| |
| g ~
| |
| 10 10 10 0 10 20 25 30 Time, Seconds FlGVRE 5. 6-1
| |
| | |
| 4
| |
| ~ <<((I
| |
| -" ~
| |
| ( 1000 Uncontrolled Rod MithdraMal Prom a Subcritical Condition Temperature 70 4 Puel 4 6k/'P
| |
| .(.<<<< ag <<+1 x 10 5 4V,~~ o = -1 x 10 6k/'P 900 f Reactivitg Insertion Rate Clad I(are << 8 x 10 Lk/sec J>
| |
| ~w<<( i' k0 << l. 65
| |
| (<<
| |
| <<M>>
| |
| 800 14 60 o
| |
| (4 l0 700 Core Mater c
| |
| e
| |
| '0 oj 55 600 50 500 45 10 1.L 18 22 26 30 6
| |
| Time, Seconds FIGURE 5. 6-2
| |
| | |
| 5 7 CONTROL ROD DROP De-energixing a drive mechanism causes a full>>length control rod to fall into the core. (Part-length rods fail "as-is" when de-energized.) This causes an immediate decrease in coxe power, most noticeable in the region of the dropped rod. Xf the average coze power is returned to its original valve, most of the core would be at a higher power density because of the local depxession in the region of the dropped rod.
| |
| During the initial design fox the current generation of Westinghouse PWR's, the increase in hot channel factors for a dropped zod was not known. Zt was therefore assumed that DNB might xesult if the core were allowed to return to full power following a zod drop. Protective circuits were design-ed accordingly and classified as part of the Protection System. The design requirement for this protective function was to insure that, follmrtng a dynamic rod drop, the xeactor would not zeturn to a power leve3 high enough I
| |
| to cause a DNB ratio less than 1.30., Mechanisms which would tend to restore r
| |
| initial core power are.noxmal automatic control and plant cooldown with a negative moderator coefficient.
| |
| However, recent physics analysis for malpositioned control rods has shown that, in every case for an insezted rod, full power operation would not cause a DNB ratio less than 1.30. Because the local power decrease causes a general power increase throughout the rest of the core, the increase in hot channel factors is Usted to approximately 15'x less, depending on core size. With x'espect to DNB, this is equivalent to 15X overpower. Core DNB'esign
| |
| : 5. 7-1
| |
| | |
| ~
| |
| ~~
| |
| E margins of this magnitude must exist at full power to allow for operational transients and instrumentation errors. In additon, for plants presently near completion, it has been found that inserted rod hot channel .
| |
| factors do not even exceed the design hot channel factors.
| |
| Since the consequences of a dynamic rod drop are tolerable, the following ff discussion of rod drop protection is somewhat academic.
| |
| Rod drop protection diversity has been provided, both in the means of detection and in the means of actuating protection. Redundancy. was more readily obtained by diverse instrumentation than by independent, but identical, channels. A rod drop signal is generated by either of the following:
| |
| a) A =rapid decrease in indicated nuclear flux from any one of the four power range nuclear instrument channels b) Rod bottom indication from any one of the rod position indicators when the associated rod bank is not on the bottom.
| |
| One-out-of-four logic for the nuclear channels is used'because it was not known whether more than one channel would respond to the dropped rod.
| |
| Therefore, redundancy is not claimed.
| |
| Protective action is directed toward inhibiting those mechanisms which would otherwise cause the reactor to return to its initial power level, i..e., automatic rod withdrawal and load demand with a negative moderator temperature coefficient. Again, since the magnitude of the hot channel factor increase was not known, it was assumed that both mechanisms would have to be inhibited.
| |
| : 5. 7-2
| |
| | |
| Redundant rod stop contacts are provided to block normal automatic control rod withdrawal. Manual rod withdrawal is not blocked since it is necessary to withdraw the dropped rod. Turbine load reduction is accomplished through redundant channels. Most plants are supplied with electro-hydrauLLc (E-H) control systems for the turbine. The turbine runback is activated by the following~ either of which reduces or restricts turbine control valve position and steam load.
| |
| a) Reduction of the load refezence setpoint of the turbine,E-H.,
| |
| controller by a preset amount. This is accomplished by zeducing the set point at constant rate (200X/min.) for a preset time with
| |
| : a. time delay relay.
| |
| b) Reduction of the turbine load. limit to a preset value. The load limit (a clamp on the voltage signal controlling the turbine control valve position) is reduced until turbine thermal load as I) sensed by either of two turbine impulse pressure'channels is below a preset value.
| |
| Following plant startup tests to verify that the DNB ratio is greater than 1.30 at full power with a dropped rod, it is intended to adjust the turbine runback for operational requirements. That is, the automatic load reduction would be large enough such that, with reasonable operator action, an orderly manual plant shutdown can be accomplished, rather than a reactor trip on low pressurizer pressure.
| |
| Fi.gures 5.7-1 and 5.7-2 show the transient response of nuclear plant variables to a rod drop with turbine runback.
| |
| 5.7-3
| |
| | |
| 1.U f
| |
| =~ C
| |
| ~:I -I.
| |
| Response to a Dropped RCCA
| |
| ~ ~
| |
| .9 I I.',.
| |
| of.North -2.3 x,10 6k l With a Power Cutback of 25 i:
| |
| ll Percent of Nominal I~
| |
| ~ - I. ~
| |
| ..l .,
| |
| ~ -3.5 x 10 bk/ 7'-'
| |
| I ~ ~ ~
| |
| ~ ~ t
| |
| .8 ~ >>1.65 x 10 6k/Z'.
| |
| ~ t~ 4 ~ ~
| |
| ~
| |
| r
| |
| .7
| |
| ~ ~
| |
| ~
| |
| :H ~ ~
| |
| ~
| |
| I~
| |
| I
| |
| ~ ~ ~ t
| |
| ~ t 1.0
| |
| ~ I~
| |
| ~ '
| |
| 0 ' I t
| |
| .9 ~ ~ I
| |
| >~
| |
| t ~ I ~
| |
| ~ ':I "
| |
| ' tt 0C K t ~ I ~ I
| |
| .8' {
| |
| I he Q ~ ~
| |
| E
| |
| ~ t ltt
| |
| ~
| |
| I ~ ~
| |
| 8 ~ 7 ~ l
| |
| ~ ~ ~ I ~ I t ~
| |
| I~
| |
| 2400 t~
| |
| ~ -I~ t ~ I
| |
| ~ ~ t ~ ~
| |
| ~ ~ ~ '{ ~ t 2300 ~ ~ ~
| |
| ~ pk ::.- ~
| |
| I I
| |
| 2200 ~
| |
| ~ "-I
| |
| ~ ~
| |
| 2100 40 80 120 160 200
| |
| | |
| 0 4 ~
| |
| | |
| I~~ I I ~
| |
| 0'I. t t0~ I I 0~
| |
| --}t ~ *
| |
| ~ ~ ~ ~
| |
| ~ L0
| |
| ~
| |
| ~ ~
| |
| ~ ~ I 0
| |
| ~ ~ ~ ~
| |
| ~ 'I ~ 0 ~ 0t ~ ~ 0t
| |
| ~ ~ ~~ I L 00 00 580 0
| |
| Q ~
| |
| I~ 00 ~ >>
| |
| ~>
| |
| ~ 0 I
| |
| ~ ~ ~ l 0
| |
| ~ IQ
| |
| ~ ~ t~
| |
| 0<<
| |
| LL I
| |
| 'If0 578 ~
| |
| ~0 ~ 00 ~ II ~ I'='
| |
| I 0 I L00 ~ I 0 ~
| |
| ~ r 576 ~ 0
| |
| ~ I 0 ~
| |
| 0:..
| |
| to a Dropped
| |
| ~
| |
| ~
| |
| 565 Response I
| |
| Q I~ RCCA of Woph
| |
| -203 x 10 6k with a 0
| |
| Power Cutback of 25 00 Percent of Nominal J
| |
| ~ ~
| |
| 4~
| |
| 560
| |
| ~,
| |
| 0 0
| |
| ~ I J0 I 555 ~
| |
| fQ M ~ ~ ~
| |
| C4 o 4a t 00
| |
| ~ I ~
| |
| 't
| |
| ~ '
| |
| 550 U
| |
| ~ M
| |
| =I ~ ~ ~
| |
| ~ ~
| |
| ~ ~ ~ ~
| |
| O 1.0 H 0 0
| |
| M ,9 00 g ~ >> ~ ~
| |
| I
| |
| ~ 0
| |
| ~
| |
| ,8 L~
| |
| ~ 00' ~ 0 ~ ~ ~ ~ ~ ~ I
| |
| ~ ~
| |
| .7 40 80 120 160 200 TDK, SECONDS
| |
| | |
| 5~8 ENGINEERED SAFEGUARDS ACTUATION Actuation of auxiliary feedwater is discussed in Section 5.2. Engineered safeguards for containment pressure protection are discussed in Section 5.9.
| |
| Actuation of Emergency Core Cooling for loss of coolant protection is discussed in this section.
| |
| For loss of coolant protection, a safety in]ection signal is generated by either of two diverse sets of automatic signals:
| |
| a) Coincident low pzessure and water leve1 in the pressurizer; b) High containment pzessure.
| |
| Both sets of signals are redundant and meet all protection System design criteria.
| |
| The signals derived from the pressurixer indicate that reactor coolant is being lost well before the core is uncovered. Reactor coolant blowdown also increases containment pressure. Set points'for high can-tainment pressure are typically about 10X of contaiaamt design pressure.
| |
| This set point is reached well before the core uncovers.
| |
| Figure 5.8-1 shows the results of a calculation for a representative plant for the complete range of break sixes. Zt shows that either the pressurixer or the containment signal initiate safety in)ection l-l/2 minutes or more before the core would be otherwise uncovered. (For large breaks>
| |
| passive accumulator system supplies water and delays the time. at which active core cooling is required.) This analysis included the effects of containment heat sinks and fan coolers in delaying the time at which the containment high pressure signal is reached.
| |
| 5.8>>1
| |
| | |
| SAFETY INJECTION ACTUATION SIG:NL VS BREAK AREA 1000 ~ l 4 o ~ << ~, ~ ~ I ~ } le I+ I' <<
| |
| ~
| |
| ~ ~ ~
| |
| ~
| |
| 'T iI }.o I I I l ~ ~
| |
| I ~
| |
| r o,
| |
| on e*
| |
| o I I~ ~~~ ~ ~ ~
| |
| r ~ <<
| |
| >>v ~
| |
| ~t t ~ ~
| |
| tt rl I tt<<
| |
| ~ ~ "tt '-: Range of Protection of I }
| |
| I
| |
| - (;I
| |
| :.: Passive Accumulator System ~
| |
| ~ ~
| |
| I ae
| |
| ~ o ~~ 'I
| |
| ~ v ~ ~ o ~~
| |
| ~ ~ o oo 0 ~
| |
| r, ~ tt ~ \ ~ v
| |
| }'"--t
| |
| ~
| |
| 1}: ~ ~
| |
| :ii} '." tI ~ ~ ~ ~ <<
| |
| I <<I I I
| |
| ' >> \
| |
| ~ ~ ~
| |
| t 4 V ~ I ~ ~ I '
| |
| ~
| |
| ~ I It ~ ! Ia. <<to ~ ~
| |
| ~ ~
| |
| 100 ' ' ~ ~ } I ~ o
| |
| ~ ~ ~ ~ ~ I~ ~
| |
| I P tl ~ to ~ I <<
| |
| ~~ I~ II ~ ~ ~ I ~ ~ .) ~
| |
| I I O * ~
| |
| o~
| |
| ~ << 7>> ~ >> ~
| |
| I ~~
| |
| ~ t ~ I ~ I~ ~ ~~ lne ce Uncavel Case Ndd LNe Sadecv ln eccdcn)j hC 'o Plane
| |
| ~o
| |
| ~ ~
| |
| o
| |
| <<o
| |
| ~ ~ ~
| |
| ~ <<
| |
| e ~ o<<
| |
| v pt t I
| |
| ''' \
| |
| o
| |
| ~ ~ ~ ~ ~
| |
| ~ I ~ ~ I ~ I
| |
| ~ I ~ Itz I:TI ~ I ~ ~ ~ ~ I 10 <<'I 'I '
| |
| ~ ~ ~~ ~ ~ ~ ~ I " I I..... ~ ~
| |
| }~ ~ ~ ~ ~ I ~ I I Time to Reach Lou Pres- ~ ~ "I<< I I: surizer Pressure and ~
| |
| i -.', I ~ PI ~
| |
| )
| |
| }
| |
| Level Signal
| |
| =.1-I:i
| |
| ~
| |
| 'I t ~ ~ ~
| |
| jjjr"
| |
| ~ ~
| |
| I lel f<< ~ ~~ I~
| |
| ~
| |
| I ~
| |
| i Time to Reach Pigh
| |
| ~
| |
| Containment Pressure '<<l
| |
| ~
| |
| ~
| |
| Signal
| |
| ~
| |
| \
| |
| ~
| |
| l ~ ~ ~ v I<<j ~
| |
| 'ii l \ ~
| |
| 4 0.1
| |
| : 0. 01 ~ 6" 10" DAUEa:.
| |
| BREAK SIZE (Fi )
| |
| FIGUPE 5.8-1
| |
| | |
| ~ V 5 9 CONTAINMENT PRESSURE PROTECTION Typical westinghouse dry concaiament plants are equipped with faa cooler unics aad spray systems. These are provided to reduce the contaiamenc pressure eo to esseatially atmospheric following a loss of coolant accident or a steam line break accident inside the containmeac.
| |
| The containment is designed to withstand the eoeal blowdown of the Reactor Coolant Syscem or a steam generator wieh no dependence on ehe aceive safe-guards. The active safeguards are, however, aueomatically actuated following che accident. The pr9nary containment safeguards are the fan cooler units and their cooling water supply which aze actuated by the safety injection signal which is generated by:
| |
| a) Coincident low pressurizer pzessure and waeer level in the pressurizer b) Ri.gh containment pressure (approximately lOX of design pressure).
| |
| The backup contaiameac safeguard, ch'e coneaiamene Spray 9ystem, is accuaeed by a high containmenc pzessure signal when the concainmenc pressure reaches appxoximacely 50X of che design value. Automatic spray actuation uses six concainmenc pressuze channels, in 2/3 2/3 logic. The Spxay System can also be actuated manually.
| |
| Only 2 ouc of 4 fan cooliag units for two or three loop plants and 3 ouc of S cooling units for four loop plaacs are necessary eo limit the containmene pressuxe below design even considering ehac the Emergency Core Cooling Syseem is .unable co suppxess boiling in ehe core, and ehe core decay heac energy continues co be added to ehe containmenc in the form of steam.
| |
| 5.9-1
| |
| | |
| The operation of only one of the spray pumps is required in order for the Spray System to supplement the heat removal capabiU.ty of the fan cooling units to provide a margin for effects from metalmater or other chemical reactions that could occur as a consequence of failure of Emergency Core Cooling Systems.
| |
| Since either fans or sprays are adequate, and diverse signals are used to actuate the fans,.the Protection System is diverse for actuation of con-tainment pressure protection.
| |
| 5.9-2
| |
| | |
| 5.3.0 EXCESSIVE LOAD Excessive load is one means which could cause excessive core power
| |
| ~
| |
| rgb generation. As distinct from the ovezpower~vertemperature accident
| |
| ~ a+& discussed in Section 5.3. (Rod Withdrawal at Power), reactor coolant temperature, pressuze, and pressurizer water level would not increase.
| |
| vf" f'>
| |
| Reactor power follows turbine load, both by contxol design intent and the inherently negative moderator coefficient. An increase in load above design is therefoxe of potential concern.
| |
| Diverse overpower protection is provided by Reactor Protection System.,
| |
| These aze the ovezpower delta-T and the nuclear overpower reactor txips-Since the accident is initiated from the secondary plant, the reactor I
| |
| coolant loop temperatures respond before the core coolant temperature.
| |
| Piping lags applicable to the rod withdrawal accident are therefore not
| |
| ! applicable to an excessive load accident, and either the delta-T or-the nuclear overpower trip protects the core for any rate or magnitude load I
| |
| increase.
| |
| 5.10-1
| |
| | |
| p P
| |
| | |
| 'C 5.11 EXCESSXVE FEEDWATER FLOW An excessive feedwater flow accident is primarily of concern to the turbine (high water level Xn the steam generator leads to excessive moisture carryover and potentia1 turbine damage).'ith respect to nuclear protection, however, excessive feedwater flow (or feedwater temperature decrease) is seen as an excessive thermal load, and the discussion in Section 5.10 is applicable.
| |
| | |
| 5 12 STATION BLACKOUT A station blackout, or loss of aU. a-c power to the station auxiliaries, results from loss of incoming station a~ power coincident with a plant trip. Numerous reactor trip signals would be generated, such as turbine trip, low coolant flow, low gpedwater flow, etc. This is not important however, since the loss of a-c power deenezgizes the zod control power
| |
| 'upply, and the control rods fall into the core, even if no reactor trip signal is generated.
| |
| Natural circulation of reactor coolant transfers reactor decay heat from the coze to the steam generators. Since steam generator steam pressure is automatically controlled by the power-operated steam line relief valves (with backup from the steam line safety valves, if necessazy), the only requirement for maintaining hot shutdown conditions is to Apply feedwater to the steam generatozs.
| |
| The auxiLiary feedwater system is discussed in Section 5.2, Loss of Feedwater.
| |
| As noted in that section, the loss of a~ power starts all a~iazy pumps-A diverse automatic actuation signal - steam generator low water level - is also provided. Further, the energy sources for the auxiliary feedwater pumps are. themselves diverse (steam-driven pumps and motor-driven pumps energized from the diesel-generator), such that faQ.uze to actuate an energy source does not prevent auxiliary feedwater.
| |
| 5.12-1
| |
| | |
| APPENDIX CONTROL AND PROTECTION FUNCTIONS reactor con'tro 1 and protection functions perf ormed from each process
| |
| ~eter in the present Westinghouse design are Mmlated below. Pro-e~tion functions are listed first, and control functions listed last.
| |
| u~ny functions '. g-, indication, alarms and interlocks, are not clearly either control or protection. ~
| |
| These are classified as "supervisory" unc talons ~
| |
| In the left margin, all functions are listed as P, S or C, showing pro-tection, supervisory or control;-
| |
| i%JCLEAR INSTRUMENTATION 1,.3. Power Range 1.2 Intermediate Range 1.3 Source Range
| |
| 'W ~ REACTOR COOLANT SYSTEM PARAMETERS Z.l Reactor Coolanr, Temperature (4T, T avg )
| |
| 2-2 Pressurizer Pressure 2.3 Pressurizer Water Level 2.4 Reactor Coolant Flow 3~ STEAM GENERATOR PARA%.'TERS 3.l Steam Generator Water Level 3.2 Feedwater Flow 3.3 Steam Plow 3 4 Steam Line Pressure 3 S Steam Header Pressure
| |
| | |
| V PARAMETERS Oo m Turbine First Stage Steam Pressure Turbine Auto Stop Oil Pressure Turbine Stop Valve Position
| |
| ~ASTROL ROD POSITION 5.1 Bank Position
| |
| ).Z Individual Rod Position
| |
| ~. CONTAINMENT PRESSURE gZCZRICAL PARAMZERS 7'.1 Reactor Coolant Pump Bus 7.2 Reactor Coolant Pump Breaker Position 7.3 F edwater Pump Power A-2
| |
| | |
| gJCLEAR ZNSTRUMENTATION SYSTBt power Range - (linear indication in power range of operation).
| |
| P 1. Overpower reactor trip (high range) - rapid detection of fast overpower excursions during power operation.
| |
| P 2. Overpower reactor trip (low range) - protection during low power plant operation.
| |
| p 3. Top-to-bottom flux tilt bias of 4T reactor trip set points-reduce DNB protection limits to offset effects of hot channel factors. (Both high dT reactor trips), see 2.1, 1&3 P 4. Reactor trip permissives
| |
| : a. Permit single loop loss of flow trip at high power.
| |
| : b. Permit reactor trip on turbine trip at high power.
| |
| : c. Permit "at-power" trips during power operation.
| |
| : d. Defeat, manual block of low range and &termediate range overpower trips at low power.
| |
| : e. Lock out source range high voltage supply during power operation.
| |
| S 5. Rod drop detection - rod stop and turbine runback to maintain DNB margins.
| |
| 6- Overpower rod stop. - stop a power excursion caused by rod withdrawal.
| |
| : 7. Overpower alarm (for equipment purposes, this function is combined with the overpower rod stop).
| |
| : 8. Control room indication and recording (including top-to bottom difference).
| |
| Channel deviation alarm - detect channel failure, detect flux tilts.
| |
| : 10. Top-to<<bottom flux tilt bias of dT rod stop and turbine runback set points (see 2-1, 264).
| |
| A 3
| |
| | |
| Automatic control rod motion - provide stable reactor control and rapid response.
| |
| gntermediate Ran e - (Logarithmic scale for power range and upper startup range) p
| |
| '. High level reactor trip - prevent power increase into power range unless power range channels are indicating.
| |
| p 2. Defeat manual block of source range high level trip - low intermediate range indication rearms source range trip.
| |
| S 3. High leve1 rod stop - prevents excessive withdrawal of control rods during low power operation.
| |
| S 4. Control room indicating and recording.
| |
| S 5. Startup rate indication.
| |
| P . l. High leveL reactor trip prevent startup accident from source range; prevent power increase into intermediate range unless intermediate range channels are indicating.
| |
| S 2. High count rate alarms - warn of approach to cripicality.
| |
| S'. Control room indication and audible count. range.
| |
| S 4..Startup rate indication.
| |
| A-4
| |
| | |
| ~ N
| |
| : c. s gP't "K5
| |
| | |
| <<<CTOR COOLANT SYSTEM PARAMETER or Coolant Tem eraeure (4T-T )
| |
| avg Overeemperature high 4T reactor trip - prevent core DNB (set point calculated from T , pressure, and nuclear axial tilt). avg'lux
| |
| : 2. Overtemperacure high 4T rod stop and turbine cueback-maintain operating margin eo DNB (set point is a fixed margin below reactor trip set point).
| |
| : 3. Overpower high 4T reactor ezip >> prevent high power density (see point calculaeed from nuclear flux tile)i
| |
| : 4. Overpower high 4T rod scop and turbine runback - maintain operating power density (see point is a fixed margin below reactor trip set point).
| |
| S 5. Channel deviation alarms deeect channel failures, detect abnormal process candieions.
| |
| S 6. Control room indication and recording.
| |
| S 7. Control rod insertion limit alarm - maintain reactiviey shutdown margin; maintain low ejected rod worth; maintain
| |
| , uniform core burnup.
| |
| In addition to the above functions for 4T and T, avg'vg is also T
| |
| used f0 r.
| |
| : 8. Low T avg alarm (interlocked with high scesm flow for steam line isolation) - steam break protection.
| |
| : 9. High T alarm.
| |
| avg
| |
| : 10. T avg channel deviation rod scop (of automatic motion)-
| |
| prevent spurious rod withdrawal or insertion.
| |
| : 11. T avg deviation alarm - deviacion fram programmed setpoinc.
| |
| | |
| Automatic control rod motion - control core powex'o main>>
| |
| tain programmed tempex'ature.
| |
| 13 ~ Steam dump control (condenser steam dump) - remove excess energy from reactor coolant.
| |
| : 14. Feedwater valve control - control addition to subcooled water to steam generators following a plant trip.
| |
| : 15. Pressurizer level programming - determine level setpoint to minimize charging and letdown changes during load changes.
| |
| : 2. 2 Pressurizer Pressure p 1. High pressure reactor trip - maintain pressure in AT protection range; provide overpressure backup to safety valves.
| |
| P 2. Low pressure reactor trip - maintain pressure in 4T protection range.
| |
| P 3. Low pressure safeguax'ds actuation - actuate loss of coolant protection.
| |
| P 4. High pressuxe defeat of safeguards actuation manual block-I.
| |
| automatically renave manual block as operating pressure is approached.
| |
| P 5- Compensate overtemperature AT reactor trip setpoint - core DNB pzotection.
| |
| : 6. Compensate qvertemperature T rod stop and. turbine runback setpoint - maintain operating margin to DNB.
| |
| Control room indication and recording.
| |
| 8 High-low pressure alarms.
| |
| Low pressure relief valve interlock - close relief valves on low pressure to avoid accidental loss of coolant.
| |
| /
| |
| : 10. Pxessure control (on-off heaters, vaziable heatexs, spray, and x'elief valve actuation) - maintain normal operating pressure.
| |
| A-6
| |
| | |
| F
| |
| : 11. Compensation signal for automatic control rod motion-improve reactor control response.
| |
| 2.3 Pressurizer Water Level - (This variable measures reactor coolant fluid inventory and mean temperature).
| |
| P 1. High level reactor trip - prevent water discharge (an relief piping damage) through safety valves following rapid insurge.
| |
| P 2. Low level safegnards actuation - indication of loss of reactor coolant.
| |
| S 3. Control room indication and recording.
| |
| S 4. High-low level alarms.
| |
| S 5. Low level heater cutoff - prevent energizing heaters when uncovered (equipment protection).
| |
| S 6. Low level letdown isolation prevent loss of coolant by excessive letdown.
| |
| High-low level deviation alarm - deviation from level set-point.
| |
| C 8. Charging pump speed control - maintain progranmN.d water level.
| |
| C 9. High level deviation heater a'ctuation - heat subcooled water insurge.
| |
| 2.4 Reactor Coolant F P 1. Low flow reactor trip - prevent core DNB.
| |
| S 2. Control room indication-A-7
| |
| | |
| P 3 ST~ GENERATOR PRtAK'.TERS Steam Generator Water Level - (This variable is a measure of water inventory in steam generators).
| |
| p l. Low-low water level reactor trip and auxiliary feedwater pump start - protect steam generators; preserve normal heat sink for removal of early decay heat.
| |
| p 2. Low level reactor trip (coincident with low feedwater flow)-
| |
| provide rapid protection against a complete loss of feedwater flow.
| |
| S 3. High level feedwater control valve override - close feed-water valve to prevent excessive moisture carryover and turbine damage.
| |
| S 4. High-low level. alarms.
| |
| S 5. Control room indication and recording.
| |
| S 6. Level deviation alarm - deviation from programmed level.
| |
| C 7. Feedwater valve control - maintain desired steam generator level. l
| |
| : 3. 2 Feedwater Flow P 1. Low feedwater flow reactor trip (coincident with low steam generator water level) - provide rapid protection against complete loss of feedwater flow.
| |
| S 2. Control room indication and recording.
| |
| C 3. Feedwater valve control >> provide stable control of steam generator level.
| |
| 3.3 ~Se ~F1 ow P . 1. Set point for low feedwater flow reactor trip (see 3.2.1 above).
| |
| P 2. High steam flow steam line isolation - steam break protection.
| |
| | |
| 't V 4 S 3~ Control room indication and recording.
| |
| C 4 Feedwater valve control - provide rapid res'ponse gf cgntzot for steam generator level.
| |
| 3.4 Steam Line Pressure > ~ ,
| |
| W/!-
| |
| P 1. Low pressure (or tuic differential pressure) safe~d actuation - steam break protection P,C 2. Compensation of steam flow channels - provide accurate signal of steam flow.
| |
| S 3~ Low steam pressure alarm.
| |
| S 4. Control room indication and recording.
| |
| C .5. Control of steam line relief valves - minimize actuation g f safety valves.
| |
| 3.5 Steam Header Pressure C 1. Contzol steam dump to condenser.
| |
| S 2. Control zoom indication
| |
| | |
| ,F TUgBXNE PARAMETERS Turbine First Sta e Steam Pressure - (This variable is proportional to turbine steam load).
| |
| p l. Reactor trip permissives - pexmits "at-power" reactor trips above minimum turbine load.
| |
| p 2. Steam line isolation - determines set point for high steam flow for steam break protection.
| |
| S 3. Control room indication.
| |
| S 4. Low power block of automatic control rod withdrawal-prevents unstable reactor control.
| |
| S 5. Steam dump interlock - prevents operation of steam dump to condenser unless a rapid loss of load has occurred.
| |
| C 6. T avg program - determines set point for T avg in control rod and steam bypass control systems.
| |
| C 7. Steam generator level program - determine set point for level in feedwater control system.
| |
| 4.2 Turbine Auto-Sto Oil Pressure - (Presence or absence of oil pressure indicates'trip or non-trip condition of turbine).
| |
| : 1. Reactor trip - prevent temperature-pressure excursion in reactor coolant from loss of steam load.
| |
| C 2. Steam bypass control - selects mode of contxol.
| |
| : 3. Feedwater control - selects mode of control, steam generator water level or T avg 4~ 3 Turbine Sto Valve Position used as backup to autostop oil pressure fox reactor trip signal.
| |
| | |
| CO~OL ROD POSITION Bank Position - (SteP counters)
| |
| Bank insertion limit alarm (set point determined from and 4T) - maintain reactivity shutdown margins; avg maintain acceptable core power distribution.
| |
| S 2, Bank withdrawal limf.t alarm - warn operator that control rods are nearing the end of their useful travel.
| |
| S 3, Control zoom indication and recording 5.Z Individual Rod Position (LVDT)
| |
| S l. Rod position 'deviation alarm - warn of possible rod malpositioning.
| |
| S Z. Rod bottom rod drop detection - rod stop and turbine runback to maintain DNB margins.
| |
| S 3. Control zoom indication and recording=
| |
| | |
| CPNTAZgKNT PRESSURE p l. High containment pressure safeguards actuation and reactor trip - protection against small steam breaks, backup protection for loss of coolant accidents and large steam breaks.-
| |
| P 2. High containment pressure steam line isolation p 3. High containment pressure spray actuation.
| |
| S 4. Control room indication.
| |
| A>> 12
| |
| | |
| ELECTRICAL SYSTEM VARIABLES Resistor Coolant Pump Bus P l. Underyoltage reactor trip - protection against multi-loop loss of flow.
| |
| p 2i Underfrequency reactor trip and RCP breaker opening - prevent rapid system frequency opening - prevent rapid system. fre-quency decrease from braking RCP.
| |
| 7.2 Reactor Coolant Pump Breaker Position (contacts)
| |
| P 1. Reactor trip on breaker opening - backup.to low flow protection for loss of flow.
| |
| 7.3 Feedwater Power P l. Auxiliary feedwater system actuation (feedwater pump breaker position and/or bus voltage) - backup feedwater protection for loss of feedwater.
| |
| A-l3
| |
| | |
| ATTACHMENT 8 TO AEP:NRC'1184H2 RESPONSE TO ITEM 8 DEFENSE-IN-DEPTH EVALUATION PERFORMED FOR THE REACTOR PROTECTION AND CONTROL PROCESS INSTRUMENTATION REPLACEMENT PROJECT}}
| |
