Revision as of 07:01, 29 June 2018

Text

RPS Diversity in Westinghouse Pwrs.
	ML17332A851
Person / Time
Site:	Cook
Issue date:	04/30/1969
From:	BURNETT T W, DORRYCOTT J W, RISHER D H; WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:	;
Shared Package
ML17332A849	List: ML17332A848; ML17332A850; ML17332A851; ML17334B552;
References
	WCAP-7306, NUDOCS 9507180151
	Download: ML17332A851 (276)
	v • d • e

{{#Wiki_filter:wnu-7306NUCLEARENERGYSYSTEMSCLASS3REACTORPROTECTION SYSTEMDIVERSITY ZNWESTINGHOUSE PRESSURIZED WATERREACTORSApril1969Author:T.Q.T.BurnettContributors: J.W.Dorrycott A.C.HallD.H.RisherAPPROVED: S.ore,ManagerCoreEngineering Westinghouse ElectricCorporation NuclearEnergySystemsDivisionP.O.Box355Pittsburgh, Pennsylvania 152309507180151 950707PDRADQCK050003159PDR<3RZRestintthouse ElectricCorp./ FOREWORDOverthepastfouryears,considerable attention hasbeenfocusedondesigncx'iteria andmethodsofimplementation fornuclearpowerplantprotection systems.Ofpaxticular difficulty hasbeenche"establishment ofsuitablecriteriatodealwiththeproblemsofsingleandmultiplefailures, channelindependence, ControlandProteccion Systemindependence, andthe'eviation ofProtection Systeminputs..Akeyfactorinthisdifficulty hasb'eentheconflictbetweenthegoaltominimizethenumberofredundant measurements fox'nysingleprocessvariable, withregaxdtotheoverallnuclearplanerequirements, andthegoaltoestablish aauucbnumdegreeofseparation betweentheProtection SystemandtheControlSystem.Obtaining anaccurateandreliablemeasuxement ofaparticular processvariableisoneofthemostdifficult aspectsofaninstrumentacdon system.Therearesignificant problemsassociated withthephysicalmountingofthemeasurement devicesincluding optimumlocation, supporting structuxes, accesstocheequipment formaintenance, andprotection againstadverseenvironmental factors.Inthecaseofnuclearpowerplants,thereisalsotheproblemoftransmitting thesignalsfxomthecontainment tothecontrolroomequipment. Allofthesefactorsprovidearguments forminimizing thenumberofseparatemeasuremencs. Mostofthefunctions performed bytheplantControlSystemrequirethesameprocessinformation astheProtection System.Inthesecases,Westinghouse providesControlSysteminputsfromProtection Systemchannels. The"Proposed IEEECriteriaforNuclearPowerPlantProtection Systems," IEEENo.279,permitsthisdesignapproach, sub)ecttocertainrestrictions. However,thisproposedresolution wasnotunanimously acceptedbymembersofotherUnitedStatesstandards andregulatory

agencies, inparticular, USASXSectional Committee N3(N42),andtheAEC-ACRS.

Westinghouse heldmeetingswithmembersoftheAECtoclarifytheWestinghouse designapproachandtoidentifytheadditional designcriteriaappliedbyWestinghouse, whichgobeyondtheproposedIEEEcriteria. Theseadditional criteriarequireseparation andidentification ofcontrolandprotection equipment andtheuseofisolation devicestotransmitsignalsfromtheProtection SystemtotheControlSystem.ItisthepositionofWestinghouse thattheseadditional criteriaofferaresolution tothe'tated designconflict. Westinghouse hasdemonstrated byactualimplementation ofthesecriteriathatahighdegreeofseparation, including properidentification, canbeachievedbetweenProtection Systemequipment andControlSystemequipment. Morerecently, thequestionofthefailuremodechangedfromthatofasinglerandomfailuretocommon-mode failure-afailuremodewhichwouldadversely affectall,redundant channelsofaparticular protective functionintheProtection System.Itisgenerally recognized thatseparation ofcontrolandprotection doesnotprovidedefenseagainstthecommon-mode failures. ThenuclearpowerplantControlandProtection SystemdesignemployedbyWestinghouse wasevaluated indetailwithrespecttothecommonmode failureandpresented inaseriesofmeetingstomembersoftheAEC.Thisreportdocuments theinformation transmitted inthesemeetingsandprovidesatechnical basisforthedevelopment ofcriteriafordesignofProtection Systemswithadequateconsideration forcommon-mode failures. Theconclusion ofWestinghouse based>upon actualexperience, previouswork,andreinforced bytheresultspresented herein,isthatdesigncriteriafornuclearpowerplantprotection systemsshouldpermitmagnumeffective useofprocessmeasurements bothforcontrolandprotection functions including theuseofProtection Systemmeasurements intheControl.System.Suchcriteriasignificantly enhancethedesigner's capability toprovideasystemwithadequatecapability todealwiththemajorityofcommon~ode failurestaswellastoprovideredundancy forcriticalcontrolfunctions. J.M.Gallagher,'Jr. Consulting Engineer-ControlTechnology Vestinghouse designphilosophy forReactorProtection andControlSystemsistomakemaxiunaause,forbothprotection andcontrolfunctions, ofawiderangeofmeasurements. TheProtection andControlSystemsareseparateandidentifiable. Thedesignapproachpermitsnotonlyredundancy ofcontrol,providing itsowndesirable increment tooverallplantsafety,butalsoprovidesaProtection Systemwhichcontinuously monitorsnumeroussystemvariables bydifferent means;i.e.,protection systemdiversity. TheextentofProtection Systemdiversity hasbeenevaluated forawidevarietyofpostulated accidents. Inmostcases,twoormore=diversepro-tectivefunctions. wouldterminate anaccidentbeforeintolerable consequences couldoccur.

teetiee11.11.2233.13.1.13.1.23.1.33.1.43.1.53.23.2.3.,3.2.23.3TABLEOFCONTENTSTitleABSTRACTINTRODUCTION COMMONMODE FAILURESAND.DIVERSITY PROTECTION SYSTEMEVALUATION QjMMARYFUNCTIONAL DESCRIPTION, REACTORCONTROLANDPROTECTION SYSTEMREACTORPROTECTION SYSTEMGENERALREACTORTRIPSManualTripHighNuclearPower(PowerRange)HighNuclearPower(Intermediate Range)HighNuclearPower(SourceRange)Overtemperature 4TTripOverpower 4TTrip'LowPressureTripHighPressureTripHighPressurizer WaterLevelTripLowReactorCoolantFlowSafetyIn)ection SystemActuation Trip(SIS)TurbineTripLowFeedwater FlowReactorTripLowSteamGenerator WaterLevelTripPERMISSIVE CIRCUITSListofPermissive CircuitsRODSTOPSRodStopListINDICATION ControlBoardIndicators andRecorderCentralBoardAnnunciator PanelControlBoardStatusPanelSTEAMDUMPCONTROLSYSTEMCONDENSER STEAMDUMPSYSTEMSystemDesignControlSystemLoadRefection ControlTurbineTripControlPressureControlATMOSPHERIC STEAMRELIEFSYSTEMREACTORCONTROLTheTemperature ChanelThePowerMismatchChannelThePressureChannelTheRodSpeedProgram~Paeiv1>>1l-l1-5213.1-13.1-13.1>>13.1-13.1-13.1-13.1-23.1-23.1-33.1-33.1-43.1W3.1-53.1>>53.1-63.1-73.1-73.1-73.1-83.1-83.1-93.1-93.1-103.1-103.'1-103.1-113.2-13.2-13.2-13e2~33e2~33.2-43.2-53.2-63.3-13.3-13.3-13'~23~32 Seetiet3,4'.53.5.13.5.23.5.344.14.24.34.44.4.14.4.24.4.34.4.44.4.54.4.655.l.5.1.15.1.25.1.35.1.45.25.2.1~5.2.2.;:!.5.35.3-15-3.2TABLEOPCONTENTS(Cont'd)TitleSTEAMGENERATOR LEVELCONTROLSTEAMBREAKPROTECTION SYSTEMSAFETYINJECTION SYSTEMACTUATION FEEDWATER LINEXSOLATION STEAMLINEISOLATION PROTECTION ANDCONTROLSYSTEMSDESXGNPRINCIPLES PROTECTION SYSTEMFUNCTIONAL DESIGNCONTROLSYSTEMPJNCTIONAL DESXGNCONTROLANDPROTECTION INTERRELATION SPECIFICCONTROLANDPROTECTION INTERACTIONS NUCLEARFLUXCOOLANTTEMPERATURE PRESSURIZER PRESSUREControlofRodMotionPressureControlLowPressureHighPressurePRESSURIZER LEVELHighLevelLowLevelSTEAMGENERATOR WATERLEVELFEEDWATER PLO..Feedwater FlowSteamFlowLevelSTEAMLINEPRESSUREACCIDENTEVALUATXON RODWITHDRAWAL ACCIDENTIPROBABLECONSEOUENCES OFACCIDENTPROBABILITY OFACCIDENTMANUALINTERVENTION DIVERSXTY OFREACTORTRIPSLOSSOFFEEDWATER LOSSOFFEEDWATER -TRANSIENT ANALYSISTYPXCALSYSTEMDESIGNREOUIR1M2KS Auxiliary Feedwater SystemMainSteamandFeedwater PipingLOSSOFCOOLANTPLOWANALYSISZNTRODUCTION ANDSUMMARYPROTECTION SYSTEMDESCRIPTXON LowReactorCoolantPlowReactorCoolantPumpLowVoltageReactorCoolantPumpLowFrequency PumpCircuitBreakerPositionOverpower Delta-TReactorTripInterlocks ~Pae3.4-13.5-13.5-13-5-13.5-14.1<<14.1-14.2-14.3-14.4-14.4-14e4-24.4-34.4-34.M34.4-34.4-44.4-44.4-54.4-54.4>>64.4>>74.4-84.4-84.4-85.3.-15.1-15.1-25.1-45.1-45.1-65.2-15.2-25.2-45.2-45.2-65.3-15.3-15.3-15.3-25.3-25.3-25.3-35.3-35.3-4 14C Sectice5.3.35.3.45.3.55.45.4.15.4.25.4.35.55.5.15.5.25.5.35.5.45.65.75.85.95.10:5.115.12TABLEOFCONTENTS(Cont'd)TitleMULTILOOP LOSSOFFLOWSINGLELOOPLOSSOFFLOWLOCKEDROTORACCIDENTRODEJECTIONANALYSISINTRODUCTION ANDSUMMARYCASESCONSIDERED INDETAILZeroPowerCaseFullPowerEndofLifeCozeBACK-UPTRIPPROTECTION LOSSOFSTEAMLOADINTRODUCTION ANDSUMMARYLOSSOFLOADPROTECTION ANDDESIGNCRITERIASteamDumptoCondenser Pressurizer PressureReliefSteamSystemPressureReliefDirectReactorTripHighPressurizer PressureTripOvertemperature 4THighPressurizer LevelTripEVALUATION OF'PROTECTION SYSTEMFORLOSSOFLOADInitiation ofAccidentAnalysisandDiscussion CONCLUSIONS RODWITHDRAWAL DURINGSTARTUPCONTROLRODDROPENGINEERED SAFEGUARDS ACTUATION CONTAINMENT PRESSUREPROTECTION EXCESSIVE MADEXCESSZVE FEEDWATER PLOWSTATIONBLACKOUTCONTROLANDPROTECTION FUNCTIONS ~Pae5.3-45.3-65.3-75.4-15.4-15.4-15.415.4-25.4-35.5-15.5-15.5-25.5-25.5-35.5-35.5-35,5~45.5W5.5-45.5-55.5-55.5-75.5-95.615.7-15.8-15.9-15.10-15.11-15.12-1

LISTOFFIGURES~FgureNo.2-1Illustration ofControlandProtection Design3.1-13.1-23.2-13.3-23.3-1Overtemperature dTChannelOverpower dTChannelSteamCycleValveArrangement Condenser SteamDumpControlSchemeReactorControlSystem4.2-14.3-15.1-15.1-25.1-35.1-45.1-55.1-65.1-75.1-85.1-95.1-1052-1522.~5.2-35.2-45.2-55.2-65.2-75.2-85.2-95.3-I.5-3-25+335.3-45.3-55.3-6SteamGenerator LevelContxolandProtection SystemPressurizer PressureProtection andContxolSystemsDesignIFaultTreefoxRodWithdrawal AccidentFaultTreeforRodWithdrawal AccidentInsertedRodWox'thandReactivity RequiredtoReachDNBR~1.0inHotAssemblyVersusCoreLifeCompleteRodWithdrawal fromMaximumFullPowerCompleteRodWithdrawal fromMaximumFullPowerSteadyStateCoreLimitsandReactorTripandAlarmPointsBeginning ofLife,RodWithdrawal from102XPower,MinimumDNBRBeginning ofLife,RodWithdrawal from102XPower,TimeofEventBeginning ofLife,RodWithdrawal from80XPower,Resulting MinimumDNBRBeginning ofLife,RodWithdrawal from80XPower,TimeofEventFaultTreeforLossofFeedwater FlowFaultTreeforLossofFeedwater FlowFaultTreeforLossofFeedwater FlowLevelResponsetoLossofSteamFlowSignalLossofFeedwater FlowtoOneSteamGenerator atT~OneSecond,TypicalTwo-LoopPlantLossofFeedwater FlowtoOneSteamGenerator atT~OneSecond,TypicalTwo-LoopPlantCompleteLossofFeedwater CompleteLossofFeedwater Auxiliary Feedwater SystemSchematic, Two-LoopPlantFaultTreeforMulti-Loop LossofFlowFaultTreeforSingleLoopLossofFlowFaultTreeforLockedRotorAccidentMulti-Loop LossofFlow,TypicalPlantSingleLoopLossofFlow,TwoLoopPlantLockedRotorLossofFlow,TwoLoopPlant ~e+lyIA'I'I'lhPl0V0 LISTOFFIGURES(Cont'd)FiureNo-5.4-15.4-25.4-35.4-45.5-15.5>>25.5-35.6-15.6-25.7-1.5.725.8-1ZeroPowerEndofLifeRodEjection, NoTripFullPowerEndofLifeRodEjection, NoTripIllustration ofSafetyLimitsandTripPointsforRodEjectionAccidents, NoTripIllustration ofTransient Trajectories forRodEjectionAccidents, WithNoTripFaultTreeforLossofLoadAccidentFaultTreeforCoreDamage,LossofSteamLoadLossofLoadAccidentUncontrolled RodWithdrawal fromSubcritical, FractionofNuclearPowerUncontrolled RodWithdrawal fromSubcritical Condition, Temperature ResponsetoaDroppedControlRodResponsetoaDroppedControlRodSafetyInjection Actuation SignalvsBreakArea ~emme~e'~'%qelt*49~*t 1.INTRODUCTION poophyforReactorProtection andCooltomaemaxaumuseforbothprotection andcontrolfunctions ofawiderangeofmeasurements. Thisresultsinabroadspectrumofredundant protection andcontrolfunctions. Thedesignapproachusedpermitsallequipment components tobeidentified asprotection orcontrolandlocatedaccordingly, withelectrical isolation andphysicalseparation betweenthem.Thedesignapproachthuspermitsnotonlyreduncancy ofcontx'ol, providing asignificant anddesirable increment tooverallplantsafety,butalsoprovidesaProtection Systemwhichcontinuously monitorsnumeroussystemvax'iables bydifferent means;i.e.,Protection Systemdiversity. AlthoughtheProtection SystemdesignbasisrequiresonlythatrandomsinglefailuresnotnegatetheProtection System,aconsiderable depthofprotection IisachievedbytheWestinghouse designapproach. Systemsdesigners andre-viewershavexecentlyemphaaLzed theimportance ofachieving asuitablebalanceofdesignobfectives inregardtofunctional andequipment diversity. "'nteraction ofcontrolandprotection functions, testing,andsurveillance to~thieveaProtection Systemdesignthathasadequatecapability tocopewithbothrandomandsystematic failuremodes.(Systematic failuresarealsoknownascommon-mode, ornonrandom failures.) 1.1COMMONWODE FAILURESANDDIVERSITY Common-mode, orsystematic

failures, arethosethatpartially orcompletely preventidentical, instrument channelsfromperforming theirfunction-p'~.4*/I dundancyisnotananswertothistyPeoffailure,sinceallchannelsareassume~edtobeaffected.

Further,thesefailurescannotbeevaluated byproao~bability analysisorreliability data;indeed,theyarecharacterized byoversights ordeficiencies whichpresumably wouldbecorrected whenfirstdetected. Thegeneralcategories ofcommon~ode failuresare:a)Functional deficiency -Thevariablebeingmonitored doesnotprovidetheinformation intendedduringthecourseofanaccident. Thisdeficiency couldbecausedbytheaccident's following adifferent course/thancalcu1ated bythedesigners, orbyachangeintheplantcharacteristics whichchangestherelationbetweenthepxocessandthevariablebeingmonitored. b)Maintenance error-Thisfailureincludesconsistent miscalibration ofallchannelsofatype,andalsocircuitmodification oxrepqirwhichinadvertently rendersthechannelsfunctionally inoperative.'esign deficiency -Pailuxeoftheequipment asinstalled tomeetfunctional requirements. Thiscouldarisethxoughunrecognized dependence onasingle,commonelement., suchasventilation; byanunexpected charpcteristic (suchassaturation orslowresponse) inallcontrollers ofatype;orbytheinstrumentation beingdisabledasaresultoftheaccident-d)~<<malcatastrophe -Withproperisolation andseparation betweenredundant

channels, thisisconfinedtoma)ordisasters suchasflood,<<rthquake, fire,etc.Whereseparation isnotcomplete, lessdrastic~ventscanhavethesameresult.Forexample,afallingob)ectcouldconceivably severallcablesinasmallarea.1-2 t+J~~N Considerable effortisbeingmadeinReactorProtection Systemsdesignpreventthesecommon-mode

failures, asillustrated bytheexamplesbelow.Howeverremote,thepossibility ofacommonmode failuremustnevertheless beconsidered.

Thelikelihood ofmaintenance errorscanbeminimized byproperadministrative procedures, identificationofProtection Systemcomponents, andcompletedocumentation oftheas-supplied Protection System,including thedesignbasis.Designdeficiencies canbelargely.eliminated byequipment qualification testingandbycaxefulreviewofallpotential commonelements. Redundancy isanaccepteddefenseagainstx'andomfailureswhichaffectonlyonecomponent orchannelatatime.Similarly, "cliversity isadefenseagainstcommon~de failureswhichcouldaffectmultiplechannels. Suchprotective diversity canbeachievedineitheroftwoways:equipment diversity, byproviding different typesofinstrumentat'ion'to monitorthesamevariable, orfunctional diversity, bymonitoring different plantvariables. Functional diversity entailssomedegreeofequipment diversity, P~rilywithrespecttosensorsandsetpoints. Moreimportantly, however,functional diversity isnotdependent onthecalculated respenseofanyone"ariableduringanaccident. Asaconvex'se ofthis,functional diversity ismorecomplextodemonstrate sincetheresponseofseveralvariables mustbeanalyzedforeachtypeofaccidentevaluated. TheWestinghouse Pxotection Systemistherefore evaluated inthisreportwithrespecttofunctional divexsity. Todemonstrate diversity whereprotective actionisneeded,itisnecessary toshowcombinations oftwoormoreofthe1-3 e4 fo1lowingbarriers" foreachaccident. Someoftheseareaddressed totheneedforprotective action,ratherthantotheInstrumentation Systemitself.Thisisconsidered areasonable approachtojudgingtheadequacyofaProtection System.a)Tolerable consequences forexpectedconditions -Althoughcase"analysismightfailtoprovethatprotection isnotvastmajorityofcasesmayhaveacceptable consequences. worstneeded,theWhetherornotthisisasuitablebarrierdependsontheprobability ofadverseconditions (suchasexcessive insertedrodworth)andthedesignandoperating precautions takentopreventthem.b)Lowprobability ofaccident-Probability oftheinitiating faultmightbeconsidered, butonlyinconjunction withtheprobableconsequences. Thatis,aloss-of-coolant accidentdoesnotrequirelessprotection tthanalossofflowaccidentsimplybecauseitislesslikelytooccur.c)Controlinterlocks -RodstopsorotherdeviceswhicharrestormodifyspuriouscontrolactionshortofreactortripcanbepartoftheProtection System.Protection Systemdesignstandards, equipment testing,andTechnical Specification limitswouldtherefore beapplied.nualaction-Manualactioncanbeconsidered areliablebackuptoautomatic protection, depending ontheaccidentrate,thecomplextytheproblemandcorrective action,andthealarmsandindication provided. 1-4

Automatic reactortrip-Eachaccidentmayhavea"principle" reactortripassociated withit..)BackuPreactortrip-Asecondreactortripfunctionofisanadditional barrier.InallbutafewcasesintheWestinghouse design,aspecificreactortripisnotcategorically either"principle" or"backup": itservesastheprinciple protection againstsomeaccidents, andasbackupprotection againstothers.1.ZPROTECTION SYSTEM-EVALUATION Anaccident-by>>accident evaluation hasbeenperformed inordertoevaluatethe"depth"ordegreeofdiversity providedbycurrentWestinghouse design.Asexpected, diversity couldnotbedemonstrated forallaccidents. Thexesultsingenex'al, however,indicateaconsiderable degreeofprotection Systemdivexsity. Theevaluation, reportedin-.Section 5ofthisreport,analyzedeachpostulated ~ccidentwithoutcreditforprotective actiontothepointatwhichoneofthethreefollowing eventsoccurs:Inherentplantcharactex'istics terminated theaccident; b)Theconsequences areclearlyintolex'able', orc)=<<<tinganalytical methodsarenolongervalid(forexample,systemalculations cannotbeperfoxmed withanydegx'eeofconfidence ifseverecoredamageoccurs).1-5 tyneofevaluation, theamountofanalytical rigormustbereducedKathistypeoascontonsbecomeincreasingly remoteandsafetylhaitsareexceededisbecausepresenttechnology cannotrigorously supportassumptions assystembehaviorfortheseremotecases.Inlargepart,thisfactexplainsthereasonwhysuchconservative safetylimitsareselectedfordesignpurposes. 1-6 I SL~5ARYIntheWestingoutinhouseReactorControlandProtectionSystemstheControlSystemisseoara'sseoarateanddistinctfromtheProtection SystP"orection Systemisindependent oftheContro]heProtectonS"ste-"Lishighlydependent uponsignalsderivedfromtheProtectio Sthroughisolation amplifiers; Thisinterre].ationship isillustdininure-1.hedesignoftheControlandProtection Syst~dthinteractions betweenthemarediscussed indetailiSectio'd4ofthisreport.Thedesignphilosophy istomakemaxianunusage,forbothcontrolandprotection

purposes, ofallmeasurements ofplantvariables.

Foreachvariablemonitored, thebesttypeofequipment available isselectedasthevehicleofmeasurement. Clearly,therequirements formeasurements forcontrolorprotection purposessonearlyoverlapthattheoptimumequipment foronepurposeisalsotheoptimumfortheother,.It'srecognized bythoseresponsible forProtection Systemdesignandreviewthatlittleifanyadditional safetyisachievedbyutilizing independent, butidentical, measurements forcontrolandprotection. Infa<<,itisWestinghouse's positionthatadditional identical channelsareseriously disadvantageous jnthatmorepenetrations, maintenance, andcontrolroomreadoutsarerequired. porexample,operatorsurveiU.ance ofprotection channels'isnecessarily dilutedwhenplantoperation isdependent onotherindications.

pressurized waterreactorplant,itisalmostaxiomatic that-.naLargePresrturbation whichencroaches onsafetylimitssignificantly affects~vperturaForexample,areactivity excursion -suchasaccidental rodvt.thrawdrawal-causesnotonlyanincreaseinneutronfluxandcorepower,~soanincreaseincoolanttemperatures andinpressurizer pressurebutandlevel.Reliablecontrolisobviously'he bestapproachtoplantsafety.Theprime,purposeofacontrolsystemistolimitexcursions beforeprotective actionisnecessary. SincethecontroldevicesmustbecapableofLimitingexcursions, theyarealsocapableofcausinganexcursion -perhapsinthe,oppositedirection -ifspuriously actuated. FailureoftheControlSystem,eitherbynotactingwhenneeded,oractingwhennotneeded,decreases theleve1ofsafety.Redundancy-ofcontrol,whereapplicable, istherefore highlydesirable. Pressurizer pressurecontrolisaprimeexampleofefficient useofredundant measurements forsafeoperation viaareliableControlSystem.Twooower-operated pneumatic reliefvalvesareprovidedtolimitpressureexcursions withinthenormaloperating range.Althoughnotessential to-safety,thesevalvesincreasesafetymarginsforsystemoverpressure ~overpressure protection isprovidedbythehighpressurereactortrip~safetyvalves).Shouldeithervalvebeactuatedspuriously, however,p~tection againstthereduction inpressuremightalsoberequired. 2~2 'Ph contro3.channels, derivedformthefourpressureprotection ."-ourpressurecontnosing3.eins-hanne3.s, areuse-el'eiwhenneeded,norcananysingleiQt~tfailducepressuretothepointatwhichprotection wouldbeneededressurechannelsareusedtocontro1eachvalve.OnepressurechannelMopressureservesasaninterlock, blockingtheairsupplytothevalveonalowpressurea3.arm.Sincethepneumatic valverequiresairtoopen,thi'slowpressurealarmclosesthevalve(ifopen)andholdsitclosed.Intheabsenceofalowpressurealarmonthefirstchannel,ahighpressurealarmonthesecondchannelopensthevalve.."-romtheprotection Systemviewpoint, thecorollary tomaxbaumusageofallmeasurements isthatprotection againstanygivenaccidentisnotnecessarily confinedtomeasurement ofjustonevariable. Thusthereactivity excursion notedpreviously, thereactortriponhighpressurizer wagerleve3,alsoprovidesadegreeofprotection, eventhoughthebasicpurposeofthistripistoprotectthepressurizer reliefpipingfromwaterreliefsurge,throughthesafetyvalves.Sincecompletely different. typesofmeasurement areused<<rneutronfluxandpressurizer waterlevel,diversity doesexistintheProtection System.Lheextentofsuchdiversity isevaluated inSection5forawidevarietyotaccidents. Inmostcases,twoormorediversereactortripsterminate ~accidentbeforecatastrophic consequences canoccur.However,thesecondtripreached(the"backup")generally doesnotpreventthedesignsateylimitfrombeingexceeded. Inthiscontext,thedesignsaiety2-3 h hasaDNgratioof1.30,isitselfahighlyconservative such~,.exceeding thislimitdoesnotimplyintolerable consequences. ~onecaseevaluated -thehypothetical rodejectionaccident-protection systememdiversity couldnotbeadequately demonstrated fortheworstcase.~eyerarodejectionisconsidered tobeanextremely unlikelyaccidentonecausedbycompleteandinstantaneous mechanical failureofacontrolrodpressurehousing.Further,theprobableconsequences, asdistinctfromtheworstcase,aretolerable sincemostcontrolrodsarefullywithdrawn fromthecore.Eventhoserodsthatremaininsertedareseldominsertedtotheirinsertion limits.."-oranothertypeofaccident-completelossoffeedwater -diversity ofreactortripsdoesexist.Ho~ever,automatic actuation oftheauxiliary feedwater systemisnotdiverseforallof'hewaysinwhichfeedwater flowcouldbelost.Forthosecases,itisshownthatmanualactuation consti-rutesareliableback-uptoautomatic actuation. 2-4 'P7"IHtI0 ILLUSTRATION OFCONT."d)L 'lNDPROTECTION DESIGNCONTROLSYSTEMl(Signalcon~itionins, controllers, ~Iinterlocks, anddefeatswitches) t.otection {testsigna.ague)(testradout)~estCONTROLPROTECTION Channel'SensorI\ICablingandPenetrations ~I!PewerSuoply!Isolation I;ihmplifier IBistablelI(Fromotherprotection channels) ".harmelChannel23f"1IIn8icatio Channel4CCCJo4kIJCOCIHg~gOCl~+Icd0CcCCJPROTECTION LOGICa&CKSTRAINTOREACTORTRIPBREAKERSFIGURE2-l ~,'I1"k0P CTIONALDESCRIPTION REACTORCONTROLANDPROTECTION SYSTEH~~CTIONAL REACTORPROTECTION SYSTEH3.13.1.1GENERAL'r'1andProtection Szstmfuncti~di,,basedontheRobertEmmettGinnaNuclearStationoftheRochester GasandElectricCo.(RGBE).Itisrepresentative ofWestinghouse designpractice. Allreactortripsmeetthefollowing criteria: a)Asinglefai1ureshallnotnegateareactortripb)Allchannelsarecapableofcalibration andmaintenance atpower.3.1.2REACTORTRIPS4Aresumeofreactortrips,meansofactuation andcoincident circuitrequirements isgiveninTable3.1-1.i~fllnual TrigDepressing eitheroftwomanualpushbuttonsonthemaincontrolboardactuatesareactortrip.HihNuclearPower(PowerRane)Dualtripsettings= areprovided: 3.11 "ca.l\"1~ )Low(approximately 25X)b)High(approximately 110X).Thelowsettingcanbemanuallyblockedwhenpowerincreases aboveP-10*(approximately 10Xpower)andisautomatically reinstated whenpowerdecreases belowP-10.Thesecircuitstripthereactorwhentwoofthefourexternalionchamberaveragefluxsignalsareabovethetripsetpoint. HihNuclearPower(Intermediate Rane)Thiscircuittripsthereactorwheneitherofthetwointermediate channelsindicateabovethetripsetpoint, Etmaybemanual1yblockedwhenpowerisaboveP-10andisautomatically resetwhenpowerdecreases-below P-10.Expectedtripsetpointis25X.HLhNuclearPower(SourceRane)Thiscircuittripsthereactorwheneitherofthetwointermediate Prangechannelsindicateabovethetripsetpoint. Itmaybemanua11yblockedwhentwointermediate rangechannelsreadsavalueaboveP-6andisautomatically reinstated whenbothintermediate rangechannelsdecreasebelowP-6.TripsettingisbetweenP-6andthemaximumsourcerangepowerlevel.*P-()designates apermissive circuittoblockoractivateatripfunction. ThesecircuitsaredefinedinSection3.1.3. 4~I' ~Fjtyvertemoe temperature 4TTrioofthistripistoprotectthecorepurposeopo,pssure,temperature, 'cionTwoout~ffouroop~Foreachchannelpereactorclativemeasureofreactorpowerandiscomparedwithacontinuouslycalculated setpointoftheform:4T~K+KxPressure-K xT>>f(4I)setpointL2Javg~enthereactorcoolantloop4Texceedsthecalculated

setpoint, theratfectedchannelistripped.Zntheaboveequation, 4Zisthedifference'between thetopandbottompower-range ionchambersignals..

Thiscompensation signalautomat-icallyreducesthetripsetpointifadverseaxialcorepowerIdistribution exists.Dynamiccompensation oftheTsignalisavgalsoprovidedtocompensate forinstrument andpipingdelaysbetweenthereactorcoreandthe'looptemperature sensors.. Aschematic representation ofthiscircuitisshownonFigure3.1-1.Anillustration ofthesetpointisshownonFigure5.1-6.Overoower 4TTriThepurposeofthistripistoprotectagainstexcessive power(fuel<<dpowerdensity). Two-out-of-four triplogicisused;therearetwochannelsperreactorcoolantloop.3.1-3 iforeachchanneliscalculated as:Nesetpointtore~K-K-T-K(T-T)-f(II)45dtavg6avgavg~'quation> f(41)isthesamefunctionasusedintheovertemperature equato-serpontetpointequation. ThetermK5compensates forthepipingandinstrument delay.ThetermK6compensates forthechangeindensityandheatt~actyoityofwaterwithtemperature (T'sthenominalTatfullpower).avgavg6~thKandKarelimitedsuchthattherateand/ormagnitude ofTcanavgonlydecreasethe4Ttripsetpointfromitsnormalvalueatfullpower.ectedsteady-state tripsetpointisllOXoftheindicated hTatfullpoMer;i.e.,llOXpower.Aschematic representation ofthiscricuitisshownonFigure3.1-2.~PressureTri.hepurposeof'thistripistoprotectagainstexcessive boilinginthecoreandtolimitthepressurerangeinwhichcozeDNBprotection isrequiredfortheovertempezature aTzeactortrip.Thiscircuittripsthe:eactoroncoincidence oftwmf-four channels. Itisautomatically blockedbelowP-7.Theexpectedsetpointis1715psig.-"-'-hPressureTri=hepurposeofthistripistoprotectagainstoverpressure andtolimitthees<<<<rangeinwhichcoreDNBprotection isrequiredoftheovertemperature Wectedsetpointis2385psig.-a<<circuittripsthereactoroncoincidence oftwo~f-three channels. 3.1-4 ~hPressurizer WaterLevelTritzipprovidesabackuptothehighpressuretripandalsopreventsthepzessuzzessuzizer safetyandreliefvalvesfromrelieving waterforcredibleaccidentconditions. Expectedsetpointis92Xofspan.Thiscircuittripsthereactoroncoincidence oftwo-of-three channels. Xtisautomatically blocked.belowP-7.LowReactorCoolantFlowThiscircuitisprovidedtoprotectthecorefromDUBfollowing alossofcoolantflowaccident. Themeansofsensingalossofcoolantflowaccidentazeasfollows:a)Measuredlowflowtnthereactorcoolantpipingb)Reactorcoolantpumpcircuitbreakeropenc)Undervoltage onreactorcoolantpumpbusd)Underfrequency onreactorcoolantpumpbusThelowflowtripsignalisactuatedbythecoincidence oftwo-of-three signalsperloop.AboveP-7,reactortripoccursforalossofflowinbothloops;aboveP-S,reactortripoccursforalossoffewineitherloop.Expectedsetpointis90Kofindicated fullflow.Thereactortripsignalderivedfromreactorcoolantpumpbreakerpositionisactuatedbyasingleauxiliary contact'or eachreactorcoolantpumpbreaker.Triplogicissimilartothelowflowtrip;aboveP-7reactortripoccursfora"breakeropen"signalfromanytwobreakers; aboveP8.asignalfzomanyonebreakeractuatesareactortrip. ~wga~~V~~tortripprovidesadditonal reactorprotection against~undervoltage reactorpowers4coapletelossoo~tpumpbusesas~dboaLcwvoltageonoectedsetpointis70Zof~crvoltage sea~tartjrapiddecreaseinelectrical frequency candecelerate th~principe,a~torcoolantpumpsfasterthanacompletelossofpower.Anunderfrequency condition onbothreactorcoolantbuses,assensedbyeitheroftwounder>>frequency relayson'achbus,tripsthereactorandopensbothreactorcoolantpumpcircuitbreakers. Expectedsetpointisapproximately 58cps.aSafetyXnectionSstemActuation Tri(SIS)"ponactuation oftheSafetyInfection System,thereactorfstrippedtodecreasetheseverityoftheaccidentcondition. Themeansofactuating theSafetyIn)ection Systemandthustrippingthereactorareasfollows:la)Lowpressurizer pressure(1715psig)incoincidence withlowpressurizer water.level(5Zspan).AnyoneofthethreecircuitsLaactuatestheSIS.Thisfunctionmaybemanuallybypassedbelow2000psig.~Pressure(500psig)inanysteamline.Acoincidence oftwo~f-three signalsforanysteamlineactuatesthisfunction. Thisfunctioncanbemanuallybypassedwhenreactorcoolantpr~ssureisbelow2000psig.c)"ighcontainment pressure(6psig).Acoincidence oftwo-of-three signalsactuatestheSIS.d)ManualActuatjon f~~ Trio~tripsensedbylossofautostopoi1pressureorbyturbinestopgturbinetrpslosureactuatesareactortripduringhighpoweroperation. Trip<s~o~r-three fortheautostopoilpressureswitchesandtwo~f-two picissorthestopvalvepositionswitches. Thistripisincoincidence with~r~sszveci~ssiyecircuitP-7(blockedbelow10Xpower)andpermissive circuitP-9~blockedbelow50Xpowerunlesscondenser steamdumpisblocked). Low."-eedvater PlowReactorTriForeithersteamgenerator, lowfeedwater flow(compared tosteamflow)incoincidence withlowsteamgenerator vaterlevelactuatesareactortrip.'Msprotectsthereactoragainstasuddenlossofheatsink.Thiscondition issensedforeithersteamgenerator ife'itherof:twosteamflow~feedvater flovchannelsindicateadifference greaterthanasetpointandeitheroftvosteamgenerator narrow-range levelchannelsindicateless6thanasetpoint. Expectedsetpoints are0.7x.10lbs/hrand30Xofspanrespectively. LowSteamGenerator WaterLevelTri~epurposeofthistripistoprotectthereactorfroma'1ossofheatsink-<<thecaseofasustained steam/feedwater flowmismatchwhichistooll<<actuatethelowfeedwater flowtrip.~h~s~~-stripisactuatedoncoincidence oftwo-of-three lov-lovlevelsignals~nsteamgenerator. Expectedsetpoint, is15Xofnarrowrangelevelspan-3.1-7 /t6.,.t;>)0C 3>MQSSIVECIRCUITS3.'.3pouslytopermissive circuitsReference hasbeenmaokcertainactivities aswell-~~itsareusetoac'vfties.tofPermissive CircuitsnunbncFunccfnnRodwithdrawal stoponoverpower (Automatic andmanual)~XnucOne~f-fourhighnuclearpower(powerrange)*;one-of-two highnuclearpower(intermediate range*l;one-of-four overtemperature AW;orone-of-four overpower AT*.Automatic rodwith-drawalstopatlowpower.Automatic rodwith-drawalstoponroddropSelection ofsteamdumpcontroller modePermitmanualblockofsourcerangehighnuclearpowertripOne-of-one turbinefirststagesteampressureIOneof-four rapiddecreaseofnuclearpowerorrodbottomindication hTurbinetripsignalOne~f-two highintermediate rangenuclearpowerallowsmanualblock,twomf-two lowintermediate rangenuclearpowerautomatically reinstates trip.~bypassonindividual channels. ."~ye~allyblockedifpeanissive circuitP-10iscleared. ~' ~ssiveCircuits(Cont'd)tofPessluabaapuaaaiaa~Xauapermissive power(blockvarioustripsatlowpower)BlocksingleprimarylooplossofflowtripBlockreactortriponturbinetripThreemf-four lownuclearpowerandonemf-two lowturbineimpulsestagepressureThreeof-four lownuclearpowerThree~f-four lownuclearpowerandcondenser steamdumpavaQ-able(notlockedoutbyhighcondenser pressureorbylossofbothcirculating waterpumps)103.1.>>RODSTOPSPermitmanualblockofintermediate rangepowerleveltripandrodstopandlowpowerrangetripTwo-of-four highnuclearpowerallowsmanualblock,thre~f-fourlownuclearpowerautomatically reinstates thetripsAcompletelistofrodstopsisnotedbelow.RdStopListFuaaataaa)Roddropb)NuclearOverpower Actuation SinalOne~f-four rapidpowerrangenuclearpowerdecreaseoranyrodbottomsignalOneof-four highpowerrangenuclearpowerorRodMotiontobeBlockedAutomatic withdrawal (redundant, contacts) Automatic andmanualwithdrawal one-of-two highintermediate rangenuclearpower3.1-9 t~g 4-top~st(Contd)UjjCj:Xjjn c)iU.gh4TActuation SinalOne-of-four overpower 4Torone-of-four RodMotiontobeBlockedAutomatic andmanualwithdrawal overtemperature 4T(Manualbypassonindi-vidual4Tchannels) (Actuation ofthisrodstopinitiates acontinuous turbineloadreduction untiltheactuation signalis'emoved) .d)Lowpowere)Tavgdeviation One-ofmne lowturbineimpulsestagepressureOne-of-four Tdevia-avgtionfromaverageTavgAutomatic withdrawal HAutomatic withdrawal andinsertion 3.1.5LQXCATION FControlBoardXndicators andRecorder-Alltransmitted analogsignalswhichactuatereactortrips,rodstops,ozpermissive circuitsareeitherindicated orrecordedforevery.channel-Also.variabletripsetpoints (overpower 4Tandovertemperature 4T)areicatedorrecordedforeverychannel.CentralBoardAnnunciator Panel~yofthefollowing conditions actuateanalarm:Reactortrip(firstoutannunciator) b).aztialreactortrip(anychannel)~wioz~i<<deviation ofanycontrolvariable(pressure, T,pressurizer levelavg'linuclearpower,andsteamgenerator level)foranychannel.3.1-10 ~>>~t'lvl%1~yWC~ns'r,zy~\~ ';t"o>.3oard StatusPm&statusofeachreactortrip'c"onthetripstatuspanel'-'. channeliscontinuously displayed Istatusofeachpermissive circuitiscontinuously displayed onthpe~sivestatpanel~~'reactor tripchannel;bypass is.continuously indicated onthehyposstatuspmn-'I17~a3.1-11 sPk .,yll+~~lIE~TgtpI.fluuual2.HighnuclearfluxCplHClUEHCY. ClRCULTRY blHTERIXKKS 1/2,nointerlocks 2/4,nointerlocks forhighsettingP-10forlowsettingl.'ON1kl)1SHighandlowsetttngs; manualblockandautomatic resetoflowsetting3.',llighnuclearflux(inter>>mediaterange)Highnuclearflux(sourcerange)1/2qP-10I2/4;nointerlocks 2/4,nointerlocks 2/4>blockedbyP-72/3>nointerlocks 2/3,blockedbyP-75,Overtemperature LiT6.Overpower hT7.Low'ressure 8.9.HighpressureHighpressurizer waterlevel10a.LowFlop10b.Pumpbreakertrip10c.Undervoltage 10d.Underfrequency SISactuation 12.Turbinetrip13,Lowfeedwater flow14.Low-lowS.G.waterlevel2/3perloop~p7~P>>S1/1perloop]P7)P+S1/2t'1/2~P-71/2+1/2P-71/3,.(lowpressurizer pressureandlowpressurizer level);2/3Lowpressureinanysteamline;or2/3highcontainment pressure2/3autostopoilor2/2stopvalves>P;7]P-91/2+1/2perloop,(flowmismatchincoincidence withlowleyel)2/3$perloop h0Taygn>AYOK4T388ATsetpoint1Comparator C3.C3C42/4ogichotTcComparator RodStop0~POWERATCHANNEL(ONECHANNELOFFOURSROHH)FIGURE3.1-2 l.l CONTROLSYSTEHtamdumPareavailable: condensex'umP andatmosPheric <clevalvearrangement isshownonFigure3-2-1-yqsteamcyC0gDENSER S~QUMPSYSTEMSvseaDesisteamlinesareinstalled todumpsteamfromthesteamgenerators directlycothecondenser, bypassing theturbine.Connections withthesteammainsaxedownstream ofthestea'mmainisolation valves.ralvesandLLnesaresizedtopass35Xofturbineauuctunan calculated steamflowatfullloadsteampressure. Condenser steamdumpperformsthreefunctions: Following asuddenlossofloadofupto210MRe{about45Xof=aximumcalculated turbineload),condenser dumpactsasanartificial loadremovingexcesspowerandstoredenergywhilethereactorpowerisdecreased tomatchthexeducedturbine\Inthismanner,thecondenser steamdumpactstopreventareactortrip.Condenser steamdump,togetherwithfeedwater

addition, removesstoredenergyintheReactorCoolantSystemfollowing aplanttrip,bringingtheplantroequilibrium noloadcondition without3.2-1 rofthesteamgenerator safetyvalves.Italsomaintains

~tuationo1tathotshutdownbyremovingresidualheat.ggpJ.antatsersteamdumpisusedforplantcooldowntocoldshutdown. condenser ste~~ersteamdumpisusedtoimproveoperational flexibility. Foraplanttripmayoccurfollowing alargeloadreduction if~le,apan~4.usersteamdumpisnotavailable. ~condenser steamdumpsystemusesmodulating, Unear-characteristics, ~~cratedvalves(airtoopen).Theirstroketimeisapproximately 5aecaads.Xnaddition, theycanbetrippedfromthefullyclosedtotatefu11openpositionwithin3secondsafterreceiving aninputeLectrictripsignal.Whilethistripsignalexists,thevalvesarebahf~thefullyopenposition. Whenthetripsignaldoesnotexist,chevalvepositionisdetermined byavariableinputelectrical signal-Forcondenser protection, condenser steamdumpisblockedbyhigh~enserpressure. Otherinterlocks'described below)areused~~esamemannertoavoidspuriousoperation. ~pur'<<ous actuation ofsteamdumpmaycauseaplanttripInaddition, '-theralvesstayopen,anuncontrolled cooldownresults.Forthesethesteamdumpcontrolsystemisrequiredtomeetthecriterion signalfailureshallcausespuriousactuation-3~2~2

ControlSystemalblockdiagramfortheCondenser SteamDumpControl~efunctonSvstemisshownonFigure3.2-2.LoadReectionControl."-orpartiallossofturbineload,steamdumpiscontrolled bytheerrorsignalbetweenTandTf,whereTistheaverageoffouravgref'vgreactorcoolantaverage.temperatures and.T"istheprogz~ed, se~ref,pointforTasafunctionofturbineload.(ThesesignalsaretheavgsameasthoseusedintheReactorControlSystem.)Following aturbineloaddecrease, Tisimm'ediately resettoalowervalue,causinganreferrorsignal.Iftheerrorsignalexceedsthedeadbandfortheload.re)ection controller, thedumpvalvesaremodulated open.IftheerrorsignalexceedstheHIsetpoint, atrip.signalisgenerated whichrapidlyopensfouroftheeightvalvestotheirfully~~en position. At'heoccurrence ofaHZ-HItripsignal,alleightvalvestripopen.Thedistinction betweenmodulating andtrippingvalvesopenismadebecauseofthedifference inrequiredtimeforbothoftheseactions.Ifvalvesarealreadymodulated opencorresponding totheerrorsignal<<thetimeatripopensignalisgenerated, noadditional tripactiontakesplace.Sin~ethesteamdumpsystemrequiresafinitetimeto,act,anincreaseistobeexpected. Lead/lagcompensation forTincreases avgavg3~23 gfTontheerror,therebycompensating forthelegs~gcectoflresponseandvalvepositioning. sreactorpowerbycontrolrodinsertion. reducesreactpointsteamdumpisreduappx'oaches avgvalvesarefullyseatedMenoughtobehandledoontroLsystemalone.~~dcontratrolsystemalsoactingontheT-Tferrox'ignal ~avgrefLnordertopreventactuation ofsteamdumponsmallloadperturbations, ,rablockisprovidedwhichpreventsvalveresponsetoeitherthetrip~modulatesignalunlessaturbineloadreduction hasoccurred. AIlelcaentsofthischannel,including theturbineimpulsechamberpressuretap,areindependent ofthesteamdumpcontrolsystemdescribed above.4rate/lagunitinthischannelgenerates anoutputproportional to~rareofdecreaseinturbineload;Thisoutput,whenindicating aLoadrejection gxeaterthanlOXstepor5X/mLnute ramp,removestheOnceunblocked, thisblockismanuallyxeset.Minual-contxolof~teamdumpalsoremovesthisblock.7uxbincTriControl~~eofthelaxgeheatcapacityoftheReactoxCoolantSystemand~~highTatfullloadthesteamgenerator safetyvalveswouldavg~'~owingaturbinetripiftherewerenoothermeansofremovingedheat.'ondenser steamdumpandsubcooled feedwater flow3.2-4

planttothermalno-loadequilibrium without~~edtobring-leasetoatmosphere. eeaIetrip,monitored bylossofturbineautostopoilteoheloadre]ection steamdumpcontroller isdefeatedandplanttrptripcontroller becomesactive.IntheTcontrolmode,avgrsignalisT-Td'ndsteamdumpisproportional ~errorsgnavgno-Load'he sameerrorsignalisusedforon-offcontrolof~fe~>>tercontrolvalve,asdescribed in3.4,SteamGenerator ~LControl.AsT.isreducedtoitsno>>loadsetpoint, steam'vgreducedandfeedwater isshutoff.Asinthecaseofploadre)ection, iftheerrorsignalexceedstheHXsetpoint, atripasgaaLwgenerated whichtripsopenfouroftheeightvalvestotheiriull~penposition. Attheoccurrence ofaHI-Hltripsignal,all~ghtvalvestripopen.GeneraUy, thevalvesarenotclosedcompletely l~useofdecayheat.No-loadconditions areestablished withinmominutes.pressureControl'or><<gtermremovalofresidualheatathotshutdown, o~duringplantit>rtuporcooldown, theplantoperatorcanmanuallyswitchtosteamderpressurecontrol.Inthiscontrolmode,condenser steamdumpomaintainapresetpressureinthesteamheader.Amanual~tionisprovidedsothattheoperatorcanad)ustthesetpoint~<<ssureormanuallypositionthevalves.3.2-5 ~pbbsj, S>H~ZCS~RELIEFSYSTEHsteamreliefvalvesaremountedonthesteammainsupstreamuoayher'c steamves.Atthesetpre4g~>osteam(about1050psig),flowcalcu'chaveprovisgon feslessthanZ0Providedtoreducedtopermitaplantoolds'cediadumpisnotavailable. Thesefunctions areexplained below.a)Ifaplanttripiscausedbylossofcondenser vacuum,condenser dumpmbIocked.The'steamgenerator safetyvalvesareavailable toremovestoredenergyfromtheReactorCoolantSystem.Atmos-@heroicsteamreliefreducesthesteampressurebelowthesafetyvalvesetpressurewithintwominutesafterthetrip.Thisprevents'ontinuous chattering ofthesafetyvalvesasresidualbeatmremovedfromthereactor.Plantcoo]downisaccomplished bysteamdump.Ifcondens<<dump notavailable, theatmospheric reliefisadequatetocoold~tothetemperature andpressureatwhichtheresidualheatremovalsystemcanbeused.3.2-6

C)Zntheeventofaplanttripcausedbyanoverpower/overtemperature condition orbyafaU.ureinthefeedwater system,theatmospheric steamdumpprovidesadditidhal reliefcapacity, reducingthepro-babDityofsafetyvalveactuation. Separatecontrollers areprovidedfortheatmospheric dumpvalvesonthetwosteamgenerators, permitting independent pressureregu-lationifthesteamgenerators areisolated. 3e2~7 TcoldAVGT~at1V2SwlK3PK2ATsetpoitEComparator 22]4Logic3C4hotcold'/Comparator RodStop0$EBTEMPEBATURE ATCHANNEL(ONECHANNELOFPOURSHOWN)P1GVRE3.1-1 F~.~~'IrlEnMlEHEl/ATOR Nntrr.)VAlVNISAtIMYAllglJIOOla'nON VALVEBYPASS.VALVEHAINFEEDWATEE kLN.IQ'AI.VL IIA)IATIlNliOlla:KTOTURBINECON1'AINMENT AUXILIARY FEEUHATER +PgoIiCONDENSER STEAMDUMPVALVES<<TEAMIEHERATOR BMAINFEEWATERTOCONDENSER AUXILIARY FEEOHATER Figure3.2-1STEAMCYCLEVALVEARRAMEMENT Ii ~en/LAGCOMPENSATION STEAMDUMP)ERPRESSURECONTROLLER rRATE+RESETAUTO"MANSTATIONPROP.ANALOGSWITCHOPERA-TINGONTURBIHETRIPSIGHALSTEAMDUMPSELECTORSWITCHMODULATECOHDEHSER DUMPVALVESLEAD/LAGCOMPENSATION ((<>>s).IJf<Sgl+fg $)LTRZICOmZROLIhR Hi-TURBZHETRIPINTER-LOCKLOGICTURBINE-TRIP SIGNALTRIPOPEHGROUPAVALVESORTRIPOPENGROUPA8cBVAL~STEAMDUMPVALVES.TRIPOPEHONLYIFUHBLOCKSIGNALISPRESENT(SEEBELOW)HjELOSSOFLOADINTERLOCK r:J+A--ROPRIATEPOSITIONOHSKZCTORSWITCHZHTKGDCKFigure3.2-2CONDENSER STEAMEUMPCONTROLSC1HHEUHBLOCKSTEAMDUMPVALVESSIGHALTURBINETRIPSIGNALBYPASSESLOSSOFLOADINTERLOCK AHDUHBLOCKSSTEAMDUMPVALVES 1f'V(Y+gpQ+g+q+gl Yf"Al+J1l 33REACTORCONTROLThebasicReactorControlSystemconsistsofthreechannels, whichareretemperature (T),powez'ismatch (QT-Q)andreactorcoolantavg'x'essure (P)~Theoutput'ofthesethreechannelsisusedtodrivethecontrolrodsviatherodprogram.Aschematic representation ofthecontrolsystemisgiveninFigure3.3>>1.Thefunctions ofeachofthesechannelsareasfoU.ows:a)Tomaintaintheprogrammed Tasaccurately aspossibleavgb)Toberesponsive toloadperturbations withoutcausingunduemovementandreactortripsc)Totakecorrective actioninthecaseoflargeloadchangesifthepressureexceedsthelimitsofthenoxma1pressurecontrol.TheTeratureChannelThetemperature channelfunctions tomaintaintheprogrammed temperature -(T)asaccurately aspossible. Themainrequirements ofthischannelavgarethatitshouldbeaccuxate, stableandrepeatable. Thisisthedominantcontx'olchannelinsteady-state conditions.'he PowerMismatchChannelThepowermismatchchannelsprovidecontrolstability andfastresponset>>oadpertuxbations. Theoutputisproportional tothemismatchbetweenturbinepowerandnucleaxpower.Ahigh-pass filterinthischannelensuresthatsteady-state calibration errorsintheinputpowersignals"asnoeffectonsteady-state control.3.3-1 .atI,'gl~jl ~otherrequirement ofthischannelisthatitssteady-state outputshouldbezeroeventhoughaAxedoffsetinpowersignalsmayexist.ThePressureChannelThischannelisprovidedtopreventlargepressurechangesfoU.owing alargechangeinpower.Itretardstherateatwhichthecontroller changesTtoitsnewprogrammed setpoint.(IfTweretobechangedavgavgtoorapidly,pressurizer pressurecontxolmightnotbeabletomaintainpressurewithinthenormaloperating range.)Thepressurecontrolchannelhasanadjustable

deadband, sothatonlylargepressurechangeshaveaneffectonrodmotion.Thischannelisnotrequiredforinitialplant.operation.

TheRodSeedProamTherodspeedprogramismadeupoffourparts:ariadjustable

deadband, aminimumspeed,aproportional speed,andamaxLmumspeed.TheauucLannn speedisdictatedbythemechanism design.A11theothersettingsaread)ustable.

Expectedsetpointsare+1.5Fforthedeadband, and+5Fforamximumrodspeeddemand.Theoutputsfromthethreechanne1smentioned abovefeedintothesummingamplifier associated withtherodprogram.3a3~2 Ijgg~gi4t'~s~A)tl(~

Il.(I~')F~As)uAVOlTurbineImulsePressure~gS+1Speed4n+ETSt6S+10ariableGain+Pressurizer PressureEtyS+1~88+1PressureSetointREACTORCONTROLSYSTEHFigure3.3-'1 ~I~I4j~ CINERATOR LEVELCONTROLMoperation, thepositionofthemainfeedwatercontrolvalveisope11edbythethree-element controller (feedwater flow,steamflow,Atlowloadsabypasscontrolvalveisused.>+tpointofthe1evelcontro11erisafunctionofload,programned isewithloadbetweenOXand-2OXload.Adeviation alarmprovides~ti~uousmonitoring ofthelevelchannelusedforcontxolversustheprogrammed level.~>narrow-range levelchannelsareindicated. Thewide-range levelchannelisrecorded. .hesteamflowandfeedwater flowsignalsazesuppliedbyeitheroftwotransmitters asselectedbyacontxolboardmountedselectorswitch.Thesteamandfeedwater flowsignalsusedforcontrolarerecordedonatwopenrecorder. ":ollowing aturbinetrip,automatic controlofthefeedwater valveisswitchedfromthethreemodelevelcontroller toonoffTcontrol.avg<1<<edwatercontrolvalvesunderautomatic controlarefullyopenedtoadmitauucbnumfeedwater, thenfullyclosedasno-loadTavgapproached toavoidexcessive cooldownoftheReactorCoolantSystem.~<<1contzoloffeedwater controlvalvepositionisavailable attheontrolboard.Thismodeofcontroloverrides automatic contzoloneitherlevelorTavg3.4-1 tO~+~~'"'=*4%-4'ft'%41V~~k/+tpit' ordertopreventexcessive'moisture cazxyover causedbyhighsteam~eratorwaterlev~.asigalofhighwaterlevelove~desa3.Othertzolandclosesthefeedwater controlvalve.Thesignalisobtainedfromcoincidence oftwo-of-three levelchanneLsaboveapresetvalue.Thisoverrideisautomatically removedfromthemaincontrolvalvesasthewaterleveldropsbelowChesetvalue.Manualresetisrequiredforthebypasscontrolvalve.Thesignalsaffecting feedwater valvecontrol,inincreasing theorderofpriority, arelistedbelow:a)Three-element levelcontroloron-offTcontrol(dependent onavgwhethezornot'turbine istripped)b)Manualcontrolc)Highleveloverride(closesfeedwater valves)d)SafetyInjection Systemactuation (closesfeedwater valves).Awide-range levelchanneL,calibrated forno-loadconditions, faprovidedcoallowmanualcontrolathotshutdownandisalsousefulatcoldshutdownThischannelincludesarecorder. 3.4-2 ~PROTECTION SYSTEM~~qBRINJECTIONSYSTEMACTUATION QEEIYfactuating theSafetyInjection SystemhavebeennotedinoactThoseparticularly concerned withsteamlinebreakpro-~~43~~~aarelowsteam1inepressureandhighcontainment pressure. ~Anareolowsteam~steamlinepressuresignalisgenerated bythecoincidence of~fthreechannelsbelowapproximately 500psigforeithersteamline.~~highcontainment pressuresignalisgenerated bythecoincidence of~f-threechannelsaboveapproximately tenpercentofcontainment ~ignpressure. 3.5.2FEEDWATER LINEISOLATION Anysafetyinfection signalisolatesthemainfeedwater linesbyclosingallfourmaincontrolvalves,trippingthemainfeedwater pumps,andclosingthepumpdischarge valves.3.5-3STEAMLINEISOLATION a)Highsteamflowincoincidence withanysafetyin)ection signa1closestheisolation valveinthatsteamUne.One-out-of-two steamflowsignalsaboveaHI-HI~pp(approximately 120XoffuLlloadsteamflow)One-out-of-two steamflowsignalsaboveaHItrippoint(approx-imately20Xoffullloadsteamflow)incoincidence withtwo-out-of-four lowTsignals(belowapproximately 540'7)avg3.5-1 llIJ,J,="4~1'~~"J bi~ecoincidence oftv~f-three highcontaf.nment pressuresignaLsRctustion~ 3.5-2 A'~8) .OV<VDCONTROLSYSTEMSDESIGNPRINCIPLES PUNCTIONAL DESIGNphilosoohyforfunctional designProtection Systemistoderiveposon~rewirectlyfromtheprocessvariables ofinterestwheneverpossible. ~oner,safetylimitprotection isassuredindependent ofthetingacc'dent. .~ertemperature highdelta-TtripprotectsthecoreagainstDeparture nucleateBoiling(DNB)forallcombinations ofpressure, temperature, ~r.andaxialpowerdistribution. Thus,thissingletrippreventsDNB!'r.-cd<<ithdrawal accidents, borondilution, xenonoscillations, andcxcessire loadvariations. Protection againstotherlimits,suchasexcessvepower,densityandsystemoverpressure, isalsoprovidedbyclose~itorinzofthevariableofdirectinterest.

cce="aincases,however,thesegeneralprotection functions arenotrapidenough,orcompleteenough,toassureprotection againstaspecificaccident, suchaslossofcoo~~ntflow.Inthesecases,specifictripfunctions areorovidec, suchasreactorcoolantpumpbusundervoltage andreactorcoolant~orce""ainmorecre"'bletransients, suchasturbinetrip,areactortrip4-sderivedfromthe.nitiating event-eventhoughsafetylimf.tswouldnotoeexceededifareac": =tripweredelayeduntilanoverpressure orover-tempera=ure rri"oc""red.1nthismanner,undesirable excursions arepreven=ed, rathet"..scterminated.

4.1-1 certainprotective functions areprovidedprimarily toensuretheF~~lly,ceufngintegrity ofplantcomponent andpipingsystems.Examplesinclude-ortriponhighpressurizer waterleveltoprotectsafetyvalverelief.eacor@fanCoandreactortriponlossoffeedwater toanysteamgenerator. (The@clear'ossofsafetyrequirement istopreventcompletelossofheatsink;i.e.,feedwater toallsteamgenerators.) ."-orequipment designpurposes, nodistinction ismadebetweenthevariouscategories ofprotection mentioned above.ThesamecriteriaanddesignoracticeareappLiedtoallchannels. Otheralternatives areneitherdefensible norpractical, sincealloftheseprotective functions enhancenuclearsafetyandcomplement orsupplement oneanother.:hisapproachrequiresaninstrumentation systemthatmeasures, onatimely,accurate, andreLiablebasis,dominatenuclearplantprocessvariables. instrument ranges,sensitivity, andtimeresponsemustbeselectedconsistent Wththerangeandvariation ofeachvariablemonitored. Also,sincemanyprocessvariables aremonitored, considerable overlapinprotection functions isanaturalconsequence. 4.L-2 ~lst'I~ CONTROLSYS~FUNCTIONAL DESIGNPowerlevelandreactorcoolanttemperatures arecontrolled automatica3.l.y inaWestinghouse PWRPlant.Thereactoriscontrolled tofoU.owanyturbineloadperturbation. Thisisidealforloadfrequency control.Theautomatic ReactorControlSystem,therefore, formsanessential partoftheplantoperation. Itisbasically aregulating systemwhichmaintains propersteady-state operating conditions, therebyassuringadequatemarginstotripsettingsforoperational purposesandpropereconomicperformance. Otherautomatic controlsystemsarepressurizer pressureandlevelcontrol,feedwater control,andsteamdumpcontrol.Thesesystemsarealsoessential tomaintainnormaloperating conditions ortosuppressexcursions imposedbyoaerational transients withoutrecoursetoprotective action.AsintheProtection Systemdesign,thisrequiresaninstrumentation systemthat\measures, onanaccurate, timely,andreliablebasis,'ominate nuclearplaneprocessvariables. Theqevariables are,forthemostpart;thesameasthoserequiredbytheProtection System:looptemperatures, neutronflux;oressurizer pressureandlevel,steamgenerator level,steamflowandfeedwater flow.Inaddition, thetimeresponse, instrument, span,and~~nsitivity requirements formeasurement channelsservingeachofthetwo~y~temsaresimilar.Asaresult,primarysensorandtransducing equipment thatisacceptable forusewiththeProtection SystemshouldalsobeemployedwiththeControlSystem.FailureoftheControlSystemtoactwhenneeded,orspuriousactuation whennotneeded,generates aneedforprotection. Thesafest,plantis4.2-L onipedtobeonethatrequirestheLeastprotection. Forthisreason,wellastheeconomicdesirability ofavoidingplantoutageswhichcouldgavebeenprevented bypropercontrolactions,everyeffortismadetoensurereliablecontrol.Whereverpractical, controlinterlocks and/orredundant controldevicesareprovidedtoensurethatcontroLactiontakesolacewhenneeded-butonlywhenneeded.Controller-induced excursions causedby asinglesensorfailurearelargelyeliminated inWestinghouse designpractice.

i.

~g++SFEEDPLOWL3SF1)XgIPROP+INZECIII~I-,IIIIIIIIIPROP+INTEGILEVELCONTROLSYSTEMlIIIPI'2)FWPlFWIIIPEEDWATER ICONTROLVALVEIACTUATORIII~/7t~JiIt2/3HILEVEL2/3LO-LOLEVELI2/2I1/2LOFLOWLEGENDFWF-PEEDWATER PLOWTRANSMITTER SF-STEAMPLOWTRANSMITTER P-STEAHPRESSURETRANSMITTER L-LEVELTRANSMITTER I-ISOLATION AMPLIFIER h-DIPPERENCE AMPLIFIER X-MULTIPLIER EDWATERCONTROLREACTORTRIPREACTORTRIPVALVECLOSUREANDAUX.FEEDPL"IPSTARTANDINDICATORS NOTSHOWN.STEAMGENERATOR LEVELCONTROLANDPROTECTION SYSTEHFIGURE4.2-1 3CONTROLANDPROTECTION INTERRELATION AorrentWestinghouse PWRsystems,theProtection andControlSystemsare'ncurrenanddistinctandareidentified assuchTheControlSystem><<eer,isdependent onsignalsderivedfromtheProtection Systemthroughisolation devices.However,thereisnofeedbackfromtheControlSystem.otheProtection System.>eequipment designphilosophy, illustrated onFigure2-1,isthattheControlSystemsensoristheoutputoftheisolation amplifier. Bythisorinciple, nocomponents areshared-theyareeitherpartoftheProtection Systemandarelocatedanddesignedassuch,ortheyarepartoftheControlSystem.Thisisaveryimportant featureoftheWestinghouse design,andpermitsadividingline,bothfunctionaUy andphysically, tobedrawnbetweencontrolandprotection. Italsoensuresthat,inadvertent orIdeliberate changestotheControlSystemhavenomoreeffectonthePro-IrectionSystemthaniftheControlSystemcontained independent sensors.Thedesignrequirement fortheanalogisolation amplifiers istoisolatethe~<<tectionSystemfromanyelectrical faultswhichmightoccurinthe<<<<rolSystem.Extensive testswereperformed todemonstrate this'apability. Inthesetests,shorts,grounds,anda-candd-cvoltageswereappliedtotheamplifier output.Eventhoughsomeofthesetestswerest<<ctive(i.e.,destroyed theabilityoftheamplifier toproduceameaningful outputsignal),innocasewasanyperceptible disturbance fedac"intotheinputcircuitandhencetotheprotection System.4.3-1 0 Thepresenceorabsenceofregulating controldevicesonthedownstream sideoftheisolation amplifier hasnoeffectontheisolation requirements. Thesameequipment anddesignrequirement wouldexistevenifthesesignalswerebroughtoutoftheProtection Systemmerelyforremotereadoutanddata-logping purposes. Sincechanne1isolation cannotbereliablymain-tainedonthecontrolboardorattheinputterminals toadata-logger, anisolation device(amplifier orimpedance network)intheprotection channelrepresents theonlyfeasiblewaytopreserveprotection channelindependence. CertainfailuresintheProtection Systemcouldconceivably negateapar-ticularchannelofaprotective

function, simultaneously causingspuriouscontrolactionthatmight,requireprotective actionfromthatsamefunctiontopreventtheexcursion fromexceeding designlimits.Suchpossiblefailureisdealtwithinaccordance withtheproposedstandard, "Criteria

<orNuclearPowerPlantProtection Systems", IEENo.279,Section4.7,whichrequiresthatforsuchafault,asecondfailurebeassumedinthe'Protection eInmostcasesin'whichcontrolisderivedfromprotection, Westing-"sedesignmeetsthiscriterion byproviding atwo-out-of-four Protection SystemLoaic.Forexample,asshowninFigure4.3-1,'afailurecanbe"s~edinProtection ChannelLwhichcausesthatchanneltoindicatehigh.defeatsthelowpressurereactortripforthechannel,andalsomay"ePressureControlSystem(reliefvalvesandspray)torapidlyreduce~assure.However,threeofthepressureprotection channelsareleft-.@achedtsuretPndareactortripwouldautomatically occurwhenanytwoofthem Tthisadditional redundancy isnotnecessary becausesuchothercases,cannotcausethesafetylimitstobeexceeded. Thisfactcancannoillustrated byFigure4.3-1.Alossofsignal(lowindication) bcassumedforProtection Channel1.Thisdefeatsthehighpressurebcassumeorthatchannelandmayalsoenergizethepressurizer heaters,causingl~increaseinpressure. Ifanindependent failureisassumedinChannel2,gglownccactortripwouldoccurwhenthepressurereachedthehighpressuretrip~taintsinceonlyoneofthethreehighpressuretripchannelsisleftHowever,underthiscondition thesafetyvalvesonthepressurizer g<c~orethanadequatetoensurethatthehighpressuresafetylimitisnotacceded.Section4.4discusses allsuchcontrolandprotection interactions foramccificplantdesign.Inthatsection,itisnotedthatnumerousoperational -'cfenses againstthesefailuresexistinadditiontotheprimaryor"protection a'ade"defense.Manyoftheseadditional barriersto.anundesirable excursion N4c'cmadepossiblebymakingredundant information avaQ.able totheControlSystem.+cpossibility ofcommon-mode failurecannotbecompletely ruledout;itis<<<<eivable thatallidentical channelsbehaveidentically, butincorrectly. .""-hiscase,thequestionofControlSystemdependence ontheProtection emisirrelevant. Ithasbeenrecognized thatlittle,ifany,additional deeree<<<<ofprotection isachievedbyhavingseparate, butidentical, instru-"tchannelsforcontrolandprotection. Indeed,Westinghouse considers tseparation inthismanneractuallydeprivestheprotection Systemof4.3-3 eoftheday-Sy&ay, hour-by-hour surveillance giventoinstrument chaelsneededforroutineplantoperation. Afurther,althoughoftenggnoreddisadvantage ofproliferation ofidentical

channels, istheattendant increaseinvisualdisplaysandinformation processing problemsofsignificant oroportions.

(Timely,accurateandcomplet~Lnformation readoutisrequiredbytheIEEEcriteriapreviously referenced.)' frequently expressed concernistheneedforassurance thattheProtection Systemwillnotbeinadvertently modifiedduringthe40-yearlifeoftheplant,Thisisoccasionally citedasanargumentagainstcontroldependence onProtection Systeminformation Westinghouse completely agreesthateveryprecaution mustbetakentoensureadequatereviewofanyfuturemodification thatcouldaffecttheProtection System.Suchassurance canonlybeachievedbycompleteattention todetailsinProtection Systemdesign,operation andmaintenance. ThismustincludeIidentifica'tion ofsystemcomponents ondrawingsandonthaequipment', documentation ofthesystemdesignanddesignbasis,andestablishment ofgroupstoreviewallproposedinstrument changesthatcouldaffect'plant~safetyorplantoperations. Itisfallacious tobelievethatindependent controladdstothisassurance. Infact,suchindependence coulddecreasetheprobability thatanecessary correction totheProtection SystemwillbeInadequacy ofcontroller designrequirescorrection toallowplantoperation toproceed;inadequacy ofprotection issometimes discovered onlyafteranincident. 4,34 ControlSystemmodifications mayberequiredtoimproveplaatoperation. porencamp1e,afi1termayhavetobeaddedtoachievestability.Asacontrolmodification, thiswouldlogically beperformed intheControlSystm;i-e-7downstream oftheisolation dancesseparating theControlandProtection Systems.Physicalseparation andidentification ofequipment (separate racksforControlaadProtection Systems)andadmini-strativeprecautions ensurethatthelogicalrouteis,iafact,theoneused.Evenadvocates ofcompleteindependence betweencontrolandprotection recognize thedesirability andfeasibility ofusingprotection signalsfornon-protective functions...his introduces thepossibility ofthesesignals beingdivertedforotherpurposesunlessacarefulreviewandadherence todesignbasesisenforced. Thedivisionbetweencontrolandprotection isnotalwaysclear.Thisreflectsdifficulty indefiningthefunctionachieved, ratherthaninequipment designimnlementatioa. Definitions thatplaceallreacto'x" tripaadsafeguards actuation instrumentation intheProtection System,andallautomatic regulating instrumentation intheControlSystem,clearlyleavemanyimportant itemsinbetween.Anotherdefinition advanced'is thattheControlSystemis"allinstrumentation whichisnotprotection," andtheProtection Systemis"thatinstrumentation whichmustworkwhenneeded(topreventunacceptable consequences)." Thislatterdefiaitioa hasconsiderable meritforgeneraldiscussions andisusefulinJudgingwhetherornotaparticular itemisa"protection" itemornot.However,iftakenasarigiditisdifficult toapplytoalldesigndetails,asisshowabelow.4.3-5 Pzexamplealarmsand/orcontrolroomindications derivedfromprotection hannelinformation areessential iftheoperatoristobeproperlyandcontinuingly infoxmedoftheProtection Systemstatusandthestatusofplantsafety.Aspx'eviously noted,thesealarmsandindications azerequiredbythereferenced IEEEcriteriaasavitalpaztoftheProtection System.ordertomaintainprotection channelisolation, Westinghouse equipment designpracticeassociates remoteindication withtheoutputoftheisolation device.Otherfunctions, suchascontrolinterlocks (e.g.,rodstops)areoftenhighlydesirable, andmayevenbeessential toplantsafetyifanumberofmalfunctions ormaloperations shouldoccursimultaneously (i.e.,beyondthenormaldesignproundrules). Westinghouse hasusedtheterm"supervisory" forthatcategoryoffunctions that.isneitherclearlycontrolorprotection. (Thisisafunctional Idesignation only,anddoesnotimplyathirdcategoryforequipment design.)Supervisory functions canbefurthersubdivided intotwotypes:thosethatareinformative only(indicators, recorders, alarms,anddata-logging); andthosewhichautomatically acttoarrestdeteriorating conditions beforeprotective actionisneeded.(Thislattertypehasbeentexmedi"override", or"protective override.".) Sincethequestionisoneofwhethermanualorautomatic intervention isintended, thevalueofdistinction islimitedtofailuremodeanalysisofautomatic controllers. 4.36 N%&At'9"r.l~r' westinghouse record.zes thateach"supervisory" functionmustbeconsidered onitsownmeritstodetermine ifitshouldformpartoftheprotection ortheControlSystem.Acompletelistofprotection, control,and"supervisory" functions isincludedintheAppendix. 4.3-7 ~+m8w4':'ln1' PROTECTION ~axWELPROTECTION CHANNEL2PROTECTION CHANNEL3PROTECTION CHANNEL4PTiPQ~~~PC'~HIPR.T.tPC~LOPR.T.IIISOL'.~~PC~HIP'.T.PC'OP~ISOLQPT"PQPC'~HIPR.T.)PCLOPSOLgPTPgQPCLOPR.T.SOLIrILPRESSURECONTROLSYST~IIIIIPRESSURECONTROLSYSTEH(INCLUDES SIGNALCONDITION-INGANDCONTROLLERS ANDINTERLOCKS FORHEATERS,SPRAYAND RELIEFVALVES)PT-PRESSURETRANSHITTER PQ-POWERSUPPLYPC-CONTROLLER ISOL-ISOLATION AHPHI(LO)R.T.-HIGH(LOW)PRESSUREREACTORTRIPPROTECTION SYSTEMCOMPONENTS CONTROLSYSTEMCMPONENTS INDICATORS, ANDRECORDERS ARENOTSHOWNPRESSURIZER PRESSUREPROTECTION ANDCONTROLSYSTEMSDESIGNFIGURE4.3-1 th(OP'I4A4'g~ SPECIFICCONTROLANDPROTECTION INTERACTIONS designbasisfortheControlandProtection Systempermitstheuseoffoxbothprotection andcontrolfunctions-Wherethisisdone,>lequipment commontoboththeprotection andcontrolfunctions areclassified aspartoftheProtection System.Isolation amplifiers prevent.aControlSystemfailurefromaffecting theProtection System.Inaddition, MherefailureofaProtection Systemcomponent cancauseaprocessexcursion whichrequiresprotective action,thePxotection Systemcanwithstand another,independent failurewithoutlossoffunction. Generally, thisisaccomplished vithtwo-out-of-four triplogic.Also,whereverpractical, provisions areincludedintheControlorProtection Systemtopreventaplantoutagebecauseofsinglefailureofasensor.Thefollowing discussion ofspecificcontrolandprotection interactions tisbasedonthedesignfortheRobertEmmettGinnaNuclearStationoftheRochester GasandElectricCo.(RGE)-Itisxepresentative ofcurrentWestinghouse design-practice. 4.4.lNUCLEARFLUXFourpowexrangenuclearfluxchannelsarepxovidedforoverpower protection. so~<<edoutputsfromallfourchannelsareaveragedforautomatic control<odregulation ofpower.Ifanychannelfailsinsuchawayastopxoduce~owoutput,thatchannelisincapable ofproperoverpower protection-Inpinciple,thesamefailurecouldcauserodwithdrawal andoverpower. Two-"t<<-fouroverpower triplogicinsuresanoverpower tripifneeded,even"ithanindependent failureinanothexchannel.4'>>l ddition"theContxolSystemrespondsonlytorapidchangesinindicated f1~.slowchangesordriftsareoverridden bythetemperature controlnucleartial.Alsoarapiddecreaseofanynuclearf1~sig1blockautisticxowdwithdrawal aspartoftheroddropprotection circuitry. Finally,anoverpower signalfromanynuclearchannelblocksautomatic rodwithdrawal. Thesetpointforthisrodstopisbelowthexeactortxipsetpoint. 4.4.2COOLANTTEMPERATURE Fourtemperature

channels, eachcontaining aTavganda4Tsignal,areusedforovertemperature-overpower protection.

IsolatedoutputsfromallfourTsignalsare,alsoaveragedforautomatic. controlrodregulation ofavgpowerandtemperature. Inprincipal, aspuriously lowTsignalfromone.sensorwouldpartially defeatthisprotection functionandalsocauserodwithdrawal andovertemperature. Twomut-of-four triplogicisusedtoinsurethatanovertemperature tripoccurs,ifneeded,evenwithanindepen-dentfailureinanotherchannel.Inaddition, channeldeviation alarmsintheControlSystemblockautomatic <<dmotion(insertion orwithdrawal) ifanyTavsignaldevtatessignificant3.y fromtheothers.Automatic rodwithdrawal blocksalsooccurifanyon~f-<<urnuclearchannelsindicates anoverpower condition orifanyoneof-four temperature channelsindicates anovertemperature oroverpower condition. Finally,asshowninSection14.3..2,oftheRG&EFinalSafety'Analysis Report,th<<ombination oftripsonnuclearoverpower, highpressurizer waterlevel,ndhighpressurizer pressurealsoservetolimitanexcursion foranyratefreactivity insex'tion. 4.4-2 PRESSURIZER PRESSUREpressurechannelsareusedforhighandLowpressureprotection andFforoverpower-overtemperature protection.Isolatedoutputsignalsfromthesechannelsalsoareusedforpressurecontrolandcompensation signalsforrodcontrol.Thesearediscussed separately below.ControlofRodMotiononeofthepressurechannelsisusedforrodcontrolwithalowpressuresignalactingtowithdrawrods.Thediscussion forcoolanttemperature isapplicable; i.e.,twowutwf-four logicforoverpower-overtemperature protection astheprimaryprotection, withbackupfrommultiplerodstopsand"backup"tripcircuits. Inaddition, thepressurecompensation signalis,LimitedintheControlSystemsuchthatfailureofthepressuresigna1cannotcausemorethanaboutaLO'FchangeinT.Thischangecanbeavgaccommodated atfullpowerwithoutaDNBRless.thanL.30.tFinally,thepressurizer safetyvalvesareadequately sized.topreventsystemoverpressure. PressureControlLowPressureAspurioushighpressuresignalfromonechannelcancauselowpressurebyspuriousactuation ofsprayand/orareliefvalve.Additional redundancy isprovidedintheProtection Systemtoinsureunderpressure protection; <.e.,two~ut~f-four lowpressurereactortriplogicandone-out~f-three Logicforsafetyin)ection. (Safetyin]ection isactuatedonone-outmf-threecoincident Lowpressureandlowleve1signals.) 4.4-3 0addition, iterloclareProvidedinthPressureCtolSystemsuch~tarelief.valveclosesifeitheroftwoindependent pressurechannelsidicateslowpressure. Sprayreducespressureatalowerrate,andsometieisavaiLable forooeratoraction(aboutthreeminutesatmmchnnaspray-atebeforealowpressuretripisrequired.) Thepressurizer heatersareincapable ofoverpressurizing theReactorCoolantSystem.Maxinnmsteamgeneration ratewithheatersisabout7500lbs/hr.,comparedwithatotalcapacityof576,000Lbs/hr.,forthetwosafetyvalvesandatotalcapacityof179,000lbs/hr.,forthetwopower-operated reliefvalves.Therefore, overpressure protection isnotrequiredforapressurecontroLfailure.Twomutmf-three highpressuretripLogicisused.Xnaddition, eitherofthetworeliefvalvescan.easilymaintainpressurebelowthehighpressuretrippoint.Thetworeliefvalvesarecontrolled byindependent pressurechannels, oneofwhichisindependent ofthepressurechannelusedforheatercontxol.Anally,therateofpressureriseachievable withheatersisslow,andampletimeandpressurealarmsareavailable foroperatoraction.4.4.4PRESSURIZER LEVELThreepressurizer levelchannelsareusedforhighlevelreactortrip(2/3)andlowlevelsafetyinfection (1/3logiclevelcoincident with"Pressure). IsolatedoutputsignalsfromthesechanneLsareusedforvolumecontrol,increasing ordecreasing waterlevel.Alevelcontrol4.4-4 'El

ailurecouldfilloremptythepressurizer atasLowrate(ontheorderOEfhalfanhourormore).Irggh18V81~reactortriponpressurizer highlevelisprovidedtopreventrapid4thermaLexpansions ofreactorcoolantfluidfromfiLLingthepressurizer; therapidchangefromhighratesofsteamrelieftowaterreliefcanbedamagingtothesafetyvalvesandthereLiefpipingandpressurerelieftank.However,aLevelcontrolfailurecannotactuatethesafetyvalvesbecausethehighpressurereactortripissetbelo~thesafetyvaLvesetpressure.

Withtheslowrateofchargingavailable, overshoot inpressurebeforethetripiseffective ismuchlessthanthedifference betweenreactortripandsafetyvalvesetpressures. Therefore, acontrolfailuredoesnotrequireProtection Systemaction.Tnaddition, ampletimeand.alarmsareavailable foroperatoraction.LawLevelForcontrolfailureswhichtendtoemptythepressurizer, one-out-of-three Logicforsafetyinfection actuation onLowLevelinsuresithat theProtection Sy<<emcanwithstand anindependent failureinanotherchannel.<nadditon,asignaLoflowlevelfromeitheroftwoindependent levelcontrolchannelsisolatesLetdown,thuspreventing thelossofcoolant.ampuletimeandalarmsexistforoperatoraction.4.4-$ gTEQfGENERATOR WATERLEVELPESWATERPLOWbeforedescribing controlandprotection interaction forthesechannels, itisbeneficial toreviewtheProtection Systembasisforthisinstru-mentation Thesystemisshownschematically inPigux'e4.4-L..Thebasicfunctionofthereactorprotection circuitsassociated withLowsteamgenerator waterlevelandlowfeedwater flowistopreservethesteamgenerator heatsinkforremovaloflongtermresiduaLheat.Shouldacompletelossoffeedwater occurwithnoprotective action,Pthesteamgenerators wouldboildryandcauseanovertemperatur~verpressure excursion inthereactorcoolant.Reactortripson'emperature,

pressure, andpressuri.e'er waterleveltriptheplantbeforethereisanydamagetothecoreorReactorCoolantSystem.However,residuaLheataftertripcausesthermalexpansion anddischarge ofthexeactorcoolanttocontainment throughthepressurizer reliefvalves.Thiswouldbxeachoneofthebarriers-.theReactorCooLantSystemtoreleaseoffissionproducts.

Redundant emergency feedwater pumpsareprovidedtopreventthis.Reactortripsactbeforethesteamgenerators aredrytoxeducetherequiredcapacityandstartingtimerequirements ofthesepumpsandtominimizethethermaLtransient ontheReactorCoolantSystemandsteamgenerators. Xndependent tx'ipcircuitsareprovidedfoxthetwosteamgenerators forthefollowing reasons:a)ShouldseveremechanicaL damageoccurtothefeedwatsx'in'e toones~eamgenerator, itisdifficult toinsurethefunctional integrity oflevelandflowinstrumentation forthat-unit.Porinstance, a4-4-6. r~c-'c.'(l\1I pipebreakbetweenthefeedwaterflowelementandthesteamos]orppegenerator exatorwouldcausehighflowthroughtheflowelement.Therapidxessurization ofthesteamgenerator woulddrastically affectthedepxessuacelationbetweendowncomer waterlevelandsteamgenerator waterinven-However,theindependent circuitsonthesecondsteamgenerator ~esufficient toactuateareactortripifneeded.~jgt~rdesirable tomiabaizethermaltransients onasteamgenerator forcrediblelossoffeedwater accidents. Coatxoller malfunctions causedbyaProtection Systemfailureaffectonlyaoesteamgenexator. A1so,theydo.notimpairthecapability ofthemainfeedsrater systemundereithermanualcontrolorautomatic Tcontrol.avgHence,thesefailuresarefarfrombeingtheworstcasewithrespecttocoredecayheatremovalwiththesteamgenerators. Frectvater Plow*Npu<<oushighsignalfrom,thefeedwater flowchannelbeingusedforcontrolusedcauseareduction infeedwater flowandpreventthatchannelfrom~ping.Areactortriponlow-lowwaterlevel,independeqxt ofindicated ~<<er.low,insuresaxeactortrip,ifneeded."t<<n.thethree-element feedwater controller incorporates reseton~suchthatwithexpectedgains,arapidincreaseintheflowsignal~dcao>>ya12-inchdecreaseinlevelbeforethecontroller xe-opened eedwatrvalve.Aslowincreaseinthefeedwater signalwouldhavenog4C+~~ect4.47 CC88Kspuriouslowsteamflowsignalwouldhavethesameeffectasahighceedwater signal,discussed above.~rAspurioushighwaterlevelsigna1fromtheprotection channelusedforcontoltendstoclosethefeedwater valve.ThislevelchannelisindeFPendentofthelevelandflowchannelsusedforreactortriponlowflowcoincident withlowlevel.a)Arapidincreaseinthelevelsignalcompletely stopsfee@rater flowandactuatesareactortriponlowfeedwater flowcoincident withlowlevel.b)Aslowdriftinthelevelsignalmaynotactuatealowfeedwater signal.Sincetheleveldecreaseisslow,theoperatorhastimetorespondtolowlevelalarms.Sinceonlyonesteamgenerator isaffected, automatic protection isnotmandatory andreactortrip..ontwo-out~f-threelow-lowlevelisacceptable. 4-4.6STEANLINEPRESSURE~<<threepressurechannelspersteamlineareusedforsteambreakProtection (twomutmf-three lowpressuresignalsforanysteamlineactuatessafBtyin]ectj.on) .OneofthesechannelsisusedtocontrolthePowermperated reliefvalveonthatsteamline.Thesevalves.aretypically t<<at10KofthesafetyvalvecapacityAspurioushighpressuresignalC>>hechannelusedforcontrolopensthere1iefvalveandcauseslow~ure~Thisisaslowrateofsteamrelease,evaluated asacredible4.4-8 breakinSection14.2.5oftheRG&EFinalSafetyAnalysisReport.~theanalysisofsteambreaksofthissize,nocreditistakenforthete~linepressureinstrumentation-Safetyinjection isactuatedbytheoressurizer instrumentation. Therefore, acontrolfairedoesnotcreateforthisprotection, andtwo-out-of-three logicisacceptable. 4'g ~~~ATIONe~DEWALACCT~Syst'~evaluation oftherodwithdrawal accidentisbasedSystemparameters, protection system,andexpectedreactivity ?ThedesignbasisfortheReactorProtection Systemto~tt~ts-carefarrodwithdrawal accidents istotripthereactorygececi30DNBRisreachedinthehotchannel.Whilediversity intrumentation isnotapartafthedesignbasis,thesystem~~idleddoesprovidealarms,rodstopsandcontrolfunctions to~~t>evithdrawal fromproceeding tothetrippoint.Becauseof~~teffectofoverpower onalltheprocessvariables, additional ~!unct~<aswouldacttoterminate theexcursion, butaot'necessarily ~el.30.Extending thecourseoftheaccident, aDNBRof1.0inthe.~+seeably" isarbitrarily selectedasaUmitfora.secondLevelofycecectian. (The"hotassembly" isessentia1ly thehotchannelwithouta?Xueaaca forengineering hotchannelfactors.) Nocredit.'is takenfor~!~ttening orLocal,'void reactivity effectsatoverpower conditions. ~estpess&istic instrument error.and'set pointsareassumedforaLlItea:tarwips.~icedaverpawer isofseriousconcernbecauseofthepotential damagetoDecoredtheReactorCoolantSystem.Systbyeitherthehighpressurereactortrip~seaMcon)unction withanyreactor~pat'aterlevityforcoredamage+nWtaevaluauatianiszocusedonthiscance~'.L-L '~sprottectionagainsttherodwithdrawal leadingtoundesirable conse-quencessisinconsiderable depth,andthereareindeedmultiplelevelsofPratefro'rection aslistedbelow.Eachoftheselevelscouldbeindependently ~ideredadequate, diverseprotection againstanaccident. Becausethereactivity available byrodwithdrawal islimited,onlyveryrarecasescouldcompleterodwithdrawal causecoredamage.Asingletripfunctionwithredundant channelsprotectsagainstthiscondition. Nodiversity orseparation isrequired. b)~u1tiple, diverserodstopsareprovidedsuchthatnofailurecancauseasustained automatic rodwithdrawal. Therefore, areactortripcouldbeconsidered asbackupprotecti.on. c)For"fast"excursions, tworeactortripfunctions preventallbutlimitedcoredamage.For"slow"excursions, manualactionisanadequatebackuptotheautomatic protection system.4)Forallrodwithdrawal accidents, aeleasttworeactortripfunctions exist,eitherofwhichwouldagainpreventallbutlimitedcoredamage.FaulttreediagramsareshownonFigure5.1-1and53.-2.5'l.l.PROBABLECONSEQUENCES OPACCIDENTTheadequacy, ordepth,ofprotection requiredforanaccidentshouldbemeasuredagainsttheprobability oftheaccidentandtheprobableconsequences oftheunprotected accident. Theprobableconsequences arediscussed here.Theodtivityavailable isin(alizeburnupmai,ntain e5.1-2 sA distribution, andreduceejectedrodworths).Thedesignallowance ~erdstrodinsertion atfullpoweris0.1Xfor"bite"plus0.4Xfortheman-euvergi.e.,rodinsertion maybeanywherefromO.IXto0.5X.~izhcalculated valuesformoderator andpowercoefficients atbeginning fcorelife*,0.3Xreactivity insertion isrequiredtoreachahotassemblygggRpf1.0.Also,after20Xcoreburnup,0.5Xinsertion doesnotcauseahotassemblyDNBRlessthan1.0-Therefore, arandom,completerodwithdrawal fromdesignfullpowerconditions withnoprotection hasaboutprobability ofcausing,DNBRlessthan1.0.Thisisillustrated byFigure5.1.3.Althoughthefigureandtheabovediscussion arebasedonfullpower,theyareequallyapplicable toaccidents startingfromlessthanfullpowersincetheadditional insertedrodworthisneededtoachievefullpower.However,itmaynotbepractical toguarantee theseconditions becauseallowances forcalculation ormeasurement uncertainties cansignificantly affecttheresults.. Figures5-1-4.and5.1.5showsa"worstcase"completerodwithdrawal at25X.ofcox'eIlifefrom102Xpower,nondnalTplus4F,andnominalpressurelessavg30psi.Reactivity insertion isassumedtobe0.6X,or0.5Xx1.2.(This20Xuncertainty couldhavebeenapplied,tothereactivity coefficients-insteadoftherodworth.)M~aumhotassemblyDNBRis0.91,orslightlylessthantheaxbitrary limitof1.0.Thesametransient at6(Xofcoreknifeisshownfoxcomparison. MfxdnnmLhotassemblyDNBRis1.4&.*RactivitycoefficientsbasedonFigures3Z.1-8and3.2.110inSupplement 4totheRGEPSAR,datedOctober23,1968.5.1-3 'I'5.JIC1 leteanalysis, considering statistical variations inalluncertainties, Acomp~ddetermine amorevalidvalueortheprobability ofexceeding anyvouldlivensassfstylimitIfthisvalueweresufficientlysmall,acomparatively ~a~i<<protection systemmightbejustified. 2PROEABII,ITY OFACCZDENT~edesignintentoftheReactorControlSystemistoblockautomatic ~dwithdrawal foranyfailurewhichcancausesustained rodwithdrawaL. ~isisaccomplished byrodstopsonrapidnuclearfluxdecrease, Tavgchanneldeviation, spuriousrodmotion,andsubsequent rodstopsonhighATorhighflux.Ifrodstopswereconsidered asindependent protection, Protection Systemcriteriawouldbeapplied.Theserodstopswouldthenbeclassified fuLLyaspartoftheProtection Systemforarodwithdrawal accident. 5.l.3MANUALINTERVENTXON !annualactionisreliablebackuptoautomatic protection providedthatsufficient timeexistsforoperatorresponse. Thetimerequireddependsnthealarmsavailable, thenatureoftheproblem,andtherequiredaction.igure5.1-6illustrates steadymtate corelimitsandseveralalarmpointsndtrippoints.Alarmsareintentionally quiteclosetothedesignoperating conditions. Otheralarmssuchashighpressurewouldbereachedduringatransient. Thesealarmsaretabulated onTable5.1-1.~thoughsteamcycleheatremovalmaybethemostLimitingsteadymtate resttrictiononreactorpower,timeisrequiredtoreachcorresponding ~armsandtrippaints.'(Farinstance~ itwouldtakeabouttwominutesst110XreactorPowerwithsteamgenerator saftyvaLvesblowingbeforeasteamgenerator Low-lowwaterleveLtripcouldbeexpected.) Forthireason,thisevaluation didnotincludethesealarmsandtripsFigures5.1-7through5.1-10showtheresultsoftransient analysifarvariousreactivity insertion ratesatbeginning ofcoreLifefrom~fullpower(102X,nominalT+4'F,noa~pressureless30psiavgfromnominaLconditions at80Xpower.Aconstantreactivity insertion ratewithunlimited available reactivity isassumed.Hmdmeasettingsendinstrument errorsareassumedforthereactortrips,andnominaLsetpointsforthealarms.(Note:thehigh4Trodstopsaretakenas3'Fbelowtheirreactortripsratherthantheirnominalsetpoints.)rorareactivity insertion rateof0.5x.10gk./sec,, (corresponding roughlytomaxfxnunrodspeedataveragerodworth),ahotassemblyDERof1.0isreached,inabout.twominutes.Duringthistime,therearealarmsonhighT,pressurizer

pressure, andpressurizer Level,aswellasrodstopsandalarmsonhighfluxandhigh4T.Also,thesteamsafety.alveswouldbeactuated.

Miththemultiplicity ofaLarms,i.t.-iseasytodiagnoseams)oroverpower-avertemperature excursion. Xtisreasonable <<expectoperatorintervention (manualtrip)duringthistheaForfastterreactivity insertion rates,reacto<triponhighnuclearfluxisareliableprotection systembarrier.Therefore, sincetheavertemperature }11hg4Ttripprotectsforallexcursions, onecouldclassifyitastheprincipal protection barrierwith"backup"fromhighnuclearfluxincon-~un<<ianwithmanualaction.5.1-5 DEITYOFREACTORTRIPSeprotection systemdesignbasisfortherodwithdrawal accidentfororeprotection requiredthatonetripfunctionwithredundant channelspreven<eventaminimumDNBRlessthan1.30.Thisisaccomplished withthe<<ertemperature ATtripforslowreactivity excursions, andthehighnuclearfluxtripforfastexcursions. AsshownbyFigures5.1-7through5.1-10,thesetwotripsmeetthedesignbasis-Theevaluation alsoshowsthatforallcasesofsustained reactivity insertion forratesuptofourtimesthemaximkarateexpectedfromrodwithdrawal, anyofthefollowing preventahotassemblyDNBRlessthan1.0.a)Highnuclearfluxreactortripb)HighATtripl.Overpower AT2.Overtemperature ATc)Highpressurizer levelreactortripplushighpressurizer pressurereactortrip.(Notvalidforhighreactivity insertion rates:,.fromnearfullpower.)Thisdepthofprotection cannotbeexpectedforallaccidents orforallplants.5.1-6 TABLE5.1-1ALARMSFORRODWITHDRAWAL ~armswhichwouldbeactuatedforaspuriousrodwithdrawal accident~eeax'rM.lPowerarelistedbelowitheaPPro~teorderiwhichtheyAlarmpointsassumedfortheevaluation arelisted.Initiating Fault*-Mose'failures whichcancauseaspuriouscontrolrodwithdrawal arealarmedand,ingeneral,automatic moeianprahibited. Theseinclude-a)NXSfluxrapiddecrease(1/4)(5Xin5seconds)b)Tchanneldeviation (1/4)p5Ffromaverage)avgc)Rod.control fault-rodmotionwithnodemandZ.SeepCounter-audibleclicksfromstepcounteralertsoperatoreoradmotion.3.NISPWRRANGEOVERPOWER RODSTOP+(1/4)(105X)4.AVGTAVG-TREFDEV(T5'Ffromprogram)avg5.PRESSURIZER HXPRESSURE(2350psia)6.PRESSURIZER RELXEFLXNEHXTEMP(whenpower-operated reliefvalvesopen)7.REACTOR'OOL HXTAVG(1/4)(5'bovenominalTatfullpower)avg8.PRESSURXZER LEVELDEVIATION (5Xabaveprogr:mamed levelaefullpower)9.AUTOTURBINERUNBACKOVERPOWER AW(1/4)(3Flesschanhigh4Ttrippaine)AUTOTURBINERUNBACKOVERTEMP4M(1/4)(3FlessthanhighATtrippoint)Ll.SteamGenerator ReliefandSafetyValveActuation -audiblesteamreleaseeoatmosphere 12.STEAMGENERATOR LEVELSETPOINTDEVIATION PRESSURIZER SAFETYVALVEOUTLETHXTEMP(2500psia)CHAHM.'LALERT-asreactortrippaintsarereachedforeachchannelCapitalized wordgroupings represent engxaving onannunciator panels.REACTORTRXPSFORRODWITHDRAWAL Th<<allowing tx'ippaintswereassumedfortheevaluation: NISPOWERRANGEHIGHRANGE(2/4)(118X)2.OVERPOWER 4T(2/4)(118XoffullpawerAT).OVERTEMPERATURE dT(2/4)(variable) 4~PRESSURIZER HXPRESSURE(2/3)(2400psia)PRESSURXZER HILEVEL(2/3)(95Xofspan)AlarmandRodStop PAULTTREEfORRODNITHDRANAL ACCIDENTAUIONATIC PROTECTION HEEDEDINSUFFICIENT TI'lEfORMANUALPROTECTION NEEDEDEXCESSIVE RODNORTHINSERTEDEARLYINCORELIPESUSTAIllED RODMITHDRAVAL HIGHTBQ'ATRODSTOtRICHPOSERATRDDSTOtCONTINUOUS RODllITHDRANAL REACTORINNANUALCONIROLAIPIQIATIC CONTHOLPAILURE(SEEPICURE5+12)fICURE51~1 wJ4 SfltAOLIt~fISA~~~VII~A441~~IICC480fl4.tf&I(SRSPICURE$.1-1)PAILURECONTINUOUS RODMITHDRAMAL CONDIT1OHOREVENTRPS~REACTORPROTECTION STSTIHRCS~REACTORCONTROI.SISTIHPROPERC1RCUITIHRCSROD'NITHDRAMAL SECIHS1HDlGATEDTISIPERATUREODSPEEDHTROLLER(RCS) RODMITHDRAMAL SECIHSALLTVGCHANHE(RtS)OaTHPROPERSETPOINTS(RCS)AHDTURSINKLOADSICHALORtOMERHISHATCHCHAICIFL(RCS)AVGODSTOPRODMITHDRAMAL SECINSNISRODDROPRODSTOtAVIRAGETAVGDECREASEINDICATED tRESSUREDECREASEDECREASEININDlCATED PLUZORNIS(RPS)QQNHEL(RtS)AY%ETAVGRCSRESSURECHANNEL(RtS)RESSURECHAHHEI.(RCS)FIGURE5.1-2 INSERTEDRODWORTHANDREACTIVIXY REQUIREDTOREACHDNBR~1.0INHOTASSEMBLYVERSUSCORELIFE1.5~~~-Reactivity RequiredToReachHotAssemblyDNBROf1.0(116.5XPower,"T~~589,2250PSZA)FromFuLLPower~~10RegionWhereProtection Is.Required~IP0.5PPMax.InsertedRodWorth~P'~(BottomofManeuvering Band)-':I0Min.~ertedRodWorth(TopofManeuvering Band)-.020406080100XOFCORELIFEFIGURE5.1-3 1a1.0o.50COMPLETERODWITHDRAWAL FROMMAXIMUMFULLPOWERCa/-----MIDDLEOFCORELIFEINITIALRATE~Oa9X106k/SeC.)i~I..I[~.'.".a...p....'.",.'I.. 0'040.6080100120140TIME,SECONDS160150~la~~140UP120~0~OWfeo1004<<:HIFLUXtRODSTOP.':;: iHIFLUX=.-.~aa~~020406080100120140TIME1SECONDS160a~~ta3jdTmENTS(M.OL)620~aaaaaaa'~~I600tPHIPOWER.HI'PORN'SHI TEMP.)HITZMIP.""""'"IHi&"'"'-I-I""" dTROD:dTTRIP:IATROD.":dTTRIP.":I:'::-:.::!!::":I=-i:I .'i:0......',.".'.-..'.~:.:'.....i:-..~jllaa':::a~"'g580560540IN~<<~~(~iLI~1""~=-q--)~..'..."..'"::I.i:: T~+:Ii52O2040608O100120140160TIME,SECONDS .t~C0't-...:--0'I'>>I>>~~TRIPANDSTEADY-STATE CORELIMITSANDREACTOR.-.ALABMPOINTS160>>~~If~:t->>~~i---.-ALARMPOINTS--'...RODSTOPI>>>>>>y>>.',:.:..[~>>IJ-.I>>~$~~>>-REACTORTRIP~>>>>~~.I~.>>!WATERLEVELTRIPII'..I-HIPRESSURIZER "-~-.-"-n140~~~+o.~:>>~~p>>I-~~Ii."IIiI~I.'STM.GEN.SAFETYVALVES..lI~~'-:IIPI.-}.I~>>>>>>/>>~('Tl~~>>II~~~/>>120110'>>,!I..pl".I.:.HXFLUX.HIATp,i..:l~I~I.f.::..HIAT~PI~Tl.'I>>I.~.~I..-.3.I"I'-.":l,*>>+100~.:::I,~~~:'I~'I)HIFLUX~>>I~~~~~III~~~,LLNOM'l"II>>l'~rI'NAL'-Itt90~>>>>>>~>>I'Lis>>I>>~>>~~>>>>I~PLOWLIMITI.'~HIPRESSURIZER WATERLEVFL:Ii>~.I.i'HIAX82400PSIA~I~I8070>>~I>>~~~>>GfxAVI'.I.g.II~'II.III>>I7'~-HITEMP.4T-HIPOWERdT540560580INLETTEMPERATURE, 'P600FIGURE5.1-6 BEGINNING OFLIFERODWITHDRAWAL FROMl02XPOWERMINIMUMDNBR;I2.502.00.IsfIIsll'eti~essseIe's~~Ill:W)I'ttI~,Iessg~~ertet'I~IeIslee~f~IIIIIlift:efII~I~II~I~LEVIIIIs~Ie~~[,Hliftfitssfe~e's"tellift:net1set.11estIelIsIIsl-Itsstsl"IiII.I'IllstI.'tpgSsuRE~elt'f<<s'st~~e'l$N~HIFLUX~~~'eII.eIIIfit""~Ifl;eIRefstffIfttilees..-,ilIfl'IIIIIeees.~~IIIIIII'setits(MAXRODSPEED,MAXRODWORTH)'-'Hl'LuX:.'- II~~IIIt~IIfetfI)efl'l~ell.50\~I~s<<s'I~'s'I.s.e,lift'llIIII~~IfI<<HITEMP.AT.:-Ie.~..Qtf'~IIteltf~Ieislettet'IJ~I'tl'Itees~~'I',Pt'1st"."Ifljj'l<<n-'HIPOWERdTIIII~fe'HITBPe~~~~H':-'"sstte~es't~tt~ileseeIsit',I's'tl~ss'II'eteswlfftsf~e:HIPOWERATf-,s'T-.I~~III~~,~~~I~I~'llI~tieeI~Is~III~IHIPOWERdT;ttIsttstsl;IIIII!"IIII.i'Is~'"<<ttI'IIItestJssr,1':,Iee'.HIPOWERhT;,~ie~stlIII,;:.-.~HILEVEL',&SIC(.,'ITEMP.AT!III~IIIst~IIII~gtItlettellisteIIsless~el.0050IsttOle'~Iefl'S.G.~f"j:('ORHOTASSEMBLY)i ..SAFETY>VALVES'-, el~I~t~~IIIItsiiIIIIIIIteIslint(fIIIIetInesII.,~'IttlI~I~II~'.IfIleIlseeI'iltfssftsI*e'ttsI~e~e~~~fitIesI+etesi~sesteesIsIt'I(CORRESPONDS TODNBRit'.e,SIfIte<<I~IIIIi<<II:"I~',IttlIfttf~~ItlsitseIIgtnII~I<<Is'<<s.In~ss;Ij'IseslfIII<<IIII~~~Iltlfit0.05O.IO0.250.5L.O2.04.0Reactivity Insertion Rate,106k/secALARMRODSTOPREACTORTRIP"DESIGN"REACTORTRIPCORELIYiITFIGURE5.l-7s ~eBEGXNNING OFLIFERODWITHDRAWAL FROM102XPOWERTIMEOFEVENTllstrI~1rIssstelillsI'IsoI'tss~tlssIIIIsIleillslesesltI"sII~III~ILI1~~sitssisillsiiIIlsi1111I,sIisetsst250IlsiII:stilIseess200vo11'iesstssiisetst'IstII~,s~~~IseesstIts;ii~IHIle,'ss.'I"soI~IIIIilIts.;Ii~~II~~~TEMP.dT'?.iHILEVEL~'~ssAst'II't~esssssJl1.'l'ssl'Isells'1sssItIseIss.'SOIli~lI;III'~I"I'ItI~ssI~~~IsI'l"Ili:stt?e"s~~~'seII,I~I~sJCI~~~<'ltllslHOsIIsIIIII@isl1II~~dsDNBRHA~1.0~~sI~IIsiless~I1i'ii!i~rrII's1st~iIIssslsr~IslIIsIIIllsIIIIIII.'~Ill ilr,.II'~~~ALARMRODSTOP,REACTOR.TRXP"DESIGN"REACTORTRXPCORELXMITsI'~IisI'1stllr<osII,,II10050IC'llsitist,HIPRESSUREsill~1s'is.tfII~'illts'elsss"I'I'I',ltsIIIIski'S'II;1stceil;I,~stssllII'Ie~Ii'i'stI.i.IesdTitI>>IsIiI'.ssisst...~II".IIHIPOWER.IIltssI'~e~IIIsistJit1tlsll'IIil'aIssl(MAXRODSPEED,;MAXRODWORTH);,11ss'ItsteII1t'I!1stIsIs'stitst'ssi~~~HXLEVELlg-7:<~ILI11eIis~essIsstlStslI1st4iIJllII*Illsr,qtt\ses~~~~'3DNBRMIN~1.ss'Is's~s.rs't~~~IiI~~~I~sIslisII~IIIli"I~:I~IIs'1I,'It'IIjesIs~ststI'slie,'.'\llsI.s~eli~I1stItssI~tVgis~p'l'sa~IIIIt'lIs+IIstsglssIl.IIs~lIIs~~dTIlltli~~I~I;Is,sets:IiHXTEMPssI~sIIsI~II~~>>IeI~IsssillIII~sl11IIIIIII.0.'050.100.250.51.02.04.0REACTIVITY INSERTION RATE,10hK/SECFIGURE5.1-8 ,wtCBEGINNING OFLIFERODWITHDRAWAL FROM80XPOWERMXNIMUMDNBRs'AVG~sls~I,I~ilesIl~s~~~I~f~IHIFLUX~I.Ii~-,.~,r,<;'r:,HZT':::"I'IiI;IIAVGI~s"(jestQsIIIIs~Isq)AVG,I,~eiIsII<<HILEVEL.g..(PRESSURIZER) sti~HIPOWER'~~tsIIisa'.'S.G.-:-SAFETY:'ALVES-i.'>>-'-'IAgg'I,~~~I;s>>I'isI'"I')HITEMP'~st.I~I,~'~~e~esetsieiiiis'Is's, teI,~I-'-AT:Ils)~I~,~~~Ii'ltesIII~I:~T'IM~~f$:.-';~~~si"I'P~~IIee~Ises~IIIL-rWERhT'XPRESSURE. "NNR!!',tGMFI::"'.:l iI-I-~HIPoI>>ssII['tt'It'Ls I'i'DEVIATION I>>:fs~~sIIi~II:IIllI~I~Iirpge,sli(i~I~sALARMRODSTOPREACTORTRXP"DESIGN"REACTORs>>>>seeeels>>%TRXP'~~~~i~tlIII~~~~I'IIlls'e~I~.;IsII~e'HXFLGX~III~I.II<<Ii<<lit~CORRESP1.0"IiI~IIsS~.IIIII~issI~i'llilONDSTODNBR>LNHOTASSEMBLYi:e~~~,i'sseIIIItsI~iteIIIllss'sJI'elI~slile',~ei~~~,(MAX.RODSPEED,-.MAX.RODWORTH)~It'tsiIles~~~~iIil~t~I;~Illsi'~II~~s,~~~~~~Isss~I~,seiie~~~sI~iii~III~Islei.e~<<s'Ie~sI0tlssillsse'.III'Iii't'll'll'lel~ilIIIlssO.OSO.1OO.ZSO.S1.O2.04.0REACTIVITY INSERTION RATE,108K/SECFIGURE5.1-9 W4olBEGINNXNG OFLIFERODWITHDRAWAL FROM80/POWERo~TIMEOFEVENTi~~o'tlll-;-I-.':i'-:: ~G:"-HIPRESSURIZER';, LEVEL~.I~~~IIIIt~-'rrr-I~i~ii~I~I~I"oI'.~I~IIos.tlSAFEZYs-l~vALvEss Io~I~J'IIIQ1,~I,LEVEL~~~I,Ij"-,T',;I3 ..'.",.'IPRESSURE'vIsoElio.'I~~tsl'II~'AVG;,I;:AT,:Lol ITJ~gHIPRESSURXZER,. t:itlt!:I',.;IIlllli!ii~~'io~I~~HITEMP4T~o~I41:,~oHXPOWER4TDNBR~1.0'.o~IIILI'.~~io~I:III!4II~I-~JIiIIIII~sill~I~II'~~I~,IlsI~~~o~~~il:~ilt'~,~Ioo~~~IDNBR~1.3'it'I~'t~~'~~(MAX,RODSPEED,,MAX4RODWORTH)~il,is~II:II!IIsItts~oALARMRODSTOPREACTORTRIP"DESEGN"REACTORTREE~~LsslotIllsiil~Its~IIIII~oilIoI~o~.L.l.J:::: 4ltI~II~~~It~o4~o~jilt!tooio.,';:@goal:"i~I~oj>>!iisIoJ~III:I'ts't.Il'"..Itlt!I~~st~o~~~E'XPRESSo,is>>I~~IIIIIIIStI'~I.iIH%H&iti,'-',: HIFLUX'ot'isJtl~o~~II~IIIII~II~I~I:tl~~II~~o!It~~"ilii~o~I~'~il>>io~~~I~~~itissl100TAVC50olo~oo~I'!to'lli IIDoi":iri.~II'~~o~III~4I~'~II~IIIII*I~I~ooIo~I~~~~IIIlo~~II4I~o~II~~tI~~~I~'iti,~!ilI~I~o-::".:++I~.-..'i'il~o~I~~~~o~iis4si~!~lI~I~I~Ii~oL~I~~~!iot~~I~~I~s~!I~tillIllIIQ~Il'~'iot!4III~~;IsoI~I~IIiItI~II~IHIPOWER4T~-:.';HITEMP4TIo~IIt~II~JA.IIilotgiiIt/lt!.~it'ilio~Io~~io,is.,'Ioi't~tl~'~si~~sot!IlossI~SS"~'II:I:~-."I0.050.100.250.51.02.04.0Reactivity Insertion Rate,106k/secFIGURE5.1-10 LPSSOpFEEDWATER >ringpoweroperation, lossoffeedwater tothesteamgenerators isofpotential concernbecauseitaffectstheabilityofthesteamgenerators tormovedecayheataftertripTheprotection forthiaccidentconsistsofreactortripandanauxiliary feedwater system.Thisevaluation describes theControlandProtection Systeminstrumentation providedonatypicalWestinghouse PWRPlanttodirectlymonitororcontrolsteamgenitorwaterlevel.Lossoffeedwater accidents withoutcreditforthisinstrumentation areevaluated. TypicalWestinghouse designrequirements fortheauxiliary feedwater systemareincluded. Atypical1456MWttwo-loopplantwasselectedforthetransient analysis. Alossoffeedwater accidenttoonesteamgenerator ismostsevereonatwo-loopplant.Foracompletelossoffeedwater, thetransient perloop,isdependent onthenormalized kineticparameters; e.g.,power(sotheresultsshownherearerepresentative forallplantscurrently underdesign.Znallcases,diverseautomatic reactortripsinsureaplanttripbeforeanycoredamageorsystemoverpressure occurs.Manualactuation oftheauxiliary feedwater systemisconsidered anadequatebackuptotheautomatic actuation. Thereissufficient time(24minutes)andalarmstotakecreditformanualactuation. <nteractions ofsteamgenerator levelcontrolandprotection resulting C~romrandomfailuremodesarepresented inSection4.2.5.Alarmsactuated5.2-1 oracompletelossoffeedwateraccidentarepresented inTable5.2-1'C-.suittreesforlossoffeedwater accidents arepresented inFiguresC-2l,5.2-2,and 5.2-3.LOSSOFFEEDQATER -TRANSIENT ANALYSISSeveralrepresentative transient casesareevaluated forlossoffeedwater accidents. Figure5.2-4showsthetransient resulting fromcompletelossofthesteamflowcontrolsignal.Asshownbythefigure,theLevelControlSystemrestoreswaterlevelsuchthatonlyatemporary decreasein~sterleveloccurs.Thereisnoapproachtounsafeconditions ortoanyreactortripsetpoint.Figures5.2-'5and5.2-6illustrate atypicalcompletelossoffeedwater "oonesteamgenerator 'ofatwo-loopplant.Nocreditwastakenforreactortripsderivedfromthesteamgenerator. Thelossofsubcooled feedwater isreflected tothereactorasasmalldecreaseintherma1Iload,causingtheincreaseinpressureandtemperature showninthe-irstminute.(Thereactorwasassumedtobeinmanualcontrolwith<<manualcorrection.) Oneminuteafterthe.lossoffeedwater, thesteamgenerator tubesbegintouncover,causingarapid.pressureandtemperature increase. Ifamchnumpressurecontrolcapacity(poweroperatedreliefvalves)isavailable, thepressureriseislimitedandahighpressurereactortripdoesnotresult.Areactortriponhighpressurizer eloccursappro~tely twominutesafterthelossoffeedwater. 5.2-2 lr> zinventory inthesecondsteamgenerator issufficient tobringWaterplanttonormalno>>loadconditions.Thereisnooverpressure oxthepanofwaterfromtheReactozCoolantSystem.lossofigures,5.2-7 and5.2-8illustrate aworstcasecompletelossoffeed>>watertoallsteamgenerators withnotripfromsteamgeneratox instxu>>~tation.Aconservative evaluation isdoneforahigh-power densi.typanlanttypicalofcurrentPWRdesigng.456MWt2>>loop).Nocreditistakenforchargingsystemsorforenergyabsorption bymetalintheReactorCoolantSystem.Theresultsareconsidered tobeextremevaluesratherthanrealistic conditions foranactualplant.Thereactortripsonhighpressurizer pressureaboutoneminuteafterthelossoffeed.Storedheatinthecorecontinues toheatthereactorcoolantandthepressurizer M.lsinaboutthreeminutes.SteamdumpvaluesopenfuU.yunderTavgcontrolandreducesteamlinelIpressure. Afterabouttenminutes,theReactorCoolantSystembeginstoboy.,aa"h<<htimethex'eactorcoolantpumpsareassumedtoceaseaddingenergytothecoolant.Boilingcausesarapidincreaseinthevolumetric surgerate,andsystempressurerisesuntilthevolumetric expansion isbalancedbysafetyvaluecapacityforwaterzelief.(Nocreditwastaken"orthepower-operated reliefvaluesinthisanalysis.) teŽgenerated inthecoreisassumedtofilltheupperreactorvessel,esteamgenerators, andhalfofthecoolantpipingbefoxeescapingtoepx'essurizer. Duringthisfourminuteperiod,mostofthereactor5.2-3 e olantfluid'islostaswaterdischarge throughthepressurizer >+styvalve.Assteamisdischarge throughthepressurizer, premeasuredecreases tothesetpressureforthesafetyvalves.Afteranadditional tenminutesofboiling,(24minutesafterthelossoffeedwater), thetopofthecoreisnearlyuncovered. XtwasassumedthattheAuxiliary Feedwater Systemwasmanuallyactuatedatthistime(pushbuttonsonthecontrolboard)and200gpmauxiliary feedwaterpersteamgenerator beganimmediately. Qithintwominutesofstartingauxiliary feedwater, thesteamgenerator heatremovalexceedsdecayheatandreactorcoolant~emperature andpressurerapidlydecrease. 5.2.2TYPICALSYSTEM1ESIPilREQVIEEMENTS Auxiliarv Feedwater SystemTopreventreleaseofreactorcoolantthroughpressurizer safetyvalvesiandtoprotectthecore,asupplyofhighpressurefeedwater mustbeprovidedfortheremovalofresidualheatfromthecorebyheatexchangeinthesteamgenerators whenthemainfeedwater pumpsceasetooperateonblackoutorbecauseoffaultconditions. 'yp<<alcriteriaforactuation ofauxiliary feedwater ispresented iniable52-2afetyzequi.rement istoincludetwoseparateauxiliary feedwater yternatoensurereliability ofsupply.Ones'ystemutilixasasteamturbinedrivenauxfLiazy feedwater pump,aeurbinebeingconnected suchthatsteamcanbesuppliedfromsome5.2-4 t, ~ofthesteamgenerators. Theflowrate,usuallyabout200gpmnrsteamgenerator, is,sufficient tomaintainamilkmandepthofwater>rstethesteamgenerators. ochersystemutilizestwo(2)reserveauxiliary feedwaterpumps,a~ofabouthalfthecapacityofthesteamdriven.pump.HowratesufficienctoensurecoolingofthesystemandtoPreventwaterdischarge cromReactor'oolant Systemxeliefvalves.Thereserveauxiliary feed-vacexpumpsnormallyaredrivenbyprimemoversusing'sourceofenergyotherthansteamfromsteamgenerators. Theheadgenerated bythefeedwater pumpsistobesufficient toensurethatfeedwater canbepumpedintothesteamgeneracor whensafety'valvesaredischarging. Pumpsaxecapableofstartinganddelivering feedwater vithintwo(2)minutesoftheblackoutorfaultconditions requiring puupactuation. >ietypicaldesignbasisforsizingauxiliary feedwater pumpsisgivenbyTable5.2-3.Sourcesofwaterforauxiliary andreserveauxiliary feedwater pumpsareduplicated orifconvenient, triplicated. Ordinarily, wageris'}rawnfromacondensate storagetankcontaining waterofnormalpurity,'<<maybedrawnthroughemergency connections fromothersourcessuch~citywater,wellwater,fix~+inwater,servicewater,etc.,toobtainasupplyundersufficient pressuretosatisfyauxiliary feed>>"-pumpsuctionrequirements underemergency conditions. 5.2-5 ( fromtheauxiliary pumpsisdelivered tothesteamgenerators ~pterpipelinesseparatefromthemainfeedpipelines.Pipelinesarepapespacedtoassurethatasinglefaultdoesnotpreventfeedwater ~~Jvspa~ewholeoftheauxiliary feedwater system(watersupply,piping,dieselgenerators, etc.)mustbe"ClassI"seismicdesignstandard.+ pggp+I~SteamandFeedwater Piin<iailureofanymainsteamorfeedwater lineormalfunction ofavalve~tel].edthe"einoranyconsequential damagemustnotreduceflowcapability if>eauxiliary (emergency) feedwater system,renderinoperable any~eeredsafeguard service(i.e.,controls, electriccables,containment aeM4gpiping,etc.),initiatealoss-of-coolant

accident, causefailureifanyothersteamorfeedwater line,resultinthecontainment pressureexceeding thedesignvalueorimpairitsimpermeability andintegrity.

I>steamandfeedwater linestogetherwiththeirsupportsandstructures ~<<eneachsteamgenerator andtheirassociated isolation valvesareto-"'"Classl"seismicdesignstandard.* eoeexpression "ClassI"usedinthiscontextisdefinedinsignofNuclearPowerReactorsagainstEarthquakes" inadocument~titled"Behaviour ofStructures DuringEarthquakes" AppendixA,byHousner,professor ofCivilEngineering', California Institute of,~""oology.

Pasadena, California.

Published byAmericanSocietyof"-+1Engineers -Engineering Mechanics Division. (October1959EM4)5.2-6 TABLE5.2-1~SACTUATEDFORACO%'LETELOSSOFFEEDWATER ACCIDENTCauseoffault(ingeneral,anycondition causingacompletelossoffeedwater causesanalarm)2.Lowfeedwater flow(partialreactortrip,twochannelspersteamgenerator) Steamgenerator leveldeviation (onepersteamgenerator) Lowsteamgenerator level(partialreactortrip,incoincidence with2.above,twochannelspersteamgenerator) a5.Low-lowsteamgenerator level(reactortrip,thr'eechannelspersteamgenerator) 6.Automatic controlrodmotion7.Tdeviation avg8.HighT(3or4channels) avg9.Pressurizer leveldeviation LO.Highpressurizer pressure(twochannels) 11.Pressurizer relieflinehightemperature lHighpressurizer pressurereactortripNote:Itisassumedthatthe-turbineandreactoraretrippedonhighpressurizer pressure. Pressurizer safetyvalveoutlethightemperature ~4'ighpressurizer levelreactortripLowsteamlinepressure(notonallplants)~6~Pressurizer relieftankliquidhightemperature ~7'ressurizer relieftankhighpressure~8'ressurizer relieftankhighlevel19.~Highcontainment pressure(safetyinjection actuation, ataboutlO~ofdesignpressure) 10Lowpressurizer level(partialsafetyin)ection actuation) TABLE5.2-2TYPICALCRITERIAFORAUXILIARY FEEDVATER ACTUATION Motor"Qxiven PsLow-lowlevelinanysteamgenerator startsbothpumps.actionrequiresthesamebistables andrelaylogicasusedforthereactortrfp.(2/3circuitry foranysteamgenerator) .b)Openingofbothfeedwater pumpcircuitbreakersstaxtsbothpumps(1/1+1/1logic).c)Safetyinjection sequenced)Manual.Turbine-Driven Pa)Low-lowlevelintwosteamgenerators. (Samecircuitry asI.A.above)b)Lossofvoltageonboth4KVbuses(1/1+1/1logic)c)Manual.3.GeneralCriteriaa)Allthreepumpsaretohaveindependent startingcircuitssuchthatnosinglefailurepreventsmirethanonepumpfromstarting. b)Instxmentation andlogiccircuitsforlaand2amustmeetthesingle-failure cxiterion foxactuation andbecapableoftestingatpo~er.Compatibility withreactortripcircuittestingisalsorequired. c)Spuriousactuation duetounusualfailuresistolerable, butroutinetestingofreactortripcircuitsshouldnotcausespuriousstarts. 4000HZPRESS/ALARM:-":.'-.='::. -,'tL.'-':4:-:1::!! t:::il::-::rW I'.='=Qptftt!ti.!r.'L"COMPLETERODWITHDRAWAL FROMMAX.HJLLPOWERBBCINNZNC URE-----MIDDLEOFOFCORELIFECORELIFE020406080TIMENSECONDS1001201401608004&NNaWi50HILEVEL406080IflP~&l~a100120140160TIMENSECONDS2.01.51.00.5'Wa.IBt~IVPfPt.-DNBRMIN.:~1.30tll')"HOTQQLNNEL:1-WOOI~NC1BBBMILY-N~020'0608010012014010TIME,SECONDS TABLE5.2>>2d)Instrumentation andlogicforlband2bshouldbeconsidered asoperational signalsforeconomic(notpublicsafety)protec-tion,(SimQ.artoreactortriponreactorcoolantpumpcircuitbreakeropening).e)AsEngineered Safeguards components, theactuation circuitry forauxiliary feedvater actuation shallmeetallappU.cable IEEEDesignCriteria. e'TABLE5.2-3CALDESIGNBASISFORSIZINGAUXILLQEFEEDWATER'PUMPS ~~DRIVENPUMPSI~steam~riven pumpcapacityisadequatetomaintainatleastlpfeetofwaterinallsteamgenerators intheeventoflossofstationpowerfromnormalfullpoweroperation. Nocreditis~owedformotor-driven pumpcapacity. ~OR-DRIVEN PUMPS'IEachmoto~venpump,byitself,.is'adequate topreventwaterrelieffromthepressurizer reliefvalvesunderthefollowing assumptions.a)Planttripoccursfrommaachnun steadymtate powerandtemperature. conditions. b)Allsteamgenerators areattheirlowlowleve1trippointsatthetimeoftrip.c)Nocreditistakenforanyadditional sourcesoffeedwater aftertrip(stationblackoutassumed.) d)Atleasthalf,butnotallofthesteamgenerators aresupplied. withamcLliary feedwater. e)Naturalcirculation existsintheReactorCoolantSystem.0NocreditistakenforchargingorletdownfromtheReactorCoolantSystem.g)Applicable startingdelaysandfeedwater pipepurgingtimesareused. FAULTTRttFORIDSSOl'IB+STIR F(DM'.m~I'l~OCORESECIHSToUNCOVERINSUffoSIolgURCINCCAT.ANAHUALAof0ll0$oTIKE(iloNIH.)NANUALA,F,M,S,TINE(oloNIN.)RCSHEATSOHDECATHEATMOoAUTO,A.F.M.S.ALLSoCo'SDtfSTATION(SttFICURRSotIRoToONH'loFREEOIllttSoCo'$Q(FTTbCSHFATSSoCTURESRECINToUNCOVERHOTElHI.FREES.R.T.NATbtHECSSSART TO=FREVBITSTSTtÃOVERTRESSUREIOIOIXIOLIOII.OIO.IIOIIOOI.IIIOIIMIOI.OIO.IOIOOOOOOLOMSoCoLEVELNANUALREACTORANDIRIF-~MSINoNISIPSLUMLOSSOrLEVELRAPIDlOSSOFLEVtLLOSSOFSoCoLEVELREACIORATFMRoMITHIHSUFF.F.MORAbbbtVIATIOHS RCS~REACIORCOOLANfSTSTENRTREACIORIRIFS.ISAftffIlQECTION FoMoftEDMATER AofoMoSoAUIILIART FoMoSTARTSooo~STEANCENtRATOR NJ4NOIORDRIVENNECRANICAL FAULTAUTO.C(NIROLFAULTELECTRICAL fAULTLOSSOfFELID(SttFICURRSotI) pan.TTacepoarossoppcaeATcanuuSERFlcuacS.I-IAUTQtATIC CONTROFAULTELECTRICAL fhULTLOSSOff.M.SUCTION2/>Hl.LEVELCLOSESF.M.VLVIHCOHPLETE S.leSIGQ-H$R.T.IRQQIHIHGF.MoMHAN~f.M.VALVECLOSEEICONTROLfAULTILOOPLOSSOfCOOIAHFFLOVRE-REACTORATBILLPOllERS.CEN.LEVELCONTROLLER fAULORRFACIORATRE-DUCIDFOlXRTNFROFERcxTeINCONTROLLER IPLPIPL.O.F.M.-(ELEC.FAULT)4EV.RUSFAILUREONESUSLOSSOFCOH-OENSATEtUHPSORI~lieSSOFHTR.DRABfLBPLO.SIN.fLOMRlfEEDBOllCTOHTOHHILEVELINDICA-TION(R,t.S.)AILUREOFCOH-EHSATERYPASSAbbaEVIATIONSfAILURECONDITION R.T.-REACTORTaitS.l.-,SAfETTIHIECTION R.t.S.-REACTORPROTECTION STSTEHf.M.-FEEDMATER Aaf.M.S.-AUXILIARY f.M.STARTfIGURE5.2-2, ~~FAULTTREEPORLOSSOFPEEDWATER PLOWSEEFIGURE5.2-1STATIONBLACKOUTWITHLOSSOFPEEDSTM.GEN.LO-LOLEVELA.F.W.S.LOSSOPLEVELINSTM.GEN.F.WPUMPBKR.MOTORA.F.WS4KVUNDERVOLT STEAMA.F.WS.(LOSSOPREACTORCOOLANTFMWREQUIRES2963)IATE REACTORTRIP)COMPLETELOSSOF4RVSYMBOLSABBREVIATIONS F.W.-PEEDWATERA..P.W.S. -AUXILIARY P.W.STAR]FIGURE5.2-3 ltFF LEVELRESPONSETOLOSSOFSTER%ANSIGNALPROP+INTEGRALK+-11SPROP+INTEGRALK+-12TSPHEOMATIC POSITIONER POSITIONW8QfQNORMALIZED STEhKFLOQ8QfNOHHAIZZED PEEDWATER PLOW-1K<<1feT-200sec1K~10T~200sec22l~~-"FEED%TERVALVE~POLLYOPEN~~~]~~~~4~-~~~--I-I~~1010202030~,SECONDS3040405050'060~~~~~~~~I'~~W~~~~~I.~~oFZGaaE5.2-4 LOSSOFFEEDQATER TOONESTEAMGENERATOR ATT~ONESECONDTYPXCALTWO-LOOPPLANT260022001800~W~It=LL:~t1400~~800600400~t~~~PRESSURIZER .LEVELHEACTORTRXP-'~t200'25,,dao~~50,0025,Oej~~4~~~~4080120160200MME,SECONDSFIGURE5.2-5 LOSSOFFEEDWATER TOONESTEhHGENERATOR ATT~ONESECOND"640:".I:~lI~E~~~IA.~I~'I620"..:.:-:.-.~~~-:600~~~~~E"'3'-'-=580~~:~~500540.L--..:4.P':: ll=.S'5001.0.8-COEE~-POWER'-:=..~.6i-.:)"ŽTOTALGEN.~204080120160200~,SECONDSFIGURE52-6 l~ 'te'e00F0050003.02e52.0200100ga00Q2IPLETELOSSOFPEEDWATER <<~~I~~I~~~~Ieeei!i~:..i'.I~~I~II~I>>~e~~~'I~~5001000TIMESECONDS1500I~Ir~~I,t':I~~~('I~I::::J<<i~~I.<<nI..~::~(r'i:..('I~.I~'I'~~I~e~e~I.~eI~eI~I.eI'00TIMESECOR)S5001500STEhMPLOW'TOPRESSURIZER ~II(iWhTERBKZEFjIe(*'STEhMRELIEFIHSBOILIHG.COHDENSATZOS ~HZPRESSTRZP-'KCEIESBOILS~:...II....j;-.-:i:<<;';;,II-:;:-'-'I'<<'U- ~e0'0001500~~:~II:4J<<~::.i.-.~~10.:::.."::LIIIIt~~:-BOTLTHGf~WhTERR1KXEF::.-.;hei~.:.'"::.:.ll'. Ig~i'.I:.III."Ie.I~.~iII(:-:~~,"".,:hIEZLZhRT PEH"'HsSRSi:II.':j~e10005001500TIMEAFZERLOSSOFPEED,SECONDSPIGUBE527 CQHFLEZELOSSOFPEEDWATEK ~+o600)$5005001000-1500TZHE,SECONDS10QOla8QQ6QQ.'0gQQQ0500100015002000TIME,SECONDS AUXILIARY FEHNATERSYSTEMSCHEMATIC 2LOOPPLANTMotorOperatedValveMPneumatica11y LO.LockedOpenOperatedValveManualValve(normally open)I,~MOTOROPERAL~CHECKVALVESTOPCHECKVALVECondensate StorageTankManualValve(normally closed)~PromAlternate WaterSupply(CLASSI)CLASSIXiCLASSIL0.LOL.O.MotorDriveTurbinefDriveMotorDrivePromMainPeedwater SystemSGB-"romMainPeedwater SystemFIGURE5.29 4* OSSOFCOOT~i-~OWANALYSISLOINTRODUCTIOÃ ~SDSUMMARYc~3~Ithereactoris~thepowerrangeofoperation, lossofcoolantfloweatentepotential conce-n.Withoutsufficientflow,DNBandcladfailure~dquicklyoccur.estinghouse PWR's,constant-speed pumpssupplycoolantflow.Plowisegulatedorotherwise varied.High-inertia flywheels aremountedoneach.sothatflowdec=eases ovex'periodoftime(typically 12secondstofflow)following alossofpowertothepumpmotor.Thisflowcoast-ioMnallowsforProtection SystemtMedelaysandremova1ofstoredheatinxbefueL.Subsequent decayheatisremovedbynaturalcirculation. Diverse,redundant protection circuitsareprovidedtoprotectagainstallpossiblelossofflowaccidents. Theseprotection circuitsaxeevaluated thisreportformultiloop lossofflow,singlelooplossof;flow,and~othetical pumoseizure.AlthoughdesignLimitsmightbeexceeded, theonsequences arefoundtobetolerable inallcasesevenifanyoneprotection circuitfailedtoperormitsfunction. -3.ZPROTECTION SYSTRfDESCRIPTION erousreactortrf.pcircuitsprovidecoreprotection foraLossofflow~c-"ident. Thesetripsare:reactor'oolant flow,ReactorcoolantpumpbusLowvoltage,ReactorcoolantpumpbusLowfrequency, Reactorcoolantpumpbx'eskerposition, Overpower Delta-T.5.3-L perceptfortheoverpower Delta-Ttrip,alltripsareblockedbelow10Xpower.LowReactorCoolantFlowThreeredundant flowchannelsareprovidedforeachloop.Athighpower,lossofflowinanyloop,assensedbytwoofthethreechannels, actuatesareactortrip.Thesetpointforthistripistypically at90Xofnormalindicated flow.Atlowerpower(typically 50X,65X,and75Xfor2,3,and4-loopplantsrespectively) lossofflowinanytwoloopsactuatestrip.Thesameflowsetpointand2/3logicisusedasforthesinglelooplowflowtrip.ReactorCoolantPumpLowVoltaeInordertoinsurethattotallossofpumppowerdoesnotviolatethecoredesignlimits,areactortripisactuatedbylowvoltageonthy,reactorIcoolantpumpbuses.Thedesignrequirement istomeetthesingle-failure criterion forcompleteloss'ofpumppower.Thetriplogicisgenerally suchthatlossofpoweronanytwobusescausesareactortrip.Typicalsetpointsforthistripareintherangeof60Xto80X~ofnormalvoltage.ReactorCoolantPunmLowFreuencThereactorcoolantpumpsareprovidedwithflywheels toincreasetheirrotatinginertia.Thisprovidesforcedcirculation forsomeperiodoftimeafteralossofpower.Itisconceivable thatarapidsystemfre-quencydecreasewouldslowthepumpsdownfasterthanforalossofpower.5.3-2 Therefore, anundhrfzequency reactortirpisprovided. Thetriplogicisidentical tothatusedfoxtheundexvoltage reactoxtrip.Inadditiontotrippingthereactor,underfxequency alsotripsopenthereactorcoolantPumpcircuitbreakerstomaintaineffective flywheelinertia.Typicalsetpoints forthistxipareintherangeof56-58cps.pCircuitBreakerPositionAreactortripdezivedfromauxiliary contactsonthereactorcoolantpumpcircuitbreakeraffordsadditional safetymazginforthemostLikelycausesoflossofflow.Triplogicissheartothatusedfoxthelowflow'rip; i.e.,openingofanybreaker,asindicated byapositioncontact,actuatesazeactortripathighpower,andopeningofanytwobreakersatreducedpoweractuatesatrip.OveowerDelta>>TReactorTriThistripcircuitisdesignedtoprotectthecoreagainstoverpower transients. However,sinceDelta>>Tincreases asflowdecreases, italsoprovidesbackupprotection forlossofflowaccidents. Onatwo-loopplant,twoDelta-Tchannelsperlooparepxovided; onechannelperloopUprovidedonthx'ee-andfour-loop plants.ForaLLplants,tripoftwochannelstripsthereactor.Duringsteady-state operation, thetripset-PointforthesechannelsisintherangeofllOXto120XofthenormalDelta-Tindicated atfullpower.Thissetpointisautomatically reduced<<rincreasing temperature (x'ateofchangeofT)tocompensate forpipingavgdelays.(However, thesetpointisnotincreased fordecreasing T.)Sinceavgalsoincreases following alossofflowaccident, theDelta-Tset-avg5.3-3 4@i'4.a*A'4" poointdecreases at.thesametimeasDelta-Tincreases. Thissignificantly decreases thetripdelaytime.ggarlacks ~ceptfortheoverpower Delta-Treactortrip,thelossofflowprotection tripsareblockedatlowpower.Thisinterlock isinitselfredundant anddiverse,inthatthetripsignalispassed.ifeither2/4nuclearchannelsindicateabove10Xorif2/2turbineloadsignalsindicateabove10X.Singlelooplossofflowtripsfromlowflowandcircuitbreakerpositionareblockedatreducedpower.(Thetripispassedif2/4nuclearchannelsindicateaboveapreset,power.)Sincethesetwotripsshareacommon,nonMiverse interlock, theyshouldnotbeconsidered as.completely diverseprotection functions. 5.3.3MULTILOOP LOSSOFFLOWIAfaulttreeforamulti-loop lossofflowaccidentisshown,onFigure5.3-1.Onlyelectrical faultscancauseallpumpstofailsimultaneously, andtheundervoltage andunderfrequency reactortripsprovidedirectprotection againstthesefaults.Thelowflowreactortripcircuitsprovidebackupprotection forthisaccident, andtheydonotnecessarily insureaminimumDNBratiogreaterthan1.30.Figure5.3-4illustrates thetransient resulting fromacompletelossofflowaccidentrepresentative ofhighpowerdensityplantscurrently underdesign.Thesolidlinesrepresent thedesigncase,withreactortriponundervoltage. Thedashedlinesillustrate thecalculated transient ifthisreactortripisneglected. 5.3-4 alculations aredonebystandarddesignmethods,withtheusual~esecactionsforsafetyanalysis; e.g.,themostadversesteady-state sssump<<operaratingconditions atthetimeoftrip.accidentisrelatively rapid,withaDNBratioof1.3in..thehot~eaccchannelreachedinabouttwoseconds.Itisnotappropriate, therefore, gpassumssumeanymanualcorrective action.Also,theminimumDNBratioisreachedatthetimethehotspotheatfluxbeginstodecrease. Thereislittletransient overshoot exceptforreactortriptimedelays.Theundervoltage tripiithedesignprotection forthisaccident, anditmeetstherequirement that,theminimumDNBratiodoesnotfallbelow1.30.Lessrestrictive requirements wouldbeimposedonabackuptrip.Aminimumallowable DNBratioof1.0inthehotassembly, couldbeselectedonthebasisthatthiswouldinsurethatcoredamage,ifitoccurredat,all,wouldbelimitedtoaverysmallfractionofthecoze.(Thepeakingfactorsinthehotassemblyareessentially thoseinthehotchannelgthoutal1owance forengineering subfactors.) Alternately, ahot-spotcladmeltinglimitcouldbeimposedforthisaccidentonthebackupprotection. Witheitherrequirement, Protection Systemdiversity exLsts.Thelowflowreactortrippointisreachedat1.8seconds,assayinga3Zerrorinthesetpoint(trippointat87Xflow).AlthoughthehotchannelminimumDNBratioissomewhatbelow1.3,thehotassemblyminimumDNBratioisstillwellabove1.0.IfDNBshouldoccuratthe>>tspot,thetransition boilingcorrelation'ndicates thatpeakcladtemperature wouldbeintheneighborhood of1000'F,andnocladdamageisexpected. (Seeresultsforsingle1ooplossofflow.)5.3-5 NeDeta-eDlta-Ttransient iscalculated forthiscase.Becauseofpiping~dinstrumetrumentdelaysatripsignalwouldnotbegenerated untilaboutgeconndsafterthelossofflow.Theeffectofratecompensation onistoreducethetripsetpoint.Evenwiththislongertripdelay,avediepeaakcladtemperature isnotexpectedtoexceed1500'F,we11below<hemeltingpoint.Therefore, threelevelsofprotection existfora~nltiloop lossofflowaccident.. 5.3,4SINGLELOOPLOSSOFFLOEAEaulttreeforasinglelooplossofflowaccidentisshownonFigure5.3-2.Votethatlossofpowertoonebusistheonlycrediblewaythisaccidentcanoccurwithoutanimmediate tripfromthepumpcircuitbreaker.{Anopencircuitinthepumpmotorisahighlyunlikelyfault,andisshownrEorthesakeofcompleteness.) Thecircuitbreakertripistherefore classedasabackup,oranticipatory, trip.IFigure5.3-5illustrates thetransient resulting fromasingle-loop lossotflowaccidentinahigh-power density,two-loopplant.Thetransient hislesssevereinathreeorfour-loop plant.Thelow-flowreactortripisthedesignprotection forthisaccident, <nditmeetsthedesignrequirement ofminimumhotchannelDNBratiouolessthan1.30.Iftheaccidentiscausedbylossofbusvoltage,andnocreditistakenEorthelowflowreactortrip,thehotchannelDNBratiowouldbelessthan1.3.However,areactortriponhighDelta-Twouldterminate the5.3-6 iccidentbefore18Boccursinasignificant percentage ofthecore.pssumIsagthatthehotspotgoesintoDNBatthetimethehotspotDNBrato+tjoisL.30,andassigning aconservative additional instrument delayofp9sectotheDelta-Ttrip,apeakhotspotcladtemperature (ontheinnercladsurface)ofappro~tely 1300'Fiscalculated usingatransition boilingcorrelation. OnlytheDelta-Ttransient fortheactiveloopisshownonFigure5.3-5.SForthedeadloop,Delta-Tincreases somewhatmorerapidly.Onatwo-loopplant,twoDelta-Tchannelsexistoneachloop,soareactortripisexpectedearlierthanisshown.Iasummary:Forasinglelooplossofflowaccident, Protection Systemddversdty doesseder.Atleasttso,andgenerally three,dndspendent levelsofprotection exist.5.3.5LOCKEDROTORACCIDENTThehypothetical'case ofaninstantaneous pumpseizure.hasbeen'evaluated <odetermine whetherdiversity exists.ThefaulttreeisshownonFigure5.3-3.Ifthisaccidentoccurswhenthereactorisathighpower,thecoredesignlimitsareexceededindependent ofanyprotective action.Thedesignrequirement forthisaccidentistopreventanyconsequential failureof<heReactorCoolantSystem.Failurecouldbecausedbyhighsystempressure. Also,systemscalculations cannotbedonewithconfidence ifgrosscoredamageoccurs.Forthisreason,coreconditions areevaluated. 5.3-7 Thetransient forahypothetica1 lockedrotoraccidentisshownonFigure5.3-6..FlowthroughtheReactorCoolantSystemisrapidlyreduced,Leadingtoareactortriponalow-flowsignal.Following thetrip,heatstoredinthefuelrodscontinues topassintothecorecoolant,causingthecoolanttoexpand.Atthesametime,heattransfertotheshellsidepfthesteamgenerator isreduced,firstbecausethereducedflowresuLtsinadecreased tubesidefilmcoefficient andthenbecausethereactorcoolant,inthetubescoolsdownwhiletheshellsidetemperature increases (turbinesteamflowisreducedtozerouponplanttrip).Therapidexpansion ofthecoolantinthereactorcore,combinedwiththereducedheattransferinthesteamgenerator, causesaninsurgeintothepressurizer andapressureincreasethroughout theReactorCoolantSystem.Theinsurgeintothepressurizer compresses thesteamvolume,actuatestheautomatic SpraySystem,opensthepower~perated reliefvalves,andopensthepressurizer safetyvaLves,inthatsequence. Thetwopower-'operated reliefvalvesaredesignedforreLiableoperation andwouldbeexpectedtofunctionproperlyduringtheaccident. However,forconservatism, theirpressure-reducingeffectisnotincludedintheanalysis. Withnoprotection, apeakreactorcoolantpressureofapproximately 3050psiawouldbereachedabout.3.5secondsafterthepumpseizes.Afterthistime,fluid,mixingandincreased heattransferintheactivesteamgenerator tendtoreducethepressurizer surgerate,andthepressurizer safetyvalvesreducepressure. (Duringthepeak,thepressurizer surgeratemayslightlyexceedthepressurizer safetyvalvecapacity, butpressurizer pressuredoesnotsignificantly exceedthesafetyvalveset5.3-8 lusaU.owance foraccumulation.) Althoughthenormalcode-allowable ><assurepUspressureoof2750psiaisexceededfozthisaccident, thepeakpressureisbelowteuheultimatestrengthofallmembersoftheReactorCooLantSystembyanapproxaximatefactoroftwo.Therefore, theReactorCoolantSystemwouldz'egajnintactoInthecore,cladmeltingatthe.hotspotinnercladsurfacebeginsat.24seconds.Afterthistime,systemcalculations areuncertain. Thereactortripset.pointfortheredundant lowflowinstrumentation ontheaffectedloopisreachedwithin0.1seconds.AssumingDNBat0.1seconds,and.aconservative tripdelay(2secondsbefozethenuclearfluxisreducedto80X),thepeakcladtemperature isapproximately 1%0'Pandisreachedat4.5seconds.Othercalculated resultsforthiscasearepeaksystempressureof2800psiaandlessthan20Kofthefuel.rodswithakcalculated DNBratioof1.0orless.Neglecting thistrip,ahighpressurizer pressuretrippointwouldbeCreachedatabout1.5seconds,'nd ahighDelta<<Ttrip(fromtheactiveloop)wouldbereachedatabout4.5seconds.Thepeakcladtemperature forthesecaseswouldbe1750and1950forthehighpressureandhighDelta>>Ttripsrespectively. Sincethesevaluesarewellbelowthemeltingpoint,nogrosscLadfailureisexpected. Insummary:Forthehypothetical lockedrotoraccident, coredesignLimitsmaybeexceeded. However,threeindependent, diverselevelsofprotection exist,anyofwhichwouldinsurethattheReactorCoolantSystemboundaryisnotviolated. 5.3-9 FAULTTREEFORMULTZLOOP LOSSOFFLOWPROBABLEGROSSCOREDAMAGESLSHI4TR.T.CONDXTIOPOSSIBLECOREDAMAGEFAXL'ORELOWPLOWR.T.L.O;F.-LOSSOFFLOWR.T.-REACTORTRIPR.C.P.-REACTORCOOLANTPUMPDESIGNCORELIMITSEXCEEDED(DNBR<1.30)REACTOR.ATHXGH~~POWER~ALLLOOPL.O.F.WXTHNOIMMEDIATE R.TORUNDERVOLTAGERT.BKR.OPENR.T.LOWFREQUEHCY ONALLBUSESSIMULTANEOUS LOSSOFPOWERSIMULTANEOUS R.C.P.BKR.OPTING."IGURE5.3-1 FAULTTREEIORSIICLEUM)tlOSSOFFMQtRObhhLKCROSSCORENHhCICONDITION NlATR.T.CORKDKSICNLINITSKICKKDKDUNFLONR>>T>>.L>>O>>F~MSSOFFLONR>>T>>~REACTORIRItR>>C>>tiiRKACFORCOOIANTFUNtCORKDNSR>>l3hfACIORATRICiRFOMER'llCLE LOOtL>>O>>NOINNKDIA(I)REACTOR'NOFFKTION SISTIIl(2)ELECTRICAL thOFKCTION STETS)ISINCLEUXltRCFAULTlAl5$OFbUSPARRSKROFKNR>>E,(I)SUSFAULTIOntKNSKR.aTSKFAKDSKRIOOPENSTRIP!KACIOR(2)R>>C>>P>>bKR>>OtINCIC>>P>>OPENCKT>>R>>C>>t>>QIORTCKTSUSFAULTPI&et$3>>>>2 ~qIIi FAULTTREEFORLOCKEDROTORACCIDENTPROBABLEGROSSCOREDAMAGEHIdTR.T.HIPRESSURER.T.PROBABLECOREDAMAGELOWFLOWR.T.COREDESIGNLIMITSEXCEEDEDSYMBOLSCONDITIOREACTORATHIGHPOWERR.C.P.MECHANIFAIISRE(LOCKEDROTOR)R.T.-REACTORTRIPR.C.P.-REACTORCOOLANTPUMPFIGURE5.3-3 hPt~>a' EsKULTI~PLOSSOPPLOW,TYPIChLPL@K'I~t80a706050COREFLOWPONUCLEhRPOWER{meZRVOLTaCZ ,TRIP)HOTSPOTHKLTFLUX'UNDEKVOLThaK lzazH..,pe~I~a:tIl.6HOTASSMLY'--MXH.DHBRATIO=)iI()~fe~J1.2L000 10090SICLOOPLOSSOPKlÃ2-UNpMT80~070OWDEAD:LOOP501.8:.:.iHIM.DMSRATIOj~I~1.4ROTASSZ8BLY-1.014001200NOTRIPaooTRXPONLOWPLOW~*I*~\120u.pDELThTTRXPPOISEHX4T-=-...TRZP.~NOTRIP~~~~I~100(ACTIVELNP-TRZPPolllT012'345678910~jj&la'ehtTPVrtmTPC0C LOCKEDROTOR,LOSSOPHOW2LOOPPLANT~~F00SOI..i~~~ACTXVZMOPI~~~~~*60~~COREPL(M~~~I]JJ~~~~w~40203000zsoo~~DEADLOOP':.lI~~~~>>~l-~~I~~~'I~I~~~~05'oS~6'.I'.~IOJ26002400~~REACTORfCOOLANTSYSTEHPRESSURIZER 'NOTRIPLOPFL(NTRIP~~2200'03000~o~~~~~~TIHE,SECONDS\~2500J~+>>~efI~~~III.I'ITIHEOFREACTOR.NOTRIP-=(SEC)2000e44F500H2lOQO500~~~~~~~~l~iII~%t~IL~~~\)~~~I~~'lI~~<<II~I2TIHEAFTERPUHPSEIZURE,SECONDS 0 RODJUNCTIONANALYSISji4INTRODUCTION ANDSUMMARY54~zimaryprotection forarodejectionaccidentisareactortripon~epz~ighnuchnuclearflux.Thenuclearfluxinstzumentation ismadeupoffource>peletelyseparatesensorsandchannels, andreactortripisactuatedifanytwochannelsindicatehighpower.Analysishasbeenconducted tor:.'.-e*t~~~=~vl~Iedetermine theconsequences ofahypothetical failureofallthenuclearchannelscoupledwithahypothetical rodejectionaccident.

Analysis, madeonthebasisoftheGinnaNuclearPlantofRochester GasaElectricCo.(RGB),indicatethatinthemajorityofrodejectioncasesnoprotection isrequired(forexample,ejectionofazodfromitsnormally-expectedposition).

ItisfurthershownthattheDelta-TtripprovidesI~,anacceptable secondlevelofdefenseforsomecases.However,protection cannotbedemonstrated forsomeofthemoreseverefullpowercases.Protection mayinfactexist,butitisnotpossibletopositively demonstrate thiswiththecurrently available models.Ananalysisoftheavailable triphasbeenmade,andiscomparedwithanIarbitrary cladlimitof2750'Fandanarbitrary pressureVmsof3000'psi. Twodetailedcasesarepresented: aseverecasefromzeropowerendofcorelife,andamoderatecasefromfullpowerendofcorelife.Noreactortriphasbeenassumedforeithercase.5.4.2CASESCONSIDERED INDETAILZeroPowerCaseThecaseconsidered represents azodejectionaccidentforanendoflifecore.Theassumedejectedzodworthandhotchannelfactoraze1.0X6kand12.5respectively. ~tingpowertransient andhotspottemperatures aredetailedin~~resultF5.4-1.1steadypowerlevelisconservatively assumedtobe15Xoffull~+finasThispowerlevelislowerthanthevaluewhichonemightnormally~er.~q)ectfozarodreactivity insertion of1.0<k>>owingtothehighfeedbackueigihtingfactors-{Thelargehotchannelfactorsresultsinalargepowern<einthehotspot,wherethestatistical weightishigh).Thepromptyzstresultsinareactivity undershoot which,combinedwiththeshortageofdelayedneutrons, temporarily fozcesthepowertoavaluebelowequilibrium condition. Thepowerlevelisassumedtorampupto15Xat5secondsaftere]ection>> althoughcalculations indicated thatitwouldtakemuchlongertoreachthispowerlevel.Theplottedhotspottemperatures indicatethatequilibrium conditions canbesustained. Ztistherefore concluded thatnoprotection isrequiredforthisaccident. Zngeneral,theejectedrodworthsandhotchannelfactorsarqlowerforthebeginning oflifezeropowercases,andtherefore theconsequences areexpectedtobe,somewhatlesssevere.FullPowerEndofLifeCaseThecasepresented isforarodejectionaccidentoccurring attheendofcorelifewithane5ectedrodworthof0.336kandahotchannelfactorof3'3.Thepowertransients andhotspottemperatures aredetailedinFigure5.4-2.Theequilibrium powerlevelis112Xoffullpower.5.4-2 0 kcladdingtemperature of2950'Foccurssome50secondsaftergepeUnderequilibrium conditions, some50Xbyvolumeofthehot,ection0]fuelismelted.Areactortrip'noverpower Delta-Toccursat6~~cuelimitingcladtemperature toabout2400'.Thiscaserepresents recons,evereaccident, butisnotintendedtorepresent alimit.~<eve>~~larrodejectionaccident, occurring atthebeginning oflife,auldresultinanequilibrium powerlevelofabout12SXoffullpower,ithanequilibrium claddingtemperature oftheorder3100'Fto3200'F.5.4.3BACK<<UPTRIPPROTECTION Themostlimitingcasesoccuratornearfullpower.Theprotection Systemisexaminedtodetermine underwhatcircumstances atripsignalwouldterminate arodejectionaccidentatfullpower.Theresultsofthestudyareillustrated inFigure5.4-3.Thegraphisaplotoftotalexcessnuclearenergyadditionversustime.Steadyfullpoweroperation resultsinalocuscoveringthehd~ontalaxis.Thenuclearfluxtripisrepresented byastraightlineofgradient0.18,,corresponding toapower'level of118XNotethatthislineisanupperanditspositionisinfactdependent onthepowerversustimeshape.Thisisageneral,butnotimportant, effectforthelinesplot~ed.Ariseinnuclearpowerproducesapressuresurge.However,theeffectisattenuated bytheheattransfertimeconstant, ofthefuel(oftheorderof4seconds), andthepossiblerelieving effectoftheholeinthevesselheadandrelieving capacityofthepower-operated reliefvalves.Thehighpressuretripcouldnotbeexpectedforanyrodejectionaccident. 5.4-3 ThehighDelta-Ttripfurnishes abackuptripforanysevererode)ectionzcccident.Exceptinthemostseverecases,itLimitsthecladtemperatuxe pp]essthan2750'F.Transport delaysinthecoolantloopdelaythetripforseveralseconds.Alsoplottedonthegraphaxetwoarbitrary limitlines.Theyarerespectively acladLimitof2750F*andaCoolantSystempressureof3000psi.BoththeseLimitshavebeenarbitrarily selectedandarenotintendedtorepresent I~I-.rpl~SphysicalLimits.Apowerburstofsomesixfullpowersecondsattimezeroresultsinboththese1lmitsbeingreachedsometwoto.threesecondsIlater.Thisisnotaphysically reliablecondition foranyWestinghouse reactor.Figure5.4-4showsthepowertransients forrodejectionaccidents occurring atendofcorelifeforvariousejectedxodworths.frftI1+TheseLinesarebasedonstead~tate andtransient hotchannelfactorsof3.23.5.4W jZEROPOWEREHDOFLIFERODEJECTION, NOTRIP&~~~HjjCLjj&R POjjE&VS~T2$=~1~~~Ii.:A~~4~1.0XF~12.S"::?3020M~--EHERGTINPUTUPTOO.SSECONDS~1.70F.P.Sfact::.FPS:Fullotspopowerseconds~'-9-&vmbols6k:Changeinreactiviey T.F:Totalheatfluxpeald.ngoratht10~~~i~~~i~i&(&.=~::iI:.-:ii&~~~~&--~)&'i0246810121416TQK,SECONDS:HOTSPOTVS.TIHE=-"-.~~~4000:FUELAVG.-I~~~L~e:::3Z&&":&&20001~-~~-~~~~~~~-.-::-.1008046S1012141618TIME,SECONDSFIGURES.4-1 PULLPOWERENDOPLIFERODEJECTION, NOTRIPI~>~~:='UCLEAR POWERVS.TIME~leak0.33Pm'3~23Tr~~'i.-:L~SbaIIISk:ChangeinReactivity P:TotalHeatFluxPeakingFactorTqatHotSpot~.~45TIME,SECONDSting).~II~~rI~4sr,~~IIII~IHOTSPOTTEMPSULTURE VS+TZME':.-.-,:- 'Mel=--'-'-~~~PURLAVGI:~r~~~'"I~~~WM.:~..~'~..':'LADOUT~T':.I:I~Ii~~IP'PEAKCLADSURFACETEMP.--:~2950'PAT50SEC.50X(HYVOLUME)OF'cCLi'.."MELTS.V.~:.-..~-=-'i::!=-'i;:, i-.--'246S10121416TIME,SECONDSPIGURI'.4-2 0P eFullPowerEndofLifeF~3.23Txa~+\87643pi2C~8p~023456789l0TIME,SECONDS~~TOMOFSkFEXYGZHZTSANDTRIPPOINTS'~<RODEJECTION'ACCIDENTS, HOTRIP-represents thelocusofpointsatwhichtriowouldterminate theaccidentrepreseecs lacesarseferylfrsirs FULLPOWERENDOPLIPSROBEHKTIONWH33RKTRIPCO4l5CD~CC3CO~~C~2~~I1~l0010.e0.33TIME,SECOHDSWte:0.4XQc'represents apractical Bait:arfuIlpcwerceses.~RODEJECTIONACCIDEHTS 'QXXHN)THXP,'IGURE 5.4~ I0 LOSSOFSTEAMLOAD5,5.1XNTRODUCTION ANDSUHHARYVp'<<,',lossofsteamloadmaybecausedbyclosingoftheturbinestopvalves,whichnorma21yfollowsaturbinetripsignal;byclosingoftheturbinecontrolvalvesfollowing arejection ofelectrical load;orbysteamisolation following aReactorprotection Systemsignal.Theconsequences <<ofalossofsteamloadarearapidlyincreasing SteamSystempressureandReactorCoolantSystemtemperature andpressureduetothelossofheatsink.Protection instrumentation isprovidedtoimmediately tripthereactorfollowing aturbinetripsignal.A.steamlineisolation signalisnormallyaccompanied byasafetyinfection signalandalsoresultsinareactortrip.Following are)ection ofelectrical load,aSteamDump<<~"".%'ystem actstopreventreactortripbyautomatic steamdumptothecon-,denser.(Upto100Xloadrejection canbehandledbysome'planes-) Xftheloadre)ection great1yexceedsthesteamdumpcapacity, oriftheSteamDumpSystemshouldfailtooperate,areactortripmayoccuronhighpressure. Redundant protective instrumentation andconservative designofpressurereliefdevicesassuresthesafetyoftheplantforalargeloadrejection withoutrecoursetoAutomatic RodControl,Pressurizer PressureControl,orSteamDumpControlSystems.5.5-1 Inthisreport,theProtection Systemisexaminedtoseeifdiversepx'orotection existsforacompletelossofloadwithoutdirectreactortrip.Diversity isfoundtoexisttoprotecttheReactorCoolantSystemandreactorcoxe.5.5.2LOSSOFLOADPROTECTION ANDDESIGNCRITERIAThereactorispxotected forlossofloadby:a)Steamdumpto'ondenser (actuated bytheContxolSystem)b)c)Pressurizer pressurerelief(safetyvalvesandpowez~perated reLiefvalves)SteamSystempressurerelief(safetyvalvesandpower-operated relief.valves)') Directreactortrip(onturbinetrip)e)Highpressurizer-pressuretripf)Overtemperatuze 4Ttripg)Highpressurizer leveltrip.SteamDtoCondenser TheSteamDumpSystemactsautomatically uponsensingalossofloadgreaterthanapresetamount.Thesteamdumpvalvesaretheneithermodulated ortrippedopenuntiltheReactorCoolantSystemtemperatuxe reachesthenewprogrammed loadreference temperature. Thereactorpowerisreducedbycontrolrod,insertion duringthistime.Zncaseofaturbinetriporreactortrip,thesteamdumpisactuatedandcon-trolledonapresetuo-loadreference temperatuze. TheSteamDumpControlSystemisdescribed inSection3.2.5.5-2 0 tPressurizer PressureReliefThepressurizer safetyvalvesaresizedtomatchthemaxfmnnnvolumetric surgerateassociated withacompletelossofloadwithoutsteamdumporadirectreactortrip.Thisisnotdependent onpxessurizer pressurecontrol.Thepressurizer safetyvalvestherefore completely protecttheReactorCoolantSystemagainstovexpressure, independent ofthehighpressurereactortrip.Thereliefvalvesaresizedtopreventactuation ofthehighpressuretripwhenthesteamdumpandroddrivesystemswork,andtherequiredsteamreLLefiswithinthecapacityoftheSteamDumpSystem.SteamSstemPressureReliefTheSteamSystemsafetyvalvespass100Zofma~mancalculated turbinesteamflow,atthesafetyvalvesetpressureplusaccumulation. Thisallowstheplanttoaccepta100Zloadre]ection withoutreactortxiporsteamdumpwithoutovexpressurizing theSteamSystem..Xnaddition, reliefvalvessettoopenatalowerpressurearealsoprovided, andaxetypically sizedataboutlOZofthesafetyvalvecapacity. DirectReactorTriThemostcommoncauseofalossofloadisaturbine-generator trip.Zntheeventofsuchatrip,theturbinestopvalvesclose.Aturbine5.5-3 tripsensedbye2/3lowauto-scop oilpressureor2/2stopvalveclosureresultsinareactortripifthereactorisathighpower.ThepurposeofthesetriPsistomizdzMethethermaltransient sndsteamdumPrequirements fortheserelatively frequentplanttransients. HihPressurizer PressureTriThereisareactortripon2/3highpressurizer

pressure, generally setto2400psia,orslightlyabovethepressurizer poweroperatedreliefvalvesettingandbelowthepressurizer safetyvalveopeningpressure.

OverteraturedTThepurposeofthistripistoprotectthecoreagainstanycombination ofreactorcoolanttemperature, powerorpressurewhichcouldcauseIDNS.Triplogicis2/4for2.and4-loopplantssnd2/3for3-loopplants.HihPressurizer LevelTriThistripactstopreventwaterdischarge fromthepressurizer safetyvalves.Logicis2/3.5.5W 5.5.3EVALELKON OFPROTECTION SYSTEMFORLOSSOFLOADAcompletelossofloadwithoutsteamdumpandwithoutadirectreactortripisevaluated tofindifdiverseprotection existstopreventahazardtotheintegrity oftheplantthroughoverpressurization or'NB.Thetransient wasinvestigated foracurrent,highpowerdensity\lant,andnocreditwastakenforpowerreduction duetoautomatic '../'.".t~controlrodmotionormoderator temperature coefficient. /'Initiation ofAccidentFigure5.5.1showsafaulttreeforalossofloadwithoutsteamdump,withthereactorathighpowerandaodirectreactortrip.Onewaya1088ofloadcanoccurisbyclosingoftheturbinestopvalvesfollowing aturbinetripsignalorbyhydraulic fluidpressurefailure{thevalvesareheldopenbyhydraulic fluid)-However,oneand.possiblytwotripsmustthenfailinordertopreventanimmediate reactortrip.Anotherpossiblefailuremodeisaturbinerunbackcausedby,thethrottlevalvesclosing.Thiscouldbeinitiated byaroddrop,anoverpower orovertemperature 4Tsignal,byanactualorspuriouslossofelectrical loadsignal,orbyafailureintheturbinecontroller andloadlimitsystem.Aspuriousroddropsignalwouldnormallydecreasetheturbineloadbyafixedsmallpercentage offullload.Thecontrol5.5-5 alvecouldclosecompletely onlyifanimpropercircuitexistsinthecontroller. Similarly, anoverpower orovertemperature 4Tsignalcoxmallycausesastepload.decrease ofSXevery30seconds;andonlyinthecaseofasimultaneous failureoximpropercircuitinthecontroller couldtherebeinsufficient timefortheoperatortotakenotice.Eftheturbinerunbackiscausedbyanoverpower orovertemperature 4Tprotection Systemfailure,thefailurecouldonlybeinthesafedirection; thatis,theerrororfailurewouldbeinthedirection tocauseareactortrip.Athirdpossiblepathforalossofloadisthroughsteamlineisolation. Thismayoccureitherthroughalossofairsupplytotheisolation valves,orbyaspuriousorrealisolation signa1fromtheReactorProtection System.Asaresultofthelossofsteamflow.totheturbinebyanyhfthethreepathsoutlinedabove,theSteamDumpSystemisactivated. However,no1creditcanbetakenforthisfollowing steamlineisolation, since,thedumpvalvesaredownstream oftheisolation valves.Forallthreepaths,theresulting decreaseinfirststageturbineimpulsepressurecausesautomatic reactox'ower reduction bycontrolrodinsertion. Evenifthereactorisinmanualcontrol,themoderator coefficient ofreactivity isgenerally negativeandwouldcauseapowerdecreaseastemperatures increase. 5.5-6 0Ii)~~ 'CThefaulttreeshownonFigure5.5.1indicates that,inmostcases,afaultcouldcauseacompletelossofloadwithnosteamdumporreactorit"~>>I'powerdecreaseonlyifoneoxmoresimultaneous failuresoftheControlorProtection SystemalsoxesuLted. However,thefollowing analysisisbasedonacompletelossofsteamloadwithoutsteamdump,reactorcontxol,ordirectreactortrip.AnalsisandDiscussion Figure5.5.3showstheresultsofatransient analysisforacompletelossofloadwithoutsteamdump.Theresults'showthat'hesafety~~II'III>>valvescapacityoftheSteamSystemis..sufficient toLixQtthepressurelrisetolessthanLUOpsia,evenwithoutareactortrip.TheReactorCoolantSystemT.transient isshownforahighpressurizer pressureavgorhighpressurizer levelreactortrip,aswellasfornotxip.IActuation oftheSteamSystemsafetyvalvesrestoresthereactorheat\s~andcausesadecxeaseintherateofriseofthereactorcoolantaveragetempexature. Withoutareactortrip,Twouldeventually comeavgintoequilibrium whentherequiredheatdissipation atthesuetyvalve,~setpressureisreached.TheReactorCooLantSystempressuretransient isalsodepicted. inFigure5.5.3.Theeffectofthepressurizer poweroperatedreliefvalvesisfeltslightlyabovetheirsetpressureof2350psia.Sincetherequired5.5-7 4e relieffora&61lossofloadwithoutsteamdumpfarexceedsthereliefvalvecapacity, thepressurecontinues torisetothesafetyvalvesetpressureof2500psia.Theopeningofthepressurizer safetyvalves,andtherestoration ofthesecondary sinkbysteamrelief,limitstheReactorCoolantSystempressurerise.Thesurgeratedecreases astherateofriseofTdecreases, andeventually thepressuredecreases toavgthereliefvalveopeningpressure. Thetransient isalsoshownforthehighpressurizer pressureandleve1reactortrips.Thepoweroperatedreliefvalvesdelaythereachingofthehighpressurereactortripsetpointbyabout2seconds.ThelowergraphinFigure5.5.3showstheaduinnxm(hotchannel)DNBtransient. Forthefirstfewseconds,theDNBratiorisesduetotheincreasing systempressure, whilepipingdelayscausethecoreinlettemperature toremainconstant. Twotrips,thehighpressureandovertemperature hTreactortrips,preventthecoredesignlimf.tsfrombeingexceeded. Ratecompensation onT,which.isincludedinavg'heovertemperature dTtrip,wouldactuallycausethetripsetpoint-tobereachedmuchsoonerthanisdepictedinthefigure.Thehighpressurizer waterlevelreactortripisinadequate topreventthecorefromexceeding thedesignlimits.However,theminimumDNBratiointhehotassemblyforahighleveltripisabove1.0andwouldassurethatcoredamage,ifitoccuredatall,wouldbelimitedtoasmallfractionofthecore.Aconservative setpointwasassumedforthehighleveltrip.5.5-8 0 Afaulttreefortheaccident, leadingtocoredamage,isshowninPigure5.5.2.5.

5.4CONCLUSION

S Thisaccidentisnotconsidered 1Qcelysinceinmostoftheincidents whichcouldcauseit,oneormoresimultaneous failuresofcontrolorprotection instrumentation mustalsooccur.Inaddition, atanytime.otherthanearlyin.coreLife,thelargenegativemoderator coefficient wouldcausetheaccidenttobeselflimitingandgivemuchbetterresultsthandepictedinthisanalysis. However,iftheaccidentweretooccur,diversity doesexistinthatthreedifferent levelsofprotection areavail,able. 5.5-9 ,Ih SJSNfs<<ls<<s<<<<<<<<<<<<u~<<"<<<<<<<<.<<<<<<NSJSSR<<j~R<<g@N<<'JJ@ "g<<<<j,,<<,lt,fIQJRS5.52OjRTsORSD<<sNORODJIFIONCFORNMANUALCONIIJOL<<<<4fTKAMLIbEISOIATION, NOTURRINECOÃIROLVALVESCLO.E,NOTURSINESTOPvvx.v""AIRSUPPLIAUTO.S,D,AUTO.S.D,LOADLIMITACIUALORSIUFIQJSLOSSOjEJECT~LOADSCOPVALVER<<T<<TURBINECONIROLIA3 .SREXCESSIVE RUNS'XIJJSSOFIIQiCENCV FIUIDNJRIQJFICOIATIONfIGNAI'<<ITNQJTREAClORTRIPIMISOPERCRTANDhlJTOGIOP R.T<<CONDITIOJI FAIJJJRIREACIORI%REC-TIONSISIIJ'.IAJGICFAULTsSBJRIQJSF<<ODDROPEIGJIALREALORSIURIQJGOVIRPOLJEROROVERORLOSSDPAUIOSIOPPIJJIDNUCL<<INST<<SISTIIlRODPOSITIONINDICATION iFAIIJJREANTSJRBINETRIPSIGNALR.T.RKACIORTRIPK.C,-ST&QJJJP,S)1,SAINTINJECFICN I~SCFEJAnfSlsaaIIosIsolalloa ~ISJ<<alIsalso~@castortcIPsISJnal.Theccfcea> ooIFloStoclccollfallllsshool4Lccoas14ctc4 ~NIGHTAVNIGHATFIGURE5.5-1FAULTTREEIORINN0jllRDACCII<<ENI ,5'~a~'11 FAULTTREEFORCOREDAMAGELOSSOFSTEAMLOADCONDITION ProbableGrossCoreDamageANDHighPressurize LevelR.T.CoreDesignLimitsExceededR.T.-REACTORTRIPS.D.-STEAMDUMPS.I.-SAFETYINJECTION Overtemperature ATR.T.iHighPrdssureRiTLossofLoad,NoSeD~orPOUerDecreaseEarlyinCoreLifeLossofLoad,NoDirectR.T.orS.D.,NoRodInsertion (SeeFigure5.5-1)FIGURE5.5-2 120010008006002600250024002300zzoo6zo600580560181.61.451.21.0.80LOSSOPLOADACCIDENT~~Il-~1-STEAMSYSTEMPRESSURE'-)~.':~te~~~II~I~~~~I~/~l".~I."REACTORCOOLANTSYSTEMPRESSUREI:-:~It~~I~~~~~~i~'OTRIP."'HIGHPRESSURE"REACTORTRIPJ'.'l"IGH LEVELREACTORTRIP~).'Il.'.!.(IIt'~Il'-i=(REACTORCOOLANTTVGI'~~).-.NO~~I~'t.TRIP(HIGHLEVEL-'EACTORTRIPf..~~~~~I~)~.HIGHPRESSURE. -'REACTORTRIP~~IHIGHPRESSURE".:-.EEACTORTRIP~I~~~gI.L.-~~II'VERHK'ERATURE .ATREACTORTRIPi'IGHLEVEL'EA,CTORTRIP-'~~~L.'UNBRATIO.NOL~4~~)2030405010SECONDSFIGURE5.5-3 0I, 5,6RODWITHDRAWAB DURINGSTARTUPNormalstartupprocedure isbycontrolrodwithdrawal undermanualcontrol.~function oftherodcontxolsystemoroperatorerrorcancauseareactivity excuxsion witharesultant rapidincreaseinpower.Rodwithdrawal accidents iathepowerrangeareevaluated inSection5.1.Fortheseaccidents, thepowerincreaseisapproximately linearforalinearincreaseinreactivity. Foraccidents startingfromvery,lowpower(staxtupx'ange),theneutronfluxmayincreasebymanydecadesbeforethereissignificant Dopplerfeedback.. Thenuclearpowerresponsetoacontinuous reactivity insertion fromthestartuprangeischaracterised byaveryfastriseterminated bythereac-tivityfeedbackeffectofthenegativefueltemperature coefficient (Dopplereffect).Thisselflimitiageffectisofprimeimportance duringastartupIaccidentsinceit.limitsthepowertoatolerable levelpriortoexternalprotective action.Aftertheinitialpowerburst,thenuclearpowerismomentarily xeducedaadtheniftheaccidentisnotterminated, thenucl'earpowerincreases againbutatamuchslowerrate.Protection againststartupaccidents isprovidedbydiversetypesofneutron-monitoring instrumentatioa: sourcerange,intermediate range,andpowerrangechannels. Ma)ordifferences intheionchamberandcixcuitdesignexistbetweentheintermediate andpowerrangechannels. Thesourcexaageusesaneutronsensorofadifferent principle: proportional counterratherthanionization chamber.5-6-L ~'44Shouldcontinuous controlrodwithdrawal beinitiated andassumingthesourceandintermediate rangealarmsandindications areignored,thetransient willbeterminated byanyofthefollowing automatic protective actions.a)Sourcerangefluxleveltrip-actuatedwheneitheroftwoindependent. sourcerangechannelsindicates afluxlevelaboveapreselected, ~g~<<manuallyad]ustable value..Thistripfunctionmaybemanuallybypassedwheneitherintermediate rangefluxchannelindicates afluxlevelabovethesourcerangecutoffpowerlevel.Itisautomatically rein-statedwhenbothintermediate rangechannelsindicateafluxlevelbelo~thesourcerangecutoffpowerlevel.~<<b)Intermediate rangerodstop-actuatedwheneitheroftwoindependent <<intermediate rangechannelsindicates afluxlevelaboveapreselected, manuallyad)ustable value.Thisrodstopmaybemanuallybypassedwhentwooutofthefourpowerrangechannelsindicateapowerlevelaboveapproximately tenpercentpower.Itisautomatically reinstated whenthreeofthefourpowerrangechannelsarebelowthisvalue.c)Intermediate rangefluxleveltrip-actuatedwheneitheroftwoindependent intermediate rangechannelsindicates afluxlevelaboveapreselected, manuallyad]ustable value.Thistripfunctionismanuallybypassedwhentwoofthefourpowerrangechannelsarereadingaboveapproximately tenpercentpowerandisautomatically reinstated whenthreeofthefourchannelsindicateapowerlevelbelowthisvalue.d)Powerrangefluxleveltrip(lowsetting)-actuatedwhentwooutofthefourpowerrangechannelsindicateapowerlevelaboveapproxima ytel25percent.Thistripfunctionmaybemanuallybypassedwhentwoofthe5.6>>2 II'0 fourpowerrangechannelsindicateapowerlevelaboveapproximately tenpercentpowerandisautomatically xeinstated whenthreeofthefourchannelsindicateapowerlevelbelowthisvalue.e)Powerrangefluxleveltrip(highsetting)-actuatedwhentwooutofthefourpowerrangechannelsindicatea'powerlevelaboveapresetsetpoint. Thistripfunctionisalwaysactive.Sinceallprotective actionsintheabovelistarebasedonlevelsetpoints,Iratherthanratesetpoints,protection isnotdependent uponhavingarapidrateofpowerincrease. ThestandardstartupaccidentanalysisreportedinSafetyAnalysisReportstakescreditfoxonlythepowerrangeprotection. Howevex,theintermediate rangehfghfluxreactortripisalwaysinservicebelowlOXpower,andwouldalsoservetoterminate theaccident. Further,. anyaccidentstartingfromasubcritical condition wouldbeterminated bythehighsourcerange'Ixeactortrip.Therefore, Protection Systemdeversity existsforstartupaccidents. Figures5.6-1and5.6-2showthecalculated transient responseofnuclearfluxandfueltemperatuxes forastartupaccidentwithahighrateofxeactivity insextion.5.6-3 0 ~I1010'~III~~Uncontrolled RodQithdrawal PromaSubcritical Condition PractionofNuclearPowera~+1x106k/FW5oa<lxlp6k/PfReactivity Insertion Rate~8x106k/seck~1.00-1~t~I108W0gM10plillikoCoOe10g~~~I~~I~1080Wooo10-35oCl~u101001020251030Time,SecondsFlGVRE5.6-1 4~<<((I-"~(4<<<<.(.<<<<4V,~~I(areJ>~w<<(i'(<<<<M>>1000900PuelCladUncontrolled RodMithdraMal PromaSubcritical Condition Temperature 4ag<<+1x1056k/'Po=-1x106k/'PReactivitg Insertion Ratef<<8x10Lk/seck<<l.07065800700CoreMater14o(4l0ce'0oj605560050500456101.L18222630'Time,SecondsFIGURE5.6-2 57CONTROLRODDROPDe-energixing adrivemechanism causesafull>>length controlrodtofallintothecore.(Part-length rodsfail"as-is"whende-energized.) Thiscausesanimmediate decreaseincoxepower,mostnoticeable intheregionofthedroppedrod.Xftheaveragecozepowerisreturnedtoitsoriginalvalve,mostofthecorewouldbeatahigherpowerdensitybecauseofthelocaldepxession intheregionofthedroppedrod.Duringtheinitialdesignfoxthecurrentgeneration ofWestinghouse PWR's,theincreaseinhotchannelfactorsforadroppedzodwasnotknown.Ztwastherefore assumedthatDNBmightxesultifthecorewereallowedtoreturntofullpowerfollowing azoddrop.Protective circuitsweredesign-edaccordingly andclassified aspartoftheProtection System.Thedesignrequirement forthisprotective functionwastoinsurethat,follmrtng adynamicroddrop,thexeactorwouldnotzeturntoapowerleve3highenoughItocauseaDNBratiolessthan1.30.,Mechanisms whichwouldtendtorestorerinitialcorepowerare.noxmal automatic controlandplantcooldownwithanegativemoderator coefficient. However,recentphysicsanalysisformalpositioned controlrodshasshownthat,ineverycaseforaninseztedrod,fullpoweroperation wouldnotcauseaDNBratiolessthan1.30.Becausethelocalpowerdecreasecausesageneralpowerincreasethroughout therestofthecore,theincreaseinhotchannelfactorsisUstedtoapproximately 15'xless,depending oncoresize.Withx'especttoDNB,thisisequivalent to15Xoverpower. CoreDNB'esign 5.7-1 ~~~Emarginsofthismagnitude mustexistatfullpowertoallowforoperational transients andinstrumentation errors.Inadditon,forplantspresently nearcompletion, ithasbeenfoundthatinsertedrodhotchannel.factorsdonotevenexceedthedesignhotchannelfactors.Sincetheconsequences ofadynamicroddroparetolerable, thefollowing ffdiscussion ofroddropprotection issomewhatacademic. Roddropprotection diversity hasbeenprovided, bothinthemeansofdetection andinthemeansofactuating protection. Redundancy. wasmorereadilyobtainedbydiverseinstrumentation thanbyindependent, butidentical, channels. Aroddropsignalisgenerated byeitherofthefollowing: a)A=rapiddecreaseinindicated nuclearfluxfromanyoneofthefourpowerrangenuclearinstrument channelsb)Rodbottomindication fromanyoneoftherodpositionindicators whentheassociated rodbankisnotonthebottom.One-out-of-four logicforthenuclearchannelsisused'because itwasnotknownwhethermorethanonechannelwouldrespondtothedroppedrod.Therefore, redundancy isnotclaimed.Protective actionisdirectedtowardinhibiting thosemechanisms whichwouldotherwise causethereactortoreturntoitsinitialpowerlevel,i..e.,automatic rodwithdrawal andloaddemandwithanegativemoderator temperature coefficient. Again,sincethemagnitude ofthehotchannelfactorincreasewasnotknown,itwasassumedthatbothmechanisms wouldhavetobeinhibited. 5.7-2 Redundant rodstopcontactsareprovidedtoblocknormalautomatic controlrodwithdrawal. Manualrodwithdrawal isnotblockedsinceitisnecessary towithdrawthedroppedrod.Turbineloadreduction isaccomplished throughredundant channels. Mostplantsaresuppliedwithelectro-hydrauLLc (E-H)controlsystemsfortheturbine.Theturbinerunbackisactivated bythefollowing~ eitherofwhichreducesorrestricts turbinecontrolvalvepositionandsteamload.a)Reduction oftheloadrefezence setpointoftheturbine,E-H., controller byapresetamount.Thisisaccomplished byzeducingthesetpointatconstantrate(200X/min.) forapresettimewitha.timedelayrelay.b)Reduction oftheturbineload.limittoapresetvalue.Theloadlimit(aclamponthevoltagesignalcontrolling theturbinecontrolvalveposition) isreduceduntilturbinethermalloadasI)sensedbyeitheroftwoturbineimpulsepressure'channels isbelowapresetvalue.Following plantstartupteststoverifythattheDNBratioisgreaterthan1.30atfullpowerwithadroppedrod,itisintendedtoadjusttheturbinerunbackforoperational requirements. Thatis,theautomatic loadreduction wouldbelargeenoughsuchthat,withreasonable operatoraction,anorderlymanualplantshutdowncanbeaccomplished, ratherthanareactortriponlowpressurizer pressure. Fi.gures5.7-1and5.7-2showthetransient responseofnuclearplantvariables toaroddropwithturbinerunback.5.7-3

lllr1.U.9.8.7~t~~-I.I~~I.',.f=~CI~:I~-I.~~~t4~~~~~~:H'ResponsetoaDroppedRCCAof.North-2.3x,106kWithaPowerCutbackof25PercentofNominal~-3.5x10bk/7'-'~>>1.65x106k/Z'.~~II~~i:I~..l.,~~~~~t~t1.000CKheQE8.9.8'~~7~t>~tl~tttI~~~I'~':I-"'I~l~'t{~~~I~~ttI~I~~II24002300~pk~~~~~~~~~It~~-I~tt~~~'{::.-~II~~I~It~~~t22002100~~~"-I~I4080120160200 04~ ~'III~~I~~0~~~~~~~~~~~0t~0'I.tt0~~~II0~I0~~--}t~*L0~>>0t'If0580578576IL00~IQ0Q~~~I0~r~0~~0<<I~000~0~I~~It~LL~00L0000~>>~>I~I0~~0I~~~lI~~-I'='~I~0:..00J~565IQ0~0I~ResponsetoaDroppedRCCAofWoph-203x106kwithaPowerCutbackof25PercentofNominal~~5604~~,004a0~t0't~'fQMC4o555550U~M~IJ0=I~I~~~I~~~~~~OH1.0~~0~~M00g,9~>>~~0I~~0,8L~~00'~0~~~~~~I~~.74080120160200TDK,SECONDS

5~8ENGINEERED SAFEGUARDS ACTUATION Actuation ofauxiliary feedwater isdiscussed inSection5.2.Engineered safeguards forcontainment pressureprotection arediscussed inSection5.9.Actuation ofEmergency CoreCoolingforlossofcoolantprotection isdiscussed inthissection.Forlossofcoolantprotection, asafetyin]ection signalisgenerated byeitheroftwodiversesetsofautomatic signals:a)Coincident lowpzessureandwaterleve1inthepressurizer; b)Highcontainment pzessure. Bothsetsofsignalsareredundant andmeetallprotection Systemdesigncriteria. Thesignalsderivedfromthepressurixer indicatethatreactorcoolantisbeinglostwellbeforethecoreisuncovered. Reactorcoolantblowdownalsoincreases containment pressure. Setpoints'for highcan-tainmentpressurearetypically about10Xofcontaiaamt designpressure. Thissetpointisreachedwellbeforethecoreuncovers. Figure5.8-1showstheresultsofacalculation forarepresentative plantforthecompleterangeofbreaksixes.Ztshowsthateitherthepressurixer orthecontainment signalinitiatesafetyin)ection l-l/2minutesormorebeforethecorewouldbeotherwise uncovered. (Forlargebreaks>passiveaccumulator systemsupplieswateranddelaysthetime.atwhichactivecorecoolingisrequired.) Thisanalysisincludedtheeffectsofcontainment heatsinksandfancoolersindelayingthetimeatwhichthecontainment highpressuresignalisreached.5.8>>1 SAFETYINJECTION ACTUATION SIG:NLVSBREAKAREA10004o~I+I'~'T~~~iI}.o~l<<~,~~IIIIl~~I~~<<~~}lero,one*oIrI~~~~~<<~t~~>>v~ttt~I~"ttrltt<<~~~I}'-:RangeofProtection ofI:.:PassiveAccumulator System-(;I~IaeI4V100~~ooo1}:<<II~I~~IPtl~~I'~I'<<~~>>:ii}'."~IIt~~I~II~~~}I~~~~~I~~~v0~~r,~!Ia.~o~~~tt~\~v}'"--ttI~~~~\~~t<<to~o~to~~~I'I~~o~~~~~<<~~~~I<<.)~oIIOIhC10o~~t~<<'oo~I~~I~Itz~~<<'I''I~'I.....~TimetoReachLouPres-I:-surizerPressureandLevelSignal7>>~~~~\~~~~~~>>~~~~I~I~~~~<<o~<<e~o<<vpttI:TI~I~~*~I~I~I~~~~I~~I"I~}~~~~~~~i-.',I~PI~'~I"I<<I~II~)}=.1-I:ilneceUncavelCaseNddPlaneLNeSadecvlneccdcn)j~o~~~\f<<~~~~~I~~ItI~lel~~~'I~~jjjr"~~iTimetoReachPighContainment PressureSignal'<<ll~~~vI<<j~0.01'iil\~40.1~6"10"DAUEa:.BREAKSIZE(Fi)FIGUPE5.8-1 ~V 59CONTAINMENT PRESSUREPROTECTION Typicalwestinghouse dryconcaiament plantsareequippedwithfaacoolerunicsaadspraysystems.Theseareprovidedtoreducethecontaiamenc pressureeotoesseatially atmospheric following alossofcoolantaccidentorasteamlinebreakaccidentinsidethecontainmeac. Thecontainment isdesignedtowithstand theeoealblowdownoftheReactorCoolantSyscemorasteamgenerator wiehnodependence oneheaceivesafe-guards.Theactivesafeguards are,however,aueomatically actuatedfollowing cheaccident. Thepr9narycontainment safeguards arethefancoolerunitsandtheircoolingwatersupplywhichazeactuatedbythesafetyinjection signalwhichisgenerated by:a)Coincident lowpressurizer pzessureandwaeerlevelinthepressurizer b)Ri.ghcontainment pressure(approximately lOXofdesignpressure). Thebackupcontaiameac safeguard, ch'econeaiamene Spray9ystem,isaccuaeedbyahighcontainmenc pzessuresignalwhentheconcainmenc pressurereachesappxoximacely 50Xofchedesignvalue.Automatic sprayactuation usessixconcainmenc pressuzechannels, in2/32/3logic.TheSpxaySystemcanalsobeactuatedmanually. Only2oucof4fancooliagunitsfortwoorthreeloopplantsand3oucofScoolingunitsforfourloopplaacsarenecessary eolimitthecontainmene pressuxebelowdesignevenconsidering ehactheEmergency CoreCoolingSyseemis.unablecosuppxessboilinginehecore,andehecoredecayheacenergycontinues cobeaddedtoehecontainmenc intheformofsteam.5.9-1

Theoperation ofonlyoneofthespraypumpsisrequiredinorderfortheSpraySystemtosupplement theheatremovalcapabiU.ty ofthefancoolingunitstoprovideamarginforeffectsfrommetalmater orotherchemicalreactions thatcouldoccurasaconsequence offailureofEmergency CoreCoolingSystems.Sinceeitherfansorspraysareadequate, anddiversesignalsareusedtoactuatethefans,.the Protection Systemisdiverseforactuation ofcon-tainmentpressureprotection. 5.9-2 5.3.0EXCESSIVE LOAD~rgb~a+&vf"f'>Excessive loadisonemeanswhichcouldcauseexcessive corepowergeneration. Asdistinctfromtheovezpower~vertemperature accidentdiscussed inSection5.3.(RodWithdrawal atPower),reactorcoolanttemperature,

pressuze, andpressurizer waterlevelwouldnotincrease.

Reactorpowerfollowsturbineload,bothbycontxoldesignintentandtheinherently negativemoderator coefficient. Anincreaseinloadabovedesignistherefoxe ofpotential concern.Diverseoverpower protection isprovidedbyReactorProtection System.,Theseazetheovezpower delta-Tandthenuclearoverpower reactortxips-Sincetheaccidentisinitiated fromthesecondary plant,thereactorIcoolantlooptemperatures respondbeforethecorecoolanttemperature. !IPipinglagsapplicable totherodwithdrawal accidentaretherefore notapplicable toanexcessive loadaccident, andeitherthedelta-Tor-thenuclearoverpower tripprotectsthecoreforanyrateormagnitude loadincrease. 5.10-1 pP 'C5.11EXCESSXVE FEEDWATER FLOWAnexcessive feedwater flowaccidentisprimarily ofconcerntotheturbine(highwaterlevelXnthesteamgenerator leadstoexcessive moisturecarryover andpotentia1 turbinedamage).'ith respecttonuclearprotection, however,excessive feedwater flow(orfeedwater temperature decrease) isseenasanexcessive thermalload,andthediscussion inSection5.10isapplicable.

512STATIONBLACKOUTAstationblackout, orlossofaU.a-cpowertothestationauxiliaries, resultsfromlossofincomingstationa~powercoincident withaplanttrip.Numerousreactortripsignalswouldbegenerated, suchasturbinetrip,lowcoolantflow,lowgpedwater flow,etc.Thisisnotimportant however,sincethelossofa-cpowerdeenezgizes thezodcontrolpower'upply,andthecontrolrodsfallintothecore,evenifnoreactortripsignalisgenerated. Naturalcirculation ofreactorcoolanttransfers reactordecayheatfromthecozetothesteamgenerators. Sincesteamgenerator steampressureisautomatically controlled bythepower-operated steamlinereliefvalves(withbackupfromthesteamlinesafetyvalves,ifnecessazy), theonlyrequirement formaintaining hotshutdownconditions istoApplyfeedwater tothesteamgeneratozs. TheauxiLiary feedwater systemisdiscussed inSection5.2,LossofFeedwater. Asnotedinthatsection,thelossofa~powerstartsalla~iazypumps-Adiverseautomatic actuation signal-steamgenerator lowwaterlevel-isalsoprovided. Further,theenergysourcesfortheauxiliary feedwater pumpsare.themselves diverse(steam-driven pumpsandmotor-driven pumpsenergized fromthediesel-generator), suchthatfaQ.uzetoactuateanenergysourcedoesnotpreventauxiliary feedwater. 5.12-1

APPENDIXCONTROLANDPROTECTION FUNCTIONS reactorcon'tro1andprotection functions performedfromeachprocess~eterinthepresentWestinghouse designareMmlatedbelow.Pro-e~tionfunctions arelistedfirst,andcontrolfunctions listedlast.u~nyfunctions '.g-,indication, alarmsandinterlocks, arenotclearlyeithercontrolorprotection. ~Theseareclassified as"supervisory" unctalons~Intheleftmargin,allfunctions arelistedasP,SorC,showingpro-tection,supervisory orcontrol;- i%JCLEARINSTRUMENTATION 1,.3.PowerRange1.2Intermediate Range1.3SourceRange'W~REACTORCOOLANTSYSTEMPARAMETERS Z.lReactorCoolanr,Temperature (4T,T)avg2-2Pressurizer Pressure2.3Pressurizer WaterLevel2.4ReactorCoolantFlow3~STEAMGENERATOR PARA%.'TERS 3.lSteamGenerator WaterLevel3.2Feedwater Flow3.3SteamPlow34SteamLinePressure3SSteamHeaderPressure VPARAMETERS TurbineFirstStageSteamPressureOomTurbineAutoStopOilPressureTurbineStopValvePosition~ASTROLRODPOSITION5.1BankPosition).ZIndividual RodPosition~.CONTAINMENT PRESSUREgZCZRICAL PARAMZERS 7'.1ReactorCoolantPumpBus7.2ReactorCoolantPumpBreakerPosition7.3FedwaterPumpPowerA-2

gJCLEARZNSTRUMENTATION SYSTBtpowerRange-(linearindication inpowerrangeofoperation). P1.Overpower reactortrip(highrange)-rapiddetection offastoverpower excursions duringpoweroperation. P2.Overpower reactortrip(lowrange)-protection duringlowpowerplantoperation. p3.Top-to-bottom fluxtiltbiasof4Treactortripsetpoints-reduceDNBprotection limitstooffseteffectsofhotchannelfactors.(BothhighdTreactortrips),see2.1,1&3P4.Reactortrippermissives a.Permitsinglelooplossofflowtripathighpower.b.Permitreactortriponturbinetripathighpower.c.Permit"at-power" tripsduringpoweroperation. d.Defeat,manualblockoflowrangeand&termediate rangeoverpower tripsatlowpower.e.Lockoutsourcerangehighvoltagesupplyduringpoweroperation. S5.Roddropdetection -rodstopandturbinerunbacktomaintainDNBmargins.6-Overpower rodstop.-stopapowerexcursion causedbyrodwithdrawal. 7.Overpower alarm(forequipment

purposes, thisfunctioniscombinedwiththeoverpower rodstop).8.Controlroomindication andrecording (including top-tobottomdifference).

Channeldeviation alarm-detectchannelfailure,detectfluxtilts.10.Top-to<<bottom fluxtiltbiasofdTrodstopandturbinerunbacksetpoints(see2-1,264).A3

Automatic controlrodmotion-providestablereactorcontrolandrapidresponse. gntermediate Rane-(Logarithmic scaleforpowerrangeandupperstartuprange)p'.Highlevelreactortrip-preventpowerincreaseintopowerrangeunlesspowerrangechannelsareindicating. p2.Defeatmanualblockofsourcerangehighleveltrip-lowintermediate rangeindication rearmssourcerangetrip.S3.Highleve1rodstop-preventsexcessive withdrawal ofcontrolrodsduringlowpoweroperation. S4.Controlroomindicating andrecording. S5.Startuprateindication. P.l.HighleveLreactortrip-preventstartupaccidentfromsourcerange;preventpowerincreaseintointermediate rangeunlessintermediate rangechannelsareindicating. S2.Highcountratealarms-warnofapproachtocripicality. S'.Controlroomindication andaudiblecount.range.S4..Startup rateindication. A-4 ~Nc.sgP't"K5 <<<CTORCOOLANTSYSTEMPARAMETER orCoolantTemeraeure(4T-T)avgOvereemperature high4Treactortrip-preventcoreDNB(setpointcalculated fromT,pressure, andnuclearavg'luxaxialtilt).2.Overtemperacure high4Trodstopandturbinecueback-maintainoperating margineoDNB(setpointisafixedmarginbelowreactortripsetpoint).3.Overpower high4Treactorezip>>preventhighpowerdensity(seepointcalculaeed fromnuclearfluxtile)i4.Overpower high4Trodscopandturbinerunback-maintainoperating powerdensity(seepointisafixedmarginbelowreactortripsetpoint).S5.Channeldeviation alarms-deeectchannelfailures, detectabnormalprocesscandieions. S6.Controlroomindication andrecording. S7.Controlrodinsertion limitalarm-maintainreactiviey shutdownmargin;maintainlowejectedrodworth;maintain,uniformcoreburnup.fr.8.LowTalarm(interlocked withhighscesmflowforsteamavglineisolation) -steambreakprotection. Inadditiontotheabovefunctions for4TandT,Tisalsoavg'vgused09.HighTalarm.avg10.Tchanneldeviation rodscop(ofautomatic motion)-avgpreventspuriousrodwithdrawal orinsertion. 11.Tdeviation alarm-deviacion framprogrammed setpoinc. avg

Automatic controlrodmotion-controlcorepowex'omain>>tainprogrammed tempex'ature. 13~Steamdumpcontrol(condenser steamdump)-removeexcessenergyfromreactorcoolant.14.Feedwater valvecontrol-controladditiontosubcooled watertosteamgenerators following aplanttrip.15.Pressurizer levelprogramming -determine levelsetpointtominimizechargingandletdownchangesduringloadchanges.2.2Pressurizer Pressurep1.Highpressurereactortrip-maintainpressureinATprotection range;provideoverpressure backuptosafetyvalves.P2.Lowpressurereactortrip-maintainpressurein4Tprotection range.P3.Lowpressuresafeguax'ds actuation -actuatelossofcoolantprotection. P4.Highpressuxedefeatofsafeguards actuation manualblock-I.automatically renavemanualblockasoperating pressureisapproached. P5-Compensate overtemperature ATreactortripsetpoint-coreDNBpzotection. 6.Compensate qvertemperature Trodstopand.turbinerunbacksetpoint-maintainoperating margintoDNB.Controlroomindication andrecording. 8High-lowpressurealarms.Lowpressurereliefvalveinterlock -closereliefvalveson10.lowpressuretoavoidaccidental lossofcoolant./Pxessurecontrol(on-offheaters,vaziableheatexs,spray,andx'eliefvalveactuation) -maintainnormaloperating pressure. A-6 F 11.Compensation signalforautomatic controlrodmotion-improvereactorcontrolresponse. 2.3Pressurizer WaterLevel-(Thisvariablemeasuresreactorcoolantfluidinventory andmeantemperature). P1.Highlevelreactortrip-preventwaterdischarge (anreliefpipingdamage)throughsafetyvalvesfollowing rapidinsurge.P2.Lowlevelsafegnards actuation -indication oflossofreactorcoolant.S3.Controlroomindication andrecording. S4.High-lowlevelalarms.S5.Lowlevelheatercutoff-preventenergizing heaterswhenuncovered (equipment protection). S6.Lowlevelletdownisolation -preventlossofcoolantbyexcessive letdown.C8.High-lowleveldeviation alarm-deviation fromlevelset-point.Chargingpumpspeedcontrol-maintainprogranmN.d waterlevel.C9.Highleveldeviation heatera'ctuation -heatsubcooled waterinsurge.2.4ReactorCoolantFP1.Lowflowreactortrip-preventcoreDNB.S2.Controlroomindication-A-7 P 3ST~GENERATOR PRtAK'.TERS SteamGenerator WaterLevel-(Thisvariableisameasureofwaterinventory insteamgenerators). pl.Low-lowwaterlevelreactortripandauxiliary feedwater pumpstart-protectsteamgenerators; preservenormalheatsinkforremovalofearlydecayheat.p2.Lowlevelreactortrip(coincident withlowfeedwater flow)-providerapidprotection againstacompletelossoffeedwaterflow.S3.Highlevelfeedwater controlvalveoverride-closefeed-watervalvetopreventexcessive moisturecarryover andturbinedamage.S4.High-lowlevel.alarms.S5.Controlroomindication andrecording. S6.Leveldeviation alarm-deviation fromprogrammed level.C7.Feedwater valvecontrol-maintaindesiredsteamgenerator level.l3.2Feedwater FlowP1.Lowfeedwater flowreactortrip(coincident withlowsteamgenerator waterlevel)-providerapidprotection againstcompletelossoffeedwater flow.S2.Controlroomindication andrecording. C3.Feedwater valvecontrol>>providestablecontrolofsteamgenerator level.3.3~Se~F1owP.1.Setpointforlowfeedwater flowreactortrip(see3.2.1above).P2.Highsteamflowsteamlineisolation -steambreakprotection. 'tV4 S3~C4Controlroomindication andrecording. Feedwater valvecontrol-providerapidres'ponse gfcgntzotforsteamgenerator level.3.4SteamLinePressure>~,W/!-P1.Lowpressure(ortuicdifferential pressure) safe~dactuation -steambreakprotection P,C2.Compensation ofsteamflowchannels-provideaccuratesignalofsteamflow.S3~S4.C.5.Lowsteampressurealarm.Controlroomindication andrecording. Controlofsteamlinereliefvalves-minimizeactuation gfsafetyvalves.3.5SteamHeaderPressureC1.Contzolsteamdumptocondenser. S2.Controlzoomindication ,F TUgBXNEPARAMETERS TurbineFirstStaeSteamPressure-(Thisvariableisproportional toturbinesteamload).pl.Reactortrippermissives -pexmits"at-power" reactortripsaboveminimumturbineload.p2.Steamlineisolation -determines setpointforhighsteamflowforsteambreakprotection. S3.Controlroomindication. S4.Lowpowerblockofautomatic controlrodwithdrawal-preventsunstablereactorcontrol.S5.Steamdumpinterlock -preventsoperation ofsteamdumptocondenser unlessarapidlossofloadhasoccurred. C6.Tprogram-determines setpointforTincontrolavgavgrodandsteambypasscontrolsystems.C7.Steamgenerator levelprogram-determine setpointforlevelinfeedwater controlsystem.4.2TurbineAuto-StoOilPressure-(Presence orabsenceofoilpressureindicates'trip ornon-tripcondition ofturbine). 1.Reactortrip-preventtemperature-pressure excursion inreactorcoolantfromlossofsteamload.C2.Steambypasscontrol-selectsmodeofcontxol.3.Feedwater control-selectsmodeofcontrol,steamgenerator waterlevelorTavg4~3TurbineStoValvePosition-usedasbackuptoautostopoilpressurefoxreactortripsignal. CO~OLRODPOSITIONBankPosition-(StePcounters) Bankinsertion limitalarm(setpointdetermined fromand4T)-maintainreactivity shutdownmargins;avgmaintainacceptable corepowerdistribution. S2,Bankwithdrawal limf.talarm-warnoperatorthatcontrolrodsarenearingtheendoftheirusefultravel.S3,Controlzoomindication andrecording 5.ZIndividual RodPosition(LVDT)Sl.Rodposition'deviation alarm-warnofpossiblerodmalpositioning. SZ.Rodbottomroddropdetection -rodstopandturbinerunbacktomaintainDNBmargins.S3.Controlzoomindication andrecording= CPNTAZgKNT PRESSUREpl.Highcontainment pressuresafeguards actuation andreactortrip-protection againstsmallsteambreaks,backupprotection forlossofcoolantaccidents andlargesteambreaks.-P2.Highcontainment pressuresteamlineisolation p3.Highcontainment pressuresprayactuation. S4.Controlroomindication. A>>12 ELECTRICAL SYSTEMVARIABLES ResistorCoolantPumpBusPl.Underyoltage reactortrip-protection againstmulti-loop lossofflow.p2iUnderfrequency reactortripandRCPbreakeropening-preventrapidsystemfrequency opening-preventrapidsystem.fre-quencydecreasefrombrakingRCP.7.2ReactorCoolantPumpBreakerPosition(contacts) P1.Reactortriponbreakeropening-backup.to lowflowprotection forlossofflow.7.3Feedwater PowerPl.Auxiliary feedwater systemactuation (feedwater pumpbreakerpositionand/orbusvoltage)-backupfeedwater protection forlossoffeedwater. A-l3 ATTACHMENT 8TOAEP:NRC'1184H2 RESPONSETOITEM8DEFENSE-IN-DEPTH EVALUATION PERFORMED FORTHEREACTORPROTECTION ANDCONTROLPROCESSINSTRUMENTATION REPLACEMENT PROJECT}}

ML17332A851: Difference between revisions

Revision as of 07:01, 29 June 2018

Text

5.4CONCLUSION

Navigation menu

ML17332A851: Difference between revisions

Revision as of 07:01, 29 June 2018

Text

5.4CONCLUSION

Navigation menu

Search