{{#Wiki_filter:wnu-7306 NUCLEAR ENERGY SYSTEMS CLASS 3 REACTOR PROTECTION SYSTEM DIVERSITY ZN WESTINGHOUSE PRESSURIZED WATER REACTORS April 1969 Author: T.Q.T.Burnett Contributors:

J.W.Dorrycott A.C.Hall D.H.Risher APPROVED: S.ore, Manager Core Engineering Westinghouse Electric Corporation Nuclear Energy Systems Division P.O.Box 355 Pittsburgh, Pennsylvania 15230 9507180151 950707 PDR ADQCK 05000315 9 PDR<3RZ Restintthouse Electric Corp./

FOREWORD Over the past four years, considerable attention has been focused on design cx'iteria and methods of implementation for nuclear power plant protection systems.Of paxticular difficulty has been che"establishment of suitable criteria to deal with the problems of single and multiple failures, channel independence, Control and Proteccion System independence, and the'eviation of Protection System inputs..A key factor in this difficulty has b'een the conflict between the goal to minimize the number of redundant measurements fox'ny single process variable, with regaxd to the overall nuclear plane requirements, and the goal to establish a auucbnum degree of separation between the Protection System and the Control System.Obtaining an accurate and reliable measuxement of a particular process variable is one of the most difficult aspects of an instrumentacdon system.There are significant problems associated with the physical mounting of the measurement devices including optimum location, supporting structuxes, access to che equipment for maintenance, and protection against adverse environmental factors.In the case of nuclear power plants, there is also the problem of transmitting the signals fxom the containment to the control room equipment.

All of these factors provide arguments for minimizing the number of separate measuremencs.

Most of the functions performed by the plant Control System require the same process information as the Protection System.In these cases, Westinghouse provides Control System inputs from Protection System channels.The"Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," IEEE No.279, permits this design approach, sub)ect to certain restrictions.

However, this proposed resolution was not unanimously accepted by members of other United States standards and regulatory agencies, in particular, USASX Sectional Committee N3 (N42), and the AEC-ACRS.Westinghouse held meetings with members of the AEC to clarify the Westinghouse design approach and to identify the additional design criteria applied by Westinghouse, which go beyond the proposed IEEE criteria.These additional criteria require separation and identification of control and protection equipment and the use of isolation devices to transmit signals from the Protection System to the Control System.It is the position of Westinghouse that these additional criteria offer a resolution to the'tated design conflict.Westinghouse has demonstrated by actual implementation of these criteria that a high degree of separation, including proper identification, can be achieved between Protection System equipment and Control System equipment.

More recently, the question of the failure mode changed from that of a single random failure to common-mode failure-a failure mode which would adversely affect all, redundant channels of a particular protective function in the Protection System.It is generally recognized that separation of control and protection does not provide defense against the common-mode failures.

The nuclear power plant Control and Protection System design employed by Westinghouse was evaluated in detail with respect to the commonmode failure and presented in a series of meetings to members of the AEC.This report documents the information transmitted in these meetings and provides a technical basis for the development of criteria for design of Protection Systems with adequate consideration for common-mode failures.The conclusion of Westinghouse based>upon actual experience, previous work, and reinforced by the results presented herein, is that design criteria for nuclear power plant protection systems should permit magnum effective use of process measurements both for control and protection functions including the use of Protection System measurements in the Control.System.Such criteria significantly enhance the designer's capability to provide a system with adequate capability to deal with the majority of common~ode failures t as well as to provide redundancy for critical control functions.

Consulting Engineer-Control Technology Vestinghouse design philosophy for Reactor Protection and Control Systems is to make maxiunaa use, for both protection and control functions, of a wide range of measurements.

The Protection and Control Systems are separate and identifiable.

The design approach permits not only redundancy of control, providing its own desirable increment to overall plant safety, but also provides a Protection System which continuously monitors numerous system variables by different means;i.e., protection system diversity.

The extent of Protection System diversity has been evaluated for a wide variety of postulated accidents.

In most cases, two or more=diverse pro-tective functions.

would terminate an accident before intolerable consequences could occur.  

teetiee 1 1.1 1.2 2 3 3.1 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.2 3.2.3., 3.2.2 3.3 TABLE OF CONTENTS Title ABSTRACT INTRODUCTION COMMONMODE FAILURES AND.DIVERSITY PROTECTION SYSTEM EVALUATION QjMMARY FUNCTIONAL DESCRIPTION, REACTOR CONTROL AND PROTECTION SYSTEM REACTOR PROTECTION SYSTEM GENERAL REACTOR TRIPS Manual Trip High Nuclear Power (Power Range)High Nuclear Power (Intermediate Range)High Nuclear Power (Source Range)Overtemperature 4T Trip Overpower 4T Trip'Low Pressure Trip High Pressure Trip High Pressurizer Water Level Trip Low Reactor Coolant Flow Safety In)ection System Actuation Trip (SIS)Turbine Trip Low Feedwater Flow Reactor Trip Low Steam Generator Water Level Trip PERMISSIVE CIRCUITS List of Permissive Circuits ROD STOPS Rod Stop List INDICATION Control Board Indicators and Recorder Central Board Annunciator Panel Control Board Status Panel STEAM DUMP CONTROL SYSTEM CONDENSER STEAM DUMP SYSTEM System Design Control System Load Refection Control Turbine Trip Control Pressure Control ATMOSPHERIC STEAM RELIEF SYSTEM REACTOR CONTROL The Temperature Chanel The Power Mismatch Channel The Pressure Channel The Rod Speed Program~Pa e iv 1>>1 l-l 1-5 2 1 3.1-1 3.1-1 3.1>>1 3.1-1 3.1-1 3.1-1 3.1-2 3.1-2 3.1-3 3.1-3 3.1-4 3.1W 3.1-5 3.1>>5 3.1-6 3.1-7 3.1-7 3.1-7 3.1-8 3.1-8 3.1-9 3.1-9 3.1-10 3.1-10 3.'1-10 3.1-11 3.2-1 3.2-1 3.2-1 3e2~3 3e2~3 3.2-4 3.2-5 3.2-6 3.3-1 3.3-1 3.3-1 3'~2 3~3 2 Seetiet 3,4'.5 3.5.1 3.5.2 3.5.3 4 4.1 4.2 4.3 4.4 4.4.1 4.4.2 4.4.3 4.4.4 4.4.5 4.4.6 5 5.l.5.1.1 5.1.2 5.1.3 5.1.4 5.2 5.2.1~5.2.2.;:!.5.3 5.3-1 5-3.2 TABLE OP CONTENTS (Cont'd)Title STEAM GENERATOR LEVEL CONTROL STEAM BREAK PROTECTION SYSTEM SAFETY INJECTION SYSTEM ACTUATION FEEDWATER LINE XSOLATION STEAM LINE ISOLATION PROTECTION AND CONTROL SYSTEMS DESXGN PRINCIPLES PROTECTION SYSTEM FUNCTIONAL DESIGN CONTROL SYSTEM PJNCTIONAL DESXGN CONTROL AND PROTECTION INTERRELATION SPECIFIC CONTROL AND PROTECTION INTERACTIONS NUCLEAR FLUX COOLANT TEMPERATURE PRESSURIZER PRESSURE Control of Rod Motion Pressure Control Low Pressure High Pressure PRESSURIZER LEVEL High Level Low Level STEAM GENERATOR WATER LEVEL FEEDWATER PLO..Feedwater Flow Steam Flow Level STEAM LINE PRESSURE ACCIDENT EVALUATXON ROD WITHDRAWAL ACCIDENT I PROBABLE CONSEOUENCES OF ACCIDENT PROBABILITY OF ACCIDENT MANUAL INTERVENTION DIVERSXTY OF REACTOR TRIPS LOSS OF FEEDWATER LOSS OF FEEDWATER-TRANSIENT ANALYSIS TYPXCAL SYSTEM DESIGN REOUIR1M2KS Auxiliary Feedwater System Main Steam and Feedwater Piping LOSS OF COOLANT PLOW ANALYSIS ZNTRODUCTION AND

~Pa e 3.4-1 3.5-1 3.5-1 3-5-1 3.5-1 4.1<<1 4.1-1 4.2-1 4.3-1 4.4-1 4.4-1 4e 4-2 4.4-3 4.4-3 4.M3 4.4-3 4.4-4 4.4-4 4.4-5 4.4-5 4.4>>6 4.4>>7 4.4-8 4.4-8 4.4-8 5.3.-1 5.1-1 5.1-2 5.1-4 5.1-4 5.1-6 5.2-1 5.2-2 5.2-4 5.2-4 5.2-6 5.3-1 5.3-1 5.3-1 5.3-2 5.3-2 5.3-2 5.3-3 5.3-3 5.3-4 1 4 C Sectice 5.3.3 5.3.4 5.3.5 5.4 5.4.1 5.4.2 5.4.3 5.5 5.5.1 5.5.2 5.5.3 5.5.4 5.6 5.7 5.8 5.9 5.10: 5.11 5.12 TABLE OF CONTENTS (Cont'd)Title MULTILOOP LOSS OF FLOW SINGLE LOOP LOSS OF FLOW LOCKED ROTOR ACCIDENT ROD EJECTION ANALYSIS INTRODUCTION AND

==SUMMARY==

CASES CONSIDERED IN DETAIL Zero Power Case Full Power End of Life Coze BACK-UP TRIP PROTECTION LOSS OF STEAM LOAD INTRODUCTION AND

 

 

 

 

pressurized water reactor plant, it is almost axiomatic that-.n a Large Pre s rturbation which encroaches on safety limits significantly affects~v pertur a For example, a reactivity excursion-such as accidental rod vt.th raw drawal-causes not only an increase in neutron flux and core power,~so an increase in coolant temperatures and in pressurizer pressure but and level.Reliable control is obviously'he best approach to plant safety.The prime, purpose of a control system is to limit excursions before protective action is necessary.

Since the control devices must be capable of Limiting excursions, they are also capable of causing an excursion-perhaps in the, opposite direction-if spuriously actuated.Failure of the Control System, either by not acting when needed, or acting when not needed, decreases the leve1 of safety.Redundancy-of control, where applicable, is therefore highly desirable.

Pressurizer pressure control is a prime example of efficient use of redundant measurements for safe operation via a reliable Control System.Two oower-operated pneumatic relief valves are provided to limit pressure excursions within the normal operating range.Although not essential to-safety, these valves increase safety margins for system overpressure

~overpressure protection is provided by the high pressure reactor trip~safety valves).Should either valve be actuated spuriously, however, p~tection against the reduction in pressure might also be required.2~2  

'P''h contro3.channels, derived form the four pressure protection

."-our pressure con t no sing3.e ins-hanne3.s, are use-el'ei when needed, nor can any single i Qt~t fail duce pressure to the point at which protection would be needed ressure channels are used to contro1 each valve.One pressure channel Mo pressure serves as an interlock, blocking the air supply to the valve on a low pressure a3.arm.Since the pneumatic valve requires air to open, thi's low pressure alarm closes the valve (if open)and holds it closed.In the absence of a low pressure alarm on the first channel, a high pressure alarm on the second channel opens the valve.."-rom the protection System viewpoint, the corollary to maxbaum usage of all measurements is that protection against any given accident is not necessarily confined to measurement of just one variable.Thus the reactivity excursion noted previously, the reactor trip on high pressurizer wager leve3, also provides a degree of protection, even though the basic purpose of this trip is to protect the pressurizer relief piping from water relief surge, through the safety valves.Since completely different.

types of measurement are used<<r neutron flux and pressurizer water level, diversity does exist in the Protection System.Lhe extent of such diversity is evaluated in Section 5 for a wide variety ot accidents.

In most cases, two or more diverse reactor trips terminate~accident before catastrophic consequences can occur.However, the second trip reached (the"backup")generally does not prevent the design satey limit from being exceeded.In this context, the design saiety 2-3 h

h as a DNg ratio of 1.30, is itself a highly conservative such~,.exceeding this limit does not imply intolerable consequences.

~one case evaluated-the hypothetical rod ejection accident-protection system em diversity could not be adequately demonstrated for the worst case.~eyer a rod ej ection is considered to be an extremely unlikely accident one caused by complete and instantaneous mechanical failure of a control rod pressure housing.Further, the probable consequences, as distinct from the worst case, are tolerable since most control rods are fully withdrawn from the core.Even those rods that remain inserted are seldom inserted to their insertion limits.."-or another type of accident-complete loss of feedwater-diversity of reactor trips does exist.Ho~ever, automatic actuation of the auxiliary feedwater system is not diverse for all of'he ways in which feedwater flow could be lost.For those cases, it is shown that manual actuation consti-rutes a reliable back-up to automatic actuation.

'P 7"I H t I 0 ILLUSTRATION OF CONT."d)L'lND PROTECTION DESIGN CONTROL SYSTEM l (Signal con~itionins, controllers,~I interlocks, and defeat switches)t.otection

{test signa.ague)(test r adout)~est CONTROL PROTECTION Channel'Sensor I\I Cabling and Penetrations

~I!P ewer Suoply!Isolation I;ihmplifier I Bistable l I (From other protection channels)".harm el Channel 2 3 f" 1 I In8icatio Channel 4 C C CJ o 4k IJ CO C IH g~g O Cl~+I cd 0 C cC CJ PROTECTION LOGIC a&CKS TRAIN TO REACTOR TRIP BREAKERS FIGURE 2-l  

~,'I 1"k 0 P CTIONAL DESCRIPTION REACTOR CONTROL AND PROTECTION SYSTEH~~CTIONAL REACTOR PROTECTION SYSTEH 3.1 3.1.1 GENERAL'r'1 and Protection Szstm functi~di , , based on the Robert Emmett Ginna Nuclear Station of the Rochester Gas and Electric Co.(RGBE).It is representative of Westinghouse design practice.All reactor trips meet the following criteria: a)A single fai1ure shall not negate a reactor trip b)All channels are capable of calibration and maintenance at power.3.1.2 REACTOR TRIPS 4 A resume of reactor trips, means of actuation and coincident circuit requirements is given in Table 3.1-1.i~fllnual Trig Depressing either of two manual push buttons on the main control board actuates a reactor trip.Hi h Nuclear Power (Power Ran e)Dual trip settings=are provided: 3.1 1

" ca.l\"1~  

)Low (approximately 25X)b)High (approximately 110X).The low setting can be manually blocked when power increases above P-10*(approximately 10X power)and is automatically reinstated when power decreases below P-10.These circuits trip the reactor when two of the four external ion chamber average flux signals are above the trip setpoint.Hi h Nuclear Power (Intermediate Ran e)This circuit trips the reactor when either of the two intermediate channels indicate above the trip setpoint, Et may be manual1y blocked when power is above P-10 and is automatically reset when power decreases-below P-10.Expected trip setpoint is 25X.HL h Nuclear Power (Source Ran e)This circuit trips the reactor when either of the two intermediate P range channels indicate above the trip setpoint.It may be manua11y blocked when two intermediate range channels reads a value above P-6 and is automatically reinstated when both intermediate range channels decrease below P-6.Trip setting is between P-6 and the maximum source range power level.*P-()designates a permissive circuit to block or activate a trip function.These circuits are defined in Section 3.1.3.

~Fj t yvertemoe temperature 4T Trio of this trip is to protect the core purpose o po , p ssure, temperature,'cion Two out~f four oop~For each channel per eactor c lative measure of reactor power and is compared with a continu ously calculated setpoint of the form: 4T~K+K xPressure-K x T>>f(4I)setpoint L 2 J avg~en the reactor coolant loop 4T exceeds the calculated setpoint, the r atfected channel is tripped.Zn the above equation, 4Z is the difference'between the top and bottom power-range ion chamber signals..This compensation signal automat-ically reduces the trip setpoint if adverse axial core power I distribution exists.Dynamic compensation of the T signal is avg also provided to compensate for instrument and piping delays between the reactor core and the'loop temperature sensors..A schematic representation of this circuit is shown on Figure 3.1-1.An illustration of the setpoint is shown on Figure 5.1-6.Overoower 4T Tri The purpose of this trip is to protect against excessive power (fuel<<d power density).Two-out-of-four trip logic is used;there are two channels per reactor coolant loop.3.1-3 i for each channel is calculated as: Ne setpoint tor e~K-K-T-K (T-T)-f(II)4 5 dt avg 6 avg avg~'quation>f (41)is the same function as used in the overtemperature equat o-serpo nt e tpoint equation.The term K5 compensates for the piping and instrument delay.The term K6 compensates for the change in density and heat t~ac ty o ity of water with temperature (T's the nominal T at full power).avg avg 6~th K and K are limited such that the rate and/or magnitude of T can avg only decrease the 4T trip setpoint from its normal value at full power.ected steady-state trip setpoint is llOX of the indicated hT at full poMer;i.e., llOX power.A schematic representation of this cricuit is shown on Figure 3.1-2.~Pressure Tri.he purpose of'this trip is to protect against excessive boiling in the core and to limit the pressure range in which coze DNB protection is required for the overtempezature aT zeactor trip.This circuit trips the:eactor on coincidence of twmf-four channels.It is automatically blocked below P-7.The expected setpoint is 1715 psig.-"-'-h Pressure Tri=he purpose of this trip is to protect against overpressure and to limit the es<<<<range in which core DNB protection is required of the overtemperature Wected setpoint is 2385 psig.-a<<circuit trips the reactor on coincidence of two~f-three channels.3.1-4  

~h Pressurizer Water Level Tri tzip provides a backup to the high pressure trip and also prevents the pzessuz zessuzizer safety and relief valves from relieving water for credible accident conditions.

Expected setpoint is 92X of span.This circuit trips the reactor on coincidence of two-of-three channels.Xt is automatically blocked.below P-7.Low Reactor Coolant Flow This circuit is provided to protect the core from DUB following a loss of coolant flow accident.The means of sensing a loss of coolant flow accident aze as follows: a)Measured low flow tn the reactor coolant piping b)Reactor coolant pump circuit breaker open c)Undervoltage on reactor coolant pump bus d)Underfrequency on reactor coolant pump bus The low flow trip signal is actuated by the coincidence of two-of-three signals per loop.Above P-7, reactor trip occurs for a loss of flow in both loops;above P-S, reactor trip occurs for a loss of few in either loop.Expected setpoint is 90K of indicated full flow.The reactor trip signal derived from reactor coolant pump breaker position is actuated by a single auxiliary contact'or each reactor coolant pump breaker.Trip logic is similar to the low flow trip;above P-7 reactor trip occurs for a"breaker open" signal from any two breakers;above P8.a signal fzom any one breaker actuates a reactor trip.  

~wg a~~V~~tor trip provides additonal reactor protection against~undervoltage reactor powers 4 coaplete loss o o~t pump buses as~d b oa Lcw voltage on o ected setpoint is 70Z of~crvoltage se a~t a r t j rapid decrease in electrical frequency can decelerate th~princip e, a~tor coolant pumps faster than a complete loss of power.An underfrequency condition on both reactor coolant buses, as sensed by either of two under>>frequency relays on'ach bus, trips the reactor and opens both reactor coolant pump circuit breakers.Expected setpoint is approximately 58 cps.a Safety Xn ection S stem Actuation Tri (SIS)"pon actuation of the Safety Infection System, the reactor fs tripped to decrease the severity of the accident condition.

The means of actuating the Safety In)ection System and thus tripping the reactor are as follows: l a)Low pressurizer pressure (1715 psig)in coincidence with low pressurizer water.level (5Z span).Any one of the three circuits La actuates the SIS.This function may be manually bypassed below 2000 psig.~Pressure (500 psig)in any steam line.A coincidence of two~f-three signals for any steam line actuates this function.This function can be manually bypassed when reactor coolant pr~ssure is below 2000 psig.c)"igh containment pressure (6 psig).A coincidence of two-of-three signals actuates the SIS.d)Manual Actuatj on f~~

Trio~trip sensed by loss of autostop oi 1 pressure or by turbine stop g turbine tr ps losure actuates a reactor trip during high power operation.

Trip<s~o~r-three for the autostop oil pressure switches and two~f-two pic is sor the stop valve position switches.This trip is in coincidence with~r~sszve ci~ssiye circuit P-7 (blocked below 10X power)and permissive circuit P-9~blocked below 50X power unless condenser steam dump is blocked).Low."-eedvater Plow Reactor Tri For either steam generator, low feedwater flow (compared to steam flow)in coincidence with low steam generator vater level actuates a reactor trip.'Ms protects the reactor against a sudden loss of heat sink.This condition is sensed for either steam generator if e'ither of: two steam flow~feedvater flov channels indicate a difference greater than a setpoint and either of tvo steam generator narrow-range level channels indicate less 6 than a setpoint.Expected setpoints are 0.7 x.10 lbs/hr and 30X of span respectively.

Low Steam Generator Water Level Tri~e purpose of this trip is to protect the reactor from a'1oss of heat sink-<<the case of a sustained steam/feedwater flow mismatch which is too ll<<actuate the low feedwater flow trip.~h~s~~-s trip is actuated on coincidence of two-of-three lov-lov level signals~n steam generator.

Expected setpoint, is 15X of narrow range level span-3.1-7  

/t 6.,.t;>)0 C 3>MQSSIVE CIRCUITS 3.'.3 p ously to permissive circuits Reference has been ma o k certain activities as well-~~its are use to ac'vfties.t of Permissive Circuits nunbnc Funccfnn Rod withdrawal stop on overpower (Automatic and manual)~Xn uc One~f-four high nuclear power (power range)*;one-of-two high nuclear power (intermediate range*l;one-of-four overtemperature AW;or one-of-four overpower AT*.Automatic rod with-drawal stop at low power.Automatic rod with-drawal stop on rod drop Selection of steam dump controller mode Permit manual block of source range high nuclear power trip One-of-one turbine first stage steam pressure I Oneof-four rapid decrease of nuclear power or rod bottom indication h Turbine trip signal One~f-two high intermediate range nuclear power allows manual block, twomf-two low intermediate range nuclear power automatically reinstates trip.~bypass on individual channels.."~y e~ally blocked if peanissive circuit P-10 is cleared.  

~ssive Circuits (Cont'd)t of Pe ss luabaa puaaaiaa~Xa ua permissive power (block various trips at low power)Block single primary loop loss of flow trip Block reactor trip on turbine trip Threemf-four low nuclear power and onemf-two low turbine impulse stage pressure Threeof-four low nuclear power Three~f-four low nuclear power and condenser steam dump avaQ-able (not locked out by high condenser pressure or by loss of both circulating water pumps)10 3.1.>>ROD STOPS Permit manual block of intermediate range power level trip and rod stop and low power range trip Two-of-four high nuclear power allows manual block, thre~f-four low nuclear power automatically reinstates the trips A complete list of rod stops is noted below.Rd Stop List Fuaaataa a)Rod drop b)Nuclear Overpower Actuation Si nal One~f-four rapid power range nuclear power decrease or any rod bottom signal Oneof-four high power range nuclear power or Rod Motion to be Blocked Automatic withdrawal (redundant, contacts)Automatic and manual withdrawal one-of-two high intermediate range nuclear power 3.1-9 t~g 4-top~st (Cont d)UjjCj:Xjjn c)iU.gh 4T Actuation Si nal One-of-four overpower 4T or one-of-four Rod Motion to be Blocked Automatic and manual withdrawal overtemperature 4T (Manual bypass on indi-vidual 4T channels)(Actuation of this rod stop initiates a continuous turbine load reduction until the actuation signal is'emoved)

.d)Low power e)T avg deviation One-ofmne low turbine impulse stage pressure One-of-four T devia-avg tion from average T avg Automatic withdrawal H Automatic withdrawal and insertion 3.1.5 LQXCATION F Control Board Xndicators and Recorder-All transmitted analog signals which actuate reactor trips, rod stops, oz permissive circuits are either indicated or recorded for every.channel-Also.variable trip setpoints (overpower 4T and overtemperature 4T)are icated or recorded for every channel.Central Board Annunciator Panel~y of the following conditions actuate an alarm: Reactor trip (first out annunciator) b).aztial reactortrip (any channel)~wi oz~i<<deviation of any control variable (pressure, T, pressurizer level avg'li nuclear power, and steam generator level)for any channel.3.1-10  

~>>~t'lvl%1~y W C~ns'r, zy~\~  

';t"o>.3oard Status Pm&status of each reactor trip'c" on the trip status panel'-'.channel is continuously displayed I status o f each permissive circuit is continuously displayed on th pe~sive stat panel~~'reactor trip channel;bypass is.continuously indicated on the hypos status pmn-'I 17~a 3.1-11 s P k

.,y ll+~~l IE~Tgtp I.fluuual 2.High nuclear flux CplHClUEHCY.

ClRCULTRY b lHTERIXKKS 1/2, no interlocks 2/4, no interlocks for high setting P-10 for low setting l.'ON 1 k l)1 S High and low setttngs;manual block and automatic reset of low setting 3.', lligh nuclear flux (inter>>mediate range)High nuclear flux (source range)1/2q P-10 I 2/4;no interlocks 2/4, no interlocks 2/4>blocked by P-7 2/3>no interlocks 2/3, blocked by P-7 5, Overtemperature LiT 6.Overpower hT 7.Low'ressure 8.9.High pressure High pressurizer water level 10a.Low Flop 10b.Pump breaker trip 10c.Undervoltage 10d.Underfrequency SIS actuation 12.Turbine trip 13, Low feedwater flow 14.Low-low S.G.water level 2/3 per loop~p 7~P>>S 1/1 per loop]P 7)P+S 1/2 t'1/2~P-7 1/2+1/2 P-7 1/3,.(low pressurizer pressure and low pressurizer level);2/3 Low pressure in any steam line;or 2/3 high containment pressure 2/3 autostop oil or 2/2 stop valves>P;7]P-9 1/2+1/2 per loop, (flow mismatch in coincidence with low leyel)2/3$per loop h 0 Tayg n>AYO K4 T38 8 AT setpoint 1 Comparator C3.C3 C 4 2/4 ogic hot T c Comparator Rod Stop 0~POWER AT CHANNEL (ONE CHANNEL OF FOUR SROHH)FIGURE 3.1-2 l.l CONTROL SYSTEH t am dumP are available:

condensex'umP and atmosPheric

<cle valve arrangement is shown on Figure 3-2-1-yq steam cy C0gDENSER S~QUMP SYSTEM Svs ea Desi steam lines are installed to dump steam from the steam generators directly co the condenser, bypassing the turbine.Connections with the steam mains axe downstream of the stea'm main isolation valves.ralves and LLnes are sized to pass 35X of turbine auuctunan calculated steam flow at full load steam pressure.Condenser steam dump performs three functions:

Following a sudden loss of load of up to 210 MRe{about 45X of=aximum calculated turbine load), condenser dump acts as an artificial load removing excess power and stored energy while the reactor power is decreased to match the xeduced turbine\In this manner, the condenser steam dump acts to prevent a reactor trip.Condenser steam dump, together with feedwater addition, removes stored energy in the Reactor Coolant System following a plant trip, bringing the plant ro equilibrium no load condition without 3.2-1 r o f the s team generator saf ety valves.It also maintains~tuation o 1 t at hot shutdown by removing residual heat.gg pJ.ant at ser steam dump is used for plant cooldown to cold shutdown.condenser ste~~er steam dump is used to improve operational flexibility.

For a plant trip may occur following a large load reduction if~le, ap an~4.user steam dump is not available.

~condenser steam dump system uses modulating, Unear-characteristics,~~crated valves (air to open).Their stroke time is approximately 5 aecaads.Xn addition, they can be tripped from the fully closed to tate fu11 open position within 3 seconds after receiving an input eLectric trip signal.While this trip signal exists, the valves are bahf~the fully open position.When the trip signal does not exist, che valve position is determined by a variable input electrical signal-For condenser protection, condenser steam dump is blocked by high~enser pressure.Other interlocks'described below)are used~~e same manner to avoid spurious operation.

~pur'<<ous actuation of steam dump may cause a plant trip In addition,'-the ralves stay open, an uncontrolled cooldown results.For these the steam dump control system is required to meet the criterion signal failure shall cause spurious actuation-3~2~2  

Control System al block diagram for the Condenser Steam Dump Control~e funct on Svstem is shown on Figure 3.2-2.Load Re ection Control."-or partial loss of turbine load, steam dump is controlled by the error signal between T and T f, where T is the average of four avg ref'vg reactor coolant average.temperatures and.T" is the progz~ed, se~ref, point for T as a function of turbine load.(These signals are the avg same as those used in the Reactor Control System.)Following a turbine load decrease, T is imm'ediately reset to a lower value, causing an ref error signal.If the error signal exceeds the deadband for the load.re)ection controller, the dump valves are modulated open.If the error signal exceeds the HI setpoint, a trip.signal is generated which rapidly opens four of the eight valves to their fully~~en position.At'he occurrence of a HZ-HI trip signal, all eight valves trip open.The distinction between modulating and tripping valves open is made because of the difference in required time for both of these actions.If valves are already modulated open corresponding to the error signal<<the time a trip open signal is generated, no additional trip action takes place.Sin~e the steam dump system requires a finite time to, act, an increase is to be expected.Lead/lag compensation for T increases avg avg 3~2 3 g f T on the error, thereby compensating f or the legs~gcect of l response and valve positioning.

s reactor power by control rod insertion.

reduces reac tpoint steam dump is redu appx'oaches avg valves are f ully seated M en ough to be handledoontroL system alone.~~d contra trol system also acting on the T-T f errox'ignal

~avg ref Ln order to prevent actuation of steam dump on small load perturbations, ,r a block is provided which prevents valve response to either the trip~modulate signal unless a turbine load reduction has occurred.AIl elcaents of this channel, including the turbine impulse chamber pressure tap, are independent of the steam dump control system described above.4 rate/lag unit in this channel generates an output proportional to~rare of decrease in turbine load;This output, when indicating a Load rejection gxeater than lOX step or 5X/mLnute ramp, removes the Once unblocked, this block is manually xeset.Minual-contxol of~team dump also removes this block.7uxb inc Tri Control~~e of the laxge heat capacity of the Reactox Coolant System and~~high T at full load the steam generator safety valves would avg~'~owing a turbine trip if there were no other means of removing ed heat.'ondenser steam dump and subcooled feedwater flow 3.2-4  

plant to thermal no-load equilibrium without~~ed to bring-lease to atmosphere.

e ea I e trip, monitored by loss of turbine autostop oil t e o he load re]ection steam dump controller is defeated and plant tr p trip controller becomes active.In the T control mode, avg r signal is T-T d'nd steam dump is proportional

~error s gn avg no-Load'he same error signal is used for on-off control of~fe~>>ter control valve, as described in 3.4, Steam Generator~L Control.As T.is reduced to its no>>load setpoint, steam'vg reduced and feedwater is shut off.As in the case of p load re)ection, if the error signal exceeds the HX setpoint, a trip asgaaL w generated which trips open four of the eight valves to their iull~pen position.At the occurrence of a HI-Hl trip signal, all~ght valves trip open.GeneraUy, the valves are not closed completely l~use of decay heat.No-load conditions are established within mo minutes.pressure Control'or><<g term removal of residual heat at hot shutdown, o~during plant it>rtup or cooldown, the plant operator can manually switch to steam der pressure control.In this control mode, condenser steam dump o maintain a preset pressure in the steam header.A manual~tion is provided so that the operator can ad)ust the setpoint~<<ssure or manually position the valves.3.2-5  

~pbbs j, S>H~ZC S~RELIEF SYSTEH steam relief valves are mounted on the steam mains upstream uoayher'c steam ves.At the set pre 4g~>o steam (about 1050 psig), f low calcu'c have provisgon f e s less than Z0 Provided to reduce d to permit a plant oold s'cedia dump is not available.

These functions are explained below.a)If a plant trip is caused by loss of condenser vacuum, condenser dump m bIocked.The'steam generator safety valves are available to remove stored energy from the Reactor Coolant System.Atmos-@heroic steam relief reduces the steam pressure below the safety valve set pressure within two minutes after the trip.This prevents'ontinuous chattering of the safety valves as residual beat m removed from the reactor.Plant coo]down is accomplished by steam dump.If condens<<dump not available, the atmospheric relief is adequate to cool d~to the temperature and pressure at which the residual heat removal system can be used.3.2-6  

C)Zn the event of a plant trip caused by an overpower/overtemperature condition or by a faU.ure in the feedwater system, the atmospheric steam dump provides additidhal relief capacity, reducing the pro-babDity of safety valve actuation.

Separate controllers are provided for the atmospheric dump valves on the two steam generators, permitting independent pressure regu-lation if the steam generators are isolated.3e 2~7 T cold AVG T~at 1 V2 Swl K3 P K2 AT setpoi t E Comparator 2 2]4 Logic 3 C 4 hot cold'/Comparator Rod Stop 0$EBTEMPEBATURE AT CHANNEL (ONE CHANNEL OF POUR SHOWN)P1GVRE 3.1-1 F~.~~'I rl EnM lEHEl/ATOR Nntrr.)VAl VN ISAtIM YAllg l J IOOla'nON VALVE BYPASS.VALVE HAIN FEEDWATEE kLN.IQ'AI.VL I IA)I AT I lNli Olla:K TO TURBINE CON1'AINMENT AUXILIARY FEEUHATER+P go I i CONDENSER STEAM DUMP VALVES<<TEAM IEHERATOR B MAIN FEEWATER TO CONDENSER AUXILIARY FEEOHATER Figure 3.2-1 STEAM CYCLE VALVE ARRAMEMENT I i

~en/LAG COMPENSATION STEAM DUMP)ER PRESSURE CONTROLLER r RATE+RESET AUTO"MAN STATION PROP.ANALOG SWITCH OPERA-TING ON TURBIHE TRIP SIGHAL STEAM DUMP SELECTOR SWITCH MODULATE COHDEHSER DUMP VALVES LEAD/LAG COMPENSATION

((<>>s).I Jf<Sgl+fg$)L TRZ I COmZROLIhR Hi-TURB ZHE TRIP INTER-LOCK LOGIC TURBINE-TRIP SIGNAL TRIP OPEH GROUP A VALVES OR TRIP OPEN GROUP A 8c B VAL~STEAM DUMP VALVES.TRIP OPEH ONLY IF UHBLOCK SIGNAL IS PRESENT (SEE BELOW)Hj E LOSS OF LOAD INTERLOCK r:J+A--ROPRIATE POSITION OH SKZCTOR SWITCH ZHTKGDCK Figure 3.2-2 CONDENSER STEAM EUMP CONTROL SC1HHE UHB LOCK STEAM DUMP VALVES SIGHAL TURBINE TRIP SIGNAL BYPASSES LOSS OF LOAD INTERLOCK AHD UHBLOCKS STEAM DUMP VALVES 1 f'V (Y+gpQ+g+q+gl Y f" Al+J 1l 3 3 REACTOR CONTROL The basic Reactor Control System consists of three channels, which are re temperature (T), powez'ismatch (QT-Q)and reactor coolant avg'x'essure (P)~The output'of these three channels is used to drive the control rods via the rod program.A schematic representation of the control system is given in Figure 3.3>>1.The functions of each of these channels are as foU.ows: a)To maintain the programmed T as accurately as possible avg b)To be responsive to load perturbations without causing undue movement and reactor trips c)To take corrective action in the case of large load changes if the pressure exceeds the limits of the noxma1 pressure control.The T erature Channel The temperature channel functions to maintain the programmed temperature

-(T)as accurately as possible.The main requirements of this channel avg are that it should be accuxate, stable and repeatable.

This is the dominant contx'ol channel in steady-state conditions.'he Power Mismatch Channel The power mismatch channels provide control stability and fast response t>>oad pertuxbations.

The output is proportional to the mismatch between turbine power and nucleax power.A high-pass filter in this channel ensures that steady-state calibration errors in the input power signals"as no effect on steady-state control.3.3-1  

.at I ,'g l~jl  

~other requirement of this channel is that its steady-state output should be zero even though a Axed offset in power signals may exist.The Pressure Channel This channel is provided to prevent large pressure changes foU.owing a large change in power.It retards the rate at which the controller changes T to its new programmed set point.(If T were to be changed avg avg too rapidly, pressurizer pressure contxol might not be able to maintain pressure within the normal operating range.)The pressure control channel has an adjustable deadband, so that only large pressure changes have an effect on rod motion.This channel is not required for initial plant.operation.

The Rod S eed Pro am The rod speed program is made up of four parts: ari adjustable deadband, a minimum speed, a proportional speed, and a maxLmum speed.The auucLannn speed is dictated by the mechanism design.A11 the other settings are ad)ustable.

Expected set points are+1.5 F for the deadband, and+5 F for amximum rod speed demand.The outputs from the three channe1s mentioned above feed into the summing amplifier associated with the rod program.3a3~2 Ijgg~gi 4t'~s~A)t l(~<lI>I l.(I~')F~As)u AVO l Turbine Im ulse Pressure~gS+1 Speed 4n+E T S t6S+1 0 ariable Gain+Pressurizer Pressure E tyS+1~88+1 Pressure Set oint REACTOR CONTROL SYSTEH Figure 3.3-'1  

~I~I 4 j~

CINERATOR LEVEL CONTROL M operation, the position of the main f eedwater control valve is ope 11ed by the three-element controller (feedwater flow, steam flow, At low loads a bypass control valve is used.>+tpoint o f the 1 evel contro 1 1 er is a f unct ion of load, programned ise with load between OX and-2OX load.A deviation alarm provides~ti~uous monitoring of the level channel used for contxol versus the programmed level.~>narrow-range level channels are indicated.

The wide-range level channel is recorded..he steam flow and feedwater flow signals aze supplied by either of two transmitters as selected by a contxol board mounted selector switch.The steam and feedwater flow signals used for control are recorded on a two pen recorder.":ollowing a turbine trip, automatic control of the feedwater valve is switched from the three mode level controller to on off T control.avg<1<<edwater control valves under automatic control are fully opened to admit auucbnum feedwater, then fully closed as no-load T avg approached to avoid excessive cooldown of the Reactor Coolant System.~<<1 contzol of feedwater control valve position is available at the ontrol board.This mode o f control overrides automatic contzol on either level or T avg 3.4-1 tO~+~~'"'=*4%-4'ft'%41''V~~k/+''t p i t' order to prevent excessive'moisture cazxyover caused by high steam~erator water lev~.a sig al of high water level ove~des a3.Other tzol and closes the feedwater control valve.The signal is obtained from coincidence of two-of-three level channeLs above a preset value.This override is automatically removed from the main control valves as the water level drops below Che set value.Manual reset is required for the bypass control valve.The signals affecting feedwater valve control, in increasing the order of priority, are listed below: a)Three-element level control or on-off T control (dependent on avg whethez or not'turbine is tripped)b)Manual control c)High level override (closes feedwater valves)d)Safety Injection System actuation (closes feedwater valves).A wide-range level channeL, calibrated for no-load conditions, fa provided co allow manual control at hot shutdown and is also useful at cold shutdown This channel includes a recorder.3.4-2  

~PROTECTION SYSTEM~~q BR IN JECTION SYSTEM ACTUATION QEEIY f actuating the Safety Injection System have been noted in o act Those particularly concerned with steam line break pro-~~4 3~~~a are low steam 1 ine pressure and hi gh containment pressure.~An are o low steam~steam line pressure signal is generated by the coincidence of~f three channels below approximately 500 psig for either steam line.~~high containment pressure signal is generated by the coincidence of~f-three channels above approximately ten per cent of containment

~ign pressure.3.5.2 FEEDWATER LINE ISOLATION Any safety infection signal isolates the main feedwater lines by closing all four main control valves, tripping the main feedwater pumps, and closing the pump discharge valves.3.5-3 STEAM LINE ISOLATION a)High steam flow in coincidence with any safety in)ection signa1 closes the isolation valve in that steam Une.One-out-of-two steam flow signals above a HI-HI~p p (approximately 120X of fuLl load steam flow)One-out-of-two steam flow signals above a HI trip point (approx-imately 20X of full load steam flow)in coincidence with two-out-of-four low T signals (below approximately 540'7)avg 3.5-1 ll IJ, J,=" 4~1'~~"J bi~e coincidence of tv~f-three high contaf.nment pressure signaLs Rctustion~

.OV<VD CONTROL SYSTEMS DESIGN PRINCIPLES PUNCTIONAL DESIGN p hi los oohy f or f unctional design Protection System is to derive p os on~re wirectly from the process variables of interest whenever possible.~oner, safety limit protection is assured independent of the ting acc'dent..~ertemperature high delta-T trip protects the core against Departure nucleate Boiling (DNB)for all combinations of pressure, temperature,~r.and axial power distribution.

Thus, this single trip prevents DNB!'r.-cd<<ithdrawal accidents, boron dilution, xenon oscillations, and cxcessire load variations.

Protection against other limits, such as excess ve power, density and system overpressure, is also provided by close~itorinz of the variable of direct interest.;c ce="ain cases, however, these general protection functions are not rapid enough, or complete enough, to assure protection against a specific accident, such as loss of coo~~nt flow.In these cases, specific trip functions are orovidec, such as reactor coolant pump bus undervoltage and reactor coolant~or ce""ain more cre"'ble transients, such as turbine trip, a reactor trip 4-s derived from the.nitiating event-even though safety limf.ts would not oe exceeded if a reac":=trip were delayed until an overpressure or over-tempera=ure rri" oc""red.1n this manner, undesirable excursions are preven=ed, rathe t"..sc terminated.

4.1-1 certain protective functions are provided primarily to ensure the F~~lly, ce ufng integrity of plant component and piping systems.Examples include-or trip on high pressurizer water level to protect safety valve relief.eac or@fan Co and reactor trip on loss of feedwater to any steam generator.(The@clear'oss of safety requirement is to prevent complete loss of heat sink;i.e., feedwater to all steam generators.)

."-or equipment design purposes, no distinction is made between the various categories of protection mentioned above.The same criteria and design oractice are appLied to all channels.Other alternatives are neither defensible nor practical, since all of these protective functions enhance nuclear safety and complement or supplement one another.:his approach requires an instrumentation system that measures, on a timely, accurate, and reLiable basis, dominate nuclear plant process variables.

instrument ranges, sensitivity, and time response must be selected consistent Wth the range and variation of each variable monitored.

Also, since many process variables are monitored, considerable overlap in protection functions is a natural consequence.

~l st'I~

CONTROL SYS~FUNCTIONAL DESIGN Power level and reactor coolant temperatures are controlled automatica3.l.y in a Westinghouse PWR Plant.The reactor is controlled to foU.ow any turbine load perturbation.

This is ideal for load frequency control.The automatic Reactor Control System, therefore, forms an essential part of the plant operation.

It is basically a regulating system which maintains proper steady-state operating conditions, thereby assuring adequate margins to trip settings for operational purposes and proper economic performance.

Other automatic control systems are pressurizer pressure and level control, feedwater control, and steam dump control.These systems are also essential to maintain normal operating conditions or to suppress excursions imposed by oaerational transients without recourse to protective action.As in the Protection System design, this requires an instrumentation system that\measures, on an accurate, timely, and reliable basis,'ominate nuclear plane process variables.

Theqe variables are, for the most part;the same as those required by the Protection System: loop temperatures, neutron flux;oressurizer pressure and level, steam generator level, steam flow and feedwater flow.In addition, the time response, instrument, span, and~~nsitivity requirements for measurement channels serving each of the two~y~tems are similar.As a result, primary sensor and transducing equipment that is acceptable for use with the Protection System should also be employed with the Control System.Failure of the Control System to act when needed, or spurious actuation when not needed, generates a need for protection.

The safest, plant is 4.2-L o niped to be one that requires the Least protection.

For this reason, well as the economic desirability of avoiding plant outages which could gave been prevented by proper control actions, every effort is made to ensure reliable control.Wherever practical, control interlocks and/or redundant control devices are provided to ensure that controL action takes olace when needed-but only when needed.Controller-induced excursions causedby a single sensor failure are largely eliminated in Westinghouse design practice.  

~g++S FEED PLOW L3 SF 1)Xg I PROP+INZEC I I I~I-, I I I I I I I I I PROP+INTEG I LEVEL CONTROL SYSTEM l I I I P I'2)FW Pl FW I I I PEEDWATER I CONTROL VALVE I ACTUATOR I I I~/7 t~Ji I t 2/3 HI LEVEL 2/3 LO-LO LEVEL I 2/2 I 1/2 LO FLOW LEGEND FWF-PEEDWATER PLOW TRANSMITTER SF-STEAM PLOW TRANSMITTER P-STEAH PRESSURE TRANSMITTER L-LEVEL TRANSMITTER I-ISOLATION AMPLIFIER h-DIPPERENCE AMPLIFIER X-MULTIPLIER EDWATER CONTROL REACTOR TRIP REACTOR TRIP VALVE CLOSURE AND AUX.FEED PL"IP START AND INDICATORS NOT SHOWN.STEAM GENERATOR LEVEL CONTROL AND PROTECTION SYSTEH FIGURE 4.2-1  

3 CONTROL AND PROTECTION INTERRELATION Aorrent Westinghouse PWR systems, the Protection and Control Systems are'n curren and distinct and are identified as such The Control System><<eer, is dependent on signals derived from the Protection System through isolation devices.However, there is no feedback from the Control System.o the Protection System.>e equipment design philosophy, illustrated on Figure 2-1, is that the Control System sensor is the output of the isolation amplifier.

By this orinciple, no components are shared-they are either part of the Protection System and are located and designed as such, or they are part of the Control System.This is a very important feature of the Westinghouse design, and permits a dividing line, both functionaUy and physically, to be drawn between control and protection.

It also ensures that, inadvertent or I deliberate changes to the Control System have no more effect on the Pro-I rection System than if the Control System contained independent sensors.The design requirement for the analog isolation amplifiers is to isolate the~<<tection System from any electrical faults which might occur in the<<<<rol System.Extensive tests were performed to demonstrate this'apability.

In these tests, shorts, grounds, and a-c and d-c voltages were applied to the amplifier output.Even though some of these tests were st<<ctive (i.e., destroyed the ability of the amplifier to produce a meaningful output signal), in no case was any perceptible disturbance fed ac" into the input circuit and hence to the protection System.4.3-1 0

The presence or absence of regulating control devices on the downstream side of the isolation amplifier has no effect on the isolation requirements.

The same equipment and design requirement would exist even if these signals were brought out of the Protection System merely for remote readout and data-logping purposes.Since channe1 isolation cannot be reliably main-tained on the control board or at the input terminals to a data-logger, an isolation device (amplifier or impedance network)in the protection channel represents the only feasible way to preserve protection channel independence.

Certain failures in the Protection System could conceivably negate a par-ticular channel of a protective function, simultaneously causing spurious control action that might, require protective action from that same function to prevent the excursion from exceeding design limits.Such possible failure is dealt with in accordance with the proposed standard,"Criteria<or Nuclear Power Plant Protection Systems", IEE No.279, Section 4.7, which requires that for such a fault, a second failure be assumed in the'Protection e In most cases in'which control is derived from protection, Westing-"se design meets this criterion by providing a two-out-of-four Protection System Loaic.For example, as shown in Figure 4.3-1,'a failure can be" s~ed in Protection Channel L which causes that channel to indicate high.defeats the low pressure reactor trip for the channel, and also may"e Pressure Control System (relief valves and spray)to rapidly reduce~assure.However, three of the pressure protection channels are left-.@ached t sure t P nd a reactor trip would automatically occur when any two of them T this additional redundancy is not necessary because such other cases, cannot cause the safety limits to be exceeded.This fact can canno illustrated by Figure 4.3-1.A loss of signal (low indication) bc assumed for Protection Channel 1.This defeats the high pressure bc assume or that channel and may also energize the pressurizer heaters, causing l~increase in pressure.If an independent failure is assumed in Channel 2, g glow nc cactor trip would occur when the pressure reached the high pressure trip~taint since only one of the three high pressure trip channels is left However, under this condition the safety valves on the pressurizer g<c~ore than adequate to ensure that the high pressure safety limit is not acceded.Section 4.4 discusses all such control and protection interactions for a mccific plant design.In that section, it is noted that numerous operational

-'cfenses against these failures exist in addition to the primary or"protection a'ade" defense.Many of these additional barriers to.an undesirable excursion N 4c'c made possible by making redundant information avaQ.able to the Control System.+c possibility of common-mode failure cannot be completely ruled out;it is<<<<eivable that all identical channels behave identically, but incorrectly.

.""-his case, the question of Control System dependence on the Protection em is irrelevant.

It has been recognized that little, if any, additional deere e<<<<of protection is achieved by having separate, but identical, instru-"t channels for control and protection.

Indeed, Westinghouse considers t separation in this manner actually deprives the protection System of 4.3-3  

e of the day-Sy&ay, hour-by-hour surveillance given to instrument chaels needed for routine plant operation.

A further, although often ggnored disadvantage of proliferation of identical channels, is the attendant increase in visual displays and information processing problems of significant oroportions.(Timely, accurate and complet~Lnformation readout is required by the IEEE criteria previously referenced.)'

frequently expressed concern is the need for assurance that the Protection System will not be inadvertently modified during the 40-year life of the plant, This is occasionally cited as an argument against control dependence on Protection System information Westinghouse completely agrees that every precaution must be taken to ensure adequate review of any future modification that could affect the Protection System.Such assurance can only be achieved by complete attention to details in Protection System design, operation and maintenance.

This must include I identifica'tion of system components on drawings and on tha equipment', documentation of the system design and design basis, and establishment of groups to review all proposed instrument changes that could affect'plant~safety or plant operations.

It is fallacious to believe that independent control adds to this assurance.

In fact, such independence could decrease the probability that a necessary correction to the Protection System will be Inadequacy of controller design requires correction to allow plant operation to proceed;inadequacy of protection is sometimes discovered only after an incident.4,3 4 Control System modifications may be required to improve plaat operation.

por encamp 1 e, a f i 1 ter may have to be added to achieve stabi lity.As a control modification, this would logically be performed in the Control Systm;i-e-7 downstream of the isolation dances separating the Control and Protection Systems.Physical separation and identification of equipment (separate racks for Control aad Protection Systems)and admini-strative precautions ensure that the logical route is, ia fact, the one used.Even advocates of complete independence between control and protection recognize the desirability and feasibility of using protection signals for non-protective functions...his introduces the possibility of thesesignals being diverted for other purposes unless a careful review and adherence to design bases is enforced.The division between control and protection is not always clear.This reflects difficulty in defining the function achieved, rather than in equipment design imnlementatioa.

Definitions that place all reacto'x" trip aad safeguards actuation instrumentation in the Protection System, and all automatic regulating instrumentation in the Control System, clearly leave many important items in between.Another definition advanced'is that the Control System is"all instrumentation which is not protection," and the Protection System is"that instrumentation which must work when needed (to prevent unacceptable consequences)." This latter defiaitioa has considerable merit for general discussions and is useful in Judging whether or not a particular item is a"protection" item or not.However, if taken as a rigid it is difficult to apply to all design details, as is showa below.4.3-5 P z example alarms and/or control room indications derived from protection hannel information are essential if the operator is to be properly and continuingly infoxmed of the Protection System status and the status of plant safety.As px'eviously noted, these alarms and indications aze required by the referenced IEEE criteria as a vital pazt of the Protection System.order to maintain protection channel isolation, Westinghouse equipment design practice associates remote indication with the output of the isolation device.Other functions, such as control interlocks (e.g., rod stops)are often highly desirable, and may even be essential to plant safety if a number of malfunctions or maloperations should occur simultaneously (i.e., beyond the normal design proundrules).

Westinghouse has used the term"supervisory" for that category of functions that.is neither clearly control or protection.(This is a functional I designation only, and does not imply a third category for equipment design.)Supervisory functions can be further subdivided into two types: those that are informative only (indicators, recorders, alarms, and data-logging);

and those which automatically act to arrest deteriorating conditions before protective action is needed.(This latter type has been texmedi"override", or"protective override.".)

Since the question is one of whether manual or automatic intervention is intended, the value of distinction is limited to failure mode analysis of automatic controllers.

4.3 6 N%&A t'9" r.l~r' westinghouse record.zes that each"supervisory" function must be considered on its own merits to determine if it should form part of the protection or the Control System.A complete list of protection, control, and"supervisory" functions is included in the Appendix.4.3-7  

~+m 8 w4':'l n 1' PROTECTION

~axWEL PROTECTION CHANNEL 2 PROTECTION CHANNEL 3 PROTECTION CHANNEL 4 PT i PQ~~~PC'~HI P R.T.t PC~LO P R.T.I I ISOL'.~~PC~HIP'.T.PC'OP~ISOL QPT" PQ PC'~HI P R.T.)PC LO P SOL gPT PgQ PC LO P R.T.SOL I r I L PRESSURE CONTROL SYST~I I I I I PRESSURE CONTROL SYSTEH (INCLUDES SIGNAL CONDITION-ING AND CONTROLLERS AND INTERLOCKS FOR HEATERS, SPRAYAND RELIEF VALVES)PT-PRESSURE TRANSHITTER PQ-POWER SUPPLY PC-CONTROLLER ISOL-ISOLATION AHP HI (LO)R.T.-HIGH (LOW)PRESSURE REACTOR TRIP PROTECTION SYSTEM COMPONENTS CONTROL SYSTEM CMPONENTS INDICATORS, AND RECORDERS ARE NOT SHOWN PRESSURIZER PRESSURE PROTECTION AND CONTROL SYSTEMS DESIGN FIGURE 4.3-1 th(O P'I 4 A4'g~

SPECIFIC CONTROL AND PROTECTION INTERACTIONS design basis for the Control and Protection System permits the use of fox both protection and control functions-Where this is done,>l equipment common to both the protection and control functions are classified as part of the Protection System.Isolation amplifiers prevent.a Control System failure from affecting the Protection System.In addition, Mhere failure of a Protection System component can cause a process excursion which requires protective action, the Pxotection System can withstand another, independent failure without loss of function.Generally, this is accomplished vith two-out-of-four trip logic.Also, wherever practical, provisions are included in the Control or Protection System to prevent a plant outage because of single failure of a sensor.The following discussion of specific control and protection interactions t is based on the design for the Robert Emmett Ginna Nuclear Station of the Rochester Gas and Electric Co.(RGE)-It is xepresentative of current Westinghouse design-practice.

4.4.l NUCLEAR FLUX Four powex range nuclear flux channels are pxovided for overpower protection.

so~<<ed outputs from all four channels are averaged for automatic control<od regulation of power.If any channel fails in such a way as to pxoduce~ow output, that channel is incapable of proper overpower protection-In p inciple, the same failure could cause rod withdrawal and overpower.

Two-"t<<-four overpower trip logic insures an overpower trip if needed, even"ith an independent failure in anothex channel.4'>>l ddition" the Contxol System responds only to rapid changes in indicated f1~.slow changes or drifts are overridden by the temperature control nuclear t i al.Also a rapid decrease of any nuclear f1~sig 1 block autistic xo w d withdrawal as part of the rod drop protection circuitry.

Finally, an overpower signal from any nuclear channel blocks automatic rod withdrawal.

The setpoint for this rod stop is below the xeactor txip setpoint.4.4.2 COOLANT TEMPERATURE Four temperature channels, each containing a Tavg and a 4T signal, are used for overtemperature-overpower protection.

Isolated outputs from all four T signals are, also averaged for automatic.

control rod regulation of avg power and temperature.

In principal, a spuriously low T signal from one.sensor would partially defeat this protection function and also cause rod withdrawal and overtemperature.

Twomut-of-four trip logic is used to insure that an overtemperature trip occurs, if needed, even with an indepen-dent failure in another channel.In addition, channel deviation alarms in the Control System block automatic<<d motion (insertion or withdrawal) if any Tav signal devtates significant3.y from the others.Automatic rod withdrawal blocks also occur if any on~f-<<ur nuclear channels indicates an overpower condition or if any oneof-four temperature channels indicates an overtemperature or overpower condition.

Finally, as shown in Section 14.3..2, of the RG&E Final Safety'Analysis Report, th<<ombination of trips on nuclear overpower, high pressurizer water level, nd high pressurizer pressure also serve to limit an excursion for any rate f reactivity insex'tion.

4.4-2 PRESSURIZER PRESSURE pressure channels are used for high and Low pressure protection and F for overpower-overtemperature protect i on.Isolated output signals f rom these channels also are used for pressure control and compensation signals for rod control.These are discussed separately below.Control of Rod Motion one of the pressure channels is used for rod control with a low pressure signal acting to withdraw rods.The discussion for coolant temperature is applicable; i.e., twowutwf-four logic for overpower-overtemperature protection as the primary protection, with backup from multiple rod stops and"backup" trip circuits.In addition, the pressure compensation signal is, Limited in the Control System such that failure of the pressure signa1 cannot cause more than about a LO'F change in T.This change can be avg accommodated at full power without a DNBR less.than L.30.t Finally, the pressurizer safety valves are adequately sized.to prevent system overpressure.

Pressure Control Low Pressure A spurious high pressure signal from one channel can cause low pressure by spurious actuation of spray and/or a relief valve.Additional redundancy is provided in the Protection System to insure underpressure protection;

<.e., two~ut~f-four low pressure reactor trip logic and one-out~f-three Logic for safety in)ection.(Safety in]ection is actuated on one-outmf-three coincident Low pressure and low leve1 signals.)4.4-3  

0 addition, i terlocl are Provided in th Pressure C t ol System such~t a relief.valve closes if either of two independent pressure channels i dicates low pressure.Spray reduces pressure at a lower rate, and some ti e is avaiLable for ooerator action (about three minutes at mmchnna spray-ate before a low pressure trip is required.)

The pressurizer heaters are incapable of overpressurizing the Reactor Coolant System.Maxinnm steam generation rate with heaters is about 7500 lbs/hr., compared with a total capacity of 576,000 Lbs/hr., for the two safety valves and a total capacity of 179,000 lbs/hr., for the two power-operated relief valves.Therefore, overpressure protection is not required for a pressure controL failure.Twomutmf-three high pressure trip Logic is used.Xn addition, either of the two relief valves can.easily maintain pressure below the high pressure trip point.The two relief valves are controlled by independent pressure channels, one of which is independent of the pressure channel used for heater contxol.Anally, the rate of pressure rise achievable with heaters is slow, and ample time and pressure alarms are available for operator action.4.4.4 PRESSURIZER LEVEL Three pressurizer level channels are used for high level reactor trip (2/3)and low level safety infection (1/3 logic level coincident with" Pressure).

Isolated output signals from these channeLs are used for volume control, increasing or decreasing water level.A level control 4.4-4  

'E l

;ailure could fill or empty the pressurizer at a sLow rate (on the order OE f half an hour or more).Irggh 18V81~reactor trip on pressurizer high level is provided to prevent rapid 4 thermaL expansions of reactor coolant fluid from fiLLing the pressurizer; the rapid change from high rates of steam relief to water relief can be damaging to the safety valves and the reLief piping and pressure relief tank.However, a Level control failure cannot actuate the safety valves because the high pressure reactor trip is set belo~the safety vaLve set pressure.With the slow rate of charging available, overshoot in pressure before the trip is effective is much less than the difference between reactor trip and safety valve set pressures.

Therefore, a control failure does not require Protection System action.Tn addition, ample time and.alarms are available for operator action.Law Level For control failures which tend to empty the pressurizer, one-out-of-three Logic for safety infection actuation on Low Level insuresithat the Protection Sy<<em can withstand an independent failure in another channel.<n additon, a signaL of low level from either of two independent level control channels isolates Letdown, thus preventing the loss of coolant.ampule time and alarms exist for operator action.4.4-$

gTEQf GENERATOR WATER LEVEL PESWATER PLOW before describing control and protection interaction for these channels, it is beneficial to review the Protection System basis for this instru-mentation The system is shown schematically in Pigux'e 4.4-L..The basic function of the reactor protection circuits associated with Low steam generator water level and low feedwater flow is to preserve the steam generator heat sink for removal of long term residuaL heat.Should a complete loss of feedwater occur with no protective action, P the steam generators would boil dry and cause an overtemperatur~verpressure excursion in the reactor coolant.Reactor trips on'emperature, pressure, and pressuri.e'er water level trip the plant before there is any damage to the core or Reactor Coolant System.However, residuaL heat after trip causes thermal expansion and discharge of the xeactor coolant to containment through the pressurizer relief valves.This would bxeach one of the barriers-.the Reactor CooLant System to release of fission products.Redundant emergency feedwater pumps are provided to prevent this.Reactor trips act before the steam generators are dry to xeduce the required capacity and starting time requirements of these pumps and to minimize the thermaL transient on the Reactor Coolant System and steam generators.

Xndependent tx'ip circuits are provided fox the two steam generators for the following reasons: a)Should severe mechanicaL damage occur to the feedwatsx'in'e to one s~eam generator, it is difficult to insure the functional integrity of level and flow instrumentation for that-unit.Por instance, a 4-4-6.

r~c-'c.'(l\1 I pipe break between the f eedwater f low element and the steam os]or p pe generator exator would cause high flow through the flow element.The rapid xessurization of the steam generator would drastically affect the depxessu ac elation between downcomer water level and steam generator water inven-However, the independent circuits on the second steam generator~e sufficient to actuate a reactor trip if needed.~j gt~r desirable to miabaize thermal transients on a steam generator for credible loss of feedwater accidents.

Coatxoller malfunctions caused by a Protection System failure affect only aoe steam genexator.

A1so, they do.not impair the capability of the main feedsrater system under either manual control or automatic T control.avg Hence, these failures are far from being the worst case with respect to core decay heat removal with the steam generators.

Frectvater Plow*Npu<<ous high signal from, the feedwater flow channel being used for control used cause a reduction in feedwater flow and prevent that channel from~ping.A reactor trip on low-low water level, independeqxt of indicated~<<er.low, insures a xeactor trip, if needed." t<<n.the three-element feedwater controller incorporates reset on~such that with expected gains, a rapid increase in the flow signal~d ca o>>y a 12-inch decrease in level before the controller xe-opened eedwat r valve.A slow increase in the feedwater signal would have no g4C+~~ect 4.4 7 CC 88K spurious low steam f low signal would have the same effect as a high ceedwater signal, discussed above.~r A spurious high water level signa1 from the protection channel used for cont ol tends to close the feedwater valve.This level channel is inde F Pendent of the level and flow channels used for reactor trip on low flow coincident with low level.a)A rapid increase in the level signal completely stops fee@rater flow and actuates a reactor trip on low feedwater flow coincident with low level.b)A slow drift in the level signal may not actuate a low feedwater signal.Since the level decrease is slow, the operator has time to respond to low level alarms.Since only one steam generator is affected, automatic protection is not mandatory and reactor trip..on two-out~f-three low-low level is acceptable.

4-4.6 STEAN LINE PRESSURE~<<three pressure channels per steam line are used for steam break Protection (twomutmf-three low pressure signals for any steam line actuates saf Bty in]ectj.on)

.One of these channels is used to control the Powermperated relief valve on that steam line.These valves.are typically t<<at 10K of the safety valve capacity A spurious high pressure signal C>>he channel used for control opens the re1ief valve and causes low~ure~This is a slow rate of steam release, evaluated as a credible 4.4-8 break in Section 14.2.5 of the RG&E Final Safety Analysis Report.~the analysis of steam breaks of this size, no credit is taken for the te~line pressure instrumentation-Safety injection is actuated by the oressurizer instrumentation.

Therefore, a control faire does not create for this protection, and two-out-of-three logic is acceptable.

~~~ATION e~DEWAL ACCT~Syst'~evaluation of the rod withdrawal accident is based System parameters, protection system, and expected reactivity

?The design basis for the Reactor Protection System to~tt~ts-care far rod withdrawal accidents is to trip the reactor ygececi 30 DNBR is reached in the hot channel.While diversity in trumentation is not a part af the design basis, the system~~idled does provide alarms, rod stops and control functions to~~t>e vithdrawal from proceeding to the trip point.Because of~~t effect of overpower on all the process variables, additional

~!unct~<as would act to terminate the excursion, but aot'necessarily

~e l.30.Extending the course of the accident, a DNBR of 1.0 in the.~+seeably" is arbitrarily selected as a Umit for a.second Level of ycecectian.(The"hot assembly" is essentia1ly the hot channel without a?Xueaaca for engineering hot channel factors.)No credit.'is taken for~!~ttening or Local,'void reactivity effects at overpower conditions.

~est pess&istic instrument error.and'set points are assumed for aLl I tea:tar wips.~iced averpawer is of serious concern because of the potential damage to De core d the Reactor Coolant System.Syst by either the high pressure reactor trip~sea M con)unction with any reactor~p at'ater lev ity for core damage+n Wta evalua uatian is zocused on this cance~'.L-L  

'~s prot tection against the rod withdrawal leading to undesirable conse-quences s is in considerable depth, and there are indeed multiple levels of Prate f ro'rection as listed below.Each of these levels could be independently

~idered adequate, diverse protection against an accident.Because the reactivity available by rod withdrawal is limited, only very rare cases could complete rod withdrawal cause core damage.A single trip function with redundant channels protects against this condition.

No diversity or separation is required.b)~u1tiple, diverse rod stops are provided such that no failure can cause a sustained automatic rod withdrawal.

Therefore, a reactor trip could be considered as backup protecti.on.

c)For"fast" excursions, two reactor trip functions prevent all but limited core damage.For"slow" excursions, manual action is an adequate backup to the automatic protection system.4)For all rod withdrawal accidents, ae least two reactor trip functions exist, either of which would again prevent all but limited core damage.Fault tree diagrams are shown on Figure 5.1-1 and 5 3.-2.5'l.l.PROBABLE CONSEQUENCES OP ACCIDENT The adequacy, or depth, of protection required for an accident should be measured against the probability of the accident and the probable consequences of the unprotected accident.The probable consequences are discussed here.The od tivity available is in (alize burnup mai,ntain e 5.1-2 s A distribution, and reduce ejected rod worths).The design allowance~er d st ro d insertion at full power is 0.1X for"bite" plus 0.4X for the man-euver g i.e., rod insertion may be anywhere from O.IX to 0.5X.~izh calculated values for moderator and power coefficients at beginning f core lif e*, 0.3X reactivity insertion is required to reach a hot assembly gggR p f 1.0.Also, af ter 20X core burnup, 0.5X insertion does not cause a hot assembly DNBR less than 1.0-Therefore, a random, complete rod withdrawal from design full power conditions with no protection has about probability of causing, DNBR less than 1.0.This is illustrated by Figure 5.1.3.Although the figure and the above discussion are based on full power, they are equally applicable to accidents starting from less than full power since the additional inserted rod worth is needed to achieve full power.However, it may not be practical to guarantee these conditions because allowances for calculation or measurement uncertainties can significantly affect the results..Figures 5-1-4.and 5.1.5 shows a"worst case" complete rod withdrawal at 25X.of cox'eI life from 102X power, nondnal T plus 4 F, and nominal pressure less avg 30 psi.Reactivity insertion is assumed to be 0.6X, or 0.5X x 1.2.(This 20X uncertainty could have been applied, to the reactivity coefficients-instead of the rod worth.)M~aum hot assembly DNBR is 0.91, or slightly less than the axbitrary limit of 1.0.The same transient at 6(X of core knife is shown fox comparison.

MfxdnnmL hot assembly DNBR is 1.4&.*R activity coef f icients based on Figures 3 Z.1-8 and 3.2.1 10 in Supplement 4 to the RGE PSAR, dated October 23, 1968.5.1-3  

'I'5.J I C 1 lete analysis, considering statistical variations in all uncertainties, A comp~d determine a more valid value or the probability of exceeding any vould liven sa s sf sty limit If this value were suf f iciently small, a comparatively

~a~i<<protection system might be justified.

2 PROEABII,ITY OF ACCZDENT~e design intent of the Reactor Control System is to block automatic~d withdrawal for any failure which can cause sustained rod withdrawaL.

~is is accomplished by rod stops on rapid nuclear flux decrease, T avg channel deviation, spurious rod motion, and subsequent rod stops on high AT or high flux.If rod stops were considered as independent protection, Protection System criteria would be applied.These rod stops would then be classified fuLLy as part of the Protection System for a rod withdrawal accident.5.l.3 MANUAL INTERVENTXON

!annual action is reliable backup to automatic protection provided that sufficient time exists for operator response.The time required depends n the alarms available, the nature of the problem, and the required action.igure 5.1-6 illustrates steadymtate core limits and several alarm points nd trip points.Alarms are intentionally quite close to the design operating conditions.

Other alarms such as high pressure would be reached during a transient.

These alarms are tabulated on Table 5.1-1.~though steam cycle heat removal may be the most Limiting steadymtate rest triction on reactor power, time is required to reach corresponding

~arms and trip paints.'(Far instance~it would take about two minutes st 110X reactor Power with steam generator saf ty vaLves blowing before a steam generator Low-low water leveL trip could be expected.)

For thi reason, this evaluation did not include these alarms and trips Figures 5.1-7 through 5.1-10 show the results of transient analysi far various reactivity insertion rates at beginning of core Life from~full power (102X, nominal T+4'F, noa~pressure less 30 psi avg from nominaL conditions at 80X power.A constant reactivity insertion rate with unlimited available reactivity is assumed.Hmdmea settings end instrument errors are assumed for the reactor trips, and nominaL set points for the alarms.(Note: the high 4T rod stops are taken as 3'F below their reactor trips rather than their nominal set points.)ror a reactivity insertion rate of 0.5 x.10 gk./sec,, (corresponding roughly to maxfxnun rod speed at average rod worth), a hot assembly DER of 1.0 is reached, in about.two minutes.During this time, there are alarms on high T, pressurizer pressure, and pressurizer Level, as well as rod stops and alarms on high flux and high 4T.Also, the steam safety.alves would be actuated.Mith the multiplicity of aLarms, i.t.-is easy to diagnose a ms)or overpower-avertemperature excursion.

<<expect operator intervention (manual trip)during this thea For fast ter reactivity insertion rates, reacto<trip on high nuclear flux is a reliable protection system barrier.Therefore, since the avertemperature

}11 h g 4T trip protects for all excursions, one could classify it as the principal protection barrier with"backup" from high nuclear flux in con-~un<<ian with manual action.5.1-5 DEITY OF REACTOR TRIPS e protection system design basis for the rod withdrawal accident for ore protection required that one trip function with redundant channels preven<event a minimum DNBR less than 1.30.This is accomplished with the<<ertemperature AT trip for slow reactivity excursions, and the high nuclear flux trip for fast excursions.

As shown by Figures 5.1-7 through 5.1-10, these two trips meet the design basis-The evaluation also shows that for all cases of sustained reactivity insertion for rates up to four times the maximka rate expected from rod withdrawal, any of the following prevent a hot assembly DNBR less than 1.0.a)High nuclear flux reactor trip b)High AT trip l.Overpower AT 2.Overtemperature AT c)High pressurizer level reactor trip plus high pressurizer pressure reactor trip.(Not valid for high reactivity insertion rates:,.from near full power.)This depth of protection cannot be expected for all accidents or for all plants.5.1-6 TABLE 5.1-1 ALARMS FOR ROD WITHDRAWAL

~arms which would be actuated for a spurious rod withdrawal accident~e eax'r M.l Power are listed below i the aPPro~te order i which they Alarm points assumed for the evaluation are listed.Initiating Fault*-Mose'failures which can cause a spurious control rod withdrawal are alarmed and, in general, automatic moeian prahibited.

These include-a)NXS flux rapid decrease (1/4)(5X in 5 seconds)b)T channel deviation (1/4)p5 F from average)avg c)Rod.control fault-rod motion with no demand Z.Seep Counter-audible clicks from step counter alerts operator eo rad motion.3.NIS PWR RANGE OVERPOWER ROD STOP+(1/4)(105X)4.AVG TAVG-T REF DEV (T 5'F from program)avg 5.PRESSURIZER HX PRESSURE (2350 psia)6.PRESSURIZER RELXEF LXNE HX TEMP (when power-operated relief valves open)7.REACTOR'OOL HX TAVG (1/4)(5'bove nominal T at full power)avg 8.PRESSURXZER LEVEL DEVIATION (5X abave progr:mamed level ae full power)9.AUTO TURBINE RUNBACK OVERPOWER AW (1/4)(3 F less chan high 4T trip paine)AUTO TURBINE RUNBACK OVERTEMP 4M (1/4)(3 F less than high AT trip point)Ll.Steam Generator Relief and Safety Valve Actuation-audible steam release eo atmosphere 12.STEAM GENERATOR LEVEL SET POINT DEVIATION PRESSURIZER SAFETY VALVE OUTLET HX TEMP (2500 psia)CHAHM.'L ALERT-as reactor trip paints are reached for each channel Capitalized word groupings represent engxaving on annunciator panels.REACTOR TRXPS FOR ROD WITHDRAWAL Th<<allowing tx'ip paints were assumed for the evaluation:

NIS POWER RANGE HIGH RANGE (2/4)(118X)2.OVERPOWER 4T (2/4)(118X of full pawer AT).OVERTEMPERATURE dT (2/4)(variable) 4~PRESSURIZER HX PRESSURE (2/3)(2400 psia)PRESSURXZER HI LEVEL (2/3)(95X of span)Alarm and Rod Stop PAULT TREE fOR ROD NITHDRANAL ACCIDENT AUIONATIC PROTECTION HEEDED INSUFFICIENT TI'lE fOR MANUAL PROTECTION NEEDED EXCESSIVE ROD NORTH INSERTED EARLY IN CORE LIPE SUSTAIllED ROD MITHDRAVAL HIGH TBQ'AT ROD STOt RICH POSER AT RDD STOt CONTINUOUS ROD llITHDRANAL REACTOR IN NANUAL CONIROL AIPIQIATIC CON THOL PAILURE (SEE PICURE 5+1 2)fICURE 5 1~1 w J4 S fltAOLI t~f ISA~~~VII~A441~~IIC C480fl4.tf&I (SRS PICURE$.1-1)PA I LURE CONTINUOUS ROD MITHDRAMAL COND IT1OH OR EVENT RPS~REACTOR PROTECTION STSTIH RCS~REACTOR CONTROI.SIST IHPROPER C1RCUIT IH RCS ROD'NITHDRAMAL SEC IHS 1HDl GATED TISIP ERATURE OD SPEED HTROLLER(RCS)

ROD MITHDRAMAL SEC IHS ALL T VG CHANHE (RtS)Oa THPROPER SET POINTS (RCS)AHD TURS INK LOAD SIC HAL OR tOMER HISHATCH CHAICIFL (RCS)AVG OD STOP ROD MITHDRAMAL SEC INS NIS ROD DROP ROD STOt AVIRAGE TAVG DECREASE INDICATED tRESSURE DECREASE DECREASE IN INDlCATED PLUZ OR NIS (RPS)QQNHEL (RtS)AY%E TAVG RCS RESSURE CHANNEL (RtS)RESSURE CHAHHEI.(RCS)FIGURE 5.1-2 INSERTED ROD WORTH AND REACTIVIXY REQUIRED TO REACH DNBR~1.0 IN HOT ASSEMBLY VERSUS CORE LIFE 1.5~~~-Reactivity Required To Reach Hot Assembly DNBR Of 1.0 (116.5X Power," T~~589, 2250 PSZA)From FuLL Power~~1 0 Region Where Protection Is.Required~I P 0.5 PP Max.Inserted Rod Worth~P'~(Bottom of Maneuvering Band)-': I 0 Min.~erted Rod Worth (Top of Maneuvering Band)-.0 20 40 60 80 100 X OF CORE LIFE FIGURE 5.1-3  

1 a 1.0 o.5 0 COMPLETE ROD WITHDRAWAL FROM MAXIMUM FULL POWER Ca/-----MIDDLE OF CORE LIFE INITIAL RATE~Oa9 X 10 6k/SeC.)i~I..I[~.'.".a...p....'.",.'I..

0'0 40.60 80 100 120 140 TIME, SECONDS 160 150~la~~140 UP 120~0~OW f eo 100 4<<: HI FLUX t ROD STOP.':;: i HI FLUX=.-.~aa~~0 20 40 60 80 100 120 140 TIME1 SECONDS 160 a~~ta 3 j dT mENTS (M.O L)620~aaa aa aa'~~I 600 tP HI POWER.HI'PORN'SHI TEMP.)HI TZMIP.""""'"IHi&"'"'-I-I""" dT ROD:dT TRIP:IAT ROD.":dT TRIP.":I: '::-:.::!!::":I=-i:I

.'i: 0......',.".'.-..'.~:.: '.....i:-..~jl laa':::a~"'g 580 560 540 IN~<<~~(~''i L I~1""~=-q--)~..'..."..'"::I.i::

T~+:Ii 52O 20 40 60 8O 100 120 140 160 TIME, SECONDS  

.t~C 0't-...:--0'I'>>I>>~~TRIP AND STEADY-STATE CORE LIMITS AND REACTOR.-.ALABM POINTS 160>>~~I f~:t->>~~i---.-ALARM POINTS--'...ROD STOP I>>>>>>y>>.',:.:..[~>>I J-.I>>~$~~>>-REACTOR TRIP~>>>>~~.I~.>>!WATER LEVEL TRIPI I'..I-HI PRESSURIZER

"-~-.-"-n 140~~~+o.~:>>~~p>>I-~~I i."I I i I~I.'STM.GEN.SAFETY VALVES..l I~~'-:I I P I.-}.I~>>>>>>/>>~('Tl~~>>I I~~~/>>120 110'>>,!I..pl".I.:.HX FLUX.HI AT p , i..:l~I~I.f.::..HI AT~PI~T l.'I>>I.~.~I..-.3.I" I'-.":l,*>>+100~.:::I ,~~~:'I~'I)HI FLUX~>>I~~~~~I I I~~~, LL NOM'l" I I>>l'~r I'NAL'-I tt 90~>>>>>>~>>I'Lis>>I>>~>>~~>>>>I~PLOW LIMIT I.'~HI PRESSURIZER WATER LEVFL: I i>~.I.i'HI AX 82400 PSIA~I~I 80 70>>~I>>~~~>>G fx AV I'.I.g.II~'I I.I I I>>I 7'~-HI TEMP.4T-HI POWER dT 540 560 580 INLET TEMPERATURE,'P 600 FIGURE 5.1-6 BEGINNING OF LIFE ROD WITHDRAWAL FROM l02X POWER MINIMUM DNBR;I 2.50 2.00.I sf I I sll'e ti~es sse Ie's~~Ill: W)I'tt I~,I es sg~~e r tet'I~I e I sl e e~f~I I I I I lift:ef II~I~I I~I~LEV I I I I s~Ie~~[,H lift fits sf''e~e's"''tel lift:n et 1 set.11 est I el Is I Isl-Its st sl" I i I I.I'Ill st I.'t pg SsuRE~elt'f<<s'st~~e'l$N~HI FLUX~~~'e I I.e II I fit""~I fl;e I Ref st f f I ft tile e s..-,il If l'I I I I I e ees.~~I I I I III'se tits (MAX ROD SPEED, MAX ROD WORTH)'-'Hl'LuX:.'-

I I~~II It~I I fet f I)e fl'l~el l.50\~I~s<<s'I~'s'I.s.e, lift'll I I I I~~I f I<<H I TEMP.AT.:-I e.~..Qtf'~II te ltf~''I eis lett et'I J~I'tl'I tees~~'I', Pt'1st"." Iflj j'l<<n-'HI POWER dT I I I I~f e'HI TBP e~~~~H':-'"''s s tt e~es't~tt~iles e e I sit',I's'tl~ss'II'etes wl f f''ts f~e: HI POWER AT f-, s'T-.I~~I I I~~,~~~I~I~'ll I~tie e I~Is~I I I~I HI POWER dT;t t I stts tsl;I I I I I!" I I I I.i'I s~'"<<tt''I'I I I test J s sr , 1':,I ee'.HI POWER hT;,~ie~stl I II'',;:.-.~HI LEVEL',&SIC(.,'I TEMP.AT!III~I I I st~III I~gt It lett el list e I Isle ss~e l.00 50 I stt Ole'~I e fl'S.G.~f" j:('OR HOT ASSEMBLY)i

..SAFETY>VALVES'-, el~I~t~~I I II tsii I I I III Ite I sl in t(f I I II et I n es II.,~'I ttl''I~I~I I~'.I f I le Ils e e I'il tfs sfts I*e'tts I~e~e~~~fit Ie s I+e te si~s es tees Is It'I (CORRESPONDS TO DNBR it'.e ,S If I''te<<I~I I I I i<<I I'':" I~', Ittl If ttf~~Itl sits e I I gtn I I~I<<I s'<<s.In~ss;Ij'I s e s l f I I I<<I I I I~~~Iltl fit 0.05 O.IO 0.25 0.5 L.O 2.0 4.0 Reactivity Insertion Rate, 10 6k/sec ALARM ROD STOP REACTOR TRIP"DESIGN" REACTOR TRIP CORE LIYiIT FIGURE 5.l-7 s

~e BEGXNNING OF LIFE ROD WITHDRAWAL FROM 102X POWER TIME OF EVENT lls tr I~1 r Is s st el ills I'I soI'tss~tl ss I I I I s I le ills lese s lt I" s I I~I I I~I L I 1~~s its sis ills i i I Ilsi 1111 I, s Ii se ts st 250 Ilsi I I:st il I see ss 200 vo 11'ie sst ssi ise ts t'I st I I~,s~~~I see s st Its;ii~I HI le,'ss.'I" so I~I I I I il I ts.;Ii~~I I~~~TEMP.dT'?.i HI LEVEL~'~ss As t'I I't~e s ss ss Jl1.'l'ssl'I s el ls'1 ss s I t I se I ss.'SO I li~l I;I II'~I" I'I t I~ss I~~~I s I'l"I li: s tt?e"s~~~'se I I, I~I~s JC I~~~<'ltll sl H Os I Is I I II I@i sl 1 I I~~d s DNBR HA~1.0~~s I~II sile ss~I 1 i'i i!i~r r II's 1st~i II s ssl sr~I sl I I s I I Ills IIIIIII.'~Ill ilr,.I I'~~~ALARM ROD STOP, REACTOR.TRXP"DESIGN" REACTOR TRXP CORE LXMIT s I'~I is I'1st ll r<o s II, ,I''I 100 50 IC'lls it i st, HI PRESSURE sill~1 s'is.tf I I~'il lt s'e ls s s"I'I'I',l ts I I I I ski'S'I I;1st ceil;I,~s ts sll I I'Ie~I i'i'st I.i.I es dT it I>>I s Ii I'.ss is st...~I I".II HI POWER.I Il''t s s I'~e~I I I sist J it 1 tl sll'I I il'a I s sl (MAX ROD SPEED,;MAX ROD WORTH);, 11 ss'It st e I I 1 t'I!1st Is I s'st its t'ss i~~~HX LEVEL lg-7:<~IL I 11 e I is~e ss Iss tl St sl I 1st 4 i I Jll I I*Ills r, q tt\se s~~~~'3 DNBR MIN~1.s s'I s's~s.r s't~~~I i I~~~I~s I s li s II~I I I li" I~: I~II s'1 I,'It'I Ij e s Is~st st I'sli e,'.'\l ls I.s~eli~I 1st I t ss I~t Vg is~p'l'sa~I II I t'l I s+II s t s gl s s Il.I Is~l I I s~~dT Ill tli~~I~I;Is ,se t s: I iHX TEMP ss I~s I I s I~I I~~>>Ie I~I ss sill I I I~sl 11 I I I I III.0.'05 0.10 0.25 0.5 1.0 2.0 4.0 REACTIVITY INSERTION RATE, 10 hK/SEC FIGURE 5.1-8  

, wt C BEGINNING OF LIFE ROD WITHDRAWAL FROM 80X POWER MXNIMUM DNBR s'AVG~sls~I ,I~iles Il~s~~~I~f~I HI FLUX~I.Ii~-,.~,r,<;'r:,HZ T':::" I'Ii I;II AVG I~s"(jest Qs I I I I s~I s q)AVG,I,~ei I s I I<<HI LEVEL.g..(PRESSURIZER) st i~HI POWER'~~ts I I isa'.'S.G.-:-SAFETY: 'ALVES-i.'>>-'-'IA gg'I,~~~I;s>>I'is I'"I')HI TEMP'~st.I~I,~'~~e~e sets ieii iis'Is's, te I ,~I-'-AT: I ls)~I~,~~~Ii'lte s I I I~I:~T'IM~~f$:.-';~~~si"I'P~~I I ee~I s e s~I I I L-r WER hT'X PRESSURE."NNR!!',tGMFI::"'.:l i I-I-~HI Po I>>ss II['tt'It'Ls I'i'DEVIATION I>>:f s~~s I I i~I I: I I ll I~I~I irpg e, s li (i~I~s ALARM ROD STOP REACTOR TRXP"DESIGN" REACTOR s>>>>see eels>>%TRXP'~~~~i~tl I II~~~~I'I Ills'e~I~.;Is II~e'HX FLGX~I I I~I.II<<Ii<<lit~CORRESP 1.0" I i I~I Is S~.I I I I I~i ss I~i'll il ONDS TO DNBR>LN HOT ASSEMBLY i:e~~~,i'sse I I II t s I~it e I I Ill ss's J I'el I~sli le',~ei~~~, (MAX.ROD SPEED,-.MAX.ROD WORTH)~It'tsi Iles~~~~i Iil~t~I;~I lls i'~I I~~s ,~~~~~~I s s s~I~, se ii e~~~s I~i i i~I II~I s le i.e~<<s'I e~s I 0 tls sill s s e'.III'Iii't'll'll'l el~il III lss O.OS O.1O O.ZS O.S 1.O 2.0 4.0 REACTIVITY INSERTION RATE, 10 8K/SEC FIGURE 5.1-9 W 4ol BEGINNXNG OF LIFE ROD WITHDRAWAL FROM 80/POWER o~TIME OF EVENT i~~o'tl ll-;-I-.':i'-::~G: "-HI PRESSURIZER';, LEVEL~.I~~~I I I It~-'rrr-I~i~i i~I~I~I" o I'.~I~I I o s.t l SAFEZY s-l~vALvEss I o~I~J'I I I Q1 ,~I, LEVEL~~~I ,I j"-,T',;I3

..'.",.'I PRESSURE'v Iso E li o.'I~~t sl'I I~'AVG;, I;:AT,:Lol

''ITJ~g HI PRESSURXZER,.

t: itlt!:I',.;I Illl li!i i~~'io~I~~HI TEMP 4T~o~I 41:,~o HX POWER 4T DNBR~1.0'.o~I I I L I'.~~i o~I: I I I!4 I I~I''-~J I i I I I I I~sill~I~I I'~~I~, I ls I~~~o~~~il:~ilt'~,~I o o~~~I DNBR~1.3'it'I~'t~~'~~(MAX, ROD SPEED,, MAX 4 ROD WORTH)~il, i s~I I: I I!II s Itts~o ALARM ROD STOP REACTOR TRIP"DESEGN" REACTOR TREE~~Ls slot Ills i il~Its~I I I I I~oil Io I~o~.L.l.J::::

4lt I~I I~~~I t~o 4~o~jilt!too io.,';:@goal: "i~I~o j>>!i is I oJ~I I I: I't s't.Il'"..I tlt!I~~st~o~~~E'X PRESS o, is>>I~~I I II III St I'~I.i I H%H&iti,'-',: HI FLUX'ot'is J tl~o~~I I~II I I I~I I~I~I: tl~~I I~~o!It~~" i li i~o~I~'~il>>io~~~I~~~itis sl 100 T AVC 50 olo~oo~I'!to'lli IID oi":i ri.~I I'~~o~I I I~4 I~'~I I~I I I I I*I~I~o o I o~I~~~~I I I lo~~I I 4I~o~I I~~t I~~~I~'iti,~!il I~I~o-:: ".:++I~.-..'i'il~o~I~~~~o~i is 4s i~!~l I~I~I~I i~oL~I~~~!iot~~I~~I~s~!I~till I ll I IQ~I l'~'io t!4 I I I~~;Is o I~I~I I i It I~I I~I HI POWER 4T~-:.';HI TEMP 4T I o~I It~I I~JA.I I i lot gi i It/lt!.~it'il io~I o~~i o ,is.,'I o i't~tl~'~s i~~sot!I loss I~SS"~'II: I:~-."I 0.05 0.10 0.25 0.5 1.0 2.0 4.0 Reactivity Insertion Rate, 10 6k/sec FIGURE 5.1-10 LPSS Op FEEDWATER>ring power operation, loss of feedwater to the steam generators is of potential concern because it affects the ability of the steam generators to rmove decay heat after trip The protection for thi accident consists of reactor trip and an auxiliary feedwater system.This evaluation describes the Control and Protection System instrumentation provided on a typical Westinghouse PWR Plant to directly monitor or control steam genitor water level.Loss of feedwater accidents without credit for this instrumentation are evaluated.

Typical Westinghouse design requirements for the auxiliary feedwater system are included.A typical 1456 MWt two-loop plant was selected for the transient analysis.A loss of feedwater accident to one steam generator is most severe on a two-loop plant.For a complete loss of feedwater, the transient per loop, is dependent on the normalized kinetic parameters; e.g., power (so the results shown here are representative for all plants currently under design.Zn all cases, diverse automatic reactor trips insure a plant trip before any core damage or system overpressure occurs.Manual actuation of the auxiliary feedwater system is considered an adequate backup to the automatic actuation.

There is sufficient time (24 minutes)and alarms to take credit for manual actuation.

<nteractions of steam generator level control and protection resulting C~rom random failure modes are presented in Section 4.2.5.Alarms actuated 5.2-1 or a complete loss of f eedwater accident are presented in Tab le 5.2-1'C-.suit trees for loss of feedwater accidents are presented in Figures C-2 l, 5.2-2,and 5.2-3.LOSS OF FEEDQATER-TRANSIENT ANALYSIS Several representative transient cases are evaluated for loss of feedwater accidents.

Figure 5.2-4 shows the transient resulting from complete loss of the steam flow control signal.As shown by the figure, the Level Control System restores water level such that only a temporary decrease in~ster level occurs.There is no approach to unsafe conditions or to any reactor trip set point.Figures 5.2-'5 and 5.2-6 illustrate a typical complete loss of feedwater"o one steam generator'of a two-loop plant.No credit was taken for reactor trips derived from the steam generator.

The loss of subcooled feedwater is reflected to the reactor as a small decrease in therma1 I load, causing the increase in pressure and temperature shown in the-irst minute.(The reactor was assumed to be in manual control with<<manual correction.)

One minute after the.loss of feedwater, the steam generator tubes begin to uncover, causing a rapid.pressure and temperature increase.If amchnum pressure control capacity (power operated relief valves)is available, the pressure rise is limited and a high pressure reactor trip does not result.A reactor trip on high pressurizer el occurs appro~tely two minutes after the loss of feedwater.

5.2-2 l r>

z inventory in the second steam generator is sufficient to bring Water plant to normal no>>load condi tions.There is no overpressure ox the p an of water from the Reactoz Coolant System.loss o figures,5.2-7 and 5.2-8 illustrate a worst case complete loss of feed>>water to all steam generators with no trip from steam generatox instxu>>~tation.A conservative evaluation is done for a high-power densi.ty p an lant typical of current PWR design g.456 MWt 2>>loop).No credit is taken for charging systems or for energy absorption by metal in the Reactor Coolant System.The results are considered to be extreme values rather than realistic conditions for an actual plant.The reactor trips on high pressurizer pressure about one minute after the loss of feed.Stored heat in the core continues to heat the reactor coolant and the pressurizer M.ls in about three minutes.Steam dump values open fuU.y under Tavg control and reduce steam line l I pressure.After about ten minutes, the Reactor Coolant System begins to boy., aa"h<<h time the x'eactor coolant pumps are assumed to cease adding energy to the coolant.Boiling causes a rapid increase in the volumetric surge rate, and system pressure rises until the volumetric expansion is balanced by safety value capacity for water zelief.(No credit was taken"or the power-operated relief values in this analysis.)

te&#x17d;generated in the core is assumed to fill the upper reactor vessel, e steam generators, and half of the coolant piping befoxe escaping to e px'essurizer.

During this four minute period, most of the reactor 5.2-3 e

olant fluid'is lost as water discharge through the pressurizer

>+sty valve.As steam is discharge through the pressurizer, pre measure decreases to the set pressure for the safety valves.After an additional ten minutes of boiling, (24 minutes after the loss of feedwater), the top of the core is nearly uncovered.

Xt was assumed that the Auxiliary Feedwater System was manually actuated at this time (push buttons on the control board)and 200 gpm auxiliary f eedwater per steam generator began immediately.

Qithin two minutes of starting auxiliary feedwater, the steam generator heat removal exceeds decay heat and reactor coolant~emperature and pressure rapidly decrease.5.2.2 TYPICAL SYSTEM 1ESIPil REQVIEEMENTS Auxiliarv Feedwater System To prevent release of reactor coolant through pressurizer safety valves i and to protect the core, a supply of high pressure feedwater must be provided for the removal of residual heat from the core by heat exchange in the steam generators when the main feedwater pumps cease to operate on blackout or because of fault conditions.

'yp<<al criteria for actuation of auxiliary feedwater is presented in iable 5 2-2 afety zequi.rement is to include two separate auxiliary feedwater y terna to ensure reliability of supply.One s'ystem utilixas a steam turbine driven auxfLiazy feedwater pump, ae urbine being connected such that steam can be supplied from some 5.2-4 t,  

~of the steam generators.

The flow rate, usually about 200 gpm nr steam generator, is, sufficient to maintain a milkman depth of water>r ste the steam generators.

ocher system utilizes two (2)reserve auxiliary f eedwater pumps, a~of about half the capacity of the steam driven.pump.How rate suf ficienc to ensure cooling of the system and to Prevent water discharge crom Reactor'oolant System xelief valves.The reserve auxiliary feed-vacex pumps normally are driven by prime movers using'source of energy other than steam from steam generators.

The head generated by the feedwater pumps is to be sufficient to ensure that feedwater can be pumped into the steam generacor when safety'valves are discharging.

Pumps axe capable of starting and delivering feedwater vithin two (2)minutes of the blackout or fault conditions requiring puup actuation.

>ie typical design basis for sizing auxiliary feedwater pumps is given by Table 5.2-3.Sources of water for auxiliary and reserve auxiliary feedwater pumps are duplicated or if convenient, triplicated.