Similar Documents at Cook |
|---|
|
Text
{{#Wiki_filter:wnu-7306NUCLEARENERGYSYSTEMSCLASS3REACTORPROTECTIONSYSTEMDIVERSITYZNWESTINGHOUSEPRESSURIZEDWATERREACTORSApril1969Author:T.Q.T.BurnettContributors:J.W.DorrycottA.C.HallD.H.RisherAPPROVED:S.ore,ManagerCoreEngineeringWestinghouseElectricCorporationNuclearEnergySystemsDivisionP.O.Box355Pittsburgh,Pennsylvania152309507180151950707PDRADQCK050003159PDR<3RZRestintthouseElectricCorp./
FOREWORDOverthepastfouryears,considerableattentionhasbeenfocusedondesigncx'iteriaandmethodsofimplementationfornuclearpowerplantprotectionsystems.Ofpaxticulardifficultyhasbeenche"establishmentofsuitablecriteriatodealwiththeproblemsofsingleandmultiplefailures,channelindependence,ControlandProteccionSystemindependence,andthe'eviationofProtectionSysteminputs..Akeyfactorinthisdifficultyhasb'eentheconflictbetweenthegoaltominimizethenumberofredundantmeasurementsfox'nysingleprocessvariable,withregaxdtotheoverallnuclearplanerequirements,andthegoaltoestablishaauucbnumdegreeofseparationbetweentheProtectionSystemandtheControlSystem.Obtaininganaccurateandreliablemeasuxementofaparticularprocessvariableisoneofthemostdifficultaspectsofaninstrumentacdonsystem.Therearesignificantproblemsassociatedwiththephysicalmountingofthemeasurementdevicesincludingoptimumlocation,supportingstructuxes,accesstocheequipmentformaintenance,andprotectionagainstadverseenvironmentalfactors.Inthecaseofnuclearpowerplants,thereisalsotheproblemoftransmittingthesignalsfxomthecontainmenttothecontrolroomequipment.Allofthesefactorsprovideargumentsforminimizingthenumberofseparatemeasuremencs.
MostofthefunctionsperformedbytheplantControlSystemrequirethesameprocessinformationastheProtectionSystem.Inthesecases,WestinghouseprovidesControlSysteminputsfromProtectionSystemchannels.The"ProposedIEEECriteriaforNuclearPowerPlantProtectionSystems,"IEEENo.279,permitsthisdesignapproach,sub)ecttocertainrestrictions.However,thisproposedresolutionwasnotunanimouslyacceptedbymembersofotherUnitedStatesstandardsandregulatoryagencies,inparticular,USASXSectionalCommitteeN3(N42),andtheAEC-ACRS.WestinghouseheldmeetingswithmembersoftheAECtoclarifytheWestinghousedesignapproachandtoidentifytheadditionaldesigncriteriaappliedbyWestinghouse,whichgobeyondtheproposedIEEEcriteria.TheseadditionalcriteriarequireseparationandidentificationofcontrolandprotectionequipmentandtheuseofisolationdevicestotransmitsignalsfromtheProtectionSystemtotheControlSystem.ItisthepositionofWestinghousethattheseadditionalcriteriaofferaresolutiontothe'tateddesignconflict.Westinghousehasdemonstratedbyactualimplementationofthesecriteriathatahighdegreeofseparation,includingproperidentification,canbeachievedbetweenProtectionSystemequipmentandControlSystemequipment.Morerecently,thequestionofthefailuremodechangedfromthatofasinglerandomfailuretocommon-modefailure-afailuremodewhichwouldadverselyaffectall,redundantchannelsofaparticularprotectivefunctionintheProtectionSystem.Itisgenerallyrecognizedthatseparationofcontrolandprotectiondoesnotprovidedefenseagainstthecommon-modefailures.
ThenuclearpowerplantControlandProtectionSystemdesignemployedbyWestinghousewasevaluatedindetailwithrespecttothecommonmodefailureandpresentedinaseriesofmeetingstomembersoftheAEC.ThisreportdocumentstheinformationtransmittedinthesemeetingsandprovidesatechnicalbasisforthedevelopmentofcriteriafordesignofProtectionSystemswithadequateconsiderationforcommon-modefailures.TheconclusionofWestinghousebased>uponactualexperience,previouswork,andreinforcedbytheresultspresentedherein,isthatdesigncriteriafornuclearpowerplantprotectionsystemsshouldpermitmagnumeffectiveuseofprocessmeasurementsbothforcontrolandprotectionfunctionsincludingtheuseofProtectionSystemmeasurementsintheControl.System.Suchcriteriasignificantlyenhancethedesigner'scapabilitytoprovideasystemwithadequatecapabilitytodealwiththemajorityofcommon~odefailurestaswellastoprovideredundancyforcriticalcontrolfunctions.J.M.Gallagher,'Jr.ConsultingEngineer-ControlTechnology VestinghousedesignphilosophyforReactorProtectionandControlSystemsistomakemaxiunaause,forbothprotectionandcontrolfunctions,ofawiderangeofmeasurements.TheProtectionandControlSystemsareseparateandidentifiable.Thedesignapproachpermitsnotonlyredundancyofcontrol,providingitsowndesirableincrementtooverallplantsafety,butalsoprovidesaProtectionSystemwhichcontinuouslymonitorsnumeroussystemvariablesbydifferentmeans;i.e.,protectionsystemdiversity.TheextentofProtectionSystemdiversityhasbeenevaluatedforawidevarietyofpostulatedaccidents.Inmostcases,twoormore=diversepro-tectivefunctions.wouldterminateanaccidentbeforeintolerableconsequencescouldoccur.
teetiee11.11.2233.13.1.13.1.23.1.33.1.43.1.53.23.2.3.,3.2.23.3TABLEOFCONTENTSTitleABSTRACTINTRODUCTIONCOMMONMODEFAILURESAND.DIVERSITYPROTECTIONSYSTEMEVALUATIONQjMMARYFUNCTIONALDESCRIPTION,REACTORCONTROLANDPROTECTIONSYSTEMREACTORPROTECTIONSYSTEMGENERALREACTORTRIPSManualTripHighNuclearPower(PowerRange)HighNuclearPower(IntermediateRange)HighNuclearPower(SourceRange)Overtemperature4TTripOverpower4TTrip'LowPressureTripHighPressureTripHighPressurizerWaterLevelTripLowReactorCoolantFlowSafetyIn)ectionSystemActuationTrip(SIS)TurbineTripLowFeedwaterFlowReactorTripLowSteamGeneratorWaterLevelTripPERMISSIVECIRCUITSListofPermissiveCircuitsRODSTOPSRodStopListINDICATIONControlBoardIndicatorsandRecorderCentralBoardAnnunciatorPanelControlBoardStatusPanelSTEAMDUMPCONTROLSYSTEMCONDENSERSTEAMDUMPSYSTEMSystemDesignControlSystemLoadRefectionControlTurbineTripControlPressureControlATMOSPHERICSTEAMRELIEFSYSTEMREACTORCONTROLTheTemperatureChanelThePowerMismatchChannelThePressureChannelTheRodSpeedProgram~Paeiv1>>1l-l1-5213.1-13.1-13.1>>13.1-13.1-13.1-13.1-23.1-23.1-33.1-33.1-43.1W3.1-53.1>>53.1-63.1-73.1-73.1-73.1-83.1-83.1-93.1-93.1-103.1-103.'1-103.1-113.2-13.2-13.2-13e2~33e2~33.2-43.2-53.2-63.3-13.3-13.3-13'~23~32 Seetiet3,4'.53.5.13.5.23.5.344.14.24.34.44.4.14.4.24.4.34.4.44.4.54.4.655.l.5.1.15.1.25.1.35.1.45.25.2.1~5.2.2.;:!.5.35.3-15-3.2TABLEOPCONTENTS(Cont'd)TitleSTEAMGENERATORLEVELCONTROLSTEAMBREAKPROTECTIONSYSTEMSAFETYINJECTIONSYSTEMACTUATIONFEEDWATERLINEXSOLATIONSTEAMLINEISOLATIONPROTECTIONANDCONTROLSYSTEMSDESXGNPRINCIPLESPROTECTIONSYSTEMFUNCTIONALDESIGNCONTROLSYSTEMPJNCTIONALDESXGNCONTROLANDPROTECTIONINTERRELATIONSPECIFICCONTROLANDPROTECTIONINTERACTIONSNUCLEARFLUXCOOLANTTEMPERATUREPRESSURIZERPRESSUREControlofRodMotionPressureControlLowPressureHighPressurePRESSURIZERLEVELHighLevelLowLevelSTEAMGENERATORWATERLEVELFEEDWATERPLO..FeedwaterFlowSteamFlowLevelSTEAMLINEPRESSUREACCIDENTEVALUATXONRODWITHDRAWALACCIDENTIPROBABLECONSEOUENCESOFACCIDENTPROBABILITYOFACCIDENTMANUALINTERVENTIONDIVERSXTYOFREACTORTRIPSLOSSOFFEEDWATERLOSSOFFEEDWATER-TRANSIENTANALYSISTYPXCALSYSTEMDESIGNREOUIR1M2KSAuxiliaryFeedwaterSystemMainSteamandFeedwaterPipingLOSSOFCOOLANTPLOWANALYSISZNTRODUCTIONANDSUMMARYPROTECTIONSYSTEMDESCRIPTXONLowReactorCoolantPlowReactorCoolantPumpLowVoltageReactorCoolantPumpLowFrequencyPumpCircuitBreakerPositionOverpowerDelta-TReactorTripInterlocks~Pae3.4-13.5-13.5-13-5-13.5-14.1<<14.1-14.2-14.3-14.4-14.4-14e4-24.4-34.4-34.M34.4-34.4-44.4-44.4-54.4-54.4>>64.4>>74.4-84.4-84.4-85.3.-15.1-15.1-25.1-45.1-45.1-65.2-15.2-25.2-45.2-45.2-65.3-15.3-15.3-15.3-25.3-25.3-25.3-35.3-35.3-4 14C Sectice5.3.35.3.45.3.55.45.4.15.4.25.4.35.55.5.15.5.25.5.35.5.45.65.75.85.95.10:5.115.12TABLEOFCONTENTS(Cont'd)TitleMULTILOOPLOSSOFFLOWSINGLELOOPLOSSOFFLOWLOCKEDROTORACCIDENTRODEJECTIONANALYSISINTRODUCTIONANDSUMMARYCASESCONSIDEREDINDETAILZeroPowerCaseFullPowerEndofLifeCozeBACK-UPTRIPPROTECTIONLOSSOFSTEAMLOADINTRODUCTIONANDSUMMARYLOSSOFLOADPROTECTIONANDDESIGNCRITERIASteamDumptoCondenserPressurizerPressureReliefSteamSystemPressureReliefDirectReactorTripHighPressurizerPressureTripOvertemperature4THighPressurizerLevelTripEVALUATIONOF'PROTECTIONSYSTEMFORLOSSOFLOADInitiationofAccidentAnalysisandDiscussionCONCLUSIONSRODWITHDRAWALDURINGSTARTUPCONTROLRODDROPENGINEEREDSAFEGUARDSACTUATIONCONTAINMENTPRESSUREPROTECTIONEXCESSIVEMADEXCESSZVEFEEDWATERPLOWSTATIONBLACKOUTCONTROLANDPROTECTIONFUNCTIONS~Pae5.3-45.3-65.3-75.4-15.4-15.4-15.415.4-25.4-35.5-15.5-15.5-25.5-25.5-35.5-35.5-35,5~45.5W5.5-45.5-55.5-55.5-75.5-95.615.7-15.8-15.9-15.10-15.11-15.12-1
LISTOFFIGURES~FgureNo.2-1IllustrationofControlandProtectionDesign3.1-13.1-23.2-13.3-23.3-1OvertemperaturedTChannelOverpowerdTChannelSteamCycleValveArrangementCondenserSteamDumpControlSchemeReactorControlSystem4.2-14.3-15.1-15.1-25.1-35.1-45.1-55.1-65.1-75.1-85.1-95.1-1052-1522.~5.2-35.2-45.2-55.2-65.2-75.2-85.2-95.3-I.5-3-25+335.3-45.3-55.3-6SteamGeneratorLevelContxolandProtectionSystemPressurizerPressureProtectionandContxolSystemsDesignIFaultTreefoxRodWithdrawalAccidentFaultTreeforRodWithdrawalAccidentInsertedRodWox'thandReactivityRequiredtoReachDNBR~1.0inHotAssemblyVersusCoreLifeCompleteRodWithdrawalfromMaximumFullPowerCompleteRodWithdrawalfromMaximumFullPowerSteadyStateCoreLimitsandReactorTripandAlarmPointsBeginningofLife,RodWithdrawalfrom102XPower,MinimumDNBRBeginningofLife,RodWithdrawalfrom102XPower,TimeofEventBeginningofLife,RodWithdrawalfrom80XPower,ResultingMinimumDNBRBeginningofLife,RodWithdrawalfrom80XPower,TimeofEventFaultTreeforLossofFeedwaterFlowFaultTreeforLossofFeedwaterFlowFaultTreeforLossofFeedwaterFlowLevelResponsetoLossofSteamFlowSignalLossofFeedwaterFlowtoOneSteamGeneratoratT~OneSecond,TypicalTwo-LoopPlantLossofFeedwaterFlowtoOneSteamGeneratoratT~OneSecond,TypicalTwo-LoopPlantCompleteLossofFeedwaterCompleteLossofFeedwaterAuxiliaryFeedwaterSystemSchematic,Two-LoopPlantFaultTreeforMulti-LoopLossofFlowFaultTreeforSingleLoopLossofFlowFaultTreeforLockedRotorAccidentMulti-LoopLossofFlow,TypicalPlantSingleLoopLossofFlow,TwoLoopPlantLockedRotorLossofFlow,TwoLoopPlant
~e+lyIA'I'I'lhPl0V0 LISTOFFIGURES(Cont'd)FiureNo-5.4-15.4-25.4-35.4-45.5-15.5>>25.5-35.6-15.6-25.7-1.5.725.8-1ZeroPowerEndofLifeRodEjection,NoTripFullPowerEndofLifeRodEjection,NoTripIllustrationofSafetyLimitsandTripPointsforRodEjectionAccidents,NoTripIllustrationofTransientTrajectoriesforRodEjectionAccidents,WithNoTripFaultTreeforLossofLoadAccidentFaultTreeforCoreDamage,LossofSteamLoadLossofLoadAccidentUncontrolledRodWithdrawalfromSubcritical,FractionofNuclearPowerUncontrolledRodWithdrawalfromSubcriticalCondition,TemperatureResponsetoaDroppedControlRodResponsetoaDroppedControlRodSafetyInjectionActuationSignalvsBreakArea
~emme~e'~'%qelt*49~*t 1.INTRODUCTIONpoophyforReactorProtectionandCooltomaemaxaumuseforbothprotectionandcontrolfunctionsofawiderangeofmeasurements.Thisresultsinabroadspectrumofredundantprotectionandcontrolfunctions.Thedesignapproachusedpermitsallequipmentcomponentstobeidentifiedasprotectionorcontrolandlocatedaccordingly,withelectricalisolationandphysicalseparationbetweenthem.Thedesignapproachthuspermitsnotonlyreduncancyofcontx'ol,providingasignificantanddesirableincrementtooverallplantsafety,butalsoprovidesaProtectionSystemwhichcontinuouslymonitorsnumeroussystemvax'iablesbydifferentmeans;i.e.,ProtectionSystemdiversity.AlthoughtheProtectionSystemdesignbasisrequiresonlythatrandomsinglefailuresnotnegatetheProtectionSystem,aconsiderabledepthofprotectionIisachievedbytheWestinghousedesignapproach.Systemsdesignersandre-viewershavexecentlyemphaaLzedtheimportanceofachievingasuitablebalanceofdesignobfectivesinregardtofunctionalandequipmentdiversity."'nteractionofcontrolandprotectionfunctions,testing,andsurveillanceto~thieveaProtectionSystemdesignthathasadequatecapabilitytocopewithbothrandomandsystematicfailuremodes.(Systematicfailuresarealsoknownascommon-mode,ornonrandomfailures.)1.1COMMONWODEFAILURESANDDIVERSITYCommon-mode,orsystematicfailures,arethosethatpartiallyorcompletelypreventidentical,instrumentchannelsfromperformingtheirfunction-p'~.4*/I dundancyisnotananswertothistyPeoffailure,sinceallchannelsareassume~edtobeaffected.Further,thesefailurescannotbeevaluatedbyproao~babilityanalysisorreliabilitydata;indeed,theyarecharacterizedbyoversightsordeficiencieswhichpresumablywouldbecorrectedwhenfirstdetected.Thegeneralcategoriesofcommon~odefailuresare:a)Functionaldeficiency-Thevariablebeingmonitoreddoesnotprovidetheinformationintendedduringthecourseofanaccident.Thisdeficiencycouldbecausedbytheaccident'sfollowingadifferentcourse/thancalcu1atedbythedesigners,orbyachangeintheplantcharacteristicswhichchangestherelationbetweenthepxocessandthevariablebeingmonitored.b)Maintenanceerror-Thisfailureincludesconsistentmiscalibrationofallchannelsofatype,andalsocircuitmodificationoxrepqirwhichinadvertentlyrendersthechannelsfunctionallyinoperative.'esigndeficiency-Pailuxeoftheequipmentasinstalledtomeetfunctionalrequirements.Thiscouldarisethxoughunrecognizeddependenceonasingle,commonelement.,suchasventilation;byanunexpectedcharpcteristic(suchassaturationorslowresponse)inallcontrollersofatype;orbytheinstrumentationbeingdisabledasaresultoftheaccident-d)~<<malcatastrophe-Withproperisolationandseparationbetweenredundantchannels,thisisconfinedtoma)ordisasterssuchasflood,<<rthquake,fire,etc.Whereseparationisnotcomplete,lessdrastic~ventscanhavethesameresult.Forexample,afallingob)ectcouldconceivablyseverallcablesinasmallarea.1-2 t+J~~N ConsiderableeffortisbeingmadeinReactorProtectionSystemsdesignpreventthesecommon-modefailures,asillustratedbytheexamplesbelow.Howeverremote,thepossibilityofacommonmodefailuremustneverthelessbeconsidered.Thelikelihoodofmaintenanceerrorscanbeminimizedbyproperadministrativeprocedures,identificationofProtectionSystemcomponents,andcompletedocumentationoftheas-suppliedProtectionSystem,includingthedesignbasis.Designdeficienciescanbelargely.eliminatedbyequipmentqualificationtestingandbycaxefulreviewofallpotentialcommonelements.Redundancyisanaccepteddefenseagainstx'andomfailureswhichaffectonlyonecomponentorchannelatatime.Similarly,"cliversityisadefenseagainstcommon~defailureswhichcouldaffectmultiplechannels.Suchprotectivediversitycanbeachievedineitheroftwoways:equipmentdiversity,byprovidingdifferenttypesofinstrumentat'ion'tomonitorthesamevariable,orfunctionaldiversity,bymonitoringdifferentplantvariables.Functionaldiversityentailssomedegreeofequipmentdiversity,P~rilywithrespecttosensorsandsetpoints.Moreimportantly,however,functionaldiversityisnotdependentonthecalculatedrespenseofanyone"ariableduringanaccident.Asaconvex'seofthis,functionaldiversityismorecomplextodemonstratesincetheresponseofseveralvariablesmustbeanalyzedforeachtypeofaccidentevaluated.TheWestinghousePxotectionSystemisthereforeevaluatedinthisreportwithrespecttofunctionaldivexsity.Todemonstratediversitywhereprotectiveactionisneeded,itisnecessarytoshowcombinationsoftwoormoreofthe1-3 e4 fo1lowingbarriers"foreachaccident.Someoftheseareaddressedtotheneedforprotectiveaction,ratherthantotheInstrumentationSystemitself.ThisisconsideredareasonableapproachtojudgingtheadequacyofaProtectionSystem.a)Tolerableconsequencesforexpectedconditions-Althoughcase"analysismightfailtoprovethatprotectionisnotvastmajorityofcasesmayhaveacceptableconsequences.worstneeded,theWhetherornotthisisasuitablebarrierdependsontheprobabilityofadverseconditions(suchasexcessiveinsertedrodworth)andthedesignandoperatingprecautionstakentopreventthem.b)Lowprobabilityofaccident-Probabilityoftheinitiatingfaultmightbeconsidered,butonlyinconjunctionwiththeprobableconsequences.Thatis,aloss-of-coolantaccidentdoesnotrequirelessprotectiontthanalossofflowaccidentsimplybecauseitislesslikelytooccur.c)Controlinterlocks-RodstopsorotherdeviceswhicharrestormodifyspuriouscontrolactionshortofreactortripcanbepartoftheProtectionSystem.ProtectionSystemdesignstandards,equipmenttesting,andTechnicalSpecificationlimitswouldthereforebeapplied.nualaction-Manualactioncanbeconsideredareliablebackuptoautomaticprotection,dependingontheaccidentrate,thecomplextytheproblemandcorrectiveaction,andthealarmsandindicationprovided.1-4
Automaticreactortrip-Eachaccidentmayhavea"principle"reactortripassociatedwithit..)BackuPreactortrip-Asecondreactortripfunctionofisanadditionalbarrier.InallbutafewcasesintheWestinghousedesign,aspecificreactortripisnotcategoricallyeither"principle"or"backup":itservesastheprincipleprotectionagainstsomeaccidents,andasbackupprotectionagainstothers.1.ZPROTECTIONSYSTEM-EVALUATIONAnaccident-by>>accidentevaluationhasbeenperformedinordertoevaluatethe"depth"ordegreeofdiversityprovidedbycurrentWestinghousedesign.Asexpected,diversitycouldnotbedemonstratedforallaccidents.Thexesultsingenex'al,however,indicateaconsiderabledegreeofprotectionSystemdivexsity.Theevaluation,reportedin-.Section5ofthisreport,analyzedeachpostulated~ccidentwithoutcreditforprotectiveactiontothepointatwhichoneofthethreefollowingeventsoccurs:Inherentplantcharactex'isticsterminatedtheaccident;b)Theconsequencesareclearlyintolex'able',orc)=<<<tinganalyticalmethodsarenolongervalid(forexample,systemalculationscannotbeperfoxmedwithanydegx'eeofconfidenceifseverecoredamageoccurs).1-5 tyneofevaluation,theamountofanalyticalrigormustbereducedKathistypeoascontonsbecomeincreasinglyremoteandsafetylhaitsareexceededisbecausepresenttechnologycannotrigorouslysupportassumptionsassystembehaviorfortheseremotecases.Inlargepart,thisfactexplainsthereasonwhysuchconservativesafetylimitsareselectedfordesignpurposes.1-6 I
SL~5ARYIntheWestingoutinhouseReactorControlandProtectionSystemstheControlSystemisseoara'sseoarateanddistinctfromtheProtectionSystP"orectionSystemisindependentoftheContro]heProtectonS"ste-"LishighlydependentuponsignalsderivedfromtheProtectioSthroughisolationamplifiers;Thisinterre].ationshipisillustdininure-1.hedesignoftheControlandProtectionSyst~dthinteractionsbetweenthemarediscussedindetailiSectio'd4ofthisreport.Thedesignphilosophyistomakemaxianunusage,forbothcontrolandprotectionpurposes,ofallmeasurementsofplantvariables.Foreachvariablemonitored,thebesttypeofequipmentavailableisselectedasthevehicleofmeasurement.Clearly,therequirementsformeasurementsforcontrolorprotectionpurposessonearlyoverlapthattheoptimumequipmentforonepurposeisalsotheoptimumfortheother,.It'srecognizedbythoseresponsibleforProtectionSystemdesignandreviewthatlittleifanyadditionalsafetyisachievedbyutilizingindependent,butidentical,measurementsforcontrolandprotection.Infa<<,itisWestinghouse'spositionthatadditionalidenticalchannelsareseriouslydisadvantageousjnthatmorepenetrations,maintenance,andcontrolroomreadoutsarerequired.porexample,operatorsurveiU.anceofprotectionchannels'isnecessarilydilutedwhenplantoperationisdependentonotherindications.
pressurizedwaterreactorplant,itisalmostaxiomaticthat-.naLargePresrturbationwhichencroachesonsafetylimitssignificantlyaffects~vperturaForexample,areactivityexcursion-suchasaccidentalrodvt.thrawdrawal-causesnotonlyanincreaseinneutronfluxandcorepower,~soanincreaseincoolanttemperaturesandinpressurizerpressurebutandlevel.Reliablecontrolisobviously'hebestapproachtoplantsafety.Theprime,purposeofacontrolsystemistolimitexcursionsbeforeprotectiveactionisnecessary.SincethecontroldevicesmustbecapableofLimitingexcursions,theyarealsocapableofcausinganexcursion-perhapsinthe,oppositedirection-ifspuriouslyactuated.FailureoftheControlSystem,eitherbynotactingwhenneeded,oractingwhennotneeded,decreasestheleve1ofsafety.Redundancy-ofcontrol,whereapplicable,isthereforehighlydesirable.PressurizerpressurecontrolisaprimeexampleofefficientuseofredundantmeasurementsforsafeoperationviaareliableControlSystem.Twooower-operatedpneumaticreliefvalvesareprovidedtolimitpressureexcursionswithinthenormaloperatingrange.Althoughnotessentialto-safety,thesevalvesincreasesafetymarginsforsystemoverpressure~overpressureprotectionisprovidedbythehighpressurereactortrip~safetyvalves).Shouldeithervalvebeactuatedspuriously,however,p~tectionagainstthereductioninpressuremightalsoberequired.2~2
'Ph contro3.channels,derivedformthefourpressureprotection."-ourpressurecontnosing3.eins-hanne3.s,areuse-el'eiwhenneeded,norcananysingleiQt~tfailducepressuretothepointatwhichprotectionwouldbeneededressurechannelsareusedtocontro1eachvalve.OnepressurechannelMopressureservesasaninterlock,blockingtheairsupplytothevalveonalowpressurea3.arm.Sincethepneumaticvalverequiresairtoopen,thi'slowpressurealarmclosesthevalve(ifopen)andholdsitclosed.Intheabsenceofalowpressurealarmonthefirstchannel,ahighpressurealarmonthesecondchannelopensthevalve.."-romtheprotectionSystemviewpoint,thecorollarytomaxbaumusageofallmeasurementsisthatprotectionagainstanygivenaccidentisnotnecessarilyconfinedtomeasurementofjustonevariable.Thusthereactivityexcursionnotedpreviously,thereactortriponhighpressurizerwagerleve3,alsoprovidesadegreeofprotection,eventhoughthebasicpurposeofthistripistoprotectthepressurizerreliefpipingfromwaterreliefsurge,throughthesafetyvalves.Sincecompletelydifferent.typesofmeasurementareused<<rneutronfluxandpressurizerwaterlevel,diversitydoesexistintheProtectionSystem.LheextentofsuchdiversityisevaluatedinSection5forawidevarietyotaccidents.Inmostcases,twoormorediversereactortripsterminate~accidentbeforecatastrophicconsequencescanoccur.However,thesecondtripreached(the"backup")generallydoesnotpreventthedesignsateylimitfrombeingexceeded.Inthiscontext,thedesignsaiety2-3 h
hasaDNgratioof1.30,isitselfahighlyconservativesuch~,.exceedingthislimitdoesnotimplyintolerableconsequences.~onecaseevaluated-thehypotheticalrodejectionaccident-protectionsystememdiversitycouldnotbeadequatelydemonstratedfortheworstcase.~eyerarodejectionisconsideredtobeanextremelyunlikelyaccidentonecausedbycompleteandinstantaneousmechanicalfailureofacontrolrodpressurehousing.Further,theprobableconsequences,asdistinctfromtheworstcase,aretolerablesincemostcontrolrodsarefullywithdrawnfromthecore.Eventhoserodsthatremaininsertedareseldominsertedtotheirinsertionlimits.."-oranothertypeofaccident-completelossoffeedwater-diversityofreactortripsdoesexist.Ho~ever,automaticactuationoftheauxiliaryfeedwatersystemisnotdiverseforallof'hewaysinwhichfeedwaterflowcouldbelost.Forthosecases,itisshownthatmanualactuationconsti-rutesareliableback-uptoautomaticactuation.2-4
'P7"IHtI0 ILLUSTRATIONOFCONT."d)L'lNDPROTECTIONDESIGNCONTROLSYSTEMl(Signalcon~itionins,controllers,~Iinterlocks,anddefeatswitches)t.otection{testsigna.ague)(testradout)~estCONTROLPROTECTIONChannel'SensorI\ICablingandPenetrations~I!PewerSuoply!IsolationI;ihmplifierIBistablelI(Fromotherprotectionchannels)".harmelChannel23f"1IIn8icatioChannel4CCCJo4kIJCOCIHg~gOCl~+Icd0CcCCJPROTECTIONLOGICa&CKSTRAINTOREACTORTRIPBREAKERSFIGURE2-l
~,'I1"k0P CTIONALDESCRIPTIONREACTORCONTROLANDPROTECTIONSYSTEH~~CTIONALREACTORPROTECTIONSYSTEH3.13.1.1GENERAL'r'1andProtectionSzstmfuncti~di,,basedontheRobertEmmettGinnaNuclearStationoftheRochesterGasandElectricCo.(RGBE).ItisrepresentativeofWestinghousedesignpractice.Allreactortripsmeetthefollowingcriteria:a)Asinglefai1ureshallnotnegateareactortripb)Allchannelsarecapableofcalibrationandmaintenanceatpower.3.1.2REACTORTRIPS4Aresumeofreactortrips,meansofactuationandcoincidentcircuitrequirementsisgiveninTable3.1-1.i~fllnualTrigDepressingeitheroftwomanualpushbuttonsonthemaincontrolboardactuatesareactortrip.HihNuclearPower(PowerRane)Dualtripsettings=areprovided:3.11 "ca.l\"1~
)Low(approximately25X)b)High(approximately110X).ThelowsettingcanbemanuallyblockedwhenpowerincreasesaboveP-10*(approximately10Xpower)andisautomaticallyreinstatedwhenpowerdecreasesbelowP-10.Thesecircuitstripthereactorwhentwoofthefourexternalionchamberaveragefluxsignalsareabovethetripsetpoint.HihNuclearPower(IntermediateRane)Thiscircuittripsthereactorwheneitherofthetwointermediatechannelsindicateabovethetripsetpoint,Etmaybemanual1yblockedwhenpowerisaboveP-10andisautomaticallyresetwhenpowerdecreases-belowP-10.Expectedtripsetpointis25X.HLhNuclearPower(SourceRane)ThiscircuittripsthereactorwheneitherofthetwointermediatePrangechannelsindicateabovethetripsetpoint.Itmaybemanua11yblockedwhentwointermediaterangechannelsreadsavalueaboveP-6andisautomaticallyreinstatedwhenbothintermediaterangechannelsdecreasebelowP-6.TripsettingisbetweenP-6andthemaximumsourcerangepowerlevel.*P-()designatesapermissivecircuittoblockoractivateatripfunction.ThesecircuitsaredefinedinSection3.1.3.
4~I'
~Fjtyvertemoetemperature4TTrioofthistripistoprotectthecorepurposeopo,pssure,temperature,'cionTwoout~ffouroop~Foreachchannelpereactorclativemeasureofreactorpowerandiscomparedwithacontinuouslycalculatedsetpointoftheform:4T~K+KxPressure-KxT>>f(4I)setpointL2Javg~enthereactorcoolantloop4Texceedsthecalculatedsetpoint,theratfectedchannelistripped.Zntheaboveequation,4Zisthedifference'betweenthetopandbottompower-rangeionchambersignals..Thiscompensationsignalautomat-icallyreducesthetripsetpointifadverseaxialcorepowerIdistributionexists.DynamiccompensationoftheTsignalisavgalsoprovidedtocompensateforinstrumentandpipingdelaysbetweenthereactorcoreandthe'looptemperaturesensors..AschematicrepresentationofthiscircuitisshownonFigure3.1-1.AnillustrationofthesetpointisshownonFigure5.1-6.Overoower4TTriThepurposeofthistripistoprotectagainstexcessivepower(fuel<<dpowerdensity).Two-out-of-fourtriplogicisused;therearetwochannelsperreactorcoolantloop.3.1-3 iforeachchanneliscalculatedas:Nesetpointtore~K-K-T-K(T-T)-f(II)45dtavg6avgavg~'quation>f(41)isthesamefunctionasusedintheovertemperatureequato-serpontetpointequation.ThetermK5compensatesforthepipingandinstrumentdelay.ThetermK6compensatesforthechangeindensityandheatt~actyoityofwaterwithtemperature(T'sthenominalTatfullpower).avgavg6~thKandKarelimitedsuchthattherateand/ormagnitudeofTcanavgonlydecreasethe4Ttripsetpointfromitsnormalvalueatfullpower.ectedsteady-statetripsetpointisllOXoftheindicatedhTatfullpoMer;i.e.,llOXpower.AschematicrepresentationofthiscricuitisshownonFigure3.1-2.~PressureTri.hepurposeof'thistripistoprotectagainstexcessiveboilinginthecoreandtolimitthepressurerangeinwhichcozeDNBprotectionisrequiredfortheovertempezatureaTzeactortrip.Thiscircuittripsthe:eactoroncoincidenceoftwmf-fourchannels.ItisautomaticallyblockedbelowP-7.Theexpectedsetpointis1715psig.-"-'-hPressureTri=hepurposeofthistripistoprotectagainstoverpressureandtolimitthees<<<<rangeinwhichcoreDNBprotectionisrequiredoftheovertemperatureWectedsetpointis2385psig.-a<<circuittripsthereactoroncoincidenceoftwo~f-threechannels.3.1-4
~hPressurizerWaterLevelTritzipprovidesabackuptothehighpressuretripandalsopreventsthepzessuzzessuzizersafetyandreliefvalvesfromrelievingwaterforcredibleaccidentconditions.Expectedsetpointis92Xofspan.Thiscircuittripsthereactoroncoincidenceoftwo-of-threechannels.Xtisautomaticallyblocked.belowP-7.LowReactorCoolantFlowThiscircuitisprovidedtoprotectthecorefromDUBfollowingalossofcoolantflowaccident.Themeansofsensingalossofcoolantflowaccidentazeasfollows:a)Measuredlowflowtnthereactorcoolantpipingb)Reactorcoolantpumpcircuitbreakeropenc)Undervoltageonreactorcoolantpumpbusd)UnderfrequencyonreactorcoolantpumpbusThelowflowtripsignalisactuatedbythecoincidenceoftwo-of-threesignalsperloop.AboveP-7,reactortripoccursforalossofflowinbothloops;aboveP-S,reactortripoccursforalossoffewineitherloop.Expectedsetpointis90Kofindicatedfullflow.Thereactortripsignalderivedfromreactorcoolantpumpbreakerpositionisactuatedbyasingleauxiliarycontact'oreachreactorcoolantpumpbreaker.Triplogicissimilartothelowflowtrip;aboveP-7reactortripoccursfora"breakeropen"signalfromanytwobreakers;aboveP8.asignalfzomanyonebreakeractuatesareactortrip.
~wga~~V~~tortripprovidesadditonalreactorprotectionagainst~undervoltagereactorpowers4coapletelossoo~tpumpbusesas~dboaLcwvoltageonoectedsetpointis70Zof~crvoltagesea~tartjrapiddecreaseinelectricalfrequencycandecelerateth~principe,a~torcoolantpumpsfasterthanacompletelossofpower.Anunderfrequencyconditiononbothreactorcoolantbuses,assensedbyeitheroftwounder>>frequencyrelayson'achbus,tripsthereactorandopensbothreactorcoolantpumpcircuitbreakers.Expectedsetpointisapproximately58cps.aSafetyXnectionSstemActuationTri(SIS)"ponactuationoftheSafetyInfectionSystem,thereactorfstrippedtodecreasetheseverityoftheaccidentcondition.ThemeansofactuatingtheSafetyIn)ectionSystemandthustrippingthereactorareasfollows:la)Lowpressurizerpressure(1715psig)incoincidencewithlowpressurizerwater.level(5Zspan).AnyoneofthethreecircuitsLaactuatestheSIS.Thisfunctionmaybemanuallybypassedbelow2000psig.~Pressure(500psig)inanysteamline.Acoincidenceoftwo~f-threesignalsforanysteamlineactuatesthisfunction.Thisfunctioncanbemanuallybypassedwhenreactorcoolantpr~ssureisbelow2000psig.c)"ighcontainmentpressure(6psig).Acoincidenceoftwo-of-threesignalsactuatestheSIS.d)ManualActuatjon f~~
Trio~tripsensedbylossofautostopoi1pressureorbyturbinestopgturbinetrpslosureactuatesareactortripduringhighpoweroperation.Trip<s~o~r-threefortheautostopoilpressureswitchesandtwo~f-twopicissorthestopvalvepositionswitches.Thistripisincoincidencewith~r~sszveci~ssiyecircuitP-7(blockedbelow10Xpower)andpermissivecircuitP-9~blockedbelow50Xpowerunlesscondensersteamdumpisblocked).Low."-eedvaterPlowReactorTriForeithersteamgenerator,lowfeedwaterflow(comparedtosteamflow)incoincidencewithlowsteamgeneratorvaterlevelactuatesareactortrip.'Msprotectsthereactoragainstasuddenlossofheatsink.Thisconditionissensedforeithersteamgeneratorife'itherof:twosteamflow~feedvaterflovchannelsindicateadifferencegreaterthanasetpointandeitheroftvosteamgeneratornarrow-rangelevelchannelsindicateless6thanasetpoint.Expectedsetpointsare0.7x.10lbs/hrand30Xofspanrespectively.LowSteamGeneratorWaterLevelTri~epurposeofthistripistoprotectthereactorfroma'1ossofheatsink-<<thecaseofasustainedsteam/feedwaterflowmismatchwhichistooll<<actuatethelowfeedwaterflowtrip.~h~s~~-stripisactuatedoncoincidenceoftwo-of-threelov-lovlevelsignals~nsteamgenerator.Expectedsetpoint,is15Xofnarrowrangelevelspan-3.1-7
/t6.,.t;>)0C 3>MQSSIVECIRCUITS3.'.3pouslytopermissivecircuitsReferencehasbeenmaokcertainactivitiesaswell-~~itsareusetoac'vfties.tofPermissiveCircuitsnunbncFunccfnnRodwithdrawalstoponoverpower(Automaticandmanual)~XnucOne~f-fourhighnuclearpower(powerrange)*;one-of-twohighnuclearpower(intermediaterange*l;one-of-fourovertemperatureAW;orone-of-fouroverpowerAT*.Automaticrodwith-drawalstopatlowpower.Automaticrodwith-drawalstoponroddropSelectionofsteamdumpcontrollermodePermitmanualblockofsourcerangehighnuclearpowertripOne-of-oneturbinefirststagesteampressureIOneof-fourrapiddecreaseofnuclearpowerorrodbottomindicationhTurbinetripsignalOne~f-twohighintermediaterangenuclearpowerallowsmanualblock,twomf-twolowintermediaterangenuclearpowerautomaticallyreinstatestrip.~bypassonindividualchannels.."~ye~allyblockedifpeanissivecircuitP-10iscleared.
~'
~ssiveCircuits(Cont'd)tofPessluabaapuaaaiaa~Xauapermissivepower(blockvarioustripsatlowpower)BlocksingleprimarylooplossofflowtripBlockreactortriponturbinetripThreemf-fourlownuclearpowerandonemf-twolowturbineimpulsestagepressureThreeof-fourlownuclearpowerThree~f-fourlownuclearpowerandcondensersteamdumpavaQ-able(notlockedoutbyhighcondenserpressureorbylossofbothcirculatingwaterpumps)103.1.>>RODSTOPSPermitmanualblockofintermediaterangepowerleveltripandrodstopandlowpowerrangetripTwo-of-fourhighnuclearpowerallowsmanualblock,thre~f-fourlownuclearpowerautomaticallyreinstatesthetripsAcompletelistofrodstopsisnotedbelow.RdStopListFuaaataaa)Roddropb)NuclearOverpowerActuationSinalOne~f-fourrapidpowerrangenuclearpowerdecreaseoranyrodbottomsignalOneof-fourhighpowerrangenuclearpowerorRodMotiontobeBlockedAutomaticwithdrawal(redundant,contacts)Automaticandmanualwithdrawalone-of-twohighintermediaterangenuclearpower3.1-9 t~g 4-top~st(Contd)UjjCj:Xjjnc)iU.gh4TActuationSinalOne-of-fouroverpower4Torone-of-fourRodMotiontobeBlockedAutomaticandmanualwithdrawalovertemperature4T(Manualbypassonindi-vidual4Tchannels)(Actuationofthisrodstopinitiatesacontinuousturbineloadreductionuntiltheactuationsignalis'emoved).d)Lowpowere)TavgdeviationOne-ofmnelowturbineimpulsestagepressureOne-of-fourTdevia-avgtionfromaverageTavgAutomaticwithdrawalHAutomaticwithdrawalandinsertion3.1.5LQXCATIONFControlBoardXndicatorsandRecorder-Alltransmittedanalogsignalswhichactuatereactortrips,rodstops,ozpermissivecircuitsareeitherindicatedorrecordedforevery.channel-Also.variabletripsetpoints(overpower4Tandovertemperature4T)areicatedorrecordedforeverychannel.CentralBoardAnnunciatorPanel~yofthefollowingconditionsactuateanalarm:Reactortrip(firstoutannunciator)b).aztialreactortrip(anychannel)~wioz~i<<deviationofanycontrolvariable(pressure,T,pressurizerlevelavg'linuclearpower,andsteamgeneratorlevel)foranychannel.3.1-10
~>>~t'lvl%1~yWC~ns'r,zy~\~
';t"o>.3oardStatusPm&statusofeachreactortrip'c"onthetripstatuspanel'-'.channeliscontinuouslydisplayedIstatusofeachpermissivecircuitiscontinuouslydisplayedonthpe~sivestatpanel~~'reactortripchannel;bypassis.continuouslyindicatedonthehyposstatuspmn-'I17~a3.1-11 sPk
.,yll+~~lIE~TgtpI.fluuual2.HighnuclearfluxCplHClUEHCY.ClRCULTRYblHTERIXKKS1/2,nointerlocks2/4,nointerlocksforhighsettingP-10forlowsettingl.'ON1kl)1SHighandlowsetttngs;manualblockandautomaticresetoflowsetting3.',llighnuclearflux(inter>>mediaterange)Highnuclearflux(sourcerange)1/2qP-10I2/4;nointerlocks2/4,nointerlocks2/4>blockedbyP-72/3>nointerlocks2/3,blockedbyP-75,OvertemperatureLiT6.OverpowerhT7.Low'ressure8.9.HighpressureHighpressurizerwaterlevel10a.LowFlop10b.Pumpbreakertrip10c.Undervoltage10d.UnderfrequencySISactuation12.Turbinetrip13,Lowfeedwaterflow14.Low-lowS.G.waterlevel2/3perloop~p7~P>>S1/1perloop]P7)P+S1/2t'1/2~P-71/2+1/2P-71/3,.(lowpressurizerpressureandlowpressurizerlevel);2/3Lowpressureinanysteamline;or2/3highcontainmentpressure2/3autostopoilor2/2stopvalves>P;7]P-91/2+1/2perloop,(flowmismatchincoincidencewithlowleyel)2/3$perloop h0Taygn>AYOK4T388ATsetpoint1ComparatorC3.C3C42/4ogichotTcComparatorRodStop0~POWERATCHANNEL(ONECHANNELOFFOURSROHH)FIGURE3.1-2 l.l CONTROLSYSTEHtamdumPareavailable:condensex'umPandatmosPheric<clevalvearrangementisshownonFigure3-2-1-yqsteamcyC0gDENSERS~QUMPSYSTEMSvseaDesisteamlinesareinstalledtodumpsteamfromthesteamgeneratorsdirectlycothecondenser,bypassingtheturbine.Connectionswiththesteammainsaxedownstreamofthestea'mmainisolationvalves.ralvesandLLnesaresizedtopass35Xofturbineauuctunancalculatedsteamflowatfullloadsteampressure.Condensersteamdumpperformsthreefunctions:Followingasuddenlossofloadofupto210MRe{about45Xof=aximumcalculatedturbineload),condenserdumpactsasanartificialloadremovingexcesspowerandstoredenergywhilethereactorpowerisdecreasedtomatchthexeducedturbine\Inthismanner,thecondensersteamdumpactstopreventareactortrip.Condensersteamdump,togetherwithfeedwateraddition,removesstoredenergyintheReactorCoolantSystemfollowingaplanttrip,bringingtheplantroequilibriumnoloadconditionwithout3.2-1 rofthesteamgeneratorsafetyvalves.Italsomaintains~tuationo1tathotshutdownbyremovingresidualheat.ggpJ.antatsersteamdumpisusedforplantcooldowntocoldshutdown.condenserste~~ersteamdumpisusedtoimproveoperationalflexibility.Foraplanttripmayoccurfollowingalargeloadreductionif~le,apan~4.usersteamdumpisnotavailable.~condensersteamdumpsystemusesmodulating,Unear-characteristics,~~cratedvalves(airtoopen).Theirstroketimeisapproximately5aecaads.Xnaddition,theycanbetrippedfromthefullyclosedtotatefu11openpositionwithin3secondsafterreceivinganinputeLectrictripsignal.Whilethistripsignalexists,thevalvesarebahf~thefullyopenposition.Whenthetripsignaldoesnotexist,chevalvepositionisdeterminedbyavariableinputelectricalsignal-Forcondenserprotection,condensersteamdumpisblockedbyhigh~enserpressure.Otherinterlocks'describedbelow)areused~~esamemannertoavoidspuriousoperation.~pur'<<ousactuationofsteamdumpmaycauseaplanttripInaddition,'-theralvesstayopen,anuncontrolledcooldownresults.Forthesethesteamdumpcontrolsystemisrequiredtomeetthecriterionsignalfailureshallcausespuriousactuation-3~2~2
ControlSystemalblockdiagramfortheCondenserSteamDumpControl~efunctonSvstemisshownonFigure3.2-2.LoadReectionControl."-orpartiallossofturbineload,steamdumpiscontrolledbytheerrorsignalbetweenTandTf,whereTistheaverageoffouravgref'vgreactorcoolantaverage.temperaturesand.T"istheprogz~ed,se~ref,pointforTasafunctionofturbineload.(ThesesignalsaretheavgsameasthoseusedintheReactorControlSystem.)Followingaturbineloaddecrease,Tisimm'ediatelyresettoalowervalue,causinganreferrorsignal.Iftheerrorsignalexceedsthedeadbandfortheload.re)ectioncontroller,thedumpvalvesaremodulatedopen.IftheerrorsignalexceedstheHIsetpoint,atrip.signalisgeneratedwhichrapidlyopensfouroftheeightvalvestotheirfully~~enposition.At'heoccurrenceofaHZ-HItripsignal,alleightvalvestripopen.Thedistinctionbetweenmodulatingandtrippingvalvesopenismadebecauseofthedifferenceinrequiredtimeforbothoftheseactions.Ifvalvesarealreadymodulatedopencorrespondingtotheerrorsignal<<thetimeatripopensignalisgenerated,noadditionaltripactiontakesplace.Sin~ethesteamdumpsystemrequiresafinitetimeto,act,anincreaseistobeexpected.Lead/lagcompensationforTincreasesavgavg3~23 gfTontheerror,therebycompensatingforthelegs~gcectoflresponseandvalvepositioning.sreactorpowerbycontrolrodinsertion.reducesreactpointsteamdumpisreduappx'oachesavgvalvesarefullyseatedMenoughtobehandledoontroLsystemalone.~~dcontratrolsystemalsoactingontheT-Tferrox'ignal~avgrefLnordertopreventactuationofsteamdumponsmallloadperturbations,,rablockisprovidedwhichpreventsvalveresponsetoeitherthetrip~modulatesignalunlessaturbineloadreductionhasoccurred.AIlelcaentsofthischannel,includingtheturbineimpulsechamberpressuretap,areindependentofthesteamdumpcontrolsystemdescribedabove.4rate/lagunitinthischannelgeneratesanoutputproportionalto~rareofdecreaseinturbineload;Thisoutput,whenindicatingaLoadrejectiongxeaterthanlOXstepor5X/mLnuteramp,removestheOnceunblocked,thisblockismanuallyxeset.Minual-contxolof~teamdumpalsoremovesthisblock.7uxbincTriControl~~eofthelaxgeheatcapacityoftheReactoxCoolantSystemand~~highTatfullloadthesteamgeneratorsafetyvalveswouldavg~'~owingaturbinetripiftherewerenoothermeansofremovingedheat.'ondensersteamdumpandsubcooledfeedwaterflow3.2-4
planttothermalno-loadequilibriumwithout~~edtobring-leasetoatmosphere.eeaIetrip,monitoredbylossofturbineautostopoilteoheloadre]ectionsteamdumpcontrollerisdefeatedandplanttrptripcontrollerbecomesactive.IntheTcontrolmode,avgrsignalisT-Td'ndsteamdumpisproportional~errorsgnavgno-Load'hesameerrorsignalisusedforon-offcontrolof~fe~>>tercontrolvalve,asdescribedin3.4,SteamGenerator~LControl.AsT.isreducedtoitsno>>loadsetpoint,steam'vgreducedandfeedwaterisshutoff.Asinthecaseofploadre)ection,iftheerrorsignalexceedstheHXsetpoint,atripasgaaLwgeneratedwhichtripsopenfouroftheeightvalvestotheiriull~penposition.AttheoccurrenceofaHI-Hltripsignal,all~ghtvalvestripopen.GeneraUy,thevalvesarenotclosedcompletelyl~useofdecayheat.No-loadconditionsareestablishedwithinmominutes.pressureControl'or><<gtermremovalofresidualheatathotshutdown,o~duringplantit>rtuporcooldown,theplantoperatorcanmanuallyswitchtosteamderpressurecontrol.Inthiscontrolmode,condensersteamdumpomaintainapresetpressureinthesteamheader.Amanual~tionisprovidedsothattheoperatorcanad)ustthesetpoint~<<ssureormanuallypositionthevalves.3.2-5
~pbbsj, S>H~ZCS~RELIEFSYSTEHsteamreliefvalvesaremountedonthesteammainsupstreamuoayher'csteamves.Atthesetpre4g~>osteam(about1050psig),flowcalcu'chaveprovisgonfeslessthanZ0Providedtoreducedtopermitaplantoolds'cediadumpisnotavailable.Thesefunctionsareexplainedbelow.a)Ifaplanttripiscausedbylossofcondenservacuum,condenserdumpmbIocked.The'steamgeneratorsafetyvalvesareavailabletoremovestoredenergyfromtheReactorCoolantSystem.Atmos-@heroicsteamreliefreducesthesteampressurebelowthesafetyvalvesetpressurewithintwominutesafterthetrip.Thisprevents'ontinuouschatteringofthesafetyvalvesasresidualbeatmremovedfromthereactor.Plantcoo]downisaccomplishedbysteamdump.Ifcondens<<dumpnotavailable,theatmosphericreliefisadequatetocoold~tothetemperatureandpressureatwhichtheresidualheatremovalsystemcanbeused.3.2-6
C)Zntheeventofaplanttripcausedbyanoverpower/overtemperatureconditionorbyafaU.ureinthefeedwatersystem,theatmosphericsteamdumpprovidesadditidhalreliefcapacity,reducingthepro-babDityofsafetyvalveactuation.Separatecontrollersareprovidedfortheatmosphericdumpvalvesonthetwosteamgenerators,permittingindependentpressureregu-lationifthesteamgeneratorsareisolated.3e2~7 TcoldAVGT~at1V2SwlK3PK2ATsetpoitEComparator22]4Logic3C4hotcold'/ComparatorRodStop0$EBTEMPEBATUREATCHANNEL(ONECHANNELOFPOURSHOWN)P1GVRE3.1-1 F~.~~'IrlEnMlEHEl/ATORNntrr.)VAlVNISAtIMYAllglJIOOla'nONVALVEBYPASS.VALVEHAINFEEDWATEEkLN.IQ'AI.VLIIA)IATIlNliOlla:KTOTURBINECON1'AINMENTAUXILIARYFEEUHATER+PgoIiCONDENSERSTEAMDUMPVALVES<<TEAMIEHERATORBMAINFEEWATERTOCONDENSERAUXILIARYFEEOHATERFigure3.2-1STEAMCYCLEVALVEARRAMEMENT Ii
~en/LAGCOMPENSATIONSTEAMDUMP)ERPRESSURECONTROLLERrRATE+RESETAUTO"MANSTATIONPROP.ANALOGSWITCHOPERA-TINGONTURBIHETRIPSIGHALSTEAMDUMPSELECTORSWITCHMODULATECOHDEHSERDUMPVALVESLEAD/LAGCOMPENSATION((<>>s).IJf<Sgl+fg$)LTRZICOmZROLIhRHi-TURBZHETRIPINTER-LOCKLOGICTURBINE-TRIPSIGNALTRIPOPEHGROUPAVALVESORTRIPOPENGROUPA8cBVAL~STEAMDUMPVALVES.TRIPOPEHONLYIFUHBLOCKSIGNALISPRESENT(SEEBELOW)HjELOSSOFLOADINTERLOCKr:J+A--ROPRIATEPOSITIONOHSKZCTORSWITCHZHTKGDCKFigure3.2-2CONDENSERSTEAMEUMPCONTROLSC1HHEUHBLOCKSTEAMDUMPVALVESSIGHALTURBINETRIPSIGNALBYPASSESLOSSOFLOADINTERLOCKAHDUHBLOCKSSTEAMDUMPVALVES 1f'V(Y+gpQ+g+q+glYf"Al+J1l 33REACTORCONTROLThebasicReactorControlSystemconsistsofthreechannels,whichareretemperature(T),powez'ismatch(QT-Q)andreactorcoolantavg'x'essure(P)~Theoutput'ofthesethreechannelsisusedtodrivethecontrolrodsviatherodprogram.AschematicrepresentationofthecontrolsystemisgiveninFigure3.3>>1.ThefunctionsofeachofthesechannelsareasfoU.ows:a)TomaintaintheprogrammedTasaccuratelyaspossibleavgb)Toberesponsivetoloadperturbationswithoutcausingunduemovementandreactortripsc)Totakecorrectiveactioninthecaseoflargeloadchangesifthepressureexceedsthelimitsofthenoxma1pressurecontrol.TheTeratureChannelThetemperaturechannelfunctionstomaintaintheprogrammedtemperature-(T)asaccuratelyaspossible.Themainrequirementsofthischannelavgarethatitshouldbeaccuxate,stableandrepeatable.Thisisthedominantcontx'olchannelinsteady-stateconditions.'hePowerMismatchChannelThepowermismatchchannelsprovidecontrolstabilityandfastresponset>>oadpertuxbations.Theoutputisproportionaltothemismatchbetweenturbinepowerandnucleaxpower.Ahigh-passfilterinthischannelensuresthatsteady-statecalibrationerrorsintheinputpowersignals"asnoeffectonsteady-statecontrol.3.3-1
.atI,'gl~jl
~otherrequirementofthischannelisthatitssteady-stateoutputshouldbezeroeventhoughaAxedoffsetinpowersignalsmayexist.ThePressureChannelThischannelisprovidedtopreventlargepressurechangesfoU.owingalargechangeinpower.ItretardstherateatwhichthecontrollerchangesTtoitsnewprogrammedsetpoint.(IfTweretobechangedavgavgtoorapidly,pressurizerpressurecontxolmightnotbeabletomaintainpressurewithinthenormaloperatingrange.)Thepressurecontrolchannelhasanadjustabledeadband,sothatonlylargepressurechangeshaveaneffectonrodmotion.Thischannelisnotrequiredforinitialplant.operation.TheRodSeedProamTherodspeedprogramismadeupoffourparts:ariadjustabledeadband,aminimumspeed,aproportionalspeed,andamaxLmumspeed.TheauucLannnspeedisdictatedbythemechanismdesign.A11theothersettingsaread)ustable.Expectedsetpointsare+1.5Fforthedeadband,and+5Fforamximumrodspeeddemand.Theoutputsfromthethreechanne1smentionedabovefeedintothesummingamplifierassociatedwiththerodprogram.3a3~2 Ijgg~gi4t'~s~A)tl(~
Il.(I~')F~As)uAVOlTurbineImulsePressure~gS+1Speed4n+ETSt6S+10ariableGain+PressurizerPressureEtyS+1~88+1PressureSetointREACTORCONTROLSYSTEHFigure3.3-'1
~I~I4j~
CINERATORLEVELCONTROLMoperation,thepositionofthemainfeedwatercontrolvalveisope11edbythethree-elementcontroller(feedwaterflow,steamflow,Atlowloadsabypasscontrolvalveisused.>+tpointofthe1evelcontro11erisafunctionofload,programnedisewithloadbetweenOXand-2OXload.Adeviationalarmprovides~ti~uousmonitoringofthelevelchannelusedforcontxolversustheprogrammedlevel.~>narrow-rangelevelchannelsareindicated.Thewide-rangelevelchannelisrecorded..hesteamflowandfeedwaterflowsignalsazesuppliedbyeitheroftwotransmittersasselectedbyacontxolboardmountedselectorswitch.Thesteamandfeedwaterflowsignalsusedforcontrolarerecordedonatwopenrecorder.":ollowingaturbinetrip,automaticcontrolofthefeedwatervalveisswitchedfromthethreemodelevelcontrollertoonoffTcontrol.avg<1<<edwatercontrolvalvesunderautomaticcontrolarefullyopenedtoadmitauucbnumfeedwater,thenfullyclosedasno-loadTavgapproachedtoavoidexcessivecooldownoftheReactorCoolantSystem.~<<1contzoloffeedwatercontrolvalvepositionisavailableattheontrolboard.ThismodeofcontroloverridesautomaticcontzoloneitherlevelorTavg3.4-1 tO~+~~'"'=*4%-4'ft'%41V~~k/+tpit' ordertopreventexcessive'moisturecazxyovercausedbyhighsteam~eratorwaterlev~.asigalofhighwaterlevelove~desa3.Othertzolandclosesthefeedwatercontrolvalve.Thesignalisobtainedfromcoincidenceoftwo-of-threelevelchanneLsaboveapresetvalue.ThisoverrideisautomaticallyremovedfromthemaincontrolvalvesasthewaterleveldropsbelowChesetvalue.Manualresetisrequiredforthebypasscontrolvalve.Thesignalsaffectingfeedwatervalvecontrol,inincreasingtheorderofpriority,arelistedbelow:a)Three-elementlevelcontroloron-offTcontrol(dependentonavgwhethezornot'turbineistripped)b)Manualcontrolc)Highleveloverride(closesfeedwatervalves)d)SafetyInjectionSystemactuation(closesfeedwatervalves).Awide-rangelevelchanneL,calibratedforno-loadconditions,faprovidedcoallowmanualcontrolathotshutdownandisalsousefulatcoldshutdownThischannelincludesarecorder.3.4-2
~PROTECTIONSYSTEM~~qBRINJECTIONSYSTEMACTUATIONQEEIYfactuatingtheSafetyInjectionSystemhavebeennotedinoactThoseparticularlyconcernedwithsteamlinebreakpro-~~43~~~aarelowsteam1inepressureandhighcontainmentpressure.~Anareolowsteam~steamlinepressuresignalisgeneratedbythecoincidenceof~fthreechannelsbelowapproximately500psigforeithersteamline.~~highcontainmentpressuresignalisgeneratedbythecoincidenceof~f-threechannelsaboveapproximatelytenpercentofcontainment~ignpressure.3.5.2FEEDWATERLINEISOLATIONAnysafetyinfectionsignalisolatesthemainfeedwaterlinesbyclosingallfourmaincontrolvalves,trippingthemainfeedwaterpumps,andclosingthepumpdischargevalves.3.5-3STEAMLINEISOLATIONa)Highsteamflowincoincidencewithanysafetyin)ectionsigna1closestheisolationvalveinthatsteamUne.One-out-of-twosteamflowsignalsaboveaHI-HI~pp(approximately120XoffuLlloadsteamflow)One-out-of-twosteamflowsignalsaboveaHItrippoint(approx-imately20Xoffullloadsteamflow)incoincidencewithtwo-out-of-fourlowTsignals(belowapproximately540'7)avg3.5-1 llIJ,J,="4~1'~~"J bi~ecoincidenceoftv~f-threehighcontaf.nmentpressuresignaLsRctustion~3.5-2 A'~8)
.OV<VDCONTROLSYSTEMSDESIGNPRINCIPLESPUNCTIONALDESIGNphilosoohyforfunctionaldesignProtectionSystemistoderiveposon~rewirectlyfromtheprocessvariablesofinterestwheneverpossible.~oner,safetylimitprotectionisassuredindependentofthetingacc'dent..~ertemperaturehighdelta-TtripprotectsthecoreagainstDeparturenucleateBoiling(DNB)forallcombinationsofpressure,temperature,~r.andaxialpowerdistribution.Thus,thissingletrippreventsDNB!'r.-cd<<ithdrawalaccidents,borondilution,xenonoscillations,andcxcessireloadvariations.Protectionagainstotherlimits,suchasexcessvepower,densityandsystemoverpressure,isalsoprovidedbyclose~itorinzofthevariableofdirectinterest.;cce="aincases,however,thesegeneralprotectionfunctionsarenotrapidenough,orcompleteenough,toassureprotectionagainstaspecificaccident,suchaslossofcoo~~ntflow.Inthesecases,specifictripfunctionsareorovidec,suchasreactorcoolantpumpbusundervoltageandreactorcoolant~orce""ainmorecre"'bletransients,suchasturbinetrip,areactortrip4-sderivedfromthe.nitiatingevent-eventhoughsafetylimf.tswouldnotoeexceededifareac":=tripweredelayeduntilanoverpressureorover-tempera=urerri"oc""red.1nthismanner,undesirableexcursionsarepreven=ed,rathet"..scterminated.4.1-1 certainprotectivefunctionsareprovidedprimarilytoensuretheF~~lly,ceufngintegrityofplantcomponentandpipingsystems.Examplesinclude-ortriponhighpressurizerwaterleveltoprotectsafetyvalverelief.eacor@fanCoandreactortriponlossoffeedwatertoanysteamgenerator.(The@clear'ossofsafetyrequirementistopreventcompletelossofheatsink;i.e.,feedwatertoallsteamgenerators.)."-orequipmentdesignpurposes,nodistinctionismadebetweenthevariouscategoriesofprotectionmentionedabove.ThesamecriteriaanddesignoracticeareappLiedtoallchannels.Otheralternativesareneitherdefensiblenorpractical,sincealloftheseprotectivefunctionsenhancenuclearsafetyandcomplementorsupplementoneanother.:hisapproachrequiresaninstrumentationsystemthatmeasures,onatimely,accurate,andreLiablebasis,dominatenuclearplantprocessvariables.instrumentranges,sensitivity,andtimeresponsemustbeselectedconsistentWththerangeandvariationofeachvariablemonitored.Also,sincemanyprocessvariablesaremonitored,considerableoverlapinprotectionfunctionsisanaturalconsequence.4.L-2
~lst'I~
CONTROLSYS~FUNCTIONALDESIGNPowerlevelandreactorcoolanttemperaturesarecontrolledautomatica3.l.yinaWestinghousePWRPlant.ThereactoriscontrolledtofoU.owanyturbineloadperturbation.Thisisidealforloadfrequencycontrol.TheautomaticReactorControlSystem,therefore,formsanessentialpartoftheplantoperation.Itisbasicallyaregulatingsystemwhichmaintainspropersteady-stateoperatingconditions,therebyassuringadequatemarginstotripsettingsforoperationalpurposesandpropereconomicperformance.Otherautomaticcontrolsystemsarepressurizerpressureandlevelcontrol,feedwatercontrol,andsteamdumpcontrol.Thesesystemsarealsoessentialtomaintainnormaloperatingconditionsortosuppressexcursionsimposedbyoaerationaltransientswithoutrecoursetoprotectiveaction.AsintheProtectionSystemdesign,thisrequiresaninstrumentationsystemthat\measures,onanaccurate,timely,andreliablebasis,'ominatenuclearplaneprocessvariables.Theqevariablesare,forthemostpart;thesameasthoserequiredbytheProtectionSystem:looptemperatures,neutronflux;oressurizerpressureandlevel,steamgeneratorlevel,steamflowandfeedwaterflow.Inaddition,thetimeresponse,instrument,span,and~~nsitivityrequirementsformeasurementchannelsservingeachofthetwo~y~temsaresimilar.Asaresult,primarysensorandtransducingequipmentthatisacceptableforusewiththeProtectionSystemshouldalsobeemployedwiththeControlSystem.FailureoftheControlSystemtoactwhenneeded,orspuriousactuationwhennotneeded,generatesaneedforprotection.Thesafest,plantis4.2-L onipedtobeonethatrequirestheLeastprotection.Forthisreason,wellastheeconomicdesirabilityofavoidingplantoutageswhichcouldgavebeenpreventedbypropercontrolactions,everyeffortismadetoensurereliablecontrol.Whereverpractical,controlinterlocksand/orredundantcontroldevicesareprovidedtoensurethatcontroLactiontakesolacewhenneeded-butonlywhenneeded.Controller-inducedexcursionscausedbyasinglesensorfailurearelargelyeliminatedinWestinghousedesignpractice.
- i.
~g++SFEEDPLOWL3SF1)XgIPROP+INZECIII~I-,IIIIIIIIIPROP+INTEGILEVELCONTROLSYSTEMlIIIPI'2)FWPlFWIIIPEEDWATERICONTROLVALVEIACTUATORIII~/7t~JiIt2/3HILEVEL2/3LO-LOLEVELI2/2I1/2LOFLOWLEGENDFWF-PEEDWATERPLOWTRANSMITTERSF-STEAMPLOWTRANSMITTERP-STEAHPRESSURETRANSMITTERL-LEVELTRANSMITTERI-ISOLATIONAMPLIFIERh-DIPPERENCEAMPLIFIERX-MULTIPLIEREDWATERCONTROLREACTORTRIPREACTORTRIPVALVECLOSUREANDAUX.FEEDPL"IPSTARTANDINDICATORSNOTSHOWN.STEAMGENERATORLEVELCONTROLANDPROTECTIONSYSTEHFIGURE4.2-1
3CONTROLANDPROTECTIONINTERRELATIONAorrentWestinghousePWRsystems,theProtectionandControlSystemsare'ncurrenanddistinctandareidentifiedassuchTheControlSystem><<eer,isdependentonsignalsderivedfromtheProtectionSystemthroughisolationdevices.However,thereisnofeedbackfromtheControlSystem.otheProtectionSystem.>eequipmentdesignphilosophy,illustratedonFigure2-1,isthattheControlSystemsensoristheoutputoftheisolationamplifier.Bythisorinciple,nocomponentsareshared-theyareeitherpartoftheProtectionSystemandarelocatedanddesignedassuch,ortheyarepartoftheControlSystem.ThisisaveryimportantfeatureoftheWestinghousedesign,andpermitsadividingline,bothfunctionaUyandphysically,tobedrawnbetweencontrolandprotection.Italsoensuresthat,inadvertentorIdeliberatechangestotheControlSystemhavenomoreeffectonthePro-IrectionSystemthaniftheControlSystemcontainedindependentsensors.Thedesignrequirementfortheanalogisolationamplifiersistoisolatethe~<<tectionSystemfromanyelectricalfaultswhichmightoccurinthe<<<<rolSystem.Extensivetestswereperformedtodemonstratethis'apability.Inthesetests,shorts,grounds,anda-candd-cvoltageswereappliedtotheamplifieroutput.Eventhoughsomeofthesetestswerest<<ctive(i.e.,destroyedtheabilityoftheamplifiertoproduceameaningfuloutputsignal),innocasewasanyperceptibledisturbancefedac"intotheinputcircuitandhencetotheprotectionSystem.4.3-1 0
Thepresenceorabsenceofregulatingcontroldevicesonthedownstreamsideoftheisolationamplifierhasnoeffectontheisolationrequirements.ThesameequipmentanddesignrequirementwouldexistevenifthesesignalswerebroughtoutoftheProtectionSystemmerelyforremotereadoutanddata-logpingpurposes.Sincechanne1isolationcannotbereliablymain-tainedonthecontrolboardorattheinputterminalstoadata-logger,anisolationdevice(amplifierorimpedancenetwork)intheprotectionchannelrepresentstheonlyfeasiblewaytopreserveprotectionchannelindependence.CertainfailuresintheProtectionSystemcouldconceivablynegateapar-ticularchannelofaprotectivefunction,simultaneouslycausingspuriouscontrolactionthatmight,requireprotectiveactionfromthatsamefunctiontopreventtheexcursionfromexceedingdesignlimits.Suchpossiblefailureisdealtwithinaccordancewiththeproposedstandard,"Criteria<orNuclearPowerPlantProtectionSystems",IEENo.279,Section4.7,whichrequiresthatforsuchafault,asecondfailurebeassumedinthe'ProtectioneInmostcasesin'whichcontrolisderivedfromprotection,Westing-"sedesignmeetsthiscriterionbyprovidingatwo-out-of-fourProtectionSystemLoaic.Forexample,asshowninFigure4.3-1,'afailurecanbe"s~edinProtectionChannelLwhichcausesthatchanneltoindicatehigh.defeatsthelowpressurereactortripforthechannel,andalsomay"ePressureControlSystem(reliefvalvesandspray)torapidlyreduce~assure.However,threeofthepressureprotectionchannelsareleft-.@achedtsuretPndareactortripwouldautomaticallyoccurwhenanytwoofthem Tthisadditionalredundancyisnotnecessarybecausesuchothercases,cannotcausethesafetylimitstobeexceeded.ThisfactcancannoillustratedbyFigure4.3-1.Alossofsignal(lowindication)bcassumedforProtectionChannel1.Thisdefeatsthehighpressurebcassumeorthatchannelandmayalsoenergizethepressurizerheaters,causingl~increaseinpressure.IfanindependentfailureisassumedinChannel2,gglownccactortripwouldoccurwhenthepressurereachedthehighpressuretrip~taintsinceonlyoneofthethreehighpressuretripchannelsisleftHowever,underthisconditionthesafetyvalvesonthepressurizerg<c~orethanadequatetoensurethatthehighpressuresafetylimitisnotacceded.Section4.4discussesallsuchcontrolandprotectioninteractionsforamccificplantdesign.Inthatsection,itisnotedthatnumerousoperational-'cfensesagainstthesefailuresexistinadditiontotheprimaryor"protectiona'ade"defense.Manyoftheseadditionalbarriersto.anundesirableexcursionN4c'cmadepossiblebymakingredundantinformationavaQ.abletotheControlSystem.+cpossibilityofcommon-modefailurecannotbecompletelyruledout;itis<<<<eivablethatallidenticalchannelsbehaveidentically,butincorrectly..""-hiscase,thequestionofControlSystemdependenceontheProtectionemisirrelevant.Ithasbeenrecognizedthatlittle,ifany,additionaldeeree<<<<ofprotectionisachievedbyhavingseparate,butidentical,instru-"tchannelsforcontrolandprotection.Indeed,WestinghouseconsiderstseparationinthismanneractuallydeprivestheprotectionSystemof4.3-3
eoftheday-Sy&ay,hour-by-hoursurveillancegiventoinstrumentchaelsneededforroutineplantoperation.Afurther,althoughoftenggnoreddisadvantageofproliferationofidenticalchannels,istheattendantincreaseinvisualdisplaysandinformationprocessingproblemsofsignificantoroportions.(Timely,accurateandcomplet~LnformationreadoutisrequiredbytheIEEEcriteriapreviouslyreferenced.)'frequentlyexpressedconcernistheneedforassurancethattheProtectionSystemwillnotbeinadvertentlymodifiedduringthe40-yearlifeoftheplant,ThisisoccasionallycitedasanargumentagainstcontroldependenceonProtectionSysteminformationWestinghousecompletelyagreesthateveryprecautionmustbetakentoensureadequatereviewofanyfuturemodificationthatcouldaffecttheProtectionSystem.SuchassurancecanonlybeachievedbycompleteattentiontodetailsinProtectionSystemdesign,operationandmaintenance.ThismustincludeIidentifica'tionofsystemcomponentsondrawingsandonthaequipment',documentationofthesystemdesignanddesignbasis,andestablishmentofgroupstoreviewallproposedinstrumentchangesthatcouldaffect'plant~safetyorplantoperations.Itisfallacioustobelievethatindependentcontroladdstothisassurance.Infact,suchindependencecoulddecreasetheprobabilitythatanecessarycorrectiontotheProtectionSystemwillbeInadequacyofcontrollerdesignrequirescorrectiontoallowplantoperationtoproceed;inadequacyofprotectionissometimesdiscoveredonlyafteranincident.4,34 ControlSystemmodificationsmayberequiredtoimproveplaatoperation.porencamp1e,afi1termayhavetobeaddedtoachievestability.Asacontrolmodification,thiswouldlogicallybeperformedintheControlSystm;i-e-7downstreamoftheisolationdancesseparatingtheControlandProtectionSystems.Physicalseparationandidentificationofequipment(separateracksforControlaadProtectionSystems)andadmini-strativeprecautionsensurethatthelogicalrouteis,iafact,theoneused.Evenadvocatesofcompleteindependencebetweencontrolandprotectionrecognizethedesirabilityandfeasibilityofusingprotectionsignalsfornon-protectivefunctions...hisintroducesthepossibilityofthesesignalsbeingdivertedforotherpurposesunlessacarefulreviewandadherencetodesignbasesisenforced.Thedivisionbetweencontrolandprotectionisnotalwaysclear.Thisreflectsdifficultyindefiningthefunctionachieved,ratherthaninequipmentdesignimnlementatioa.Definitionsthatplaceallreacto'x"tripaadsafeguardsactuationinstrumentationintheProtectionSystem,andallautomaticregulatinginstrumentationintheControlSystem,clearlyleavemanyimportantitemsinbetween.Anotherdefinitionadvanced'isthattheControlSystemis"allinstrumentationwhichisnotprotection,"andtheProtectionSystemis"thatinstrumentationwhichmustworkwhenneeded(topreventunacceptableconsequences)."ThislatterdefiaitioahasconsiderablemeritforgeneraldiscussionsandisusefulinJudgingwhetherornotaparticularitemisa"protection"itemornot.However,iftakenasarigiditisdifficulttoapplytoalldesigndetails,asisshowabelow.4.3-5 Pzexamplealarmsand/orcontrolroomindicationsderivedfromprotectionhannelinformationareessentialiftheoperatoristobeproperlyandcontinuinglyinfoxmedoftheProtectionSystemstatusandthestatusofplantsafety.Aspx'eviouslynoted,thesealarmsandindicationsazerequiredbythereferencedIEEEcriteriaasavitalpaztoftheProtectionSystem.ordertomaintainprotectionchannelisolation,Westinghouseequipmentdesignpracticeassociatesremoteindicationwiththeoutputoftheisolationdevice.Otherfunctions,suchascontrolinterlocks(e.g.,rodstops)areoftenhighlydesirable,andmayevenbeessentialtoplantsafetyifanumberofmalfunctionsormaloperationsshouldoccursimultaneously(i.e.,beyondthenormaldesignproundrules).Westinghousehasusedtheterm"supervisory"forthatcategoryoffunctionsthat.isneitherclearlycontrolorprotection.(ThisisafunctionalIdesignationonly,anddoesnotimplyathirdcategoryforequipmentdesign.)Supervisoryfunctionscanbefurthersubdividedintotwotypes:thosethatareinformativeonly(indicators,recorders,alarms,anddata-logging);andthosewhichautomaticallyacttoarrestdeterioratingconditionsbeforeprotectiveactionisneeded.(Thislattertypehasbeentexmedi"override",or"protectiveoverride.".)Sincethequestionisoneofwhethermanualorautomaticinterventionisintended,thevalueofdistinctionislimitedtofailuremodeanalysisofautomaticcontrollers.4.36 N%&At'9"r.l~r' westinghouserecord.zesthateach"supervisory"functionmustbeconsideredonitsownmeritstodetermineifitshouldformpartoftheprotectionortheControlSystem.Acompletelistofprotection,control,and"supervisory"functionsisincludedintheAppendix.4.3-7
~+m8w4':'ln1' PROTECTION~axWELPROTECTIONCHANNEL2PROTECTIONCHANNEL3PROTECTIONCHANNEL4PTiPQ~~~PC'~HIPR.T.tPC~LOPR.T.IIISOL'.~~PC~HIP'.T.PC'OP~ISOLQPT"PQPC'~HIPR.T.)PCLOPSOLgPTPgQPCLOPR.T.SOLIrILPRESSURECONTROLSYST~IIIIIPRESSURECONTROLSYSTEH(INCLUDESSIGNALCONDITION-INGANDCONTROLLERSANDINTERLOCKSFORHEATERS,SPRAYANDRELIEFVALVES)PT-PRESSURETRANSHITTERPQ-POWERSUPPLYPC-CONTROLLERISOL-ISOLATIONAHPHI(LO)R.T.-HIGH(LOW)PRESSUREREACTORTRIPPROTECTIONSYSTEMCOMPONENTSCONTROLSYSTEMCMPONENTSINDICATORS,ANDRECORDERSARENOTSHOWNPRESSURIZERPRESSUREPROTECTIONANDCONTROLSYSTEMSDESIGNFIGURE4.3-1 th(OP'I4A4'g~
SPECIFICCONTROLANDPROTECTIONINTERACTIONSdesignbasisfortheControlandProtectionSystempermitstheuseoffoxbothprotectionandcontrolfunctions-Wherethisisdone,>lequipmentcommontoboththeprotectionandcontrolfunctionsareclassifiedaspartoftheProtectionSystem.Isolationamplifiersprevent.aControlSystemfailurefromaffectingtheProtectionSystem.Inaddition,MherefailureofaProtectionSystemcomponentcancauseaprocessexcursionwhichrequiresprotectiveaction,thePxotectionSystemcanwithstandanother,independentfailurewithoutlossoffunction.Generally,thisisaccomplishedvithtwo-out-of-fourtriplogic.Also,whereverpractical,provisionsareincludedintheControlorProtectionSystemtopreventaplantoutagebecauseofsinglefailureofasensor.ThefollowingdiscussionofspecificcontrolandprotectioninteractionstisbasedonthedesignfortheRobertEmmettGinnaNuclearStationoftheRochesterGasandElectricCo.(RGE)-ItisxepresentativeofcurrentWestinghousedesign-practice.4.4.lNUCLEARFLUXFourpowexrangenuclearfluxchannelsarepxovidedforoverpowerprotection.so~<<edoutputsfromallfourchannelsareaveragedforautomaticcontrol<odregulationofpower.Ifanychannelfailsinsuchawayastopxoduce~owoutput,thatchannelisincapableofproperoverpowerprotection-Inpinciple,thesamefailurecouldcauserodwithdrawalandoverpower.Two-"t<<-fouroverpowertriplogicinsuresanoverpowertripifneeded,even"ithanindependentfailureinanothexchannel.4'>>l ddition"theContxolSystemrespondsonlytorapidchangesinindicatedf1~.slowchangesordriftsareoverriddenbythetemperaturecontrolnucleartial.Alsoarapiddecreaseofanynuclearf1~sig1blockautisticxowdwithdrawalaspartoftheroddropprotectioncircuitry.Finally,anoverpowersignalfromanynuclearchannelblocksautomaticrodwithdrawal.Thesetpointforthisrodstopisbelowthexeactortxipsetpoint.4.4.2COOLANTTEMPERATUREFourtemperaturechannels,eachcontainingaTavganda4Tsignal,areusedforovertemperature-overpowerprotection.IsolatedoutputsfromallfourTsignalsare,alsoaveragedforautomatic.controlrodregulationofavgpowerandtemperature.Inprincipal,aspuriouslylowTsignalfromone.sensorwouldpartiallydefeatthisprotectionfunctionandalsocauserodwithdrawalandovertemperature.Twomut-of-fourtriplogicisusedtoinsurethatanovertemperaturetripoccurs,ifneeded,evenwithanindepen-dentfailureinanotherchannel.Inaddition,channeldeviationalarmsintheControlSystemblockautomatic<<dmotion(insertionorwithdrawal)ifanyTavsignaldevtatessignificant3.yfromtheothers.Automaticrodwithdrawalblocksalsooccurifanyon~f-<<urnuclearchannelsindicatesanoverpowerconditionorifanyoneof-fourtemperaturechannelsindicatesanovertemperatureoroverpowercondition.Finally,asshowninSection14.3..2,oftheRG&EFinalSafety'AnalysisReport,th<<ombinationoftripsonnuclearoverpower,highpressurizerwaterlevel,ndhighpressurizerpressurealsoservetolimitanexcursionforanyratefreactivityinsex'tion.4.4-2 PRESSURIZERPRESSUREpressurechannelsareusedforhighandLowpressureprotectionandFforoverpower-overtemperatureprotection.Isolatedoutputsignalsfromthesechannelsalsoareusedforpressurecontrolandcompensationsignalsforrodcontrol.Thesearediscussedseparatelybelow.ControlofRodMotiononeofthepressurechannelsisusedforrodcontrolwithalowpressuresignalactingtowithdrawrods.Thediscussionforcoolanttemperatureisapplicable;i.e.,twowutwf-fourlogicforoverpower-overtemperatureprotectionastheprimaryprotection,withbackupfrommultiplerodstopsand"backup"tripcircuits.Inaddition,thepressurecompensationsignalis,LimitedintheControlSystemsuchthatfailureofthepressuresigna1cannotcausemorethanaboutaLO'FchangeinT.ThischangecanbeavgaccommodatedatfullpowerwithoutaDNBRless.thanL.30.tFinally,thepressurizersafetyvalvesareadequatelysized.topreventsystemoverpressure.PressureControlLowPressureAspurioushighpressuresignalfromonechannelcancauselowpressurebyspuriousactuationofsprayand/orareliefvalve.AdditionalredundancyisprovidedintheProtectionSystemtoinsureunderpressureprotection;<.e.,two~ut~f-fourlowpressurereactortriplogicandone-out~f-threeLogicforsafetyin)ection.(Safetyin]ectionisactuatedonone-outmf-threecoincidentLowpressureandlowleve1signals.)4.4-3
0addition,iterloclareProvidedinthPressureCtolSystemsuch~tarelief.valveclosesifeitheroftwoindependentpressurechannelsidicateslowpressure.Sprayreducespressureatalowerrate,andsometieisavaiLableforooeratoraction(aboutthreeminutesatmmchnnaspray-atebeforealowpressuretripisrequired.)ThepressurizerheatersareincapableofoverpressurizingtheReactorCoolantSystem.Maxinnmsteamgenerationratewithheatersisabout7500lbs/hr.,comparedwithatotalcapacityof576,000Lbs/hr.,forthetwosafetyvalvesandatotalcapacityof179,000lbs/hr.,forthetwopower-operatedreliefvalves.Therefore,overpressureprotectionisnotrequiredforapressurecontroLfailure.Twomutmf-threehighpressuretripLogicisused.Xnaddition,eitherofthetworeliefvalvescan.easilymaintainpressurebelowthehighpressuretrippoint.Thetworeliefvalvesarecontrolledbyindependentpressurechannels,oneofwhichisindependentofthepressurechannelusedforheatercontxol.Anally,therateofpressureriseachievablewithheatersisslow,andampletimeandpressurealarmsareavailableforoperatoraction.4.4.4PRESSURIZERLEVELThreepressurizerlevelchannelsareusedforhighlevelreactortrip(2/3)andlowlevelsafetyinfection(1/3logiclevelcoincidentwith"Pressure).IsolatedoutputsignalsfromthesechanneLsareusedforvolumecontrol,increasingordecreasingwaterlevel.Alevelcontrol4.4-4
'El
- ailurecouldfilloremptythepressurizeratasLowrate(ontheorderOEfhalfanhourormore).Irggh18V81~reactortriponpressurizerhighlevelisprovidedtopreventrapid4thermaLexpansionsofreactorcoolantfluidfromfiLLingthepressurizer;therapidchangefromhighratesofsteamrelieftowaterreliefcanbedamagingtothesafetyvalvesandthereLiefpipingandpressurerelieftank.However,aLevelcontrolfailurecannotactuatethesafetyvalvesbecausethehighpressurereactortripissetbelo~thesafetyvaLvesetpressure.Withtheslowrateofchargingavailable,overshootinpressurebeforethetripiseffectiveismuchlessthanthedifferencebetweenreactortripandsafetyvalvesetpressures.Therefore,acontrolfailuredoesnotrequireProtectionSystemaction.Tnaddition,ampletimeand.alarmsareavailableforoperatoraction.LawLevelForcontrolfailureswhichtendtoemptythepressurizer,one-out-of-threeLogicforsafetyinfectionactuationonLowLevelinsuresithattheProtectionSy<<emcanwithstandanindependentfailureinanotherchannel.<nadditon,asignaLoflowlevelfromeitheroftwoindependentlevelcontrolchannelsisolatesLetdown,thuspreventingthelossofcoolant.ampuletimeandalarmsexistforoperatoraction.4.4-$
gTEQfGENERATORWATERLEVELPESWATERPLOWbeforedescribingcontrolandprotectioninteractionforthesechannels,itisbeneficialtoreviewtheProtectionSystembasisforthisinstru-mentationThesystemisshownschematicallyinPigux'e4.4-L..ThebasicfunctionofthereactorprotectioncircuitsassociatedwithLowsteamgeneratorwaterlevelandlowfeedwaterflowistopreservethesteamgeneratorheatsinkforremovaloflongtermresiduaLheat.Shouldacompletelossoffeedwateroccurwithnoprotectiveaction,Pthesteamgeneratorswouldboildryandcauseanovertemperatur~verpressureexcursioninthereactorcoolant.Reactortripson'emperature,pressure,andpressuri.e'erwaterleveltriptheplantbeforethereisanydamagetothecoreorReactorCoolantSystem.However,residuaLheataftertripcausesthermalexpansionanddischargeofthexeactorcoolanttocontainmentthroughthepressurizerreliefvalves.Thiswouldbxeachoneofthebarriers-.theReactorCooLantSystemtoreleaseoffissionproducts.Redundantemergencyfeedwaterpumpsareprovidedtopreventthis.ReactortripsactbeforethesteamgeneratorsaredrytoxeducetherequiredcapacityandstartingtimerequirementsofthesepumpsandtominimizethethermaLtransientontheReactorCoolantSystemandsteamgenerators.Xndependenttx'ipcircuitsareprovidedfoxthetwosteamgeneratorsforthefollowingreasons:a)ShouldseveremechanicaLdamageoccurtothefeedwatsx'in'etoones~eamgenerator,itisdifficulttoinsurethefunctionalintegrityoflevelandflowinstrumentationforthat-unit.Porinstance,a4-4-6.
r~c-'c.'(l\1I pipebreakbetweenthefeedwaterflowelementandthesteamos]orppegeneratorexatorwouldcausehighflowthroughtheflowelement.Therapidxessurizationofthesteamgeneratorwoulddrasticallyaffectthedepxessuacelationbetweendowncomerwaterlevelandsteamgeneratorwaterinven-However,theindependentcircuitsonthesecondsteamgenerator~esufficienttoactuateareactortripifneeded.~jgt~rdesirabletomiabaizethermaltransientsonasteamgeneratorforcrediblelossoffeedwateraccidents.CoatxollermalfunctionscausedbyaProtectionSystemfailureaffectonlyaoesteamgenexator.A1so,theydo.notimpairthecapabilityofthemainfeedsratersystemundereithermanualcontrolorautomaticTcontrol.avgHence,thesefailuresarefarfrombeingtheworstcasewithrespecttocoredecayheatremovalwiththesteamgenerators.FrectvaterPlow*Npu<<oushighsignalfrom,thefeedwaterflowchannelbeingusedforcontrolusedcauseareductioninfeedwaterflowandpreventthatchannelfrom~ping.Areactortriponlow-lowwaterlevel,independeqxtofindicated~<<er.low,insuresaxeactortrip,ifneeded."t<<n.thethree-elementfeedwatercontrollerincorporatesreseton~suchthatwithexpectedgains,arapidincreaseintheflowsignal~dcao>>ya12-inchdecreaseinlevelbeforethecontrollerxe-openedeedwatrvalve.Aslowincreaseinthefeedwatersignalwouldhavenog4C+~~ect4.47 CC88Kspuriouslowsteamflowsignalwouldhavethesameeffectasahighceedwatersignal,discussedabove.~rAspurioushighwaterlevelsigna1fromtheprotectionchannelusedforcontoltendstoclosethefeedwatervalve.ThislevelchannelisindeFPendentofthelevelandflowchannelsusedforreactortriponlowflowcoincidentwithlowlevel.a)Arapidincreaseinthelevelsignalcompletelystopsfee@raterflowandactuatesareactortriponlowfeedwaterflowcoincidentwithlowlevel.b)Aslowdriftinthelevelsignalmaynotactuatealowfeedwatersignal.Sincetheleveldecreaseisslow,theoperatorhastimetorespondtolowlevelalarms.Sinceonlyonesteamgeneratorisaffected,automaticprotectionisnotmandatoryandreactortrip..ontwo-out~f-threelow-lowlevelisacceptable.4-4.6STEANLINEPRESSURE~<<threepressurechannelspersteamlineareusedforsteambreakProtection(twomutmf-threelowpressuresignalsforanysteamlineactuatessafBtyin]ectj.on).OneofthesechannelsisusedtocontrolthePowermperatedreliefvalveonthatsteamline.Thesevalves.aretypicallyt<<at10KofthesafetyvalvecapacityAspurioushighpressuresignalC>>hechannelusedforcontrolopensthere1iefvalveandcauseslow~ure~Thisisaslowrateofsteamrelease,evaluatedasacredible4.4-8 breakinSection14.2.5oftheRG&EFinalSafetyAnalysisReport.~theanalysisofsteambreaksofthissize,nocreditistakenforthete~linepressureinstrumentation-Safetyinjectionisactuatedbytheoressurizerinstrumentation.Therefore,acontrolfairedoesnotcreateforthisprotection,andtwo-out-of-threelogicisacceptable.4'g
~~~ATIONe~DEWALACCT~Syst'~evaluationoftherodwithdrawalaccidentisbasedSystemparameters,protectionsystem,andexpectedreactivity?ThedesignbasisfortheReactorProtectionSystemto~tt~ts-carefarrodwithdrawalaccidentsistotripthereactorygececi30DNBRisreachedinthehotchannel.Whilediversityintrumentationisnotapartafthedesignbasis,thesystem~~idleddoesprovidealarms,rodstopsandcontrolfunctionsto~~t>evithdrawalfromproceedingtothetrippoint.Becauseof~~teffectofoverpoweronalltheprocessvariables,additional~!unct~<aswouldacttoterminatetheexcursion,butaot'necessarily~el.30.Extendingthecourseoftheaccident,aDNBRof1.0inthe.~+seeably"isarbitrarilyselectedasaUmitfora.secondLevelofycecectian.(The"hotassembly"isessentia1lythehotchannelwithouta?Xueaacaforengineeringhotchannelfactors.)Nocredit.'istakenfor~!~tteningorLocal,'voidreactivityeffectsatoverpowerconditions.~estpess&isticinstrumenterror.and'setpointsareassumedforaLlItea:tarwips.~icedaverpawerisofseriousconcernbecauseofthepotentialdamagetoDecoredtheReactorCoolantSystem.Systbyeitherthehighpressurereactortrip~seaMcon)unctionwithanyreactor~pat'aterlevityforcoredamage+nWtaevaluauatianiszocusedonthiscance~'.L-L
'~sprottectionagainsttherodwithdrawalleadingtoundesirableconse-quencessisinconsiderabledepth,andthereareindeedmultiplelevelsofPratefro'rectionaslistedbelow.Eachoftheselevelscouldbeindependently~ideredadequate,diverseprotectionagainstanaccident.Becausethereactivityavailablebyrodwithdrawalislimited,onlyveryrarecasescouldcompleterodwithdrawalcausecoredamage.Asingletripfunctionwithredundantchannelsprotectsagainstthiscondition.Nodiversityorseparationisrequired.b)~u1tiple,diverserodstopsareprovidedsuchthatnofailurecancauseasustainedautomaticrodwithdrawal.Therefore,areactortripcouldbeconsideredasbackupprotecti.on.c)For"fast"excursions,tworeactortripfunctionspreventallbutlimitedcoredamage.For"slow"excursions,manualactionisanadequatebackuptotheautomaticprotectionsystem.4)Forallrodwithdrawalaccidents,aeleasttworeactortripfunctionsexist,eitherofwhichwouldagainpreventallbutlimitedcoredamage.FaulttreediagramsareshownonFigure5.1-1and53.-2.5'l.l.PROBABLECONSEQUENCESOPACCIDENTTheadequacy,ordepth,ofprotectionrequiredforanaccidentshouldbemeasuredagainsttheprobabilityoftheaccidentandtheprobableconsequencesoftheunprotectedaccident.Theprobableconsequencesarediscussedhere.Theodtivityavailableisin(alizeburnupmai,ntaine5.1-2 sA distribution,andreduceejectedrodworths).Thedesignallowance~erdstrodinsertionatfullpoweris0.1Xfor"bite"plus0.4Xfortheman-euvergi.e.,rodinsertionmaybeanywherefromO.IXto0.5X.~izhcalculatedvaluesformoderatorandpowercoefficientsatbeginningfcorelife*,0.3XreactivityinsertionisrequiredtoreachahotassemblygggRpf1.0.Also,after20Xcoreburnup,0.5XinsertiondoesnotcauseahotassemblyDNBRlessthan1.0-Therefore,arandom,completerodwithdrawalfromdesignfullpowerconditionswithnoprotectionhasaboutprobabilityofcausing,DNBRlessthan1.0.ThisisillustratedbyFigure5.1.3.Althoughthefigureandtheabovediscussionarebasedonfullpower,theyareequallyapplicabletoaccidentsstartingfromlessthanfullpowersincetheadditionalinsertedrodworthisneededtoachievefullpower.However,itmaynotbepracticaltoguaranteetheseconditionsbecauseallowancesforcalculationormeasurementuncertaintiescansignificantlyaffecttheresults..Figures5-1-4.and5.1.5showsa"worstcase"completerodwithdrawalat25X.ofcox'eIlifefrom102Xpower,nondnalTplus4F,andnominalpressurelessavg30psi.Reactivityinsertionisassumedtobe0.6X,or0.5Xx1.2.(This20Xuncertaintycouldhavebeenapplied,tothereactivitycoefficients-insteadoftherodworth.)M~aumhotassemblyDNBRis0.91,orslightlylessthantheaxbitrarylimitof1.0.Thesametransientat6(Xofcoreknifeisshownfoxcomparison.MfxdnnmLhotassemblyDNBRis1.4&.*RactivitycoefficientsbasedonFigures3Z.1-8and3.2.110inSupplement4totheRGEPSAR,datedOctober23,1968.5.1-3
'I'5.JIC1 leteanalysis,consideringstatisticalvariationsinalluncertainties,Acomp~ddetermineamorevalidvalueortheprobabilityofexceedinganyvouldlivensassfstylimitIfthisvalueweresufficientlysmall,acomparatively~a~i<<protectionsystemmightbejustified.2PROEABII,ITYOFACCZDENT~edesignintentoftheReactorControlSystemistoblockautomatic~dwithdrawalforanyfailurewhichcancausesustainedrodwithdrawaL.~isisaccomplishedbyrodstopsonrapidnuclearfluxdecrease,Tavgchanneldeviation,spuriousrodmotion,andsubsequentrodstopsonhighATorhighflux.Ifrodstopswereconsideredasindependentprotection,ProtectionSystemcriteriawouldbeapplied.TheserodstopswouldthenbeclassifiedfuLLyaspartoftheProtectionSystemforarodwithdrawalaccident.5.l.3MANUALINTERVENTXON!annualactionisreliablebackuptoautomaticprotectionprovidedthatsufficienttimeexistsforoperatorresponse.Thetimerequireddependsnthealarmsavailable,thenatureoftheproblem,andtherequiredaction.igure5.1-6illustratessteadymtatecorelimitsandseveralalarmpointsndtrippoints.Alarmsareintentionallyquiteclosetothedesignoperatingconditions.Otheralarmssuchashighpressurewouldbereachedduringatransient.ThesealarmsaretabulatedonTable5.1-1.~thoughsteamcycleheatremovalmaybethemostLimitingsteadymtateresttrictiononreactorpower,timeisrequiredtoreachcorresponding
~armsandtrippaints.'(Farinstance~itwouldtakeabouttwominutesst110XreactorPowerwithsteamgeneratorsaftyvaLvesblowingbeforeasteamgeneratorLow-lowwaterleveLtripcouldbeexpected.)Forthireason,thisevaluationdidnotincludethesealarmsandtripsFigures5.1-7through5.1-10showtheresultsoftransientanalysifarvariousreactivityinsertionratesatbeginningofcoreLifefrom~fullpower(102X,nominalT+4'F,noa~pressureless30psiavgfromnominaLconditionsat80Xpower.Aconstantreactivityinsertionratewithunlimitedavailablereactivityisassumed.Hmdmeasettingsendinstrumenterrorsareassumedforthereactortrips,andnominaLsetpointsforthealarms.(Note:thehigh4Trodstopsaretakenas3'Fbelowtheirreactortripsratherthantheirnominalsetpoints.)rorareactivityinsertionrateof0.5x.10gk./sec,,(correspondingroughlytomaxfxnunrodspeedataveragerodworth),ahotassemblyDERof1.0isreached,inabout.twominutes.Duringthistime,therearealarmsonhighT,pressurizerpressure,andpressurizerLevel,aswellasrodstopsandalarmsonhighfluxandhigh4T.Also,thesteamsafety.alveswouldbeactuated.MiththemultiplicityofaLarms,i.t.-iseasytodiagnoseams)oroverpower-avertemperatureexcursion.Xtisreasonable<<expectoperatorintervention(manualtrip)duringthistheaForfastterreactivityinsertionrates,reacto<triponhighnuclearfluxisareliableprotectionsystembarrier.Therefore,sincetheavertemperature}11hg4Ttripprotectsforallexcursions,onecouldclassifyitastheprincipalprotectionbarrierwith"backup"fromhighnuclearfluxincon-~un<<ianwithmanualaction.5.1-5 DEITYOFREACTORTRIPSeprotectionsystemdesignbasisfortherodwithdrawalaccidentfororeprotectionrequiredthatonetripfunctionwithredundantchannelspreven<eventaminimumDNBRlessthan1.30.Thisisaccomplishedwiththe<<ertemperatureATtripforslowreactivityexcursions,andthehighnuclearfluxtripforfastexcursions.AsshownbyFigures5.1-7through5.1-10,thesetwotripsmeetthedesignbasis-Theevaluationalsoshowsthatforallcasesofsustainedreactivityinsertionforratesuptofourtimesthemaximkarateexpectedfromrodwithdrawal,anyofthefollowingpreventahotassemblyDNBRlessthan1.0.a)Highnuclearfluxreactortripb)HighATtripl.OverpowerAT2.OvertemperatureATc)Highpressurizerlevelreactortripplushighpressurizerpressurereactortrip.(Notvalidforhighreactivityinsertionrates:,.fromnearfullpower.)Thisdepthofprotectioncannotbeexpectedforallaccidentsorforallplants.5.1-6 TABLE5.1-1ALARMSFORRODWITHDRAWAL~armswhichwouldbeactuatedforaspuriousrodwithdrawalaccident~eeax'rM.lPowerarelistedbelowitheaPPro~teorderiwhichtheyAlarmpointsassumedfortheevaluationarelisted.InitiatingFault*-Mose'failureswhichcancauseaspuriouscontrolrodwithdrawalarealarmedand,ingeneral,automaticmoeianprahibited.Theseinclude-a)NXSfluxrapiddecrease(1/4)(5Xin5seconds)b)Tchanneldeviation(1/4)p5Ffromaverage)avgc)Rod.controlfault-rodmotionwithnodemandZ.SeepCounter-audibleclicksfromstepcounteralertsoperatoreoradmotion.3.NISPWRRANGEOVERPOWERRODSTOP+(1/4)(105X)4.AVGTAVG-TREFDEV(T5'Ffromprogram)avg5.PRESSURIZERHXPRESSURE(2350psia)6.PRESSURIZERRELXEFLXNEHXTEMP(whenpower-operatedreliefvalvesopen)7.REACTOR'OOLHXTAVG(1/4)(5'bovenominalTatfullpower)avg8.PRESSURXZERLEVELDEVIATION(5Xabaveprogr:mamedlevelaefullpower)9.AUTOTURBINERUNBACKOVERPOWERAW(1/4)(3Flesschanhigh4Ttrippaine)AUTOTURBINERUNBACKOVERTEMP4M(1/4)(3FlessthanhighATtrippoint)Ll.SteamGeneratorReliefandSafetyValveActuation-audiblesteamreleaseeoatmosphere12.STEAMGENERATORLEVELSETPOINTDEVIATIONPRESSURIZERSAFETYVALVEOUTLETHXTEMP(2500psia)CHAHM.'LALERT-asreactortrippaintsarereachedforeachchannelCapitalizedwordgroupingsrepresentengxavingonannunciatorpanels.REACTORTRXPSFORRODWITHDRAWALTh<<allowingtx'ippaintswereassumedfortheevaluation:NISPOWERRANGEHIGHRANGE(2/4)(118X)2.OVERPOWER4T(2/4)(118XoffullpawerAT).OVERTEMPERATUREdT(2/4)(variable)4~PRESSURIZERHXPRESSURE(2/3)(2400psia)PRESSURXZERHILEVEL(2/3)(95Xofspan)AlarmandRodStop PAULTTREEfORRODNITHDRANALACCIDENTAUIONATICPROTECTIONHEEDEDINSUFFICIENTTI'lEfORMANUALPROTECTIONNEEDEDEXCESSIVERODNORTHINSERTEDEARLYINCORELIPESUSTAIllEDRODMITHDRAVALHIGHTBQ'ATRODSTOtRICHPOSERATRDDSTOtCONTINUOUSRODllITHDRANALREACTORINNANUALCONIROLAIPIQIATICCONTHOLPAILURE(SEEPICURE5+12)fICURE51~1 wJ4 SfltAOLIt~fISA~~~VII~A441~~IICC480fl4.tf&I(SRSPICURE$.1-1)PAILURECONTINUOUSRODMITHDRAMALCONDIT1OHOREVENTRPS~REACTORPROTECTIONSTSTIHRCS~REACTORCONTROI.SISTIHPROPERC1RCUITIHRCSROD'NITHDRAMALSECIHS1HDlGATEDTISIPERATUREODSPEEDHTROLLER(RCS)RODMITHDRAMALSECIHSALLTVGCHANHE(RtS)OaTHPROPERSETPOINTS(RCS)AHDTURSINKLOADSICHALORtOMERHISHATCHCHAICIFL(RCS)AVGODSTOPRODMITHDRAMALSECINSNISRODDROPRODSTOtAVIRAGETAVGDECREASEINDICATEDtRESSUREDECREASEDECREASEININDlCATEDPLUZORNIS(RPS)QQNHEL(RtS)AY%ETAVGRCSRESSURECHANNEL(RtS)RESSURECHAHHEI.(RCS)FIGURE5.1-2 INSERTEDRODWORTHANDREACTIVIXYREQUIREDTOREACHDNBR~1.0INHOTASSEMBLYVERSUSCORELIFE1.5~~~-ReactivityRequiredToReachHotAssemblyDNBROf1.0(116.5XPower,"T~~589,2250PSZA)FromFuLLPower~~10RegionWhereProtectionIs.Required~IP0.5PPMax.InsertedRodWorth~P'~(BottomofManeuveringBand)-':I0Min.~ertedRodWorth(TopofManeuveringBand)-.020406080100XOFCORELIFEFIGURE5.1-3
1a1.0o.50COMPLETERODWITHDRAWALFROMMAXIMUMFULLPOWERCa/-----MIDDLEOFCORELIFEINITIALRATE~Oa9X106k/SeC.)i~I..I[~.'.".a...p....'.",.'I..0'040.6080100120140TIME,SECONDS160150~la~~140UP120~0~OWfeo1004<<:HIFLUXtRODSTOP.':;:iHIFLUX=.-.~aa~~020406080100120140TIME1SECONDS160a~~ta3jdTmENTS(M.OL)620~aaaaaaa'~~I600tPHIPOWER.HI'PORN'SHITEMP.)HITZMIP.""""'"IHi&"'"'-I-I"""dTROD:dTTRIP:IATROD.":dTTRIP.":I:'::-:.::!!::":I=-i:I.'i:0......',.".'.-..'.~:.:'.....i:-..~jllaa':::a~"'g580560540IN~<<~~(~iLI~1""~=-q--)~..'..."..'"::I.i::T~+:Ii52O2040608O100120140160TIME,SECONDS
.t~C0't-...:--0'I'>>I>>~~TRIPANDSTEADY-STATECORELIMITSANDREACTOR.-.ALABMPOINTS160>>~~If~:t->>~~i---.-ALARMPOINTS--'...RODSTOPI>>>>>>y>>.',:.:..[~>>IJ-.I>>~$~~>>-REACTORTRIP~>>>>~~.I~.>>!WATERLEVELTRIPII'..I-HIPRESSURIZER"-~-.-"-n140~~~+o.~:>>~~p>>I-~~Ii."IIiI~I.'STM.GEN.SAFETYVALVES..lI~~'-:IIPI.-}.I~>>>>>>/>>~('Tl~~>>II~~~/>>120110'>>,!I..pl".I.:.HXFLUX.HIATp,i..:l~I~I.f.::..HIAT~PI~Tl.'I>>I.~.~I..-.3.I"I'-.":l,*>>+100~.:::I,~~~:'I~'I)HIFLUX~>>I~~~~~III~~~,LLNOM'l"II>>l'~rI'NAL'-Itt90~>>>>>>~>>I'Lis>>I>>~>>~~>>>>I~PLOWLIMITI.'~HIPRESSURIZERWATERLEVFL:Ii>~.I.i'HIAX82400PSIA~I~I8070>>~I>>~~~>>GfxAVI'.I.g.II~'II.III>>I7'~-HITEMP.4T-HIPOWERdT540560580INLETTEMPERATURE,'P600FIGURE5.1-6 BEGINNINGOFLIFERODWITHDRAWALFROMl02XPOWERMINIMUMDNBR;I2.502.00.IsfIIsll'eti~essseIe's~~Ill:W)I'ttI~,Iessg~~ertet'I~IeIslee~f~IIIIIlift:efII~I~II~I~LEVIIIIs~Ie~~[,Hliftfitssfe~e's"tellift:net1set.11estIelIsIIsl-Itsstsl"IiII.I'IllstI.'tpgSsuRE~elt'f<<s'st~~e'l$N~HIFLUX~~~'eII.eIIIfit""~Ifl;eIRefstffIfttilees..-,ilIfl'IIIIIeees.~~IIIIIII'setits(MAXRODSPEED,MAXRODWORTH)'-'Hl'LuX:.'-II~~IIIt~IIfetfI)efl'l~ell.50\~I~s<<s'I~'s'I.s.e,lift'llIIII~~IfI<<HITEMP.AT.:-Ie.~..Qtf'~IIteltf~Ieislettet'IJ~I'tl'Itees~~'I',Pt'1st"."Ifljj'l<<n-'HIPOWERdTIIII~fe'HITBPe~~~~H':-'"sstte~es't~tt~ileseeIsit',I's'tl~ss'II'eteswlfftsf~e:HIPOWERATf-,s'T-.I~~III~~,~~~I~I~'llI~tieeI~Is~III~IHIPOWERdT;ttIsttstsl;IIIII!"IIII.i'Is~'"<<ttI'IIItestJssr,1':,Iee'.HIPOWERhT;,~ie~stlIII,;:.-.~HILEVEL',&SIC(.,'ITEMP.AT!III~IIIst~IIII~gtItlettellisteIIsless~el.0050IsttOle'~Iefl'S.G.~f"j:('ORHOTASSEMBLY)i..SAFETY>VALVES'-,el~I~t~~IIIItsiiIIIIIIIteIslint(fIIIIetInesII.,~'IttlI~I~II~'.IfIleIlseeI'iltfssftsI*e'ttsI~e~e~~~fitIesI+etesi~sesteesIsIt'I(CORRESPONDSTODNBRit'.e,SIfIte<<I~IIIIi<<II:"I~',IttlIfttf~~ItlsitseIIgtnII~I<<Is'<<s.In~ss;Ij'IseslfIII<<IIII~~~Iltlfit0.05O.IO0.250.5L.O2.04.0ReactivityInsertionRate,106k/secALARMRODSTOPREACTORTRIP"DESIGN"REACTORTRIPCORELIYiITFIGURE5.l-7s
~eBEGXNNINGOFLIFERODWITHDRAWALFROM102XPOWERTIMEOFEVENTllstrI~1rIssstelillsI'IsoI'tss~tlssIIIIsIleillslesesltI"sII~III~ILI1~~sitssisillsiiIIlsi1111I,sIisetsst250IlsiII:stilIseess200vo11'iesstssiisetst'IstII~,s~~~IseesstIts;ii~IHIle,'ss.'I"soI~IIIIilIts.;Ii~~II~~~TEMP.dT'?.iHILEVEL~'~ssAst'II't~esssssJl1.'l'ssl'Isells'1sssItIseIss.'SOIli~lI;III'~I"I'ItI~ssI~~~IsI'l"Ili:stt?e"s~~~'seII,I~I~sJCI~~~<'ltllslHOsIIsIIIII@isl1II~~dsDNBRHA~1.0~~sI~IIsiless~I1i'ii!i~rrII's1st~iIIssslsr~IslIIsIIIllsIIIIIII.'~Illilr,.II'~~~ALARMRODSTOP,REACTOR.TRXP"DESIGN"REACTORTRXPCORELXMITsI'~IisI'1stllr<osII,,II10050IC'llsitist,HIPRESSUREsill~1s'is.tfII~'illts'elsss"I'I'I',ltsIIIIski'S'II;1stceil;I,~stssllII'Ie~Ii'i'stI.i.IesdTitI>>IsIiI'.ssisst...~II".IIHIPOWER.IIltssI'~e~IIIsistJit1tlsll'IIil'aIssl(MAXRODSPEED,;MAXRODWORTH);,11ss'ItsteII1t'I!1stIsIs'stitst'ssi~~~HXLEVELlg-7:<~ILI11eIis~essIsstlStslI1st4iIJllII*Illsr,qtt\ses~~~~'3DNBRMIN~1.ss'Is's~s.rs't~~~IiI~~~I~sIslisII~IIIli"I~:I~IIs'1I,'It'IIjesIs~ststI'slie,'.'\llsI.s~eli~I1stItssI~tVgis~p'l'sa~IIIIt'lIs+IIstsglssIl.IIs~lIIs~~dTIlltli~~I~I;Is,sets:IiHXTEMPssI~sIIsI~II~~>>IeI~IsssillIII~sl11IIIIIII.0.'050.100.250.51.02.04.0REACTIVITYINSERTIONRATE,10hK/SECFIGURE5.1-8
,wtCBEGINNINGOFLIFERODWITHDRAWALFROM80XPOWERMXNIMUMDNBRs'AVG~sls~I,I~ilesIl~s~~~I~f~IHIFLUX~I.Ii~-,.~,r,<;'r:,HZT':::"I'IiI;IIAVGI~s"(jestQsIIIIs~Isq)AVG,I,~eiIsII<<HILEVEL.g..(PRESSURIZER)sti~HIPOWER'~~tsIIisa'.'S.G.-:-SAFETY:'ALVES-i.'>>-'-'IAgg'I,~~~I;s>>I'isI'"I')HITEMP'~st.I~I,~'~~e~esetsieiiiis'Is's,teI,~I-'-AT:Ils)~I~,~~~Ii'ltesIII~I:~T'IM~~f$:.-';~~~si"I'P~~IIee~Ises~IIIL-rWERhT'XPRESSURE."NNR!!',tGMFI::"'.:liI-I-~HIPoI>>ssII['tt'It'LsI'i'DEVIATIONI>>:fs~~sIIi~II:IIllI~I~Iirpge,sli(i~I~sALARMRODSTOPREACTORTRXP"DESIGN"REACTORs>>>>seeeels>>%TRXP'~~~~i~tlIII~~~~I'IIlls'e~I~.;IsII~e'HXFLGX~III~I.II<<Ii<<lit~CORRESP1.0"IiI~IIsS~.IIIII~issI~i'llilONDSTODNBR>LNHOTASSEMBLYi:e~~~,i'sseIIIItsI~iteIIIllss'sJI'elI~slile',~ei~~~,(MAX.RODSPEED,-.MAX.RODWORTH)~It'tsiIles~~~~iIil~t~I;~Illsi'~II~~s,~~~~~~Isss~I~,seiie~~~sI~iii~III~Islei.e~<<s'Ie~sI0tlssillsse'.III'Iii't'll'll'lel~ilIIIlssO.OSO.1OO.ZSO.S1.O2.04.0REACTIVITYINSERTIONRATE,108K/SECFIGURE5.1-9 W4olBEGINNXNGOFLIFERODWITHDRAWALFROM80/POWERo~TIMEOFEVENTi~~o'tlll-;-I-.':i'-::~G:"-HIPRESSURIZER';,LEVEL~.I~~~IIIIt~-'rrr-I~i~ii~I~I~I"oI'.~I~IIos.tlSAFEZYs-l~vALvEssIo~I~J'IIIQ1,~I,LEVEL~~~I,Ij"-,T',;I3..'.",.'IPRESSURE'vIsoElio.'I~~tsl'II~'AVG;,I;:AT,:LolITJ~gHIPRESSURXZER,.t:itlt!:I',.;IIlllli!ii~~'io~I~~HITEMP4T~o~I41:,~oHXPOWER4TDNBR~1.0'.o~IIILI'.~~io~I:III!4II~I-~JIiIIIII~sill~I~II'~~I~,IlsI~~~o~~~il:~ilt'~,~Ioo~~~IDNBR~1.3'it'I~'t~~'~~(MAX,RODSPEED,,MAX4RODWORTH)~il,is~II:II!IIsItts~oALARMRODSTOPREACTORTRIP"DESEGN"REACTORTREE~~LsslotIllsiil~Its~IIIII~oilIoI~o~.L.l.J::::4ltI~II~~~It~o4~o~jilt!tooio.,';:@goal:"i~I~oj>>!iisIoJ~III:I'ts't.Il'"..Itlt!I~~st~o~~~E'XPRESSo,is>>I~~IIIIIIIStI'~I.iIH%H&iti,'-',:HIFLUX'ot'isJtl~o~~II~IIIII~II~I~I:tl~~II~~o!It~~"ilii~o~I~'~il>>io~~~I~~~itissl100TAVC50olo~oo~I'!to'lliIIDoi":iri.~II'~~o~III~4I~'~II~IIIII*I~I~ooIo~I~~~~IIIlo~~II4I~o~II~~tI~~~I~'iti,~!ilI~I~o-::".:++I~.-..'i'il~o~I~~~~o~iis4si~!~lI~I~I~Ii~oL~I~~~!iot~~I~~I~s~!I~tillIllIIQ~Il'~'iot!4III~~;IsoI~I~IIiItI~II~IHIPOWER4T~-:.';HITEMP4TIo~IIt~II~JA.IIilotgiiIt/lt!.~it'ilio~Io~~io,is.,'Ioi't~tl~'~si~~sot!IlossI~SS"~'II:I:~-."I0.050.100.250.51.02.04.0ReactivityInsertionRate,106k/secFIGURE5.1-10 LPSSOpFEEDWATER>ringpoweroperation,lossoffeedwatertothesteamgeneratorsisofpotentialconcernbecauseitaffectstheabilityofthesteamgeneratorstormovedecayheataftertripTheprotectionforthiaccidentconsistsofreactortripandanauxiliaryfeedwatersystem.ThisevaluationdescribestheControlandProtectionSysteminstrumentationprovidedonatypicalWestinghousePWRPlanttodirectlymonitororcontrolsteamgenitorwaterlevel.Lossoffeedwateraccidentswithoutcreditforthisinstrumentationareevaluated.TypicalWestinghousedesignrequirementsfortheauxiliaryfeedwatersystemareincluded.Atypical1456MWttwo-loopplantwasselectedforthetransientanalysis.Alossoffeedwateraccidenttoonesteamgeneratorismostsevereonatwo-loopplant.Foracompletelossoffeedwater,thetransientperloop,isdependentonthenormalizedkineticparameters;e.g.,power(sotheresultsshownherearerepresentativeforallplantscurrentlyunderdesign.Znallcases,diverseautomaticreactortripsinsureaplanttripbeforeanycoredamageorsystemoverpressureoccurs.Manualactuationoftheauxiliaryfeedwatersystemisconsideredanadequatebackuptotheautomaticactuation.Thereissufficienttime(24minutes)andalarmstotakecreditformanualactuation.<nteractionsofsteamgeneratorlevelcontrolandprotectionresultingC~romrandomfailuremodesarepresentedinSection4.2.5.Alarmsactuated5.2-1 oracompletelossoffeedwateraccidentarepresentedinTable5.2-1'C-.suittreesforlossoffeedwateraccidentsarepresentedinFiguresC-2l,5.2-2,and5.2-3.LOSSOFFEEDQATER-TRANSIENTANALYSISSeveralrepresentativetransientcasesareevaluatedforlossoffeedwateraccidents.Figure5.2-4showsthetransientresultingfromcompletelossofthesteamflowcontrolsignal.Asshownbythefigure,theLevelControlSystemrestoreswaterlevelsuchthatonlyatemporarydecreasein~sterleveloccurs.Thereisnoapproachtounsafeconditionsortoanyreactortripsetpoint.Figures5.2-'5and5.2-6illustrateatypicalcompletelossoffeedwater"oonesteamgenerator'ofatwo-loopplant.Nocreditwastakenforreactortripsderivedfromthesteamgenerator.Thelossofsubcooledfeedwaterisreflectedtothereactorasasmalldecreaseintherma1Iload,causingtheincreaseinpressureandtemperatureshowninthe-irstminute.(Thereactorwasassumedtobeinmanualcontrolwith<<manualcorrection.)Oneminuteafterthe.lossoffeedwater,thesteamgeneratortubesbegintouncover,causingarapid.pressureandtemperatureincrease.Ifamchnumpressurecontrolcapacity(poweroperatedreliefvalves)isavailable,thepressureriseislimitedandahighpressurereactortripdoesnotresult.Areactortriponhighpressurizereloccursappro~telytwominutesafterthelossoffeedwater.5.2-2 lr>
zinventoryinthesecondsteamgeneratorissufficienttobringWaterplanttonormalno>>loadconditions.ThereisnooverpressureoxthepanofwaterfromtheReactozCoolantSystem.lossofigures,5.2-7and5.2-8illustrateaworstcasecompletelossoffeed>>watertoallsteamgeneratorswithnotripfromsteamgeneratoxinstxu>>~tation.Aconservativeevaluationisdoneforahigh-powerdensi.typanlanttypicalofcurrentPWRdesigng.456MWt2>>loop).NocreditistakenforchargingsystemsorforenergyabsorptionbymetalintheReactorCoolantSystem.Theresultsareconsideredtobeextremevaluesratherthanrealisticconditionsforanactualplant.Thereactortripsonhighpressurizerpressureaboutoneminuteafterthelossoffeed.StoredheatinthecorecontinuestoheatthereactorcoolantandthepressurizerM.lsinaboutthreeminutes.SteamdumpvaluesopenfuU.yunderTavgcontrolandreducesteamlinelIpressure.Afterabouttenminutes,theReactorCoolantSystembeginstoboy.,aa"h<<htimethex'eactorcoolantpumpsareassumedtoceaseaddingenergytothecoolant.Boilingcausesarapidincreaseinthevolumetricsurgerate,andsystempressurerisesuntilthevolumetricexpansionisbalancedbysafetyvaluecapacityforwaterzelief.(Nocreditwastaken"orthepower-operatedreliefvaluesinthisanalysis.)teŽgeneratedinthecoreisassumedtofilltheupperreactorvessel,esteamgenerators,andhalfofthecoolantpipingbefoxeescapingtoepx'essurizer.Duringthisfourminuteperiod,mostofthereactor5.2-3 e
olantfluid'islostaswaterdischargethroughthepressurizer>+styvalve.Assteamisdischargethroughthepressurizer,premeasuredecreasestothesetpressureforthesafetyvalves.Afteranadditionaltenminutesofboiling,(24minutesafterthelossoffeedwater),thetopofthecoreisnearlyuncovered.XtwasassumedthattheAuxiliaryFeedwaterSystemwasmanuallyactuatedatthistime(pushbuttonsonthecontrolboard)and200gpmauxiliaryfeedwaterpersteamgeneratorbeganimmediately.Qithintwominutesofstartingauxiliaryfeedwater,thesteamgeneratorheatremovalexceedsdecayheatandreactorcoolant~emperatureandpressurerapidlydecrease.5.2.2TYPICALSYSTEM1ESIPilREQVIEEMENTSAuxiliarvFeedwaterSystemTopreventreleaseofreactorcoolantthroughpressurizersafetyvalvesiandtoprotectthecore,asupplyofhighpressurefeedwatermustbeprovidedfortheremovalofresidualheatfromthecorebyheatexchangeinthesteamgeneratorswhenthemainfeedwaterpumpsceasetooperateonblackoutorbecauseoffaultconditions.'yp<<alcriteriaforactuationofauxiliaryfeedwaterispresentediniable52-2afetyzequi.rementistoincludetwoseparateauxiliaryfeedwateryternatoensurereliabilityofsupply.Ones'ystemutilixasasteamturbinedrivenauxfLiazyfeedwaterpump,aeurbinebeingconnectedsuchthatsteamcanbesuppliedfromsome5.2-4 t,
~ofthesteamgenerators.Theflowrate,usuallyabout200gpmnrsteamgenerator,is,sufficienttomaintainamilkmandepthofwater>rstethesteamgenerators.ochersystemutilizestwo(2)reserveauxiliaryfeedwaterpumps,a~ofabouthalfthecapacityofthesteamdriven.pump.HowratesufficienctoensurecoolingofthesystemandtoPreventwaterdischargecromReactor'oolantSystemxeliefvalves.Thereserveauxiliaryfeed-vacexpumpsnormallyaredrivenbyprimemoversusing'sourceofenergyotherthansteamfromsteamgenerators.Theheadgeneratedbythefeedwaterpumpsistobesufficienttoensurethatfeedwatercanbepumpedintothesteamgeneracorwhensafety'valvesaredischarging.Pumpsaxecapableofstartinganddeliveringfeedwatervithintwo(2)minutesoftheblackoutorfaultconditionsrequiringpuupactuation.>ietypicaldesignbasisforsizingauxiliaryfeedwaterpumpsisgivenbyTable5.2-3.Sourcesofwaterforauxiliaryandreserveauxiliaryfeedwaterpumpsareduplicatedorifconvenient,triplicated.Ordinarily,wageris'}rawnfromacondensatestoragetankcontainingwaterofnormalpurity,'<<maybedrawnthroughemergencyconnectionsfromothersourcessuch~citywater,wellwater,fix~+inwater,servicewater,etc.,toobtainasupplyundersufficientpressuretosatisfyauxiliaryfeed>>"-pumpsuctionrequirementsunderemergencyconditions.5.2-5
(
fromtheauxiliarypumpsisdeliveredtothesteamgenerators~pterpipelinesseparatefromthemainfeedpipelines.Pipelinesarepapespacedtoassurethatasinglefaultdoesnotpreventfeedwater~~Jvspa~ewholeoftheauxiliaryfeedwatersystem(watersupply,piping,dieselgenerators,etc.)mustbe"ClassI"seismicdesignstandard.+pggp+I~SteamandFeedwaterPiin<iailureofanymainsteamorfeedwaterlineormalfunctionofavalve~tel].edthe"einoranyconsequentialdamagemustnotreduceflowcapabilityif>eauxiliary(emergency)feedwatersystem,renderinoperableany~eeredsafeguardservice(i.e.,controls,electriccables,containmentaeM4gpiping,etc.),initiatealoss-of-coolantaccident,causefailureifanyothersteamorfeedwaterline,resultinthecontainmentpressureexceedingthedesignvalueorimpairitsimpermeabilityandintegrity.I>steamandfeedwaterlinestogetherwiththeirsupportsandstructures~<<eneachsteamgeneratorandtheirassociatedisolationvalvesareto-"'"Classl"seismicdesignstandard.*eoeexpression"ClassI"usedinthiscontextisdefinedinsignofNuclearPowerReactorsagainstEarthquakes"inadocument~titled"BehaviourofStructuresDuringEarthquakes"AppendixA,byHousner,professorofCivilEngineering',CaliforniaInstituteof,~""oology.Pasadena,California.PublishedbyAmericanSocietyof"-+1Engineers-EngineeringMechanicsDivision.(October1959EM4)5.2-6
TABLE5.2-1~SACTUATEDFORACO%'LETELOSSOFFEEDWATERACCIDENTCauseoffault(ingeneral,anyconditioncausingacompletelossoffeedwatercausesanalarm)2.Lowfeedwaterflow(partialreactortrip,twochannelspersteamgenerator)Steamgeneratorleveldeviation(onepersteamgenerator)Lowsteamgeneratorlevel(partialreactortrip,incoincidencewith2.above,twochannelspersteamgenerator)a5.Low-lowsteamgeneratorlevel(reactortrip,thr'eechannelspersteamgenerator)6.Automaticcontrolrodmotion7.Tdeviationavg8.HighT(3or4channels)avg9.PressurizerleveldeviationLO.Highpressurizerpressure(twochannels)11.PressurizerrelieflinehightemperaturelHighpressurizerpressurereactortripNote:Itisassumedthatthe-turbineandreactoraretrippedonhighpressurizerpressure.Pressurizersafetyvalveoutlethightemperature~4'ighpressurizerlevelreactortripLowsteamlinepressure(notonallplants)~6~Pressurizerrelieftankliquidhightemperature~7'ressurizerrelieftankhighpressure~8'ressurizerrelieftankhighlevel19.~Highcontainmentpressure(safetyinjectionactuation,ataboutlO~ofdesignpressure)10Lowpressurizerlevel(partialsafetyin)ectionactuation)
TABLE5.2-2TYPICALCRITERIAFORAUXILIARYFEEDVATERACTUATIONMotor"QxivenPsLow-lowlevelinanysteamgeneratorstartsbothpumps.actionrequiresthesamebistablesandrelaylogicasusedforthereactortrfp.(2/3circuitryforanysteamgenerator).b)Openingofbothfeedwaterpumpcircuitbreakersstaxtsbothpumps(1/1+1/1logic).c)Safetyinjectionsequenced)Manual.Turbine-DrivenPa)Low-lowlevelintwosteamgenerators.(SamecircuitryasI.A.above)b)Lossofvoltageonboth4KVbuses(1/1+1/1logic)c)Manual.3.GeneralCriteriaa)Allthreepumpsaretohaveindependentstartingcircuitssuchthatnosinglefailurepreventsmirethanonepumpfromstarting.b)Instxmentationandlogiccircuitsforlaand2amustmeetthesingle-failurecxiterionfoxactuationandbecapableoftestingatpo~er.Compatibilitywithreactortripcircuittestingisalsorequired.c)Spuriousactuationduetounusualfailuresistolerable,butroutinetestingofreactortripcircuitsshouldnotcausespuriousstarts.
4000HZPRESS/ALARM:-":.'-.='::.-,'tL.'-':4:-:1::!!t:::il::-::rWI'.='=Qptftt!ti.!r.'L"COMPLETERODWITHDRAWALFROMMAX.HJLLPOWERBBCINNZNCURE-----MIDDLEOFOFCORELIFECORELIFE020406080TIMENSECONDS1001201401608004&NNaWi50HILEVEL406080IflP~&l~a100120140160TIMENSECONDS2.01.51.00.5'Wa.IBt~IVPfPt.-DNBRMIN.:~1.30tll')"HOTQQLNNEL:1-WOOI~NC1BBBMILY-N~020'0608010012014010TIME,SECONDS TABLE5.2>>2d)Instrumentationandlogicforlband2bshouldbeconsideredasoperationalsignalsforeconomic(notpublicsafety)protec-tion,(SimQ.artoreactortriponreactorcoolantpumpcircuitbreakeropening).e)AsEngineeredSafeguardscomponents,theactuationcircuitryforauxiliaryfeedvateractuationshallmeetallappU.cableIEEEDesignCriteria.
e'TABLE5.2-3CALDESIGNBASISFORSIZINGAUXILLQEFEEDWATER'PUMPS~~DRIVENPUMPSI~steam~rivenpumpcapacityisadequatetomaintainatleastlpfeetofwaterinallsteamgeneratorsintheeventoflossofstationpowerfromnormalfullpoweroperation.Nocreditis~owedformotor-drivenpumpcapacity.~OR-DRIVENPUMPS'IEachmoto~venpump,byitself,.is'adequatetopreventwaterrelieffromthepressurizerreliefvalvesunderthefollowingassumptions.a)Planttripoccursfrommaachnunsteadymtatepowerandtemperature.conditions.b)Allsteamgeneratorsareattheirlowlowleve1trippointsatthetimeoftrip.c)Nocreditistakenforanyadditionalsourcesoffeedwateraftertrip(stationblackoutassumed.)d)Atleasthalf,butnotallofthesteamgeneratorsaresupplied.withamcLliaryfeedwater.e)NaturalcirculationexistsintheReactorCoolantSystem.0NocreditistakenforchargingorletdownfromtheReactorCoolantSystem.g)Applicablestartingdelaysandfeedwaterpipepurgingtimesareused.
FAULTTRttFORIDSSOl'IB+STIRF(DM'.m~I'l~OCORESECIHSToUNCOVERINSUffoSIolgURCINCCAT.ANAHUALAof0ll0$oTIKE(iloNIH.)NANUALA,F,M,S,TINE(oloNIN.)RCSHEATSOHDECATHEATMOoAUTO,A.F.M.S.ALLSoCo'SDtfSTATION(SttFICURRSotIRoToONH'loFREEOIllttSoCo'$Q(FTTbCSHFATSSoCTURESRECINToUNCOVERHOTElHI.FREES.R.T.NATbtHECSSSARTTO=FREVBITSTSTtÃOVERTRESSUREIOIOIXIOLIOII.OIO.IIOIIOOI.IIIOIIMIOI.OIO.IOIOOOOOOLOMSoCoLEVELNANUALREACTORANDIRIF-~MSINoNISIPSLUMLOSSOrLEVELRAPIDlOSSOFLEVtLLOSSOFSoCoLEVELREACIORATFMRoMITHIHSUFF.F.MORAbbbtVIATIOHSRCS~REACIORCOOLANfSTSTENRTREACIORIRIFS.ISAftffIlQECTIONFoMoftEDMATERAofoMoSoAUIILIARTFoMoSTARTSooo~STEANCENtRATORNJ4NOIORDRIVENNECRANICALFAULTAUTO.C(NIROLFAULTELECTRICALfAULTLOSSOfFELID(SttFICURRSotI)
pan.TTacepoarossoppcaeATcanuuSERFlcuacS.I-IAUTQtATICCONTROFAULTELECTRICALfhULTLOSSOff.M.SUCTION2/>Hl.LEVELCLOSESF.M.VLVIHCOHPLETES.leSIGQ-H$R.T.IRQQIHIHGF.MoMHAN~f.M.VALVECLOSEEICONTROLfAULTILOOPLOSSOfCOOIAHFFLOVRE-REACTORATBILLPOllERS.CEN.LEVELCONTROLLERfAULORRFACIORATRE-DUCIDFOlXRTNFROFERcxTeINCONTROLLERIPLPIPL.O.F.M.-(ELEC.FAULT)4EV.RUSFAILUREONESUSLOSSOFCOH-OENSATEtUHPSORI~lieSSOFHTR.DRABfLBPLO.SIN.fLOMRlfEEDBOllCTOHTOHHILEVELINDICA-TION(R,t.S.)AILUREOFCOH-EHSATERYPASSAbbaEVIATIONSfAILURECONDITIONR.T.-REACTORTaitS.l.-,SAfETTIHIECTIONR.t.S.-REACTORPROTECTIONSTSTEHf.M.-FEEDMATERAaf.M.S.-AUXILIARYf.M.STARTfIGURE5.2-2,
~~FAULTTREEPORLOSSOFPEEDWATERPLOWSEEFIGURE5.2-1STATIONBLACKOUTWITHLOSSOFPEEDSTM.GEN.LO-LOLEVELA.F.W.S.LOSSOPLEVELINSTM.GEN.F.WPUMPBKR.MOTORA.F.WS4KVUNDERVOLTSTEAMA.F.WS.(LOSSOPREACTORCOOLANTFMWREQUIRES2963)IATEREACTORTRIP)COMPLETELOSSOF4RVSYMBOLSABBREVIATIONSF.W.-PEEDWATERA..P.W.S.-AUXILIARYP.W.STAR]FIGURE5.2-3 ltFF LEVELRESPONSETOLOSSOFSTER%ANSIGNALPROP+INTEGRALK+-11SPROP+INTEGRALK+-12TSPHEOMATICPOSITIONERPOSITIONW8QfQNORMALIZEDSTEhKFLOQ8QfNOHHAIZZEDPEEDWATERPLOW-1K<<1feT-200sec1K~10T~200sec22l~~-"FEED%TERVALVE~POLLYOPEN~~~]~~~~4~-~~~--I-I~~1010202030~,SECONDS3040405050'060~~~~~~~~I'~~W~~~~~I.~~oFZGaaE5.2-4 LOSSOFFEEDQATERTOONESTEAMGENERATORATT~ONESECONDTYPXCALTWO-LOOPPLANT260022001800~W~It=LL:~t1400~~800600400~t~~~PRESSURIZER.LEVELHEACTORTRXP-'~t200'25,,dao~~50,0025,Oej~~4~~~~4080120160200MME,SECONDSFIGURE5.2-5 LOSSOFFEEDWATERTOONESTEhHGENERATORATT~ONESECOND"640:".I:~lI~E~~~IA.~I~'I620"..:.:-:.-.~~~-:600~~~~~E"'3'-'-=580~~:~~500540.L--..:4.P'::ll=.S'5001.0.8-COEE~-POWER'-:=..~.6i-.:)"ŽTOTALGEN.~204080120160200~,SECONDSFIGURE52-6 l~
'te'e00F0050003.02e52.0200100ga00Q2IPLETELOSSOFPEEDWATER<<~~I~~I~~~~Ieeei!i~:..i'.I~~I~II~I>>~e~~~'I~~5001000TIMESECONDS1500I~Ir~~I,t':I~~~('I~I::::J<<i~~I.<<nI..~::~(r'i:..('I~.I~'I'~~I~e~e~I.~eI~eI~I.eI'00TIMESECOR)S5001500STEhMPLOW'TOPRESSURIZER~II(iWhTERBKZEFjIe(*'STEhMRELIEFIHSBOILIHG.COHDENSATZOS~HZPRESSTRZP-'KCEIESBOILS~:...II....j;-.-:i:<<;';;,II-:;:-'-'I'<<'U-~e0'0001500~~:~II:4J<<~::.i.-.~~10.:::.."::LIIIIt~~:-BOTLTHGf~WhTERR1KXEF::.-.;hei~.:.'"::.:.ll'.Ig~i'.I:.III."Ie.I~.~iII(:-:~~,"".,:hIEZLZhRTPEH"'HsSRSi:II.':j~e10005001500TIMEAFZERLOSSOFPEED,SECONDSPIGUBE527 CQHFLEZELOSSOFPEEDWATEK~+o600)$5005001000-1500TZHE,SECONDS10QOla8QQ6QQ.'0gQQQ0500100015002000TIME,SECONDS AUXILIARYFEHNATERSYSTEMSCHEMATIC2LOOPPLANTMotorOperatedValveMPneumatica11yLO.LockedOpenOperatedValveManualValve(normallyopen)I,~MOTOROPERAL~CHECKVALVESTOPCHECKVALVECondensateStorageTankManualValve(normallyclosed)~PromAlternateWaterSupply(CLASSI)CLASSIXiCLASSIL0.LOL.O.MotorDriveTurbinefDriveMotorDrivePromMainPeedwaterSystemSGB-"romMainPeedwaterSystemFIGURE5.29 4*
OSSOFCOOT~i-~OWANALYSISLOINTRODUCTIOÃ~SDSUMMARYc~3~Ithereactoris~thepowerrangeofoperation,lossofcoolantfloweatentepotentialconce-n.Withoutsufficientflow,DNBandcladfailure~dquicklyoccur.estinghousePWR's,constant-speedpumpssupplycoolantflow.Plowisegulatedorotherwisevaried.High-inertiaflywheelsaremountedoneach.sothatflowdec=easesovex'periodoftime(typically12secondstofflow)followingalossofpowertothepumpmotor.Thisflowcoast-ioMnallowsforProtectionSystemtMedelaysandremova1ofstoredheatinxbefueL.Subsequentdecayheatisremovedbynaturalcirculation.Diverse,redundantprotectioncircuitsareprovidedtoprotectagainstallpossiblelossofflowaccidents.Theseprotectioncircuitsaxeevaluatedthisreportformultilooplossofflow,singlelooplossof;flow,and~otheticalpumoseizure.AlthoughdesignLimitsmightbeexceeded,theonsequencesarefoundtobetolerableinallcasesevenifanyoneprotectioncircuitfailedtoperormitsfunction.-3.ZPROTECTIONSYSTRfDESCRIPTIONerousreactortrf.pcircuitsprovidecoreprotectionforaLossofflow~c-"ident.Thesetripsare:reactor'oolantflow,ReactorcoolantpumpbusLowvoltage,ReactorcoolantpumpbusLowfrequency,Reactorcoolantpumpbx'eskerposition,OverpowerDelta-T.5.3-L
perceptfortheoverpowerDelta-Ttrip,alltripsareblockedbelow10Xpower.LowReactorCoolantFlowThreeredundantflowchannelsareprovidedforeachloop.Athighpower,lossofflowinanyloop,assensedbytwoofthethreechannels,actuatesareactortrip.Thesetpointforthistripistypicallyat90Xofnormalindicatedflow.Atlowerpower(typically50X,65X,and75Xfor2,3,and4-loopplantsrespectively)lossofflowinanytwoloopsactuatestrip.Thesameflowsetpointand2/3logicisusedasforthesinglelooplowflowtrip.ReactorCoolantPumpLowVoltaeInordertoinsurethattotallossofpumppowerdoesnotviolatethecoredesignlimits,areactortripisactuatedbylowvoltageonthy,reactorIcoolantpumpbuses.Thedesignrequirementistomeetthesingle-failurecriterionforcompleteloss'ofpumppower.Thetriplogicisgenerallysuchthatlossofpoweronanytwobusescausesareactortrip.Typicalsetpointsforthistripareintherangeof60Xto80X~ofnormalvoltage.ReactorCoolantPunmLowFreuencThereactorcoolantpumpsareprovidedwithflywheelstoincreasetheirrotatinginertia.Thisprovidesforcedcirculationforsomeperiodoftimeafteralossofpower.Itisconceivablethatarapidsystemfre-quencydecreasewouldslowthepumpsdownfasterthanforalossofpower.5.3-2
Therefore,anundhrfzequencyreactortirpisprovided.Thetriplogicisidenticaltothatusedfoxtheundexvoltagereactoxtrip.Inadditiontotrippingthereactor,underfxequencyalsotripsopenthereactorcoolantPumpcircuitbreakerstomaintaineffectiveflywheelinertia.Typicalsetpointsforthistxipareintherangeof56-58cps.pCircuitBreakerPositionAreactortripdezivedfromauxiliarycontactsonthereactorcoolantpumpcircuitbreakeraffordsadditionalsafetymazginforthemostLikelycausesoflossofflow.Triplogicissheartothatusedfoxthelowflow'rip;i.e.,openingofanybreaker,asindicatedbyapositioncontact,actuatesazeactortripathighpower,andopeningofanytwobreakersatreducedpoweractuatesatrip.OveowerDelta>>TReactorTriThistripcircuitisdesignedtoprotectthecoreagainstoverpowertransients.However,sinceDelta>>Tincreasesasflowdecreases,italsoprovidesbackupprotectionforlossofflowaccidents.Onatwo-loopplant,twoDelta-Tchannelsperlooparepxovided;onechannelperloopUprovidedonthx'ee-andfour-loopplants.ForaLLplants,tripoftwochannelstripsthereactor.Duringsteady-stateoperation,thetripset-PointforthesechannelsisintherangeofllOXto120XofthenormalDelta-Tindicatedatfullpower.Thissetpointisautomaticallyreduced<<rincreasingtemperature(x'ateofchangeofT)tocompensateforpipingavgdelays.(However,thesetpointisnotincreasedfordecreasingT.)Sinceavgalsoincreasesfollowingalossofflowaccident,theDelta-Tset-avg5.3-3 4@i'4.a*A'4" poointdecreasesat.thesametimeasDelta-Tincreases.Thissignificantlydecreasesthetripdelaytime.ggarlacks~ceptfortheoverpowerDelta-Treactortrip,thelossofflowprotectiontripsareblockedatlowpower.Thisinterlockisinitselfredundantanddiverse,inthatthetripsignalispassed.ifeither2/4nuclearchannelsindicateabove10Xorif2/2turbineloadsignalsindicateabove10X.Singlelooplossofflowtripsfromlowflowandcircuitbreakerpositionareblockedatreducedpower.(Thetripispassedif2/4nuclearchannelsindicateaboveapreset,power.)Sincethesetwotripsshareacommon,nonMiverseinterlock,theyshouldnotbeconsideredas.completelydiverseprotectionfunctions.5.3.3MULTILOOPLOSSOFFLOWIAfaulttreeforamulti-looplossofflowaccidentisshown,onFigure5.3-1.Onlyelectricalfaultscancauseallpumpstofailsimultaneously,andtheundervoltageandunderfrequencyreactortripsprovidedirectprotectionagainstthesefaults.Thelowflowreactortripcircuitsprovidebackupprotectionforthisaccident,andtheydonotnecessarilyinsureaminimumDNBratiogreaterthan1.30.Figure5.3-4illustratesthetransientresultingfromacompletelossofflowaccidentrepresentativeofhighpowerdensityplantscurrentlyunderdesign.Thesolidlinesrepresentthedesigncase,withreactortriponundervoltage.Thedashedlinesillustratethecalculatedtransientifthisreactortripisneglected.5.3-4 alculationsaredonebystandarddesignmethods,withtheusual~esecactionsforsafetyanalysis;e.g.,themostadversesteady-statesssump<<operaratingconditionsatthetimeoftrip.accidentisrelativelyrapid,withaDNBratioof1.3in..thehot~eaccchannelreachedinabouttwoseconds.Itisnotappropriate,therefore,gpassumssumeanymanualcorrectiveaction.Also,theminimumDNBratioisreachedatthetimethehotspotheatfluxbeginstodecrease.Thereislittletransientovershootexceptforreactortriptimedelays.Theundervoltagetripiithedesignprotectionforthisaccident,anditmeetstherequirementthat,theminimumDNBratiodoesnotfallbelow1.30.Lessrestrictiverequirementswouldbeimposedonabackuptrip.AminimumallowableDNBratioof1.0inthehotassembly,couldbeselectedonthebasisthatthiswouldinsurethatcoredamage,ifitoccurredat,all,wouldbelimitedtoaverysmallfractionofthecoze.(Thepeakingfactorsinthehotassemblyareessentiallythoseinthehotchannelgthoutal1owanceforengineeringsubfactors.)Alternately,ahot-spotcladmeltinglimitcouldbeimposedforthisaccidentonthebackupprotection.Witheitherrequirement,ProtectionSystemdiversityexLsts.Thelowflowreactortrippointisreachedat1.8seconds,assayinga3Zerrorinthesetpoint(trippointat87Xflow).AlthoughthehotchannelminimumDNBratioissomewhatbelow1.3,thehotassemblyminimumDNBratioisstillwellabove1.0.IfDNBshouldoccuratthe>>tspot,thetransitionboilingcorrelation'ndicatesthatpeakcladtemperaturewouldbeintheneighborhoodof1000'F,andnocladdamageisexpected.(Seeresultsforsingle1ooplossofflow.)5.3-5 NeDeta-eDlta-Ttransientiscalculatedforthiscase.Becauseofpiping~dinstrumetrumentdelaysatripsignalwouldnotbegenerateduntilaboutgeconndsafterthelossofflow.Theeffectofratecompensationonistoreducethetripsetpoint.Evenwiththislongertripdelay,avediepeaakcladtemperatureisnotexpectedtoexceed1500'F,we11below<hemeltingpoint.Therefore,threelevelsofprotectionexistfora~nltilooplossofflowaccident..5.3,4SINGLELOOPLOSSOFFLOEAEaulttreeforasinglelooplossofflowaccidentisshownonFigure5.3-2.Votethatlossofpowertoonebusistheonlycrediblewaythisaccidentcanoccurwithoutanimmediatetripfromthepumpcircuitbreaker.{Anopencircuitinthepumpmotorisahighlyunlikelyfault,andisshownrEorthesakeofcompleteness.)Thecircuitbreakertripisthereforeclassedasabackup,oranticipatory,trip.IFigure5.3-5illustratesthetransientresultingfromasingle-looplossotflowaccidentinahigh-powerdensity,two-loopplant.Thetransienthislesssevereinathreeorfour-loopplant.Thelow-flowreactortripisthedesignprotectionforthisaccident,<nditmeetsthedesignrequirementofminimumhotchannelDNBratiouolessthan1.30.Iftheaccidentiscausedbylossofbusvoltage,andnocreditistakenEorthelowflowreactortrip,thehotchannelDNBratiowouldbelessthan1.3.However,areactortriponhighDelta-Twouldterminatethe5.3-6 iccidentbefore18Boccursinasignificantpercentageofthecore.pssumIsagthatthehotspotgoesintoDNBatthetimethehotspotDNBrato+tjoisL.30,andassigningaconservativeadditionalinstrumentdelayofp9sectotheDelta-Ttrip,apeakhotspotcladtemperature(ontheinnercladsurface)ofappro~tely1300'Fiscalculatedusingatransitionboilingcorrelation.OnlytheDelta-TtransientfortheactiveloopisshownonFigure5.3-5.SForthedeadloop,Delta-Tincreasessomewhatmorerapidly.Onatwo-loopplant,twoDelta-Tchannelsexistoneachloop,soareactortripisexpectedearlierthanisshown.Iasummary:Forasinglelooplossofflowaccident,ProtectionSystemddversdtydoesseder.Atleasttso,andgenerallythree,dndspendentlevelsofprotectionexist.5.3.5LOCKEDROTORACCIDENTThehypothetical'caseofaninstantaneouspumpseizure.hasbeen'evaluated<odeterminewhetherdiversityexists.ThefaulttreeisshownonFigure5.3-3.Ifthisaccidentoccurswhenthereactorisathighpower,thecoredesignlimitsareexceededindependentofanyprotectiveaction.Thedesignrequirementforthisaccidentistopreventanyconsequentialfailureof<heReactorCoolantSystem.Failurecouldbecausedbyhighsystempressure.Also,systemscalculationscannotbedonewithconfidenceifgrosscoredamageoccurs.Forthisreason,coreconditionsareevaluated.5.3-7 Thetransientforahypothetica1lockedrotoraccidentisshownonFigure5.3-6..FlowthroughtheReactorCoolantSystemisrapidlyreduced,Leadingtoareactortriponalow-flowsignal.Followingthetrip,heatstoredinthefuelrodscontinuestopassintothecorecoolant,causingthecoolanttoexpand.Atthesametime,heattransfertotheshellsidepfthesteamgeneratorisreduced,firstbecausethereducedflowresuLtsinadecreasedtubesidefilmcoefficientandthenbecausethereactorcoolant,inthetubescoolsdownwhiletheshellsidetemperatureincreases(turbinesteamflowisreducedtozerouponplanttrip).Therapidexpansionofthecoolantinthereactorcore,combinedwiththereducedheattransferinthesteamgenerator,causesaninsurgeintothepressurizerandapressureincreasethroughouttheReactorCoolantSystem.Theinsurgeintothepressurizercompressesthesteamvolume,actuatestheautomaticSpraySystem,opensthepower~peratedreliefvalves,andopensthepressurizersafetyvaLves,inthatsequence.Thetwopower-'operatedreliefvalvesaredesignedforreLiableoperationandwouldbeexpectedtofunctionproperlyduringtheaccident.However,forconservatism,theirpressure-reducingeffectisnotincludedintheanalysis.Withnoprotection,apeakreactorcoolantpressureofapproximately3050psiawouldbereachedabout.3.5secondsafterthepumpseizes.Afterthistime,fluid,mixingandincreasedheattransferintheactivesteamgeneratortendtoreducethepressurizersurgerate,andthepressurizersafetyvalvesreducepressure.(Duringthepeak,thepressurizersurgeratemayslightlyexceedthepressurizersafetyvalvecapacity,butpressurizerpressuredoesnotsignificantlyexceedthesafetyvalveset5.3-8 lusaU.owanceforaccumulation.)Althoughthenormalcode-allowable><assurepUspressureoof2750psiaisexceededfozthisaccident,thepeakpressureisbelowteuheultimatestrengthofallmembersoftheReactorCooLantSystembyanapproxaximatefactoroftwo.Therefore,theReactorCoolantSystemwouldz'egajnintactoInthecore,cladmeltingatthe.hotspotinnercladsurfacebeginsat.24seconds.Afterthistime,systemcalculationsareuncertain.Thereactortripset.pointfortheredundantlowflowinstrumentationontheaffectedloopisreachedwithin0.1seconds.AssumingDNBat0.1seconds,and.aconservativetripdelay(2secondsbefozethenuclearfluxisreducedto80X),thepeakcladtemperatureisapproximately1%0'Pandisreachedat4.5seconds.Othercalculatedresultsforthiscasearepeaksystempressureof2800psiaandlessthan20Kofthefuel.rodswithakcalculatedDNBratioof1.0orless.Neglectingthistrip,ahighpressurizerpressuretrippointwouldbeCreachedatabout1.5seconds,'ndahighDelta<<Ttrip(fromtheactiveloop)wouldbereachedatabout4.5seconds.Thepeakcladtemperatureforthesecaseswouldbe1750and1950forthehighpressureandhighDelta>>Ttripsrespectively.Sincethesevaluesarewellbelowthemeltingpoint,nogrosscLadfailureisexpected.Insummary:Forthehypotheticallockedrotoraccident,coredesignLimitsmaybeexceeded.However,threeindependent,diverselevelsofprotectionexist,anyofwhichwouldinsurethattheReactorCoolantSystemboundaryisnotviolated.5.3-9 FAULTTREEFORMULTZLOOPLOSSOFFLOWPROBABLEGROSSCOREDAMAGESLSHI4TR.T.CONDXTIOPOSSIBLECOREDAMAGEFAXL'ORELOWPLOWR.T.L.O;F.-LOSSOFFLOWR.T.-REACTORTRIPR.C.P.-REACTORCOOLANTPUMPDESIGNCORELIMITSEXCEEDED(DNBR<1.30)REACTOR.ATHXGH~~POWER~ALLLOOPL.O.F.WXTHNOIMMEDIATER.TORUNDERVOLTAGERT.BKR.OPENR.T.LOWFREQUEHCYONALLBUSESSIMULTANEOUSLOSSOFPOWERSIMULTANEOUSR.C.P.BKR.OPTING."IGURE5.3-1
FAULTTREEIORSIICLEUM)tlOSSOFFMQtRObhhLKCROSSCORENHhCICONDITIONNlATR.T.CORKDKSICNLINITSKICKKDKDUNFLONR>>T>>.L>>O>>F~MSSOFFLONR>>T>>~REACTORIRItR>>C>>tiiRKACFORCOOIANTFUNtCORKDNSR>>l3hfACIORATRICiRFOMER'llCLELOOtL>>O>>NOINNKDIA(I)REACTOR'NOFFKTIONSISTIIl(2)ELECTRICALthOFKCTIONSTETS)ISINCLEUXltRCFAULTlAl5$OFbUSPARRSKROFKNR>>E,(I)SUSFAULTIOntKNSKR.aTSKFAKDSKRIOOPENSTRIP!KACIOR(2)R>>C>>P>>bKR>>OtINCIC>>P>>OPENCKT>>R>>C>>t>>QIORTCKTSUSFAULTPI&et$3>>>>2
~qIIi FAULTTREEFORLOCKEDROTORACCIDENTPROBABLEGROSSCOREDAMAGEHIdTR.T.HIPRESSURER.T.PROBABLECOREDAMAGELOWFLOWR.T.COREDESIGNLIMITSEXCEEDEDSYMBOLSCONDITIOREACTORATHIGHPOWERR.C.P.MECHANIFAIISRE(LOCKEDROTOR)R.T.-REACTORTRIPR.C.P.-REACTORCOOLANTPUMPFIGURE5.3-3 hPt~>a' EsKULTI~PLOSSOPPLOW,TYPIChLPL@K'I~t80a706050COREFLOWPONUCLEhRPOWER{meZRVOLTaCZ,TRIP)HOTSPOTHKLTFLUX'UNDEKVOLThaKlzazH..,pe~I~a:tIl.6HOTASSMLY'--MXH.DHBRATIO=)iI()~fe~J1.2L000 10090SICLOOPLOSSOPKlÃ2-UNpMT80~070OWDEAD:LOOP501.8:.:.iHIM.DMSRATIOj~I~1.4ROTASSZ8BLY-1.014001200NOTRIPaooTRXPONLOWPLOW~*I*~\120u.pDELThTTRXPPOISEHX4T-=-...TRZP.~NOTRIP~~~~I~100(ACTIVELNP-TRZPPolllT012'345678910~jj&la'ehtTPVrtmTPC0C
LOCKEDROTOR,LOSSOPHOW2LOOPPLANT~~F00SOI..i~~~ACTXVZMOPI~~~~~*60~~COREPL(M~~~I]JJ~~~~w~40203000zsoo~~DEADLOOP':.lI~~~~>>~l-~~I~~~'I~I~~~~05'oS~6'.I'.~IOJ26002400~~REACTORfCOOLANTSYSTEHPRESSURIZER'NOTRIPLOPFL(NTRIP~~2200'03000~o~~~~~~TIHE,SECONDS\~2500J~+>>~efI~~~III.I'ITIHEOFREACTOR.NOTRIP-=(SEC)2000e44F500H2lOQO500~~~~~~~~l~iII~%t~IL~~~\)~~~I~~'lI~~<<II~I2TIHEAFTERPUHPSEIZURE,SECONDS 0
RODJUNCTIONANALYSISji4INTRODUCTIONANDSUMMARY54~zimaryprotectionforarodejectionaccidentisareactortripon~epz~ighnuchnuclearflux.Thenuclearfluxinstzumentationismadeupoffource>peletelyseparatesensorsandchannels,andreactortripisactuatedifanytwochannelsindicatehighpower.Analysishasbeenconductedtor:.'.-e*t~~~=~vl~Iedeterminetheconsequencesofahypotheticalfailureofallthenuclearchannelscoupledwithahypotheticalrodejectionaccident.Analysis,madeonthebasisoftheGinnaNuclearPlantofRochesterGasaElectricCo.(RGB),indicatethatinthemajorityofrodejectioncasesnoprotectionisrequired(forexample,ejectionofazodfromitsnormally-expectedposition).ItisfurthershownthattheDelta-TtripprovidesI~,anacceptablesecondlevelofdefenseforsomecases.However,protectioncannotbedemonstratedforsomeofthemoreseverefullpowercases.Protectionmayinfactexist,butitisnotpossibletopositivelydemonstratethiswiththecurrentlyavailablemodels.Ananalysisoftheavailabletriphasbeenmade,andiscomparedwithanIarbitrarycladlimitof2750'FandanarbitrarypressureVmsof3000'psi.Twodetailedcasesarepresented:aseverecasefromzeropowerendofcorelife,andamoderatecasefromfullpowerendofcorelife.Noreactortriphasbeenassumedforeithercase.5.4.2CASESCONSIDEREDINDETAILZeroPowerCaseThecaseconsideredrepresentsazodejectionaccidentforanendoflifecore.Theassumedejectedzodworthandhotchannelfactoraze1.0X6kand12.5respectively.
~tingpowertransientandhotspottemperaturesaredetailedin~~resultF5.4-1.1steadypowerlevelisconservativelyassumedtobe15Xoffull~+finasThispowerlevelislowerthanthevaluewhichonemightnormally~er.~q)ectfozarodreactivityinsertionof1.0<k>>owingtothehighfeedbackueigihtingfactors-{Thelargehotchannelfactorsresultsinalargepowern<einthehotspot,wherethestatisticalweightishigh).Thepromptyzstresultsinareactivityundershootwhich,combinedwiththeshortageofdelayedneutrons,temporarilyfozcesthepowertoavaluebelowequilibriumcondition.Thepowerlevelisassumedtorampupto15Xat5secondsaftere]ection>>althoughcalculationsindicatedthatitwouldtakemuchlongertoreachthispowerlevel.Theplottedhotspottemperaturesindicatethatequilibriumconditionscanbesustained.Ztisthereforeconcludedthatnoprotectionisrequiredforthisaccident.Zngeneral,theejectedrodworthsandhotchannelfactorsarqlowerforthebeginningoflifezeropowercases,andthereforetheconsequencesareexpectedtobe,somewhatlesssevere.FullPowerEndofLifeCaseThecasepresentedisforarodejectionaccidentoccurringattheendofcorelifewithane5ectedrodworthof0.336kandahotchannelfactorof3'3.ThepowertransientsandhotspottemperaturesaredetailedinFigure5.4-2.Theequilibriumpowerlevelis112Xoffullpower.5.4-2 0
kcladdingtemperatureof2950'Foccurssome50secondsaftergepeUnderequilibriumconditions,some50Xbyvolumeofthehot,ection0]fuelismelted.Areactortrip'noverpowerDelta-Toccursat6~~cuelimitingcladtemperaturetoabout2400'.Thiscaserepresentsrecons,evereaccident,butisnotintendedtorepresentalimit.~<eve>~~larrodejectionaccident,occurringatthebeginningoflife,auldresultinanequilibriumpowerlevelofabout12SXoffullpower,ithanequilibriumcladdingtemperatureoftheorder3100'Fto3200'F.5.4.3BACK<<UPTRIPPROTECTIONThemostlimitingcasesoccuratornearfullpower.TheprotectionSystemisexaminedtodetermineunderwhatcircumstancesatripsignalwouldterminatearodejectionaccidentatfullpower.TheresultsofthestudyareillustratedinFigure5.4-3.Thegraphisaplotoftotalexcessnuclearenergyadditionversustime.Steadyfullpoweroperationresultsinalocuscoveringthehd~ontalaxis.Thenuclearfluxtripisrepresentedbyastraightlineofgradient0.18,,correspondingtoapower'levelof118XNotethatthislineisanupperanditspositionisinfactdependentonthepowerversustimeshape.Thisisageneral,butnotimportant,effectforthelinesplot~ed.Ariseinnuclearpowerproducesapressuresurge.However,theeffectisattenuatedbytheheattransfertimeconstant,ofthefuel(oftheorderof4seconds),andthepossiblerelievingeffectoftheholeinthevesselheadandrelievingcapacityofthepower-operatedreliefvalves.Thehighpressuretripcouldnotbeexpectedforanyrodejectionaccident.5.4-3 ThehighDelta-Ttripfurnishesabackuptripforanysevererode)ectionzcccident.Exceptinthemostseverecases,itLimitsthecladtemperatuxepp]essthan2750'F.Transportdelaysinthecoolantloopdelaythetripforseveralseconds.Alsoplottedonthegraphaxetwoarbitrarylimitlines.TheyarerespectivelyacladLimitof2750F*andaCoolantSystempressureof3000psi.BoththeseLimitshavebeenarbitrarilyselectedandarenotintendedtorepresentI~I-.rpl~SphysicalLimits.Apowerburstofsomesixfullpowersecondsattimezeroresultsinboththese1lmitsbeingreachedsometwoto.threesecondsIlater.ThisisnotaphysicallyreliableconditionforanyWestinghousereactor.Figure5.4-4showsthepowertransientsforrodejectionaccidentsoccurringatendofcorelifeforvariousejectedxodworths.frftI1+TheseLinesarebasedonstead~tateandtransienthotchannelfactorsof3.23.5.4W jZEROPOWEREHDOFLIFERODEJECTION,NOTRIP&~~~HjjCLjj&RPOjjE&VS~T2$=~1~~~Ii.:A~~4~1.0XF~12.S"::?3020M~--EHERGTINPUTUPTOO.SSECONDS~1.70F.P.Sfact::.FPS:Fullotspopowerseconds~'-9-&vmbols6k:ChangeinreactivieyT.F:Totalheatfluxpeald.ngoratht10~~~i~~~i~i&(&.=~::iI:.-:ii&~~~~&--~)&'i0246810121416TQK,SECONDS:HOTSPOTVS.TIHE=-"-.~~~4000:FUELAVG.-I~~~L~e:::3Z&&":&&20001~-~~-~~~~~~~-.-::-.1008046S1012141618TIME,SECONDSFIGURES.4-1
PULLPOWERENDOPLIFERODEJECTION,NOTRIPI~>~~:='UCLEARPOWERVS.TIME~leak0.33Pm'3~23Tr~~'i.-:L~SbaIIISk:ChangeinReactivityP:TotalHeatFluxPeakingFactorTqatHotSpot~.~45TIME,SECONDSting).~II~~rI~4sr,~~IIII~IHOTSPOTTEMPSULTUREVS+TZME':.-.-,:-'Mel=--'-'-~~~PURLAVGI:~r~~~'"I~~~WM.:~..~'~..':'LADOUT~T':.I:I~Ii~~IP'PEAKCLADSURFACETEMP.--:~2950'PAT50SEC.50X(HYVOLUME)OF'cCLi'.."MELTS.V.~:.-..~-=-'i::!=-'i;:,i-.--'246S10121416TIME,SECONDSPIGURI'.4-2 0P eFullPowerEndofLifeF~3.23Txa~+\87643pi2C~8p~023456789l0TIME,SECONDS~~TOMOFSkFEXYGZHZTSANDTRIPPOINTS'~<RODEJECTION'ACCIDENTS,HOTRIP-representsthelocusofpointsatwhichtriowouldterminatetheaccidentrepreseecslacesarseferylfrsirs FULLPOWERENDOPLIPSROBEHKTIONWH33RKTRIPCO4l5CD~CC3CO~~C~2~~I1~l0010.e0.33TIME,SECOHDSWte:0.4XQc'representsapracticalBait:arfuIlpcwerceses.~RODEJECTIONACCIDEHTS'QXXHN)THXP,'IGURE5.4~
I0 LOSSOFSTEAMLOAD5,5.1XNTRODUCTIONANDSUHHARYVp'<<,',lossofsteamloadmaybecausedbyclosingoftheturbinestopvalves,whichnorma21yfollowsaturbinetripsignal;byclosingoftheturbinecontrolvalvesfollowingarejectionofelectricalload;orbysteamisolationfollowingaReactorprotectionSystemsignal.Theconsequences<<ofalossofsteamloadarearapidlyincreasingSteamSystempressureandReactorCoolantSystemtemperatureandpressureduetothelossofheatsink.Protectioninstrumentationisprovidedtoimmediatelytripthereactorfollowingaturbinetripsignal.A.steamlineisolationsignalisnormallyaccompaniedbyasafetyinfectionsignalandalsoresultsinareactortrip.Followingare)ectionofelectricalload,aSteamDump<<~"".%'ystemactstopreventreactortripbyautomaticsteamdumptothecon-,denser.(Upto100Xloadrejectioncanbehandledbysome'planes-)Xftheloadre)ectiongreat1yexceedsthesteamdumpcapacity,oriftheSteamDumpSystemshouldfailtooperate,areactortripmayoccuronhighpressure.RedundantprotectiveinstrumentationandconservativedesignofpressurereliefdevicesassuresthesafetyoftheplantforalargeloadrejectionwithoutrecoursetoAutomaticRodControl,PressurizerPressureControl,orSteamDumpControlSystems.5.5-1 Inthisreport,theProtectionSystemisexaminedtoseeifdiversepx'orotectionexistsforacompletelossofloadwithoutdirectreactortrip.DiversityisfoundtoexisttoprotecttheReactorCoolantSystemandreactorcoxe.5.5.2LOSSOFLOADPROTECTIONANDDESIGNCRITERIAThereactorispxotectedforlossofloadby:a)Steamdumpto'ondenser(actuatedbytheContxolSystem)b)c)Pressurizerpressurerelief(safetyvalvesandpowez~peratedreLiefvalves)SteamSystempressurerelief(safetyvalvesandpower-operatedrelief.valves)')Directreactortrip(onturbinetrip)e)Highpressurizer-pressuretripf)Overtemperatuze4Ttripg)Highpressurizerleveltrip.SteamDtoCondenserTheSteamDumpSystemactsautomaticallyuponsensingalossofloadgreaterthanapresetamount.ThesteamdumpvalvesaretheneithermodulatedortrippedopenuntiltheReactorCoolantSystemtemperatuxereachesthenewprogrammedloadreferencetemperature.Thereactorpowerisreducedbycontrolrod,insertionduringthistime.Zncaseofaturbinetriporreactortrip,thesteamdumpisactuatedandcon-trolledonapresetuo-loadreferencetemperatuze.TheSteamDumpControlSystemisdescribedinSection3.2.5.5-2 0
tPressurizerPressureReliefThepressurizersafetyvalvesaresizedtomatchthemaxfmnnnvolumetricsurgerateassociatedwithacompletelossofloadwithoutsteamdumporadirectreactortrip.Thisisnotdependentonpxessurizerpressurecontrol.ThepressurizersafetyvalvesthereforecompletelyprotecttheReactorCoolantSystemagainstovexpressure,independentofthehighpressurereactortrip.Thereliefvalvesaresizedtopreventactuationofthehighpressuretripwhenthesteamdumpandroddrivesystemswork,andtherequiredsteamreLLefiswithinthecapacityoftheSteamDumpSystem.SteamSstemPressureReliefTheSteamSystemsafetyvalvespass100Zofma~mancalculatedturbinesteamflow,atthesafetyvalvesetpressureplusaccumulation.Thisallowstheplanttoaccepta100Zloadre]ectionwithoutreactortxiporsteamdumpwithoutovexpressurizingtheSteamSystem..Xnaddition,reliefvalvessettoopenatalowerpressurearealsoprovided,andaxetypicallysizedataboutlOZofthesafetyvalvecapacity.DirectReactorTriThemostcommoncauseofalossofloadisaturbine-generatortrip.Zntheeventofsuchatrip,theturbinestopvalvesclose.Aturbine5.5-3 tripsensedbye2/3lowauto-scopoilpressureor2/2stopvalveclosureresultsinareactortripifthereactorisathighpower.ThepurposeofthesetriPsistomizdzMethethermaltransientsndsteamdumPrequirementsfortheserelativelyfrequentplanttransients.HihPressurizerPressureTriThereisareactortripon2/3highpressurizerpressure,generallysetto2400psia,orslightlyabovethepressurizerpoweroperatedreliefvalvesettingandbelowthepressurizersafetyvalveopeningpressure.OverteraturedTThepurposeofthistripistoprotectthecoreagainstanycombinationofreactorcoolanttemperature,powerorpressurewhichcouldcauseIDNS.Triplogicis2/4for2.and4-loopplantssnd2/3for3-loopplants.HihPressurizerLevelTriThistripactstopreventwaterdischargefromthepressurizersafetyvalves.Logicis2/3.5.5W 5.5.3EVALELKONOFPROTECTIONSYSTEMFORLOSSOFLOADAcompletelossofloadwithoutsteamdumpandwithoutadirectreactortripisevaluatedtofindifdiverseprotectionexiststopreventahazardtotheintegrityoftheplantthroughoverpressurizationor'NB.Thetransientwasinvestigatedforacurrent,highpowerdensity\lant,andnocreditwastakenforpowerreductionduetoautomatic'../'.".t~controlrodmotionormoderatortemperaturecoefficient./'InitiationofAccidentFigure5.5.1showsafaulttreeforalossofloadwithoutsteamdump,withthereactorathighpowerandaodirectreactortrip.Onewaya1088ofloadcanoccurisbyclosingoftheturbinestopvalvesfollowingaturbinetripsignalorbyhydraulicfluidpressurefailure{thevalvesareheldopenbyhydraulicfluid)-However,oneand.possiblytwotripsmustthenfailinordertopreventanimmediatereactortrip.Anotherpossiblefailuremodeisaturbinerunbackcausedby,thethrottlevalvesclosing.Thiscouldbeinitiatedbyaroddrop,anoverpowerorovertemperature4Tsignal,byanactualorspuriouslossofelectricalloadsignal,orbyafailureintheturbinecontrollerandloadlimitsystem.Aspuriousroddropsignalwouldnormallydecreasetheturbineloadbyafixedsmallpercentageoffullload.Thecontrol5.5-5 alvecouldclosecompletelyonlyifanimpropercircuitexistsinthecontroller.Similarly,anoverpowerorovertemperature4Tsignalcoxmallycausesastepload.decreaseofSXevery30seconds;andonlyinthecaseofasimultaneousfailureoximpropercircuitinthecontrollercouldtherebeinsufficienttimefortheoperatortotakenotice.Eftheturbinerunbackiscausedbyanoverpowerorovertemperature4TprotectionSystemfailure,thefailurecouldonlybeinthesafedirection;thatis,theerrororfailurewouldbeinthedirectiontocauseareactortrip.Athirdpossiblepathforalossofloadisthroughsteamlineisolation.Thismayoccureitherthroughalossofairsupplytotheisolationvalves,orbyaspuriousorrealisolationsigna1fromtheReactorProtectionSystem.Asaresultofthelossofsteamflow.totheturbinebyanyhfthethreepathsoutlinedabove,theSteamDumpSystemisactivated.However,no1creditcanbetakenforthisfollowingsteamlineisolation,since,thedumpvalvesaredownstreamoftheisolationvalves.Forallthreepaths,theresultingdecreaseinfirststageturbineimpulsepressurecausesautomaticreactox'owerreductionbycontrolrodinsertion.Evenifthereactorisinmanualcontrol,themoderatorcoefficientofreactivityisgenerallynegativeandwouldcauseapowerdecreaseastemperaturesincrease.5.5-6 0Ii)~~
'CThefaulttreeshownonFigure5.5.1indicatesthat,inmostcases,afaultcouldcauseacompletelossofloadwithnosteamdumporreactorit"~>>I'powerdecreaseonlyifoneoxmoresimultaneousfailuresoftheControlorProtectionSystemalsoxesuLted.However,thefollowinganalysisisbasedonacompletelossofsteamloadwithoutsteamdump,reactorcontxol,ordirectreactortrip.AnalsisandDiscussionFigure5.5.3showstheresultsofatransientanalysisforacompletelossofloadwithoutsteamdump.Theresults'showthat'hesafety~~II'III>>valvescapacityoftheSteamSystemis..sufficienttoLixQtthepressurelrisetolessthanLUOpsia,evenwithoutareactortrip.TheReactorCoolantSystemT.transientisshownforahighpressurizerpressureavgorhighpressurizerlevelreactortrip,aswellasfornotxip.IActuationoftheSteamSystemsafetyvalvesrestoresthereactorheat\s~andcausesadecxeaseintherateofriseofthereactorcoolantaveragetempexature.Withoutareactortrip,Twouldeventuallycomeavgintoequilibriumwhentherequiredheatdissipationatthesuetyvalve,~setpressureisreached.TheReactorCooLantSystempressuretransientisalsodepicted.inFigure5.5.3.Theeffectofthepressurizerpoweroperatedreliefvalvesisfeltslightlyabovetheirsetpressureof2350psia.Sincetherequired5.5-7 4e relieffora&61lossofloadwithoutsteamdumpfarexceedsthereliefvalvecapacity,thepressurecontinuestorisetothesafetyvalvesetpressureof2500psia.Theopeningofthepressurizersafetyvalves,andtherestorationofthesecondarysinkbysteamrelief,limitstheReactorCoolantSystempressurerise.ThesurgeratedecreasesastherateofriseofTdecreases,andeventuallythepressuredecreasestoavgthereliefvalveopeningpressure.Thetransientisalsoshownforthehighpressurizerpressureandleve1reactortrips.Thepoweroperatedreliefvalvesdelaythereachingofthehighpressurereactortripsetpointbyabout2seconds.ThelowergraphinFigure5.5.3showstheaduinnxm(hotchannel)DNBtransient.Forthefirstfewseconds,theDNBratiorisesduetotheincreasingsystempressure,whilepipingdelayscausethecoreinlettemperaturetoremainconstant.Twotrips,thehighpressureandovertemperaturehTreactortrips,preventthecoredesignlimf.tsfrombeingexceeded.RatecompensationonT,which.isincludedinavg'heovertemperaturedTtrip,wouldactuallycausethetripsetpoint-tobereachedmuchsoonerthanisdepictedinthefigure.Thehighpressurizerwaterlevelreactortripisinadequatetopreventthecorefromexceedingthedesignlimits.However,theminimumDNBratiointhehotassemblyforahighleveltripisabove1.0andwouldassurethatcoredamage,ifitoccuredatall,wouldbelimitedtoasmallfractionofthecore.Aconservativesetpointwasassumedforthehighleveltrip.5.5-8 0
Afaulttreefortheaccident,leadingtocoredamage,isshowninPigure5.5.2.5.
5.4CONCLUSION
SThisaccidentisnotconsidered1Qcelysinceinmostoftheincidentswhichcouldcauseit,oneormoresimultaneousfailuresofcontrolorprotectioninstrumentationmustalsooccur.Inaddition,atanytime.otherthanearlyin.coreLife,thelargenegativemoderatorcoefficientwouldcausetheaccidenttobeselflimitingandgivemuchbetterresultsthandepictedinthisanalysis.However,iftheaccidentweretooccur,diversitydoesexistinthatthreedifferentlevelsofprotectionareavail,able.5.5-9
,Ih SJSNfs<<ls<<s<<<<<<<<<<<<u~<<"<<<<<<<<.<<<<<<NSJSSR<<j~R<<g@N<<'JJ@"g<<<<j,,<<,lt,fIQJRS5.52OjRTsORSD<<sNORODJIFIONCFORNMANUALCONIIJOL<<<<4fTKAMLIbEISOIATION,NOTURRINECOÃIROLVALVESCLO.E,NOTURSINESTOPvvx.v""AIRSUPPLIAUTO.S,D,AUTO.S.D,LOADLIMITACIUALORSIUFIQJSLOSSOjEJECT~LOADSCOPVALVER<<T<<TURBINECONIROLIA3.SREXCESSIVERUNS'XIJJSSOFIIQiCENCVFIUIDNJRIQJFICOIATIONfIGNAI'<<ITNQJTREAClORTRIPIMISOPERCRTANDhlJTOGIOPR.T<<CONDITIOJIFAIJJJRIREACIORI%REC-TIONSISIIJ'.IAJGICFAULTsSBJRIQJSF<<ODDROPEIGJIALREALORSIURIQJGOVIRPOLJEROROVERORLOSSDPAUIOSIOPPIJJIDNUCL<<INST<<SISTIIlRODPOSITIONINDICATIONiFAIIJJREANTSJRBINETRIPSIGNALR.T.RKACIORTRIPK.C,-ST&QJJJP,S)1,SAINTINJECFICNI~SCFEJAnfSlsaaIIosIsolalloa~ISJ<<alIsalso~@castortcIPsISJnal.Theccfcea>ooIFloStoclccollfallllsshool4Lccoas14ctc4~NIGHTAVNIGHATFIGURE5.5-1FAULTTREEIORINN0jllRDACCII<<ENI
,5'~a~'11 FAULTTREEFORCOREDAMAGELOSSOFSTEAMLOADCONDITIONProbableGrossCoreDamageANDHighPressurizeLevelR.T.CoreDesignLimitsExceededR.T.-REACTORTRIPS.D.-STEAMDUMPS.I.-SAFETYINJECTIONOvertemperatureATR.T.iHighPrdssureRiTLossofLoad,NoSeD~orPOUerDecreaseEarlyinCoreLifeLossofLoad,NoDirectR.T.orS.D.,NoRodInsertion(SeeFigure5.5-1)FIGURE5.5-2 120010008006002600250024002300zzoo6zo600580560181.61.451.21.0.80LOSSOPLOADACCIDENT~~Il-~1-STEAMSYSTEMPRESSURE'-)~.':~te~~~II~I~~~~I~/~l".~I."REACTORCOOLANTSYSTEMPRESSUREI:-:~It~~I~~~~~~i~'OTRIP."'HIGHPRESSURE"REACTORTRIPJ'.'l"IGHLEVELREACTORTRIP~).'Il.'.!.(IIt'~Il'-i=(REACTORCOOLANTTVGI'~~).-.NO~~I~'t.TRIP(HIGHLEVEL-'EACTORTRIPf..~~~~~I~)~.HIGHPRESSURE.-'REACTORTRIP~~IHIGHPRESSURE".:-.EEACTORTRIP~I~~~gI.L.-~~II'VERHK'ERATURE.ATREACTORTRIPi'IGHLEVEL'EA,CTORTRIP-'~~~L.'UNBRATIO.NOL~4~~)2030405010SECONDSFIGURE5.5-3 0I, 5,6RODWITHDRAWABDURINGSTARTUPNormalstartupprocedureisbycontrolrodwithdrawalundermanualcontrol.~functionoftherodcontxolsystemoroperatorerrorcancauseareactivityexcuxsionwitharesultantrapidincreaseinpower.RodwithdrawalaccidentsiathepowerrangeareevaluatedinSection5.1.Fortheseaccidents,thepowerincreaseisapproximatelylinearforalinearincreaseinreactivity.Foraccidentsstartingfromvery,lowpower(staxtupx'ange),theneutronfluxmayincreasebymanydecadesbeforethereissignificantDopplerfeedback..Thenuclearpowerresponsetoacontinuousreactivityinsertionfromthestartuprangeischaracterisedbyaveryfastriseterminatedbythereac-tivityfeedbackeffectofthenegativefueltemperaturecoefficient(Dopplereffect).ThisselflimitiageffectisofprimeimportanceduringastartupIaccidentsinceit.limitsthepowertoatolerablelevelpriortoexternalprotectiveaction.Aftertheinitialpowerburst,thenuclearpowerismomentarilyxeducedaadtheniftheaccidentisnotterminated,thenucl'earpowerincreasesagainbutatamuchslowerrate.Protectionagainststartupaccidentsisprovidedbydiversetypesofneutron-monitoringinstrumentatioa:sourcerange,intermediaterange,andpowerrangechannels.Ma)ordifferencesintheionchamberandcixcuitdesignexistbetweentheintermediateandpowerrangechannels.Thesourcexaageusesaneutronsensorofadifferentprinciple:proportionalcounterratherthanionizationchamber.5-6-L
~'44Shouldcontinuouscontrolrodwithdrawalbeinitiatedandassumingthesourceandintermediaterangealarmsandindicationsareignored,thetransientwillbeterminatedbyanyofthefollowingautomaticprotectiveactions.a)Sourcerangefluxleveltrip-actuatedwheneitheroftwoindependent.sourcerangechannelsindicatesafluxlevelaboveapreselected,~g~<<manuallyad]ustablevalue..Thistripfunctionmaybemanuallybypassedwheneitherintermediaterangefluxchannelindicatesafluxlevelabovethesourcerangecutoffpowerlevel.Itisautomaticallyrein-statedwhenbothintermediaterangechannelsindicateafluxlevelbelo~thesourcerangecutoffpowerlevel.~<<b)Intermediaterangerodstop-actuatedwheneitheroftwoindependent<<intermediaterangechannelsindicatesafluxlevelaboveapreselected,manuallyad)ustablevalue.Thisrodstopmaybemanuallybypassedwhentwooutofthefourpowerrangechannelsindicateapowerlevelaboveapproximatelytenpercentpower.Itisautomaticallyreinstatedwhenthreeofthefourpowerrangechannelsarebelowthisvalue.c)Intermediaterangefluxleveltrip-actuatedwheneitheroftwoindependentintermediaterangechannelsindicatesafluxlevelaboveapreselected,manuallyad]ustablevalue.Thistripfunctionismanuallybypassedwhentwoofthefourpowerrangechannelsarereadingaboveapproximatelytenpercentpowerandisautomaticallyreinstatedwhenthreeofthefourchannelsindicateapowerlevelbelowthisvalue.d)Powerrangefluxleveltrip(lowsetting)-actuatedwhentwooutofthefourpowerrangechannelsindicateapowerlevelaboveapproximaytel25percent.Thistripfunctionmaybemanuallybypassedwhentwoofthe5.6>>2 II'0 fourpowerrangechannelsindicateapowerlevelaboveapproximatelytenpercentpowerandisautomaticallyxeinstatedwhenthreeofthefourchannelsindicateapowerlevelbelowthisvalue.e)Powerrangefluxleveltrip(highsetting)-actuatedwhentwooutofthefourpowerrangechannelsindicatea'powerlevelaboveapresetsetpoint.Thistripfunctionisalwaysactive.Sinceallprotectiveactionsintheabovelistarebasedonlevelsetpoints,Iratherthanratesetpoints,protectionisnotdependentuponhavingarapidrateofpowerincrease.ThestandardstartupaccidentanalysisreportedinSafetyAnalysisReportstakescreditfoxonlythepowerrangeprotection.Howevex,theintermediaterangehfghfluxreactortripisalwaysinservicebelowlOXpower,andwouldalsoservetoterminatetheaccident.Further,.anyaccidentstartingfromasubcriticalconditionwouldbeterminatedbythehighsourcerange'Ixeactortrip.Therefore,ProtectionSystemdeversityexistsforstartupaccidents.Figures5.6-1and5.6-2showthecalculatedtransientresponseofnuclearfluxandfueltemperatuxesforastartupaccidentwithahighrateofxeactivityinsextion.5.6-3 0
~I1010'~III~~UncontrolledRodQithdrawalPromaSubcriticalConditionPractionofNuclearPowera~+1x106k/FW5oa<lxlp6k/PfReactivityInsertionRate~8x106k/seck~1.00-1~t~I108W0gM10plillikoCoOe10g~~~I~~I~1080Wooo10-35oCl~u101001020251030Time,SecondsFlGVRE5.6-1 4~<<((I-"~(4<<<<.(.<<<<4V,~~I(areJ>~w<<(i'(<<<<M>>1000900PuelCladUncontrolledRodMithdraMalPromaSubcriticalConditionTemperature4ag<<+1x1056k/'Po=-1x106k/'PReactivitgInsertionRatef<<8x10Lk/seck<<l.07065800700CoreMater14o(4l0ce'0oj605560050500456101.L18222630'Time,SecondsFIGURE5.6-2 57CONTROLRODDROPDe-energixingadrivemechanismcausesafull>>lengthcontrolrodtofallintothecore.(Part-lengthrodsfail"as-is"whende-energized.)Thiscausesanimmediatedecreaseincoxepower,mostnoticeableintheregionofthedroppedrod.Xftheaveragecozepowerisreturnedtoitsoriginalvalve,mostofthecorewouldbeatahigherpowerdensitybecauseofthelocaldepxessionintheregionofthedroppedrod.DuringtheinitialdesignfoxthecurrentgenerationofWestinghousePWR's,theincreaseinhotchannelfactorsforadroppedzodwasnotknown.ZtwasthereforeassumedthatDNBmightxesultifthecorewereallowedtoreturntofullpowerfollowingazoddrop.Protectivecircuitsweredesign-edaccordinglyandclassifiedaspartoftheProtectionSystem.Thedesignrequirementforthisprotectivefunctionwastoinsurethat,follmrtngadynamicroddrop,thexeactorwouldnotzeturntoapowerleve3highenoughItocauseaDNBratiolessthan1.30.,Mechanismswhichwouldtendtorestorerinitialcorepowerare.noxmalautomaticcontrolandplantcooldownwithanegativemoderatorcoefficient.However,recentphysicsanalysisformalpositionedcontrolrodshasshownthat,ineverycaseforaninseztedrod,fullpoweroperationwouldnotcauseaDNBratiolessthan1.30.Becausethelocalpowerdecreasecausesageneralpowerincreasethroughouttherestofthecore,theincreaseinhotchannelfactorsisUstedtoapproximately15'xless,dependingoncoresize.Withx'especttoDNB,thisisequivalentto15Xoverpower.CoreDNB'esign5.7-1
~~~Emarginsofthismagnitudemustexistatfullpowertoallowforoperationaltransientsandinstrumentationerrors.Inadditon,forplantspresentlynearcompletion,ithasbeenfoundthatinsertedrodhotchannel.factorsdonotevenexceedthedesignhotchannelfactors.Sincetheconsequencesofadynamicroddroparetolerable,thefollowingffdiscussionofroddropprotectionissomewhatacademic.Roddropprotectiondiversityhasbeenprovided,bothinthemeansofdetectionandinthemeansofactuatingprotection.Redundancy.wasmorereadilyobtainedbydiverseinstrumentationthanbyindependent,butidentical,channels.Aroddropsignalisgeneratedbyeitherofthefollowing:a)A=rapiddecreaseinindicatednuclearfluxfromanyoneofthefourpowerrangenuclearinstrumentchannelsb)Rodbottomindicationfromanyoneoftherodpositionindicatorswhentheassociatedrodbankisnotonthebottom.One-out-of-fourlogicforthenuclearchannelsisused'becauseitwasnotknownwhethermorethanonechannelwouldrespondtothedroppedrod.Therefore,redundancyisnotclaimed.Protectiveactionisdirectedtowardinhibitingthosemechanismswhichwouldotherwisecausethereactortoreturntoitsinitialpowerlevel,i..e.,automaticrodwithdrawalandloaddemandwithanegativemoderatortemperaturecoefficient.Again,sincethemagnitudeofthehotchannelfactorincreasewasnotknown,itwasassumedthatbothmechanismswouldhavetobeinhibited.5.7-2 Redundantrodstopcontactsareprovidedtoblocknormalautomaticcontrolrodwithdrawal.Manualrodwithdrawalisnotblockedsinceitisnecessarytowithdrawthedroppedrod.Turbineloadreductionisaccomplishedthroughredundantchannels.Mostplantsaresuppliedwithelectro-hydrauLLc(E-H)controlsystemsfortheturbine.Theturbinerunbackisactivatedbythefollowing~eitherofwhichreducesorrestrictsturbinecontrolvalvepositionandsteamload.a)Reductionoftheloadrefezencesetpointoftheturbine,E-H.,controllerbyapresetamount.Thisisaccomplishedbyzeducingthesetpointatconstantrate(200X/min.)forapresettimewitha.timedelayrelay.b)Reductionoftheturbineload.limittoapresetvalue.Theloadlimit(aclamponthevoltagesignalcontrollingtheturbinecontrolvalveposition)isreduceduntilturbinethermalloadasI)sensedbyeitheroftwoturbineimpulsepressure'channelsisbelowapresetvalue.FollowingplantstartupteststoverifythattheDNBratioisgreaterthan1.30atfullpowerwithadroppedrod,itisintendedtoadjusttheturbinerunbackforoperationalrequirements.Thatis,theautomaticloadreductionwouldbelargeenoughsuchthat,withreasonableoperatoraction,anorderlymanualplantshutdowncanbeaccomplished,ratherthanareactortriponlowpressurizerpressure.Fi.gures5.7-1and5.7-2showthetransientresponseofnuclearplantvariablestoaroddropwithturbinerunback.5.7-3
lllr1.U.9.8.7~t~~-I.I~~I.',.f=~CI~:I~-I.~~~t4~~~~~~:H'ResponsetoaDroppedRCCAof.North-2.3x,106kWithaPowerCutbackof25PercentofNominal~-3.5x10bk/7'-'~>>1.65x106k/Z'.~~II~~i:I~..l.,~~~~~t~t1.000CKheQE8.9.8'~~7~t>~tl~tttI~~~I'~':I-"'I~l~'t{~~~I~~ttI~I~~II24002300~pk~~~~~~~~~It~~-I~tt~~~'{::.-~II~~I~It~~~t22002100~~~"-I~I4080120160200 04~
~'III~~I~~0~~~~~~~~~~~0t~0'I.tt0~~~II0~I0~~--}t~*L0~>>0t'If0580578576IL00~IQ0Q~~~I0~r~0~~0<<I~000~0~I~~It~LL~00L0000~>>~>I~I0~~0I~~~lI~~-I'='~I~0:..00J~565IQ0~0I~ResponsetoaDroppedRCCAofWoph-203x106kwithaPowerCutbackof25PercentofNominal~~5604~~,004a0~t0't~'fQMC4o555550U~M~IJ0=I~I~~~I~~~~~~OH1.0~~0~~M00g,9~>>~~0I~~0,8L~~00'~0~~~~~~I~~.74080120160200TDK,SECONDS
5~8ENGINEEREDSAFEGUARDSACTUATIONActuationofauxiliaryfeedwaterisdiscussedinSection5.2.EngineeredsafeguardsforcontainmentpressureprotectionarediscussedinSection5.9.ActuationofEmergencyCoreCoolingforlossofcoolantprotectionisdiscussedinthissection.Forlossofcoolantprotection,asafetyin]ectionsignalisgeneratedbyeitheroftwodiversesetsofautomaticsignals:a)Coincidentlowpzessureandwaterleve1inthepressurizer;b)Highcontainmentpzessure.BothsetsofsignalsareredundantandmeetallprotectionSystemdesigncriteria.Thesignalsderivedfromthepressurixerindicatethatreactorcoolantisbeinglostwellbeforethecoreisuncovered.Reactorcoolantblowdownalsoincreasescontainmentpressure.Setpoints'forhighcan-tainmentpressurearetypicallyabout10Xofcontaiaamtdesignpressure.Thissetpointisreachedwellbeforethecoreuncovers.Figure5.8-1showstheresultsofacalculationforarepresentativeplantforthecompleterangeofbreaksixes.Ztshowsthateitherthepressurixerorthecontainmentsignalinitiatesafetyin)ectionl-l/2minutesormorebeforethecorewouldbeotherwiseuncovered.(Forlargebreaks>passiveaccumulatorsystemsupplieswateranddelaysthetime.atwhichactivecorecoolingisrequired.)Thisanalysisincludedtheeffectsofcontainmentheatsinksandfancoolersindelayingthetimeatwhichthecontainmenthighpressuresignalisreached.5.8>>1 SAFETYINJECTIONACTUATIONSIG:NLVSBREAKAREA10004o~I+I'~'T~~~iI}.o~l<<~,~~IIIIl~~I~~<<~~}lero,one*oIrI~~~~~<<~t~~>>v~ttt~I~"ttrltt<<~~~I}'-:RangeofProtectionofI:.:PassiveAccumulatorSystem-(;I~IaeI4V100~~ooo1}:<<II~I~~IPtl~~I'~I'<<~~>>:ii}'."~IIt~~I~II~~~}I~~~~~I~~~v0~~r,~!Ia.~o~~~tt~\~v}'"--ttI~~~~\~~t<<to~o~to~~~I'I~~o~~~~~<<~~~~I<<.)~oIIOIhC10o~~t~<<'oo~I~~I~Itz~~<<'I''I~'I.....~TimetoReachLouPres-I:-surizerPressureandLevelSignal7>>~~~~\~~~~~~>>~~~~I~I~~~~<<o~<<e~o<<vpttI:TI~I~~*~I~I~I~~~~I~~I"I~}~~~~~~~i-.',I~PI~'~I"I<<I~II~)}=.1-I:ilneceUncavelCaseNddPlaneLNeSadecvlneccdcn)j~o~~~\f<<~~~~~I~~ItI~lel~~~'I~~jjjr"~~iTimetoReachPighContainmentPressureSignal'<<ll~~~vI<<j~0.01'iil\~40.1~6"10"DAUEa:.BREAKSIZE(Fi)FIGUPE5.8-1
~V 59CONTAINMENTPRESSUREPROTECTIONTypicalwestinghousedryconcaiamentplantsareequippedwithfaacoolerunicsaadspraysystems.Theseareprovidedtoreducethecontaiamencpressureeotoesseatiallyatmosphericfollowingalossofcoolantaccidentorasteamlinebreakaccidentinsidethecontainmeac.ThecontainmentisdesignedtowithstandtheeoealblowdownoftheReactorCoolantSyscemorasteamgeneratorwiehnodependenceoneheaceivesafe-guards.Theactivesafeguardsare,however,aueomaticallyactuatedfollowingcheaccident.Thepr9narycontainmentsafeguardsarethefancoolerunitsandtheircoolingwatersupplywhichazeactuatedbythesafetyinjectionsignalwhichisgeneratedby:a)Coincidentlowpressurizerpzessureandwaeerlevelinthepressurizerb)Ri.ghcontainmentpressure(approximatelylOXofdesignpressure).Thebackupcontaiameacsafeguard,ch'econeaiameneSpray9ystem,isaccuaeedbyahighcontainmencpzessuresignalwhentheconcainmencpressurereachesappxoximacely50Xofchedesignvalue.Automaticsprayactuationusessixconcainmencpressuzechannels,in2/32/3logic.TheSpxaySystemcanalsobeactuatedmanually.Only2oucof4fancooliagunitsfortwoorthreeloopplantsand3oucofScoolingunitsforfourloopplaacsarenecessaryeolimitthecontainmenepressuxebelowdesignevenconsideringehactheEmergencyCoreCoolingSyseemis.unablecosuppxessboilinginehecore,andehecoredecayheacenergycontinuescobeaddedtoehecontainmencintheformofsteam.5.9-1
TheoperationofonlyoneofthespraypumpsisrequiredinorderfortheSpraySystemtosupplementtheheatremovalcapabiU.tyofthefancoolingunitstoprovideamarginforeffectsfrommetalmaterorotherchemicalreactionsthatcouldoccurasaconsequenceoffailureofEmergencyCoreCoolingSystems.Sinceeitherfansorspraysareadequate,anddiversesignalsareusedtoactuatethefans,.theProtectionSystemisdiverseforactuationofcon-tainmentpressureprotection.5.9-2 5.3.0EXCESSIVELOAD~rgb~a+&vf"f'>Excessiveloadisonemeanswhichcouldcauseexcessivecorepowergeneration.Asdistinctfromtheovezpower~vertemperatureaccidentdiscussedinSection5.3.(RodWithdrawalatPower),reactorcoolanttemperature,pressuze,andpressurizerwaterlevelwouldnotincrease.Reactorpowerfollowsturbineload,bothbycontxoldesignintentandtheinherentlynegativemoderatorcoefficient.Anincreaseinloadabovedesignistherefoxeofpotentialconcern.DiverseoverpowerprotectionisprovidedbyReactorProtectionSystem.,Theseazetheovezpowerdelta-Tandthenuclearoverpowerreactortxips-Sincetheaccidentisinitiatedfromthesecondaryplant,thereactorIcoolantlooptemperaturesrespondbeforethecorecoolanttemperature.!IPipinglagsapplicabletotherodwithdrawalaccidentarethereforenotapplicabletoanexcessiveloadaccident,andeitherthedelta-Tor-thenuclearoverpowertripprotectsthecoreforanyrateormagnitudeloadincrease.5.10-1 pP
'C5.11EXCESSXVEFEEDWATERFLOWAnexcessivefeedwaterflowaccidentisprimarilyofconcerntotheturbine(highwaterlevelXnthesteamgeneratorleadstoexcessivemoisturecarryoverandpotentia1turbinedamage).'ithrespecttonuclearprotection,however,excessivefeedwaterflow(orfeedwatertemperaturedecrease)isseenasanexcessivethermalload,andthediscussioninSection5.10isapplicable.
512STATIONBLACKOUTAstationblackout,orlossofaU.a-cpowertothestationauxiliaries,resultsfromlossofincomingstationa~powercoincidentwithaplanttrip.Numerousreactortripsignalswouldbegenerated,suchasturbinetrip,lowcoolantflow,lowgpedwaterflow,etc.Thisisnotimportanthowever,sincethelossofa-cpowerdeenezgizesthezodcontrolpower'upply,andthecontrolrodsfallintothecore,evenifnoreactortripsignalisgenerated.Naturalcirculationofreactorcoolanttransfersreactordecayheatfromthecozetothesteamgenerators.Sincesteamgeneratorsteampressureisautomaticallycontrolledbythepower-operatedsteamlinereliefvalves(withbackupfromthesteamlinesafetyvalves,ifnecessazy),theonlyrequirementformaintaininghotshutdownconditionsistoApplyfeedwatertothesteamgeneratozs.TheauxiLiaryfeedwatersystemisdiscussedinSection5.2,LossofFeedwater.Asnotedinthatsection,thelossofa~powerstartsalla~iazypumps-Adiverseautomaticactuationsignal-steamgeneratorlowwaterlevel-isalsoprovided.Further,theenergysourcesfortheauxiliaryfeedwaterpumpsare.themselvesdiverse(steam-drivenpumpsandmotor-drivenpumpsenergizedfromthediesel-generator),suchthatfaQ.uzetoactuateanenergysourcedoesnotpreventauxiliaryfeedwater.5.12-1
APPENDIXCONTROLANDPROTECTIONFUNCTIONSreactorcon'tro1andprotectionfunctionsperformedfromeachprocess~eterinthepresentWestinghousedesignareMmlatedbelow.Pro-e~tionfunctionsarelistedfirst,andcontrolfunctionslistedlast.u~nyfunctions'.g-,indication,alarmsandinterlocks,arenotclearlyeithercontrolorprotection.~Theseareclassifiedas"supervisory"unctalons~Intheleftmargin,allfunctionsarelistedasP,SorC,showingpro-tection,supervisoryorcontrol;-i%JCLEARINSTRUMENTATION1,.3.PowerRange1.2IntermediateRange1.3SourceRange'W~REACTORCOOLANTSYSTEMPARAMETERSZ.lReactorCoolanr,Temperature(4T,T)avg2-2PressurizerPressure2.3PressurizerWaterLevel2.4ReactorCoolantFlow3~STEAMGENERATORPARA%.'TERS3.lSteamGeneratorWaterLevel3.2FeedwaterFlow3.3SteamPlow34SteamLinePressure3SSteamHeaderPressure VPARAMETERSTurbineFirstStageSteamPressureOomTurbineAutoStopOilPressureTurbineStopValvePosition~ASTROLRODPOSITION5.1BankPosition).ZIndividualRodPosition~.CONTAINMENTPRESSUREgZCZRICALPARAMZERS7'.1ReactorCoolantPumpBus7.2ReactorCoolantPumpBreakerPosition7.3FedwaterPumpPowerA-2
gJCLEARZNSTRUMENTATIONSYSTBtpowerRange-(linearindicationinpowerrangeofoperation).P1.Overpowerreactortrip(highrange)-rapiddetectionoffastoverpowerexcursionsduringpoweroperation.P2.Overpowerreactortrip(lowrange)-protectionduringlowpowerplantoperation.p3.Top-to-bottomfluxtiltbiasof4Treactortripsetpoints-reduceDNBprotectionlimitstooffseteffectsofhotchannelfactors.(BothhighdTreactortrips),see2.1,1&3P4.Reactortrippermissivesa.Permitsinglelooplossofflowtripathighpower.b.Permitreactortriponturbinetripathighpower.c.Permit"at-power"tripsduringpoweroperation.d.Defeat,manualblockoflowrangeand&termediaterangeoverpowertripsatlowpower.e.Lockoutsourcerangehighvoltagesupplyduringpoweroperation.S5.Roddropdetection-rodstopandturbinerunbacktomaintainDNBmargins.6-Overpowerrodstop.-stopapowerexcursioncausedbyrodwithdrawal.7.Overpoweralarm(forequipmentpurposes,thisfunctioniscombinedwiththeoverpowerrodstop).8.Controlroomindicationandrecording(includingtop-tobottomdifference).Channeldeviationalarm-detectchannelfailure,detectfluxtilts.10.Top-to<<bottomfluxtiltbiasofdTrodstopandturbinerunbacksetpoints(see2-1,264).A3
Automaticcontrolrodmotion-providestablereactorcontrolandrapidresponse.gntermediateRane-(Logarithmicscaleforpowerrangeandupperstartuprange)p'.Highlevelreactortrip-preventpowerincreaseintopowerrangeunlesspowerrangechannelsareindicating.p2.Defeatmanualblockofsourcerangehighleveltrip-lowintermediaterangeindicationrearmssourcerangetrip.S3.Highleve1rodstop-preventsexcessivewithdrawalofcontrolrodsduringlowpoweroperation.S4.Controlroomindicatingandrecording.S5.Startuprateindication.P.l.HighleveLreactortrip-preventstartupaccidentfromsourcerange;preventpowerincreaseintointermediaterangeunlessintermediaterangechannelsareindicating.S2.Highcountratealarms-warnofapproachtocripicality.S'.Controlroomindicationandaudiblecount.range.S4..Startuprateindication.A-4
~Nc.sgP't"K5
<<<CTORCOOLANTSYSTEMPARAMETERorCoolantTemeraeure(4T-T)avgOvereemperaturehigh4Treactortrip-preventcoreDNB(setpointcalculatedfromT,pressure,andnuclearavg'luxaxialtilt).2.Overtemperacurehigh4Trodstopandturbinecueback-maintainoperatingmargineoDNB(setpointisafixedmarginbelowreactortripsetpoint).3.Overpowerhigh4Treactorezip>>preventhighpowerdensity(seepointcalculaeedfromnuclearfluxtile)i4.Overpowerhigh4Trodscopandturbinerunback-maintainoperatingpowerdensity(seepointisafixedmarginbelowreactortripsetpoint).S5.Channeldeviationalarms-deeectchannelfailures,detectabnormalprocesscandieions.S6.Controlroomindicationandrecording.S7.Controlrodinsertionlimitalarm-maintainreactivieyshutdownmargin;maintainlowejectedrodworth;maintain,uniformcoreburnup.fr.8.LowTalarm(interlockedwithhighscesmflowforsteamavglineisolation)-steambreakprotection.Inadditiontotheabovefunctionsfor4TandT,Tisalsoavg'vgused09.HighTalarm.avg10.Tchanneldeviationrodscop(ofautomaticmotion)-avgpreventspuriousrodwithdrawalorinsertion.11.Tdeviationalarm-deviacionframprogrammedsetpoinc.avg
Automaticcontrolrodmotion-controlcorepowex'omain>>tainprogrammedtempex'ature.13~Steamdumpcontrol(condensersteamdump)-removeexcessenergyfromreactorcoolant.14.Feedwatervalvecontrol-controladditiontosubcooledwatertosteamgeneratorsfollowingaplanttrip.15.Pressurizerlevelprogramming-determinelevelsetpointtominimizechargingandletdownchangesduringloadchanges.2.2PressurizerPressurep1.Highpressurereactortrip-maintainpressureinATprotectionrange;provideoverpressurebackuptosafetyvalves.P2.Lowpressurereactortrip-maintainpressurein4Tprotectionrange.P3.Lowpressuresafeguax'dsactuation-actuatelossofcoolantprotection.P4.Highpressuxedefeatofsafeguardsactuationmanualblock-I.automaticallyrenavemanualblockasoperatingpressureisapproached.P5-CompensateovertemperatureATreactortripsetpoint-coreDNBpzotection.6.CompensateqvertemperatureTrodstopand.turbinerunbacksetpoint-maintainoperatingmargintoDNB.Controlroomindicationandrecording.8High-lowpressurealarms.Lowpressurereliefvalveinterlock-closereliefvalveson10.lowpressuretoavoidaccidentallossofcoolant./Pxessurecontrol(on-offheaters,vaziableheatexs,spray,andx'eliefvalveactuation)-maintainnormaloperatingpressure.A-6 F
11.Compensationsignalforautomaticcontrolrodmotion-improvereactorcontrolresponse.2.3PressurizerWaterLevel-(Thisvariablemeasuresreactorcoolantfluidinventoryandmeantemperature).P1.Highlevelreactortrip-preventwaterdischarge(anreliefpipingdamage)throughsafetyvalvesfollowingrapidinsurge.P2.Lowlevelsafegnardsactuation-indicationoflossofreactorcoolant.S3.Controlroomindicationandrecording.S4.High-lowlevelalarms.S5.Lowlevelheatercutoff-preventenergizingheaterswhenuncovered(equipmentprotection).S6.Lowlevelletdownisolation-preventlossofcoolantbyexcessiveletdown.C8.High-lowleveldeviationalarm-deviationfromlevelset-point.Chargingpumpspeedcontrol-maintainprogranmN.dwaterlevel.C9.Highleveldeviationheatera'ctuation-heatsubcooledwaterinsurge.2.4ReactorCoolantFP1.Lowflowreactortrip-preventcoreDNB.S2.Controlroomindication-A-7 P
3ST~GENERATORPRtAK'.TERSSteamGeneratorWaterLevel-(Thisvariableisameasureofwaterinventoryinsteamgenerators).pl.Low-lowwaterlevelreactortripandauxiliaryfeedwaterpumpstart-protectsteamgenerators;preservenormalheatsinkforremovalofearlydecayheat.p2.Lowlevelreactortrip(coincidentwithlowfeedwaterflow)-providerapidprotectionagainstacompletelossoffeedwaterflow.S3.Highlevelfeedwatercontrolvalveoverride-closefeed-watervalvetopreventexcessivemoisturecarryoverandturbinedamage.S4.High-lowlevel.alarms.S5.Controlroomindicationandrecording.S6.Leveldeviationalarm-deviationfromprogrammedlevel.C7.Feedwatervalvecontrol-maintaindesiredsteamgeneratorlevel.l3.2FeedwaterFlowP1.Lowfeedwaterflowreactortrip(coincidentwithlowsteamgeneratorwaterlevel)-providerapidprotectionagainstcompletelossoffeedwaterflow.S2.Controlroomindicationandrecording.C3.Feedwatervalvecontrol>>providestablecontrolofsteamgeneratorlevel.3.3~Se~F1owP.1.Setpointforlowfeedwaterflowreactortrip(see3.2.1above).P2.Highsteamflowsteamlineisolation-steambreakprotection.
'tV4 S3~C4Controlroomindicationandrecording.Feedwatervalvecontrol-providerapidres'ponsegfcgntzotforsteamgeneratorlevel.3.4SteamLinePressure>~,W/!-P1.Lowpressure(ortuicdifferentialpressure)safe~dactuation-steambreakprotectionP,C2.Compensationofsteamflowchannels-provideaccuratesignalofsteamflow.S3~S4.C.5.Lowsteampressurealarm.Controlroomindicationandrecording.Controlofsteamlinereliefvalves-minimizeactuationgfsafetyvalves.3.5SteamHeaderPressureC1.Contzolsteamdumptocondenser.S2.Controlzoomindication
,F TUgBXNEPARAMETERSTurbineFirstStaeSteamPressure-(Thisvariableisproportionaltoturbinesteamload).pl.Reactortrippermissives-pexmits"at-power"reactortripsaboveminimumturbineload.p2.Steamlineisolation-determinessetpointforhighsteamflowforsteambreakprotection.S3.Controlroomindication.S4.Lowpowerblockofautomaticcontrolrodwithdrawal-preventsunstablereactorcontrol.S5.Steamdumpinterlock-preventsoperationofsteamdumptocondenserunlessarapidlossofloadhasoccurred.C6.Tprogram-determinessetpointforTincontrolavgavgrodandsteambypasscontrolsystems.C7.Steamgeneratorlevelprogram-determinesetpointforlevelinfeedwatercontrolsystem.4.2TurbineAuto-StoOilPressure-(Presenceorabsenceofoilpressureindicates'tripornon-tripconditionofturbine).1.Reactortrip-preventtemperature-pressureexcursioninreactorcoolantfromlossofsteamload.C2.Steambypasscontrol-selectsmodeofcontxol.3.Feedwatercontrol-selectsmodeofcontrol,steamgeneratorwaterlevelorTavg4~3TurbineStoValvePosition-usedasbackuptoautostopoilpressurefoxreactortripsignal.
CO~OLRODPOSITIONBankPosition-(StePcounters)Bankinsertionlimitalarm(setpointdeterminedfromand4T)-maintainreactivityshutdownmargins;avgmaintainacceptablecorepowerdistribution.S2,Bankwithdrawallimf.talarm-warnoperatorthatcontrolrodsarenearingtheendoftheirusefultravel.S3,Controlzoomindicationandrecording5.ZIndividualRodPosition(LVDT)Sl.Rodposition'deviationalarm-warnofpossiblerodmalpositioning.SZ.Rodbottomroddropdetection-rodstopandturbinerunbacktomaintainDNBmargins.S3.Controlzoomindicationandrecording=
CPNTAZgKNTPRESSUREpl.Highcontainmentpressuresafeguardsactuationandreactortrip-protectionagainstsmallsteambreaks,backupprotectionforlossofcoolantaccidentsandlargesteambreaks.-P2.Highcontainmentpressuresteamlineisolationp3.Highcontainmentpressuresprayactuation.S4.Controlroomindication.A>>12 ELECTRICALSYSTEMVARIABLESResistorCoolantPumpBusPl.Underyoltagereactortrip-protectionagainstmulti-looplossofflow.p2iUnderfrequencyreactortripandRCPbreakeropening-preventrapidsystemfrequencyopening-preventrapidsystem.fre-quencydecreasefrombrakingRCP.7.2ReactorCoolantPumpBreakerPosition(contacts)P1.Reactortriponbreakeropening-backup.tolowflowprotectionforlossofflow.7.3FeedwaterPowerPl.Auxiliaryfeedwatersystemactuation(feedwaterpumpbreakerpositionand/orbusvoltage)-backupfeedwaterprotectionforlossoffeedwater.A-l3 ATTACHMENT8TOAEP:NRC'1184H2RESPONSETOITEM8DEFENSE-IN-DEPTHEVALUATIONPERFORMEDFORTHEREACTORPROTECTIONANDCONTROLPROCESSINSTRUMENTATIONREPLACEMENTPROJECT}}
