ML17332A851
| ML17332A851 | |
| Person / Time | |
|---|---|
| Site: | Cook  |
| Issue date: | 04/30/1969 |
| From: | BURNETT T W, DORRYCOTT J W, RISHER D H WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML17332A849 | List: |
| References | |
| WCAP-7306, NUDOCS 9507180151 | |
| Download: ML17332A851 (276) | |
Text
{{#Wiki_filter:wnu-7306 NUCLEAR ENERGY SYSTEMS CLASS 3 REACTOR PROTECTION SYSTEM DIVERSITY ZN WESTINGHOUSE PRESSURIZED WATER REACTORS April 1969 Author: T.Q.T.Burnett Contributors: J.W.Dorrycott A.C.Hall D.H.Risher APPROVED: S.ore, Manager Core Engineering Westinghouse Electric Corporation Nuclear Energy Systems Division P.O.Box 355 Pittsburgh, Pennsylvania 15230 9507180151 950707 PDR ADQCK 05000315 9 PDR<3RZ Restintthouse Electric Corp./ FOREWORD Over the past four years, considerable attention has been focused on design cx'iteria and methods of implementation for nuclear power plant protection systems.Of paxticular difficulty has been che"establishment of suitable criteria to deal with the problems of single and multiple failures, channel independence, Control and Proteccion System independence, and the'eviation of Protection System inputs..A key factor in this difficulty has b'een the conflict between the goal to minimize the number of redundant measurements fox'ny single process variable, with regaxd to the overall nuclear plane requirements, and the goal to establish a auucbnum degree of separation between the Protection System and the Control System.Obtaining an accurate and reliable measuxement of a particular process variable is one of the most difficult aspects of an instrumentacdon system.There are significant problems associated with the physical mounting of the measurement devices including optimum location, supporting structuxes, access to che equipment for maintenance, and protection against adverse environmental factors.In the case of nuclear power plants, there is also the problem of transmitting the signals fxom the containment to the control room equipment. All of these factors provide arguments for minimizing the number of separate measuremencs. Most of the functions performed by the plant Control System require the same process information as the Protection System.In these cases, Westinghouse provides Control System inputs from Protection System channels.The"Proposed IEEE Criteria for Nuclear Power Plant Protection Systems," IEEE No.279, permits this design approach, sub)ect to certain restrictions. However, this proposed resolution was not unanimously accepted by members of other United States standards and regulatory agencies, in particular, USASX Sectional Committee N3 (N42), and the AEC-ACRS.Westinghouse held meetings with members of the AEC to clarify the Westinghouse design approach and to identify the additional design criteria applied by Westinghouse, which go beyond the proposed IEEE criteria.These additional criteria require separation and identification of control and protection equipment and the use of isolation devices to transmit signals from the Protection System to the Control System.It is the position of Westinghouse that these additional criteria offer a resolution to the'tated design conflict.Westinghouse has demonstrated by actual implementation of these criteria that a high degree of separation, including proper identification, can be achieved between Protection System equipment and Control System equipment. More recently, the question of the failure mode changed from that of a single random failure to common-mode failure-a failure mode which would adversely affect all, redundant channels of a particular protective function in the Protection System.It is generally recognized that separation of control and protection does not provide defense against the common-mode failures. The nuclear power plant Control and Protection System design employed by Westinghouse was evaluated in detail with respect to the commonmode failure and presented in a series of meetings to members of the AEC.This report documents the information transmitted in these meetings and provides a technical basis for the development of criteria for design of Protection Systems with adequate consideration for common-mode failures.The conclusion of Westinghouse based>upon actual experience, previous work, and reinforced by the results presented herein, is that design criteria for nuclear power plant protection systems should permit magnum effective use of process measurements both for control and protection functions including the use of Protection System measurements in the Control.System.Such criteria significantly enhance the designer's capability to provide a system with adequate capability to deal with the majority of common~ode failures t as well as to provide redundancy for critical control functions. J.M.Gallagher,'Jr. Consulting Engineer-Control Technology Vestinghouse design philosophy for Reactor Protection and Control Systems is to make maxiunaa use, for both protection and control functions, of a wide range of measurements. The Protection and Control Systems are separate and identifiable. The design approach permits not only redundancy of control, providing its own desirable increment to overall plant safety, but also provides a Protection System which continuously monitors numerous system variables by different means;i.e., protection system diversity. The extent of Protection System diversity has been evaluated for a wide variety of postulated accidents. In most cases, two or more=diverse pro-tective functions. would terminate an accident before intolerable consequences could occur.
teetiee 1 1.1 1.2 2 3 3.1 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.2 3.2.3., 3.2.2 3.3 TABLE OF CONTENTS Title ABSTRACT INTRODUCTION COMMONMODE FAILURES AND.DIVERSITY PROTECTION SYSTEM EVALUATION QjMMARY FUNCTIONAL DESCRIPTION, REACTOR CONTROL AND PROTECTION SYSTEM REACTOR PROTECTION SYSTEM GENERAL REACTOR TRIPS Manual Trip High Nuclear Power (Power Range)High Nuclear Power (Intermediate Range)High Nuclear Power (Source Range)Overtemperature 4T Trip Overpower 4T Trip'Low Pressure Trip High Pressure Trip High Pressurizer Water Level Trip Low Reactor Coolant Flow Safety In)ection System Actuation Trip (SIS)Turbine Trip Low Feedwater Flow Reactor Trip Low Steam Generator Water Level Trip PERMISSIVE CIRCUITS List of Permissive Circuits ROD STOPS Rod Stop List INDICATION Control Board Indicators and Recorder Central Board Annunciator Panel Control Board Status Panel STEAM DUMP CONTROL SYSTEM CONDENSER STEAM DUMP SYSTEM System Design Control System Load Refection Control Turbine Trip Control Pressure Control ATMOSPHERIC STEAM RELIEF SYSTEM REACTOR CONTROL The Temperature Chanel The Power Mismatch Channel The Pressure Channel The Rod Speed Program~Pa e iv 1>>1 l-l 1-5 2 1 3.1-1 3.1-1 3.1>>1 3.1-1 3.1-1 3.1-1 3.1-2 3.1-2 3.1-3 3.1-3 3.1-4 3.1W 3.1-5 3.1>>5 3.1-6 3.1-7 3.1-7 3.1-7 3.1-8 3.1-8 3.1-9 3.1-9 3.1-10 3.1-10 3.'1-10 3.1-11 3.2-1 3.2-1 3.2-1 3e2~3 3e2~3 3.2-4 3.2-5 3.2-6 3.3-1 3.3-1 3.3-1 3'~2 3~3 2 Seetiet 3,4'.5 3.5.1 3.5.2 3.5.3 4 4.1 4.2 4.3 4.4 4.4.1 4.4.2 4.4.3 4.4.4 4.4.5 4.4.6 5 5.l.5.1.1 5.1.2 5.1.3 5.1.4 5.2 5.2.1~5.2.2.;:!.5.3 5.3-1 5-3.2 TABLE OP CONTENTS (Cont'd)Title STEAM GENERATOR LEVEL CONTROL STEAM BREAK PROTECTION SYSTEM SAFETY INJECTION SYSTEM ACTUATION FEEDWATER LINE XSOLATION STEAM LINE ISOLATION PROTECTION AND CONTROL SYSTEMS DESXGN PRINCIPLES PROTECTION SYSTEM FUNCTIONAL DESIGN CONTROL SYSTEM PJNCTIONAL DESXGN CONTROL AND PROTECTION INTERRELATION SPECIFIC CONTROL AND PROTECTION INTERACTIONS NUCLEAR FLUX COOLANT TEMPERATURE PRESSURIZER PRESSURE Control of Rod Motion Pressure Control Low Pressure High Pressure PRESSURIZER LEVEL High Level Low Level STEAM GENERATOR WATER LEVEL FEEDWATER PLO..Feedwater Flow Steam Flow Level STEAM LINE PRESSURE ACCIDENT EVALUATXON ROD WITHDRAWAL ACCIDENT I PROBABLE CONSEOUENCES OF ACCIDENT PROBABILITY OF ACCIDENT MANUAL INTERVENTION DIVERSXTY OF REACTOR TRIPS LOSS OF FEEDWATER LOSS OF FEEDWATER-TRANSIENT ANALYSIS TYPXCAL SYSTEM DESIGN REOUIR1M2KS Auxiliary Feedwater System Main Steam and Feedwater Piping LOSS OF COOLANT PLOW ANALYSIS ZNTRODUCTION AND
SUMMARY
PROTECTION SYSTEM DESCRIPTXON Low Reactor Coolant Plow Reactor Coolant Pump Low Voltage Reactor Coolant Pump Low Frequency Pump Circuit Breaker Position Overpower Delta-T Reactor Trip Interlocks ~Pa e 3.4-1 3.5-1 3.5-1 3-5-1 3.5-1 4.1<<1 4.1-1 4.2-1 4.3-1 4.4-1 4.4-1 4e 4-2 4.4-3 4.4-3 4.M3 4.4-3 4.4-4 4.4-4 4.4-5 4.4-5 4.4>>6 4.4>>7 4.4-8 4.4-8 4.4-8 5.3.-1 5.1-1 5.1-2 5.1-4 5.1-4 5.1-6 5.2-1 5.2-2 5.2-4 5.2-4 5.2-6 5.3-1 5.3-1 5.3-1 5.3-2 5.3-2 5.3-2 5.3-3 5.3-3 5.3-4 1 4 C Sectice 5.3.3 5.3.4 5.3.5 5.4 5.4.1 5.4.2 5.4.3 5.5 5.5.1 5.5.2 5.5.3 5.5.4 5.6 5.7 5.8 5.9 5.10: 5.11 5.12 TABLE OF CONTENTS (Cont'd)Title MULTILOOP LOSS OF FLOW SINGLE LOOP LOSS OF FLOW LOCKED ROTOR ACCIDENT ROD EJECTION ANALYSIS INTRODUCTION AND
SUMMARY
CASES CONSIDERED IN DETAIL Zero Power Case Full Power End of Life Coze BACK-UP TRIP PROTECTION LOSS OF STEAM LOAD INTRODUCTION AND
SUMMARY
LOSS OF LOAD PROTECTION AND DESIGN CRITERIA Steam Dump to Condenser Pressurizer Pressure Relief Steam System Pressure Relief Direct Reactor Trip High Pressurizer Pressure Trip Overtemperature 4T High Pressurizer Level Trip EVALUATION OF'PROTECTION SYSTEM FOR LOSS OF LOAD Initiation of Accident Analysis and Discussion CONCLUSIONS ROD WITHDRAWAL DURING STARTUP CONTROL ROD DROP ENGINEERED SAFEGUARDS ACTUATION CONTAINMENT PRESSURE PROTECTION EXCESSIVE MAD EXCESSZVE FEEDWATER PLOW STATION BLACKOUT CONTROL AND PROTECTION FUNCTIONS~Pa e 5.3-4 5.3-6 5.3-7 5.4-1 5.4-1 5.4-1 5.4 1 5.4-2 5.4-3 5.5-1 5.5-1 5.5-2 5.5-2 5.5-3 5.5-3 5.5-3 5,5~4 5.5W 5.5-4 5.5-5 5.5-5 5.5-7 5.5-9 5.6 1 5.7-1 5.8-1 5.9-1 5.10-1 5.11-1 5.12-1
LIST OF FIGURES~Fg ure No.2-1 Illustration of Control and Protection Design 3.1-1 3.1-2 3.2-1 3.3-2 3.3-1 Overtemperature dT Channel Overpower dT Channel Steam Cycle Valve Arrangement Condenser Steam Dump Control Scheme Reactor Control System 4.2-1 4.3-1 5.1-1 5.1-2 5.1-3 5.1-4 5.1-5 5.1-6 5.1-7 5.1-8 5.1-9 5.1-10 5 2-1 5 2 2.~5.2-3 5.2-4 5.2-5 5.2-6 5.2-7 5.2-8 5.2-9 5.3-I.5-3-2 5+3 3 5.3-4 5.3-5 5.3-6 Steam Generator Level Contxol and Protection System Pressurizer Pressure Protection and Contxol Systems Design I Fault Tree fox Rod Withdrawal Accident Fault Tree for Rod Withdrawal Accident Inserted Rod Wox'th and Reactivity Required to Reach DNBR~1.0 in Hot Assembly Versus Core Life Complete Rod Withdrawal from Maximum Full Power Complete Rod Withdrawal from Maximum Full Power Steady State Core Limits and Reactor Trip and Alarm Points Beginning of Life, Rod Withdrawal from 102X Power, Minimum DNBR Beginning of Life, Rod Withdrawal from 102X Power, Time of Event Beginning of Life, Rod Withdrawal from 80X Power, Resulting Minimum DNBR Beginning of Life, Rod Withdrawal from 80X Power, Time of Event Fault Tree for Loss of Feedwater Flow Fault Tree for Loss of Feedwater Flow Fault Tree for Loss of Feedwater Flow Level Response to Loss of Steam Flow Signal Loss of Feedwater Flow to One Steam Generator at T~One Second, Typical Two-Loop Plant Loss of Feedwater Flow to One Steam Generator at T~One Second, Typical Two-Loop Plant Complete Loss of Feedwater Complete Loss of Feedwater Auxiliary Feedwater System Schematic, Two-Loop Plant Fault Tree for Multi-Loop Loss of Flow Fault Tree for Single Loop Loss of Flow Fault Tree for Locked Rotor Accident Multi-Loop Loss of Flow, Typical Plant Single Loop Loss of Flow, Two Loop Plant Locked Rotor Loss of Flow, Two Loop Plant ~e+l y I A'I'I'lh P l 0 V 0 LIST OF FIGURES (Cont'd)Fi ure No-5.4-1 5.4-2 5.4-3 5.4-4 5.5-1 5.5>>2 5.5-3 5.6-1 5.6-2 5.7-1.5.7 2 5.8-1 Zero Power End of Life Rod Ejection, No Trip Full Power End of Life Rod Ejection, No Trip Illustration of Safety Limits and Trip Points for Rod Ejection Accidents, No Trip Illustration of Transient Trajectories for Rod Ejection Accidents, With No Trip Fault Tree for Loss of Load Accident Fault Tree for Core Damage, Loss of Steam Load Loss of Load Accident Uncontrolled Rod Withdrawal from Subcritical, Fraction of Nuclear Power Uncontrolled Rod Withdrawal from Subcritical Condition, Temperature Response to a Dropped Control Rod Response to a Dropped Control Rod Safety Injection Actuation Signal vs Break Area ~e mme~e'~'%q el t*4 9~*t 1.INTRODUCTION p o ophy for Reactor Protection and Co ol tomaema xaum use for both protection and control functions of a wide range of measurements. This results in a broad spectrum of redundant protection and control functions. The design approach used permits all equipment components to be identified as protection or control and located accordingly, with electrical isolation and physical separation between them.The design approach thus permits not only reduncancy of contx'ol, providing a significant and desirable increment to overall plant safety, but also provides a Protection System which continuously monitors numerous system vax'iables by different means;i.e., Protection System diversity. Although the Protection System design basis requires only that random single failures not negate the Protection System, a considerable depth of protection I is achieved by the Westinghouse design approach.Systems designers and re-viewers have xecently emphaaLzed the importance of achieving a suitable balance of design obfectives in regard to functional and equipment diversity. "'nteraction of control and protection functions, testing, and surveillance to~thieve a Protection System design that has adequate capability to cope with both random and systematic failure modes.(Systematic failures are also known as common-mode, or nonrandom failures.)
1.1 COMMONWODE
FAILURES AND DIVERSITY Common-mode, or systematic failures, are those that partially or completely prevent identical, instrument channels from performing their function-p'~.4*/I dundancy is no t an answer to this tyPe o f f ailure, since all channels are assume~ed to be affected.Further, these failures cannot be evaluated by pro ao~bability analysis or reliability data;indeed, they are characterized by oversights or deficiencies which presumably would be corrected when first detected.The general categories of common~ode failures are: a)Functional deficiency -The variable being monitored does not provide the information intended during the course of an accident.This deficiency could be caused by the accident's following a different course/than calcu1ated by the designers, or by a change in the plant characteristics which changes the relation between the pxocess and the variable being monitored. b)Maintenance error-This failure includes consistent miscalibration of all channels of a type, and also circuit modification ox repqir which inadvertently renders the channels functionally inoperative.'esign deficiency -Pailuxe of the equipment as installed to meet functional requirements. This could arise thxough unrecognized dependence on a single, common element., such as ventilation; by an unexpected charpcteristic (such as saturation or slow response)in all controllers of a type;or by the instrumentation being disabled as a result of the accident-d)~<<mal catastrophe -With proper isolation and separation between redundant channels, this is confined to ma)or disasters such as flood,<<rthquake, fire, etc.Where separation is not complete, less drastic~vents can have the same result.For example, a falling ob)ect could conceivably sever all cables in a small area.1-2 t+J~~N Considerable effort is being made in Reactor Protection Systems design prevent these common-mode failures, as illustrated by the examples below.However remote, the possibility of a commonmode failure must nevertheless be considered. The likelihood of maintenance errors can be minimized by proper administrative procedures, identif ication of Protection System components, and complete documentation of the as-supplied Protection System, including the design basis.Design deficiencies can be largely.eliminated by equipment qualification testing and by caxeful review of all potential common elements.Redundancy is an accepted defense against x'andom failures which affect only one component or channel at a time.Similarly,"cliversity is a defense against common~de failures which could affect multiple channels.Such protective diversity can be achieved in either of two ways: equipment diversity, by providing different types of instrumentat'ion'to monitor the same variable, or functional diversity, by monitoring different plant variables. Functional diversity entails some degree of equipment diversity, P~rily with respect to sensors and setpoints. More importantly, however, functional diversity is not dependent on the calculated respense of any one"ariable during an accident.As a convex'se of this, functional diversity is more complex to demonstrate since the response of several variables must be analyzed for each type of accident evaluated. The Westinghouse Pxotection System is therefore evaluated in this report with respect to functional divexsity. To demonstrate diversity where protective action is needed, it is necessary to show combinations of two or more of the 1-3 e 4 f o 1 lowing barriers" for each accident.Some of these are addressed to the need for protective action, rather than to the Instrumentation System itself.This is considered a reasonable approach to judging the adequacy of a Protection System.a)Tolerable consequences for expected conditions -Although case" analysis might fail to prove that protection is not vast majority of cases may have acceptable consequences. worst needed, the Whether or not this is a suitable barrier depends on the probability of adverse conditions (such as excessive inserted rod worth)and the design and operating precautions taken to prevent them.b)Low probability of accident-Probability of the initiating fault might be considered, but only in conjunction with the probable consequences. That is, a loss-of-coolant accident does not require less protection t than a loss of flow accident simply because it is less likely to occur.c)Control interlocks -Rod stops or other devices which arrest or modify spurious control action short of reactor trip can be part of the Protection System.Protection System design standards, equipment testing, and Technical Specification limits would therefore be applied.nual action-Manual action can be considered a reliable backup to automatic protection, depending on the accident rate, the complex ty the problem and corrective action, and the alarms and indication provided.1-4
Automatic reactor trip-Each accident may have a"principle" reactor trip associated with it..)BackuP reactor trip-A second reactor trip function of is an additional barrier.In all but a few cases in the Westinghouse design, a specific reactor trip is not categorically either"principle" or"backup": it serves as the principle protection against some accidents, and as backup protection against others.1.Z PROTECTION SYSTEM-EVALUATION An accident-by>>accident evaluation has been performed in order to evaluate the"depth" or degree of diversity provided by current Westinghouse design.As expected, diversity could not be demonstrated for all accidents. The xesults in genex'al, however, indicate a considerable degree of protection System divexsity. The evaluation, reported in-.Section 5 of this report, analyzed each postulated ~ccident without credit for protective action to the point at which one of the three following events occurs: Inherent plant charactex'istics terminated the accident;b)The consequences are clearly intolex'able', or c)=<<<ting analytical methods are no longer valid (for example, system alculations cannot be perfoxmed with any degx'ee of confidence if severe core damage occurs).1-5 tyne of evaluation, the amount of analytical rigor must be reduced Ka this type o as con t on s become increasingly remote and safety lhaits are exceeded is because present technology cannot rigorously support assumptions as system behavior for these remote cases.In large part, this fact explains the reason why such conservative safety limits are selected for design purposes.1-6 I SL~5ARY In the Westing ou tin house Reactor Control and Pro tection Systems the Control System is seoara's seoarate and distinct from the Protection Syst P"orection System is independent of the Contro]he Protect on S"ste-"L is highly dependent upon signals derived from the Protectio S through isolation amplifiers; This interre].ationship is illust d in inure-1.he design of the Control and Protection Syst~d th interactions between them are discussed in detail i Sectio'd 4 of this report.The design philosophy is to make maxianun usage, for both control and protection purposes, of all measurements of plant variables. For each variable monitored, the best type of equipment available is selected as the vehicle of measurement. Clearly, the requirements for measurements for control or protection purposes so nearly overlap that the optimum equipment for one purpose is also the optimum for the other,.It's recognized by those responsible for Protection System design and review that little if any additional safety is achieved by utilizing independent, but identical, measurements for control and protection. In fa<<, it is Westinghouse's position that additional identical channels are seriously disadvantageous jn that more penetrations, maintenance, and control room readouts are required.por example, operator surveiU.ance of protection channels'is necessarily diluted when plant operation is dependent on other indications.
pressurized water reactor plant, it is almost axiomatic that-.n a Large Pre s rturbation which encroaches on safety limits significantly affects~v pertur a For example, a reactivity excursion-such as accidental rod vt.th raw drawal-causes not only an increase in neutron flux and core power,~so an increase in coolant temperatures and in pressurizer pressure but and level.Reliable control is obviously'he best approach to plant safety.The prime, purpose of a control system is to limit excursions before protective action is necessary. Since the control devices must be capable of Limiting excursions, they are also capable of causing an excursion-perhaps in the, opposite direction-if spuriously actuated.Failure of the Control System, either by not acting when needed, or acting when not needed, decreases the leve1 of safety.Redundancy-of control, where applicable, is therefore highly desirable. Pressurizer pressure control is a prime example of efficient use of redundant measurements for safe operation via a reliable Control System.Two oower-operated pneumatic relief valves are provided to limit pressure excursions within the normal operating range.Although not essential to-safety, these valves increase safety margins for system overpressure ~overpressure protection is provided by the high pressure reactor trip~safety valves).Should either valve be actuated spuriously, however, p~tection against the reduction in pressure might also be required.2~2 'Ph contro3.channels, derived form the four pressure protection ."-our pressure con t no sing3.e ins-hanne3.s, are use-el'ei when needed, nor can any single i Qt~t fail duce pressure to the point at which protection would be needed ressure channels are used to contro1 each valve.One pressure channel Mo pressure serves as an interlock, blocking the air supply to the valve on a low pressure a3.arm.Since the pneumatic valve requires air to open, thi's low pressure alarm closes the valve (if open)and holds it closed.In the absence of a low pressure alarm on the first channel, a high pressure alarm on the second channel opens the valve.."-rom the protection System viewpoint, the corollary to maxbaum usage of all measurements is that protection against any given accident is not necessarily confined to measurement of just one variable.Thus the reactivity excursion noted previously, the reactor trip on high pressurizer wager leve3, also provides a degree of protection, even though the basic purpose of this trip is to protect the pressurizer relief piping from water relief surge, through the safety valves.Since completely different. types of measurement are used<<r neutron flux and pressurizer water level, diversity does exist in the Protection System.Lhe extent of such diversity is evaluated in Section 5 for a wide variety ot accidents. In most cases, two or more diverse reactor trips terminate~accident before catastrophic consequences can occur.However, the second trip reached (the"backup")generally does not prevent the design satey limit from being exceeded.In this context, the design saiety 2-3 h h as a DNg ratio of 1.30, is itself a highly conservative such~,.exceeding this limit does not imply intolerable consequences. ~one case evaluated-the hypothetical rod ejection accident-protection system em diversity could not be adequately demonstrated for the worst case.~eyer a rod ej ection is considered to be an extremely unlikely accident one caused by complete and instantaneous mechanical failure of a control rod pressure housing.Further, the probable consequences, as distinct from the worst case, are tolerable since most control rods are fully withdrawn from the core.Even those rods that remain inserted are seldom inserted to their insertion limits.."-or another type of accident-complete loss of feedwater-diversity of reactor trips does exist.Ho~ever, automatic actuation of the auxiliary feedwater system is not diverse for all of'he ways in which feedwater flow could be lost.For those cases, it is shown that manual actuation consti-rutes a reliable back-up to automatic actuation. 2-4 'P 7"I H t I 0 ILLUSTRATION OF CONT."d)L'lND PROTECTION DESIGN CONTROL SYSTEM l (Signal con~itionins, controllers,~I interlocks, and defeat switches)t.otection {test signa.ague)(test r adout)~est CONTROL PROTECTION Channel'Sensor I\I Cabling and Penetrations ~I!P ewer Suoply!Isolation I;ihmplifier I Bistable l I (From other protection channels)".harm el Channel 2 3 f" 1 I In8icatio Channel 4 C C CJ o 4k IJ CO C IH g~g O Cl~+I cd 0 C cC CJ PROTECTION LOGIC a&CKS TRAIN TO REACTOR TRIP BREAKERS FIGURE 2-l ~,'I 1"k 0 P CTIONAL DESCRIPTION REACTOR CONTROL AND PROTECTION SYSTEH~~CTIONAL REACTOR PROTECTION SYSTEH 3.1 3.1.1 GENERAL'r'1 and Protection Szstm functi~di , , based on the Robert Emmett Ginna Nuclear Station of the Rochester Gas and Electric Co.(RGBE).It is representative of Westinghouse design practice.All reactor trips meet the following criteria: a)A single fai1ure shall not negate a reactor trip b)All channels are capable of calibration and maintenance at power.3.1.2 REACTOR TRIPS 4 A resume of reactor trips, means of actuation and coincident circuit requirements is given in Table 3.1-1.i~fllnual Trig Depressing either of two manual push buttons on the main control board actuates a reactor trip.Hi h Nuclear Power (Power Ran e)Dual trip settings=are provided: 3.1 1 " ca.l\"1~ )Low (approximately 25X)b)High (approximately 110X).The low setting can be manually blocked when power increases above P-10*(approximately 10X power)and is automatically reinstated when power decreases below P-10.These circuits trip the reactor when two of the four external ion chamber average flux signals are above the trip setpoint.Hi h Nuclear Power (Intermediate Ran e)This circuit trips the reactor when either of the two intermediate channels indicate above the trip setpoint, Et may be manual1y blocked when power is above P-10 and is automatically reset when power decreases-below P-10.Expected trip setpoint is 25X.HL h Nuclear Power (Source Ran e)This circuit trips the reactor when either of the two intermediate P range channels indicate above the trip setpoint.It may be manua11y blocked when two intermediate range channels reads a value above P-6 and is automatically reinstated when both intermediate range channels decrease below P-6.Trip setting is between P-6 and the maximum source range power level.*P-()designates a permissive circuit to block or activate a trip function.These circuits are defined in Section 3.1.3. 4~I' ~Fj t yvertemoe temperature 4T Trio of this trip is to protect the core purpose o po , p ssure, temperature,'cion Two out~f four oop~For each channel per eactor c lative measure of reactor power and is compared with a continu ously calculated setpoint of the form: 4T~K+K xPressure-K x T>>f(4I)setpoint L 2 J avg~en the reactor coolant loop 4T exceeds the calculated setpoint, the r atfected channel is tripped.Zn the above equation, 4Z is the difference'between the top and bottom power-range ion chamber signals..This compensation signal automat-ically reduces the trip setpoint if adverse axial core power I distribution exists.Dynamic compensation of the T signal is avg also provided to compensate for instrument and piping delays between the reactor core and the'loop temperature sensors..A schematic representation of this circuit is shown on Figure 3.1-1.An illustration of the setpoint is shown on Figure 5.1-6.Overoower 4T Tri The purpose of this trip is to protect against excessive power (fuel<<d power density).Two-out-of-four trip logic is used;there are two channels per reactor coolant loop.3.1-3 i for each channel is calculated as: Ne setpoint tor e~K-K-T-K (T-T)-f(II)4 5 dt avg 6 avg avg~'quation>f (41)is the same function as used in the overtemperature equat o-serpo nt e tpoint equation.The term K5 compensates for the piping and instrument delay.The term K6 compensates for the change in density and heat t~ac ty o ity of water with temperature (T's the nominal T at full power).avg avg 6~th K and K are limited such that the rate and/or magnitude of T can avg only decrease the 4T trip setpoint from its normal value at full power.ected steady-state trip setpoint is llOX of the indicated hT at full poMer;i.e., llOX power.A schematic representation of this cricuit is shown on Figure 3.1-2.~Pressure Tri.he purpose of'this trip is to protect against excessive boiling in the core and to limit the pressure range in which coze DNB protection is required for the overtempezature aT zeactor trip.This circuit trips the:eactor on coincidence of twmf-four channels.It is automatically blocked below P-7.The expected setpoint is 1715 psig.-"-'-h Pressure Tri=he purpose of this trip is to protect against overpressure and to limit the es<<<<range in which core DNB protection is required of the overtemperature Wected setpoint is 2385 psig.-a<<circuit trips the reactor on coincidence of two~f-three channels.3.1-4 ~h Pressurizer Water Level Tri tzip provides a backup to the high pressure trip and also prevents the pzessuz zessuzizer safety and relief valves from relieving water for credible accident conditions. Expected setpoint is 92X of span.This circuit trips the reactor on coincidence of two-of-three channels.Xt is automatically blocked.below P-7.Low Reactor Coolant Flow This circuit is provided to protect the core from DUB following a loss of coolant flow accident.The means of sensing a loss of coolant flow accident aze as follows: a)Measured low flow tn the reactor coolant piping b)Reactor coolant pump circuit breaker open c)Undervoltage on reactor coolant pump bus d)Underfrequency on reactor coolant pump bus The low flow trip signal is actuated by the coincidence of two-of-three signals per loop.Above P-7, reactor trip occurs for a loss of flow in both loops;above P-S, reactor trip occurs for a loss of few in either loop.Expected setpoint is 90K of indicated full flow.The reactor trip signal derived from reactor coolant pump breaker position is actuated by a single auxiliary contact'or each reactor coolant pump breaker.Trip logic is similar to the low flow trip;above P-7 reactor trip occurs for a"breaker open" signal from any two breakers;above P8.a signal fzom any one breaker actuates a reactor trip. ~wg a~~V~~tor trip provides additonal reactor protection against~undervoltage reactor powers 4 coaplete loss o o~t pump buses as~d b oa Lcw voltage on o ected setpoint is 70Z of~crvoltage se a~t a r t j rapid decrease in electrical frequency can decelerate th~princip e, a~tor coolant pumps faster than a complete loss of power.An underfrequency condition on both reactor coolant buses, as sensed by either of two under>>frequency relays on'ach bus, trips the reactor and opens both reactor coolant pump circuit breakers.Expected setpoint is approximately 58 cps.a Safety Xn ection S stem Actuation Tri (SIS)"pon actuation of the Safety Infection System, the reactor fs tripped to decrease the severity of the accident condition. The means of actuating the Safety In)ection System and thus tripping the reactor are as follows: l a)Low pressurizer pressure (1715 psig)in coincidence with low pressurizer water.level (5Z span).Any one of the three circuits La actuates the SIS.This function may be manually bypassed below 2000 psig.~Pressure (500 psig)in any steam line.A coincidence of two~f-three signals for any steam line actuates this function.This function can be manually bypassed when reactor coolant pr~ssure is below 2000 psig.c)"igh containment pressure (6 psig).A coincidence of two-of-three signals actuates the SIS.d)Manual Actuatj on f~~ Trio~trip sensed by loss of autostop oi 1 pressure or by turbine stop g turbine tr ps losure actuates a reactor trip during high power operation. Trip<s~o~r-three for the autostop oil pressure switches and two~f-two pic is sor the stop valve position switches.This trip is in coincidence with~r~sszve ci~ssiye circuit P-7 (blocked below 10X power)and permissive circuit P-9~blocked below 50X power unless condenser steam dump is blocked).Low."-eedvater Plow Reactor Tri For either steam generator, low feedwater flow (compared to steam flow)in coincidence with low steam generator vater level actuates a reactor trip.'Ms protects the reactor against a sudden loss of heat sink.This condition is sensed for either steam generator if e'ither of: two steam flow~feedvater flov channels indicate a difference greater than a setpoint and either of tvo steam generator narrow-range level channels indicate less 6 than a setpoint.Expected setpoints are 0.7 x.10 lbs/hr and 30X of span respectively. Low Steam Generator Water Level Tri~e purpose of this trip is to protect the reactor from a'1oss of heat sink-<<the case of a sustained steam/feedwater flow mismatch which is too ll<<actuate the low feedwater flow trip.~h~s~~-s trip is actuated on coincidence of two-of-three lov-lov level signals~n steam generator. Expected setpoint, is 15X of narrow range level span-3.1-7 /t 6.,.t;>)0 C 3>MQSSIVE CIRCUITS 3.'.3 p ously to permissive circuits Reference has been ma o k certain activities as well-~~its are use to ac'vfties.t of Permissive Circuits nunbnc Funccfnn Rod withdrawal stop on overpower (Automatic and manual)~Xn uc One~f-four high nuclear power (power range)*;one-of-two high nuclear power (intermediate range*l;one-of-four overtemperature AW;or one-of-four overpower AT*.Automatic rod with-drawal stop at low power.Automatic rod with-drawal stop on rod drop Selection of steam dump controller mode Permit manual block of source range high nuclear power trip One-of-one turbine first stage steam pressure I Oneof-four rapid decrease of nuclear power or rod bottom indication h Turbine trip signal One~f-two high intermediate range nuclear power allows manual block, twomf-two low intermediate range nuclear power automatically reinstates trip.~bypass on individual channels.."~y e~ally blocked if peanissive circuit P-10 is cleared. ~' ~ssive Circuits (Cont'd)t of Pe ss luabaa puaaaiaa~Xa ua permissive power (block various trips at low power)Block single primary loop loss of flow trip Block reactor trip on turbine trip Threemf-four low nuclear power and onemf-two low turbine impulse stage pressure Threeof-four low nuclear power Three~f-four low nuclear power and condenser steam dump avaQ-able (not locked out by high condenser pressure or by loss of both circulating water pumps)10 3.1.>>ROD STOPS Permit manual block of intermediate range power level trip and rod stop and low power range trip Two-of-four high nuclear power allows manual block, thre~f-four low nuclear power automatically reinstates the trips A complete list of rod stops is noted below.Rd Stop List Fuaaataa a)Rod drop b)Nuclear Overpower Actuation Si nal One~f-four rapid power range nuclear power decrease or any rod bottom signal Oneof-four high power range nuclear power or Rod Motion to be Blocked Automatic withdrawal (redundant, contacts)Automatic and manual withdrawal one-of-two high intermediate range nuclear power 3.1-9 t~g 4-top~st (Cont d)UjjCj:Xjjn c)iU.gh 4T Actuation Si nal One-of-four overpower 4T or one-of-four Rod Motion to be Blocked Automatic and manual withdrawal overtemperature 4T (Manual bypass on indi-vidual 4T channels)(Actuation of this rod stop initiates a continuous turbine load reduction until the actuation signal is'emoved) .d)Low power e)T avg deviation One-ofmne low turbine impulse stage pressure One-of-four T devia-avg tion from average T avg Automatic withdrawal H Automatic withdrawal and insertion 3.1.5 LQXCATION F Control Board Xndicators and Recorder-All transmitted analog signals which actuate reactor trips, rod stops, oz permissive circuits are either indicated or recorded for every.channel-Also.variable trip setpoints (overpower 4T and overtemperature 4T)are icated or recorded for every channel.Central Board Annunciator Panel~y of the following conditions actuate an alarm: Reactor trip (first out annunciator) b).aztial reactortrip (any channel)~wi oz~i<<deviation of any control variable (pressure, T, pressurizer level avg'li nuclear power, and steam generator level)for any channel.3.1-10 ~>>~t'lvl%1~y W C~ns'r, zy~\~ ';t"o>.3oard Status Pm&status of each reactor trip'c" on the trip status panel'-'.channel is continuously displayed I status o f each permissive circuit is continuously displayed on th pe~sive stat panel~~'reactor trip channel;bypass is.continuously indicated on the hypos status pmn-'I 17~a 3.1-11 s P k .,y ll+~~l IE~Tgtp I.fluuual 2.High nuclear flux CplHClUEHCY. ClRCULTRY b lHTERIXKKS 1/2, no interlocks 2/4, no interlocks for high setting P-10 for low setting l.'ON 1 k l)1 S High and low setttngs;manual block and automatic reset of low setting 3.', lligh nuclear flux (inter>>mediate range)High nuclear flux (source range)1/2q P-10 I 2/4;no interlocks 2/4, no interlocks 2/4>blocked by P-7 2/3>no interlocks 2/3, blocked by P-7 5, Overtemperature LiT 6.Overpower hT 7.Low'ressure 8.9.High pressure High pressurizer water level 10a.Low Flop 10b.Pump breaker trip 10c.Undervoltage 10d.Underfrequency SIS actuation 12.Turbine trip 13, Low feedwater flow 14.Low-low S.G.water level 2/3 per loop~p 7~P>>S 1/1 per loop]P 7)P+S 1/2 t'1/2~P-7 1/2+1/2 P-7 1/3,.(low pressurizer pressure and low pressurizer level);2/3 Low pressure in any steam line;or 2/3 high containment pressure 2/3 autostop oil or 2/2 stop valves>P;7]P-9 1/2+1/2 per loop, (flow mismatch in coincidence with low leyel)2/3$per loop h 0 Tayg n>AYO K4 T38 8 AT setpoint 1 Comparator C3.C3 C 4 2/4 ogic hot T c Comparator Rod Stop 0~POWER AT CHANNEL (ONE CHANNEL OF FOUR SROHH)FIGURE 3.1-2 l.l CONTROL SYSTEH t am dumP are available: condensex'umP and atmosPheric <cle valve arrangement is shown on Figure 3-2-1-yq steam cy C0gDENSER S~QUMP SYSTEM Svs ea Desi steam lines are installed to dump steam from the steam generators directly co the condenser, bypassing the turbine.Connections with the steam mains axe downstream of the stea'm main isolation valves.ralves and LLnes are sized to pass 35X of turbine auuctunan calculated steam flow at full load steam pressure.Condenser steam dump performs three functions: Following a sudden loss of load of up to 210 MRe{about 45X of=aximum calculated turbine load), condenser dump acts as an artificial load removing excess power and stored energy while the reactor power is decreased to match the xeduced turbine\In this manner, the condenser steam dump acts to prevent a reactor trip.Condenser steam dump, together with feedwater addition, removes stored energy in the Reactor Coolant System following a plant trip, bringing the plant ro equilibrium no load condition without 3.2-1 r o f the s team generator saf ety valves.It also maintains~tuation o 1 t at hot shutdown by removing residual heat.gg pJ.ant at ser steam dump is used for plant cooldown to cold shutdown.condenser ste~~er steam dump is used to improve operational flexibility. For a plant trip may occur following a large load reduction if~le, ap an~4.user steam dump is not available. ~condenser steam dump system uses modulating, Unear-characteristics,~~crated valves (air to open).Their stroke time is approximately 5 aecaads.Xn addition, they can be tripped from the fully closed to tate fu11 open position within 3 seconds after receiving an input eLectric trip signal.While this trip signal exists, the valves are bahf~the fully open position.When the trip signal does not exist, che valve position is determined by a variable input electrical signal-For condenser protection, condenser steam dump is blocked by high~enser pressure.Other interlocks'described below)are used~~e same manner to avoid spurious operation. ~pur'<<ous actuation of steam dump may cause a plant trip In addition,'-the ralves stay open, an uncontrolled cooldown results.For these the steam dump control system is required to meet the criterion signal failure shall cause spurious actuation-3~2~2
Control System al block diagram for the Condenser Steam Dump Control~e funct on Svstem is shown on Figure 3.2-2.Load Re ection Control."-or partial loss of turbine load, steam dump is controlled by the error signal between T and T f, where T is the average of four avg ref'vg reactor coolant average.temperatures and.T" is the progz~ed, se~ref, point for T as a function of turbine load.(These signals are the avg same as those used in the Reactor Control System.)Following a turbine load decrease, T is imm'ediately reset to a lower value, causing an ref error signal.If the error signal exceeds the deadband for the load.re)ection controller, the dump valves are modulated open.If the error signal exceeds the HI setpoint, a trip.signal is generated which rapidly opens four of the eight valves to their fully~~en position.At'he occurrence of a HZ-HI trip signal, all eight valves trip open.The distinction between modulating and tripping valves open is made because of the difference in required time for both of these actions.If valves are already modulated open corresponding to the error signal<<the time a trip open signal is generated, no additional trip action takes place.Sin~e the steam dump system requires a finite time to, act, an increase is to be expected.Lead/lag compensation for T increases avg avg 3~2 3 g f T on the error, thereby compensating f or the legs~gcect of l response and valve positioning. s reactor power by control rod insertion. reduces reac tpoint steam dump is redu appx'oaches avg valves are f ully seated M en ough to be handledoontroL system alone.~~d contra trol system also acting on the T-T f errox'ignal ~avg ref Ln order to prevent actuation of steam dump on small load perturbations, ,r a block is provided which prevents valve response to either the trip~modulate signal unless a turbine load reduction has occurred.AIl elcaents of this channel, including the turbine impulse chamber pressure tap, are independent of the steam dump control system described above.4 rate/lag unit in this channel generates an output proportional to~rare of decrease in turbine load;This output, when indicating a Load rejection gxeater than lOX step or 5X/mLnute ramp, removes the Once unblocked, this block is manually xeset.Minual-contxol of~team dump also removes this block.7uxb inc Tri Control~~e of the laxge heat capacity of the Reactox Coolant System and~~high T at full load the steam generator safety valves would avg~'~owing a turbine trip if there were no other means of removing ed heat.'ondenser steam dump and subcooled feedwater flow 3.2-4
plant to thermal no-load equilibrium without~~ed to bring-lease to atmosphere. e ea I e trip, monitored by loss of turbine autostop oil t e o he load re]ection steam dump controller is defeated and plant tr p trip controller becomes active.In the T control mode, avg r signal is T-T d'nd steam dump is proportional ~error s gn avg no-Load'he same error signal is used for on-off control of~fe~>>ter control valve, as described in 3.4, Steam Generator~L Control.As T.is reduced to its no>>load setpoint, steam'vg reduced and feedwater is shut off.As in the case of p load re)ection, if the error signal exceeds the HX setpoint, a trip asgaaL w generated which trips open four of the eight valves to their iull~pen position.At the occurrence of a HI-Hl trip signal, all~ght valves trip open.GeneraUy, the valves are not closed completely l~use of decay heat.No-load conditions are established within mo minutes.pressure Control'or><<g term removal of residual heat at hot shutdown, o~during plant it>rtup or cooldown, the plant operator can manually switch to steam der pressure control.In this control mode, condenser steam dump o maintain a preset pressure in the steam header.A manual~tion is provided so that the operator can ad)ust the setpoint~<<ssure or manually position the valves.3.2-5 ~pbbs j, S>H~ZC S~RELIEF SYSTEH steam relief valves are mounted on the steam mains upstream uoayher'c steam ves.At the set pre 4g~>o steam (about 1050 psig), f low calcu'c have provisgon f e s less than Z0 Provided to reduce d to permit a plant oold s'cedia dump is not available. These functions are explained below.a)If a plant trip is caused by loss of condenser vacuum, condenser dump m bIocked.The'steam generator safety valves are available to remove stored energy from the Reactor Coolant System.Atmos-@heroic steam relief reduces the steam pressure below the safety valve set pressure within two minutes after the trip.This prevents'ontinuous chattering of the safety valves as residual beat m removed from the reactor.Plant coo]down is accomplished by steam dump.If condens<<dump not available, the atmospheric relief is adequate to cool d~to the temperature and pressure at which the residual heat removal system can be used.3.2-6
C)Zn the event of a plant trip caused by an overpower/overtemperature condition or by a faU.ure in the feedwater system, the atmospheric steam dump provides additidhal relief capacity, reducing the pro-babDity of safety valve actuation. Separate controllers are provided for the atmospheric dump valves on the two steam generators, permitting independent pressure regu-lation if the steam generators are isolated.3e 2~7 T cold AVG T~at 1 V2 Swl K3 P K2 AT setpoi t E Comparator 2 2]4 Logic 3 C 4 hot cold'/Comparator Rod Stop 0$EBTEMPEBATURE AT CHANNEL (ONE CHANNEL OF POUR SHOWN)P1GVRE 3.1-1 F~.~~'I rl EnM lEHEl/ATOR Nntrr.)VAl VN ISAtIM YAllg l J IOOla'nON VALVE BYPASS.VALVE HAIN FEEDWATEE kLN.IQ'AI.VL I IA)I AT I lNli Olla:K TO TURBINE CON1'AINMENT AUXILIARY FEEUHATER+P go I i CONDENSER STEAM DUMP VALVES<<TEAM IEHERATOR B MAIN FEEWATER TO CONDENSER AUXILIARY FEEOHATER Figure 3.2-1 STEAM CYCLE VALVE ARRAMEMENT I i ~en/LAG COMPENSATION STEAM DUMP)ER PRESSURE CONTROLLER r RATE+RESET AUTO"MAN STATION PROP.ANALOG SWITCH OPERA-TING ON TURBIHE TRIP SIGHAL STEAM DUMP SELECTOR SWITCH MODULATE COHDEHSER DUMP VALVES LEAD/LAG COMPENSATION ((<>>s).I Jf<Sgl+fg$)L TRZ I COmZROLIhR Hi-TURB ZHE TRIP INTER-LOCK LOGIC TURBINE-TRIP SIGNAL TRIP OPEH GROUP A VALVES OR TRIP OPEN GROUP A 8c B VAL~STEAM DUMP VALVES.TRIP OPEH ONLY IF UHBLOCK SIGNAL IS PRESENT (SEE BELOW)Hj E LOSS OF LOAD INTERLOCK r:J+A--ROPRIATE POSITION OH SKZCTOR SWITCH ZHTKGDCK Figure 3.2-2 CONDENSER STEAM EUMP CONTROL SC1HHE UHB LOCK STEAM DUMP VALVES SIGHAL TURBINE TRIP SIGNAL BYPASSES LOSS OF LOAD INTERLOCK AHD UHBLOCKS STEAM DUMP VALVES 1 f'V (Y+gpQ+g+q+gl Y f" Al+J 1l 3 3 REACTOR CONTROL The basic Reactor Control System consists of three channels, which are re temperature (T), powez'ismatch (QT-Q)and reactor coolant avg'x'essure (P)~The output'of these three channels is used to drive the control rods via the rod program.A schematic representation of the control system is given in Figure 3.3>>1.The functions of each of these channels are as foU.ows: a)To maintain the programmed T as accurately as possible avg b)To be responsive to load perturbations without causing undue movement and reactor trips c)To take corrective action in the case of large load changes if the pressure exceeds the limits of the noxma1 pressure control.The T erature Channel The temperature channel functions to maintain the programmed temperature -(T)as accurately as possible.The main requirements of this channel avg are that it should be accuxate, stable and repeatable. This is the dominant contx'ol channel in steady-state conditions.'he Power Mismatch Channel The power mismatch channels provide control stability and fast response t>>oad pertuxbations. The output is proportional to the mismatch between turbine power and nucleax power.A high-pass filter in this channel ensures that steady-state calibration errors in the input power signals"as no effect on steady-state control.3.3-1 .at I ,'g l~jl ~other requirement of this channel is that its steady-state output should be zero even though a Axed offset in power signals may exist.The Pressure Channel This channel is provided to prevent large pressure changes foU.owing a large change in power.It retards the rate at which the controller changes T to its new programmed set point.(If T were to be changed avg avg too rapidly, pressurizer pressure contxol might not be able to maintain pressure within the normal operating range.)The pressure control channel has an adjustable deadband, so that only large pressure changes have an effect on rod motion.This channel is not required for initial plant.operation. The Rod S eed Pro am The rod speed program is made up of four parts: ari adjustable deadband, a minimum speed, a proportional speed, and a maxLmum speed.The auucLannn speed is dictated by the mechanism design.A11 the other settings are ad)ustable.
Expected set points are+1.5 F for the deadband, and+5 F for amximum rod speed demand.The outputs from the three channe1s mentioned above feed into the summing amplifier associated with the rod program.3a3~2 Ijgg~gi 4t'~s~A)t l(~
- i.
- ailure could fill or empty the pressurizer at a sLow rate (on the order OE f half an hour or more).Irggh 18V81~reactor trip on pressurizer high level is provided to prevent rapid 4 thermaL expansions of reactor coolant fluid from fiLLing the pressurizer; the rapid change from high rates of steam relief to water relief can be damaging to the safety valves and the reLief piping and pressure relief tank.However, a Level control failure cannot actuate the safety valves because the high pressure reactor trip is set belo~the safety vaLve set pressure.With the slow rate of charging available, overshoot in pressure before the trip is effective is much less than the difference between reactor trip and safety valve set pressures.
SUMMARY
c~3~I the reactor is~the power range of operation, loss of coolant flow eaten t e potential conce-n.Without suf f icient flow, DNB and clad failure~d quickly occur.estinghouse PWR's, constant-speed pumps supply coolant flow.Plow is egulated or otherwise varied.High-inertia flywheels are mounted on each.so that f low dec=eases ovex'period o f time (typically 12 seconds to f flow)following a loss of power to the pump motor.This flow coast-ioMn allows for Protection System tMe delays and remova1 of stored heat in xbe fueL.Subsequent decay heat is removed by natural circulation. Diverse, redundant protection circuits are provided to protect against all possible loss of flow accidents. These protection circuits axe evaluated this report for multiloop loss of flow, single loop loss of;flow, and~othetical pumo seizure.Although design Limits might be exceeded, the onsequences are found to be tolerable in all cases even if any one protection circuit failed to per orm its function.-3.Z PROTECTION SYSTRf DESCRIPTION erous reactor trf.p circuits provide core protection for a Loss of flow~c-"ident. These trips are: reactor'oolant f low, Reactor coolant pump bus Low voltage, Reactor coolant pump bus Low frequency, Reactor coolant pump bx'esker position, Overpower Delta-T.5.3-L
percept f or the overpower Delta-T trip, all trips are blocked below 10X power.Low Reactor Coolant Flow Three redundant flow channels are provided for each loop.At high power, loss of flow in any loop, as sensed by two of the three channels, actuates a reactor trip.The set point for this trip is typically at 90X of normal indicated flow.At lower power (typically 50X, 65X, and 75X for 2, 3, and 4-loop plants respectively) loss of flow in any two loops actuates trip.The same flow set point and 2/3 logic is used as for the single loop low flow trip.Reactor Coolant Pump Low Volta e In order to insure that total loss of pump power does not violate the core design limits, a reactor trip is actuated by low voltage on thy, reactor I coolant pump buses.The design requirement is to meet the single-failure criterion for complete loss'of pump power.The trip logic is generally such that loss of power on any two buses causes a reactor trip.Typical set points for this trip are in the range of 60X to 80X~of normal voltage.Reactor Coolant Punm Low Fre uenc The reactor coolant pumps are provided with flywheels to increase their rotating inertia.This provides forced circulation for some period of time after a loss of power.It is conceivable that a rapid system fre-quency decrease would slow the pumps down faster than for a loss of power.5.3-2
Therefore, an undhrfzequency reactor tirp is provided.The trip logic is identical to that used fox the undexvoltage reactox trip.In addition to tripping the reactor, underfxequency also trips open the reactor coolant Pump circuit breakers to maintain effective flywheel inertia.Typical setpoints for this txip are in the range of 56-58 cps.p Circuit Breaker Position A reactor trip dezived from auxiliary contacts on the reactor coolant pump circuit breaker affords additional safety mazgin for the most Likely causes of loss of flow.Trip logic is shear to that used fox the low flow'rip;i.e., opening of any breaker, as indicated by a position contact, actuates a zeactor trip at high power, and opening of any two breakers at reduced power actuates a trip.Ove ower Delta>>T Reactor Tri This trip circuit is designed to protect the core against overpower transients. However,since Delta>>T increases as flow decreases, it also provides backup protection for loss of flow accidents. On a two-loop plant, two Delta-T channels per loop are pxovided;one channel per loop U provided on thx'ee-and four-loop plants.For aLL plants, trip of two channels trips the reactor.During steady-state operation, the trip set-Point for these channels is in the range of llOX to 120X of the normal Delta-T indicated at full power.This setpoint is automatically reduced<<r increasing temperature (x'ate of change of T)to compensate for piping avg delays.(However, the setpoint is not increased for decreasing T.)Since avg also increases following a loss of flow accident, the Delta-T set-avg 5.3-3 4@i'4.a*A'4" po oint decreases at.the same time as Delta-T increases. This significantly decreases the trip delay time.ggarlacks ~cept for the overpower Delta-T reactor trip, the loss of flow protection trips are blocked at low power.This interlock is in itself redundant and diverse, in that the trip signal is passed.if either 2/4 nuclear channels indicate above 10X or if 2/2 turbine load signals indicate above 10X.Single loop loss of flow trips from low flow and circuit breaker position are blocked at reduced power.(The trip is passed if 2/4 nuclear channels indicate above a preset, power.)Since these two trips share a common, nonMiverse interlock, they should not be considered as.completely diverse protection functions.
5.3.3 MULTILOOP
LOSS OF FLOW I A fault tree for a multi-loop loss of flow accident is shown, on Figure 5.3-1.Only electrical faults can cause all pumps to fail simultaneously, and the undervoltage and underfrequency reactor trips provide direct protection against these faults.The low flow reactor trip circuits provide backup protection for this accident, and they do not necessarily insure a minimum DNB ratio greater than 1.30.Figure 5.3-4 illustrates the transient resulting from a complete loss of flow accident representative of high power density plants currently under design.The solid lines represent the design case, with reactor trip on undervoltage. The dashed lines illustrate the calculated transient if this reactor trip is neglected. 5.3-4 alculations are done by standard design methods, with the usual~ese ca c tions for safety analysis;e.g., the most adverse steady-state sssump<<opera rating conditions at the time of trip.accident is relatively rapid, with a DNB ratio of 1.3 in..the hot~e acc channel reached in about two seconds.It is not appropriate, therefore, gp assum ssume any manual corrective action.Also, the minimum DNB ratio is reached at the time the hot spot heat f lux begins to decrease.There is little transient overshoot except for reactor trip time delays.The undervoltage trip ii the design protection for this accident, and it meets the requirement that, the minimum DNB ratio does not fall below 1.30.Less restrictive requirements would be imposed on a backup trip.A minimum allowable DNB ratio of 1.0 in the hot assembly, could be selected on the basis that this would insure that core damage, if it occurred at, all, would be limited to a very small fraction of the coze.(The peaking factors in the hot assembly are essentially those in the hot channel gthout al1owance for engineering subfactors.) Alternately, a hot-spot clad melting limit could be imposed for this accident on the backup protection. With either requirement, Protection System diversity exLsts.The low flow reactor trip point is reached at 1.8 seconds, assaying a 3Z error in the set point (trip point at 87X flow).Although the hot channel minimum DNB ratio is somewhat below 1.3, the hot assembly minimum DNB ratio is still well above 1.0.If DNB should occur at the>>t spot, the transition boiling correlation'ndicates that peak clad temperature would be in the neighborhood of 1000'F, and no clad damage is expected.(See results for single 1oop loss of flow.)5.3-5 Ne De ta-e D lta-T transient is calculated for this case.Because of piping~d instrume trument delays a trip signal would not be generated until about gecon nds after the loss of flow.The effect of rate compensation on is to reduce the trip set point.Even with this longer trip delay, ave die pea ak clad temperature is not expected to exceed 1500'F, we11 below<he melting point.Therefore, three levels of protection exist for a~nltiloop loss of flow accident.. 5.3,4 SINGLE LOOP LOSS OF FLOE A Eault tree for a single loop loss of flow accident is shown on Figure 5.3-2.Vote that loss of power to one bus is the only credible way this accident can occur without an immediate trip from the pump circuit breaker.{An open circuit in the pump motor is a highly unlikely fault, and is shown r Eor the sake of completeness.) The circuit breaker trip is therefore classed as a backup, or anticipatory, trip.I Figure 5.3-5 illustrates the transient resulting from a single-loop loss ot flow accident in a high-power density, two-loop plant.The transient h is less severe in a three or four-loop plant.The low-flow reactor trip is the design protection for this accident,<nd it meets the design requirement of minimum hot channel DNB ratio uo less than 1.30.If the accident is caused by loss of bus voltage, and no credit is taken Eor the low flow reactor trip, the hot channel DNB ratio would be less than 1.3.However, a reactor trip on high Delta-T would terminate the 5.3-6 icc ident before 18B occurs in a significant percentage of the core.pssumI sag that the hot spot goes into DNB at the time the hot spot DNB rat o+t j o is L.30, and assigning a conservative additional instrument delay of p 9 sec to the Delta-T trip, a peak hot spot clad temperature (on the inner clad surface)of appro~tely 1300'F is calculated using a transition boiling correlation. Only the Delta-T transient for the active loop is shown on Figure 5.3-5.S For the dead loop, Delta-T increases somewhat more rapidly.On a two-loop plant, two Delta-T channels exist on each loop, so a reactor trip is expected earlier than is shown.Ia summary: For a single loop loss of flow accident, Protection System ddversdty does seder.At least tso, and generally three, dndspendent levels of protection exist.5.3.5 LOCKED ROTOR ACCIDENT The hypothetical'case of an instantaneous pump seizure.has been'evaluated <o determine whether diversity exists.The fault tree is shown on Figure 5.3-3.If this accident occurs when the reactor is at high power, the core design limits are exceeded independent of any protective action.The design requirement for this accident is to prevent any consequential failure of<he Reactor Coolant System.Failure could be caused by high system pressure.Also, systems calculations cannot be done with confidence if gross core damage occurs.For this reason, core conditions are evaluated. 5.3-7 The transient for a hypothetica1 locked rotor accident is shown on Figure 5.3-6..Flow through the Reactor Coolant System is rapidly reduced, Leading to a reactor trip on a low-flow signal.Following the trip, heat stored in the fuel rods continues to pass into the core coolant, causing the coolant to expand.At the same time, heat transfer to the shell side p f the steam generator is reduced, f irst because the reduced f low resuLts in a decreased tube side film coefficient and then because the reactor coolant, in the tubes cools down while the shell side temperature increases (turbine steam flow is reduced to zero upon plant trip).The rapid expansion of the coolant in the reactor core, combined with the reduced heat transfer in the steam generator, causes an insurge into the pressurizer and a pressure increase throughout the Reactor Coolant System.The insurge into the pressurizer compresses the steam volume, actuates the automatic Spray System, opens the power~perated relief valves, and opens the pressurizer safety vaLves, in that sequence.The two power-'operated relief valves are designed for reLiable operation and would be expected to function properly during the accident.However, for conservatism, their pressure-reducing effect is not included in the analysis.With no protection, a peak reactor coolant pressure of approximately 3050 psia would be reached about.3.5 seconds after the pump seizes.After this time, fluid, mixing and increased heat transfer in the active steam generator tend to reduce the pressurizer surge rate, and the pressurizer safety valves reduce pressure.(During the peak, the pressurizer surge rate may slightly exceed the pressurizer safety valve capacity, but pressurizer pressure does not significantly exceed the safety valve set 5.3-8 lus aU.owance for accumulation.) Although the normal code-allowable ><assure p Us pressure o of 2750 psia is exceeded foz this accident, the peak pressure is below t e u he ultimate strength of all members of the Reactor CooLant System by an approx a ximate factor of two.Therefore, the Reactor Coolant System would z'ega jn intact o In the core, clad melting at the.hot spot inner clad surface begins at.24 seconds.Af ter this time, system calculations are uncertain. The reactor trip set.point for the redundant low flow instrumentation on the affected loop is reached within 0.1 seconds.Assuming DNB at 0.1 seconds, and.a conservative trip delay (2 seconds befoze the nuclear flux is reduced to 80X), the peak clad temperature is approximately 1%0'P and is reached at 4.5 seconds.Other calculated results for this case are peak system pressure of 2800 psia and less than 20K of the fuel.rods with a k calculated DNB ratio of 1.0 or less.Neglecting this trip, a high pressurizer pressure trip point would be C reached at about 1.5 seconds,'nd a high Delta<<T trip (from the active loop)would be reached at about 4.5 seconds.The peak clad temperature for these cases would be 1750 and 1950 for the high pressure and high Delta>>T trips respectively. Since these values are well below the melting point, no gross cLad failure is expected.In summary: For the hypothetical locked rotor accident, core design Limits may be exceeded.However, three independent, diverse levels of protection exist, any of which would insure that the Reactor Coolant System boundary is not violated.5.3-9 FAULT TREE FOR MULTZLOOP LOSS OF FLOW PROBABLE GROSS CORE DAMAGE SLS HI 4T R.T.COND XTIO POSSIBLE CORE DAMAGE FAXL'ORE LOW PLOW R.T.L.O;F.-LOSS OF FLOW R.T.-REACTOR TRIP R.C.P.-REACTOR COOLANT PUMP DESIGN CORE LIMITS EXCEEDED (DNBR<1.30)REACTOR.AT HXGH~~POWER~ALL LOOP L.O.F.WXTH NO IMMEDIATE R.T OR UNDER VOLTAGE R T.BKR.OPEN R.T.LOW FREQUEHCY ON ALL BUSES SIMULTANEOUS LOSS OF POWER SIMULTANEOUS R.C.P.BKR.OPTING."IGURE 5.3-1
FAULT TREE IOR SIICLE UM)t lOSS OF FMQ tRObhhLK CROSS CORE NHhCI CONDITION Nl AT R.T.CORK DKSICN LINITS KICKKDKD UN FLON R>>T>>.L>>O>>F~MSS OF FLON R>>T>>~REACTOR IRIt R>>C>>t ii RKACFOR COOIANT FUNt CORK DNSR>>l 3 hfACIOR AT RICiR FOMER'llCLE LOOt L>>O>>NO INNKDIA (I)REACTOR'NOFFKTION SISTIIl (2)ELECTRICAL thOFKCTION STETS)I SINCLE UXlt R C FAULT lAl5$OF bUS PARR SKR OFKN R>>E, (I)SUS FAULT IO ntKN SKR.a TSKF AKD SKR IO OPENS TRIP!KACIOR (2)R>>C>>P>>bKR>>Ot INC IC>>P>>OPEN CKT>>R>>C>>t>>QIORT CKT SUS FAULT PI&et$3>>>>2 ~q I I i FAULT TREE FOR LOCKED ROTOR ACCIDENT PROBABLE GROSS CORE DAMAGE HI dT R.T.HI PRESSURE R.T.PROBABLE CORE DAMAGE LOW FLOW R.T.CORE DESIGN LIMITS EXCEEDED SYMBOLS CONDITIO REACTOR AT HIGH POWER R.C.P.MECHANI FAIISRE (LOCKED ROTOR)R.T.-REACTOR TRIP R.C.P.-REACTOR COOLANT PUMP FIGURE 5.3-3 h Pt~>a' Es KULTI~P LOSS OP PLOW, TYPIChL PL@K'I~t 80 a 70 60 50 CORE FLOW PO NUCLEhR POWER{meZRVOLTaCZ ,TRIP)HOT SPOT HKLT FLUX'UNDEKVOLThaK lzazH..,pe~I~a: t I l.6 HOT ASSMLY'--MXH.DHB RATIO=)i I()~fe~J 1.2 L00 0 100 90 SIC LOOP LOSS OP KlÃ2-UNp MT 80~0 70 OW DEAD: LOOP 50 1.8:.:.i HIM.DMS RATIO j~I~1.4 ROT ASSZ8BLY-1.0 1400 1200 NO TRIP aoo TRXP ON LOW PLOW~*I*~\120 u.p DELTh T TRXP POISE HX 4T-=-...TRZP.~NO TRIP~~~~I~100 (ACTIVE LNP-TRZP PolllT 0 1 2'3 4 5 6 7 8 9 10~jj&la'e ht TPVr tmTP C 0 C
LOCKED ROTOR, LOSS OP HOW 2 LOOP PLANT~~F00 SO I..i~~~ACTXVZ MOP I~~~~~*60~~CORE PL(M~~~I]JJ~~~~w~40 20 3000 zsoo~~DEAD LOOP':.l I~~~~>>~l-~~I~~~'I~I~~~~0 5'o S~6'.I'.~I OJ 2600 2400~~REACTOR f COOLANT SYSTEH PRESSURIZER 'NO TRIP LOP FL(N TRIP~~2200'0 3000~o~~~~~~TIHE, SECONDS\~2500 J~+>>~e f I~~~I II.I'I TIHE OF REACTOR.NO TRIP-=(SEC)2000 e 4 4 F500 H 2 lOQO 500~~~~~~~~l~i I I~%t~I L~~~\)~~~I~~'l I~~<p e letely separate sensors and channels, and reactor trip is actuated if any two channels indicate high power.Analysis has been conducted to r:.'.-e*t~~~=~vl~Ie determine the consequences of a hypothetical failure of all the nuclear channels coupled with a hypothetical rod ejection accident.Analysis, made on the basis of the Ginna Nuclear Plant of Rochester Gas a Electric Co.(RGB), indicate that in the majority of rod ejection cases no protection is required (for example, ejection of a zod from its normally-expected position). It is further shown that the Delta-T trip provides I~, an acceptable second level of defense for some cases.However, protection can not be demonstrated for some of the more severe full power cases.Protection may in fact exist, but it is not possible to positively demonstrate this with the currently available models.An analysis of the available trip has been made, and is compared with an I arbitrary clad limit of 2750'F and an arbitrary pressure Vms of 3000'psi.Two detailed cases are presented: a severe case from zero power end of core life, and a moderate case from full power end of core life.No reactor trip has been assumed for either case.5.4.2 CASES CONSIDERED IN DETAIL Zero Power Case The case considered represents a zod ejection accident for an end of life core.The assumed ejected zod worth and hot channel factor aze 1.0X6k and 12.5 respectively.
~ting power transient and hot spot temperatures are detailed in~~result F 5.4-1.1 steady power level is conservatively assumed to be 15X of full~+fina s This power level is lower than the value which one might normally~er.~q)ect foz a rod reactivity insertion of 1.0<k>>owing to the high feedback ueig i hting factors-{The large hot channel factors results in a large power n<e in the hot spot, where the statistical weight is high).The prompt yzst results in a reactivity undershoot which, combined with the shortage of delayed neutrons, temporarily fozces the power to a value below equilibrium condition. The power level is assumed to ramp up to 15X at 5 seconds after e]ection>>although calculations indicated that it would take much longer to reach this power level.The plotted hot spot temperatures indicate that equilibrium conditions can be sustained. Zt is therefore concluded that no protection is required for this accident.Zn general, the ejected rod worths and hot channel factors arq lower for the beginning of life zero power cases, and therefore the consequences are expected to be, somewhat less severe.Full Power End of Life Case The case presented is for a rod ejection accident occurring at the end of core life with an e5ected rod worth of 0.336k and a hot channel factor of 3'3.The power transients and hot spot temperatures are detailed in Figure 5.4-2.The equilibrium power level is 112X of full power.5.4-2 0 k cladding temperature of 2950'F occurs some 50 seconds after ge pe Under equilibrium conditions, some 50X by volume of the hot ,ection 0]fuel is melted.A reactor trip'n overpower Delta-T occurs at 6~~c ue limiting clad temperature to about 2400'.This case represents recon s, evere accident, but is not intended to represent a limit.~<eve>~~lar rod ejection accident, occurring at the beginning of life, auld result in an equilibrium power level of about 12SX of full power,ith an equilibrium cladding temperature of the order 3100'F to 3200'F.5.4.3 BACK<<UP TRIP PROTECTION The most limiting cases occur at or near full power.The protection System is examined to determine under what circumstances a trip signal would terminate a rod ejection accident at full power.The results of the study are illustrated in Figure 5.4-3.The graph is a plot of total excess nuclear energy addition versus time.Steady full power operation results in a locus covering the hd~ontal axis.The nuclear flux trip is represented by a straight line of gradient 0.18,, corresponding to a power'level of 118X Note that this line is an upper and its position is in fact dependent on the power versus time shape.This is a general, but not important, effect for the lines plot~ed.A rise in nuclear power produces a pressure surge.However, the effect is attenuated by the heat transfer time constant, of the fuel (of the order of 4 seconds), and the possible relieving effect of the hole in the vessel head and relieving capacity of the power-operated relief valves.The high pressure trip could not be expected for any rod ejection accident.5.4-3 The high Delta-T trip furnishes a backup trip for any severe rod e)ection zcc cident.Except in the most severe cases, it Limits the clad temperatuxe pp]ess than 2750'F.Transport delays in the coolant loop delay the trip f or several seconds.Also plotted on the graph axe two arbitrary limit lines.They are respectively a clad Limit of 2750 F*and a Coolant System pressure of 3000 psi.Both these Limits have been arbitrarily selected and are not intended to represent I~I-.r pl~S physical Limits.A power burst of some six full power seconds at time zero results in both these 1lmits being reached some two to.three seconds I later.This is not a physically reliable condition for any Westinghouse reactor.Figure 5.4-4 shows the power transients for rod ejection accidents occurring at end of core life for various ejected xod worths.fr f t I 1+These Lines are based on stead~tate and transient hot channel factors of 3.23.5.4W j ZERO POWER EHD OF LIFE ROD EJECTION, NO TRIP&~~~HjjCLjj&R POjjE&VS~T2$=~1~~~I i.: A~~4~1.0X F~12.S"::?30 20 M~--EHERGT INPUT UP TO O.S SECONDS~1.70 F.P.S fact::.FPS: Full ot spo power seconds~'-9-&vmbols 6k: Change in reactiviey T.F: Total heat flux peald.ng or at h t 10~~~i~~~i~i&(&.=~::i I:.-:i i&~~~~&--~)&'i 0 2 4 6 8 10 12 14 16 TQK, SECONDS: HOT SPOT VS.TIHE=-"-.~~~4000: FUEL AVG.-I~~~L~e:::3Z&&":&&2000 1~-~~-~~~~~~~-.-::-.1008 0 4 6 S 10 12 14 16 18 TIME, SECONDS FIGURE S.4-1
PULL POWER END OP LIFE ROD EJECTION, NO TRIP I~>~~:='UCLEAR POWER VS.TIME~leak 0.33 P m'3~23 T r~~'i.-: L~Sba III Sk: Change in Reactivity P: Total Heat Flux Peaking Factor T q at Hot Spot~.~4 5 TIME, SECONDS ting).~I I~~rI~4s r ,~~III I~I HOT SPOT TEMPSULTURE VS+TZME':.-.-,:-'Mel=--'-'-~~~PURL AVG I:~r~~~'"I~~~W M.:~..~'~..':'LAD OUT~T':.I:I~Ii~~IP'PEAK CLAD SURFACE TEMP.--:~2950'P AT 50 SEC.50X (HY VOLUME)OF'cCL i'.." MELTS.V.~:.-..~-=-'i::!=-'i;:, i-.--'2 4 6 S 10 12 14 16 TIME, SECONDS PIGURI'.4-2 0 P e Full Power End of Life F~3.23 T xa~+\8 7 6 4 3 pi 2 C~8p~0 2 3 4 5 6 7 8 9 l0 TIME, SECONDS~~TOM OF SkFEXY GZHZTS AND TRIP POINTS'~<ROD EJECTION'ACCIDENTS, HO TRIP-represents the locus of points at which trio would terminate the accident represeecs laces ar sefery lfrsirs FULL POWER END OP LIPS ROB EHKTION WH33RK TRIP CO 4l 5 CD~CC3 CO~~C~2~~I 1~l 0 0 10.e 0.33 TIME, SECOHDS Wte: 0.4X Qc'represents a practical Bait:ar fuIl pcwer ceses.~ROD EJECTION ACCIDEHTS'QXXH N)THXP,'IGURE 5.4~ I 0 LOSS OF STEAM LOAD 5,5.1 XNTRODUCTION AND SUHHARY Vp'<<,', loss of steam load may be caused by closing of the turbine stop valves, which norma21y follows a turbine trip signal;by closing of the turbine control valves following a rejection of electrical load;or by steam isolation following a Reactor protection System signal.The consequences <<of a loss of steam load are a rapidly increasing Steam System pressure and Reactor Coolant System temperature and pressure due to the loss of heat sink.Protection instrumentation is provided to immediately trip the reactor following a turbine trip signal.A.steam line isolation signal is normally accompanied by a safety infection signal and also results in a reactor trip.Following a re)ection of electrical load, a Steam Dump<<~"".%'ystem acts to prevent reactor trip by automatic steam dump to the con-, denser.(Up to 100X load rejection can be handled by some'planes-)Xf the load re)ection great1y exceeds the steam dump capacity, or if the Steam Dump System should fail to operate, a reactor trip may occur on high pressure.Redundant protective instrumentation and conservative design of pressure relief devices assures the safety of the plant for a large load rejection without recourse to Automatic Rod Control, Pressurizer Pressure Control, or Steam Dump Control Systems.5.5-1 In this report, the Protection System is examined to see if diverse px'o rotection exists for a complete loss of load without direct reactor trip.Diversity is found to exist to protect the Reactor Coolant System and reactor coxe.5.5.2 LOSS OF LOAD PROTECTION AND DESIGN CRITERIA The reactor is pxotected for loss of load by: a)Steam dump to'ondenser (actuated by the Contxol System)b)c)Pressurizer pressure relief (safety valves and powez~perated reLief valves)Steam System pressure relief (safety valves and power-operated relief.valves)') Direct reactor trip (on turbine trip)e)High pressurizer-pressure trip f)Overtemperatuze 4T trip g)High pressurizer level trip.Steam D to Condenser The Steam Dump System acts automatically upon sensing a loss of load greater than a preset amount.The steam dump valves are then either modulated or tripped open until the Reactor Coolant System temperatuxe reaches the new programmed load reference temperature. The reactor power is reduced by control rod, insertion during this time.Zn case of a turbine trip or reactor trip, the steam dump is actuated and con-trolled on a preset uo-load reference temperatuze. The Steam Dump Control System is described in Section 3.2.5.5-2 0 t Pressurizer Pressure Relief The pressurizer safety valves are sized to match the maxfmnnn volumetric surge rate associated with a complete loss of load without steam dump or a direct reactor trip.This is not dependent on pxessurizer pressure control.The pressurizer safety valves therefore completely protect the Reactor Coolant System against ovexpressure, independent of the high pressure reactor trip.The relief valves are sized to prevent actuation of the high pressure trip when the steam dump and rod drive systems work, and the required steam reLLef is within the capacity of the Steam Dump System.Steam S stem Pressure Relief The Steam System safety valves pass 100Z of ma~man calculated turbine steam flow, at the safety valve set pressure plus accumulation. This allows the plant to accept a 100Z load re]ection without reactor txip or steam dump without ovexpressurizing the Steam System..Xn addition, relief valves set to open at a lower pressure are also provided, and axe typically sized at about lOZ of the safety valve capacity.Direct Reactor Tri The most common cause of a loss of load is a turbine-generator trip.Zn the event of such a trip, the turbine stop valves close.A turbine 5.5-3 trip sensed bye 2/3 low auto-scop oil pressure or 2/2 stop valve closure results in a reactor trip if the reactor is at high power.The purpose o f these triPs is to mizdzMe the thermal transient snd steam dumP requirements for these relatively frequent plant transients. Hi h Pressurizer Pressure Tri There is a reactor trip on 2/3 high pressurizer pressure, generally set to 2400 psia, or slightly above the pressurizer power operated relief valve setting and below the pressurizer safety valve opening pressure.Overt erature dT The purpose of this trip is to protect the core against any combination of reactor coolant temperature, power or pressure which could cause I DNS.Trip logic is 2/4 for 2.and 4-loop plants snd 2/3 for 3-loop plants.Hi h Pressurizer Level Tri This trip acts to prevent water discharge from the pressurizer safety valves.Logic is 2/3.5.5W
5.5.3 EVALELKON
OF PROTECTION SYSTEM FOR LOSS OF LOAD A complete loss of load without steam dump and without a direct reactor trip is evaluated to find if diverse protection exists to prevent a hazard to the integrity of the plant through overpressurization or'NB.The transient was investigated for a current, high power density\lant, and no credit was taken for power reduction due to automatic'../'.".t~control rod motion or moderator temperature coefficient. /'Initiation of Accident Figure 5.5.1 shows a fault tree for a loss of load without steam dump, with the reactor at high power and ao direct reactor trip.One way a 1088 of load can occur is by closing of the turbine stop valves following a turbine trip signal or by hydraulic fluid pressure failure{the valves are held open by hydraulic fluid)-However, one and.possibly two trips must then fail in order to prevent an immediate reactor trip.Another possible failure mode is a turbine runback caused by, the throttle valves closing.This could be initiated by a rod drop, an overpower or overtemperature 4T signal, by an actual or spurious loss of electrical load signal, or by a failure in the turbine controller and load limit system.A spurious rod drop signal would normally decrease the turbine load by a fixed small percentage of full load.The control 5.5-5 alve could close completely only if an improper circuit exists in the controller. Similarly, an overpower or overtemperature 4T signal coxmally causes a step load.decrease of SX every 30 seconds;and only in the case of a simultaneous failure ox improper circuit in the controller could there be insufficient time for the operator to take notice.Ef the turbine runback is caused by an overpower or overtemperature 4T protection System failure, the failure could only be in the safe direction; that is, the error or failure would be in the direction to cause a reactor trip.A third possible path for a loss of load is through steam line isolation. This may occur either through a loss of air supply to the isolation valves, or by a spurious or real isolation signa1 from the Reactor Protection System.As a result of the loss of steam flow.to the turbine by any hf the three paths outlined above, the Steam Dump System is activated. However, no 1 credit can be taken for this following steam line isolation, since, the dump valves are downstream of the isolation valves.For all three paths, the resulting decrease in first stage turbine impulse pressure causes automatic reactox'ower reduction by control rod insertion. Even if the reactor is in manual control, the moderator coefficient of reactivity is generally negative and would cause a power decrease as temperatures increase.5.5-6 0 I i)~~ 'C The fault tree shown on Figure 5.5.1 indicates that, in most cases, a fault could cause a complete loss of load with no steam dump or reactor it"~>>I'power decrease only if one ox more simultaneous failures of the Control or Protection System also xesuLted.However, the following analysis is based on a complete loss of steam load without steam dump, reactor contxol, or direct reactor trip.Anal sis and Discussion Figure 5.5.3 shows the results of a transient analysis for a complete loss of load without steam dump.The results'show that'he safety~~I I'I I I>>valves capacity of the Steam System is..sufficient to LixQt the pressure lrise to less than LUO psia, even without a reactor trip.The Reactor Coolant System T.transient is shown for a high pressurizer pressure avg or high pressurizer level reactor trip, as well as for no txip.I Actuation of the Steam System safety valves restores the reactor heat\s~and causes a decxease in the rate of rise of the reactor coolant average tempexature. Without a reactor trip, T would eventually come avg into equilibrium when the required heat dissipation at the suety valve ,~set pressure is reached.The Reactor CooLant System pressure transient is also depicted.in Figure 5.5.3.The effect of the pressurizer power operated relief valves is felt slightly above their set pressure of 2350 psia.Since the required 5.5-7 4 e relief for a&61 loss of load without steam dump far exceeds the relief valve capacity, the pressure continues to rise to the safety valve set pressure of 2500 psia.The opening of the pressurizer safety valves, and the restoration of the secondary sink by steam relief, limits the Reactor Coolant System pressure rise.The surge rate decreases as the rate of rise of T decreases, and eventually the pressure decreases to avg the relief valve opening pressure.The transient is also shown for the high pressurizer pressure and leve1 reactor trips.The power operated relief valves delay the reaching of the high pressure reactor trip setpoint by about 2 seconds.The lower graph in Figure 5.5.3 shows the aduinnxm (hot channel)DNB transient. For the first few seconds, the DNB ratio rises due to the increasing system pressure, while piping delays cause the core inlet temperature to remain constant.Two trips, the high pressure and overtemperature hT reactor trips, prevent the core design limf.ts from being exceeded.Rate compensation on T, which.is included in avg'he overtemperature dT trip, would actually cause the trip setpoint-to be reached much sooner than is depicted in the figure.The high pressurizer water level reactor trip is inadequate to prevent the core from exceeding the design limits.However, the minimum DNB ratio in the hot assembly for a high level trip is above 1.0 and would assure that core damage, if it occured at all, would be limited to a small fraction of the core.A conservative setpoint was assumed for the high level trip.5.5-8 0 A fault tree for the accident, leading to core damage, is shown in Pigure 5.5.2.5.
5.4 CONCLUSION
S This accident is not considered 1Qcely since in most of the incidents which could cause it, one or more simultaneous failures of control or protection instrumentation must also occur.In addition, at any time.other than early in.core Life, the large negative moderator coefficient would cause the accident to be self limiting and give much better results than depicted in this analysis.However, if the accident were to occur, diversity does exist in that three different levels of protection are avail,able. 5.5-9 ,I h SJSNfs<<ls<<s<<<<<<<<<<<<u~<<"<<<<<<<<.<<<<<<NSJSSR<<j~R<<g@N<<'JJ@ " g<<<<j ,,<<,lt, fIQJRS 5.5 2 Oj R Ts OR S D<<s NO ROD JIFION CFOR N MANUAL CONIIJOL<<<<4 fTKAM LIbE ISOIATION, NO TURRINE COÃIROL VALVES CLO.E, NO TURSINE STOP vvx.v"" AIR SUPPLI AUTO.S,D, AUTO.S.D, LOAD LIMIT ACIUAL OR SIUFIQJS LOSS Oj EJECT~LOAD SCOP VALVE R<<T<<TURBINE CONIROLIA3.SR EXCESSIVE RUNS'X IJJSS OF IIQiCENCV FIUID NJRIQJF ICOIA TION f IGNAI'<<ITN QJT REAClOR TRIP IMISOPER CRT AND hlJTOGIOP R.T<<CONDITIOJI FA I JJJRI REACIOR I%REC-TION SISIIJ'.IAJGIC FAULTs SBJRIQJS F<<OD DROP EIGJIAL REAL OR SIURIQJG OVIR POLJER OR OVER OR LOSS DP AUIOSIOP PIJJID NUCL<<INST<<SISTIIl ROD POSITION INDICATION i FAIIJJRE ANT SJRBINE TRIP SIGNAL R.T.RKACIOR TRIP K.C,-ST&QJJJP , S)1, SAINT INJECFICN I~SCFEJ Anf Slsaa IIos Isolalloa~ISJ<<al Is also~@castor tcIP sISJnal.Theccfcea> ooIF loSto clccoll falllls shool4 Lc coas14ctc4 ~NIGH TAV NIGH AT FIGURE 5.5-1 FAULT TREE IOR INN 0 j llRD ACCII<<ENI , 5'~a~'1 1 FAULT TREE FOR CORE DAMAGE LOSS OF STEAM LOAD CONDITION Probable Gross Core Damage AND High Pressurize Level R.T.Core Design Limits Exceeded R.T.-REACTOR TRIP S.D.-STEAM DUMP S.I.-SAFETY INJECTION Overtemperature AT R.T.i High Prdssure RiT Loss of Load, No SeD~or POUer Decrease Early in Core Life Loss of Load, No Direct R.T.or S.D., No Rod Insertion (See Figure 5.5-1)FIGURE 5.5-2 1200 1000 800 600 2600 2500 2400 2300 zzoo 6zo 600 580 560 1 8 1.6 1.4 5 1.2 1.0.8 0 LOSS OP LOAD ACCIDENT~~I l-~1-STEAM SYSTEM PRESSURE'-)~.':~te~~~I I~I~~~~I~/~l".~I." REACTOR COOLANT SYSTEM PRESSURE I:-:~I t~~I~~~~~~i~'O TRIP."'HIGH PRESSURE" REACTOR TRIP J'.'l"IGH LEVEL REACTOR TRIP~).'I l.'.!.(I I t'~I l'-i=(REACTOR COOLANT T VG I'~~).-.NO~~I~'t.TRIP (HIGH LEVEL-'EACTOR TRIP f..~~~~~I~)~.HIGH PRESSURE.-'REACTOR TRIP~~I HIGH PRESSURE".:-.EEACTOR TRIP~I~~~g I.L.-~~I I'VERHK'ERATURE .AT REACTOR TRIP i'IGH LEVEL'EA,CTOR TRIP-'~~~L.'UNB RATIO.NO L~4~~)20 30 40 50 10 SECONDS FIGURE 5.5-3 0 I, 5,6 ROD WITHDRAWAB DURING STARTUP Normal startup procedure is by control rod withdrawal under manual control.~function of the rod contxol system or operator error can cause a reactivity excuxsion with a resultant rapid increase in power.Rod withdrawal accidents ia the power range are evaluated in Section 5.1.For these accidents, the power increase is approximately linear for a linear increase in reactivity. For accidents starting from very, low power (staxtup x'ange), the neutron flux may increase by many decades before there is significant Doppler feedback.. The nuclear power response to a continuous reactivity insertion from the startup range is characterised by a very fast rise terminated by the reac-tivity feedback effect of the negative fuel temperature coefficient (Doppler effect).This self limitiag effect is of prime importance during a startup I accident since it.limits the power to a tolerable level prior to external protective action.After the initial power burst, the nuclear power is momentarily xeduced aad then if the accident is not terminated, the nucl'ear power increases again but at a much slower rate.Protection against startup accidents is provided by diverse types of neutron-monitoring instrumentatioa: source range, intermediate range, and power range channels.Ma)or differences in the ion chamber and cixcuit design exist between the intermediate and power range channels.The source xaage uses a neutron sensor of a different principle: proportional counter rather than ionization chamber.5-6-L ~'4 4 Should continuous control rod withdrawal be initiated and assuming the source and intermediate range alarms and indications are ignored, the transient will be terminated by any of the following automatic protective actions.a)Source range flux level trip-actuated when either of two independent. source range channels indicates a flux level above a preselected,~g~<<manually ad]ustable value..This trip function may be manually bypassed when either intermediate range flux channel indicates a flux level above the source range cutoff power level.It is automatically rein-stated when both intermediate range channels indicate a flux level belo~the source range cutoff power level.~<<b)Intermediate range rod stop-actuated when either of two independent <<intermediate range channels indicates a flux level above a preselected, manually ad)ustable value.This rod stop may be manually bypassed when two out of the four power range channels indicate a power level above approximately ten per cent power.It is automatically reinstated when three of the four power range channels are below this value.c)Intermediate range flux level trip-actuated when either of two independent intermediate range channels indicates a flux level above a preselected, manually ad]ustable value.This trip function is manually bypassed when two of the four power range channels are reading above approximately ten per cent power and is automatically reinstated when three of the four channels indicate a power level below this value.d)Power range flux level trip (low setting)-actuated when two out of the four power range channels indicate a power level above approxima y tel 25 per cent.This trip function may be manually bypassed when two of the 5.6>>2 II'0 four power range channels indicate a power level above approximately ten per cent power and is automatically xeinstated when three of the four channels indicate a power level below this value.e)Power range flux level trip (high setting)-actuated when two out of the four power range channels indicate a'power level above a preset setpoint.This trip function is always active.Since all protective actions in the above list are based on level set points, I rather than rate set points, protection is not dependent upon having a rapid rate of power increase.The standard startup accident analysis reported in Safety Analysis Reports takes credit fox only the power range protection. Howevex, the intermediate range hfgh flux reactor trip is always in service below lOX power, and would also serve to terminate the accident.Further,.any accident starting from a subcritical condition would be terminated by the high source range'I xeactor trip.Therefore, Protection System deversity exists for startup accidents. Figures 5.6-1 and 5.6-2 show the calculated transient response of nuclear flux and fuel temperatuxes for a startup accident with a high rate of xeactivity insex tion.5.6-3 0 ~I 10 10'~I I I~~Uncontrolled Rod Qithdrawal Prom a Subcritical Condition Praction of Nuclear Power a~+1 x 10 6k/F W 5 o a<lxlp 6k/P f Reactivity Insertion Rate~8 x 10 6k/sec k~1.0 0-1~t~I 10 8 W 0 g M 10 pl il li ko C o Oe 10 g~~~I~~I~10 8 0 W o o o 10-3 5 o Cl~u 10 10 0 10 20 25 10 30 Time, Seconds FlGVRE 5.6-1 4~<<((I-"~(4<<<<.(.<<<<4V,~~I(are J>~w<<(i'(<<<<M>>1000 900 Puel Clad Uncontrolled Rod MithdraMal Prom a Subcritical Condition Temperature 4 ag<<+1 x 10 5 6k/'P o=-1 x 10 6k/'P Reactivitg Insertion Rate f<<8 x 10 Lk/sec k<<l.0 70 65 800 700 Core Mater 14 o (4 l0 c e'0 oj 60 55 600 50 500 45 6 10 1.L 18 22 26 30'Time, Seconds FIGURE 5.6-2 5 7 CONTROL ROD DROP De-energixing a drive mechanism causes a full>>length control rod to fall into the core.(Part-length rods fail"as-is" when de-energized.) This causes an immediate decrease in coxe power, most noticeable in the region of the dropped rod.Xf the average coze power is returned to its original valve, most of the core would be at a higher power density because of the local depxession in the region of the dropped rod.During the initial design fox the current generation of Westinghouse PWR's, the increase in hot channel factors for a dropped zod was not known.Zt was therefore assumed that DNB might xesult if the core were allowed to return to full power following a zod drop.Protective circuits were design-ed accordingly and classified as part of the Protection System.The design requirement for this protective function was to insure that, follmrtng a dynamic rod drop, the xeactor would not zeturn to a power leve3high enough I to cause a DNB ratio less than 1.30., Mechanisms which would tend to restore r initial core power are.noxmal automatic control and plant cooldown with a negative moderator coefficient. However, recent physics analysis for malpositioned control rods has shown that, in every case for an insezted rod, full power operation would not cause a DNB ratio less than 1.30.Because the local power decrease causes a general power increase throughout the rest of the core, the increase in hot channel factors is Usted to approximately 15'x less, depending on core size.With x'espect to DNB, this is equivalent to 15X overpower. Core DNB'esign 5.7-1 ~~~E margins of this magnitude must exist at full power to allow for operational transients and instrumentation errors.In additon, for plants presently near completion, it has been found that inserted rod hot channel.factors do not even exceed the design hot channel factors.Since the consequences of a dynamic rod drop are tolerable, the following ff discussion of rod drop protection is somewhat academic.Rod drop protection diversity has been provided, both in the means of detection and in the means of actuating protection. Redundancy. was more readily obtained by diverse instrumentation than by independent, but identical, channels.A rod drop signal is generated by either of the following: a)A=rapid decrease in indicated nuclear flux from any one of the four power range nuclear instrument channels b)Rod bottom indication from any one of the rod position indicators when the associated rod bank is not on the bottom.One-out-of-four logic for the nuclear channels is used'because it was not known whether more than one channel would respond to the dropped rod.Therefore, redundancy is not claimed.Protective action is directed toward inhibiting those mechanisms which would otherwise cause the reactor to return to its initial power level, i..e., automatic rod withdrawal and load demand with a negative moderator temperature coefficient. Again, since the magnitude of the hot channel factor increase was not known, it was assumed that both mechanisms would have to be inhibited. 5.7-2 Redundant rod stop contacts are provided to block normal automatic control rod withdrawal. Manual rod withdrawal is not blocked since it is necessary to withdraw the dropped rod.Turbine load reduction is accomplished through redundant channels.Most plants are supplied with electro-hydrauLLc (E-H)control systems for the turbine.The turbine runback is activated by the following~ either of which reduces or restricts turbine control valve position and steam load.a)Reduction of the load refezence setpoint of the turbine,E-H., controller by a preset amount.This is accomplished by zeducing the set point at constant rate (200X/min.) for a preset time with a.time delay relay.b)Reduction of the turbine load.limit to a preset value.The load limit (a clamp on the voltage signal controlling the turbine control valve position)is reduced until turbine thermal load as I)sensed by either of two turbine impulse pressure'channels is below a preset value.Following plant startup tests to verify that the DNB ratio is greater than 1.30 at full power with a dropped rod, it is intended to adjust the turbine runback for operational requirements. That is, the automatic load reduction would be large enough such that, with reasonable operator action, an orderly manual plant shutdown can be accomplished, rather than a reactor trip on low pressurizer pressure.Fi.gures 5.7-1 and 5.7-2 show the transient response of nuclear plant variables to a rod drop with turbine runback.5.7-3
l l l r 1.U.9.8.7~t~~-I.I~~I.',.f=~C I~:I~-I.~~~t 4~~~~~~:H'Response to a Dropped RCCA of.North-2.3 x,10 6k With a Power Cutback of 25 Percent of Nominal~-3.5 x 10 bk/7'-'~>>1.65 x 10 6k/Z'.~~I I~~i: I~..l.,~~~~~t~t 1.0 0 0C K he Q E 8.9.8'~~7~t>~t l~t tt I~~~I'~':I-"'I~l~'t{~~~I~~tt I~I~~I I 2400 2300~pk~~~~~~~~~I t~~-I~t t~~~'{::.-~I I~~I~I t~~~t 2200 2100~~~"-I~I 40 80 120 160 200 0 4~ ~'I I I~~I~~0~~~~~~~~~~~0t~0'I.t t0~~~I I 0~I 0~~--}t~*L0~>>0t'If 0 580 578 576 I L00~IQ 0 Q~~~I 0~r~0~~0<<I~00 0~0~I~~I t~LL~00 L 00 00~>>~>I~I 0~~0 I~~~l I~~-I'='~I~0:..00 J~565 I Q 0~0 I~Response to a Dropped RCCA of Woph-203 x 10 6k with a Power Cutback of 25 Percent of Nominal~~560 4~~, 0 0 4a 0~t 0't~'fQ M C4 o 555 550 U~M~I J0=I~I~~~I~~~~~~O H 1.0~~0~~M 00 g ,9~>>~~0 I~~0 ,8 L~~00'~0~~~~~~I~~.7 40 80 120 160 200 TDK, SECONDS
5~8 ENGINEERED SAFEGUARDS ACTUATION Actuation of auxiliary feedwater is discussed in Section 5.2.Engineered safeguards for containment pressure protection are discussed in Section 5.9.Actuation of Emergency Core Cooling for loss of coolant protection is discussed in this section.For loss of coolant protection, a safety in]ection signal is generated by either of two diverse sets of automatic signals: a)Coincident low pzessure and water leve1 in the pressurizer; b)High containment pzessure.Both sets of signals are redundant and meet all protection System design criteria.The signals derived from the pressurixer indicate that reactor coolant is being lost well before the core is uncovered. Reactor coolant blowdown also increases containment pressure.Set points'for high can-tainment pressure are typically about 10X of contaiaamt design pressure.This set point is reached well before the core uncovers.Figure 5.8-1 shows the results of a calculation for a representative plant for the complete range of break sixes.Zt shows that either the pressurixer or the containment signal initiate safety in)ection l-l/2 minutes or more before the core would be otherwise uncovered.(For large breaks>passive accumulator system supplies water and delays the time.at which active core cooling is required.) This analysis included the effects of containment heat sinks and fan coolers in delaying the time at which the containment high pressure signal is reached.5.8>>1 SAFETY INJECTION ACTUATION SIG:NL VS BREAK AREA 1000 4 o~I+I'~'T~~~i I}.o~l<<~,~~I I I I l~~I~~<<~~}le r o, on e*o I r I~~~~~<<~t~~>>v~t tt~I~"tt rl tt<<~~~I}'-: Range of Protection of I:.: Passive Accumulator System-(;I~I ae I 4 V 100~~o oo 1}:<<I I~I~~I P tl~~I'~I'<<~~>>:ii}'."~I It~~I~I I~~~}I~~~~~I~~~v 0~~r,~!Ia.~o~~~tt~\~v}'"--t t I~~~~\~~t<<to~o~to~~~I'I~~o~~~~~<<~~~~I<<.)~o I I O I hC 10 o~~t~<<'o o~I~~I~Itz~~<<'I''I~'I.....~Time to Reach Lou Pres-I:-surizer Pressure and Level Signal 7>>~~~~\~~~~~~>>~~~~I~I~~~~<<o~<<e~o<<v pt t I:TI~I~~*~I~I~I~~~~I~~I" I~}~~~~~~~i-.', I~PI~'~I"I<<I~I I~)}=.1-I:i lne ce Uncavel Case Ndd Plane LNe Sadecv ln eccdcn)j~o~~~\f<<~~~~~I~~I t I~lel~~~'I~~jjjr"~~i Time to Reach Pigh Containment Pressure Signal'<<l l~~~v I<<j~0.01'ii l\~4 0.1~6" 10" DAUEa:.BREAK SIZE (Fi)FIGUPE 5.8-1 ~V 5 9 CONTAINMENT PRESSURE PROTECTION Typical westinghouse dry concaiament plants are equipped with faa cooler unics aad spray systems.These are provided to reduce the contaiamenc pressure eo to esseatially atmospheric following a loss of coolant accident or a steam line break accident inside the containmeac. The containment is designed to withstand the eoeal blowdown of the Reactor Coolant Syscem or a steam generator wieh no dependence on ehe aceive safe-guards.The active safeguards are, however, aueomatically actuated following che accident.The pr9nary containment safeguards are the fan cooler units and their cooling water supply which aze actuated by the safety injection signal which is generated by: a)Coincident low pressurizer pzessure and waeer level in the pressurizer b)Ri.gh containment pressure (approximately lOX of design pressure). The backup contaiameac safeguard, ch'e coneaiamene Spray 9ystem, is accuaeed by a high containmenc pzessure signal when the concainmenc pressure reaches appxoximacely 50X of che design value.Automatic spray actuation uses six concainmenc pressuze channels, in 2/3 2/3 logic.The Spxay System can also be actuated manually.Only 2 ouc of 4 fan cooliag units for two or three loop plants and 3 ouc of S cooling units for four loop plaacs are necessary eo limit the containmene pressuxe below design even considering ehac the Emergency Core Cooling Syseem is.unable co suppxess boiling in ehe core, and ehe core decay heac energy continues co be added to ehe containmenc in the form of steam.5.9-1
The operation of only one of the spray pumps is required in order for the Spray System to supplement the heat removal capabiU.ty of the fan cooling units to provide a margin for effects from metalmater or other chemical reactions that could occur as a consequence of failure of Emergency Core Cooling Systems.Since either fans or sprays are adequate, and diverse signals are used to actuate the fans,.the Protection System is diverse for actuation of con-tainment pressure protection. 5.9-2
5.3.0 EXCESSIVE
LOAD~rgb~a+&vf" f'>Excessive load is one means which could cause excessive core power generation. As distinct from the ovezpower~vertemperature accident discussed in Section 5.3.(Rod Withdrawal at Power), reactor coolant temperature, pressuze, and pressurizer water level would not increase.Reactor power follows turbine load, both by contxol design intent and the inherently negative moderator coefficient. An increase in load above design is therefoxe of potential concern.Diverse overpower protection is provided by Reactor Protection System., These aze the ovezpower delta-T and the nuclear overpower reactor txips-Since the accident is initiated from the secondary plant, the reactor I coolant loop temperatures respond before the core coolant temperature. !I Piping lags applicable to the rod withdrawal accident are therefore not applicable to an excessive load accident, and either the delta-T or-the nuclear overpower trip protects the core for any rate or magnitude load increase.5.10-1 p P 'C 5.11 EXCESSXVE FEEDWATER FLOW An excessive feedwater flow accident is primarily of concern to the turbine (high water level Xn the steam generator leads to excessive moisture carryover and potentia1 turbine damage).'ith respect to nuclear protection, however, excessive feedwater flow (or feedwater temperature decrease)is seen as an excessive thermal load, and the discussion in Section 5.10 is applicable.
5 12 STATION BLACKOUT A station blackout, or loss of aU.a-c power to the station auxiliaries, results from loss of incoming station a~power coincident with a plant trip.Numerous reactor trip signals would be generated, such as turbine trip, low coolant flow, low gpedwater flow, etc.This is not important however, since the loss of a-c power deenezgizes the zod control power'upply, and the control rods fall into the core, even if no reactor trip signal is generated. Natural circulation of reactor coolant transfers reactor decay heat from the coze to the steam generators. Since steam generator steam pressure is automatically controlled by the power-operated steam line relief valves (with backup from the steam line safety valves, if necessazy), the only requirement for maintaining hot shutdown conditions is to Apply feedwater to the steam generatozs. The auxiLiary feedwater system is discussed in Section 5.2, Loss of Feedwater. As noted in that section, the loss of a~power starts all a~iazy pumps-A diverse automatic actuation signal-steam generator low water level-is also provided.Further, the energy sources for the auxiliary feedwater pumps are.themselves diverse (steam-driven pumps and motor-driven pumps energized from the diesel-generator), such that faQ.uze to actuate an energy source does not prevent auxiliary feedwater. 5.12-1
APPENDIX CONTROL AND PROTECTION FUNCTIONS reactor con'tro 1 and protection functions perf ormed f rom each process~eter in the present Westinghouse design are Mmlated below.Pro-e~tion functions are listed first, and control functions listed last.u~ny functions'.g-, indication, alarms and interlocks, are not clearly either control or protection. ~These are classified as"supervisory" unc talons~In the left margin, all functions are listed as P, S or C, showing pro-tection, supervisory or control;-i%JCLEAR INSTRUMENTATION 1,.3.Power Range 1.2 Intermediate Range 1.3 Source Range'W~REACTOR COOLANT SYSTEM PARAMETERS Z.l Reactor Coolanr, Temperature (4T, T)avg 2-2 Pressurizer Pressure 2.3 Pressurizer Water Level 2.4 Reactor Coolant Flow 3~STEAM GENERATOR PARA%.'TERS 3.l Steam Generator Water Level 3.2 Feedwater Flow 3.3 Steam Plow 3 4 Steam Line Pressure 3 S Steam Header Pressure V PARAMETERS Turbine First Stage Steam Pressure Oo m Turbine Auto Stop Oil Pressure Turbine Stop Valve Position~ASTROL ROD POSITION 5.1 Bank Position).Z Individual Rod Position~.CONTAINMENT PRESSURE gZCZRICAL PARAMZERS 7'.1 Reactor Coolant Pump Bus 7.2 Reactor Coolant Pump Breaker Position 7.3 F edwater Pump Power A-2
gJCLEAR ZNSTRUMENTATION SYSTBt power Range-(linear indication in power range of operation). P 1.Overpower reactor trip (high range)-rapid detection of fast overpower excursions during power operation. P 2.Overpower reactor trip (low range)-protection during low power plant operation. p 3.Top-to-bottom flux tilt bias of 4T reactor trip set points-reduce DNB protection limits to offset effects of hot channel factors.(Both high dT reactor trips), see 2.1, 1&3 P 4.Reactor trip permissives a.Permit single loop loss of flow trip at high power.b.Permit reactor trip on turbine trip at high power.c.Permit"at-power" trips during power operation. d.Defeat, manual block of low range and&termediate range overpower trips at low power.e.Lock out source range high voltage supply during power operation. S 5.Rod drop detection-rod stop and turbine runback to maintain DNB margins.6-Overpower rod stop.-stop a power excursion caused by rod withdrawal. 7.Overpower alarm (for equipment purposes, this function is combined with the overpower rod stop).8.Control room indication and recording (including top-to bottom difference). Channel deviation alarm-detect channel failure, detect flux tilts.10.Top-to<<bottom flux tilt bias of dT rod stop and turbine runback set points (see 2-1, 264).A 3
Automatic control rod motion-provide stable reactor control and rapid response.gntermediate Ran e-(Logarithmic scale for power range and upper startup range)p'.High level reactor trip-prevent power increase into power range unless power range channels are indicating. p 2.Defeat manual block of source range high level trip-low intermediate range indication rearms source range trip.S 3.High leve1 rod stop-prevents excessive withdrawal of control rods during low power operation. S 4.Control room indicating and recording. S 5.Startup rate indication. P.l.High leveL reactor trip-prevent startup accident from source range;prevent power increase into intermediate range unless intermediate range channels are indicating. S 2.High count rate alarms-warn of approach to cripicality. S'.Control room indication and audible count.range.S 4..Startup rate indication. A-4 ~N c.s gP't"K5 <<<CTOR COOLANT SYSTEM PARAMETER or Coolant Tem eraeure (4T-T)avg Overeemperature high 4T reactor trip-prevent core DNB (set point calculated from T , pressure, and nuclear avg'lux axial tilt).2.Overtemperacure high 4T rod stop and turbine cueback-maintain operating margin eo DNB (set point is a fixed margin below reactor trip set point).3.Overpower high 4T reactor ezip>>prevent high power density (see point calculaeed from nuclear flux tile)i 4.Overpower high 4T rod scop and turbine runback-maintain operating power density (see point is a fixed margin below reactor trip set point).S 5.Channel deviation alarms-deeect channel failures, detect abnormal process candieions. S 6.Control room indication and recording. S 7.Control rod insertion limit alarm-maintain reactiviey shutdown margin;maintain low ejected rod worth;maintain , uniform core burnup.f r.8.Low T alarm (interlocked with high scesm flow for steam avg line isolation) -steam break protection. In addition to the above functions for 4T and T, T is also avg'vg used 0 9.High T alarm.avg 10.T channel deviation rod scop (of automatic motion)-avg prevent spurious rod withdrawal or insertion. 11.T deviation alarm-deviacion fram programmed setpoinc.avg
Automatic control rod motion-control core powex'o main>>tain programmed tempex'ature. 13~Steam dump control (condenser steam dump)-remove excess energy from reactor coolant.14.Feedwater valve control-control addition to subcooled water to steam generators following a plant trip.15.Pressurizer level programming -determine level setpoint to minimize charging and letdown changes during load changes.2.2 Pressurizer Pressure p 1.High pressure reactor trip-maintain pressure in AT protection range;provide overpressure backup to safety valves.P 2.Low pressure reactor trip-maintain pressure in 4T protection range.P 3.Low pressure safeguax'ds actuation-actuate loss of coolant protection. P 4.High pressuxe defeat of safeguards actuation manual block-I.automatically renave manual block as operating pressure is approached. P 5-Compensate overtemperature AT reactor trip setpoint-core DNB pzotection. 6.Compensate qvertemperature T rod stop and.turbine runback setpoint-maintain operating margin to DNB.Control room indication and recording. 8 High-low pressure alarms.Low pressure relief valve interlock-close relief valves on 10.low pressure to avoid accidental loss of coolant./Pxessure control (on-off heaters, vaziable heatexs, spray, and x'elief valve actuation) -maintain normal operating pressure.A-6 F 11.Compensation signal for automatic control rod motion-improve reactor control response.2.3 Pressurizer Water Level-(This variable measures reactor coolant fluid inventory and mean temperature). P 1.High level reactor trip-prevent water discharge (an relief piping damage)through safety valves following rapid insurge.P 2.Low level safegnards actuation-indication of loss of reactor coolant.S 3.Control room indication and recording. S 4.High-low level alarms.S 5.Low level heater cutoff-prevent energizing heaters when uncovered (equipment protection). S 6.Low level letdown isolation-prevent loss of coolant by excessive letdown.C 8.High-low level deviation alarm-deviation from level set-point.Charging pump speed control-maintain progranmN.d water level.C 9.High level deviation heater a'ctuation -heat subcooled water insurge.2.4 Reactor Coolant F P 1.Low flow reactor trip-prevent core DNB.S 2.Control room indication-A-7 P 3 ST~GENERATOR PRtAK'.TERS Steam Generator Water Level-(This variable is a measure of water inventory in steam generators). p l.Low-low water level reactor trip and auxiliary feedwater pump start-protect steam generators; preserve normal heat sink for removal of early decay heat.p 2.Low level reactor trip (coincident with low feedwater flow)-provide rapid protection against a complete loss of f eedwater flow.S 3.High level feedwater control valve override-close feed-water valve to prevent excessive moisture carryover and turbine damage.S 4.High-low level.alarms.S 5.Control room indication and recording. S 6.Level deviation alarm-deviation from programmed level.C 7.Feedwater valve control-maintain desired steam generator level.l 3.2 Feedwater Flow P 1.Low feedwater flow reactor trip (coincident with low steam generator water level)-provide rapid protection against complete loss of feedwater flow.S 2.Control room indication and recording. C 3.Feedwater valve control>>provide stable control of steam generator level.3.3~Se~F1 ow P.1.Set point for low feedwater flow reactor trip (see 3.2.1 above).P 2.High steam flow steam line isolation-steam break protection. 't V 4 S 3~C 4 Control room indication and recording. Feedwater valve control-provide rapid res'ponse gf cgntzot for steam generator level.3.4 Steam Line Pressure>~, W/!-P 1.Low pressure (or tuic differential pressure)safe~d actuation-steam break protection P,C 2.Compensation of steam flow channels-provide accurate signal of steam flow.S 3~S 4.C.5.Low steam pressure alarm.Control room indication and recording. Control of steam line relief valves-minimize actuation g f safety valves.3.5 Steam Header Pressure C 1.Contzol steam dump to condenser. S 2.Control zoom indication ,F TUgBXNE PARAMETERS Turbine First Sta e Steam Pressure-(This variable is proportional to turbine steam load).p l.Reactor trip permissives -pexmits"at-power" reactor trips above minimum turbine load.p 2.Steam line isolation-determines set point for high steam flow for steam break protection. S 3.Control room indication. S 4.Low power block of automatic control rod withdrawal-prevents unstable reactor control.S 5.Steam dump interlock-prevents operation of steam dump to condenser unless a rapid loss of load has occurred.C 6.T program-determines set point for T in control avg avg rod and steam bypass control systems.C 7.Steam generator level program-determine set point for level in feedwater control system.4.2 Turbine Auto-Sto Oil Pressure-(Presence or absence of oil pressure indicates'trip or non-trip condition of turbine).1.Reactor trip-prevent temperature-pressure excursion in reactor coolant from loss of steam load.C 2.Steam bypass control-selects mode of contxol.3.Feedwater control-selects mode of control, steam generator water level or T avg 4~3 Turbine Sto Valve Position-used as backup to autostop oil pressure fox reactor trip signal. CO~OL ROD POSITION Bank Position-(SteP counters)Bank insertion limit alarm (set point determined from and 4T)-maintain reactivity shutdown margins;avg maintain acceptable core power distribution. S 2, Bank withdrawal limf.t alarm-warn operator that control rods are nearing the end of their useful travel.S 3, Control zoom indication and recording 5.Z Individual Rod Position (LVDT)S l.Rod position'deviation alarm-warn of possible rod malpositioning. S Z.Rod bottom rod drop detection-rod stop and turbine runback to maintain DNB margins.S 3.Control zoom indication and recording= CPNTAZgKNT PRESSURE p l.High containment pressure safeguards actuation and reactor trip-protection against small steam breaks, backup protection for loss of coolant accidents and large steam breaks.-P 2.High containment pressure steam line isolation p 3.High containment pressure spray actuation. S 4.Control room indication. A>>12 ELECTRICAL SYSTEM VARIABLES Resistor Coolant Pump Bus P l.Underyoltage reactor trip-protection against multi-loop loss of flow.p 2i Underfrequency reactor trip and RCP breaker opening-prevent rapid system frequency opening-prevent rapid system.fre-quency decrease from braking RCP.7.2 Reactor Coolant Pump Breaker Position (contacts) P 1.Reactor trip on breaker opening-backup.to low flow protection for loss of flow.7.3 Feedwater Power P l.Auxiliary feedwater system actuation (feedwater pump breaker position and/or bus voltage)-backup feedwater protection for loss of feedwater. A-l3 ATTACHMENT 8 TO AEP:NRC'1184H2 RESPONSE TO ITEM 8 DEFENSE-IN-DEPTH EVALUATION PERFORMED FOR THE REACTOR PROTECTION AND CONTROL PROCESS INSTRUMENTATION REPLACEMENT PROJECT}}