In order to meet world-wide nuclear power plant safety requirements, a nuclear power plant safety system must meet a requirement that is commonly referred to as the “single failure criterion” (SFC). This means that the safety system must be able to withstand any single failure and still perform its safety function. This requirement leads to safety system designs that include redundant parts each capable of performing the required safety function. The redundant parts are commonly referred to as safety divisions.
Nuclear power plant safety systems typically provide two types of protective actions: (1) drop the neutron absorbing control rods into the reactor to stop the nuclear chain reaction, known as a “reactor trip” (RT); or (2) start pumps and control valves to keep the reactor cool and guard against radiation release to the surrounding atmosphere, known as “engineered safety features” (ESF) actuation. There are typically multiple ESF functions (e.g., core cooling, containment isolation, air filtration) for a nuclear reactor, any or all of which can be activated during ESF actuation.
A safety system configuration that includes two safety divisions, either of which can perform the safety functions, meets the single failure criterion requirement. This type of redundant configuration is referred to as a one-out-of-two (1oo2) configuration.
However, with a 1oo2 configuration, there is a concern that a single failure in either one of the two safety divisions can cause an unneeded automatic protective action that will shut down the plant due to erroneous actuation of RT or ESF safety functions, and thereby adversely affect normal nuclear power plant operation. To address this concern, additional safety divisions have been added in prior safety system designs. In these configurations, there are at least three redundant safety divisions, and at least two-out-of-three (2oo3) of the redundant safety divisions need to initiate their protective action safety demands before an automatic RT or ESF protective action is initiated.
While three divisions resolve the erroneous action concern, the majority of nuclear safety systems have four divisions to allow one division to be taken out of service for periodic testing, and to allow for equipment failure. Testing or a failure can leave the affected division in an actuated state, so that its vote is already cast and the remaining three divisions are effectively in a 1-out-of-3 configuration: a single spurious demand from any one of them completes the 2-out-of-N vote and could cause an erroneous plant shutdown. Taking the affected fourth division out of service during testing or after a failure allows the system to return to a 2-out-of-3 configuration among the remaining divisions. The majority of prior systems are analog systems that are under test for a significant period of time to meet reliability requirements.
In addition to requiring 2ooN divisions to confirm a need for safety action, current safety systems employ two levels of 2ooN voting to reliably actuate RT or ESF protective actions, while providing additional tolerance to prevent plant disturbances due to spurious actions.
In most current safety systems, calculation results data for the same process measurement channels are shared among the three or four safety divisions using isolated data communications so that like trip function results (typically referred to as partial trip signals) can be voted within each division before that division initiates its own protective action safety demands. This is referred to as specific coincidence voting, as opposed to general coincidence voting.
With general coincidence voting, one division may initiate its protective action safety demand based on a channel that measures temperature, and a second division may initiate its protective action safety demand based on a channel that measures pressure. For this condition, an unneeded reactor shutdown will be initiated erroneously based on the 2-out-of-N (2ooN) division protective action logic.
Specific coincidence voting prevents this erroneous protective action by ensuring that each division initiates its own protective action only when 2ooN divisions calculate the need for protective action based on the same process measurement (e.g., temperature).
Therefore, most current nuclear safety systems employ two levels of voting: level 1 and level 2. Level 1 voting is specific coincidence voting for like measurement channels within each division; and Level 2 voting is general coincidence voting based on the protective action safety demand (e.g., RT or a specific ESF function) of each division.
Current plants have only two ESF divisions; plants that have been newly licensed but not yet constructed have as many as four ESF divisions. Regardless of the number of divisions, in most modern plants, each division is actuated through level 2 voting that is based on 2ooN (most typically 2oo4) signals from level 1. This 2oo4 design meets the single failure criterion while preventing spurious actuation caused by a level 1 single failure or test. But this 2oo4 level 2 voting requires additional isolated data communications to receive the level 1 signals from the four safety divisions, which adds design complexity and cost.
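As an added illustration (not part of the patent text), the following Python model reproduces the two voting levels described above and the test/failure situation from the four-division discussion: a single general coincidence vote actuates on a temperature trip in one division plus a pressure trip in another, while specific coincidence at level 1 does not; and a division failed into an actuated state degrades the system to 1oo3 until that division is bypassed. The division names A to D, the two channels and the bypass parameter are assumptions made for the example.

```python
# Constructed model of the two voting levels (added example, not from the patent).
# Each division shares, for every process measurement channel, whether its own
# channel calculation produced a partial trip: partial_trips[division][channel] -> bool.

def level1_specific_coincidence(partial_trips, channel, k=2, bypassed=()):
    """Level 1 inside a division: vote the like partial-trip signals received from
    all divisions, ignoring divisions bypassed for test or failure. True when at
    least k divisions tripped on this same channel."""
    votes = sum(1 for d, ch in partial_trips.items()
                if d not in bypassed and ch.get(channel, False))
    return votes >= k

def division_demand(partial_trips, division, k=2, bypassed=()):
    """A division raises its protective action demand only if some channel reaches
    k-out-of-N coincidence among like channels (specific coincidence)."""
    return any(level1_specific_coincidence(partial_trips, channel, k, bypassed)
               for channel in partial_trips[division])

def level2_general_coincidence(demands, k=2):
    """Level 2: actuate when at least k divisions demand protective action,
    regardless of which channel drove each division's demand."""
    return sum(1 for v in demands.values() if v) >= k

def two_level_vote(partial_trips, k1=2, k2=2, bypassed=()):
    """Full RT/ESF decision: level 1 in every in-service division, then level 2."""
    demands = {d: division_demand(partial_trips, d, k1, bypassed)
               for d in partial_trips if d not in bypassed}
    return level2_general_coincidence(demands, k2)

def general_only_vote(partial_trips, k=2):
    """For comparison: one general-coincidence vote only, where any partial trip
    in a division counts as that division's demand (the erroneous case above)."""
    demands = {d: any(ch.values()) for d, ch in partial_trips.items()}
    return level2_general_coincidence(demands, k)

def scenario(trips):
    """Build a four-division state from {division: [tripped channels]} (constructed)."""
    channels = ("temperature", "pressure")
    return {d: {c: c in trips.get(d, ()) for c in channels} for d in "ABCD"}

# Scenario 1: A sees high temperature, B sees high pressure, nothing else.
MIXED = scenario({"A": ["temperature"], "B": ["pressure"]})
# Scenario 2: A and C both see high temperature, a real demand.
REAL = scenario({"A": ["temperature"], "C": ["temperature"]})
# Scenario 3: D failed into an actuated state on every channel, plus one spurious
# pressure trip in B. While D still votes, the system is effectively 1oo3.
D_FAILED = scenario({"D": ["temperature", "pressure"], "B": ["pressure"]})
```

Running `two_level_vote(D_FAILED)` actuates, while `two_level_vote(D_FAILED, bypassed={"D"})` does not and `two_level_vote(REAL, bypassed={"D"})` still does, which is the 2-out-of-3 behaviour the text describes after the failed division is taken out of service.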
Thus, the nuclear industry has migrated to four division safety systems with 2oo4 voting at level 1 and level 2 to achieve single failure criterion compliance, spurious actuation prevention, and testing/failure tolerance. While this is a robust solution, installing and maintaining four safety divisions with two levels of multi-division voting is costly. It would therefore be desirable to achieve these same critical performance demands using only two safety divisions.