1. Field of the Invention
The present invention is directed generally to the improvement of the overall performance of nuclear power plant control systems and nuclear reactor protection systems and more specifically to improving the performance of feedwater control systems and eliminating the interaction between the feedwater control system and the reactor protection system.
2. Description of the Prior Art
In existing nuclear power plants, there are two ways to measure the water level within a steam generator. A narrow range span measures the usable water inventory within the normal range of operation while a wide range span measures the water level within the entire steam generator. This invention is directed exclusively to an apparatus and method which measures steam generator water level using the narrow range span. The narrow range span reactor protection system is comprised of two reactor trip mechanisms including a low-low water level trip and a low feedwater flow trip.
FIG. 1 illustrates the logic diagrams for both of these reactor trips. The low-low water level reactor trip operates with three water level channels 10, 11 and 12. Each water level channel 10, 11 or 12 measures steam generator water level independently. Water level signals 13, 14 and 15 generated by water level channels 10, 11 and 12, respectively, and representative of the water level in the steam generator are compared to a predefined steam generator water level set point by water level comparators 16, 17 and 18. Low-low water level signals 19, 20 and 21 from water level comparators 16, 17 and 18, respectively, are input to coincidence gate 22. A low-low water level indication from any two of signals 19, 20 and 21 will cause a signal 23 to be generated which is available at an output of coincidence gate 22 to thereby initiate a reactor trip. A reactor trip is accomplished by inserting control rods into the nuclear core to take the reactor to a subcritical state.
Water level signal 13 generated by water level channel 10 is also input through electrical isolation device 24 to a feedwater control system.
The low feedwater flow reactor trip operates with two steam flow channels 25 and 26 and two feedwater flow channels 27 and 28. Steam flow channel 25 and feedwater flow channel 27 reside in one protection set while steam flow channel 26 and feedwater flow channel 28 are from another redundant protection set. Steam flow signal 29 and feedwater flow signal 30 generated by steam flow channel 25 and feedwater flow channel 27, respectively, are input to flow comparator 31. Steam flow signal 32 and feedwater flow signal 33 generated by steam flow channel 26 and feedwater flow channel 28, respectively, are input to flow comparator 34. A mismatch between steam flow and feedwater flow such that feedwater flow is less by a predetermined magnitude than steam flow will cause low feedwater flow signals 35 and 36 to be generated at the outputs of flow comparators 31 and 34, respectively. These low feedwater flow signals 35 and 36 are input to OR gate 37. A signal 38 will be generated at an output of OR gate 37 whenever either signal 35 or 36 indicates a low feedwater flow condition.
Water level signals 14 and 15 from water level channels 11 and 12, respectively, are also input to water level comparators 39 and 40. Water level comparators 39 and 40 utilize water level set points equal to or greater than those utilized by water level comparators 16, 17 and 18. Low water level signals 41 and 42 from water level comparators 39 and 40, respectively, are input to OR gate 43. A low water level indication from either of low water level signals 41 or 42 will cause a signal 44 to be generated which is available at an output of OR gate 43.
Signals 38 and 44 are input to AND gate 45. A low water level indication from signal 44 and a low feedwater flow indication from signal 38 will cause a signal 46 to be generated which is available at an output of AND gate 45 to thereby initiate a reactor trip.
The Code of Federal Regulations, Title 10, Part 50.55a Codes and Standards, subpart (h) Protection Systems, endorses the Institute of Electrical and Electronics Engineers Standard IEEE-279 "Criteria for Protection Systems for Nuclear Power Generating Stations" as the governing criteria to which reactor protection system design must conform, as a minimum, in order to meet the requirements of functional adequacy and operational reliability. One of the specific provisions of standard IEEE-279 Paragraph 4.7.3 addresses the issue of control and protection system interaction and provides as follows:
"Single Random Failure. Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels shall be capable of providing the protective action even when degraded by a second random failure."
From FIG. 1, it is evident that water level channel 10 is used both by the low-low water level reactor trip and by the feedwater control system. It is also evident that the other two water level channels 11 and 12 are used both by the low-low water level reactor trip and by the low feedwater flow reactor trip. This design conforms to the requirements established by standard IEEE-279. For example, failure in the high direction of the water level channel 10 indicating falsely that the water level within the steam generator is too high will generate feedwater control system action that results in a reduction of feedwater flow. Consequently, low steam generator water level protection may be subsequently required. This protective action is, however, derived from the remaining water level channels 11 and 12. For such a scenario, standard IEEE-279 imposes the consideration of an additional random failure in the reactor protection system. The underlying logic is that the initial protection system failure is considered the initiating event for the transient and, therefore, does not constitute the "single failure" standard IEEE-279 imposes on the protection system. As such, an additional protection system failure must be postulated to occur and the protection system must continue to be capable of initiating the appropriate protective action.
The second random failure in this instance would be a failure of one of the remaining water level channels 11 or 12. Such a failure would result in only one water level channel 11 or 12 remaining in operation which is not sufficient to satisfy the two out of three reactor trip logic implemented in the low-low water level reactor trip by coincidence gate 22. Nevertheless, presuming that the initial failure occurs in water level channel 10 which is aligned to the feedwater control system and causes a control system transient, and the second random failure is in either water level channel 1; or 12, it can be seen from FIG. 1 that a reactor trip can be accomplished through the low feedwater flow reactor trip logic. A water level signal 14 or 15 from water level channel 11 or 12, respectively, remaining in operation will cause a low water level signal 41 or 42 to be input to OR gate 43 and thus cause a signal 44 to be available at the output of OR gate 43. The steam flow/feedwater flow logic will operate as previously described to produce a low feedwater flow indication at signal 38. Thus, a signal 46 will be available at the output of AND gate 45 to initiate a reactor trip.
The low feedwater flow reactor trip logic is provided only to satisfy the requirements established by standard IEEE-279. This logic is not used for any other independent purpose of either reactor protection or feedwater system control. The low feedwater flow reactor trip logic introduces additional complexity into the steam generator water level protection scheme. At the same time, the use of only one water level channel 10 as an input to the feedwater control system is undesirable because failure of that single water level channel 10 causes feedwater control system transients requiring protective action. Accordingly, the need exists for a feedwater control system design that eliminates the need for the low feedwater flow reactor trip logic while at the same time improves the reliability of the feedwater control system.