1. Field of the Invention
The invention relates to an auxiliary protection system for pressurized light water nuclear power plants. More particularly, the invention includes a method and microprocessor-based tripping apparatus for tripping the main stream turbine or initiating other mitigating action to maintain primary system pressure within acceptable limits in the event that a transient occurrence, such as loss of heatsink or loss of feedwater, is accompanied by a failure of a main reactor protection system. The system also includes an integrated automatic tester and tester method which allows testing to occur while the tripping apparatus is on-line thereby increasing the availability of the tripping apparatus.
2. Description of the Related Art
The United States Nuclear Regulatory Commission (NRC) defines an anticipated transient without scram (ATWS) as an expected operational occurrence (such as a loss of feedwater, loss of condenser, or loss of offsite power to the reactor) which is accompanied by a failure of the reactor protection system to shut down the reactor. Because the NRC considers the probability of the occurrence of an ATWS event to be unacceptably high, the NRC has amended its regulations to require nuclear plant operators to install additional protection equipment to detect such transients and initiate mitigating action. For Westinghouse plants, this action consists of tripping the main steam turbine within thirty (30) seconds and initiating flow of auxiliary feedwater within sixty (60) seconds since those steps are sufficient to limit primary system pressure to 3200 pounds per square inch (PSIA).
Presently, pressurized light water nuclear reactor power plants are protected by a single main protection system whose availability is ensured by a redundant design philosophy as illustrated in FIG. 1. Four redundant sets of field sensors 10 transmit signals which represent process variables to four signal processors or channel sets 11 which generate partial trip signals. The channel sets 11 each compare an analog input signal from the sensors 10 with a setpoint and when the set point is exceeded, the digital type partial trip signal is sent to voters 12. The partial trip signals are voted on by the voters 12 using a two-out-of-four (2/4) basis to provide both reliabilty and protection against spurious trips. Further protection against spurious trips is provided by having two such voters 12 whose outputs are voted using a two-out-of-two (2/2) basis at the power interface 13 to the actuated devices 14. The voters 12 produce actuation signals for left L and right R relays whose contacts are arranged to produce the two-out-oftwo vote. The relay contacts on the left side of the power interface 13 must both be closed to start the device 14 while the relay contacts on the right must both be open to stop the device 14. Because each level of redundancy is composed essentialy of multiple sets of the same equipment, the NRC is concerned with the possibility of common-cause or common mode failures.
FIG. 2 is an example of a primary reactor protection system which also includes testers 15 for the trip logic units 16. The testers 15 do not test the signal input units 17 nor do the testers test the partial trip logic within each tester or the relays which are included within the actuators. The testers 15 only test the entire test logic. The details of the system of FIG. 2 can be found in U.S. Pat. No. 3,892,954 to Neuner assigned to the assignee of the present invention.