This invention relates to the supply of electrical power by the conversion of thermal energy derived from a nuclear reactor. It has particular relationship to the sensing, measurement and observation of the parameters of the operational processes of power-supply apparatus serving this purpose and to the protection and connection of the components of such apparatus responsive to the manifestation of off-normal operation or of an off-normal condition of these components. In the following discussion sensing, measurement or observation will in most cases be referred to as measurement. Typically nuclear-reactor power-supply apparatus includes a nuclear reactor and cooperative components. Typically such components include steam or vapor generators, a turbine, an electrical generator driven by the turbine, a condenser, and the necessary heaters and pumps. A liquid coolant flows through the core of the reactor. Where the reactor is of the pressurized-water type, a pressurizer is included among the components cooperative with the reactor and the coolant flows in a primary loop through each steam generator in heat-exchange relationship with feedwater supplied to the steam generator. The feedwater is converted into steam to drive the turbine. Typical operational processes are the generation of nuclear energy by the reactor, the heating by the core of the coolant, the conversion of the feedwater into steam, the flow of steam to the turbine, the flow of feedwater to the steam generator, and the compression of the coolant by the pressurizer. In the pressurized-water reactor, the coolant must be maintained at critical temperature and pressure. 
Typical parameters which are sensed, measured or observed are power generated by the reactor, the temperature of the coolant, the pressure of the steam and the level of the feedwater in the steam generators, the pressure and the level of the coolant in the pressurizer, and the flow, i.e., the time rate of flow, of the feedwater. Categorical parameters such as the state of a switch, whether it is open or closed, are also observed in the practice of this invention. The expression "off-normal" as applied to a condition or state in this application means that the condition or state is above or below limits set as indicated by measurement of the applicable parameter.
In the measurement of the parameters, the principle of redundancy is applied. Each parameter is measured by a plurality of like sensors. The signals delivered by the sensors are processed separately. To avoid reaction responsive to spurious signals, at least two signals indicating an off-normal condition must be received for processing. In this application the set of sensors which measure one parameter of a process are referred to as a "sensor assembly" or a "sensor set". The separate sensors of each assembly or set are referred to as "sensor means". The expression "sensor means" is used because in some cases, for example, excore power measurement, the sensor assembly includes groups of several sensors. The overall object of this invention is to evaluate reliably the validity of the individual parameter signals of each set of signals to determine their truth or falsity.
In accordance with the teachings of the prior art a protection system and a control system are provided for responding by appropriate action to the operational-process parameter signals. The protection system causes protective action such as the opening of disconnects, to take place responsive to off-normal signals which have reached a stage demanding such action. The control system responds to parameter signals drifting towards off-normality or the stage demanding protective action by impressing on the reactor or its components commands tending to counteract the drift.
Also in accordance with conventional practice the control system derives certain of its inputs from the process-parameter signals which are impressed on the protective system. This assures that the nuclear reactor and its cooperative components are controlled responsive to the same process measurements as those which serve to protect them. The control system thus functions to maintain margins between operating conditions and process safety limits and to reduce the likelihood of spurious tripping of the protective apparatus.
The control system is designed to maintain normal conditions in the power supply apparatus and thereby maintain the margins to the safety limits. There are however typically two cases where the trip setpoints on the apparatus are variables which are calculated by the protection system and the margins to trip on these setpoints are used directly by the control system as controlled variables. One case of this direct margin control is performed by the control system where the margin to trip on either low departure from nucleate boiling ratio (DNBR) or high KW/ft along the reactor, whichever is smaller, is used to control the reactor axial power distribution into a more balanced condition, thereby reducing the power peaking factors and increasing the margin to trip. The DNBR is an indication of the departure of the reactor coolant from critical temperatures and/or pressure. For example, if the pressure of the coolant decreases, the coolant may boil. The protective system defines a margin as a function of the demand on the apparatus. If this margin is passed, the power-supply apparatus is shut down. However, as the margin is approached, the control system reacts to increase coolant pressure or reduce coolant temperature or to take other measures. The KW/ft is the thermal power per foot developed along the reactor at the hottest point, i.e., where the core has a tendency to develop a hot spot. This margin is also set by the protective system in dependence upon the demands on the power-supply apparatus. If the margin is breached, the apparatus is shut down by the protection system. However, the control system reacts to prevent the margin from being passed. If either the DNBR or KW/ft margin is low, action by the control system is demanded.
The DNBR is derived from the nuclear instrumentation; i.e., from the excore detectors and Q.sub.N-16 power measurement, from the control-rod position, from the cold-leg temperature, and from the pressure of the pressurizer. The KW/ft is derived from the above parameter measurements except the pressure of the pressurizer. The control action is performed by a combination of boron concentration changes and control rod motion, and is taken only when either margin becomes excessively low. The margin signals used for this control function are calculated by the core limits calculations in each protection system.
Another case of direct margin control is performed in conjunction with the dropped-rod protection. If a control rod drops into the core, the control system acts to reset the turbine to lower power. The rod is pulled out by remote actuators. The rod-drop protection function determines a high neutron-flux-trip setpoint, which is less than full power, following a high negative flux-rate event caused by the dropping of one or more control rod assemblies. The setpoint is set by the protection system in dependence upon the power setting of the apparatus. If the neutron flux is too high for the power setting, the protection system shuts down the apparatus. However, when the margin is approached, the control system takes corrective action. Typically the control system acts to reduce the power demand on the apparatus below the setpoint by preventing control rod withdrawal and initiating a turbine runback which is later terminated when the turbine power is below the reactor trip setpoint.
The derivation of the control-system signals through the protection system has the advantage that it reduces the number of redundant measurements required for each process and the overall apparatus complexity at critical boundary penetration. This leads to the reduction in separation requirements within the containment as well as in apparatus cost and maintenance requirements.
To achieve these advantages certain measures must be taken to ensure the independence of the protection and control systems. IEEE-279-1971 (specifically Section 4.7) dictates the criteria which nuclear-reactor power-supply apparatus must meet if protection signals are also used by the control system. In addition to specifying that isolation devices must be provided to guard the protection system against electrical faults in the control system, IEEE-279 contains the following paragraphs which address the functional interaction of the protection and control systems:
"4.7.3 Single Random Failure. Where a single random failure can cause a control system action that results in a generating station condition requiring protective action and can also prevent proper action of a protection system channel designed to protect against the condition, the remaining redundant protection channels shall be capable of providing the protective action even when degraded by a second random failure.
Provisions shall be included so that this requirement can still be met if a channel is bypassed or removed from service for test or maintenance purposes. Acceptable provisions include reducing the required coincidence, defeating the control signals taken from the redundant channels, or initiating a protective action from the bypassed channel."
It is an object of this invention to provide nuclear-reactor power-supply apparatus in which the signals for the control system are derived from the protection system, and which shall be so structured and shall so operate as to meet this criterion.
In prior art apparatus, this criterion was met by providing two-out-of-four (2/4) logic on protection process signals which were also used for control. That is, four signals for each process parameter were transmitted to the protection system and to the control system. To produce protection or control action, two signals indicating an off-normal condition or a demand for protective action of a process were required. When one channel was taken out of service for test or maintenance, the protective action or actions from that channel were initiated, thus causing the logic of the remaining channels to be one out of three (1/3). While operating in the 1/3 mode, the apparatus was exposed to the possibility that a single component failure, which may be spurious, would cause an inadvertent trip of the apparatus.
When a protection channel is set for test or maintenance, the operator actuates a switch to disconnect the channel from the input to the control system. If the operator does not know that the channel is on test, he fails to actuate the switch and maloperation of the apparatus may result.
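As an added illustration, not part of the patent text, the following Python models the two-out-of-four vote described above and the two ways of handling a channel on test: the prior-art provision of letting the bypassed channel initiate protective action (which leaves the remaining channels at one-out-of-three), and the alternative IEEE-279 provision of reducing the coincidence among the channels still in service. It also models the disconnection of the bypassed channel from the control input. Channel names, the trip setpoint and all readings are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Channel:
    name: str
    value: float            # measured process parameter (constructed units)
    bypassed: bool = False  # removed from service for test or maintenance


TRIP_SETPOINT = 100.0       # constructed limit; readings above it are off-normal


def make_channels(values, bypassed=()):
    """Build the four redundant channels I..IV from constructed readings."""
    return [Channel(n, v, n in bypassed)
            for n, v in zip(("I", "II", "III", "IV"), values)]


def protection_trips(channels, bypass_initiates_trip=True):
    """Two-out-of-four coincidence vote on an off-normal condition.

    bypass_initiates_trip=True models the prior art described above: the
    bypassed channel is counted as already tripped, so the remaining three
    channels effectively vote one-out-of-three, and one spurious channel
    is enough to trip the apparatus.  False models the other IEEE-279
    4.7.3 provision of reducing the coincidence to two-out-of-three
    among the channels still in service.
    """
    in_service = [c for c in channels if not c.bypassed]
    votes = sum(c.value > TRIP_SETPOINT for c in in_service)
    if bypass_initiates_trip:
        votes += sum(c.bypassed for c in channels)
    return votes >= 2


def control_input(channels):
    """Signal the control system regulates on, taken from the same sensors.

    The bypassed channel is dropped (the operator's disconnect switch in
    the text), and the second-highest in-service reading is used so that
    a single spurious channel cannot by itself drive control action.
    """
    readings = sorted((c.value for c in channels if not c.bypassed),
                      reverse=True)
    return readings[1]
```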
It is an object of this invention to overcome the above disadvantage of the prior art and to provide nuclear-reactor power-supply apparatus incorporating redundancy in its protection and control but wherein the tendency of inadvertent apparatus trips by a single failure of its process parameter signal channels shall be suppressed.