A conventional BWR includes a pressure vessel containing a nuclear fuel core immersed in circulating coolant, i.e., water, which removes heat from the nuclear fuel. The water is boiled to generate steam for driving a steam turbine-generator for generating electrical power. Respective piping circuits carry the heated water or steam to the steam generators or turbines and carry recirculated water or feedwater back to the vessel.
The BWR includes several conventional closed-loop control systems which control various individual operations of the BWR in response to demands. For example, a conventional recirculation flow control system (RFCS) is used to control core flowrate, which in turn determines the output power of the reactor core. A control rod drive system controls the control rod position and thereby controls the rod density within the core for determining the reactivity therein. A turbine control controls steam flow from the BWR to the turbine based on load demands and pressure regulation.
The operation of all of these systems, as well as other conventional systems, is controlled utilizing various monitoring parameters of the BWR. Exemplary monitoring parameters include core flow and flowrate effected by the RFCS, reactor vessel dome pressure (which is the pressure of the steam discharged from the pressure vessel to the turbine), neutron flux or core power, feedwater temperature and flowrate, steam flowrate provided to the turbine and various status indications of the BWR systems. Many monitoring parameters are measured directly by conventional sensors, while others, such as core thermal power, are conventionally calculated using measured parameters. These status monitoring parameters are provided as output signals from the respective systems.
Nuclear reactors are conservatively specified to minimize any risks from the hazardous materials involved in their use. The materials used in BWRs must withstand various loading, environmental and radiation conditions. For example, operating pressures and temperatures for the reactor pressure vessel are about 7 MPa and 288 °C for a BWR. Reactor vessel walls are thus several inches thick and very strong materials are used for reactor components. Nonetheless, contingencies are required for failure as components are subjected to operational stress for decades. These contingencies involve not only many layers of preventive systems, but also procedures for rectifying problems that arise.
Conventional reactor control systems have automatic and manual controls to maintain safe operating conditions as the demand is varied. The several control systems control operation of the reactor in response to given demand signals. Computer programs are used to analyze thermal and hydraulic characteristics of the reactor core for the control thereof. The analysis is based on nuclear data selected from analytical and empirical transient and accident events, and from reactor physics and thermal-hydraulic principles. In the event of an abnormal transient event, the reactor operator is usually able to diagnose the situation and take corrective action based on applicable training, experience and judgment. Whether the manual remedial action is sufficient depends upon the event and upon the operator's knowledge and training. If the event is significant (i.e., challenges any of the reactor safety limits), reactor trip (also referred to as reactor shutdown, scram, or insertion of all control rods) may be required. Some transient events may occur quickly, i.e., faster than the capability of a human operator to react. In such an event, a reactor trip will be automatically effected. Safety analyses generally show that no operator action is necessary within 10 minutes of a postulated event.
A conventional nuclear reactor protection system comprises a multi-channel electrical alarm and actuating system which monitors operation of the reactor, and upon sensing an abnormal event initiates action to prevent an unsafe or potentially unsafe condition. The conventional protection system provides three functions: (1) reactor trip which shuts down the reactor when certain monitored parameter limits are exceeded; (2) nuclear system isolation which isolates the reactor vessel and all connections penetrating the containment barrier; and (3) engineered safety feature actuation which actuates conventional emergency systems such as cooling systems and residual heat removal systems.
Core power protection schemes are typically employed in BWRs when the reactor is operating in the normal power range (i.e. above heatup and startup of the unit). Reactor trip is initiated for certain transient events that could cause an increase in power above the maximum safe operating level. Generally, an overpower equal to about 120 percent of the rated power can be tolerated without causing damage to the fuel rods. If thermal power should exceed this limiting value (the maximum safe operating level) or if other abnormal conditions should arise to endanger the system, the reactor protection system will cause reactor trip.
An essential requirement of a nuclear reactor protection system is that it must not fail when needed. Therefore, unless the operator promptly and properly identifies the cause of an abnormal transient event in the operation of the reactor, and promptly effects remedial or mitigating action, conventional nuclear reactor protection systems will automatically effect reactor trip. However, it is also essential that reactor trip be avoided when it is not desired or necessary, i.e., when there is an error in the instrumentation or when the malfunction is small enough that reactor trip is unnecessary.
Three primary power-related methods are conventionally used to ensure that acceptable fuel and reactor protection are maintained. Each method uses monitored neutron flux to sense when an increase in power occurs, but each employs a different method to initiate reactor trip.
The first known method of protection causes reactor trip or shutdown if the monitored neutron flux exceeds a preselected and fixed setpoint. This maximum operating level is normally about 120% of rated power.
The second method of protection causes reactor trip if the monitored neutron flux exceeds a preselected, but flow-referenced setpoint. In this method, the setpoint is equal to that of the first method when the reactor core flow is high. However, when reactor core flow is reduced, the setpoint is also reduced.
The third method of protection involves electronically filtering the neutron flux signal to produce a signal that has been called simulated thermal power (STP). Usual practice is to employ a single time constant filter that approximates the thermal response of the reactor fuel rods. Reactor trip is initiated when the STP signal exceeds the flow-referenced setpoint of the second method. The third method is usually used in combination with the first method.
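The three trip methods described above can be compared side by side in a short simulation; this is an added illustration, not code from the original document. The 120% fixed setpoint comes from the text, while the linear flow-referenced line, the 6-second filter time constant, the sample period and the flux traces are assumed or constructed values chosen only for the example.

```python
# Added illustration; not code from the original document.
FIXED_SETPOINT = 120.0  # % of rated power (value stated in the text)
# Assumed illustration values; the page gives no numbers for these:
FLOW_SLOPE = 0.5    # % power per % core flow
FLOW_OFFSET = 70.0  # % power, chosen so the line reaches 120 % at 100 % flow
TAU_S = 6.0         # single filter time constant, seconds
DT_S = 0.1          # sample period, seconds


def flow_referenced_setpoint(flow_pct):
    """Method 2 setpoint: equal to the fixed setpoint at high flow, lower at reduced flow."""
    return min(FIXED_SETPOINT, FLOW_SLOPE * flow_pct + FLOW_OFFSET)


def first_trip_times(flux_trace, flow_pct, initial_power):
    """Return the first trip time in seconds for each method, or None if it never trips."""
    setpoint = flow_referenced_setpoint(flow_pct)
    alpha = DT_S / (TAU_S + DT_S)   # discrete first-order lag coefficient
    stp = initial_power             # filter starts at steady state
    trips = {"fixed": None, "flow_referenced": None, "stp": None}
    for i, flux in enumerate(flux_trace):
        stp += alpha * (flux - stp)  # simulated thermal power (method 3)
        checks = {
            "fixed": flux > FIXED_SETPOINT,       # method 1
            "flow_referenced": flux > setpoint,   # method 2
            "stp": stp > setpoint,                # method 3
        }
        for method, exceeded in checks.items():
            if exceeded and trips[method] is None:
                trips[method] = round(i * DT_S, 1)
    return trips


def constructed_trace(base, peak, hold_s, total_s=20.0, start_s=1.0):
    """Constructed sample: flux steps from base to peak at start_s and holds for hold_s."""
    n = int(round(total_s / DT_S))
    lo, hi = int(round(start_s / DT_S)), int(round((start_s + hold_s) / DT_S))
    return [peak if lo <= i < hi else base for i in range(n)]


if __name__ == "__main__":
    for name, trace in [("0.5 s spike", constructed_trace(60, 110, 0.5)),
                        ("sustained rise", constructed_trace(60, 110, 19.0)),
                        ("large excursion", constructed_trace(60, 130, 0.5))]:
        print(name, first_trip_times(trace, flow_pct=50.0, initial_power=60.0))
```

At 50% core flow the unfiltered flow-referenced method trips on the brief spike while the filtered STP signal rides through it, and only the sustained rise carries STP past the same setpoint several seconds later.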
In all three known methods, the reactor trip setpoint is above the normal operating range to avoid undesired trips during operation in the upper portion of the range. If more protection is required due to partial core power and flow conditions, the setpoints are manually adjusted. These manual adjustments are a cumbersome nuisance for reactor operators. However, if the setpoints are not adjusted, complex and restrictive core operating limits are required to ensure acceptable protection at all operating power and flow conditions.
In addition, new, slow transient events have been postulated in the partial power and flow range that challenge the effectiveness of the three conventional protection methods. These slow transient events have been postulated to avoid the current, high-power protection setpoints. Since the postulated events are slow, reactor operators are able to manually respond with appropriate mitigation actions.