Fig. 1: Click to enlarge
Nuclear power reactors will automatically shut down within seconds if early signs of trouble are detected. This post describes how the automatic shut downs occur on boiling water reactors (BWRs). A similar concept is employed for pressurized water reactors (PWRs).
The simplified drawing (Fig. 1) shows a BWR’s major components. During operation, the heat produced by atoms splitting in the reactor core boils water that flows through pipes to spin a turbine that generates electricity. The steam is cooled down, converted back into water, and pumped back to the reactor vessel for re-use.
The automatic shut downs that may occur during operation include:
(1) The reactor core’s power level rising too high or increasing too rapidly. Sensors monitor the reactor core’s power level. When those sensors indicate that control of the reactor has been lost, the reactor is automatically shut down.
(2) The water level inside the reactor vessel dropping too low. During normal operation, the mass of water leaving the reactor vessel as steam is matched by the amount of water being supplied by the pumps. The automatic shut down of the reactor reduces the amount of steam leaving the reactor vessel in an attempt to restore that balance and recover the dropping water level.
(3) The pressure inside the reactor vessel rising too high. This automatic shut down protects the reactor vessel and its attached piping from failing due to high stresses associated with too much pressure.
(4) The isolation valves in the pipes carrying steam to the turbine close. These isolation valves will automatically close within seconds as necessary to retain radioactive material inside the containment. Closure of these valves also stops the loss of coolant inventory if the pipe just outside the containment wall has broken. The path to the turbine is lost when the valves close so there’s no need for the reactor core to continue making steam.
(5) The valves at the inlet to the turbine close. The turbine will automatically shut down for a number of causes including high vibration and failure of the generator. The inlet valves to the turbine close literally in a split-second. As with closure of the isolation valves, the closure of the turbine inlet valves automatically shuts down the reactor core as it no longer needs to make steam. Because the whole purpose of a nuclear power plant is to generate electricity for sale to customers, there’s no need for the reactor to operate when its turbine/generator (also called the “nickel-maker” since it produces the revenue) is no longer available.
(6) The pressure inside the containment rises too high. If a pipe connected to the reactor vessel breaks, cooling water leaks into the containment causing its pressure to increase. For the rupture of a large pipe, it’s a race between the shut down on low water level (#2 above) and the automatic shut down on high containment pressure. If a smaller pipe breaks, high containment pressure wins the race to automatically shut down the reactor core. The containment and its supporting systems are designed to withstand the energy released during an accident – but that design relies on the reactor core being shut down to limit the amount of energy flowing into containment.
(7) The control rod system is becoming impaired. The control rods in a BWR are moved via hydraulic pistons. Water is applied to one side and vented from the opposite side to move control rods into and out of the reactor core. A metal tank collects the water vented from control rod hydraulic pistons during an automatic shut. When too much water is sensed in this tank, an automatic shut down will be triggered to enable the control rods to be inserted using the remaining volume in the tank. There’s little point in operating the reactor core when its brakes have failed.
Any automatic shut down, as well as the operators manually tripping the reactor, cause the control rods to fully insert into the reactor core within a handful of seconds.
The Reactor Protection System (RPS) is an array of sensors, wires, and relays that monitor conditions in the plant and send signals to rapidly insert the control rods when problems are detected.
To allow the protective measures to be tested during operation and to avoid one sensor or relay failure from causing the reactor to be shut down when no problems exist, the RPS features multiple sensors and trip channels.
Fig. 2
Figure 2 shows a common arrangement for one automatic reactor scram signal, such as the one that occurs when the water level inside the reactor vessel drops too low. Four sensors, in this case level switches, monitor the water level inside the reactor vessel. Two of the sensors are in Trip Channel A while the other two are in Trip Channel B. This arrangement is called a “one out of two taken twice” trip logic scheme.
Fig. 3
When any sensor detects an undesired condition or fails, its trip channel trips (Fig. 3). The reactor is not automatically shut down because it takes two tripped trip channels to generator the shut down, or SCRAM, signal. Workers periodically test the RPS. For example, workers will cause reactor vessel water level Sensor C to slowly decrease until it detects too low a level and causes Trip Channel A to trip. This verifies that Sensor C activates at the proper level and causes Trip Channel A to trip. Workers will return Sensor C to normal and check all other sensors and trip channels.
Occasionally, a sensor or trip channel will fail. The RPS is designed such that these devices fail-safe. In other words, failure causes them to function as if an undesired plant condition was present. The reactor can continue operating as long as nothing causes the other trip channel to trip. (It goes without saying, but not typing, that a failed sensor gets repaired with utmost urgency to get the plant out of this vulnerable situation as quickly as possible.)
Fig. 4
As soon as at least one sensor in both trip channels have either detected an undesired condition or failed, the RPS generators a SCRAM signal to shut down the reactor within seconds (Fig. 4).
As shown here, it takes as few as two sensors – but the right combination of two – to produce a SCRAM signal. Sensors A and C alone won’t do it.
The figure suggests that it takes three sensors to guarantee a SCRAM – once Sensors A and C have tripped, either Sensor B or D will complete the logic necessary for a SCRAM signal.
This demonstrates the single failure criterion at work. The RPS is designed to function even if a single sensor fails. While most failures cause sensors to behave as if the undesired condition was present (in other words, to trip), some failures can cause sensors to misbehave. For example, a sensor monitoring the water level inside the reactor vessel that is miscalibrated and fails to trip until the level drops all the way below the nuclear fuel has failed. But assuming none of the other sensors are also miscalibrated, they will conspire to generator the automatic SCRAM at the proper point.
Each scram condition (e.g., high reactor vessel pressure, low water level in the reactor vessel, high containment pressure, etc.) has its own trip logic scheme in the RPS. But there is some overlap or sharing. All of the Trip Channel A’s are connected as are all of the Trip Channel B’s. Thus, if Sensor A in the reactor pressure trip logic scheme causes its Trip Channel A to trip and Sensor D in the containment pressure trip logic scheme causes its Trip Channel B to trip, an automatic reactor SCRAM signal will occur.
Bottom Line
The Reactor Protection System performs an important safety role by monitoring key plant parameters and initiating the rapid shut down of the reactor core upon signs of trouble. The RPS is designed to perform this vital role even if one of its components fails.
While the RPS is designed to withstand the failure of a single device, multiple failures can disable it. Fission Stories #106 described how the wrong maintenance practice at the Salem nuclear plant in New Jersey “glued” the RPS trip relays in place, preventing them from operating when required.
And Fission Stories #107 described an event at the Browns Ferry Unit 3 reactor in Alabama involved the RPS doing its thing by generating a signal to rapidly shut down the reactor core but the control rod drive system failing to properly respond to that signal. Instead of shutting down the reactor core within seconds, it took four tries over nearly 15 minutes for it to finally work.