System design principles

Control and protection

The use of common equipment for reactor control and protection is not generally permitted, because a common-mode fault on control equipment could result in a reactor fault coincident with loss of one trip group.

Safety interlocks

For some protection applications, an interlock to prevent the occurrence of an unsafe reactor condition may be preferable to a trip group. In such a case the ‘safety interlock’ must be designed to a similar standard to the equivalent trip group, with similar redundancy, diversity and reliability requirements.

Operator action

The safety trip system is designed to provide protection entirely independently of operator action. No reliance is placed on operator resetting of trip levels on modern stations, auto-reset trip amplifiers being used where necessary. The operator can initiate a trip at any time, however, as a high-integrity manual trip switch is provided on the control desk (see Volume F, Chapter 6).

Operational vetoes may be installed to permit vetoing of a trip group for reactor conditions in which its protection is not required and is operationally restrictive. Where this is done, the vetoes are interlocked with other protection to prevent operation of the reactor in an unprotected condition.

However, it should be noted that operator action may be involved in the longer term after a reactor trip to ensure reactor cooling.

Fig. 2.59 Double ‘2 out of 3’ trip system in reactor guard lines

Maintenance

The safety trip system is designed to achieve its required reliability when tested at three-monthly intervals. Maintenance vetoes are not provided on modern stations owing to the difficulty of guaranteeing that such vetoes are removed after maintenance; the trip channels are allowed to go into the trip condition during maintenance.
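
The effect of leaving a channel in the trip condition during maintenance, compared with vetoing it, can be checked by enumeration. This is an added example, not part of the original text. It models a single ‘2 out of 3’ voting stage only, and the mode names and the assumption that a veto holds a channel in the non-trip state are illustrative.

```python
from itertools import product

CHANNELS = ("A", "B", "C")


def vote_2oo3(tripped):
    """Guard line trips when at least two of its three channels are tripped."""
    return sum(bool(tripped[c]) for c in CHANNELS) >= 2


def channel_output(demand, mode):
    """Output of one trip channel (True = tripped) for a given channel mode.

    healthy       : follows the plant demand
    failed_unsafe : stuck in the non-trip state (undetected dangerous fault)
    maintenance   : left in the trip condition, as the text describes
    vetoed        : held in the non-trip state (assumed veto behaviour)
    """
    if mode == "healthy":
        return demand
    return mode == "maintenance"


def guard_line(demand, modes):
    """Voted output of the guard line for a demand and per-channel modes."""
    return vote_2oo3({c: channel_output(demand, modes[c]) for c in CHANNELS})


def unprotected_cases(maintenance_mode):
    """Channel A is out of service; B and C are each healthy or failed_unsafe.
    Return the (B, C) states in which a genuine demand produces no trip."""
    missed = []
    for b, c in product(("healthy", "failed_unsafe"), repeat=2):
        modes = {"A": maintenance_mode, "B": b, "C": c}
        if not guard_line(True, modes):
            missed.append((b, c))
    return missed


if __name__ == "__main__":
    for mode in ("maintenance", "vetoed"):
        print(mode, "-> demand missed when (B, C) =", unprotected_cases(mode))
```

With channel A in the trip condition the remaining logic is effectively 1 out of 2, so only a double failure of B and C defeats it. With A vetoed it becomes 2 out of 2 and any single undetected failure does, which is also the state a forgotten veto would leave behind.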

Ammeters are provided (Fig 2.60) to check correct operation,