Reactor protection system
Nuclear safety and security components in a nuclear power plant
From Wikipedia, the free encyclopedia
A reactor protection system (RPS) is a set of nuclear safety and security components in a nuclear power plant designed to safely shut down the reactor and prevent the release of radioactive materials. The system can "trip" automatically (initiating a scram), or it can be tripped by the operators. Trips occur when the parameters meet or exceed the limit setpoint. A trip of the RPS results in full insertion (by gravity in pressurized water reactors or high-speed injection in boiling water reactors) of all control rods and shutdown of the reactor.
Safety role
The RPS provides a first line of automatic protective response to both anticipated operational occurrences and postulated accident conditions, by detecting abnormal conditions and initiating reactor trip and other protective actions that help preserve core and pressure-boundary integrity. [1] In advanced reactor I&C frameworks, the RPS may also provide additional post-trip functions to support continued heat removal after shutdown. [2]
Because protective actions depend on timely and reliable detection and actuation, the RPS is tightly coupled to plant sensors and actuators and is treated as among the most safety-significant subsystems in safety analyses. [3]
Operational design
RPS actuation logic is configured around measured process variables (trip variables) and setpoints derived from safety analysis, including fuel and thermal-hydraulic design limits. [2] In order to ensure reliability, the RPS often employs multi-channel redundancy combined with voting logic to reduce spurious trips. One common configuration is four channels with 2-out-of-4 trip logic. [4]
Independence among redundant channels is emphasized as a design principle to mitigate random single failures and certain classes of common-cause vulnerabilities. However, while redundancy and independence can mitigate some failures, they may not address all systematic failures, such as those arising during natural disasters. [1]
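As an added illustration (not code from the article or from any plant's actual protection system), the following C sketch implements the 2-out-of-4 coincidence logic described above for a single trip variable. The channel-status rules (a faulted channel votes to trip, a bypassed channel is removed from the vote, losing the quorum forces a trip) and the sample values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>

#define CHANNELS   4   /* four redundant instrument channels */
#define TRIP_VOTES 2   /* 2-out-of-4 coincidence */

/* Direction of the setpoint comparison for a trip variable. */
typedef enum { TRIP_HIGH, TRIP_LOW } trip_dir_t;

/* Channel health. FAULT (sensor out of range, loss of power) votes to trip,
 * following a de-energize-to-trip, fail-safe convention; BYPASSED (channel
 * under test) is removed from the vote. Both rules are assumptions here. */
typedef enum { CH_OK, CH_FAULT, CH_BYPASSED } ch_status_t;

typedef struct {
    double      value;   /* measured process variable, e.g. pressure */
    ch_status_t status;
} channel_t;

/* Per-channel bistable: does this channel's measurement reach the setpoint? */
static bool channel_trips(const channel_t *ch, double setpoint, trip_dir_t dir)
{
    if (ch->status == CH_FAULT)
        return true;   /* fail-safe: an unknown reading counts as a trip vote */
    return dir == TRIP_HIGH ? ch->value >= setpoint : ch->value <= setpoint;
}

/* Coincidence logic for one trip variable. Trips when at least TRIP_VOTES of
 * the non-bypassed channels vote to trip; with one channel bypassed this
 * degrades to 2-out-of-3, so one spurious channel still cannot trip the unit. */
bool rps_trip(const channel_t ch[CHANNELS], double setpoint, trip_dir_t dir)
{
    int votes = 0, active = 0;
    for (size_t i = 0; i < CHANNELS; i++) {
        if (ch[i].status == CH_BYPASSED)
            continue;
        active++;
        if (channel_trips(&ch[i], setpoint, dir))
            votes++;
    }
    /* Too few channels left to form a coincidence: trip rather than lose the
     * protective function (assumed policy; real designs limit bypasses). */
    if (active < TRIP_VOTES)
        return true;
    return votes >= TRIP_VOTES;
}
```

In a full system `rps_trip` would be evaluated once per scan cycle for every trip variable, and a trip demand on any one of them opens the trip breakers.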
Software system
Digitization of safety I&C has been pursued to address obsolescence and to realize functional advantages such as improved diagnostics, but it also introduces new challenges, especially software failure and increased system complexity. As functionality now depends on extensive software, strict verification and validation (V&V) practices for safety-critical code are emphasized. [5] In a typical RPS software workflow, protection software is specified, designed in function-block or ladder-logic representations, translated into C code, and compiled for programmable logic controllers (PLCs). [6]
A variety of reliability modeling approaches are used for RPS software evaluation. Dynamic fault tree (DFT) modeling has been proposed to better capture changes in effective k-out-of-n logic caused by periodic testing and maintenance, addressing limitations of static fault trees in representing time-dependent configurations in RPS safety analysis. [7] Markov-based methods remain common but may face scalability challenges. [8]
Cybersecurity
Increasing digitization of RPS and other safety I&C has elevated the importance of cybersecurity controls for systems whose compromise could affect protective functions. Nuclear power plant cybersecurity measures emphasize a defense-in-depth model, including identification of critical digital assets, risk assessment, threat modeling, and establishment of layered protections. [4]
Implementation
Pressurized water reactors
Some of the measured parameters for US pressurized water plants would include:
- "High power", auctioneered between high nuclear power and high differential temperature (delta T) between the inlet and outlet of the reactor vessel (a measure of the thermal power for a given RCS flowrate).
- "High startup rate" (active below 10^-4 percent power) at low power levels.
- "High pressurizer pressure"
- "Low reactor coolant flow"
- "Thermal margin / low pressure" (reactor power versus RCS pressure)
- "High containment pressure"
- "Low steam generator level"
- "Low steam generator pressure"
- "Loss of load" (main turbine trip)
Each parameter is measured by independent channels such that actuation of any two channels would result in an automatic SCRAM or reactor shutdown. The system also allows manual actuation by the operator.[9]
Boiling water reactors
Advanced reactors
While much of historical RPS development is rooted in large light-water reactor practice, RPS concepts and design requirements also appear in advanced and smaller reactors. For example, digital RPS development has also been documented for high-temperature gas-cooled reactors (HTGRs). [10]
See also
- Nuclear power
- Nuclear safety and security
- Generation III reactor (evolutionary improvements of existing designs 1996–present)
- Generation IV reactor (technologies still under development; start date unknown, possibly 2030)[11]