ML22161B014
| Person / Time | |
|---|---|
| Site: | Hermes |
| Issue date: | 06/10/2022 |
| From: | Kairos Power |
| To: | Office of Nuclear Reactor Regulation |
| Shared Package: | ML22161B012 |
| References: | KP-NRC-2206-002 |
KP-NRC-2206-002
Changes to Hermes PSAR Chapter 7 (Non-Proprietary)
Preliminary Safety Analysis Report
Design of Structures, Systems, and Components
Kairos Power Hermes Reactor 3-37 Revision 0
| SSC Name | Safety Classification | Seismic Classification | Quality Program | SAR Section | Plant Area |
|---|---|---|---|---|---|
| Tritium Management System | Non-safety related | SDC-2 | Not Quality-Related | 9.1.3 | SR and NSR areas |
| Inventory Management System | Non-safety related | SDC-2 | Not Quality-Related | 9.1.4 | SR area |
| Instrumentation and Control Systems | | | | | |
| Reactor Protection System, including field sensors, cabinets and associated wiring except for Cabling to the RPS trip devices and manual reactor trip switches | Safety-related | SDC-3 | Quality-Related | 7.1 7.5 | SR area |
| Cabling to the RPS trip devices and manual reactor trip switches | Non-safety related | SDC-2 | Not Quality-Related | 7.3 | SR and NSR areas |
| Plant Control System, including field sensors, cabinets and associated wiring | Non-safety related | SDC-2 | Not Quality-Related | 7.2 7.5 | SR and NSR areas |
| Main Control Room | Non-safety related | SDC-2 | Not Quality-Related | 7.4 | Auxiliary Building |
| Remote Onsite Shutdown Panel | Non-safety related | SDC-2 | Not Quality-Related | 7.4 | SR area |
| Plant Auxiliary Systems | | | | | |
| Remote Maintenance System | Non-safety related | SDC-2 | Not Quality-Related | 9.8 | SR and NSR areas |
| Fire Protection System | Non-safety related | SDC-2 | Not Quality-Related | 9.4 | SR and NSR areas |
| Radioactive Waste Handling Systems | Non-safety related | SDC-2 | Not Quality-Related | 11.2.2 | SR and NSR areas |
Preliminary Safety Analysis Report
Instrumentation and Controls
Kairos Power Hermes Reactor 7-1 Revision 0
CHAPTER 7 INSTRUMENTATION AND CONTROLS
7.1 INSTRUMENTATION AND CONTROLS OVERVIEW
7.1.1 Summary Description
The instrumentation and control (I&C) systems monitor and control plant operations during normal operations and planned transients. The systems also monitor and actuate protection systems in the event of unplanned transients. I&C is comprised of four parts, described in the bulleted list below. Each of the four parts are described in further detail in subsequent subsections of this chapter. The architectural design of the system accounts for interconnection interfaces for plant I&C structures, systems, and components (SSCs). Figure 7.1-1 provides an overview of the I&C system architecture.
- The plant control system (PCS) provides the capability to reliably control the plant systems during normal, steady state, and planned transient power operations, including normal plant startup, power maneuvering, and shutdown (see Section 7.2).
- The reactor protection system (RPS) provides protection for reactor operations by initiating signals to mitigate the consequences of postulated events and to ensure safe shutdown (see Section 7.3).
- The main control room and remote onsite shutdown panel provide the capability for plant operators to monitor plant systems, control plant systems, and to initiate plant shutdown (see Section 7.4).
- Sensors provide input to multiple control and protection systems (see Section 7.5).
The I&C system implements IEEE Standard 603-2018 (Reference 1) and IEEE Standard 7-4.3.2-2003 (Reference 2) and other consensus standards for safety-related I&C functions. The particular application of consensus standards is discussed for each I&C subsystem in the following sections.
The I&C system incorporates the principles of independence, redundancy, and diversity. Features reflecting those principles are discussed in the specific subsystem descriptions. The RPS is the safety-related system credited for tripping the reactor and actuating engineered safety features. Accordingly, the RPS is isolated and independent from the other I&C systems and uses input signals from independent instrumentation. RPS instrumentation signals are provided to the PCS via a data diode, which is a part of the RPS hardware platform (see Section 7.3.3). The RPS incorporates redundancy and diversity in the system design as discussed in Section 7.3. The I&C system includes the capability for both manual and automatic control.
Section 7.5 describes the sensors used at the facility. Sensors for temperature, pressure, neutron count rates, level, flow, radiation level, and other analog and digital field detectors provide input to the plant control system and reactor protection system. Independent instruments are provided for RPS and PCS. Each section about specific I&C subsystems includes a discussion of the instruments that support that subsystem and the type of instrumentation used (i.e., analog or digital).
7.1.2 Calibration of Trips, Interlocks, and Annunciators
Safety limits (or analytical limits (ALs)) are defined by the operating limits in the plant safety analysis. Systems having significant safety functions (for example technical specification limiting conditions for operation) that do not directly protect a plant safety limit, will be analyzed in the same fashion as those having safety limits. The technical specifications are described in Chapter 14.
Setpoints for safety-related instrumentation will be calculated in accordance with the guidance of ANSI/ISA-67.04.01-2018 (Reference 3). The setpoint nomenclature as defined in the Regulatory Information Summary RIS 2006-17 (Reference 4), will be applied to setpoint calculations developed to support licensing activities. Operational considerations such as drift, linearity, hysteresis, and operational margins are considered in the development of specific instrument loop setpoints. Consideration is also given to fixed instrument errors and environmental effects in the selection of instrument setpoints.
The PCS and RPS includes sensors, trips, and, interlocks, and annunciations to monitor the operation of the process control systems shutdown the reactor when operating parameters exceed operational limits. For the RPS, tThis includes release of the control and shutdown elements within a set of defined parameters after the onset of a postulated event. Specific trips and, interlocks, and annunciations for each system are discussed in Sections 7.2 and 7.3. However, for both systems, activation and RPS actuation setpoints for trips and, interlocks, and alarms are calculated based on the following design principles:
- Simulation models: Time to reach operational limits based on system qualification (environments, process conditions, etc.) as demonstrated by actual empirical data collected during simulation testing
- Control System RPS Technical Specifications: Measurement time, process parameters as informed by safety case assumptions and bounded by Technical Specification limits
- Mechanical design and testing response time for actuation to complete: Time to detect, process, and actuate the required controls; this time should be less than the time between event onset and parameter reaching a limiting condition for continued operation
- Tiered (graded) approach to protection: In all cases the PCS utilizes early detection monitoring of parameters that are non-safety related to inform risk for continued operation or trip status for investment protection. The RPS utilizes highly reliable safety-related parameters as the final level of protection for public health and safety as well as investment protection.
Annunciators are used to inform operations of the changing process parameters that will require system control response or potential operator intervention in order to maintain parameters within the normal operating envelope.
7.1.3 References
- 1. Institute of Electrical and Electronics Engineers, Standard IEEE 603, "Standard Criteria for Safety Systems for Nuclear Power Generating Stations." 2018.
- 2. Institute of Electrical and Electronics Engineers, IEEE Standard 7-4.3.2, "IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations." 2003.
- 3. Instrument Society of America, ANSI/ISA-67.04.01, "Setpoints for Nuclear Safety-Related Instrumentation." 2018.
- 4. Nuclear Regulatory Commission, Regulatory Issue Summary 2006-17, "NRC Staff Position on The Requirements of 10 CFR 50.36, 'Technical Specifications,' Regarding Limiting Safety System Settings During Periodic Testing and Calibration of Instrument Channels." August 24, 2006.
Figure 7.1-1: Instrumentation and Controls System Architecture
Kairos Power Hermes Reactor 7-5 Revision 0
T: Temperature
P: Pressure
L: Level
F: Flow
N: Neutronics
R: Radiation Monitor
D: Discrete (Digital Input or Output/Actuation)
A: Analog (Modulating Output/Actuation)
OA: Other analog field instruments
OD: Other digital field instruments
7.2 PLANT CONTROL SYSTEM
7.2.1 Description
The PCS is a non-safety related control system which controls reactor startup, changes in power levels, and shuts down the reactor. The PCS implements these functions through a series of subsystems which include:
- Reactor control system (RCS)
- Reactor coolant auxiliary control system (RCACS)
- Primary heat transport control system (PHTCS)
- Primary heat rejection control system (PHRCS)
The PCS maintains plant parameters within the normal operating envelope. This system also provides data to the control consoles located in the main control room (see Section 7.4). Figure 7.1-1 shows the elements of the PCS.
The PCS is a microprocessor-based distributed control system that individually controls plant systems using applicable inputs. The subsystems listed above are integrated into the PCS using non-safety related signal wireways which are terminated at local cabinets and using redundant, non-safety, real-time data highways.
The plant-wide sensor inputs are used to verify interlock and permissive rules for the various plant states. The sensor data is also used to provide feedback and alarms to the operators via the control consoles. The PCS is powered by AC and DC power supplies which are discussed in Chapter 8.
The PCS uses non-safety related sensor inputs as well as safety-related sensor inputs from the plant protection system via a data diode (See Section 7.3.3). The PCS includes the input parameters shown in Table 7.2-1. The sensors are described in Section 7.5. The instrumentation provides input signals using non-safety related signal wireways that are terminated at local cabinets.
Control outputs are generated using a control transfer function based on the sensor inputs and setpoints provided by the control system. The setpoints are adjusted automatically based on the plant operating mode, or in some cases by the operator via the main control room consoles. Plant operators do not directly control PCS outputs.
The PCS does not provide any safety-related functions during any mode of operation or postulated event. The PCS is electrically and functionally isolated from the safety-related RPS (see Section 7.3) using a safety-related isolation device as shown in Figure 7.1-1. The RPS isolation devices ensure electrical isolation between the electrical system and the non-safety related SSCs that PCS normally controls that are deactivated by the RPS when a reactor trip is demanded.
The subsystems of the PCS are described below.
7.2.1.1 Reactor Control System
The RCS controls and monitors systems and components that support normal operation, planned transients, and normal shutdown of the reactor. The RCS controls the systems listed in Figure 7.1-1 and supports the following capabilities:
- Reactivity control and planned transients/adjustments in power level
- Monitoring of core neutronics
- Pebble handling and storage
- Monitoring and control of temperature in the reactor
Kairos Power Hermes Reactor 7-8 Revision 0
- Primary loop draining, filling, and piping monitoring, including PHTS external piping
The purpose of the PHTCS is to control the transport of primary coolant through the PHTS, to maintain the primary coolant in a liquid state, and to monitor the inventory of primary coolant in the PHTS. The PHTCS maintains the parameters in the PHTS within the normal operating envelope. The PHTCS controls the primary salt pump (PSP) and the primary loop auxiliary heating system. The sensors used by the PHTCS are discussed in Section 7.5.
The PHTCS provides control signal for the PSP (see Chapter 5). The control system manipulates the primary coolant flow rate by variable frequency to maintain PHTS parameters within the normal operating range. The PHTCS does not provide a safety function; however, as discussed in Section 7.3, the RPS trips the PSP on a reactor trip, as a protection feature for the reactor system related to the pump.
The PHTCS maintains the primary coolant in liquid phase throughout the PHTS to prevent localized over- or under-heating. The control system uses temperature as input to provide control signal to the PHTS auxiliary heaters.
7.2.1.4 Primary Heat Rejection Control System
The PHRCS controls and monitors systems and components that support normal operation of the intermediate loop which removes heat from the primary loop. The system supports the following capabilities:
- Control of the flow rate through the intermediate loop
- Intermediate loop heating
- Intermediate loop draining, filling, and piping monitoring
The purpose of the PHRCS is to control the transport of intermediate coolant through the intermediate loop, to maintain the intermediate coolant in a liquid state, and to monitor the inventory of intermediate coolant in the intermediate loop. The PHRCS does not perform a safety function. The PHRCS maintains the parameters in the intermediate loop within the normal operating envelope.
The PHRCS controls the intermediate salt pump (ISP), the intermediate loop auxiliary heating system, the intermediate coolant inventory system, the intermediate loop chemistry control system, the intermediate loop cover gas system, and the heat rejection blower. The PHRCS controls the ISP by changing the intermediate coolant flow rate by variable frequency to maintain intermediate loop parameters within the normal operating range. The PHRCS controls the intermediate loop auxiliary heating system to maintain the intermediate coolant in liquid phase throughout the intermediate loop to prevent localized over- or under-heating. The control system uses temperature information as input to provide control signal to the intermediate loop auxiliary heaters.
7.2.2 Design Bases
Consistent with Principal Design Criteria (PDC) 13, the PCS is designed to monitor variables and systems over their anticipated ranges for normal operation, and over the range defined in postulated events.
7.2.3 System Evaluation
The PCS is designed to monitor plant parameters and maintain systems within normal operating range. The PCS is also designed to control planned transients associated with anticipated operational occurrences and maintain the reactor in a shutdown state. These functions are consistent with PDC 13. The PCS does not perform a safety-related function. Finally, the PCS is designed so that it cannot interfere with the RPS's ability to perform its safety functions; see Section 7.3 for more information about the isolation of the RPS from the PCS.
The PCS is a digital system that controls the reactor power about a point set by the operator. The control system uses linear average temperature and flow rate in the primary system as variable inputs to control power level so that it remains within the normal operating envelope. The system design meets the applicable portions of International Electrotechnical Commission (IEC) standard 61131 for industrial controllers (Reference 1), and the applicable portions of the cybersecurity standard IEC 62443 (Reference 2). Table 7.2-2 lists other standards applied to the PCS. Applicable portions of IEEE 1012-2017 (Reference 3) are used for verification and validation of PCS components, which is consistent with the non-safety related classification of the PCS.
Action in the PCS is designed to accurately and reliably provide control signal for all modes of normal operation. The PCS is also designed to provide timely control signals, with further analysis of timeliness to be provided in an application for the Operating License.
The PCS includes interlocks and inhibits that prohibit or restrict operation of the reactor and PHSS unless certain operating conditions are met. The following interlocks are included in the control system design:
- An interlock that prohibits reactivity control element withdrawal until there is sufficient neutron count rate to ensure that nuclear instruments are responding to neutrons.
- Interlocks are also provided related to startup power level and pebble handling as detailed in Table 7.2-3.
PCS actuation setpoints are established and calibrated using the method described in Section 7.1.2. The final design of SSCs controlled by the PCS affects the acceptance criteria to establish PCS actuation setpoints. Accordingly, the Operating License application will include a description of the acceptance criteria to establish and calibrate actuation setpoints or interlock functions, which will reflect the setpoint method described in Section 7.1.2.
The plant controls are grouped and located on a single operating panel in the main control room so that operators can easily reach and manipulate the controls. Displays of the results of operator actions are readily observable. See Section 7.4 for more information about the human interface for the PCS.
The PCS is not safety-related and no safety-related SSCs cross the seismic isolation moat, discussed in Section 3.5. However, any portion of the PCS that crosses the moat includes flexible design features to accommodate design displacements from postulated seismic events to the extent necessary to prevent damage of SSCs in the PCS from affecting a safety-related SSC's ability to perform its safety function. Specific design features and the SSCs to which they are applied, will be provided in the Operating License application.
Additional information about the PCS that is dependent on the final design of the reactor SSCs will be provided in the Operating License Application, including: (1) further specifics about the hardware and software, (2) software flow diagrams for digital computer systems, (3) a description of how the operational and support requirements will be met, and (4) the basis for reliability of PCS systems and reliability targets.
7.2.4 Testing and Inspection
Functional tests will be performed prior to initial startup and tests and inspections consistent with the standards discussed in Section 7.2.3.
7.2.5 References
- 1. International Electrotechnical Commission, IEC 61131, "Programmable Controllers." 2020.
- 2. International Electrotechnical Commission, IEC 62443, "Cybersecurity." 2015.
Kairos Power Hermes Reactor 7-13 Revision 0
Table 7.2-3: Plant Control System Interlocks and Inhibits
| Input Signal to the Plant Control System | Interlock or Inhibit |
|---|---|
| High radiation detected in pebble handling area | Movement of pebbles stops within a specified time delay. Purpose: Minimize effects of a PHSS transfer line break |
| Abnormal positioning of pebble in PHSS | Movement of pebbles stops within a specified time delay. Purpose: Prevent damage to PHSS system |
| Neutron Flux detected on Source Range and is below 0.5 count/second | Block reactivity control element withdrawal. Purpose: Prevent inadvertent rapid positive reactivity insertion |
| DHRS operating | Reactor auxiliary heating system (RAHS RTMS) blocked from operating. Purpose: Prevent inadvertent actuation of RAHS RTMS. |
7.3 REACTOR PROTECTION SYSTEM
7.3.1 Description
The RPS provides protection for reactor operations by initiating signals to mitigate the consequences of postulated events and to ensure safe shutdown. The RPS is the only portion of the I&C system that is safety-related and that is credited for tripping the reactor and actuating engineered safety features. The purpose of the RPS is to actuate upon receipt of a trip signal in response to out-of-normal conditions and provide automatic initiating signals to protection functions. There are three possible trip sources that can cause the RPS to actuate and three protection functions that result from RPS actuation, shown below in Figure 7.3-1. The three possible trip sources are:
- Process variables reach or exceed specified setpoints, as measured by RPS sensors
- Manual initiation from the main control room or remote onsite shutdown panel
- Plant electric power is lost (with a time delay)
The three KP-FHR protection functions that result from RPS actuation are:
- Activate Actuate the RCSS that inserts control and shutdown elements into the reactor core
- Inhibit actions from the PCS so that it does not interfere with the functioning of the RPS
- Ensure activation an actuation of the decay heat removal system (DHRS) that passively removes heat from the PHTS to the atmosphere
Actuation of the RPS to trip the reactor includes several actuations that stop specific non-safety related SSCs, normally controlled by PCS, to ensure that those non-safety related SSCs do not prevent a safety-related SSC from performing its safety function. The non-safety related functions that are stopped are shown in Figure 7.1-1. RCSS element withdrawal is inhibited after a loss of power, to prevent inadvertent positive reactivity insertion when power returns (see also Table 7.3-2). The PSP is stopped to maintain Flibe inventory in the core. ISP is stopped to prevent a pressure differential between the primary and intermediate systems. Pebble extraction and insertion in the PHSS is stopped to prevent removing pebbles from the core in the event of a PHSS extraction line break. Finally, RAHS actuation is prohibited to prevent a challenge to the heat removal capability of the DHRS. These inhibitions are accomplished through safety-related trip devices as shown in Figure 7.1-1.
The RPS is built on a logic-based platform that does not utilize software or microprocessors for operation. It is composed of logic implementation using discrete components and field programmable gate array (FPGA) technology. The RPS is isolated from other I&C systems, including the main control room and the remote onsite shutdown panel, using safety-related isolation hardware gateways. Isolation is achieved at the point of signal generation either through features built into the hardware platform or through separate isolation devices. The RPS includes the following safety-related (except as noted otherwise) elements:
- Separate channels of sensor electronics and input devices
- Redundant and separate groups of signal conditioning
- Redundant and separate groups of trip determination
- Manual reactor trip switches in the main control room (switches are non-safety related)
- Safety-related components to provide electrical isolation from the non-safety related highly reliable DC power system power supply
- Power supplies for safety-related sensors and RPS components, which also provide isolation from the non-safety related highly reliable DC power system power supply
- Redundant voltage sensors for detecting loss of 120 VAC to the uninterruptible power supply system
- Multiple reactor trip devices and associated cabling (cabling is non-safety related)
- Two non-safety related RPS gateways isolation hardware
- Two divisions of reactor trip system (RTS) voting and actuation equipment
Reactor trip functions are hard-coded into FPGA logic and are not dependent on plant operating state. Operating conditions are compared against the trip setpoints and actuate protection functions according to established programmable logic. The RPS cabinets are located within the safety-related portion of the Reactor Building within an environmentally separated enclosure, discussed further in Section 7.3.3.
The RPS performs safety-related functions as shown in Figure 7.1-1 which include RTS actuation and ensuring actuation of the DHRS. Both functions are described in more detail in Sections 7.3.1.1 and 7.3.1.2. Operator interface for the RPS is discussed in Section 7.4. The RPS uses inputs from the reactor core temperature, reactor vessel level, and source and power range neutron detectors. The sensors that provide input to the RPS are safety-related and described further in Section 7.5.
7.3.1.1 Reactor Trip System
The RTS activates actuates the RCSS that allow for insertion of control and shutdown elements into the reactor core. Upon receipt of a trip signal, the RTS removes power from coils on the reactivity shutdown elements which drop by gravity into the reactor (See Section 4.2.2 for more information about the shutdown elements). The RTS receives trip signals generated from automatic or manual sources.
The RTS is built on a logic-based platform that does not utilize software or microprocessors for operation. It is composed of logic implementation using discrete components and FPGA technology. The RTS is isolated from other I&C systems using safety-related isolation gateways isolation hardware.
The RTS receives input from sensors through hardwired, analog, safety-related signal wireways that are terminated at local cabinets. Section 7.5 provides additional information about the sensors that provide input to the RTS. Using the inputs from the sensors, the RTS automatically opens the reactor trip devices when setpoints are reached. The system uses both undervoltage coils as well as shunt trip coils to provide the means to open the trip devices. The reactivity shutdown element position coils fail open on loss of power.
The main control room and the remote onsite shutdown panel each have the capability to provide a manual trip signal to the RTS. Section 7.4 includes a discussion of the human interface with the RTS.
Table 7.3-2 provides a list of interlocks implemented for RPS systems. If normal power is not available and the RPS does not detect a transfer to backup power within a defined time period, the RPS removes power from the RTS, causing the control and shutdown elements to drop into the core. The RPS includes an interlock that inhibits movement of reactivity control elements, and a manual reset is required before reactivity control elements can be withdrawn. The purpose of this interlock is to prevent inadvertent insertion of positive reactivity when normal power is lost and subsequently restored.
On activation actuation, the RTS will trip the PSP. A manual reset prevents the pump from inadvertently restarting after power return. To ensure positive pressure between the primary and intermediate coolant loops within the heat exchangers, the ISP trips concurrently with the PSP. An interlock prevents starting the ISP if the PSP is not running.
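
The loss-of-power timer, the manual-reset latches and the PSP/ISP start permissive described above can be exercised with a small behavioural model. This is an added example, not part of the Kairos Power submittal, and the RPS itself is hardware logic rather than software. The 5-second window, all names, and the rule that a reset is honoured only with power present and no trip demanded are assumptions.

```python
from dataclasses import dataclass

# Assumption: the page says only "a defined time period"; 5 s is a placeholder.
BACKUP_TRANSFER_WINDOW_S = 5.0


@dataclass
class Inputs:
    """One sample of the signals the model looks at (all names hypothetical)."""
    t: float                         # sample time, seconds
    normal_power: bool = True
    backup_power: bool = False
    setpoint_exceeded: bool = False  # an RPS process variable reached its setpoint
    manual_trip: bool = False        # trip switch in the MCR or at the ROSP
    manual_reset: bool = False       # operator reset of the latched interlocks
    psp_start: bool = False          # request to start the primary salt pump
    isp_start: bool = False          # request to start the intermediate salt pump
    withdraw: bool = False           # request to withdraw reactivity control elements


class RpsInterlockModel:
    """Tracks interlock and permissive state only; it is not a plant or pump model."""

    def __init__(self):
        self.power_lost_at = None        # time both supplies were first seen absent
        self.withdraw_inhibit = False    # latched by the loss-of-power trip
        self.psp_reset_required = False  # latched by any RTS actuation
        self.psp_running = True
        self.isp_running = True

    def step(self, i):
        powered = i.normal_power or i.backup_power
        if powered:
            self.power_lost_at = None
        elif self.power_lost_at is None:
            self.power_lost_at = i.t
        # Trip source 3: power lost and no transfer to backup within the window.
        power_trip = (self.power_lost_at is not None
                      and i.t - self.power_lost_at >= BACKUP_TRANSFER_WINDOW_S)

        # Any one of the three trip sources actuates the RTS.
        rts_actuated = i.setpoint_exceeded or i.manual_trip or power_trip
        if rts_actuated:
            self.psp_running = False        # RTS trips the PSP
            self.isp_running = False        # ISP trips concurrently with the PSP
            self.psp_reset_required = True  # no automatic restart on power return
            if power_trip:
                self.withdraw_inhibit = True
        elif i.manual_reset and powered:
            # Assumption: reset is accepted only with power back and no trip demand.
            self.withdraw_inhibit = False
            self.psp_reset_required = False

        if i.psp_start and powered and not rts_actuated and not self.psp_reset_required:
            self.psp_running = True
        if not self.psp_running:
            self.isp_running = False        # ISP may not run without the PSP
        elif i.isp_start and powered and not rts_actuated:
            self.isp_running = True

        return {
            "rts_actuated": rts_actuated,
            "withdraw_permitted": (i.withdraw and powered and not rts_actuated
                                   and not self.withdraw_inhibit),
            "psp_running": self.psp_running,
            "isp_running": self.isp_running,
        }


def simulate(samples):
    """Run a fresh model over a list of Inputs and return one result per sample."""
    model = RpsInterlockModel()
    return [model.step(s) for s in samples]


# Constructed scenario: blackout, power return, operator reset, pump restarts.
BLACKOUT = [
    Inputs(0.0, normal_power=False),               # power lost, timer starts
    Inputs(2.0, normal_power=False),               # still inside the window
    Inputs(5.0, normal_power=False),               # window expired: trip
    Inputs(10.0, psp_start=True, withdraw=True),   # power back, latches still set
    Inputs(11.0, manual_reset=True),               # operator clears the latches
    Inputs(12.0, isp_start=True),                  # refused: PSP not running
    Inputs(13.0, psp_start=True, withdraw=True),   # now permitted
    Inputs(14.0, isp_start=True),                  # PSP running, ISP may start
]
# Constructed scenario: backup power picks up inside the window, so no trip.
TRANSFER_OK = [
    Inputs(0.0, normal_power=False),
    Inputs(3.0, normal_power=False, backup_power=True),
    Inputs(9.0, normal_power=False, backup_power=True),
]

if __name__ == "__main__":
    for sample, result in zip(BLACKOUT, simulate(BLACKOUT)):
        print(sample.t, result)
```
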
7.3.1.2 Decay Heat Removal System
The DHRS provides passive residual heat removal that requires no electrical power to operate, as discussed in Section 6.3. Although the DHRS is always operating above a certain threshold of fission product accumulation level, the decay heat removal portion of the RPS provides actuation signal to DHRS to ensure the DHRS is operating when there is a RPS actuation signal. The RPS actuation signal to
Kairos Power Hermes Reactor 7-17 Revision 0
- The RPS is designed with sufficient functional and component diversity to prevent the loss of function for the RPS.
- Upon loss of electrical power or detection of adverse environmental conditions, the RPS fails to a safe state, consistent with PDC 23.
- The RPS system is functionally independent from the control systems, consistent with PDC 24.
- Consistent with PDC 25, the RPS is designed to ensure that radionuclide release design limits are not exceeded upon reactor trip actuation, including in the event of a single failure of the reactivity control system.
- Consistent with PDC 28, the RPS setpoints are designed to limit the potential amount and rate of reactivity to ensure sufficient protection from postulated events involving reactivity transients. The limits are set such that reactivity events cannot result in damage to the reactor coolant boundary greater than limited local yielding, and cannot sufficiently disturb the core, its support structures, or other reactor vessel internals to impair significantly the capability to cool the core.
- The RPS is designed to be redundant and diverse to assure there is a high probability of accomplishing its safety-related functions in postulated events, consistent with PDC 29.
- Consistent with 10 CFR 50.55(i), RPS is designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the safety function to be performed.
- Consistent with 10 CFR 50.55a(h)(3), the RPS is designed in accordance with IEEE Std 603-2018 (Reference 1). The RPS implements the 2018 edition of IEEE Std 603 as an alternative code to IEEE Std 603-1991 (Reference 2) and the correction sheet dated January 30, 1995.
7.3.3 System Evaluation
The RPS provides automatic reactor trip (1) if plant parameters exceed the normal operation envelope (PDC 20), (2) in the event of station blackout, and (3) manually using signal from the main control room or remote onsite shutdown panel. The RPS also ensures that the DHRS is running when the reactor trips.
The RPS is consistent with 10 CFR 50.55a(h)(3) and NUREG-1537, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, by meeting IEEE 603-2018. Table 7.3-1 provides a list of the consensus standards to which the RPS is designed.
Chapter 13 describes the postulated events to which the RPS is designed to respond. The RPS uses the same set of operating parameters in the trip and actuation logic for all modes of reactor operation. The setpoints are established to ensure that the design conditions of the reactor coolant boundary are not exceeded during operation within the design basis. This is consistent with PDC 25 because maintaining the reactor coolant boundary within design basis bounds will ensure that radionuclide release design limits are not exceeded. The setpoints are established and calibrated using the method described in Section 7.1.2.
Consistent with 10 CFR 50.55a(h)(3), reactor trips implemented by the RPS meet IEEE 603-2018, Section 4. The primary plant trip signal is based on average core temperature measurement. In addition, the plant will also have a trip signal for high flux rate based on input from the neutron detector sensors and a trip of the reactor upon detection of a break in the PHSS extraction line. When the temperature or flux rate are outside the normal operating range or when a PHSS extraction line break is detected, the primary plant trip de-energizes the RSS trip device, the DHRS loop trip device, and the PCS inhibitor trip device. Redundant trip devices are provided for each signal pathway. Note that the cabling to the trip devices is not classified as safety-related because the trip devices accomplish their safety function without reliance on the input cabling. However, the cables to the trip devices are designed to IEEE 603-2018. See Figure 7.3-1 for a schematic of the RPS trip logic. Trip setpoints are established and calibrated using the methods described in Section 7.1.2. The PCS inhibitor trip device functionally isolates the RPS from the PCS. This includes tripping the PSP, discussed in Section 7.2.1.3. The RPS also provides alarm signals to the main control room, which will be described in the Operating License application.
Consistent with PDCs 10, 15, and 20, the RPS provides reactor trip and decay heat removal actuation to ensure that the design conditions of the reactor coolant boundary are not exceeded during normal operation, including anticipated operational occurrences. With power, the RPS provides a trip actuation which opens a trip device, removing power from the reactor protection features (shutdown elements and decay heat removal), as discussed in Sections 7.3.1.1 and 7.3.1.2. In the event that the RPS loses power, the RPS fails to a safe state, consistent with PDC 23. With loss of power, the RPS trip devices fail open, and power is removed from the aforementioned reactor protection features.
The reliability of the RPS is such that there is a high probability the RPS will accomplish its safety-related functions if a postulated event occurs, consistent with PDCs 22 and 29. No single failure results in loss of the RPS protective functions, consistent with PDC 21 and Section 5 of IEEE 603-2018. Specifics of the minimum redundancy in the RPS to permit periodic testing without compromising the function of the RPS will be provided in an application for the Operating License.
The RPS is functionally independent from the PCS, consistent with PDC 24 and Section 6 of IEEE 603-2018. The system does not share components with the PCS and takes inputs from separate, dedicated sensors. However, safety-related sensors that provide input to the RPS also provide signals to the PCS via a safety-related data diode that uses one-way fiber optic channels. The data diode is integrated into the RPS hardware platform. Consistent with PDC 13, the system uses sensors that monitor variables and systems over their anticipated ranges for normal operation and for postulated event conditions. As discussed in Sections 7.3.1, the RPS uses as input core temperature and vessel level from safety-related sensors. The sensors are discussed in Section 7.5, including the range over which the sensors monitor reactor variables.
Consistent with PDC 3, the RPS is designed to perform its safety function in the event of a fire hazard. The RPS is designed and located to minimize the probability and effect of fires and explosions by the use of low combustible materials and physical separation. These design features, in conjunction with the fire protection program described in Section 9.4, provide assurance that the RPS conforms to PDC 3.
Consistent with PDC 4 and 22, the RPS is designed for the environmental conditions associated with normal operation, maintenance, testing, and postulated events. A description of how the operational and support requirements will be met, including a description of the enclosure that houses the RPS cabinets, will be provided in an application for the Operating License.
The RPS is located in the safety-related portion of the Reactor Building. The Reactor Building is designed to protect internal SSCs from external hazards as discussed in Chapter 3. Consistent with PDC 22, the RPS's location in the safety-related portion of the Reactor Building ensures that natural phenomena will not result in a loss of protection for the RPS.
No portion of the RPS that performs a safety function crosses the seismic isolation moat that is described in Section 3.5. The RPS includes a block to the PCS to prevent any PCS SSCs from interfering with a safety-related SSC's performance of its safety function. The RPS block is accomplished by removing power to a safety-related relay. The safety-related relay is also located in the safety-related portion of the Reactor Building, so no other flexible design features to address differential displacement are required for the RPS to accomplish the block to the PCS during postulated seismic events. This is consistent with PDCs 2 and 4.
The RPS is under the Quality Assurance Program as described in Section 12.9 which is consistent with PDC 1 and 10 CFR 50.55(i).
PreliminarySafetyAnalysisReport
InstrumentationandControls
Table 7.3-2: Reactor Protection System Interlocks and Inhibits

| Input Signal to the Reactor Protection System | Interlock or Trip |
|---|---|
| Fission product accumulation in the core exceeds a defined level | DHRS is actuated activated. Purpose: ensure decay heat removal |
| Fission product accumulation in the core exceeds a defined level | Manual reset for DHRS prohibited. Purpose: DHRS cannot be disengaged while the core generates decay heat |
| Low power level AND a minimum defined fission product accumulation in the core is reached* | Manual reset for DHRS available. Purpose: Prevent overcooling while shutdown |
| DHRS manual reset is available after RPS actuation activation. NOTE: see row above for the initial conditions for DHRS manual reset availability | Reactor Auxiliary Heating System actuation activation available. Purpose: Allow additional thermal management capabilities following a reactor trip |
| Loss of normal power AND No transfer to backup power within a defined time period | Movement of reactivity control elements inhibited with manual reset required. Purpose: prevent inadvertent positive reactivity addition to the core by preventing withdrawal of reactivity control elements when power returns following a reactor trip |
| Loss of normal power AND Actuation Activation of the RTS | After the RTS trips the PSP, manual reset is required to restart the PSP. Purpose: Prevent inadvertent restart of the PSP when power is restored |
| Actuation Activation of the RTS | After the RTS trips the PSP and ISP, the ISP is prevented from restarting unless the PSP is running. Purpose: ensure positive pressure between the primary and intermediate coolant loops |
| PSP not running | Trip the ISP and lockout restart of the ISP until the PSP is running. Purpose: prevent ingress of nitrate into the primary loop above a certain threshold |
| Detection of a break in the PHSS extraction line | Trip the pebble extraction and insertion machines |

* The fission product accumulation is based on the operating time and power level relationship.
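
The PSP and ISP rows of Table 7.3-2 can be read as a small latch-and-permissive state machine. The sketch below is an added example, not part of the PSAR or Kairos Power's design: class and method names are hypothetical, and setting the PSP manual-reset latch only when normal power is also lost is an assumption read from the table's input column.

```python
class PumpInterlocks:
    """Toy model of the PSP/ISP restart rows of Table 7.3-2.

    All names are hypothetical; only the rules come from the table.
    """

    def __init__(self):
        self.psp_running = True
        self.isp_running = True
        self.psp_reset_required = False  # latch, cleared only by manual reset

    def rts_trip(self, normal_power_lost):
        """RTS trips the PSP and ISP; with loss of normal power the PSP latches."""
        self.psp_running = False
        self.isp_running = False
        if normal_power_lost:
            self.psp_reset_required = True

    def manual_reset_psp(self):
        """Operator action that clears the PSP restart latch."""
        self.psp_reset_required = False

    def start_psp(self):
        """Restart is refused while the manual-reset latch is set."""
        if self.psp_reset_required:
            return False
        self.psp_running = True
        return True

    def start_isp(self):
        """Permissive: the ISP may start only while the PSP is running."""
        if not self.psp_running:
            return False
        self.isp_running = True
        return True

    def psp_stopped(self):
        """PSP not running: trip the ISP; start_isp() refuses until the PSP runs."""
        self.psp_running = False
        self.isp_running = False


def restart_sequence():
    """Constructed scenario: loss of normal power plus RTS trip, then restarts."""
    p = PumpInterlocks()
    p.rts_trip(normal_power_lost=True)
    log = [("start_isp", p.start_isp()), ("start_psp", p.start_psp())]
    p.manual_reset_psp()
    log += [("start_psp", p.start_psp()), ("start_isp", p.start_isp())]
    p.psp_stopped()
    log.append(("start_isp", p.start_isp()))
    return log, p.isp_running
```

The scenario shows the ordering the table enforces: the ISP cannot come back before the PSP, and the PSP cannot come back before the manual reset.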
7.4 MAIN CONTROL ROOM AND REMOTE ONSITE SHUTDOWN PANEL
7.4.1 Description
The main control room (MCR) provides means for operators to monitor the behavior of the plant, control performance of the plant, and manage the response to postulated event conditions in the plant. The remote onsite shutdown panel (ROSP) provides separate means to shut down the plant and monitor plant parameters in response to postulated event conditions. Figure 7.4-1 shows the architecture of the MCR and ROSP.
7.4.1.1 Main Control Room
The MCR contains equipment related to normal operation of the plant. These include operator and supervisor workstation terminals which provide alarms, annunciations, personnel and equipment interlocks, and process information. These pieces of equipment are the main point of interaction (human/system interface (HSI)) between operators and the PCS and the information coming from the RPS. The terminals are connected to the main plant network through a network switch. The system uses redundant fiber optic communication channels between the PCS and the MCR. Communication from the RPS to the MCR utilizes a the data diode discussed in Section 7.3.3 fiber optic channel for one-way communication.
The MCR console displays plant parameters to allow operators to monitor conditions during and following postulated events. The MCR console contains a manual trip switch that propagates through a gateway and through safety-related isolation, which allows operators to initiate a plant trip, but this is not a credited safety-related function nor credited in the accident analyses (see Chapter 13).
The MCR also contains a central alarm panel for the fire protection system so that operators can monitor the status of fire protection equipment inside the Reactor Building. The central alarm panel includes controls for the ventilation and extinguishing systems related to the response to fires.
7.4.1.2 Remote Onsite Shutdown Panel
The ROSP provides a HSI for plant staff to monitor indications from the reactor protection system including operating status of the RTS and the DHRS in the event that the MCR becomes inaccessible or uninhabitable. The ROSP features one-way (read-only) communication with reactor protection system instrumentation signals and the ability to initiate a trip signal from the manual trip button that actuates activates reactor protection systems. The ROSP is not safety-related and is located in the safety-related portion of the Reactor Building.
7.4.2 Design Bases
Consistent with PDC 19:

- The design of the main control room allows actions to be taken to operate the reactor under normal operating conditions and to monitor it under postulated event conditions.
- The main control room is designed to provide radiation protection allowing access and occupancy of the control room under postulated event conditions without personnel receiving radiation exposures in excess of 5 rem total effective dose equivalent (TEDE) for the duration of the event.
- The main control room is designed to be habitable, allowing access and occupancy of the main control room during normal operations and under postulated event conditions.
- An ROSP is located outside the control room that (1) provides the capability to promptly shut down the reactor and includes instrumentation and controls to monitor the unit during shutdown, and (2) provides the capability for subsequent safe shutdown of the reactor through the use of suitable procedures.
7.4.3 System Evaluation
7.4.3.1 Main Control Room
The MCR is located in an Auxiliary auxiliary Building building (see Section 3.5) separate from the Reactor Building. There are no operator actions performed nor safety-related SSCs located in the MCR that are credited for mitigating the consequences of postulated events described in Chapter 13. Therefore, the MCR and Auxiliary the building Building that houses the MCR are designed to local building code standards.
The MCR consoles are designed to allow operators to manipulate plant parameters to control the reactor within an acceptable envelope during normal operating conditions, including planned transients. However, no operator actions are credited in the safety analysis of postulated events described in Chapter 13. Although the controls in the MCR are not credited in the safety analysis, the MCR consoles are designed as follows:

- MCR displays implements the guidance from NUREG-1537, Section 7.6, with respect to ease of operator's use. The plant controls are grouped and located in the MCR so that operators can easily reach and manipulate the controls. Displays of the results of an operator's actions are readily observable.
- The screen element organization and appearance of the consoles are designed to allow operators to perform actions to operate the reactor under normal operating conditions and to monitor it under postulated event conditions, consistent with PDC 19.
- The MCR consoles are digital interfaces that consider IEEE 7-4.3.2-2003 (Reference 1), as it relates to hardware design, and Regulatory Guide 1.152, Revision 2, "Criteria for Use of Computers in Safety Systems of Nuclear Power Plants." The control consoles in the MCR are designed to display plant parameters that indicate plant status. The MCR consoles display the following information:
  - Plant sensor data and digitally processed parameter outputs based on plant sensor data
  - Indications of PCS and RPS system and equipment status
  - Current and past operating parameter and system information for a duration relevant to inform process and maintenance trending
- Administrative controls are applied to the consoles in the main control room to prevent unauthorized access. MCR console screens are password protected and include interlocks such as swipe cards and multi-operator coordinated logins to prevent unauthorized access and systems actuation.

The MCR is located at a distance from the Reactor Building such that the radiological consequences of unfiltered air in the MCR during postulated events do not exceed 5 rem TEDE for the duration of the event. The environmental control features for the MCR are separate from the environmental control features for the Reactor Building. See Section 3.5 for more information about the Auxiliary Building that contains the MCR. The analysis of operator dose depends on the final design of the reactor's safety-related SSCs and the analysis will reflect the methods described in Chapter 13. Accordingly, a description of the analysis of operator dose will be provided in the application of the Operating License.
Further, Section 2.2 describes potential chemical hazards related to anhydrous ammonia and chlorine from offsite highway traffic. Sensors are provided for the MCR for anhydrous ammonia and chlorine. When levels of either of those chemicals are detected to be above a threshold value, the ventilation system for the MCR will be turned off and administrative procedures applied until the hazard dissipates.
The design features described above demonstrate conformance with PDC 19.
Figure 7.4-1: Architecture of the Main Control Room and the Remote Shutdown Onsite Panel