ML22243A249

Enclosure 1: Response to NRC Request for Additional Information 348
ML22243A249
Site: Hermes
Issue date: 08/31/2022
From: Kairos Power
To: Office of Nuclear Reactor Regulation
Shared Package: ML22243A247
References: KP-NRC-2208-014


Text

KP-NRC-2208-014 Enclosure 1 Response to NRC Request for Additional Information 348 (Non-Proprietary)

NRC Request for Additional Information

RAI Package 348, Question 408

Section 50.34 of Title 10 of the Code of Federal Regulations (10 CFR 50.34), "Contents of applications; technical information," provides requirements for information to be provided in a Construction Permit (CP). 10 CFR 50.34(a)(4) states that a CP shall contain a preliminary analysis and evaluation of structures, systems, and components (SSCs) to determine margins of safety during normal operations and transient conditions and the adequacy of SSCs provided for prevention and mitigation of the consequences of accidents.

As given in the Kairos topical report on principal design criteria for the KP-FHR, criterion 29, which is referenced in the Hermes Preliminary Safety Analysis Report (PSAR), states, "The protection and reactivity control systems shall be designed to assure an extremely high probability of accomplishing their safety functions in the event of anticipated operational occurrences." For the Hermes test reactor, "anticipated operational occurrences" is replaced by "postulated events" per PSAR Section 3.1.

NUREG-1537, Part 2, Section 4.2.2, "Control Rods," states that the staff should determine that reasonable assurance exists that the scram features designed for this reactor will perform as necessary to ensure fuel integrity and to protect the health and safety of the public.

Preliminary Safety Analysis Report Section 13.1.10.1, "Recriticality and Unprotected Events" states, "Unprotected events, or events where reactor shutdown is not achievable, are excluded from the design basis." In addition, Section 13.1.10.1 states, "The RCSS [reactivity control and shutdown system] is designed with sufficient independence, diversity, and redundancy from detection and actuation to element insertion to ensure reactor shutdown when necessary." To reach a reasonable assurance finding that the RCSS has sufficient reliability to preclude unprotected events, the staff is requesting additional information regarding the following:

1. Please describe any instrumentation and control design features which provide defense-in-depth or reduce the probability of a common cause failure to preclude an unprotected event.
2. What mechanical testing of the RCSS system will be performed to ensure element insertion, including the insertion of the shutdown elements into the pebble bed and control elements into the graphite reflector?
3. If control and shutdown elements (beyond the assumed highest worth stuck element) fail to insert, partially insert, or suffer neutron absorber loss (e.g., through the loss of element cladding integrity), are other means of reactivity control available to mitigate postulated events? If other means are not available, please describe how there is sufficient diversity or reliability to justify excluding unprotected events from the design basis.


Kairos Power Response

NRC Question 408, Item 1

Please describe any instrumentation and control design features which provide defense-in-depth or reduce the probability of a common cause failure to preclude an unprotected event.

Kairos Power has submitted changes to the PSAR and analytical methods to describe how the design conformed to PDC 26 (ML22243A138, ML22242A168). The change credits reliance on the shutdown elements as designed with sufficient worth to shut down the reactor in response to postulated events. Additionally, PSAR Section 13.1.10.1 clarified the meaning of an unprotected event as a scenario in which the safety-related reactor shutdown system would not be available to mitigate a postulated event. In order to preclude this scenario from occurring in the design basis, the shutdown portion of the RCSS, the reactor shutdown system (RSS), is designed with safety-related treatment, as described in 4.2.2, to ensure that the reactor will shut down during a postulated event.

The reactor protection system (RPS) is the specific instrumentation and control system credited for initiating the shutdown function which is performed by the RSS. The portion of the RPS that initiates the RSS is the reactor trip system (RTS). The RSS automatically initiates the insertion of the shutdown elements.

During normal operation, the RTS continuously sends a signal to keep the shutdown elements withdrawn from the reactor core. If power is lost, the continuous signal sent to the RCSS by the RTS is interrupted, and both the control elements and shutdown elements are inserted into the reactor (although only the shutdown element insertion is credited for satisfying PDC 26 for postulated events). Shutdown element positions are also monitored using two concurrent, independent, and diverse methods which allow for real-time functionality checks, as described in PSAR Section 4.2.2.1.

As described in PSAR Section 7.3.1, the RPS includes the following safety-related treatments to preclude an unprotected event:

- Separate channels of sensor electronics and input devices
- Redundant and separate groups of signal conditioning
- Redundant and separate groups of trip determination
- Safety-related components to provide electrical isolation from the non-safety-related DC power system power supply
- Multiple reactor trip devices
- RPS isolation hardware
- Two divisions of reactor trip system (RTS) voting and actuation equipment

The safety-related treatments include independence and redundancy to ensure that there is no portion of the RPS (from the detection of an off-normal event to the automatic initiation of the shutdown function of RSS) that is subject to a single failure.

The RPS design also includes diverse design features to preclude common cause failures. The Field Programmable Gate Array (FPGA) portion of the RPS could be postulated to experience a software logic-based common cause failure. In order to preclude such an unlikely failure, the RPS requires at least two different FPGA architectures (e.g., one-time programmable or flash-based, and static random-access memory). Additionally, a loss of power to the RPS could represent a postulated common cause failure. However, as described above, the design is such that a loss of power will result in shutdown element insertion.

Additionally (although not credited for shutdown of the reactor during a postulated event), the RPS will initiate the insertion of the control elements concurrent with insertion of shutdown elements, providing additional shutdown worth. RCSS control and shutdown element withdrawal from the core is inhibited by interlocks after a loss of power (which require a manual reset) to prevent inadvertent positive reactivity insertion when power returns as described in PSAR Section 7.3.1.

NRC Question 408, Item 2

What mechanical qualification testing of the RCSS system will be performed to ensure element insertion, including the insertion of the shutdown elements into the pebble bed and control elements into the graphite reflector?

The results of the mechanical testing of the RCSS that provide assurance it is qualified to operate in normal and postulated event environmental conditions will be available with the application for an Operating License. The PSAR includes commitments to test safety-related structures, systems, and components to ensure the successful performance of safety functions. As described in PSAR Section 4.2.2.3, the safety-related portion of RCSS will meet PDC 4, which requires that the control elements accommodate dynamic effects and be compatible with the environmental conditions during normal plant operation as well as during postulated events. As described in PSAR Chapter 12, Appendix B, Section 2.3.3, the adequacy of the design will be verified using methods including the performance of qualification tests. Qualification testing for the safety-related portion of the RCSS will be defined in a formal test plan that includes appropriate acceptance criteria and demonstrates the system reliability and adequacy of performance under conditions that simulate the most adverse design basis conditions.

The shutdown elements and drive mechanisms will also meet ASME Section III, Division 5 loads due to operational stepping, reactor trip, stuck element, fatigue, and shipping and handling. As stated in a previously submitted change to PSAR Section 4.2.2.3 (ML22062B679), the shutdown elements are qualification tested out-of-pile prior to operation and a conservative wear limit is established to ensure that wear during element movement is acceptable.

The reactor vessel head penetrations, in which the safety-related reactor shutdown elements insert through the upper graphite reflector and directly into the pebble bed, meet Reference 1 requirements. The shutdown elements themselves are also qualified to insert under seismic conditions. The graphite reflector blocks are designed to maintain their structural integrity, as described in PSAR Section 4.3, and are qualified in accordance with Reference 2.

Testing is performed to confirm the insertion time of individual shutdown elements is within the insertion time assumed within the postulated event analysis. Testing is also performed to confirm that the insertion time of all shutdown elements concurrently inserting is within the insertion time assumed in the postulated event analyses. As stated in Section 4.2.2.3 of the PSAR, the insertion capability of the shutdown elements will also be demonstrated as part of startup testing by performing insertion time testing. An insertion test of each shutdown element will be for the expected deflection of the insertion path. An insertion test deflects the shutdown element upper reflector guide structures consistent with the maximum misalignment. The shutdown element insertion time is measured and compared to the insertion time testing performed with no deflection of the upper reflector guide structures. These tests provide assurance that the upper reflector blocks maintain the shutdown element insertion pathways.

NRC Question 408, Item 3

If control and shutdown elements (beyond the assumed highest worth stuck element) fail to insert, partially insert, or suffer neutron absorber loss (e.g., through the loss of element cladding integrity), are other means of reactivity control available to mitigate postulated events? If other means are not available, please describe how there is sufficient diversity or reliability to justify excluding unprotected events from the design basis.

Although there are other means of reactivity control in addition to the RSS, those means are not credited to perform the shutdown safety function. The failure of the shutdown elements to insert in response to a postulated event is beyond the design basis. Many existing systems provide assurance that the RSS has sufficient diversity and reliability to shut down the reactor in response to a postulated event: the safety-related design features of the RPS and RSS described in the response to Item 1 above, the testing described in response to Item 2 above, and the periodic testing and inspections discussed in PSAR Section 4.2.2.4. Consistent with the NRC guidance in NUREG-1537, the performance of the RSS is evaluated in a postulated event assuming the highest worth shutdown element does not insert.

The control portion of the RCSS is not credited for shutdown worth in the mitigation of postulated events. However, as described in the response to Item 1 above, the RPS initiates an insertion of the control elements concurrent with the shutdown elements. This system provides an additional non-credited diverse and reliable means of reactivity control. The four reactivity control elements insert into the upper and side reflector, near the periphery of the core. Section 4.2.2.1 of the PSAR also states that the control elements are an assembly of segmented annular cylinders, which differs from the cruciform-shaped shutdown elements.

References:

1. ASCE 43-19, Seismic Design Criteria for Structures, Systems, and Components in Nuclear Facilities.
2. Kairos Power LLC, Graphite Material Qualification for the Kairos Power Fluoride Salt-Cooled High-Temperature Reactor, KP-TR-014-P, Revision 3.

Impact on Licensing Document:

This response does not impact the Kairos Power construction permit application. However, a previously submitted change to the Kairos Power Preliminary Safety Analysis Report (ML22243A138, ML22242A168) made relevant changes.
