ML23017A150

From kanterella
Jump to navigation Jump to search
Preliminary Hermes CP SE Chapter 7, Instrumentation and Control Systems for ACRS
ML23017A150
Person / Time
Site: Hermes
Issue date: 01/10/2023
From: Benjamin Beasley
NRC/NRR/DANU/UAL1
To:
Advisory Committee on Reactor Safeguards
References
Download: ML23017A150 (1)
v  d  e


Text

7 INSTRUMENTATION AND CONTROL SYSTEMS THIS NRC STAFF DRAFT SE HAS BEEN PREPARED AND IS BEING RELEASED TO SUPPORT INTERACTIONS WITH THE ACRS. THIS DRAFT SE HAS NOT BEEN SUBJECT TO FULL NRC MANAGEMENT AND LEGAL REVIEWS AND APPROVALS, AND ITS CONTENTS SHOULD NOT BE INTERPRETED AS OFFICIAL AGENCY POSITIONS.

Chapter 7 of the Kairos Power LLC (Kairos) Hermes construction permit safety evaluation report (SER) describes the U.S. Nuclear Regulatory Commission (NRC) staff technical review and evaluation of the preliminary design of the Hermes non-power test reactor structures, systems, and components (SSCs) as presented in Chapter 7.0, Instrumentation and Controls, of the Hermes Preliminary Safety Analysis Report (PSAR), Revision 1 (Agencywide Documents Access and Management System (ADAMS)

Accession No. ML22272A595). The Hermes construction permit application is for a non-power reactor facility and is to test and demonstrate the key technologies, design features, and safety functions of the Kairos Power-FHR technology and its SSCs.

As part of this review, the staff evaluated descriptions and discussions of Hermes PSARs Instrumentation and Control (I&C) systems, with special attention to design and operating characteristics, unusual or novel design features, and principal safety considerations. The preliminary design of Hermes PSARs I&C systems was evaluated to ensure the appropriate Principal Design Criteria (PDC) and design bases have been established and information relative to materials of construction, general arrangement, and approximate dimensions are sufficient to provide reasonable assurance that the final design will conform to the design basis.

Areas of review for this section included I&C process control systems, reactor protection system, main control room (MCR), remote onsite shutdown panel (ROSP), display information, and sensors. Within these review areas, the staff assessed the preliminary analysis of the I&C systems needed to monitor key parameters and variables, maintain parameters and variables within prescribed operating ranges, alert operators when operating ranges are exceeded, assure safety limits are not exceeded.

NUREG-1537, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Part 2, Standard Review Plan and Acceptance Criteria can be found in ML042430048 and provides guidance to the staff for performing safety reviews of applications to construct, modify, or operate a nuclear non-power reactor. The staff used NUREG-1537, Part 2 as guidance and acceptance criteria to review the Hermes construction permit application for a non-power reactor facility.

The NRC staffs findings and conclusions in this SER are limited to whether the Hermes non-power test reactor satisfies the Title 10 Code of Federal Regulations (10 CFR) Part 50 requirements for the issuance of a construction permit.

7.1 Instrumentation and Controls Overview Hermes PSAR, Section 7.1.1, Summary Description, states that the I&C systems monitor and control plant operations during normal operations and planned transients. The systems also monitor and actuate protection systems in the event of unplanned transients. The I&C is comprised of four parts, described in the bulleted list below. Each of the four parts are described in further detail in subsequent subsections of this SER. The architectural design of the system accounts for interconnection interfaces for plant I&C SSCs. PSAR Figure 7.1-1, Instrumentation and Controls System Architecture, provides an overview of the I&C system architecture.

  • The plant control system (PCS) provides the capability to reliably control the plant systems during normal, steady state, and planned transient power operations, including normal plant startup, power maneuvering, and shutdown. The PCSJ is evaluated in Section 7.2 of this SER.

The RPS is evaluated in Section 7.3 of this SER.

  • The MCR and ROSP provide the capability for plant operators to monitor plant systems, control plant systems, and to initiate plant shutdown. The MCR and ROSP are evaluated in Section 7.4 of this SER.
  • Sensors provide input to multiple control and protection systems and are evaluated in Section 7.5 of this SER.

As stated in the PSAR, the I&C system implements the Institute of Electrical and Electronics Engineers (IEEE) Standard 603-2018, Standard Criteria for Safety Systems for Nuclear Power Generating Stations, IEEE Standard 7-4.3.2-2003, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations, and other consensus standards for safety-related I&C functions. The I&C system incorporates the principles of independence, redundancy and diversity. Features reflecting those principles are discussed in the specific subsystem descriptions.

The RPS is the safety-related system credited for tripping the reactor and actuating engineered safety features. Accordingly, the RPS is isolated and independent from the other I&C systems and uses input signals from independent instrumentation. RPS instrumentation signals are provided to the PCS via a data diode, which is part of the RPS hardware platform. As described in PSAR Section 7.3, Reactor Protection System, the RPS is isolated from other I&C systems, including the MCR and the ROSP, using safetyrelated isolation hardware. Isolation is achieved through features built into the hardware platform or through separate isolation devices. The I&C system includes the capability for both manual and automatic control. The sensors for temperature, pressure, neutron count rates, level, flow, radiation level, and other analog and digital field detectors provide input to the RPS and PCS.

The PSAR states that the RPS includes sensors, trips and interlocks to shut down the reactor when operating parameters exceed operational limits. This includes release of the control and shutdown elements within a set of defined parameters after the onset of a postulated event. As shown on PSAR Figure 7.1-1, the RPS sensors are separate from the PCS sensors, which input into the PCS. Specific trips and interlocks are discussed in Section 7.3. The PSAR states that RPS actuate setpoints for trips and interlocks are calculated based on the following design approaches:

  • Simulation models: Time to reach operational limits based on system qualification (environments, process conditions, etc.) as demonstrated by actual empirical data collected during simulation testing.
  • RPS Technical Specifications: Measurement time, process parameters as informed by safety case assumptions and bounded by Technical Specification limits.
  • Mechanical design and testing - response time for actuation to complete: Time to detect, process, and actuate the required controls; this time should be less than the time between event onset and parameter reaching a limiting condition for continued operation.
  • Tiered (graded) approach to protection: The RPS utilizes highly reliable safety-related parameters as the final level of protection for public health and safety.

The PDC for the facility SSCs are described in PSAR Chapter 3, Design of Structures, Systems and Components, and are based on those specified in the NRC-approved Kairos Power Topical Report, KP-TR-003-NP-A, Principal Design Criteria for the Kairos Power Fluoride Salt-Cooled, High Temperature Reactor, can be found in ML20167A174. Hermes PSAR Table 3.1-3, Design Related 10 CFR Regulations Applicable to the Design, identify the 10 CFR Regulations applicable to the design.

7.2 Plant Control System Introduction Hermes PSAR, Section 7.2.1, Description, states that the PCS is a non-safety -related control system which controls reactor startup, changes in power levels, and shuts down the reactor. The PCS is made up of three subsystems:

  • reactor control system (RCS)
  • reactor coolant auxiliary control system (RCACS)
  • primary heat transport control system (PHTCS)

The PCS maintains plant parameters within the normal operating envelope and provides data to the control consoles located in the main control room.

As described in the PSAR, the Hermes PCS is a microprocessor-based distributed control system that individually controls plant systems using applicable inputs. The subsystems listed above are integrated into the PCS using non-safety related signal wireways which are terminated at local cabinets and using redundant, non-safety, real time data highways. The plantwide sensor inputs are used to verify interlock and permissive rules for the various plant states. The sensor data is also used to provide feedback and alarms to the operators via the control consoles. The PCS is powered by alternating current (AC) and direct current (DC) power supplies which are discussed in Hermes PSAR, Chapter 8, Electric Power System. The PCS uses non-safety related sensor inputs as well as safety-related sensor inputs from the RPS as described in PSAR Section 7.3.3.

Regulatory Evaluation The applicable regulatory requirements for the evaluation of Hermes PSAR Section 7.2 are as follows:

For its evaluation of the PCS, the staff used the guidance and following acceptance criteria found in NUREG-1537, Part 2, Section 7.3, Reactor Control System.

  • Application of the functional design and analyses to the development of bases of technical specifications, including surveillance tests and intervals.
  • Description, including logic, schematics, and functional diagrams, of the overall system and component subsystems.
  • PCS failure modes to determine if any malfunction of the RCS could prevent the RPS from performing its safety function or could prevent safe shutdown of the reactor.

The Design Specific Review Standard (DSRS) for NuScale Small Modular Reactor Design, Chapter 7, Instrumentation and Controls, found in ML15355A295, was used to evaluate I&C design principals of independence, redundancy and diversity, and the I&C architecture for the PCS.

The PDC for the facility SSCs are described in Hermes PSAR Section 3.1 and are based on those specified in the NRC-approved Kairos Power Topical Report, KP-TR-003-NP-A, Principal Design Criteria for the Kairos Power Fluoride Salt-Cooled, High Temperature Reactor found in ML20167A174. Hermes PSAR, Section 3.1, Table 3.1-3, Principal Design Criteria identifies PDC 13 as applicable to Section 7.2.

Technical Evaluation Architecture The PCS is made up with three subsystems: RCS, RCACS, and PHTCS. As shown in Figure 7.1-1 in the PSAR, each of the subsystems are independent from one another. The PCS is independent from the MCR, isolated via a gateway, and is independent and isolated from the RPS sensor inputs via a one-way data diode. The non-safety sensors provide input signals using non-safety related signal wireways that are terminated at local cabinets using redundant, non-safety, real time data highways.

For the RCS, PSAR Section 7.2.1.1 states that the RCS controls and monitors systems and components that support normal operation, planned transients, and normal shutdown of the reactor.

The RCS controls the systems listed in Figure 7.1-1 in the PSAR. The RCS controls reactivity for normal operations and normal shutdown using reactor control elements and reactor shutdown elements in the reactivity control and shutdown system (RCSS), which is evaluated in Section 4.2 of this SER.

The RCS is capable of incrementally changing the position of reactor control elements and of releasing the control and shutdown elements. The RCS inputs include reactor outlet and inlet temperature sensors and source and power range neutron excore detectors. The RCS provides a reactor monitoring function to monitor plant components that are associated with reactor functions. The RCS uses source and power range sensors that are located outside the reactor vessel for reactor control. The RCS controls pebble insertion and extraction, in-vessel pebble handling, and ex-vessel pebble handling in the pebble handling and storage system (PHSS), which is evaluated in Section 9.3 of this SER, and is capable of counting linearized pebbles external to the vessel, controlling the rate of pebble insertion and removal from the vessel, and controlling pebble distribution within the PHSS. Additionally, the RCS controls the reactor thermal management system (RTMS), evaluated in Section 9.1 of this SER, which monitors the temperature of the primary system to maintain it within the normal operating envelope and to implement planned transients. The RCS also controls external heating elements in the RTMS to prevent overcooling.

For the RCACS, PSAR Section 7.2.1.2 states that the RCACS controls the chemistry control system that monitors reactor coolant chemistry, which is evaluated in Section 9.1 of this SER. The monitoring systems provide information to facilitate maintaining coolant purity and circulating activity within specifications for the system. The RCACS also controls the inert gas system, evaluated in Section 9.1 of this SER.

For the PHTCS, PSAR Section 7.2.1.3 states that the PHTCS controls and monitors systems and components that support normal operation of the primary heat transport system (PHTS). The purpose of the PHTCS is to control the transport of primary coolant through the PHTS, to maintain the primary

coolant in a liquid state, to control the rejection of heat from the PHTS, and to monitor the inventory of primary coolant in the PHTS. The PHTCS maintains the parameters in the PHTS within the normal operating envelope. The PHTCS controls the primary salt pump, the primary loop thermal management subsystem, and the heat rejection subsystem. The PHTCS does not provide a safety function; however, as discussed in Section 7.3 of this SER, the RPS trips the primary salt pump (PSP) on a reactor trip, as a protection feature for the reactor system related to the pump.

The staff finds that the architecture shown in Figure 7.1-1 and the descriptions provided in Section 7.2 of the Hermes PSAR demonstrate an adequate design basis for the preliminary design of the PCS to meet the I&C design principals of independence, redundancy and diversity and maintain the plant within its normal operation. DSRS Chapter 7, Sections 7.1.2, 7.1.3, and 7.1.5 provide guidance to review the I&C principals of independence, redundancy, and diversity. DSRS Appendix B provides guidance for reviewing I&C architectures. The descriptions provided by the applicant are consistent with the guidance found in the DSRS and in Appendix B of the DSRS and the staff finds the information to be adequate at this stage of the licensing process. Further information can reasonably be left for later consideration at the OL stage.

Communications As shown on PSAR Figure 7.1-1 and described in PSAR Section 7.2.1, there is no communication from the PCS to the RPS; communication is from the RPS to the PCS through safety-related isolation and data diode. Additionally, the RPS provides interlocks that remove the power from the RCSS control, PHSS, RTMS, PSP, PLTMS, and HRCS controllers. The description of communication paths between the PCS and RPS provided by the applicant is consistent with the guidance in DSRS Section 7.1.2. on independence because the proposed design exhibits communication independence between safety and non-safety systems. The staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Codes and Standards Hermes PSAR, Table 7.2-2, Standards Applicable to the Plant Control System states that the Hermes software development process will follow Annex C, Sections C.2.2.2, C.2.2.3 and C.2.3 of IEEE Std. 7-4.3.2-2003, IEC 61131 for the programable controllers, and IEC 62443 for cyber security. The staff reviewed PSAR Table 7.2-2, which lists the standards for the digital platform. The staff finds that the standards provided by the applicant are adequate for the design of the PCS, because the standards listed provide sufficient guidance for software development, hardware/software for controllers, and cyber security and are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.3, identified above. The staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Technical Specifications PSAR Table 14.1-1, Proposed Variables and Conditions for Technical Specifications states that the RCS objective is to infer or calculate reactivity coefficients during normal plant operation to limit the severity of a reactivity transient. The staff reviewed the information provided in PSAR Section 7.2.1.1 that describes how the RCS controls reactivity for normal operations and limits rapid reactivity insertion via the reactor control elements. Additionally, PSAR Section 7.2.3 describes that the PCS, which is designed to monitor plant parameters and maintain systems with normal operation and to control planned transients associated with anticipated operational occurrences. The staff finds the information provided is adequate to support the preliminary development of the technical specifications because

setpoints are adjusted automatically based on plant modes or adjusted by operators to limit the severity of reactivity transients, thus, maintaining reactivity coefficients within limits over the allowable range of operation. The staff finds the information is consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.3. The staff finds the information to be adequate at this stage of the licensing process, and that further information can reasonably be left for later consideration at the OL stage.

Logic, Displays, and Alarms As stated in Hermes PSAR Section 7.2.1, the PCS includes trips, interlocks, and annunciations to monitor the operation of the PCS. The staff reviewed PSAR Sections 7.2.1.1, 7.2.1.2, 7.2.1.3, 7.2.1.4, Tables 7.2-1 and 7.2-3, and finds that the trips, interlocks, and annunciations as described are able to monitor and maintain variables and systems over their anticipated ranges for normal operation and over the range defined in postulated events. The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.3. The staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Failure Modes Hermes PSAR, Section 7.2.3, states that the PCS is designed so that it cannot interfere with the RPSs ability to perform its safety functions. This is accomplished by isolating the RPS from the PCS and other non-safety SSCs. Additionally, the PSAR states that the RPS deactivates non-safety related SSCs controlled by the PCS that would affect the RPS from performing its safety functions.

The isolation and deactivation of non-safety SSCs are described and evaluated in Section 7.3 of this SER. The descriptions of how failure modes of the PCS do not interfere with the RPS performance of its safety functions provided by the applicant are reasonable because they are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.3. The staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Conclusion The staff finds that the level of detail provided on PCS, including its RCS, is consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.3, Reactor Control System, and demonstrates an adequate design basis for a preliminary design.

A more detailed evaluation of information (e.g., ranges of transient and steady-state conditions, requirements for multiple setpoints and trip criteria, PCS platform) will occur during the review of Hermess FSAR, at which time the staff will confirm that the final design conforms to PDC 13 for the facility SSCs based on the NRC-approved Kairos Power Topical Report, KP-TR-003-NP-A and applicable regulations.

Based on its review, the staff finds that the preliminary design of the Hermes PCS, as described in Hermes PSAR Section 7.2, is sufficient and meets the applicable regulatory requirements and guidance for the issuance of a construction permit in accordance with 10 CFR 50.35 and 10 CFR 50.40.

7.3 Reactor Protection System Introduction

Hermes PSAR, Section 7.3.1, Description, states that the RPS provides protection for reactor operations by initiating signals to mitigate the consequences of postulated events and to ensure safe shutdown. The RPS is the only portion of the I&C system that is safety-related and that is credited for tripping the reactor and actuating engineered safety features. The purpose of the RPS is to actuate upon receipt of a trip signal in response to out-of-normal conditions and provide automatic initiating signals to protection functions. There are three possible trip sources that can cause the RPS to actuate:

  • process variables reach or exceed specified setpoints, as measured by RPS sensors;
  • manual initiation from the MCR or ROSP; and
  • plant electric power is lost (with a time delay).

There are three protection functions that result from RPS actuation:

  • actuate the RCSS that inserts control and shutdown elements into the reactor core;
  • inhibit actions from the PCS so that it does not interfere with the functioning of the RPS; and
  • ensure an actuation of the decay heat removal system (DHRS) that passively removes heat from the PHTS to the atmosphere.

Actuation of the RPS to trip the reactor includes several actuations that stop specific non-safety related SSCs, normally controlled by PCS, to ensure that those non-safety related SSCs do not prevent a safety-related SSC from performing its safety function. The non-safety related functions that are stopped via removal of power to controllers are shown in Hermes PSAR, Figure 7.1-1. The RCSS element withdrawal is inhibited after a loss of power to prevent inadvertent positive reactivity insertion when power returns. The PSP is stopped to maintain a low-pressure fluoride-lithium-beryllium (Flibe) salt coolant inventory in the core. The heat rejection subsystem blower is stopped to prevent potential forced air ingress into the PHTS and inadvertent overcooling. Pebble extraction and insertion in the PHSS is stopped to prevent removing pebbles from the core in the event of a PHSS extraction line break. Finally, RTMS actuation is prohibited to prevent a challenge to the heat removal capability of the DHRS. These inhibitions are accomplished through safety-related trip devices as shown in PSAR Figure 7.1-1.

The RPS is built on a logic-based platform that does not utilize software or microprocessors for operation. It is composed of logic implementation using discrete components and field programmable gate array (FPGA) technology. The RPS is isolated from other I&C systems, including MCR and the ROSP, using safety-related isolation hardware. Isolation is achieved through features built into the hardware platform or through separate isolation devices.

Reactor trip functions are hardcoded into FPGA logic and are not dependent on plant operating state.

Operating conditions are compared against the trip setpoints and actuate protection functions according to established programmable logic. The RPS cabinets are located within the safety-related portion of the reactor building within an environmentally separated enclosure.

The RPS uses inputs from the reactor core temperature, reactor vessel level, and source and power range neutron excore detectors.

Regulatory Evaluation

The applicable regulatory requirements for the evaluation of Hermes PSAR Section 7.3 are as follows:

  • Descriptive information, including system logic and schematic diagrams, showing all instruments, computer hardware and software, electrical, and electromechanical equipment used in detecting reactor conditions requiring scram or other reactor protective action and in initiating the action.
  • Analysis of adequacy of the design to perform the functions necessary to ensure reactor safety, and its conformance to the design bases, acceptance criteria, and the guidelines used.
  • Assessment of the suitability of detector channels for initiating reactor protection (scrams).
  • Proposed trip setpoints, time delays, accuracy requirements, and actuated equipment response to verify that the RPS is consistent with the PSAR.
  • Analyses of safety limits, limiting safety system settings (LSSS), and limiting conditions of operation (LCOs), and that this information is adequately included in the technical specifications as discussed in Chapter 14, Technical Specifications.
  • Computer hardware, software, and software verification and validation programs for reactor designs that use computerized protection subsystems.
  • Consideration of the PSAR analyses for the RPS to be designed to perform its safety function after a single failure and to meet requirements for seismic and environmental qualification, redundancy, diversity, and independence.

DSRS for NuScale Small Modular Reactor Design, Chapter 7 was used to evaluate I&C design principals of independence, redundancy and diversity, plant safety function allocation, communication between safety-related and non-safety-related I&C systems, and the I&C architecture for the Hermes RPS.

The PDC for the facility SSCs are described in Hermes PSAR Section 3.1 and are based on those specified in the NRC-approved Kairos Power Topical Report, KP-TR-003-NP-A. Hermes PSAR, Section 3.1, Table 3.1-3 identifies PDCs 1, 2, 3, 4, 10, 13, 15, 20, 21, 22, 23, 24, 25, 28, and 29 as applicable to Chapter 7.3.

Technical Evaluation Architecture Hermes overall I&C architecture is shown in Hermes PSAR, Figure 7.1-1 and the specific RPS architecture is shown in Hermes PSAR, Figure 7.3-1. The staff reviewed the Hermes I&C architecture using the guidance found in DSRS Chapter 7, Sections 7.1.2, 7.1.3, and 7.1.5 and Appendix B. The

I&C architecture for the RPS demonstrates adherence to the fundamental I&C design principles by having four channels, with separate sensors for each channel, identifies trip outputs, and isolation devices, either data diodes or safety-related isolation devices for signals going in and out of the RPS.

The staff finds that the architecture shown in Figure 7.1-1, Figure 7.3-1 and the descriptions provided in Section 7.3 of the Hermes PSAR demonstrate an adequate design basis for the preliminary design of the RPS to meet the fundamental I&C design principles of independence, redundancy, and diversity for a safety system. DSRS Chapter 7, Sections 7.1.2, 7.1.3, and 7.1.5 provide guidance to review the I&C principals of independence, redundancy, and diversity. DSRS Appendix B provides guidance for reviewing I&C architectures. The descriptions provided by the applicant are consistent with the guidance found in the DSRS and in Appendix B of the DSRS and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage Protective Functions Hermes PSAR, Section 7.3.1 states that the three Kairos Power Fluoride Salt-Cooled High Temperature Reactor (KP-FHR) protection functions resulting from RPS actuation have separate channels of sensor electronics and input devices, redundant and separate groups of signal conditioning, and redundant and separate groups for trip determination to ensure that the three KP FHR protection functions that result from RPS actuation: 1) actuate the RCSS that inserts control and shutdown elements into the reactor core, 2) inhibit actions from the PCS so that it does not interfere with the functioning of the RPS, and 3) ensure an actuation of the DHRS that passively removes heat from the PHTS to the atmosphere can be met. The staff finds that the descriptions provided in PSAR Section 7.3.1 of how the three KP-FHR protection functions are to be implemented are adequate and consistent with the applicable acceptance criteria found in NUREG-1537, Part 2, Section 7.4. The staff finds that the information provided is adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Communications As shown in Figure 7.1-1, all communications between safety-related and non-safety-related I&C systems are accomplished using a data diode or a safety-related isolation device. Actuation of the RPS to trip the reactor includes several actuations that stop specific non-safety related SSCs actuations, normally controlled by the PCS, to ensure that those non-safety related SSCs do not prevent a safety-related SSC from performing its safety function. The staff finds that the communications scheme for the RPS demonstrates an adequate design basis for the preliminary design of the RPS to provide independence for the communication between safety and non-safety systems. The descriptions provided by the applicant are consistent with the guidance found in the DSRS Section 7.1.2 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Codes and Standards Hermes PSAR, Sections 7.3.2, Design Bases, and 7.3.3, System Evaluation, identify regulatory requirements as applicable for the RPS. The RPS is to be designed in accordance with IEEE Std 603-2018. Additional design-related information for the RPS is shown in PSAR Table 7.3-1, Codes and Standards Applied to the Reactor Protection System. The staff reviewed Table 7.3-1 and Sections 7.3.2 and 7.3.3 and finds that the codes and standards and descriptions, provided by the applicant, are adequate because sufficient guidance is provided for development of the safety-related RPS and are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.4. The staff finds the information to be adequate at this stage of the licensing process and that further information can

reasonably be left for later consideration at the OL stage.

Logic and Schematics Hermes PSAR, Figure 7.3-1, Reactor Protection System Trip Logic Schematic, and PSAR Sections 7.3.1, 7.3.2, and 7.3.3 provide the information, including system logic and schematic diagrams, showing all instruments, computer hardware and software, electrical, and electro-mechanical equipment used in detecting reactor conditions requiring scram or other reactor protective action and in initiating of the actions. The staff reviewed Figure 7.3-1 and PSAR Sections 7.3.1, 7.3.2, and 7.3.3 and finds that the trip logic scheme provides protection for reactor operations by initiating signals to mitigate the consequences of postulated events and to ensure safe shutdown. The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.4 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Trip Functions Hermes PSAR Figure 7.3-1 and Section 7.3.1 describe that there are three possible trip sources, which are: 1) process variables reach or exceed specified setpoints, as measured by the RPS sensors;

2) manual initiation from the MCR or ROSP; and 3) plant electric power is lost (with a time delay).

The three protection functions that result from RPS actuation are: 1) activate the RCSS that inserts control and shutdown elements into the reactor core; 2) inhibit actions from the PCS so that it does not interfere with the functioning of the RPS; and 3) ensure activation of the DHRS that passively removes heat from the PHTS to the atmosphere. The staff reviewed the adequacy of the preliminary design to perform the functions necessary to ensure reactor safety for the three protective functions specified in the safety analysis and the design of hardware and software relevant to trip functions using relevant guidance, including IEEE standards and guidance listed by the applicant in PSAR Table 7.3-1.

The staff finds that the descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.4 and the relevant IEEE standards because the trip functions, as described, will be able to perform the functions necessary to ensure reactor safety.

The staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Accident Mitigation PSAR Chapters 5, Heat Transport System, 6, Engineered Safety Features, and 13, Accident Analysis, describe the systems, safety features, and safety functions necessary to mitigate the consequences of postulated events and to ensure safe shutdown. PSAR Sections 7.3.1.1 and 7.3.1.2 describe the I&C components and logic to actuate systems, safety features, and safety functions that are necessary to mitigate the consequences of postulated events and to ensure safe shutdown. The staff finds that PSAR Sections 7.3.1.1 and 7.3.1.2 adequately describes the RPS safety features to ensure initiation of the three protective functions. The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.4 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Safety Settings Hermes PSAR Chapter 7 does not provide any information for proposed trip setpoints, time delays, and accuracy criteria. The Hermes PSAR does not identify the I&C platform or sensors; therefore the staff cannot verify trip setpoints, time delays, and accuracy criteria. However, based on the staffs review of the architecture and descriptions to perform the functions necessary to ensure reactor safety and the use of ANSI/ISA 67.04.01-2018, as described in PSAR Section 7.1.2, to establish the safety-related

setpoints, the staff finds that the information provided is adequate for the preliminary design of the RPS to support tripping of the reactor when called upon. Once the design is final, sensors with appropriate ranges established to protect the analytical limits specified in the plant safety analysis will be selected as shown in PSAR Table 7.5-1 and setpoints will be established using methodology described in PSAR Section 7.1.2. The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.4 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Response Time Hermes PSAR, Chapters 7 and 13, do not provide any information on the RPS equipment response times to satisfy the response times allocated from trip initiation to trip completion for the I&C equipment.

However, Chapter 13, Transient Assumption, in various sections, states that the postulated event analysis assumes conservative trip and actuation delays to account for any uncertainty in the signal time associated with the RPS. The staff finds the assumption for response time in Chapter 13, to be acceptable as an adequate design basis for the preliminary design because the assumed conservative trip will account for all I&C response times. The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.4 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Technical Specifications The technical specifications described in PSAR Chapter 14 are evaluated in Section 14 of this SER by the staff to verify appropriate safety limits, LSSS, LCOs, surveillance tests and intervals. PSAR Section 7.3.1 describes the RPS features required to be in the technical specifications that are credited for tripping the reactor and actuating engineered safety features. PSAR Section 7.3.4 states that the RPS parameters to which operability controls are applied are reactor core temperature, reactor vessel level, source and power range neutron detectors. Surveillance intervals are established based on operating experience, engineering judgement, and available vendor recommendations. The staff finds that the information provided in Section 7.3 describing operational limits, design parameters, and surveillance/testing information to be adequate for the preliminary development of technical specifications and safety-related trip settings, as necessary, for the RPS. Once the design is final and the I&C equipment requirements have been specified, the staff will be able to verify that appropriate safety limits, LSSS, LCOs, surveillance tests and intervals are adequate to ensure reactor safety.

The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.4 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

I&C Platform Hermes PSAR, Section 7.3.1, states that the RPS is built on a logic-based platform that does not utilize software or microprocessors for operation and is composed of logic implementation using discrete components and field programmable gate array (FPGA) technology. The staff reviewed the descriptions provided in PSAR Section 7.3.1 and finds they are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.4 because they describe the appropriate software development guidance documents, including verification and validation, that are necessary when developing FPGA-based systems. Once the platform has been identified and more information is available, the staff can confirm the implementation and then evaluate if the I&C platform can perform its safety-related

functions. The staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Single Failure Hermes PSAR Section 7.3.3 states that no single failure results in loss of the RPS protective functions and PSAR Tables 3.1-3 and 7.3-1, list the codes and standards applicable to the RPS. IEEE Std. 603-2018, specifically Section 5, specifies that the RPS is designed to perform its safety function after a single failure and to meet seismic and environmental qualification, redundancy, diversity, and independence criteria. Additionally, IEEE Std. 379-2014, IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems, is also listed in Table 7.3-1, as a means to meet the single failure criterion. The staff reviewed PSAR Section 7.3.3 and PSAR Tables 3.1-3 and 7.3-1 and finds they provide sufficient guidance to ensure that the RPS can be designed to perform its safety function after a single failure and to meet seismic and environmental qualification, redundancy, diversity, and independence criteria. The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.4, and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Conclusion The staff finds that the level of detail provided on RPS satisfies the acceptance criteria in NUREG-1537, Part 2, Section 7.4, Reactor Protection System, and demonstrates an adequate design basis for a preliminary design.

A more detailed evaluation of information (e.g., ranges of transient and steady-state conditions, requirements for multiple setpoints and trip criteria, and RPS platform) will occur during the review of Hermess FSAR, at which time the staff will confirm that the final design conforms to the PDCs 1, 2, 3, 4, 10, 13, 15, 20, 21, 22, 23, 24, 25, 28, and 29 for the facility SSCs, based on in the NRC-approved Kairos Power Topical Report, KP-TR-003-NP-A and applicable regulations.

Based on its review, the staff finds that the design of the Hermes RPS, as described in Hermes PSAR Section 7.3, is sufficient to meet the applicable regulatory requirements and guidance for the issuance of a construction permit in accordance with 10 CFR 50.35 and 10 CFR 50.40.

7.4 Main Control Room and Remote Shutdown Panel Introduction Hermes PSAR, Section 7.4.1, Description, states that the MCR provides means for operators to monitor the behavior of the plant, control performance of the plant, and manage the response to postulated event conditions in the plant. The ROSP provides separate means to shutdown the plant and monitor plant parameters in response to postulated event conditions.

Hermes PSAR, Section 7.4.1.1, states that the MCR contains equipment related to normal operation of the plant. This equipment includes operator and supervisor workstation terminals, which provide alarms, annunciations, personnel and equipment interlocks, and process information. This equipment is the main point of interaction (human/system interface (I)) between operators and the PCS and the information coming from the RPS. The terminals are connected to the main plant network through a network switch. The system uses redundant fiber optic communication channels between the PCS and the MCR. Communication from the RPS to the MCR utilizes a data diode for one-way communication.

The MCR console displays plant parameters to allow operators to monitor conditions during and following postulated events. The MCR console contains a manual trip switch that propagates through safety-related isolation, which allows operators to initiate a plant trip, but this is not a safety-related function nor credited in the accident analyses. The MCR also contains a central alarm panel for the fire protection system so that operators can monitor the status of fire protection equipment inside the reactor building. The central alarm panel includes controls for the ventilation and extinguishing systems related to the response to fires.

Hermes PSAR, Section 7.4.1.2, states that the ROSP provides tIHSI for plant staff to monitor indications from the reactor protection system including operating status of the RPS and the DHRS in the event that the MCR becomes inaccessible or uninhabitable. The ROSP communicates (one-way, read-only) with the RPS instrumentation using a safety-related isolation device, with the ability to initiate a trip signal from a manual trip button that actuates RPS. The ROSP is not safety-related and is located in the safety-related portion of the reactor building.

Regulatory Evaluation The applicable regulatory requirements for the evaluation of Hermes PSAR Section 7.4 are as follows:

  • 10 CFR 50.40, Common standards For its evaluation of the MCR and ROSP, the staff used the guidance and following acceptance criteria in NUREG-1537, Part 2, Section 7.6, Control Console and Display Instruments.
  • Regulations, bases, criteria, standards, and guidelines that the applicant intends to comply with for the MCR and ROSP design.

Analysis of the adequacy of the design to perform the necessary, control and protection actuation, and information management, storage, and display funct

  • ions.

Coordination with review of other PSAR chapters to verify control inputs and displayed parameters apply for the systems invo

  • lved.

Coordination with technical specifications review to verify that appropriate surveillance tests and intervals are specified to ensure that the instruments and equipment will perform their functions as desi

  • gned.

DSRS for NuScale Small Modular Reactor Design, Chapter 7 was used to evaluate I&C design principals of independence, redundancy and diversity, the I&C architecture, and communication between safety and non-safety system for the MCR, ROSP, and other I&C Platforms.

The PDC for the facility SSCs are described in Hermes PSAR Section 3.1 and are based on those specified in the NRC-approved Kairos Power Topical Report, KP-TR-003-NP-A. Hermes PSAR, Section 3.1, Table 3.1-3 identifies PDC 19 as applicable to Section 7.4.

Technical Evaluation Architecture The staff reviewed the overall I&C architecture as shown in Hermes PSAR, Figure 7.4-1, Architecture of the Main Control Room and the Remote Shutdown Onsite Panel, for the MCR and ROSP for adherence to the fundamental I&C design principles. DSRS Chapter 7, Sections 7.1.2, 7.1.3, and 7.1.5 provide guidance to review the I&C principals of independence, redundancy, and diversity. Appendix B of the DSRS provides guidance for reviewing I&C architectures. The MCR and ROSP are physically separated from one each other, and both are physically separated from the PCS and RPS as shown in Figure 7.4-1 and described in Hermes PSAR Section 7.4. The descriptions provided by the applicant are consistent with the guidance found in the DSRS and in Appendix B of the DSRS. The staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Communication As shown on PSAR Figures 7.1-1 and 7.4-1 and PSAR Section 7.4.1.1, the communication scheme uses redundant fiber optic communication channels between the PCS and MCR. Data diodes and safety-related isolation devices are used between safety-related and non-safety related I&C systems.

A non-safety related gateway is used to control the flow of data between the I&C systems. The data flow can be either bi-directional or one way between systems. The staff reviewed PSAR Figures 7.1-1 and 7.4-1 and Section 7.4.1.1 and finds that the MCR, ROSP, PCS and the RPS have sufficient isolation between all systems. The staff finds the design of the MCR and ROSP is sufficient because it adheres to independence requirements for communication between safety and non-safety systems.

The descriptions provided by the applicant are consistent with the guidance found in the DSRS, Section 7.1.2 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Codes and Standards Hermes PSAR, Table 7.4-1, Codes and Standards Applied to the Main Control Room and Remote Onsite Shutdown Panel, reflects the standards or guidance to be used for the design of MCR and ROSP for developing computer software and software verification and validation programs for reactor designs that use computerized protection subsystems. The staff reviewed the codes and standards provided in PSAR Table 7.4-1 and finds that they are sufficient for developing and controlling the software design for the MCR and ROSP. The staff finds this information to be adequate for the preliminary design of the MCR and ROSP because sufficient guidance is provided for developing software necessary for the controls, displays, and alarms. The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.6 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Controls, Displays, and Alarms Hermes PSAR, Sections 7.4.1.1 and 7.4.1.2 describe the controls, displays, and alarms to perform the necessary control and protection actuation and information management, storage, and display functions required. Hermes PSAR, Section 7.4.3 describes the system evaluation for both the MCR and the ROSP. The staff finds that the information in Section 7.4.3 is adequate in describing the displays and organization of consoles for both MCR and ROSP. PSAR Section 7.4.3.1 also states that no operator actions are required to mitigate the consequences of postulated events. As a result of no

operator actions required to mitigate the consequences of postulated events, no safety-related displays are required for the HERMES design. The staff reviewed the elements described in PSAR Sections 7.4.1.1 and 7.4.1.2 for the MCR and ROSP and finds this information to be adequate because sufficient guidance is provided for performing the necessary control and protection actuation, and information management, storage, and display functions. The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.6 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Technical Specifications The MCR is described in PSAR Sections 7.4.1.1 and 7.4.3.1. PSAR Chapter 14, Table 14.1-1, Item 3.0, contains proposed Technical Specifications for controls and monitoring systems to ensure the safe operation of the facility. The staff reviewed the above sections and finds that the MCR controls, displays, and alarms descriptions are adequate because they provide the necessary information to support the preliminary development of the technical specifications, specifically Table 14.1-1, Item 3.0, for controls and monitoring systems to ensure the safety operation of the facility. The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.6 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Conclusion The staff evaluated the sufficiency of the preliminary design of Hermess MCR and ROSP, as described in Hermes PSAR Section 7.4, in part, by reviewing the operator interface description, operator interface data entry, display interface hardware and software human factors engineering, static annunciator and fixed status display, alarm and event display, human machine interface, and display independence using the applicable acceptance criteria from Section 7.6, Control Console and Display Instruments, of NUREG-1537, Part 2. The staff finds the level of detail provided is consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.6 and demonstrates an adequate design basis for a preliminary design.

A more detailed evaluation of information (e.g., ranges of transient and steady-state conditions, requirements for multiple setpoints and trip criteria, and MCR and ROSP consoles) will occur during the review of Hermess FSAR, at which time the staff will confirm that the final design conforms to PDC 19 for the facility SSCs based on in the NRC-approved Kairos Power Topical Report, KP-TR-003-NP-A and applicable regulations.

Based on its review, the staff finds that the preliminary design of the Hermes control console and display information, as described in Hermes PSAR Section 7.4, is sufficient and meets the applicable regulatory requirements and guidance for the issuance of a construction permit in accordance with 10 CFR 50.35 and 10 CFR 50.40.

7.5 Sensors Introduction Hermes PSAR, Section 7.5.1, Description, states that the sensors are used to provide information about temperature, pressure, neutron count rates, level, flow of the primary coolant and area radiation levels as input to multiple control and protection subsystems. Independent sensors are provided to the RPS and the PCS. Sections in PSAR Chapter 7 provide information on specific I&C subsystems

including a discussion of the sensors that support that subsystem and the type of sensor used (i.e.,

analog or digital).

Temperature, pressure, level, and flow sensors measure and monitor plant operating process parameters and are used to control operations and to initiate reactor protective actions. Neutron source range sensors provide indication of power level during the initial stages of startup. Gamma radiation monitors provide information about area radiation levels during all plant modes of operation.

Regulatory Evaluation The applicable regulatory requirements for the evaluation of Hermes PSAR Section 7.5 are as follows:

  • 10 CFR 50.40, Common standards For its evaluation of sensors, the staff followed portions of the guidance and acceptance criteria in NUREG-1537, Part 2, Sections 7.3, Reactor Control System and 7.4, Reactor Protection System, for criteria applicable to sensors, as follows:
  • Regulations, bases, criteria, standards, and guidelines that the applicant intends to comply with for the sensor design.
  • The range of operation of sensor (detector) channels should be sufficient to cover the expected range of variation of the monitored variable during normal and transient (pulsing or square wave) reactor operation.
  • Coordination with technical specifications review to verify that appropriate surveillance tests and intervals are specified to ensure that the instruments and equipment will perform their functions as designed.

DSRS for NuScale Small Modular Reactor Design, Chapter 7 was used to evaluate I&C design principals of independence, redundancy and diversity, the I&C architecture, and communication between safety and non-safety sensors and other I&C Platforms.

The PDC for the facility SSCs are described in Hermes PSAR Section 3.1 and are based on those specified in the NRC-approved Kairos Power Topical Report, KP-TR-003-NP-A. Hermes PSAR, Section 3.1, Table 3.1-3 identifies PDCs 1, 2, 3, 13, 21, 22, 24, and 29 as applicable to Section 7.5 Technical Evaluation Architecture The overall I&C architecture as shown in Hermes PSAR, Figure 7.1-1 provides a set of independent safety-related sensors for each RPS channel. PSAR Section 7.3.1.1 states that the RPS receives input from sensors through hardwired, analog, safety-related wireways. Once the signal inputs are converted to digital, these safety-related signals are sent to the PCS via a one-way data diode. The non-safety related sensors signals are sent to their respective non-safety local cabinets via non-safety wireways.

The signals are then sent to the PCS in redundant, non-safety, real time data highways. The staff reviewed PSAR Figure 7.1-1 and PSAR Section 7.3.1.1 and finds that the description of overall I&C architecture is adequate because it demonstrates adherence to the fundamental I&C design principles

of independence, redundancy, and diversity for sensors. The descriptions provided by the applicant of the overall I&C architecture are consistent with the guidance found in the DSRS and in Appendix B of the DSRS and the staff finds the information to be adequate at this stage of the licensing process.

Further information can reasonably be left for later consideration at the OL stage.

Codes and Standards As shown on Figure 7.1-1, both the non-safety and safety-related sensors input directly to their respective PCS and RPS platforms. Accordingly, the codes and standards, as evaluated in Sections 7.2 and 7.3 of this SER, apply to the respective sensors of each platform. The staff reviewed PSAR Sections 7.5.2 and 7.5.3, in conjunction with the review of codes and standards, as they apply to Sensors per NUREG-1537, Part 2, in Sections 7.2 and 7.3 of this SER, and finds the information adequate because the sensors are designed to monitor and maintain variables and systems over their anticipated ranges for normal operation, and over the range defined in postulated events.

The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Sensors Hermes PSAR, Table 7.5-1, Parameter Range for Safety-Related Sensors Table 7.5-2, Parameter Range for Non-Safety Related Sensors, and PSAR Section 7.5.1 provide the temperature range of operation for both the safety-related and non-safety related sensors and descriptions. The remaining sensor channels (vessel level, area radiation, source range neutronics, intermediate range neutronics, and power range neutronics) are to be provided in the OL application. Section 7.5.3 and Table 7.5-1 provide the temperature safety-related sensors range of 450oC - 816oC, which are designed to monitor temperatures between the freezing temperature of the primary coolant, and up to the highest design temperature determined by the safety analysis, 816°C. For the non-safety-related temperature sensors, the staff reviewed Section 7.5.3 and Table 7.5-2. Table 7.5-2 provides a range of 550°C - 650°C, which as described in Section 7.5.3 are designed to monitor process variables to reflect the range for postulated events and bounds, with margin, the range for normal operation.

The staff reviewed PSAR Tables 7.5-1 and 7.5.2, and Sections 7.5.1 and 7.5.3 and finds that the proposed ranges for the safety-related temperature sensor are adequate because the range bounds, with margin, to monitor normal operation and postulated temperature events. Additionally, the staff finds the proposed ranges for the non-safety related temperature sensor are adequate because the range bounds, with margin, to monitor normal operation. The descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2 and the staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Technical Specifications As shown in PSAR Figure 7.1-1 and described in Section 7.5.1 and 7.5.3, both the non-safety and safety-related sensors input exclusively to the PCS or the RPS, to support the respective trips described in Table 14.1-1. TS evaluated in Sections 7.2 and 7.3 of this SER apply to the respective sensors. The staff finds the descriptions provided by the applicant are consistent with the applicable acceptance criteria in NUREG-1537, Part 2 and that the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.

Conclusion

The staff finds the level of detail provided on safety-related and non-safety related sensors, as described in Hermes PSAR Section 7.5, is consistent with the applicable acceptance criteria in Sections 7.2, Design of Instrumentation and Control Systems, and 7.3, Reactor Control System, of NUREG-1537, Part 2 and demonstrates an adequate design basis for a preliminary design.

A more detailed evaluation of information (e.g., ranges of transient and steady-state conditions and requirements for both non-safety and safety-related sensors) will occur during the review of Hermess FSAR, at which time the staff will confirm that the final design conforms to PDCs 1, 2, 3, 13, 21, 22, 24 and 29 for the facility SSCs based on the NRC-approved Kairos Power Topical Report, KP-TR-003-NP-A and applicable regulations.

Based on its review, the staff finds that the preliminary design of the safety-related and non-safety-related sensors, as described in Hermes PSAR Section 7.5, is sufficient and meets the applicable regulatory requirements and guidance for the issuance of a construction permit in accordance with 10 CFR 50.35 and 10 CFR 50.40.

References Design Review Guide, Instrumentation and Controls for Non-Light-Water Reactor (non-LWR)

Reviews, can be found in ML21011A140.

Design-Specific Review Standard for NuScale Small Modular Reactor Design, can be found in ML15355A295)

IEEE Standard 379, IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems. 2014.

IEEE Standard 603, Standard Criteria for Safety Systems for Nuclear Power Generating Stations.

2018.

IEEE Standard 7-4.3.2, "IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations." 2003.

Institute of Electrical and Electronics Engineers, IEEE 1012-2017, System, Software, and Hardware Verification and Validation. 2017 Instrument Society of America, ANSI/ISA-67.04.01, Setpoints for Nuclear Safety-Related Instrumentation. 2018.

International Electrotechnical Commission, IEC 61131, "Programmable Controllers. 2020.

International Electrotechnical Commission, IEC 62443, Cybersecurity. 2015 Kairos Power Topical Report, KP-TR-003-NP-A, Principal Design Criteria for the Kairos Power Fluoride Salt-Cooled, High Temperature Reactor, can be found in ML20167A174.

Nuclear Regulatory Commission, Regulatory Issue Summary 2006-17, The NRC Staff Position on The Requirements of 10 CFR 50.36, Technical Specifications, Regarding Limiting Safety System Settings During Periodic Testing and Calibration of Instrument Channels. August 24, 2006.

NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Standard Review Plan and Acceptance Criteria.

Retrieved from "https://kanterella.com/w/index.php?title=ML23017A150&oldid=3530900"