ML23117A016

Kairos Non-Power Reactor Hermes Construction Permit Application - Safety Evaluation for Chapter 7, Instrumentation and Control Systems
ML23117A016
Person / Time
Site: Hermes, 99902069
Issue date: 04/27/2023
From: Charles Brown
Advisory Committee on Reactor Safeguards
To: David Petti
Advisory Committee on Reactor Safeguards


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, DC 20555 - 0001

April 27, 2023

MEMORANDUM TO: David Petti, Lead, Kairos Power Licensing Subcommittee, Advisory Committee on Reactor Safeguards

FROM: Charles Brown, Member /RA/, Advisory Committee on Reactor Safeguards

SUBJECT: INPUT FOR ACRS REVIEW OF KAIROS NON-POWER REACTOR HERMES CONSTRUCTION PERMIT APPLICATION - DRAFT SAFETY EVALUATION FOR CHAPTER 7, INSTRUMENTATION AND CONTROL SYSTEMS

In response to the Subcommittee's request, I have reviewed the NRC staff's draft safety evaluation (SE) with no open items, and the associated section of the applicant's Preliminary Safety Analysis Report (PSAR), for Chapter 7, Instrumentation and Control Systems, Revision 0. I also reviewed selected parts of Revision 2 to confirm discussion points for this memorandum. The following is my recommended course of action concerning further review of this chapter and the staff's associated safety evaluation.

Background

Chapter 7 of the SE documents the staff's review of the Kairos Power LLC (Kairos) Hermes construction permit of the preliminary design of the Hermes non-power test reactor structures, systems, and components (SSCs) as presented in Chapter 7, Instrumentation and Controls, of the Hermes Preliminary Safety Analysis Report (PSAR). The purpose of the Hermes construction permit application is to test and demonstrate the key technologies, design features, and safety functions of the Kairos Power fluoride salt cooled high temperature reactor technology and its SSCs.

SE Summary

The staff SE evaluated and documents descriptions and discussions of the Hermes PSAR's Instrumentation and Control (I&C) systems, with special attention to design and operating characteristics, unusual or novel design features, and principal safety considerations. The preliminary design of the Hermes PSAR's I&C systems was evaluated to ensure the appropriate Principal Design Criteria (PDC) and design bases have been established and information relative to materials of construction, general arrangement, and approximate dimensions are sufficient to provide reasonable assurance that the final design will conform to the design basis.

Areas of review for this section included I&C plant control systems, reactor protection system, main control room (MCR), remote onsite shutdown panel (ROSP), display information, and sensors. Within these review areas, the staff assessed the preliminary analysis of the I&C systems needed to monitor key parameters and variables, maintain parameters and variables within prescribed operating ranges, alert operators when operating ranges are exceeded, and assure safety limits are not exceeded during normal operations and planned transients.

Discussion

The I&C systems are comprised of four parts, described below. The architectural design of the system accounts for interconnection interfaces for plant I&C SSCs. PSAR Figure 7.1-1, Instrumentation and Controls System Architecture, provides an overview of the I&C system architecture.

The plant control system (PCS) provides the capability to reliably control the plant systems during normal, steady state, and planned transient power operations, including normal plant startup, power maneuvering, and shutdown. It consists of three major independent subsystems, reactor control, primary heat transport control, and reactor coolant auxiliary control. Functionally, the Hermes PCS is a microprocessor-based distributed control system that individually controls plant systems using applicable inputs. The subsystems listed above are integrated into the PCS using non-safety related signal wireways from sensors which are terminated at local cabinets for processing for each system. All three systems feed a common Gateway, then a supervisory controller and then to non-safety redundant real time data highways (end to end encrypted) through a second Gateway for data and control to and from the MCR. This second Gateway also connects to Fiber Optic or TCP/IP modems.

The reactor protection system (RPS) provides protection for reactor operations by initiating signals to mitigate the consequences of postulated events and to ensure safe shutdown.

The RPS is built on a logic-based platform that does not utilize software or microprocessors for operation. It is composed of logic implementation using discrete components and field programmable gate array (FPGA) technology. Reactor trip functions are hardcoded into FPGA logic and are not dependent on plant operating state. This is the only safety related I&C system in the plant and is isolated and independent of all other systems including having independent sensors. The RPS and RCS use neutron detectors located outside of the reactor vessel. Figure 7.3-1 shows the RPS is a four independent channel system with input from independent process control sensors for each channel through hardwired, analog, safety-related wireways.

The MCR and ROSP provide the capability for plant operators to monitor plant systems, control plant systems, and to initiate plant shutdown including independent manual controls for reactor shutdown. RPS data is fed to the MCR gateway and ROSP via a safety related data diode that uses one-way fiber optic channels.

Sensors provide input to multiple control and protection systems. The PSAR states that the operation license (OL) application will specify sensors of each type that are suitable for the operating environment and will be rated to perform in their application environment.

Staff used the Design Specific Review Standard (DSRS) for NuScale Small Modular Reactor Design, Chapter 7, Instrumentation and Controls, to evaluate I&C design principles of independence, redundancy and diversity, and the I&C architecture for the PCS.

The staff reviewed PSAR Figure 7.1-1 and PSAR Section 7.3.1.1 and finds that the description of the overall I&C architecture is adequate because it demonstrates adherence to the fundamental I&C design principles of independence, redundancy, and diversity for safety systems. This is accomplished by having four independent channels with separate sensors for each channel, identified trip outputs, and isolation devices (either data diodes or safety-related isolation devices) for signals going in and out of the RPS.

The descriptions provided by the applicant of the overall I&C architecture are consistent with the guidance found in the DSRS and in Appendix B of the DSRS and the staff finds the information to be adequate at this stage of the licensing process. Further information can reasonably be left for later consideration at the OL stage.

Concerns

The primary concern is the use of a microprocessor-based distributed control system to integrate and distribute all plant control system data and functions to and from the MCR. There are two issues:

1. Figure 7.1-1 shows two Gateways, a single supervisory controller, and a real time data highway in series for processing all control and monitoring data. This approach results in a single failure taking out all plant control and monitoring capability in the MCR. There is not a discussion of how a single failure is prevented from taking out all PCS control and monitoring systems.

Kairos acknowledged the comment.

2. As currently configured by PSAR Figure 7.1-1, the overall plant control and monitoring system is shown with a bi-directional communication connection from the MCR Gateway, via Fiber optic or TCP/IP modems, to sources external to the plant. This compromises the control-of-access goal of prohibiting external electronic access to the plant control and monitoring systems.

Kairos stated that the intent is for this communication path to be a one-way communication path so that the plant status can be monitored remotely. We suggested that this just be shown as a one-way data diode not configured by software as shown for other parts of the architecture.

The RPS appears to be satisfactory with completely independent channels based on the current PSAR Revision 2, Figure 7.3-1 RPS Trip Logic Schematic and isolated from the MCR and PCS systems and thus isolated from external sources by data diodes.
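The two concerns above can be checked mechanically against a link model of the architecture. The following Python code is an added example, not part of the memorandum or the PSAR; the node names, the list of links, and the treatment of the redundant data highways as two parallel paths are assumptions constructed from this memo's description of Figure 7.1-1.

```python
from collections import defaultdict

# Constructed model of the links the memo describes; node names are assumptions.
# "net" = bidirectional link, "diode" = hardware one-way link (source -> destination).
PCS = ["reactor_control", "heat_transport_control", "coolant_aux_control"]
LINKS = [(s, "gateway_1", "net") for s in PCS] + [
    ("gateway_1", "supervisory_controller", "net"),
    ("supervisory_controller", "highway_a", "net"),   # redundant data highways,
    ("supervisory_controller", "highway_b", "net"),   # modelled as parallel paths
    ("highway_a", "mcr_gateway", "net"),
    ("highway_b", "mcr_gateway", "net"),
    ("mcr_gateway", "mcr", "net"),
    ("mcr_gateway", "external_modem", "net"),         # concern 2: drawn bidirectional
    ("rps", "mcr_gateway", "diode"),                  # RPS data leaves via data diode
    ("rps", "rosp", "diode"),
]

def reachable(links, start, failed=None):
    """Nodes that traffic from `start` can reach, skipping a failed node."""
    adj = defaultdict(set)
    for src, dst, medium in links:
        adj[src].add(dst)
        if medium != "diode":          # a diode never carries the reverse direction
            adj[dst].add(src)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen and node != failed:
            seen.add(node)
            stack.extend(adj[node])
    return seen

def single_points_of_failure(links, sources, sink):
    """Concern 1: nodes whose loss alone cuts every source off from the sink."""
    nodes = {n for s, d, _ in links for n in (s, d)} - set(sources) - {sink}
    return sorted(n for n in nodes
                  if not any(sink in reachable(links, s, failed=n) for s in sources))

def external_reach(links, external="external_modem"):
    """Concern 2: plant nodes that an external node can send traffic to."""
    return sorted(reachable(links, external) - {external})

def with_diode(links, src, dst):
    """Same model with the src -> dst link replaced by a hardware data diode."""
    return [(s, d, "diode" if (s, d) == (src, dst) else m) for s, d, m in links]

if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(LINKS, PCS, "mcr"))
    print("reachable from outside, as drawn:", external_reach(LINKS))
    fixed = with_diode(LINKS, "mcr_gateway", "external_modem")
    print("reachable from outside, with diode:", external_reach(fixed))
```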

Recommendation

Kairos stated that their intention is for this to be a one-way communication path. The staff should identify that the preferred one-way method for connection of the PCS to external plant sources is the use of hardware-based data diodes. It is recommended the applicant address this issue when appropriate.

References

1. USNRC, Draft Safety Evaluation for Hermes Non-Power Reactor Preliminary Safety Analysis Report Chapter 7, January 2023 (ML23017A120)

2. Kairos Power LLC, Submittal of the Preliminary Safety Analysis Report for the Kairos Power Fluoride Salt-Cooled, High Temperature Non-Power Reactor (Hermes), Revision 2, February 2023 (ML23055A672)

3. USNRC, NUREG-1537, Part 1, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Format and Content, February 1996 (ML042430055)

4. USNRC, NUREG-1537, Part 2, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Standard Review Plan and Acceptance Criteria, February 1996 (ML042430048)

5. USNRC, RG 5.71, Cyber Security Programs for Nuclear Power Reactors, January 2010 (ML0903401590)

Package No: ML23117A000
Memo Accession No: ML23117A016
Publicly Available: Y
Sensitive: N
Viewing Rights: NRC Users or ACRS Only or See Restricted distribution
*via e-mail

OFFICE | ACRS/TSB* | SUNSI Review* | ACRS/TSB* | ACRS*
NAME | WWang | WWang | LBurkhart | CBrown
DATE | 4/27/2023 | 4/27/2023 | 4/27/2023 | 4/27/2023

OFFICIAL RECORD COPY