Text

KP-NRC-2401-001 Changes to Hermes 2 PSAR Chapters 4, 5, 7, and 13 (Non-Proprietary)

PreliminarySafetyAnalysisReport

ReactorDescription

KairosPowerHermes2,Units1and2

Revision0 437 Table4.31:ReactorVesselTopHeadPenetrations NameofPenetration NumberofPenetrations System PebbleExtractionMachine(PEM) 1 PHSS PebbleInsertion 2

PHSS ReactivityShutdownElement 3

RCSS ReactivityControlElement 4

RCSS PrimarySaltPump(PSP) 1 PHTS CoolantFill/DrainLine 2

IMS InertGasLine 2

IGS MaterialSurveillanceSystem 1

MSS NeutronSource 1

RSSReactorStartupSystem ReserveInstrumentation 3

I&C ReactorCoolantLevelSensor 4

I&C ReactorCoolantThermocouple 3

I&C GraphiteThermocouple 2

I&C FluidicDiodeInspectionNozzle 4

I&C

PreliminarySafetyAnalysisReport

HeatTransportSystems

KairosPowerHermes2Unit1and2 54 Revision0 bloweron.Duringnormaloperations,airsurroundingtheHRRisisolatedbetweentheinletandoutletof theHRS.TheairisrecirculatedthroughasubsystemoftheTMSwhichcapturestritiumpermeating throughtheHRRandreturnsairatappropriatetemperaturestoprovidethermalmanagementforthe HRRandlimitheatlosses.FurtherdetailsofthetritiumcapturesubsystemoftheTMSwhichinterfaces withtheHRRareprovidedinSection9.1.3.Duringstartupandnormalshutdownconditions,tritium captureisnotconductedbytheTMSandpermeationlossesthroughtheHRRarereleasedthroughthe HRSasagaseouseffluent.

Thetransitionfrompoweroperationtonormalshutdowncoolinginvolvesaprogrammedrunback(see Section7.2)ofthePSPandactivationactuationoftheheatrejectionblowertominimizethethermal transientexperiencedbythereactorvesselandthePHTS.

TheheatrejectionbloweristrippedconcurrentwiththePSPtopreventforcedairingressduring postulatedHRRtubefailures.

5.1.2 DesignBasis ConsistentwithPDC2,thesafetyrelatedSSCslocatednearthePHTSareprotectedfromtheadverse effectsofpostulatedPHTSfailuresduringadesignbasisearthquake.

ConsistentwithPDC10,thedesignofthereactorcoolantsupportstheassurancethatspecified acceptablesystemradionuclidereleasedesignlimits(SARRDLs)arenotexceededduringanycondition ofnormaloperation,aswellasduringanyunplannedtransients.

ConsistentwithPDC12,thedesignofthereactorcoolant,inpart,ensuresthatpoweroscillations cannotresultinconditionsexceedingspecifiedacceptableSARRDLs.

ConsistentwithPDC16,thedesignofthereactorcoolant,inpart,providesameanstocontrolthe releaseofradioactivematerialstotheenvironmentduringpostulatedeventsaspartofthefunctional containmentdesign.

ConsistentwithPDC33,thedesignofthePHTSincludesantisiphonfeaturestomaintainreactorcoolant inventoryintheeventofbreaksinthesystem.

ConsistentwithPDC60,thedesignofthePHTSsupportsthecontrolofradioactivematerialsduring normalreactoroperation.

ConsistentwithPDC70,thedesignofthePHTSsupportsthepuritycontroloftheprimarycoolantby limitingairingress.

Consistentwith10CFR20.1406,thedesignofthePHTS,totheextentpracticable,minimizes contaminationofthefacilityandtheenvironment,andfacilitateseventualdecommissioning.

5.1.3 SystemEvaluation ThedesignofthenonsafetyrelatedPHTSissuchthatafailureofcomponentsofthePHTSdoesnot affecttheperformanceofsafetyrelatedSSCsduetoadesignbasisearthquake.Inadditiontoprotective barriers,thePHTSpipeconnectionstothereactorvesselnozzleshavesufficientlysmallwallthickness, suchthatifloadedbeyondelasticlimits,inelasticresponseoccursinthePHTSpiping,whichisnon safetyrelated.Thesefeatures,alongwiththeseismicdesigndescribedinSection3.5,demonstrate conformancewiththerequirementsinPDC2.

WhiletheprimarysideofthePHTSisaclosedsystem,thereareconceivablescenariosthatmayresultin thereleaseofradioactiveeffluents.Thefueldesignlocatesthefuelparticlesneartheperipheryofthe fuelpebble,enhancingtheabilityofthefueltotransferheattothecoolant.Thethermalhydraulic analysisofthecore(seeSection4.6)ensuresthatadequatecoolantflowismaintainedtoensurethat

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2

73 Revision0 Figure7.11:InstrumentationandControlsSystemArchitecture

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2

74 Revision0

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2 76 Revision0 7.2 PLANTCONTROLSYSTEM 7.2.1 Description ThePCSisanonsafetyrelatedcontrolsystemwhichcontrolsreactorstartup,changesinpowerlevels, reactorshutdown,heattransport,andpowergenerationsystem.ThePCSimplementsthesefunctions throughaseriesofsubsystemswhichinclude:

Reactorcontrolsystem(RCS)

Reactorcoolantauxiliarycontrolsystem(RCACS)

Primaryheattransportcontrolsystem(PHTCS)

Intermediateheattransportcontrolsystem(IHTCS)

Powergenerationcontrolsystem Auxiliarymonitoredsystems ThePCSisamicroprocessorbaseddistributedcontrolsystemthatindividuallycontrolsplantsystems usingapplicableinputs.ThesubsystemslistedaboveareintegratedintothePCSusingnonsafety relatedsignalwirewayswhichareterminatedatlocalcabinetsandusingredundant,nonsafety,real timedatahighways.

Thecontrolsubsystemscommunicatewitheachothertoensureeachsubsystemhasaccessto parameterssuchasmeasurementsandactuationeventsfromothersubsystems.

ThisallowsthePCStomaintainplantandunitparameterswithinthenormaloperatingenvelope.The RCS,RCACS,PHTCS,andIHTCSareunitspecificsubsystems.Thepowergenerationcontrolsystemis sharedbetweenUnit1andUnit2.Theauxiliarymonitoredsystemsareunitspecific.ThePCSalso providesdatatothecontrolconsoleslocatedinthemaincontrolroom(seeSection7.4).Figure7.11 showstheelementsofthePCS.

Theplantwidesensorinputsareusedtoverifyinterlockandpermissiverulesforthevariousplantstates.

Thesensordataisalsousedtoprovidefeedbackandalarmstotheoperatorsviathecontrolconsoles.

ThePCSispoweredbyACandDCpowersupplieswhicharediscussedinChapter8.

ThePCSusesnonsafetyrelatedsensorinputsaswellassafetyrelatedsensorinputsfromtheplant protectionsystem(SeeSection7.3.3).ThePCSincludestheinputparametersshowninTable7.21.The sensorsaredescribedinSection7.5.Theinstrumentationprovidesinputsignalsusingnonsafetyrelated signalwirewaysthatareterminatedatlocalcabinets.

Controloutputsaregeneratedusingacontroltransferfunctionbasedonthesensorinputsand setpointsprovidedbythecontrolsystem.Thesetpointsareadjustedautomaticallybasedontheplant operatingmode,orinsomecasesbytheoperatorviathemaincontrolroomconsoles.Plantoperators donotdirectlycontrolPCSoutputs.

ThePCSdoesnotprovideanysafetyrelatedfunctionsduringanymodeofoperationorpostulated event.ThePCSiselectricallyandfunctionallyisolatedfromthesafetyrelatedRPS(seeSection7.3)using asafetyrelatedisolationdeviceasshowninFigure7.11.TheRPSisolationdevicesensureelectrical isolationbetweentheelectricalsystemandthenonsafetyrelatedSSCsthatPCSnormallycontrolsthat aredeactivatedbytheRPSwhenareactortripisdemanded.

ThesubsystemsofthePCSaredescribedbelow.

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2 77 Revision0 7.2.1.1 ReactorControlSystem TheRCScontrolsandmonitorssystemsandcomponentsthatsupportnormaloperation,planned transients,andnormalshutdownofthereactor.TheRCScontrolsthesystemslistedinFigure7.11and supportsthefollowingcapabilities:

Reactivitycontrolandplannedtransients/adjustmentsinpowerlevel Monitoringofcoreneutronics Pebblehandlingandstorage Monitoringandcontroloftemperatureinthereactor TheRCScontrolsreactivityfornormaloperationsandnormalshutdownusingreactorcontrolelements andreactorshutdownelementsinthereactivitycontrolandshutdownsystem(RCSS)(seeSection4.2).

TheRCSiscapableofincrementallychangingthepositionofreactorcontrolelementsandofreleasing thecontrolandshutdownelements.TheRCSisonlycapableofwithdrawingelementsoneatatimeand theRCSincludesalimitontherateatwhichacontrolelementcanbewithdrawn,asalsodiscussedin Section4.2.2.Inthiswaythedesignprecludes,withmargin,thepotentialforpromptcriticalityand rapidreactivityinsertions.TheRCSinputsincludereactoroutlettemperatureandreactorinlet temperaturesensorsandsourceandpowerrangeneutronexcoredetectors.TheRCSalsoprovidesa reactormonitoringfunctiontomonitorplantcomponentsthatareassociatedwithreactorfunctions.

TheRCSusessourceandpowerrangesensorsthatarelocatedoutsidethereactorvesselforreactor control.

TheRCScontrolspebbleinsertionandextraction,invesselpebblehandling,andexvesselpebble handlinginthepebblehandlingandstoragesystem(PHSS)(seeSection9.3).TheRCSiscapableof countinglinearizedpebblesexternaltothevessel,controllingtherateofpebbleinsertionandremoval fromthevessel,andcontrollingpebbledistributionwithinthePHSS.

TheRCScontrolsthereactorthermalmanagementsystem(RTMS)(seeSection9.1.5)tomonitorthe temperatureoftheprimarysystemtomaintainitwithinthenormaloperatingenvelopeandto implementplannedtransients.TheRCScontrolsexternalheatingelementsintheRTMStoprevent overcooling.

TheRCSprovidesthecapabilityforeventmonitoringandactiveactuationofthedecayheatremoval system(DHRS)(SeeSection6.3.1).

7.2.1.2 ReactorCoolantAuxiliaryControlSystem TheRCACScontrolsandmonitorssystemsandcomponentsthatsupportnormaloperationinthecore.

Thesystemsupportsthefollowingcapabilitiesinthecore:

Chemistrycontrolintheprimarysystem Inventorymanagementsystemcontrol Inertgassystemcontrolintheprimaryloops Tritiummanagementsystemmonitoringandcontrol Remotehandlingsystemmonitoringandcontrol TheRCACScontrolsthechemistrycontrolsystem(seeSection9.1.1)tomonitorreactorcoolant chemistry.Themonitoringsystemsprovideinformationtofacilitatemaintainingcoolantpurityand circulatingactivitywithinspecificationsforthesystem.

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2 78 Revision0 TheRCACSreceivesinputfromtheinventorymanagementsystem(seeSection9.1.4)whichmonitors primarycoolantlevelduringnormaloperations.Thesystemalsoprovidescontrolforchangestoprimary inventoryduringplannedprimaryfillinganddrainingoperations.

TheRCACSalsocontrolstheinertgassystem(seeSection9.1.2).Duringnormaloperation,thesystem providescontrolsignaltomaintaincovergaspressureandflow,monitorsventinggasforimpurities abovespecifiedlimitsinthegasspaceoftheprimarysystem.Duringstartup,thesystemmonitorsand controlsinertgasflowandtemperaturetosupportinitialheatingoftheprimarysystem.

TheRCACSreceivesinputfromthetritiummanagementsystem(seeSection9.1.3)andprovidescontrol signaltoremovetritiumfromthecovergasintheprimarysystem.

TheRCACSreceivesinputfromtheremotemaintenanceandinspectionsystem(SeeSection9.8.1)and providesmonitoringandcontrolstosupportremotemaintenanceactivities.

7.2.1.3 PrimaryHeatTransportControlSystem ThePHTCScontrolsandmonitorssystemsandcomponentsthatsupportnormaloperationofthe primaryheattransportsystem(PHTS).Thesystemsupportsthefollowingcapabilities:

ControloftheflowratethroughthePHTS PHTSthermalmanagement Controloftheheatrejectionsubsystem Primaryloopdraining,filling,andpipingmonitoring,includingPHTSexternalpiping ThepurposeofthePHTCSistocontrolthetransportofprimarycoolantthroughthePHTS,tomaintain theprimarycoolantinaliquidstate,andtomonitortheinventoryofprimarycoolantinthePHTS.The PHTCSmaintainstheparametersinthePHTSwithinthenormaloperatingenvelope.ThePHTCScontrols theprimarysaltpump(PSP)andtheprimaryloopthermalmanagementsubsystem(PLTMS).Thesensors usedbythePHTCSarediscussedinSection7.5.

ThePHTCSprovidescontrolsignalforthePSP(seeChapter5).Thecontrolsystemmanipulatesthe primarycoolantflowratebyvariablefrequencytomaintainPHTSparameterswithinthenormal operatingrange.ThePHTCSdoesnotprovideasafetyfunction;however,asdiscussedinSection7.3,the RPStripsthePSPonareactortrip,asaprotectionfeatureforthereactorsystemrelatedtothepump.

ThePHTCSmaintainstheprimarycoolantinliquidphasethroughoutthePHTStopreventlocalizedover orunderheating.ThecontrolsystemusestemperatureasinputtoprovidecontrolsignaltothePHTS auxiliaryheaters.

ThePHTCSprovidescontrolsandmonitoringofthecomponentsthatsupporttheoperationoftheheat rejectionsubsystem.

7.2.1.4 IntermediateHeatTransferControlSystem TheIHTCScontrolsandmonitorssystemsandcomponentsthatsupportnormaloperationofthe intermediateloopwhichremovesheatfromtheprimaryloop.Thesystemsupportsthefollowing capabilities:

Controloftheflowratethroughtheintermediateloop Intermediateloopheating Intermediateloopdraining,filling,andpipingmonitoring Chemistrycontrolintheintermediateloop MaintainpositivepressuredifferentialbetweenthePHTSandIHTSduringnormaloperations

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2 79 Revision0 ThepurposeoftheIHTCSistocontrolthetransportofintermediatecoolantthroughtheintermediate loop,tomaintaintheintermediatecoolantinaliquidstate,andtomonitortheinventoryof intermediatecoolantintheintermediateloop.Themonitoringsystemsprovideinformationtofacilitate maintainingintermediatecoolantpuritywithinspecificationsforthesystem.TheIHTCSdoesnot performasafetyfunction.TheIHTCSmaintainstheparametersintheintermediateloopwithinthe normaloperatingenvelope.TheIHTCScontrolstheintermediatesaltpump(ISP),theintermediateloop auxiliaryheatingsystem,theintermediatecoolantinventorysystem,theintermediatecoolantchemistry controlsystem,andtheintermediateinertgassystem.TheIHTCScontrolstheISPbychangingthe intermediatecoolantflowratebyvariablefrequencytomaintainintermediateloopparameterswithin thenormaloperatingrange.TheIHTCScontrolstheintermediateloopauxiliaryheatingsystemto maintaintheintermediatecoolantinliquidphasethroughouttheintermediatelooptopreventlocalized overorunderheating.Thecontrolsystemusestemperatureinformationasinputtoprovidecontrol signaltotheintermediateloopauxiliaryheaters.TheIHTCSmonitorstheintermediatecoolantinventory system,theintermediatecoolantchemistrycontrolsystem,andtheintermediateinertgassystemand providesinformationtofacilitatemaintainingtheintermediatecoolantwithinspecificationsforthe system.TheIHTCSmonitorstheIHXintermediatecoolantinletpressureandreactorcoolantoutlet pressureandcontrolsthespeedoftheISPtomaintainapositivepressuredifferential.

7.2.1.5 PowerGenerationControlSystem Thepowergenerationcontrolsystemcontrolsandmonitorssystemsandcomponentsthatsupport normaloperationoftheturbinegeneratorwhichconvertsheatfromtheintermediateloopinto electricalpower.Thesystemincludesfivesubsystems,asshownonFigure7.11,whichsupportsthe controlandmonitoringoffollowingthefollowingcapabilities:

MonitoringofturbineTurbinegeneratorsystemparametersandinitiationofturbinegenerator trips,andpumprunbacks,positionofturbinecontrol,andbypassvalves ControlofsteamSteamsystemflowratefromeachunitssuperheatertotheturbine,and auxiliarysteamloads ControlofcondensateCondensateandfeedwatersystemflowrateandtemperaturetothe evaporator Controlofthepositionofturbinecontrolandbypassvalves ControloftheremovalRemovalofheatfromtheaircooledcondenser Makeupwatersuppliedtothecondensateandfeedwatersystem;andblowdowntothedrains Thepurposeofthepowergenerationcontrolsystemistocontroltheconversionofthermalenergyinto mechanicalenergy.Thepowergenerationcontrolsystemdoesnotperformasafetyrelatedfunction.

Thepowergenerationcontrolsystemmaintainstheparameterswithintheturbinegenerator,main steam,condensate,andfeedwatersystemswithinthenormaloperatingenvelope.Thepower generationsystemisfurtherdiscussedinSection9.9.

7.2.1.6 AuxiliaryMonitoredSystems Theauxiliarymonitoredsystemscontrolandmonitorauxiliarysystemstosupportnormaloperations.

Theauxiliarycontrolsystemsincludethefollowing:

Compressedairsystem Chilledwatersystem Electricsupply/loads Reactorbuildingheating,ventilation,airconditioning(RBHVAC)

Environmentalmonitoring

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2 710 Revision0 Thecompressedairsupply,asdiscussedinSection9.8.3,iscontrolledandmonitoredtoprovideand distributecompressedairformaintenanceanduseinvalveoperation.

Thechilledwatersystem,asdiscussedinSection9.7.4,iscontrolledandmonitoredtosupplycooling watertononsafetyrelatedSSCs.

Theelectricalsupply,asdiscussedinChapter8,iscontrolledandmonitoredtosupportthenonsafety relatednormalandbackuppowersupply.

TheRBHAVACiscontrolledandmonitoredtosupplyreactorbuildingHVAC,asdiscussedinSection9.2.

Theenvironmentalmonitoringsystem,asdiscussedinSection11.1.7,monitorsradiationlevelsin unrestrictedareasandradioactivematerialineffluents.

7.2.2 DesignBases ConsistentwithPrincipalDesignCriteria(PDC)13,thePCSisdesignedtomonitorvariablesandsystems overtheiranticipatedrangesfornormaloperation,andovertherangedefinedinpostulatedevents.

7.2.3 SystemEvaluation ThePCSisdesignedtomonitorplantandunitparametersandmaintainsystemswithinnormal operatingrange.ThePCSisalsodesignedtocontrolplannedtransientsassociatedwithanticipated operationaloccurrencesandmaintaintheaffectedreactorinashutdownstate.Thesefunctionsare consistentwithPDC13.ThePCSdoesnotperformasafetyrelatedfunction.Finally,thePCSisdesigned sothatitcannotinterferewiththeRPSsabilitytoperformitssafetyfunctions;seeSection7.3formore informationabouttheisolationoftheRPSfromthePCS.

ThePCSisadigitalsystemthatcontrolsthereactorpoweraboutapointsetbytheoperator.Thecontrol systemuseslinearaveragetemperatureandflowrateintheprimarysystemasvariableinputsto controlpowerlevelsothatitremainswithinthenormaloperatingenvelope.ThePCScontrolselectrical powergenerationaboutapointsetbytheoperatorsusingsteamflowrates,feedwaterflowrates,and feedwatertemperaturesasinputstocontrolthepositionsofturbinecontrolvalves,turbinebypass valves,andfeedwaterregulatingvalvestobalancetheturbineloadfromeachunit.Thesystemdesign meetstheapplicableportionsInternationalElectrotechnicalCommission(IEC)standard61131for industrialcontrollers(Reference1),andtheapplicableportionsofthecybersecuritystandardIEC62443 (Reference2).Table7.22listsotherstandardsappliedtothePCS.ApplicableportionsofIEEE1012 2017(Reference3)areusedforverificationandvalidationofPCScomponents,whichisconsistentwith thenonsafetyrelatedclassificationofthePCS.

ActioninthePCSisdesignedtoaccuratelyandreliablyprovidecontrolsignalforallmodesofnormal operation.ThePCSisalsodesignedtoprovidetimelycontrolsignals,withfurtheranalysisoftimeliness tobeprovidedinanapplicationfortheOperatingLicense.

ThePCSincludesinterlocksandinhibitsthatprohibitorrestrictoperationofthereactor,PHSS,andthe powergenerationsystemunlesscertainoperatingconditionsaremet.Thefollowinginterlocksare includedinthecontrolsystemdesign:

Aninterlockthatprohibitsreactivitycontrolelementwithdrawaluntilthereissufficientneutron countratetoensurethatnuclearinstrumentsarerespondingtoneutrons.

Interlocksarealsoprovidedrelatedtostartuppowerlevelandpebblehandlingasdetailedin Table7.23.

Aninterlockthatpreventstheopeningofaunitsmainsteamisolationvalvefollowingareactor tripuntilthereissufficientsteamproductiontoensurethataturbineimbalancewillnotoccur.

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2 718 Revision0 ConsistentwithPDC21,theRPSisdesignedwithsufficientredundancyandindependencetoassure thannosinglefailureresultsinlossofitsprotectionfunction.IndividualcomponentsoftheRPSmay beremovedfromservicefortestingwithoutlossofrequiredminimumredundancy.TheRPSis designedtopermitperiodictesting.

ConsistentwithPDC22,theeffectsofnaturalphenomena,andofnormaloperating,maintenance, testing,andpostulatedeventconditions,donotresultinlossoftheprotectionfunctionfortheRPS.

TheRPSisdesignedwithsufficientfunctionalandcomponentdiversitytopreventthelossof functionfortheRPS.

Uponlossofelectricalpowerordetectionofadverseenvironmentalconditions,theRPSfailstoa safestate,consistentwithPDC23.

TheRPSsystemfunctionallyindependentfromthecontrolsystems,consistentwithPDC24.

ConsistentwithPDC25,theRPSisdesignedtoensurethatradionuclidereleasedesignlimitsarenot exceededuponreactortripactuation,includingintheeventofasinglefailureofthereactivity controlsystem.

ConsistentwithPDC28,theRPSsetpointsaredesignedtolimitthepotentialamountandrateof reactivitytoensuresufficientprotectionfrompostulatedeventsinvolvingreactivitytransients.The limitsaresetsuchthatreactivityeventscannotresultindamagetothereactorcoolantboundary greaterthanlimitedlocalyielding,andcannotsufficientlydisturbthecore,itssupportstructures,or otherreactorvesselinternalstoimpairsignificantlythecapabilitytocoolthecore.

TheRPSisdesignedtoberedundantanddiversetoassurethereisahighprobabilityof accomplishingitssafetyrelatedfunctionsinpostulatedevents,consistentwithPDC29.

TheRPSisdesigned,fabricated,erected,constructed,tested,andinspectedtoqualitystandards commensuratewiththesafetyfunctiontobeperformed.

TheRPSisdesignedinaccordancewithIEEEStd6032018(Reference1).

7.3.3 SystemEvaluation TheRPSprovidesautomaticreactortrip(1)ifplantparametersexceedthenormaloperationenvelope (PDC20),(2)intheeventofstationblackout,and(3)manuallyusingsignalfromthemaincontrolroom orremoteonsiteshutdownpanel.TheRPSalsoensuresthattheDHRSisrunningwhenthereactortrips.

TheRPSisconsistentwithNUREG1537,GuidelinesforPreparingandReviewingApplicationsforthe LicensingofNonPowerReactors,bymeetingIEEE6032018.Table7.31providesalistofthe consensusstandardstowhichtheRPSisdesigned.

Chapter13describesthepostulatedeventstowhichtheRPSisdesignedtorespond.TheRPSusesthe samesetofoperatingparametersinthetripandactuationlogicforallmodesofreactoroperation.The setpointsareestablishedtoensurethatthedesignconditionsofthereactorcoolantboundaryarenot exceededduringoperationwithinthedesignbasis.ThisisconsistentwithPDC25becausemaintaining thereactorcoolantboundarywithindesignbasisboundswillensurethatradionuclidereleasedesign limitsarenotexceeded.Thesetpointsareestablishedandcalibratedusingthemethoddescribedin Section7.1.2.

ReactortripsimplementedbytheRPSmeetIEEE6032018,Section4.Theprimaryplanttripsignalis basedoncoretemperaturemeasurement.Inaddition,theplantwillalsohaveatripsignalforhighflux ratebasedoninputfromtheneutrondetectorsensorsandatripofthereactorupondetectionofa breakinthePHSSextractionline.Whenthetemperatureorfluxrateareoutsidethenormaloperating rangeorwhenaPHSSextractionlinebreakisdetected,theprimaryplanttripdeenergizestheRSS reactivityshutdownsystemtripdevice,theDHRSlooptripdevice,andthePCSinhibitortripdevice.

Redundanttripdevicesareprovidedforeachsignalpathway.Notethatthecablingtothetripdevicesis notclassifiedassafetyrelatedbecausethetripdevicesaccomplishtheirsafetyfunctionwithoutreliance

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2 723 Revision0 Figure7.31:ReactorProtectionSystemTripLogicSchematic

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2 724 Revision0

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2 725 Revision0

PreliminarySafetyAnalysisReport

InstrumentationandControls

KairosPowerHermes2,Units1and2 727 Revision0 duringshutdown,and(2)providesthecapabilityforsubsequentsafeshutdownofthereactor throughtheuseofsuitableprocedures.

7.4.3 SystemEvaluation 7.4.3.1 MainControlRoom TheMCRislocatedinanauxiliarybuildingseparatefromtheReactorBuilding.Therearenooperator actionsperformednorsafetyrelatedSSCslocatedintheMCRthatarecreditedformitigatingthe consequencesofpostulatedeventsdescribedinChapter13.Therefore,theMCRandthebuildingthat housestheMCRaredesignedtolocalbuildingcodestandards.

TheMCRconsolesaredesignedtoallowoperatorstomanipulateplantparameterstocontrolthe reactorwithinanacceptableenvelopeduringnormaloperatingconditions,includingplannedtransients.

However,nooperatoractionsarecreditedinthesafetyanalysisofpostulatedeventsdescribedin Chapter13.AlthoughthecontrolsintheMCRarenotcreditedinthesafetyanalysis,theMCRconsoles aredesignedasfollows:

MCRdisplaysimplementstheguidancefromNUREG1537,Section7.6,withrespecttoeaseof operatorsuse.HumanfactorengineeringprincipleswillbeconsideredintheMCRdesign.Theplant controlsaregroupedandlocatedintheMCRsothatoperatorscaneasilyreachandmanipulatethe controls.Displaysoftheresultsofanoperatorsactionsarereadilyobservable.

Thescreenelementorganizationandappearanceoftheconsolesaredesignedtoallowoperatorsto performactionstooperatethereactorundernormaloperatingconditionsandtomonitoritunder postulatedeventconditions,consistentwithPDC19.

TheMCRconsolesaredigitalinterfacesthatconsiderIEEE74.3.22003(Reference1),asitrelatesto hardwaredesign,andRegulatoryGuide1.152,Revision2CriteriaforUseofComputersinSafety SystemsofNuclearPowerPlants.ThecontrolconsolesintheMCRaredesignedtodisplayplant parametersthatindicateplantstatus.TheMCRconsolesdisplaythefollowinginformation:

o Plantsensordataanddigitallyprocessedparameteroutputsbasedonplantsensordata o IndicationsofPCSandRPSsystemandequipmentstatus o Currentandpastoperatingparameterandsysteminformationforadurationrelevanttoinform processandmaintenancetrending Administrativecontrolsareappliedtotheconsolesinthemaincontrolroomtoprevent unauthorizedaccess.MCRconsolescreensarepasswordprotectedandincludeinterlockssuchas swipecardsandmultioperatorcoordinatedloginstopreventunauthorizedaccessandsystems actuation.

Thetworeactorunitswillbecontrolledindividuallytoachievecriticalityandproducethermal power.However,thesteamsupplyfrombothreactorsisregulatedthroughcommonflowcontrol valvestoensurebalancedsteamsupplytotheturbineaswellaspreventcoolantfeedbackfromone systemtotheother.

TheMCRislocatedatadistancefromtheReactorBuildingssuchthattheradiologicalconsequencesof unfilteredairintheMCRduringpostulatedeventsdoesnotexceed5remTEDEforthedurationofthe event.TheenvironmentalcontrolfeaturesfortheMCRareseparatefromtheenvironmentalcontrol featuresfortheReactorBuildings.Theanalysisofoperatordosedependsonthefinaldesignofthe reactorssafetyrelatedSSCsandtheanalysiswillreflectthemethodsdescribedinChapter13.

Accordingly,adescriptionoftheanalysisofoperatordosewillbeprovidedintheapplicationofthe OperatingLicense.

PreliminarySafetyAnalysisReport

AccidentAnalysis

KairosPowerHermes2,Units1and2 1313 Revision0 Aturbinemissilecouldbegeneratedduetoapostulatedturbinegeneratorfailure.Duetothefavorable orientationoftheturbinegeneratorwithrespecttothereactorbuilding,SSCsassociatedwith engineeredsafetyfeaturesarenotaffectedbyapotentialturbinemissiletotheextentthattheycould notperformtheirsafetyfunctions.

ForSSCsnotprotectedwithsuchanarea,theamountofmaterialsatriskareassumedtobelimitedto anupperboundlimitsuchthattheamountofradioactivematerialreleasedisboundedbytheamount releasedduringtheMHA.ReleasesfromtheseSSCsareconsideredinSection13.1.6.

Duringtheseismicevent,thepackingfractionofthepebblebedwouldincreaseduetoshakingofthe pebblebed,andthegraphitereflectorblockswouldshift.Thisresultsinanincreaseinreactivity,causing anincreaseinfueltemperature.Theincreaseinreactivityduetoincreaseinpackingfractionofthe pebblebedandmaximumdisplacementofgraphitereflectorblocksduringaseismiceventisbounded bythereactivityinsertioneventwherethecontrolelementisinadvertentlywithdrawn.Insertionof excessreactivityeventsaredescribedinSection13.1.2.

MechanicalaerosolscouldalsobegeneratedduetosplashingofFlibeinthereactorduringaseismic event.Theamountofaerosolsgeneratedduringaseismiceventisboundedbytheamountofaerosols generatedbythesaltspilleventwhereapipebreaks.

Abreakinahighenergysteamlineorsuperheatercouldoccurduetoafailureofthesteamsystem.

PhysicalseparationofthepowergenerationsystemsfromsafetyrelatedSSCsandthedesignofthe safetyrelatedportionofthereactorbuildingensuresthatahighenergybreakwillnotpreventsafety relatedSSCsfromperformingtheirsafetyfunctions.Thepotentialreactivityinsertioncausedbyan increaseinheatremovalduetoasteamlinebreakisconsideredinSection13.1.2.

13.1.10 PreventedEvents Thissectiondescribestheeventspreventedbydesign.Thejustificationforexcludingtheseeventsfrom thedesignbasisisprovidedwithreferencestotherelevantdesigninformation.

13.1.10.1 RecriticalityorReactorReactivityShutdownSystemFailure Inpostulatedeventsthatrequireareactortrip,thereactorreactivityshutdownsystem(thesafety relatedportionoftheRCSS),isreliedupontoshutdownthereactorandmaintainshutdownmargin.

ReactorReactivityshutdownsystem(RSS)failureeventsareexcludedfromthedesignbasis.Eventsthat wouldresultinarecriticalityeventarealsoexcludedfromthedesignbasis.TheRCSSisdesigned (describedinSection4.2.2)withsufficientindependence,diversity,andredundancyfromdetectionand actuationtoelementinsertiontoensurereactorshutdownwhennecessary.Theshutdownmarginis maintainedforallpostulatedeventconditionstoensurethereisnorecriticalityaftertheRCSShas initiatedshutdown,asdescribedinSection4.5.Additionally,thegraphitereflectorblocksaredesigned tomaintainstructuralintegrityandensuremisalignmentsdonotpreventtheinsertionpathofthe shutdownelements,asdiscussedinSection4.3.

13.1.10.2 DegradedHeatRemovalorUncooledEvents Inpostulatedeventswherethenormalheatremovalisnotavailable,naturalcirculationinthereactor vesselandtheheatremovalfunctionoftheDHRSarereliedupontoremoveheatfromthereactorcore.

Degradedheatremovaloruncooledeventsareexcludedfromthedesignbasis.Theinitiationofnatural circulationiscompletelypassive,andthedesignfeatures,includingthestructuralintegrityofthereactor vesselinternals,thatensureacontinuednaturalcirculationflowpatharediscussedinSection4.6.The DHRSisalignedandoperatingwhenthereactorpowerisaboveathresholdpowerandremainsinthis stateasdescribedinSection6.3,precludingtheneedforanactuationtooccurfortheDHRStoremove