Text

KP-NRC-2401-001 Enclosure 1 Changes to Hermes 2 PSAR Chapters 4, 5, 7, and 13 (Non-Proprietary)

Preliminary Safety Analysis Report Reactor Description Table 4.31: Reactor Vessel Top Head Penetrations Name of Penetration Number of Penetrations System Pebble Extraction Machine (PEM) 1 PHSS Pebble Insertion 2 PHSS Reactivity Shutdown Element 3 RCSS Reactivity Control Element 4 RCSS Primary Salt Pump (PSP) 1 PHTS Coolant Fill/Drain Line 2 IMS Inert Gas Line 2 IGS Material Surveillance System 1 MSS Neutron Source 1 RSSReactor Startup System Reserve Instrumentation 3 I&C Reactor Coolant Level Sensor 4 I&C Reactor Coolant Thermocouple 3 I&C Graphite Thermocouple 2 I&C Fluidic Diode Inspection Nozzle 4 I&C Kairos Power Hermes 2, Units 1 and 2 437 Revision 0

Preliminary Safety Analysis Report Heat Transport Systems blower on. During normal operations, air surrounding the HRR is isolated between the inlet and outlet of the HRS. The air is recirculated through a subsystem of the TMS which captures tritium permeating through the HRR and returns air at appropriate temperatures to provide thermal management for the HRR and limit heat losses. Further details of the tritium capture subsystem of the TMS which interfaces with the HRR are provided in Section 9.1.3. During startup and normal shutdown conditions, tritium capture is not conducted by the TMS and permeation losses through the HRR are released through the HRS as a gaseous effluent.

The transition from power operation to normal shutdown cooling involves a programmed runback (see Section 7.2) of the PSP and activation actuation of the heat rejection blower to minimize the thermal transient experienced by the reactor vessel and the PHTS.

The heat rejection blower is tripped concurrent with the PSP to prevent forced air ingress during postulated HRR tube failures.

5.1.2 Design Basis Consistent with PDC 2, the safetyrelated SSCs located near the PHTS are protected from the adverse effects of postulated PHTS failures during a design basis earthquake.

Consistent with PDC 10, the design of the reactor coolant supports the assurance that specified acceptable system radionuclide release design limits (SARRDLs) are not exceeded during any condition of normal operation, as well as during any unplanned transients.

Consistent with PDC 12, the design of the reactor coolant, in part, ensures that power oscillations cannot result in conditions exceeding specified acceptable SARRDLs.

Consistent with PDC 16, the design of the reactor coolant, in part, provides a means to control the release of radioactive materials to the environment during postulated events as part of the functional containment design.

Consistent with PDC 33, the design of the PHTS includes antisiphon features to maintain reactor coolant inventory in the event of breaks in the system.

Consistent with PDC 60, the design of the PHTS supports the control of radioactive materials during normal reactor operation.

Consistent with PDC 70, the design of the PHTS supports the purity control of the primary coolant by limiting air ingress.

Consistent with 10 CFR 20.1406, the design of the PHTS, to the extent practicable, minimizes contamination of the facility and the environment, and facilitates eventual decommissioning.

5.1.3 System Evaluation The design of the nonsafetyrelated PHTS is such that a failure of components of the PHTS does not affect the performance of safetyrelated SSCs due to a design basis earthquake. In addition to protective barriers, the PHTS pipe connections to the reactor vessel nozzles have sufficiently small wall thickness, such that if loaded beyond elastic limits, inelastic response occurs in the PHTS piping, which is non safetyrelated. These features, along with the seismic design described in Section 3.5, demonstrate conformance with the requirements in PDC 2.

While the primary side of the PHTS is a closed system, there are conceivable scenarios that may result in the release of radioactive effluents. The fuel design locates the fuel particles near the periphery of the fuel pebble, enhancing the ability of the fuel to transfer heat to the coolant. The thermal hydraulic analysis of the core (see Section 4.6) ensures that adequate coolant flow is maintained to ensure that Kairos Power Hermes 2 Unit 1 and 2 54 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls Figure 7.11: Instrumentation and Controls System Architecture Kairos Power Hermes 2, Units 1 and 2 73 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls Kairos Power Hermes 2, Units 1 and 2 74 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls 7.2 PLANT CONTROL SYSTEM 7.2.1 Description The PCS is a nonsafety related control system which controls reactor startup, changes in power levels, reactor shutdown, heat transport, and power generation system. The PCS implements these functions through a series of subsystems which include:

Reactor control system (RCS)

Reactor coolant auxiliary control system (RCACS)

Primary heat transport control system (PHTCS)

Intermediate heat transport control system (IHTCS)

Power generation control system Auxiliary monitored systems The PCS is a microprocessorbased distributed control system that individually controls plant systems using applicable inputs. The subsystems listed above are integrated into the PCS using nonsafety related signal wireways which are terminated at local cabinets and using redundant, nonsafety, real time data highways.

The control subsystems communicate with each other to ensure each subsystem has access to parameters such as measurements and actuation events from other subsystems.

This allows the PCS to maintain plant and unit parameters within the normal operating envelope. The RCS, RCACS, PHTCS, and IHTCS are unitspecific subsystems. The power generation control system is shared between Unit 1 and Unit 2. The auxiliary monitored systems are unitspecific. The PCS also provides data to the control consoles located in the main control room (see Section 7.4). Figure 7.11 shows the elements of the PCS.

The plantwide sensor inputs are used to verify interlock and permissive rules for the various plant states.

The sensor data is also used to provide feedback and alarms to the operators via the control consoles.

The PCS is powered by AC and DC power supplies which are discussed in Chapter 8.

The PCS uses nonsafety related sensor inputs as well as safetyrelated sensor inputs from the plant protection system (See Section 7.3.3). The PCS includes the input parameters shown in Table 7.21. The sensors are described in Section 7.5. The instrumentation provides input signals using nonsafety related signal wireways that are terminated at local cabinets.

Control outputs are generated using a control transfer function based on the sensor inputs and setpoints provided by the control system. The setpoints are adjusted automatically based on the plant operating mode, or in some cases by the operator via the main control room consoles. Plant operators do not directly control PCS outputs.

The PCS does not provide any safetyrelated functions during any mode of operation or postulated event. The PCS is electrically and functionally isolated from the safetyrelated RPS (see Section 7.3) using a safetyrelated isolation device as shown in Figure 7.11. The RPS isolation devices ensure electrical isolation between the electrical system and the nonsafety related SSCs that PCS normally controls that are deactivated by the RPS when a reactor trip is demanded.

The subsystems of the PCS are described below.

Kairos Power Hermes 2, Units 1 and 2 76 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls 7.2.1.1 Reactor Control System The RCS controls and monitors systems and components that support normal operation, planned transients, and normal shutdown of the reactor. The RCS controls the systems listed in Figure 7.11 and supports the following capabilities:

Reactivity control and planned transients/adjustments in power level Monitoring of core neutronics Pebble handling and storage Monitoring and control of temperature in the reactor The RCS controls reactivity for normal operations and normal shutdown using reactor control elements and reactor shutdown elements in the reactivity control and shutdown system (RCSS) (see Section 4.2).

The RCS is capable of incrementally changing the position of reactor control elements and of releasing the control and shutdown elements. The RCS is only capable of withdrawing elements one at a time and the RCS includes a limit on the rate at which a control element can be withdrawn, as also discussed in Section 4.2.2. In this way the design precludes, with margin, the potential for prompt criticality and rapid reactivity insertions. The RCS inputs include reactor outlet temperature and reactor inlet temperature sensors and source and power range neutron excore detectors. The RCS also provides a reactor monitoring function to monitor plant components that are associated with reactor functions.

The RCS uses source and power range sensors that are located outside the reactor vessel for reactor control.

The RCS controls pebble insertion and extraction, invessel pebble handling, and exvessel pebble handling in the pebble handling and storage system (PHSS) (see Section 9.3). The RCS is capable of counting linearized pebbles external to the vessel, controlling the rate of pebble insertion and removal from the vessel, and controlling pebble distribution within the PHSS.

The RCS controls the reactor thermal management system (RTMS) (see Section 9.1.5) to monitor the temperature of the primary system to maintain it within the normal operating envelope and to implement planned transients. The RCS controls external heating elements in the RTMS to prevent overcooling.

The RCS provides the capability for event monitoring and active actuation of the decay heat removal system (DHRS) (See Section 6.3.1).

7.2.1.2 Reactor Coolant Auxiliary Control System The RCACS controls and monitors systems and components that support normal operation in the core.

The system supports the following capabilities in the core:

Chemistry control in the primary system Inventory management system control Inert gas system control in the primary loops Tritium management system monitoring and control Remote handling system monitoring and control The RCACS controls the chemistry control system (see Section 9.1.1) to monitor reactor coolant chemistry. The monitoring systems provide information to facilitate maintaining coolant purity and circulating activity within specifications for the system.

Kairos Power Hermes 2, Units 1 and 2 77 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls The RCACS receives input from the inventory management system (see Section 9.1.4) which monitors primary coolant level during normal operations. The system also provides control for changes to primary inventory during planned primary filling and draining operations.

The RCACS also controls the inert gas system (see Section 9.1.2). During normal operation, the system provides control signal to maintain cover gas pressure and flow, monitors venting gas for impurities above specified limits in the gas space of the primary system. During startup, the system monitors and controls inert gas flow and temperature to support initial heating of the primary system.

The RCACS receives input from the tritium management system (see Section 9.1.3) and provides control signal to remove tritium from the cover gas in the primary system.

The RCACS receives input from the remote maintenance and inspection system (See Section 9.8.1) and provides monitoring and controls to support remote maintenance activities.

7.2.1.3 Primary Heat Transport Control System The PHTCS controls and monitors systems and components that support normal operation of the primary heat transport system (PHTS). The system supports the following capabilities:

Control of the flow rate through the PHTS PHTS thermal management Control of the heat rejection subsystem Primary loop draining, filling, and piping monitoring, including PHTS external piping The purpose of the PHTCS is to control the transport of primary coolant through the PHTS, to maintain the primary coolant in a liquid state, and to monitor the inventory of primary coolant in the PHTS. The PHTCS maintains the parameters in the PHTS within the normal operating envelope. The PHTCS controls the primary salt pump (PSP)and the primary loop thermal management subsystem (PLTMS). The sensors used by the PHTCS are discussed in Section 7.5.

The PHTCS provides control signal for the PSP (see Chapter 5). The control system manipulates the primary coolant flow rate by variable frequency to maintain PHTS parameters within the normal operating range. The PHTCS does not provide a safety function; however, as discussed in Section 7.3, the RPS trips the PSP on a reactor trip, as a protection feature for the reactor system related to the pump.

The PHTCS maintains the primary coolant in liquid phase throughout the PHTS to prevent localized over or underheating. The control system uses temperature as input to provide control signal to the PHTS auxiliary heaters.

The PHTCS provides controls and monitoring of the components that support the operation of the heat rejection subsystem.

7.2.1.4 Intermediate Heat Transfer Control System The IHTCS controls and monitors systems and components that support normal operation of the intermediate loop which removes heat from the primary loop. The system supports the following capabilities:

Control of the flow rate through the intermediate loop Intermediate loop heating Intermediate loop draining, filling, and piping monitoring Chemistry control in the intermediate loop Maintain positive pressure differential between the PHTS and IHTS during normal operations Kairos Power Hermes 2, Units 1 and 2 78 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls The purpose of the IHTCS is to control the transport of intermediate coolant through the intermediate loop, to maintain the intermediate coolant in a liquid state, and to monitor the inventory of intermediate coolant in the intermediate loop. The monitoring systems provide information to facilitate maintaining intermediate coolant purity within specifications for the system. The IHTCS does not perform a safety function. The IHTCS maintains the parameters in the intermediate loop within the normal operating envelope. The IHTCS controls the intermediate salt pump (ISP), the intermediate loop auxiliary heating system, the intermediate coolant inventory system, the intermediate coolant chemistry control system, and the intermediate inert gas system. The IHTCS controls the ISP by changing the intermediate coolant flow rate by variable frequency to maintain intermediate loop parameters within the normal operating range. The IHTCS controls the intermediate loop auxiliary heating system to maintain the intermediate coolant in liquid phase throughout the intermediate loop to prevent localized over or underheating. The control system uses temperature information as input to provide control signal to the intermediate loop auxiliary heaters. The IHTCS monitors the intermediate coolant inventory system, the intermediate coolant chemistry control system, and the intermediate inert gas system and provides information to facilitate maintaining the intermediate coolant within specifications for the system. The IHTCS monitors the IHX intermediate coolant inlet pressure and reactor coolant outlet pressure and controls the speed of the ISP to maintain a positive pressure differential.

7.2.1.5 Power Generation Control System The power generation control system controls and monitors systems and components that support normal operation of the turbinegenerator which converts heat from the intermediate loop into electrical power. The system includes five subsystems, as shown on Figure 7.11, which supports the control and monitoring of followingthe following capabilities:

Monitoring of turbineTurbinegenerator system parameters and initiation of turbinegenerator trips, and pump runbacks, position of turbine control, and bypass valves Control of steam Steam system flow rate from each units superheater to the turbine, and auxiliary steam loads Control of condensate Condensate and feedwater system flow rate and temperature to the evaporator Control of the position of turbine control and bypass valves Control of the removal Removal of heat from the aircooled condenser Makeup water supplied to the condensate and feedwater system; and blowdown to the drains The purpose of the power generation control system is to control the conversion of thermal energy into mechanical energy. The power generation control system does not perform a safetyrelated function.

The power generation control system maintains the parameters within the turbine generator, main steam, condensate, and feedwater systems within the normal operating envelope. The power generation system is further discussed in Section 9.9.

7.2.1.6 Auxiliary Monitored Systems The auxiliary monitored systems control and monitor auxiliary systems to support normal operations.

The auxiliary control systems include the following:

Compressed air system Chilled water system Electric supply/loads Reactor building heating, ventilation, air conditioning (RBHVAC)

Environmental monitoring Kairos Power Hermes 2, Units 1 and 2 79 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls The compressed air supply, as discussed in Section 9.8.3, is controlled and monitored to provide and distribute compressed air for maintenance and use in valve operation.

The chilled water system, as discussed in Section 9.7.4, is controlled and monitored to supply cooling water to nonsafety related SSCs.

The electrical supply, as discussed in Chapter 8, is controlled and monitored to support the nonsafety related normal and backup power supply.

The RBHAVAC is controlled and monitored to supply reactor building HVAC, as discussed in Section 9.2.

The environmental monitoring system, as discussed in Section 11.1.7, monitors radiation levels in unrestricted areas and radioactive material in effluents.

7.2.2 Design Bases Consistent with Principal Design Criteria (PDC) 13, the PCS is designed to monitor variables and systems over their anticipated ranges for normal operation, and over the range defined in postulated events.

7.2.3 System Evaluation The PCS is designed to monitor plant and unit parameters and maintain systems within normal operating range. The PCS is also designed to control planned transients associated with anticipated operational occurrences and maintain the affected reactor in a shutdown state. These functions are consistent with PDC 13. The PCS does not perform a safetyrelated function. Finally, the PCS is designed so that it cannot interfere with the RPSs ability to perform its safety functions; see Section 7.3 for more information about the isolation of the RPS from the PCS.

The PCS is a digital system that controls the reactor power about a point set by the operator. The control system uses linear average temperature and flow rate in the primary system as variable inputs to control power level so that it remains within the normal operating envelope. The PCS controls electrical power generation about a point set by the operators using steam flow rates, feedwater flow rates, and feedwater temperatures as inputs to control the positions of turbine control valves, turbine bypass valves, and feedwater regulating valves to balance the turbine load from each unit. The system design meets the applicable portions International Electrotechnical Commission (IEC) standard 61131 for industrial controllers (Reference 1), and the applicable portions of the cyber security standard IEC 62443 (Reference 2). Table 7.22 lists other standards applied to the PCS. Applicable portions of IEEE 1012 2017 (Reference 3) are used for verification and validation of PCS components, which is consistent with the nonsafety related classification of the PCS.

Action in the PCS is designed to accurately and reliably provide control signal for all modes of normal operation. The PCS is also designed to provide timely control signals, with further analysis of timeliness to be provided in an application for the Operating License.

The PCS includes interlocks and inhibits that prohibit or restrict operation of the reactor, PHSS, and the power generation system unless certain operating conditions are met. The following interlocks are included in the control system design:

An interlock that prohibits reactivity control element withdrawal until there is sufficient neutron count rate to ensure that nuclear instruments are responding to neutrons.

Interlocks are also provided related to startup power level and pebble handling as detailed in Table 7.23.

An interlock that prevents the opening of a units main steam isolation valve following a reactor trip until there is sufficient steam production to ensure that a turbine imbalance will not occur.

Kairos Power Hermes 2, Units 1 and 2 710 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls Consistent with PDC 21, the RPS is designed with sufficient redundancy and independence to assure than no single failure results in loss of its protection function. Individual components of the RPS may be removed from service for testing without loss of required minimum redundancy. The RPS is designed to permit periodic testing.

Consistent with PDC 22, the effects of natural phenomena, and of normal operating, maintenance, testing, and postulated event conditions, do not result in loss of the protection function for the RPS.

The RPS is designed with sufficient functional and component diversity to prevent the loss of function for the RPS.

Upon loss of electrical power or detection of adverse environmental conditions, the RPS fails to a safe state, consistent with PDC 23.

The RPS system functionally independent from the control systems, consistent with PDC 24.

Consistent with PDC 25, the RPS is designed to ensure that radionuclide release design limits are not exceeded upon reactor trip actuation, including in the event of a single failure of the reactivity control system.

Consistent with PDC 28, the RPS setpoints are designed to limit the potential amount and rate of reactivity to ensure sufficient protection from postulated events involving reactivity transients. The limits are set such that reactivity events cannot result in damage to the reactor coolant boundary greater than limited local yielding, and cannot sufficiently disturb the core, its support structures, or other reactor vessel internals to impair significantly the capability to cool the core.

The RPS is designed to be redundant and diverse to assure there is a high probability of accomplishing its safetyrelated functions in postulated events, consistent with PDC 29.

The RPS is designed, fabricated, erected, constructed, tested, and inspected to quality standards commensurate with the safety function to be performed.

The RPS is designed in accordance with IEEE Std 6032018 (Reference 1).

7.3.3 System Evaluation The RPS provides automatic reactor trip (1) if plant parameters exceed the normal operation envelope (PDC 20), (2) in the event of station blackout, and (3) manually using signal from the main control room or remote onsite shutdown panel. The RPS also ensures that the DHRS is running when the reactor trips.

The RPS is consistent with NUREG1537, Guidelines for Preparing and Reviewing Applications for the Licensing of NonPower Reactors, by meeting IEEE 6032018. Table 7.31 provides a list of the consensus standards to which the RPS is designed.

Chapter 13 describes the postulated events to which the RPS is designed to respond. The RPS uses the same set of operating parameters in the trip and actuation logic for all modes of reactor operation. The setpoints are established to ensure that the design conditions of the reactor coolant boundary are not exceeded during operation within the design basis. This is consistent with PDC 25 because maintaining the reactor coolant boundary within design basis bounds will ensure that radionuclide release design limits are not exceeded. The setpoints are established and calibrated using the method described in Section 7.1.2.

Reactor trips implemented by the RPS meet IEEE 6032018, Section 4. The primary plant trip signal is based on core temperature measurement. In addition, the plant will also have a trip signal for high flux rate based on input from the neutron detector sensors and a trip of the reactor upon detection of a break in the PHSS extraction line. When the temperature or flux rate are outside the normal operating range or when a PHSS extraction line break is detected, the primary plant trip deenergizes the RSS reactivity shutdown system trip device, the DHRS loop trip device, and the PCS inhibitor trip device.

Redundant trip devices are provided for each signal pathway. Note that the cabling to the trip devices is not classified as safetyrelated because the trip devices accomplish their safety function without reliance Kairos Power Hermes 2, Units 1 and 2 718 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls Figure 7.31: Reactor Protection System Trip Logic Schematic Kairos Power Hermes 2, Units 1 and 2 723 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls Kairos Power Hermes 2, Units 1 and 2 724 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls Kairos Power Hermes 2, Units 1 and 2 725 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls during shutdown, and (2) provides the capability for subsequent safe shutdown of the reactor through the use of suitable procedures.

7.4.3 System Evaluation 7.4.3.1 Main Control Room The MCR is located in an auxiliary building separate from the Reactor Building. There are no operator actions performed nor safetyrelated SSCs located in the MCR that are credited for mitigating the consequences of postulated events described in Chapter 13. Therefore, the MCR and the building that houses the MCR are designed to local building code standards.

The MCR consoles are designed to allow operators to manipulate plant parameters to control the reactor within an acceptable envelope during normal operating conditions, including planned transients.

However, no operator actions are credited in the safety analysis of postulated events described in Chapter 13. Although the controls in the MCR are not credited in the safety analysis, the MCR consoles are designed as follows:

MCR displays implements the guidance from NUREG1537, Section 7.6, with respect to ease of operators use. Human factor engineering principles will be considered in the MCR design. The plant controls are grouped and located in the MCR so that operators can easily reach and manipulate the controls. Displays of the results of an operators actions are readily observable.

The screen element organization and appearance of the consoles are designed to allow operators to perform actions to operate the reactor under normal operating conditions and to monitor it under postulated event conditions, consistent with PDC 19.

The MCR consoles are digital interfaces that consider IEEE 74.3.22003 (Reference 1), as it relates to hardware design, and Regulatory Guide 1.152, Revision 2 Criteria for Use of Computers in Safety Systems of Nuclear Power Plants. The control consoles in the MCR are designed to display plant parameters that indicate plant status. The MCR consoles display the following information:

o Plant sensor data and digitally processed parameter outputs based on plant sensor data o Indications of PCS and RPS system and equipment status o Current and past operating parameter and system information for a duration relevant to inform process and maintenance trending Administrative controls are applied to the consoles in the main control room to prevent unauthorized access. MCR console screens are passwordprotected and include interlocks such as swipe cards and multioperator coordinated logins to prevent unauthorized access and systems actuation.

The two reactor units will be controlled individually to achieve criticality and produce thermal power. However, the steam supply from both reactors is regulated through common flow control valves to ensure balanced steam supply to the turbine as well as prevent coolant feedback from one system to the other.

The MCR is located at a distance from the Reactor Buildings such that the radiological consequences of unfiltered air in the MCR during postulated events does not exceed 5 rem TEDE for the duration of the event. The environmental control features for the MCR are separate from the environmental control features for the Reactor Buildings. The analysis of operator dose depends on the final design of the reactors safetyrelated SSCs and the analysis will reflect the methods described in Chapter 13.

Accordingly, a description of the analysis of operator dose will be provided in the application of the Operating License.

Kairos Power Hermes 2, Units 1 and 2 727 Revision 0

Preliminary Safety Analysis Report Accident Analysis A turbine missile could be generated due to a postulated turbine generator failure. Due to the favorable orientation of the turbine generator with respect to the reactor building, SSCs associated with engineered safety features are not affected by a potential turbine missile to the extent that they could not perform their safety functions.

For SSCs not protected with such an area, the amount of materials at risk are assumed to be limited to an upper bound limit such that the amount of radioactive material released is bounded by the amount released during the MHA. Releases from these SSCs are considered in Section 13.1.6.

During the seismic event, the packing fraction of the pebble bed would increase due to shaking of the pebble bed, and the graphite reflector blocks would shift. This results in an increase in reactivity, causing an increase in fuel temperature. The increase in reactivity due to increase in packing fraction of the pebble bed and maximum displacement of graphite reflector blocks during a seismic event is bounded by the reactivity insertion event where the control element is inadvertently withdrawn. Insertion of excess reactivity events are described in Section 13.1.2.

Mechanical aerosols could also be generated due to splashing of Flibe in the reactor during a seismic event. The amount of aerosols generated during a seismic event is bounded by the amount of aerosols generated by the salt spill event where a pipe breaks.

A break in a high energy steam line or superheater could occur due to a failure of the steam system.

Physical separation of the power generation systems from safetyrelated SSCs and the design of the safetyrelated portion of the reactor building ensures that a high energy break will not prevent safety related SSCs from performing their safety functions. The potential reactivity insertion caused by an increase in heat removal due to a steam line break is considered in Section 13.1.2.

13.1.10 Prevented Events This section describes the events prevented by design. The justification for excluding these events from the design basis is provided with references to the relevant design information.

13.1.10.1 Recriticality or Reactor Reactivity Shutdown System Failure In postulated events that require a reactor trip, the reactor reactivity shutdown system (the safety related portion of the RCSS), is relied upon to shut down the reactor and maintain shutdown margin.

Reactor Reactivity shutdown system (RSS) failure events are excluded from the design basis. Events that would result in a recriticality event are also excluded from the design basis. The RCSS is designed (described in Section 4.2.2) with sufficient independence, diversity, and redundancy from detection and actuation to element insertion to ensure reactor shutdown when necessary. The shutdown margin is maintained for all postulated event conditions to ensure there is no recriticality after the RCSS has initiated shutdown, as described in Section 4.5. Additionally, the graphite reflector blocks are designed to maintain structural integrity and ensure misalignments do not prevent the insertion path of the shutdown elements, as discussed in Section 4.3.

13.1.10.2 Degraded Heat Removal or Uncooled Events In postulated events where the normal heat removal is not available, natural circulation in the reactor vessel and the heat removal function of the DHRS are relied upon to remove heat from the reactor core.

Degraded heat removal or uncooled events are excluded from the design basis. The initiation of natural circulation is completely passive, and the design features, including the structural integrity of the reactor vessel internals, that ensure a continued natural circulation flow path are discussed in Section 4.6. The DHRS is aligned and operating when the reactor power is above a threshold power and remains in this state as described in Section 6.3, precluding the need for an actuation to occur for the DHRS to remove Kairos Power Hermes 2, Units 1 and 2 1313 Revision 0