Text

KP-NRC-2403- 001

Enclosure 1 Changes to Hermes 2 PSAR Chapter 7 (Non-Proprietary)

Preliminary Safety Analysis Report Instrumentation and Controls

The RCACS receives input from the inventory management system (see Section 9.1.4) which monitors primary coolant level during normal operations. The sy stem also provides control for changes to primary inventory during planned primary filling and draining operations.

The RCACS also controls the inert gas system (see Section 9.1.2). Duri ng normal operation, the system provides control signal to maintain cover gas pressure and flow, monitors venting gas for impurities above specified limits in the gas space of the prim ary system. During startup, the system monitors and controls inert gas flow and temperature to s upport initial heating of the primary system.

The RCACS receives input from the tritium management system (see Section 9.1.3) and provides control signal to remove tritium from the cover gas in the primary system.

The RCACS receives input from the remote maintenance and inspection system (See Section 9.8.1) and provides monitoring and controls to su pport remote maintenance activities.

7.2.1.3 Primary Heat Transport Control System The PHTCS controls and monitors systems and comp onents that support normal operation of the primary heat transport system (PHTS). The system supports the following capabilities:

Control of the flow rate through the PHTS PHTS thermal management Control of the heat rejection subsystem Primary loop draining, filling, and piping monitoring, including PHTS external piping The purpose of the PHTCS is to control the transpor t of primary coolant through the PHTS, to maintain the primary coolant in a liquid stat e, and to monitor the inventory of primary coolant in the PHTS. The PHTCS maintains the parameters in the PHTS within the normal operating envelope. The PHTCS controls the primary salt pump (PSP) and the primary loop thermal management subsystem (PLTMS). The sensors used by the PHTCS are discussed in Section 7.5.

The PHTCS provides control signal for the PSP (see Chapter 5). The control system manipulates the primary coolant flow rate by variable frequency to maintain PHTS parameters within the normal operating range. The PHTCS does not provide a safety function; however, as discussed in Section 7.3, the RPS trips the PSP on a reactor trip, as a protection feature for the reactor system related to the pump.

The PHTCS maintains the primary coolant in liquid phas e throughout the PHTS to prevent localized over-or under-heating. The control system uses temperature as input to provide control signal to the PHTS auxiliary heaters.

The PHTCS provides controls and monitoring of the co mponents that support the operation of the heat rejection subsystem through the heat rejection control system (HRCS) (See Section 5.1.1) .

7.2.1.4 Intermediate Heat Transfer Control System The IHTCS controls and monitors systems and components that support normal operation of the intermediate loop which removes heat from the primary loop. The syst em supports the following capabilities:

Control of the flow rate through the intermediate loop Intermediate loop heating Intermediate loop draining, f illing, and piping monitoring Chemistry control in the intermediate loop

Kairos Power Hermes 2, Units 1 and 2 7-8 Revision 0 Preliminary Safety Analysis Report Instrumentation and Controls

Interlocks are also provided related to startu p power level and pebble handling as detailed in Table 7.2-3.

An interlock that prevents the opening of a units main steam isolation valve following a reactor trip until there is sufficient steam production to ensure that a turbine imbalance will not occur.

The PCS initiates automatic turbine generator trip signals if certain conditions are detected. In the event of a turbine generator trip, the PCS initiates runbacks of the RCSS, PSP, ISP, and feedwater pumps on both units to decrease reactor thermal power and heat transport to a level that can be safely rejected using normal shutdown cooling if the condenser is available or using main steam power relief valves and/or main steam safety valves if the condenser is not available.

In the event of a single unit reactor trip, the PCS w ill initiate signals to close the main steam isolation valve, open turbine bypass valves, regulate flow co ntrol valves through the unit specific superheater and runback feedwater flow to the affected unit to mainta in a minimum flow to the steam generator, ensure balanced steam supply to the turbine, and prevent overcooling of the intermediate loop, as discussed in Section 9.9. A turbine generator runback will also be initiated to es tablish turbine generator output within the capacity of a single units superheater to allow the unaffected unit to remain online. Should the grid be unable to absorb the communicated power loss of a single unit trip, the turbine generator will lose grid synchronization and trip, in which case steam from the remaining unit will bypass the turbine while the reactor ramps down in power or grid connection is re-established.

The unit-specific plant controls are grouped and located on unit-specific operating panels in the main control room so that operators for each unit can easily reach and manipulate the controls. The shared system controls are grouped and located on a separate operating panel within the main control room, that is accessible to both units operators , and requires coordination between each units operators before controls can be manipulated. Displays of the results of operat or actions are readily observable.

See Section 7.4 for more information ab out the human interface for the PCS.

The PCS is not safety-related and no safety-related SSCs cross the seismic isolation moat, discussed in Section 3.5. However, any portion of the PCS that cr osses the moat includes flex ible design features to accommodate design displacements from postulated seismic events to the extent necessary to prevent damage of SSCs in the PCS from affecting a safety-r elated SSC's ability to perform its safety function.

Specific design features and the SSCs to which they are applied, will be provided in the Operating License application.

Additional information about the PCS that is dependent on the final design of the reactor and the power generation systems SSCs will be provided in the Operating License Application, including: (1) further specifics about the hardware and software, (2) software flow diagrams for digital computer systems, (3) a description of how the operational and support re quirements will be met, and (4) the basis for reliability of PCS systems and reliability targets.

7.2.4 Testing and Inspection Functional tests will be performed prior to initial st artup and tests and inspections consistent with the standards discussed in Section 7.2.3.

7.2.5 References

1. International Electrotechnical Commission, IEC 61131, "Programmable Controllers. 2020.

2. International Electrotechnical Commissi on, IEC 62443, Cybersecurity. 2015.

Kairos Power Hermes 2, Units 1 and 2 7-11 Revision 0 Preliminary Safety Analysis Report Instrumentation and Controls

7.4 MAIN CONTROL ROOM AND REMOTE ONSITE SHUTDOWN PANEL 7.4.1 Description The main control room (MCR) is shared between Unit 1 and Unit 2. The MCR provides means for operators to monitor the behavior of each unit and shared systems , control performance of each unit and the shared systems, and manage the response to postulated event conditions in each unit. Unit-specific remote onsite shutdown panels (ROSP) provide separate means to shut down each unit and monitor plant parameters in response to postulated event conditions. Figure 7.4-1 shows the architecture of the MCR and ROSP.

7.4.1.1 Main Control Room The MCR contains equipment related to normal oper ation of the plant. These include operator and supervisor workstation terminals, which provide alarms, annunciations, personnel and equipment interlocks, and process information. These pieces of equipment are the main point of interaction (human/system interface (HSI)) between operators and the PCS and the information coming from the RPS. The terminals are connected to the main plant network through a network switch. The system uses redundant fiber optic communication channels between the PCS and the MCR. Communication from the RPS to the MCR utilizes the data diode discussed in Section 7.3.3 for one-way communication.

The MCR consoles display plant parameters to allow operators to monitor conditions during and following postulated events. Dedicated consoles are provided to control and monitor each unit individually and to control and monitor shared systems. The MCR consoles contain a manual trip switch that propagates through a gateway and through safety-related isolation, which allows operators to initiate a reactor trip, but this is not a credited safety-rel ated function nor credited in the accident analyses (see Chapter 13).

The MCR also contains a central alarm panel for th e fire protection system so that operators can monitor the status of fire protection equipment inside the Reactor Building. The central alarm panel includes controls for the ventilation and extinguishing systems related to the response to fires.

7.4.1.2 Remote Onsite Shutdown Panel The ROSP provides a HSI for plant staff to monitor unit-specific indications from the reactor protection system including operating status of the RTS and the DHRS in the event that the MCR becomes inaccessible or uninhabitable. The ROSP features one-way (read-only) communication with reactor protection system instrumentation signals and the ability to initiate a trip signal from the manual trip button that actuates reactor protecti on systems. The ROSP is not safe ty-related and is located in the safety related portion of the Reactor Building for each unit.

7.4.2 Design Bases Consistent with PDC 19:

The design of the main control room allows actions to be taken to operate the reactor under normal operating conditions and to monitor it under postulated event conditions.

The main control room is designed to provide radi ation protection allowing access and occupancy of the control room under postulated event conditions without personnel receiving radiation exposures in excess of 5 rem total effective dose equivalent (TEDE) for the duration of the event.

The main control room is designed to be habita ble, allowing access and occupancy of the main control room during normal operations and under postulated event conditions.

An ROSP for each unit is located outside the control room that (1) provides the capability to promptly shutdown the reactor and includes instrumentation and controls to monitor the unit

Kairos Power Hermes 2, Units 1 and 2 7-27 Revision 0