Text

KP-NRC-2403-001 Changes to Hermes 2 PSAR Chapter 7 (Non-Proprietary)

Preliminary Safety Analysis Report Instrumentation and Controls Kairos Power Hermes 2, Units 1 and 2 7-3 Revision 0 Figure 7.1-1: Instrumentation and Controls System Architecture

Preliminary Safety Analysis Report Instrumentation and Controls Kairos Power Hermes 2, Units 1 and 2 7-4 Revision 0

Preliminary Safety Analysis Report Instrumentation and Controls Kairos Power Hermes 2, Units 1 and 2 7-8 Revision 0 The RCACS receives input from the inventory management system (see Section 9.1.4) which monitors primary coolant level during normal operations. The system also provides control for changes to primary inventory during planned primary filling and draining operations.

The RCACS also controls the inert gas system (see Section 9.1.2). During normal operation, the system provides control signal to maintain cover gas pressure and flow, monitors venting gas for impurities above specified limits in the gas space of the primary system. During startup, the system monitors and controls inert gas flow and temperature to support initial heating of the primary system.

The RCACS receives input from the tritium management system (see Section 9.1.3) and provides control signal to remove tritium from the cover gas in the primary system.

The RCACS receives input from the remote maintenance and inspection system (See Section 9.8.1) and provides monitoring and controls to support remote maintenance activities.

7.2.1.3 Primary Heat Transport Control System The PHTCS controls and monitors systems and components that support normal operation of the primary heat transport system (PHTS). The system supports the following capabilities:

Control of the flow rate through the PHTS PHTS thermal management Control of the heat rejection subsystem Primary loop draining, filling, and piping monitoring, including PHTS external piping The purpose of the PHTCS is to control the transport of primary coolant through the PHTS, to maintain the primary coolant in a liquid state, and to monitor the inventory of primary coolant in the PHTS. The PHTCS maintains the parameters in the PHTS within the normal operating envelope. The PHTCS controls the primary salt pump (PSP) and the primary loop thermal management subsystem (PLTMS). The sensors used by the PHTCS are discussed in Section 7.5.

The PHTCS provides control signal for the PSP (see Chapter 5). The control system manipulates the primary coolant flow rate by variable frequency to maintain PHTS parameters within the normal operating range. The PHTCS does not provide a safety function; however, as discussed in Section 7.3, the RPS trips the PSP on a reactor trip, as a protection feature for the reactor system related to the pump.

The PHTCS maintains the primary coolant in liquid phase throughout the PHTS to prevent localized over-or under-heating. The control system uses temperature as input to provide control signal to the PHTS auxiliary heaters.

The PHTCS provides controls and monitoring of the components that support the operation of the heat rejection subsystem through the heat rejection control system (HRCS) (See Section 5.1.1).

7.2.1.4 Intermediate Heat Transfer Control System The IHTCS controls and monitors systems and components that support normal operation of the intermediate loop which removes heat from the primary loop. The system supports the following capabilities:

Control of the flow rate through the intermediate loop Intermediate loop heating Intermediate loop draining, filling, and piping monitoring Chemistry control in the intermediate loop Highlighted text was previously changed. Submitted on 1/3/24 (ML24003A767).

Preliminary Safety Analysis Report Instrumentation and Controls Kairos Power Hermes 2, Units 1 and 2 7-11 Revision 0 Interlocks are also provided related to startup power level and pebble handling as detailed in Table 7.2-3.

An interlock that prevents the opening of a units main steam isolation valve following a reactor trip until there is sufficient steam production to ensure that a turbine imbalance will not occur.

The PCS initiates automatic turbine generator trip signals if certain conditions are detected. In the event of a turbine generator trip, the PCS initiates runbacks of the RCSS, PSP, ISP, and feedwater pumps on both units to decrease reactor thermal power and heat transport to a level that can be safely rejected using normal shutdown cooling if the condenser is available or using main steam power relief valves and/or main steam safety valves if the condenser is not available.

In the event of a single unit reactor trip, the PCS will initiate signals to close the main steam isolation valve, open turbine bypass valves, regulate flow control valves through the unit specific superheater and runback feedwater flow to the affected unit to maintain a minimum flow to the steam generator, ensure balanced steam supply to the turbine, and prevent overcooling of the intermediate loop, as discussed in Section 9.9. A turbine generator runback will also be initiated to establish turbine generator output within the capacity of a single units superheater to allow the unaffected unit to remain online. Should the grid be unable to absorb the communicated power loss of a single unit trip, the turbine generator will lose grid synchronization and trip, in which case steam from the remaining unit will bypass the turbine while the reactor ramps down in power or grid connection is re-established.

The unit-specific plant controls are grouped and located on unit-specific operating panels in the main control room so that operators for each unit can easily reach and manipulate the controls. The shared system controls are grouped and located on a separate operating panel within the main control room, that is accessible to both units operators, and requires coordination between each units operators before controls can be manipulated. Displays of the results of operator actions are readily observable.

See Section 7.4 for more information about the human interface for the PCS.

The PCS is not safety-related and no safety-related SSCs cross the seismic isolation moat, discussed in Section 3.5. However, any portion of the PCS that crosses the moat includes flexible design features to accommodate design displacements from postulated seismic events to the extent necessary to prevent damage of SSCs in the PCS from affecting a safety-related SSC's ability to perform its safety function.

Specific design features and the SSCs to which they are applied, will be provided in the Operating License application.

Additional information about the PCS that is dependent on the final design of the reactor and the power generation systems SSCs will be provided in the Operating License Application, including: (1) further specifics about the hardware and software, (2) software flow diagrams for digital computer systems, (3) a description of how the operational and support requirements will be met, and (4) the basis for reliability of PCS systems and reliability targets.

7.2.4 Testing and Inspection Functional tests will be performed prior to initial startup and tests and inspections consistent with the standards discussed in Section 7.2.3.

7.2.5 References

1. International Electrotechnical Commission, IEC 61131, "Programmable Controllers. 2020.

2. International Electrotechnical Commission, IEC 62443, Cybersecurity. 2015.

Preliminary Safety Analysis Report Instrumentation and Controls Kairos Power Hermes 2, Units 1 and 2 7-27 Revision 0 7.4 MAIN CONTROL ROOM AND REMOTE ONSITE SHUTDOWN PANEL 7.4.1 Description The main control room (MCR) is shared between Unit 1 and Unit 2. The MCR provides means for operators to monitor the behavior of each unit and shared systems, control performance of each unit and the shared systems, and manage the response to postulated event conditions in each unit. Unit-specific remote onsite shutdown panels (ROSP) provide separate means to shut down each unit and monitor plant parameters in response to postulated event conditions. Figure 7.4-1 shows the architecture of the MCR and ROSP.

7.4.1.1 Main Control Room The MCR contains equipment related to normal operation of the plant. These include operator and supervisor workstation terminals, which provide alarms, annunciations, personnel and equipment interlocks, and process information. These pieces of equipment are the main point of interaction (human/system interface (HSI)) between operators and the PCS and the information coming from the RPS. The terminals are connected to the main plant network through a network switch. The system uses redundant fiber optic communication channels between the PCS and the MCR. Communication from the RPS to the MCR utilizes the data diode discussed in Section 7.3.3 for one-way communication.

The MCR consoles display plant parameters to allow operators to monitor conditions during and following postulated events. Dedicated consoles are provided to control and monitor each unit individually and to control and monitor shared systems. The MCR consoles contain a manual trip switch that propagates through a gateway and through safety-related isolation, which allows operators to initiate a reactor trip, but this is not a credited safety-related function nor credited in the accident analyses (see Chapter 13).

The MCR also contains a central alarm panel for the fire protection system so that operators can monitor the status of fire protection equipment inside the Reactor Building. The central alarm panel includes controls for the ventilation and extinguishing systems related to the response to fires.

7.4.1.2 Remote Onsite Shutdown Panel The ROSP provides a HSI for plant staff to monitor unit-specific indications from the reactor protection system including operating status of the RTS and the DHRS in the event that the MCR becomes inaccessible or uninhabitable. The ROSP features one-way (read-only) communication with reactor protection system instrumentation signals and the ability to initiate a trip signal from the manual trip button that actuates reactor protection systems. The ROSP is not safety-related and is located in the safety related portion of the Reactor Building for each unit.

7.4.2 Design Bases Consistent with PDC 19:

The design of the main control room allows actions to be taken to operate the reactor under normal operating conditions and to monitor it under postulated event conditions.

The main control room is designed to provide radiation protection allowing access and occupancy of the control room under postulated event conditions without personnel receiving radiation exposures in excess of 5 rem total effective dose equivalent (TEDE) for the duration of the event.

The main control room is designed to be habitable, allowing access and occupancy of the main control room during normal operations and under postulated event conditions.

An ROSP for each unit is located outside the control room that (1) provides the capability to promptly shutdown the reactor and includes instrumentation and controls to monitor the unit

Preliminary Safety Analysis Report Instrumentation and Controls Kairos Power Hermes 2, Units 1 and 2 7-31 Revision 0 Figure 7.4-1: Architecture of the Main Control Room and the Remote Shutdown Onsite Panel

Preliminary Safety Analysis Report Instrumentation and Controls Kairos Power Hermes 2, Units 1 and 2 7-32 Revision 0