ML24113A272
| ML24113A272 | |
| Person / Time | |
|---|---|
| Site: | Hermes File:Kairos Power icon.png |
| Issue date: | 04/22/2024 |
| From: | NRC |
| To: | NRC/NRR/DANU |
| References | |
| Download: ML24113A272 (19) | |
Text
From:
Cayetano Santos Sent:
Monday, April 22, 2024 3:14 PM To:
Weidong Wang; Larry Burkhart Cc:
Michael Orenak; Matthew Hiser; Brian Bettes; Josh Borromeo
Subject:
Preliminary Chapter of Hermes 2 SE Attachments:
Chapter 07 - Instrumentation and Controls System.pdf
- Weidong, Attached is another one of the preliminary chapters from the safety evaluation (SE) for the Hermes 2 construction permit application. This chapter has been reviewed by branch chiefs and received a preliminary review by OGC. However, this chapter is not final because it still needs to be reviewed by division management and receive the final OGC review. Thus, this preliminary chapter could change between now and the approved SE that will be sent to ACRS for formal review. I am sending this chapter in advance so that members can become familiar with the safety evaluation and begin preparing for the formal review.
Ten preliminary chapters were provided to you on March 14, and April 4, 2024. I expect to send additional preliminary chapters to you piecemeal after they receive the preliminary OGC for the first planned subcommittee meeting on May 16, 2024.
Kairos Power submitted Revision 0 of the preliminary safety analysis report (PSAR) for Hermes 2 in July 2023. All preliminary SE chapters being sent to the ACRS refer to Revision 1 of the PSAR. Although Revision 1 of the PSAR has not been submitted, Kairos stated their intent to do so once all PSAR changes are known (i.e., the end of the technical review). The current list of docketed PSAR changes that will be incorporated into Revision 1 of the PSAR can be found in ADAMS and on the NRC public webpage at https://www.nrc.gov/reactors/non-power/new-facility-licensing/hermes2-kairos/documents.html.
The staff has taken a different approach toward the Hermes 2 SE considering that Hermes 1 and Hermes 2 CP applications have most of the same information. Due to these similarities, the staff leveraged the Hermes 1 SE to the extent possible for Hermes 2, using an incorporation by reference for many sections. The following description, taken from Chapter 1 of the Hermes 2 SE, discusses how the staffs review of Hermes 1 was applied to its review of the Hermes 2:
Use of Docketed Information The staffs review of the Hermes 2 CP application was informed by the Hermes 1 CP application review. The Hermes 2 facility includes many SSCs that are identical to those that would be used in the Hermes 1 facility. Accordingly, large portions of the Hermes 1 PSAR are identical to the Hermes 2 PSAR. In the July 14, 2023, CP application submittal, Kairos highlighted the differences between the Hermes 1 and Hermes 2 PSARs in two ways. First, Kairos used blue font in the Hermes 2 PSAR to identify any modified or new
text. Second, Kairos provided a summary of the information deleted from the Hermes 1 PSAR to generate the Hermes 2 PSAR (ML23195A132).
In addition, Kairos identified the docketed information and audit information from Hermes 1 that is applicable to the Hermes 2 CP application in two letters dated October 27, 2023 (ML23300A141 and ML22300A144). This information is considered docketed information for the Hermes 2 CP application and was used to inform the staffs review.
Format and Content of Hermes 2 Safety Evaluation Sections Based on the consistencies between the Hermes 1 and Hermes 2 PSARs described above, the staff leveraged the Hermes 1 SE to the greatest extent possible to support its review of the Hermes 2 CP application. Accordingly, applicable contents of the Hermes 1 SE were incorporated by reference into this SE. To determine which Hermes 1 SE content could be incorporated by reference, the staff reviewed the differences between the Hermes 1 and Hermes 2 PSARs. Where the Hermes 2 PSAR only contained minor deviations (e.g., minimal or no effect on the NRC SE or editorial changes, as compared to the Hermes 1 PSAR), the staffs SE was largely limited to incorporating by reference applicable portions of the Hermes 1 SE. Similarly, where the Hermes 2 PSAR contained a limited number of significant but discrete changes, but was otherwise identical to the Hermes 1 PSAR, the staffs SE was likewise limited to an evaluation of the variances between the two PSARs. In this case, the balance of the staffs SE also incorporated by reference applicable portions of the Hermes 1 SE. Based on this approach, many of the Hermes 2 SE sections are organized using the following structure:
Brief introduction summarizing the Hermes 2 PSAR content with a focus on any changes in comparison to the Hermes 1 PSAR.
Regulatory evaluation section that, in most cases, incorporates by reference the regulations and guidance from the corresponding section of the Hermes 1 SE due to the similarities between the Hermes 1 and Hermes 2 facility designs.
Technical evaluation that:
o Identifies the consistent and modified Hermes 2 PSAR information, as compared to the Hermes 1 PSAR.
o Incorporates by reference, as appropriate, content from the Hermes 1 SE for PSAR information that is consistent between Hermes 1 and Hermes 2.
o Evaluates the new design information and non-editorial changes (i.e.,
minor and/or few significant changes), as compared to the Hermes 1 SE.
The depth of the staff review provided for each change is dependent on the significance of that change.
A full conclusion specific to the Hermes 2 review.
For Hermes 2 PSAR sections that contain entirely new information and/or several significant changes when compared to the Hermes 1 PSAR, the staff performed its evaluation without incorporation by reference from the Hermes 1 SE. One example of a section which reflects such an evaluation by the staff is Section 5.2, Intermediate Heat Transport System, of this SE related to the intermediate salt loops. These systems are not in the design of the Hermes 1 test reactor; therefore, they were not evaluated by the staff in its review of the Hermes 1 CP application. Accordingly, the staff evaluated this system without incorporation by reference of the Hermes 1 SE.
If you have any questions, please contact me or Mike Orenak.
-Tanny Santos
Hearing Identifier:
Kairos_Hermes2_CPDocs_Public Email Number:
12 Mail Envelope Properties (MW4PR09MB9010A1926AC6D749FB162C06E5122)
Subject:
Preliminary Chapter of Hermes 2 SE Sent Date:
4/22/2024 3:14:19 PM Received Date:
4/22/2024 3:14:00 PM From:
Cayetano Santos Created By:
Cayetano.Santos@nrc.gov Recipients:
"Michael Orenak" <Michael.Orenak@nrc.gov>
Tracking Status: None "Matthew Hiser" <Matthew.Hiser@nrc.gov>
Tracking Status: None "Brian Bettes" <Brian.Bettes@nrc.gov>
Tracking Status: None "Josh Borromeo" <Joshua.Borromeo@nrc.gov>
Tracking Status: None "Weidong Wang" <Weidong.Wang@nrc.gov>
Tracking Status: None "Larry Burkhart" <Lawrence.Burkhart@nrc.gov>
Tracking Status: None Post Office:
MW4PR09MB9010.namprd09.prod.outlook.com Files Size Date & Time MESSAGE 5927 4/22/2024 3:14:00 PM Chapter 07 - Instrumentation and Controls System.pdf 194869 Options Priority:
Normal Return Notification:
No Reply Requested:
No Sensitivity:
Normal Expiration Date:
7 INSTRUMENTATION AND CONTROL SYSTEMS Chapter 7 of the Kairos Power LLC (Kairos) Hermes 2 construction permit (CP) safety evaluation (SE) describes the U.S. Nuclear Regulatory Commission (NRC) staffs (the staffs) technical review and evaluation of the preliminary design of the Hermes 2 test reactor facilitys structures, systems, and components (SSCs) as presented in Chapter 7.0, Instrumentation and Controls, of the Hermes 2 Preliminary Safety Analysis Report (PSAR), Revision 1.
As part of this review, the staff evaluated information regarding the Hermes 2 Instrumentation and Control (I&C) systems, with special attention to design and operating characteristics, unusual or novel design features, and principal safety considerations. The preliminary design of the Hermes 2 I&C systems was evaluated to ensure the appropriate Principal Design Criteria (PDC) and design bases have been established and information relative to materials of construction, general arrangement, and approximate dimensions are sufficient to provide reasonable assurance that the final design will conform to the design basis.
Areas of review for this section included the plant control system (PCS), reactor protection system (RPS), main control room (MCR), remote onsite shutdown panels (ROSPs), display information, and sensors. Within these review areas, the staff assessed the preliminary design of the I&C systems needed to monitor key parameters and variables, maintain parameters and variables within prescribed operating ranges, alert operators when operating ranges are exceeded, and assure safety limits are not exceeded.
7.1 Instrumentation and Controls Overview Section 7.1.1, Summary Description, of the Hermes 2 PSAR states that the I&C systems monitor and control plant operations during normal operations and planned transients. The systems also monitor and actuate protection systems in the event of unplanned transients.
The Hermes 2 I&C architecture is comprised of four parts, described in the bulleted list below.
Each of the four parts are described in further detail in subsequent subsections of this SE. The architectural design of the system accounts for interconnection interfaces for plant I&C SSCs.
Hermes 2 PSAR Figure 7.1-1, Instrumentation and Controls System Architecture, provides an overview of the I&C system architecture.
x The PCS provides the capability to reliably control plant systems during normal, steady state, and planned transient power operations, including normal plant startup, power maneuvering, and shutdown. The power generation control system is the only portion of the PCS that is shared between Unit 1 and Unit 2. The PCS is evaluated in Section 7.2 of this SE.
x The RPS provides protection for reactor operations by initiating signals to mitigate the consequences of postulated events and to ensure safe shutdown. The safety-related RPS is not shared between Unit 1 and Unit 2. The RPS is evaluated in Section 7.3 of this SE.
x The MCR and ROSPs provide the capability for plant operators to monitor plant systems, control plant systems, and to initiate plant shutdown. Unit 1 and Unit 2 share a common MCR. Each unit is provided with a unit-specific ROSP. The MCR and ROSPs are evaluated in Section 7.4 of this SE.
THIS NRC STAFF DRAFT SE HAS BEEN PREPARED AND IS BEING RELEASED TO SUPPORT INTERACTIONS WITH THE ACRS. THIS DRAFT SE HAS NOT BEEN SUBJECT TO FULL NRC MANAGEMENT AND LEGAL REVIEWS AND APPROVALS, AND ITS CONTENTS SHOULD NOT BE INTERPRETED AS OFFICIAL AGENCY POSITIONS.
x Sensors provide input to multiple control and protection systems. Safety-related sensors are not shared between Unit 1 and Unit 2. Only non-safety related sensors that control and monitor shared systems are shared between Unit 1 and Unit 2. Sensors are evaluated in Section 7.5 of this SE.
As stated in the PSAR, the I&C system implements the Institute of Electrical and Electronics Engineers (IEEE) Standard 603-2018, Standard Criteria for Safety Systems for Nuclear Power Generating Stations, IEEE Standard 7-4.3.2-2003, IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations, and other consensus standards for safety related I&C functions. The I&C system is designed to incorporate the principles of independence, redundancy, and diversity. Features reflecting those principles are discussed in the specific subsystem descriptions.
The RPS is the safety related system credited for tripping the reactor and actuating engineered safety features. Accordingly, the RPS is isolated and independent from the other I&C systems and uses input signals from independent instrumentation. RPS instrumentation signals are provided to the PCS via a data diode, which is part of the RPS hardware platform. As described in PSAR Section 7.3, Reactor Protection System, the RPS is isolated from other I&C systems, including the MCR and the ROSPs, using safety-related isolation hardware. Isolation is achieved through features built into the hardware platform or through separate isolation devices.
The I&C system includes the capability for both manual and automatic control. The sensors for temperature, pressure, neutron count rates, level, flow, radiation level, and other analog and digital field detectors provide input to the RPS and PCS.
The PSAR states that the RPS includes sensors, trips, and interlocks to shut down the reactor when operating parameters exceed operational limits. This includes release of the control and shutdown elements within a set of defined parameters after the onset of a postulated event. As shown on PSAR Figure 7.1-1, the RPS sensors are separate from the PCS sensors, which input into the PCS. Specific trips and interlocks are discussed in PSAR Section 7.3. The PSAR states that RPS actuation setpoints, calculated in accordance with the guidance of ANSI/ISA 67.04.01-2018, Setpoints For Nuclear Safety-Related Instrumentation, for trips and interlocks are based on the following design approaches:
x Simulation models: Time to reach operational limits based on system qualification (environments, process conditions, etc.) as demonstrated by actual empirical data collected during simulation testing.
x RPS Technical Specifications: Measurement time, process parameters as informed by safety case assumptions and bounded by Technical Specification limits.
x Mechanical design and testing - response time for actuation to complete: Time to detect, process, and actuate the required controls; this time should be less than the time between event onset and a parameter reaching a limiting condition for continued operation.
x Tiered (graded) approach to protection: The RPS utilizes highly reliable safety related parameters as the final level of protection for public health and safety.
The PDC for the facility SSCs are described in PSAR Chapter 3, Design of Structures, Systems and Components, and are based on those specified in the NRC-approved Kairos topical report, KP-TR-003-NP-A, Principal Design Criteria for the Kairos Power Fluoride Salt-Cooled, High Temperature Reactor.
7.2 Plant Control System 7.2.1 Introduction Hermes 2 PSAR Section 7.2.1, Description, states that the PCS is a non-safety related control system which controls reactor startup, changes in power levels, reactor shutdown, heat transport, and the power generation system. The PCS is made up of the following subsystems:
x reactor control system (RCS) x reactor coolant auxiliary control system (RCACS) x primary heat transport control system (PHTCS) x intermediate heat transport control system (IHTCS) x power generation control system x
auxiliary monitored systems The PCS maintains plant and individual unit parameters within the normal operating envelope and provides data to the control consoles located in the main control room.
As described in the PSAR, the Hermes 2 PCS is a microprocessor-based distributed control system that individually controls plant systems using applicable inputs. The subsystems listed above are integrated into the PCS using non-safety related signal wireways which are terminated at local cabinets and use redundant, non-safety, real-time data highways. The RCS, RCACS, PHTCS, and IHTCS are unit-specific subsystems. The auxiliary monitored systems are also unit-specific. The power generation control system is shared between Unit 1 and Unit 2.
The plantwide sensor inputs are used to verify interlock and permissive rules for the various plant states. The sensor data are also used to provide feedback and alarms to the operators via the control consoles. The PCS is powered by alternating current and direct current power supplies which are discussed in Hermes 2 PSAR Chapter 8, Electric Power System. The PCS uses non-safety related sensor inputs as well as safety-related sensor inputs from the RPS, as described in PSAR Section 7.3.3, System Evaluation.
7.2.2 Regulatory Evaluation The staff reviewed Section 7.2.2, Regulatory Evaluation, of the Hermes 1 SE for applicability to the Hermes 2 SE. Based on the similarity of the Hermes 1 and Hermes 2 facility designs and the consistency of the PCS design between Hermes 1 and Hermes 2, the staff finds that the regulations and guidance listed in Section 7.2.2 of the Hermes 1 SE are applicable to Hermes 2.
Therefore, this section incorporates by reference Section 7.2.2 of the Hermes 1 SE.
7.2.3 Technical Evaluation Hermes 2 PSAR, Section 3.1, Table 3.1-3, Principal Design Criteria identifies PDC 13 as applicable to I&C systems.
7.2.3.1 Architecture The PCS is made up of the following subsystems: RCS, RCACS, PHTCS, IHTCS, power generation control system, and auxiliary monitored systems. As shown in Hermes 2 PSAR Figure 7.1-1, each of the subsystems are independent from one another. Subsystems RCS, RCACS, PHTCS, and IHTCS are independent from the MCR, isolated via a network switch,
supervisory controller, and redundant switches. The auxiliary monitored systems and power generation control system are separate from the other subsystems and are also isolated using similar pathways. The PCS is independent and isolated from the RPS sensor inputs via a one-way data diode. The non-safety sensors provide input signals using non-safety related signal wireways that are terminated at local cabinets using redundant, non-safety, real-time data highways.
The staff reviewed PSAR Section 7.2.1.1, Reactor Control System, which states that the RCS controls and monitors systems and components that support normal operation, planned transients, and normal shutdown of the reactor. The RCS controls the subsystems identified in Figure 7.1-1 and supports the following capabilities: reactivity control and planned changes in power level, monitoring of core neutronics, pebble handling and storage, and monitoring and control of temperature in the reactor.
The RCS controls reactivity for normal operations and normal shutdown using reactor control elements and reactor shutdown elements in the reactivity control and shutdown system (RCSS).
The RCS is capable of incrementally changing the position of reactor control elements and of releasing the control and shutdown elements. The RCS inputs include reactor outlet and inlet temperature sensors and source and power range neutron excore detectors. The RCS provides a reactor monitoring function to monitor plant components that are associated with reactor functions. The RCS uses source and power range sensors that are located outside the reactor vessel for reactor control. The RCS controls pebble insertion and extraction, in-vessel pebble handling, and ex-vessel pebble handling in the pebble handling and storage system (PHSS) and is capable of counting linearized pebbles external to the vessel, controlling the rate of pebble insertion and removal from the vessel, and controlling pebble distribution within the PHSS.
Additionally, the RCS controls the reactor thermal management system (RTMS), which monitors the temperature of the primary system to maintain it within the normal operating envelope and to implement planned transients (e.g., power changes). The RCS also controls external heating elements in the RTMS to prevent overcooling. The RCS provides the capability for event monitoring and active actuation of the decay heat removal system (DHRS). Further evaluation of these subsystems is provided in Section 6 and Section 9 of this SE.
The staff reviewed PSAR Section 7.2.1.2, Reactor Coolant Auxiliary Control System, which states that the RCACS controls the chemistry control system that monitors reactor coolant chemistry. The RCACS also controls the coolant inventory management system. The monitoring systems provide information to facilitate maintaining coolant purity and circulating activity within specifications for the system. The RCACS also controls the primary coolant loops inert gas system, tritium management system, and remote maintenance and inspection system monitoring and control. Further evaluation of these subsystems is in Section 9 and Section 11 of this SE.
The staff reviewed PSAR Section 7.2.1.3, Primary Heat Transport Control System, which states that the PHTCS controls and monitors systems and components that support normal operation of the primary heat transport system (PHTS). The PHTCS supports the following capabilities: control of flow rate through the PHTS, PHTS thermal management, control of the heat rejection subsystem, and primary loop draining, filling, and piping monitoring, including PTS external piping. The purpose of the PHTCS is to control the transport of primary coolant through the PHTS, maintain the primary coolant in a liquid state, control the rejection of heat from the PHTS, and monitor the inventory of primary coolant in the PHTS. The PHTCS maintains the parameters in the PHTS within the normal operating envelope. The PHTCS controls the primary salt pump (PSP), primary loop thermal management subsystems, and heat
rejection subsystem. The PHTCS does not provide a safety function; however, as discussed in Section 7.3 of this SE, the RPS trips the PSP on a reactor trip as a protective feature for the reactor system related to the pump. Further discussion and evaluation for the PSP is in Chapter 5 of this SE.
The staff reviewed PSAR Section 7.2.1.4, Intermediate Heat Transfer Control System, which states that the IHTCS supports the following capabilities: control of the flow rate through the intermediate loop, intermediate loop heating, intermediate loop draining, filling, and piping monitoring, chemistry control in the intermediate loop, and maintaining a positive pressure differential between the PHTS and IHTS during normal operations.
The staff reviewed PSAR Section 7.2.1.5, Power Generation Control System, which states that the power generation control system controls and monitors systems and components that support normal operation of the turbine generator. The power generation control system does not perform a safety-related function. The power generation control system maintains the parameters within the turbine generator, main steam, condensate, and feedwater systems within the normal operating envelope.
The PCS initiates automatic turbine generator trip signals if certain conditions are detected. In the event of a turbine generator trip, the PCS initiates runbacks of the RCSS, PSP, intermediate salt pump (ISP), and feedwater pumps on both units to decrease reactor thermal power and heat transport to a level that can be safely rejected using normal shutdown cooling if the condenser is available or using main steam power relief valves and/or main steam safety valves if the condenser is not available. In the event of a single unit reactor trip, the PCS will initiate signals to close the main steam isolation valve, open turbine bypass valves, regulate flow control valves through the unit-specific superheater and runback feedwater flow to the affected unit to maintain a minimum flow to the steam generator, ensure balanced steam supply to the turbine, and prevent overcooling of the intermediate loop, as discussed in PSAR Section 9.9. A turbine generator runback will also be initiated to establish turbine generator output within the capacity of a single units superheater to allow the unaffected unit to remain online. Should the grid be unable to absorb the communicated power loss of a single unit trip, the turbine generator will lose grid synchronization and trip, in which case steam from the remaining unit will bypass the turbine while the reactor ramps down in power or grid connection is re-established. Further evaluation of these subsystems is in Chapter 9 of this SE.
The staff reviewed PSAR Section 7.2.1.6, Auxiliary Monitored Systems, which states that the auxiliary monitored systems control and monitor auxiliary systems to support normal operations.
The auxiliary monitored systems supports the following capabilities: compressed air system, chilled water system, electric supply/loads, reactor building heating, ventilation, air conditioning (RBHVAC), and environmental monitoring. Further evaluation of these subsystems is in Chapters 8, 9, and 11 of this SE.
NuScale Small Modular Reactor (SMR) design-specific review standard (DSRS) Sections 7.1.2, 7.1.3, and 7.1.5 were used to evaluate I&C design principles of independence, redundancy, and diversity. Appendix B to the DSRS provides guidance for reviewing I&C architectures. While the DSRS was developed for the NuScale design, it contains updated guidance applicable to both Hermes 1 and Hermes 2. The architecture shown in Figure 7.1-1 of the Hermes 2 PSAR and the descriptions provided in Section 7.2, Plant Control System, of the Hermes 2 PSAR shows appropriate electrical isolation and communication independence for demonstrating independence of systems shown in the architecture figure. The preliminary design contains multiple channels for safety related functions, providing appropriate redundancy. The
preliminary design includes both functional and component diversity. Because of these preliminary design features, the staff finds that the information provided by Kairos demonstrates an adequate design basis for the preliminary design of the PCS to meet the I&C design principles of independence, redundancy, and diversity such that the design would adequately support normal operations, including planned transients. The staff also finds that the design of the PCS is consistent with the guidance found in the DSRS and Appendix B to the DSRS.
Further information on the Hermes 2 I&C architecture can reasonably be left for later consideration at the operating license (OL) stage.
7.2.3.2 Communications As shown on PSAR Figure 7.1-1 and described in PSAR Section 7.2.1, the staff finds that there is no communication from the PCS to the RPS; communication is from the RPS to the PCS through safety related isolation and a data diode. The description of communication paths between the PCS and RPS provided by Kairos is consistent with the guidance in DSRS Section 7.1.2 on independence because the proposed design exhibits communication independence between safety and non-safety systems. The staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.
7.2.3.3 Codes and Standards Hermes 2 PSAR Table 7.2-2, Standards Applicable to the Plant Control System, states that the Hermes 2 software development process will follow Annex C, Sections C.2.2.2, C.2.2.3 and C.2.3 of IEEE 7-4.3.2-2003, IEEE Standard Criteria for Digital Computers in Safety Systems of Nuclear Power Generating Stations, International Electrotechnical Commission (IEC) 61131, Programmable controllers, for the programable controllers, and IEC 62443, Industrial communication networks - Network and system security, for cybersecurity. The staff reviewed PSAR Table 7.2-2, which lists the standards for the digital platform. The staff finds that the standards provided by Kairos are adequate for the design of the PCS because the standards listed provide sufficient guidance for software development, hardware/software for controllers, and cybersecurity and are consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.3, Reactor Control System. The staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.
7.2.3.4 Technical Specifications PSAR Table 14.1-1, Proposed Variables and Conditions for Technical Specifications, states that the RCS objective is to infer or calculate reactivity coefficients during normal plant operation to limit the severity of a reactivity transient. The staff reviewed the information provided in PSAR Section 7.2.1.1 that describes how the RCS controls reactivity for normal operations and limits rapid reactivity insertion via the reactor control elements. Additionally, PSAR Section 7.2.3, System Evaluation, describes the PCS, which is designed to monitor plant parameters and maintain systems with normal operation and to control planned transients associated with anticipated operational occurrences. The staff finds that the information provided is adequate to support the preliminary development of the technical specifications and is consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.3, because setpoints are adjusted automatically based on plant modes or adjusted by operators to limit the severity of reactivity transients, thus maintaining reactivity coefficients within limits over the allowable range of operation. The staff finds the information to be adequate at this stage of
the licensing process and that further information can reasonably be left for later consideration at the OL stage.
7.2.3.5 Logic, Displays, and Alarms As stated in Hermes 2 PSAR Section 7.2.1, the PCS includes trips, interlocks, and annunciations to monitor the operation of the PCS. The staff reviewed PSAR Sections 7.2.1.1, 7.2.1.2, 7.2.1.3, 7.2.1.4, 7.2.1.5, 7.2.1.6, and Tables 7.2-1 and 7.2-3. Because the trips, interlocks, and annunciations, as described in the PSAR, are able to monitor and maintain variables and systems over their anticipated ranges for normal operation and over the range defined in postulated events, the staff finds that the preliminary design is consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.3. The staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.
7.2.3.6 Failure Modes Hermes 2 PSAR Section 7.2.3 states that the PCS is designed so that it cannot interfere with the RPSs ability to perform its safety functions. This is accomplished by isolating the RPS from the PCS and other non-safety SSCs through safety-related isolation and a data diode.
Additionally, the PSAR states that, upon receipt of a reactor trip signal, the RPS deactivates non-safety related SSCs controlled by the PCS that would affect the RPS from performing its safety functions. The isolation and deactivation of non-safety SSCs are described and evaluated in Section 7.3 of this SE. Because of these isolation and deactivation features, the failure modes of the PCS do not interfere with the RPS performance of its safety functions and the staff finds that the preliminary design is consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.3. The staff finds the information to be adequate at this stage of the licensing process and that further information can reasonably be left for later consideration at the OL stage.
7.2.4 Conclusion The staff finds that the level of detail provided on the PCS, including its RCS, is consistent with the applicable acceptance criteria in NUREG-1537, Part 2, Section 7.3, Reactor Control System, and demonstrates an adequate design basis for a preliminary design.
A more detailed evaluation of information (e.g., ranges of transient and steady-state conditions, requirements for multiple setpoints and trip criteria, PCS platform) will occur during the review of the Hermes 2 OL application, at which time the staff will confirm that the final design conforms to PDC 13 for the facility SSCs, based on topical report KP-TR-003-NP-A and applicable regulations.
Based on its review, the staff finds that the preliminary design of the Hermes 2 PCS, as described in Hermes 2 PSAR Section 7.2, is sufficient and meets the applicable regulatory requirements and guidance identified in this section for the issuance of CPs in accordance with Title 10 of the Code of Federal Regulations (10 CFR) Section 50.35, Issuance of construction permits, and 10 CFR 50.40, Common standards.
7.3 Reactor Protection System 7.3.1 Introduction Section 7.3, Reactor Protection System, of the Hermes 2 PSAR states that the RPS provides protection for reactor operations by initiating signals to mitigate the consequences of postulated events and to ensure safe shutdown. The RPS is the only portion of the I&C system that is safety related and that is credited for tripping the reactor and actuating engineered safety features. The purpose of the RPS is to actuate upon receipt of a trip signal in response to out-of-normal conditions and provide automatic initiating signals to protection functions. The RPS SSCs are unit-specific and not shared between Units 1 and 2.
7.3.2 Regulatory Evaluation The staff reviewed Section 7.3.2, Regulatory Evaluation, of the Hermes 1 SE for applicability to the Hermes 2 SE. Based on the similarities between the Hermes 1 and Hermes 2 facility designs and the consistency of the RPS design between Hermes 1 and Hermes 2, the staff finds that the regulations and guidance listed in Section 7.3.2 of the Hermes 1 SE are applicable to Hermes 2. Therefore, this section incorporates by reference Section 7.3.2 of the Hermes 1 SE.
7.3.3 Technical Evaluation The staff reviewed Section 7.3 of the Hermes 2 PSAR and compared it to the equivalent section in the Hermes 1 PSAR (Section 7.3, Reactor Protection System). The staff found that Section 7.3 of the Hermes 2 PSAR contains information consistent with that in the Hermes 1 PSAR, except for one minor change and one significant change, which are evaluated below in SE Sections 7.3.3.1 and 7.3.3.2, respectively. The NRC staff found that the following portions of Section 7.3 in the Hermes 2 PSAR contain information consistent with the Hermes 1 PSAR (e.g., minor or editorial changes only):
x Sections 7.3.1.2, Decay Heat Removal System, through 7.3.5, References, and Table 7.3-1, Codes and Standards Applied to the Reactor Protection System Since the Hermes 2 system design and functionality largely remain identical, apart from the differences evaluated below, Section 7.3 of the Hermes 2 PSAR contains information consistent with Section 7.3 of the Hermes 1 PSAR. Based on these consistencies, this section incorporates by reference Section 7.3 of the Hermes 1 SE.
7.3.3.1 Minor Changes Compared to the Hermes 1 PSAR The minor changes in Hermes 2 PSAR Section 7.3, as compared to the information in Hermes 1 PSAR Section 7.3, include the following:
x The RPS is described as being unit-specific and SSCs making up the RPS are not shared between units x
Addition of the heat rejection control system (HRCS) Figure 7.3-1, Reactor Protection System Trip Logic Schematic
In Hermes 2 PSAR Section 7.3.1, Description, Kairos states that the RPS is unit-specific and not shared between the units. Having an independent RPS for each unit is consistent with the dual unit design of Hermes 2. Safety-related systems should not be shared to avoid common cause failure. Additionally, Kairos updated Figure 7.3-1 by adding the HRCS. The addition of this HRCS to Figure 7.3-1 is consistent with the Hermes 2 design. Based on the above, the staff finds the inclusion of a separate RPS for each unit and the revised Figure 7.3-1 is acceptable.
7.3.3.2 Significant Change Compared to the Hermes 1 PSAR A significant change contained in Section 7.3 of the Hermes 2 PSAR, as compared to Section 7.3 of the Hermes 1 PSAR, includes information regarding the following:
x Reactor trip system (RTS) trip function for the ISP. The discussion of this trip displaces the discussion of the RPS trip of the heat rejection subsystem blower, which was originally described in the Hermes 1 PSAR.
This change is identified in:
x PSAR Section 7.3.1 x
Table 7.3-2, Reactor Protection System Interlocks and Inhibits The staff evaluated the sufficiency of this additional preliminary information regarding the Hermes 2 RTS trip of the ISP using the guidance and acceptance criteria in NUREG-1537, Part 2, Section 7.4, Reactor Protection System. The ISP in the Hermes 2 design replaces the heat rejection subsystem blower that is incorporated in the Hermes 1 design as the SSC with an active function for normal heat removal from the PHTS. In Hermes 2, the ISP is secured to limit inadvertent overcooling of the PHTS. The trip removes power from the ISP, similar to the trip of other non-safety related subsystems and their components (i.e., the RCSS, PHSS, RTMS, PSP, PLTMS, and HRCS) as shown on Figure 7.1-1 and Figure 7.3-1. To limit overcooling, the ISP trips concurrently with the PSP and an interlock prevents starting the ISP if the PSP is not running, as described in Section 7.3.1.1, Reactor Trip System, and Table 7.3-2. The staff review of PSAR Section 7.3.1, Figure 7.1-1, Figure 7.3-1 and Table 7.3-2, finds that Kairos provided the necessary design basis information for the RPS trip of the ISP and meets the guidance of NUREG-1537, Part 2, Section 7.4, and, therefore, is acceptable.
7.3.4 Conclusion Based on the staff findings above, and as incorporated by reference from the Hermes 1 SE, the staff concludes that the design of the Hermes 2 RPS, as described in Hermes 2 PSAR Section 7.3, is sufficient to meet the applicable regulatory requirements and guidance identified in this section for the issuance of CPs in accordance with 10 CFR 50.35 and 10 CFR 50.40.
A more detailed evaluation of information (e.g., ranges of transient and steady-state conditions, requirements for multiple setpoints and trip criteria, RPS platform) will occur during the review of the Hermes 2 OL application, at which time the staff will confirm that the final design conforms to the PDCs 1, 2, 3, 4, 10, 13, 15, 20, 21, 22, 23, 24, 25, 28, and 29 for the facility SSCs, based on the topical report KP-TR-003-NP-A and applicable regulations.
7.4 Main Control Room and Remote Onsite Shutdown Panel 7.4.1 Introduction Section 7.4.1, Description, of the Hermes 2 PSAR states that the MCR provides means for operators to monitor the behavior of each unit and the shared systems, control performance of each unit and the shared systems, and manage the response to postulated event conditions in each unit. The unit-specific ROSPs provides separate means to shut down each unit and monitor plant parameters in response to postulated event conditions.
Section 7.4.1.1, Main Control Room, of the Hermes 2 PSAR states that the MCR contains equipment related to normal operation of the plant. This equipment includes operator and supervisor workstation terminals, which provide alarms, annunciations, personnel and equipment interlocks, and process information. The MCR console displays plant parameters that allow operators to monitor conditions during and following postulated events. Dedicated consoles are provided to control and monitor each unit individually and to control and monitor shared systems.
Section 7.4.1.2, Remote Onside Shutdown Panel, of the Hermes 2 PSAR states that the ROSPs provide a human/system interface for plant staff to monitor unit-specific indications from the RPS including operating status of the RTS and the DHRS in the event that the MCR becomes inaccessible or uninhabitable. The ROSPs communicate (one-way, read-only) with the RPS instrumentation using a safety related isolation device, with the ability to initiate a trip signal from a manual trip button that actuates RTS. The ROSPs are not safety-related and are located in the safety-related portion of their respective reactor buildings.
7.4.2 Regulatory Evaluation The staff reviewed Section 7.4.2, Regulatory Evaluation, of the Hermes 1 SE for applicability to the Hermes 2 SE. Based on the similarities between the Hermes 1 and Hermes 2 facility designs and the consistency of the MCR and ROSP designs between Hermes 1 and Hermes 2, the staff finds that the regulations and guidance listed in Section 7.4.2 of the Hermes 1 SE are applicable to Hermes 2. Therefore, this section incorporates by reference Section 7.4.2 of the Hermes 1 SE.
7.4.3 Technical Evaluation The staff reviewed Section 7.4, Main Control Room and Remote Onsite Shutdown Panel, of the Hermes 2 PSAR and compared it to the equivalent material in the Hermes 1 PSAR (Section 7.4, Main Control Room and Remote Onsite Shutdown Panel). The staff found that Hermes 2 PSAR Section 7.4 contains information consistent with that in the Hermes 1 PSAR, except for three minor changes and two significant changes, which are evaluated below in SE Sections 7.4.3.1 and 7.4.3.2, respectively. The staff found that the following portions of Section 7.4 in the Hermes 2 PSAR contain information consistent with the Hermes 1 PSAR (e.g., minor or editorial changes only):
x Sections 7.4.1, Description and 7.4.2, Design Bases Since the Hermes 2 system design and functionality largely remain identical, apart from the differences evaluated below Section 7.4 of the Hermes 2 PSAR contains information consistent
with Section 7.4 of the Hermes 1 PSAR. Based on these consistencies, this section incorporates by reference Section 7.4 of the Hermes 1 SE.
7.4.3.1 Minor Changes Compared to the Hermes 1 PSAR The minor changes in Hermes 2 PSAR Section 7.4, as compared to the information in Hermes 1 PSAR Section 7.4, include the following:
x Separate ROSPs for each unit x
Dedicated consoles provided to control and monitor each unit individually x
Removal of the gateway component discussed as part of the reactor trip path via manual trip switch No changes to the individual Hermes 2 ROSPs designs are identified compared to the previously described Hermes 1 ROSP. Incorporation of an ROSP into the design of each unit is consistent with the dual unit design of Hermes 2. Based on the above, the staff finds that having individual ROSP for each unit to be acceptable.
No changes to the individual Hermes 2 control and display MCR console(s) design are identified compared to the Hermes 1 MCR. Incorporation of a MCR console into the design of each unit is consistent with the dual unit design of Hermes 2. Based on the above, the staff finds that each unit having dedicated consoles to be acceptable.
Section 7.4.1.1 of the Hermes 1 PSAR stated that a gateway lies in the reactor trip path between the trip switch and a safety-related isolation, but one was not present on Hermes 1 PSAR Figures 7.1-1, Instrumentation and Controls System Architecture, and 7.4-1, Architecture of the Main Control Room and the Remote Shutdown Onsite Panel. Kairos did not identify a gateway on Hermes 2 PSAR Figures 7.1-1 and 7.4-1 between the trip switch and the safety-related isolation in the reactor trip path, and a description of the gateway was not provided in the Hermes 2 PSAR. Removing discussion of the gateway in Section 7.4.1.1 aligns the Hermes 2 PSAR text with Figures 7.1-1 and 7.4-1. This gateway is not safety related for either Hermes 1 or Hermes 2; therefore, the staff finds that removal of the discussion of the gateway in Section 7.4.1.1 of the Hermes 2 PSAR is acceptable.
7.4.3.2 Significant Changes Compared to the Hermes 1 PSAR Significant changes contained in Section 7.4 of the Hermes 2 PSAR, as compared to Section 7.4 of the Hermes 1 PSAR, include information regarding the following:
x Human factors engineering consideration for the common MCR that is shared between Unit 1 and Unit 2 x
Controls and monitoring are added to the dedicated consoles for each unit in the MCR for the two new shared PCS subsystems, Power Generation Control System and Auxiliary Monitored Systems These changes are identified in:
x Section 7.4.1.1 x
Figures 7.1-1 and 7.4-1
The staff evaluated the sufficiency of this additional preliminary information regarding the Hermes 2 MCR using the guidance and acceptance criteria from NUREG-1537, Part 2, Section 7.6, Control Console and Display Instruments. Specifically, it is stated in Hermes 2 PSAR Section 7.4.1.1 that [d]edicated consoles are provided to control and monitor each unit individually and to control and monitor shared systems. This aspect of the Hermes 2 design warranted review to confirm that the detailed design of the MCR will incorporate the appropriate human factors engineering (HFE)-related considerations necessary to support human performance during dual unit operations.
NUREG-1537 Part 2, Section 7.6, states that control room control console and display instruments should be based on good engineering practice and includes criteria that address, in part, (1) the observability and understandability of displays that show reactor status, rod position indication, and important parameters; (2) the accessibility of controls associated with important parameters and reactivity; and (3) providing clear alarms and annunciators to the operator.
While not explicitly discussed under NUREG-1537, Part 2, Section 7.6, good engineering practice within the context of operator observability, accessibility, and understandability entails the application of HFE. PSAR section 7.4.3.1, Main Control Room, includes the statement that Human factor [sic] engineering principles will be considered in the MCR design, and the staff evaluated this additional statement. The staff expects that application of HFE principles within the design of the MCR would lead to the HFE-related criteria of NUREG-1537, Part 2, Section 7.6, being met in the finalized Hermes 2 design as submitted with the OL in a manner that supports human performance during dual unit operations. Therefore, the staff find that the consideration of HFE within the MCR design is appropriate for a test reactor CP application.
Based on the above, the staff finds the change to be acceptable.
Section 7.4.1.1 of the Hermes 2 PSAR also states that dedicated consoles are provided to control and monitor each unit individually and to control and monitor shared systems. These shared systems are the power generation control system and the auxiliary monitored systems, which are discussed in Section 7.2 of this SE. Both systems are classified as non-safety. The control and monitoring for the power generation control system will allow the operators to regulate the steam supply from both reactors through common flow control valves to ensure balanced steam supply to the turbine as well as prevent coolant feedback from one system to the other. The control and monitoring for the auxiliary monitored systems will allow operators to control the balance of plant SSCs. Both systems were added to Hermes 2 PSAR Figures 7.1-1 and 7.4-1. The staff evaluated the sufficiency of this additional preliminary information regarding the Hermes 2 consoles for controlling and monitoring these shared systems using the guidance and acceptance criteria of NUREG-1537, Part 2, Section 7.6. The communication path for both subsystems shown in Figure 7.1-1 and Figure 7.4-1 is from unit console(s) in the MCR through network switches, plant-specific redundant real time data highways, redundant switches, system-specific switches, and then to the individual systems. This communication path provides sufficient preliminary information on the adequacy of the console design to allow the operators to perform the necessary control and monitoring of these systems. Based on the above, the staff finds that the addition of these systems on the MCR control boards and to Figures 7.1-1 and 7.4-1 is acceptable.
7.4.4 Conclusion Based on the staff findings above, and as incorporated by reference form the Hermes 1 SE, the staff concludes that the preliminary design of the Hermes 2 MCR and ROSPs, as described in Hermes 2 PSAR Section 7.4, is sufficient and meets the applicable regulatory requirements and
guidance identified in this section for the issuance of CPs in accordance with 10 CFR 50.35 and 10 CFR 50.40.
A more detailed evaluation of information (e.g., ranges of transient and steady-state conditions, requirements for multiple setpoints and trip criteria, MCR and ROSP consoles) will occur during the review of the Hermes 2 OL application, at which time the staff will confirm that the final design conforms to PDC 19 for the facility SSCs based on the topical report KP-TR-003-NP-A and applicable regulations.
7.5 Sensors 7.5.1 Introduction Section 7.5, Sensors, of the Hermes 2 PSAR describes the sensors used to provide information about temperature, pressure, neutron count rates, level, flow of the primary coolant and area radiation levels as input to multiple control and protection subsystems. Independent sensors are provided to the RPS and the PCS. Sections in PSAR Chapter 7 provide information on specific I&C subsystems, including a discussion of the sensors that support that subsystem and the type of sensor used (i.e., analog or digital).
Temperature, pressure, level, and flow sensors measure and monitor plant operating process parameters and are used to control operations and to initiate reactor protective actions. Neutron source range sensors provide indication of power level during the initial stages of startup.
Gamma radiation monitors provide information about area radiation levels during all plant modes of operation.
7.5.2 Regulatory Evaluation The staff reviewed Section 7.5.2, Regulatory Evaluation, of the Hermes 1 SE for applicability to the Hermes 2 SE. Based on the similarities between the Hermes 1 and Hermes 2 facility designs and the consistency of the proposed sensors between Hermes 1 and Hermes 2, the staff finds that the regulations and guidance listed in Section 7.5.2 of the Hermes 1 SE are applicable to Hermes 2. Therefore, this section incorporates by reference Section 7.5.2 of the Hermes 1 SE.
7.5.3 Technical Evaluation The staff reviewed Section 7.5 of the Hermes 2 PSAR and compared it to the equivalent section in the Hermes 1 PSAR (Section 7.5, Sensors). The staff found that Section 7.5 of the Hermes 2 PSAR contains information consistent with that in the Hermes 1 PSAR. The staff also verified that the Hermes 2 sensor design and functionality remain identical to Hermes 1. Based on these consistencies, this section incorporates by reference Section 7.5.3, Technical Evaluation, of the Hermes 1 SE.
7.5.4 Conclusion Based on the staff findings above, and as incorporated by reference from the Hermes 1 SE, the staff concludes that the preliminary design of the safety-related and non-safety related sensors, as described in Hermes 2 PSAR Section 7.5, is sufficient and meets the applicable regulatory requirements and guidance identified in this section for the issuance of CPs in accordance with 10 CFR 50.35 and 10 CFR 50.40.
A more detailed evaluation of information (e.g., ranges of transient and steady-state conditions, requirements for non-safety and safety-related sensors) will occur during the review of the Hermes 2 OL application, at which time the staff will confirm that the final design conforms to PDCs 1, 2, 3, 13, 21, 22, 24 and 29 for the facility SSCs based on the NRC-approved topical report KP-TR-003-NP-A and applicable regulations.
7.6 Summary and Conclusions on Instrumentation and Control Systems The staff evaluated the information on the Hermes 2 I&C systems as described in PSAR Chapter 7 and finds that the preliminary information on, and design criteria of, the I&C systems, including the PDC, design bases, and information relating to materials of construction, general arrangement, and approximate dimensions: (1) provide reasonable assurance that the final design will conform to the design bases, (2) meet all applicable regulatory requirements, and (3) meet the applicable acceptance criteria in NUREG-1537, Part 2. Based on these findings, the staff makes the following conclusions regarding issuance of CPs in accordance with 10 CFR 50.35 and 10 CFR 50.40:
x Kairos has described the proposed design of the I&C systems, including, but not limited to, the principal engineering criteria for the design, and has identified the major features or components incorporated therein for the protection of the health and safety of the public.
x Such further technical or design information as may be required to complete the safety analysis of the I&C systems, and which can reasonably be left for later consideration, will be provided in the final safety analysis report as part of the OL application.
x Safety features or components which require research and development have been described by Kairos and a research and development program (see SE Section 1.1.5) will be conducted that is reasonably designed to resolve any safety questions associated with such features or components.
x There is reasonable assurance that safety questions will be satisfactorily resolved at or before the latest date stated in the application for completion of construction of the proposed facility.
x There is reasonable assurance: (i) that the construction of the facility will not endanger the health and safety of the public, and (ii) that construction activities will be conducted in compliance with the Commissions regulations.
x The issuance of permits for the construction of the Hermes 2 facility would not be inimical to the common defense and security or to the health and safety of the public.
7.7 References Institute of Electrical and Electronics Engineers (IEEE). Standard 7-4.3.2, "IEEE Standard Criteria for Programmable Digital Devices in Safety Systems of Nuclear Power Generating Stations." New York. 2003.
. Standard 379, IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems. New York. 2014.
. Standard 1012-2017, System, Software, and Hardware Verification and Validation. New York. 2017
. Standard 603, Standard Criteria for Safety Systems for Nuclear Power Generating Stations. New York. 2018.
Institute of Electrical and Electronics Engineers, Instrument Society of America, ANSI/ISA-67.04.01, Setpoints for Nuclear Safety-Related Instrumentation. New York. 2018.
International Electrotechnical Commission (IEC). IEC 62443, Cybersecurity. Geneva. 2015
. IEC 61131, "Programmable Controllers. Geneva. 2020.
Kairos Power LLC. KP-TR-003-NP-A, "Principal Design Criteria for the Kairos Power Fluoride Salt-Cooled, High Temperature Reactor," Revision 1, June 2020, ML20167A174.
. Submittal of the Preliminary Safety Analysis Report for the Kairos Power Fluoride Salt-Cooled, High Temperature Non-Power Reactor (Hermes), Revision 3, May 31, 2023, Pkg.
U. S. Nuclear Regulatory Commission (NRC). NUREG-1537, Guidelines for Preparing and Reviewing Applications for the Licensing of Non-Power Reactors, Part 2, Standard Review Plan and Acceptance Criteria. NRC: Washington, D.C. February 1996. ADAMS Accession Nos.
. Regulatory Issue Summary 2006-17, The Staff Position on The Requirements of 10 CFR 50.36, Technical Specifications, Regarding Limiting Safety System Settings During Periodic Testing and Calibration of Instrument Channels. NRC: Washington, D.C. August 2006. ADAMS Accession Nos. ML051810077.
. Design-Specific Review Standard for NuScale SMR Design. NRC: Washington, D.C.
June 2016. ML15355A295.
. Design Review Guide (DRG): Instrumentation and Controls for Non-Light-Water Reactor (non-LWR) Reviews. NRC: Washington, D.C. February 2021. ML21011A140.