COMPREHENSIVE CABLE FAILURES ANALYSIS FOR PROBABILISTIC FIRE
SAFETY ASSESSMENTS
H.P. Berg
Bundesamt für Strahlenschutz, Salzgitter, Germany
E. Piljugin, J. Herb, M. Röwekamp
Gesellschaft für Anlagen- und Reaktorsicherheit mbH, Köln, Germany
ABSTRACT
Fire PSA for all plant operational states is part of a state-of-the-art Level 1 PSA. Within a fire PSA, not only the malfunction of systems and components has to be assessed; all supply systems and cables also have to be traced for a given component. In the past it was assumed that in the case of a fire in a compartment all components and corresponding cables in that compartment are destroyed. However, this is in many cases a very conservative approach which may lead to overestimated fire induced core damage frequencies. Therefore, a method is required to assess in a more realistic manner the effects of cable failures caused by fire. Such a procedure is based on a sound database containing all relevant equipment, a list of cables and their properties as well as cable routing. Two methods which are currently being developed and are already partially applied are described in more detail. One of these methods is a cable failure mode and effect analysis which is easier to apply in practice.
1 INTRODUCTION
Fires have been recognized as one major contributor to the risk of nuclear power plants depending on the plant specific fire protection concept. Therefore, a state-of-the-art Level 1 probabilistic safety assessment (PSA) meanwhile includes fire PSA as part and supplement of the internal events PSA for full power as well as for low power and shutdown plant operational states (Berg & Rowekamp 2010, Rowekamp et al. 2011).
An overview of the main steps of an advanced fire PSA process is given in Figure 1. The task "fire PSA cable selection" is not (or not in detail) performed in current fire PSA.
One of the important parameters in a fire PSA is the conditional probability of a specific failure mode (e.g., loss of function, spurious actuation) of a selected component, given (assuming) that a postulated fire has damaged an electrical cable connected to that component.
In general, evaluation of this parameter can require the analysis of a number of cable failure scenarios, where each scenario involves a particular fire induced cable failure mode and the propagation of the effects of this failure through the associated electrical circuit.
The cable failures of interest cover the following conductor failure modes:
• Loss of continuity,
• Short-to-ground, and
• Conductor to conductor short.
Figure 1. Overview of the main steps of an advanced fire PSA process.
There are three primary functional types of cables in a nuclear power plant: namely, power cables, instrumentation cables, and control cables as shown in Figure 2.
Cables can also be categorized by their physical configuration. The most common types are single conductor, multi-conductor, and triplex.
Cables are generally routed horizontally through the plant on raceways (in principle on cable trays or conduits) with vertical runs used as required between different elevations in the plant.
The cables are usually segregated by type as described above and illustrated in Figure 2. However, cables of various voltages and functions can be found together in the same raceway for some plants (in particular in nuclear power plants built to earlier standards).
While short-to-ground or open circuit failures may render a system unavailable, a hot short failure might lead to other types of circuit faults including spurious actuations, misleading or faulty signals, and unrecoverable losses of plant equipment.
These circuit failures, taken individually or in combination with other failures, may have unique and unanticipated impacts on plant safety systems and on plant safe shutdown capability that are not always reflected in current fire PSA studies.
In most of the fire PSAs performed to date, circuit failure analysis has been carried out in a simpler manner and not in as much detail as recommended in Figure 1.
Usually, the circuit failure analysis assumes that if any of the cables associated with a given circuit or system are damaged due to fire (i.e., the cables fail), then the circuit or system is rendered unavailable. This approach neglects the potential for spurious actuations entirely and may be too optimistic an approach.
Figure 2. Schematic drawing of I & C (blue, dashed) and power cables (black, solid).
Most of the common approaches apply a single-valued damage threshold of temperature and/or heat flux to predict the onset of cable failure. When the cable reaches a predetermined temperature and/or the cable is exposed to a threshold heat flux, a worst case failure of the cables inside the respective fire compartment is assumed. The worst case failure modes have been deduced by expert judgment.
Simplified assumptions on the failure modes could lead to an overestimation of specific event sequences whereas other effects such as spurious actuation of not directly connected components were neglected.
Against that background, two approaches have been developed, one in the U.S. and one in Germany. In both cases the success of the method strongly depends on the quality and form of the prerequisite information on the cables and their properties.
Therefore, several cable fire tests have been and are performed to gain the necessary data for the safety assessment.
For a more realistic picture of cable failure effects a cable failure mode and effect analysis (FMEA) methodology has been developed. It is intended to use this method as an integral part of Level 1 fire PSA in Germany in particular in the frame of periodic safety reviews, performed every ten years.
The main purpose of the methodology and its supporting tools is to improve the comprehensibility and completeness of cable failure analysis within the context of a fire PSA.
The computer aided methodology based on the principles of FMEA is supported by a plant specific database application named CaFEA (Cable Failures Effect Analysis) developed by GRS.
The database CaFEA comprises all relevant data of the cables, such as cable routing within the plant, cable type as well as data on the connected components. Availability of such information is a prerequisite for the implementation of a state-of-the-art FMEA methodology.
2 PROCEDURE OF RISK EVALUATION DEVELOPED IN THE U.S.
During the 1990s, both the Nuclear Regulatory Commission (NRC) Office of Nuclear Regulatory Research (RES) and the Electric Power Research Institute (EPRI) were active in the development of methods for fire risk analysis. U.S. NRC and EPRI initiated a collaborative project to document the state-of-the-art for conducting Fire PSA. The principal objective of the Fire Risk Study is to develop a technical basis and methodology that will clarify issues affecting application of fire risk methods.
The project was designed to culminate in a joint EPRI/RES publication of state-of-the-art fire PSA methodology. The report NUREG-CR-6850 (EPRI 2005) is a compendium of methods, data and tools to perform a fire probabilistic risk assessment and develop associated insights.
This report is intended to serve the needs of a fire PSA team by providing a structured framework for conduct and documentation of the analysis in four key areas:
• Fire analysis,
• General PSA and plant systems analysis,
• Human reliability analysis (HRA), and
• Electrical analysis.
One finding of the investigations outlined in the report was that the selection, routing, and failure analysis of cables and circuits have not been covered generally by past fire PSA methodology.
The issue of circuit analysis, including the spurious operation of components and systems, continues to be an area of significant technical challenge.
The approaches recommended in the report (EPRI 2005) provide a structured framework for the incorporation of fire-unique cable failure modes and effects in the fire PSA. The circuit analysis issue impacts fire PSA methods and practice broadly. Circuit analysis affects the following steps:
• Identification of fire PSA components and cables,
• Mapping of fire PSA components and cables to fire analysis compartments,
• Development of the plant post-fire safe shutdown response model,
• Incorporation of circuit failure modes in the quantitative screening analysis,
• Detailed analysis of cable failure modes and effects,
• Detailed analysis of circuit fault modes and effects, and
• Quantification of human actions in response to a fire.
A possible process for including circuit analysis into a fire PSA as proposed in U.S. NRC report (EPRI 2005) is shown in Figure 3.
Another report of the U.S. NRC (LaChance et al. 2003) presents a new methodology for the analysis of cable failure modes and effects as illustrated in Figure 4.
Figure 3. Circuit analysis for fire risk assessment.
Electrical analysis involves circuit failure modes and affects the analysis conducted for specific plant circuits, including the selection of circuits and systems, cable and component routing, development of the fire PSA database and quantification of failure mode likelihood values.
Figure 4. Circuit analysis process structure.
Based on experience with the demonstration studies and the collective experience of the authors of the report, at least 4000 engineering hours would be needed to perform a complete plant-wide fire PSA using the methods recommended in (LaChance et al. 2003). This estimate is predicated on a large number of positive factors in terms of the quality of the plant analyses and the level of sophistication desired in the fire PSA.
The low-end manpower estimate for the circuit and cable selection, tracing, and analysis efforts (600 hours) represents a case where the following three factors apply:
• The plant has a pre-existing state-of-the-art deterministic post-fire safe shutdown analysis.
• There is a pre-existing and well-documented electronic system for tracing cables and components.
• There is a pre-existing and well-documented fire PSA safe shutdown plant response model.
The upper end of the manpower estimates for the circuit and cable selection, tracing, and analysis efforts (6000 hours) represents a case where the following conditions apply:
• The plant has a pre-existing deterministic post-fire safe shutdown analysis that has not undergone significant review.
• The plant has merely a paper (non-electronic) cable and raceway system and/or database.
• The fire PSA model is intended to include at least all components that are credited in the internal events PSA.
The report (LaChance et al. 2003) also provides findings regarding cable fire performance testing in the U.S. over the past three decades. From the viewpoint of cable failure mode likelihood estimation, the available information in these reports is sparse. This is because the bulk of fire-related cable research has focused on one of two areas:
• Most large-scale cable tests were designed to examine the flammability and fire behaviour of cables. In a minority of these tests electrical performance of a small sample of cables was monitored, but this was rarely a primary test objective. Even in those cases where electrical function was monitored, only a small subset of these tests explicitly sought information on cable failure modes.
• A second class of cable tests has sought to determine the failure thresholds of the cables. These are typically small-scale tests where cables are exposed to simulated fire conditions (Wyant & Nowlen 2002). The time to failure for exposed cables is commonly monitored. The failure behaviour is commonly characterized based on the heat flux or atmospheric temperature in the test chamber and the time of exposure to these conditions.
A second potential source of information on fire-induced cable failure behaviour is actual fire experience. However, fire experience is relatively limited, and fire reports rarely focus on details of cable failures or the resulting circuit faults. The most significant exception to this observation is the 1975 Browns Ferry fire (Scott 1976). This fire damaged more than 1600 cables routed in 117 conduits and 26 cable trays. Various studies of that incident have noted that the fire resulted in spurious initiation of components, spurious control room annunciation, spurious indicator light behaviour, and loss of many safety related systems. Examples of the component and system behaviour observed during the fire are outlined in the U.S. NRC report (Collins et al. 1976).
A range of factors may affect the conditional probability that, given a fire induced cable failure, a particular mode of failure might be observed. Various factors may also affect the timing of potential faults being observed as well as the timing of fault mode transitions (e.g., hot short transition to a short-to-ground). The identified factors can be roughly categorized into one of four broad groups; namely, factors associated with the cable's physical properties and configuration, factors associated with the routing of the cable, factors associated with the electrical function of the circuit, and factors associated with the fire exposure conditions. The report (EPRI 2005) discusses each of the influence factors identified to date including the current evidence available regarding each of the factors from both experiments and actual experience.
The advanced cable failure analysis should be able to predict when a cable failure occurs, the relative likelihood that specific modes of cable failure would occur given failure, how long a particular failure mode is likely to persist, and the overall occurrence frequency of each cable damage state or failure mode (including fire frequency, fire severity, mitigation by detection and suppression before damage, etc.).
The electrical circuit fault analysis determines how each circuit will respond to the various modes of cable failure that may be observed. The circuit fault analysis also feeds information back to the cable failure analysis task by means of specific cable failure modes that may be of particular interest to the PSA and provides occurrence frequency estimates for each of the circuit fault modes of potential interest to risk quantification.
One task is to estimate the probability of hot short cable failure modes of interest, which in turn can be correlated to specific component failure modes. The methods and techniques for deriving circuit failure mode probability estimates are based on limited data and experience. Consequently, this area of analysis is not yet a mature technology, and undoubtedly further advances and refinements will come with time.
The final task assesses the functional impact of the circuit faults on the potential for plant safe shutdown, i.e. it should provide a probabilistic assessment of the likelihood that a cable will experience one or more specific failure modes (e.g., short-to-ground, intra-cable conductor-to-conductor short, inter-cable conductor-to-conductor short, etc.). The results of this assessment are entered into the fire PSA database, allowing generation of equipment failure reports, including the estimated likelihood of the failure modes of concern. This is needed for the quantification of the contribution of the postulated fire scenarios to the total core damage frequency. This task is in the domain of PSA plant systems modelling and event/fault tree analysis and quantification.
3 FAILURE MODE AND EFFECT ANALYSIS
A computer aided methodology based on the principles of FMEA provided in (LaChance et al. 2003) has been developed by GRS (Germany) to systematically assess the effects of cable failures caused by fire in a nuclear power plant.
The main objective of the approach of the GRS is the standardization of the FMEA for similar components of affected electrical circuits.
Cable FMEA (CaFEA) consists of two phases of analysis: In the first phase an analysis of generic cable failures of standardized electrical circuits of the nuclear power plant is performed. In the second phase, those generic failure modes are identified for each cable which could affect safety related components.
3.1 Generic FMEA
Based on the circuit type, the attached source and target component types and sub-types, the operating condition, and the transmitted signal, the generic FMEA is performed (see Figure 5).
All possible circuit failures have to be considered, because it is not necessarily known which cable failures have to be considered while performing the specific FMEA. The experiences gained while applying the computer aided cable FMEA to all cables within one fire compartment demonstrated that about 100 generic circuit types have to be investigated for a whole nuclear power plant.
In a first step, the FMEA expert has to screen the list of safety related components typically provided by a Level 1 PSA for full power operational plant states and to define the generic circuit types to be investigated.
Examples of circuit types may be power supply circuits, instrumentation circuits or control circuits.
In the next step, for each circuit type "source" and "target" component types have to be specified. Typical source component types are switchgear, electronic board, and relay. Examples of target component types are pumps, valves, motor drives, and measurement sensors.
• Definition of the type of generic electrical circuit, e.g. power supply, instrumentation, control
• Definition of the generic types of the components of the circuits, e.g. drive, sensor, switchgear, I/O module
• Identification of the generic type of potential cable failure, e.g. hot short, short-to-ground, open circuit
• Operating condition of the target component, e.g. valve open/closed, switchgear on/off
• Definition of the signal type, e.g. feedback signal, control signal, power supply
• Generic failure effect analysis of the electrical circuits caused by potential cable failures
• Result: specification of potential impacts on the affected components
Figure 5. Generic phase of CaFEA.
For both the source and the target components, a sub-type or signalling type additionally has to be specified.
The sub-type is used to distinguish between different circuit types connected to one component (type). A valve might be attached to the circuit type "power supply" as well as to the circuit type "feedback signal". For the circuit type "power supply" the source component sub-type might be "power supply" and the target component sub-type "motor". For the circuit type "feedback signal" the source component sub-type might be "drive control module" and the target component sub-type "control head".
Examples of a generic FMEA are provided in Table 1 (see also Piljugin et al. 2011) for one combination of source and target (sub-)types.
The possible effects on the attached component depend on the operating condition of the target component type. Therefore, the generic FMEA has to be performed for all operating conditions of the generic circuit type. The effects also depend on the type of signal transmitted by the cable. Valid signal types could be, e.g., feedback signal of a valve or control signal for a motor.
Table 1. Examples of a generic FMEA
The first seven columns describe the electrical circuit (source and target of the signal or power, i.e. process, electric or electronic components, and the signal itself); the last three columns give the generic FMEA.
Source type | Source subtype | Target type | Target subtype | Target state | Signal type | Signal function | Failure mode | Failure effect | Identification
I&C cabinet (data acquisition sub-system) | Analog input module SAA (TXS) | Level transmitter | Differential pressure transmitter (4 lead / 0-20mA loop) | Normal value | Level measurement | Power supply | Interruption of the circuit (broken conductor) | Interruption of the power supply of the transmitter | Output signal of transmitter I=0mA (Message: signal is out of the range)
I&C cabinet (data acquisition sub-system) | Analog input module SAA (TXS) | Level transmitter | Differential pressure transmitter (4 lead / 0-20mA loop) | Normal value | Level measurement | Power supply | Ground fault of the circuit | Interruption of the power supply of the transmitter | Message: signal is out of the range (output signal of transmitter I=0mA)
I&C cabinet (data acquisition sub-system) | Analog input module SAA (TXS) | Level transmitter | Differential pressure transmitter (4 lead / 0-20mA loop) | Normal value | Level measurement | Measurement loop | Interruption of the circuit (broken conductor) | Signal is out of the range | Open circuit monitoring
I&C cabinet (data acquisition sub-system) | Analog input module SAA (TXS) | Level transmitter | Differential pressure transmitter (4 lead / 0-20mA loop) | Normal value | Level measurement | Measurement loop | Ground fault of the circuit | False value (higher or lower) of the output signal of transmitter | Signal range monitoring / redundant signal comparator
I&C cabinet (data acquisition sub-system) | Analog input module SAA (TXS) | Level transmitter | Differential pressure transmitter (4 lead / 0-20mA loop) | Normal value | Level measurement | Measurement loop | Hot-short fault of the circuit | False value (higher or lower) of the output signal of transmitter | Signal range monitoring / redundant signal comparator
I&C cabinet (drive control circuits) | Analog output module XPA92, Output C18 | Contactor relay of the MOV | Contacts of the control circuit | open | Normally open circuit | control command CLOSE to coupling relay | Interruption of the circuit (broken conductor) | Loss of CLOSE function of the MOV | MOV remains in "OPEN" position by test
I&C cabinet (drive control circuits) | Analog output module XPA92, Output C18 | Contactor relay of the MOV | Contacts of the control circuit | open | Normally open circuit | control command CLOSE to coupling relay | Ground fault of the circuit | Spurious close of the MOV | Indication of the RUN and CLOSED functions of the MOV
I&C cabinet (drive control circuits) | Analog output module XPA92, Output C18 | Contactor relay of the MOV | Contacts of the control circuit | open | Normally open circuit | control command CLOSE to coupling relay | Hot-short fault of the circuit | Spurious close of the MOV | Indication of the RUN and CLOSED functions of the MOV
I&C cabinet (drive control circuits) | Analog output module XPA92, Output C18 | Contactor relay of the MOV | Contacts of the control circuit | open | Normally open circuit | control command CLOSE to coupling relay | Hot-short fault (overvoltage) of the circuit | Destroying of the analog output module XPA92 | Loss of the control of the MOV
Motor-operated valve (MOV) | Contacts of the position indication | I&C cabinet (drive control circuits) | Module XKU98, Input signal B03 | Closed loop | position indication of the MOV | CLOSED indication of the MOV | Interruption of the circuit (broken conductor) | Loss of the indication of the position CLOSED of the MOV | Functional test
Motor-operated valve (MOV) | Contacts of the position indication | I&C cabinet (drive control circuits) | Module XKU98, Input signal B03 | Closed loop | position indication of the MOV | CLOSED indication of the MOV | Ground fault of the circuit | Loss of the indication of the position CLOSED of the MOV | Functional test
Motor-operated valve (MOV) | Contacts of the position indication | I&C cabinet (drive control circuits) | Module XKU98, Input signal B03 | Closed loop | position indication of the MOV | CLOSED indication of the MOV | Hot-short (shorts to power lead) | False indication "MOV contactor CLOSED" and "MOV run" | Inconsistency of MOV position indication (e.g. MCR, I&C cabinet, alarm system)
Motor-operated valve (MOV) | Contacts of the position indication | I&C cabinet (drive control circuits) | Module XKU98, Input signal B04 | Closed loop | position indication of the MOV | OPEN indication of the MOV | Interruption of the circuit (broken conductor) | Loss of the indication of the position OPEN of the MOV | Functional test
Motor-operated valve (MOV) | Contacts of the position indication | I&C cabinet (drive control circuits) | Module XKU98, Input signal B04 | Closed loop | position indication of the MOV | OPEN indication of the MOV | Ground fault of the circuit | Loss of the indication of the position OPEN of the MOV | Functional test
Motor-operated valve (MOV) | Contacts of the position indication | I&C cabinet (drive control circuits) | Module XKU98, Input signal B04 | Closed loop | position indication of the MOV | OPEN indication of the MOV | Hot-short (shorts to power lead) | False indication "MOV contactor OPEN" and "MOV run" | MOV position indication (e.g. MCR, I&C cabinet, alarm system)
3.2 Component specific FMEA
In the second phase, those generic failure modes are identified for each cable which could affect safety related components in the respective compartment (see Figure 6). Based on the information on the cable type, the attached components and their types, as well as on their operational mode, all the possible cable failures have to be identified by the FMEA expert. The probable cable failures are a sub-set of the failure modes found in the generic FMEA. The specific effects identified in the second phase of the FMEA are mapped to basic events used as initiating events and/or component failures in the fire PSA.
• Computer aided identification and selection of the cables in the room affected by fire
• Computer aided identification of the failure relevant characteristics of the selected cable, e.g. multicore structure, shielding, laying
• Computer aided identification of the components connected to the selected cable
• Qualitative assessment of the most probable failure mode of the fire affected cable and/or cable conductors
• Use of the result of the generic failure effect analysis of the generic electrical circuits
• Specification of the operating condition of the components and of the corresponding electrical circuits
• Analysis of potential impacts on the functions of the affected components regarding relevance for the model of the fire PSA
• Identification of the candidates for initiating events or for impacts on the accident control functions in the PSA model
Figure 6. Component specific phase of CaFEA.
The failure conditions for the cables were specified on the basis of the results of fire tests carried out at the Technical University of Braunschweig, Institute for Building Materials, Concrete Construction and Fire Protection (iBMB) for typical cables used in nuclear power plants in Germany; see (Hosser et al. 2005) and (Riese et al. 2006).
Comparable tests have also been conducted in other countries (see, e.g., EPRI 2002, Keski-Rahkonen et al. 1997 and Mangs et al. 1999), partially also with cables from Germany.
In the fire tests at iBMB, among other things, the fire induced functional failures of the cables were examined for both energized and non-energized cables.
Based on the test results of the iBMB study (Riese et al. 2006), the following different types of cable failure modes were specified and are used in the cable FMEA:
• Short-to-ground via insulation material of the cable jacket or an earthed conductor inside or outside a cable or via earthed structures, e.g. a cable tray;
• Hot short to an energized conductor inside or outside a cable (e.g. high-voltage propagation, impacts of electric arcs);
• Short circuit fault to a de-energized conductor inside or outside a cable (high or low impedance failure);
• Interruption of the cable conductor (open circuit failure mode).
4 DATABASE APPLICATION
The database application consists of a user interface frontend and a database backend. With the aid of CaFEA, the data obtained in the FMEA for fires can be systematically evaluated for cable failures. The CaFEA database comprises the data from different sources, correlates them to each other and displays the correlation results to the FMEA expert who carries out the actual failure mode and effects analysis and stores the results in the database (Herb & Piljugin 2011). The database frontend can be used for data sets of different nuclear power plants.
The FMEA is specific for the plant operational state stored in the database. After opening the database application the user can choose if the generic or the specific FMEA shall be performed. For both tasks input forms are available.
For both generic and component specific FMEA results the database provides import and export functions to and from Microsoft® Excel®.
4.1 Generic FMEA
If (incomplete) specific FMEA results already exist in the database the user can create template data for the generic FMEA. The input form for the generic FMEA contains questions with respect to the following data:
• Type and sub-type of source component,
• Type and sub-type of target component,
• Operating condition of target component,
• Identification of the signal type (circuit type),
• Failure of the cable occurring in the electrical circuit affected by the fire,
• Effect on the target component,
• Optional comment on the determined component effect and its relevance for the PSA.
4.2 Component specific FMEA
The user interface for the component specific FMEA in the CaFEA application subdivides the different analytical steps into several sub-tasks:
• After selecting a compartment and a cable function (corresponding to one signal transmitted via the cable) the first sub-task consists in providing information about the components connected to the cable ("start" and "end" component) and the target component. For the target component the operating condition has also to be provided. The last step is supported by providing information from the plant operating manual and/or safety specifications included in the database.
• In the second sub-task, the FMEA expert has to specify all possible cable failure modes for the selected cable function. As the information about the cable type, routing, etc. has to be considered, it has to be provided by the FMEA expert and stored in the database.
• The third sub-task consists in the determination of the effect of the cable failure mode on the component. A database query checks whether a generic FMEA result provided by the FMEA expert in the previous steps is applicable to the specific case. If a generic FMEA result has been found, it is displayed so that the FMEA expert can decide whether and how this generic result can be applied in the specific case.
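The third sub-task can be illustrated with a small in-memory database. This is an added example, not CaFEA code: the schema, column names, compartment, cable and component identifiers are constructed, and the generic rows are abridged from Table 1 with its failure modes renamed to the terms of Section 3.2.

```python
import sqlite3

# Hypothetical schema; the page does not give CaFEA's real table layout.
SCHEMA = """
CREATE TABLE generic_fmea (          -- phase 1: one row per circuit type and failure mode
    circuit_type TEXT, source_type TEXT, target_type TEXT, target_state TEXT,
    failure_mode TEXT, effect TEXT,
    PRIMARY KEY (circuit_type, source_type, target_type, target_state, failure_mode));
CREATE TABLE cable_function (        -- phase 2: one row per signal carried by a cable
    id INTEGER PRIMARY KEY, compartment TEXT, cable TEXT, component TEXT,
    circuit_type TEXT, source_type TEXT, target_type TEXT, target_state TEXT);
CREATE TABLE cable_failure (         -- failure modes the FMEA expert judges possible
    function_id INTEGER REFERENCES cable_function(id),
    failure_mode TEXT, probability_class TEXT);
"""

# Circuit descriptions taken from Table 1 (type, source, target, operating condition).
MOV = ("control command CLOSE", "I&C cabinet (drive control circuits)",
       "Contactor relay of the MOV", "open")
LVL = ("measurement loop", "I&C cabinet (data acquisition sub-system)",
       "Level transmitter", "normal value")
FALSE_VALUE = "False value (higher or lower) of the output signal of transmitter"

GENERIC = [
    MOV + ("open circuit", "Loss of CLOSE function of the MOV"),
    MOV + ("short-to-ground", "Spurious close of the MOV"),
    MOV + ("hot short", "Spurious close of the MOV"),
    LVL + ("open circuit", "Signal is out of the range"),
    LVL + ("short-to-ground", FALSE_VALUE),
    LVL + ("hot short", FALSE_VALUE),
]

# Constructed plant data: compartments, cables and components are made up.
FUNCTIONS = [
    (1, "ROOM-A", "C-001", "VALVE-1") + MOV,
    (2, "ROOM-A", "C-002", "LEVEL-1") + LVL,
    (3, "ROOM-A", "C-003", "PUMP-1", "power supply", "Switchgear", "Pump motor", "running"),
    # Same circuit type as C-001 but a different operating condition of the target.
    (4, "ROOM-B", "C-004", "VALVE-2") + MOV[:3] + ("closed",),
]
FAILURES = [(1, "hot short", "medium"), (1, "open circuit", "high"),
            (2, "short-to-ground", "high"), (3, "short-to-ground", "high"),
            (4, "hot short", "medium")]

# LEFT JOIN keeps cable failures without a generic result; their effect is NULL.
QUERY = """
SELECT f.cable, f.component, x.failure_mode, x.probability_class, g.effect
FROM cable_function f
JOIN cable_failure x ON x.function_id = f.id
LEFT JOIN generic_fmea g
  ON g.circuit_type = f.circuit_type AND g.source_type = f.source_type
 AND g.target_type = f.target_type AND g.target_state = f.target_state
 AND g.failure_mode = x.failure_mode
WHERE f.compartment = ?
ORDER BY f.cable, x.failure_mode
"""


def build_db():
    """Create the in-memory database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO generic_fmea VALUES (?,?,?,?,?,?)", GENERIC)
    conn.executemany("INSERT INTO cable_function VALUES (?,?,?,?,?,?,?,?)", FUNCTIONS)
    conn.executemany("INSERT INTO cable_failure VALUES (?,?,?)", FAILURES)
    return conn


def analyse_compartment(conn, compartment):
    """Return (cable, component, failure mode, probability class, generic effect)."""
    return conn.execute(QUERY, (compartment,)).fetchall()


def needs_specific_analysis(rows):
    """Cable failures for which no generic FMEA result applies."""
    return [row for row in rows if row[4] is None]


if __name__ == "__main__":
    db = build_db()
    for room in ("ROOM-A", "ROOM-B"):
        for row in analyse_compartment(db, room):
            print(room, row)
```

Rows with no generic effect (C-003, and C-004 because its target is in a different operating condition) are the ones left for a fully specific analysis by the expert.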
5 FIRST EXEMPLARY APPLICATION OF THE CABLE FMEA
The analytical method and database tool CaFEA has been developed by GRS based on the available plant data (database with respect to components and compartments and cable routing in the reference nuclear power plant) and on a generic procedure for analyzing fire induced circuit failures in the cables concerned. The FMEA method was tested using data of a reference plant for a given compartment. 432 cables are routed through this compartment, transmitting in total 932 signals because some of the cables are I&C cables with multiple conductors.
The qualitatively estimated probability (high, medium and low probability class) was assigned as conditional probability in case of fire to the corresponding effect on the component and the resulting PSA basic event or initiating event.
6 CONCLUSIONS AND OUTLOOK
This paper describes, in addition to the approach applied to some extent in the U.S., a second possible method to assess effects of cable failures.
The basis for this activity is a fire PSA cable list which is not simply a list of cables but establishes for each cable a link to the associated fire PSA component and to the cable routing and its location. These relationships provide the basis for identifying potential equipment functional failures at a fire area, fire compartment or raceway level.
During the pilot applications of the U.S. approach it was noticed that circuit analysts were basically assuming that many cables within a fire area could cause a spurious operation independently of the other cables affected by the same fire (EPRI 2010). However, under certain conditions, when the first cable is damaged (either from spurious operation or blowing the fuse in the circuit), the damage to the other cables does not affect the outcome, i.e., the likelihood of a spurious actuation of the component is not increased.
Therefore it is recommended that the "exclusive or" combinatorial approach for spurious actuation probabilities be applied only in cases where multiple cables can cause the undesired component effect and the postulated cable failure modes and effects are found to be independent (EPRI 2010). In cases where the cables of concern are dependent, the likelihood of spurious actuation should be determined by the first cable failure only. If the spurious actuation probability is different for the different cables of concern (e.g., due to differences in the cable or routing configuration), the analysis can either determine which cable would likely fail first for the given scenario, or simply bound the individual cable values.
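The following added example (not code from CaFEA, EPRI or the authors) shows how a fire PSA cable list that links each cable to its component and routing can be queried per compartment, and how the combination rule above changes the result for independent and dependent cables. All cable identifiers, compartments, probabilities and dependency groups are constructed; it assumes that every cable routed through the burning compartment is damaged, that the "exclusive or" combination is the probability that at least one independent cable causes the actuation (p_A + p_B - p_A·p_B for two cables), and that "bounding" dependent cables means taking the largest individual value.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cable:
    cable_id: str
    component: str            # associated fire PSA component
    compartments: frozenset   # routing: compartments the cable passes through
    p_spurious: float         # P(spurious actuation | cable damaged by fire)
    dep_group: Optional[str]  # cables sharing a group are dependent; None = independent

# Constructed cable list (identifiers and probabilities are illustrative only).
CABLE_LIST = [
    Cable("C-001", "MOV-A", frozenset({"R101", "R102"}), 0.3, None),
    Cable("C-002", "MOV-A", frozenset({"R101"}), 0.3, None),
    Cable("C-003", "MOV-B", frozenset({"R101"}), 0.6, "G1"),
    Cable("C-004", "MOV-B", frozenset({"R101", "R103"}), 0.3, "G1"),
    Cable("C-005", "PUMP-C", frozenset({"R103"}), 0.1, None),
    Cable("C-006", "MOV-B", frozenset({"R103"}), 0.2, None),
]

def combine(cables):
    """Spurious actuation probability of one component for its damaged cables."""
    groups = defaultdict(list)
    for c in cables:
        # An independent cable forms a group of its own, keyed by its id.
        groups[c.dep_group or "indep:" + c.cable_id].append(c.p_spurious)
    p_none = 1.0
    for probs in groups.values():
        # Dependent cables: only the first failure matters, so the group is
        # bounded by its largest individual value (assumption, see lead-in).
        p_none *= 1.0 - max(probs)
    # Independent groups: probability that at least one causes the actuation.
    return 1.0 - p_none

def assess_compartment(cable_list, compartment):
    """Map each component with a cable in the burning compartment to its probability."""
    damaged = defaultdict(list)
    for c in cable_list:
        if compartment in c.compartments:
            damaged[c.component].append(c)
    return {comp: combine(cs) for comp, cs in damaged.items()}

if __name__ == "__main__":
    for room in ("R101", "R103"):
        result = assess_compartment(CABLE_LIST, room)
        print(room, {k: round(v, 3) for k, v in result.items()})
```

Treating the two dependent MOV-B cables in R101 as independent would give 0.72 instead of 0.6, which is the overestimation the recommendation is meant to avoid.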
The computer aided methodology of the FMEA, as another approach compared with the U.S. process, offers a good basis for performing a systematic and traceable analysis of the effects of fire induced cable failures within a fire PSA. The methodology was tested on the basis of data for a given compartment which have been provided by a reference nuclear power plant in Germany.
The major difference between the methodology proposed in (EPRI 2005) and (LaChance et al. 2003) and the one developed by GRS is that the computer aided methodology CaFEA allows a combination of generic and (component) specific tasks of the FMEA of the cable failures to be used. This can significantly reduce the specific FMEA of all circuits in the fire affected compartments of the nuclear power plant. The database application of generic cable FMEA can be extended to consider all typical electrical circuits in a generic nuclear power plant.
Up to now, the results of the FMEA provide only qualitative indications for those component effects which result in the unavailability of system functions or in new initiating events in the fire PSA.
In a next step, quantification of the failure mode probabilities and the corresponding effects on the affected components shall be included in the approach. The current database architecture of CaFEA allows an easy integration of this feature in the future. In general, two options are possible: to use failure mode probability tables from the literature, or to perform explicit model calculations, which involves applying circuit failure mode probability estimation formulas. The second approach is currently under development within a new investigation project. Results including an application for an exemplary room in the reference plant will be available in 2013.
Future challenges of the CaFEA development are the consideration of failure modes of new (digital) technologies of signal transmission and processing, e.g. bus architectures of I&C systems, fibre-optic cables, etc.
In principle, the FMEA methodology developed may also be applied for investigating cable failures when analyzing the effect of other plant internal or external hazards such as flooding and/or structural damage by earthquakes.
7 REFERENCES
Berg, H.P. & Röwekamp, M. (2010). Current status of fire risk assessment for nuclear power plants, SCIYO - Nuclear Power, September 2010, 140 - 162.
Collins, H. J. (1976). Recommendations Related to Browns Ferry Fire, NUREG-0050, U.S. NRC.
Electric Power Research Institute - EPRI (2002). Spurious Actuation of Electrical Circuits due to Cable Fires: Results of an Expert Elicitation, EPRI 1006961.
Electric Power Research Institute - EPRI (2005). EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities, NUREG/CR-6850 Vol. 1 Summary and Overview and Vol. 2 Detailed Methodology, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.
Electric Power Research Institute - EPRI (2010). Fire Probabilistic Risk Assessment Methods Enhancements, Supplement 1 to NUREG/CR 6850 and EPRI 1011989, Technical Report 1019259, September 2010.
Herb, J. & Piljugin, E. (2011). Failure mode and effect analysis of cable failures in the context of a fire PSA, Proceedings of ANS PSA 2011 International Topical Meeting on Probabilistic Safety Assessment and Analysis, Wilmington, NC, March 13 - 17, 2011, on CD-ROM.
Hosser, D., Riese, O. & Klingenberg, M. (2005). Durchführung von weiterführenden Kabelbrandversuchen einschließlich der Präsentation der Ergebnisse im Rahmen des internationalen Projektes ICFMP, Juni 2004, Schriftenreihe Reaktorsicherheit und Strahlenschutz des Bundesministeriums für Umwelt, Naturschutz und Reaktorsicherheit (Federal Ministry for the Environment, Nature Conservation and Nuclear Safety), BMU-2005-663, Bonn, Germany.
Keski-Rahkonen, O. et al. (1997). Derating of cables at high temperatures, VTT Publications 302, Technical Research Centre of Finland, Espoo, Finland.
LaChance, J. L., Nowlen, S. P., Wyant, F. J. & Dandini, V. J. (2003). Circuit Analysis - Failure Mode and Likelihood Analysis, NUREG/CR-6834, prepared for Division of Risk Analysis and Applications, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.
Mangs, J. et al. (1999). Failure distribution in instrumental cables in fire, OECD/STUK Workshop on Fire Risk Assessment, Helsinki, Finland.
Piljugin, E., Herb, J., Röwekamp, M. & Berg, H. P. (2011). Methods to assess effects of cable failures caused by fire, Journal of Polish Safety and Reliability Association, Proceedings of the Summer Safety and Reliability Seminars, July 03 - 09, 2011, Gdansk-Sopot, Poland, Volume 1, 163 - 170.
Riese, O., Hosser, D. & Röwekamp, M. (2006). Evaluation of Fire Models for Nuclear Power Plant Applications, Flame Spread in Cable Tray Fires, International Panel Report - Benchmark Exercise No. 5, Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Report GRS - 214, Köln, Germany.
Röwekamp, M., Türschmann, M. & Berg, H.P. (2011). A Holistic Approach for Performing Level 1 Fire PRA, Proceedings of ANS PSA 2011 International Topical Meeting on Probabilistic Safety Assessment and Analysis, Wilmington, NC, March 13 - 17, 2011, on CD-ROM.
Scott, R. L. (1976). Browns Ferry Nuclear Power-Plant Fire on Mar. 22, 1975, Nuclear Safety, Vol. 17, No. 5, September-October 1976.
Wyant, F. J. & Nowlen, S. P. (2002). Cable Insulation Resistance Measurements during Cable Fire Tests, NUREG/CR-6776, U.S. NRC.