1 Introduction

Advancement of fire risk analysis methods has resulted in widespread development of detailed fire probabilistic risk assessments (PRA) at nuclear power plants. The PRA models are maintained and frequently exercised to help ensure safe, reliable, and cost-effective operation of nuclear power plants. A brief overview of fire PRA and its applications is provided, with the intended audience being the general fire protection community who may not be familiar with the risk analysis methods and applications used by the nuclear power industry.

PRA is a systematic framework for identifying risk significant accident sequences, including their frequencies and consequences. An accident sequence consists of an initiating event (for example, a loss of offsite power) followed by a series of hardware and/or human failures that lead to an undesired end state, such as reactor core damage.

The PRA framework is well suited and commonly used for a spectrum of hazards, including internal events (focusing on random failures), internal fire, internal flood, seismicity, high winds, external flood, and other external hazards. Risk metrics commonly used by the nuclear power industry include reactor core damage frequency (CDF), representing the likelihood of an accident occurring and progressing to nuclear fuel damage, and large early release frequency (LERF), representing the likelihood of large fission product release prior to evacuation of the local population. Probabilistic risk metrics and models for offsite consequences (for example, public health, land contamination, and other societal consequences) are an area of current research and development.

The importance of fire risk at nuclear power plants was broadly recognized following the March 22, 1975 fire occurring at the Browns Ferry plant. The event started with use of a lit candle to test for airflow across a temporary cable penetration seal, which was made of polyurethane foam. The ensuing fire damaged approximately 1600 electrical cables, many of which provided power, control, and instrumentation functions important for safe reactor shutdown. NUREG/BR-0361 [1], NUREG-0050 [2], and SFPE Technology Report 77-2 [3] provide more background on this landmark fire event.

This Browns Ferry fire prompted new fire protection regulation, much of which was comprised of prescriptive rules intended to maintain three layers of defense-in-depth: preventing fires from occurring, providing means to mitigate fires should they occur, and ensuring at least one train of equipment required for safe reactor shutdown remains unaffected by any credible fire scenario. Gallucci [4] provides a historical review of fire protection regulation at commercial nuclear power plants in the United States.

Development of fire risk analysis methods over the decades following the Browns Ferry fire has supported widespread performance of detailed fire PRAs at nuclear power plants. These analyses have provided meaningful qualitative and quantitative insights that are readily used for the management of risk. Fire PRA has achieved sufficient credibility and value within the nuclear industry that the United States federal regulation was amended to allow implementation of the risk-informed, performance-based fire protection standard NFPA 805 [5] as an alternative to the traditionally prescriptive fire protection requirements.

2 Brief History of Fire PRA in U.S. Nuclear Power

The “Reactor Safety Study” [6] published in 1975, the same year as the Browns Ferry fire, is widely cited as the first major application of PRA to nuclear power. While met with some controversy, the study produced several fundamental insights that may not have been uncovered without the use of probabilistic methods. For example, the study cast some doubt on the risk significance of certain design basis accidents (specifically the large break loss of coolant accident) to which nuclear power plant design, licensing, and regulation placed much emphasis. The study also identified the potential for seemingly less severe failures (for example a small break loss of coolant accident) to be of greater risk significance.

Plant-specific PRAs were subsequently performed for the Zion and Indian Point nuclear power plants, largely in response to petitions for their shutdown due to proximity to Chicago and New York City, respectively. Following success of these studies was a much wider development of plant-specific PRAs throughout the United States. In 1995 the United States Nuclear Regulatory Commission formalized its commitment to risk-informed regulation through its policy statement [7]:

The use of PRA technology should be increased in all regulatory matters to the extent supported by the state of the art in PRA methods and data, and in a manner that complements the NRC’s deterministic approach and supports the NRC’s traditional defense-in-depth philosophy.

In 1998 the NRC issued Regulatory Guide 1.174 [8] providing a framework for using PRA to support risk-informed changes to a plant license basis. This Regulatory Guide, along with continued advancements in PRA methods and data, supported a growing interest and actual implementation of risk-informed applications by nuclear power plant operators.

While the early PRA studies included some consideration of fire, it was Generic Letter 88-20 Supplement 4 [9] that spurred the first industry-wide development of comprehensive fire PRAs in the early 1990s. Most utilities implemented the Electric Power Research Institute’s Fire-Induced Vulnerability Evaluation (FIVE) methodology [10], which was influenced to a large extent by the early works of Apostolakis et al. [11–13]. Seismicity, high winds, flooding, and other external initiating events were also assessed in response to the Generic Letter. The primary purposes of these analyses were to identify vulnerabilities and to implement cost-effective plant improvements that would minimize risk associated with those vulnerabilities. NUREG-1742 [14] summarizes the higher level insights arising from these studies.

The fire PRAs developed in the early 1990s tended to be treated as “single use analyses” to support response to Generic Letter 88-20 Supplement 4 [9]. They tended not to be maintained current with the as-operated plant and with the methodological advancements occurring over the next 10 years. So, the 2004 amendment of the fire protection regulation (10 CFR 50.48 [15]) to allow implementation of NFPA 805, as well as the growing interest in other risk-informed applications, spurred a new wave of detailed fire PRA development at most U.S. nuclear power plants. These most recent analyses are generally being performed with the guidance of NUREG/CR-6850 [16], a significant advance from the previous methodology [10], and the fire PRA consensus standard (Part 4 to the ASME/ANS-RA-Sb-2013 [17]).

To date, most U.S. plants are still in the process of developing detailed fire PRAs. The numerical acceptance guidelines provided by Regulatory Guide 1.174 [8], as well as the concurrent development of detailed PRAs of other hazards (in particular seismicity, flooding, and high winds), has created pressure for these analyses to be as realistic as possible in the modeling of risk significant fire scenarios. This has spurred new initiatives including fire testing, operating experience data collection and analysis, and improved modeling techniques.

Outside nuclear power, the application of risk concepts and methods to fire protection problems has steadily grown in several industries. These applications range from qualitative, or semi-quantitative, fire risk index approaches [18–20] to more quantitative probabilistic analyses. The 1991 Bigglestone Award winning paper by Hall and Sekizawa [21] outlined a conceptual framework broad enough to encompass many potential applications of fire risk analysis. The paper lays out the basic fundamental concepts of a fire risk analysis, and it examines several diverse fire risk analysis applications within the proposed framework. Later papers by Ramachandran [22, 23] and Alverez et al. [24] propose frameworks for the use of risk information and methods in fire protection design aspects of buildings. Paté-Cornell [25] provides a “post-mortem” analysis of the 1988 catastrophic fire that destroyed the Piper Alpha offshore oil platform and killed 167 crew members. The author then describes a probabilistic risk analysis model, including consideration of “soft” organizational deficiencies leading to the accident, that can be used to identify and assess the benefits of various options for improving fire safety. Other examples of fire risk analysis in the literature include [26–31].

3 Fire PRA Process Overview

There are numerous sources of fire PRA methodological guidance used by the nuclear power industry. In the United States, NUREG/CR-6850 [16] and its supplemental documents provide the current guidance, and Part 4 to the ASME/ANS-RA-Sb-2013 [17] standard provides industry consensus requirements for fire PRAs used for risk-informed decision-making. Additionally, the International Atomic Energy Agency Safety Report Series Number 10 [32] documents a broad international consensus of fire PRA good practice.

At a high level, the fire PRA process can be organized into three tasks: fire scenario development, plant response model, and quantification. The fire PRA process is performed iteratively, with increasing levels of modeling realism commensurate with risk significance. At the end of the process, the PRA includes conservative modeling of low risk fire scenarios, very detailed modeling (and understanding) of the most risk significant scenarios, and a sliding scale of modeling detail for scenarios of intermediate risk significance.

3.1 Fire Scenario Development

The process starts with definition of the analysis boundary, which generally includes all plant areas associated with normal operation, emergency operation, and power production. The intent is for the analysis boundary to encompass all areas with the potential to contribute significantly to fire risk. The analysis boundary is then subdivided into fire compartments. Each compartment is defined such that there is high confidence that the effects of fire originating within the compartment will not significantly propagate into an adjacent compartment.

All credible ignition sources within the analysis boundary are then identified, and an estimated fire occurrence frequency for each ignition source is developed. Examples of ignition sources include electrical cabinets, pumps, transformers, and “transient” fires, which can occur at various plant locations due to maintenance activities. Typically, on the order of 1000 unique ignition sources are identified throughout the plant. The mean ignition frequency for an individual fire source ranges from about 1.0E−07 fires per year to 5.0E−03 fires per year, and the total mean fire frequency for a plant is about 1.4E−01 fires per year according to current data. These fire frequency estimates are based on approximately 2,500 reactor-years of operating experience at U.S. nuclear power plants.

Fire scenarios are then defined such that the collection of scenarios encompasses all potentially significant fire risk contributors within the analysis boundary. Compartments in which fire would be inconsequential (that is, neither cause an initiating event nor degrade accident mitigation) are qualitatively screened from further consideration. Fire scenarios are defined for the remaining (unscreened) compartments, starting with a very conservative scenario definition, and successively refining the levels of modeling realism commensurate with risk significance of the compartment.

The first, and most conservative, iteration of fire scenario definition is sometimes referred to as “full compartment burn”. All ignition sources within the compartment are conservatively assumed to fail all targets in the compartment, with no credit given to suppression. The total fire frequency of a given compartment is multiplied by the conditional core damage probability (CCDP) to obtain the fire-initiated CDF for that compartment. CCDP is the conditional probability that core damage will occur, given failure of a defined set of targets (cables, components, etc.). CCDP is calculated, for each fire scenario, using the probabilistic plant response model described in the next section.

The next, and more realistic, iteration of fire scenario definition utilizes a fire progression event tree (FPET). The FPET models the entire fire progression, including the growing set of target failures that occurs as a function of time. It includes a probabilistic modeling of the fire growth and suppression. The FPET level of detail can be adjusted commensurate with risk significance, such that high risk scenarios may use a very detailed FPET, while lower risk scenarios may use a less resolute FPET.

The FPET approach first develops a realistic heat release rate, \(\dot{Q}\), profile for each scenario. This profile considers ignition, growth, steady state burning, and decay of the ignition source itself as well as any secondary combustibles (for example, adjacent cabinets, overhead cable trays) that may ignite during the fire progression. The \(\dot{Q}\) profile is then translated into a “Zone of Influence” (ZOI), which evolves as a function of time with \(\dot{Q}\). The ZOI represents the volume surrounding the ignition source, within which targets (primarily cables) are expected to fail as a result of exposure to elevated heat flux and temperature. The ZOI dimensions are typically characterized using simplified algebraic models for estimating flame radiative heat flux, flame height, plume temperature, ceiling jet temperature, and hot gas layer temperature. Examples of such models are summarized in the NFPA Fire Protection Handbook, NUREG-1934, and NUREG-1805 [33–35].

Figure 1 provides example \(\dot{Q}\) and ZOI profiles for a hypothetical ignition source with overhead cable trays.

Figure 1. Heat release rate and zone of influence profiles for an example ignition source

Once the fire progression is defined in terms of \(\dot{Q}\), it can be modeled using an FPET. The progression is first discretized into several points in time. While the specific points in time chosen are somewhat arbitrary, the general intent is for the discretization to reflect the full range of possible damage that could result from the ignition source, and for that range to be discretized into relatively uniform intervals.

Figure 2 provides an illustrative example of an FPET, which discretizes the progression into three points in time. The first occurs at \(t_1\), at which point the fire grows to sufficient size to damage the first target beyond the ignition source itself. The third occurs at \(t_3\), at which point the fire has caused its maximum potential damage within the originating compartment (for example, generation of a damaging hot gas layer that fails all targets in the compartment). The second point, \(t_2\), occurs at some intermediate time, perhaps halfway between \(t_1\) and \(t_3\).

Figure 2. Example fire progression event tree (FPET)

The first top event represents fire occurrence on a given ignition source, with a mean frequency of \(\lambda_F\) fires per year.

The second top event represents the conditional probability that, given ignition, the fire will grow to sufficient size to damage targets beyond the ignition source itself. The maximum \(\dot{Q}\) to which a fire will grow is estimated probabilistically to account for the random elements and uncertainty associated with fire growth (i.e., two identical complex fuel packages, ignited under the same conditions, may achieve two different peak heat release rates). For example, NUREG/CR-6850 [16] Table G-1 provides gamma distributions representing the peak \(\dot{Q}\) expected for various ignition source types. For a given ignition source and target spatial geometry, the minimum \(\dot{Q}\) required to damage targets beyond the ignition source itself can be calculated using various fire modeling tools. The cumulative distribution function, or the area under the probability density function, beyond this minimum \(\dot{Q}\) is the conditional probability that the fire will cause target damage beyond the ignition source itself. This concept is illustrated in Figure 3.

Figure 3. Illustration of the conditional probability of fire damage beyond the ignition source, \( P(\dot{Q}_{peak} > \dot{Q}_{damage} ) \)

The third, fourth, and fifth top events represent the likelihoods of fire suppression prior to \(t_1\), \(t_2\), and \(t_3\), respectively. Suppression probability, at each point in time, can be calculated using an event tree approach accounting for the reliabilities of prompt suppression (for example, by continuous fire watch), automatic suppression, and fire brigade suppression. The fire brigade suppression probability can be modeled as an exponential function of time, which increases with increasing time available for suppression. NUREG/CR-6850 Appendix P [16] provides an approach for calculating suppression probabilities.

The final top event in this example represents the likelihood of confining the fire damage to the compartment of origin by the compartment boundaries. The split fractions used for this top event are typically based on generic estimates of fire barrier reliability, which are provided for various barrier types (for example, fire doors, fire dampers, penetration seals) in NUREG/CR-6850 Chapter 11 [16].

With the FPET populated, each sequence (path through the event tree) represents a particular fire damage state (set of failed targets) occurring at a certain frequency. In order to obtain the CDF for each FPET sequence, the CCDP associated with that group of failed targets must be calculated, which is discussed in the following section. The fire scenario CDF is the sum of all sequence core damage frequencies, each of which is the product of the sequence frequency and its CCDP.
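The FPET quantification described above, carried through in code as an added worked example that is not part of the paper: it assumes a gamma distribution for the peak heat release rate (the form used by NUREG/CR-6850 Table G-1, with constructed parameters), a constructed suppression model that combines automatic-system unavailability with the exponential fire brigade model, a generic barrier failure split fraction, and constructed CCDP values per damage state.

```python
"""FPET quantification for one ignition source (constructed example, not the paper's data)."""
import math


def gamma_cdf(x, shape, scale):
    """Regularized lower incomplete gamma function P(shape, x/scale) via its series
    expansion (x >= 0). Used here as the CDF of the peak heat release rate; the gamma
    form follows NUREG/CR-6850 Table G-1, but the parameters below are assumed."""
    if x <= 0.0:
        return 0.0
    z = x / scale
    term = 1.0 / shape          # n = 0 term of the sum z^n / (a (a+1) ... (a+n))
    total = term
    n = 1
    while term > total * 1e-16 and n < 100000:
        term *= z / (shape + n)
        total += term
        n += 1
    return math.exp(-z + shape * math.log(z) - math.lgamma(shape)) * total


def p_damage_beyond_source(q_damage, shape, scale):
    """P(Qdot_peak > Qdot_damage): area of the peak-HRR density beyond the minimum
    HRR that damages the first target outside the ignition source (Figure 3 concept)."""
    return 1.0 - gamma_cdf(q_damage, shape, scale)


def non_suppression(t_min, p_prompt, p_auto_fail, brigade_rate):
    """Probability the fire is still burning t_min minutes after ignition.
    Assumed structure: prompt suppression and the automatic system act before the
    first damage time; brigade suppression follows the exponential model exp(-rate * t)."""
    return (1.0 - p_prompt) * p_auto_fail * math.exp(-brigade_rate * t_min)


def quantify_fpet(lam_f, p_grow, times, ns, p_barrier_fail, ccdp):
    """Walk the six FPET paths (Figure 2 layout) and return a list of
    (sequence, frequency per year, damage state, CDF per year).
    times: (t1, t2, t3); ns(t): non-suppression probability at time t;
    ccdp: damage state -> conditional core damage probability (constructed here,
    normally from the plant response model)."""
    t1, t2, t3 = times
    ns1, ns2, ns3 = ns(t1), ns(t2), ns(t3)
    grow = lam_f * p_grow       # fires that damage targets beyond the source
    paths = [
        ("no growth beyond source",      lam_f - grow,                        "SOURCE_ONLY"),
        ("suppressed before t1",         grow * (1.0 - ns1),                  "SOURCE_ONLY"),
        ("suppressed between t1 and t2", grow * (ns1 - ns2),                  "DS_T1"),
        ("suppressed between t2 and t3", grow * (ns2 - ns3),                  "DS_T2"),
        ("unsuppressed, barrier holds",  grow * ns3 * (1.0 - p_barrier_fail), "DS_T3"),
        ("unsuppressed, barrier fails",  grow * ns3 * p_barrier_fail,         "DS_MULTI"),
    ]
    return [(name, freq, ds, freq * ccdp[ds]) for name, freq, ds in paths]


def scenario_cdf(results):
    """Scenario CDF: sum over sequences of (sequence frequency x CCDP)."""
    return sum(r[3] for r in results)


# Constructed parameters (assumed, for illustration only)
LAM_F = 1.0e-3                      # ignition frequency, fires per year
HRR_SHAPE, HRR_SCALE = 2.0, 100.0   # gamma peak-HRR parameters, scale in kW
Q_DAMAGE = 150.0                    # kW needed to damage the first target beyond the source
TIMES = (5.0, 15.0, 30.0)           # t1, t2, t3 in minutes
CCDP = {"SOURCE_ONLY": 1e-4, "DS_T1": 1e-3, "DS_T2": 5e-3, "DS_T3": 2e-2, "DS_MULTI": 1e-1}


def example_results():
    """Quantify the constructed scenario end to end."""
    p_grow = p_damage_beyond_source(Q_DAMAGE, HRR_SHAPE, HRR_SCALE)
    ns = lambda t: non_suppression(t, p_prompt=0.0, p_auto_fail=0.05, brigade_rate=0.1)
    return quantify_fpet(LAM_F, p_grow, TIMES, ns, p_barrier_fail=0.1, ccdp=CCDP)


if __name__ == "__main__":
    res = example_results()
    for name, freq, ds, cdf in res:
        print(f"{name:32s} {ds:12s} freq={freq:.3e}/yr  CDF={cdf:.3e}/yr")
    print(f"scenario CDF = {scenario_cdf(res):.3e}/yr")
```

The sequence frequencies sum back to \(\lambda_F\), which is a useful sanity check on any FPET: every ignition ends on exactly one path.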

3.2 Plant Response Model

Fire PRAs use a plant response model to calculate the conditional probability of core damage, given a set of failed targets and fire-generated conditions. This calculation is performed for each of the ignition sources and fire damage states comprising the fire PRA. While this discussion focuses on the CDF risk metric, the plant response model is also used to calculate conditional probability of other undesired end states, such as large early release of fission products.

The plant response model is a logic model consisting of event trees and fault trees. Typically, an event tree is developed for each credible initiating event. An initiating event is a perturbation to normal plant operation that requires mitigation to prevent an undesired end state, such as core damage. Examples of initiating events include loss of offsite power, loss of normal cooling to the reactor, and leaks or ruptures in the reactor coolant system. The event tree top events represent failures of each plant system or function required to mitigate the initiating event. The probability of each top event (failure of mitigating system or function) is usually calculated with a large fault tree model of that system or function.

Figure 4 illustrates this basic plant response model logic structure. A typical plant response model develops event trees for dozens of initiating events, and the supporting fault trees include thousands of basic events.

Figure 4. Illustration of event tree/fault tree plant response model

The plant response model is typically developed prior to the start of a fire PRA, as part of the internal events PRA (focusing on random failures). Reviews are performed to identify potentially fire risk significant failures not already included in the base plant response model. These failures are then added to the plant response model.

For example, the internal events plant response model may exclude flow diversion paths that are normally isolated by multiple closed valves designed to fail closed on loss of air or power. The screening basis is that the random spurious opening of multiple such valves is of sufficiently low probability that it contributes insignificantly to total plant risk. However, the likelihood of spurious valve operation greatly increases in the presence of fire, which can cause electrical shorting conditions that result in components transferring state.

In addition to causing hardware failures, fire can also degrade the reliability of human actions. For example, fire can disable an instrument or alarm that provides the cue for operators to implement a particular action. The presence of fire or smoke can prevent operators from traversing to a particular action location. Fire can also reduce the pool of operators available to implement plant shutdown actions, as some of them may be diverted to support firefighting. To account for such impacts, a systematic human reliability analysis is performed for all operator actions modeled by the fire PRA. This analysis produces a numerical reliability estimate for each action under a variety of fire-generated conditions, and these estimates are incorporated into the plant response model and its quantification process.

The result is a plant response model capable of estimating the CCDP for each fire damage state, including the contribution of fire-induced hardware failures, fire impact on operator actions, and the potential for random failure of unaffected mitigating equipment. These conditional core damage probabilities are used in quantifying the FPET (Figure 2) to calculate CDF for each fire ignition source.

3.3 Fire PRA Quantification and Typical Results

The fire PRA model is then quantified using PRA quantification software. Given the large number of fire scenarios and complexity of the plant response model, full model quantification can take on the order of 12 to 24 h computer run time. While quantification would seem to be the final step, it is usually performed iteratively throughout fire PRA model development to focus modeling detail on the most risk significant scenarios.

A number of fire PRA studies have estimated total fire-induced CDF on the order of \(10^{-5}\) per year and fire-induced LERF on the order of \(10^{-6}\) per year. These values by themselves, however, provide little useful information. Far more valuable are the qualitative insights that arise from exercising the model. For example, Figure 5 provides an example of how fire risk might be distributed throughout a hypothetical plant.

Figure 5. Example fire risk distribution throughout plant areas

This simple ranking allows utility personnel to understand which plant areas are most vulnerable to fire. For example, control room and cable spreading room fires tend to be dominant because they can affect control cables for most plant equipment, including redundant trains of safety equipment. In addition, fires inside the control room can threaten habitability, forcing operators to abandon it and attempt plant shutdown from a more limited set of controls available outside the control room. Switchgear room fires tend to be significant risk contributors because they can de-energize broad portions of the safety-related electrical distribution system, including much of the equipment relied upon for accident mitigation. Fire damage within switchgear rooms tends to be limited to one train of safety equipment due to electrical separation requirements. The fire PRA can also uncover vulnerabilities in plant areas previously thought to be benign, for example by identifying “pinch points” where critical cables are routed together.

With this knowledge, plant personnel can incorporate meaningful actions into their plant operation and maintenance activities to minimize the likelihood and potential severity of fire in those important areas. For example, temporary combustible storage and hotwork activities can be moved to less risk significant areas. Additional vigilance for maintaining the operability of detection and suppression systems in higher risk areas can be implemented, and compensatory measures can be taken when those systems are out of service (for example, for maintenance and testing).

Figure 6 provides an example of how fire risk might be distributed across ignition source types at a hypothetical plant.

Figure 6. Example fire risk distribution across ignition source types

In this example, electrical cabinet fires contribute nearly 50% of total plant fire risk. Their contribution is two-fold: First, failure of cabinets such as switchgear and load centers can de-energize broad portions of the safety-related electrical distribution system. Second, electrical cabinets are numerous (on the order of 500 cabinets per plant), and their location is distributed throughout the plant such that at least some are located in areas containing higher densities of cables supporting important mitigating equipment.

High energy arcing faults also tend to be significant fire risk contributors. Switchgear, load centers, and bus ducts (480 V and above) are vulnerable to this failure mechanism. It can occur when overheating causes vaporization of conductive material, which bridges two energized electrodes causing an arcing fault. The initial fault can be explosive, eject molten debris, mechanically damage nearby equipment, and initiate an ensuing fire. They are often fire risk significant because their occurrence frequency is relatively high, and the consequences tend to be high since they occur on the higher voltage portions of the electrical distribution system (thereby de-energizing the lower voltage features dependent on the faulted device). Further complicating these events, there is no opportunity to prevent the initial damage once the fault has occurred; however, fire detection and suppression systems can help mitigate the ensuing fire, provided they are not damaged by the initial explosive phase. The risk associated with high energy arcing faults is best minimized by careful design, maintenance, and surveillance testing of electrical equipment vulnerable to these faults.

Fires caused by welding and cutting, and transient combustible fires, are a particularly challenging part of the risk assessment, since they can occur at virtually any location throughout the plant. Because the location of all activities involving welding, cutting, and transient combustibles throughout a plant lifetime cannot be reliably predicted, systematic processes are often implemented to evaluate the risk contribution of all potential locations. These analyses provide risk insight into plant areas where fixed ignition sources are not present, and in that sense they complete the fire PRA as a spatial risk assessment of the entire plant.

Figure 6 also illustrates how equipment posing a very high fire hazard may contribute only minimally to fire risk. For example, turbine generator fires can involve thousands of gallons of lubricating oil, causing partial or even full collapse of the turbine building. While this represents a high fire hazard, the risk of reactor core damage can be relatively low because the turbine building often does not contain important mitigating equipment or cables.

Beyond examining fire risk by location and ignition source type, systematically reviewing the dominant fire PRA accident sequences can identify the most important accident mitigating systems and components (for example, systems required for decay heat removal and the injection of borated water into the reactor coolant system). These insights can help focus surveillance testing and maintenance on the most important systems. Similarly, the most crucial operator actions for accident mitigation can be identified, and training programs can be tailored to place more emphasis on those actions.

Finally, the fire PRA can often identify cost-effective plant modifications for reducing fire risk. Examples include installation of additional detection or suppression, re-routing or protecting specific cables, and the installation of additional electrical isolation devices to minimize fire impact on the electrical distribution system.

4 Illustrative Example

A hypothetical plant area is examined as an illustrative example. The plant is a pressurized water reactor with two trains of safety equipment. The plant was designed with each train of safety equipment, including electric power and control, spatially separated such that at least one train would survive fire in any one plant area. In the United States this train separation concept is required by the family of regulations surrounding 10 CFR 50 Appendix R [36]. In this simplified example, each train can be powered from either offsite power or a train-specific emergency diesel generator. Should offsite power and both emergency diesel generators fail, a condition known as station blackout, reactor heat removal can be accomplished by a steam turbine-driven auxiliary feedwater pump. Reactor core damage is assumed to occur if offsite power, both emergency diesel generators, and the steam turbine-driven auxiliary feedwater pump were to fail.

Figure 7 depicts the plant area under examination. The figure shows each emergency diesel generator (EDG-A and EDG-B) separated into their own fire compartments. There is a common area separating the diesel generator compartments from the switchgear, also within their own train-separated compartments (SWGR-A and SWGR-B). Should offsite power fail, EDG-A provides emergency power to SWGR-A, and EDG-B provides emergency power to SWGR-B. All five compartments depicted in Figure 7 are surrounded by rated fire barriers.

Figure 7. Depiction of example plant area (not to scale)

This example assesses fire risk in the common area separating the emergency diesel generator and switchgear areas. The selected risk metric is reactor core damage frequency.

Plant walkdowns revealed only one fixed ignition source in this area, a wall-mounted electrical cabinet (Cabinet-X) whose failure would cause a loss of offsite power to the essential switchgear. Discussion with plant maintenance personnel also revealed a variety of potential transient ignition sources, since the room is used as a staging area for maintenance on the diesel generators.

The fire occurrence frequencies, \(\lambda_F\), for the electrical cabinet and the potential transient fire sources are estimated to be 7.20E−05/year and 4.80E−04/year, respectively. These estimates are based on the data and methodology presented in NUREG/CR-6850 [16], which includes approximately 2500 reactor-years of operating experience at U.S. nuclear power plants. Other sources of fire frequency data include [37–40].

In the first stage of fire scenario development, it is conservatively assumed that fire occurrence on Cabinet-X would fail all equipment and cables within the common area. A walkdown and examination of cable layout drawings identifies several hundred cables routed through the area. A query of these cables against the fire PRA electrical analysis identifies only two (Cable-EDGB and Cable-TDAFW) associated with equipment modeled by the PRA. The remaining cables are associated with equipment whose failure negligibly affects fire risk. As shown in Figure 7, Cable-EDGB is routed from the ‘B’ emergency diesel generator, across the common area, and into the ‘B’ switchgear compartment. Cable-TDAFW is routed from the ‘A’ switchgear area, and through the common area at the opposing end from Cabinet-X.

So, in this first conservative stage of scenario development, fire on Cabinet-X is modeled to cause a loss of offsite power initiating event (due to the cabinet itself failing), followed by failures of emergency diesel generator ‘B’ and the steam turbine-driven auxiliary feedwater pump.

Figure 8 depicts the event tree used by this example to assess fire-induced loss of offsite power initiating events. Note that the event tree down branches represent failures. So, for example, \(p_{RT}\) is the probability of reactor trip failure, and \(1 - p_{RT}\) is the probability that the reactor successfully trips.

Figure 8 Example event tree for loss of offsite power

The event tree begins with fire occurrence on Cabinet-X, at frequency of 7.20E−05/year. Electrical analysis demonstrated that failure of Cabinet-X would directly cause a loss of offsite power, so the second top event probability, pLOOP, is 1.0.

Failure probability of the third top event, pRT, is calculated by a fault tree model of the plant systems that initiate reactor trip. An assessment of these systems determined it highly unlikely that fire damage mechanisms (such as cable shorts to ground, conductor-to-conductor faults, and open circuits) would prevent or degrade the likelihood of reactor trip, so the failure probability pRT is based solely on the random and human failures that can occur. In this example pRT is calculated as 2.38E−06, again by quantifying the fault tree model of the reactor trip systems. This relatively low failure probability is indicative of a reliable system design for this important function. Multiplying the Cabinet-X fire occurrence frequency, λF, by pRT yields 1.71E−10/year. Because total plant fire CDF is generally on the order of E−05/year, fires occurring on Cabinet-X and involving reactor trip failure represent an extremely small contribution to total plant risk and are therefore screened from further consideration.

The fourth top event represents failure of the emergency power system, which is composed of two emergency diesel generators and their support systems. Failure probability of this top event, pEP, is similarly determined by quantifying a fault tree model of the emergency power systems. This model includes the hundreds of individual component and human failures that can occur within the emergency power system. However, in this case, the fire has failed EDG-B via cable damage. Therefore, the emergency power fault tree is quantified with EDG-B failed (set to logical TRUE). In this example, pEP given failure of EDG-B is calculated as 5.13E−02. Inspection of the cutsets generated via fault tree quantification indicates this failure probability is dominated by random failures of components associated with EDG-A.

The fifth top event represents failure of secondary side cooling, which is provided by the auxiliary feedwater system. Failure probability of this top event, pAFW, is determined by fault tree quantification of the auxiliary feedwater system. Note that this quantification is conditioned upon the preceding top event in the event tree. For cases where emergency power fails, the portions of the auxiliary feedwater fault tree that are electrically dependent are also failed during fault tree quantification. In this conservative fire scenario definition, the fire is assumed to damage Cable-TDAFW, which causes failure of the steam-driven auxiliary feedwater pump. So, for this fire scenario, secondary side cooling can only succeed when emergency power remains available. In this example, pAFW is calculated to be 2.05E−04 when emergency power is available, and is 1.0 when emergency power is unavailable.

The final top event represents failure of primary side cooling, which is provided by the safety injection system. This system is completely dependent on power, unlike auxiliary feedwater which contains a steam turbine-driven pump. So, the safety injection system is only demanded in the loss of offsite power event tree for cases where emergency power succeeds. In this example pSI is calculated to be 1.38E−02.

Table 1 summarizes the top event values given failure of all risk-relevant targets within the common area.

Table 1 Top Event Values given Failure of all Risk-Relevant Targets in Area

Quantifying and summing the two core damage sequences of the event tree yields a 3.69E−06/year fire-induced CDF posed by Cabinet-X. Note that this estimate excludes contribution of multi-compartment fire propagation, which would further increase the calculated core damage frequency. With total plant fire CDF estimated in the E−05 range, this conservative quantification (assuming failure of all targets in the common area) characterizes Cabinet-X as a significant fire risk contributor. The term “significant” is defined by ASME/ANS-RA-Sb-2013 [17] to be either any individual sequence within the group of sequences collectively comprising the top 95% of total risk, or a sequence that by itself contributes over 1% to total risk.
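The event tree quantification described above, worked through in code as an added example (this is not the paper's own software; the branch values are the ones stated in the text, and the sequence structure follows the description of which top events are demanded on each branch). Down branches are failures, so each sequence frequency is the product of the initiating frequency and the branch probabilities along its path:

```python
# Added example: loss-of-offsite-power event tree for a Cabinet-X fire,
# constructed from the values stated in the text. Not the paper's own code.
from dataclasses import dataclass

# Top event values stated in the text (per-year frequency for the initiator,
# conditional failure probabilities for the remaining top events).
LAMBDA_F = 7.20e-05     # Cabinet-X fire occurrence frequency, /yr
P_LOOP = 1.0            # Cabinet-X failure directly causes loss of offsite power
P_RT = 2.38e-06         # reactor trip failure (random and human failures only)
P_EP = 5.13e-02         # emergency power failure, given EDG-B failed by the fire
P_AFW_EP_OK = 2.05e-04  # auxiliary feedwater failure when emergency power is available
P_AFW_EP_FAIL = 1.0     # Cable-TDAFW failed by fire; no electric AFW pumps without EP
P_SI = 1.38e-02         # safety injection failure (only demanded when EP succeeds)


@dataclass
class Sequence:
    name: str
    end_state: str    # "OK", "CD" (core damage) or "SCREENED"
    frequency: float  # /yr


def loop_event_tree(lam_f=LAMBDA_F, p_loop=P_LOOP, p_rt=P_RT, p_ep=P_EP,
                    p_afw_ok=P_AFW_EP_OK, p_afw_fail=P_AFW_EP_FAIL, p_si=P_SI):
    """Enumerate every path through the event tree and return it with its frequency."""
    init = lam_f * p_loop
    seqs = []
    # Reactor trip failure: the text screens this branch as negligible.
    seqs.append(Sequence("RT-fail", "SCREENED", init * p_rt))
    trip_ok = init * (1.0 - p_rt)
    # Emergency power succeeds: AFW is demanded, and SI is the backup if AFW fails.
    ep_ok = trip_ok * (1.0 - p_ep)
    seqs.append(Sequence("EP-ok/AFW-ok", "OK", ep_ok * (1.0 - p_afw_ok)))
    afw_fail = ep_ok * p_afw_ok
    seqs.append(Sequence("EP-ok/AFW-fail/SI-ok", "OK", afw_fail * (1.0 - p_si)))
    seqs.append(Sequence("EP-ok/AFW-fail/SI-fail", "CD", afw_fail * p_si))
    # Emergency power fails: in this scenario AFW fails with certainty (TDAFW pump
    # cable damaged, electric pumps unpowered) and the fully power-dependent SI
    # system is not demanded at all.
    ep_fail = trip_ok * p_ep
    seqs.append(Sequence("EP-fail/AFW-ok", "OK", ep_fail * (1.0 - p_afw_fail)))
    seqs.append(Sequence("EP-fail/AFW-fail", "CD", ep_fail * p_afw_fail))
    return seqs


def core_damage_frequency(seqs):
    """Sum of the core damage sequence frequencies, /yr."""
    return sum(s.frequency for s in seqs if s.end_state == "CD")


def dominant_core_damage_sequence(seqs):
    """The single core damage sequence with the highest frequency."""
    return max((s for s in seqs if s.end_state == "CD"), key=lambda s: s.frequency)


if __name__ == "__main__":
    sequences = loop_event_tree()
    for s in sequences:
        print(f"{s.name:26s} {s.end_state:9s} {s.frequency:.3e} /yr")
    print(f"Cabinet-X fire CDF (conservative): {core_damage_frequency(sequences):.3e} /yr")
```

Running the block reproduces the 3.69E−06/year figure, and shows that essentially all of it comes from the emergency power failure branch, which is why the text focuses the refinement effort on the fire's ability to actually reach Cable-EDGB and Cable-TDAFW.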

In order for the overall fire PRA (including all ignition sources throughout the plant) to provide meaningful insights, and to be used for risk-informed applications, it is important that known conservatism in the modeling of significant risk contributors be minimized. Otherwise, attention can be erroneously focused on areas that appear risk significant, when that significance is artificially inflated due to modeling conservatism.

To reduce modeling conservatism in this example, a FPET approach (see Figure 2) is now applied. The FPET defined for this case discretizes the fire progression into three intervals:

(1) Ignition through damage to the first target, Cable-EDGB

(2) Progression through damage to the second target, Cable-TDAFW

(3) Progression beyond damage to the second target, Cable-TDAFW

This FPET developed with these three intervals is depicted in Figure 9.

Figure 9 Fire progression event tree for Cabinet-X example

Following walkdown inspection of Cabinet-X, a heat release rate probability density function is selected in the form of a gamma distribution with parameters α = 0.7 and β = 216, which has a 98th percentile value of 702 kW. While this distribution is selected based on data summarized in NUREG/CR-6850 [16], there are a variety of heat release rate data sources throughout the fire protection literature, for example [41] and its supporting references.

Cable-EDGB is the first target expected to be damaged in the fire progression, and it is located in the plume region 2.0 m above the fire source. The cable has thermoset insulation and is estimated to functionally fail at 330°C [16]. Using Heskestad’s plume relation [42], along with field measurements of ambient conditions and the fire source dimensions, a heat release rate of approximately 345 kW would be required to damage Cable-EDGB.

345 kW corresponds to the 88th percentile of the heat release rate gamma distribution with parameters α = 0.7 and β = 216. That is, only 12% of fires occurring on Cabinet-X are estimated to exceed the 345 kW required to damage the first target, Cable-EDGB. In the FPET, \(P(\dot{Q}_{\text{peak}} > \dot{Q}_{\text{dmg}})\) is therefore 1.20E−01.

There are no secondary combustibles (e.g., cable trays) that could ignite, and so the heat release rate profile for this scenario is based entirely on the burning electrical cabinet. Assuming a “t-squared” growth profile, and that the cabinet will reach its peak heat release rate (702 kW) at 11.4 min per NUREG/CR-6850 Appendix G [16], the fire is calculated to reach 345 kW and fail Cable-EDGB approximately 8.0 min following ignition.

The second target, Cable-TDAFW, is located outside the plume and ceiling jet regions and could only be damaged via exposure to the hot gas layer. The area is normally cooled by a forced ventilation system designed to trip upon smoke detection, which is expected early in the fire progression. The doors to this area are also normally maintained closed. Therefore, the compartment is modeled as closed, with no forced ventilation. Using the method of Beyler [43], it is calculated that a heat release rate of 635 kW is sufficient to fail Cable-TDAFW. Again assuming a “t-squared” growth profile with a peak heat release rate of 702 kW reached at 11.4 min, the fire is calculated to reach 635 kW and fail Cable-TDAFW approximately 10.8 min following ignition.

The area is not protected by an automatic suppression system, so only manual suppression by the fire brigade is credited in this analysis. NUREG/CR-6850 Appendix P [16] offers a simplified fire brigade suppression model of the form:

$$ P(t_{\text{supp}} > t) = e^{ - \lambda_{s} t} $$

In this equation, \(t_{\text{supp}}\) represents the fire suppression time, t represents the time to target damage, and \(\lambda_{s}\) is the suppression rate calculated by review of nuclear power plant operating experience with fires. NUREG/CR-6850 [16] suggests a \(\lambda_{s}\) value of 0.12/min for electrical fires. Using this equation, the probabilities of non-suppression prior to Cable-EDGB failure at 8.0 min and Cable-TDAFW failure at 10.8 min are 3.83E−01 and 2.74E−01, respectively.
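The three FPET inputs derived in the preceding paragraphs (the gamma-distribution exceedance probability, the t-squared time to reach each target's damage heat release rate, and the non-suppression probability) can be reproduced from the stated parameters. The block below is an added example constructed for this article and is not the paper's own software; the damage heat release rates of 345 kW and 635 kW are taken from the text as given (the Heskestad plume and Beyler hot gas layer calculations that produced them are not repeated here), and the gamma CDF is implemented directly from its series expansion so that the example runs without any scientific library:

```python
# Added example: fire-modeling inputs to the Cabinet-X fire progression event
# tree, constructed from the parameters stated in the text. Not the paper's code.
import math


def regularized_lower_gamma(a, x, tol=1e-14):
    """P(a, x), the CDF of a gamma distribution with shape a and unit scale.

    Uses the series  x^a e^{-x} / Gamma(a+1) * sum_n x^n / ((a+1)(a+2)...(a+n)),
    which converges for every x >= 0 because the terms eventually shrink once
    a + n exceeds x.
    """
    if x <= 0.0:
        return 0.0
    term, total, n = 1.0, 1.0, 0
    while term > tol * total:
        n += 1
        term *= x / (a + n)
        total += term
    return math.exp(a * math.log(x) - x - math.lgamma(a + 1.0)) * total


def gamma_exceedance(q_kw, alpha, beta):
    """P(Q_peak > q) for a gamma heat release rate distribution (shape alpha, scale beta kW)."""
    return 1.0 - regularized_lower_gamma(alpha, q_kw / beta)


def t_squared_time_to(q_target_kw, q_peak_kw, t_peak_min):
    """Time for a t-squared fire, Q(t) = Q_peak (t / t_peak)^2, to reach q_target.

    Returns infinity when the target exceeds the peak, since the fire never gets there.
    """
    if q_target_kw > q_peak_kw:
        return math.inf
    return t_peak_min * math.sqrt(q_target_kw / q_peak_kw)


def non_suppression_probability(t_damage_min, lambda_s_per_min):
    """P(t_supp > t) = exp(-lambda_s t) from the simplified fire brigade model."""
    return math.exp(-lambda_s_per_min * t_damage_min)


def fpet_inputs(alpha=0.7, beta=216.0, q_peak_kw=702.0, t_peak_min=11.4, lambda_s=0.12,
                targets=(("Cable-EDGB", 345.0), ("Cable-TDAFW", 635.0))):
    """Per-target exceedance probability, time to damage (min) and non-suppression probability."""
    results = {}
    for name, q_dmg in targets:
        t_dmg = t_squared_time_to(q_dmg, q_peak_kw, t_peak_min)
        results[name] = {
            "q_dmg_kW": q_dmg,
            "p_exceed": gamma_exceedance(q_dmg, alpha, beta),
            "t_dmg_min": t_dmg,
            "p_non_supp": non_suppression_probability(t_dmg, lambda_s),
        }
    return results


if __name__ == "__main__":
    print(f"98th percentile check: P(Q <= 702 kW) = {1 - gamma_exceedance(702.0, 0.7, 216.0):.3f}")
    for name, r in fpet_inputs().items():
        print(f"{name}: damage at {r['q_dmg_kW']:.0f} kW, "
              f"P(exceed) = {r['p_exceed']:.3f}, t_dmg = {r['t_dmg_min']:.1f} min, "
              f"P(non-suppression) = {r['p_non_supp']:.3f}")
```

The output reproduces the values in the text: about 12% of Cabinet-X fires exceed 345 kW, Cable-EDGB is reached at about 8.0 min and Cable-TDAFW at about 10.8 min, and the corresponding non-suppression probabilities are roughly 0.38 and 0.27. Keeping the three calculations as separate functions also makes it easy to see which input a proposed change affects: a cabinet-specific suppression system changes λs, a raceway barrier on Cable-TDAFW changes its damage heat release rate, and a different cabinet type changes the gamma parameters.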

Since there are no additional targets in this compartment, the fire could only create further functional impact if the compartment boundaries were to fail. In this example, the compartment is surrounded by rated fire walls, with all doors and penetrations rated commensurate with the wall assemblies. While it is highly unlikely that these barriers would fail as a direct result of the fire, they could fail randomly, or they may be improperly restored to service after maintenance. NUREG/CR-6850 Chapter 11 [16] summarizes estimated failure probabilities for various barrier types. In this example, the interface between the common area and each adjacent compartment is composed of a fire rated wall, containing a rated door, and a rated penetration seal. The barrier failure probability is estimated as 1.13E−02 for each compartment interface.

Table 2 summarizes the FPET top event values for this example ignition source.

Table 2 Fire Progression Event Tree Summary for Cabinet-X Modeling

Note the values for pCD indicate consideration of a full range of potential plant impact, from the high frequency but relatively benign pCD,0 in which damage is limited to the ignition source, to the low frequency but severe impact pCD,7 in which fire propagates to an adjacent compartment and leads to core damage.

Quantifying the FPET in Figure 9 with the values in Table 2 yields a 1.16E−07/year fire core damage frequency. This detailed estimate is significantly lower than the 3.69E−06/year calculated with the initial conservative approach, which assumed that fire on Cabinet-X would fail all targets within the compartment. It is possible to even further refine the modeling, for example by using a computational fluid dynamics code like the Fire Dynamics Simulator [44], however that level of detail is usually reserved for the more dominant contributors to plant fire risk. It is also likely that such additional modeling detail, focusing on characterizing the time to damage Cable-EDGB and Cable-TDAFW, would not appreciably reduce the estimated CDF when those refinements are propagated through the FPET.

Perhaps more important than numerical refinement, the detailed approach provides further insight into the factors influencing Cabinet-X fire risk. For example, the most dominant group of sequences involves unsuppressed fire growth sufficient to fail Cable-TDAFW. Any efforts to reduce Cabinet-X fire risk might first focus on delaying, or eliminating, fire damage to this cable. Some examples might include installing a suppression system specific to the cabinet (reducing the likelihood of unsuppressed cabinet fire growth), an area-wide suppression system (reducing the likelihood of Cable-TDAFW failure by hot gas layer exposure), or physically protecting Cable-TDAFW by a raceway fire barrier system.

The second most dominant group of sequences involves fire damage limited to the cabinet of origin. It is difficult to mitigate this risk by traditional fire protection measures, since the damage has already occurred (loss of offsite power) once the cabinet ignites. However, plant modifications or procedural enhancements that improve mitigation of loss of offsite power could provide a meaningful fire risk reduction. Examples might include installation of an alternate emergency power source, such as a combustion gas turbine generator, or installation of additional electric power-independent core cooling capability, such as steam driven pumps. These types of improvements can broadly reduce fire risk across many ignition sources, and they can even reduce risk associated with other hazards like flooding or earthquakes.

Finally, it was noted early in the fire scenario development that plant personnel stage materials in this area. The fire risk of this combustible storage could be similarly evaluated, and insights might include specific locations where the material poses the least risk. Recommendations to reduce risk might include limiting the type and quantity of combustible storage such that important targets (Cabinet-X, Cable-EDGB, and Cable-TDAFW) would not be damaged should ignition occur, and requiring a continuous fire watch when those limitations are exceeded.

5 Applications of Fire PRA

Opportunities to apply fire PRA are numerous, and they generally surround the identification and management of risk throughout design, operation, and maintenance. Two commonly implemented applications, known as NFPA 805 [5] and 10 CFR 50.65 [45], are briefly discussed.

In 2004, the United States Nuclear Regulatory Commission amended the fire protection regulation (10 CFR 50.48 [15]) to allow implementation of the risk-informed, performance-based fire protection standard NFPA 805 as an alternative to the traditional deterministic fire protection requirements. To date, approximately half of the United States operating nuclear power plant fleet has committed to adopting NFPA 805. Regulatory Guide 1.205 [46] and Nuclear Energy Institute 04-02 [47] provide more information regarding implementation of NFPA 805 [5].

Similar to the traditional regulation, NFPA 805 [5] requires a demonstration that fire in any individual plant area will not prevent reactor safe shutdown. This generally involves showing that redundant trains of safety equipment, including electrical cables, are spatially separated by rated fire barriers (or some alternate acceptable degree of separation). In cases where this separation does not exist, the fire PRA can be exercised to show the risk associated with the lack of separation is acceptably small. If the fire PRA concludes that the risk is not acceptably small, then the condition must be corrected, often by physical plant modification.

The question of “what level of risk is acceptable?” is challenging and usually established by the regulator. Regulatory Guide 1.174 [8] provides one approach used by the United States Nuclear Regulatory Commission. This document proposes a five-factor integrated decision-making process that includes consideration of regulation, defense-in-depth, safety margin, monitoring, and risk assessment. This five-factor approach is, in part, a recognition of the uncertainty that exists within any risk assessment. The PRA numerical results are not used as a sole basis for the acceptability of a change, which would be “risk-based” decision making. Rather, the qualitative and quantitative insights of the PRA provide meaningful input into understanding the overall picture of the risk posed by the issue being evaluated, and this approach is characterized as “risk-informed” decision making.

10 CFR 50.65 [45] provides requirements for monitoring the effectiveness of maintenance at nuclear power plants. Paragraph (a) (4) states: “Before performing maintenance activities…the licensee shall assess and manage the increase in risk that may result from the proposed maintenance activity.” For example, removing one of two safety injection pumps from service for maintenance increases the likelihood that safety injection will not function should an accident occur while the pump is in maintenance. The importance of the second pump greatly increases while the first is in maintenance. From a fire risk perspective, actions could be taken to minimize the likelihood of fires that could threaten the second pump (including the areas through which its cables are routed) while the first is in maintenance. Most nuclear power plants in the United States either have or are developing formal processes to consider fire risk in the planning of maintenance activities.

6 Conclusion

Today in the U.S. nuclear power industry, 40 years after its first major application of PRA by the Reactor Safety Study [6], PRA is formally incorporated into many aspects of plant design, licensing, operation, and regulatory oversight. Each utility has a dedicated group of engineers whose job it is to build, maintain, and exercise plant-specific PRA models to support these various applications. The regulator too has a large dedicated staff of risk analysts to support regulatory decision-making, and they maintain plant-specific PRA models developed independent of licensee PRA models. The use of PRA to identify and manage risk is valued as an important attribute of a healthy nuclear safety culture by industry and regulatory senior management.

A review of articles published in Fire Technology indicates consistent growing interest in, and the application of, probabilistic risk concepts to a variety of industries [18–31]. One challenge to the broader application of fire PRA to other industries can be the inherent difficulty, by design and with good reason, of modifying regulation, which may have developed over decades, to accommodate the use of risk-informed approaches. This challenge has been confirmed in the nuclear industry, as even with a relatively aggressive program, it has taken the better part of 40 years to overcome.

Adding to this challenge can be reservations, or perceived reservations, on behalf of the regulator regarding probabilistic approaches. One common skepticism is of the ability to estimate the frequency and consequences of rare events. However, fire is unfortunately not yet a rare occurrence. There is significant fire operating experience in most industries in which fire is a concern. There are many ongoing efforts to collect such data, and there are many opportunities to gather unharvested data in support of industry-specific analyses. For areas in which only limited data exist, there are accepted methods for handling data uncertainty. In the nuclear industry, probabilistic methods have been applied to hazards with less data and more uncertainty than fire, and yet they have yielded meaningful insights that might not otherwise have been discovered.

The early applications of probabilistic methods in the Reactor Safety Study [6], Zion PRA, and Indian Point PRA were met with similar skepticism within the regulator. However, it was ultimately the regulator who became a champion of risk-informed decision making, publicly committing to increase use of PRA technology in all regulatory matters in its 1995 policy statement [7]. This embrace by the regulator is to a large extent a recognition of the ability of PRA to uncover strengths and weaknesses in complex systems that might otherwise be undiscovered with purely deterministic analysis. The ability to prioritize resources on the issues of most safety significance is also appealing to both the regulator and industry.

The costs to build, maintain, and implement PRA models are often cited as a challenge. While the investment can be significant, in particular for large complex systems where multiple hazards are evaluated, PRA does afford opportunity to reduce unnecessary burden. In the nuclear industry several risk-informed applications are available to utilities and endorsed by the NRC, including the optimization of surveillance frequency and allowed outage time for critical equipment. While implementation of NFPA 805 [5] has been widely viewed as costly, in many cases its application precluded the need for utilities to comply with specific prescriptive requirements that would have been even more costly, without offering much safety benefit. A broader implementation of these PRA applications, aimed at reducing unnecessary burden, is expected as PRA model development activities stabilize and pilot programs are completed.