development of a safety case for the use of current

DEVELOPMENT OF A SAFETY CASE FOR THE USE OF CURRENT LIMITING DEVICES TO MANAGE SHORT CIRCUIT CURRENTS ON ELECTRICAL DISTRIBUTION NETWORKS

This work was commissioned and managed by the DTI's Distributed Generation Programme in support of the Technical Steering Group (TSG) of the Distributed Generation Co-ordinating Group (DGCG). The DGCG is jointly chaired by DTI and Ofgem, and further information can be found at

www. distributed-generation, gov. uk

Report Number: DG/CG/0022/REP URN 04/1066

Contractor

P B Power

The work described in this report was carried out under contract as part of the DTI’S New & renewable Energy programme. The views and judgements expressed in

this report are those of the contractor and do not necessarily reflect those of the DTI or Future Energy

Solutions.

First Published 2004

© CROWN COPYRIGHT

Page i

CONTENTS

1 INTRODUCTION AND BACKGROUND..................................................................................................1

1.1 Background to Project............................................................................................................................... 1

1.2 Introduction................................................................................................................................................. 2

1.3 Methodology................................................................................................................................................ 2

2 THE CURRENT LIMITING DEVICE...................................................................................................... 4

2.1 Introduction................................................................................................................................................. 4

2.2 Overview of Operation and Application...............................................................................................4

2.2.1 Existing Experience in the 'UK........................................................................................................ 4

2.2.2 Principles of Operation....................................................................................................................4

2.2.3 Applications.....................................................................................................................................5

2.2.4 Fault types........................................................................................................................................6

2.3 Hazard Identification................................................................................................................................. 7

2.3.1 'Introduction..................................................................................................................................... 7

2.3.2 Failure Modes, Effects and Criticality Analysis.............................................................................. 8

2.3.3 HA=OP...........................................................................................................................................12

2.3.4 Findings of Hazard Identification.................................................................................................. 12

2.4 Operational Experience........................................................................................................................... 17

2.4.1 Mal-Operations..............................................................................................................................17

2.5 Reliability assessment............................................................................................................................. 19

2.5.1 'Predictive Reliability Assessment................................................................................................... 19

2.5.2 Reliability Assessment Based on Operational Data...................................................................... 20

2.5.3 Discussion......................................................................................................................................21

2.5.4 Conclusion .....................................................................................................................................21

3 SAFETY LEGISLATION REVIEW, INTERPRETATION AND COMPLIANCE............................22

3.1 Introduction............................................................................................................................................... 22

3.2 Review of general safety legislation................................................................................................. 23

3.2.1 The Health and Safety at Work Act 1974...................................................................................... 23

3.2.2 Management of Health and Safety at Work Regulations 1999......................................................24

3.2.3 Review of The Electricity at Work Regulations 1989.................................................................... 25

3.2.4 Review of The Electricity Safety, Quality and Continuity Regulations 2002 (ESQC'R)................28

3.3 Review of IEC 61508 Functional safety of electrical/electronic/programmable

electronic safety-related systems.................................................................................................................33

3.4 Explosive regulations.............................................................................................................................. 35

3.5 Conclusions................................................................................................................................................. 37

4 SAFETY MANAGEMENT........................................................................................................................ 39

Page i

4.1 Introduction................................................................................................................................................ 39

4.2 As Low As Reasonably Practicable (ALARP)................................................................................... 39

4.3 Risk Assessment..........................................................................................................................................39

4.3.1 Tolerability Of Risk (TOR) Framework..........................................................................................40

4.3.2 Tolerability Limits..........................................................................................................................40

4.4 Applicability of ALARP Approach to Current Limiting Devices................................................42

4.4.1 Good Practice argument.................................................................................................................42

4.4.2 Broadly acceptable risk argument................................................................................................ 42

4.4.3 Proportionality argument.............................................................................................................. 43

4.4.4 'Modification of existing plant argument.......................................................................................43

4.4.5 Summary.........................................................................................................................................44

4.5 Business Implications............................................................................................................................... 44

4.5.2 Conclusion......................................................................................................................................45

5 CONSEQUENCE ASSESSMENT............................................................................................................ 46

5.1 Consequences of Failure to trip.............................................................................................................46

5.1.1 Direct Consequences of mal-operation - Localised effect............................................................ 46

5.1.2 Direct Consequences of mal-operation -Effects on the wider network.........................................47

5.1.3 'Indirect consequences...................................................................................................................48

5.2 spurious tripping.........................................................................................................................................48

6 CONTROL MEASURES............................................................................................................................49

7 CONCLUSIONS..........................................................................................................................................51

8 RECOMMENDATIONS............................................................................................................................ 53

APPENDIX A LIST OF ABBREVIATIONS AND REFERENCES

APPENDIX B RISK MANAGEMENT AND ALARP BACKGROUND READING

APPENDIX C HSE GUIDANCE ON ASSESSING COMPLIANCE WITH THE LAW IN INDIVIDUAL CASES AND THE USE OF GOOD PRACTICE

APPENDIX D STATEMENTS FROM THE HSE, DTI AND OFGEM

APPENDIX E FAULT CURRENT LIMITERS DETAILED DATA

APPENDIX F EFFECT OF FAULT CURRENT LIMITERS ON SWITCHING TRANSIENTS AND DOWNSTREAM CIRCUIT BREAKERS

APPENDIX G COMPLETED QUESTIONNAIRES

Page //

1 INTRODUCTION AND BACKGROUND

1.1 Background to Project

The Department of Trade and Industry (DTI) and the Office of Gas and Electricity Markets (Ofgem)

created, and jointly chair, the Distributed Generation Coordinating Group (DGCG). The aims of the

DGCG are to recommend priorities for action arising from the joint Government industry working

group on embedded generation (the Embedded Generation Working Group) which reported in

January 2001. In achieving this it provides advice to DTI, DEFRA and Ofgem on any actions required

to assist the integration of small generation into the utility electrical network.

The Technical Steering Group was established to support the work of the DGCG and address a range

of technical issues regarding the connection of distributed generation. A key issue being addressed by

this group is how to increase the amount of electricity generated from distributed generators that can

be accepted by the electrical network. This is likely to be achieved by increasing the degree of

network and generation management and increasing the complexity of the network infrastructure.

A number of work streams have been established by the Technical Steering Group. Work stream 3

(WS3), focuses on short-term network solutions. One of the solutions that the work stream has

recommended for implementation in the short term is the application of a particular type of current

limiting device to manage short circuit currents. These are capable of detecting and limiting a short

circuit current very quickly by use of a small explosive charge to open a conductor. This diverts the

current to a parallel fuse which quenches the short circuit current.

The Distribution Network Operators (DNOs) have a licence obligation to operate their networks in

compliance with the Distribution Code, DTI regulations and Health and Safety Legislation. The DNOs

have concerns about the use of these current limiting devices. The issues that they are particularly

concerned about are:-

□ any possibility that a failure of the current limiting device to operate could overstress

switchgear.

□ any legal constraints that could prevent the use of this type of current limiting device

□ the lack of an associated ‘back up' system.

□ their intrinsic safety.

□ the testing of operation.

□ their triggering integrity.

Parsons Brinckerhoff Ltd Page 1 Final report draft3

Terms of reference for this study were therefore developed in order to address these issues. The

study has been funded by the DTI New and Renewable Energy Programme.

1.2 Introduction

The purpose of this study was to critically review the safety issues associated with the use of current

limiting devices and to prepare a critical risk assessment in accordance with ‘good industry practice'.

During the course of the project, when the legislative barriers became apparent, the scope changed to

include a much greater involvement with the HSE, the DTI and Ofgem. It also became apparent that it

would not be possible to develop a generally applicable safety case that would satisfy all of the

agencies, or a critical risk assessment that would cover all applications. The scope therefore changed

to focus on how the existing barriers should be approached and the implications of the existing

legislation.

The study has included a review of the operation, application, experience, hazards and reliability of

the devices currently available . The relevant UK safety legislation and its interpretation formed a key

part of the work. There has been a review of the relevance of this legislation to current limiting devices

and of whether or not compliance is possible when current limiting devices are used in order to avoid

plant being operated beyond its rating. This review has led to an assessment of the applicability and

implications of a risk assessment based on an ‘As Low as is Reasonably Practicable' approach,

given that current compliance is based on the principles of inherent safety using suitably rated

equipment and the use of good practice.

The wider consequences and risk associated with using current limiting devices on the UK electrical

network have been examined and control measures proposed. Most importantly, recommendations

have been made for the way forward on this complex issue.

1.3 Methodology

The study required close liaison with all of the stakeholders, including WS3, the HSE, the DTI, Ofgem,

the manufacturers and the existing users. WS3 is made up of representatives from the various

Distribution Network Operators, the Energy Networks Association, generator developers and Ofgem.

The study has benefited from contributions by all of the stakeholders and from the organisation and

co-ordination of meetings and inputs by the WS3 project manager. The contributions came through

meetings, e-mail and comments on draft versions of this report.

The meetings included:-

• A kick-off meeting with WS3, followed by a meeting with ABB

• A meeting with G&W Electric


• A meeting and HAZOP session with one of the existing UK users of current limiting devices

• Three meetings with the HSE, the DTI and Ofgem to review and discuss the relevant UK

legislation, its interpretation and its implications for the future use of current limiting devices in the

UK

• Several report review meetings with WS3

Various members of WS3 attended and contributed to the above meetings.

The study was tackled in several stages. The first stage was a review of the available background

information and literature. This included published papers, manufacturers' literature and the Long

Term Development Statements published by the Distribution Network Operators.

Questionnaires were issued to the two manufacturers, and to users. Anonymous copies of the

questionnaires completed are included in Appendix G. The background data gathered is summarised

in section 2 of this report., and is given in more detail in Appendix E.

The next stage was an assessment of the hazards and reliability of the devices, based on the data

gathered from the manufacturers and users. This is also reported in section 2.

Carried out in parallel with this work was a review of all of the relevant UK safety legislation, and this

is presented in section 3 of this report. The interpretation, the assessment of its relevance and the

measures required for compliance are also reported in this section. Major contributions to this work

were made by the HSE and the DTI, copies of their statements have been included in Appendix D.

Section 4 presents a summary of the main concepts used in the management of Health and Safety in

the UK. It also gives an assessment of the applicability and implications of a risk assessment based

on the ‘As Low as Reasonably Practicable' (ALARP) approach, given that current compliance is

based on the principles of inherent safety using suitably rated equipment and the application of

industry good practice.

Section 5 examines the consequences arising from failure of the fault current limiting device and

section 6 covers the control measures which could be used in order to minimise the risks. Sections 7

and 8 present the conclusions, the recommendations and the way forward.


2 the current limiting device

2.1 Introduction

This section gives a review of the operation, application, experience, hazards and reliability of the

current limiting devices available .

2.2 Overview of Operation and Application

2.2.1 Existing Experience in the UK

The published literature confirmed a rather limited use of the devices in the UK with their application

only within industrial applications in the pulp and paper, chemical, petrochemical and starches

sectors. Use of these devices has not been identified within the utility sector. Furthermore, analysis

of the Long Term Development Statements provided by the Distribution Companies indicates that

there is no reference to existing or future use of current limiting devices in their networks.

2.2.2 Principles of Operation

There are currently two manufacturers with commercially available current limiting devices in

widespread use at service voltages ranging from 450V to 38kV. These are ABB, from their German

factory, and G&W Electric in the US. There was also a French manufacturer, but they have been

acquired by ABB in recent years.

The ABB and G&W Electric devices are based on similar principles, in that they both consist of a

current carrying conductor in parallel with a fuse. When a short circuit is detected an explosive charge

in the main current carrying conductor is detonated. This ruptures the main current carrying path

thus diverting the current to the fuse which quenches it. The entire operation takes place within a few

milliseconds.

After operation the devices are isolated and inserts containing the fuses and the ruptured conductors

are removed and replaced with spares. One device is installed in each phase of a three phase

system, and a circuit breaker is always required in series with it, in order to perform normal circuit

opening and closing duties.

Although the principles are similar, the detailed design, construction, setting and testing of the devices

from the two manufacturers are rather different. Further details can be found in Appendix E.

1FRANSEN, P.: ‘Case History: Electronically Controlled Fault Current Limiters Allow Inplant Switchgear to be

Interconnected', IEEE Transactions on Industry Applications, Vol. 33JNo. 2, March/April 1997. pp.319-332.


2.2.3 Applications

The following three scenarios have been considered following agreement with WS3:

1. Current limiting devices in system interconnections or busbar couplers.

2. Current limiting devices in transformer secondary circuits.

3. Current limiting devices in links between public network and private generation sites.

2) Transformer secondary circuits 3) Generator connection1) System Interconnections

Current limiting devices are often used with plant operating within its rating in order to limit short circuit

thermal effects and the consequential damage. However this study focuses on the situation where the

devices are used to avoid existing plant being operated beyond its rating. It has also been assumed

that it is only the ratings of the feeder circuits that would be exceeded, should the current limiting

device fail to operate. This is because the feeder circuits are the only ones that will see the short

circuit currents from all sources. This will be the situation in the majority of applications.

The following diagram illustrates the effect of a current limiting device installed in the bus coupler

between two transformers (scenario 1) on the total current flowing in a faulted feeder.


It should be noted that with arrangement 3, when there is a fault in the distribution network, the

current flowing through the current limiting device will only be the contribution of the local generator.

Given the generator sizes typical for the range of applications considered in this study (relatively small

embedded generators), such contributions may only be detected via relatively sensitive settings in the

current limiting device, with a resulting danger of spurious tripping. It is possible to achieve a

directional discrimination between faults on the network and faults on the generator side, including

generator internal faults, by installing three CTs in the generator neutral connections in addition to

those installed on the current limiting device. This will also prevent tripping when the generator is

disconnected.

2.2.4 Fault types

The fault limiting device will be subject to fault current during fault conditions affecting the power

system.

The significant fault types to be considered are the three-phase fault, the phase-phase fault and the

phase to earth fault. It should be noted, however, that the fault location under examination is just

downstream of a feeder breaker, while the current limiting device will be located on the busbars, on a

transformer secondary circuit or on a generator connection. The device will however see the same

fault type as the feeder, although of reduced magnitude.

A three-phase current limiting device comprises three elements, one on each phase. This provides a

certain degree of redundancy in the amount of devices installed when used on impedance earthed

systems.

The earth fault level in impedance earthed distribution systems is typically of significantly lower

magnitude than the three-phase fault level, owing to the use of earthing resistors located at


transformer neutral points. For a single phase to earth fault, the system should be designed so that

the current limiting device does not trip. For a phase-phase fault, two limiting devices will respond to

fault current, and even with a failure of one unit to operate, the healthy unit should still trip and clear

the fault. Similarly, for a three phase fault, fault current will flow in all three devices and failure of one

unit to operate will still leave the other two units available to clear the fault.

In solidly earthed systems, the earth fault level is typically of a very similar magnitude to the three-

phase fault level. Moreover, the earth fault level on the secondary side of delta-star primary

transformers may exceed marginally the three-phase fault level, due to the transformer zero sequence

impedance being smaller than the positive sequence and due to the delta winding stopping the

primary network zero sequence impedance from having any effect on the earth fault level. This type

of system should be designed to provide tripping of the current limiting device for an earth fault. The

device located in the faulted phase does not have any back-up from the other two phases if it fails to

operate. However, this is unlikely to be an issue in the UK where solid earthing is normally only used

on the 132kV system, as current limiting devices are not yet available for 132kV systems.

Independently of the neutral earthing, a phase-phase fault yields a lower fault level than a three-phase

fault (87 %), and this needs to be taken into account when setting the device.

2.3 Hazard Identification

2.3.1 Introduction

The identification of hazards is the first stage of the risk management process.

In order to carry out the risk assessment of the triggered current limiting device a functional

representation has been developed showing the key functions of the device.

Although the two manufacturers have a number of differences in the way the device operates the

main functions are essentially similar. A HAZOP study was carried out on the functional

representation of a typical current limiting device as illustrated in Figure 2.3.1. Also the results of a

Failure Mode, Effects, and Criticality Analysis (FMECA) of the G&W CLiP fault current limiter device

are presented.


Power Supply

Triggered Current LimiterCurrent Sensor

Figure 2.3.1 - Functional representation of the Triggered Current Limiting Device

2.3.2 Failure Modes, Effects and Criticality Analysis

As part of the development of the G&W CLIP fault current limiter device a Failure Mode, Effects, and

Criticality Analysis (FMECA) was conducted to identify critical components and improve the device

based on Mil-Std 1629A “Procedures for Performing a Failure Mode, Effects and Criticality Analysis”.

The FMECA included:

• a systematic identification, analysis, and evaluation of the components;

• item and interface failure modes;

• evaluation of failures in terms of the severity of the consequence; and

• appropriate corrective action.

The G&W FMECA is presented in Table 2.3.2. The FMECA also estimated the potential failure rate of

each failure mode. However, the project did not have established failure data therefore the failure rate

was derived from engineering judgement based on Mil-Std 1629A. The effects of each failure are

classified as:

Category I Catastrophic: a failure that may cause death (or the G&W assessment includes the

destruction of equipment)


Category II Critical: a failure that may cause severe injury, major property damage, or system

damage, and which would result in mission loss.

Category III Marginal: a failure that may cause minor injury, property damage, or system damage, and

which would result in delay, or loss of availability, or in mission degradation.

Category IV Minor: a failure that is not serious enough to cause injury, property damage, or system

damage, but would result in unscheduled maintenance or repair.

The FMECA of the G&W device seems to only consider the failure modes that lead to the failure of

the device to operate on demand. There is no assessment of the potential for spurious trips. The

assessment is limited to the functional effects of the device and has not considered the device

application and the potential impact on the wider electrical network. The failure probability

assessment does not provide adequate information on the device reliability for any future risk

assessment, as it is based on engineering judgement rather than failure rate data. The FMECA was

carried out on a developmental prototype fault current limiter device but the basic functionality is

applicable to the current G&W device.


PB Power Final Report

Table 2.3.2 FMECA of a developmental prototype Current Limiting Protector

Item Function Failure mode and cause

Failure effects Failuredetection

SeverityClass

Failureprobability

CommentLocal Effect Next Higher

LevelEnd Effect

Power Supply Provide power to the CLP system

Loss of power Sensing and firing circuit inoperative

CLPinoperative

No currentlimitingprotection

Propose an alarm or indication

II 0.05

Inverter Convert dc toac

Loss of output 11Boperational

None None Alarm IV 0.015

Inverter Convert dc toac

Loss of output 11Aoperational


Battery Supply dc Loss of dc supply

Loss of power to inverter

Loss of power to sensing and firing circuit


Low voltage alarm

II 0.05 Unlikely to happen

Battery Charger Maintain charge on battery

Loss of output 13Boperational


Battery Charger Maintain charge on battery

Loss of output 13Aoperational


Power supply to battery chargers

Maintain power to battery charger

Loss of supply power (14A)

Alternative (14B) power supply available


Power supply to battery chargers

Maintain power to battery charger

Loss of supply power (14B)

Alternative (14A) power supply available


Sensing andLogic

Provide current sensing and signal to firing circuit

Failure of: cts,diodes,resistors,capacitors,comparator

Loss of signal to firing circuit

CLPinoperative


Supervisory and alarm

II 0.01 Represent loss of A, B and C sensing and logic

Sensing andLogic

Provide current sensing and signal to firing circuit

Failure of components, one phase

Alternative Sensing and Logicoperational

None None Supervisory and alarm

IV 0.033 Failure of one phase is assumed



Item Function Failure mode and cause

Failure effects Failuredetection

SeverityClass

Failureprobability

CommentLocal Effect Next Higher

LevelEnd Effect

Firing circuit Initiate CLP Failure of: trigger, charging circuit,capacitor, hot wire

Loss of firing pulse to CLP

CLPinoperative


Supervisory and alarm

II 0.01 Represent loss of A, B and C firing circuit

Firing circuit Provide firing pulse to CLP

Failure of components, one phase

Alternative firing circuit operational

None None Supervisory and alarm


Current limiting protectors

Limit and interrupt fault current

Loss of current limitation

No effect None No currentlimitingprotection

Inspection on assembly

I 0.01 Represent loss of A, B and C CLP

Primary andsecondarycharges

Initiate chemical charge and cut mainconductor

Failure to cut mainconductor

Mainconductor not cut

Current not commutated to fuse




Main currentcarryingconductor

Carry primary current. Form gaps & commutates current to fuse

Inaccurate machining, failure to form gaps

None Current not commutated to fuse




Fuse Limit and interrupt fault current

Incorrecttermination,mechanicaldamages,insufficientfilling

None Current not commutated to fuse




Support and enclosure

Support and enclose CLP components

Improper manufacture and assembly

Discharge of gas on operation

None None Inspection on assembly

IV 0.003 Minordischarge of gas is of no consequence



2.3.3 HAZOP

A Hazard and Operability Study (HAZOP) was conducted on a functional representation of a typical

current limiting device, as illustrated in Figure 2.3.1, to assess the possible failures that may occur

and their effect on the safety and operability of the system. In order to ensure that a representative

study of the device was carried out, the HAZOP included representatives from a manufacturer, user

and a network operator.

The HAZOP was carried out at the user's plant on 13th October 2003. During the meeting a visit was

made to the switchroom to view the installed current limiting devices in situ. The minutes from the

HAZOP are presented in Table 2.3.3.

In order to ensure the HAZOP was representative of the devices from both manufacturers, a meeting was held with G&W on 15th October 2003, at which point a number of the issues raised at the HAZOP

were discussed further.

The HAZOP confirmed that the main hazard related to the device is the failure to operate upon

demand. Any hazards associated with the installation of the device and the pyrotechnic charge were

considered to be small.

2.3.4 Findings of Hazard Identification

The pyrotechnic charge used within the current limiting device is very small, less than 2g for the ABB

device and 3-16g for the G&W device, and is contained, therefore the operation of the pyrotechnic

does not present a hazard to people.

A significant proportion of the faults would be detected by the supervisory system, and this would

raise an alarm to the user. Failure of the current sensor, logic, power supply and firing units is likely to

be detected by the supervisory unit. . This is supported by the G&W FMECA as presented in Table

2.3.2. This would reduce the unrevealed failure rate of the device. The ABB reliability assessment as

presented in Section 2.5 indicates that about 50% of the faults relating to failure to operate would be

detected by the supervisory unit.

The triggering of the current limiting device cannot normally be tested and can only be functionally

tested by activating the pyrotechnic charge.

The majority of the applications of the device are in three phase systems, for example 80% of the

2500 ABB current limiting devices are installed in all three phases. This provides redundancy in the

event of failure of a device for two or three phase faults.



The other key mode of failure is a spurious trip, i.e. operation when there is no fault current. This in

itself is not a safety concern but would result in a loss of supply, and this may have safety implications

for the users who have lost supply.

In conclusion the main hazard associated with the device is failure to operate on demand.



Table 2.3.3 HAZOP Study

Project: Current Limiting Device HAZOP StudyItem Attribute/

FunctionGuideword Cause Consequence Mitigation Notes

Currenttransformer

Senses current Fails to operate on demand

Damaged component, or aging

Failure to break current

The majority of the applications are in three phase systems. This arrangement provides redundancy in the event of a 2 or 3 phase fault, but not for single phase fault in solidly earthed system .

There is significant experience with current limiting devices, ABB andG&W devices have been in use for over45 and 20 years respectively.

Causes a spurious trip

Equipment failure or incorrect design

Unintended Loss of electrical supply

ABB indicate that they have no information on spurious trips due to hardware failure. 5 possible spurious trips were found to be due to redesign of the users system, they had worked as expected. G&W indicate that there have been around a dozen spurious trips.





Power supply To provide power to the limiter

Power supply fails Loss of power to device, could fail to detect fault current

There are two independent power supplies to the device, one being a UPS.There is a capacitor in the system to ensure continuity of power during switchover

The ABB device requires an AC power supply, although it can convert a DC source if required. G&W recommend the use of DC supply.Alternatively an ACUPS system may be applied.

Logic To monitor the current and initiate the trip on demand

Fails to operate on demand

Damaged or aged component. Component set out of range

Fails to detect fault current

System is designed such that a failure will cause the device to trip (i.e. failsafe)

Both the ABB andG&W devices consist of analogue circuits and do not contain any programmable electronics

It is recommended that the Is limiter is tested every 1 -2 years

ABB track the test results to identify any faulty components or degradation due to aging





Explosive To break the current path

Fails to operate as required

Failure of trigger circuit

Fails to break the circuit at fault current

The current path of the explosive charge is tested in the factory.

If required ABB can supply a test equipment specifically for testing the current path through the explosive, although it is not recommended practice. G&W indicate that continuity of the detonator can be checked. However the functional test could not be performed on the interrupter as it is a “one shot” device.

Explosive hazard to staff and equipment

Shrapnel from the explosion

Potential harm to staff in the area or damage to equipment

The housing is designed to safely contain the explosive.

Experience shows that some smoke and a small amount of dust may be released

Housing To contain the current path and explosive

Contamination into the housing

Humidity Possible corrosion of the conductive path

Humidity is not a major concern. Will also be enclosed in a cabinet.

It is also possible to have heating or cooling in the cabinets depending on the particular climate

Testing The complete system (except the triggering of the current limiter and the pyrotechnic charge) is fully testable and is carried out by the users using a testing device. The device is connected to a series of points on the circuit by which all the components can be tested. The results are returned to ABB for review. Richard Kasher (the user) stated that testing takes less than 1 hour, per year. The overall function of the G&W device triggering circuit can be tested with a field test unit. These checks can be performed by the client staff and the test takes approximately 5 minutes. G&W do not usually ask for records of these tests.



2.4 Operational Experience

There is considerable operational experience in the use of current limiting devices device world wide.

ABB indicated that their Is-limiter was first installed in 1961 and that currently there are approximately

2500 ABB Is-limiters in operational use.

This breaks down as follows:

• 1330 x 3 phase - Installed after 1980 (i.e. between 1980 and 2003)

• 670 x 3 phase - Installed before 1980 (i.e. between 1961 and 1979)

• 500 x single phase - Installed between 1961 and 2003

The total Is-limiter device operational experience.

500 x 1 phase x 21 years = 10,500 device years

670 x 3 phase x 33 years = 66,300 device years

1330 x 3 phase x 11 years = 43, 890 device years

Therefore ABB have a total of 121,720 device years of operational experience. After activation, the

tripped current limiter insert is returned to ABB for refurbishment. Comparing the number of tripped

unit against the operational units ABB assessed that on average each current -limiting device has

tripped once every 4 years.

G&W units were developed in the late 1970's and were first used in 1980. Substantial development

was undertaken in the early 1980's and the present PAF unit was first used in 1985. G&W has sold

205 sets or 615 single phase CLiP units and 102 sets or 306 single phase PAF units worldwide.

G&W do not keep a precise record of units in operation. They estimate that there are currently 570

CLiP units and 300 PAF units in operation.

2.4.1 Mal-Operations

ABB have no record of their Is-limiter device failing to operate on demand. However there have been

five cases of spurious trips. Investigation showed that all five cases were related to a change in the

network by the operators, who had installed capacitor banks without checking the settings of the

existing Is-limiters. The charging and discharging of these capacitor banks, and the resulting high

rate of rise, high peak currents had caused the Is-limiter to trip. ABB have no record of injury to

people arising from hazardous incidents associated with the transport, storage, operation,

maintenance and disposal of the Is-limiter units.



G&W have no comprehensive system to record failures of their devices. However, they estimated

that about 20 items have been returned due to failure. There have been less than 10 returned logic

units. Such units tends to be a result of false triggering rather than a failure to operate. Also there

have been less than 10 returned isolation transformers.

G&W estimate that there have been about a dozen spurious trips, however the exact number is not

known. There has been one failure to operate on demand, this was caused by a deficiency in the

quality checking of the location of the pyrotechnic cord. The quality process has been improved and

the problem has not occurred on devices manufactured since. G&W also advise that there has been

no incident of injury to people associated with their device.



2.5 Reliability assessment

The reliability of the Is-limiter device has been assessed using two approaches, the first by reviewing

predictive reliability assessments, and the second by analysing the manufacturers' historical

operational data.

2.5.1 Predictive Reliability Assessment

The FMECA conducted for the prototype G&W device estimated the potential failure rate for each

failure mode. The project did not have established failure data therefore the failure rate was derived

from engineering judgement based on Mil-Std 1629A. The failure data seems to been used to

compare the relatively reliability of individual components of the system to improve the system design.

However, the FMECA data does not provide a clear value of the overall system reliability.

The failure rates for the different failure conditions of the ABB Is limiter device was assessed by

Brown Boveri (BBC) in 1980 using failure data from their failure-rate catalogue. The results are

presented in the Table below.

Failure condition Failure rate (10-3 per year)

Ground Benign Ground fixed

Tripping of the Is Limiter insert without

demand

1.75 7.01

Indication of a disturbance 2.63 10.5

No indication and no triggering 3.50 9.64

Total 7.01 27.2

‘Ground Benign' is defined by ABB as ‘nearly zero environmental stress with optimum engineering

operation and maintenance'.‘Ground Fixed' is defined by ABB as ‘conditions less than ideal, to include

installation in permanent racks with adequate cooling air, maintenance by military personnel and

possible installation in unheated buildings'.

Under less than ideal conditions (Ground fixed case) the assessment estimated that the unrevealed failure rate for the device failing, without indication of a failure, is 9.64x10-3 per year. Assuming a

proof test interval of once per year the probability of failure to operate on demand is estimated as 4.82 x10-3. The failure mode of “indication of a disturbance” has been excluded from the above unrevealed



failure mode. It is considered that a revealed failure as indicated by the supervisory unit will be repaired quickly. The frequency of spurious trip is estimated as 7.0x10-3 per year.

Under ideal conditions (Ground Benign case) the unrevealed failure rate is estimated as 3.5x10-3 per

year and the frequency of spurious trip is estimated as 1.75x10-3 per year. Assuming a proof test

interval of once per year the probability of failure to operate on demand is estimated as 1.75x10-3.

2.5.2 Reliability Assessment Based on Operational Data

ABB indicated that they have there are approximately 2500 ABB Is limiters applications currently in

operational use. Section 2.4 shows that most of the Is-limiters are in three phase systems and it is

probable that a fault will involve two of the phases. Therefore only one of the Is-limiters is required to

operate in order to break the current. However, it may be optimistic to assume in all cases that all the

devices are in an operational state, for example a device could have failed in an unrevealed state, but

the system is only protected by the other healthy device. Therefore the estimation of failure to

operate on demand will be based on the application population data rather than the total device

operational experience. Based on the information in Section 2.4 the total application experience is

estimated as 48,240 application years. ABB experience indicates that on average each Is-limiter has

tripped once every 4 years. Assuming that this is the average demand on the Is limiters, the total

number of demands to operate experienced by the whole population of Is Limiters is estimated as

12,060.

ABB indicated that they have no record of the device failing to operate on demand. This does not

necessarily mean that there has never been a failure to operate during the last 43 years, but this is

difficult to check. For the assessment it is assumed that there has been a single failure some time

during the whole of the operational experience. The probability of failure to operate on demand is therefore estimated as 8.3x10-5 based on the operational data. This should be considered as an

approximate estimate as it is based on a number of assumptions and there is uncertainty as to the

completeness of the data, given the 43 year operational history and the reliance on users to report

back to ABB any failures to operate.

ABB have five known cases of spurious trips. Spurious activation of any one Is limiter in a set would

lead to a spurious trip. The total device experience is estimated as 121,720 device years. Therefore

the failure rate of spurious trip is estimated as 4.1x10-5 per unit year. ABB's investigation revealed

that the all five spurious trips were due to application error, where the operator had changed the

system by adding capacitor banks, without consulting ABB over any revisions necessary to the

settings. The charging and discharging of the current of the capacitor banks caused the Is-limiter to

operate. ABB has no record of hardware failure leading to spurious trip.



2.5.3 Discussion

We have tried to obtain reliability data on the current limiting device by collecting information using

two routes; predictive assessment and historical data based on operational experience.

We have focused our attention on historical data as predictive assessment tends to use equipment

failure data from generic sources and may not represent accurately the components used for the

current limiting device and operational conditions.

The G&W FMECA failure probability assessment was based on engineering judgement rather than

failure rate data, therefore it does not provide adequate information on the device reliability, for any

future risk assessment. Our study found that G&W do not have the comprehensive information on the

failure data and device population required to estimate the reliability of their device.

ABB have conducted a Failure Mode and Effect Analysis (FMEA) to estimate the reliability of their

current limiting device. Under ideal conditions, assuming a proof test interval of once per year, the

FMEA predicted the probability of failure to operate on demand as 1.75x10-3.

ABB collect some information on the failure data and device operation. This information has been

used to provide an approximate estimate of the current limiting device reliability. The probability of failure to operate on demand, based on this operational data, is estimated as 8.3x10-5. However this

estimate is based on a number of assumptions.

There is significant uncertainty as to the completeness of the data for reliability assessment. There is

a significant difference between the reliability estimated from the predictive assessment and that

estimated from operational data. For example, for the probability of failure to operate on demand,

there is a factor of 20 difference between the predictive assessment and the estimation based on

operational data.

2.5.4 Conclusion

Currently the only reasonable information on the current limiting device reliability is for the ABB device

based on a predictive assessment. This gives a probability of failure to operate on demand of 1.75 x

10-3, based on a proof test interval of once per year. The operational information provided by the

manufacturers is not sufficient to carry out a suitable reliability assessment. The information on the

reliability of the current limiting device is critical for any future safety assessment. Ideally this should

be based on historical data, and it is recommended that the manufacturers should critically review

their operational data and consider the collection of additional data to support any future safety

assessment.



3 SAFETY LEGISLATION REVIEW, INTERPRETATION AND COMPLIANCE

3.1 Introduction

The relevant UK safety legislation and its interpretation formed a key part of the work. There has been

a review of the relevance of this legislation to current limiting devices and of whether or not

compliance is possible when current limiting devices are used to avoid plant being operated beyond

its rating.

Specific regulations relevant to the use of current limiting devices, in particular those against which

their use will be tested for compliance, were reviewed to identify the specific obligations imposed by

these regulations. The following standards and regulations were reviewed as being those with

greatest relevance:

□ The Health & Safety at Work Act 1974

□ The Management of Health and Safety at Work Regulations 1999

□ The Electricity at Work Regulations 1989

□ Memorandum of guidance on the Electricity at Work Regulations 1989

□ The Electricity Safety, Quality and Continuity Regulations 2002

□ IEC 61508 - Functional safety of electrical/electronic/programmable electronic safety-

related systems.

□ Explosive Regulations

The HSE and DTI provided guidance on particular regulations to be considered, on their interpretation

and whether or not compliance is possible when current limiting devices are used to avoid plant being

operated beyond its rating. This required extensive discussions within the DTI and the HSE, and has

triggered a far-reaching debate about the current legislation and the need to review and update parts

of it to improve clarity.

The HSE, the DTI and Ofgem were able to provide written statements on their positions, and these

have been included in Appendix D. The HSE and DTI statements have also been included, in bold

italic text, in the sections below. All other comments are Parsons Brinckerhoff's interpretation of the

legislation and the HSE and DTI statements. Ofgem's key concern is to demonstrate that the

connection is cost effective and this is discussed further in section 4.5 of this report.



3.2 Review of general safety legislation

3.2.1 The Health and Safety at Work Act 1974

The Health and Safety at Work Act (HASWA) is essentially an enabling act, which paves the way for

other, more specific pieces of legislation to be introduced (some of which are reviewed below). It

does however contain a number of general duties that an employer must adhere to. The following

section summarises those duties that are applicable to this study.

Duties to those in your employ

Section 2 (1) - There is a general duty on all employers to ensure, so far as is reasonably practicable,

the health, safety and welfare at work.

Section 2 (2)a - So far as is reasonably practicable, employers must provide machinery, equipment

and other plant that is safe and without risk to health and must maintain them in that condition. Safe

systems of work should be used.

Section 2 (2)b - Manufacturers should ensure, so far as is reasonably practicable, that materials

supplied for use at work are safe and without risk to health, and they should supply users with

information about its use and any associated hazards.

Section 2 (2) - Employers must provide employees with suitable instruction, training and supervision.

Duties to those not in your employ

Sections 3 (1) & 3 (2) - Employers should ensure, so far as reasonably practicable, that they do not

expose people who are not in their employ to risks to their health and safety. This duty applies to

people who may be inside the workplace such as visitors, contractors and another employer's workers

visiting their premises.

There is also a duty to ensure the safety and health of those people who have accessed the premises

without authorisation.

summary

This is general health and safety legislation and the minimum requirement that all employers should

adhere to. There is nothing in the legislation that applies specifically to the use of current limiting

devices.

The one point that does deserve additional attention is the requirement to protect those not in your

employ. This has implications in that the duty extends out of the workplace to the wider environment

and could be interpreted as meaning that the installation of a current limiting device should not, so far



as is reasonably practicable, have a health and safety impact on the wider network and other parties

connected to the network, or on people or the public. This is a key point, since the interconnectivity of

electrical systems means that changes on a private network can impact on the wider network and vice

versa. The implications for the duty holders are covered by the Management of Health and Safety at

Work Regulations.

HSE View

The HSE have stated that:-

The HSWAct 1974 is relevant and would not, in principle, prevent the use of ls Limiters.

3.2.2 Management of Health and Safety at Work Regulations 1999

Regulation 3 of the ‘Management' Regulations states that:

(1) Every employer shall make a suitable and sufficient assessment of-

(a) the risks to health and safety of his employees to which they are exposed whilst they

are at work; and

(b) the risks to the health and safety of persons not in his employment arising out of or in connection with the conduct by him of his undertaking

The contents of this report will provide material for the risk assessment, however each user will be

required to undertake an application specific risk assessment of the current limiting devices as

installed. Equally, any other employers whose network is affected by the installation of the current

limiting devices will need to carry out a risk assessment, or revise their existing risk assessment. The

complexity of the interaction required should not be under-estimated.

HSE View


The Management of Health and Safety at Work Regulations 1992 are relevant. Regulation 3 (1.b) is particularly relevant and would have important implications for duty

holders involved in electrical generation and distribution network operations together with users of electricity. Particularly relevant is the information, and the confidence of the information, that will need to be made available to allow duty holders, downstream of the ls Limiters, to fulfil their legal duties. In the context of the possible introduction of the application of ls Limiters, the complexity of the necessary information is likely to be

greater than is currently the case. With the many interfaces (embedded generator provider, DNO and multiple end users) there is the potential for getting things wrong.



Implications

The party who installs a fault current limiting device will need to look beyond their own network when

examining the effect that the device could have, including the consequences of the device failing to

operate when required. Where the DNO installs the device, they will have an obligation to provide all

necessary information to other duty holders who are affected, so that those duty holders can assess

the effect on their networks and the risks resulting. For example their switchgear could also be

overstressed, should the current limiting device fail to operate when required.

When a private network owner or generator developer installs the device, they will have an obligation

to inform the DNO and to provide the information needed by the other duty holders affected. It is

believed that the DNO will then have a responsibility to inform other customers who could be affected.

The DNO will have a duty of care to ensure that their customers understand the issues and have

taken all of the measures that the DNO would have taken in their position. These measures should

include an adequate risk assessment.

The HSE have highlighted that this is likely to require the exchange of more complex and detailed

information than is the case currently. This would need building into current practices, for example

through the modification of the information required as part of the generation connection application

process.

3.2.3 Review of The Electricity at Work Regulations 1989

There are a number of regulations within The Electricity at Work Regulations 1989 which are

particularly relevant to the use and application of current limiting devices. In all of these, an

understanding of what is meant by ‘danger' is essential. Danger is defined within the Regulations as

‘risk of injury’. The notes within the ‘Memorandum of guidance on the Electricity at Work Regulations

1989' explain that the ability of circuit breakers and fuses to operate successfully and without

dangerous effects, serious arcing or the liberation of oil is implicit in the requirements to prevent

danger.

The relevant regulations include 4(1) which requires that ‘All systems shall at all times be of such

construction as to prevent, so far as is reasonably practicable, danger. ’

The commentary within the ‘Memorandum of guidance on the Electricity at Work Regulations 1989'

makes it clear that ‘construction' includes the design of the system and the equipment within it, and

that all likely or reasonably foreseeable conditions of application of the electrical equipment should be

considered. The guidance highlights the factors to be considered, those that are particularly relevant

to the application of current limiting devices include the manufacturer's assigned or other certified

rating of the equipment, the likely load and fault conditions, the fault level at the point of supply, the



ability of the equipment and the protective devices to handle likely fault conditions, and the manner in

which commissioning, testing and subsequent maintenance or other work may need to be carried out.

Regulation 5 is also very relevant to the use and application of current limiting devices. It states that

‘No electrical equipment shall be put into use where its strength and capability may be exceeded in

such a way as may give rise to danger.'

This is an absolute requirement, as opposed to being qualified by a ‘reasonably practicable'

statement. The guidance recommends that electrical equipment should be used within the

manufacturer's rating and in accordance with any instructions supplied with the equipment. It is also

stated that the selection of equipment should take into account the fault levels and characteristics of

the electrical protection provided to interrupt or reduce fault current.

Regulation 11 states that ‘Efficient means, suitably located, shall be provided for protecting from

excess of current every part of a system as may be necessary to prevent danger.'

The guidance indicates that the means of protection could be in the form of fuses, circuit breakers

controlled by relays, or ‘by some other means capable of interrupting the current or reducing it to a

safe value. ’

Regulation 29 provides a defence clause in any proceedings for an offence consisting of a breach of a

number of the regulations, including regulations 5 and 11. It states that ‘it shall be a defence for any

person to prove that he took all reasonable steps and exercised all due diligence to avoid the

commission of that defence’.

Regulation 30 gives the HSE the power to issue general or special exemptions to the regulations,

these are only granted if ‘it is satisfied that the health and safety of persons who are likely to be

affected by the exemption will not be prejudiced in consequence of it. ’

In summary, there is no part of The Electricity at Work Regulations 1989 which would prevent the use

of current limiting devices, provided that:-

• they operate successfully on demand without dangerous effects, and

• they are used and applied correctly within a network such that they meet regulations 4, 5 and 11

The assessment of the current limiting devices has shown that the device itself has no dangerous

effects, and that the available data currently shows a very high level of reliability. However, this does

not guarantee that every device installed now and in the future will operate every time on demand.

The most likely need for the current limiting devices will be when the fault ratings of existing

distribution system switchgear are close to being exceeded, and current limiting devices are being

considered, for example, as an alternative to replacing transformers or switchgear. This will be the



most demanding situation in terms of meeting The Electricity at Work Regulations 1989, and is the

situation which this project has focused on. In this type of application, if the device fails to operate on

demand then switchgear is likely be overstressed, depending upon the type and location of the fault.

The particular circuit breakers which are overstressed, their ownership, and the degree of

overstressing will also depend on the particular application.

It could be argued that clause 5 has been breached if the current limiting device fails to operate and

switchgear is then overstressed, and this point comes out in the HSE statement.

HSE View


Regulation 5 of The Electricity at Work Regulations 1989 is particularly relevant since it places an absolute requirement on duty holders. For example, Regulation 5 would apply

to a duty holder, downstream of the ls Limiter, who has under his control a circuit break

being ‘protected’ by the ls Limiter. In the event of a fault, (e.g. a cable fault) arising

downstream of the circuit breaker and subsequent failure of the ls Limiter causing the

circuit breaker to become over-stressed and fail catastrophically, it could be argued

there was a breach of Regulation 5.

To cater for the situation outlined ... above, it was envisaged that Regulation 29 could

provide a basis of a defence for the relevant duty holder providing the duty holder was

able to demonstrate he had taken “ all reasonable steps and exercised all due

diligence“. However, having reviewed Regulation 29 we have concerns about what these words actually mean in law in the context of all the issues arising in the

application of an ls Limiter, and in the end, this could become a matter for the courts to

decide.

In principal there is nothing in the EAWRegulations 1989 to prevent the use of ls Limiters but we have highlighted the uncertainty of the application of Regulation 29. There are two options that we are currently assessing which will include discussion

with relevant parties:

a) Short term: We could explore the provision of an exemption(s), under Regulation 30 of the EAW Regulations1989, relating to the application of Regulation 5. We would see the use of an exemption(s), if and where permitted, as a stop-gap measure but the problems of such an approach may make it impractical.

b) Mid - Longer term: The EAW Regulations 1989 are under review and we could take advantage of the revision process to assess what changes could be made to deal effectively and safely with future technical developments such as embedded generation and the application of ls Limiters in particular. However, the degree of



change will be constrained by the HSW Act 1974 Section 1(2) which prevents the dilution of the levels of safety already established in existing Regulations.

Implications

A user installing a current limiting device, and other duty holders affected by the installation, could

potentially be in breach of the absolute requirements of Regulations 5 and 11 of the Electricity at Work

Regulations, if there was a failure of the current limiting device, leading to overstressing of other

equipment and danger.

The discussions within HSE have established that the meaning of clause 29 is not clear, and there is

insufficient case law for it to be legally defined. There would therefore be considerable uncertainty in

relying on this as a defence clause to cover a breach of clause 5. In the longer term the HSE want to

improve the clarity of clause 29 through changes in the regulations, however this is likely to be a

protracted process.

For the interim, the HSE are willing to explore the possibility of using an exemption process under

Regulation 30. This would need further discussion within the HSE and with the stakeholders. These

discussions would need to identify the extent of any exemption, the criteria which would need to be

met for an exemption to be granted (for example ALARP) and the process for granting an exemption.

All of the dutyholders affected by the installation of the device would need an exemption if the

exemption route proved to be feasible.

3.2.4 Review of The Electricity Safety, Quality and Continuity Regulations 2002 (ESQCR)

There are a number of regulations within The Electricity Safety, Quality and Continuity Regulations

2002 which are particularly relevant to the use and application of current limiting devices.

3.2.4.1 Regulation 3.1

These include regulation 3.1'General adequacy of electrical equipment' which states that:-

Generators, distributors and meter operators shall ensure that their equipment is -

(a) sufficient for the purposes for and the circumstances in which it is used; and

(b) so constructed, installed, protected (both electrically and mechanically), used and maintained

as to prevent danger, interference with or interruption of supply, so far as is reasonably

practicable.

This mirrors the requirements within The Electricity at Work Regulations 1989.



DTI View

This (3.1a) is an absolute requirement, which would not be covered by the “as far as

reasonably practicable” qualification in regulation 3(1)(b). It does not preclude the use of a Is

limiter, because if designed and specified properly, it should be “sufficient for purpose”.

The Is limiter will prevent existing switchgear seeing fault levels above duty. The premise here

is that the Is limiter will work in all circumstances.

If the Is device fails, it is clear that any circuit breaker unit that fails subsequently to clear (due

to inadequate duty) would not be "sufficient for purpose". In this circumstance, the duty

holder would have to demonstrate that he/she had anticipated the consequences of a possible

failure of the Is device and any mitigation measures required to keep within a tolerable risk

level the duty holder would need to justify.

Regulation 3.1(b) - Any responsible duty holder should go through a thorough design

installation and commissioning process if these devices were to be used. As discussed, due

to the nature of the devices there will be requirements for the correct system analysis tools

and considerations of alternatives to identify tolerable risk levels that the duty holder would

need to justify. The “as far as is reasonably practicable” qualification applies to this limb of regulation 3 and allows scope for guidelines and code of practice introduction assuming that the device complies with regulation 3.1(a).

Implications

Clarification was sought from the DTI on the above statement. The DTI view is that the dutyholder

would be in breach of Regulation 3.1a) if the current limiting device fails to operate. However in this

event, if the DTI decided to investigate and/or prosecute, then the key issues would be the

consequences of the failure of the current limiting device and the mitigating measures taken by the

dutyholder. The decision as to whether there should be an investigation will also depend upon the

consequences.

It should be noted that this would not be an issue if the current limiting device was being used with

equipment that would still be operating within its rating without the device. This would be the case

where current limiting devices were being used to reduce the thermal impact of faults.



3.2.4.2 Regulation 4

Regulation 4 ‘Duty of co-operation', requires that generators, distributors, suppliers and meter

operators should disclose such information to each other as might reasonably be required and

otherwise co-operate amongst themselves so far as is necessary in order to ensure compliance with

the ESQCR. In addition, regulation 28 details the information to be provided on request by a

distributor. This includes, for any existing or proposed consumer's installation which is connected or is

to be connected to his network, a written statement of the maximum prospective short circuit current

at the supply terminals and the type and rating of the distributor's protective device or devices nearest

to the supply terminals.

The relevance to current limiting devices will be that the distributors will need to maintain information

on any current limiting devices that they install, and ensure that other parties know and understand

any effects that they will have on their own networks.

DTI View

The main issues here are as to which fault levels will be assumed between networks and as to

what would be communicated between duty holders. It suggests from the consideration of adequacy above, that the device cannot be tested properly until a fault occurs. If therefore

there is a chance of adjacent networks becoming overstressed this should be communicated. The duty holders concerned can then decide how they wish to comply with the relevant regulations and the level of risk they take for insurance/safety of employees/public. The

important thing is that the possibility of risk is communicated clearly and the consequences

are spelt out between parties. This illustrates that a set of common guidelines between the

companies is highly desirable otherwise there will be unnecessary disputes over approach

between duty holders, possibly involving enforcement bodies.

There is no obligation under regulation 4 on duty holders to disclose information to

consumers. However, we would expect consumers to be informed of the effect on his/her network due to the adoption of Is limiters on the duty holder’s network. This would allow the

consumer to decide what level of risk he/she wishes to take at his premises.

In addition, this discussion between the duty holder(s) and consumers would need to be

undertaken in a timely manner so it did not become a “fait accompli” for the consumer or duty

holder, otherwise it could lead to unnecessary disputes.

Implications

Although there is no obligation under the ESQCR for the duty holders to disclose information to

consumers without being asked, there is an obligation under the Management of Health & Safety at

Work Regulations. It will be essential for the industry to have a common approach and a common set



of guidelines for the installation of current limiting devices and the exchange of information. As a first

step in developing the process and guidelines the legal, commercial and safety duties of all parties will

need to be clarified and set out. This will require all parties to take legal advice.


Regulation 6 ‘Electrical protection', states that:-

A generator or distributor shall be responsible for the application of such protective devices to his

network as will, so far as is reasonably practicable, prevent any current, including any leakage to

earth, from flowing in any part of his network for such a period that that part of his network can no

longer carry that current without danger.

Again, this mirrors the requirements within The Electricity at Work Regulations 1989.

DTI View

If the device is considered as an "intelligent fuse" and therefore an electrical protection

device, and it operates correctly, then there would be no breach of this regulation.

If it fails to operate there is no other protection that will clear the fault, no grading being

possible because the disconnection devices (i.e. circuit breakers) remaining will be

inadequate.

Bearing this in mind, it would be difficult to demonstrate compliance with Regulation 6 if the

device failed. This would also be the case for conventional relays where it was set incorrectly

or failed to operate. However, the consequences of failure could be more serious for a Is

limiter and again this would need to be assessed at the design stage and a risk mitigation

approach considered.

Implications

Again, there will be an issue if the current limiting device ever fails to operate on demand. A risk

mitigation approach would be required to provide a defence case in the event of prosecution for

breach of regulation 6.


Regulation 23 ‘Precautions against supply failure' will affect how the current limiting devices are

applied and set in order to avoid spurious tripping. The regulation requires distributors to arrange their

networks and provide fuses or automatic switching devices, located and set, as to limit, so far as is

reasonably practicable, the number of consumers affected by any fault in his network.



DTI View

Under regulation 23 the duty holder must show that the device is set to operate at a correct level to restrict, so far as is reasonably practicable, the numbers of consumers affected by any

fault and also that all reasonably practicable steps have been taken to avoid interruptions of supply resulting from his own acts. As this cannot be demonstrated without destruction of the

device, there would be no way of practically demonstrating correct setting other than by the

demonstration of the detection circuit function (for ABB and G&W) and correct trip signal. This

is no different to the case with a conventional fuse except that a back-up arrangement (from a

larger fuse) is available with a conventionally fused circuit arrangement.

Implications

It will be essential that the current limiting devices are set correctly and tested regularly.

3.2.4.S Regulation 28

Regulation 28 lists the information which a DNO must provide to interested parties for consumer's

installations connected to his network.

DTI View

Under this regulation there is no obligation on the duty holder to provide information on the

network unless requested by the consumer connected to the network.

In line with the comments on regulation 4 above, a code of practice would need to be

developed so it was clear that under regulation 28(a) when fault level data was supplied to

connectees, fault levels were stated for correct device operation and for the situation if it failed

to operate. The connectee could then decide how much risk he/she wanted to take.

Also under regulation 28 (c) some information regards the settings/capability of equipment and limitations at the interface with the connectee would need to be explained so that any

shortfalls for a failure of the device (i.e. the two possible situations) could be highlighted.

The very nature of doing this may cause a problem on failure of a device, as any legal action

against the duty holder could demonstrate that there was a possibility of plant failure for the

loss of the Is limiter and there had been a decision not to invest to avoid danger and/or interruption to supplies. This eventuality would need to be covered via the design process and

consideration of alternatives, the duty holding company having a defensible risk assessment process.



A possible outcome is that the consumer would decide to invest in equipment below the duty

of the Is limiter. Again, the consumer would need to have a proper assessment process in

place informed from the duty holder’s own assessment of risk of failure of its Is limiter. Therefore it would be expected that the duty holder will need to provide data to the consumer to allow a full risk assessment to be undertaken by the consumer.

Implications

Clarification was sought from the DTI on this statement. The DTI's view is that the duty holder would

have to be able to demonstrate that they had looked fully at the use of the device and the alternative

options from a risk perspective, and had not justified its use purely on the basis of cost. The DTI

would expect the DNO to pro-actively offer the consumer adequate information.

3.3 Review of IEC 61508 Functional safety ofelectrical/electronic/programmable electronic safety-related systems

The IEC 61508 standard (published as BS EN 61508 by the BSI in the UK) applies to safety related

systems when one or more of such systems incorporate electrical and/or electronic and/or

programmable electronic (E/E/PE) devices. The range of E/E/PE safety related systems to which IEC

61508 applies can include electro-mechanical relays (i.e. electrical), non-programmable solid-state

electronics (i.e. electronic) and programmable electronics. It covers possible hazards caused by

failure of the safety functions to be performed by the E/E/PE safety-related systems, as distinct from

hazards arising from the E/E/PE equipment itself (for example electric shock etc). It is generically

based and applicable to all E/E/PE safety-related systems, irrespective of the application.

The standard is applicable to fault current limiting devices as their detection and logic units are

electrical and electronic devices, and failure of the safety function would give rise to a significant

increase in the risk to the safety of people. In addition, the standard covers possible hazards caused

by failure of the safety-related equipment and is therefore particularly relevant for fault current limiting

devices since their failure to operate is associated with hazardous conditions.

The evidence for this applicability is in IEC 61508-1 clause 1.2, which states that ‘..this standard

a) applies to safety-related systems when one or more of such systems incorporates

electrical/electronic/programmable electronic devices:

b) is generically-based and applicable to all E/E/PE safety-related systems irrespective of the

application;

c) covers possible hazards caused by failures of the safety functions to be performed by E/E/PE

safety related systems.... ’



IEC 61508 recognises that the consequences of failure could also have serious economic

implications, and in such cases the standard could be used to specify any E/E/PE safety-related

systems used for the protection of equipment or products. Failure of a fault current limiting device

could have significant economic impacts.

The term, ‘safety-related' is used to describe systems that are required to perform a specific function

or functions, to ensure that risks are kept at an acceptable level. Such functions are, by definition,

safety functions. Two types of requirements are necessary to achieve functional safety:

• safety function requirements (what the function does) and

• safety integrity requirements (the likelihood of a safety function being performed

satisfactorily).

The safety function requirements are derived from a hazard analysis and the safety integrity

requirements are derived from a risk assessment. Note that a safety integrity level is a property of a

safety function, rather than of a system or any part of a system. This means that the duty holder has

to determine for every application the appropriate safety functions and the corresponding Safety

Integrity Levels for that application.

IEC 61508 uses a risk based approach to determine the safety integrity requirements of E/E/PE

safety-related systems, but does not require a quantitative risk analysis to be carried out in order to

determine safety integrity levels. However, in our experience most assessments of safety integrity

levels have adopted a quantitative approach to provide sufficient confidence that the safety

requirements are met. This would require the duty holder to set the quantitative safety target

appropriate for their circumstances and this safety target will dictate the reliability that the fault current

limiting device has to achieve for that application. . Such application specific quantitative risk analysis

would be complex, as the assessment has to be appropriate for each application. However, it may be

possible to develop a risk assessment framework or good practice guidelines to simplify the

implementation of IEC 61508 for a defined range of current limiting device applications.

The hazards analysis and risk analysis undertaken as part of the IEC 61508 assessment could be

used to support Regulation 3 of the Management of Health and Safety at Work Regulations 1999.

The IEC 61508 standards allow certain system to be defined as low complexity if the failure modes of

each individual component are well defined and the behaviour of the system under fault conditions

can be completely determined. This allows certain of the requirements to be exempt, provided that

this is justified. The fault current limiting device may be classified as low complexity as it is based on

analogue technology and consists of a relatively small number of components. However, to be

classed as low complexity would require dependable field experience data, to provide the necessary

confidence that the required safety integrity can be achieved.



The ABB and G&W devices were developed prior to the introduction of the IEC 61508 standard and

therefore these devices would not have been designed against the requirements of IEC 61508.

However it may be possible to use a proven in use argument as an alternative to meeting the design

requirements for dealing with systematic failure causes in IEC 61508. A ‘proven in use' claim relies on

the availability of historical data for both random hardware and systematic failures, and on analytical

techniques and testing, if the previous conditions of use of the subsystem differ in any way from those

which will be experienced in the E/E/PE safety related systems. IEC 61508 requires that:

• the previous conditions of use of the subsystem are the same as, or sufficiently close to,

those which will be experienced in the E/E/PE safety-related system (see 7.4.7.7 of IEC

61508-2);

• if the above conditions of use differ in any way, a demonstration is necessary (using a

combination of appropriate analytical techniques and testing) that the likelihood of unrevealed

systematic faults is low enough to achieve the required safety integrity level of the safety

functions which use the subsystem (see 7.4.7.8 of IEC 61508-2);

• the claimed failure rates have sufficient statistical basis (see 7.4.7.9 of IEC 61508-2);

• failure data collection is adequate (see 7.4.7.10 of IEC 61508-2);

• evidence is assessed taking into account the complexity of the subsystem, the contribution

made by the subsystem to the risk reduction, the consequences associated with a failure of

the subsystem, and the novelty of design (see 7.4.7.11 of IEC 61508-2); and

• the application of the ‘proven in use' subsystem is restricted to those functions and interfaces

of the subsystem that meet the relevant requirements (see 7.4.7.12 of IEC 61508-2).

Therefore the availability and quality of the manufacturers' failure data will be critical to the

successful demonstration of compliance with the IEC 61508 design requirements for dealing with

systematic failure causes and for providing evidence that the devices meet the safety integrity

level requirements.

3.4 Explosive regulations

The fault current limiting devices employ an explosive charge. The type and amount of explosive

charges for the ABB and G&W devices are presented below.



ABB G&W

Mass of explosive charge

per device<2g 3-16g

UN Class 1 UN Class 1

Classification Hazard Division 1.1 B Hazard Division 1.4B

UN No 0030 UN No 0257

The manufacturers recommend that the user should store one spare set of fault current limiting device

inserts. In practice, most users would keep three spare inserts as most applications are on three

phase systems.

Explosives can normally be stored only in a place registered or licensed under the Explosives Act

1875. The exact types and quantities of explosives which may be kept, and the kind of safety

precautions required, vary according to the category of the storage place. The Act requires the

explosives to be stored in an appropriate category of storage. The amount of explosive within the

spare inserts likely to be stored by users would require the premises to be registered with the Local

Authority. The Local Authority may decide to relax some of these requirements for the users of fault

current limiting devices because of the small amount of explosive involved.

Currently there is a proposal to replace the Explosives Act 1875 with the Manufacture And Storage Of

Explosives Regulations. The intention is that the new regulations would come into force in 2004. The

new regulations retain the fundamental features of the existing framework and it is considered that the

new regulations are unlikely to affect the current duties on the users of fault current limiting devices.

The Control of Explosives Regulations 1991 (COER), enforced mainly by the police, addresses the

security of explosives. The type of explosives used in the ABB and G&W devices, as defined in the

above table, are not exempted by the COER, so the use of these devices would come under these

regulations. One of the main requirements of the COER is an Explosives Certificate, supplied by the

police.

The transport of explosive is controlled by the Carriage of Explosives by Road Regulations 1996.

Explosives must be transported in a vehicle suitable for the safety and security of the explosives being

carried. It is considered that for current limiting devices the amount of explosive will be small and most

vehicles would be suitable. However it is recommended that the driver is separated from the load.

The driver should be provided with appropriate information, instruction and training. Depending on the



type of explosive being transported the Carriage of Dangerous Goods by Road (Driver Training)

Regulations 1996 may place additional responsibilities on the employer. .

The consignor of any explosive by road needs to ensure that it is transported in the packaging in

which it was classified and labelled in accordance with Classification and Labelling of Explosives

Regulations 1983. In addition, the package is required to comply with the requirements of the

Packaging of Explosive for Carriage Regulations 1991.

3.5 Conclusions

Installing current limiting devices in order to avoid plant being operated beyond its rating will give

some difficulties in complying with UK safety legislation. It should be noted that UK safety legislation is

very different from the legislation used elsewhere in Europe. The problems highlighted by the HSE are

difficult but are possibly surmountable. The problems highlighted by the DTI with the ESQCR could

result in dutyholders being in breach of the regulations and open to prosecution.

The DTI view is that the dutyholder would be in breach of Regulation 3.1a) and Regulation 6 of the

ESQCR if the current limiting device fails to operate. However in this event, if the DTI decided to

investigate and/or prosecute, then the key issues would be the consequences of the failure of the

current limiting device and the mitigating measures taken by the dutyholder. The decision as to

whether there should be an investigation will also depend upon the consequences. The DTI's view is

that the duty holder would have to be able to demonstrate that they had looked fully at the use of the

device and the alternative options from a risk perspective, and had not justified its use purely on the

basis of cost.





The possibility of using an exemption process under Regulation 30 needs further exploration. This

would require further discussion within the HSE and with the stakeholders. These discussions would

need to identify the extent of any exemption, the criteria which would need to be met for an exemption

to be granted (for example ALARP) and the process for granting an exemption. All of the dutyholders

affected by the installation of the device would need an exemption if the exemption route proved to be

feasible.


consumers, there is an obligation under the Management of Health & Safety at Work Regulations. It

will be essential for the industry to have a common approach and a common set of guidelines for the

installation of current limiting devices and the exchange of information. As a first step in developing



the process and guidelines the legal, commercial and safety duties of all parties will need to be

clarified and set out. This will require all parties to take legal advice.

The party who installs a fault current limiting device will need to look beyond their own network when

examining the effect that the device could have, including the consequences of the device failing to

operate when required. Where the DNO installs the device, they will have an obligation to provide all

necessary information to other duty holders who are affected, so that those duty holders can assess

the effect on their networks and the risks resulting. For example their switchgear could also be

overstressed, should the current limiting device fail to operate when required.

When a private network owner or generator developer installs the device, they will have an obligation

to inform the DNO and to provide the information needed by the other duty holders affected. It is

believed that the DNO will then have a responsibility to inform other customers who could be affected.

The DNO will have a duty of care to ensure that their customers understand the issues and have

taken all of the measures that the DNO would have taken in their position. These measures should

include an adequate risk assessment.

The IEC 61508 standard is applicable to fault current limiting devices as they are safety related

systems. In our experience most assessments of safety integrity levels have adopted a quantitative

approach to provide sufficient confidence that the safety requirements are met. This would require

the duty holder to set a quantitative safety target appropriate for their circumstances and this safety

target will dictate the reliability that the fault current limiting device has to achieve for that application.

Such application specific quantitative risk analysis would be complex, as the assessment has to be

appropriate for each application. However, it may be possible to develop a risk assessment

framework or good practice guidelines to simplify the implementation of IEC 61508 for a defined range

of current limiting device applications.

The ABB and G&W devices were developed prior to the introduction of the IEC 61508 standard and

therefore these devices would not have been designed against the requirements of IEC61508.

Therefore the availability and quality of the manufacturers' failure data will be critical to the successful

demonstration of compliance with the IEC 61508 design requirements for dealing with systematic

failure causes and for providing evidence that the devices meet the safety integrity level requirement.

The users of fault current limiting devices would have to comply with the various explosives

regulations as discussed in section 3.1.5. The requirements for registration of the premises, storage

and an explosives certificate should not place a significant burden on the duty holder.



4 safety management

4.1 Introduction

Certain regulations are ‘absolute', as already identified in Section 3, in general such requirements

must be met, regardless of cost or any other considerations. Other regulations are qualified by the

term ‘reasonably practicable'. This section presents a summary of the main risk assessment

concepts, including ALARP. It also gives an assessment of the applicability and implications of a risk

assessment based on the ALARP approach, given that current compliance is based on the principles

of inherent safety using suitably rated equipment and the use of good practice.

4.2 As Low As Reasonably Practicable (ALARP)

The Health and Safety at Work Act 1974 requires the employers,

to ensure, so far as is reasonably practicable, the health and safety and welfare at work of all

their employees; and

to conduct their undertaking in such a way as to ensure, so as far as reasonably practicable,

that persons not in their employment who may be affected are not thereby exposed to risks to

their health or safety.

These duties are qualified by the principle of “so far as is reasonably practicable” ("SFAIRP") which

allows the duty holder to balance the degree of residual risk against sacrifice of taking the measures

to avoid the risk. HSE considers that duties to ensure health and safety so far as is reasonably

practicable and duties to reduce risks as low as is reasonably practicable ("ALARP") call for the same

set of tests to be applied. The principles and guidance for assessment of compliance with ALARP is

presented in Appendix B.

4.3 Risk Assessment

The Health and Safety at Work Act 1974 supported by the general requirements of the Management

of Health and Safety at Work Regulations 1999 requires an assessment of risk. This places the duties

on the employer to asses the risk and take appropriate measures. This requires the duty holder to

identify hazards, assess the potential harm and evaluate the risk to decide whether existing

precautions are adequate or additional measures is required. The framework for risk evaluation is

presented below.



4.3.1 Tolerability Of Risk (TOR) Framework

HSE has developed a framework for assessing the tolerability of risk as presented in the ‘Reducing

Risks, Protecting People' document. This is presented in Figure 4.1. Risks can be categorized into

three broad regions. They are:

Unacceptable Risk

Risks in this region (whether for individual or societal risk) are regarded as unacceptable. Hazards

giving rise to risks in this region would, as a matter of principle, be ruled out unless it is can be

modified to reduce the degree of risk so that it falls in one of the region below, or there are exceptional

reasons for it to be retained.

"Tolerable if ALARP" Risk

It is considered that people are prepared to tolerate risks in this region if the nature and level of the

risks are properly assessed and the results are used to determine control measures. Also the

residual risks should not be unduly high and are kept As Low As Reasonably Practicable (ALARP).

The extent of the risk assessment and ALARP demonstration should be proportionate to the level of

risk.

Broadly Acceptable Risk

Risks in this region are generally regarded as insignificant and adequately controlled. Normally no

further actions are required to reduce risks unless reasonable practical measures are available. For

example, for risks in this region the ALARP demonstration may be based on adherence to codes,

standards and established good practice. However, these must be shown to be up-to-date and

relevant to the operations in question.

4.3.2 Tolerability Limits

The TOR framework describe the principle for the evaluation of risks. In order to determine

reasonable practicable measures for any particular hazards, whether the option taken to control risk

is adequate or not depends on where the boundaries are set between the unacceptable, tolerable or

broadly acceptable regions. The tolerability limits for individual risk and societal risk are presented in

Appendix B. These criteria are general guidelines expressed as the total risk exposed to an

individual or from an industrial activity for societal risk. Suitable risk criteria should be developed for

the specific risk assessment to ensure that the total risks are reduced to 'ALARP'.



UnacceptableRisk reduction

regardless of cost Intolerable

Relevant Good Practice

Risk reduction Measures

Plus

Gross\Disproportion

olerable if ALARP

evant Good Practice

Broadly Acceptable

Figure 4.1 HSE Framework for the Tolerability Of Risk



4.4 Applicability of ALARP Approach to Current Limiting Devices

An assessment of the ALARP requirement with regard to the implementation of current limiting

devices is presented below using a number of different arguments.

4.4.1 Good Practice argument

Our understanding of the HSE’s view is that there is currently good practice adopted by the industry

for protection from fault current by applying the principle of inherent safety using suitably rated

equipment.

HSE guidance on the use of good practice states where the law requires risks to have been reduced

ALARP, HSE

“does not normally accept a lower standard of protection than would be provided by the application of

current good practice; and

will, where the duty-holder wishes to adopt a different approach to controlling risks, seek assurance

that the risks are no greater than that which would have been achieved through adoption of good

practice and so are ALARP for that different approach. ”

In general, the use of current limiting devices would present a higher safety risk than current good

practice. Therefore the general application and wide spread application of current limiting devices will

be difficult to justify based on the above HSE statement.

4.4.2 Broadly acceptable risk argument

HSE expects that the duty holder to adopt relevant good practice even if the risk is low, even within

the broadly acceptable level. This is illustrated Figure 4.1. Therefore HSE may not accept the

argument for the use of current limiting devices just because the risk is very low, if there is relevant

good practice available that further reduces the risk.

This view is supported by the information in the HSE Reducing Risk Protecting People document

discussion on the application of the Tolerability of Risk framework which aims to lead to control

regimes that improve or at least maintain standards. The document states that:

“Thus when we apply the framework to policy formulation, regulatory development and enforcement

activities, we:



start with the expectation that those controls should as a minimum, implement authoritative good

practice precautions (or achieve similar standard of prevention/ protection), irrespective of specific risk

estimates. ”

HSE considers authoritative good practice as “those enshrined in prescriptive legislation, Approved

Codes of Practice and guidance produced by Government. We would also consider including as other

sources of good practice, standards produced by Standards-making organisations (eg BS, CEN,

CENELEC, ISO, IEC, ICRP) and guidance agreed by a body representing an industrial or

occupational

sector (eg trade federation, professional institution, sports governing body). Such considerations

would take into account that HSE is a repository of information concerning good engineering,

managerial and organisational practice, and would also include an assessment of the extent to which

these sources had gained general acceptance within the safety movement”.

4.4.3 Proportionality argument

Determination of ALARP requires a comparison of sacrifice and risk. It is considered that risks have

been reduced to ALARP level if the sacrifice in taking the measures is grossly disproportionate to the

benefit to be gained.

proportion factor = Sacrifice

Benefits of risk reduction

Therefore it is possible to conduct a cost benefit analysis for use of current limiting devices. This may

show the proportion factor is very high and this may be interpreted as grossly disproportionate. It may

then be argued that the use of a current limiting device is ALARP.

However, this demonstration is normally made to show that an adequate level of safety has been

adopted and a further safety measure is not justified. Therefore, it is unclear as to whether the

grossly disproportionate principle can be used to retrospectively argue for a level of safety reduced

from that which has been adopted in the past.

4.4.4 Modification of existing plant argument

HSE recognised that reducing the risks from an existing plant ALARP may still result in a level of

residual risk which is higher than that which would be achieved by reducing the risks ALARP in a

similar, new plant.



Therefore potentially it may be argued from an ALARP point of view, current limiting devices may be

implemented on existing plant where other measures are shown not to be reasonably practicable and

it can be shown that the use of the device is ALARP.

4.4.5 Summary

The arguments shows that from an ALARP point of view (excluding the consideration of the absolute

requirements of the Electricity at Work Regulations) it will not be straight forward to justify the use of

current limiting devices This is based on the assumption that current limiting devices present a higher

risk than the current good practice relating to protection from excessive fault current (for example the

use of adequately rated switchgear).

The argument for the implementation of current limiting devices is likely to be application specific or

for well defined cases. The ALARP assessment would need to address a range of factors, for

example the actual increase in risk, those that are affected, the potential benefits associated with the

use of current limiting devices, alternative options and control measures.

The approach and requirements for such an ALARP assessment, in addition to a ‘suitable and

sufficient' risk assessment, would need to be explored more fully with the HSE. A common approach

and common guidelines to the assessment should be developed.

4.5 Business Implications

Using a risk assessment approach, rather than relying on good engineering practice will represent an

important shift in some parts of the electricity industry. New competences and extensive training in

risk assessment will be required. Training in the maintenance activities associated with current limiting

devices will also be required.

The costs associated with using current limiting devices will therefore not be trivial. Ofgem's key

concern is that the use of the devices should be an efficient solution. Any cost benefit analysis would

therefore need to consider the full range of costs. These will include the following:-

4.5.1.1 Prior to first use

1. Development of common process and guidelines

2. Training DNO planning and design engineers in technology, application principles, guidelines

for use, risk assessments required.

3. Training of DNO maintenance engineers in on-site tests and replacing inserts



4.5.1.2 For Each Application

4. Determining application design, risk assessment, project management, specification,

procurement

5. Obtaining exemption certificate from HSE

6. Fault current limiters including cubicle, bus extensions, test equipment, manufacturer costs for

installation and commissioning, any costs associated with extending substation building (civil,

any outages required, additional land?) and any costs associated with possible relocation of

existing equipment eg cabling, labour.

The costs of item 6 will depend upon the particular application, the manufacturer, the rating and the

existing equipment. Typically for an 11kV indoor substation, three phase installation, the cost would

be approximately £80,000. This excludes any land or outage costs, but includes for all other items.

4.5.1.3 Operational and Maintenance Costs

1. Bi-annual on-site tests, as per manufacturer guidelines - labour

2. Cost of any outages required during test

3. Cost of replacing/refurbishing inserts after operation. This will depend upon the manufacturer

and rating but will be between £600 and £2,500.

4. Cost of storing inserts

4.5.2 Conclusion

The Boards of the DNO's should be made aware of the business implications of the adoption of

current limiting devices, including the legal issues, the costs and benefits, the competences and

training required for the move from a good practice to a risk assessment approach and the increased

DNO role in co-ordination and information exchange with other parties. A full cost benefit analysis will

be required to establish that the use of current limiting devices is an efficient solution.



5 consequence assessment

The following sections provide an overview of the consequences of mal-operation affecting a current

limiting device.

5.1 Consequences of Failure to trip

5.1.1 Direct Consequences of mal-operation - Localised effect

The most immediate consequence of a current limiting device failing to trip is the exposure by the

connected switchgear to prospective fault levels higher than rating. This may result in damage and

permanent mechanical failure of the overstressed switchgear.

The overstressed switchgear will be subject to excessive fault energy and abnormally high

electromagnetic forces, and will be unable to operate in accordance with its design, with the resulting

electrical and thermal stress which can sometimes lead to catastrophic failure, i.e. total destruction of

the switchgear. In oil filled switchgear such failures are accompanied by burning gas clouds and oil

mist which can potentially envelop personnel near the switchgear and lead to serious burn injuries,

and can potentially be fatal.

The mechanical failure can also be accompanied by an explosion due to the excessive energy and

high electromagnetic forces. Circuit breakers are designed to direct the products of the explosion

(vaporised metal, gas or oil) through the back of the panel as opposed to the front to reduce risk of

injury to personnel. In the event of such an explosion, however, the circuit would ultimately be

interrupted and the fault current would cease to flow.

However, a circuit breaker will attempt to break the current at its first zero after the trip signal is

received, independently of the magnitude of the fault current. Therefore, the phenomenon that may

occur first is the melting of the contacts during the interval between the fault appearance and the first

useful current zero. The duration of this interval depends on the protection settings controlling the

breaker as well as on thedelays associated with the protection system and the breaker itself.

Depending on whether the switchgear failure results in interruption of the fault current or not (it may

explode and interrupt or just melt and continue to conduct) there might be other associated

consequences.

If the breaker contacts melt and weld together, the fault current will have to be interrupted by another

circuit breaker. In scenario 1) (see section 2.2.3), each of the transformer secondary breakers will see

a portion of the total fault current which is the same as they would see for a fault on their side of the

busbar with the busbar open, and which is therefore within their respective rating. Each breaker will



interrupt its fault infeed and the busbar will be isolated, with loss of power supply to all loads

connected to the busbar.

Similar sequences of events can be envisaged for scenarios 2) and 3), where the feeder breaker

would fail and the remaining breakers would be able to interrupt their contribution to the fault.

It is also possible that mechanical failure (explosion) of one item of switchgear will lead to electrical

and/or mechanical failure of the switchboard that it is part of. It could also damage or destroy the

busbar which it connects to. Again, the busbar would be lost and hence the supply to its loads.

5.1.2 Direct Consequences of mal-operation -Effects on the wider network

Even if the fault current is eventually interrupted as a result of the mechanical separation of the circuit

breaker contacts, it can be envisaged that the fault interruption process may have taken longer than it

would have under correct operation of the switchgear. The excessive thermal let-through has the

potential of transferring thermal and electromechanical stress to other active elements of plant located

upstream of the fault point (e.g. transformers, generators). However, the circuit breakers dedicated to

these items of plant will in general be subjected to current values which are within their respective

ratings.

The installation of an additional primary transformer (scenarios 1) and 2)) or of a local generator

(scenario 3)) with the fault limiting device, carries the risk of increasing the fault level at all

switchboards supplied by the primary substation if the device fails to operate correctly. The increase

in fault level at downstream substations may or may not take the prospective fault level following

failure of the limiting device above switchgear ratings at the downstream locations. This cannot be

predicted in general and would need to be assessed for the specific application. It will be important

that the owner of the fault current limiting device provides the fault level data to the owners of

downstream equipment.

Depending on the fault level values at the primary and at the downstream switchboards, the possibility

exists that the let through current for which the limiter is set to not operate may take downstream

switchboards above rating even with correct operation. If, for example, the primary switchgear is

rated at 21 kA and the additional transformer increases the prospective fault level from 15 kA to

30 kA, the limiter may be set to let through 5 kA before tripping to avoid spurious tripping (20 kA

prospective fault level). If a downstream switchboard is rated at 16 kA with an original fault level of 13

kA, the insertion of the additional primary transformer may result in a 4 kA increase (due to the 5 kA

let through), hence above rating. The specific case will have to be evaluated.

A downstream fault may result in failure of switchgear in the same way described above for the

primary feeder breaker when the limiting device fails to trip.



5.1.3 Indirect consequences

• From the above analysis it is clear that the failure of an overstressed feeder breaker will result

in unnecessary loss of supply to healthy circuits.

• The reputation of the DNO will be affected by both the switchgear failure and by the loss of

supply to customers.

• The DNO's ability to meet its IIP targets for Customer Minutes Lost and Customer

interruptions could be affected

5.2 Spurious tripping

Spurious tripping may occur as a result of incorrect design of the application and/or setting of the

current limiting device. In all events, a spurious trip will result in unnecessary maintenance and costs

associated with the replacement of the triggering elements (charge and fuse) and with the use of

spare parts.

Other consequences of spurious tripping are related to the application. A spurious trip on scenario 1)

may not yield any load disruption if both transformers are in operation and the busbar is subject to

relatively small current flow at the time of the trip. The trip would split the busbar but each transformer

would continue to supply its own loads. If, on the other hand, only one transformer were in operation

supplying all loads (e.g. during maintenance of the other unit), the spurious trip would result in loss of

half of the busbar and its loads. This could be avoided if the system is configured in a way such that

when only one transformer is connected, the fault current limiting device is disabled.

A trip in scenario 2) would open the transformer circuit and that source of supply would be lost. Loss

of supply is therefore inevitable in this case. Scenario 3) is envisaged to be the most likely to incur

spurious tripping as it requires relatively low pick-up settings in order to detect fault contributions of

embedded generator. Spurious tripping would result in an unnecessary disconnection of the

generator from the network.

It is assumed that the network operator does not rely on the generator output to supply its loads and

therefore that the disconnection of the generator does not result in loss of supply to customers.

It is also assumed that connection of the local generator will be allowed by the DNO only on the basis

that sudden, unplanned connection or disconnection of the generator, is not associated with

excessive voltage steps at the DNO's primary terminals and at customers' low voltage terminals.

On this basis, from a DNO prospective, spurious trips affecting scenario 3) will have little impact on

the operation of the distribution network and should have an effect similar to that of generator

connection/disconnections.



6 control measures

A number of control measures may be put in place in order to reduce the risk and mitigate the

consequences of failure of a fault current limiting device. Best practice can be obtained from a

number of HSE publications, for example HSE information document HSE 483/27 ‘Oil-filled

Distribution and other Switchgear'.

One useful control measure will be to develop a set of guidelines for users of the devices, covering

how and where fault current limiting devices should be implemented. These instructions would assist

the process of achieving a new system of good practice for the devices within the industry.

Duplication could be considered, namely installing two devices in series or parallel, with an

appropriate degree of component diversity where suitable. On resistance earthed systems there is

already some redundancy (see section 2.2.4). The increased number of devices would reduce the

impact of failure of one device.

Intertripping to circuit breakers further up the electrical system should also be considered, provided

that these circuit breakers are operating within their fault ratings. This will reduce the period for which

the switchgear is overstressed.

A management system should be kept in place for the current limiting device, so as to assist safe

operation and minimise the risk of failure. The following should be considered:

- an appropriate system of records;

- policies and procedures covering the installation, commissioning, operation, maintenance

and removal of the equipment;

- definitions of responsibilities and training requirements for staff;

- an auditing regime to monitor and maintain the effectiveness of procedures.

Inspection, maintenance and test of the device and its environment should be performed regularly and

in accordance with the manufacturer's instructions.

Measures to control and mitigate the effect of fire and smoke spread are available and can be used

singularly or in combination. Compartmentation can be employed which consists of separating

substation plant items by fire-resisting barriers to limit the extent of any fire to the item affected.

Attention must be paid not to inhibit any venting that may be required to safeguard against explosion.

Fire-extinguishing systems can be employed based on extinguishing mediums such as halon and

carbon dioxide. Halon has some environmental implications but its use may be necessary in areas



where fire hazards are particularly severe and could affect adjacent plant. These systems require the

flooding of fire compartments and often are arranged to operate automatically on detection of fire.

Secure measures to make the system non-automatic should be made available for use by personnel

before entering the protected area. Suitable warning notices and instructions should be prominently

displayed at the points of access to the area. These instructions should also be included in the safety

rules.



7 conclusions

Installing current limiting devices in order to avoid plant being operated beyond its rating will give

some difficulties in complying with UK safety legislation. It should be noted that UK safety legislation is

very different from the legislation used elsewhere in Europe. The problems highlighted by the HSE are

difficult but are possibly surmountable. The problems highlighted by the DTI with the ESQCR could

result in dutyholders being in breach of the regulations and open to prosecution.

The DTI view is that the dutyholder would be in breach of Regulation 3.1a) and Regulation 6 of the

ESQCR if the current limiting device fails to operate. However in this event, if the DTI decided to

investigate and/or prosecute, then the key issues would be the consequences of the failure of the

current limiting device and the mitigating measures taken by the dutyholder. The decision as to

whether there should be an investigation will also depend upon the consequences.





The possibility of using an exemption process under Regulation 30 needs further exploration. This

would require further discussion within the HSE and with the stakeholders. These discussions would

need to identify the extent of any exemption, the criteria which would need to be met for an exemption

to be granted (for example ALARP) and the process for granting an exemption. All of the dutyholders

affected by the installation of the device would need an exemption if the exemption route proved to be

feasible.

The arguments shows that from an ALARP point of view (excluding the consideration of the absolute

requirements of the Electricity at Work Regulations) it will not be straight forward to justify the use of

current limiting devices This is based on the assumption that current limiting devices present a higher

risk than the current good practice relating to protection from excessive fault current (for example the

use of adequately rated switchgear).

The argument for the implementation of current limiting devices is likely to be application specific or

for well defined cases. The ALARP assessment would need to address a range of factors, for

example the actual increase in risk, those that are affected, the potential benefits associated with the

use of current limiting devices, alternative options and control measures. The approach and

requirements for such an ALARP assessment, in addition to a ‘suitable and sufficient' risk

assessment, would need to be explored more fully with the HSE. A common approach and common

guidelines to the assessment should be developed.




consumers, there is an obligation under the Management of Health & Safety at Work Regulations. It

will be essential for the industry to have a common approach and a common set of guidelines for the

installation of current limiting devices and the exchange of information. As a first step in developing

the process and guidelines the legal, commercial and safety duties of all parties will need to be

clarified and set out. This will require all parties to take legal advice.

The operational information provided by the manufacturers is not sufficient to carry out a suitable

reliability assessment. The information on the reliability of the current limiting device is critical for any

future safety assessment. Ideally this should be based on historical data, and it is recommended that

the manufacturers should critically review their operational data and consider the collection of

additional data to support any future safety assessment. This will also be critical to the successful

demonstration of compliance with the IEC 61508 design requirements for dealing with systematic

failure causes and for providing evidence that the devices meet the safety integrity level requirements.

Using a risk assessment approach, rather than relying on good engineering practice will represent an

important shift in some parts of the electricity industry. New competences and extensive training in

risk assessment will be required. Training in the maintenance activities associated with current limiting

devices will also be required. The costs associated with using current limiting devices will therefore

not be trivial. Ofgem's key concern is that the use of the devices should be an efficient solution. A full

cost benefit analysis will be required to establish that the use of current limiting devices is an efficient

solution.

The Boards of the DNO's should be made aware of the business implications of the adoption of

current limiting devices, including the legal issues, the costs and benefits, the competences and

training required for the move from a good practice to a risk assessment approach and the increased

DNO role in co-ordination and information exchange with other parties.



8 recommendations

The following recommendations are made:-

• WS3 should explore further with the DTI the DTI view that dutyholders would be in breach of the

ESQCR if the current limiting device fails to operate when it has been installed in order to avoid

plant being operated beyond its rating

• the HSE exemption route should be explored further by WS3. Discussions should be held with the

HSE to identify the extent of any exemption, the criteria which would need to be met for an

exemption to be granted (for example ALARP) and the process for granting an exemption.

• a common approach and a common set of guidelines on how to carry out the risk assessment

and cost-benefit analysis necessary to support the installation of current limiting devices should

be developed. As a first step in developing the process and guidelines all parties should take legal

advice in order to clarify their legal, commercial and safety duties. The guidelines should cover:-

• Appropriate applications and limitations on use of the device

• The requirements, including the risk assessment approach, to meet UK safety legislation

• Requirements for information exchange with other parties

• Approach to cost-benefit analysis to meet Ofgem cost efficiency requirements

• The process required for correct application and setting (including failure analysis, assurance of the assessment by the manufacturer and compliance with IEC 61508)

• Recommendations on redundancy when used on solidly earthed systems

• Recommendations on testing regime

• One or more pilot projects should be used to help develop the guidelines and inform the legal

position.

• The Boards of the DNO's should be made aware of the business implications of the adoption of

current limiting devices, including the legal issues, the competences and training required for the

move from a good practice to a risk assessment approach and the increased DNO role in co

ordination and information exchange with other parties.

• The manufacturers should critically review their operational data and consider the collection of

additional data to support any future safety assessment. This will also be critical to the successful

future demonstration of compliance with the IEC 61508 design requirements.



appendix a

list of abbreviations and references

Parsons Brinckerhoff Ltd Page 54 Final report Graft3 54


abbreviations

ALARP As Low as Reasonably Practicable

CLiP Current Limiting Protection

DGCG Distributed Generation Co-ordinating Group

DNO’s Distribution Network Operators

ESQCR Electricity Safety, Quality and Continuity Regulations

FMECA Failure Mode, Effects and Criticality Analysis

HASWA Health and Safety at Work Act

HAZOP Hazard and Operability Study

OFGEM Office of Gas and Electricity Markets

PAF Power Assisted Fuse

WS3 Work Stream 3



appendix b

RISK MANAGEMENT AND ALARP BACKGROUND READING



HSE Tolerability Limits

The tolerability of risk framework discussed in Section 4 presents the principles for assessing the

acceptability of risk. For specific risk assessment, the boundaries of unacceptable, tolerable and the

broadly acceptable regions need to be defined. This section presents the general HSE tolerability

limits guidelines. The criteria shown are the total risk that workers and the public are exposed.

Therefore for specific risk assessment these criteria need to be adapted to take account of the

specific circumstances.

Risk to people can be expressed in two complementary forms:

• Individual risk - the risk experienced by an individual person

• Societal risk - the total risk experienced by the whole group of people exposed to the

hazards.

Both individual risk and societal risk criteria are presented for completeness. The concept of individual

risk is well defined and understood, with precise safety criteria for the assessment of acceptability.

The concept of societal risk is complex and ill defined. However both individual and societal risk can

be assessed.

UK HSE indicates that an individual risk of death of one in a million (1x10-6) per annum for both

workers and the public corresponds to a very low level of risk, and should be used as a guideline for

the boundary between the broadly acceptable and tolerable regions. HSE suggests that an individual

risk of death of one in a thousand per annum should represent the dividing line between what could

be just tolerable for any substantial category of workers for any large part of a working life, and what is

unacceptable for any but fairly exceptional groups. For members of the public who have a risk

imposed on them ‘in the wider interest of society' this limit is judged to be an order of magnitude

lower, at 1 in 10000 per annum. These risks are represented in Figure B1.

The assessment and evaluation of societal risk is complex and difficult. There are no well-defined

acceptable criteria for societal risk. The HSE has cautiously provided some limited guidance. It

proposed that accidents causing the death of 50 people or more in a single event should be regarded

as intolerable if the frequency is estimated to be more than one in five thousand per annum. This

criterion has been developed by Hirst (2002) into an F-N plot (as shown in Figure B2) defining the

three regions within which the risks are categorised as “unacceptable”, “tolerable” and “broadly

acceptable”. The F-N plots show societal risk in the form of the relationship between the cumulative

frequency and the number of fatalities. Societal risk may also be presented as an annual fatality rate

(AFR) in which the frequency and fatality data is combined into a convenient single measure. The

AFR is the long-term average number of expected fatalities per year.



Unacceptable

1x1 O'3 (Worker) 1x10"4 (Public)

Tolerable if ALARP

Broadly Acceptable

Figure B1 HSE Individual Risk Criteria



ro

0)Q.

ZC0)3O"0)

c0)

"D"u

oro0)>%3E3o

1x10-2

1x10-3

Unacceptable1x10-4

Tolerable1x10-5

1x10-6 Broadly Acceptable

100 1000 10000

Number of fatalities

Figure B2 HSE Tolerability of Societal Risk Presented as an F-N plots



As Low As Reasonably Practicable (ALARP)

The section presents the interpretation of “as low as is reasonably practicable” (ALARP) and some of

the issues associated with ALARP as provided by Health and Safety Executive guidance. However,

ultimately it is for the Courts to decide whether or not duty-holders have complied with the law.

SFAIRP’ and ‘ALARP’

In terms of what they require of duty-holders, HSE considers that duties to ensure health and safety

so far as is reasonably practicable (“SFAIRP”) and duties to reduce risks as low as is reasonably

practicable (“ALARP”) call for the same set of tests to be applied. However, SFAIRP and ALARP are

not always interchangeable because legal proceedings will have to employ (for example, in

complaints or information) the particular term cited in the relevant legislation.

Determining that risk has been reduced ALARP

ALARP guidance is largely based on the key case of Edwards v. The National Coal Board. In that

case, the Court of Appeal held that -

, "... in every case, it is the risk that has to be weighed against the measures necessary to eliminate

the risk. The greater the risk, no doubt, the less will be the weight to be given to the factor of cost. ”

and

“’Reasonably practicable’ is a narrower term than ‘physically possible’ and seems to me to imply that

a computation must be made by the owner in which the quantum of risk is placed on one scale and

the sacrifice involved in the measures necessary for averting the risk (whether in money, time or

trouble) is placed in the other, and that, if it be shown that there is a gross disproportion between them

- the risk being insignificant in relation to the sacrifice - the defendants discharge the onus on them. ”

Thus, determining that risks have been reduced ALARP involves an assessment of the risk to be

avoided, of the sacrifice (in money, time and trouble) involved in taking measures to avoid that risk,

and a comparison of the two.

This process can involve varying degrees of rigour which will depend on the nature of the hazard, the

extent of the risk and the control measures to be adopted. The more systematic the approach, the

more rigorous and more transparent it is to the regulator and other interested parties. However, duty-

holders (and the regulator) should not be overburdened if such rigour is not warranted. The greater

the initial level of risk under consideration, the greater the degree of rigour HSE requires of the

arguments purporting to show that those risks have been reduced ALARP.



Risk

The assessment of risk is confined to those matters with which the legislation in question is

concerned. It is risks to health, safety and welfare that are covered by the Health and Safety at Work

Act 1974, and its subordinate legislation such as the Management of Health and Safety at Work

Regulations 1999.

Other legislation for which HSE is responsible may include other risks, such as the Control of Major

Accident Hazards Regulations 1999 (COMAH) which include environmental risks. Requirements for

environmental protection may constrain the options available to duty-holders for controlling health and

safety risks.

The risks must be only those over which duty-holders can exercise control or mitigate the

consequences through the conduct of their undertaking. Some risks arise from external events or

circumstances over which the duty-holder has no control, but whose consequences duty-holder can

mitigate. Such risks should be included in the assessment.

In any given workplace there would be a large number of hazards which duty-holders could address.

HSE will not expect them to take account of hazards other than those which are a reasonably

foreseeable cause of harm, taking account of reasonably foreseeable events and behaviour.

The risk will be not only to the duty-holders' employees but may also affect other workers and

members of the public, including the local community which would be affected by an accident or

incident such as an explosion on site.

Risk should be assessed in relation to a hypothetical person, eg. the person most exposed to the

hazard, or a person living at some fixed point or with some assumed pattern of life, such as a person

who is in good health and works exactly forty hours a week with the hazard, or a child present

continuously in a house sited at the closest point to a major hazard. To ensure that all significant risks

for a particular hazard are covered, it may be necessary to construct a number of hypothetical

persons, to cover the different populations exposed, such as ‘a person who is in good health', ‘young

persons'.

The actual persons who are to be exposed to the risk will have to be considered when the control

measures determined via risk assessment are applied in practice because these measures may need

to be adapted to meet the particular abilities of these persons, for example, their ability to read

instructions, or whether they are colour-blind.

Risks should be assessed in an integrated manner by duty-holders. It is important that duty-holders

consider the 'full picture' when assessing risk and not a partial view from considering hazards in

isolation, or in a slice of time, or location by location rather than across the whole system.



Location by location consideration of risks should however be carried out to determine whether, even

if application of a control measure system-wide would be ruled out on the grounds of excessive costs,

application is reasonably practicable in certain locations, such as those that present a particularly high

risk and/or low cost.

Sacrifice

The sacrifice under consideration here is that which would be incurred by duty-holders as a

consequence of their taking measures to avert or reduce the risks identified. In the Edwards case,

Asquith LJ referred to the sacrifice in terms of money, time or trouble. These costs which should be

considered are only those which are necessary and sufficient to implement the measures to reduce

risk.

For any particular measure, these might include the cost of installation, operation, and maintenance,

and the costs due to any consequent productivity losses resulting directly from the introduction of the

measure (for example, a new guard may cause a machine to operate less efficiently).

Temporary shutdown costs incurred during implementation must be included since these clearly

constitute part of the duty-holders' 'sacrifice'. HSE will expect duty-holders to take full advantage of

opportunities to reduce shutdown costs to a minimum, such as implementing control measures during

planned maintenance. It may be reasonably practicable to implement control measures during

shutdown for planned maintenance, even though not to shut down solely to implement control

measures.

Individual duty-holders' ability to afford a control measure or the financial viability of a particular

project is not a legitimate factor in the assessment of its costs. HSE must present duty-holders with a

level playing field. Thus HSE cannot take into account the size and financial position of the duty-

holder when making judgements on whether risks have been reduced ALARP.

Benefits gained by duty-holders as a result of their instituting a health and safety measure should be

offset against the costs they incur.

Comparison

The basis on which comparison is made is provided by the Edwards case: the test of 'gross

disproportion'. In any assessment as to whether risks have been reduced ALARP, measures to

reduce risk can be ruled out only if the sacrifice involved in taking them would be grossly

disproportionate to the benefits of the risk reduction.

That gross disproportion is required before a measure can be ruled out on the grounds of sacrifice

can be interpreted as applying a bias on the side of safety. From the statement of Tucker LJ, that -



“The greater the risk, no doubt, the less will be the weight to be given to the factor of cost",

we believe that the greater the risk, the more that should be spent in reducing it, and the greater the

bias on the side of safety. This can be represented by a 'proportion factor', indicating the maximum

level of sacrifice that can be borne without it being judged 'grossly disproportionate' -

sacrifice

benefits of risk reduction

Although there is no authoritative case law which considers the question, we believe it is right that the

greater the risk: the higher the proportion may be before being considered ‘gross'. But the

disproportion must always be gross.

HSE has not formulated an algorithm which can be used to determine the proportion factor for a given

level of risk. The extent of the bias must be argued in the light of all the circumstances. It may be

possible to come to a view in particular circumstances by examining what factor has been applied in

comparable circumstances elsewhere to that kind of hazard or in that particular industry.

Taking greater account of the benefits as the risk increases also compensates to some extent for

imprecision in the comparison of costs and the benefits. It again errs on the side of safety, since the

consequences of the imprecision have greater impact, in terms of the degree of unanticipated death

and injury, as the level of risk rises.

In measuring the risk to be reduced, and the sacrifice involved in measures to achieve that reduction,

the starting point should be the present situation. If there are several options, therefore, they should

each be considered as against the present situation.

In some situations, it will not be possible to assess options in this way. For example, where an

installation is being built, it will not be possible to separate the costs of risk reduction measures from

the costs of building. In such situations, the starting point should be an option which is known to be

reasonably practicable (such as one which represents existing good practice). Any other options

should be considered as against that starting point, to determine whether further risk reduction

measures are reasonably practicable.

Societal Concerns

Societal concerns can arise when the realisation of a risk impacts on society as a whole. The impact

may produce an adverse socio-political response (which has its origins in the public aversion to

certain characteristics of the hazards concerned). The harm which results is a loss of confidence by

society in the provisions and arrangements in place for protecting people and, consequently, a loss of



trust in the regulator and duty-holders with respect to control of the particular hazard and hazards

more generally.

This might arise where large numbers of people are killed at one time (which we call “societal risk”),

where potential victims are particularly vulnerable (such as children), or where the nature of the risks

inspire dread (such as long-term or irreversible effects).

There is no guidance from the courts as to whether societal concerns should be taken into account by

duty holders in deciding what is grossly disproportionate. In deciding whether to propose regulations,

or in setting enforcement priorities, the HSC considers that risk and sacrifice must be assessed in its

social context. As well as taking account of individual risk, the HSC considers societal concerns.

We believe it is right that, in all cases, the judgment as to whether measures are grossly

disproportionate should reflect societal risk, that is to say, large numbers of people (employees or the

public) being killed at one go. This is because society has a greater aversion to an accident killing 10

people than to 10 accidents killing one person each.

Where the HSC considers that duty-holders should take other societal concerns into account,

Regulations, ACoPs or other HSE guidance will state how duty-holders should take such concerns

into account and what those concerns are.

Transfer of Risks

Introduction of a health and safety measure to control a hazard may transfer risk to other employees

or members of the public.

If the transferred risk arises from the same hazard, then it should be offset against the benefit from the

measure under consideration. For example, the introduction of mechanical exhaust ventilation may

transfer the risk from the same hazard (fumes) from the employee to the general public as the fumes

are pumped outside the workplace. The added risk to the public should be offset against the benefits

the measure otherwise brings to employees.

If the transferred risk arises from a different hazard, it should be treated as a separate matter for

which control measures must be introduced to reduce its risk ALARP. For example, providing scaffold

fans to protect members of the public from being struck by objects dropped from the scaffold will

transfer some of the risk from the public to the scaffolders involved in erecting the fans. Since a

different hazard is involved (ie. scaffolders falling from a height), the fans should be provided to

reduce the risks to the public ALARP, but at the same time, the duty holder must ensure that the risks

of the scaffolders' working methods are reduced ALARP. However, if the risks from the health and

safety measure to be introduced (in this example, scaffolding fans) when properly controlled are still

greater than the risks which it is sought to prevent (injury to members of the public) when properly

controlled, the measure should not be introduced.



Changed Circumstances

Duty-holders may wish to alter the conditions in which equipment is operated or to relax or otherwise

alter some or all control measures in response to changed circumstances. This is permissible

provided that the altered control measures continue to ensure that risks are reduced ALARP.

Good Practice

The determination of control measures forms part of the statutory risk assessment duty-holders are

required to undertake. Such assessments involve duty-holders identifying the hazards in their

workplace, determining who might be harmed and how; evaluating the risk from the hazards and

deciding whether the existing control measures are sufficient or whether more should be done.

In reality, there is often only a limited number of options for dealing with a particular health and safety

issue and the optimum option is in many cases likely to have been already established as relevant

good practice accepted by HSE as reducing risks ALARP. Often HSE staff will be able to rely on

authoritative documented sources of good practice, such as HSC AcoPs and HSE Guidance, on legal

standards which require risks to be reduced ALARP.

HSE staff should ensure that duty-holders are using good practice which is appropriate to their

activities, relevant to the risks from their undertaking, and covering all the risks from that undertaking.

Such documents may only deal with some of the risks which the duty-holder must consider. Good

practice which covers all the risks which a duty-holder must address in order to reduce risks ALARP

may not be available, and this is particularly likely to be so for major investments in safety measures

or where hazards are regulated through safety case regimes.

A universal practice in the industry may not necessarily be good practice or reduce risks ALARP. Duty

holders should not assume that it is. HSE must keep its acceptance of good practice under review

since it may cease to be relevant with the passage of time; new legislation may make it no longer

acceptable; new technology may make a higher standard REASONABLY PRACTICABLE. Similarly

HSE expects duty-holders to keep relevant good practice under review.

Probably the majority of judgements made by HSE involves it in comparing duty-holders' actual or

proposed practice against RELEVANT GOOD PRACTICE. Relevant good practice provides duty-

holders with generic advice for controlling the risk from a hazard. In so far as they can adopt relevant

good practice, this relieves duty-holders of the need (but not the legal duty) to take explicit account of

individual risk, costs, technical feasibility and the acceptability of residual risk, since these will also

have been considered when the good practice was established.



In practice therefore, explicit evaluations of risk rarely need to be made in relation to day-to-day

hazards. However, duty-holders have to make them where there is no relevant good practice

establishing clearly what control measures are required.

HSE guidance on the use of good practices is provided in Appendix C.

Choosing Between Options

A selection amongst options may be needed at any stage of a particular project: at the design stage,

involving choice between different design concepts for the whole project, and, as the project is

developed, between more detailed options. In making these options, duty-holders must consider the

risks involved in the whole life-cycle of a project.

At the design stage, where safety cases or plans are required to be submitted to HSE, HSE will

assess the option which duty-holders put before it, but where that option does not reduce risks

ALARP, HSE may reject a safety case, ask duty holders to consider a different option, or use its

enforcement powers to prevent further work (depending on the situation in question). HSE will make

its judgement as to whether the design presented to it reduces risks ALARP based on its knowledge

as a regulator, including its knowledge of good practice in that area, and its knowledge of other

possible design options. Where the option put forward does not reduce risks ALARP, HSE may

intervene according to the situation in question - for example, to prevent further work or to inform the

duty-holder of its opinion.

The reason for the design chosen will be a relevant factor in considering what it is reasonably

practicable to do. Depending on the particular legal context and the circumstances in question, where

the very essence or ethos of the business could not be achieved without following the design

suggested, then HSE could not reject the option so as to prevent the undertaking proceeding. The

question would be how to reduce the risks of that option ALARP. But such situations will be rare. In

most cases, there will be several options for achieving the essence of the business in question.

At a more detailed level, HSE would consider judgements as to whether risks are or will be controlled

ALARP as central to deciding between options, though again the reason for the option chosen may

still be a relevant factor. For example, HSE may have to accept a process using intrinsically more

dangerous components since only these components will provide the products essential to the duty-

holder's undertaking.

In practice, duty-holders may have a number of options where an assessment would show that costs

are not grossly disproportionate. The option, or combination of options which achieves the lowest

level of residual risk should be implemented, provided grossly disproportionate costs are not incurred.

The legal requirement to reduce risks as low as is reasonably practicable rules out HSE accepting a

less protected but significantly cheaper option.



New Versus Existing Plant

It should be borne in mind that reducing the risks from an existing plant ALARP may still result in a

level of residual risk which is higher than that which would be achieved by reducing the risks ALARP

in a similar, new plant. Factors which could lead to this difference include the practicability of

retrofitting a measure on an existing plant, the extra cost of retrofitting measures compared to

designing them in on the new plant, the risks involved in installation of the retrofitted measure (which

must be weighed against the benefits it provides after installation) and the projected lifetime of the

existing plant.

All this may mean, for example, that it is not reasonably practicable to apply retrospectively to existing

plant, what may be demanded by reducing risks ALARP for a new plant (and what may have become

good practice for every new plant).



APPENDIX C

HSE GUIDANCE ON ASSESSING COMPLIANCE WITH THE LAW IN INDIVIDUAL

CASES AND THE USE OF GOOD PRACTICE



HSE Guidance On Assessing Compliance With The Law In Individual Cases And The

Use Of Good Practice

1. SCOPE

1.1 The Health and Safety Executive is responsible for making adequate arrangements for the

enforcement of health and safety legislation in the UK. In fulfilment of its duty, the Executive provides

guidance to its regulatory staff who have to judge whether measures put in place, or proposed, by

those who are under a duty to control and reduce risks “as low as reasonably practicable” (ALARP),

are acceptable.

1.2 This document provides guidance on what constitutes good practice and on how relevant

application of good practice contributes to the duty to reduce risks ‘so far as is reasonably practicable'

(SFAIRP) or demonstrate that risks have been reduced ALARP. It complements, ‘Principles and

Guidelines to assist HSE in its judgements that duty-holders have reduced risk as low as reasonably

practicable'' and “Policy and guidance on reducing risks as low as reasonably practicable in Design”.

Together, these three documents have been issued as guidance in support of the HSE document

“Reducing Risks, Protecting People” (R2P2).

2. DEFINITIONS

2.1 Good Practice:

Within HSE and in this document, good practice is the generic term for those standards for controlling risk which have been judged and recognised by HSE as satisfying the law when applied to a particular relevant case in an appropriate manner.

Explanatory notes to the definition.

a. Written good practice may take many forms. The scope and detail of good practice will reflect the

nature of the hazards and risks, the complexity of the activity or process and the nature of the

relevant legal requirements.

b. Sources of written, recognised good practice include:

(i) HSC Approved Codes of Practice (ACoPs);

(ii) HSE Guidance;

NB: ACoPs give advice on how to comply with the law; they represent good practice and have a

special legal status. If duty-holders are prosecuted for a breach of health and safety law and it is

proved that they have not followed the relevant provisions of the ACoP, a court will find them at



fault unless they can show that they have complied with the law in some other way. Following the

advice in an ACoP, on the specific matters on which it gives advice, is enough to comply with the

law.

c. Other written sources which may be recognised include:

(iii) guidance produced by other government departments;

(iv) Standards produced by Standards-making organisations (e.g. BS, CEN, CENELEC, ISO,

IEC);

(v) guidance agreed by a body (e.g. trade federation, professional institution, sports governing

body) representing an industrial/occupational sector.

d. Other, unwritten, sources of good practice may be recognised if they satisfy the necessary

conditions (see ‘Policy - identifying good practice' below), e.g. the well- defined and established

standard practice adopted by an industrial/occupational sector.

e. Good practice may change over time because, for example, of technological innovation which

improves the degree of control (which may provide potential to increase the use of elimination

and of engineering controls), cost changes (which may mean that the cost of controls decreases)

or because of changes in management practices.

f. Good practice may also change because of increased knowledge about the hazard and/or a

change in the acceptability of the level of risk control achieved by the existing good practice.

g. In the definition of good practice, ‘law' refers to that law applicable to the situation in question;

such law may set absolute standards or its requirements may be qualified in some way, for

example, by ‘practicability' or ‘reasonable practicability'.

h. ‘Good practice', as understood and used by HSE, can be distinguished from the term ‘best

practice' which usually means a standard of risk control above the legal minimum.

3. POLICY

Overall approach

3.1 In support of the following policy, HSE:

(a) provides guidance to inspectors on the law, its interpretation by the courts, and on good

practice;



(b) maintains mechanisms to guide the exercise of inspector discretion in order to promote

consistency in assessing compliance and deciding on a proportionate response.

3.2 In securing compliance with the law in accordance with the HSC Enforcement Policy principles of

proportionality, consistency, targeting, transparency and accountability, HSE inspectors take account

of the legal interpretations given in statute, relevant case law and the guidance in ‘Principles and

Guidelines to assist HSE in its judgements that duty-holders have reduced risk as low as reasonably

practicable' which contains specific advice on the application of good practice.

Use of good practice

3.3 To promote effective compliance and improved health and safety performance by duty-holders,

HSE may develop and recognise good practice and draw this to their attention. In some

circumstances, to promote consistent, cost-effective assessment by inspectors, HSE makes use of

good practice to guide decisions when judging the adequacy of compliance and applying the differing

legal tests, (e.g. ‘absolute', ‘practicable' or ‘reasonably practicable').

3.4 In judging compliance, HSE expects duty-holders to apply relevant good practice as a minimum.

For new plant/installations/situations, this will mean the application of current good practice. For

existing plant/installations/situations, this will mean the application of current good practice to the

extent necessary to satisfy the relevant law.

3.5 Where the law requires risks to have been reduced ALARP, HSE:

(a) may accept the application of relevant good practice in an appropriate manner as a sufficient

demonstration of part or whole of a risk/sacrifice computation;

(b) does not normally accept a lower standard of protection than would be provided by the

application of current good practice; and

(c) will, where the duty-holder wishes to adopt a different approach to controlling risks, seek

assurance that the risks are no greater than that which would have been achieved through

adoption of good practice and so are ALARP for that different approach.

3.6 Compliance with relevant good practice alone may be sufficient to demonstrate that risks have

been reduced ALARP. For example, recognised standards provide a realistic framework within which

equipment designers, manufacturers and suppliers (including importers) can fulfil their general duties

under HSWA S.6.

3.7 However, depending on the level of risk and complexity of the situation, it is also possible that

meeting good practice alone may not be sufficient to comply with the law. For example, in high hazard

situations (those with the potential to harm large numbers of people in a single event), where the



circumstances are not fully within the scope of the good practice, additional measures may be

required to reduce risks ALARP. Furthermore, where the potential consequences are high, HSE will

take a precautionary approach by giving more weight to the use of sound engineering and operational

practice than to arguments about the probability of failure.

3.8 In simple terms, in situations such as described in paragraph 3.7, duty-holders need to:

a) review their accident scenarios and risk management arrangements (for prevention, control

and mitigation);

b) identify what good practice is relevant;

c) comply with the good practice (to the extent to which it is applicable);

d) ask the question - are there any other measures which would be effective in further reducing

the risks?

e) determine whether the extra measures are reasonably practicable and implement those that

are.

Identifying good practice

3.9 In judging and recognising good practice, HSE must be satisfied that it is correctly formulated in

that it:

(a) takes account, where relevant, of:

• individual risk, societal risks and societal concerns;

• the sacrifice and benefits;

• the technical feasibility of proposed control measures and the level of risk control they achieve;

(b) maximises the use of:

• inherent safety and the elimination of hazards;

• the avoidance of risk;

• the control of risk at source by the use of physical engineering controls;

whilst it,

(c) minimises the need for:



• procedural controls; and,

• personal protective equipment;

and it is in a form that:

(d) clearly defines the scope of the good practice and the circumstances where it is relevant; and,

(e) can be clearly specified, e.g. it is either written down or is a well-defined and established

practice adopted by an industrial/occupational sector.

Assessing compliance with reasonable practicability

3.10 When reviewing health or safety measures on an existing plant, installation or situation (such as

when considering retrofitting, safety reviews or upgrades), duty-holders should compare existing

measures against current good practice. The good practice measures set out should be adopted so

far as is reasonably practicable. It might not be reasonably practicable to apply retrospectively to

existing plant, for example, all the good practice expected for new plant. However, there may still be

ways to reduce the risk e.g. by partial solutions, alternative measures etc.

3.11 In determining what is reasonably practicable, the starting point for the risk/sacrifice computation

should be the current situation. Duty-holders should also consider the adequacy of the relevant good

practice (paragraphs 2.1.e. & f. are appropriate considerations). When a code or standard is updated

to a higher standard, the plant, installation or situation should be examined to see if it can be brought

up to the new standard. Any such upgrades should be undertaken if reasonably practicable.

3.12 New plant, installations or situations should conform to current good practice, as a starting point.

Other potential options should be considered to determine whether further risk reduction measures

are reasonably practicable. As a guide, designers can aim and compare against levels of safety that

are known to have been achieved in other “best practice” designs.

3.13 The use of good practice at the design stage is essential to demonstrating achievement of

ALARP. This should include use of sound design principles (e.g. inherent safety) as well as codes,

standards and guidance. Further advice is given in “Policy and guidance on reducing risks as low as

reasonably practicable in Design”

3.14 In prioritising its resources, HSE may decide in an individual case not to pursue further action

where a duty-holder has reduced risk to within the ‘broadly acceptable' region of the TOR framework

(see R2P2, para.122ff, for an explanation of this framework) and only a small reduction in risk would

be achieved.” However, the legal duty to reduce risks ALARP remains.



APPENDIX D

STATEMENTS FROM THE HSE, DTI AND OFGEM



HSE comments on the legal position of the use of active current limiting devices

1) HSE has reviewed the legal position of the adoption of active current limiting devices, such as ls Limiters, and has the following comments. The comments are not intended to be all embracing but are focussed on a number of key issues and are in addition to those comments that HSE has already provided to you in recent discussions.

a) The HSW Act 1974 is relevant and would not, in principle, prevent the use of Is Limiters.

b) The Management of Health and Safety at Work Regulations 1992 are relevant. Regulation 3 (1.b) is particularly relevant and would have important implications for duty holders involved in electrical generation and distribution network operations together with users of electricity. Particularly relevant is the information, and the confidence of the information, that will need to be made available to allow duty holders, downstream of the Is Limiters, to fulfil their legal duties. In the context of the possible introduction of the application of Is Limiters, the complexity of the necessary information is likely to be greater than is currently the case. With the many interfaces (embedded generator provider, DNO and multiple end users) there is the potential forgetting things wrong.

c) Regulation 5 of The Electricity at Work Regulations 1989 is particularly relevant since it places an absolute requirement on duty holders. For example, Regulation 5 would apply to a duty holder, downstream of the Is Limiter, who has under his control a circuit break being ‘protected' by the Is Limiter. In the event of a fault, (e.g. a cable fault) arising downstream of the circuit breaker and subsequent failure of the Is Limiter causing the circuit breaker to become over-stressed and fail catastrophically, it could be argued there was a breach of Regulation 5.

d) To cater for the situation outlined in (c) above, it was envisaged that Regulation 29 could provide a basis of a defence for the relevant duty holder providing the duty holder was able to demonstrate he had taken “ all reasonable steps and exercised all due diligence". However, having reviewed Regulation 29 we have concerns about what these words actually mean in law in the context of all the issues arising in the application of an Is Limiter, and in the end, this could become a matter for the courts to decide.

2) In principal there is nothing in the EAW Regulations 1989 to prevent the use of ls Limiters but we have highlighted the uncertainty of the application of Regulation 29. There are two options that we are currently assessing which will include discussion with relevant parties:

c) Short term: We could explore the provision of an exemption(s), under Regulation 30 of the EAW Regulations!989, relating to the application of Regulation 5. We would see the use of an exemption(s), if and where permitted, as a stop-gap measure but the problems of such an approach may make it impractical.

d) Mid - Longer term: The EAW Regulations 1989 are under review and we could take advantage of the revision process to assess what changes could be made to deal effectively and safely with future technical developments such as embedded generation and the application of ls Limiters in particular. However, the degree of change will be constrained by the HSW Act 1974 Section 1(2) which prevents the dilution of the levels of safety already established in existing Regulations.

Ron BellHead of HSE’s Electrical & Control Systems Unit Tel: 0151 951 4788 Email: [email protected] 29th January 2004



DTI ref CCCG/002/00021

Date 11 December 2003

Mr John SinclairElectricity Networks AssociationNetwork Operations and Design Engineer18 Stanhope PlaceLondonW2 2HH

Dear Mr Sinclair,FAULT LIMITERS AND THE APPLICATION OF THE ELECTRICITY SAFETY, QUALITY, CONTINUITY AND QUALITY REGULATIONS 2002

Further to your request for comments on the PB report into fault (Is) limiters (Doc No 03/UK/00667) under Work Stream 3 and the meeting of the 4 December 2003, I am writing on behalf of the Engineering Inspectorate to give a formal view regards the current interpretation of the Electricity Safety, Quality and Continuity Regulations 2002 (ESQCR) highlighting how these may impact on the application of the device throughout. The comments are:-

1- Regulation 3 - General adequacy of electrical equipment

Regulation 3.1(a) - "sufficient for the purposes for and the circumstances in which it is used;"This is an absolute requirement, which would not be covered by the “as far as reasonably practicable” qualification in regulation 3(1)(b). It does not preclude the use of a Is limiter, because if designed and specified properly, it should be “sufficient for purpose”.

The Is limiter will prevent existing switchgear seeing fault levels above duty. The premise here is that the Is limiter will work in all circumstances.

If the Is device fails, it is clear that any circuit breaker unit that fails subsequently to clear (due to inadequate duty) would not be "sufficient for purpose". In this circumstance, the duty holder would have to demonstrate that he/she had anticipated the consequences of a possible failure of the Is device and any mitigation measures required to keep within a tolerable risk level the duty holder would need to justify.Regulation 3.1(b) - Any responsible duty holder should go through a thorough design installation and commissioning process if these devices were to be used. As discussed, due to the nature of the devices there will be requirements for the correct system analysis tools and considerations of alternatives to identify tolerable risk levels that the duty holder would need to justify. The “as far as is

Department of Trade and Industry

Energy Group

V 1601 Victoria Street London SW1H 0ET

Direct Line +44 (0)20 7215 2745Fax +44 (0)20 7215 2842Minicom +44 (0)20 7215 6740Enquiries +44 (0)20 7215 5000www.dti.gov.ukDavid. G ray@dti. gsi. gov.uk



reasonably practicable” qualification applies to this limb of regulation 3 and allows scope for guidelines and code of practice introduction assuming that the device complies with regulation 3.1(a).

2- Regulation 4 - Duty of Co-Operation

The main issues here are as to which fault levels will be assumed between networks and as to what would be communicated between duty holders. It suggests from the consideration of adequacy above, that the device cannot be tested properly until a fault occurs. If therefore there is a chance of adjacent networks becoming overstressed this should be communicated. The duty holders concerned can then decide how they wish to comply with the relevant regulations and the level of risk they take for insurance/safety of employees/public. The important thing is that the possibility of risk is communicated clearly and the consequences are spelt out between parties. This illustrates that a set of common guidelines between the companies is highly desirable otherwise there will be unnecessary disputes over approach between duty holders, possibly involving enforcement bodies.

There is no obligation under regulation 4 on duty holders to disclose information to consumers. However, we would expect consumers to be informed of the effect on his/her network due to the adoption of Is limiters on the duty holder's network. This would allow the consumer to decide what level of risk he/she wishes to take at his premises.

In addition, this discussion between the duty holder(s) and consumers would need to be undertaken in a timely manner so it did not become a “fait accompli” for the consumer or duty holder, otherwise it could lead to unnecessary disputes.

3- Regulation 6 - Electrical Protection

If the device is considered as an "intelligent fuse" and therefore an electrical protection device, and it operates correctly, then there would be no breach of this regulation.

If it fails to operate there is no other protection that will clear the fault, no grading being possible because the disconnection devices (i.e. circuit breakers) remaining will be inadequate.

Bearing this in mind, it would be difficult to demonstrate compliance with Regulation 6 if the device failed. This would also be the case for conventional relays where it was set incorrectly or failed to operate. However, the consequences of failure could be more serious for a Is limiter and again this would need to be assessed at the design stage and a risk mitigation approach considered.

4- Regulation 23 - Precautions against Supply Failure

Under regulation 23 the duty holder must show that the device is set to operate at a correct level to restrict, so far as is reasonably practicable, the numbers of consumers affected by any fault and also that all reasonably practicable steps have been taken to avoid interruptions of supply resulting from his own acts. As this cannot be demonstrated without destruction of the device, there would be no way of practically demonstrating correct setting other than by the demonstration of the detection circuit function (for ABB and G&W) and correct trip signal. This is no different to the case with a conventional fuse except that a back-up arrangement (from a larger fuse) is available with a conventionally fused circuit arrangement.

5- Regulation 28 - Information to be provided on request

Under this regulation there is no obligation on the duty holder to provide information on the network unless requested by the consumer connected to the network.

In line with the comments on regulation 4 above, a code of practice would need to be developed so it was clear that under regulation 28(a) when fault level data was supplied to connectees, fault levels were stated for correct device operation and for the situation if it failed to operate. The connectee could then decide how much risk he/she wanted to take.



Also under regulation 28 (c) some information regards the settings/capability of equipment and limitations at the interface with the connectee would need to be explained so that any shortfalls for a failure of the device (i.e. the two possible situations) could be highlighted.

The very nature of doing this may cause a problem on failure of a device, as any legal action against the duty holder could demonstrate that there was a possibility of plant failure for the loss of the Is limiter and there had been a decision not to invest to avoid danger and/or interruption to supplies. This eventuality would need to be covered via the design process and consideration of alternatives, the duty holding company having a defensible risk assessment process.

A possible outcome is that the consumer would decide to invest in equipment below the duty of the Is limiter. Again, the consumer would need to have a proper assessment process in place informed from the duty holder's own assessment of risk of failure of its Is limiter. Therefore it would be expected that the duty holder will need to provide data to the consumer to allow a full risk assessment to be undertaken by the consumer.

6- General Approach to the WS3 Fault limiter Report and further Investigation Areas

Further to the meeting, the Inspectorate feel that a suggested approach to the current report and further work in the longer term is:-

i) Identify the legal environment and identify areas that require further investigation (current report)ii) Examine the implications for installationsiii) Develop draft guidelines for use of Is Limitersiv) Test these guidelines on a number of real examples, undertaking the engineering and study work to identify risk and mitigation methods, training (for planners and installers and operations) and study tools required. This would be an iterative process with (iii).v) From (iv) the level of risk could be determined and the practicality for application in a DNO environment assessed.

As discussed at the meeting on the 4 December 2003, the report is at stage (i) above. Therefore there is still a lot of investigative and evaluation work to be undertaken by the industry companies and their consultants before any decision regards adoption of the devices for general use could be made by duty holders.

7- Risk

As outlined at the meeting the adoption of Is limiters would put the duty holder into a position where the company would be operating with level of assessed risk of failure. This is not the normal position at present where all equipment is rated for duty and will (as in the case for circuit breakers) be installed such that they are sufficient for purpose even after the failure of another piece of equipment on the network. This change in philosophy needs to be highlighted to the duty holder management so that the change in approach is properly understood.

I would be grateful if you could circulate these comments to the appropriate members of the workstream. As discussed at the meeting please feel free to ask for opinions from the Engineering Inspectorate on new developments arising from the various workstreams at an early stage so that the legal framework can be discussed and scoped as part of the investigation.

I would be interested in any additional work that is commissioned in relation to fault limiters as a result of this initial report.

Yours sincerely

David GraySenior Engineering Inspector



John,

At the meeting on 4 December I took an action to consider whether Ofgem has any governance over the safety issues related to the deployment of IS Limiters. I have discussed this with our legal advisors and can offer the following summary of our position.

Ofgem s governance of a DNO’s activities is given effect through the DNO’s licence. The licence requires a DNO to have in place a Distribution Code and this in turn requires that protective devices are employed on a DNO’s system in accordance with the ESQC regulations. Together with the Electricity at Work regulations, the ESQC regulations are of course already being considered fully in the IS Limiter debate. It does not appear therefore that Ofgem has any governance role additional to the regulations already being considered.

It is worth noting that, if the use of the device increased costs in an inefficient way, Ofgem would be concerned. However, as the reason for considering the use of IS Limiters is to provide a lower cost solution this does not seem to be applicable.

Finally, a DNO would have to consider the impact of using the device in terms of interruption performance. This is captured by the Electricity (Standards of Performance) Regulations 1993 and the IIP mechanism.

I hope this answers the question but please come back to me if any clarification is required.

Regards

Gareth EvansTechnical AdvisorOfgem, London+44 (0)20 7901 [email protected]

This message may be confidential, privileged or otherwise protected from disclosure. It does not represent the views or opinions of Ofgem unless expressly stated otherwise.



APPENDIX E

FAULT CURRENT LIMITERS DETAILED DATA



The Device and Its Application

The Device

ABB

ABB produces a fault current limiting device, known as an Is-limiter. The following is a summary

obtained from the ABB product literature.

Product description

The device is a combination of a fast acting switch with high current carrying capability but low

switching capacity and a fuse with high breaking capacity, mounted in parallel.

A small explosive charge (of comparable quantity to that used in airbags) is employed to give fast

operation of the switch on the main conductor. Once the switch has operated, the current is diverted

to flow in the parallel fuse where it is interrupted.

The current flowing through the device is monitored in an electronic measuring and tripping unit which

is responsible for initiating tripping when an abnormally high and fast rising current is detected. Both

magnitude and rate of rise of the current are monitored and tripping is initiated only when both

quantities are above certain setting values.

The Is-limiter for three-phase applications comprises three single pole holders with replaceable

inserts, three tripping current transformers and one electronic measuring and tripping unit.

Two insulators carry the pole heads with a clamping device to hold the Is-limiter insert (see Figure

2.1.1). On the 12 kV and 17.5 kV versions, one insulator is fitted with a pulse transformer, while on

the 24 kV and 36 kV versions, both insulators are fitted with such transformers.

The pulse transformers transmit the tripping pulse from the measuring and tripping device to the

charge in the insert at system potential, and at the same time serve to isolate the measuring and

tripping device from the charge. The clamping device is activated by a lever with rated currents of up

to 2000 A. For rated currents above 2000 A, the Is-limiter holder contains four insulators and a

clamping device activated with studbolts.

The Is-limiter insert is the actual switching element comprising the main conductor and the parallel

fuse. The insert is replaced after tripping and reconditioned at the manufacturer's premises.



Is-limiter insert holder with insert for 12 kV, 2000 A

1 Base plate

2 Insulator

3 Pole head with clamping device

4 Fuse

5 Telescopic contact

6 Insulator with pulse transformer

Is-limiter insert

4 Fuse

7 Fuse indicator

8 Insulating tube

9 Bursting bridge

10 Charge

11 Main conductor indicator

12 Fuse element

Figure 2.1.1 Detail of Is-limiter construction.

A tripping current transformer is installed in series with the Is-limiter in each phase and used to

measure the current.

These current transformers are externally identical to a conventional current transformer and

designed as a post or bushing type current transformer. They have special features such as high

overcurrent factor, an iron core with an air gap and a low impedance shield between the primary and

secondary winding.

The measuring and tripping device is accommodated in a sheet steel control cabinet or in the low

voltage compartment of the Is-limiter panel. The functional groups within the panel are combined so

as to form replaceable units, and are partly mounted on hinged frames.

The measuring and tripping device includes:



• a power unit to provide the necessary auxiliary DC voltages, a main switch which allows the tripping

system to be switched on and off at any time, and a monitoring module

• one tripping unit for each phase, which monitors the current flowing in the relevant phase and on

tripping provides the energy for triggering of the charge in the corresponding insert

• an indication unit with five flag indicator relays:

- one relay per phase for trip signalling,

- one relay for monitoring of readiness for operation

- one relay for monitoring of the supply voltages

• an anti-interference unit to protect the measuring and tripping assemblies from interference pulses

from the outside, which could possibly cause malfunction. The connecting wires from the measuring

and tripping device to the current transformers, to the Is-limiter insert holders and to the AC voltage

supplies are routed via the anti-interference unit.

Maintenance and handling of the device

ABB recommends the following maintenance schedule.

a) Type of maintenance

Testing of the Is-limiter in accordance with the "Description of the Is-limiter test set" provided by ABB.

b) Frequency

Testing of the Is-limiter should be undertaken with the same frequency as the remaining protection

equipment (e.g. once every year / every two years).

c) Expected duration of such maintenance and any impact on fault current limiter and system down

time

For the testing of the Is-limiter the Is-limiter inserts have to be replaced by test inserts. For this reason

the Is-limiter has to be isolated. The testing of the Is- limiter takes 1 to 2 hours.

d) The maintenance can be carried out by the customer staff.

e) Self monitoring and testing

The self-monitoring unit of the Is-limiter performs a continuous check (analogue technology) of the

device's basic functions. In the event that a defect appears inside the electronic circuitry, an alarm is



given. Additionally, the sensitivity of the device is automatically increased to cater for the internal

fault. This however gives exposure to possible spurious trips.

During the "maintenance test", a special Is-limiter test certificate has to be completed. All of the

components which need to be tested can be tested using the Is-limiter test set.

f) Repair time

The typical repair times for the potential failure modes of the fault current limiter system are given by

ABB as:

- tripped Is-limiter inserts: 1 ...3 days

- all other components: 2 ...4 days

- current transformers: 2 weeks

g) Handling

ABB states that there are no special requirements for transport and storage of these devices in

addition to those applicable to general electrical equipment.

G&W Electric

G&W Electric Company produces two types of current limiting devices, the CUP® (Current Limiting

Protector) and the PAF® (Power Assisted Fuse).

The following is a summary obtained from the G&W product literature.

Product description

The CLiP utilizes electronic sensing and triggering while the PAF uses an element sensor for initiation

of triggering.

Conceptually, these devices are high-speed switches that carry the continuous current. Upon sensing

of a fault and response by the electronic triggering logic, the switch is opened and the current is

forced into a current-limiting fuse which interrupts the circuit (see figure below).



I CUTTING (SWITCHING) ^LOCATIONS ON MAIN

'""---CONDUCTOR

TRIGGERING 3IC

CURRENT-LIMITING HUNT FUSE ELEMENT

-REPLACEABLEINTERRUPTER

ISOLATION TRANSFORMS!

POWER SUPPLY CONNECTION '

CURRENT TF1ANSF0RME R

STAND-OFFINSULATOR

Layout of a Triggered Current Limiter

These devices are characterized by a primary conduction path, which electrically parallels a current

limiting fuse of very high energy absorption capability and low melting l2t. Approximately 0.1% of the

continuous current flows through the shunt fuse in its normal state due to its resistance versus that of

the primary TCL current path. Upon incident of a fault meeting the triggering criteria, the primary

current path is opened - essentially a high-speed switching operation.

Sensing of the fault current actuates a linear cutting device which cuts the copper of the main

conductor into a number of fractional lengths and bends them upwards forming multiple gaps which

host arclets. The arc voltage diverts the short circuit current into the shunt current-limiting fuse which

provides the interruption. The interrupt process of this shunt fuse is typical of the traditional current-

limiting fuse with 1/4 cycle extinction of symmetrical and 1/2 cycle extinction of asymmetrical faults.

The point of actual current limitation is often well in advance of the time of extinction. Note that this is

not at the natural current-zero point at which most circuit breakers, switches, reclosers and expulsion-

type fuses interrupt. The one exception to this is the reactor bypass application where the TCL is

clearing against only partial system voltage across the reactor. In this case the clearing time is

typically only a few hundred microseconds after occurrence of the peak let-through condition.

The G&W devices are not dependent on rate-of-rise of fault current, but instead, are responsive to

magnitude. Further details of operation can be found on the G&W web-site, in particular within an on

line article entitled ‘An Effective Alternative for High Current Protection’. This gives a step by step

description of what happens during the interruption process.

Maintenance and handling of the device

G&W Electric recommends keeping 1 spare set per 3-phase installation.



Presently in the U.K. G&W has maintained 1 extra set of fuses on consignment (our ownership) at the

customer as an additional backup set. This happens to be the same rating as our other U.K. customer

and has been used/replenished.

G&W recommends the following maintenance schedule.


A check with the Field Test unit and possible paint touch-up on outdoor units.

b) Frequency

Every 1 - 2 years, typically when the system is deenergized for similar circuit breaker checks. A

nuclear plant application, for example, has an active period of 1.5 years between maintenance

periods.

c) Expected duration of such maintenance and any impact on fault current limiter and system down

time - Following deenergization and grounding, about 45 minutes.

d) Maintenance can be carried out by the client's staff. If G&W is called for commissioning they train

the user's personnel. Alternatively, approximately 50% of their customers commission their own units.

Calls for maintenance checks have totalled 3 or 4 in the past 18 years. If questions occur, they can

typically be handled by telephone, fax and email.

e) Self monitoring and testing

A primary concern of the unit is maintenance of control power to the unit. The units rely on the client's

supply. Generally G&W recommends that the DC station batteries used to provide power to

substation equipment and trip the circuit breakers also be used for the CLiP supply, which is generally

the most reliable. Alternatively, an AC UPS system may be applied. Control voltage monitoring relays

(2 sets of contacts) can provide feedback to the client's supervisory controls or staff if control power is

lost.

The overall function of the CLiP triggering circuitry can be periodically tested with the field test unit

provided by the manufacturer. The client's staff can readily perform these tests. Use of the field tester

not only verifies that the sensing and triggering functions are active, but also measures the triggering

pulse magnitude and time constant to ensure that the pulse is of the proper characteristics.

Tests can also be performed on the control box functions to verify that the protective relays are

functional. The feedback circuit indicating an operation, which they monitor, is also tested. These

checks can also be performed by the client's staff. Testing takes approximately 5 minutes.



The one function that can not be checked is that of the interrupter. Continuity through the detonator

can be checked if desired. The interrupter is, however, a “one-shot” device. One can therefore not

perform a functional test on the interrupter.

f) Repair time

G&W recommends ordering the “Redundant Sensing and Firing Logic” option on overseas units. In

that way, if one SFL were to become disabled, it would not prevent use of the system - the other SFL

on that phase provides complete redundancy. Alternatively, a new unit can typically be built,

calibrated and shipped in 4 days.

The isolation transformer can typically be prepared, tested and shipped in 1 week. On rare occasions,

customers will order an additional phase which would include both isolation transformer and SFL.

The control box printed circuit board can be shipped overnight. Inverters, sometimes used in the

control box, are generally in stock, but can take up to 6 weeks.

g) Handling

G&W state that there is minimal additional care to be taken when handling and transporting these

devices. The interrupter units are entirely self-contained. Each contains a minimal amount of

pyrotechnic matter 3 grams for the smallest and 16 grams for the largest. While they need to be

treated with respect to avoid dropping and subsequent damage to the enclosing tubes, they are not

regarded as a substantial hazard. Transport regulations are straight-forward for shipment around the

world. Cargo planes and commercial overland carriers handle them without difficulty.

Storage is recommended in a cool, dry location where other electrical equipment is generally kept.

The units are designated by the U.S. ATF (Alcohol, Tobacco & Firearms) as a “pyrotechnically

assisted tool,” similar to the designation applied to the cartridge operated nail guns used in building

construction.

Disposal is simply a matter of common refuse. Customers do not try to reclaim the copper as it is

difficult to access with the heavy, glass-reinforced, cast-epoxy ends. If incinerated, we recommend

drilling or puncturing of the tube wall to prevent pressure build-up and sudden release.

Coordination

These devices have very fast operating times and are designed to trip before other circuit breakers.

Their operation takes place when the remaining circuit breakers are approaching their ratings.

The continuous current is, for all practical purposes, completely independent of the current-limiting

performance of the device. Since these are electronically sensed and triggered units, their operating



criteria is preset and not dependent on time versus current, temperature, element size (or melting I2t)

or preconditions.

System Scenarios

It is envisaged that the internal processes which constitute the functioning of the current limiting

device are not influenced greatly by the specific application in which the device is employed.

However, the study, and in particular the risk assessment, considers a range of possible installation

arrangements.

The following three scenarios have been considered following agreement with WS3:

4. Current limiting devices in system interconnections or busbar couplers.

5. Current limiting devices in transformer secondary circuits.

6. Current limiting devices in links between public network and private generation sites.

2) Transformer secondary circuits 3) Generator connection1) System Interconnections

It is assumed throughout this study that the sole reason for installing the current limiting device is to

limit the fault levels to within the ratings of the existing equipment. It has also been assumed that it is

only the ratings of the feeder circuits that would be exceeded, should the current limiting device fail to

operate. This is because the feeder circuits are the only ones that will see the short circuit currents

from all sources. This will be the situation in the majority of applications.

It should be noted that with arrangement 3, when there is a fault in the distribution network, the

current flowing through the current limiting device will only be the contribution of the local generator.

Given the generator sizes typical for the range of applications considered in this study (relatively small

embedded generators), such contributions may only be detected via relatively sensitive settings in the



current limiting device, with a resulting danger of spurious tripping. It is possible to achieve a

directional discrimination between faults on the network and faults on the generator side, including

generator internal faults, by installing three CTs in the generator neutral connections in addition to

those installed on the current limiting device. This will also prevent tripping when the generator is

disconnected.

Fault conditions

The fault limiting device will be subject to fault current during fault conditions affecting the power

system.

The significant fault types to be considered are the three-phase fault, the phase-phase fault and the

phase to earth fault. It should be noted, however, that the fault location under examination is just

downstream of a feeder breaker, while the current limiting device will be located on the busbars, on a

transformer secondary circuit or on a generator connection. The device will however see the same

fault type as the feeder, although of reduced magnitude.

A three-phase current limiting device comprises three elements, one on each phase. This provides a

certain degree of redundancy in the amount of devices installed.

The earth fault level in impedance earthed distribution systems is typically of significantly lower

magnitude than the three-phase fault level, owing to the use of earthing resistors located at

transformer neutral points. For a single phase to earth fault, the system should be designed so that

the current limiting device does not trip.

For a phase-phase fault, two limiting devices will respond to fault current, and even with a failure of

one unit to operate, the healthy unit should still trip and clear the fault.

Similarly, for a three phase fault, fault current will flow in all three devices and failure of one unit to

operate will still leave the other two units available to clear the fault.

In solidly earthed systems, the earth fault level is typically of a very similar magnitude to the three-

phase fault level. Moreover, the earth fault level on the secondary side of delta-star primary

transformers may exceed marginally the three-phase fault level, due to the transformer zero sequence

impedance being smaller than the positive sequence and due to the delta winding stopping the

primary network zero sequence impedance from having any effect on the earth fault level. This type

of system should be designed to provide tripping of the current limiting device for an earth fault. The

device located in the faulted phase does not have any back-up from the other two phases if it fails to

operate. However, this is unlikely to be an issue in the UK where solid earthing is normally only used

on the 132kV system, as current limiting devices are not yet available for 132kV systems.



Independently of the neutral earthing, a phase-phase fault yields a lower fault level than a three-phase

fault (87 %), and this needs to be taken into account when setting the device.

The table below shows fault data for all except two of the UK DNO licence areas (Eastern and

Seeboard) for the period 2001/02.

Voltage

(kV)

Total O/H Cables SwGr Trans Other

1 < 20 27,708 13,939 5,799 3,007 2,087 2,876

22 < 66 2,375 993 676 166 152 388

Overhead line faults can be regarded as predominantly single phase and cable and plant faults can

be regarded as predominantly two or three phase. For resistance earthed systems the current limiting

devices will not be required to operate for single phase to earth faults, these represent almost half of

the faults on the system.



APPENDIX F

EFFECT OF FAULT CURRENT LIMITERS ON SWITCHING TRANSIENTS AND

DOWNSTREAM CIRCUIT BREAKERS



Introduction

The use of current limiting devices is currently being considered for applications where a feeder circuit

breaker may be otherwise subjected to fault levels above its ratings.

Some concerns were raised during meetings with WS3 on the behaviour of the current limiting device

when the feeder circuit breaker closes onto a fault. In particular, there was concern about the speed of

operation of the current limiting device, and whether or not the circuit breaker would experience a

peak current or rate of rise of current in excess of its rated capability.

WS3 requested that an explanatory paper on the subject of switching transients should be issued in

advance of the final draft of the main report. This paper provides a brief overview of the fundamental

phenomena and fault current waveforms associated with switching transients in circuits employing

fault current limiting devices.

Close on Fault

A switching transient arises when a circuit breaker is closed on to a downstream short circuit fault.

The resulting fault current can be studied using the simplified single-phase circuit shown in Figure 1,

where the equivalent impedance between the source and the location of the fault is used.

I R L^<--------

v<S)

Figure 1

Simplified equivalent RL circuit supplied by an AC voltage source.

The total impedance between fault point and source

= — R + jX L — R + j 2 sfL — 5 + ja>L

Z = total impedance, :R = total resistance, :

f = system frequency, Hz L = total inductance, H

m = system pulsation, rad/s



This has a steady-state power factor given by

Rcos M — —

I =Eq. 1.

The presence of inductance in the circuit means that the current flowing through the circuit cannot

change instantaneously. Before the circuit breaker is closed there is zero current flowing and there is

zero magnetic energy stored in the circuit inductance. As soon as the circuit breaker is closed onto a

fault, current will try to flow. The change in current through the conductor is opposed by an

dielectromagnetic force of magnitude L —. There will also be a voltage drop across the circuit

resistance of RL (Ohm’s Law).

From the instant at which the circuit breaker is closed, the circuit equation is therefore

RL + L — — v — Vm sin (at + T) Eq. 2Wt

i = instantaneous current, Amps t = time, sVm = Voltage peak, Volts v = instantaneous voltage, Volts 0 = switching angle, rad.

The arbitrary phase angle 0 accounts for the time of closure of the circuit breaker within the voltage

cycle. 0 has the value required to give the correct instantaneous voltage at the time of circuit breaker

closure (t=0).

Following the closure of the circuit breaker there will be a transient period during which there will be a

transient dc current with an exponential decay, superimposed on a sinusoidal 50Hz current. This can

be seen by solving equation 2, using simple steps based on basic trigonometric relationships and on

partial fractions as well as more complex Laplace transformations.

The final expression derived for the transient current is

L(t) — V- >sin(at + T - m ) - sin(T - m )h -t'W ] Eq. 3

w = L/R = circuit time constant, s.

The first term in Equation 3 is the steady-state element, with magnitude Vm/Z and phase angle -m with

respect to the voltage. The second term is the transient element with the exponentaial decay. At t=0,



the transient element has same magnitude as the steady-state element and is equal and opposite

giving 1=0 A, while at t=oo it extinguishes leaving only the steady state sinusoidal wave. It should be

noted that for high values of the time constant t=L/R, the exponential approaches a constant value

equal to the magnitude of the steady-state term. The following figures have been derived with t=63.6

ms (X/R=20).

Time (sec)

DC Compt Fault Current AC Comp

Figure 2

Asymmetrical fault current obtained from Equation 3; cos(p=0.8 (cp=36.87 deg), 0=0 deg.

Two particular values of the switching angle 0 can be identified.

If the circuit breaker closes when 0=cp, the transient component is zero and the total current coincides

with the steady-state element, sinusoidal and symmetrical (Figure 3).



Time (sec)

DC Compt-------Fault Current AC Comp

Figure 3

Symmetrical fault current obtained from Equation 3; cos(p=0.8 ((p=36.87 deg), 0=36.87 deg.

On the other hand, if breaker closure takes place when Q-<p=±nl2, the transient component attains its

maximum amplitude (Vm/Z) and the first peak of the total current (t=10 ms at f=50 Hz) approaches a

value of twice the magnitude of the sinusoidal steady-state component, particularly for high values of t

(Figure 4). This peak value must be contained within the fault making rating of the circuit breaker.



Time (sec)

DC Compt-------Fault Current AC Comp

Figure 4

Asymmetrical fault current obtained from Equation 3; cos(p=0.8 ((p=36.87 deg), 6—53.13 deg.

Circuits Employing Fault Current Limiting Devices

Figure 5 illustrates the effect of a current limiting device installed in the bus coupler between two

transformers (scenario 1)) on the total current flowing in a faulted feeder.

C

E3o

-0

Time (sec)

■ Pro Trip Current Post Trip Current

Figure 5

Effect of a current limiting device on a fully asymmetric fault.



The prospective fault current is assumed to be fully asymmetrical, as depicted in Figure 4.

It can be seen that, under the conservative assumption that two contributions are in exact phase, the

fault current T at the feeder point has a prospective profile which is double that associated with one

transformer.

Due to the tripping of the limiter, the fault contribution of one transformer is clamped and the total

current T has a peak value which is of similar magnitude to that obtained with one transformer in

operation. The actual peak value will depend on the tripping settings employed for the limiter and, as

shown in Figure 6, can be higher than that obtained with one transformer in operation.

CUP ASYMMETRICAL FAULT INTERRUPTCIRCUIT X/R OF 20 IS APPLIED

CRESTS = (rms. sym Amperes) * Asym Pk Multiplier of 2.624

CURRENT LIMITER WITH

CUP ASYMMETRICAL FAULT INTERRUPTCIRCUIT X/R OF 20 IS APPLIED

CRESTS = (rms, sym Amperes) * Asym Pk. Multiplier of 2.624

HIGHER TRIGGER LEVEL

C ™ 40

Degrees

Figure 6



Different waveforms of the feeder current depending on the current limiter settings (courtesy of G&W

Electric Company).

Figure 5 also shows that the total current flowing through the feeder circuit breaker presents an initial

profile which, until the limiting device initiates tripping, coincides with that associated with the two

transformers in parallel and without the current limiting device. The rate of rise (di/dt) of the total

current in the feeder breaker before the tripping of the device takes place, is therefore higher than that

experienced with one transformer in operation.

A preliminary investigation into whether this higher di/dt could impose dangerous electromechanical

stresses on the breaker revealed that the relevant standards do not specify a maximum or rated value

of di/dt that a circuit breaker should withstand (IEC 60282, IEC 60694, IEC 62271). Also the issue

does not appear to be treated as critical in currently used literature (R. T. Lythall, “The J & P

Switchgear book”, Butterworth & Co Ltd, London).

Additionally, discussions with switchgear manufacturers and designers revealed that the value of rate

of rise of current does not represent a concern on making onto a fault or while the breaker is closed,

only on breaking of the current (contacts separating). The additional di/dt when conducting current for

a few milliseconds only yields a negligible increase in the thermal load on the contacts.

A preliminary evaluation of the value of di/dt associated with two 250 MVA, 11 kV fault infeeds was

undertaken under conservative assumptions (maximum current asymmetry, fault infeeds in phase)

using Equation 4 below, and a value of 6.2 A/ps was calculated. Comparison with values used in

current impulse tests for surge arresters, which can reach 1250 A/ps for MV applications (BS 2914,

The J & P Switchgear book), would also suggest that the increase in di/dt should not be regarded as

problematic.

Some members of WS3 were also concerned about the throw-off forces present during making of the

circuit breaker contacts, as these are proportional to the square of the current flowing. With a higher

rate of rise of current, there was concern that the throw off force at any particular point during closure

of the contacts could be greater than the force exerted by the closing mechanism.

The manufacturers of the current limiting devices have been asked if they have not carried out any

specific tests on circuit breakers closing onto faults for applications where the current limiting device is

being used as an alternative to replacing the circuit breaker with higher rated equipment. They have

not come across any instances where the circuit breaker has been unable to close onto a fault in this

type of application.

ABB advise that under IEE 62271-100 Clause 6.111, circuit breakers for a rated voltage of 12kV are

tested with a frequency of 4250Hz, 20kA - peak back to back. Circuit breakers have been able to

make satisfactory during these tests.



ABB Device Setting

The ABB device requires that two settings are reached before tripping takes place.

The Is limiter's measuring and tripping device constantly monitors the instantaneous value (i) and the

rate of rise (di/dt) of the current through the limiter. The device trips when the rate of rise reaches or

exceeds a specified level (di/dt)T, whilst the current flowing through the limiter is between i2 (lower

measuring range limit) and i1 (upper measuring range limit). Both setting parameters, namely (di/dt)T,

and the range i2 to i1, use instantaneous current values.

Selection of the measuring range limits i1 and i2

The values for i1 and i2 are determined by the conditions at the location where the device is installed

(e.g. operating current, maximum short-circuit current, tripping value) and the type of device. The

lower measuring range limit i2 is, for example, to be selected as approximately 1000 A to 3000 A

above the operating current peak value. The measuring range (i1-i2) is in general 1000 A to 4000 A.

Selection of the setting value (di/dt)T for the current rate of rise

The calculation and selection of this parameter is rather more complex than that for i1 and i2 and may

require the use of computerised tools based on the analytical expression for (di/dt):

5 5------Z

cos(zW + T - m) +---- sin(T - m)h ; Eq. 4

The attached paper “Calculation of the settings for an Is-Limiter measuring and tripping device” was

distributed by the manufacturer and contains details of the selection process and calculations. Great

care needs to be taken when choosing the settings to be used, in particular with the selection of

(di/dt)T. The manufacturer would normally select the correct settings, based on the circuit information

provided by the user.

The following example serves to demonstrate the importance of using the exact settings provided by

the manufacturer. It also demonstrates the importance of making sure that the manufacturer has the

correct circuit information, so that the correct setting can be calculated. The settings should be

revisited if the circuit parameters change (for example due to the addition of power factor correction

capacitor banks).

The rate of rise di/dt presents different maxima during the transient period. This is due to the shape of

the current during the transient which is in effect a sinusoid slightly rotated clockwise by the

exponential term. This yields higher absolute slopes in the half cycles when the current decreases

than in those where it increases (see Figure 6).

Parsons Brinckerhoff Ltd Page99 Final report draft3


Figure 7 shows, on a different scale, the value of a parameter “trip” which is “true” (=1) when the

derivative of the current is above a certain setting. In the case of Figure 5, the tripping (di/dt)T has

been set correctly at 1500 kA/s. If, with the parameter values used in this example, the setting is

increased to 1570 kA/s, tripping does not occur in the first half cycle.

It should be noted that only the values of di/dt in those instants when the current flowing through the

limiter is between h and i2 are relevant to the tripping of the device.

2000

-1679-1692-1710

Time (sec)

di/dt

Figure 7

Rate of rise of current di/dt derived from Equation 4.



Figure 8

Example of incorrect selection of (di/dt)T with failed trip in the first half cycle following the fault.

G&W Electric Device Setting

The G&W device requires only one setting, the current setting, to be reached in order to trip.

These are electronically sensed and triggered devices, and their operating properties are preset and

are not dependent on the conditions prior to or during the fault. These devices do not use rate-of-rise

of fault current as a tripping parameter, but instead, respond solely to current magnitude.

For specifics of fault sensing and trigger level setting as well as the methodology of trigger level

selection further references can be found in the attached paper “Triggered current limiters for closing

bus ties, bypassing reactors and improving power quality”.

Open on Fault

The appearance of a short-circuit fault on a circuit has exactly the same effect on the functioning of

the current limiting device as the closure of the circuit breaker represented in Figure 1 and treated in

Section 1.2.

A transient takes place during which the current limiter device is required to trip, in particular during

the first rise of the fault current (first half cycle).

Once the fault current limiting device has tripped, the feeder circuit breaker will be required to

interrupt a current which must be within its fault breaking rating.



The opening of the circuit breaker takes place typically a minimum of 20 ms to 50 ms after the fault

appears on the system (relay operating time), depending on the protection relay type and settings

employed. This is well after the current limiting device should have operated.

Conclusion

Current limiting devices are being considered for applications where a feeder circuit breaker may be

otherwise subjected to fault levels above its ratings.

The current limiting device needs to trip within several milliseconds of the circuit breaker seeing a fault

on the circuit. This could be for a situation where the breaker is already closed and a short circuit

occurs, or it may be a situation where the circuit breaker is required to close onto an existing fault.

This paper has demonstrated that this can be achieved, even with a fully asymmetric fault current,

provided that the current limiting devices are set correctly. The interested reader can test this further

using the spreadsheet accompanying this paper.

The limitation of fault current by the limiting device will reduce both the fault make current and the fault

breaking current experienced by the circuit breaker. However, because the device acts so fast in

reducing the first peak value of the feeder current, the most direct benefit of a reliable current limiting

device would be that of reducing the fault make current.



APPENDIX G

COMPLETED QUESTIONNAIRES



(Please use extra sheets if necessary and attach any standard documentation which answers the

questions)

Questionnaire for Users of Fault Current Limiters

Product (type, specification, use)

1. Application / function of devices installed (please provide single line diagram)

Final connection to REC system .

2. Range of Ratings:- 6.6kV Voltage

Continuous Current

Interrupting Current (r.m.s. symm)

Current peak and I2t let through

Original design for let through limit of 50MVA. Calor Emag will have data.

3. Range of Settings:- Tripping Values

Setting Values




questions)


System design

4. The process for the design of the fault current limiter system. For example the involvement of the

third parties (manufacturer, consultant, regulator, distribution company etc) in the design or review

of the design.

5. Distribution company manufacturer.

6. To what extent the design process considered the potential failure of the fault current limiter and

the consequence of such failure.

Maintenance

7. The type and level of spares kept

6 inserts

1set of electronic modules




questions)


8. Maintenance carried out on the fault current limiter


Clean of main enclosure

b) Frequency (per year)

Annual

c) Duration of such maintenance and any impact on fault current limiter and system down

time

System down at this time, associated with testing approx. 4 hours

d) Whether or not the maintenance is carried out by the user's staff

Internal staff . Occasional check by Calor Emag (approx. 5/6 years)

9. Extent and coverage of self testing and periodical testing, recommended frequency of testing and

whether or not this can be carried out by the client's staff. Please identify any components which

cannot be tested regularly.

Annual calibration check. Verifies all settings - operational test, measurement element check,

blocking check and input circuits - which tests all system components except insert. (Dummy unit used)

Carried out by staff.

Installed inserts removed at 5 yearly interval for recharge, spares at 8 years. Return to

manufacturer

Calibration unit returned to manufacturer about every 6 years.




questions)


Operational experience

10. The year of first use of fault current limiters

1979

11. Number of fault current limiters currently in operational use.

2 - sets in series

12. Total fault current limiters device operational experience (device that has been in operation or

currently in operation x duration in operation for that particular device)

48 years ?




questions)


13. Number of demands on the fault current limiter (e.g. the number of over current fault) since the

device been installed.

In my time (1983 on) 3.

14. Number of spurious trips (operation of the device outside of design intent) recorded




questions)


a) Cause of spurious trip (This may be due to hardware failure, incorrect setting or

incorrect system design etc)

Hardware component drift. All devices uprated by supplier,

b) Applications in which spurious trips occurred

Return of whole site from ‘island mode'. Transformer inrush seen as fault.

c) Consequences of spurious trips to the system

Site shutdown

15. Number of failed trips (device failed to operate within design intent) recorded

None




questions)


a. Cause of failure (This may be due to hardware failure, incorrect setting or incorrect

system design etc)

b. Applications in which failed trips occurred

c. Consequences of failed trips to the system

16. Availability of the fault current limiter e.g. downtime due to planned maintenance and breakdown

maintenance

Typically 4 - 6 hours / year for above test/ clean .

17. Actual service life of fault current limiters and any component parts requiring more frequent

replacement.

5years




questions)


18. Records of hazardous incident (injury to people) associated with the fault current limiter during

transport, storage, operation, maintenance and disposal.

None occurred

19. Other comments with regards to the fault current limiter.


development of a safety case for the use of current

Documents