development of a safety case for the use of current
TRANSCRIPT
DEVELOPMENT OF A SAFETY CASE FOR THE USE OF CURRENT LIMITING DEVICES TO MANAGE SHORT CIRCUIT CURRENTS ON ELECTRICAL DISTRIBUTION NETWORKS
This work was commissioned and managed by the DTI's Distributed Generation Programme in support of the Technical Steering Group (TSG) of the Distributed Generation Co-ordinating Group (DGCG). The DGCG is jointly chaired by DTI and Ofgem, and further information can be found at
www. distributed-generation, gov. uk
Report Number: DG/CG/0022/REP URN 04/1066
Contractor
P B Power
The work described in this report was carried out under contract as part of the DTI’S New & renewable Energy programme. The views and judgements expressed in
this report are those of the contractor and do not necessarily reflect those of the DTI or Future Energy
Solutions.
First Published 2004
© CROWN COPYRIGHT
Page i
CONTENTS
1 INTRODUCTION AND BACKGROUND..................................................................................................1
1.1 Background to Project............................................................................................................................... 1
1.2 Introduction................................................................................................................................................. 2
1.3 Methodology................................................................................................................................................ 2
2 THE CURRENT LIMITING DEVICE...................................................................................................... 4
2.1 Introduction................................................................................................................................................. 4
2.2 Overview of Operation and Application...............................................................................................4
2.2.1 Existing Experience in the 'UK........................................................................................................ 4
2.2.2 Principles of Operation....................................................................................................................4
2.2.3 Applications.....................................................................................................................................5
2.2.4 Fault types........................................................................................................................................6
2.3 Hazard Identification................................................................................................................................. 7
2.3.1 'Introduction..................................................................................................................................... 7
2.3.2 Failure Modes, Effects and Criticality Analysis.............................................................................. 8
2.3.3 HA=OP...........................................................................................................................................12
2.3.4 Findings of Hazard Identification.................................................................................................. 12
2.4 Operational Experience........................................................................................................................... 17
2.4.1 Mal-Operations..............................................................................................................................17
2.5 Reliability assessment............................................................................................................................. 19
2.5.1 'Predictive Reliability Assessment................................................................................................... 19
2.5.2 Reliability Assessment Based on Operational Data...................................................................... 20
2.5.3 Discussion......................................................................................................................................21
2.5.4 Conclusion .....................................................................................................................................21
3 SAFETY LEGISLATION REVIEW, INTERPRETATION AND COMPLIANCE............................22
3.1 Introduction............................................................................................................................................... 22
3.2 Review of general safety legislation................................................................................................. 23
3.2.1 The Health and Safety at Work Act 1974...................................................................................... 23
3.2.2 Management of Health and Safety at Work Regulations 1999......................................................24
3.2.3 Review of The Electricity at Work Regulations 1989.................................................................... 25
3.2.4 Review of The Electricity Safety, Quality and Continuity Regulations 2002 (ESQC'R)................28
3.3 Review of IEC 61508 Functional safety of electrical/electronic/programmable
electronic safety-related systems.................................................................................................................33
3.4 Explosive regulations.............................................................................................................................. 35
3.5 Conclusions................................................................................................................................................. 37
4 SAFETY MANAGEMENT........................................................................................................................ 39
Page i
4.1 Introduction................................................................................................................................................ 39
4.2 As Low As Reasonably Practicable (ALARP)................................................................................... 39
4.3 Risk Assessment..........................................................................................................................................39
4.3.1 Tolerability Of Risk (TOR) Framework..........................................................................................40
4.3.2 Tolerability Limits..........................................................................................................................40
4.4 Applicability of ALARP Approach to Current Limiting Devices................................................42
4.4.1 Good Practice argument.................................................................................................................42
4.4.2 Broadly acceptable risk argument................................................................................................ 42
4.4.3 Proportionality argument.............................................................................................................. 43
4.4.4 'Modification of existing plant argument.......................................................................................43
4.4.5 Summary.........................................................................................................................................44
4.5 Business Implications............................................................................................................................... 44
4.5.2 Conclusion......................................................................................................................................45
5 CONSEQUENCE ASSESSMENT............................................................................................................ 46
5.1 Consequences of Failure to trip.............................................................................................................46
5.1.1 Direct Consequences of mal-operation - Localised effect............................................................ 46
5.1.2 Direct Consequences of mal-operation -Effects on the wider network.........................................47
5.1.3 'Indirect consequences...................................................................................................................48
5.2 spurious tripping.........................................................................................................................................48
6 CONTROL MEASURES............................................................................................................................49
7 CONCLUSIONS..........................................................................................................................................51
8 RECOMMENDATIONS............................................................................................................................ 53
APPENDIX A LIST OF ABBREVIATIONS AND REFERENCES
APPENDIX B RISK MANAGEMENT AND ALARP BACKGROUND READING
APPENDIX C HSE GUIDANCE ON ASSESSING COMPLIANCE WITH THE LAW IN INDIVIDUAL CASES AND THE USE OF GOOD PRACTICE
APPENDIX D STATEMENTS FROM THE HSE, DTI AND OFGEM
APPENDIX E FAULT CURRENT LIMITERS DETAILED DATA
APPENDIX F EFFECT OF FAULT CURRENT LIMITERS ON SWITCHING TRANSIENTS AND DOWNSTREAM CIRCUIT BREAKERS
APPENDIX G COMPLETED QUESTIONNAIRES
Page //
1 INTRODUCTION AND BACKGROUND
1.1 Background to Project
The Department of Trade and Industry (DTI) and the Office of Gas and Electricity Markets (Ofgem)
created, and jointly chair, the Distributed Generation Coordinating Group (DGCG). The aims of the
DGCG are to recommend priorities for action arising from the joint Government industry working
group on embedded generation (the Embedded Generation Working Group) which reported in
January 2001. In achieving this it provides advice to DTI, DEFRA and Ofgem on any actions required
to assist the integration of small generation into the utility electrical network.
The Technical Steering Group was established to support the work of the DGCG and address a range
of technical issues regarding the connection of distributed generation. A key issue being addressed by
this group is how to increase the amount of electricity generated from distributed generators that can
be accepted by the electrical network. This is likely to be achieved by increasing the degree of
network and generation management and increasing the complexity of the network infrastructure.
A number of work streams have been established by the Technical Steering Group. Work stream 3
(WS3), focuses on short-term network solutions. One of the solutions that the work stream has
recommended for implementation in the short term is the application of a particular type of current
limiting device to manage short circuit currents. These are capable of detecting and limiting a short
circuit current very quickly by use of a small explosive charge to open a conductor. This diverts the
current to a parallel fuse which quenches the short circuit current.
The Distribution Network Operators (DNOs) have a licence obligation to operate their networks in
compliance with the Distribution Code, DTI regulations and Health and Safety Legislation. The DNOs
have concerns about the use of these current limiting devices. The issues that they are particularly
concerned about are:-
□ any possibility that a failure of the current limiting device to operate could overstress
switchgear.
□ any legal constraints that could prevent the use of this type of current limiting device
□ the lack of an associated ‘back up' system.
□ their intrinsic safety.
□ the testing of operation.
□ their triggering integrity.
Parsons Brinckerhoff Ltd Page 1 Final report draft3
Terms of reference for this study were therefore developed in order to address these issues. The
study has been funded by the DTI New and Renewable Energy Programme.
1.2 Introduction
The purpose of this study was to critically review the safety issues associated with the use of current
limiting devices and to prepare a critical risk assessment in accordance with ‘good industry practice'.
During the course of the project, when the legislative barriers became apparent, the scope changed to
include a much greater involvement with the HSE, the DTI and Ofgem. It also became apparent that it
would not be possible to develop a generally applicable safety case that would satisfy all of the
agencies, or a critical risk assessment that would cover all applications. The scope therefore changed
to focus on how the existing barriers should be approached and the implications of the existing
legislation.
The study has included a review of the operation, application, experience, hazards and reliability of
the devices currently available . The relevant UK safety legislation and its interpretation formed a key
part of the work. There has been a review of the relevance of this legislation to current limiting devices
and of whether or not compliance is possible when current limiting devices are used in order to avoid
plant being operated beyond its rating. This review has led to an assessment of the applicability and
implications of a risk assessment based on an ‘As Low as is Reasonably Practicable' approach,
given that current compliance is based on the principles of inherent safety using suitably rated
equipment and the use of good practice.
The wider consequences and risk associated with using current limiting devices on the UK electrical
network have been examined and control measures proposed. Most importantly, recommendations
have been made for the way forward on this complex issue.
1.3 Methodology
The study required close liaison with all of the stakeholders, including WS3, the HSE, the DTI, Ofgem,
the manufacturers and the existing users. WS3 is made up of representatives from the various
Distribution Network Operators, the Energy Networks Association, generator developers and Ofgem.
The study has benefited from contributions by all of the stakeholders and from the organisation and
co-ordination of meetings and inputs by the WS3 project manager. The contributions came through
meetings, e-mail and comments on draft versions of this report.
The meetings included:-
• A kick-off meeting with WS3, followed by a meeting with ABB
• A meeting with G&W Electric
Parsons Brinckerhoff Ltd Page 2 Final report draft3
• A meeting and HAZOP session with one of the existing UK users of current limiting devices
• Three meetings with the HSE, the DTI and Ofgem to review and discuss the relevant UK
legislation, its interpretation and its implications for the future use of current limiting devices in the
UK
• Several report review meetings with WS3
Various members of WS3 attended and contributed to the above meetings.
The study was tackled in several stages. The first stage was a review of the available background
information and literature. This included published papers, manufacturers' literature and the Long
Term Development Statements published by the Distribution Network Operators.
Questionnaires were issued to the two manufacturers, and to users. Anonymous copies of the
questionnaires completed are included in Appendix G. The background data gathered is summarised
in section 2 of this report., and is given in more detail in Appendix E.
The next stage was an assessment of the hazards and reliability of the devices, based on the data
gathered from the manufacturers and users. This is also reported in section 2.
Carried out in parallel with this work was a review of all of the relevant UK safety legislation, and this
is presented in section 3 of this report. The interpretation, the assessment of its relevance and the
measures required for compliance are also reported in this section. Major contributions to this work
were made by the HSE and the DTI, copies of their statements have been included in Appendix D.
Section 4 presents a summary of the main concepts used in the management of Health and Safety in
the UK. It also gives an assessment of the applicability and implications of a risk assessment based
on the ‘As Low as Reasonably Practicable' (ALARP) approach, given that current compliance is
based on the principles of inherent safety using suitably rated equipment and the application of
industry good practice.
Section 5 examines the consequences arising from failure of the fault current limiting device and
section 6 covers the control measures which could be used in order to minimise the risks. Sections 7
and 8 present the conclusions, the recommendations and the way forward.
Parsons Brinckerhoff Ltd Page 3 Final report draft3
2 the current limiting device
2.1 Introduction
This section gives a review of the operation, application, experience, hazards and reliability of the
current limiting devices available .
2.2 Overview of Operation and Application
2.2.1 Existing Experience in the UK
The published literature confirmed a rather limited use of the devices in the UK with their application
only within industrial applications in the pulp and paper, chemical, petrochemical and starches
sectors. Use of these devices has not been identified within the utility sector. Furthermore, analysis
of the Long Term Development Statements provided by the Distribution Companies indicates that
there is no reference to existing or future use of current limiting devices in their networks.
2.2.2 Principles of Operation
There are currently two manufacturers with commercially available current limiting devices in
widespread use at service voltages ranging from 450V to 38kV. These are ABB, from their German
factory, and G&W Electric in the US. There was also a French manufacturer, but they have been
acquired by ABB in recent years.
The ABB and G&W Electric devices are based on similar principles, in that they both consist of a
current carrying conductor in parallel with a fuse. When a short circuit is detected an explosive charge
in the main current carrying conductor is detonated. This ruptures the main current carrying path
thus diverting the current to the fuse which quenches it. The entire operation takes place within a few
milliseconds.
After operation the devices are isolated and inserts containing the fuses and the ruptured conductors
are removed and replaced with spares. One device is installed in each phase of a three phase
system, and a circuit breaker is always required in series with it, in order to perform normal circuit
opening and closing duties.
Although the principles are similar, the detailed design, construction, setting and testing of the devices
from the two manufacturers are rather different. Further details can be found in Appendix E.
1FRANSEN, P.: ‘Case History: Electronically Controlled Fault Current Limiters Allow Inplant Switchgear to be
Interconnected', IEEE Transactions on Industry Applications, Vol. 33JNo. 2, March/April 1997. pp.319-332.
Parsons Brinckerhoff Ltd Page 4 Final report draft3
2.2.3 Applications
The following three scenarios have been considered following agreement with WS3:
1. Current limiting devices in system interconnections or busbar couplers.
2. Current limiting devices in transformer secondary circuits.
3. Current limiting devices in links between public network and private generation sites.
2) Transformer secondary circuits 3) Generator connection1) System Interconnections
Current limiting devices are often used with plant operating within its rating in order to limit short circuit
thermal effects and the consequential damage. However this study focuses on the situation where the
devices are used to avoid existing plant being operated beyond its rating. It has also been assumed
that it is only the ratings of the feeder circuits that would be exceeded, should the current limiting
device fail to operate. This is because the feeder circuits are the only ones that will see the short
circuit currents from all sources. This will be the situation in the majority of applications.
The following diagram illustrates the effect of a current limiting device installed in the bus coupler
between two transformers (scenario 1) on the total current flowing in a faulted feeder.
Parsons Brinckerhoff Ltd Page 5 Final report draft3
It should be noted that with arrangement 3, when there is a fault in the distribution network, the
current flowing through the current limiting device will only be the contribution of the local generator.
Given the generator sizes typical for the range of applications considered in this study (relatively small
embedded generators), such contributions may only be detected via relatively sensitive settings in the
current limiting device, with a resulting danger of spurious tripping. It is possible to achieve a
directional discrimination between faults on the network and faults on the generator side, including
generator internal faults, by installing three CTs in the generator neutral connections in addition to
those installed on the current limiting device. This will also prevent tripping when the generator is
disconnected.
2.2.4 Fault types
The fault limiting device will be subject to fault current during fault conditions affecting the power
system.
The significant fault types to be considered are the three-phase fault, the phase-phase fault and the
phase to earth fault. It should be noted, however, that the fault location under examination is just
downstream of a feeder breaker, while the current limiting device will be located on the busbars, on a
transformer secondary circuit or on a generator connection. The device will however see the same
fault type as the feeder, although of reduced magnitude.
A three-phase current limiting device comprises three elements, one on each phase. This provides a
certain degree of redundancy in the amount of devices installed when used on impedance earthed
systems.
The earth fault level in impedance earthed distribution systems is typically of significantly lower
magnitude than the three-phase fault level, owing to the use of earthing resistors located at
Parsons Brinckerhoff Ltd Page 6 Final report draft3
transformer neutral points. For a single phase to earth fault, the system should be designed so that
the current limiting device does not trip. For a phase-phase fault, two limiting devices will respond to
fault current, and even with a failure of one unit to operate, the healthy unit should still trip and clear
the fault. Similarly, for a three phase fault, fault current will flow in all three devices and failure of one
unit to operate will still leave the other two units available to clear the fault.
In solidly earthed systems, the earth fault level is typically of a very similar magnitude to the three-
phase fault level. Moreover, the earth fault level on the secondary side of delta-star primary
transformers may exceed marginally the three-phase fault level, due to the transformer zero sequence
impedance being smaller than the positive sequence and due to the delta winding stopping the
primary network zero sequence impedance from having any effect on the earth fault level. This type
of system should be designed to provide tripping of the current limiting device for an earth fault. The
device located in the faulted phase does not have any back-up from the other two phases if it fails to
operate. However, this is unlikely to be an issue in the UK where solid earthing is normally only used
on the 132kV system, as current limiting devices are not yet available for 132kV systems.
Independently of the neutral earthing, a phase-phase fault yields a lower fault level than a three-phase
fault (87 %), and this needs to be taken into account when setting the device.
2.3 Hazard Identification
2.3.1 Introduction
The identification of hazards is the first stage of the risk management process.
In order to carry out the risk assessment of the triggered current limiting device a functional
representation has been developed showing the key functions of the device.
Although the two manufacturers have a number of differences in the way the device operates the
main functions are essentially similar. A HAZOP study was carried out on the functional
representation of a typical current limiting device as illustrated in Figure 2.3.1. Also the results of a
Failure Mode, Effects, and Criticality Analysis (FMECA) of the G&W CLiP fault current limiter device
are presented.
Parsons Brinckerhoff Ltd Page 7 Final report draft3
Power Supply
Triggered Current LimiterCurrent Sensor
Figure 2.3.1 - Functional representation of the Triggered Current Limiting Device
2.3.2 Failure Modes, Effects and Criticality Analysis
As part of the development of the G&W CLIP fault current limiter device a Failure Mode, Effects, and
Criticality Analysis (FMECA) was conducted to identify critical components and improve the device
based on Mil-Std 1629A “Procedures for Performing a Failure Mode, Effects and Criticality Analysis”.
The FMECA included:
• a systematic identification, analysis, and evaluation of the components;
• item and interface failure modes;
• evaluation of failures in terms of the severity of the consequence; and
• appropriate corrective action.
The G&W FMECA is presented in Table 2.3.2. The FMECA also estimated the potential failure rate of
each failure mode. However, the project did not have established failure data therefore the failure rate
was derived from engineering judgement based on Mil-Std 1629A. The effects of each failure are
classified as:
Category I Catastrophic: a failure that may cause death (or the G&W assessment includes the
destruction of equipment)
Parsons Brinckerhoff Ltd Page 8 Final report draft3
Category II Critical: a failure that may cause severe injury, major property damage, or system
damage, and which would result in mission loss.
Category III Marginal: a failure that may cause minor injury, property damage, or system damage, and
which would result in delay, or loss of availability, or in mission degradation.
Category IV Minor: a failure that is not serious enough to cause injury, property damage, or system
damage, but would result in unscheduled maintenance or repair.
The FMECA of the G&W device seems to only consider the failure modes that lead to the failure of
the device to operate on demand. There is no assessment of the potential for spurious trips. The
assessment is limited to the functional effects of the device and has not considered the device
application and the potential impact on the wider electrical network. The failure probability
assessment does not provide adequate information on the device reliability for any future risk
assessment, as it is based on engineering judgement rather than failure rate data. The FMECA was
carried out on a developmental prototype fault current limiter device but the basic functionality is
applicable to the current G&W device.
Parsons Brinckerhoff Ltd Page 9 Final report draft3
PB Power Final Report
Table 2.3.2 FMECA of a developmental prototype Current Limiting Protector
Item Function Failure mode and cause
Failure effects Failuredetection
SeverityClass
Failureprobability
CommentLocal Effect Next Higher
LevelEnd Effect
Power Supply Provide power to the CLP system
Loss of power Sensing and firing circuit inoperative
CLPinoperative
No currentlimitingprotection
Propose an alarm or indication
II 0.05
Inverter Convert dc toac
Loss of output 11Boperational
None None Alarm IV 0.015
Inverter Convert dc toac
Loss of output 11Aoperational
None None Alarm IV 0.015
Battery Supply dc Loss of dc supply
Loss of power to inverter
Loss of power to sensing and firing circuit
No currentlimitingprotection
Low voltage alarm
II 0.05 Unlikely to happen
Battery Charger Maintain charge on battery
Loss of output 13Boperational
None None Alarm IV 0.01
Battery Charger Maintain charge on battery
Loss of output 13Aoperational
None None Alarm IV 0.01
Power supply to battery chargers
Maintain power to battery charger
Loss of supply power (14A)
Alternative (14B) power supply available
None None Alarm IV 0.02
Power supply to battery chargers
Maintain power to battery charger
Loss of supply power (14B)
Alternative (14A) power supply available
None None Alarm IV 0.02
Sensing andLogic
Provide current sensing and signal to firing circuit
Failure of: cts,diodes,resistors,capacitors,comparator
Loss of signal to firing circuit
CLPinoperative
No currentlimitingprotection
Supervisory and alarm
II 0.01 Represent loss of A, B and C sensing and logic
Sensing andLogic
Provide current sensing and signal to firing circuit
Failure of components, one phase
Alternative Sensing and Logicoperational
None None Supervisory and alarm
IV 0.033 Failure of one phase is assumed
Parsons Brinckerhoff Ltd Page 10 Final report draft3
PB Power Final Report
Item Function Failure mode and cause
Failure effects Failuredetection
SeverityClass
Failureprobability
CommentLocal Effect Next Higher
LevelEnd Effect
Firing circuit Initiate CLP Failure of: trigger, charging circuit,capacitor, hot wire
Loss of firing pulse to CLP
CLPinoperative
No currentlimitingprotection
Supervisory and alarm
II 0.01 Represent loss of A, B and C firing circuit
Firing circuit Provide firing pulse to CLP
Failure of components, one phase
Alternative firing circuit operational
None None Supervisory and alarm
IV 0.033 Failure of one phase is assumed
Current limiting protectors
Limit and interrupt fault current
Loss of current limitation
No effect None No currentlimitingprotection
Inspection on assembly
I 0.01 Represent loss of A, B and C CLP
Primary andsecondarycharges
Initiate chemical charge and cut mainconductor
Failure to cut mainconductor
Mainconductor not cut
Current not commutated to fuse
No currentlimitingprotection
Inspection on assembly
IV 0.00001 Failure of one phase is assumed
Main currentcarryingconductor
Carry primary current. Form gaps & commutates current to fuse
Inaccurate machining, failure to form gaps
None Current not commutated to fuse
No currentlimitingprotection
Inspection on assembly
IV 0.001 Failure of one phase is assumed
Fuse Limit and interrupt fault current
Incorrecttermination,mechanicaldamages,insufficientfilling
None Current not commutated to fuse
No currentlimitingprotection
Inspection on assembly
IV 0.004 Failure of one phase is assumed
Support and enclosure
Support and enclose CLP components
Improper manufacture and assembly
Discharge of gas on operation
None None Inspection on assembly
IV 0.003 Minordischarge of gas is of no consequence
Parsons Brinckerhoff Ltd Page 11 Final report draft3
PB Power Final Report
2.3.3 HAZOP
A Hazard and Operability Study (HAZOP) was conducted on a functional representation of a typical
current limiting device, as illustrated in Figure 2.3.1, to assess the possible failures that may occur
and their effect on the safety and operability of the system. In order to ensure that a representative
study of the device was carried out, the HAZOP included representatives from a manufacturer, user
and a network operator.
The HAZOP was carried out at the user's plant on 13th October 2003. During the meeting a visit was
made to the switchroom to view the installed current limiting devices in situ. The minutes from the
HAZOP are presented in Table 2.3.3.
In order to ensure the HAZOP was representative of the devices from both manufacturers, a meeting was held with G&W on 15th October 2003, at which point a number of the issues raised at the HAZOP
were discussed further.
The HAZOP confirmed that the main hazard related to the device is the failure to operate upon
demand. Any hazards associated with the installation of the device and the pyrotechnic charge were
considered to be small.
2.3.4 Findings of Hazard Identification
The pyrotechnic charge used within the current limiting device is very small, less than 2g for the ABB
device and 3-16g for the G&W device, and is contained, therefore the operation of the pyrotechnic
does not present a hazard to people.
A significant proportion of the faults would be detected by the supervisory system, and this would
raise an alarm to the user. Failure of the current sensor, logic, power supply and firing units is likely to
be detected by the supervisory unit. . This is supported by the G&W FMECA as presented in Table
2.3.2. This would reduce the unrevealed failure rate of the device. The ABB reliability assessment as
presented in Section 2.5 indicates that about 50% of the faults relating to failure to operate would be
detected by the supervisory unit.
The triggering of the current limiting device cannot normally be tested and can only be functionally
tested by activating the pyrotechnic charge.
The majority of the applications of the device are in three phase systems, for example 80% of the
2500 ABB current limiting devices are installed in all three phases. This provides redundancy in the
event of failure of a device for two or three phase faults.
Parsons Brinckerhoff Ltd Page 12 Final report draft3
PB Power Final Report
The other key mode of failure is a spurious trip, i.e. operation when there is no fault current. This in
itself is not a safety concern but would result in a loss of supply, and this may have safety implications
for the users who have lost supply.
In conclusion the main hazard associated with the device is failure to operate on demand.
Parsons Brinckerhoff Ltd Page 13 Final report draft3
PB Power Final Report
Table 2.3.3 HAZOP Study
Project: Current Limiting Device HAZOP StudyItem Attribute/
FunctionGuideword Cause Consequence Mitigation Notes
Currenttransformer
Senses current Fails to operate on demand
Damaged component, or aging
Failure to break current
The majority of the applications are in three phase systems. This arrangement provides redundancy in the event of a 2 or 3 phase fault, but not for single phase fault in solidly earthed system .
There is significant experience with current limiting devices, ABB andG&W devices have been in use for over45 and 20 years respectively.
Causes a spurious trip
Equipment failure or incorrect design
Unintended Loss of electrical supply
ABB indicate that they have no information on spurious trips due to hardware failure. 5 possible spurious trips were found to be due to redesign of the users system, they had worked as expected. G&W indicate that there have been around a dozen spurious trips.
Parsons Brinckerhoff Ltd Page 14 Final report draft3
PB Power Final Report
Project: Current Limiting Device HAZOP StudyItem Attribute/
FunctionGuideword Cause Consequence Mitigation Notes
Power supply To provide power to the limiter
Power supply fails Loss of power to device, could fail to detect fault current
There are two independent power supplies to the device, one being a UPS.There is a capacitor in the system to ensure continuity of power during switchover
The ABB device requires an AC power supply, although it can convert a DC source if required. G&W recommend the use of DC supply.Alternatively an ACUPS system may be applied.
Logic To monitor the current and initiate the trip on demand
Fails to operate on demand
Damaged or aged component. Component set out of range
Fails to detect fault current
System is designed such that a failure will cause the device to trip (i.e. failsafe)
Both the ABB andG&W devices consist of analogue circuits and do not contain any programmable electronics
It is recommended that the Is limiter is tested every 1 -2 years
ABB track the test results to identify any faulty components or degradation due to aging
Parsons Brinckerhoff Ltd Page 15 Final report draft3
PB Power Final Report
Project: Current Limiting Device HAZOP StudyItem Attribute/
FunctionGuideword Cause Consequence Mitigation Notes
Explosive To break the current path
Fails to operate as required
Failure of trigger circuit
Fails to break the circuit at fault current
The current path of the explosive charge is tested in the factory.
If required ABB can supply a test equipment specifically for testing the current path through the explosive, although it is not recommended practice. G&W indicate that continuity of the detonator can be checked. However the functional test could not be performed on the interrupter as it is a “one shot” device.
Explosive hazard to staff and equipment
Shrapnel from the explosion
Potential harm to staff in the area or damage to equipment
The housing is designed to safely contain the explosive.
Experience shows that some smoke and a small amount of dust may be released
Housing To contain the current path and explosive
Contamination into the housing
Humidity Possible corrosion of the conductive path
Humidity is not a major concern. Will also be enclosed in a cabinet.
It is also possible to have heating or cooling in the cabinets depending on the particular climate
Testing The complete system (except the triggering of the current limiter and the pyrotechnic charge) is fully testable and is carried out by the users using a testing device. The device is connected to a series of points on the circuit by which all the components can be tested. The results are returned to ABB for review. Richard Kasher (the user) stated that testing takes less than 1 hour, per year. The overall function of the G&W device triggering circuit can be tested with a field test unit. These checks can be performed by the client staff and the test takes approximately 5 minutes. G&W do not usually ask for records of these tests.
Parsons Brinckerhoff Ltd Page 16 Final report draft3
PB Power Final Report
2.4 Operational Experience
There is considerable operational experience in the use of current limiting devices device world wide.
ABB indicated that their Is-limiter was first installed in 1961 and that currently there are approximately
2500 ABB Is-limiters in operational use.
This breaks down as follows:
• 1330 x 3 phase - Installed after 1980 (i.e. between 1980 and 2003)
• 670 x 3 phase - Installed before 1980 (i.e. between 1961 and 1979)
• 500 x single phase - Installed between 1961 and 2003
The total Is-limiter device operational experience.
500 x 1 phase x 21 years = 10,500 device years
670 x 3 phase x 33 years = 66,300 device years
1330 x 3 phase x 11 years = 43, 890 device years
Therefore ABB have a total of 121,720 device years of operational experience. After activation, the
tripped current limiter insert is returned to ABB for refurbishment. Comparing the number of tripped
unit against the operational units ABB assessed that on average each current -limiting device has
tripped once every 4 years.
G&W units were developed in the late 1970's and were first used in 1980. Substantial development
was undertaken in the early 1980's and the present PAF unit was first used in 1985. G&W has sold
205 sets or 615 single phase CLiP units and 102 sets or 306 single phase PAF units worldwide.
G&W do not keep a precise record of units in operation. They estimate that there are currently 570
CLiP units and 300 PAF units in operation.
2.4.1 Mal-Operations
ABB have no record of their Is-limiter device failing to operate on demand. However there have been
five cases of spurious trips. Investigation showed that all five cases were related to a change in the
network by the operators, who had installed capacitor banks without checking the settings of the
existing Is-limiters. The charging and discharging of these capacitor banks, and the resulting high
rate of rise, high peak currents had caused the Is-limiter to trip. ABB have no record of injury to
people arising from hazardous incidents associated with the transport, storage, operation,
maintenance and disposal of the Is-limiter units.
Parsons Brinckerhoff Ltd Page 17 Final report draft3
PB Power Final Report
G&W have no comprehensive system to record failures of their devices. However, they estimated
that about 20 items have been returned due to failure. There have been less than 10 returned logic
units. Such units tends to be a result of false triggering rather than a failure to operate. Also there
have been less than 10 returned isolation transformers.
G&W estimate that there have been about a dozen spurious trips, however the exact number is not
known. There has been one failure to operate on demand, this was caused by a deficiency in the
quality checking of the location of the pyrotechnic cord. The quality process has been improved and
the problem has not occurred on devices manufactured since. G&W also advise that there has been
no incident of injury to people associated with their device.
Parsons Brinckerhoff Ltd Page 18 Final report draft3
PB Power Final Report
2.5 Reliability assessment
The reliability of the Is-limiter device has been assessed using two approaches, the first by reviewing
predictive reliability assessments, and the second by analysing the manufacturers' historical
operational data.
2.5.1 Predictive Reliability Assessment
The FMECA conducted for the prototype G&W device estimated the potential failure rate for each
failure mode. The project did not have established failure data therefore the failure rate was derived
from engineering judgement based on Mil-Std 1629A. The failure data seems to been used to
compare the relatively reliability of individual components of the system to improve the system design.
However, the FMECA data does not provide a clear value of the overall system reliability.
The failure rates for the different failure conditions of the ABB Is limiter device was assessed by
Brown Boveri (BBC) in 1980 using failure data from their failure-rate catalogue. The results are
presented in the Table below.
Failure condition Failure rate (10-3 per year)
Ground Benign Ground fixed
Tripping of the Is Limiter insert without
demand
1.75 7.01
Indication of a disturbance 2.63 10.5
No indication and no triggering 3.50 9.64
Total 7.01 27.2
‘Ground Benign' is defined by ABB as ‘nearly zero environmental stress with optimum engineering
operation and maintenance'.‘Ground Fixed' is defined by ABB as ‘conditions less than ideal, to include
installation in permanent racks with adequate cooling air, maintenance by military personnel and
possible installation in unheated buildings'.
Under less than ideal conditions (Ground fixed case) the assessment estimated that the unrevealed failure rate for the device failing, without indication of a failure, is 9.64x10-3 per year. Assuming a
proof test interval of once per year the probability of failure to operate on demand is estimated as 4.82 x10-3. The failure mode of “indication of a disturbance” has been excluded from the above unrevealed
Parsons Brinckerhoff Ltd Page 19 Final report draft3
PB Power Final Report
failure mode. It is considered that a revealed failure as indicated by the supervisory unit will be repaired quickly. The frequency of spurious trip is estimated as 7.0x10-3 per year.
Under ideal conditions (Ground Benign case) the unrevealed failure rate is estimated as 3.5x10-3 per
year and the frequency of spurious trip is estimated as 1.75x10-3 per year. Assuming a proof test
interval of once per year the probability of failure to operate on demand is estimated as 1.75x10-3.
2.5.2 Reliability Assessment Based on Operational Data
ABB indicated that they have there are approximately 2500 ABB Is limiters applications currently in
operational use. Section 2.4 shows that most of the Is-limiters are in three phase systems and it is
probable that a fault will involve two of the phases. Therefore only one of the Is-limiters is required to
operate in order to break the current. However, it may be optimistic to assume in all cases that all the
devices are in an operational state, for example a device could have failed in an unrevealed state, but
the system is only protected by the other healthy device. Therefore the estimation of failure to
operate on demand will be based on the application population data rather than the total device
operational experience. Based on the information in Section 2.4 the total application experience is
estimated as 48,240 application years. ABB experience indicates that on average each Is-limiter has
tripped once every 4 years. Assuming that this is the average demand on the Is limiters, the total
number of demands to operate experienced by the whole population of Is Limiters is estimated as
12,060.
ABB indicated that they have no record of the device failing to operate on demand. This does not
necessarily mean that there has never been a failure to operate during the last 43 years, but this is
difficult to check. For the assessment it is assumed that there has been a single failure some time
during the whole of the operational experience. The probability of failure to operate on demand is therefore estimated as 8.3x10-5 based on the operational data. This should be considered as an
approximate estimate as it is based on a number of assumptions and there is uncertainty as to the
completeness of the data, given the 43 year operational history and the reliance on users to report
back to ABB any failures to operate.
ABB have five known cases of spurious trips. Spurious activation of any one Is limiter in a set would
lead to a spurious trip. The total device experience is estimated as 121,720 device years. Therefore
the failure rate of spurious trip is estimated as 4.1x10-5 per unit year. ABB's investigation revealed
that the all five spurious trips were due to application error, where the operator had changed the
system by adding capacitor banks, without consulting ABB over any revisions necessary to the
settings. The charging and discharging of the current of the capacitor banks caused the Is-limiter to
operate. ABB has no record of hardware failure leading to spurious trip.
Parsons Brinckerhoff Ltd Page 20 Final report draft3
PB Power Final Report
2.5.3 Discussion
We have tried to obtain reliability data on the current limiting device by collecting information using
two routes; predictive assessment and historical data based on operational experience.
We have focused our attention on historical data as predictive assessment tends to use equipment
failure data from generic sources and may not represent accurately the components used for the
current limiting device and operational conditions.
The G&W FMECA failure probability assessment was based on engineering judgement rather than
failure rate data, therefore it does not provide adequate information on the device reliability, for any
future risk assessment. Our study found that G&W do not have the comprehensive information on the
failure data and device population required to estimate the reliability of their device.
ABB have conducted a Failure Mode and Effect Analysis (FMEA) to estimate the reliability of their
current limiting device. Under ideal conditions, assuming a proof test interval of once per year, the
FMEA predicted the probability of failure to operate on demand as 1.75x10-3.
ABB collect some information on the failure data and device operation. This information has been
used to provide an approximate estimate of the current limiting device reliability. The probability of failure to operate on demand, based on this operational data, is estimated as 8.3x10-5. However this
estimate is based on a number of assumptions.
There is significant uncertainty as to the completeness of the data for reliability assessment. There is
a significant difference between the reliability estimated from the predictive assessment and that
estimated from operational data. For example, for the probability of failure to operate on demand,
there is a factor of 20 difference between the predictive assessment and the estimation based on
operational data.
2.5.4 Conclusion
Currently the only reasonable information on the current limiting device reliability is for the ABB device
based on a predictive assessment. This gives a probability of failure to operate on demand of 1.75 x
10-3, based on a proof test interval of once per year. The operational information provided by the
manufacturers is not sufficient to carry out a suitable reliability assessment. The information on the
reliability of the current limiting device is critical for any future safety assessment. Ideally this should
be based on historical data, and it is recommended that the manufacturers should critically review
their operational data and consider the collection of additional data to support any future safety
assessment.
Parsons Brinckerhoff Ltd Page 21 Final report draft3
PB Power Final Report
3 SAFETY LEGISLATION REVIEW, INTERPRETATION AND COMPLIANCE
3.1 Introduction
The relevant UK safety legislation and its interpretation formed a key part of the work. There has been
a review of the relevance of this legislation to current limiting devices and of whether or not
compliance is possible when current limiting devices are used to avoid plant being operated beyond
its rating.
Specific regulations relevant to the use of current limiting devices, in particular those against which
their use will be tested for compliance, were reviewed to identify the specific obligations imposed by
these regulations. The following standards and regulations were reviewed as being those with
greatest relevance:
□ The Health & Safety at Work Act 1974
□ The Management of Health and Safety at Work Regulations 1999
□ The Electricity at Work Regulations 1989
□ Memorandum of guidance on the Electricity at Work Regulations 1989
□ The Electricity Safety, Quality and Continuity Regulations 2002
□ IEC 61508 - Functional safety of electrical/electronic/programmable electronic safety-
related systems.
□ Explosive Regulations
The HSE and DTI provided guidance on particular regulations to be considered, on their interpretation
and whether or not compliance is possible when current limiting devices are used to avoid plant being
operated beyond its rating. This required extensive discussions within the DTI and the HSE, and has
triggered a far-reaching debate about the current legislation and the need to review and update parts
of it to improve clarity.
The HSE, the DTI and Ofgem were able to provide written statements on their positions, and these
have been included in Appendix D. The HSE and DTI statements have also been included, in bold
italic text, in the sections below. All other comments are Parsons Brinckerhoff's interpretation of the
legislation and the HSE and DTI statements. Ofgem's key concern is to demonstrate that the
connection is cost effective and this is discussed further in section 4.5 of this report.
Parsons Brinckerhoff Ltd Page 22 Final report draft3
PB Power Final Report
3.2 Review of general safety legislation
3.2.1 The Health and Safety at Work Act 1974
The Health and Safety at Work Act (HASWA) is essentially an enabling act, which paves the way for
other, more specific pieces of legislation to be introduced (some of which are reviewed below). It
does however contain a number of general duties that an employer must adhere to. The following
section summarises those duties that are applicable to this study.
Duties to those in your employ
Section 2 (1) - There is a general duty on all employers to ensure, so far as is reasonably practicable,
the health, safety and welfare at work.
Section 2 (2)a - So far as is reasonably practicable, employers must provide machinery, equipment
and other plant that is safe and without risk to health and must maintain them in that condition. Safe
systems of work should be used.
Section 2 (2)b - Manufacturers should ensure, so far as is reasonably practicable, that materials
supplied for use at work are safe and without risk to health, and they should supply users with
information about its use and any associated hazards.
Section 2 (2) - Employers must provide employees with suitable instruction, training and supervision.
Duties to those not in your employ
Sections 3 (1) & 3 (2) - Employers should ensure, so far as reasonably practicable, that they do not
expose people who are not in their employ to risks to their health and safety. This duty applies to
people who may be inside the workplace such as visitors, contractors and another employer's workers
visiting their premises.
There is also a duty to ensure the safety and health of those people who have accessed the premises
without authorisation.
summary
This is general health and safety legislation and the minimum requirement that all employers should
adhere to. There is nothing in the legislation that applies specifically to the use of current limiting
devices.
The one point that does deserve additional attention is the requirement to protect those not in your
employ. This has implications in that the duty extends out of the workplace to the wider environment
and could be interpreted as meaning that the installation of a current limiting device should not, so far
Parsons Brinckerhoff Ltd Page 23 Final report draft3
PB Power Final Report
as is reasonably practicable, have a health and safety impact on the wider network and other parties
connected to the network, or on people or the public. This is a key point, since the interconnectivity of
electrical systems means that changes on a private network can impact on the wider network and vice
versa. The implications for the duty holders are covered by the Management of Health and Safety at
Work Regulations.
HSE View
The HSE have stated that:-
The HSWAct 1974 is relevant and would not, in principle, prevent the use of ls Limiters.
3.2.2 Management of Health and Safety at Work Regulations 1999
Regulation 3 of the ‘Management' Regulations states that:
(1) Every employer shall make a suitable and sufficient assessment of-
(a) the risks to health and safety of his employees to which they are exposed whilst they
are at work; and
(b) the risks to the health and safety of persons not in his employment arising out of or in connection with the conduct by him of his undertaking
The contents of this report will provide material for the risk assessment, however each user will be
required to undertake an application specific risk assessment of the current limiting devices as
installed. Equally, any other employers whose network is affected by the installation of the current
limiting devices will need to carry out a risk assessment, or revise their existing risk assessment. The
complexity of the interaction required should not be under-estimated.
HSE View
The HSE have stated that:-
The Management of Health and Safety at Work Regulations 1992 are relevant. Regulation 3 (1.b) is particularly relevant and would have important implications for duty
holders involved in electrical generation and distribution network operations together with users of electricity. Particularly relevant is the information, and the confidence of the information, that will need to be made available to allow duty holders, downstream of the ls Limiters, to fulfil their legal duties. In the context of the possible introduction of the application of ls Limiters, the complexity of the necessary information is likely to be
greater than is currently the case. With the many interfaces (embedded generator provider, DNO and multiple end users) there is the potential for getting things wrong.
Parsons Brinckerhoff Ltd Page 24 Final report draft3
PB Power Final Report
Implications
The party who installs a fault current limiting device will need to look beyond their own network when
examining the effect that the device could have, including the consequences of the device failing to
operate when required. Where the DNO installs the device, they will have an obligation to provide all
necessary information to other duty holders who are affected, so that those duty holders can assess
the effect on their networks and the risks resulting. For example their switchgear could also be
overstressed, should the current limiting device fail to operate when required.
When a private network owner or generator developer installs the device, they will have an obligation
to inform the DNO and to provide the information needed by the other duty holders affected. It is
believed that the DNO will then have a responsibility to inform other customers who could be affected.
The DNO will have a duty of care to ensure that their customers understand the issues and have
taken all of the measures that the DNO would have taken in their position. These measures should
include an adequate risk assessment.
The HSE have highlighted that this is likely to require the exchange of more complex and detailed
information than is the case currently. This would need building into current practices, for example
through the modification of the information required as part of the generation connection application
process.
3.2.3 Review of The Electricity at Work Regulations 1989
There are a number of regulations within The Electricity at Work Regulations 1989 which are
particularly relevant to the use and application of current limiting devices. In all of these, an
understanding of what is meant by ‘danger' is essential. Danger is defined within the Regulations as
‘risk of injury’. The notes within the ‘Memorandum of guidance on the Electricity at Work Regulations
1989' explain that the ability of circuit breakers and fuses to operate successfully and without
dangerous effects, serious arcing or the liberation of oil is implicit in the requirements to prevent
danger.
The relevant regulations include 4(1) which requires that ‘All systems shall at all times be of such
construction as to prevent, so far as is reasonably practicable, danger. ’
The commentary within the ‘Memorandum of guidance on the Electricity at Work Regulations 1989'
makes it clear that ‘construction' includes the design of the system and the equipment within it, and
that all likely or reasonably foreseeable conditions of application of the electrical equipment should be
considered. The guidance highlights the factors to be considered, those that are particularly relevant
to the application of current limiting devices include the manufacturer's assigned or other certified
rating of the equipment, the likely load and fault conditions, the fault level at the point of supply, the
Parsons Brinckerhoff Ltd Page 25 Final report draft3
PB Power Final Report
ability of the equipment and the protective devices to handle likely fault conditions, and the manner in
which commissioning, testing and subsequent maintenance or other work may need to be carried out.
Regulation 5 is also very relevant to the use and application of current limiting devices. It states that
‘No electrical equipment shall be put into use where its strength and capability may be exceeded in
such a way as may give rise to danger.'
This is an absolute requirement, as opposed to being qualified by a ‘reasonably practicable'
statement. The guidance recommends that electrical equipment should be used within the
manufacturer's rating and in accordance with any instructions supplied with the equipment. It is also
stated that the selection of equipment should take into account the fault levels and characteristics of
the electrical protection provided to interrupt or reduce fault current.
Regulation 11 states that ‘Efficient means, suitably located, shall be provided for protecting from
excess of current every part of a system as may be necessary to prevent danger.'
The guidance indicates that the means of protection could be in the form of fuses, circuit breakers
controlled by relays, or ‘by some other means capable of interrupting the current or reducing it to a
safe value. ’
Regulation 29 provides a defence clause in any proceedings for an offence consisting of a breach of a
number of the regulations, including regulations 5 and 11. It states that ‘it shall be a defence for any
person to prove that he took all reasonable steps and exercised all due diligence to avoid the
commission of that defence’.
Regulation 30 gives the HSE the power to issue general or special exemptions to the regulations,
these are only granted if ‘it is satisfied that the health and safety of persons who are likely to be
affected by the exemption will not be prejudiced in consequence of it. ’
In summary, there is no part of The Electricity at Work Regulations 1989 which would prevent the use
of current limiting devices, provided that:-
• they operate successfully on demand without dangerous effects, and
• they are used and applied correctly within a network such that they meet regulations 4, 5 and 11
The assessment of the current limiting devices has shown that the device itself has no dangerous
effects, and that the available data currently shows a very high level of reliability. However, this does
not guarantee that every device installed now and in the future will operate every time on demand.
The most likely need for the current limiting devices will be when the fault ratings of existing
distribution system switchgear are close to being exceeded, and current limiting devices are being
considered, for example, as an alternative to replacing transformers or switchgear. This will be the
Parsons Brinckerhoff Ltd Page 26 Final report draft3
PB Power Final Report
most demanding situation in terms of meeting The Electricity at Work Regulations 1989, and is the
situation which this project has focused on. In this type of application, if the device fails to operate on
demand then switchgear is likely be overstressed, depending upon the type and location of the fault.
The particular circuit breakers which are overstressed, their ownership, and the degree of
overstressing will also depend on the particular application.
It could be argued that clause 5 has been breached if the current limiting device fails to operate and
switchgear is then overstressed, and this point comes out in the HSE statement.
HSE View
The HSE have stated that:-
Regulation 5 of The Electricity at Work Regulations 1989 is particularly relevant since it places an absolute requirement on duty holders. For example, Regulation 5 would apply
to a duty holder, downstream of the ls Limiter, who has under his control a circuit break
being ‘protected’ by the ls Limiter. In the event of a fault, (e.g. a cable fault) arising
downstream of the circuit breaker and subsequent failure of the ls Limiter causing the
circuit breaker to become over-stressed and fail catastrophically, it could be argued
there was a breach of Regulation 5.
To cater for the situation outlined ... above, it was envisaged that Regulation 29 could
provide a basis of a defence for the relevant duty holder providing the duty holder was
able to demonstrate he had taken “ all reasonable steps and exercised all due
diligence“. However, having reviewed Regulation 29 we have concerns about what these words actually mean in law in the context of all the issues arising in the
application of an ls Limiter, and in the end, this could become a matter for the courts to
decide.
In principal there is nothing in the EAWRegulations 1989 to prevent the use of ls Limiters but we have highlighted the uncertainty of the application of Regulation 29. There are two options that we are currently assessing which will include discussion
with relevant parties:
a) Short term: We could explore the provision of an exemption(s), under Regulation 30 of the EAW Regulations1989, relating to the application of Regulation 5. We would see the use of an exemption(s), if and where permitted, as a stop-gap measure but the problems of such an approach may make it impractical.
b) Mid - Longer term: The EAW Regulations 1989 are under review and we could take advantage of the revision process to assess what changes could be made to deal effectively and safely with future technical developments such as embedded generation and the application of ls Limiters in particular. However, the degree of
Parsons Brinckerhoff Ltd Page 27 Final report draft3
PB Power Final Report
change will be constrained by the HSW Act 1974 Section 1(2) which prevents the dilution of the levels of safety already established in existing Regulations.
Implications
A user installing a current limiting device, and other duty holders affected by the installation, could
potentially be in breach of the absolute requirements of Regulations 5 and 11 of the Electricity at Work
Regulations, if there was a failure of the current limiting device, leading to overstressing of other
equipment and danger.
The discussions within HSE have established that the meaning of clause 29 is not clear, and there is
insufficient case law for it to be legally defined. There would therefore be considerable uncertainty in
relying on this as a defence clause to cover a breach of clause 5. In the longer term the HSE want to
improve the clarity of clause 29 through changes in the regulations, however this is likely to be a
protracted process.
For the interim, the HSE are willing to explore the possibility of using an exemption process under
Regulation 30. This would need further discussion within the HSE and with the stakeholders. These
discussions would need to identify the extent of any exemption, the criteria which would need to be
met for an exemption to be granted (for example ALARP) and the process for granting an exemption.
All of the dutyholders affected by the installation of the device would need an exemption if the
exemption route proved to be feasible.
3.2.4 Review of The Electricity Safety, Quality and Continuity Regulations 2002 (ESQCR)
There are a number of regulations within The Electricity Safety, Quality and Continuity Regulations
2002 which are particularly relevant to the use and application of current limiting devices.
3.2.4.1 Regulation 3.1
These include regulation 3.1'General adequacy of electrical equipment' which states that:-
Generators, distributors and meter operators shall ensure that their equipment is -
(a) sufficient for the purposes for and the circumstances in which it is used; and
(b) so constructed, installed, protected (both electrically and mechanically), used and maintained
as to prevent danger, interference with or interruption of supply, so far as is reasonably
practicable.
This mirrors the requirements within The Electricity at Work Regulations 1989.
Parsons Brinckerhoff Ltd Page 28 Final report draft3
PB Power Final Report
DTI View
This (3.1a) is an absolute requirement, which would not be covered by the “as far as
reasonably practicable” qualification in regulation 3(1)(b). It does not preclude the use of a Is
limiter, because if designed and specified properly, it should be “sufficient for purpose”.
The Is limiter will prevent existing switchgear seeing fault levels above duty. The premise here
is that the Is limiter will work in all circumstances.
If the Is device fails, it is clear that any circuit breaker unit that fails subsequently to clear (due
to inadequate duty) would not be "sufficient for purpose". In this circumstance, the duty
holder would have to demonstrate that he/she had anticipated the consequences of a possible
failure of the Is device and any mitigation measures required to keep within a tolerable risk
level the duty holder would need to justify.
Regulation 3.1(b) - Any responsible duty holder should go through a thorough design
installation and commissioning process if these devices were to be used. As discussed, due
to the nature of the devices there will be requirements for the correct system analysis tools
and considerations of alternatives to identify tolerable risk levels that the duty holder would
need to justify. The “as far as is reasonably practicable” qualification applies to this limb of regulation 3 and allows scope for guidelines and code of practice introduction assuming that the device complies with regulation 3.1(a).
Implications
Clarification was sought from the DTI on the above statement. The DTI view is that the dutyholder
would be in breach of Regulation 3.1a) if the current limiting device fails to operate. However in this
event, if the DTI decided to investigate and/or prosecute, then the key issues would be the
consequences of the failure of the current limiting device and the mitigating measures taken by the
dutyholder. The decision as to whether there should be an investigation will also depend upon the
consequences.
It should be noted that this would not be an issue if the current limiting device was being used with
equipment that would still be operating within its rating without the device. This would be the case
where current limiting devices were being used to reduce the thermal impact of faults.
Parsons Brinckerhoff Ltd Page 29 Final report draft3
PB Power Final Report
3.2.4.2 Regulation 4
Regulation 4 ‘Duty of co-operation', requires that generators, distributors, suppliers and meter
operators should disclose such information to each other as might reasonably be required and
otherwise co-operate amongst themselves so far as is necessary in order to ensure compliance with
the ESQCR. In addition, regulation 28 details the information to be provided on request by a
distributor. This includes, for any existing or proposed consumer's installation which is connected or is
to be connected to his network, a written statement of the maximum prospective short circuit current
at the supply terminals and the type and rating of the distributor's protective device or devices nearest
to the supply terminals.
The relevance to current limiting devices will be that the distributors will need to maintain information
on any current limiting devices that they install, and ensure that other parties know and understand
any effects that they will have on their own networks.
DTI View
The main issues here are as to which fault levels will be assumed between networks and as to
what would be communicated between duty holders. It suggests from the consideration of adequacy above, that the device cannot be tested properly until a fault occurs. If therefore
there is a chance of adjacent networks becoming overstressed this should be communicated. The duty holders concerned can then decide how they wish to comply with the relevant regulations and the level of risk they take for insurance/safety of employees/public. The
important thing is that the possibility of risk is communicated clearly and the consequences
are spelt out between parties. This illustrates that a set of common guidelines between the
companies is highly desirable otherwise there will be unnecessary disputes over approach
between duty holders, possibly involving enforcement bodies.
There is no obligation under regulation 4 on duty holders to disclose information to
consumers. However, we would expect consumers to be informed of the effect on his/her network due to the adoption of Is limiters on the duty holder’s network. This would allow the
consumer to decide what level of risk he/she wishes to take at his premises.
In addition, this discussion between the duty holder(s) and consumers would need to be
undertaken in a timely manner so it did not become a “fait accompli” for the consumer or duty
holder, otherwise it could lead to unnecessary disputes.
Implications
Although there is no obligation under the ESQCR for the duty holders to disclose information to
consumers without being asked, there is an obligation under the Management of Health & Safety at
Work Regulations. It will be essential for the industry to have a common approach and a common set
Parsons Brinckerhoff Ltd Page 30 Final report draft3
PB Power Final Report
of guidelines for the installation of current limiting devices and the exchange of information. As a first
step in developing the process and guidelines the legal, commercial and safety duties of all parties will
need to be clarified and set out. This will require all parties to take legal advice.
3.2.4.3 Regulation 6
Regulation 6 ‘Electrical protection', states that:-
A generator or distributor shall be responsible for the application of such protective devices to his
network as will, so far as is reasonably practicable, prevent any current, including any leakage to
earth, from flowing in any part of his network for such a period that that part of his network can no
longer carry that current without danger.
Again, this mirrors the requirements within The Electricity at Work Regulations 1989.
DTI View
If the device is considered as an "intelligent fuse" and therefore an electrical protection
device, and it operates correctly, then there would be no breach of this regulation.
If it fails to operate there is no other protection that will clear the fault, no grading being
possible because the disconnection devices (i.e. circuit breakers) remaining will be
inadequate.
Bearing this in mind, it would be difficult to demonstrate compliance with Regulation 6 if the
device failed. This would also be the case for conventional relays where it was set incorrectly
or failed to operate. However, the consequences of failure could be more serious for a Is
limiter and again this would need to be assessed at the design stage and a risk mitigation
approach considered.
Implications
Again, there will be an issue if the current limiting device ever fails to operate on demand. A risk
mitigation approach would be required to provide a defence case in the event of prosecution for
breach of regulation 6.
3.2.4.4 Regulation 23
Regulation 23 ‘Precautions against supply failure' will affect how the current limiting devices are
applied and set in order to avoid spurious tripping. The regulation requires distributors to arrange their
networks and provide fuses or automatic switching devices, located and set, as to limit, so far as is
reasonably practicable, the number of consumers affected by any fault in his network.
Parsons Brinckerhoff Ltd Page 31 Final report draft3
PB Power Final Report
DTI View
Under regulation 23 the duty holder must show that the device is set to operate at a correct level to restrict, so far as is reasonably practicable, the numbers of consumers affected by any
fault and also that all reasonably practicable steps have been taken to avoid interruptions of supply resulting from his own acts. As this cannot be demonstrated without destruction of the
device, there would be no way of practically demonstrating correct setting other than by the
demonstration of the detection circuit function (for ABB and G&W) and correct trip signal. This
is no different to the case with a conventional fuse except that a back-up arrangement (from a
larger fuse) is available with a conventionally fused circuit arrangement.
Implications
It will be essential that the current limiting devices are set correctly and tested regularly.
3.2.4.S Regulation 28
Regulation 28 lists the information which a DNO must provide to interested parties for consumer's
installations connected to his network.
DTI View
Under this regulation there is no obligation on the duty holder to provide information on the
network unless requested by the consumer connected to the network.
In line with the comments on regulation 4 above, a code of practice would need to be
developed so it was clear that under regulation 28(a) when fault level data was supplied to
connectees, fault levels were stated for correct device operation and for the situation if it failed
to operate. The connectee could then decide how much risk he/she wanted to take.
Also under regulation 28 (c) some information regards the settings/capability of equipment and limitations at the interface with the connectee would need to be explained so that any
shortfalls for a failure of the device (i.e. the two possible situations) could be highlighted.
The very nature of doing this may cause a problem on failure of a device, as any legal action
against the duty holder could demonstrate that there was a possibility of plant failure for the
loss of the Is limiter and there had been a decision not to invest to avoid danger and/or interruption to supplies. This eventuality would need to be covered via the design process and
consideration of alternatives, the duty holding company having a defensible risk assessment process.
Parsons Brinckerhoff Ltd Page 32 Final report draft3
PB Power Final Report
A possible outcome is that the consumer would decide to invest in equipment below the duty
of the Is limiter. Again, the consumer would need to have a proper assessment process in
place informed from the duty holder’s own assessment of risk of failure of its Is limiter. Therefore it would be expected that the duty holder will need to provide data to the consumer to allow a full risk assessment to be undertaken by the consumer.
Implications
Clarification was sought from the DTI on this statement. The DTI's view is that the duty holder would
have to be able to demonstrate that they had looked fully at the use of the device and the alternative
options from a risk perspective, and had not justified its use purely on the basis of cost. The DTI
would expect the DNO to pro-actively offer the consumer adequate information.
3.3 Review of IEC 61508 Functional safety ofelectrical/electronic/programmable electronic safety-related systems
The IEC 61508 standard (published as BS EN 61508 by the BSI in the UK) applies to safety related
systems when one or more of such systems incorporate electrical and/or electronic and/or
programmable electronic (E/E/PE) devices. The range of E/E/PE safety related systems to which IEC
61508 applies can include electro-mechanical relays (i.e. electrical), non-programmable solid-state
electronics (i.e. electronic) and programmable electronics. It covers possible hazards caused by
failure of the safety functions to be performed by the E/E/PE safety-related systems, as distinct from
hazards arising from the E/E/PE equipment itself (for example electric shock etc). It is generically
based and applicable to all E/E/PE safety-related systems, irrespective of the application.
The standard is applicable to fault current limiting devices as their detection and logic units are
electrical and electronic devices, and failure of the safety function would give rise to a significant
increase in the risk to the safety of people. In addition, the standard covers possible hazards caused
by failure of the safety-related equipment and is therefore particularly relevant for fault current limiting
devices since their failure to operate is associated with hazardous conditions.
The evidence for this applicability is in IEC 61508-1 clause 1.2, which states that ‘..this standard
a) applies to safety-related systems when one or more of such systems incorporates
electrical/electronic/programmable electronic devices:
b) is generically-based and applicable to all E/E/PE safety-related systems irrespective of the
application;
c) covers possible hazards caused by failures of the safety functions to be performed by E/E/PE
safety related systems.... ’
Parsons Brinckerhoff Ltd Page 33 Final report draft3
PB Power Final Report
IEC 61508 recognises that the consequences of failure could also have serious economic
implications, and in such cases the standard could be used to specify any E/E/PE safety-related
systems used for the protection of equipment or products. Failure of a fault current limiting device
could have significant economic impacts.
The term, ‘safety-related' is used to describe systems that are required to perform a specific function
or functions, to ensure that risks are kept at an acceptable level. Such functions are, by definition,
safety functions. Two types of requirements are necessary to achieve functional safety:
• safety function requirements (what the function does) and
• safety integrity requirements (the likelihood of a safety function being performed
satisfactorily).
The safety function requirements are derived from a hazard analysis and the safety integrity
requirements are derived from a risk assessment. Note that a safety integrity level is a property of a
safety function, rather than of a system or any part of a system. This means that the duty holder has
to determine for every application the appropriate safety functions and the corresponding Safety
Integrity Levels for that application.
IEC 61508 uses a risk based approach to determine the safety integrity requirements of E/E/PE
safety-related systems, but does not require a quantitative risk analysis to be carried out in order to
determine safety integrity levels. However, in our experience most assessments of safety integrity
levels have adopted a quantitative approach to provide sufficient confidence that the safety
requirements are met. This would require the duty holder to set the quantitative safety target
appropriate for their circumstances and this safety target will dictate the reliability that the fault current
limiting device has to achieve for that application. . Such application specific quantitative risk analysis
would be complex, as the assessment has to be appropriate for each application. However, it may be
possible to develop a risk assessment framework or good practice guidelines to simplify the
implementation of IEC 61508 for a defined range of current limiting device applications.
The hazards analysis and risk analysis undertaken as part of the IEC 61508 assessment could be
used to support Regulation 3 of the Management of Health and Safety at Work Regulations 1999.
The IEC 61508 standards allow certain system to be defined as low complexity if the failure modes of
each individual component are well defined and the behaviour of the system under fault conditions
can be completely determined. This allows certain of the requirements to be exempt, provided that
this is justified. The fault current limiting device may be classified as low complexity as it is based on
analogue technology and consists of a relatively small number of components. However, to be
classed as low complexity would require dependable field experience data, to provide the necessary
confidence that the required safety integrity can be achieved.
Parsons Brinckerhoff Ltd Page 34 Final report draft3
PB Power Final Report
The ABB and G&W devices were developed prior to the introduction of the IEC 61508 standard and
therefore these devices would not have been designed against the requirements of IEC 61508.
However it may be possible to use a proven in use argument as an alternative to meeting the design
requirements for dealing with systematic failure causes in IEC 61508. A ‘proven in use' claim relies on
the availability of historical data for both random hardware and systematic failures, and on analytical
techniques and testing, if the previous conditions of use of the subsystem differ in any way from those
which will be experienced in the E/E/PE safety related systems. IEC 61508 requires that:
• the previous conditions of use of the subsystem are the same as, or sufficiently close to,
those which will be experienced in the E/E/PE safety-related system (see 7.4.7.7 of IEC
61508-2);
• if the above conditions of use differ in any way, a demonstration is necessary (using a
combination of appropriate analytical techniques and testing) that the likelihood of unrevealed
systematic faults is low enough to achieve the required safety integrity level of the safety
functions which use the subsystem (see 7.4.7.8 of IEC 61508-2);
• the claimed failure rates have sufficient statistical basis (see 7.4.7.9 of IEC 61508-2);
• failure data collection is adequate (see 7.4.7.10 of IEC 61508-2);
• evidence is assessed taking into account the complexity of the subsystem, the contribution
made by the subsystem to the risk reduction, the consequences associated with a failure of
the subsystem, and the novelty of design (see 7.4.7.11 of IEC 61508-2); and
• the application of the ‘proven in use' subsystem is restricted to those functions and interfaces
of the subsystem that meet the relevant requirements (see 7.4.7.12 of IEC 61508-2).
Therefore the availability and quality of the manufacturers' failure data will be critical to the
successful demonstration of compliance with the IEC 61508 design requirements for dealing with
systematic failure causes and for providing evidence that the devices meet the safety integrity
level requirements.
3.4 Explosive regulations
The fault current limiting devices employ an explosive charge. The type and amount of explosive
charges for the ABB and G&W devices are presented below.
Parsons Brinckerhoff Ltd Page 35 Final report draft3
PB Power Final Report
ABB G&W
Mass of explosive charge
per device<2g 3-16g
UN Class 1 UN Class 1
Classification Hazard Division 1.1 B Hazard Division 1.4B
UN No 0030 UN No 0257
The manufacturers recommend that the user should store one spare set of fault current limiting device
inserts. In practice, most users would keep three spare inserts as most applications are on three
phase systems.
Explosives can normally be stored only in a place registered or licensed under the Explosives Act
1875. The exact types and quantities of explosives which may be kept, and the kind of safety
precautions required, vary according to the category of the storage place. The Act requires the
explosives to be stored in an appropriate category of storage. The amount of explosive within the
spare inserts likely to be stored by users would require the premises to be registered with the Local
Authority. The Local Authority may decide to relax some of these requirements for the users of fault
current limiting devices because of the small amount of explosive involved.
Currently there is a proposal to replace the Explosives Act 1875 with the Manufacture And Storage Of
Explosives Regulations. The intention is that the new regulations would come into force in 2004. The
new regulations retain the fundamental features of the existing framework and it is considered that the
new regulations are unlikely to affect the current duties on the users of fault current limiting devices.
The Control of Explosives Regulations 1991 (COER), enforced mainly by the police, addresses the
security of explosives. The type of explosives used in the ABB and G&W devices, as defined in the
above table, are not exempted by the COER, so the use of these devices would come under these
regulations. One of the main requirements of the COER is an Explosives Certificate, supplied by the
police.
The transport of explosive is controlled by the Carriage of Explosives by Road Regulations 1996.
Explosives must be transported in a vehicle suitable for the safety and security of the explosives being
carried. It is considered that for current limiting devices the amount of explosive will be small and most
vehicles would be suitable. However it is recommended that the driver is separated from the load.
The driver should be provided with appropriate information, instruction and training. Depending on the
Parsons Brinckerhoff Ltd Page 36 Final report draft3
PB Power Final Report
type of explosive being transported the Carriage of Dangerous Goods by Road (Driver Training)
Regulations 1996 may place additional responsibilities on the employer. .
The consignor of any explosive by road needs to ensure that it is transported in the packaging in
which it was classified and labelled in accordance with Classification and Labelling of Explosives
Regulations 1983. In addition, the package is required to comply with the requirements of the
Packaging of Explosive for Carriage Regulations 1991.
3.5 Conclusions
Installing current limiting devices in order to avoid plant being operated beyond its rating will give
some difficulties in complying with UK safety legislation. It should be noted that UK safety legislation is
very different from the legislation used elsewhere in Europe. The problems highlighted by the HSE are
difficult but are possibly surmountable. The problems highlighted by the DTI with the ESQCR could
result in dutyholders being in breach of the regulations and open to prosecution.
The DTI view is that the dutyholder would be in breach of Regulation 3.1a) and Regulation 6 of the
ESQCR if the current limiting device fails to operate. However in this event, if the DTI decided to
investigate and/or prosecute, then the key issues would be the consequences of the failure of the
current limiting device and the mitigating measures taken by the dutyholder. The decision as to
whether there should be an investigation will also depend upon the consequences. The DTI's view is
that the duty holder would have to be able to demonstrate that they had looked fully at the use of the
device and the alternative options from a risk perspective, and had not justified its use purely on the
basis of cost.
A user installing a current limiting device, and other duty holders affected by the installation, could
potentially be in breach of the absolute requirements of Regulations 5 and 11 of the Electricity at Work
Regulations, if there was a failure of the current limiting device, leading to overstressing of other
equipment and danger.
The possibility of using an exemption process under Regulation 30 needs further exploration. This
would require further discussion within the HSE and with the stakeholders. These discussions would
need to identify the extent of any exemption, the criteria which would need to be met for an exemption
to be granted (for example ALARP) and the process for granting an exemption. All of the dutyholders
affected by the installation of the device would need an exemption if the exemption route proved to be
feasible.
Although there is no obligation under the ESQCR for the duty holders to disclose information to
consumers, there is an obligation under the Management of Health & Safety at Work Regulations. It
will be essential for the industry to have a common approach and a common set of guidelines for the
installation of current limiting devices and the exchange of information. As a first step in developing
Parsons Brinckerhoff Ltd Page 37 Final report draft3
PB Power Final Report
the process and guidelines the legal, commercial and safety duties of all parties will need to be
clarified and set out. This will require all parties to take legal advice.
The party who installs a fault current limiting device will need to look beyond their own network when
examining the effect that the device could have, including the consequences of the device failing to
operate when required. Where the DNO installs the device, they will have an obligation to provide all
necessary information to other duty holders who are affected, so that those duty holders can assess
the effect on their networks and the risks resulting. For example their switchgear could also be
overstressed, should the current limiting device fail to operate when required.
When a private network owner or generator developer installs the device, they will have an obligation
to inform the DNO and to provide the information needed by the other duty holders affected. It is
believed that the DNO will then have a responsibility to inform other customers who could be affected.
The DNO will have a duty of care to ensure that their customers understand the issues and have
taken all of the measures that the DNO would have taken in their position. These measures should
include an adequate risk assessment.
The IEC 61508 standard is applicable to fault current limiting devices as they are safety related
systems. In our experience most assessments of safety integrity levels have adopted a quantitative
approach to provide sufficient confidence that the safety requirements are met. This would require
the duty holder to set a quantitative safety target appropriate for their circumstances and this safety
target will dictate the reliability that the fault current limiting device has to achieve for that application.
Such application specific quantitative risk analysis would be complex, as the assessment has to be
appropriate for each application. However, it may be possible to develop a risk assessment
framework or good practice guidelines to simplify the implementation of IEC 61508 for a defined range
of current limiting device applications.
The ABB and G&W devices were developed prior to the introduction of the IEC 61508 standard and
therefore these devices would not have been designed against the requirements of IEC61508.
Therefore the availability and quality of the manufacturers' failure data will be critical to the successful
demonstration of compliance with the IEC 61508 design requirements for dealing with systematic
failure causes and for providing evidence that the devices meet the safety integrity level requirement.
The users of fault current limiting devices would have to comply with the various explosives
regulations as discussed in section 3.1.5. The requirements for registration of the premises, storage
and an explosives certificate should not place a significant burden on the duty holder.
Parsons Brinckerhoff Ltd Page 38 Final report draft3
PB Power Final Report
4 safety management
4.1 Introduction
Certain regulations are ‘absolute', as already identified in Section 3, in general such requirements
must be met, regardless of cost or any other considerations. Other regulations are qualified by the
term ‘reasonably practicable'. This section presents a summary of the main risk assessment
concepts, including ALARP. It also gives an assessment of the applicability and implications of a risk
assessment based on the ALARP approach, given that current compliance is based on the principles
of inherent safety using suitably rated equipment and the use of good practice.
4.2 As Low As Reasonably Practicable (ALARP)
The Health and Safety at Work Act 1974 requires the employers,
to ensure, so far as is reasonably practicable, the health and safety and welfare at work of all
their employees; and
to conduct their undertaking in such a way as to ensure, so as far as reasonably practicable,
that persons not in their employment who may be affected are not thereby exposed to risks to
their health or safety.
These duties are qualified by the principle of “so far as is reasonably practicable” ("SFAIRP") which
allows the duty holder to balance the degree of residual risk against sacrifice of taking the measures
to avoid the risk. HSE considers that duties to ensure health and safety so far as is reasonably
practicable and duties to reduce risks as low as is reasonably practicable ("ALARP") call for the same
set of tests to be applied. The principles and guidance for assessment of compliance with ALARP is
presented in Appendix B.
4.3 Risk Assessment
The Health and Safety at Work Act 1974 supported by the general requirements of the Management
of Health and Safety at Work Regulations 1999 requires an assessment of risk. This places the duties
on the employer to asses the risk and take appropriate measures. This requires the duty holder to
identify hazards, assess the potential harm and evaluate the risk to decide whether existing
precautions are adequate or additional measures is required. The framework for risk evaluation is
presented below.
Parsons Brinckerhoff Ltd Page 39 Final report draft3
PB Power Final Report
4.3.1 Tolerability Of Risk (TOR) Framework
HSE has developed a framework for assessing the tolerability of risk as presented in the ‘Reducing
Risks, Protecting People' document. This is presented in Figure 4.1. Risks can be categorized into
three broad regions. They are:
Unacceptable Risk
Risks in this region (whether for individual or societal risk) are regarded as unacceptable. Hazards
giving rise to risks in this region would, as a matter of principle, be ruled out unless it is can be
modified to reduce the degree of risk so that it falls in one of the region below, or there are exceptional
reasons for it to be retained.
"Tolerable if ALARP" Risk
It is considered that people are prepared to tolerate risks in this region if the nature and level of the
risks are properly assessed and the results are used to determine control measures. Also the
residual risks should not be unduly high and are kept As Low As Reasonably Practicable (ALARP).
The extent of the risk assessment and ALARP demonstration should be proportionate to the level of
risk.
Broadly Acceptable Risk
Risks in this region are generally regarded as insignificant and adequately controlled. Normally no
further actions are required to reduce risks unless reasonable practical measures are available. For
example, for risks in this region the ALARP demonstration may be based on adherence to codes,
standards and established good practice. However, these must be shown to be up-to-date and
relevant to the operations in question.
4.3.2 Tolerability Limits
The TOR framework describe the principle for the evaluation of risks. In order to determine
reasonable practicable measures for any particular hazards, whether the option taken to control risk
is adequate or not depends on where the boundaries are set between the unacceptable, tolerable or
broadly acceptable regions. The tolerability limits for individual risk and societal risk are presented in
Appendix B. These criteria are general guidelines expressed as the total risk exposed to an
individual or from an industrial activity for societal risk. Suitable risk criteria should be developed for
the specific risk assessment to ensure that the total risks are reduced to 'ALARP'.
Parsons Brinckerhoff Ltd Page 40 Final report draft3
PB Power Final Report
UnacceptableRisk reduction
regardless of cost Intolerable
Relevant Good Practice
Risk reduction Measures
Plus
Gross\Disproportion
olerable if ALARP
evant Good Practice
Broadly Acceptable
Figure 4.1 HSE Framework for the Tolerability Of Risk
Parsons Brinckerhoff Ltd Page 41 Final report draft3
PB Power Final Report
4.4 Applicability of ALARP Approach to Current Limiting Devices
An assessment of the ALARP requirement with regard to the implementation of current limiting
devices is presented below using a number of different arguments.
4.4.1 Good Practice argument
Our understanding of the HSE’s view is that there is currently good practice adopted by the industry
for protection from fault current by applying the principle of inherent safety using suitably rated
equipment.
HSE guidance on the use of good practice states where the law requires risks to have been reduced
ALARP, HSE
“does not normally accept a lower standard of protection than would be provided by the application of
current good practice; and
will, where the duty-holder wishes to adopt a different approach to controlling risks, seek assurance
that the risks are no greater than that which would have been achieved through adoption of good
practice and so are ALARP for that different approach. ”
In general, the use of current limiting devices would present a higher safety risk than current good
practice. Therefore the general application and wide spread application of current limiting devices will
be difficult to justify based on the above HSE statement.
4.4.2 Broadly acceptable risk argument
HSE expects that the duty holder to adopt relevant good practice even if the risk is low, even within
the broadly acceptable level. This is illustrated Figure 4.1. Therefore HSE may not accept the
argument for the use of current limiting devices just because the risk is very low, if there is relevant
good practice available that further reduces the risk.
This view is supported by the information in the HSE Reducing Risk Protecting People document
discussion on the application of the Tolerability of Risk framework which aims to lead to control
regimes that improve or at least maintain standards. The document states that:
“Thus when we apply the framework to policy formulation, regulatory development and enforcement
activities, we:
Parsons Brinckerhoff Ltd Page 42 Final report draft3
PB Power Final Report
start with the expectation that those controls should as a minimum, implement authoritative good
practice precautions (or achieve similar standard of prevention/ protection), irrespective of specific risk
estimates. ”
HSE considers authoritative good practice as “those enshrined in prescriptive legislation, Approved
Codes of Practice and guidance produced by Government. We would also consider including as other
sources of good practice, standards produced by Standards-making organisations (eg BS, CEN,
CENELEC, ISO, IEC, ICRP) and guidance agreed by a body representing an industrial or
occupational
sector (eg trade federation, professional institution, sports governing body). Such considerations
would take into account that HSE is a repository of information concerning good engineering,
managerial and organisational practice, and would also include an assessment of the extent to which
these sources had gained general acceptance within the safety movement”.
4.4.3 Proportionality argument
Determination of ALARP requires a comparison of sacrifice and risk. It is considered that risks have
been reduced to ALARP level if the sacrifice in taking the measures is grossly disproportionate to the
benefit to be gained.
proportion factor = Sacrifice
Benefits of risk reduction
Therefore it is possible to conduct a cost benefit analysis for use of current limiting devices. This may
show the proportion factor is very high and this may be interpreted as grossly disproportionate. It may
then be argued that the use of a current limiting device is ALARP.
However, this demonstration is normally made to show that an adequate level of safety has been
adopted and a further safety measure is not justified. Therefore, it is unclear as to whether the
grossly disproportionate principle can be used to retrospectively argue for a level of safety reduced
from that which has been adopted in the past.
4.4.4 Modification of existing plant argument
HSE recognised that reducing the risks from an existing plant ALARP may still result in a level of
residual risk which is higher than that which would be achieved by reducing the risks ALARP in a
similar, new plant.
Parsons Brinckerhoff Ltd Page 43 Final report draft3
PB Power Final Report
Therefore potentially it may be argued from an ALARP point of view, current limiting devices may be
implemented on existing plant where other measures are shown not to be reasonably practicable and
it can be shown that the use of the device is ALARP.
4.4.5 Summary
The arguments shows that from an ALARP point of view (excluding the consideration of the absolute
requirements of the Electricity at Work Regulations) it will not be straight forward to justify the use of
current limiting devices This is based on the assumption that current limiting devices present a higher
risk than the current good practice relating to protection from excessive fault current (for example the
use of adequately rated switchgear).
The argument for the implementation of current limiting devices is likely to be application specific or
for well defined cases. The ALARP assessment would need to address a range of factors, for
example the actual increase in risk, those that are affected, the potential benefits associated with the
use of current limiting devices, alternative options and control measures.
The approach and requirements for such an ALARP assessment, in addition to a ‘suitable and
sufficient' risk assessment, would need to be explored more fully with the HSE. A common approach
and common guidelines to the assessment should be developed.
4.5 Business Implications
Using a risk assessment approach, rather than relying on good engineering practice will represent an
important shift in some parts of the electricity industry. New competences and extensive training in
risk assessment will be required. Training in the maintenance activities associated with current limiting
devices will also be required.
The costs associated with using current limiting devices will therefore not be trivial. Ofgem's key
concern is that the use of the devices should be an efficient solution. Any cost benefit analysis would
therefore need to consider the full range of costs. These will include the following:-
4.5.1.1 Prior to first use
1. Development of common process and guidelines
2. Training DNO planning and design engineers in technology, application principles, guidelines
for use, risk assessments required.
3. Training of DNO maintenance engineers in on-site tests and replacing inserts
Parsons Brinckerhoff Ltd Page 44 Final report draft3
PB Power Final Report
4.5.1.2 For Each Application
4. Determining application design, risk assessment, project management, specification,
procurement
5. Obtaining exemption certificate from HSE
6. Fault current limiters including cubicle, bus extensions, test equipment, manufacturer costs for
installation and commissioning, any costs associated with extending substation building (civil,
any outages required, additional land?) and any costs associated with possible relocation of
existing equipment eg cabling, labour.
The costs of item 6 will depend upon the particular application, the manufacturer, the rating and the
existing equipment. Typically for an 11kV indoor substation, three phase installation, the cost would
be approximately £80,000. This excludes any land or outage costs, but includes for all other items.
4.5.1.3 Operational and Maintenance Costs
1. Bi-annual on-site tests, as per manufacturer guidelines - labour
2. Cost of any outages required during test
3. Cost of replacing/refurbishing inserts after operation. This will depend upon the manufacturer
and rating but will be between £600 and £2,500.
4. Cost of storing inserts
4.5.2 Conclusion
The Boards of the DNO's should be made aware of the business implications of the adoption of
current limiting devices, including the legal issues, the costs and benefits, the competences and
training required for the move from a good practice to a risk assessment approach and the increased
DNO role in co-ordination and information exchange with other parties. A full cost benefit analysis will
be required to establish that the use of current limiting devices is an efficient solution.
Parsons Brinckerhoff Ltd Page 45 Final report draft3
PB Power Final Report
5 consequence assessment
The following sections provide an overview of the consequences of mal-operation affecting a current
limiting device.
5.1 Consequences of Failure to trip
5.1.1 Direct Consequences of mal-operation - Localised effect
The most immediate consequence of a current limiting device failing to trip is the exposure by the
connected switchgear to prospective fault levels higher than rating. This may result in damage and
permanent mechanical failure of the overstressed switchgear.
The overstressed switchgear will be subject to excessive fault energy and abnormally high
electromagnetic forces, and will be unable to operate in accordance with its design, with the resulting
electrical and thermal stress which can sometimes lead to catastrophic failure, i.e. total destruction of
the switchgear. In oil filled switchgear such failures are accompanied by burning gas clouds and oil
mist which can potentially envelop personnel near the switchgear and lead to serious burn injuries,
and can potentially be fatal.
The mechanical failure can also be accompanied by an explosion due to the excessive energy and
high electromagnetic forces. Circuit breakers are designed to direct the products of the explosion
(vaporised metal, gas or oil) through the back of the panel as opposed to the front to reduce risk of
injury to personnel. In the event of such an explosion, however, the circuit would ultimately be
interrupted and the fault current would cease to flow.
However, a circuit breaker will attempt to break the current at its first zero after the trip signal is
received, independently of the magnitude of the fault current. Therefore, the phenomenon that may
occur first is the melting of the contacts during the interval between the fault appearance and the first
useful current zero. The duration of this interval depends on the protection settings controlling the
breaker as well as on thedelays associated with the protection system and the breaker itself.
Depending on whether the switchgear failure results in interruption of the fault current or not (it may
explode and interrupt or just melt and continue to conduct) there might be other associated
consequences.
If the breaker contacts melt and weld together, the fault current will have to be interrupted by another
circuit breaker. In scenario 1) (see section 2.2.3), each of the transformer secondary breakers will see
a portion of the total fault current which is the same as they would see for a fault on their side of the
busbar with the busbar open, and which is therefore within their respective rating. Each breaker will
Parsons Brinckerhoff Ltd Page 46 Final report draft3
PB Power Final Report
interrupt its fault infeed and the busbar will be isolated, with loss of power supply to all loads
connected to the busbar.
Similar sequences of events can be envisaged for scenarios 2) and 3), where the feeder breaker
would fail and the remaining breakers would be able to interrupt their contribution to the fault.
It is also possible that mechanical failure (explosion) of one item of switchgear will lead to electrical
and/or mechanical failure of the switchboard that it is part of. It could also damage or destroy the
busbar which it connects to. Again, the busbar would be lost and hence the supply to its loads.
5.1.2 Direct Consequences of mal-operation -Effects on the wider network
Even if the fault current is eventually interrupted as a result of the mechanical separation of the circuit
breaker contacts, it can be envisaged that the fault interruption process may have taken longer than it
would have under correct operation of the switchgear. The excessive thermal let-through has the
potential of transferring thermal and electromechanical stress to other active elements of plant located
upstream of the fault point (e.g. transformers, generators). However, the circuit breakers dedicated to
these items of plant will in general be subjected to current values which are within their respective
ratings.
The installation of an additional primary transformer (scenarios 1) and 2)) or of a local generator
(scenario 3)) with the fault limiting device, carries the risk of increasing the fault level at all
switchboards supplied by the primary substation if the device fails to operate correctly. The increase
in fault level at downstream substations may or may not take the prospective fault level following
failure of the limiting device above switchgear ratings at the downstream locations. This cannot be
predicted in general and would need to be assessed for the specific application. It will be important
that the owner of the fault current limiting device provides the fault level data to the owners of
downstream equipment.
Depending on the fault level values at the primary and at the downstream switchboards, the possibility
exists that the let through current for which the limiter is set to not operate may take downstream
switchboards above rating even with correct operation. If, for example, the primary switchgear is
rated at 21 kA and the additional transformer increases the prospective fault level from 15 kA to
30 kA, the limiter may be set to let through 5 kA before tripping to avoid spurious tripping (20 kA
prospective fault level). If a downstream switchboard is rated at 16 kA with an original fault level of 13
kA, the insertion of the additional primary transformer may result in a 4 kA increase (due to the 5 kA
let through), hence above rating. The specific case will have to be evaluated.
A downstream fault may result in failure of switchgear in the same way described above for the
primary feeder breaker when the limiting device fails to trip.
Parsons Brinckerhoff Ltd Page 47 Final report draft3
PB Power Final Report
5.1.3 Indirect consequences
• From the above analysis it is clear that the failure of an overstressed feeder breaker will result
in unnecessary loss of supply to healthy circuits.
• The reputation of the DNO will be affected by both the switchgear failure and by the loss of
supply to customers.
• The DNO's ability to meet its IIP targets for Customer Minutes Lost and Customer
interruptions could be affected
5.2 Spurious tripping
Spurious tripping may occur as a result of incorrect design of the application and/or setting of the
current limiting device. In all events, a spurious trip will result in unnecessary maintenance and costs
associated with the replacement of the triggering elements (charge and fuse) and with the use of
spare parts.
Other consequences of spurious tripping are related to the application. A spurious trip on scenario 1)
may not yield any load disruption if both transformers are in operation and the busbar is subject to
relatively small current flow at the time of the trip. The trip would split the busbar but each transformer
would continue to supply its own loads. If, on the other hand, only one transformer were in operation
supplying all loads (e.g. during maintenance of the other unit), the spurious trip would result in loss of
half of the busbar and its loads. This could be avoided if the system is configured in a way such that
when only one transformer is connected, the fault current limiting device is disabled.
A trip in scenario 2) would open the transformer circuit and that source of supply would be lost. Loss
of supply is therefore inevitable in this case. Scenario 3) is envisaged to be the most likely to incur
spurious tripping as it requires relatively low pick-up settings in order to detect fault contributions of
embedded generator. Spurious tripping would result in an unnecessary disconnection of the
generator from the network.
It is assumed that the network operator does not rely on the generator output to supply its loads and
therefore that the disconnection of the generator does not result in loss of supply to customers.
It is also assumed that connection of the local generator will be allowed by the DNO only on the basis
that sudden, unplanned connection or disconnection of the generator, is not associated with
excessive voltage steps at the DNO's primary terminals and at customers' low voltage terminals.
On this basis, from a DNO prospective, spurious trips affecting scenario 3) will have little impact on
the operation of the distribution network and should have an effect similar to that of generator
connection/disconnections.
Parsons Brinckerhoff Ltd Page 48 Final report draft3
PB Power Final Report
6 control measures
A number of control measures may be put in place in order to reduce the risk and mitigate the
consequences of failure of a fault current limiting device. Best practice can be obtained from a
number of HSE publications, for example HSE information document HSE 483/27 ‘Oil-filled
Distribution and other Switchgear'.
One useful control measure will be to develop a set of guidelines for users of the devices, covering
how and where fault current limiting devices should be implemented. These instructions would assist
the process of achieving a new system of good practice for the devices within the industry.
Duplication could be considered, namely installing two devices in series or parallel, with an
appropriate degree of component diversity where suitable. On resistance earthed systems there is
already some redundancy (see section 2.2.4). The increased number of devices would reduce the
impact of failure of one device.
Intertripping to circuit breakers further up the electrical system should also be considered, provided
that these circuit breakers are operating within their fault ratings. This will reduce the period for which
the switchgear is overstressed.
A management system should be kept in place for the current limiting device, so as to assist safe
operation and minimise the risk of failure. The following should be considered:
- an appropriate system of records;
- policies and procedures covering the installation, commissioning, operation, maintenance
and removal of the equipment;
- definitions of responsibilities and training requirements for staff;
- an auditing regime to monitor and maintain the effectiveness of procedures.
Inspection, maintenance and test of the device and its environment should be performed regularly and
in accordance with the manufacturer's instructions.
Measures to control and mitigate the effect of fire and smoke spread are available and can be used
singularly or in combination. Compartmentation can be employed which consists of separating
substation plant items by fire-resisting barriers to limit the extent of any fire to the item affected.
Attention must be paid not to inhibit any venting that may be required to safeguard against explosion.
Fire-extinguishing systems can be employed based on extinguishing mediums such as halon and
carbon dioxide. Halon has some environmental implications but its use may be necessary in areas
Parsons Brinckerhoff Ltd Page 49 Final report draft3
PB Power Final Report
where fire hazards are particularly severe and could affect adjacent plant. These systems require the
flooding of fire compartments and often are arranged to operate automatically on detection of fire.
Secure measures to make the system non-automatic should be made available for use by personnel
before entering the protected area. Suitable warning notices and instructions should be prominently
displayed at the points of access to the area. These instructions should also be included in the safety
rules.
Parsons Brinckerhoff Ltd Page 50 Final report draft3
PB Power Final Report
7 conclusions
Installing current limiting devices in order to avoid plant being operated beyond its rating will give
some difficulties in complying with UK safety legislation. It should be noted that UK safety legislation is
very different from the legislation used elsewhere in Europe. The problems highlighted by the HSE are
difficult but are possibly surmountable. The problems highlighted by the DTI with the ESQCR could
result in dutyholders being in breach of the regulations and open to prosecution.
The DTI view is that the dutyholder would be in breach of Regulation 3.1a) and Regulation 6 of the
ESQCR if the current limiting device fails to operate. However in this event, if the DTI decided to
investigate and/or prosecute, then the key issues would be the consequences of the failure of the
current limiting device and the mitigating measures taken by the dutyholder. The decision as to
whether there should be an investigation will also depend upon the consequences.
A user installing a current limiting device, and other duty holders affected by the installation, could
potentially be in breach of the absolute requirements of Regulations 5 and 11 of the Electricity at Work
Regulations, if there was a failure of the current limiting device, leading to overstressing of other
equipment and danger.
The possibility of using an exemption process under Regulation 30 needs further exploration. This
would require further discussion within the HSE and with the stakeholders. These discussions would
need to identify the extent of any exemption, the criteria which would need to be met for an exemption
to be granted (for example ALARP) and the process for granting an exemption. All of the dutyholders
affected by the installation of the device would need an exemption if the exemption route proved to be
feasible.
The arguments shows that from an ALARP point of view (excluding the consideration of the absolute
requirements of the Electricity at Work Regulations) it will not be straight forward to justify the use of
current limiting devices This is based on the assumption that current limiting devices present a higher
risk than the current good practice relating to protection from excessive fault current (for example the
use of adequately rated switchgear).
The argument for the implementation of current limiting devices is likely to be application specific or
for well defined cases. The ALARP assessment would need to address a range of factors, for
example the actual increase in risk, those that are affected, the potential benefits associated with the
use of current limiting devices, alternative options and control measures. The approach and
requirements for such an ALARP assessment, in addition to a ‘suitable and sufficient' risk
assessment, would need to be explored more fully with the HSE. A common approach and common
guidelines to the assessment should be developed.
Parsons Brinckerhoff Ltd Page 51 Final report draft3
PB Power Final Report
Although there is no obligation under the ESQCR for the duty holders to disclose information to
consumers, there is an obligation under the Management of Health & Safety at Work Regulations. It
will be essential for the industry to have a common approach and a common set of guidelines for the
installation of current limiting devices and the exchange of information. As a first step in developing
the process and guidelines the legal, commercial and safety duties of all parties will need to be
clarified and set out. This will require all parties to take legal advice.
The operational information provided by the manufacturers is not sufficient to carry out a suitable
reliability assessment. The information on the reliability of the current limiting device is critical for any
future safety assessment. Ideally this should be based on historical data, and it is recommended that
the manufacturers should critically review their operational data and consider the collection of
additional data to support any future safety assessment. This will also be critical to the successful
demonstration of compliance with the IEC 61508 design requirements for dealing with systematic
failure causes and for providing evidence that the devices meet the safety integrity level requirements.
Using a risk assessment approach, rather than relying on good engineering practice will represent an
important shift in some parts of the electricity industry. New competences and extensive training in
risk assessment will be required. Training in the maintenance activities associated with current limiting
devices will also be required. The costs associated with using current limiting devices will therefore
not be trivial. Ofgem's key concern is that the use of the devices should be an efficient solution. A full
cost benefit analysis will be required to establish that the use of current limiting devices is an efficient
solution.
The Boards of the DNO's should be made aware of the business implications of the adoption of
current limiting devices, including the legal issues, the costs and benefits, the competences and
training required for the move from a good practice to a risk assessment approach and the increased
DNO role in co-ordination and information exchange with other parties.
Parsons Brinckerhoff Ltd Page 52 Final report draft3
PB Power Final Report
8 recommendations
The following recommendations are made:-
• WS3 should explore further with the DTI the DTI view that dutyholders would be in breach of the
ESQCR if the current limiting device fails to operate when it has been installed in order to avoid
plant being operated beyond its rating
• the HSE exemption route should be explored further by WS3. Discussions should be held with the
HSE to identify the extent of any exemption, the criteria which would need to be met for an
exemption to be granted (for example ALARP) and the process for granting an exemption.
• a common approach and a common set of guidelines on how to carry out the risk assessment
and cost-benefit analysis necessary to support the installation of current limiting devices should
be developed. As a first step in developing the process and guidelines all parties should take legal
advice in order to clarify their legal, commercial and safety duties. The guidelines should cover:-
• Appropriate applications and limitations on use of the device
• The requirements, including the risk assessment approach, to meet UK safety legislation
• Requirements for information exchange with other parties
• Approach to cost-benefit analysis to meet Ofgem cost efficiency requirements
• The process required for correct application and setting (including failure analysis, assurance of the assessment by the manufacturer and compliance with IEC 61508)
• Recommendations on redundancy when used on solidly earthed systems
• Recommendations on testing regime
• One or more pilot projects should be used to help develop the guidelines and inform the legal
position.
• The Boards of the DNO's should be made aware of the business implications of the adoption of
current limiting devices, including the legal issues, the competences and training required for the
move from a good practice to a risk assessment approach and the increased DNO role in co
ordination and information exchange with other parties.
• The manufacturers should critically review their operational data and consider the collection of
additional data to support any future safety assessment. This will also be critical to the successful
future demonstration of compliance with the IEC 61508 design requirements.
Parsons Brinckerhoff Ltd Page 53 Final report draft3
PB Power Final Report
appendix a
list of abbreviations and references
Parsons Brinckerhoff Ltd Page 54 Final report Graft3 54
PB Power Final Report
abbreviations
ALARP As Low as Reasonably Practicable
CLiP Current Limiting Protection
DGCG Distributed Generation Co-ordinating Group
DNO’s Distribution Network Operators
ESQCR Electricity Safety, Quality and Continuity Regulations
FMECA Failure Mode, Effects and Criticality Analysis
HASWA Health and Safety at Work Act
HAZOP Hazard and Operability Study
OFGEM Office of Gas and Electricity Markets
PAF Power Assisted Fuse
WS3 Work Stream 3
Parsons Brinckerhoff Ltd Page 55 Final report draft3
PB Power Final Report
appendix b
RISK MANAGEMENT AND ALARP BACKGROUND READING
Parsons Brinckerhoff Ltd Page 56 Final report draft3
PB Power Final Report
HSE Tolerability Limits
The tolerability of risk framework discussed in Section 4 presents the principles for assessing the
acceptability of risk. For specific risk assessment, the boundaries of unacceptable, tolerable and the
broadly acceptable regions need to be defined. This section presents the general HSE tolerability
limits guidelines. The criteria shown are the total risk that workers and the public are exposed.
Therefore for specific risk assessment these criteria need to be adapted to take account of the
specific circumstances.
Risk to people can be expressed in two complementary forms:
• Individual risk - the risk experienced by an individual person
• Societal risk - the total risk experienced by the whole group of people exposed to the
hazards.
Both individual risk and societal risk criteria are presented for completeness. The concept of individual
risk is well defined and understood, with precise safety criteria for the assessment of acceptability.
The concept of societal risk is complex and ill defined. However both individual and societal risk can
be assessed.
UK HSE indicates that an individual risk of death of one in a million (1x10-6) per annum for both
workers and the public corresponds to a very low level of risk, and should be used as a guideline for
the boundary between the broadly acceptable and tolerable regions. HSE suggests that an individual
risk of death of one in a thousand per annum should represent the dividing line between what could
be just tolerable for any substantial category of workers for any large part of a working life, and what is
unacceptable for any but fairly exceptional groups. For members of the public who have a risk
imposed on them ‘in the wider interest of society' this limit is judged to be an order of magnitude
lower, at 1 in 10000 per annum. These risks are represented in Figure B1.
The assessment and evaluation of societal risk is complex and difficult. There are no well-defined
acceptable criteria for societal risk. The HSE has cautiously provided some limited guidance. It
proposed that accidents causing the death of 50 people or more in a single event should be regarded
as intolerable if the frequency is estimated to be more than one in five thousand per annum. This
criterion has been developed by Hirst (2002) into an F-N plot (as shown in Figure B2) defining the
three regions within which the risks are categorised as “unacceptable”, “tolerable” and “broadly
acceptable”. The F-N plots show societal risk in the form of the relationship between the cumulative
frequency and the number of fatalities. Societal risk may also be presented as an annual fatality rate
(AFR) in which the frequency and fatality data is combined into a convenient single measure. The
AFR is the long-term average number of expected fatalities per year.
Parsons Brinckerhoff Ltd Page 57 Final report draft3
PB Power Final Report
Unacceptable
1x1 O'3 (Worker) 1x10"4 (Public)
Tolerable if ALARP
Broadly Acceptable
Figure B1 HSE Individual Risk Criteria
Parsons Brinckerhoff Ltd Page 58 Final report draft3
PB Power Final Report
ro
0)Q.
ZC0)3O"0)
c0)
"D"u
oro0)>%3E3o
1x10-2
1x10-3
Unacceptable1x10-4
Tolerable1x10-5
1x10-6 Broadly Acceptable
100 1000 10000
Number of fatalities
Figure B2 HSE Tolerability of Societal Risk Presented as an F-N plots
Parsons Brinckerhoff Ltd Page 59 Final report draft3
PB Power Final Report
As Low As Reasonably Practicable (ALARP)
The section presents the interpretation of “as low as is reasonably practicable” (ALARP) and some of
the issues associated with ALARP as provided by Health and Safety Executive guidance. However,
ultimately it is for the Courts to decide whether or not duty-holders have complied with the law.
SFAIRP’ and ‘ALARP’
In terms of what they require of duty-holders, HSE considers that duties to ensure health and safety
so far as is reasonably practicable (“SFAIRP”) and duties to reduce risks as low as is reasonably
practicable (“ALARP”) call for the same set of tests to be applied. However, SFAIRP and ALARP are
not always interchangeable because legal proceedings will have to employ (for example, in
complaints or information) the particular term cited in the relevant legislation.
Determining that risk has been reduced ALARP
ALARP guidance is largely based on the key case of Edwards v. The National Coal Board. In that
case, the Court of Appeal held that -
, "... in every case, it is the risk that has to be weighed against the measures necessary to eliminate
the risk. The greater the risk, no doubt, the less will be the weight to be given to the factor of cost. ”
and
“’Reasonably practicable’ is a narrower term than ‘physically possible’ and seems to me to imply that
a computation must be made by the owner in which the quantum of risk is placed on one scale and
the sacrifice involved in the measures necessary for averting the risk (whether in money, time or
trouble) is placed in the other, and that, if it be shown that there is a gross disproportion between them
- the risk being insignificant in relation to the sacrifice - the defendants discharge the onus on them. ”
Thus, determining that risks have been reduced ALARP involves an assessment of the risk to be
avoided, of the sacrifice (in money, time and trouble) involved in taking measures to avoid that risk,
and a comparison of the two.
This process can involve varying degrees of rigour which will depend on the nature of the hazard, the
extent of the risk and the control measures to be adopted. The more systematic the approach, the
more rigorous and more transparent it is to the regulator and other interested parties. However, duty-
holders (and the regulator) should not be overburdened if such rigour is not warranted. The greater
the initial level of risk under consideration, the greater the degree of rigour HSE requires of the
arguments purporting to show that those risks have been reduced ALARP.
Parsons Brinckerhoff Ltd Page 60 Final report draft3
PB Power Final Report
Risk
The assessment of risk is confined to those matters with which the legislation in question is
concerned. It is risks to health, safety and welfare that are covered by the Health and Safety at Work
Act 1974, and its subordinate legislation such as the Management of Health and Safety at Work
Regulations 1999.
Other legislation for which HSE is responsible may include other risks, such as the Control of Major
Accident Hazards Regulations 1999 (COMAH) which include environmental risks. Requirements for
environmental protection may constrain the options available to duty-holders for controlling health and
safety risks.
The risks must be only those over which duty-holders can exercise control or mitigate the
consequences through the conduct of their undertaking. Some risks arise from external events or
circumstances over which the duty-holder has no control, but whose consequences duty-holder can
mitigate. Such risks should be included in the assessment.
In any given workplace there would be a large number of hazards which duty-holders could address.
HSE will not expect them to take account of hazards other than those which are a reasonably
foreseeable cause of harm, taking account of reasonably foreseeable events and behaviour.
The risk will be not only to the duty-holders' employees but may also affect other workers and
members of the public, including the local community which would be affected by an accident or
incident such as an explosion on site.
Risk should be assessed in relation to a hypothetical person, eg. the person most exposed to the
hazard, or a person living at some fixed point or with some assumed pattern of life, such as a person
who is in good health and works exactly forty hours a week with the hazard, or a child present
continuously in a house sited at the closest point to a major hazard. To ensure that all significant risks
for a particular hazard are covered, it may be necessary to construct a number of hypothetical
persons, to cover the different populations exposed, such as ‘a person who is in good health', ‘young
persons'.
The actual persons who are to be exposed to the risk will have to be considered when the control
measures determined via risk assessment are applied in practice because these measures may need
to be adapted to meet the particular abilities of these persons, for example, their ability to read
instructions, or whether they are colour-blind.
Risks should be assessed in an integrated manner by duty-holders. It is important that duty-holders
consider the 'full picture' when assessing risk and not a partial view from considering hazards in
isolation, or in a slice of time, or location by location rather than across the whole system.
Parsons Brinckerhoff Ltd Page 61 Final report draft3
PB Power Final Report
Location by location consideration of risks should however be carried out to determine whether, even
if application of a control measure system-wide would be ruled out on the grounds of excessive costs,
application is reasonably practicable in certain locations, such as those that present a particularly high
risk and/or low cost.
Sacrifice
The sacrifice under consideration here is that which would be incurred by duty-holders as a
consequence of their taking measures to avert or reduce the risks identified. In the Edwards case,
Asquith LJ referred to the sacrifice in terms of money, time or trouble. These costs which should be
considered are only those which are necessary and sufficient to implement the measures to reduce
risk.
For any particular measure, these might include the cost of installation, operation, and maintenance,
and the costs due to any consequent productivity losses resulting directly from the introduction of the
measure (for example, a new guard may cause a machine to operate less efficiently).
Temporary shutdown costs incurred during implementation must be included since these clearly
constitute part of the duty-holders' 'sacrifice'. HSE will expect duty-holders to take full advantage of
opportunities to reduce shutdown costs to a minimum, such as implementing control measures during
planned maintenance. It may be reasonably practicable to implement control measures during
shutdown for planned maintenance, even though not to shut down solely to implement control
measures.
Individual duty-holders' ability to afford a control measure or the financial viability of a particular
project is not a legitimate factor in the assessment of its costs. HSE must present duty-holders with a
level playing field. Thus HSE cannot take into account the size and financial position of the duty-
holder when making judgements on whether risks have been reduced ALARP.
Benefits gained by duty-holders as a result of their instituting a health and safety measure should be
offset against the costs they incur.
Comparison
The basis on which comparison is made is provided by the Edwards case: the test of 'gross
disproportion'. In any assessment as to whether risks have been reduced ALARP, measures to
reduce risk can be ruled out only if the sacrifice involved in taking them would be grossly
disproportionate to the benefits of the risk reduction.
That gross disproportion is required before a measure can be ruled out on the grounds of sacrifice
can be interpreted as applying a bias on the side of safety. From the statement of Tucker LJ, that -
Parsons Brinckerhoff Ltd Page 62 Final report draft3
PB Power Final Report
“The greater the risk, no doubt, the less will be the weight to be given to the factor of cost",
we believe that the greater the risk, the more that should be spent in reducing it, and the greater the
bias on the side of safety. This can be represented by a 'proportion factor', indicating the maximum
level of sacrifice that can be borne without it being judged 'grossly disproportionate' -
sacrifice
benefits of risk reduction
Although there is no authoritative case law which considers the question, we believe it is right that the
greater the risk: the higher the proportion may be before being considered ‘gross'. But the
disproportion must always be gross.
HSE has not formulated an algorithm which can be used to determine the proportion factor for a given
level of risk. The extent of the bias must be argued in the light of all the circumstances. It may be
possible to come to a view in particular circumstances by examining what factor has been applied in
comparable circumstances elsewhere to that kind of hazard or in that particular industry.
Taking greater account of the benefits as the risk increases also compensates to some extent for
imprecision in the comparison of costs and the benefits. It again errs on the side of safety, since the
consequences of the imprecision have greater impact, in terms of the degree of unanticipated death
and injury, as the level of risk rises.
In measuring the risk to be reduced, and the sacrifice involved in measures to achieve that reduction,
the starting point should be the present situation. If there are several options, therefore, they should
each be considered as against the present situation.
In some situations, it will not be possible to assess options in this way. For example, where an
installation is being built, it will not be possible to separate the costs of risk reduction measures from
the costs of building. In such situations, the starting point should be an option which is known to be
reasonably practicable (such as one which represents existing good practice). Any other options
should be considered as against that starting point, to determine whether further risk reduction
measures are reasonably practicable.
Societal Concerns
Societal concerns can arise when the realisation of a risk impacts on society as a whole. The impact
may produce an adverse socio-political response (which has its origins in the public aversion to
certain characteristics of the hazards concerned). The harm which results is a loss of confidence by
society in the provisions and arrangements in place for protecting people and, consequently, a loss of
Parsons Brinckerhoff Ltd Page 63 Final report draft3
PB Power Final Report
trust in the regulator and duty-holders with respect to control of the particular hazard and hazards
more generally.
This might arise where large numbers of people are killed at one time (which we call “societal risk”),
where potential victims are particularly vulnerable (such as children), or where the nature of the risks
inspire dread (such as long-term or irreversible effects).
There is no guidance from the courts as to whether societal concerns should be taken into account by
duty holders in deciding what is grossly disproportionate. In deciding whether to propose regulations,
or in setting enforcement priorities, the HSC considers that risk and sacrifice must be assessed in its
social context. As well as taking account of individual risk, the HSC considers societal concerns.
We believe it is right that, in all cases, the judgment as to whether measures are grossly
disproportionate should reflect societal risk, that is to say, large numbers of people (employees or the
public) being killed at one go. This is because society has a greater aversion to an accident killing 10
people than to 10 accidents killing one person each.
Where the HSC considers that duty-holders should take other societal concerns into account,
Regulations, ACoPs or other HSE guidance will state how duty-holders should take such concerns
into account and what those concerns are.
Transfer of Risks
Introduction of a health and safety measure to control a hazard may transfer risk to other employees
or members of the public.
If the transferred risk arises from the same hazard, then it should be offset against the benefit from the
measure under consideration. For example, the introduction of mechanical exhaust ventilation may
transfer the risk from the same hazard (fumes) from the employee to the general public as the fumes
are pumped outside the workplace. The added risk to the public should be offset against the benefits
the measure otherwise brings to employees.
If the transferred risk arises from a different hazard, it should be treated as a separate matter for
which control measures must be introduced to reduce its risk ALARP. For example, providing scaffold
fans to protect members of the public from being struck by objects dropped from the scaffold will
transfer some of the risk from the public to the scaffolders involved in erecting the fans. Since a
different hazard is involved (ie. scaffolders falling from a height), the fans should be provided to
reduce the risks to the public ALARP, but at the same time, the duty holder must ensure that the risks
of the scaffolders' working methods are reduced ALARP. However, if the risks from the health and
safety measure to be introduced (in this example, scaffolding fans) when properly controlled are still
greater than the risks which it is sought to prevent (injury to members of the public) when properly
controlled, the measure should not be introduced.
Parsons Brinckerhoff Ltd Page 64 Final report draft3
PB Power Final Report
Changed Circumstances
Duty-holders may wish to alter the conditions in which equipment is operated or to relax or otherwise
alter some or all control measures in response to changed circumstances. This is permissible
provided that the altered control measures continue to ensure that risks are reduced ALARP.
Good Practice
The determination of control measures forms part of the statutory risk assessment duty-holders are
required to undertake. Such assessments involve duty-holders identifying the hazards in their
workplace, determining who might be harmed and how; evaluating the risk from the hazards and
deciding whether the existing control measures are sufficient or whether more should be done.
In reality, there is often only a limited number of options for dealing with a particular health and safety
issue and the optimum option is in many cases likely to have been already established as relevant
good practice accepted by HSE as reducing risks ALARP. Often HSE staff will be able to rely on
authoritative documented sources of good practice, such as HSC AcoPs and HSE Guidance, on legal
standards which require risks to be reduced ALARP.
HSE staff should ensure that duty-holders are using good practice which is appropriate to their
activities, relevant to the risks from their undertaking, and covering all the risks from that undertaking.
Such documents may only deal with some of the risks which the duty-holder must consider. Good
practice which covers all the risks which a duty-holder must address in order to reduce risks ALARP
may not be available, and this is particularly likely to be so for major investments in safety measures
or where hazards are regulated through safety case regimes.
A universal practice in the industry may not necessarily be good practice or reduce risks ALARP. Duty
holders should not assume that it is. HSE must keep its acceptance of good practice under review
since it may cease to be relevant with the passage of time; new legislation may make it no longer
acceptable; new technology may make a higher standard REASONABLY PRACTICABLE. Similarly
HSE expects duty-holders to keep relevant good practice under review.
Probably the majority of judgements made by HSE involves it in comparing duty-holders' actual or
proposed practice against RELEVANT GOOD PRACTICE. Relevant good practice provides duty-
holders with generic advice for controlling the risk from a hazard. In so far as they can adopt relevant
good practice, this relieves duty-holders of the need (but not the legal duty) to take explicit account of
individual risk, costs, technical feasibility and the acceptability of residual risk, since these will also
have been considered when the good practice was established.
Parsons Brinckerhoff Ltd Page 65 Final report draft3
PB Power Final Report
In practice therefore, explicit evaluations of risk rarely need to be made in relation to day-to-day
hazards. However, duty-holders have to make them where there is no relevant good practice
establishing clearly what control measures are required.
HSE guidance on the use of good practices is provided in Appendix C.
Choosing Between Options
A selection amongst options may be needed at any stage of a particular project: at the design stage,
involving choice between different design concepts for the whole project, and, as the project is
developed, between more detailed options. In making these options, duty-holders must consider the
risks involved in the whole life-cycle of a project.
At the design stage, where safety cases or plans are required to be submitted to HSE, HSE will
assess the option which duty-holders put before it, but where that option does not reduce risks
ALARP, HSE may reject a safety case, ask duty holders to consider a different option, or use its
enforcement powers to prevent further work (depending on the situation in question). HSE will make
its judgement as to whether the design presented to it reduces risks ALARP based on its knowledge
as a regulator, including its knowledge of good practice in that area, and its knowledge of other
possible design options. Where the option put forward does not reduce risks ALARP, HSE may
intervene according to the situation in question - for example, to prevent further work or to inform the
duty-holder of its opinion.
The reason for the design chosen will be a relevant factor in considering what it is reasonably
practicable to do. Depending on the particular legal context and the circumstances in question, where
the very essence or ethos of the business could not be achieved without following the design
suggested, then HSE could not reject the option so as to prevent the undertaking proceeding. The
question would be how to reduce the risks of that option ALARP. But such situations will be rare. In
most cases, there will be several options for achieving the essence of the business in question.
At a more detailed level, HSE would consider judgements as to whether risks are or will be controlled
ALARP as central to deciding between options, though again the reason for the option chosen may
still be a relevant factor. For example, HSE may have to accept a process using intrinsically more
dangerous components since only these components will provide the products essential to the duty-
holder's undertaking.
In practice, duty-holders may have a number of options where an assessment would show that costs
are not grossly disproportionate. The option, or combination of options which achieves the lowest
level of residual risk should be implemented, provided grossly disproportionate costs are not incurred.
The legal requirement to reduce risks as low as is reasonably practicable rules out HSE accepting a
less protected but significantly cheaper option.
Parsons Brinckerhoff Ltd Page 66 Final report draft3
PB Power Final Report
New Versus Existing Plant
It should be borne in mind that reducing the risks from an existing plant ALARP may still result in a
level of residual risk which is higher than that which would be achieved by reducing the risks ALARP
in a similar, new plant. Factors which could lead to this difference include the practicability of
retrofitting a measure on an existing plant, the extra cost of retrofitting measures compared to
designing them in on the new plant, the risks involved in installation of the retrofitted measure (which
must be weighed against the benefits it provides after installation) and the projected lifetime of the
existing plant.
All this may mean, for example, that it is not reasonably practicable to apply retrospectively to existing
plant, what may be demanded by reducing risks ALARP for a new plant (and what may have become
good practice for every new plant).
Parsons Brinckerhoff Ltd Page 67 Final report draft3
PB Power Final Report
APPENDIX C
HSE GUIDANCE ON ASSESSING COMPLIANCE WITH THE LAW IN INDIVIDUAL
CASES AND THE USE OF GOOD PRACTICE
Parsons Brinckerhoff Ltd Page 68 Final report draft3
PB Power Final Report
HSE Guidance On Assessing Compliance With The Law In Individual Cases And The
Use Of Good Practice
1. SCOPE
1.1 The Health and Safety Executive is responsible for making adequate arrangements for the
enforcement of health and safety legislation in the UK. In fulfilment of its duty, the Executive provides
guidance to its regulatory staff who have to judge whether measures put in place, or proposed, by
those who are under a duty to control and reduce risks “as low as reasonably practicable” (ALARP),
are acceptable.
1.2 This document provides guidance on what constitutes good practice and on how relevant
application of good practice contributes to the duty to reduce risks ‘so far as is reasonably practicable'
(SFAIRP) or demonstrate that risks have been reduced ALARP. It complements, ‘Principles and
Guidelines to assist HSE in its judgements that duty-holders have reduced risk as low as reasonably
practicable'' and “Policy and guidance on reducing risks as low as reasonably practicable in Design”.
Together, these three documents have been issued as guidance in support of the HSE document
“Reducing Risks, Protecting People” (R2P2).
2. DEFINITIONS
2.1 Good Practice:
Within HSE and in this document, good practice is the generic term for those standards for controlling risk which have been judged and recognised by HSE as satisfying the law when applied to a particular relevant case in an appropriate manner.
Explanatory notes to the definition.
a. Written good practice may take many forms. The scope and detail of good practice will reflect the
nature of the hazards and risks, the complexity of the activity or process and the nature of the
relevant legal requirements.
b. Sources of written, recognised good practice include:
(i) HSC Approved Codes of Practice (ACoPs);
(ii) HSE Guidance;
NB: ACoPs give advice on how to comply with the law; they represent good practice and have a
special legal status. If duty-holders are prosecuted for a breach of health and safety law and it is
proved that they have not followed the relevant provisions of the ACoP, a court will find them at
Parsons Brinckerhoff Ltd Page 69 Final report draft3
PB Power Final Report
fault unless they can show that they have complied with the law in some other way. Following the
advice in an ACoP, on the specific matters on which it gives advice, is enough to comply with the
law.
c. Other written sources which may be recognised include:
(iii) guidance produced by other government departments;
(iv) Standards produced by Standards-making organisations (e.g. BS, CEN, CENELEC, ISO,
IEC);
(v) guidance agreed by a body (e.g. trade federation, professional institution, sports governing
body) representing an industrial/occupational sector.
d. Other, unwritten, sources of good practice may be recognised if they satisfy the necessary
conditions (see ‘Policy - identifying good practice' below), e.g. the well- defined and established
standard practice adopted by an industrial/occupational sector.
e. Good practice may change over time because, for example, of technological innovation which
improves the degree of control (which may provide potential to increase the use of elimination
and of engineering controls), cost changes (which may mean that the cost of controls decreases)
or because of changes in management practices.
f. Good practice may also change because of increased knowledge about the hazard and/or a
change in the acceptability of the level of risk control achieved by the existing good practice.
g. In the definition of good practice, ‘law' refers to that law applicable to the situation in question;
such law may set absolute standards or its requirements may be qualified in some way, for
example, by ‘practicability' or ‘reasonable practicability'.
h. ‘Good practice', as understood and used by HSE, can be distinguished from the term ‘best
practice' which usually means a standard of risk control above the legal minimum.
3. POLICY
Overall approach
3.1 In support of the following policy, HSE:
(a) provides guidance to inspectors on the law, its interpretation by the courts, and on good
practice;
Parsons Brinckerhoff Ltd Page 70 Final report draft3
PB Power Final Report
(b) maintains mechanisms to guide the exercise of inspector discretion in order to promote
consistency in assessing compliance and deciding on a proportionate response.
3.2 In securing compliance with the law in accordance with the HSC Enforcement Policy principles of
proportionality, consistency, targeting, transparency and accountability, HSE inspectors take account
of the legal interpretations given in statute, relevant case law and the guidance in ‘Principles and
Guidelines to assist HSE in its judgements that duty-holders have reduced risk as low as reasonably
practicable' which contains specific advice on the application of good practice.
Use of good practice
3.3 To promote effective compliance and improved health and safety performance by duty-holders,
HSE may develop and recognise good practice and draw this to their attention. In some
circumstances, to promote consistent, cost-effective assessment by inspectors, HSE makes use of
good practice to guide decisions when judging the adequacy of compliance and applying the differing
legal tests, (e.g. ‘absolute', ‘practicable' or ‘reasonably practicable').
3.4 In judging compliance, HSE expects duty-holders to apply relevant good practice as a minimum.
For new plant/installations/situations, this will mean the application of current good practice. For
existing plant/installations/situations, this will mean the application of current good practice to the
extent necessary to satisfy the relevant law.
3.5 Where the law requires risks to have been reduced ALARP, HSE:
(a) may accept the application of relevant good practice in an appropriate manner as a sufficient
demonstration of part or whole of a risk/sacrifice computation;
(b) does not normally accept a lower standard of protection than would be provided by the
application of current good practice; and
(c) will, where the duty-holder wishes to adopt a different approach to controlling risks, seek
assurance that the risks are no greater than that which would have been achieved through
adoption of good practice and so are ALARP for that different approach.
3.6 Compliance with relevant good practice alone may be sufficient to demonstrate that risks have
been reduced ALARP. For example, recognised standards provide a realistic framework within which
equipment designers, manufacturers and suppliers (including importers) can fulfil their general duties
under HSWA S.6.
3.7 However, depending on the level of risk and complexity of the situation, it is also possible that
meeting good practice alone may not be sufficient to comply with the law. For example, in high hazard
situations (those with the potential to harm large numbers of people in a single event), where the
Parsons Brinckerhoff Ltd Page 71 Final report draft3
PB Power Final Report
circumstances are not fully within the scope of the good practice, additional measures may be
required to reduce risks ALARP. Furthermore, where the potential consequences are high, HSE will
take a precautionary approach by giving more weight to the use of sound engineering and operational
practice than to arguments about the probability of failure.
3.8 In simple terms, in situations such as described in paragraph 3.7, duty-holders need to:
a) review their accident scenarios and risk management arrangements (for prevention, control
and mitigation);
b) identify what good practice is relevant;
c) comply with the good practice (to the extent to which it is applicable);
d) ask the question - are there any other measures which would be effective in further reducing
the risks?
e) determine whether the extra measures are reasonably practicable and implement those that
are.
Identifying good practice
3.9 In judging and recognising good practice, HSE must be satisfied that it is correctly formulated in
that it:
(a) takes account, where relevant, of:
• individual risk, societal risks and societal concerns;
• the sacrifice and benefits;
• the technical feasibility of proposed control measures and the level of risk control they achieve;
(b) maximises the use of:
• inherent safety and the elimination of hazards;
• the avoidance of risk;
• the control of risk at source by the use of physical engineering controls;
whilst it,
(c) minimises the need for:
Parsons Brinckerhoff Ltd Page 72 Final report draft3
PB Power Final Report
• procedural controls; and,
• personal protective equipment;
and it is in a form that:
(d) clearly defines the scope of the good practice and the circumstances where it is relevant; and,
(e) can be clearly specified, e.g. it is either written down or is a well-defined and established
practice adopted by an industrial/occupational sector.
Assessing compliance with reasonable practicability
3.10 When reviewing health or safety measures on an existing plant, installation or situation (such as
when considering retrofitting, safety reviews or upgrades), duty-holders should compare existing
measures against current good practice. The good practice measures set out should be adopted so
far as is reasonably practicable. It might not be reasonably practicable to apply retrospectively to
existing plant, for example, all the good practice expected for new plant. However, there may still be
ways to reduce the risk e.g. by partial solutions, alternative measures etc.
3.11 In determining what is reasonably practicable, the starting point for the risk/sacrifice computation
should be the current situation. Duty-holders should also consider the adequacy of the relevant good
practice (paragraphs 2.1.e. & f. are appropriate considerations). When a code or standard is updated
to a higher standard, the plant, installation or situation should be examined to see if it can be brought
up to the new standard. Any such upgrades should be undertaken if reasonably practicable.
3.12 New plant, installations or situations should conform to current good practice, as a starting point.
Other potential options should be considered to determine whether further risk reduction measures
are reasonably practicable. As a guide, designers can aim and compare against levels of safety that
are known to have been achieved in other “best practice” designs.
3.13 The use of good practice at the design stage is essential to demonstrating achievement of
ALARP. This should include use of sound design principles (e.g. inherent safety) as well as codes,
standards and guidance. Further advice is given in “Policy and guidance on reducing risks as low as
reasonably practicable in Design”
3.14 In prioritising its resources, HSE may decide in an individual case not to pursue further action
where a duty-holder has reduced risk to within the ‘broadly acceptable' region of the TOR framework
(see R2P2, para.122ff, for an explanation of this framework) and only a small reduction in risk would
be achieved.” However, the legal duty to reduce risks ALARP remains.
Parsons Brinckerhoff Ltd Page 73 Final report draft3
PB Power Final Report
APPENDIX D
STATEMENTS FROM THE HSE, DTI AND OFGEM
Parsons Brinckerhoff Ltd Page 74 Final report draft3
PB Power Final Report
HSE comments on the legal position of the use of active current limiting devices
1) HSE has reviewed the legal position of the adoption of active current limiting devices, such as ls Limiters, and has the following comments. The comments are not intended to be all embracing but are focussed on a number of key issues and are in addition to those comments that HSE has already provided to you in recent discussions.
a) The HSW Act 1974 is relevant and would not, in principle, prevent the use of Is Limiters.
b) The Management of Health and Safety at Work Regulations 1992 are relevant. Regulation 3 (1.b) is particularly relevant and would have important implications for duty holders involved in electrical generation and distribution network operations together with users of electricity. Particularly relevant is the information, and the confidence of the information, that will need to be made available to allow duty holders, downstream of the Is Limiters, to fulfil their legal duties. In the context of the possible introduction of the application of Is Limiters, the complexity of the necessary information is likely to be greater than is currently the case. With the many interfaces (embedded generator provider, DNO and multiple end users) there is the potential forgetting things wrong.
c) Regulation 5 of The Electricity at Work Regulations 1989 is particularly relevant since it places an absolute requirement on duty holders. For example, Regulation 5 would apply to a duty holder, downstream of the Is Limiter, who has under his control a circuit break being ‘protected' by the Is Limiter. In the event of a fault, (e.g. a cable fault) arising downstream of the circuit breaker and subsequent failure of the Is Limiter causing the circuit breaker to become over-stressed and fail catastrophically, it could be argued there was a breach of Regulation 5.
d) To cater for the situation outlined in (c) above, it was envisaged that Regulation 29 could provide a basis of a defence for the relevant duty holder providing the duty holder was able to demonstrate he had taken “ all reasonable steps and exercised all due diligence". However, having reviewed Regulation 29 we have concerns about what these words actually mean in law in the context of all the issues arising in the application of an Is Limiter, and in the end, this could become a matter for the courts to decide.
2) In principal there is nothing in the EAW Regulations 1989 to prevent the use of ls Limiters but we have highlighted the uncertainty of the application of Regulation 29. There are two options that we are currently assessing which will include discussion with relevant parties:
c) Short term: We could explore the provision of an exemption(s), under Regulation 30 of the EAW Regulations!989, relating to the application of Regulation 5. We would see the use of an exemption(s), if and where permitted, as a stop-gap measure but the problems of such an approach may make it impractical.
d) Mid - Longer term: The EAW Regulations 1989 are under review and we could take advantage of the revision process to assess what changes could be made to deal effectively and safely with future technical developments such as embedded generation and the application of ls Limiters in particular. However, the degree of change will be constrained by the HSW Act 1974 Section 1(2) which prevents the dilution of the levels of safety already established in existing Regulations.
Ron BellHead of HSE’s Electrical & Control Systems Unit Tel: 0151 951 4788 Email: [email protected] 29th January 2004
Parsons Brinckerhoff Ltd Page 75 Final report draft3
PB Power Final Report
DTI ref CCCG/002/00021
Date 11 December 2003
Mr John SinclairElectricity Networks AssociationNetwork Operations and Design Engineer18 Stanhope PlaceLondonW2 2HH
Dear Mr Sinclair,FAULT LIMITERS AND THE APPLICATION OF THE ELECTRICITY SAFETY, QUALITY, CONTINUITY AND QUALITY REGULATIONS 2002
Further to your request for comments on the PB report into fault (Is) limiters (Doc No 03/UK/00667) under Work Stream 3 and the meeting of the 4 December 2003, I am writing on behalf of the Engineering Inspectorate to give a formal view regards the current interpretation of the Electricity Safety, Quality and Continuity Regulations 2002 (ESQCR) highlighting how these may impact on the application of the device throughout. The comments are:-
1- Regulation 3 - General adequacy of electrical equipment
Regulation 3.1(a) - "sufficient for the purposes for and the circumstances in which it is used;"This is an absolute requirement, which would not be covered by the “as far as reasonably practicable” qualification in regulation 3(1)(b). It does not preclude the use of a Is limiter, because if designed and specified properly, it should be “sufficient for purpose”.
The Is limiter will prevent existing switchgear seeing fault levels above duty. The premise here is that the Is limiter will work in all circumstances.
If the Is device fails, it is clear that any circuit breaker unit that fails subsequently to clear (due to inadequate duty) would not be "sufficient for purpose". In this circumstance, the duty holder would have to demonstrate that he/she had anticipated the consequences of a possible failure of the Is device and any mitigation measures required to keep within a tolerable risk level the duty holder would need to justify.Regulation 3.1(b) - Any responsible duty holder should go through a thorough design installation and commissioning process if these devices were to be used. As discussed, due to the nature of the devices there will be requirements for the correct system analysis tools and considerations of alternatives to identify tolerable risk levels that the duty holder would need to justify. The “as far as is
Department of Trade and Industry
Energy Group
V 1601 Victoria Street London SW1H 0ET
Direct Line +44 (0)20 7215 2745Fax +44 (0)20 7215 2842Minicom +44 (0)20 7215 6740Enquiries +44 (0)20 7215 5000www.dti.gov.ukDavid. G ray@dti. gsi. gov.uk
Parsons Brinckerhoff Ltd Page 76 Final report draft3
PB Power Final Report
reasonably practicable” qualification applies to this limb of regulation 3 and allows scope for guidelines and code of practice introduction assuming that the device complies with regulation 3.1(a).
2- Regulation 4 - Duty of Co-Operation
The main issues here are as to which fault levels will be assumed between networks and as to what would be communicated between duty holders. It suggests from the consideration of adequacy above, that the device cannot be tested properly until a fault occurs. If therefore there is a chance of adjacent networks becoming overstressed this should be communicated. The duty holders concerned can then decide how they wish to comply with the relevant regulations and the level of risk they take for insurance/safety of employees/public. The important thing is that the possibility of risk is communicated clearly and the consequences are spelt out between parties. This illustrates that a set of common guidelines between the companies is highly desirable otherwise there will be unnecessary disputes over approach between duty holders, possibly involving enforcement bodies.
There is no obligation under regulation 4 on duty holders to disclose information to consumers. However, we would expect consumers to be informed of the effect on his/her network due to the adoption of Is limiters on the duty holder's network. This would allow the consumer to decide what level of risk he/she wishes to take at his premises.
In addition, this discussion between the duty holder(s) and consumers would need to be undertaken in a timely manner so it did not become a “fait accompli” for the consumer or duty holder, otherwise it could lead to unnecessary disputes.
3- Regulation 6 - Electrical Protection
If the device is considered as an "intelligent fuse" and therefore an electrical protection device, and it operates correctly, then there would be no breach of this regulation.
If it fails to operate there is no other protection that will clear the fault, no grading being possible because the disconnection devices (i.e. circuit breakers) remaining will be inadequate.
Bearing this in mind, it would be difficult to demonstrate compliance with Regulation 6 if the device failed. This would also be the case for conventional relays where it was set incorrectly or failed to operate. However, the consequences of failure could be more serious for a Is limiter and again this would need to be assessed at the design stage and a risk mitigation approach considered.
4- Regulation 23 - Precautions against Supply Failure
Under regulation 23 the duty holder must show that the device is set to operate at a correct level to restrict, so far as is reasonably practicable, the numbers of consumers affected by any fault and also that all reasonably practicable steps have been taken to avoid interruptions of supply resulting from his own acts. As this cannot be demonstrated without destruction of the device, there would be no way of practically demonstrating correct setting other than by the demonstration of the detection circuit function (for ABB and G&W) and correct trip signal. This is no different to the case with a conventional fuse except that a back-up arrangement (from a larger fuse) is available with a conventionally fused circuit arrangement.
5- Regulation 28 - Information to be provided on request
Under this regulation there is no obligation on the duty holder to provide information on the network unless requested by the consumer connected to the network.
In line with the comments on regulation 4 above, a code of practice would need to be developed so it was clear that under regulation 28(a) when fault level data was supplied to connectees, fault levels were stated for correct device operation and for the situation if it failed to operate. The connectee could then decide how much risk he/she wanted to take.
Parsons Brinckerhoff Ltd Page 77 Final report draft3
PB Power Final Report
Also under regulation 28 (c) some information regards the settings/capability of equipment and limitations at the interface with the connectee would need to be explained so that any shortfalls for a failure of the device (i.e. the two possible situations) could be highlighted.
The very nature of doing this may cause a problem on failure of a device, as any legal action against the duty holder could demonstrate that there was a possibility of plant failure for the loss of the Is limiter and there had been a decision not to invest to avoid danger and/or interruption to supplies. This eventuality would need to be covered via the design process and consideration of alternatives, the duty holding company having a defensible risk assessment process.
A possible outcome is that the consumer would decide to invest in equipment below the duty of the Is limiter. Again, the consumer would need to have a proper assessment process in place informed from the duty holder's own assessment of risk of failure of its Is limiter. Therefore it would be expected that the duty holder will need to provide data to the consumer to allow a full risk assessment to be undertaken by the consumer.
6- General Approach to the WS3 Fault limiter Report and further Investigation Areas
Further to the meeting, the Inspectorate feel that a suggested approach to the current report and further work in the longer term is:-
i) Identify the legal environment and identify areas that require further investigation (current report)ii) Examine the implications for installationsiii) Develop draft guidelines for use of Is Limitersiv) Test these guidelines on a number of real examples, undertaking the engineering and study work to identify risk and mitigation methods, training (for planners and installers and operations) and study tools required. This would be an iterative process with (iii).v) From (iv) the level of risk could be determined and the practicality for application in a DNO environment assessed.
As discussed at the meeting on the 4 December 2003, the report is at stage (i) above. Therefore there is still a lot of investigative and evaluation work to be undertaken by the industry companies and their consultants before any decision regards adoption of the devices for general use could be made by duty holders.
7- Risk
As outlined at the meeting the adoption of Is limiters would put the duty holder into a position where the company would be operating with level of assessed risk of failure. This is not the normal position at present where all equipment is rated for duty and will (as in the case for circuit breakers) be installed such that they are sufficient for purpose even after the failure of another piece of equipment on the network. This change in philosophy needs to be highlighted to the duty holder management so that the change in approach is properly understood.
I would be grateful if you could circulate these comments to the appropriate members of the workstream. As discussed at the meeting please feel free to ask for opinions from the Engineering Inspectorate on new developments arising from the various workstreams at an early stage so that the legal framework can be discussed and scoped as part of the investigation.
I would be interested in any additional work that is commissioned in relation to fault limiters as a result of this initial report.
Yours sincerely
David GraySenior Engineering Inspector
Parsons Brinckerhoff Ltd Page 78 Final report draft3
PB Power Final Report
John,
At the meeting on 4 December I took an action to consider whether Ofgem has any governance over the safety issues related to the deployment of IS Limiters. I have discussed this with our legal advisors and can offer the following summary of our position.
Ofgem s governance of a DNO’s activities is given effect through the DNO’s licence. The licence requires a DNO to have in place a Distribution Code and this in turn requires that protective devices are employed on a DNO’s system in accordance with the ESQC regulations. Together with the Electricity at Work regulations, the ESQC regulations are of course already being considered fully in the IS Limiter debate. It does not appear therefore that Ofgem has any governance role additional to the regulations already being considered.
It is worth noting that, if the use of the device increased costs in an inefficient way, Ofgem would be concerned. However, as the reason for considering the use of IS Limiters is to provide a lower cost solution this does not seem to be applicable.
Finally, a DNO would have to consider the impact of using the device in terms of interruption performance. This is captured by the Electricity (Standards of Performance) Regulations 1993 and the IIP mechanism.
I hope this answers the question but please come back to me if any clarification is required.
Regards
Gareth EvansTechnical AdvisorOfgem, London+44 (0)20 7901 [email protected]
This message may be confidential, privileged or otherwise protected from disclosure. It does not represent the views or opinions of Ofgem unless expressly stated otherwise.
Parsons Brinckerhoff Ltd Page 79 Final report draft3
PB Power Final Report
APPENDIX E
FAULT CURRENT LIMITERS DETAILED DATA
Parsons Brinckerhoff Ltd Page 80 Final report draft3
PB Power Final Report
The Device and Its Application
The Device
ABB
ABB produces a fault current limiting device, known as an Is-limiter. The following is a summary
obtained from the ABB product literature.
Product description
The device is a combination of a fast acting switch with high current carrying capability but low
switching capacity and a fuse with high breaking capacity, mounted in parallel.
A small explosive charge (of comparable quantity to that used in airbags) is employed to give fast
operation of the switch on the main conductor. Once the switch has operated, the current is diverted
to flow in the parallel fuse where it is interrupted.
The current flowing through the device is monitored in an electronic measuring and tripping unit which
is responsible for initiating tripping when an abnormally high and fast rising current is detected. Both
magnitude and rate of rise of the current are monitored and tripping is initiated only when both
quantities are above certain setting values.
The Is-limiter for three-phase applications comprises three single pole holders with replaceable
inserts, three tripping current transformers and one electronic measuring and tripping unit.
Two insulators carry the pole heads with a clamping device to hold the Is-limiter insert (see Figure
2.1.1). On the 12 kV and 17.5 kV versions, one insulator is fitted with a pulse transformer, while on
the 24 kV and 36 kV versions, both insulators are fitted with such transformers.
The pulse transformers transmit the tripping pulse from the measuring and tripping device to the
charge in the insert at system potential, and at the same time serve to isolate the measuring and
tripping device from the charge. The clamping device is activated by a lever with rated currents of up
to 2000 A. For rated currents above 2000 A, the Is-limiter holder contains four insulators and a
clamping device activated with studbolts.
The Is-limiter insert is the actual switching element comprising the main conductor and the parallel
fuse. The insert is replaced after tripping and reconditioned at the manufacturer's premises.
Parsons Brinckerhoff Ltd Page 81 Final report draft3
PB Power Final Report
Is-limiter insert holder with insert for 12 kV, 2000 A
1 Base plate
2 Insulator
3 Pole head with clamping device
4 Fuse
5 Telescopic contact
6 Insulator with pulse transformer
Is-limiter insert
4 Fuse
7 Fuse indicator
8 Insulating tube
9 Bursting bridge
10 Charge
11 Main conductor indicator
12 Fuse element
Figure 2.1.1 Detail of Is-limiter construction.
A tripping current transformer is installed in series with the Is-limiter in each phase and used to
measure the current.
These current transformers are externally identical to a conventional current transformer and
designed as a post or bushing type current transformer. They have special features such as high
overcurrent factor, an iron core with an air gap and a low impedance shield between the primary and
secondary winding.
The measuring and tripping device is accommodated in a sheet steel control cabinet or in the low
voltage compartment of the Is-limiter panel. The functional groups within the panel are combined so
as to form replaceable units, and are partly mounted on hinged frames.
The measuring and tripping device includes:
Parsons Brinckerhoff Ltd Page 82 Final report draft3
PB Power Final Report
• a power unit to provide the necessary auxiliary DC voltages, a main switch which allows the tripping
system to be switched on and off at any time, and a monitoring module
• one tripping unit for each phase, which monitors the current flowing in the relevant phase and on
tripping provides the energy for triggering of the charge in the corresponding insert
• an indication unit with five flag indicator relays:
- one relay per phase for trip signalling,
- one relay for monitoring of readiness for operation
- one relay for monitoring of the supply voltages
• an anti-interference unit to protect the measuring and tripping assemblies from interference pulses
from the outside, which could possibly cause malfunction. The connecting wires from the measuring
and tripping device to the current transformers, to the Is-limiter insert holders and to the AC voltage
supplies are routed via the anti-interference unit.
Maintenance and handling of the device
ABB recommends the following maintenance schedule.
a) Type of maintenance
Testing of the Is-limiter in accordance with the "Description of the Is-limiter test set" provided by ABB.
b) Frequency
Testing of the Is-limiter should be undertaken with the same frequency as the remaining protection
equipment (e.g. once every year / every two years).
c) Expected duration of such maintenance and any impact on fault current limiter and system down
time
For the testing of the Is-limiter the Is-limiter inserts have to be replaced by test inserts. For this reason
the Is-limiter has to be isolated. The testing of the Is- limiter takes 1 to 2 hours.
d) The maintenance can be carried out by the customer staff.
e) Self monitoring and testing
The self-monitoring unit of the Is-limiter performs a continuous check (analogue technology) of the
device's basic functions. In the event that a defect appears inside the electronic circuitry, an alarm is
Parsons Brinckerhoff Ltd Page 83 Final report draft3
PB Power Final Report
given. Additionally, the sensitivity of the device is automatically increased to cater for the internal
fault. This however gives exposure to possible spurious trips.
During the "maintenance test", a special Is-limiter test certificate has to be completed. All of the
components which need to be tested can be tested using the Is-limiter test set.
f) Repair time
The typical repair times for the potential failure modes of the fault current limiter system are given by
ABB as:
- tripped Is-limiter inserts: 1 ...3 days
- all other components: 2 ...4 days
- current transformers: 2 weeks
g) Handling
ABB states that there are no special requirements for transport and storage of these devices in
addition to those applicable to general electrical equipment.
G&W Electric
G&W Electric Company produces two types of current limiting devices, the CUP® (Current Limiting
Protector) and the PAF® (Power Assisted Fuse).
The following is a summary obtained from the G&W product literature.
Product description
The CLiP utilizes electronic sensing and triggering while the PAF uses an element sensor for initiation
of triggering.
Conceptually, these devices are high-speed switches that carry the continuous current. Upon sensing
of a fault and response by the electronic triggering logic, the switch is opened and the current is
forced into a current-limiting fuse which interrupts the circuit (see figure below).
Parsons Brinckerhoff Ltd Page 84 Final report draft3
PB Power Final Report
I CUTTING (SWITCHING) ^LOCATIONS ON MAIN
'""---CONDUCTOR
TRIGGERING 3IC
CURRENT-LIMITING HUNT FUSE ELEMENT
-REPLACEABLEINTERRUPTER
ISOLATION TRANSFORMS!
POWER SUPPLY CONNECTION '
CURRENT TF1ANSF0RME R
STAND-OFFINSULATOR
Layout of a Triggered Current Limiter
These devices are characterized by a primary conduction path, which electrically parallels a current
limiting fuse of very high energy absorption capability and low melting l2t. Approximately 0.1% of the
continuous current flows through the shunt fuse in its normal state due to its resistance versus that of
the primary TCL current path. Upon incident of a fault meeting the triggering criteria, the primary
current path is opened - essentially a high-speed switching operation.
Sensing of the fault current actuates a linear cutting device which cuts the copper of the main
conductor into a number of fractional lengths and bends them upwards forming multiple gaps which
host arclets. The arc voltage diverts the short circuit current into the shunt current-limiting fuse which
provides the interruption. The interrupt process of this shunt fuse is typical of the traditional current-
limiting fuse with 1/4 cycle extinction of symmetrical and 1/2 cycle extinction of asymmetrical faults.
The point of actual current limitation is often well in advance of the time of extinction. Note that this is
not at the natural current-zero point at which most circuit breakers, switches, reclosers and expulsion-
type fuses interrupt. The one exception to this is the reactor bypass application where the TCL is
clearing against only partial system voltage across the reactor. In this case the clearing time is
typically only a few hundred microseconds after occurrence of the peak let-through condition.
The G&W devices are not dependent on rate-of-rise of fault current, but instead, are responsive to
magnitude. Further details of operation can be found on the G&W web-site, in particular within an on
line article entitled ‘An Effective Alternative for High Current Protection’. This gives a step by step
description of what happens during the interruption process.
Maintenance and handling of the device
G&W Electric recommends keeping 1 spare set per 3-phase installation.
Parsons Brinckerhoff Ltd Page 85 Final report draft3
PB Power Final Report
Presently in the U.K. G&W has maintained 1 extra set of fuses on consignment (our ownership) at the
customer as an additional backup set. This happens to be the same rating as our other U.K. customer
and has been used/replenished.
G&W recommends the following maintenance schedule.
a) Type of maintenance
A check with the Field Test unit and possible paint touch-up on outdoor units.
b) Frequency
Every 1 - 2 years, typically when the system is deenergized for similar circuit breaker checks. A
nuclear plant application, for example, has an active period of 1.5 years between maintenance
periods.
c) Expected duration of such maintenance and any impact on fault current limiter and system down
time - Following deenergization and grounding, about 45 minutes.
d) Maintenance can be carried out by the client's staff. If G&W is called for commissioning they train
the user's personnel. Alternatively, approximately 50% of their customers commission their own units.
Calls for maintenance checks have totalled 3 or 4 in the past 18 years. If questions occur, they can
typically be handled by telephone, fax and email.
e) Self monitoring and testing
A primary concern of the unit is maintenance of control power to the unit. The units rely on the client's
supply. Generally G&W recommends that the DC station batteries used to provide power to
substation equipment and trip the circuit breakers also be used for the CLiP supply, which is generally
the most reliable. Alternatively, an AC UPS system may be applied. Control voltage monitoring relays
(2 sets of contacts) can provide feedback to the client's supervisory controls or staff if control power is
lost.
The overall function of the CLiP triggering circuitry can be periodically tested with the field test unit
provided by the manufacturer. The client's staff can readily perform these tests. Use of the field tester
not only verifies that the sensing and triggering functions are active, but also measures the triggering
pulse magnitude and time constant to ensure that the pulse is of the proper characteristics.
Tests can also be performed on the control box functions to verify that the protective relays are
functional. The feedback circuit indicating an operation, which they monitor, is also tested. These
checks can also be performed by the client's staff. Testing takes approximately 5 minutes.
Parsons Brinckerhoff Ltd Page 86 Final report draft3
PB Power Final Report
The one function that can not be checked is that of the interrupter. Continuity through the detonator
can be checked if desired. The interrupter is, however, a “one-shot” device. One can therefore not
perform a functional test on the interrupter.
f) Repair time
G&W recommends ordering the “Redundant Sensing and Firing Logic” option on overseas units. In
that way, if one SFL were to become disabled, it would not prevent use of the system - the other SFL
on that phase provides complete redundancy. Alternatively, a new unit can typically be built,
calibrated and shipped in 4 days.
The isolation transformer can typically be prepared, tested and shipped in 1 week. On rare occasions,
customers will order an additional phase which would include both isolation transformer and SFL.
The control box printed circuit board can be shipped overnight. Inverters, sometimes used in the
control box, are generally in stock, but can take up to 6 weeks.
g) Handling
G&W state that there is minimal additional care to be taken when handling and transporting these
devices. The interrupter units are entirely self-contained. Each contains a minimal amount of
pyrotechnic matter 3 grams for the smallest and 16 grams for the largest. While they need to be
treated with respect to avoid dropping and subsequent damage to the enclosing tubes, they are not
regarded as a substantial hazard. Transport regulations are straight-forward for shipment around the
world. Cargo planes and commercial overland carriers handle them without difficulty.
Storage is recommended in a cool, dry location where other electrical equipment is generally kept.
The units are designated by the U.S. ATF (Alcohol, Tobacco & Firearms) as a “pyrotechnically
assisted tool,” similar to the designation applied to the cartridge operated nail guns used in building
construction.
Disposal is simply a matter of common refuse. Customers do not try to reclaim the copper as it is
difficult to access with the heavy, glass-reinforced, cast-epoxy ends. If incinerated, we recommend
drilling or puncturing of the tube wall to prevent pressure build-up and sudden release.
Coordination
These devices have very fast operating times and are designed to trip before other circuit breakers.
Their operation takes place when the remaining circuit breakers are approaching their ratings.
The continuous current is, for all practical purposes, completely independent of the current-limiting
performance of the device. Since these are electronically sensed and triggered units, their operating
Parsons Brinckerhoff Ltd Page 87 Final report draft3
PB Power Final Report
criteria is preset and not dependent on time versus current, temperature, element size (or melting I2t)
or preconditions.
System Scenarios
It is envisaged that the internal processes which constitute the functioning of the current limiting
device are not influenced greatly by the specific application in which the device is employed.
However, the study, and in particular the risk assessment, considers a range of possible installation
arrangements.
The following three scenarios have been considered following agreement with WS3:
4. Current limiting devices in system interconnections or busbar couplers.
5. Current limiting devices in transformer secondary circuits.
6. Current limiting devices in links between public network and private generation sites.
2) Transformer secondary circuits 3) Generator connection1) System Interconnections
It is assumed throughout this study that the sole reason for installing the current limiting device is to
limit the fault levels to within the ratings of the existing equipment. It has also been assumed that it is
only the ratings of the feeder circuits that would be exceeded, should the current limiting device fail to
operate. This is because the feeder circuits are the only ones that will see the short circuit currents
from all sources. This will be the situation in the majority of applications.
It should be noted that with arrangement 3, when there is a fault in the distribution network, the
current flowing through the current limiting device will only be the contribution of the local generator.
Given the generator sizes typical for the range of applications considered in this study (relatively small
embedded generators), such contributions may only be detected via relatively sensitive settings in the
Parsons Brinckerhoff Ltd Page 88 Final report draft3
PB Power Final Report
current limiting device, with a resulting danger of spurious tripping. It is possible to achieve a
directional discrimination between faults on the network and faults on the generator side, including
generator internal faults, by installing three CTs in the generator neutral connections in addition to
those installed on the current limiting device. This will also prevent tripping when the generator is
disconnected.
Fault conditions
The fault limiting device will be subject to fault current during fault conditions affecting the power
system.
The significant fault types to be considered are the three-phase fault, the phase-phase fault and the
phase to earth fault. It should be noted, however, that the fault location under examination is just
downstream of a feeder breaker, while the current limiting device will be located on the busbars, on a
transformer secondary circuit or on a generator connection. The device will however see the same
fault type as the feeder, although of reduced magnitude.
A three-phase current limiting device comprises three elements, one on each phase. This provides a
certain degree of redundancy in the amount of devices installed.
The earth fault level in impedance earthed distribution systems is typically of significantly lower
magnitude than the three-phase fault level, owing to the use of earthing resistors located at
transformer neutral points. For a single phase to earth fault, the system should be designed so that
the current limiting device does not trip.
For a phase-phase fault, two limiting devices will respond to fault current, and even with a failure of
one unit to operate, the healthy unit should still trip and clear the fault.
Similarly, for a three phase fault, fault current will flow in all three devices and failure of one unit to
operate will still leave the other two units available to clear the fault.
In solidly earthed systems, the earth fault level is typically of a very similar magnitude to the three-
phase fault level. Moreover, the earth fault level on the secondary side of delta-star primary
transformers may exceed marginally the three-phase fault level, due to the transformer zero sequence
impedance being smaller than the positive sequence and due to the delta winding stopping the
primary network zero sequence impedance from having any effect on the earth fault level. This type
of system should be designed to provide tripping of the current limiting device for an earth fault. The
device located in the faulted phase does not have any back-up from the other two phases if it fails to
operate. However, this is unlikely to be an issue in the UK where solid earthing is normally only used
on the 132kV system, as current limiting devices are not yet available for 132kV systems.
Parsons Brinckerhoff Ltd Page 89 Final report draft3
PB Power Final Report
Independently of the neutral earthing, a phase-phase fault yields a lower fault level than a three-phase
fault (87 %), and this needs to be taken into account when setting the device.
The table below shows fault data for all except two of the UK DNO licence areas (Eastern and
Seeboard) for the period 2001/02.
Voltage
(kV)
Total O/H Cables SwGr Trans Other
1 < 20 27,708 13,939 5,799 3,007 2,087 2,876
22 < 66 2,375 993 676 166 152 388
Overhead line faults can be regarded as predominantly single phase and cable and plant faults can
be regarded as predominantly two or three phase. For resistance earthed systems the current limiting
devices will not be required to operate for single phase to earth faults, these represent almost half of
the faults on the system.
Parsons Brinckerhoff Ltd Page 90 Final report draft3
PB Power Final Report
APPENDIX F
EFFECT OF FAULT CURRENT LIMITERS ON SWITCHING TRANSIENTS AND
DOWNSTREAM CIRCUIT BREAKERS
Parsons Brinckerhoff Ltd Page 91 Final report draft3
PB Power Final Report
Introduction
The use of current limiting devices is currently being considered for applications where a feeder circuit
breaker may be otherwise subjected to fault levels above its ratings.
Some concerns were raised during meetings with WS3 on the behaviour of the current limiting device
when the feeder circuit breaker closes onto a fault. In particular, there was concern about the speed of
operation of the current limiting device, and whether or not the circuit breaker would experience a
peak current or rate of rise of current in excess of its rated capability.
WS3 requested that an explanatory paper on the subject of switching transients should be issued in
advance of the final draft of the main report. This paper provides a brief overview of the fundamental
phenomena and fault current waveforms associated with switching transients in circuits employing
fault current limiting devices.
Close on Fault
A switching transient arises when a circuit breaker is closed on to a downstream short circuit fault.
The resulting fault current can be studied using the simplified single-phase circuit shown in Figure 1,
where the equivalent impedance between the source and the location of the fault is used.
I R L^<--------
v<S)
Figure 1
Simplified equivalent RL circuit supplied by an AC voltage source.
The total impedance between fault point and source
= — R + jX L — R + j 2 sfL — 5 + ja>L
Z = total impedance, :R = total resistance, :
f = system frequency, Hz L = total inductance, H
m = system pulsation, rad/s
Parsons Brinckerhoff Ltd Page 92 Final report draft3
PB Power Final Report
This has a steady-state power factor given by
Rcos M — —
I =Eq. 1.
The presence of inductance in the circuit means that the current flowing through the circuit cannot
change instantaneously. Before the circuit breaker is closed there is zero current flowing and there is
zero magnetic energy stored in the circuit inductance. As soon as the circuit breaker is closed onto a
fault, current will try to flow. The change in current through the conductor is opposed by an
dielectromagnetic force of magnitude L —. There will also be a voltage drop across the circuit
resistance of RL (Ohm’s Law).
From the instant at which the circuit breaker is closed, the circuit equation is therefore
RL + L — — v — Vm sin (at + T) Eq. 2Wt
i = instantaneous current, Amps t = time, sVm = Voltage peak, Volts v = instantaneous voltage, Volts 0 = switching angle, rad.
The arbitrary phase angle 0 accounts for the time of closure of the circuit breaker within the voltage
cycle. 0 has the value required to give the correct instantaneous voltage at the time of circuit breaker
closure (t=0).
Following the closure of the circuit breaker there will be a transient period during which there will be a
transient dc current with an exponential decay, superimposed on a sinusoidal 50Hz current. This can
be seen by solving equation 2, using simple steps based on basic trigonometric relationships and on
partial fractions as well as more complex Laplace transformations.
The final expression derived for the transient current is
L(t) — V- >sin(at + T - m ) - sin(T - m )h -t'W ] Eq. 3
w = L/R = circuit time constant, s.
The first term in Equation 3 is the steady-state element, with magnitude Vm/Z and phase angle -m with
respect to the voltage. The second term is the transient element with the exponentaial decay. At t=0,
Parsons Brinckerhoff Ltd Page 93 Final report draft3
PB Power Final Report
the transient element has same magnitude as the steady-state element and is equal and opposite
giving 1=0 A, while at t=oo it extinguishes leaving only the steady state sinusoidal wave. It should be
noted that for high values of the time constant t=L/R, the exponential approaches a constant value
equal to the magnitude of the steady-state term. The following figures have been derived with t=63.6
ms (X/R=20).
Time (sec)
DC Compt Fault Current AC Comp
Figure 2
Asymmetrical fault current obtained from Equation 3; cos(p=0.8 (cp=36.87 deg), 0=0 deg.
Two particular values of the switching angle 0 can be identified.
If the circuit breaker closes when 0=cp, the transient component is zero and the total current coincides
with the steady-state element, sinusoidal and symmetrical (Figure 3).
Parsons Brinckerhoff Ltd Page 94 Final report draft3
PB Power Final Report
Time (sec)
DC Compt-------Fault Current AC Comp
Figure 3
Symmetrical fault current obtained from Equation 3; cos(p=0.8 ((p=36.87 deg), 0=36.87 deg.
On the other hand, if breaker closure takes place when Q-<p=±nl2, the transient component attains its
maximum amplitude (Vm/Z) and the first peak of the total current (t=10 ms at f=50 Hz) approaches a
value of twice the magnitude of the sinusoidal steady-state component, particularly for high values of t
(Figure 4). This peak value must be contained within the fault making rating of the circuit breaker.
Parsons Brinckerhoff Ltd Page 95 Final report draft3
PB Power Final Report
Time (sec)
DC Compt-------Fault Current AC Comp
Figure 4
Asymmetrical fault current obtained from Equation 3; cos(p=0.8 ((p=36.87 deg), 6—53.13 deg.
Circuits Employing Fault Current Limiting Devices
Figure 5 illustrates the effect of a current limiting device installed in the bus coupler between two
transformers (scenario 1)) on the total current flowing in a faulted feeder.
C
E3o
-0
Time (sec)
■ Pro Trip Current Post Trip Current
Figure 5
Effect of a current limiting device on a fully asymmetric fault.
Parsons Brinckerhoff Ltd Page 96 Final report draft3
PB Power Final Report
The prospective fault current is assumed to be fully asymmetrical, as depicted in Figure 4.
It can be seen that, under the conservative assumption that two contributions are in exact phase, the
fault current T at the feeder point has a prospective profile which is double that associated with one
transformer.
Due to the tripping of the limiter, the fault contribution of one transformer is clamped and the total
current T has a peak value which is of similar magnitude to that obtained with one transformer in
operation. The actual peak value will depend on the tripping settings employed for the limiter and, as
shown in Figure 6, can be higher than that obtained with one transformer in operation.
CUP ASYMMETRICAL FAULT INTERRUPTCIRCUIT X/R OF 20 IS APPLIED
CRESTS = (rms. sym Amperes) * Asym Pk Multiplier of 2.624
CURRENT LIMITER WITH
CUP ASYMMETRICAL FAULT INTERRUPTCIRCUIT X/R OF 20 IS APPLIED
CRESTS = (rms, sym Amperes) * Asym Pk. Multiplier of 2.624
HIGHER TRIGGER LEVEL
C ™ 40
Degrees
Figure 6
Parsons Brinckerhoff Ltd Page 97 Final report draft3
PB Power Final Report
Different waveforms of the feeder current depending on the current limiter settings (courtesy of G&W
Electric Company).
Figure 5 also shows that the total current flowing through the feeder circuit breaker presents an initial
profile which, until the limiting device initiates tripping, coincides with that associated with the two
transformers in parallel and without the current limiting device. The rate of rise (di/dt) of the total
current in the feeder breaker before the tripping of the device takes place, is therefore higher than that
experienced with one transformer in operation.
A preliminary investigation into whether this higher di/dt could impose dangerous electromechanical
stresses on the breaker revealed that the relevant standards do not specify a maximum or rated value
of di/dt that a circuit breaker should withstand (IEC 60282, IEC 60694, IEC 62271). Also the issue
does not appear to be treated as critical in currently used literature (R. T. Lythall, “The J & P
Switchgear book”, Butterworth & Co Ltd, London).
Additionally, discussions with switchgear manufacturers and designers revealed that the value of rate
of rise of current does not represent a concern on making onto a fault or while the breaker is closed,
only on breaking of the current (contacts separating). The additional di/dt when conducting current for
a few milliseconds only yields a negligible increase in the thermal load on the contacts.
A preliminary evaluation of the value of di/dt associated with two 250 MVA, 11 kV fault infeeds was
undertaken under conservative assumptions (maximum current asymmetry, fault infeeds in phase)
using Equation 4 below, and a value of 6.2 A/ps was calculated. Comparison with values used in
current impulse tests for surge arresters, which can reach 1250 A/ps for MV applications (BS 2914,
The J & P Switchgear book), would also suggest that the increase in di/dt should not be regarded as
problematic.
Some members of WS3 were also concerned about the throw-off forces present during making of the
circuit breaker contacts, as these are proportional to the square of the current flowing. With a higher
rate of rise of current, there was concern that the throw off force at any particular point during closure
of the contacts could be greater than the force exerted by the closing mechanism.
The manufacturers of the current limiting devices have been asked if they have not carried out any
specific tests on circuit breakers closing onto faults for applications where the current limiting device is
being used as an alternative to replacing the circuit breaker with higher rated equipment. They have
not come across any instances where the circuit breaker has been unable to close onto a fault in this
type of application.
ABB advise that under IEE 62271-100 Clause 6.111, circuit breakers for a rated voltage of 12kV are
tested with a frequency of 4250Hz, 20kA - peak back to back. Circuit breakers have been able to
make satisfactory during these tests.
Parsons Brinckerhoff Ltd Page 98 Final report draft3
PB Power Final Report
ABB Device Setting
The ABB device requires that two settings are reached before tripping takes place.
The Is limiter's measuring and tripping device constantly monitors the instantaneous value (i) and the
rate of rise (di/dt) of the current through the limiter. The device trips when the rate of rise reaches or
exceeds a specified level (di/dt)T, whilst the current flowing through the limiter is between i2 (lower
measuring range limit) and i1 (upper measuring range limit). Both setting parameters, namely (di/dt)T,
and the range i2 to i1, use instantaneous current values.
Selection of the measuring range limits i1 and i2
The values for i1 and i2 are determined by the conditions at the location where the device is installed
(e.g. operating current, maximum short-circuit current, tripping value) and the type of device. The
lower measuring range limit i2 is, for example, to be selected as approximately 1000 A to 3000 A
above the operating current peak value. The measuring range (i1-i2) is in general 1000 A to 4000 A.
Selection of the setting value (di/dt)T for the current rate of rise
The calculation and selection of this parameter is rather more complex than that for i1 and i2 and may
require the use of computerised tools based on the analytical expression for (di/dt):
5 5------Z
cos(zW + T - m) +---- sin(T - m)h ; Eq. 4
The attached paper “Calculation of the settings for an Is-Limiter measuring and tripping device” was
distributed by the manufacturer and contains details of the selection process and calculations. Great
care needs to be taken when choosing the settings to be used, in particular with the selection of
(di/dt)T. The manufacturer would normally select the correct settings, based on the circuit information
provided by the user.
The following example serves to demonstrate the importance of using the exact settings provided by
the manufacturer. It also demonstrates the importance of making sure that the manufacturer has the
correct circuit information, so that the correct setting can be calculated. The settings should be
revisited if the circuit parameters change (for example due to the addition of power factor correction
capacitor banks).
The rate of rise di/dt presents different maxima during the transient period. This is due to the shape of
the current during the transient which is in effect a sinusoid slightly rotated clockwise by the
exponential term. This yields higher absolute slopes in the half cycles when the current decreases
than in those where it increases (see Figure 6).
Parsons Brinckerhoff Ltd Page99 Final report draft3
PB Power Final Report
Figure 7 shows, on a different scale, the value of a parameter “trip” which is “true” (=1) when the
derivative of the current is above a certain setting. In the case of Figure 5, the tripping (di/dt)T has
been set correctly at 1500 kA/s. If, with the parameter values used in this example, the setting is
increased to 1570 kA/s, tripping does not occur in the first half cycle.
It should be noted that only the values of di/dt in those instants when the current flowing through the
limiter is between h and i2 are relevant to the tripping of the device.
2000
-1679-1692-1710
Time (sec)
di/dt
Figure 7
Rate of rise of current di/dt derived from Equation 4.
Parsons Brinckerhoff Ltd Page 100 Final report draft3
PB Power Final Report
Figure 8
Example of incorrect selection of (di/dt)T with failed trip in the first half cycle following the fault.
G&W Electric Device Setting
The G&W device requires only one setting, the current setting, to be reached in order to trip.
These are electronically sensed and triggered devices, and their operating properties are preset and
are not dependent on the conditions prior to or during the fault. These devices do not use rate-of-rise
of fault current as a tripping parameter, but instead, respond solely to current magnitude.
For specifics of fault sensing and trigger level setting as well as the methodology of trigger level
selection further references can be found in the attached paper “Triggered current limiters for closing
bus ties, bypassing reactors and improving power quality”.
Open on Fault
The appearance of a short-circuit fault on a circuit has exactly the same effect on the functioning of
the current limiting device as the closure of the circuit breaker represented in Figure 1 and treated in
Section 1.2.
A transient takes place during which the current limiter device is required to trip, in particular during
the first rise of the fault current (first half cycle).
Once the fault current limiting device has tripped, the feeder circuit breaker will be required to
interrupt a current which must be within its fault breaking rating.
Parsons Brinckerhoff Ltd Page 101 Final report draft3
PB Power Final Report
The opening of the circuit breaker takes place typically a minimum of 20 ms to 50 ms after the fault
appears on the system (relay operating time), depending on the protection relay type and settings
employed. This is well after the current limiting device should have operated.
Conclusion
Current limiting devices are being considered for applications where a feeder circuit breaker may be
otherwise subjected to fault levels above its ratings.
The current limiting device needs to trip within several milliseconds of the circuit breaker seeing a fault
on the circuit. This could be for a situation where the breaker is already closed and a short circuit
occurs, or it may be a situation where the circuit breaker is required to close onto an existing fault.
This paper has demonstrated that this can be achieved, even with a fully asymmetric fault current,
provided that the current limiting devices are set correctly. The interested reader can test this further
using the spreadsheet accompanying this paper.
The limitation of fault current by the limiting device will reduce both the fault make current and the fault
breaking current experienced by the circuit breaker. However, because the device acts so fast in
reducing the first peak value of the feeder current, the most direct benefit of a reliable current limiting
device would be that of reducing the fault make current.
Parsons Brinckerhoff Ltd Page 102 Final report draft3
PB Power Final Report
APPENDIX G
COMPLETED QUESTIONNAIRES
Parsons Brinckerhoff Ltd Page 103 Final report draft3
PB Power Final Report
(Please use extra sheets if necessary and attach any standard documentation which answers the
questions)
Questionnaire for Users of Fault Current Limiters
Product (type, specification, use)
1. Application / function of devices installed (please provide single line diagram)
Final connection to REC system .
2. Range of Ratings:- 6.6kV Voltage
Continuous Current
Interrupting Current (r.m.s. symm)
Current peak and I2t let through
Original design for let through limit of 50MVA. Calor Emag will have data.
3. Range of Settings:- Tripping Values
Setting Values
Parsons Brinckerhoff Ltd Page 104 Final report draft3
PB Power Final Report
(Please use extra sheets if necessary and attach any standard documentation which answers the
questions)
Questionnaire for Users of Fault Current Limiters
System design
4. The process for the design of the fault current limiter system. For example the involvement of the
third parties (manufacturer, consultant, regulator, distribution company etc) in the design or review
of the design.
5. Distribution company manufacturer.
6. To what extent the design process considered the potential failure of the fault current limiter and
the consequence of such failure.
Maintenance
7. The type and level of spares kept
6 inserts
1set of electronic modules
Parsons Brinckerhoff Ltd Page 105 Final report draft3
PB Power Final Report
(Please use extra sheets if necessary and attach any standard documentation which answers the
questions)
Questionnaire for Users of Fault Current Limiters
8. Maintenance carried out on the fault current limiter
a) Type of maintenance
Clean of main enclosure
b) Frequency (per year)
Annual
c) Duration of such maintenance and any impact on fault current limiter and system down
time
System down at this time, associated with testing approx. 4 hours
d) Whether or not the maintenance is carried out by the user's staff
Internal staff . Occasional check by Calor Emag (approx. 5/6 years)
9. Extent and coverage of self testing and periodical testing, recommended frequency of testing and
whether or not this can be carried out by the client's staff. Please identify any components which
cannot be tested regularly.
Annual calibration check. Verifies all settings - operational test, measurement element check,
blocking check and input circuits - which tests all system components except insert. (Dummy unit used)
Carried out by staff.
Installed inserts removed at 5 yearly interval for recharge, spares at 8 years. Return to
manufacturer
Calibration unit returned to manufacturer about every 6 years.
Parsons Brinckerhoff Ltd Page 106 Final report draft3
PB Power Final Report
(Please use extra sheets if necessary and attach any standard documentation which answers the
questions)
Questionnaire for Users of Fault Current Limiters
Operational experience
10. The year of first use of fault current limiters
1979
11. Number of fault current limiters currently in operational use.
2 - sets in series
12. Total fault current limiters device operational experience (device that has been in operation or
currently in operation x duration in operation for that particular device)
48 years ?
Parsons Brinckerhoff Ltd Page 107 Final report draft3
PB Power Final Report
(Please use extra sheets if necessary and attach any standard documentation which answers the
questions)
Questionnaire for Users of Fault Current Limiters
13. Number of demands on the fault current limiter (e.g. the number of over current fault) since the
device been installed.
In my time (1983 on) 3.
14. Number of spurious trips (operation of the device outside of design intent) recorded
Parsons Brinckerhoff Ltd Page 108 Final report draft3
PB Power Final Report
(Please use extra sheets if necessary and attach any standard documentation which answers the
questions)
Questionnaire for Users of Fault Current Limiters
a) Cause of spurious trip (This may be due to hardware failure, incorrect setting or
incorrect system design etc)
Hardware component drift. All devices uprated by supplier,
b) Applications in which spurious trips occurred
Return of whole site from ‘island mode'. Transformer inrush seen as fault.
c) Consequences of spurious trips to the system
Site shutdown
15. Number of failed trips (device failed to operate within design intent) recorded
None
Parsons Brinckerhoff Ltd Page 109 Final report draft3
PB Power Final Report
(Please use extra sheets if necessary and attach any standard documentation which answers the
questions)
Questionnaire for Users of Fault Current Limiters
a. Cause of failure (This may be due to hardware failure, incorrect setting or incorrect
system design etc)
b. Applications in which failed trips occurred
c. Consequences of failed trips to the system
16. Availability of the fault current limiter e.g. downtime due to planned maintenance and breakdown
maintenance
Typically 4 - 6 hours / year for above test/ clean .
17. Actual service life of fault current limiters and any component parts requiring more frequent
replacement.
5years
Parsons Brinckerhoff Ltd Page 110 Final report draft3
PB Power Final Report
(Please use extra sheets if necessary and attach any standard documentation which answers the
questions)
Questionnaire for Users of Fault Current Limiters
18. Records of hazardous incident (injury to people) associated with the fault current limiter during
transport, storage, operation, maintenance and disposal.
None occurred
19. Other comments with regards to the fault current limiter.
Parsons Brinckerhoff Ltd Page 111 Final report draft3