#### Abstract

An integrated deterministic and probabilistic safety analysis (IDPSA) was carried out to assess the performances of the firefighting means to be applied in a nuclear power plant. The tools used in the analysis are the code FDS (Fire Dynamics Simulator) for fire simulation and the tool MCDET (Monte Carlo Dynamic Event Tree) for handling epistemic and aleatory uncertainties. The combination of both tools allowed for an improved modelling of a fire interacting with firefighting means while epistemic uncertainties due to lack of knowledge and aleatory uncertainties due to the stochastic aspects of the performances of the firefighting means are simultaneously taken into account. The MCDET-FDS simulations provided a huge spectrum of fire sequences each associated with a conditional occurrence probability at each point in time. These results were used to derive probabilities of damage states based on failure criteria considering high temperatures of safety related targets and critical exposure times. The influence of epistemic uncertainties on the resulting probabilities was quantified. The paper describes the steps of the IDPSA and presents a selection of results. Focus is laid on the consideration of epistemic and aleatory uncertainties. Insights and lessons learned from the analysis are discussed.

#### 1. Introduction

IDPSA—frequently also called Dynamic PSA—can be regarded as a complementary analysis to the classical deterministic (DSA) and probabilistic (PSA) safety analyses [1, 2]. It makes extensive use of a deterministic dynamics code and applies advanced methods for an improved modeling and probabilistic assessment of complex systems with significant interactions between a process, hardware, software, firmware, and human actions [3]. An IDPSA is particularly suitable in the frame of a fire PSA, since sequences of a fire interacting with the means to be applied for firefighting can be realistically modelled while aleatory uncertainties due to the stochastic aspects of the performances of the firefighting means can be simultaneously taken into account. Besides aleatory uncertainties, epistemic uncertainties can be considered as well. They may refer to parameters of the applied deterministic dynamics code and to the reliability parameters used to quantify the stochastic performances of the firefighting means.

An appropriate tool to conduct an IDPSA is MCDET (Monte Carlo Dynamic Event Tree) which allows for performing Monte Carlo (MC) simulation, the Dynamic Event Tree (DET) approach or a combination of both [4, 5]. Since MCDET can in principle be coupled to any deterministic dynamics code, the open source and freely available code FDS (Fire Dynamics Simulator) from NIST [6] was selected to be applied for fire simulation. What makes MCDET particularly useful for a fire safety analysis is its Crew Module which allows for considering human actions such as those applied for firefighting as a time-dependent process [7, 8] which can interact with the process modelled by any dynamics code chosen to be combined with MCDET such as FDS.

In the past, MCDET was already applied to analyse and assess the plant behaviour during a station black-out scenario with power supply recovery [4]. In that application, MCDET was combined with the code MELCOR (version 1.8.5, [9]) for integrated severe accident simulation. In another application, MCDET was coupled to the thermal-hydraulics code ATHLET (mod 2.0, [10]) to assess the emergency operating procedure “Secondary Side Bleed and Feed” [7]. This procedure is to be employed in a pressurized water reactor (PWR) to achieve the protection goal of steam generator injection after the loss of feed-water supply.

The fire event selected to be analysed was assumed to occur in a compartment of a German reference nuclear power plant (NPP). The main question to be answered by the IDPSA was whether the plant specific firefighting means to be applied in case of a fire are able to protect those structures, systems, and components (SSC) in the compartment which are important to nuclear safety. Therefore, the most important analysis result was the probability of safety related SSC to be damaged by the fire. The influence of epistemic uncertainties on the probability was quantified.

Section 2 of this paper gives an overview on the methods implemented in MCDET. It is explained how these methods can be used to treat the aleatory and epistemic uncertainties of an IDPSA and how the influences of both types of uncertainties can be quantified. Details on the considered fire event, the plant specific firefighting means and on the modelling assumptions can be found in Section 3. The steps of the analysis and a selection of results are described in Section 4. Conclusions and lessons learned are presented in Section 5.

#### 2. Methods Implemented in MCDET

The tool MCDET allows for performing Monte Carlo (MC) simulation, the Dynamic Event Tree (DET) approach, or a combination of both. How these methods can be used to consider aleatory uncertainties and to quantify their influence on the results of a deterministic dynamics code is described in Section 2.1. The method to handle epistemic uncertainties in addition to aleatory uncertainties and to get a quantification of their influence is the topic of Section 2.2.

##### 2.1. Consideration of Aleatory Uncertainties

Coupled with a deterministic dynamics code such as the FDS code, the tool MCDET can perform Monte Carlo (MC) simulation, the Dynamic Event Tree (DET) approach, or a combination of both [4, 5].

The DET approach is quite useful, if rare events like, for instance, the failures of safety systems which generally occur with small probabilities have to be considered. The first tool presented in literature which applied the DET approach is DYLAM [11, 12]. Other tools using the DET approach are, for instance, ADS-IDAC [13, 14], SCAIS [15, 16], ADAPT [17], and RAVEN [18].

The simulation of a DET starts with the calculation of a sequence running from the initial event until the occurrence of the first event for which aleatory uncertainties are to be taken into account (e.g., success/failure of a safety system). When this happens, a branching point is generated meaning that the calculations of all branches (alternative situations) which may arise at the corresponding point in time are launched, even those of low probabilities. For instance, at the point in time, when a safety system is demanded, both successful and failed operations of the system are considered and the corresponding simulation processes are launched. Each time when another event subjected to aleatory uncertainty occurs during the calculation of a branch, another branching point is generated and the simulations of the new branches are launched.

With MCDET, a conditional occurrence probability is assigned to each branch constructed in the course of a DET simulation. Multiplication of the conditional probabilities of all branches which made up a whole sequence finally gives the sequence probability. The probabilities of all sequences of a DET in general sum up to 1. If a probabilistic cut-off criterion was applied, the sum is smaller than 1, because all sequences with a conditional probability less than a given threshold value are ignored.

The DET approach avoids repeated calculations of dynamic situations shared by different sequences. Except for the first (root) sequence, any other sequence is calculated only from the time on where a corresponding branching occurs. The past history of a sequence is given by the parent sequence from which the sequence branches off, then, by the parent sequence of the parent sequence and so on.

One drawback of the DET approach is that a continuous variable like the timing of an event (e.g., the failure of a passive component) has to be discretized, if it is subjected to aleatory uncertainty. A coarse discretization would provide less accurate results. A detailed time discretization would lead to an exponential explosion of the number of branches. The accuracy of results derived from a more or less detailed discretization is difficult to quantify. To overcome this difficulty, MCDET allows for applying a combination of MC simulation and the DET approach which can adequately handle the aleatory uncertainty of any discrete or continuous variables and provide output data appropriate for quantifying the accuracy of the results, for instance, in terms of confidence intervals.

With MCDET coupled to a dynamics code, each DET is constructed on condition of values each randomly sampled for a continuous aleatory variable. Each new set of values for the continuous aleatory variables contributes to the generation of another DET. Result of this method is a sample of individual DETs, each constructed from a distinct set of values sampled for the continuous aleatory variables. The sampling of values for the continuous aleatory variables is not performed a priori, that is, before the calculation of a DET is launched. It is performed when needed in the course of the calculation. In this way, it is possible to treat not only the influence of aleatory uncertainties on the dynamics as calculated by the code but also the influence of the dynamics on aleatory uncertainties and to consider, for instance, a higher failure rate of a component, if a high temperature seriously aggravates the condition of the component.

From the conditional probabilities assigned to each sequence and the corresponding curves of safety related output quantities calculated by the dynamics code, the post-processing modules of MCDET can calculate the conditional DET-specific and the unconditional scenario-specific distributions of safety related quantities. These scenario-specific distributions are the means over the corresponding DET-specific distributions. The accuracy of the resulting mean distributions and probabilities can be quantified in terms of 90% or 95% confidence intervals.

Figure 1 comprises two schematic illustrations of the sample of DETs generated by MCDET. In Figure 1(a), each DET of the sample is represented in the time-event space with focus on the events subjected to aleatory uncertainty (e.g., failure-on-demand of the systems S1, S2, and S3, error of human actions HA1, or failure of a passive component PC). Timing and order of events might differ from DET to DET due to the influence of the different values sampled for MC simulation. Associated with each sequence of events is the process state at each point in time as calculated by the applied dynamics code and the corresponding conditional probability. In Figure 1(a), the state of a process variable and the corresponding probability are exemplarily considered at the end of problem time. The probabilities over the range of (e.g., from 0 to 10) obtained from all sequences of a DET constitute a distribution at each point in time (e.g., at the end of problem time as shown in Figure 1(a)). Figure 1(b) shows each DET in the time-state space where the focus is laid on the temporal evolution of the process variable for each sequence of events.

MCDET also allows for performing pure MC simulation to consider aleatory uncertainties of discrete or continuous variables. Regardless of whether MC simulation, the DET approach or a combination of both are applied, the probabilities of damage states (e.g., the probability of safety related SSC to be damaged by a fire) can be directly related to those process quantities of the dynamics code which are used to define failure criteria (e.g., high target temperatures and exposure times).
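The combined MC/DET scheme of this section, as an added Python example that is not part of the paper or of MCDET: each DET is expanded for one set of sampled continuous timings, branch probabilities are multiplied along each sequence, an optional probabilistic cut-off drops rare branches, and the scenario-specific damage probability is the mean over the DET-specific ones. The linear temperature model standing in for the dynamics code, the event names, all probabilities and timings, and the 100 °C criterion are constructed assumptions.

```python
import math
import random

# Failure-on-demand probabilities of the discrete aleatory events.
# Constructed illustrative values, not plant data.
P_FAIL = {"detection": 0.05, "portable_extinguisher": 0.30, "fixed_system_manual": 0.10}


def next_demand(state):
    """Next event demanded in this branch, or None when the sequence is complete."""
    if "detection" not in state:
        return "detection"
    if "portable_extinguisher" not in state:
        return "portable_extinguisher"
    # The fixed system is only actuated manually if the portable extinguisher failed.
    if not state["portable_extinguisher"] and "fixed_system_manual" not in state:
        return "fixed_system_manual"
    return None


def suppression_time(state, t_patrol, t_brigade):
    """Time (s) at which suppression starts for a completed sequence."""
    arrival = t_patrol + (0.0 if state["detection"] else 600.0)  # late discovery
    if state["portable_extinguisher"]:
        return arrival
    if state["fixed_system_manual"]:
        return arrival + 60.0
    return arrival + t_brigade  # fire brigade as last resort


def toy_peak_temperature(t_suppress):
    """Stand-in for the dynamics code: 20 degC plus 0.1 K/s until suppression."""
    return 20.0 + 0.1 * min(t_suppress, 1800.0)


def build_det(t_patrol, t_brigade, cutoff=0.0):
    """Expand one DET for fixed continuous values; returns [(probability, peak)]."""
    sequences, stack = [], [({}, 1.0)]
    while stack:
        state, prob = stack.pop()
        event = next_demand(state)
        if event is None:
            t = suppression_time(state, t_patrol, t_brigade)
            sequences.append((prob, toy_peak_temperature(t)))
            continue
        for ok, p in ((True, 1.0 - P_FAIL[event]), (False, P_FAIL[event])):
            # Branch probability = product of the conditional probabilities so far.
            if prob * p >= cutoff:  # probabilistic cut-off drops rare branches
                stack.append(({**state, event: ok}, prob * p))
    return sequences


def det_damage_probability(sequences, t_crit=100.0):
    """DET-specific probability that the peak temperature exceeds t_crit."""
    return sum(p for p, peak in sequences if peak > t_crit)


def scenario_estimate(n_dets, seed=1):
    """Mean over DET-specific probabilities with a normal-approximation 95% CI."""
    rng = random.Random(seed)
    probs = []
    for _ in range(n_dets):
        # Sampled up front for brevity; MCDET samples during the calculation.
        t_patrol = rng.uniform(200.0, 700.0)
        t_brigade = rng.uniform(300.0, 900.0)
        probs.append(det_damage_probability(build_det(t_patrol, t_brigade)))
    mean = sum(probs) / n_dets
    var = sum((p - mean) ** 2 for p in probs) / (n_dets - 1)
    half = 1.96 * math.sqrt(var / n_dets)
    return mean, (mean - half, mean + half)


if __name__ == "__main__":
    det = build_det(500.0, 600.0)
    print(len(det), sum(p for p, _ in det), det_damage_probability(det))
    print(scenario_estimate(100))
```

Without a cut-off the sequence probabilities of each DET sum to 1; with `cutoff=0.01` the rarest sequence is dropped and the sum falls below 1 by exactly its probability.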

##### 2.2. Consideration of Epistemic Uncertainties

Like with continuous aleatory uncertainties, the influence of epistemic uncertainties is considered by Monte Carlo (MC) simulation. In a first step, the values of the parameters subjected to epistemic uncertainty (epistemic variables) are sampled. Then, for each element of that epistemic sample, a sample of individual DETs is generated. Each DET is constructed from the values of the epistemic sample element combined with respective values sampled for the continuous aleatory variables.

The approach applied to quantify the influence of epistemic uncertainties needs at least two distinct DETs to be simulated per vector of the epistemic sample. If this condition is fulfilled, the simulation results can be used to quantify the overall influence of the epistemic uncertainties on a representative value of the resulting scenario specific probability distribution. A useful representative value is the expected value of the probability distribution, especially if probabilities such as the probability of a damage state are to be provided as IDPSA results. These probabilities can be represented as expected values of appropriately chosen Bernoulli distributions. For instance, the probability of variable to exceed the value is the expected value of the Bernoulli variable with , if and , if .

The expected value of the scenario-specific distribution of a variable (Section 2.1) per epistemic vector is the mean over the expected values of the DET-specific probability distributions of the respective epistemic vector (Formula 1). varies as a function of the epistemic variables Ep, while varies as a function of both the epistemic variables Ep and the continuous aleatory variables : where denotes the conditional expectation of a variable ( or ) as a function of the epistemic variables .

Formula 1 is true due to the following relationship: where denotes the conditional expectation of variable as a function of the epistemic and continuous aleatory variables .

Formula 2 derives from the known equation for conditional expectations: where and denote two variables, is the expectation of , and the conditional expectation of as a function of .

A quantification of the epistemic uncertainty of the expected value of the scenario-specific distribution can be obtained by estimating the expectation and the variance of and by using the estimators, for instance, to derive the parameters of a distribution supposed to be appropriate for . If represents a probability, the Beta distribution might be an adequate distribution assumption.

The expectation can be estimated as the arithmetic mean over the expected values of the DET-specific probability distributions. This is based on the equation for conditional expectations (Formulae 1 and 3): The variance can be calculated from the following known equation: where denotes the variance of a variable ( or ) and is the expectation of the conditional variance of given .

The estimators of the mean and variance can also be applied to calculate well-known inequations from statistics such as those of Chebychev (Formula 6) or Cantelli (Formula 7). These inequations can then be used to quantify the epistemic uncertainty of in terms of conservative estimations, for instance, of a 95% interval or of the 5%- or 95%-quantiles:

Another alternative to quantify the epistemic uncertainty of is the calculation of two or one-sided (95%; 95%) tolerance limits [19]. The only requirement of this alternative is a minimum number of runs which account for the variations due to epistemic uncertainties [20]. For instance, at least 59 values for must be available to quantify the upper one-sided (95%; 95%) tolerance limit.
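The quantification steps of this section, as an added Python example that is not the paper's or MCDET's own code: the minimum number of runs for a (95%; 95%) tolerance limit, the first-order upper limit (the sample maximum), moment estimates from several DETs per epistemic vector, and the conservative Cantelli and Chebyshev bounds. The variance estimator shown (variance of the vector means minus the mean within-vector variance divided by the number of DETs per vector) is an assumption based on the law of total variance, and all function names and sample data are constructed.

```python
import math
import random


def wilks_min_runs(beta=0.95, gamma=0.95, two_sided=False):
    """Smallest n for which the sample extreme(s) give a (beta, gamma) tolerance limit."""
    n = 1
    while True:
        conf = 1.0 - beta ** n
        if two_sided:
            conf -= n * (1.0 - beta) * beta ** (n - 1)
        if conf >= gamma:
            return n
        n += 1


def wilks_upper_limit(values, beta=0.95, gamma=0.95):
    """First-order one-sided upper tolerance limit: the sample maximum."""
    need = wilks_min_runs(beta, gamma)
    if len(values) < need:
        raise ValueError(f"need at least {need} epistemic runs, got {len(values)}")
    return max(values)


def epistemic_moments(dets_per_vector):
    """Estimate mean and epistemic variance of the per-vector expected value.

    dets_per_vector: one tuple of DET-specific expected values per epistemic
    vector. Assumed estimator (law of total variance, k DETs per vector):
    Var_ep = Var(vector means) - mean(within-vector variance) / k.
    The within-vector variance is why at least two DETs per vector are needed.
    """
    k = len(dets_per_vector[0])
    if k < 2 or any(len(d) != k for d in dets_per_vector):
        raise ValueError("need the same number (>= 2) of DETs per epistemic vector")
    n = len(dets_per_vector)
    means = [sum(d) / k for d in dets_per_vector]
    grand = sum(means) / n
    var_means = sum((m - grand) ** 2 for m in means) / (n - 1)
    within = sum(
        sum((x - m) ** 2 for x in d) / (k - 1) for d, m in zip(dets_per_vector, means)
    ) / n
    return grand, max(0.0, var_means - within / k), means


def cantelli_upper_quantile(mean, var, q=0.95):
    """Conservative q-quantile: P(X >= mean + c*sd) <= 1/(1 + c^2) = 1 - q."""
    return mean + math.sqrt(q / (1.0 - q)) * math.sqrt(var)


def chebyshev_interval(mean, var, level=0.95):
    """Conservative two-sided interval: P(|X - mean| >= c*sd) <= 1/c^2 = 1 - level."""
    half = math.sqrt(var / (1.0 - level))
    return mean - half, mean + half


def constructed_sample(n_vectors=60, seed=0):
    """Constructed data: two DET-specific damage probabilities per epistemic vector."""
    rng = random.Random(seed)
    sample = []
    for _ in range(n_vectors):
        p_ep = rng.betavariate(0.5, 20.0)  # spread between epistemic vectors
        pair = tuple(min(1.0, max(0.0, p_ep + rng.gauss(0.0, 0.005))) for _ in range(2))
        sample.append(pair)
    return sample


if __name__ == "__main__":
    grand, var_ep, means = epistemic_moments(constructed_sample())
    print("runs needed (one-sided / two-sided):",
          wilks_min_runs(), wilks_min_runs(two_sided=True))
    print("mean:", grand, "epistemic variance:", var_ep)
    print("Cantelli 95% quantile bound:", cantelli_upper_quantile(grand, var_ep))
    print("Chebyshev 95% interval:", chebyshev_interval(grand, var_ep))
    print("Wilks (95%; 95%) upper limit:", wilks_upper_limit(means))
```

The Cantelli bound depends only on the two estimated moments, while the Wilks limit is an order statistic of the sample, so the two can differ considerably for a skewed sample.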

#### 3. Fire Event, Firefighting Means, and Modelling Assumptions

The fire event considered in the analysis and the assumptions of the corresponding FDS model are described in Section 3.1. An overview of the plant specific firefighting means with emphasis on human actions and information on how these means were modelled are given in Section 3.2.

##### 3.1. Fire Event and Modelling Assumptions

The fire was assumed to occur in a compartment of a NPP including cooling and filtering equipment for pump lubrication oil and electrical cables routed below the ceiling. Since these cables carry out safety related functions, one aim of the analysis was to find out whether these cables can be sufficiently protected against the fire by the plant specific firefighting means. It was assumed that malfunction of the oil-heating system designated to heat up the pump lubrication oil in the start-up phase of the NPP causes an ignition of the oil.

The dimensions of the compartment where the fire was supposed to start are about w × l × h = 8 m × 6.2 m × 6 m. Compartment walls are from concrete. The compartment is divided into a lower and an upper level by a steel platform at 2.4 m height. This is where the electrical oil heater is located and the fire was assumed to start (Figure 2). The steel platform can be reached by steel stairs. The three compartment doors lead to the lower level of the compartment. It was assumed that one of these doors might be (randomly) left in open position. The corresponding probability was considered as epistemic uncertainty (Table 1). The mechanical air exchange by an air intake and an exhaust vent was considered to be 800 m^{3}/h. The air inlet duct (violet in Figure 2) has one diffusor above the fire and one to the lower level. The outlet duct (yellow in Figure 2) sucks air from the upper layer by two diffusors which can be closed by the fire damper. The fire damper at the exhaust vent was supposed to close after melting of a fusible link at 72°C. The probability of this mechanism to fail was considered as epistemic uncertainty (Table 1). If the outlet damper is closed, the mechanical air supply into the room was considered to be reduced to 400 m^{3}/h. This value was chosen to account for increased pressure losses, if the inlet air leaves the room via other leakages.

The fire simulation was performed by the Fire Dynamics Simulator (FDS) 6.0 [6]. FDS is a large-eddy simulation code for low-speed flows with emphasis on smoke and heat transport from fires. As input of FDS, the fire compartment was discretized in one mesh with a grid resolution of 0.2 m in all three directions. The evolution of the fire depends on the leakage rate of the oil and was considered to be linear over time. The characteristic time to reach 1 MW heat release rate was varied from 250 s to 700 s (Table 1). Due to the assumed fire, the electrical cables below the ceiling are exposed to hot smoke and radiation. The thermal penetration of the cable material was described by the model for thermally induced electrical failure (THIEF) implemented in FDS. The THIEF model predicts the temperature of the inner cable jacket under the assumption that the cable is a homogeneous cylinder with one-dimensional heat transfer. The thermal properties—conductivity, specific heat, and density—of the assumed cable are independent of the temperature. In reality, both the thermal conductivity and the specific heat of polymers are temperature-dependent. In the analysis, conductivity, specific heat, density, and the depth of the cable insulation were considered as uncertain parameters with relevant influence (Table 1).

##### 3.2. Firefighting Means

If equipment and procedures work as intended, firefighting is a rather short process, because the compartment where the fire is assumed to occur is equipped with a fixed fire extinguishing system which suppresses the fire with a sufficiently large amount of water after actuation by the fire detection and alarm system. However, if the automatic actuation of the fixed fire extinguishing system fails, the firefighting process is complex and essentially depends on the manual firefighting means performed by the plant personnel in charge.

There are three states of the fire detection and alarm system which can be assumed as decisive for the manual firefighting means, namely, at least two detectors, only one detector or none of the detectors indicating an alarm signal to the control room. If at least two fire detectors send an alarm signal, the control room operator (shift leader) immediately instructs the shift fire patrol and the on-site fire brigade to inspect the compartment and to perform the necessary steps for fire suppression. If there is a signal by only one detector, the signal might be a faulty or spurious one (e.g., due to dust, steam, etc.). This is why the fire patrol trained for fighting incipient fires is instructed to inspect the fire compartment and to verify the fire. Suppose the fire patrol verifies the fire, the shift leader, who is immediately informed, calls the on-site fire brigade. In the mean-time, the fire patrol tries to suppress the fire either by a portable fire extinguisher or by manually actuating the fixed fire extinguishing system from outside the fire compartment. If none of the fire detectors sends an alarm, the detection of the fire depends on the shift patrol inspecting the compartment at a random time once during a shift.

The fire patrol usually is the first person who arrives at the fire compartment. His/her success of suppressing the fire with a portable fire extinguisher was assumed to depend on the local optical density of the smoke at 3.20 m height (0.80 m above the level of the platform). For optical densities below m^{−1}, it was assumed that the fire patrol can detect the fire and start to suppress it by means of a portable fire extinguisher after a delay of 10 s. For 0.1 m^{−1} < < 0.4 m^{−1}, it was assumed that the delay time until the fire source is detected and the suppression can be started increases with the optical density. The delay time was assumed to be times 100 seconds. For ≥ 0.4 m^{−1}, fire suppression with a portable fire extinguisher and without any personal protective equipment was supposed to be impossible due to reduced visibility and irritant smoke effects on eyes and breathing organs. The fire patrol does not wear personal protective equipment. The threshold value of 0.4 m^{−1} for the optical density was considered as epistemic uncertainty (Table 1). If fire suppression with a portable fire extinguisher is not possible, the fire patrol can try to manually actuate the fixed fire extinguishing system. If this does not work, the fire brigade has to extinguish the fire with their equipment.

Besides the reliability of the fire detection and alarm system and the performance of human actions, the success of firefighting mainly depends on the reliability of active fire barrier elements such as fire dampers or doors and of the fire extinguishing systems which can be manually actuated.

The Crew Module of MCDET was used to model and simulate the time-dependent process of the actions of the plant personnel in charge of firefighting. The model was constructed on the basis of documents from the reference NPP and walk-talk-throughs at locations relevant for firefighting. The aleatory uncertainties taken into account with regard to the performances of the crew members relate to the timings of rather simple actions to be applied for firefighting and to whether actions are successfully performed or not. A more detailed description of the model and the aleatory uncertainties can be found in [8].

#### 4. Analysis Steps and Results

The analysis presented here was rather complex. An overview of the main analysis steps is given in Section 4.1. A selection of results can be found in Section 4.2.

##### 4.1. Analysis Steps

The first steps of the analysis focused on the stochastic performances of the crew members in charge of firefighting. The tool applied was just MCDET with its Crew Module. The corresponding simulations ran very fast and provided more than 100 DETs for each of several conditions. The conditions were identified as being decisive to the human actions applied for firefighting. They were given by the relevant states of the fire detection and alarm system (none, only one or at least two of the detectors operate as required) and by the fire progression (e.g., visibility of smoke in front of the door when shift personnel reaches the fire compartment or production of smoke in the fire compartment). Running MCDET and its Crew Module for a set of prescribed conditions related to the fire progression was necessary, since FDS was not applied in this part of the analysis.

From the DETs resulting from the simulations of MCDET only, various conditional distributions could be derived by using the corresponding postprocessing module of MCDET. The distributions refer to the timings of complex sequences of human actions such as the time period between fire alarm and the arrival of fire fighters at the fire compartment door or the time period between the arrival at the fire compartment door and the beginning of fire extinguishing. They express the stochastic variability of the timings and were used as input to the simulations performed in the second part of the analysis.

The second part of the analysis dealt with the modelling, simulation and evaluation of the interaction of the fire dynamics with relevant factors subjected to uncertainty and affecting the fire dynamics. The aleatory uncertainties taken into account refer to the timing and outcome (success/error) of human action related events, the operability of the fire detection and alarm system as well as to the functioning of active fire barrier elements (i.e., fire dampers and fire doors) and of the fire extinguishing systems which could be manually activated.

The main tools applied in the second part of the analysis were MCDET (without its Crew Module) and FDS. Modelling assumptions on the fire event were specified as input to FDS (Section 3.1) while the relevant parameters subjected to aleatory uncertainty as well as the corresponding distributions and branching information quantifying the aleatory uncertainty (Section 2.1) were entered as input to MCDET. The parameters considered as potentially important and subjected to epistemic uncertainty (Table 1) were part of the MCDET input as well. The values of these parameters were sampled by the tool SUSA 3.6 for uncertainty and sensitivity analysis [21] and, then, provided as input to MCDET.

The simulations of FDS and those of MCDET were supervised by the old version of the MCDET Scheduler which allowed for calculating each DET in one process. The simulation approach made extensive use of the restart capabilities of the FDS code.

Fire sequences were planned to run up to 1800 s (0.5 hours) after ignition. If the fire suppression had started in a sequence, the simulation of that sequence was stopped as soon as the temperature inside the jacket of safety related cables fell below 120°C. It was assumed that the fire is under control in that situation and that a temperature below 120°C does not cause any harm to the cables.

The output of the simulations comprised data of about 2400 different fire sequences from a sample of 120 individual DETs. Two distinct DETs were simulated per vector of the epistemic sample (cf. Section 2.2). That means the epistemic sample included 60 different vectors. For the evaluation of the output data, corresponding postprocessing modules of MCDET were applied.

##### 4.2. Analysis Results

The safety related targets which could be damaged and, therefore, were selected to be considered in the analysis, are I&C cables routed below the ceiling of the fire compartment (Section 3.1). The FDS output quantity used as indicator for cable damage is the temperature inside the jacket of the cables.

If the fixed fire extinguishing system of the compartment where the fire starts can be automatically actuated, the fire can be suppressed rather quickly without causing significant damage to the safety related targets (Section 3.2). The situation is more critical, if the automatic actuation of the fixed fire extinguishing system of the compartment fails. Therefore, the analysis focused on that condition. All results presented in the following refer exclusively to that condition. That means all probabilities presented are conditional probabilities.

Figure 3 shows the temporal evolution of the temperature inside the cable jacket for those sequences of all generated DETs where the fire detection and alarm system operates as required. Differences between the sequences are due to the overall influence of aleatory and epistemic uncertainties. Distinct colours used in Figure 3 indicate which sequences lead to successful fire suppression (green and red curves) and which not (black curves). Successful fire suppression can be performed either by the fire patrol (green curves) or by the fire brigade (red curves). The fire patrol can extinguish the fire by a portable fire extinguisher or by manually actuating the stationary fire extinguishing system from outside the fire compartment (Section 3.2). If the fire detection and alarm system operates as required, the fire patrol can suppress the fire mostly within 800 s (~13 min) after fire ignition. If the patrol fails to suppress the fire, the fire brigade can extinguish the fire with their equipment. The fire brigade succeeds in suppressing the fire mostly within 800 to 1200 s (~13 to 20 min)—in some cases within 1200 to 1500 s (20 to 25 min)—after fire ignition.

For sequences without any fire extinguishing within 1800 s (black curves), three distinct temperature clusters are clearly visible in Figure 3. In the first cluster, the temperature inside the cable jacket decreases below 100°C within 1800 s after ignition. The associated sequences are characterized by the corresponding fire damper operating as demanded and the fire door being closed (Section 3). The same is true for the sequences of the second cluster with a temperature on a level between 105°C and 120°C. The reasons for a smaller temperature decrease compared to that of the first cluster must be further investigated. In the third cluster, the temperature remains at a rather high level between 125°C and 150°C up to the end of simulation time (1800 s). This is the consequence of an open fire damper or an open fire door.

Figure 4 shows the overall distribution and two conditional distributions of the maximum temperature inside the cable jacket. The conditional distributions refer to the conditions, if the fire is successfully extinguished by the plant personnel or not. If the fire can be successfully suppressed, the maximum temperature can be reduced below 150°C with a mean probability of about 0.87. If the fire cannot be suppressed, the mean probability of a maximum temperature below 150°C is approx. 0.51. The main effect on the maximum temperature results from the actions of the fire patrol, because he/she can start the fire suppression quite early and therefore avoid a higher temperature maximum inside the cable jacket (cf. Figure 3). The overall distribution and the conditional distribution referring to fire suppression by the plant personnel are nearly identical. This is due to the very low conditional probability for failed fire suppression within 1800 s. The mean value is 5.97E-06.

Distributions referring to the time period with the temperature inside the cable jacket exceeding 160°C are shown in Figure 5. They indicate, for instance, that the time period is not longer than approximately 113 s with a mean probability of 0.95, if the fire can be successfully suppressed. This result is also applicable to the overall unconditional distribution because of the very high conditional probability for successful fire suppression. If the fire cannot be suppressed within 1800 s, the 95%-quantile of the time period is 192 s. The differences between the two conditional time distributions in Figure 5 seem to be not very large. Nevertheless, these differences might be relevant, if the time period with a high temperature inside the cable jacket is used as criterion for cable failure.

Estimates of the probability of the I&C cables to be damaged by the fire were derived on the basis of two different failure criteria. According to failure criterion 1, the cables were assumed to be damaged, if the temperature inside the cable jacket exceeds a critical value. With criterion 2, the failure of a cable was supposed to be determined by both a high level of the temperature inside the cable jacket and a critical time period with the temperature being on a high level. Reference values and uncertainty quantifications referring to the failure temperature (criterion 1) and the critical time periods (criterion 2) are specified in Table 1. It is emphasized that the specifications are used only for demonstration purposes. They were derived from available experimental data on failure temperatures of I&C cables [22] and should be checked for real applications, in particular, with respect to the critical time periods for given temperature levels.

The mean probability of I&C cables to be damaged by the fire was estimated to be 1.76E-02 based on failure criterion 1 and 4.12E-03 based on criterion 2 (Table 2). Figure 6 shows, for each criterion, the cumulative distribution of the cable failure probability calculated per epistemic sample vector. As mentioned in Section 4.1, the epistemic sample included 60 elements. The two distributions of differ significantly. According to the distribution related to the first criterion, the possible values for range from zero to 5.12E-01 and the (subjective) probability of to be zero—meaning that the critical temperature threshold is not exceeded—is relatively high. It can be concluded from the distribution related to the second criterion that even if the temperature always remains below the critical threshold, there are sequences in which the temperature stays at a relatively high level for a rather long time exceeding the critical time period. The probabilities for those sequences range up to 1.53E-02. Furthermore, it can be concluded that if the temperature exceeds a critical threshold (e.g., with a relatively high probability of 5.12E-01), it often does so only for a short time which is not considered critical according to the second criterion.

Since 60 values are available to quantify the epistemic uncertainty of the probability , the one-sided upper (95%, 95%) tolerance limit could be calculated (see Section 3.2). Based on failure criterion 1, the (95%, 95%) tolerance limit according to Wilks formula [19] is 5.12E-01. The (95%, 95%) tolerance limit based on criterion 2 is 1.53E-02.

Estimates of the expectation and the variance of as a function of the epistemic uncertainties are derived based on the formulae in Section 3.2. They are given in Table 2. Applying these estimates to the inequation of Cantelli (Formula 7), the 95% quantile of is estimated to be 2.81E-01 based on criterion 1 and 3.00E-02 based on criterion 2. These estimates differ from the (95%, 95%) tolerance limits calculated according to Wilks formula. With regard to criterion 1, the tolerance limit is nearly two times higher, whereas it is two times smaller with regard to criterion 2.

If and are the expectation and the variance of the Beta distribution assumed to quantify the epistemic uncertainty of , the corresponding 95% quantile is given by 1.10E-01 according to criterion 1 and by 1.61E-02 according to criterion 2. A comparison of the results from the applied approaches for epistemic uncertainty quantification underlines what was expected, namely, that the most conservative estimation of the epistemic uncertainty of is the tolerance limit (criterion 1) or the estimate of the 95% quantile derived from the inequation of Cantelli (criterion 2).
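As an added illustration (not part of the paper's analysis or its tooling), the following Python sketch shows how a one-sided upper (95%, 95%) tolerance limit according to Wilks and a Cantelli-based estimate of the 95% quantile can be obtained from 60 values. The sample is constructed, the function names are hypothetical, and the standard one-sided Cantelli inequality and the unbiased sample variance are assumed to correspond to the formulae in Section 3.2.

```python
import math
import random
import statistics


def wilks_confidence(n, beta, m=1):
    """Confidence that the m-th largest of n runs is >= the beta-quantile."""
    below = sum(math.comb(n, j) * (1 - beta) ** j * beta ** (n - j)
                for j in range(m))
    return 1.0 - below


def wilks_min_runs(beta=0.95, gamma=0.95):
    """Smallest n for which the sample maximum is a (beta, gamma) limit."""
    n = 1
    while wilks_confidence(n, beta) < gamma:
        n += 1
    return n


def wilks_upper_limit(sample, beta=0.95, gamma=0.95):
    """One-sided upper (beta, gamma) tolerance limit from order statistics."""
    n = len(sample)
    if wilks_confidence(n, beta) < gamma:
        raise ValueError(f"need at least {wilks_min_runs(beta, gamma)} runs")
    m = 1  # rank from the top; take the lowest order statistic still valid
    while m < n and wilks_confidence(n, beta, m + 1) >= gamma:
        m += 1
    return sorted(sample, reverse=True)[m - 1]


def cantelli_quantile(mean, variance, q=0.95):
    """Upper bound on the q-quantile from P(X >= mu + k*sigma) <= 1/(1+k^2)."""
    return mean + math.sqrt(variance * q / (1.0 - q))


def constructed_sample(n=60, seed=1):
    """Constructed stand-in for the failure probability per epistemic vector."""
    rng = random.Random(seed)
    return [0.0 if rng.random() < 0.5 else rng.betavariate(0.5, 8.0)
            for _ in range(n)]


if __name__ == "__main__":
    p = constructed_sample()
    mean, var = statistics.fmean(p), statistics.variance(p)
    print("minimum runs for (95%, 95%):", wilks_min_runs())
    print("Wilks (95%, 95%) limit:", wilks_upper_limit(p))
    print("Cantelli 95% quantile bound:", cantelli_quantile(mean, var))
```

With 60 values the Wilks limit is the sample maximum, which is consistent with the criterion 1 tolerance limit of 5.12E-01 coinciding with the upper end of the range reported above; the Cantelli estimate needs only a mean and a variance and therefore remains usable when fewer than 59 runs can be afforded.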

#### 5. Conclusions

An IDPSA was successfully performed to assess the performance of the firefighting means to be applied in a nuclear power plant. The application of advanced methods allowed for an improved modelling of the interaction between the fire and the firefighting means whilst simultaneously taking account of aleatory and epistemic uncertainties.

The analysis was performed in two parts. The first steps of the analysis focused on the performances of the crew members in charge of firefighting and made extensive use of the tool MCDET and its Crew module. The aleatory uncertainties taken into account relate to the timings of human actions to be applied for firefighting and to whether actions are successfully performed or not. The simulation results provided by MCDET and its Crew module were conditional distributions quantifying the aleatory uncertainties of the timings of complex sequences of human actions. These distributions were used as input to the subsequent analysis steps dealing with the fire dynamics interacting with the plant specific means designated to be applied for firefighting including the functions of fire extinguishing systems and active fire barriers. The aleatory uncertainties considered in that part of the analyses refer to the performances of these means. Epistemic uncertainties were taken into account as well and mainly relate to parameters of the code FDS applied for fire simulation.

From the huge amount of output data provided by the application of the coupling of the tools FDS and MCDET, many different distributions referring to the temporal evolution of the temperatures of safety related targets could be calculated. The main result was the probability of safety related SSC to be damaged by the fire. A realistic estimate of this probability was derived based on a failure criterion considering both critical target temperatures and exposure times. It may be used, for instance, in the subsequent steps of a fire safety analysis to assess the further consequences of the assumed fire.

The IDPSA performed with MCDET and FDS also allowed for quantifying the influence of epistemic uncertainties. Depending on the number of simulation runs which can be afforded to account for epistemic uncertainties, various quantification approaches could be applied. Appropriate approaches are the tolerance limits according to Wilks formula or the estimation of quantiles based on well-known inequations from statistics such as the inequations of Chebychev or Cantelli. The use of an inequation may be appropriate, if the minimum number of runs required for calculating tolerance limits cannot be afforded.

A standard PSA is not able to provide the kind of results which can be obtained by an MCDET analysis. It mainly relies on logical event tree/fault tree models which are static and, therefore, cannot adequately account for timing effects. Unlike an MCDET analysis, where the timing and order of stochastic events (e.g., with regard to firefighting means) are automatically calculated by a dynamics code (e.g., FDS) coupled to MCDET, a standard PSA requires the analyst to prescribe the chronological order of events. This may have the effect that potentially important sequences with another order of events are not considered at all, and therefore, the incompleteness uncertainty associated with the standard PSA model (which may be already high due to a deficient handling of timing effects) is further increased. Furthermore, in a standard PSA, the physical-chemical process (e.g., the fire evolution) is calculated just for a few selected sequences. For most of the sequences, the behaviour of the process is not known and must be estimated from the few available results. This makes it nearly impossible to consider complex interactions between a process and stochastic events, especially if the timing of events is important.

The main lesson learned from the MCDET analysis was the importance of having a well validated and tested dynamics model when performing an IDPSA. The amount of work necessary to make the model of the fire scenario implemented in FDS applicable with the combinations of input data provided by MCDET was higher than initially expected. Besides that, considerable effort had to be spent on finding a way to handle the limited restart capabilities of FDS in order to make the code run in combination with MCDET while simultaneously avoiding extensive calculation time and data storage. Nevertheless, the coupling of MCDET and FDS which is now available can be used for further IDPSAs performed in the frame of a fire safety analysis.

#### Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

#### Acknowledgments

The authors wish to thank their GRS colleagues B. Forell and M. Röwekamp for their useful contributions to this work which was sponsored by the Ministry of Economics and Technology (BMWi) within the frame of the Research and Development Project RS1198.