The Transactions of the Korean Institute of Electrical Engineers

  1. (Dept. of Nuclear Power Plant Engineering, Kepco International Nuclear Graduate School(KINGS), Korea.)



Cascading Failure, Hanbit NPP, IEC 61850, Protection power system

1. Introduction

Cascading failure is the major cause of large blackouts at all kinds of generating stations, and it always begins with an initiating event [1]. Hidden failures can occur in any equipment of the electric power system. Failures of this kind in protection systems cause about 75% of electrical protection power system blackout events [2]. The major failures in circuit breakers (CB) are due to faults in the control signal and failure of insulation. These failures occur without any indication and are difficult to identify [3]. In this regard, this paper presents a case study of a CB operation failure at the Hanbit nuclear power plant (NPP), in which the malfunction expanded into a sequential cascading failure and loss of offsite power due to a short circuit (SC) rather than other abnormal operating conditions. Two protection systems are common practice: primary protection and backup protection. The first line of defense is secondary protection. Primary SC protection should operate as quickly as possible, preferably instantaneously, for power system stability and to prevent equipment damage. Based on a comprehensive literature review of the cascading failure at Hanbit NPP unit 2, an appropriate prevention scheme is proposed in this study. Section 2 introduces the cascading failure case at the Hanbit nuclear power plant. Section 3 introduces cascading failure prevention techniques and solution methods. Finally, Sections 4 and 5 present the results, discussion and conclusions.

2. Challenges of Cascading Failure in Nuclear Power Plants

On 6 March 2018, during normal operation of Hanbit unit 2, the emergency diesel generator (EDG) was started automatically by the low voltage signal generated from the 4.16 kV medium voltage safety bus. As shown in Fig. 1, the non-safety bus (NB-S02) is supplied from the unit auxiliary transformer (UAT#1), with the start-up transformer (SUT#2) as the alternative power source. While the central chiller pump, a load of the non-safety bus, was being replaced, the stop signal was initiated from the local control panel to open the central chiller CB, and the operator judged that the central chiller had stopped. In reality, the central chiller circuit breaker did not open and the central chiller pump motor continued to run; only the central chiller lubrication pump stopped. As the central chiller pump continued operating with the lubrication function stopped, the bearing temperature rose, resulting in motor winding overheating (phase B) and a ground fault (phases A and C).

Fig. 1. Schematic diagram of event propagation


2.1 Sequential Incident Propagation Process

During the replacement of the central chiller (GB-Z050), the failure of one breaker (NB-S02-18) expanded into a loss of offsite power (LOOP). As shown in Figs. 1 and 2: ⓵ The CB (NB-S02-18) did not open because of insufficient lubrication on the CB's open latch contacts, and the central chiller pump kept running. Only the central chiller lubrication oil pump stopped, which caused the chiller bearing temperature to rise gradually (the bearing high temperature alarm was activated) until the motor winding overheated. In this state, the central chiller instantaneous ground fault relay (50GS, setting 30 A, operating time 0.1 seconds) picked up the fault and activated the CB (NB-S02-18), but the CB did not operate. ⓶ The fault current generated by the motor winding overheating caused the upstream ground fault overcurrent relay (51N, residual type) to trip the CB (NB-S02-01) after the specified intentional time delay. ⓷ At that time, the operator thought that the cause of the failure had been cleared and tried switching to the alternative power source to restore the lost voltage by closing the CB (NB-S02-03), so that power would be supplied from the start-up transformer (SUT#2). Because of the ground fault in phases A and C caused by the motor winding overheating, the ground overcurrent relay (51N, residual type, 120 A, operating time 3 seconds) picked up the fault and the CB (NB-S02-03) tripped. The operator attempted twice to manually reclose the CB (NB-S02-03) to recover the low voltage of the 4.16 kV medium voltage non-safety bus without the cause of the fault being resolved. ⓸ In the second attempt to reclose the CB (NB-S02-03), the ground fault occurred under the same conditions as in the first reclosing, but the CB (NB-S02-03) did not open because of current transformer (CT) saturation. At that time, the neutral overcurrent protection relay of the start-up transformer (51NB, 200 A, set operating time 0.59 seconds) picked up the fault and the switchyard breakers (7F00) and (7F71) opened; the safety bus (PB-S02) also lost power. ⓹ Subsequently, the undervoltage relay (27) of the safety bus (PB-S02) breaker detected the loss of voltage and the emergency diesel generator (EDG) 'B' was automatically started to supply power to the safety buses. Thus, the malfunction of the central chiller (NB-S02-03) CB propagated in a chain leading to a loss of offsite power (LOOP) event.

Fig. 2. Sequential incident propagation diagram.


2.2 Incident Main Causes

2.2.1 Causes of Unopened Chiller Circuit Breaker

The medium voltage 4.16 kV non-safety bus experienced low voltage because the central chiller pump failed to shut down during the replacement operation. It was found that the opening coil of the CB (NB-S02-18) failed to rotate the opening latch because the open latch roller was stuck. Visual inspection of the open latch rollers and open latch contacts showed that the surfaces were not clean and that insufficient lubrication of the contact surfaces led to the failure of the CB to open. Based on the analysis by the Korean Institute of Nuclear Safety (KINS) together with the breaker manufacturer (GE), after checking the opening mechanism for mechanical deformation and the internal control circuit, the investigation team declared that the breaker drive mechanism and the contact area between the open rod and the open latch roller were poorly lubricated, which resulted in the failure of the CB open signal.

2.2.2 Causes of Switchyard Circuit Breaker opening

The operator of the nuclear power plant attempted twice to switch manually to the alternate power source by closing the SUT-side CB (NB-S02-03) to recover the loss of voltage on the medium voltage 4.16 kV non-safety bus (NB-S02), without the cause of the fault on the non-safety bus (NB-S02) being resolved. During the first manual reclosing of the SUT-side CB (NB-S02-03), the breaker operated normally and closed to restore power to the non-safety bus (NB-S02-03), but because the cause of the ground fault was not resolved, about 4 seconds after the manual reclosing the ground overcurrent relay (51N, 120 A, operating time 3 seconds) operated and the SUT-side CB (NB-S02-03) opened automatically. After the CB opened following the first manual reclosing, the operator tried a second manual reclosing of the same CB with the same ground fault overcurrent present on the 4.16 kV non-safety bus (NB-S02). This time the CB did not open, the ground fault relay (51NB) of the start-up transformer (SUT#2) operated, and the switchyard breakers (7F00) and (7F71) opened. According to the KINS investigation report (see Figs. 3 and 4), the waveform of the fault current at the first manual closing of the CB (NB-S02-03) was recorded as a sine wave and showed no sign of saturation, but during the second reclosing of the CB (NB-S02-03) the fault current waveform was partially distorted and reduced because of the fault current generated during the first manual reclosing, indicating saturation of the CT connected to the ground fault relay (51N).

Fig. 3. Fault current waveform at first closing


Fig. 4. Fault current at second reclosing


3. Prevention of Cascading Failure

The main challenge in the existing protection system is the long coordination time interval between the downstream and upstream relays and the lack of communication between the protective devices, which results in cascading failure. The existing protection and control system was reviewed and upgraded to ensure interlocking between the chiller and the lubrication pump motor. In addition, the following countermeasures can be considered to reduce the design vulnerability of the existing protection system:

⓵ Quick detection of the temperature rise before insulation failure using IEC 61850 with smart sensors.

⓶ Logical Interlocking by implementation of IEC61850 substation automation protocol.

⓷ Apply a breaker failure protection scheme using IEC 61850 based digital relays.

Recently constructed NPPs apply digital relays, and existing NPPs are also being retrofitted from analog relays to digital relays, so peer-to-peer communication between relays can be applied without installing additional equipment, which makes the solutions listed above feasible.

3.1 Existing Electrical Protection and Control System

The current protection coordination for the central chiller motor pump is achieved using a time overcurrent relay (51) for incoming feeders, and an instantaneous time overcurrent relay (50) and a time overcurrent relay (51) for branch feeders. The coordination time interval (CTI) between the downstream and upstream protection devices has to be considered and followed. According to IEEE, the CTI between downstream and upstream protection devices should be about 200~250 ms. This CTI delays the trip of the upstream circuit breaker when the circuit breaker of the downstream relay fails to trip [4][5]. The existing fault clearing time by the circuit breaker of the upstream feeder relay, in case the CB of the downstream relay fails, can be calculated as shown in Table 1:

Table 1. Fault clearing time by circuit breaker.

| Action | Clearing time |
|---|---|
| Downstream relay trip time | 40 ms |
| Lockout relay operation | 8 ms |
| Five cycle CB | 83 ms |
| CTI between downstream and upstream relay | 250 ms |
| Total time | 381 ms |

As shown in Fig. 5, when a fault occurs in the motor feeder circuit, it takes 131 ms for the CB of the downstream relay (50), and up to 381 ms for the CB of the upstream relay, to pick up and clear the fault. This means that if the downstream CB fails to trip, the fault in the motor continues for about 381 ms until the upstream CB picks up and removes it, releasing substantial thermal energy during the short circuit fault and overheating the motor stator windings.

Fig. 5. Fault clearing time curve


The existing relay coordination curve between the downstream and upstream circuit breakers for the central chiller water pump motor circuit of Hanbit NPP unit 2 is shown in Fig. 6.

The following subsections explain in more detail how the existing electrical protection system can be improved to prevent cascading failure in the NPP's electrical protection power system.

3.2 Breaker Failure in Conventional Architecture

Using a breaker-failure trip to trigger a breaker trip lockout relay is common practice. This could be the 86B bus lockout relay with suitable targeted breaker failure or a specialized 86BF lockout relay. The electromechanical lockout relay reduces system reliability because it is a potential point of failure. In addition, the lockout relay adds about one cycle to the breaker-failure clearing time.

Fig. 6. Central chiller water pump Relay curve.


3.3 Prevention of Cascading Failure Using IEC61850

IEC 61850 is a communication protocol that can give many benefits to the NPP electric power system, not only cost savings but also design improvement. In the MV system of NPPs, however, electrical system protection relies on time-current curve (TCC) coordination in the case of an overcurrent fault. Using IEC 61850 can significantly reduce communication time, which is critical when a fault occurs. IEC 61850 provides fast communication by using designated communication types: MMS, GOOSE and SV [6]. GOOSE is the fastest of the three IEC 61850 communication types because it uses only 2 OSI layers. GOOSE messages are intended especially for urgent actions such as trip and interlocking signals. Korean NPPs have applied digital relays since the Shin-Kori 3&4 nuclear power plant. The digital relay is an intelligent electronic device (IED) and supports IEC 61850 communication functions, so communication between IEDs with IEC 61850 is applicable on the MV system without installing additional devices [7].

3.3.1 Communication-Based Breaker Failure Protection

The IEC 61850 based GOOSE scheme allows continuous communication between IEDs. Once the overcurrent relay detects a fault, it initiates a direct transfer trip (DTT) signal to the upstream circuit breaker to clear the fault [8]. DTT needs to be dependable during fault conditions so that the trip signal is received correctly. This type of peer-to-peer communication based breaker failure protection can be applied in different ways:

• As a function in IEDs that initiates the breaker failure protection when it receives the trip signal from the relay protecting the faulted power system equipment.

• As a built-in function in the protective IED that detected the fault and issued the trip signal.

3.3.2 Implementation of Circuit Breaker Failure in IEC 61850 environment

Fig. 7 shows the data communication between relays in an IEC 61850 environment when a fault occurs in the downstream feeder. The downstream relay detects the fault and issues a tripping GOOSE message to clear it. The CBF function responds to this GOOSE message and the breaker failure timer starts. In case of breaker failure, the breaker failure function flags the failure and a GOOSE message is sent over the LAN to trip the upstream breakers and initiate DTT to the upstream relay to clear the fault. When the IED initiates a trip signal, it starts a timer and monitors the CB current. If the current does not go away within a predefined time, the IED issues a re-trip or trips the upstream breakers to isolate the faulted one. After the downstream relay gets a tripping signal but does not receive a tripping signal from the breaker, it shall send a breaker failure initiate (BFI) signal through a GOOSE message to the upstream relay to force it to trip the upstream circuit breaker, regardless of whether the blocking timer has expired [9].

Fig. 7. Data communication between relays


To achieve this kind of communication, IEC 61850 defines specific protective functions as logical nodes (LN), and a specific category of attributes is defined for each logical node. LNs can also be located in different types of IEDs. Calculated values of voltage, current and condition are transmitted to the relays via a process bus, which is an Ethernet communication channel. The RBRF class is assigned to circuit breaker failure (CBF) protection as per IEC 61850-7-4; see Table 2. The IEC 61850 standard documents define the attributes: OpIn corresponds to the re-trip order from the RBRF to the failed CB (stage I or inner trip), OpEx corresponds to the tripping command to the corresponding breaker (stage II or external trip), and FailMod deals with the assessment of breaker malfunction by current status. This LN's specifications are described in IEC 61850 part 5.

Table 2. Class assigned to CBF

| Attribute | Class | Description |
|---|---|---|
| Class | RBRF | |
| OpCntRs | | Operation re-set counter |
| Details about the condition | | |
| Str | ACD | Start, timer running |
| OpEx | ACT | BF trip ("External trip") |
| OpIn | ACT | BF trip ("Internal trip") |
| Settings | | |
| StrVal | ASG | Start Value |
| FailMod | ING | BF Mode detection. |
| FailTmms | ING | BF Time Delay for downstream trip. |
| ReTrMod | ING | Retrip Mode. |
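
The breaker-failure sequence of Section 3.3.2, as an added example that is not part of the original paper: a 1 ms time-stepped model of an RBRF-style function using the Table 2 names Str, OpIn, OpEx, StrVal and FailTmms. The StrVal, FailTmms and retrip_ms values, the 400 A fault current and all function names are assumptions made for illustration; the 40, 8, 83 and 20 ms delays are the ones quoted in Tables 1 and 4.

```python
"""Added illustration: breaker-failure (RBRF-style) timer stepped in 1 ms ticks."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Delays quoted in the paper (Tables 1 and 4), in milliseconds.
RELAY_TRIP_MS = 40   # downstream relay trip time
LOCKOUT_MS = 8       # lockout relay operation
CB_MS = 83           # five-cycle circuit breaker at 60 Hz
GOOSE_MS = 20        # signal travelling time between the relays
FAULT_A = 400.0      # constructed fault current, not a value from the paper


@dataclass
class RbrfSettings:
    StrVal: float = 30.0  # A; assumed: above this the breaker still conducts
    FailTmms: int = 150   # ms; assumed delay from trip initiation to OpEx
    retrip_ms: int = 100  # ms; hypothetical delay from trip initiation to OpIn


@dataclass
class Rbrf:
    cfg: RbrfSettings = field(default_factory=RbrfSettings)
    started_at: Optional[int] = None
    Str: bool = False    # start, timer running
    OpIn: bool = False   # re-trip of the failed breaker (internal trip)
    OpEx: bool = False   # trip of the upstream breaker (external trip)
    log: List[Tuple[int, str]] = field(default_factory=list)

    def step(self, t_ms: int, trip_signal: bool, current_a: float) -> None:
        """Advance one tick; breaker failure is judged by current only."""
        conducting = current_a > self.cfg.StrVal
        if self.started_at is None:
            if trip_signal and conducting:
                self.started_at, self.Str = t_ms, True
                self.log.append((t_ms, "Str"))
            return
        if not conducting:
            # Current has gone away: the fault is isolated, stop the timer.
            self.started_at, self.Str = None, False
            self.log.append((t_ms, "reset"))
            return
        elapsed = t_ms - self.started_at
        if elapsed >= self.cfg.retrip_ms and not self.OpIn:
            self.OpIn = True
            self.log.append((t_ms, "OpIn"))
        if elapsed >= self.cfg.FailTmms and not self.OpEx:
            self.OpEx = True
            self.log.append((t_ms, "OpEx"))


def simulate(downstream_cb_stuck: bool, horizon_ms: int = 500):
    """Return (event log, time in ms at which the fault current is interrupted)."""
    rbrf = Rbrf()
    local_open_at = None if downstream_cb_stuck else RELAY_TRIP_MS + LOCKOUT_MS + CB_MS
    upstream_open_at = None
    cleared_at = None
    for t in range(horizon_ms):
        opened = [x for x in (local_open_at, upstream_open_at) if x is not None]
        interrupted = any(t >= x for x in opened)
        if interrupted and cleared_at is None:
            cleared_at = t
        rbrf.step(t, trip_signal=t >= RELAY_TRIP_MS,
                  current_a=0.0 if interrupted else FAULT_A)
        if rbrf.OpEx and upstream_open_at is None:
            # OpEx travels as a GOOSE message, then the upstream breaker opens.
            upstream_open_at = t + GOOSE_MS + CB_MS
    return rbrf.log, cleared_at


if __name__ == "__main__":
    for stuck in (False, True):
        log, cleared = simulate(stuck)
        print(f"downstream CB stuck={stuck}: cleared at {cleared} ms, events={log}")
```

With a healthy downstream breaker the timer resets at 131 ms, the downstream clearing time given in Section 3.1; the stuck-breaker clearing time depends entirely on the assumed FailTmms.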

In case of a fault, the LN transfers a message to the RBRF (initiated by the CBF), and the RBRF triggers the timer. The RBRF sends a message via the network to the XCBRs (logical node for circuit breaker) to trip the upstream CB if the downstream breaker fails to trip and clear the fault. All upstream XCBRs subscribe to and receive this message at the same time to carry out the next required actions. The RBRF information exchange with other logical nodes is shown in Fig. 8. The blocks IHMI, CALH, ITCI, RBRF, XCBR and Pxyz are logical nodes (Pxyz stands for the main protection, e.g., PIOC for instantaneous overcurrent); Table 3 gives a functional description of each logical node.

Table 3. Functional descriptions of logical nodes

| Logical Nodes | Functional Descriptions |
|---|---|
| IHMI | Human Machine Interface |
| CALH | Fault indication and Alarm signal |
| ITCI | Tele-controlling application |
| RBRF | Breaker failure |
| XCBR | Circuit Breaker |
| PIOC | Instantaneous overcurrent protection |
| PTOC | Time overcurrent protection |

The RBRF receives a trigger signal from the protection LNs. The RBRF transmits four kinds of signals:

• Data about the fault is transmitted via IHMI and ITCI.

• Trip indication is transmitted through IHMI, ITCI and CALH.

• Settings are sent to IHMI and ITCI.

• All subscribed breakers (XCBR) receive trip commands through PIOC and PTOC, and a coordination signal is published through the CILO signal.

The first three classes of signals are transmitted to upstream logical nodes, which are indicators used to monitor and record bay-level events. The last signals are defensive and the most important, as reliable communication links between the RBRF and the subscribed XCBRs are highly essential [10].

Fig. 8. Data Communication between RBRF and other logical nodes


3.3.3 IEC61850 based zone selective interlocking

ZSI is based on comparing currents between protective zones. It uses a communication control logic system between downstream and upstream breakers. The IEC 61850 GOOSE based ZSI scheme is always concerned with blocking time. It is used to improve the level of protection in the electrical protection power system through communication between protective relays across the protected zones to reduce the fault clearing time. During ground fault or phase fault conditions, the electronic interlocking of the protective devices allows the device closest to the fault to override its preset time delay automatically and clear the fault without intentional time delay [11]. As illustrated in Fig. 9, when a short circuit fault occurs at the central chiller motor, both the faulted downstream relay and the upstream relay detect the fault. To avoid tripping the main breaker (NB-S02-01) and losing power to the whole bus, the faulted downstream relay of the CB (NB-S02-18) sends a blocking signal that blocks the upstream relay from tripping the upstream main CB (NB-S02-01). After the fault is cleared, it is no longer detected; but if the fault is not cleared and both the downstream feeder relay and the upstream relay still detect it, the main upstream relay trips the main CB (NB-S02-01) as backup protection.

Fig. 9. Protection coordination scheme using ZSI


The result is that other devices remain unaffected by the fault and the fault is cleared more rapidly than with the existing protection system without ZSI. The main advantage of applying IEC 61850 based ZSI is that it reduces the blocking time between the downstream and upstream relays to a minimum without affecting relay operation. Accordingly, the opening time and the communication time between the downstream CB (NB-S02-18) and the upstream CB (NB-S02-01) must be considered, since they require an extended blocking time that gives the feeder breakers time to operate first and isolate the fault. For the majority of relays, the internal logic execution time from the overcurrent relay picking up the fault to sending a GOOSE message is within 2 ms up to 10 ms depending on network traffic; the same applies from receiving a GOOSE message to tripping the upstream breaker. The relay contact response time is about 8 ms. A medium voltage five-cycle circuit breaker adds a further 83 ms in a 60 Hz system. Depending on network configuration and design, and on the distance between the relays and the Ethernet network, the overall travelling time between the downstream relay and the main upstream relay is about 20 ms [12]. The fault clearing time between the downstream and upstream feeder relays using ZSI can therefore be calculated as shown in Table 4:

Table 4. Fault clearing time using IEC61850 based ZSI

| Action | Clearing time |
|---|---|
| Downstream relay trip time | 40 ms |
| Lockout relay operation | 8 ms |
| Five cycle CB | 83 ms |
| Communication signal travelling time between downstream and upstream relay | 20 ms |
| Total time | 151 ms |

As a result, by applying IEC 61850 based ZSI, the fault clearing time of the upstream CB would be 151 ms for a five-cycle CB. This is considerably shorter than the existing protection time of 381 ms, which reduces the motor thermal overheating caused by short circuit fault current.

4. Results and Discussions

This paper proposed practical solutions to prevent cascading failure in the NPP's protection power system. Taking Hanbit NPP as a case study, the three major causes of the failure were defined, and the proposed solutions to prevent these failures were described in the above sections and are summarized as follows. ⓵ When a fault occurs within the protective zone, the CTI between the downstream and upstream relays can be reduced from 381 ms to 151 ms using IEC 61850 based ZSI with continuous communication between relays. If both the upstream relay and the downstream relay detect a fault current, it indicates that a fault has occurred in the branch circuit. If the fault current is detected only in the upstream relay, it means that a fault occurred in the bus, thereby preventing motor overheating without time delay. Table 5 shows the fault clearing time achieved by using IEC 61850 based ZSI interlocking compared with the existing protection system.

Table 5. Fault clearing time comparison

Fault

Downstream

Relay

Detecting

Lockout relay

CB time

Total CTI

Existing System of Hanbit NPP

40 ms

250 ms

8ms

83

381ms

Improved system

40 ms

20ms

8ms

83

151ms

⓶ Circuit breaker failure (CBF) protection operates when the primary protection device (downstream relay) sends a tripping signal to the CB to clear the fault and the circuit breaker fails to operate within a pre-set time; a trip signal is then sent to the upstream breaker using IEC 61850 to clear the fault.

⓷ Smart sensors based on IEC 61850 provide quicker monitoring of motor temperature rise before insulation failure of the motor and generate an alarm. By using the IEC 61850 standard communication protocol and a merging unit, the output signal from smart sensors can be transmitted to the digital relay without interference from electrical noise.

5. Conclusion

The use of power equipment for a long time may degrade performance and cause unexpected malfunctions or a misfire. Unexpected means that there are no measures to anticipate such an accident or breakdown. The above-mentioned operation of the high-voltage power distribution system breaker section is a representative example. In spite of the motor stop signal, the circuit breaker did not open and a ground fault occurred in the motor. An accident in one branch circuit propagated in a chain, leading to an accidental loss of power. In this paper, we proposed the ultimate solution to prevent similar accidents by using digital protection relays and IEC 61850 standard technology.

Acknowledgements

This research was supported by 2019 Research Fund of the KEPCO International Nuclear Graduate School (KINGS), Ulsan, Republic of Korea.

References

[1] A. G. Phadke, J. S. Thorp, 1996, Expose hidden failures to prevent cascading outages, IEEE Comput. Appl. Power, Vol. 9, pp. 20-23
[2] Y. Xiaohui, Z. Wuzhi, S. Xinli, W. Guoyang, L. Tao, S. Zhida, 2016, Review on power system cascading failure theories and studies, in Proc. of 2016 Int. Conf. Probabilistic Methods Appl. to Power Syst. PMAPS 2016 - Proc., Beijing, China
[3] P. Dehghanian, T. Popovic, M. Kezunovic, 2014, Circuit breaker operational health assessment via condition monitoring data, in Proc. of 2014 North Am. Power Symp. NAPS 2014, Washington, USA
[4] C. koo Chang, 2018, Cascading failure in medium voltage network of NPP and counter measures, in Proc. Korean Inst. Electr. Eng. Conf., Seoul, South Korea, pp. 1-3
[5] IEEE Std, 2001, IEEE recommended practice for protection and coordination of industrial and commercial power systems, 242 nd ed., NY
[6] S. H. Hwang, Y. S. Im, H. C. Song, J. Do Park, 2018, Real time emulation of IEC 61850 SV, GOOSE and MMS using NS-3, J. Eng. Appl. Sci., Vol. 13, No. 3, pp. 634-638
[7] S. H. Hwang, Y. S. Im, H. C. Song, J. Do Park, 2018, Real time emulation of IEC 61850 SV, GOOSE and MMS using NS-3, J. Eng. Appl. Sci., Vol. 13, No. 3, pp. 634-638
[8] IEEE Std, 2016, IEEE Guide for Breaker Failure Protection of Power Circuit Breakers
[9] T. Zhao, L. Sevov, 2013, Practical considerations of applying IEC61850 GOOSE based zone selective interlocking scheme in industrial applications, in Proc. of 66th Annual Conference for Protective Relay Engineers CPRE 2013, pp. 263-270
[10] Z. Darabi, B. Falahati, M. J. Mousavi, M. Ferdowsi, 2012, On circuit breaker failure protection in 61850-based substations, in Proc. of IEEE Power and Energy Society General Meeting, pp. 1-6
[11] C. koo Chang, 2019, Mitigation of high energy arcing faults in nuclear power plant medium voltage switchgear, Nucl. Eng. Technol., Vol. 51, No. 1, pp. 317-324
[12] M. Daboul, J. Orsagova, T. Bajanek, V. Wasserbauer, 2015, Testing protection relays based on IEC 61850 in substation automation systems, in Proc. 16th Int. Sci. Conf. Electr. Power Eng. EPE 2015, pp. 335-340

About the Authors

Moustafa Abdelrahman Moustafa

He received his B.S. degree from Benha University in 2007 and has worked at the Ministry of Electricity and Renewable Energy in Egypt since 2010.

He received his master's degree in Nuclear Power Plant Engineering from the KEPCO International Nuclear Graduate School (KINGS).

His research interest is protection and control of the electrical power system.

Choong-koo Chang

He received his M.S. in Electrical Engineering from Inha University in 1990 and his Ph.D. degree in Electrical Engineering from Myongji University in 2001.

He participated in the Younggwang NPP 3&4 and Ulchin NPP 3&4 design projects as an electrical system engineer from 1985 to 1993 at KOPEC.

From 1993 to 1998 he worked as a senior engineer for the plant control, and automation business team of Samsung Electronics. As an Executive Vice President and CTO at Sangjin Engineering from 2001 to 2012, he designed the electric power systems for nuclear power plants, thermal power plants, and combined cycle power plants.

Since 2013, he has served as a professor in the NPP Engineering Department of KEPCO International Nuclear Graduate School (KINGS).

His research interests are planning, design, and operation of the electric power systems for power plants.