Abstract

The essential power supply system is important for the nuclear safety and accident mitigation of the currently operating nuclear power plants. This system provides electrical power to the essential instrumentation and control systems of the nuclear power plant when all alternating current power sources are lost. This event is known as a station blackout (SBO) event. Operational events of failure or deficiency of the essential power supply system are analyzed in this paper. The relevant events were searched and identified in four databases of operational events. The report includes events identified in French SAPIDE and German VERA operational events records for the time period 1996 to 2015. The International Atomic Energy Agency (IAEA) IRS and Nuclear Regulatory Commission (NRC) LER operational events databases were screened for relevant events that occurred in the period between 2000 and 2016. In total, 308 relevant events are identified in the SAPIDE, 103 in VERA, 56 in LER, and 15 in IRS operational events database. Classification and in-depth analysis were done on the identified events considering the following predefined categories: the plant status during the event, circumstances, affected equipment, cause of the event (direct and root), and implications of the event on plant safety. Main findings from the evaluation of the events are presented. Observations of the causes resulting in the events and potential actions that can decrease the number and consequences of the events are presented.

1. Introduction

The safety of the operating nuclear power plants is assured with the provision, in all operational states and events, of the three main safety functions [1]:
(i) Control of reactivity
(ii) Decay heat removal
(iii) Radioactive materials containment.

These functions can be fulfilled by passive and active safety systems and features of the nuclear power plant (NPP). The active systems require external power (mechanical and/or electrical or others) for their activation and operation.

The design of the NPP electrical systems depends on multiple factors including reactor type, site and power grid characteristics, and national legislation and requirements. Figure 1 shows an example of an NPP electrical energy distribution system based on power system configurations given in [2].

The NPP electrical energy distribution system, shown in Figure 1, can be generally divided into offsite and on-site power systems [2].

The on-site power system [3] consists of electrical systems that are required for safe and reliable operation of the NPP. The safety related on-site power subsystem is designed as class 1E and marked in Figure 1. This system consists of the electrical systems that directly support fulfilment of the basic safety functions. The safety related electrical subsystem consists of power busses of the Engineered Safety Features System and emergency power sources. The emergency power sources consist of alternating current power sources (emergency diesel generators, EDGs) and direct current sources (batteries). The EDGs are expected to start and provide electrical power when electrical power from the power grid or main generator is unavailable. The loss of electrical power from the external power grid is called a loss of offsite power (LOOP) event.

The failure of the plant EDGs concurrently with the LOOP results in loss of all alternating current power sources and is known as a station blackout (SBO) event. During the SBO event the most important instrumentation and control systems are powered by the batteries for the time period referred to as station blackout coping time [4].

The importance of the electrical power system and implications of the system failure on the plant safety were demonstrated by the events at the Fukushima Daiichi nuclear power plant [5].

2. Essential Power Supply System Design

The IAEA defines safety important I&C systems as those systems that are essential for prevention of the radiation exposure of site personnel or members of the public [8]. Examples of I&C systems important to safety include the following:
(i) Reactor protection systems
(ii) Reactor reactivity control systems and their monitoring systems
(iii) Reactor cooling, emergency power supplies and containment isolation control and monitoring
(iv) Control and monitoring
(v) Accident monitoring instrumentation.

The essential I&C systems should be available during all operational states and design basis accident conditions. The essential I&C is powered, as shown in Figure 1, from the following sources through noninterruptible power supplies:
(i) The plant generator during normal operation
(ii) Offsite power grid in case of plant shutdown
(iii) On-site emergency diesel generators when plant generator and offsite grid are lost
(iv) Station batteries in case of loss of all other alternating current power sources.

The batteries are the ultimate source of electrical power in the nuclear power plant. They are electrochemical power sources that receive, store, and deliver direct current (DC) electrical energy. The cell is the basic unit of a battery and includes an assembly of electrodes and electrolyte. The voltage of the battery cell depends on the electrochemical process utilized for generation of the electricity and varies from 2V for lead-acid cells up to 4V DC for the lithium-polymer cells. For the nuclear power plants, the lead-acid flooded tubular plate batteries shown in Figure 2 are utilized. The desired DC voltage is obtained with the connection of the batteries in series with insulated flexible or solid uninsulated connectors. For example, the 125-volt DC battery consists of 60 lead-acid cells connected in series. The battery is designed to be robust and environmentally and seismically qualified [3].

The voltage of the batteries depends on the design of the plant, with voltages of 125V DC [9] and 250V DC [10, 11] identified for the Generation III+ NPP designs.

Batteries are connected to the inverters that convert the direct current into alternating current. The inverters normally include the rectifiers that are utilized for the charging of the batteries. The inverters, rectifiers, and batteries are referred to as the noninterruptible essential power supply system.

The battery capacity is normally expressed as station blackout coping time, which depends on [12] the redundancy of the on-site emergency AC power sources and their reliability, expected frequency of loss of offsite power, and expected offsite power restoration time. The guidance for analysis and assessment of station blackout coping time is provided in Regulatory Guide 1.155 [4].

3. Events Identification and Classification Methodology

Four databases of the operational events were analyzed for operational events considering loss or deficiency of the essential I&C power system. The relevant events were assessed in two steps:
(i) Databases screening
(ii) Reviewing and identification of the relevant operational events.

Database screening utilized relevant “guidewords” and “keywords” that included standard names of the systems and components of the essential power system. After screening the databases, all identified events related to the noninterruptible power supply systems were reviewed. The final list of the events was classified in categories defined in this section.

The same methodology was used previously for identification of operational events involving diesel generator failures [13] and LOOP events [14].

The French SAPIDE database operated by IRSN and German VERA database managed by GRS were searched and analyzed for relevant events that were registered in the period 1.1.1996 to 31.12.2015.

In total, 308 operational events in the SAPIDE database and 103 in VERA were identified and analyzed in the study.

It should be noted that different reporting ordinances are utilized for reporting of the operational events in SAPIDE and VERA database. As a consequence different types of events are included in the databases.

The NRC Licensee Event Reports (LERs) database was searched for the relevant events registered in years 2000-2015. The same reporting period was utilized in the screening and review of operational events in the IAEA Incident Reporting System (IRS) [15]. In total 56 relevant events were identified in the US NRC LERs database. From 47 events initially identified in the IAEA-IRS, 15 events were selected for detailed analysis.

Nine categories were defined and used for the classification of the identified events: plant status, circumstances, event type, failed or concerned equipment, detection of the event, direct cause and root cause of the event, plant consequences, and event duration. For the categories “equipment failed” and “consequences” the events were classified in multiple subcategories, and for the others only the single best matching subcategory was selected.

In the “plant status” category events were classified considering the operational mode of the plant before or during the event: power operation, hot shutdown, cold shutdown, and others.

In the “circumstances” the operational events were sorted considering the activity in the NPP when the event started: normal, shutdown or start-up operations, planned or preventive maintenance, repair, inspections and functional testing, fault finding, modifications, and others.

In the “event type” category the events were classified considering the type of loss of electrical power into: partial loss of power to essential I&C (not all trains), total loss of power to essential I&C (all trains), emergency busbars failures, degraded state/operation of the system, and others.

In “equipment failed” the following components are considered in the classification: batteries, inverter, rectifier, AC bus, DC bus, cable, transformer, electronics, generator, breakers, fuse, and others.

For each event the corresponding detection mode was identified within the category “detection of event” and classified into the following: periodic test/in-service inspection (ISI), maintenance, fault report in control room, work surveillance, supplementary inspection, and others.

In the “direct cause of event” category the events were classified into the following groups: electrical, mechanical and I&C deficiency, human factor, environmental causes, unknown, and others.

In the “root causes” category events were classified based on the causes resulting in the occurrence of the event: human performance related root causes, equipment related root causes, and others.

In the “consequences” category the following groups were defined: noncompliance with the technical specifications of the plant, reactor trip, material degradation, switching of internal lines, transient, others, and unknown.

In the “event duration” category events were classified according to their duration: longer than 2 hours, shorter than 2 hours, and undefined. This classification is based on the criteria set in the standard technical specifications of the Westinghouse Plants [16] where 2 hours is the maximum allowed time for restoration of one/both trains of DC power system.

The number of the events identified in the different categories is presented in the following sections.
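
The two-step procedure described in this section, sketched in Python as an added example (not code from the study). The event records, the keyword list and the review decisions are constructed; only the category and subcategory names come from the text, and counting an event of exactly 2 hours in the shorter bucket is an assumption.

```python
from collections import Counter

# Assumption: screening keywords are component names from the "equipment
# failed" category; the keyword list actually used in the study is not given.
KEYWORDS = ("battery", "batteries", "inverter", "rectifier", "dc bus")

# Per the text, only these two categories take several subcategories per event.
MULTI_LABEL = {"equipment_failed", "consequences"}

# Subcategory names as listed in the text (four of the nine categories shown).
SCHEMA = {
    "plant_status": {"power operation", "hot shutdown", "cold shutdown", "others"},
    "equipment_failed": {"batteries", "inverter", "rectifier", "AC bus", "DC bus",
                         "cable", "transformer", "electronics", "generator",
                         "breakers", "fuse", "others"},
    "consequences": {"noncompliance with TS", "reactor trip", "material degradation",
                     "switching of internal lines", "transient", "others", "unknown"},
    "event_duration": {"longer than 2 hours", "shorter than 2 hours", "undefined"},
}


def screen(records):
    """Step 1: keep records whose free text mentions any screening keyword."""
    return [r for r in records if any(k in r["text"].lower() for k in KEYWORDS)]


def duration_bucket(hours):
    """Bucket by the 2-hour restoration limit (exactly 2 h counted as shorter)."""
    if hours is None:
        return "undefined"
    return "longer than 2 hours" if hours > 2 else "shorter than 2 hours"


def validate(labels):
    """Enforce known subcategories and the single-label rule."""
    for category, allowed in SCHEMA.items():
        chosen = labels.get(category, [])
        if not chosen:
            raise ValueError(f"{category}: no subcategory selected")
        if category not in MULTI_LABEL and len(chosen) != 1:
            raise ValueError(f"{category}: exactly one subcategory allowed")
        unknown = set(chosen) - allowed
        if unknown:
            raise ValueError(f"{category}: unknown subcategory {sorted(unknown)}")
    return labels


def classify(raw, review):
    """Step 2: drop keyword hits rejected in review, classify the rest."""
    hits = screen(raw)
    events = []
    for record in hits:
        labels = review.get(record["id"])
        if labels is None:  # keyword hit, but judged not relevant by the reviewer
            continue
        labels = dict(labels, event_duration=[duration_bucket(record["hours"])])
        events.append(validate(labels))
    return hits, events


def tally(events, category):
    """Count events per subcategory; multi-label totals may exceed len(events)."""
    counts = Counter()
    for labels in events:
        counts.update(set(labels[category]))
    return counts


def shares(events, category):
    """Percentage of events carrying each subcategory."""
    return {k: round(100 * v / len(events), 1) for k, v in tally(events, category).items()}


# Constructed sample records (not taken from SAPIDE, VERA, LER or IRS).
RAW = [
    {"id": "E1", "text": "Inverter tripped during functional test; DC bus voltage low.", "hours": 0.5},
    {"id": "E2", "text": "Battery capacity below acceptance criterion in discharge test.", "hours": 30},
    {"id": "E3", "text": "Turbine control valve stuck during start-up.", "hours": 1.0},
    {"id": "E4", "text": "Rectifier disconnected after voltage transient; reactor trip.", "hours": None},
    {"id": "E5", "text": "Battery of a portable radiation monitor replaced.", "hours": 0.2},
]

# Constructed review decisions; None marks a hit rejected as not relevant.
REVIEW = {
    "E1": {"plant_status": ["power operation"],
           "equipment_failed": ["inverter", "DC bus"],
           "consequences": ["noncompliance with TS"]},
    "E2": {"plant_status": ["cold shutdown"],
           "equipment_failed": ["batteries"],
           "consequences": ["noncompliance with TS", "material degradation"]},
    "E4": {"plant_status": ["power operation"],
           "equipment_failed": ["rectifier"],
           "consequences": ["reactor trip", "transient"]},
    "E5": None,
}

if __name__ == "__main__":
    hits, events = classify(RAW, REVIEW)
    print(len(hits), "keyword hits,", len(events), "relevant events")
    print(shares(events, "plant_status"))
    print(dict(tally(events, "equipment_failed")))
```

Because “equipment failed” and “consequences” accept several subcategories per event, their counts can add up to more than the number of events, which matters when reading the per-category figures.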

4. Results

The following sections present the classification of the events in categories defined in Section 3.

4.1. Plant Status

Numbers of operational events in the evaluated databases classified considering “plant status” category are given in Table 1.

The largest number of events, as shown in Table 1, took place during power operation. The second largest number was registered during hot shutdown.

The number of events in a given year is divided by the number of operating plants in the given country. The obtained results are given in Figures 3, 4, and 5.

The assessed average number of events is 0.265 events per unit/year in the IRSN SAPIDE database and 0.263 events per unit/year in the GRS VERA database.

Average number of 0.033 events per unit/year is registered for events in NRC-LER database in the analyzed period.

The distribution of the events in the IRSN SAPIDE database by “plant status” category is given in Figure 6.

The power operation events followed by the cold and hot shutdown have largest number by “plant status” category. The power operation events contribute 55% to overall registered events as shown in Figure 6. The family “others” with 3 % share includes events where the plant status was not specified (e.g., after the discovery of a qualification gap, supplementary inspections were made in all NPPs without specifying the plant status).

The French NPPs are in power operation mode 80% of the time [17]. The number of events during power operation (169 events) is larger than that for the remaining plant status categories (139 events). This can be attributed to the fact that many maintenance activities are scheduled during power operation mode.

The distribution of the events identified in GRS VERA database by “plant status” category is given in Figure 7. Equal number of events is identified for power operation and cold shutdown of the plant as shown in Figure 7. Obtained result is expected considering shorter power operation period of the German NPPs compared to other plants considered in the study. Furthermore, a lot of inspection and functional testing are scheduled during cold shutdown. Only 2% of the events occurred during start-up or shutdown operation as shown in Figure 7.

The events count and percentage distribution by plant status in US NRC LERs database are given in Figure 8.

Figure 8 shows that largest count in US NRC LERs is registered for events during power operation that contribute 86% of all registered events.

The distribution of the events from the IAEA-IRS by “plant status” category is given on Figure 9.

Figure 9 shows that the largest number of events in IAEA-IRS is registered for events during power operation with 73% share in all identified events. Only 2 events in cold shutdown, one event during hot shutdown, and one during unspecified state are identified.

The obtained results show that most of the events of loss of essential power system took place during power operation. Only the events identified in GRS VERA have equal share of power and cold shutdown state.

4.2. Circumstances

The distribution of the events according to the “circumstances” (i.e., the activity that was in progress at the plant when the event took place or was registered) is given in Figures 10–13.

The “planned and preventive maintenance” activity with 32% share, as shown in Figure 10, has largest contribution to the “circumstances” for IRSN SAPIDE.

Largest share of events in GRS VERA, as shown in Figure 11, has the “inspection and functional testing” with 47% followed by the “normal operations” with 29% share.

Figure 12 shows that “normal operation” with 45%, “inspection and functional testing” with 23%, and “planned or preventive maintenance” activities with 20% have largest share for events in NRC-LER.

The “normal operation” with 40% share is the main activity for events identified in IAEA-IRS, as shown in Figure 13.

The “planned and preventive maintenance” in IRSN SAPIDE, “inspection and functional testing” in GRS VERA, and “normal operation” for US NRC LERs and IAEA-IRS operational events databases are assessed as most important “circumstances” for the identified events.

4.3. Event Type

The distribution of the events identified in IRSN SAPIDE by “event type” is given in Figure 14.

Figure 14 shows that “degraded state/operation of the power system” and “total loss of power to essential I&C” have largest number in the IRSN SAPIDE events.

Figure 15 shows the obtained results by “event type” for the GRS VERA events.

Figure 15 shows that almost half of the events (45%) led to a degraded state or emergency busbar failures. A similar number of the events led to an emergency busbar failure. Events of total loss of power to essential I&C were not observed. This is caused by the fact that in Germany NPPs perform a lot of periodic testing of the emergency power supply (every four weeks). During periodic testing and switching to the emergency power supply some events resulted from defects or problems with breakers.

Figure 16 shows the obtained results by “event type” for events in US NRC LERs.

Figure 16 shows that “partial loss of power” has the largest share with 46% of all events. The “degraded state” has a slightly smaller number of events. The “total loss of power” events account for 12% of all registered events. The identified number and share are observed as large considering the implications of this type of events.

Figure 17 shows the obtained results by “event type” for the IAEA-IRS events.

Figure 17 shows that “partial loss of power” events have the largest share with 73% of all identified events.

The “degraded state” is the most frequent event type registered in the analyzed databases. The “total loss of power” event type is identified as an important contributor to IRSN SAPIDE and US NRC LERs events. The emergency busbar failure is identified as important for the GRS VERA.

4.4. Equipment Failed

The number of events by “equipment failed” category in IRSN SAPIDE is given in Figure 18.

Figure 18 shows that largest number of events is registered for “DC bus” failures followed by the “inverter” failures.

The number of events by “equipment failed” identified in GRS VERA is given in Figure 19.

Figure 19 shows that “breakers” and “electronics” failures have largest contribution to the events in GRS VERA.

Results for the US NRC LERs events are given in Figure 20.

The “battery” and “inverter” failures followed by the “electronics” failures have largest contribution to events registered in the US NRC LERs as shown in Figure 20.

The “inverter” and “rectifier” failures followed by “battery” and “fuse” failures have largest contribution to the IAEA-IRS events as shown in Figure 21.

The presented results show that different component failures in the analyzed databases resulted in the loss of essential power system. The potential causes for these differences are different designs of the plants power systems and corresponding operational procedures.

Most of the events are identified by the fault report in the control room in all four analyzed databases.

4.5. Direct Cause

Distribution of the events considering “direct cause” category for events in IRSN SAPIDE and GRS VERA are given in Figures 22 and 23, respectively.

The “electrical deficiency” and “human factor” are most important direct causes for the events identified in both databases as shown in Figures 22 and 23.

Distributions of the events in US NRC LERs by “direct cause” are given in Figure 24.

The “electrical deficiency,” as shown in Figure 24, is the main direct cause for events in US NRC LERs. The “mechanical deficiency” has smaller share with other causes having minor contribution.

The “direct causes” for events registered in IAEA-IRS are given in Figure 25.

The “electrical deficiency” followed by “human factor” direct cause have largest number for events in IAEA-IRS as shown in Figure 25.

The results in this section show that “electrical deficiency” is the main direct cause of registered events in the analyzed databases.

4.6. Root Cause

Distribution of the events considering “root cause” category for events in IRSN SAPIDE is given in Figure 26.

Human performance related root causes start with “H” while equipment related root causes start with “E.”

Figure 26 shows that most of events from IRSN SAPIDE are related to the human failures. This is interesting result considering Figure 22 where “electrical deficiency” was identified as the most important direct cause. Human failures resulting from deficient procedures have largest share in the human failures root causes registered in the IRSN SAPIDE, as shown in Figure 26.

Obtained results for the events counts by “root cause” in the GRS VERA are given in Figure 27.

Largest number of events in Figure 27 is registered for electrical root causes. Obtained result complements the results in Figure 23 where electrical direct causes have largest contribution.

Distribution of the events considering “root cause” category for events in NRC-LER is given in Figure 28.

The largest share in the events in NRC-LER, as shown in Figure 28, has electrical equipment failure related causes resulting from the failures during design, manufacturing, and installation of the equipment followed by the failures after installation and equipment aging.

The events in IAEA-IRS classified according to “root cause” are presented in Figure 29.

Failures due to design, manufacturing, and installation of the equipment have largest number of the events in IAEA-IRS as shown in Figure 29.

4.7. Consequences

Number of events by “consequences” in IRSN SAPIDE is given in Figure 30.

The “noncompliance with TS” followed by the events classified as “others,” as shown in Figure 30, has largest share in “consequences” in IRSN SAPIDE. This includes events with anticipated failure of the system due to qualification discrepancies or exceeding of the maintenance periodicity or the unavailability of DC switchboards isolation alarm.

Figure 31 shows obtained results for “consequences” in GRS VERA.

The “others” have largest share for events in GRS VERA as shown in Figure 31. This includes, in addition to events with no specifically named consequences, all events that have no consequences. The most common possibility for no consequences is that a deficiency was detected before the concerned system function was requested. This underlines that the concepts of periodic testing for power supply systems work well in German NPPs, because most of the deficiencies were detected before the system was requested.

Counts of events by “consequences” in NRC LERs are given in Figure 32.

The noncompliance with technical specifications and reactor trip are identified as most important “consequences” for events in US NRC-LER. Potential cause for this result is built in redundancy (at least two trains) in the design of the essential power systems of the US NPPs.

Distribution of “consequences” for events in IAEA-IRS is given in Figure 33.

Figure 33 shows that reactor trip was most frequent consequence for events registered in IAEA-IRS.

4.8. Event Duration

The distribution of the events identified in IRSN SAPIDE by “event duration” is given in Figure 34.

Figure 34 shows that in case of more than half of the events the electric power to the essential busses is restored within 2 hours following the start of the event.

Figure 35 shows that most of the events in GRS VERA have unspecified length. This is due to the different reporting criteria compared to the IRSN SAPIDE. In France, the chronology of facts provides details about the event duration whereas, in Germany, the event duration is not always specified.

Figure 35 shows that most of the reported events in GRS VERA were shorter than 2 hours.

The distribution of the events identified in NRC-LER by “event duration” is given in Figure 36.

Figure 36 shows that the largest number of events in US NRC LERs database was longer than 2 hours. This result is important because 2 hours is the maximum allowed time for restoration of one/both trains of essential power system before the power reduction or shutdown of the plant is required.

Data considering the length of the event was missing in IAEA-IRS database. Therefore analysis was not done for those events.

5. Discussion

There are significant differences among the operational events databases considered in the study. The databases differ in multiple respects including reporting criteria, design of the NPPs, and operational and regulatory frameworks.

Review and analysis of the relevant events were done in order to assess activities that can prevent or mitigate impact of loss of essential power system on the NPP operation and safety.

The most important lessons learned from the analyzed events are summarized here. The lessons learned are grouped based on the type of activity or affected component of the essential power system.

5.1. Environmental Conditions and Aggregate Effects

(i) Environmental conditions can affect functionality and capacity of the essential power system (for example, lower temperatures in battery rooms or high temperatures in inverter rooms).
(ii) Environmental conditions may cause voltage transients and lead to the tripping of rectifiers.
(iii) Aggregate effects of multiple factors (power battery temperatures, high electrolyte specific gravities, and marginal float voltages) over time can cause the loss of battery capacity.

5.2. Events outside Essential Power System Affecting the System

(i) Failures outside essential power system, due to the electrical connections, can propagate and affect multiple components within the essential power system.
(ii) A time-lag changeover of auxiliary power busbars to the standby grid can affect essential power system and connected safety-relevant consumers.

5.3. Surveillance, Maintenance, and Procedures Issues

(i) Incomplete surveillance procedures for the essential power system can result in decreased awareness of applicable technical specification and notification requirements by the relevant staff.
(ii) Human mistakes induced by outdated maintenance procedures after design modifications can affect the complete power supply.
(iii) Human mistakes related to the correct identification and labelling of spare parts used during maintenance activities can result in failure of power supply.
(iv) Failure of the inverter can cause significant operational challenges especially if the design of the essential power system is not single train fault-tolerant.
(v) Installation of “safety related commercial grade” components without receiving the appropriate requalification within essential power system can result in failure of the system.

5.4. Aging and Degradation Phenomena

(i) The relays aging phenomenon should be considered in the preventive maintenance strategy that has to be adapted to the relays frequency of use.
(ii) Different manufacturing deficiencies and age-related phenomenon (for example, plate shedding, sulphation phenomenon) can result in rapid decrease of batteries capacity within the essential power system after a period of operation in the floating mode.
(iii) Heat related degradation of the wiring insulation due to the heat sources within the inverter cabinets can result in failure (short circuit) of the essential power system.
(iv) Grease aging can result in mechanisms jamming of circuit breakers installed in essential power system and consequential loss of power to essential loads.
(v) Accelerated aging of the core and nylon rods/nuts, due to a high operating temperature, can result in failure of the resistance of the inductors in the event of an earthquake. This discrepancy can lead to the inverter failure and loss of its powered switchboards.
(vi) The physical phenomenon “whiskers” can result in short circuit and disabling of the DC part of the essential power system.
(vii) The criteria set for the short (10 minutes) discharge tests during power operation are not correctly reflecting the true state of the batteries.

5.5. Fires and Essential Power System

(i) Fire due to electric arcs can cause short circuits in the control voltage supply of the circuit breakers.
(ii) Fire due to electric arcs can cause the tripping of fuses within the essential power system.
(iii) An inappropriate routing of cables can cause a failure of essential power system in case of an external disturbance caused by a fire.

5.6. Interconnections and Fixtures of Batteries

(i) The heat and arcing associated with the loose bolting can cause degradation over the life of the plant and subsequent failure of the busbars of essential power system.
(ii) An inadequate fixing of batteries may cause cracks in battery cases.
(iii) The loosening of electrical connections can lead to overheating and consequential equipment degradation of the essential power system.

6. Observations

General observations, identified in the analyzed events, are listed below. The actions proposed in these observations are expected to decrease the probability of having loss of essential power system or consequences resulting from such event. The observations are classified considering type of activity or affected system.

6.1. Environmental Conditions and Aggregate Effects

Adequate consideration of environmental conditions including temperature of the battery rooms in the plant procedures should be checked and verified. The essential power systems should be protected from the external and internal hazards that are identified as potential and relevant for the given location of the NPP. In case of intervention on the ventilation systems, it is necessary to ensure that the maximum temperatures of the different rooms are not reached or that compensatory measures are adapted to the temperature-sensitive equipment.

6.2. Events outside Essential Power System Affecting the System

Independence of the essential power system from offsite power sources should be considered in the design of the NPP electrical system in order to prevent propagation of faults, including electrical, on essential safety busses and the failure to deliver power to the essential loads.

It has to be examined whether a time-lag changeover of auxiliary power busbars to the standby grid will impermissibly impair operational and safety-relevant consumers. If necessary, remedial action has to be taken.

The rectifier voltage monitors used at the DC part may already effect the tripping and permanent disconnection of the rectifiers in a single occurrence of adverse operational voltage transients. The voltage monitoring should be converted into a system that will not trip and permanently disconnect the rectifiers until several excess voltages have occurred.
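
The recommended change to the rectifier voltage monitor, as an added Python sketch rather than any plant's or vendor's logic. The 140 V setpoint, the count of three excursions, the 10 s counting window and the voltage traces are all assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ExcessVoltageMonitor:
    """Latching trip that fires only after several separate excess voltages."""
    limit_v: float      # assumed excess-voltage setpoint
    trips_after: int    # number of excursions required before tripping
    window_s: float     # assumed window in which excursions are counted
    tripped: bool = False
    _above: bool = False
    _excursions: deque = field(default_factory=deque)

    def sample(self, t_s, volts):
        """Feed one (time, voltage) sample; return True once tripped."""
        if self.tripped:
            return True  # permanent disconnection stays latched
        above = volts > self.limit_v
        if above and not self._above:
            # Rising edge: a new excursion, not a continuation of the last one.
            self._excursions.append(t_s)
            while t_s - self._excursions[0] > self.window_s:
                self._excursions.popleft()  # forget excursions outside the window
            if len(self._excursions) >= self.trips_after:
                self.tripped = True
        self._above = above
        return self.tripped


def first_trip_time(trace, trips_after, limit_v=140.0, window_s=10.0):
    """Return the time of the latched trip for a trace, or None if none occurs."""
    monitor = ExcessVoltageMonitor(limit_v, trips_after, window_s)
    for t_s, volts in trace:
        if monitor.sample(t_s, volts):
            return t_s
    return None


# Constructed traces around a nominal 125 V DC bus: (time in s, volts).
SINGLE_TRANSIENT = [(0.0, 125.0), (1.0, 126.0), (2.0, 150.0), (3.0, 125.0), (4.0, 125.0)]
REPEATED = [(0.0, 125.0), (1.0, 150.0), (2.0, 125.0), (3.0, 152.0),
            (4.0, 125.0), (5.0, 151.0), (6.0, 125.0)]
SPARSE = [(0.0, 125.0), (1.0, 150.0), (2.0, 125.0), (20.0, 150.0),
          (21.0, 125.0), (40.0, 150.0), (41.0, 125.0)]

if __name__ == "__main__":
    # trips_after=1 reproduces the single-occurrence behaviour described above.
    for name, trace in (("single transient", SINGLE_TRANSIENT),
                        ("repeated", REPEATED), ("sparse", SPARSE)):
        print(name, first_trip_time(trace, 1), first_trip_time(trace, 3))
```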

6.3. Surveillance, Maintenance, and Procedures Issues

The surveillance procedures for batteries should include clear action statements when batteries do not fulfil requirements/acceptance criteria set in technical specifications.

Training programs for maintenance personnel should include a detailed description of the proper use of measuring and test equipment used for testing of the essential power system, including precautions against the use of grounded test equipment. The maintenance activities on the essential power system during power operation should be avoided. Risk sensitivity controls (evaluation of risk and consequences) are necessary in the case when maintenance cannot be avoided or delayed. It is recommended to administratively prevent work from being performed on the affected DC electrical distribution panels, and on cables within the cable spreading room connected to the affected DC electrical distribution panels, when the associated DC bus is required to be operable. The systems/components of the essential power system should be clearly and visibly marked.

The actual state has to be taken into account during planning modification procedure and work surveillance, including potentially affected adjacent systems/components. It is recommended to check the in-house procedures for the labelling of used and stocked instrumentation and control equipment so that clear and type-accurate labelling which is still visible from outside even after the installation of the equipment is ensured, especially for safety-relevant areas. Compliance with these procedures should be checked by the representative inspections. The respective procedures should furthermore ensure that the documents are revised whenever types or type identifications are changed.

After work in the wiring of safety-relevant systems, the function tests are normally carried out. These tests should also include a check of the correct condition of the wiring. Furthermore, it is important to check not only the functioning of the system concerned but also the corresponding alarm signals.

The design of the essential power system should be reviewed against the single failure criterion if operational experience or other information indicates potential noncompliance. Adequate separation of the DC power system trains should be implemented in the design. A failure analysis should be developed to ensure that multiple faults from a single harsh environment design basis event will not impact the safety-related DC system. Loss of power supply to essential instrumentation should be clearly indicated to the operators. The NPP should have procedures for operation in case of the loss of the essential power system (with the corresponding instrumentation), including alternative approaches for assessment of plant parameters and a procedure for restoration of the power.

6.4. Aging and Degradation Phenomena

The relay aging phenomenon should be considered in the preventive maintenance strategy, which has to be adapted to the relays' frequency of use.

Replacement of the batteries is recommended when loss of capacity due to an age-related phenomenon (for example, plate shedding) is identified. Temporary remedial actions such as electrical treatment of the battery (high level equalizing, single cell charging, and agitation) or the addition of cells should be considered interim fixes pending the delivery of replacement batteries.

Adequate testing procedures and guidelines need to be implemented in the NPP in order to identify degradation of the batteries in a timely manner. The procedure for the maintenance and testing of the batteries of the essential power system should include criteria for indicating a degraded battery based on the drop in capacity from its average or previous test capacity.

Diversity in the design of the batteries (including battery type, supplier, time of procurement, and implementation) and in the staging of the periodic testing can increase the reliability of the essential power system.

The criteria set for the short (10 minutes) discharge tests with the unit on power do not accurately reflect the true state of the batteries. The criteria and the scheduling of the tests need to be based on the curves obtained in successive discharges of the battery. The tests need to be carried out under the same conditions (current and time).

Preventive maintenance work instructions for inverters should include instructions for checking wiring state and functionality within the cabinets.

Maintenance programs for electrical equipment must take into account the phenomenon of grease aging.

The life duration of the electrochemical capacitors should be considered during design and maintenance, with preference given to electrochemical capacitors with a long life duration.

It is recommended to take into account the whiskers phenomenon when designing electrical equipment.

In order to highlight the failures of the relays and to ensure that they will not compromise the operation of the actuators under exceptional power supply reference conditions, it is recommended to enhance the following: periodic testing of the safeguard actuators; periodic testing of the protection chains as part of their maintenance; strengthened permanent monitoring of the isolation of the auxiliary voltage networks.

The plant staff should promptly identify, fully analyze, and resolve in a timely manner unexpected safety-significant trends and test data concerning vital battery operability.

6.5. Fires and Essential Power System

The settings of the protective equipment of the circuit breakers should be checked with regard to the selective clearing of electric arcs with low short-circuit currents. The faulty response of the protective equipment triggered by operational power transients has to be avoided.

The main bus shielding between the phases of the outgoing circuits of the circuit breaker should be checked and also upgraded if necessary.

The addition of further clearing conditions into the protective trip mechanism of the circuit breaker should be checked if the clearing of electric arcs cannot be ensured for the substations with sufficient reliability.

The routing of cables of the control voltage supply within the substation should be checked and optimised if necessary so that in case of a disturbance in a switching panel (e.g., fire), selective protective tripping within the substation will remain effective.

6.6. Interconnections and Fixtures of Batteries

Adequate electrical work plans, including those for connections, should be implemented in order to minimize the probability of loose connections within the essential power system.

It is recommended to review the battery fixing with regard to tensions on the battery cases. Furthermore, it is recommended to improve the performance of the fastening process with regard to human factors.

It is recommended to regularly check the tightness of the electrical connections and perform thermographic inspection on the electrical connections.

7. Conclusions

The relevant events of essential power supply system failure or deficiency are identified and analyzed. Four databases of operational events were screened for the relevant events: IRSN SAPIDE, GRS VERA, IAEA-IRS, and NRC-LER operational events databases.

In total, 308 relevant events are recognized in the IRSN SAPIDE, 103 in GRS VERA, 56 in NRC-LER, and 15 in IAEA-IRS operational events databases.

Most of the events of loss of essential power in three of the analyzed databases (IRSN SAPIDE, NRC-LER, and IAEA-IRS) are identified in power operation mode. For the GRS VERA events, an equal share from power operation and cold shutdown events was identified.

The most important “circumstances” are “planned and preventive maintenance” in IRSN SAPIDE, “inspection and functional testing” in GRS VERA, and “normal operation” for events in US NRC.

The “degraded state” event type has the largest number of events in all analyzed databases. The “total loss of power” event type is identified as an important contributor to IRSN SAPIDE and US NRC LERs events. The emergency busbar failure is identified as an important event type in GRS VERA.

Different component failures resulted in loss of essential I&C power in the analyzed databases.

The “DC bus” failures and the “inverter” failures have the largest contribution to the events registered in IRSN SAPIDE. The “breakers” and “electronics” failures within the system are the largest contributors to the events from GRS VERA. “Battery” and “inverter” failures followed by the “electronics” failures are the most important contributors to events from US NRC LERs. The “inverter” and “rectifier” failures followed by “battery” and “fuse” failures are identified as the most important for events in IAEA-IRS. These differences in the obtained results can be attributed to the different designs of the power system as well as to different inspection and maintenance strategies in different countries.

Most of the relevant events in all four databases are identified by the fault report in the control room.

The “electrical deficiency” is the most frequent direct cause for the identified events. The “human factors” direct cause was identified as important in events from the SAPIDE and VERA databases.

Electrical failures are identified as the main root cause for events in GRS VERA, NRC-LER, and IAEA-IRS. Human failure root causes are identified as the most important for events from IRSN SAPIDE. Human failures due to deficient procedures have the largest share in the human failure root causes registered in IRSN SAPIDE. Almost one-quarter of the events in GRS VERA were caused by unknown electrical issues, followed by events caused by other electrical reasons. In the NRC-LER and IAEA-IRS databases, the largest share of events consists of electrical equipment failure events related to failures during design, manufacturing, and installation of the equipment.

The “noncompliance with technical specifications” followed by the events classified as “others” are the most frequent “consequences” for events in IRSN SAPIDE. Most of the events in GRS VERA were attributed to the family “others” because the deficiency was detected before the concerned system function was requested. The largest number of events in NRC-LER resulted in “noncompliance with technical specifications” followed by “reactor trip.” The “reactor trip” is the most frequent for the events in IAEA-IRS.

For the duration of the identified events, an “event duration” shorter than 2 hours was assessed in IRSN SAPIDE, an undefined length in GRS VERA, and a duration longer than 2 hours in US NRC LERs.

The main observations from the selected events and general recommendations for prevention and mitigation of the events resulting in loss of essential power system are presented.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Disclosure

The scientific output expressed in this article may not in any circumstance be regarded as stating an official position of the European Commission. Neither the European Commission nor any person acting on behalf of the Commission is responsible for the use which might be made of this publication.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research is supported partly by the European Union (EU) Framework Programme for Research and Innovation Horizon 2020 and partly by the Slovenian Research Agency (program P2-0026).