**4. Lesson learned and important aspects of NPP power system protection design**

Events like the "318 Event" were seldom caused by one single reason. It can be seen from the above discussion that Taipower 3rd NPP was under multiple stresses before the event and there were mutiple mechanisms for the generation, amplification, and transfering of overvoltages which, combined with the operation practices and equipment history, eventually led to the explosion of CB#17 and total blackout of the NPP. Below are the key lessons learned from this event and their recommended preventive measure.

#### **4.1. Bus configuration and fault area isolation**

The "318 Event" was essentially triggered by a single equipment failure but leading to a complete blackout of the power plant. There are 2 key lessons learned from this event: (1) Explosion of CB#17 took down the adjacent CB#15 as well. (2) "Independent sources" are not always independent due to improper bus configuration.

For various reason such as space requirement, ease of maintenance, etc, switchgear panels are usually installed in the same room side by side. If this cannot be changed, during the risk evaluation process one must consider the N-1 condition being loss of "one group of equipment" instead of "one equipment" unless sufficient separation are provided between the equipments.

The "independence" of power sources need then be examined closely. If multiple sources or multiple buses can be taken down by a single failure such as permenant fault to ground, etc, they cannot be considered as independent sources and more backup needs to be added.

It should be noted that during the "318 Event", after the explosion of CB#17 the plant utility room was filled with smoke which makes the manual starting of other diesel generators extremely difficult. Not only were equipments under significant stress but also the human operators. It is thus recommended that the feasiblity of starting backup sources under utility room smoke condition be checked and that any manual operation required during this stage be as simple and straightforward as possible with proper interlock to reduce the chance of human error which may further escalate the event.
