12 2006 A New Tool For Reliability Studies of Electrical Networks

A new tool for reliability studies of electrical networks with stand-by redundancies: OPALE

E. Breton, M. Bouissou, J. Aupied
Research engineers, EDF R&D


During the last 30 years, EDF has acquired a thorough experience in modelling the reliability and safety of nuclear power plants. Relying on this experience, the R&D division decided to carry out reliability studies of electrical systems in order to optimise EDF's electrical network asset management.
But this type of system, which usually has stand-by redundancies, is difficult to treat with classic reliability methods like fault trees or reliability block diagrams.
This paper presents a tool called OPALE, based on innovative methods developed by EDF R&D. A demonstration of OPALE is done on a complex electrical network with stand-by

Index Terms: availability, BDMP, electrical network, OPALE, reliability, Markov graph, stand-by redundancy, substation.

CALCULATION of the dependability (reliability and availability) of a static network with active redundancies is possible with classic probabilistic methods, such as fault trees or reliability block diagrams. But it is much more difficult to determine the dependability of a network with stand-by redundancies and dynamic reconfigurations. Unfortunately, in the field of electrical networks, active redundancies are very rare. Indeed, most electrical failures have to be isolated with a circuit breaker, which can fail to open. To take into account stand-by redundancies, refusal of opening of circuit breakers, and refusal of functioning of automation systems and protection relays, without using Monte Carlo simulation and its huge needs in computing power, two methods were identified:
• Event trees,
• Markov graphs.
These two methods, which present some disadvantages, are compared on a test case representative of the existing difficulties. We use this example firstly to show the limitations of event trees and secondly to introduce an innovative way of using Markov graphs, thanks to a new formalism called BDMP (Boolean logic Driven Markov Process)®. Finally, we demonstrate the tool OPALE, which fully automates the construction of a BDMP and the dependability calculations from the input of the physical layout of an electrical system.

ELECTRICAL SYSTEMS

A. Studied test case
To show the main difficulties due to the existence of a stand-by redundancy on a simple case, we are going to study the case of an electrical system made up of a normal train and an emergency train powered by a diesel generator.

FIGURE 1: STUDIED NETWORK [drawing not recoverable from the extraction; labels visible: Network, Tr1, Studied Point]

The studied undesirable event is the loss of supply of the Low Voltage Distribution Board (LVDB) during a time greater than the time needed to start the Diesel Engine Source (DiES). An automatic change-over permits switching between the normal train and the emergency train. The circuit breaker CB2 is initially open. A short circuit on the transformer or on the network can propagate to the LVDB only if there is a refusal of opening of the circuit breaker CB1. The reconfiguration procedure may fail because of one of the following events:
• Refusal of opening of CB1 (γ1)
• Refusal of starting of DiES (γd)
• Refusal of closing of CB2 (γ2)
During the time needed to repair the main train (Tr1 or Network), DiES can also fail (λd, µd).

B. Difficulties with classic methods
Static fault trees or reliability block diagrams are powerful tools to resolve cases without reconfiguration, and without temporary phases due to these reconfigurations. They are like a camera, only able to take a picture of a situation.
The main difficulty in a case with reconfiguration due to a stand-by redundancy is to take into account failures of the emergency line only during the time of unavailability of the normal line, and not during the entire mission time. To take this aspect into account, we have to use a sequential method like the event tree method. Another difficulty is to take into account potential failures during the reconfiguration. These potential "on demand" failures are described by a probability γ.
Event tree and Markov graph methods allow one to describe a dynamic system with reconfigurations and take, not a picture, but a movie of the system (sequential functioning).

A. Method
To use the event tree method, it is necessary to know all the initiating events liable to occur and their frequencies. Afterwards, for each initiating event, the complete emergency procedure must be described to build an event tree. A good knowledge of the system is required. So, the event tree can model the sequential safety actions with their possible failures, i.e. "on demand" and "in operation" failures.
Moreover, the duration of operation of standby components is to be defined. Generally, it is equal to the unavailability time of the normal train, which can be calculated with a classical model (a fault tree for instance).
The quantification of all the failure sequences of the emergency train is done by:
$P(C_{un}) = P\left(\bigcup_i S_{qi}\right)$
Since the sequences are mutually exclusive, the probability is:
$P(C_{un}) = \sum_i P(S_{qi}) = 1 - \sum_i P(S_{ai})$
With:
• $P(C_{un})$ = probability of having an unacceptable consequence (undesirable event),
• $P(S_{qi})$ = probability of a failure sequence,
• $P(S_{ai})$ = probability of a success sequence.

B. Test case
Initiating events:
• Failure of Network or Transformer
• SC on CB1 (SC = short circuit)
• SC on LVDB
SC on CB1 and on LVDB are critical failures: there is no emergency solution to these failures, so there are no event trees to build for these initiating events. The event tree of Fig. 2 describes the sequences that can occur after a failure of the network or of the transformer:

FIGURE 2: EVENT TREE [reconstructed from the labels of the figure]
Initiator Event (IE): failure of the normal train, frequency $\lambda = \lambda_{Net} + \lambda_{Tr1}$
Generic Events (GE), in order: RO CB1 (opening of CB1), RS DiES (starting of DiES), RC CB2 (closing of CB2), Fail DiES (failure of DiES during the repair)
Undesirable Events (UE):
• RO CB1 refused, probability γ1 → UE1
• CB1 opens (1 − γ1), RS DiES refused, probability γd → UE2
• DiES starts (1 − γd), RC CB2 refused, probability γ2 → UE3
• DiES fails during the repair time τ, probability $1 - e^{-\lambda_d \tau}$ → UE4
• all actions succeed and DiES survives the repair time, probability $e^{-\lambda_d \tau}$ on the last branch → OK

The probability of failure of the mission is:
$P(C_{un}) = \sum_i P(S_{qi}) = 1 - \sum_i P(S_{ai})$
$P(C_{un}) = 1 - (1-\gamma_1)(1-\gamma_d)(1-\gamma_2)\,e^{-\lambda_d \tau}$
with τ the mean repair time of the normal train, estimated by the formula:
$\tau = \dfrac{\lambda_{Tr1}\,\tau_{Tr1} + \lambda_{Net}\,\tau_{Net}}{\lambda_{Tr1} + \lambda_{Net}}$
Consequently, the equivalent failure rate for this part of the system is:
$\lambda_{eq} = P(C_{un}) \times (\lambda_{Tr1} + \lambda_{Net})$
To determine the equivalent failure rate of the entire system, we have to add the failure rates of the LVDB and of CB1. So, the equivalent failure rate for the complete system is:
$\lambda_{Syst} = \lambda_{eq} + \lambda_{LVDB} + \lambda_{CB1}$
In § VI. D. a numerical application is done and compared with the results obtained with the tool OPALE.

C. Conclusion on the event tree method
The event tree method allows one to resolve this simple case of stand-by redundancy, in spite of the fact that one has to find "manually" all initiators and all sequences of success and failure (and one event tree per initiating event must be built). This can be a problem for the reproducibility of the study.
Moreover, this method is not suitable for unavailability calculations and is inapplicable in the case of a cascade of stand-by redundancies.
Another way to solve all these modelling problems (and many others) is Markov models. But Markov modelling is usually severely limited because the number of states to consider is an exponential function of the number of components in the system.
Consequently, a new formalism called Boolean logic Driven Markov Processes (BDMP) [1], [2] was developed, which
enables the analyst to combine concepts inherited from fault trees and Markov models. This very effective formalism has allowed R&D's dependability specialists to carry out easily the reliability and availability study of electrical networks including stand-by redundancies and reconfiguration procedures, for EDF [3] and its customers [4].

A. General
The general idea of BDMP, as suggested by their name, is to associate a Markov process (which represents the behaviour of a component or a subsystem) with each leaf of a fault tree. This fault tree is the structure function of the system.
What is really new with BDMP is that:
• the basic Markov processes have two "modes", corresponding to the fact that the components/subsystems that they model are required or are in standby (of course, they can also have only one mode, and the meaning of the modes may be different in some cases),
• at any time, the choice of the mode of one of the Markov processes (unless it is independent) depends on the value of a Boolean function of other processes.
An extreme case is when the processes are independent. This corresponds to a fault tree whose leaves are associated with independent Markov processes.
A BDMP (F, r, T, (Pi)) is made of: a multi-top coherent fault tree F, a main top event r of F, a set of triggers T, a set of "triggered Markov processes" Pi associated with the basic events (i.e. the leaves) of F, and the definition of two categories of states for the processes Pi.
A trigger is represented graphically with a dotted line. The first element of a trigger is called its origin, and the second element is called its target. Two triggers must not have the same target. This means that it is sometimes necessary to create an additional gate (like G1 in Fig. 3) whose only function is to define the origin of a trigger. Fig. 3 is an example of the graphical representation of all the notions of BDMP. In this example, we have a fault tree with two tops: r (the main one) and G1. The basic events are f1, f2, f3, and f4: they can belong to one of the two standard triggered Markov processes defined below. There is only one trigger, from G1 to G2.

[Fig. 3: drawing not recoverable from the extraction; labels visible: gates G1 and G2 above the leaves f1, f2, f3, f4]

Definition of a "triggered Markov process" (we have such a process Pi associated with each basic event i of the fault tree): Pi is the following set of elements:
$\{Z_0^i(t),\ Z_1^i(t),\ f_{0\to1}^i,\ f_{1\to0}^i\}$
$Z_0^i(t)$ and $Z_1^i(t)$ are two homogeneous Markov processes with discrete state spaces. For $k \in \{0,1\}$, the state space of $Z_k^i(t)$ is $A_k^i$.
For each $A_k^i$ we will need to refer to a part $F_k^i$ of the state space $A_k^i$. In general, $F_k^i$ will correspond to the failure states of the component or subsystem modelled by the process Pi.
$f_{0\to1}^i$ and $f_{1\to0}^i$ are two probability transfer functions defined as follows:
for any $x \in A_0^i$, $f_{0\to1}^i(x)$ is a probability distribution on $A_1^i$, such that if $x \in F_0^i$, then $\Pr(f_{0\to1}^i(x) \in F_1^i) = 1$;
for any $x \in A_1^i$, $f_{1\to0}^i(x)$ is a probability distribution on $A_0^i$, such that if $x \in F_1^i$, then $\Pr(f_{1\to0}^i(x) \in F_0^i) = 1$.
Such a process is said to be "triggered" because it switches instantaneously from one of its modes to the other, via the relevant transfer function, according to the state of some externally defined Boolean variable, called the "process selector". The process selectors are defined by means of triggers. The function of a trigger is to modify the mode of the processes associated with the leaves in the sub-tree under its target when the event which is the origin of the trigger changes from FALSE to TRUE (or conversely). The exact definition of the semantics of a BDMP (in particular when there are several triggers) is too complex to be explained in the present paper, but it can be found in [2].
We give hereafter the two standard processes, which are most often used in BDMP.

B. The warm standby repairable leaf
This process is used to model a component that can fail both when it is in standby and when it works (this mode corresponds to a process selector equal to 1), but with different failure rates. This component can be repaired whatever its mode. When λs = 0, the model represents in fact a cold standby repairable component.

Process 0 (standby): S → F with rate λs, F → S with rate µ. Process 1 (working): W → F with rate λ, F → W with rate µ.

The transfer functions simply state that when the value of the process selector changes, the component goes from state Standby to Working (or vice versa) or remains in the Failure state with probability 1.
$f_{0\to1}(S) = \{\Pr(W) = 1, \Pr(F) = 0\}$, $f_{0\to1}(F) = \{\Pr(F) = 1, \Pr(W) = 0\}$
$f_{1\to0}(W) = \{\Pr(S) = 1, \Pr(F) = 0\}$, $f_{1\to0}(F) = \{\Pr(F) = 1, \Pr(S) = 0\}$
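The definition of a triggered Markov process (§ IV.A), the two standard leaves (the warm standby leaf of § IV.B and the on-demand leaf of § IV.C) and the trigger of Fig. 3, as an added example in Python. It is not the authors' code and not the KB3/OPALE implementation. The names r, G1, G2 and f1 to f4 are those of Fig. 3; the gate types (r = AND, G1 and G2 = OR), the leaf type chosen for each basic event, the default mode of leaves that are under no trigger (required), and all rate values are assumptions of the example. The check function tests the condition the definition imposes on the transfer functions, and the trace shows the process selector of the leaves under G2 following the Boolean value of G1, with the on-demand failure of f4 drawn at the mode change.

```python
"""BDMP triggered Markov processes, triggers and process selectors (Section IV).

Added example, not the authors' code nor the KB3/OPALE implementation: the warm
standby leaf (IV.B) and the on-demand leaf (IV.C) as state spaces A_k, failure
subsets F_k and transfer functions; a check of the IV.A condition on transfer
functions; and triggers (origin, target) that set the process selector of the
leaves under their target from the Boolean value of their origin. Names r, G1,
G2, f1..f4 follow Fig. 3; gate types, leaf types, the default mode of leaves
under no trigger (required) and all rate values are assumptions of this example.
"""
from dataclasses import dataclass

@dataclass
class TriggeredProcess:
    """P_i = {Z_0(t), Z_1(t), f_{0->1}, f_{1->0}}: A[k], F[k] = states / failure states of Z_k."""
    name: str
    A: dict         # mode k -> set of states of Z_k(t)
    F: dict         # mode k -> failure states F_k, a subset of A[k]
    rates: dict     # mode k -> {(src, dst): rate}, the transitions of Z_k(t)
    transfer: dict  # (k, k') -> {x in A[k]: {y in A[k']: probability}}
    mode: int       # process selector: 0 = standby, 1 = required
    state: str

    def failed(self) -> bool:
        return self.state in self.F[self.mode]

    def switch(self, new_mode: int, u: float) -> str:
        """Instantaneous mode change through the transfer function, sampled with uniform draw u."""
        if new_mode != self.mode:
            acc = 0.0
            for y, p in self.transfer[(self.mode, new_mode)][self.state].items():
                acc += p
                if u < acc:
                    break
            self.state, self.mode = y, new_mode
        return self.state

def warm_standby_leaf(name, lam_s, lam, mu, mode=0):
    """IV.B: S -lam_s-> F, F -mu-> S in standby; W -lam-> F, F -mu-> W when required (lam_s = 0: cold)."""
    return TriggeredProcess(
        name, A={0: {"S", "F"}, 1: {"W", "F"}}, F={0: {"F"}, 1: {"F"}},
        rates={0: {("S", "F"): lam_s, ("F", "S"): mu}, 1: {("W", "F"): lam, ("F", "W"): mu}},
        transfer={(0, 1): {"S": {"W": 1.0}, "F": {"F": 1.0}}, (1, 0): {"W": {"S": 1.0}, "F": {"F": 1.0}}},
        mode=mode, state="S" if mode == 0 else "W")

def on_demand_leaf(name, gamma, mu, mode=0):
    """IV.C: only the repair F -mu-> W in both modes; the failure is drawn on the 0->1 switch."""
    return TriggeredProcess(
        name, A={0: {"W", "F"}, 1: {"W", "F"}}, F={0: {"F"}, 1: {"F"}},
        rates={0: {("F", "W"): mu}, 1: {("F", "W"): mu}},
        transfer={(0, 1): {"W": {"W": 1.0 - gamma, "F": gamma}, "F": {"F": 1.0}},
                  (1, 0): {"W": {"W": 1.0}, "F": {"F": 1.0}}},
        mode=mode, state="W")

def check_transfer_functions(p: TriggeredProcess) -> bool:
    """IV.A: f_{k->k'}(x) is a distribution on A_k', and x in F_k lands in F_k' with probability 1."""
    for (k, k2), table in p.transfer.items():
        for x in p.A[k]:
            dist = table.get(x, {})
            if set(dist) - p.A[k2] or abs(sum(dist.values()) - 1.0) > 1e-12:
                return False
            if x in p.F[k] and abs(sum(dist.get(y, 0.0) for y in p.F[k2]) - 1.0) > 1e-12:
                return False
    return True

@dataclass
class Gate:
    op: str          # "AND" or "OR" (coherent fault tree)
    children: list   # Gate or TriggeredProcess

def value(node) -> bool:
    """A leaf is TRUE when its process is in a failure state; gates combine their children."""
    if isinstance(node, TriggeredProcess):
        return node.failed()
    vals = [value(c) for c in node.children]
    return all(vals) if node.op == "AND" else any(vals)

def leaves_under(node):
    return [node] if isinstance(node, TriggeredProcess) else [lf for c in node.children for lf in leaves_under(c)]

def check_triggers(triggers) -> bool:
    """Two triggers (origin, target) must not have the same target."""
    return len({id(target) for _, target in triggers}) == len(triggers)

def apply_triggers(triggers, u=0.5):
    """Every leaf under a target switches to the mode given by the origin's current Boolean value."""
    for origin, target in triggers:
        selector = 1 if value(origin) else 0
        for lf in leaves_under(target):
            lf.switch(selector, u)

def fig3_example(u=0.5):
    """Fig. 3 with assumed types r = AND(G1, G2), G1 = OR(f1, f2), G2 = OR(f3, f4); trigger G1 -> G2."""
    f1 = warm_standby_leaf("f1", 0.0, 1e-4, 0.1, mode=1)   # normal-train leaves, always required
    f2 = warm_standby_leaf("f2", 0.0, 1e-4, 0.1, mode=1)
    f3 = warm_standby_leaf("f3", 0.0, 1e-4, 0.1)           # cold standby, starts in S
    f4 = on_demand_leaf("f4", 2.7e-4, 0.25)                 # gamma of a circuit breaker (VI.D); mu assumed
    G1, G2 = Gate("OR", [f1, f2]), Gate("OR", [f3, f4])
    r, triggers = Gate("AND", [G1, G2]), [(G1, G2)]
    trace = []  # (step, mode of f3, state of f3, state of f4, value of r) after each step
    for step, f1_state in (("init", "W"), ("f1 fails", "F"), ("f1 repaired", "W")):
        f1.state = f1_state            # the event that changes the Boolean value of the origin G1
        apply_triggers(triggers, u)    # f3 and f4 follow G1 through their transfer functions
        trace.append((step, f3.mode, f3.state, f4.state, value(r)))
    return trace
```

With a uniform draw below 1 − γ (`fig3_example(0.5)`), the failure of f1 makes G1 TRUE, f3 goes from S to W and f4 stays W, so r stays FALSE; with a draw above 1 − γ (`fig3_example(0.99999)`) f4 fails on demand at the switch and r becomes TRUE, and the repair of f1 sends f3 back to S while f4 remains in F, which is exactly what the condition $\Pr(f_{1\to0}(F) \in F_0) = 1$ requires.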
C. The on-demand repairable failure leaf
This model is used to represent an "on-demand" failure that can happen (with probability γ) when the process selector changes from state 0 to state 1.

Process 0 and Process 1: states W and F, with only the repair transition F → W with rate µ in both modes (the failure happens at the mode change, not with a rate).
$f_{0\to1}(W) = \{\Pr(W) = 1-\gamma, \Pr(F) = \gamma\}$, $f_{0\to1}(F) = \{\Pr(F) = 1, \Pr(W) = 0\}$
$f_{1\to0}(W) = \{\Pr(W) = 1, \Pr(F) = 0\}$, $f_{1\to0}(F) = \{\Pr(F) = 1, \Pr(W) = 0\}$

D. Application to our example
Here is a simple BDMP that models precisely our system. The leaves with "S!" are of the type described in § IV. C. and the other ones are of the type described in § IV. B. (with a null standby failure rate).

[BDMP of the studied system: drawing not recoverable from the extraction. Labels visible: an AND gate, F_CB1 and F_LVDBoard, two OR gates OU_3 and OU_1, the leaves F_Transf, F_Network, F_CB2 and F_DEng, and three "S!" on-demand leaves.]

A. The KB3 modelling tool
In order to improve the quality, rapidity, and accessibility of dependability studies, EDF R&D developed the KB3 program¹. KB3 automatically builds reliability models of the structural type (fault trees or systems of Boolean equations) or behavioural type (Markov graphs, Monte Carlo simulation models, etc.) for studying a system on the basis of a graphic description of the system layout, a description of the system missions, and a generic knowledge base.
To carry out dependability studies with KB3, a knowledge base adapted to the problems involved in the studies to be carried out is needed. Such a knowledge base must contain a generic description of the different kinds of components that might be encountered in the studies (a description of the possible component failure modes and of their consequences on the system). This single generic description is independent of the topology of a given system and can therefore be used for all system studies involving the problems dealt with.
BDMP constitute a very powerful modelling tool, but being capable of building them requires a minimum of training. As they look very much like fault trees, it seems natural to use the KB3 ability to generate fault trees from other graphic representations (such as P&I diagrams of systems) to build them automatically. This is how the OPALE tool works.

¹ A demonstration version of KB3 and of a BDMP tool can be downloaded at http://rdsoft.edf.fr

B. The OPALE tool
With the deregulation of the electrical market in France, the Commercial Branch of EDF decided to propose new customer services in order to establish customer loyalty:
• Design of internal networks
• Comparison of different improvements at the time of renewal of a private or public network
• Identification of the weak points of the network.
These new offers include dependability studies. To facilitate the development of these new offers, the R&D division has decided to develop a tool that allows electricians who are not experts in dependability modelling to do reliability studies. This new tool, called OPALE, automates the evaluation of the reliability and the availability of electrical networks. It is based on an automatic transformation of the single line diagram of the network into a dynamic BDMP model, optimised in order to moderate the combinatorial explosion of the model processing. It allows very large gains in the productivity of the study of such systems and enables people who are not dependability specialists to do them.

A. Input of the physical layout
As required by the Commercial Branch, the user of OPALE can input the physical network into the software (see Fig. 6).

FIGURE 5: INTERFACE FOR DEPENDABILITY PARAMETERS [screenshot not recoverable from the extraction]
The user of OPALE also has to input the dependability parameters, using the "object editor" of KB3, shown in Fig. 5. One or several undesirable events can be defined via the use of voltage "testers", represented like bulbs.

B. Specification of stand-by redundancies
The next step is to specify the functioning of the stand-by redundancies. To do this, we have to use a special formalism as described hereafter:

[Drawing of the stand-by redundancy formalism (a red arrow from the first part of the network to the second) not recoverable from the extraction.]

This red arrow indicates that the whole second part of the network has to be put into operation only if the first part of the network is down. Failures on DiES are only taken into account if the network or the transformer is down AND if there is no problem with the reconfiguration procedure.
The protection system of the network can also be described in OPALE in order to take into account its failures, like refusal of working of the protection, inadvertent opening of a circuit breaker, problems with the automation, …

C. Presentation of the results
OPALE is able to give two types of results:
• General results (equivalent failure rate, unavailability, MTTF, …),
• Detailed sequences leading to the undesirable event and their contribution in unreliability and

D. Comparison of the results with the event tree method
Hereafter are the results obtained both with the event tree method and with OPALE.

Failure mode                     Lambda (per hour)   Repair Time (hours)
SC Network                       2.00E-07            1
SC Transf                        1.00E-07            24
SC CB1 and CB2                   1.00E-10            4
SC LVDB                          1.00E-10            8
SC DEng                          1.37E-06            4
SC = Short Circuit

On-demand failure                Gamma               Repair Time (hours)
Refusal of Opening CB1 or CB2    2.70E-04            4
Refusal of Starting DiES         3.40E-03            4
Refusal of Closing CB2           2.70E-04            4

1) General results

                                          Results of event tree method   OPALE            Difference
Equivalent Lambda System                  1,385E-09                      1,385E-09
MTTF                                      8,24E+04 years                 8,24E+04 years   0,00%
Rsyst(t) = P (No Failure during 1         9,999879E-01                   9,999879E-01

2) Detailed sequences obtained with the event tree method

Seq.   Name                                           Fail Rate
1      Network_CC or Transf_CC / Ref. Start. DiES     1,01972E-09
2      CB1_CC                                         1,00E-10
3      LV_Dist_Board_CC                               1,00E-10
4      Network_CC or Transf_CC / Ref. Op CB1          8,10000E-11
5      Network_CC or Transf_CC / Ref. Clos. CB2       8,07028E-11
6      Network_CC or Transf_CC                        3,54821E-12
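The event tree of § III quantified with the parameter values of this comparison, as an added example in Python; it is not the authors' code and not the OPALE tool. It applies the paper's formulas for τ, P(Cun), λeq and λSyst, computes the rate of each sequence of Fig. 2 as the initiator frequency times the branch probabilities met along the path, and ranks the sequences by contribution in the way the OPALE output presents them. Rates are taken per hour and repair times in hours, the unit under which the paper's λSyst gives its MTTF in years; the dictionary keys and function names are the example's own.

```python
"""Event tree of Fig. 2 quantified with the parameter values of Section VI.D.

Added example, not the authors' code and not the OPALE tool: it reproduces the
closed-form results of Section III.B and the sequence table of VI.D.2. Rates
are taken per hour and repair times in hours (the units that turn the paper's
lambda_Syst into its MTTF in years); dictionary keys and function names are
this example's own.
"""
import math

HOURS_PER_YEAR = 8760.0

# Parameter tables of Section VI.D (values from the paper; units assumed per hour / hours)
LAMBDA = {"Network": 2.00e-7, "Transf": 1.00e-7, "CB1": 1.00e-10,
          "LVDB": 1.00e-10, "DiES": 1.37e-6}
REPAIR = {"Network": 1.0, "Transf": 24.0}          # repair times of the normal train
GAMMA = {"RO_CB1": 2.70e-4, "RS_DiES": 3.40e-3, "RC_CB2": 2.70e-4}


def mean_repair_time(lam=LAMBDA, rep=REPAIR):
    """tau = (lambda_Tr1 tau_Tr1 + lambda_Net tau_Net) / (lambda_Tr1 + lambda_Net)."""
    return sum(lam[k] * rep[k] for k in rep) / sum(lam[k] for k in rep)


def event_tree_sequences(lam=LAMBDA, rep=REPAIR, gamma=GAMMA):
    """Failure sequences of the studied system, in the order of the branches of Fig. 2.

    A sequence rate is the initiator frequency times the branch probabilities
    met along its path; the sequences are mutually exclusive.
    """
    lam_init = lam["Network"] + lam["Transf"]       # lambda = lambda_Net + lambda_Tr1
    g1, gd, g2 = gamma["RO_CB1"], gamma["RS_DiES"], gamma["RC_CB2"]
    p_fail_dies = 1.0 - math.exp(-lam["DiES"] * mean_repair_time(lam, rep))
    return {
        "Network_CC or Transf_CC / Ref. Op CB1": lam_init * g1,
        "Network_CC or Transf_CC / Ref. Start. DiES": lam_init * (1 - g1) * gd,
        "Network_CC or Transf_CC / Ref. Clos. CB2": lam_init * (1 - g1) * (1 - gd) * g2,
        "Network_CC or Transf_CC / Fail DiES":
            lam_init * (1 - g1) * (1 - gd) * (1 - g2) * p_fail_dies,
        # critical initiators: no emergency solution, the initiator alone is the sequence
        "CB1_CC": lam["CB1"],
        "LV_Dist_Board_CC": lam["LVDB"],
    }


def general_results(lam=LAMBDA, rep=REPAIR, gamma=GAMMA):
    """P(C_un), lambda_eq, lambda_Syst, MTTF in years and R(1 year), as in Section III.B."""
    tau = mean_repair_time(lam, rep)
    p_cun = 1.0 - ((1 - gamma["RO_CB1"]) * (1 - gamma["RS_DiES"])
                   * (1 - gamma["RC_CB2"]) * math.exp(-lam["DiES"] * tau))
    lam_eq = p_cun * (lam["Transf"] + lam["Network"])
    lam_syst = lam_eq + lam["LVDB"] + lam["CB1"]
    return {
        "tau_hours": tau,
        "p_cun": p_cun,
        "lambda_eq": lam_eq,
        "lambda_syst": lam_syst,
        "mttf_years": 1.0 / lam_syst / HOURS_PER_YEAR,
        "r_one_year": math.exp(-lam_syst * HOURS_PER_YEAR),
    }


def ranked_contributions(seqs):
    """Sort sequences by rate and attach their share of the total and the cumulated share,
    the presentation OPALE uses for its detailed sequences."""
    total = sum(seqs.values())
    rows, cumul = [], 0.0
    for name, rate in sorted(seqs.items(), key=lambda kv: kv[1], reverse=True):
        cumul += rate / total
        rows.append((name, rate, rate / total, cumul))
    return rows


if __name__ == "__main__":
    res = general_results()
    print(f"tau = {res['tau_hours']:.3f} h, lambda_Syst = {res['lambda_syst']:.3e} /h, "
          f"MTTF = {res['mttf_years']:.2e} years, R(1 year) = {res['r_one_year']:.7f}")
    for name, rate, share, cumul in ranked_contributions(event_tree_sequences()):
        print(f"{name:46s} {rate:.5e}  {share:6.2%}  {cumul:6.2%}")
```

Run as a script it prints τ = 8.667 h, λSyst ≈ 1.385E-09 per hour, an MTTF of about 8.24E+04 years and R(1 year) ≈ 0.9999879, i.e. the general results of the table above; the rates of the "Ref. Start. DiES", "Ref. Op CB1" and "Ref. Clos. CB2" sequences reproduce the event tree table to the printed digits, and the fourth sequence, DiES failing during the repair time, brings the sum of all sequences to exactly λSyst, because the branches of the tree telescope to 1 − (1−γ1)(1−γd)(1−γ2)e^{−λdτ}. The ranking shows the refusal of starting of the diesel alone carrying about 74 % of the unreliability, the weak point OPALE's first two sequences also single out.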
Detailed sequences obtained with OPALE (output labels in French: Bon Fct. = correct functioning, Ref. Fct. = refusal of functioning):

Seq.  Name                                Rate      Type  Proba Asympt  Contrib in Rel.  Cumulated Contrib  Rate of the sequence
1     [Network_CC]                        2,00E-07  EXP   2,26E-03      49,07%           49,07%             6,80E-10
      [Bon Fct. : CB1_RO,                 1,00E+00  INS
      Bon Fct. : CB2_RF,                  1,00E+00  INS
      Ref. Fct. : Diesel_Eng_DS]          3,40E-03  INS
2     [Transf_CC]                         1,00E-07  EXP   1,13E-03      24,54%           73,61%             3,40E-10
      [Bon Fct. : CB1_RO,                 1,00E+00  INS
      Bon Fct. : CB2_RF,                  1,00E+00  INS
      Ref. Fct. :                         3,40E-03  INS
3     [CB1_CC]                            1,00E-10  EXP   3,33E-04      7,22%            80,83%             1,00E-10
4     [LV_Dist_Board_CC]                  1,00E-10  EXP   3,33E-04      7,22%            88,05%             1,00E-10
5     [Network_CC]                        2,00E-07  EXP   1,79E-04      3,88%            91,93%             5,38E-11
      [Ref. Fct. : CB1_RO,                2,70E-04  INS
      Bon Fct. : CB2_RF,                  1,00E+00  INS
      Bon Fct. : Diesel_Eng_DS]           9,97E-01  INS
6     [Network_CC]                        2,00E-07  EXP   1,79E-04      3,88%            95,82%             5,38E-11
      [Bon Fct. : CB1_RO,                 1,00E+00  INS
      Ref. Fct. : CB2_RF,                 2,70E-04  INS
      Bon Fct. : Diesel_Eng_DS]           9,97E-01  INS
7     [Transf_CC]                         1,00E-07  EXP   8,96E-05      1,94%            97,76%             2,69E-11
      [Ref. Fct. : CB1_RO,                2,70E-04  INS
      Bon Fct. : CB2_RF,                  1,00E+00  INS
      Bon Fct. : Diesel_Eng_DS]           9,97E-01  INS
8     [Transf_CC]                         1,00E-07  EXP   8,96E-05      1,94%            99,70%             2,69E-11
      [Bon Fct. : CB1_RO,                 1,00E+00  INS
      Ref. Fct. : CB2_RF,                 2,70E-04  INS
      Bon Fct. : Diesel_Eng_DS]           9,97E-01  INS
9     [Transf_CC]                         1,00E-07  EXP   1,09E-05      0,24%            99,94%             3,27E-12
      [Bon Fct. : CB1_RO,                 1,00E+00  INS
      Bon Fct. : CB2_RF,                  1,00E+00  INS
      Bon Fct. : Diesel_Eng_DS]           9,97E-01  INS
      [Diesel_Eng_CC]                     1,37E-06  EXP
10    [Network_CC]                        2,00E-07  EXP   9,09E-07      0,02%            99,96%             2,73E-13
      [Bon Fct. : CB1_RO,                 1,00E+00  INS
      Bon Fct. : CB2_RF,                  1,00E+00  INS
      Bon Fct. : Diesel_Eng_DS]           9,97E-01  INS
      [Diesel_Eng_CC]                     1,37E-06  EXP

4) Conclusion
The general results are the same with OPALE and with the event tree method. Regarding the detailed results, OPALE is able to give all the detailed sequences classified by their contribution to the global unreliability. It is also possible to obtain results in unavailability. This precision makes it possible to detect the weak points of the network more easily.
Another important point is the automation of the modelling of the network. With OPALE, the complex and error-prone construction of an event tree is replaced by the simple input of the physical description of the system to be studied. Therefore, it allows very large gains in the productivity of the study of such systems and enables people who are not dependability specialists to do them.

A. Electrical network of a steel manufacturer site: ARCELOR, Sollac
This complex private electrical network of a steel manufacturer site, with protection system and stand-by redundancies, was studied in article [4].

[Single line diagram of the ARCELOR Sollac network: drawing not recoverable from the extraction. Labels visible: L1, L2, 225 kV, B1, 63 kV, B2, 1TA, 2TA, AEG, 20 kV, Emergency.]

B. "d" substation: French distribution substation
This complex electrical substation, with protection system and stand-by redundancies, was studied in article [3].

[Single line diagram of the substation: drawing not recoverable from the extraction. Labels visible (French, with translations): LIGNE 2 (line 2); Parafoudre PaL1, PaL2, PaT1, PaT2 (surge arresters); Transformateur Combiné de mesure TCM1 (combined instrument transformer); Protection de Distance + Protection de Secours + Protection contre défauts résistants (distance, backup and resistive-fault protections) on both lines; SMALT1, SMALT2; Sectionneur avec mise à la terre (earthing disconnector); Disjoncteur de ligne DJL1, DJL2 (line circuit breakers); Sectionneur d'aiguillage ligne SAL1 (line selector disconnector); Sectionneur de Sectionnement (sectionalising disconnector); Transformateur de tension TT1 (voltage transformer), fermé en fonctionnement normal (closed in normal operation); Sectionneur d'aiguillage transfo SAT1, SAT2 (transformer selector disconnectors); Disjoncteur de transfo DJT1, DJT2 (transformer circuit breakers); PDI; Transfo de puissance Tr1 (power transformer); PDT; Automate de permutation de Transformateur (transformer change-over automaton); MASSE (earth); TSA; TC (current transformer); TT (voltage transformer); EPAMI; Disjoncteur ouvert en fonctionnement normal (circuit breaker open in normal operation); TC_dep1 to TC_dep4 on each of the four half-busbars Demi-RAME 1A, 1B, 2A, 2B.]


C. Other references
EDF R&D performed different types of studies, in several countries:
• ESKOM (South Africa): HV substation studies.
• Internet hostel (F): internal electrical network.
• Offshore wind farm (F): joining with the French grid.
• London City Airport (UK): study of the electrical
• Studies of internal electrical networks for different customers (printing works, agri-food, micro-electronics).

Edouard BRETON is a research engineer at EDF R&D. He received a degree from the "Centre d'Etudes Supérieures Industrielles" engineering school, Paris. He has performed several studies in the field of HV, MV and LV electrical networks or systems (industrial private networks, the EDF network, …). At EDF R&D, he works on the development of different dependability software and is the technical back office of the commercial branch of EDF for dependability studies.

Marc BOUISSOU is a senior engineer at EDF R&D, with long experience in the reliability engineering field. He also holds an appointment at CNRS (University of Marne la Vallée) as an associate research director. He has led the development of highly innovative tools to support the activities of reliability engineering, and PSAs for
