Professional Documents
Culture Documents
Self Supervision Techniques 670 Series Principles and Functions PDF
Self Supervision Techniques 670 Series Principles and Functions PDF
Self Supervision Techniques 670 Series Principles and Functions PDF
Trademarks
ABB is a registered trademark of ABB Group. All other brand or product names
mentioned in this document may be trademarks or registered trademarks of their
respective holders.
ABB AB
Substation Automation Products
SE-721 59 Västerås
Sweden
Telephone: +46 (0) 21 34 20 00
Facsimile: +46 (0) 21 14 69 18
www.abb.com/substationautomation
Disclaimer
The data, examples and diagrams in this manual are included solely for the
concept or product description and are not to be deemed as a statement of
guaranteed properties. All persons responsible for applying the equipment
addressed in this manual must satisfy themselves that each intended application
is suitable and acceptable, including that any applicable safety or other
operational requirements are complied with. In particular, any risks in
applications where a system failure and/or product failure would create a risk
for harm to property or persons (including but not limited to personal injuries or
death) shall be the sole responsibility of the person or entity applying the
equipment, and those so responsible are here by requested to ensure that all
measures are taken to exclude or mitigate such risks.
This document has been carefully checked by ABB but deviations cannot be
completely ruled out. In case any errors are detected, the reader is kindly
requested to notify the manufacturer. Other than under explicit contractual
commitments, in no event shall ABB be responsible or liable for any loss or
damage resulting from the use of this manual or the application of the
equipment.
Conformity
This product complies with the directive of the Council of the European
Communities on the approximation of the laws of the Member States relating to
electromagnetic compatibility (EMC Directive 2004/108/EC) and concerning
electrical equipment for use within specified voltage limits (Low-voltage
directive2006/95/EC).
This conformity is proved by tests conducted by ABB AB in accordance with
the generic standard EN 50263 for the EMC directive, and with the standards
EN60255-5 and/or EN 50178 for the low voltage directive.
This product is designed and produced for industrial use.
TABLE OF CONTENTS PAGE
1. Introduction 3
2. General 3
3. Self supervision in numerical relays 3
4. The Benefit of self supervision _________________________ 6
5. Self supervision in a modern line terminal 6
6. Self supervision with internal signals____________________7
7. Self supervision of hardware modules 8
7.1 Numerical module 8
7.2 Transformer input module 9
7.3 Analog to Digital conversion module 9
7.4a Binary input module with enhanced EMC capability 9
7.4b Binary input module for pulse counting______________10
7.5 Input/output module 10
7.6 Binary output module 10
7.7 Static output module 11
7.8 mA input module 11
7.9 GPS time synchronization module 12
7.10 Power supply module 12
7.11 Self supervision of communication modules 12
8. Self supervision of software
8.1 Self supervision functions 14
8.2 New self supervision methods 14
8.2.1 Error correcting code _______________________14
8.2.2 Fault tolerant file system ____________________14
8.3 Relion 670 series self supervision 14
8.4 Self supervision during start-up and stop 15
8.4 Self supervision during operation 15
9. Impact on dependability and security by self supervision 16
9.1 Dependability 16
9.2 Security 16
9.3 Impact of self supervision on single protection_________ 17
9.4 Impact of self supervision with redundant protection____ 17
10. Additional supervision via process signals 17
11. Conclusions 18
ABB AB 3
1. INTRODUCTION
One of the major benefits of microprocessor technology However, missing operations are much easier to deal
is that no additional hardware is required for the self with, e.g. via back-up systems.
supervision, a function that increases the availability
and reliability of the whole system, by ensuring that As statistics from both electromechanical relays and
product and system faults can be detected immediately. numerical is available, in this case from Norway, the
security and dependability can be analyzed. Also the
The self supervision can be performed by software impact of duplicated protection with reference to self
functions, utilizing standard features as watchdog supervision is available. The figures has been used for a
functions, checksum etc., and some extra software risk analysis reference to dependability, security and
functions, to get as much coverage as possible for the unavailability
self supervision. However, the self supervision must be
as simple as possible, to keep the reliability high. Main result Electromechanical Numerical
/ static
The current and voltage circuits, and the communication Single Redun- Single Redun-
links, can also be monitored continuously by an external dant dant
client such as a substation monitoring system (SMS) or Dependability 98.4 99.5 99.4 99.4
substation control system (SCS), for example by taking
Security 68.1 49.5 95.5 92.1
measuring values from Main 1 and Main 2 at regular
Unavailability 0.02 0.03 0.01 0.02
intervals during steady state conditions and comparing
of line C
these values. An other option is reporting to the control
center for comparison with the result from the state Figure 2. Result of risk analysis. The figures are given
estimation. It is also possible to monitor the dataflow in in %
the various communication systems connected to the
From figure 2 it can be seen that numerical protections
supervised device.
have the highest dependability and security. Note that a
single numerical protection has higher security than
Messages from the self supervision system can be
redundant electromechanical protection and the same as
available both locally and remotely, which further
duplicated numerical protection.
simplifies fault tracing, and cuts down the time for
repair, e.g. by identification of defective parts.
That the numerical protections are better is due to the
built-in self supervision of these protections, where
As an example of the improved availability with self
about 90% of all failures are assumed discovered
supervision, the Mean Time To Repair (MTTR) can be
immediately and thus repaired in 48 hours. In the
compared with conventional static or electro-
electromechanical/ static protection systems, all failures
mechanical equipment without supervision.
were assumed undiscovered until the next test or fault.
With a test interval of e.g. 2 years, the MTTR without
Another feature in numerical technology is the access to
supervision is approximately 1 year, since a fault will
an open information system, which for example
most likely not be detected until the next test is
increases the availability of the information from the
performed. With supervision, a fault can normally be
self supervision to be sent to a remote location, for
repaired within 48 hours, see figure 1 below. This
example to inform the maintenance organization.
means that the MTTR will be 2 days instead of 365
days, a significant improvement.
Routine Relay Routine
2 GENERAL
test fault test
The relay protection is a vital part of the fault clearing
Without self supervision Missing protection or system. However, periodical testing and self supervision
MTTR < 1- 5 years non selective operation
of the protection is important to secure the fault clearing
MTTR = Mean time to repair function.
With self supervision
MTTR < 2 days For relay equipment without self supervision, a fault is
Routine test interval 1- 5 years not detected until the equipment does not operate
correctly, or detected by maintenance testing. To reduce
Figure 1. Impact of self supervision. the risk for a missing function, periodical maintenance
testing is performed. The test interval is determined by
As an extra benefit the software based self supervision the probability for a fault in the equipment. Mean Time
has an inherent capability, which is very attractive for To Failure (MTTF), and by the fact that a fault in
protection and control equipment in an Electrical Power principle can be undetected for 50% of the time between
System: The risk for unwanted functions is test intervals, together with an evaluation of the
decreased. The error detection by the self supervision is acceptable probability of a missing fault clearing of a
normally used to block the equipment. primary fault.
By experience, the test interval for equipment without
Thus the probability for unwanted functions is self supervision has been in the range of 1- 4 years.
decreased, at the expense of missing operations.
ABB AB 4
Numerical Relays with self supervision will of course λ2 = Failure rate for self supervised components
decrease the need for manual testing. Thus, the The self supervision in modern numerical relay's can
maintenance cost can be reduced with maintained detect around 85- 90 % of all faults with the failure rate
security and dependability for fault clearing. A suitable taken for various components taken into account. The
test interval for numerical relays with self supervision non supervised components are mainly passive
has to be established, but test intervals of 4- 8 years are components such as interference suppression devices
used. and output relays, with very high MTTF (100-200
Years). The detection ability is almost as high as for
3 SELF SUPERVISION IN NUMERICAL RELAYS manual testing with secondary injection of test
Self supervision and self diagnosis are features, which quantities such as current and voltages for distance
are very difficult and expensive to implement in static protection. The detection ability for self supervision and
analogue equipment. Complexity increases and in turn manual testing can be complementary. I.e. the self
effectiveness decreases quickly to a point where it is not supervision detects fault which the manual testing does
technically or economically justified. not detect and vice versa.
In a microprocessor-based system, a certain processing However, the time for fault detection with self
time can be allocated to perform selected checks and supervision is in the order of seconds compared with the
verifications. The results can be compared e.g. with time to detect a fault with manual testing, which is in
previously obtained. Detected discrepancies can initiate the range of years, i.e. a fault can be hidden in average
corrective measures or deactivate certain functions or half the manual test interval, see figure 1. This
the whole equipment. This feature leads, properly difference makes the self supervision more effective
adapted, to maintenance by request rather than to a than manual testing.
maintenance routine testing of the relays.
The unavailability for redundant protection with
Self supervision can, as any system not cover 100 % of different detection ability in the self supervision,
the hardware, the supervision does not cover for combined with manual testing with the detection ability
example interference protection, output relays contacts α = 90 % and α= 98 % is shown in figure 2. The curve
etc. (some self supervision can be provided) The self shows only the unavailability with reference to
supervision versus manual testing is a matter of the capability to trip. Unwanted tripping is not considered.
complexity of the protection equipment. Less complex However, with numerical self supervision, the
function as over current protections can be self probability for unwanted tripping is also decreased
supervised to a very high degree, for more complex
functions such as distance protection or generator Unavailability
protection, a combination of self supervision, manual %
Mean Time Between Failure: MTBF 20 Year
supervision including evaluation of the protection Mean Time Between Repair: MTTR 48 hours
1,0
function performance, with information from
disturbance- and event recordings, and in some cases
Combined with manual test
manual testing will give the best result. every second year (α = 90 %)
It is important that the self supervision is designed with 0,5 Combined with manual test
an optimized performance with respect to detection every second year (α = 98 %)
ability versus the complexity and does not jeopardize
the integrity of protection function. This optimization is Self super-
limiting the detection degree for the self supervision in 0,1 vision α
complex protection functions. A rudimentary self 0 50 100 %
supervision function, as for example a " watch dog"
Figure 3. Unavailability for redundant protection
function has very limited detection ability, and thus
contributes in a limited way to increase the availability.
The Self supervision is in principal continuous. It has
The self supervision in numerical relay's can be
been in wide use since microprocessor based relays
designed with fairly high detection ability.
were introduced in the beginning of the last decade
(around 1980). In most case it supervises the software
The self supervision can be designed with reference to
with checksums and other methods, supervises the
the probability for a fault in different components. In
existence of certain signal or compares signals. It
principal active components are considered to have a
detects catastrophic failures immediately and hence can
higher fault rate than passive components.
be used to block the protection at a failure, i.e. prevents
the instantaneous incorrect function, which could occur
The detection ability α can be defined with reference to in static or electromechanical relays. Thus the
the different components failure rateλ. (Faults/year) probability for an unwanted function is decreased, and
α = λ2⋅ 100 the probability for a missing function is increased. The
λ1 + λ2 design is normally made to increase both security and
α = Detection ability in % dependability.
λ1= Failure rate for not self supervised components
ABB AB 5
The self supervision is normally designed to be as redundant protection functions due to the improvement
simple as possible, with a limited amount of extra in availability.
software and hardware. The advantage of this design
Substation Information
principle is that the failure rate is lower than in the
system (Intranet)
supervised circuits. False signals are not allowed; Station HMI
Scada
otherwise the benefit of the self supervision is lost.
However, most actions, alarm or blocking has to be
delayed by an appropriate time to avoid spurious
function of the self supervision, i.e. during transient Feeder A Load B Load C
Self
conditions or during interference. These delays are of no Super-
Control Protection Protection
consequence when calculating the unavailability. The Control vision
Monitoring Control
unavailability is determined by the mean time to repair. Monitoring Monitoring
(MTTR)
ABB AB 6
action is established a safe status, an alarm is given and 6 Self supervision with internal signals
an event registered for subsequent diagnostic analysis. Self supervision provides several status signals that tell
Important items of hardware, for example A/D about the condition of the RELION 670 devices. This
converters main and program memories, the power information is called internal signals. and are recorded
supply etc are subjected to various tests when the in the event recorder as internal events.
system is switched on and also during normal service. A
watchdog continuously monitors the integrity of the The internal signals can be divided into two groups. One
software functions. The exchange of data on the cPCI group handles signals that are always present in all type
and CAN bus is continuously supervised. of protection and control devices as standard signals.
Another group handles signals that are collected
• Normal micro-processor watchdog function.
depending on the hardware configuration. The standard
• Checking of digitized measuring signals.
signals are listed below. The hardware dependent
• Other alarms, for example hardware and time internal signals will be specified in section 7.
synchronization.
The self supervision status can be monitored from the Explanation of internal signals
local HMI (LCD- display) or a substation monitoring or
substation automation system Name of signal Reasons for activation
This signal will be active if one or more of
Under the Diagnostics menu in the local HMI the FAIL the following internal signals are active;
present information from the self supervision function INT—NUMFAIL, INT—LMDERROR,
can be reviewed. The information can be found under INT-WATCHDOG, INT—APPERROR,
INT—RTEERROR, INT- FTFERROR, or
Diagnostics\Internal Events or Diagnostics\IED any of the HW dependent signals
Status\General. Refer to the "Installation and This signal will be active if one or more of
WARNING the following internal signals are active;
Commissioning manual" for a detailed list of
INT—RTCERROR, INT—
supervision signals that can be generated and displayed EC61850ERROR,
in the local HMI. INT—TIMESYNCHERROR
NUMFAIL This signal will be active if one or more of
A self supervision summary can be obtained by means the following internal signals are active;
INT—WATCHDOG, INT—APPERROR,
of the potential free alarm contact (INTERNAL FAIL) INT-RTEERROR, INT—FTFERROR
located on the power supply module. The function of This signal will be active if one or more of
NUM/ WARNING the following internal signals are active;
this output relay is an OR-function between the INT- INT—RTCERROR, INT—
FAIL signals see figure 6. IEC61850ERROR
RTCERROR This signal will be active when there is an
The self supervision events are stored in the internal error with the real time clock or GPS.
event list, which is available on the HMI. Some also via TIMESYNCH This signal will be active when the source of
the communication ports. The self supervision uses the ERROR the time synchronization is lost, or when the
normal signal configuration with the CAN bus to the time system has to make a time reset.
input/output modules, transducer input module, power This signal will be active if the Runtime
supply module and the GPS module. (The CAN bus is a RTEERROR Engine failed to do some actions with the
standard from the automotive industry, Controller Area application threads. The actions can be
loading of settings or parameters for
Network.), see figure 6 components, changing of setting groups,
loading or unloading of application threads.
CAN bus 1Mbit/s This signal will be active if the IEC61850
IEC61850
A/D NUM ERROR stack did not succeed in some actions like
TRM reading IEC61850 configuration, startup etc.
cPCI bus This signal will be activated when the
132Mbyte WATCHDOG terminal has been under too heavy load for
at least 5 minutes. The operating systems
U GPS I/O I/O I/O I/O I/O I/O PSM background task is used for the
I measurement
OEM OEM
LDCM LDCM LMDERROR LON network interface, MIP/DPS, is in an
unrecoverable error state.
This signal will be active if one or more of
APPERROR the application threads are not in the
state that Runtime Engine expects. The
states can be CREATED, INITIALIZED,
RUNNING, etc.
Figure 6. Signal structure for self supervision SETCHGD This signal will generate an Internal
Event to the Internal Event list if any
settings are changed.
The communication between the A/D converter and the This signal will generate an Internal
SETGRPCHGD Event to the Internal Event list if any
various communication modules on the A/D module
setting groups are changed.
and the NUM(CPU) module uses a 132 Mbyte/second This signal will be active if both the
FTFERROR
high speed bus, the cPCI- bus. (Compact Peripheral working file and the backup file are
Component Interconnect). corrupted and can not be recovered.
ABB AB 7
Self supervision standard internal signals The self supervision of the hardware modules will be
FAIL Internal Fail status described module by module. The principal diagram of
WARNING Internal Warning status
the hardware self supervision is shown in figure 8.
GS
NUMFAIL CPU module Fail status I/O I/O
I/O Power
NUMWARNING CPU module Warning status I/O
supply
Power
7.1 NUM, Numerical module
Input
Module
Conversion
Module
Processing
Module
Synch
Module
I/O
Module
I/O
Module
I/O
Module
I/O
Module
I/O
Module
Input
Module
Supply
Module The self supervision central module is of course the
TRM AD1 NUM GSM BIM BIM BIM BOM BOM MIM PSM
CPU
CPU on the numerical module. The hardware
supervision of the numerical module is a small part of
Logics CAN
6I
1Mbit/s
the total self supervision. The internal watchdog in the
A/D
6U
CPU is used also to check the both hardware and
OEM
~
~ ~
~
LDCM
software on the NUM. The main description of the CPU
Comm-
uni-
cation
I/O
controlled self supervision is made under section 8.
I/O I/O I/O I/O mA
ABB AB 8
TRM A/D
A/D low
Main Controller/CPU type IBM
3200PowerPC 750FX, 600 MHz
A/D
Internal communication with cPCI bus 30 A/D high Controller
132Mbytes/second
Memory
Up to 128 Mb FLASH
MPC
Up to 256 Mb DRAM 2 360001
Cycle time in IED 670
1 or 3 ms for protection
8 or 100 ms for logic
7.3 ADM, Analog to Digital conversion Module The A/D controller also performs the normal task of
micro-processor watchdog functions as well as
• 12 analogue channels/ 1 A/D additional alarms, for example hardware and time
converter for each transformer
module
synchronization.
• Sigma-Delta principle for A/D
conversion
7.4a BIM Binary input module
• Sampling rate > 1 MHZ
• 16 Independent Binary Inputs
• No problem with anti-aliasing
• Increased interference immunity,
filter 2 x IEC for 50 ms
• Primary filter 5 kHz • Debounce filter, T = 5 ms
• Secondary filter 1 kHZ. • Oscillation suppression detection
Enables calibration with the within 1 s; > 0 - 40 Hz
transformer module also for • Not suitable for pulse counting
high speed protection functions.
• Threshold voltage 60% of
rated auxiliary voltage
Figure 11. ADM analog to digital conversion unit
[mA] Prolonged inrush current
30
ABB AB 9
7.4b BIMp Binary Input module for pulse counting BIM card and communicates with the CPU via the CAN
bus, see figure 15
• 16 Independent Binary Inputs
• Debounce filter, T = 5 ms
• Oscillation suppression detection
within 1 s; > 0 - 40 Hz
• Pulse counting available for all
inputs, for example for energy
metering
• Threshold voltage 60% of rated
auxiliary voltage
[m A]
30
The self supervision
signals from the micro
1
3,5 7 [ms]
DCfail controller are
connected directly
or transmitted via the
Figure 14. BIMp, binary input module for pulse CAN bus
counting
Figure 15 Self supervision of the BIM module
The binary inputs (also on IOM card) have a
debouncing, suppression function At power-up (before the system is in service) and during
T = 5 ms microcontroller reset, internal fail is also activated to
prevent incorrect actions. When the microcontroller is
running according to set criteria, the internal fail is
deactivated.
[mA]
30
Increased interference
immunity
1
35 70 [ms]
1s
Figure 16. IOM, input/output module
That the oscillations are within approved limits is The inputs have the same debouncing and oscillation
detected if the number of valid events within one second suppression functions as the BIM module.
< N= 0 – 40 Hz
The self supervision is similar to the BIM and BIMp
modules The self supervision is performed by the
<N microcontroller, which carries out the self supervision
functions for the IOM module and activates the internal
fail relay directly or/and communicates with the CPU
via the CAN bus, see figure 15
ABB AB 10
6 static binary outputs with
• 24 single or 12 Double pole 6 electromechanical change
Command Output Relays over relays in parallel
Figure 17 BOM Binary Output module Figure 19 SOM Static output module
ABB AB 11
the 64 kbit communication module for current
differential protection etc.
Substation control system
Communication client
The self supervision
signals from the micro Scada
controller are connected
directly to the internal fail
relay or transmitted via the
CAN bus
Feeder A Load B Load C
7.9 GSM, GPS time synchronization module Figure 24. Communication self supervision in client
The GSM has the same microcontroller as the other I/O
modules. However, the self supervision does not Ethernet communication module with one or two ports
activate the direct internal fail function. If the GSM The Ethernet module can be used for IEC 61850,
module fails, the current differential protection can TCP/IP or DNP. The self supervision activates a
switch to echo timing, and override an interruption in internal signal when there is an error in the IEC 61850
the GPS signal. device (Hardware), IEC61850ERROR, see section 6.
• For multiterminal current differential LON, SPA, IEC -103 communication modules
protection
GPS • 1 Mhz High Accuracy output; < 1μs
Normally the self supervision is carried out by the client
• Minute pulse / IRIG B- Accuracy
as for the Ethernet module. However for LON a self
<<1ms (Not suitable for differential supervision internal signal is available on the HMI,
protection)
• IEC 61850-8 synchronization
LMD ERROR, LON device error status. (Hardware
Connection
to antenna
- Accuracy < 1 ms fault)
• LON synchronization
- Accuracy < 2 ms Communication modules on Analog / Digital conversion Module
ABB AB 12
LDCM 64 k-bit communication module 8. SELF SUPERVISION BY SOFTWARE
LDCM stands for Line Differential Communication The software is structured in different levels according
Module. One to four 64 kbit communication modules to fig. 18
can be placed on the A/D and NUM modules.
• Application software containing a software library for
Each LDCM has an extensive communication self different functions, the Application Functional
supervision. Some of the self supervision signals are Library, AFL, programmable logic/ timers, HMI
available only on the HMI, but a number of the signals etc. including product specific configurations
can also be configured to the event recorder.
• Base software including general applications such as
self supervision etc
Application
Product specific configuration
AFL
Logic/timers HMI
Communication
Base software
Hardware
Figure 28. Software structure
Base software
The base software is close to the hardware,
incorporating basic elements such as start-up routines,
self supervision, operative system, etc. The operative
system is an embedded real time system, which enables
the safe execution of program code in real time.
ABB AB 13
For each type Relion 670 series device a product the message on the sender side. If the number of errors
specific configuration is made. The configuration is is within the permitted frames for of the code, the
made with a selection from the functions in the AFL, receiver can use the extra information to discover the
the required number of logic elements, AND gates, OR locations of the errors and correct them. Since the
gates, and timers as well as external communication and receiver does not have to ask the sender for
connections to the HMI. All the elements are then retransmission of the data, a back-channel is not
configured with connections between the functional necessary in forward error correction, so it is suitable
blocks and logics/timers to operate according to for simplex communication such as broadcasting etc.
requirements for the various applications, distance
protection, differential protection etc. The ECC does not affect the bit error rate and data rate .
8.1 Self supervision functions 8.2.2 Fault tolerant file system (FTF)
The signaling structure for the software is the same as The Fault-tolerant file system is an extension to the
for the hardware. The difference is that additional ordinary disc files to make them fault-tolerant. Once a
internal signals for ERROR and Warnings are fault-tolerant file has been successfully created, then it
available, which are the result of the software self is impossible to corrupt it (e.g. by disrupting the power
supervision supply where a fault tolerant file is in operation. The
data integrity of is achieved by maintaining two
GS
I/O
versions of the files, one original version and one
I/O
I/O Power backup version. All operations are to be performed on
supply either the original or the backup version, never on both
I/O
CAN I/O not configured at the same time.
CAN or I/O fail
Power fail The integrity of the data is normally verified by
CPU I/O Internal fail
OR checksum methods. If the original and backup versions
CPU Internal fail verify correctly, then the FTF is running correctly.
(Inverted signal)
cPCI
A/D
If the original and backup versions fail verification, the
FTF rectifies the discrepancy. If the original does not
I/O; Binary input and
output modules Errors Warnings verify, but the backup is OK, then the backup shall
GS; GPS synchronization (Internal events) replace the original and vice versa. This means that the
module Internal fail
FTF data will revert to the last good version in case of
Figure 30. Signal structure for software self supervision single errors.
The supervision is divided in different parts parts, one If errors are detected in both the original and the back-
that is performed at start of the protection and one that up the internal self supervision signal; FTF Fatal error
is performed continuously during normal service. The will generate an Internal FAIL, and block the relay.
main part of the supervision is made by the main
processor on the main processor module; another part is 8.3 RELION 670 self supervision
made by a processor on the A/D converter. The I/Os are Relion 670 series has a sophisticated self supervision.
supervised by the built in microcontroller, connected to On faults in the vital parts of the protection the relay is
the CAN bus. A basic function is of course the use of blocked. For some faults, functions not involved can
"watch dogs" for all the microprocessors as well as continue to operate. Also the application functional
control of the check sums for memories of the programs library contains functions that can connect back-up
and settings. function if specified, for example a distance function
can be used as back-up for the differential function if
8.2 New self supervision methods the communication fails. For faults that do not effect the
A couple of new methods compared with previous function a Warning is issued, for fatal ERRORS the
generations of numerical relays that improves the relays is blocked and an ERROR signal generated from
software supervision have been introduced in the the CPU, which gives internal fail.
RELION 670 series.
The principal diagram of the software self supervision,
8.2.1Error Correcting Code; ECC with Internal Error Signals is shown in figure 20 below.
Most of the RAM-memories in Relion 670 are provided
with "Error-Correcting Code (ECC) memory", which The external signal names are given under section 6, but
facilitates automatic error correction, larger then one bit. further explanations are available below.
This is achieved by special circuits that generate
checksums automatically. Also the information transfer
to and from the FLASH PROMS is supervised by Error
Correcting C methods.
ABB AB 14
IO fail
At start, the configuration is checked. During the
OR Set e.g. BIM 1 Error
IO stopped
Reset configuration with PCM 600, each modules type and
IO started
position is specified. If for example a I/O module is
e.g. IOM2 Error OR
e.g. IO (n) Error
OR
Internal
FAIL
missing or in the wrong position the self supervision
LON ERROR
will give internal fail. When the fault is rectified it is
FTF fatal error
OR
Watchdog NUMFAIL necessary to make a reconfiguration.
RTE fatal error
Internal
Set WARN
RTE Appl-fail
RTE OK Reset
OR Built-in HMI
IEC61850 not ready NUMWARNING -settings
OR
RTCERROR Set RTCERROR - general settings
RTC OK Reset - I/O modules
TIMESYNCHERROR
OR Set
TIMESYNCHERROR - Reconfigure
Time reset
SYNCH OK Reset Note. The check of configuration does not include the
SETCHGD
Settings changed
1 second pulse
SPA/LON and Ethernet communication modules. These
modules have self supervision on the communication
module itself.
Figure 31. Internal self supervision with internal signal
names. 8.5 Self supervision during operation
The self supervision in an integral part of the design, see
I/O signals ; fail, stopped or started can either be from the impact of dependability and security on self
the on board I/O microcontrollers watchdog or from the supervision in section 9.
CPU with reference to information exchange over the The supervision on the main CPU module is divided in
CAN bus. two groups. The faults which can cause unwanted trip
LON ERROR refers to a fault in the hardware of the are blocked and signaled as errors, and the remaining
LON driver. LON is one of the communication self supervision functions are connected for warning
alternatives for station communication
FTF fatal error. Fault tolerant file system error, see Program execution
section 4.4. The real time engine supervises that the program
Watchdog; The internal watchdog in the CPU execution is performed in correct sequence. If this is not
RTE fatal error. RTE stands for Run time engine. The the case a reset is sent to the main processor. The
function is program execution control, i.e. checks that watchdog function contributes to the integrity of the
the program runs according to specification. (Base application functions. The Real time engine also
software) supervises that the logic is executed correctly.
RTE application error; the Run time Engine also
controls that the application specific software is running A/D converter.
correctly. If the application execution is incorrect, the The main processor supervises, that data via the cCPI-
application error signal is given. bus is received with correct time frame and performs a
RTE OK. The programs are executed according to check sum control for each received set of data every
specification ms. (At start, the check is that data are received.). In
IEC 61850 not ready. This signal can be issued for a addition the A/D converter has an internal Power On -
number of reasons, for example the configuration from check. In addition the analogue signals are supervised
the Signal Matrix Tool (GOOSE) not downloaded by comparing output from two different A/D converters,
RTC Error. Real Time Clock or GPS not working see section 7.2
correctly, for example the back-up capacitor discharged.
RTC OK Memories
Synch ERROR. The external time synchronization The main check of the RAM, ROM and Flash prom
source is faulty. (If specified) memories is performed by the Fault Tolerant File
Time reset. To reset the time, for example from normal system, see section 8.2
time to daylight saving time
Synch OK. External source available I/O nodes.
Setting changed. The relay is blocked during setting The I/O nodes are indirectly supervised from the main
change CPU. On the I/O boards, the internal communication
(CAN bus) is supervised as well as Read/write RAM
8.4 Self supervision during start and stop. checks an ROM checksum. A watchdog function is also
The start and shut down of the protection at switching provided onboard the I/Os by a microcontroller.
on and off the dc supply voltage is made in sequence. In
this way correct data will always be available to the The I/Os have an 8051-compatible micro controller with
measuring elements, ensuring correct function at switch CAN interface. In the BOM the 80CE598 is used. This
on and switch off of the dc power supply, and blocking is a ROM-fewer devices that demands an external ROM
of the device to avoid incorrect function when for the firmware.
measuring data are unsecured. (During start a time-out
control is included.)
ABB AB 15
In addition to the execution of control signals, the 9.1 Dependability (ability to operate when needed):
microcontroller also has a number of watchdog Dependability is assured by forming a suitable operates
functions. Also power-up and power down functions are - restrain characteristic. For example in a differential
performed by the microcontroller. protection, all possible internal faults, the operate
(differential) current must be well above the operate -
The internal communication between the main CPU bias characteristic. Dependability can be enhanced by
module and the I/O boards including the power supply, incorporating several different sub-protections into the
GPS modules etc is carried out by a Master-Master application functional library
serial data bus, CAN bus. Each I/O module and the
CPU module have a special hardware circuit for the For example, the Negative Sequence Sensitive
communication control. The bus is continuously Differential Protection detects a small inter-turn faults
supervised. As soon as an incorrect message is detected, in transformers before they can develop into more
determined by a single node, the message is repeated. severe (and much more costly to repair!) faults
Via different built in facilities in the CAN bus excellent including transformer's iron core. Another example is
facilities for error detecting and correction is provided. the Unrestrained Negative Sequence Protection which is
I.e. a faulty node can be identified and disregarded, very fast and makes the Relion 670 transformer
without disturbing any other node. The error handling is protection type RET 670 one of the absolutely fastest
rather sophisticated, with counters for error messages, differential protections on the market.
bus.
9.2 Security (ability not to operate for external
Binary in Binary Output disturbances):
Most of the electronics is supervised. However, the
Binary in opto-coupler circuits and the Binary output All decisions on all decision levels must be confirmed
relays are not supervised. The probability for a fault was several times in succession in order to take a decision
considered to be too low to justify additional circuitry and go to the next level. The final trip command request
for self supervision. The final check to activate the I/O must be confirmed at least twice in order to issue a trip
input and output circuits cannot be performed, thus command on the output of the protection. In the current
limiting the self supervision possibilities. The binary differential protection type RE 670, five consecutive trip
input/outputs can only be checked by manual testing or decisions must be made before issuing an output close
by monitoring the performance during events in normal command.
service.
The so called "cross-block" is an excellent measure to
EMC- components. make a transformer differential protection more secure.
Additional components are used to improve the Even if a user does not apply it, it is temporarily
interference withstand capability, both for IEC tests and introduced when an external fault is detected by the
interference in service. Such components are not internal/external fault discriminator.
supervised. Typical components are MOV, metal oxide The harmonic block algorithm and the waveform
varistors, which limits the over voltages to a specified (pattern recognition) algorithms are excellent measures
level, capacitors which limits and slows down which prevent maloperation under normal events such
interference spikes. as energizing of the power transformer. The three-
section operate - restrain characteristic with a high slope
9. IMPACT ON DEPENDABILITY AND in the third section is a measure in order to prevent
SECURITY BY SELF SUPERVISION. maloperation due to CT saturation.
The impact on dependability and security are evaluated
at many levels of the application software, for example Sometimes the user can decide what to emphasize, the
if data are relevant or not, to trip or not to trip based on dependability or security. Such an example is the
consecutive or parallel decisions. directional characteristic of the internal/external fault
Dependability and Security are unfortunately in conflict, discriminator. In the following figure, the security is
for example, a trade off for a higher degree of security is higher that dependability:
inevitably a lower degree of dependability. An optimal
balance must be found. For example protection of
power transformers, where external faults are much
more common than the relatively few and rare between
faults and security is at least as important as
dependability.
ABB AB 16
%
Trajectory of local (Current Terminal 1) contribution to total neg. seq. diff. current
90
No directional
1,0
120 60
test done: Manual testing with
neither
external, Excursion two years interval I. Manual testing (α = 90 %)
nor internal 150 15ms 30 from 0 deg
fault due to
declared transient 0,1
II. Self supervision (α = 90 %)
26ms ct saturation
8ms
180 0
External 0.1
Internal 0,01
fault fault
region 0.2
210 330 declared
0.3 kA here 8 ms
after fault
0.4 kA
240 300
years
0 10 20
270
Local contribution to total negative sequence diff. current
Directional limit (within ± 60 degrees is an internal fault)
Figure 34. Probability of failure to operate for a single
protection.
Figure 32 Negative sequence protection
For numerical equipment the self supervision can be
In conventional schemes, security is enhanced by series given a α > 85 % with very limited influence on the
connection of protections at the cost of dependability complexity of the software. Thus, self supervision in
(and availability). On the other hand, dependability may numerical equipment significantly improves both
be increased with parallel protections, at the cost of security and dependability.
security. A rely with self supervision can be considered
to give improvements both in dependability and security When the resulting probability of failure to operate of a
according to figure 33 single protection manually tested cannot be accepted a
redundant protective relay has to be used. Only by
Probability of missing
function
redundant protective relays a substantial increase in the
Redundant relay scheme dependability can be achieved.
R R
with two relays in series
ABB AB 17
and 2 protective relay’s are "ideal", i.e. are not maintain a reliable fault clearing is manual maintenance
introducing any new risks for failure to operate. testing at regular intervals. Therefore, an advanced and
well-proven test system like the ABB COMBITEST
10. ADDITIONAL SUPERVISION VIA PROCESS together with regular manual tests including the whole
SIGNALS fault clearing system cannot be replaced with automatic
The process signals can also be utilized for self testing or supervision.
supervision connected to a binary output and to the
HMI, local or remote via a SMS or SCS system. However, the experience so far indicates that the
interval for manual tests can be significantly prolonged.
• The unsymmetry current check can be coupled to an The recommendation is maintenance intervals of 6 year.
alarm output and detects faulty parts in the current Also additional methods, e.g. supervision of the
circuits IL1, IL2, IL3. performance of the fault clearing including the
protection equipment via disturbance recorders and
Eventually also the following functions can be utilized, event recorders are new tools to check the fault clearing
but the difficulty is to distinguish between relevant and capability, which can prolong the interval for regular
irrelevant information. preventive manual maintenance testing.
The mean time to repair MTTR for the Relion 670
• The low voltage check can detect faulty parts in the series is > 100 years, which supports the conclusion that
voltage circuits for UL1,UL2, UL3 and be coupled to the regular maintenance intervals can be prolonged.
an output.
Main conclusion
• The disturbance recorder triggering facilities can Self supervision of protection and control
detect faults in the analogue inputs ( 5I, 5 U), <I >I,
<U, >U etc. and be connected an output. hardware and software reduces both
downtime as well as the maintenance costs,
• The overload function can detect faults in IL1, IL2, as the regular maintenance periods can be
IL3 and be connected to an output. extended.
In addition to the process signals, all phasor values are
available. The phasor values have not (yet) been utilized
for self supervision. However, the acceptable limits for
deviation or e.g. comparison between Main 1 and Main
2 can fairly easy be performed via an SMS or SCS
system.
11 Conclusions
The conclusion by a joint study of two utilities in
Sweden was that automatic testing or supervision
cannot fully replace manual testing when increased
dependability is concerned. The main reason is that not
the whole fault clearing system can be tested. Self
supervision will increase the dependability, security
and availability of the protection equipment, but will
have the main impact on security
ABB AB 18
Contact us
ABB AB
Substation Automation Products
SE-721 59 Västerås, Sweden
Phone +46 (0) 21 34 20 00
www.abb.com/substationautomation