01 - Keynote Address - Protection Dependability and Security - V2
Keynote Address:
Protection : The Conflicting Requirements
of Dependability and Security
Barrie Moor
Principal Engineer, Power System Protection Training
A fault on the electricity power system may endanger lives, damage the
affected equipment, or expose other equipment to damage. In its broadest
sense, the terminology of “a power system fault” would apply to any event that
threatens the normal operation of the power system. Typically the events
under consideration involve a breach of insulation as one component becomes
electrically connected to another component at a different potential. This, for
example, would apply to phase to ground or phase to phase faults due to
clashing conductors, contact by a tree, lightning strike, flash-over or puncture of
insulation, etc. However, please be aware that mechanical and thermal events
may also constitute a “fault”, via events such as simple overheating of a
transformer, generator overload, generator unbalanced loading or even system
under and over frequency events. In all cases, protection does not prevent
these events from occurring. We can minimize the possibility of such
occurrences via power system design, but must acknowledge that, even with
the best design, such events will still occur. The protection system will then serve
to mitigate the consequences of those events.
Introduction
Considerations in specifying and designing a power system protection scheme
include:
In addition, in the case of supply via the major distribution and transmission
corporations, the aspect of system stability becomes important, and in fact, this
requirement may well require higher performance from the protection system
than the foregoing. The real power (Megawatts) that is transmitted across the
power system is given by the equation:
$$P = \frac{V_1 \cdot V_2}{X} \cdot \sin(\phi)$$
Where:
As a result, we note that the voltage drop across the power system has little
effect on the real power flow (in fact, voltage drop basically governs the MVar
or reactive power flow). Instead, the reactance of the interconnecting power
system and the voltage angle difference are the dominant factors. This angle
must be maintained well below 90º, as sin(φ) reaches its
maximum of 1.00 at 90º. Allowing for a feeder to drop out of service, and thus
for the reactance (X) from source to load to subsequently increase, requires a
good measure of safety on this angle.
In addition, we recognise that during a power system fault, this angle will
“wobble about”. A slow clearing fault could cause the power system to become
unstable. However, if the fault is cleared quickly, the power system will
maintain stability and the generators will remain in synchronism.
Hence, the final two criteria for our protection scheme are that it must:
Hence, for connection to the National Electricity Grid (Eastern States), the
Australian National Electricity Rules (NER) provide “Automatic Access
Standards” as tabulated below:
“Faulted End” refers to faults within the substation, or on the first 50% of outgoing
feeders. “Remote End” refers to faults on outgoing feeders, beyond the 50% point.
Note that these are the “Automatic Access Standard” times. It is not mandatory
that these times be met. What is mandatory (and will be automatically met if
the above times can be achieved), is to actually meet three criteria:
Dependability Security
In addition, note that security of the protection system does not simply refer to
not operating (or tripping) in the event of power system faults for which it was
not intended to operate. Security also requires maintaining protection scheme
stability under many other circumstances such as:
• Electrical noise.
• Normal human activities such as testing, etc.
• Vibration.
• Loss / restoration of DC auxiliary supply.
• Loss of input quantity (eg. VT voltage input).
• Relay component failure.
• Quality of workmanship.
• Quality of components.
• Works testing.
• Maintenance.
Which will we favour? Well, for example, in the case of a 100km overhead
transmission line, it would not be unreasonable to expect 1 fault (lightning
strike, etc.) per year. Conversely, when considering protection to cover the
event of a CB failing to clear, one would note that such events are very rare,
perhaps once per decade even in a very large transmission system. But, the
consequences of such a CB Fail event will be enormous. Thus, in weighing the
protection design features associated with these conflicting requirements of
• DC Supplies:
− Separate batteries for the two protection systems … or
− Single, well maintained battery, and separately fused supplies to the two
protection systems.
• CTs:
− Separate secondary windings for the two schemes.
• VTs:
− Separate secondary windings to the two schemes … or
− Single secondary winding but with separately fused supplies to the two
schemes.
• CBs:
− Separate trip coils for the two schemes.
− CB Fail scheme to provide for overall CB failure.
This leaves us with a number of options, and the choice will be based on
economics, and our qualitative analysis of the probability and consequences of
system events (the need for dependability) and the probability and
consequences of maloperations (the need for security).
Hence, using the “X” / “Y” terminology, a typical duplicate main protection
scheme would have:
• “X” protection, supplied from the “X” battery, connected to the “X” CT & “X”
VT supplies and tripping the CB “X” trip coil via the “X” battery.
• “Y” protection, supplied from the “Y” battery, connected to the “Y” CT & “Y”
VT supplies and tripping the CB “Y” trip coil via the “Y” battery.
• And then, to cover the (remote) possibility of a CB failing to clear, we also
implement a CB Fail scheme, perhaps also duplicated.
• Main & Local Backup Protection : A single high speed relay is installed
together with a slower back-up relay. Thus, normally only the high speed
relay will operate.
• Main & Remote Backup Protection : Single protection only is installed. This
is backed up by slower remote protection installation(s).
Back-up Protection
In the case of the back-up protection philosophy, we must note that failure of
the main scheme to trip could be due to relay failure, DC system failure, CT or
VT supply failure, and also due to failure of the circuit breaker itself.
Hence, the design comprising a single main protection relay, with remote back-
up, typically is applied to radial systems and thus:
To overcome this, we elect to implement a design where main and local back-
up protections are implemented. This philosophy finds application on meshed
networks. With good diversity of protection equipment, and with good
secondary system design, common modes of failure can be reasonably
eliminated (Note that 100% elimination is not absolutely possible, eg. panel
fire(s) may disable both schemes). However, to accommodate the possibility of
failure of the circuit breaker itself, a CB fail scheme also is implemented.
• A scheme for locally detecting and dealing with failure of a circuit breaker to
clear a fault.
• Needs to be very secure, as it generally trips more than one circuit breaker,
perhaps an entire busbar or even an entire substation.
However, we need to recognise that the CB Fail event is very rare. Also, note
that the CB Fail protection trips many circuit breakers. With these aspects in
mind, typical CB Fail protection design favours security. Hence, the simple CB
Fail timer philosophy will also be interlocked with a CB auxiliary contact (as
confirmation that the CB has actually failed to operate) or more likely, a CB
Current Check facility (as confirmation that the CB has actually failed to
interrupt the current flow):
• Advantages:
− The reset time of the relay plays no role, since the timer resets as soon
as the breaker opens.
− It works with low level faults, such as incipient faults in transformers, as
long as they are seen by the protection.
− It is easy to set - only a timer setting is required.
• Disadvantages:
− Does not provide for the case where the CB mechanism opens but fails
to clear the fault.
• Uses an overcurrent check relay to detect that current has stopped flowing.
• ie. Not that the CB has operated, but that it has actually interrupted the flow
of current.
• Overcurrent check relay must be specially designed to have fast reset time.
• Setting may be above load to provide additional security.
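The two CB Fail interlocks described above, run side by side over four constructed cases. This is an added example, not part of the original paper; the 150 ms timer, the 1200 A current check setting and all sample traces are assumptions chosen for illustration.

```python
from dataclasses import dataclass

TIMER_MS = 150      # assumed CB Fail timer setting
PICKUP_A = 1200.0   # assumed current check setting, above load for security

@dataclass
class Sample:
    t_ms: int         # time since the protection issued its trip
    cb_closed: bool   # CB auxiliary contact: True while the mechanism is closed
    current_a: float  # primary current through the CB

def trace(open_at_ms, clear_at_ms, fault_a, step_ms=10, end_ms=300):
    """Constructed recording; None for open_at_ms or clear_at_ms means 'never'."""
    return [Sample(t,
                   open_at_ms is None or t < open_at_ms,
                   fault_a if clear_at_ms is None or t < clear_at_ms else 0.0)
            for t in range(0, end_ms + 1, step_ms)]

def cb_fail_aux(samples, timer_ms=TIMER_MS):
    """Timer interlocked with the auxiliary contact. Returns operate time or None."""
    for s in samples:
        if not s.cb_closed:
            return None          # timer resets as soon as the breaker opens
        if s.t_ms >= timer_ms:
            return s.t_ms        # mechanism still closed at time-out: CB Fail trip
    return None

def cb_fail_current(samples, timer_ms=TIMER_MS, pickup_a=PICKUP_A):
    """Timer interlocked with a current check. Returns operate time or None."""
    for s in samples:
        if s.current_a < pickup_a:
            return None          # current interrupted, or never above the setting
        if s.t_ms >= timer_ms:
            return s.t_ms        # current still flowing at time-out: CB Fail trip
    return None

SCENARIOS = {   # constructed cases, not measurements
    "healthy CB clears at 60 ms":     trace(60, 60, 8000.0),
    "mechanism stuck closed":         trace(None, None, 8000.0),
    "opens but fails to clear":       trace(60, None, 8000.0),
    "stuck, low-level (150 A) fault": trace(None, None, 150.0),
}

def compare():
    """Map each scenario to (aux-contact result, current-check result)."""
    return {name: (cb_fail_aux(s), cb_fail_current(s)) for name, s in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (aux, cur) in compare().items():
        print(f"{name:32s} aux-contact: {aux}  current-check: {cur}")
```

Only the current check operates when the mechanism opens without clearing the fault, and only the auxiliary contact interlock operates for the low-level fault below the current check setting.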
Protection Zones
Some engineers have been known to refer to the “ART” of protection, rather
than the “Science”. The result is that there may be many “right” ways to
implement protection schemes, but the “art” that makes some implementations
correct (and some not so), is being able to:
The easiest way to achieve the above is to consider the power system via
“zones” and to implement protection schemes to cover faults within those
zones. Some back-up functionality may also be provided to cover adjacent
zones and to provide remote back-up protection functionality. Thus, for
example, we may implement protection to cover faults within a feeder zone, or
a transformer zone, or a bus zone, etc.
With reference to the above figure, note the selection of protection zones, but
also note the fact that the zones overlap. This is necessary, as otherwise there
would be small un-protected areas between the zones. Conversely, this design
has the drawback that a fault within one of those “overlap” areas will actually
result in operation of both protection schemes. The fault will be cleared, but
unnecessary tripping of circuit breakers in the second zone will also occur.
This cannot be avoided. But we must also note that such an “overlap zone”
fault is incredibly rare. Illustrated below is a simple arrangement to implement
duplicate feeder and duplicate bus zone protection, with the necessary overlap.
With the feeder protection connected to current transformers (CTs) on the bus
side of the CB, and bus protection connected to CTs on the feeder side, the
necessary overlap is achieved. A fault in this “overlap zone”, either side of the
CB, will trip both feeder and bus protection. This design, with CTs located on
both sides of the CB, can be achieved with dead tank CBs or in metal clad
This design has an additional weakness in that a fault in the small “zone”
between the CT and circuit breaker results in incorrect tripping. Such a fault is
extremely unlikely, but the outcome would be only tripping of the bus zone
protections, and failure to trip the feeder protection. The fault remains fed from
the other end of the feeder, while the bus is tripped unnecessarily. This is
referred to as a “blind spot”, or “small zone”, or “dead zone”. Special logic built
into the CB Fail current check protection schemes is used to ensure clearance
of such faults. The bus still trips unnecessarily, but the CB Fail scheme
ensures that the feeder remote end CB also trips to finally clear the fault.
Unit Protection
The unit protection scheme is the easiest way to achieve the desired protection
zones. By simply monitoring the current flow into, and out of, an item of plant,
the zone is established. As an analogy, if the water flowing into a pipe also
flows out, then there is no hole in the pipe. Hence, the zone of protection is
exactly defined by the location of the measurement devices, namely the current
transformers to measure the current flowing in and out.
[Figure: LZ Biased Diff Relay; HZ Diff Relay]
In all cases:
• There is no need for time grading unit protection with other protection.
• There is virtually no need for regular review of settings.
• It does not place restrictions on load transfer.
• It does not provide remote backup for adjacent zones of protection.
• A means of communicating the boundary conditions to the relay is required.
Non-Unit Protection
In the non-unit scheme, we simply monitor the network at a single point. As an
analogy … If the water flowing into a pipe is normally 100 l/min, and it suddenly
rises to 500 l/min, there must be a hole in the pipe. However, in such an
installation, boundaries of operation are indeterminate, and are dependent on:
However, we have to recognise that when we allow for the inaccuracy of the
relays, the CTs and our theoretical calculations of fault current flow, the actual
zone of protection may exceed, or may fall short of, our nominal limit. In
addition, if current flow is likely to change with the amount of generating plant in
service, this adds another level of uncertainty of the actual reach of the zone
into the power system. Hence, simple over current protection is best suited to
distribution power systems where fault levels do not change significantly.
Hence, on higher voltage systems, perhaps from 66kV, and certainly from
110kV and above, a more sophisticated non-unit protection scheme may be
employed. By also including the voltage in the relay algorithm, the relay can
effectively determine the impedance of the system in either the forward or
reverse directions. The relay will be configured to “look” in the forward
direction, and thus will normally measure impedance to be that of the
connected feeder plus the series and parallel combination of out-going feeders
and load at the next substation. This value will be well in excess of 100% of
feeder impedance.
However, in the event of a feeder fault, the voltage falls, current rises, and the
measured impedance will be less than 100% of feeder impedance. The
distance relay can operate. High speed tripping will be effected for faults up to
about 80% of feeder impedance.
Why 80%? We still need to recognise that there will still be uncertainty in the
actual exact “reach” of the relay, due to errors in all of the equipment and even
the accuracy with respect to the actual impedance of the feeder.
Hence, for example, a relay set to “see” 20 km into the power system, may only
see 18km, or it could see 22km, based on ±10% errors. The skill of the
protection engineer is to ensure that the minimum of 18km does meet the
protection needs of the system, while the possible maximum of 22km will never
cause a mal-trip for an event beyond the next substation. Thus, in this 20km
feeder example, we allow safety margins, whereby high speed tripping would
be effected for faults measured to be within the first 16km of the feeder. This is
known as “Zone 1”, and has sufficient safety margin to absolutely guarantee
that it will never trip for a fault beyond the feeder zone. From 16 to 24km,
“Zone 2” is implemented. Tripping will still be effected, but now with time
coordination to allow for the fact that this second zone can detect faults beyond
the end of the feeder, that is, on out-going feeders beyond the next substation.
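The 20km feeder example above, worked as a settings check plus a simple zone decision from measured voltage and current. This is an added example, not part of the original paper; the 0.4 Ω/km feeder impedance and the voltage and current values are constructed, and the relay's directional element is left out.

```python
FEEDER_KM = 20.0   # feeder length from the text
ZONE1_KM = 16.0    # Zone 1 setting from the text (80% of the feeder)
ZONE2_KM = 24.0    # Zone 2 setting from the text
Z_PER_KM = 0.4     # assumed feeder impedance in ohms per km

def reach_band(setting_km, err=0.10):
    """Actual reach may fall anywhere between these limits for a given setting."""
    return setting_km * (1 - err), setting_km * (1 + err)

def check_settings(feeder_km, zone1_km, zone2_km, err=0.10):
    """Test the zone settings against the worst-case reach errors."""
    _, z1_max = reach_band(zone1_km, err)
    z2_min, z2_max = reach_band(zone2_km, err)
    return {
        "zone1_never_overreaches": z1_max < feeder_km,   # security
        "zone2_covers_feeder": z2_min > feeder_km,       # dependability
        "zone2_needs_time_grading": z2_max > feeder_km,  # sees past next substation
    }

def classify(v_volts, i_amps, z_per_km=Z_PER_KM,
             zone1_km=ZONE1_KM, zone2_km=ZONE2_KM):
    """Convert measured impedance |V/I| to distance and compare with the zones."""
    distance_km = abs(v_volts / i_amps) / z_per_km
    if distance_km <= zone1_km:
        return "zone 1: high speed trip"
    if distance_km <= zone2_km:
        return "zone 2: time-delayed trip"
    return "no trip"

# Constructed measurements (volts, amps), not recorded data.
MEASUREMENTS = {
    "normal load":     (63500.0, 300.0),   # about 212 ohms, far beyond both zones
    "fault at 10 km":  (20000.0, 5000.0),  # 4.0 ohms
    "fault at 19 km":  (30400.0, 4000.0),  # 7.6 ohms
}

if __name__ == "__main__":
    print(check_settings(FEEDER_KM, ZONE1_KM, ZONE2_KM))
    print(check_settings(FEEDER_KM, FEEDER_KM, ZONE2_KM))  # Zone 1 set to 100%
    for name, (v, i) in MEASUREMENTS.items():
        print(f"{name:16s} {classify(v, i)}")
```

Setting Zone 1 to the full 20km fails the first check, because a +10% error would let it reach 22km, beyond the next substation.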
Acknowledgements
Many of the Images, Tables, Figures, and Technical Discussions included in
this paper, and also the associated PowerPoint presentations, have been
sourced from and re-produced with the kind permission of the seminar author,
as follows:
• www.powersystemprotection.com.au
• email: bmoor@powersystemprotection.com.au