
Keynote Address: Protection_The Conflicting Requirements of Dependability and Security

Keynote Address:
Protection: The Conflicting Requirements
of Dependability and Security

Barrie Moor
Principal Engineer, Power System Protection Training

A fault on the electricity power system may endanger lives, damage the
affected equipment, or expose other equipment to damage. In its broadest
sense, the terminology of “a power system fault” would apply to any event that
threatens the normal operation of the power system. Typically the events
under consideration involve a breach of insulation as one component becomes
electrically connected to another component at a different potential. This, for
example, would apply to phase to ground or phase to phase faults due to
clashing conductors, contact by a tree, lightning strike, flash-over or puncture of
insulation, etc. However, please be aware that mechanical and thermal events
may also constitute a “fault”, via events such as simple overheating of a
transformer, generator overload, generator unbalanced loading or even system
under and over frequency events. In all cases, protection does not prevent
these events from occurring. We can minimise the possibility of such
occurrences via power system design, but must acknowledge that, even with the
best design, such events will still occur. The protection system then serves
to mitigate the consequences of those events.

Introduction
Considerations in specifying and designing a power system protection scheme
include:

• Safety: Power system employees and the general public alike.
• Minimise damage to the affected power system plant.
• Minimise the consequential damage to otherwise unaffected components of
the power system.
• Provide back-up to cover the (unlikely) event of a circuit breaker (CB) failing
to clear the fault.
• Only trip the faulted item of plant.
• Comply with all relevant acts and regulations.

4th Australasian High Voltage Conference – Perth 2015



In addition, in the case of supply via the major distribution and transmission
corporations, the aspect of system stability becomes important, and in fact, this
requirement may well require higher performance from the protection system
than the foregoing. The real power (Megawatts) that is transmitted across the
power system is given by the equation:

$$P = \frac{V_1 \cdot V_2}{X} \cdot \sin(\varphi)$$

Where:

• V1 = sending end voltage.
• V2 = receiving end voltage.
• X = reactance of the power system between send and receive ends.
• φ = angle between the send and receive end voltages.

As a result, we note that the voltage drop across the power system has little
effect on the real power flow (in fact, voltage drop basically governs the MVar
or reactive power flow). Instead, the reactance of the interconnecting power
system and the voltage angle difference are the dominant factors. The angle
must be maintained well below 90º, as sin(φ) reaches its
maximum of 1.00 at 90º. Allowing for a feeder to drop out of service, and thus
for the reactance (X) from source to load to subsequently increase, requires a
good measure of safety on this angle.

In addition, we recognise that during a power system fault, this angle will
“wobble about”. A slow clearing fault could cause the power system to become
unstable. However, if the fault is cleared quickly, the power system will
maintain stability and the generators will remain in synchronism.

Alternatively, power system stability can also be improved by initially
transferring less power, thus with a smaller starting point of this angle, φ. That
is, we constrain the power system to a smaller power transfer and thus offset
the effects of slow clearing protection schemes.
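
The trade-off between power transfer, angle and clearing time can be put into numbers. The following is an added example, not part of the original paper, and it goes beyond the text by applying the classical equal-area criterion to one machine against a stiff system. The per-unit reactances, the inertia constant H, the 50 Hz frequency and the assumption that transfer falls to zero during the fault are all illustrative assumptions.

```python
import math


def transfer_angle_deg(p, v1, v2, x):
    """Angle phi (degrees) needed to transfer p, from P = V1*V2/X * sin(phi)."""
    ratio = p * x / (v1 * v2)
    if ratio > 1.0:
        raise ValueError("transfer exceeds V1*V2/X: no steady-state angle exists")
    return math.degrees(math.asin(ratio))


def critical_clearing_time_s(p, p_max, h_s, f_hz):
    """Longest fault duration for which synchronism is kept (equal-area criterion).

    Assumptions (not from the paper): a single machine against a stiff system,
    electrical power transfer is zero while the fault is on, and the same
    p_max = V1*V2/X is available again once the fault is cleared.
    p and p_max are in per unit, h_s is the inertia constant in seconds.
    """
    d0 = math.asin(p / p_max)          # starting angle before the fault
    d_max = math.pi - d0               # last angle at which the rotor still decelerates
    # Accelerating area (fault on) = decelerating area (fault cleared)
    cos_dcr = (p / p_max) * (d_max - d0) + math.cos(d_max)
    d_cr = math.acos(cos_dcr)          # critical clearing angle
    # With zero transfer the angle grows as d0 + (pi*f*p / (2*H)) * t^2
    return math.sqrt(2.0 * h_s * (d_cr - d0) / (math.pi * f_hz * p))


# Constructed network: 0.2 pu source reactance plus two parallel 0.6 pu feeders.
X_SOURCE = 0.2
X_FEEDER = 0.6
X_BOTH_IN = X_SOURCE + X_FEEDER / 2.0   # 0.5 pu with both feeders in service
X_ONE_OUT = X_SOURCE + X_FEEDER         # 0.8 pu after one feeder drops out
H_SECONDS = 4.0                         # assumed inertia constant
F_HZ = 50.0


def summary():
    """Angle and clearing-time figures for a full and a constrained transfer."""
    rows = []
    for p in (1.0, 0.6):
        rows.append({
            "p_pu": p,
            "angle_both_in": transfer_angle_deg(p, 1.0, 1.0, X_BOTH_IN),
            "angle_one_out": transfer_angle_deg(p, 1.0, 1.0, X_ONE_OUT),
            "t_crit_ms": 1000.0 * critical_clearing_time_s(
                p, 1.0 / X_BOTH_IN, H_SECONDS, F_HZ),
        })
    return rows


if __name__ == "__main__":
    for row in summary():
        print("P = {p_pu:.1f} pu: angle {angle_both_in:.1f} deg, "
              "{angle_one_out:.1f} deg with one feeder out, "
              "critical clearing time {t_crit_ms:.0f} ms".format(**row))
```

Reducing the transfer from 1.0 pu to 0.6 pu lowers the starting angle and lengthens the clearing time the system can tolerate, which is the constraint described above.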

Hence, the final two criteria for our protection scheme are that it must:

• Maintain system stability.
• Not introduce system constraints.

Hence, for connection to the National Electricity Grid (Eastern States), the
Australian National Electricity Rules (NER) provide “Automatic Access
Standards” as tabulated below:


Maximum Fault Clearance Times (milliseconds from fault inception)

System              Faulted End   Remote End   CB Fail
≥400kV              80            100          175
≥250kV to <400kV    100           120          250
>100kV to <250kV    120           220          430
≤100kV              As necessary to prevent plant damage and meet stability requirements

“Faulted End” refers to faults within the substation, or on the first 50% of outgoing
feeders. “Remote End” refers to faults on outgoing feeders, beyond the 50% point.

Note that these are the “Automatic Access Standard” times. It is not mandatory
that these times be met. What is mandatory (and will be automatically met if
the above times can be achieved), is to actually meet three criteria:

• Maintain system stability.
• Not introduce system constraints; ie. not to constrain power system inter or
intra regional power flows.
• And to meet both of the above even upon the failure of any one element of
the protection system.

The 3rd aspect basically mandates the installation of duplicate protection
schemes capable of detecting and clearing every power system fault. The
success of a single protection scheme to detect and clear a fault cannot be
guaranteed. Thus, introducing two protection schemes improves the
dependability of the overall protection system, namely its ability to operate
correctly for all faults for which it is intended to operate. But, we must also note
that protection schemes actually have two failure modes, namely:

• Failure to operate when required.
• Operation when not required.

Hence, improving the dependability of the protection system will simultaneously
reduce its security. By implementing a second scheme, we have thus also
introduced an additional failure mode whereby we have increased the
probability of some component of the overall protection system operating
incorrectly; ie. under circumstances when it should not do so.


Protection Scheme Dependability and Security


Thus, we could define the reliability of the protection system via a combination
of both its dependability and its security. But we note that there will always be
a compromise between these two conflicting requirements. That is, as the
protection system becomes more dependable it must simultaneously become
less secure … and vice versa.

[Figure: beam balance between Dependability and Security]

In addition, note that security of the protection system does not simply refer to
not operating (or tripping) in the event of power system faults for which it was
not intended to operate. Security also requires maintaining protection scheme
stability under many other circumstances such as:

• Electrical noise.
• Normal human activities such as testing, etc.
• Vibration.
• Loss / restoration of DC auxiliary supply.
• Loss of input quantity (eg. VT voltage input).
• Relay component failure.

Dependability is enhanced by meeting the code requirement of duplication, but
also by ensuring:

• Quality of workmanship.
• Quality of components.
• Works testing.
• Maintenance.

Which will we favour? Well, for example, in the case of a 100km overhead
transmission line, it would not be unreasonable to expect 1 fault (lightning
strike, etc.) per year. Conversely, when considering protection to cover the
event of a CB failing to clear, one would note that such events are very rare,
perhaps once per decade even in a very large transmission system. But, the
consequences of such a CB Fail event will be enormous. Thus, in weighing the
protection design features associated with these conflicting requirements of
dependability and security, it is necessary to make a somewhat qualitative
decision based on:

• The probability of the fault occurring.
• The consequences of failing to trip for that fault.
• The probability of security issues resulting in a spurious protection scheme
operation.
• The consequences of that spurious protection operation.

Fortunately, the technological advances of modern relays, microprocessor
design and system integration have led to a simultaneous improvement in
speed, sensitivity, dependability and security. We still have the “beam balance”
between dependability and security, but with modern relays and designs, we
have effectively raised the beam!!

Protection Scheme Duplication


In providing duplicate protection schemes, it is not just a matter of providing a
second protection relay. We need to consider all of the ancillary functions that
make up the protection scheme, including:

• DC Supplies:
− Separate batteries for the two protection systems … or
− Single, well maintained battery, and separately fused supplies to the two
protection systems.
• CTs:
− Separate secondary windings for the two schemes.
• VTs:
− Separate secondary windings to the two schemes … or
− Single secondary winding but with separately fused supplies to the two
schemes.
• CBs:
− Separate trip coils for the two schemes.
− CB Fail scheme to provide for overall CB failure.

This leaves us with a number of options, and the choice will be based on
economics, and our qualitative analysis of the probability and consequences of
system events (the need for dependability) and the probability and
consequences of maloperations (the need for security).


Duplicate Main Protection


On transmission systems above 100kV, and certainly those of 220kV and
higher, typical protection design is based on duplicate main protection. In this
design, two protection schemes are implemented, with as much diversity as
possible, thus eliminating, as far as possible, any common modes of failure.
These will be high speed protection schemes, and it would be expected that
both schemes will trip for all system faults. Yes, we acknowledge that one
relay scheme will trip faster. However, within the circuit breaker opening time,
the second scheme will also operate. Hence, we expect to see both trip
indicators activated on the protection panel. Different organisations have
different terminology to describe these systems, some examples being:

• Main 1 and Main 2.
• “X” and “Y”.
• “A” and “B”.
• Set 1 and Set 2.

Hence, using the “X” / “Y” terminology, a typical duplicate main protection
scheme would have:

• “X” protection, supplied from the “X” battery, connected to the “X” CT & “X”
VT supplies and tripping the CB “X” trip coil via the “X” battery.
• “Y” protection, supplied from the “Y” battery, connected to the “Y” CT & “Y”
VT supplies and tripping the CB “Y” trip coil via the “Y” battery.
• And then, to cover the (remote) possibility of a CB failing to clear, we also
implement a CB Fail scheme, perhaps also duplicated.

Main and Back-up Protection


On distribution systems of 66kV and lower, typical protection design is likely to
be based on just a single high speed protection scheme. However,
acknowledging that failure of this single protection scheme is not only possible,
but also unacceptable, a second scheme is installed. This second, or back-up
scheme, will be less expensive, but slower to operate. Hence with this main /
back-up design, the back-up relay will only be expected to operate upon failure
of the main scheme. Two design options exist:

• Main & Local Backup Protection : A single high speed relay is installed
together with a slower back-up relay. Thus, normally only the high speed
relay will operate.
• Main & Remote Backup Protection : Single protection only is installed. This
is backed up by slower remote protection installation(s).


Back-up Protection
In the case of the back-up protection philosophy, we must note that failure of
the main scheme to trip could be due to relay failure, DC system failure, CT or
VT supply failure, and also due to failure of the circuit breaker itself.

In the case of single main protection, in conjunction with a remote back-up
facility, all failure modes are accommodated. A remote relay trips upstream
CB(s), so there is absolutely no common mode cause of failure. Coordination
of the schemes is usually reasonably easy to achieve on pure radial systems.
This would apply to 11kV systems, and perhaps even to 33kV distribution
systems. It is how the supply to your house functions! However, on meshed
networks, perhaps of 33kV, but certainly likely on systems of 66kV and above,
coordination usually proves difficult to achieve.

Hence, the design comprising a single main protection relay, with remote back-
up, typically is applied to radial systems and thus:

• Protection equipment at substations remote from the fault is called upon to
clear the fault.
• It is economical … no extra schemes are required.
• The entire substation where the breaker or protection fails is lost.
• It is generally slow (400msec minimum to 5 sec).
• It provides backup for a failed CB.
• It provides backup for all modes of protection scheme failure.
• Settings:
− Are time consuming to calculate.
− Often need review.
− Often are not able to be made sensitive enough to achieve remote
coverage for all fault locations, especially on meshed networks where
infeed is a problem.
− Are sensitive to system configuration changes and expansions.


Remote Back-up Protection


[Figure: meshed network diagram with nodes A, B, C, D and E]

• Fault occurs on feeder B-E
• Protection at E trips CB
• Failure at B
‒ Relay fail
‒ DC system fail
‒ CB fail
• Relays trip feeders at A and D
• Fault now cleared
• Total loss of supply to B
• Total loss of supply to C
• Interconnectors all tripped
• No additional systems required
• Cheap and nasty!!

Clearance of the fault is effected by utilising protection equipment
already existing at remote sites. These operate in a time delayed
back-up function, clearing the fault, but with a major disruption
to the network.

Hence, we note on the above meshed network, a CB failure results in a
massive and probably unacceptable disruption to network supply and security.

To overcome this, we elect to implement a design where main and local back-
up protections are implemented. This philosophy finds application on meshed
networks. With good diversity of protection equipment, and with good
secondary system design, common modes of failure can be reasonably
eliminated (Note that 100% elimination is not absolutely possible, eg. panel
fire(s) may disable both schemes). However, to accommodate the possibility of
failure of the circuit breaker itself, a CB fail scheme also is implemented.

Essentially, the CB Fail scheme is based on a simple philosophy whereby the
CB is expected to operate and interrupt the current flow within a manufacturer
specified time. CB Fail protection uses a simple time delay interlock feature:

• A scheme for locally detecting and dealing with failure of a circuit breaker to
clear a fault.
• Needs to be very secure, as it generally trips more than one circuit breaker,
perhaps an entire busbar or even an entire substation.


However, we need to recognise that the CB Fail event is very rare. Also, note
that the CB Fail protection trips many circuit breakers. With these aspects in
mind, typical CB Fail protection design favours security. Hence, the simple CB
Fail timer philosophy will also be interlocked with a CB auxiliary contact (as
confirmation that the CB has actually failed to operate) or more likely, a CB
Current Check facility (as confirmation that the CB has actually failed to
interrupt the current flow):

Local Back-up & CBF Protection


[Figure: meshed network diagram with nodes A, B, C, D and E]

• Fault occurs on feeder B-E
• Protection at E trips CB
• Failure at B is extremely unlikely
‒ Duplicate or back-up relays
‒ Secure DC system
• But what if the CB itself fails at B
‒ Implement a CB Fail scheme
‒ CBF trips the next line of CBs
• Requires that we have duplicate or main/back-up relaying system
• Requires that we have duplicate or a secure DC system
• Requires CBF system … 2 options
‒ Just a simple CB auxiliary contact status and timer function.
‒ Just a simple CB current check and timer function.
• Good value for money and not nasty!!

The CBF scheme monitors current flow through the CB. If this continues
for too long after the CB should have tripped, backup tripping of the
next line of CBs is initiated.

CB Auxiliary Contact for CBF Protection

• Advantages:
− The reset time of the relay plays no role, since the timer resets as soon
as the breaker opens.
− It works with low level faults, such as incipient faults in transformers, as
long as they are seen by the protection.
− It is easy to set - only a timer setting is required.
• Disadvantages:
− Does not provide for the case where the CB mechanism opens but fails
to clear the fault.


CB Current Check Facility for CBF Protection

• Uses an overcurrent check relay to detect that current has stopped flowing.
• ie. Not that the CB has operated, but that it has actually interrupted the flow
of current.
• Overcurrent check relay must be specially designed to have fast reset time.
• Setting may be above load to provide additional security.

In either case … Local Back-up and CBF Protection:

• Limits the outage to a local bus.
• Is fast - 200msec or less, excluding CB time.
• Settings are:
− Simple to calculate.
− Quite forgiving.
− Rarely need to be reviewed.
− Not unduly sensitive to system configuration or generation pattern.
− Not unduly sensitive to system expansions.
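
The difference between the two CBF interlocks shows up when both are run over the same events. The following is an added example, not part of the original paper: a small time-stepped model of the CBF timer interlocked with either the CB auxiliary contact or the current check. The 150 ms timer, 600 A pickup, fault and load currents and the four scenarios are constructed assumptions.

```python
from typing import NamedTuple


class Sample(NamedTuple):
    t_ms: int          # time since fault inception
    initiate: bool     # protection has issued a trip, so the CBF timer may run
    cb_closed: bool    # CB auxiliary contact status (True = mechanism closed)
    current_a: float   # primary current through the CB


# All settings and waveforms below are constructed for illustration.
TIMER_MS = 150         # CBF time delay (assumed)
PICKUP_A = 600.0       # current check setting, above the assumed 400 A load
FAULT_A = 8000.0
LOAD_A = 400.0


def make_scenario(cb_opens_at=None, current_stops_at=None, current_a=FAULT_A,
                  initiate_at=20, end_ms=300, step_ms=5):
    """Build a sampled record; None means 'never opens' / 'never interrupts'."""
    samples = []
    for t in range(0, end_ms + 1, step_ms):
        closed = cb_opens_at is None or t < cb_opens_at
        flowing = current_stops_at is None or t < current_stops_at
        samples.append(Sample(t, t >= initiate_at, closed,
                              current_a if flowing else 0.0))
    return samples


def cbf_backtrip_time(samples, mode, timer_ms=TIMER_MS, pickup_a=PICKUP_A):
    """Return the time (ms) at which CBF trips the next line of CBs, or None.

    mode "aux":     interlock is the CB auxiliary contact (CB still closed).
    mode "current": interlock is the current check (current still flowing).
    The timer resets as soon as the interlock drops out.
    """
    if mode not in ("aux", "current"):
        raise ValueError("mode must be 'aux' or 'current'")
    started = None
    for s in samples:
        interlock = s.cb_closed if mode == "aux" else s.current_a > pickup_a
        if s.initiate and interlock:
            if started is None:
                started = s.t_ms
            if s.t_ms - started >= timer_ms:
                return s.t_ms
        else:
            started = None
    return None


SCENARIOS = {
    # CB opens and interrupts the fault 50 ms after the trip.
    "healthy CB": make_scenario(cb_opens_at=70, current_stops_at=70),
    # Mechanism never moves; fault current continues.
    "CB stuck closed": make_scenario(),
    # Auxiliary contact shows open, but fault current keeps flowing.
    "mechanism opens, fault not cleared": make_scenario(cb_opens_at=70),
    # Initiate asserted with only load flowing and the CB left closed,
    # for example during testing (constructed case).
    "spurious initiate on load": make_scenario(current_a=LOAD_A),
}


def run_all():
    """Back-trip time per scenario for both interlock types."""
    return {name: {mode: cbf_backtrip_time(samples, mode)
                   for mode in ("aux", "current")}
            for name, samples in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:38s} aux={result['aux']}  current={result['current']}")
```

The auxiliary contact variant misses the case where the mechanism opens without clearing the fault, and the current check set above load stays secure when the initiate is spurious.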

Protection Zones
Some engineers have been known to refer to the “ART” of protection, rather
than the “Science”. The result is that there may be many “right” ways to
implement protection schemes, but the “art” that makes some implementations
correct (and some not so), is being able to:

• Discriminate between faults on different parts of the power system.
• Discriminate between faults and the general operational state of the power
system.

The easiest way to achieve the above is to consider the power system via
“zones” and to implement protection schemes to cover faults within those
zones. Some back-up functionality may also be provided to cover adjacent
zones and to provide remote back-up protection functionality. Thus, for
example, we may implement protection to cover faults within a feeder zone, or
a transformer zone, or a bus zone, etc.


With reference to the above figure, note the selection of protection zones, but
also note the fact that the zones overlap. This is necessary, as otherwise there
would be small un-protected areas between the zones. Conversely, this design
has the drawback that a fault within one of those “overlap” areas will actually
result in operation of both protection schemes. The fault will be cleared, but
unnecessary tripping of circuit breakers in the second zone will also occur.
This cannot be avoided. But we must also note that such an “overlap zone”
fault is incredibly rare. Illustrated below is a simple arrangement to implement
duplicate feeder and duplicate bus zone protection, with the necessary overlap.

With the feeder protection connected to current transformers (CTs) on the bus
side of the CB, and bus protection connected to CTs on the feeder side, the
necessary overlap is achieved. A fault in this “overlap zone”, either side of the
CB, will trip both feeder and bus protection. This design, with CTs located on
both sides of the CB, can be achieved with dead tank CBs or in metal clad
switchgear designs. However, typical high voltage air insulated substations
(AIS) designs have the CTs in a separate assembly to the circuit breaker. It is
uneconomic to install such equipment on both sides of the CB. Hence, a single
CT post, with 4 protection CT cores included, will be installed on just one side
of the CB, typically on the side “away” from the bus bar, as illustrated.
Nevertheless, note that overlapping of protection zones is still achieved.

This design has an additional weakness in that a fault in the small “zone”
between the CT and circuit breaker results in incorrect tripping. Such a fault is
extremely unlikely, but the outcome would be only tripping of the bus zone
protections, and failure to trip the feeder protection. The fault remains fed from
the other end of the feeder, while the bus is tripped unnecessarily. This is
referred to as a “blind spot”, or “small zone”, or “dead zone”. Special logic built
into the CB Fail current check protection schemes is used to ensure clearance
of such faults. The bus still trips unnecessarily, but the CB Fail scheme
ensures that the feeder remote end CB also trips to finally clear the fault.

Unit Protection
The unit protection scheme is the easiest way to achieve the desired protection
zones. By simply monitoring the current flow into, and out of, an item of plant,
the zone is established. As an analogy, if the water flowing into a pipe also
flows out, then there is no hole in the pipe. Hence, the zone of protection is
exactly defined by the location of the measurement devices, namely the current
transformers to measure the current flowing in and out.

The boundaries of operation of unit protection are:

• Exactly identifiable, usually by CT location.
• Independent of system configuration.
• Independent of generation pattern.
• Independent of relay setting.


A number of schemes exist, as illustrated:

[Figure: three unit protection schemes]

• LZ Biased Diff Relay: Relay measures all CT currents and determines
the mismatch.
• HZ Diff Relay: Relay only measures CT spill (mismatch) current.
• Fdr Diff Relays linked by a Communication System: Relays at each end of
the feeder network measure their individual contribution and communicate
that data to all remote end relays. Each relay then independently computes
the overall system mismatch.

In all cases:

• There is no need for time grading unit protection with other protection.
• There is virtually no need for regular review of settings.
• It does not place restrictions on load transfer.
• It does not provide remote backup for adjacent zones of protection.
• A means of communicating the boundary conditions to the relay is required.

Non-Unit Protection
In the non-unit scheme, we simply monitor the network at a single point. As an
analogy … If the water flowing into a pipe is normally 100 l/min, and it suddenly
rises to 500 l/min, there must be a hole in the pipe. However, in such an
installation, boundaries of operation are indeterminate, and are dependent on:

• The relay setting.
• The system configuration (ie. the amount of transmission plant in service).
• The generation pattern.
• The load.


For example, on systems operating up to 66kV, we may simply implement over
current protection which operates in a time coordinated manner when the
current flow exceeds pre-determined levels.

However, we have to recognise that when we allow for the inaccuracy of the
relays, the CTs and our theoretical calculations of fault current flow, the actual
zone of protection may exceed, or may fall short of, our nominal limit. In
addition, if current flow is likely to change with the amount of generating plant in
service, this adds another level of uncertainty of the actual reach of the zone
into the power system. Hence, simple over current protection is best suited to
distribution power systems where fault levels do not change significantly.

Hence, on higher voltage systems, perhaps from 66kV, and certainly from
110kV and above, a more sophisticated non-unit protection scheme may be
employed. By also including the voltage in the relay algorithm, the relay can
effectively determine the impedance of the system in either the forward or
reverse directions. The relay will be configured to “look” in the forward
direction, and thus will normally measure impedance to be that of the
connected feeder plus the series and parallel combination of out-going feeders
and load at the next substation. This value will be well in excess of 100% of
feeder impedance.


However, in the event of a feeder fault, the voltage falls, current rises, and the
measured impedance will be less than 100% of feeder impedance. The
distance relay can operate. High speed tripping will be effected for faults up to
about 80% of feeder impedance.

Why 80%? We still need to recognise that there will still be uncertainty in the
actual exact “reach” of the relay, due to errors in all of the equipment and even
the accuracy with respect to the actual impedance of the feeder.

Hence, for example, a relay set to “see” 20 km into the power system, may only
see 18km, or it could see 22km, based on ±10% errors. The skill of the
protection engineer is to ensure that the minimum of 18km does meet the
protection needs of the system, while the possible maximum of 22km will never
cause a mal-trip for an event beyond the next substation. Thus, in this 20km
feeder example, we allow safety margins, whereby high speed tripping would
be effected for faults measured to be within the first 16km of the feeder. This is
known as “Zone 1”, and has sufficient safety margin to absolutely guarantee
that it will never trip for a fault beyond the feeder zone. From 16 to 24km,
“Zone 2” is implemented. Tripping will still be effected, but now with time
coordination to allow for the fact that this second zone can detect faults beyond
the end of the feeder, that is, on out-going feeders beyond the next substation.
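
The 20 km example can be checked numerically. The following is an added example, not part of the original paper: it derives the Zone 1 and Zone 2 settings, tests them against ±10% reach error, and classifies measured voltage and current phasors. The line impedance per km, the phasor values and the projection onto the line angle (rather than any particular relay characteristic) are assumptions.

```python
import cmath
import math

Z_PER_KM = complex(0.05, 0.40)   # constructed line impedance, ohm/km (assumption)
FEEDER_KM = 20.0                 # feeder length used in the text's example


def zone_settings_km(feeder_km, zone1=0.80, zone2=1.20):
    """Zone 1 at 80% and Zone 2 at 120% of the feeder (16 km and 24 km for 20 km)."""
    return feeder_km * zone1, feeder_km * zone2


def reach_bounds_km(setting_km, error=0.10):
    """Shortest and longest distance a setting may actually 'see' with +/-10% error."""
    return setting_km * (1.0 - error), setting_km * (1.0 + error)


def margins_ok(feeder_km, error=0.10):
    """Zone 1 must never reach past the feeder end; Zone 2 must always cover it."""
    z1, z2 = zone_settings_km(feeder_km)
    zone1_max = reach_bounds_km(z1, error)[1]
    zone2_min = reach_bounds_km(z2, error)[0]
    return zone1_max < feeder_km < zone2_min


def apparent_distance_km(v, i, z_per_km=Z_PER_KM):
    """Distance implied by Z = V/I, projected onto the line impedance angle.

    A negative result means the fault lies behind the relay (reverse direction).
    """
    z = v / i
    return (z * z_per_km.conjugate()).real / abs(z_per_km) ** 2


def classify(v, i, feeder_km=FEEDER_KM):
    """Decide the relay response for one pair of measured phasors."""
    z1, z2 = zone_settings_km(feeder_km)
    d = apparent_distance_km(v, i)
    if d <= 0.0:
        return "no trip: reverse direction"
    if d <= z1:
        return "Zone 1: high speed trip"
    if d <= z2:
        return "Zone 2: time-delayed trip"
    return "no trip: beyond Zone 2"


def fault_phasors(distance_km, i_mag=5000.0):
    """Constructed relay inputs for a bolted fault distance_km ahead of the relay.

    A negative distance models a fault behind the relay.
    """
    i = cmath.rect(i_mag, math.radians(-80.0))
    return i * distance_km * Z_PER_KM, i


# Constructed load condition: 76.2 kV phase voltage, 300 A at about 0.95 pf.
LOAD = (complex(76200.0, 0.0), cmath.rect(300.0, math.radians(-18.2)))


if __name__ == "__main__":
    print("settings (km):", zone_settings_km(FEEDER_KM))
    print("a 20 km setting really sees:", reach_bounds_km(20.0))
    print("margins hold:", margins_ok(FEEDER_KM))
    for km in (10.0, 18.0, 22.0, 30.0, -5.0):
        print(f"fault at {km:5.1f} km ->", classify(*fault_phasors(km)))
    print("load ->", classify(*LOAD))
```

A fault 22 km away lies on an out-going feeder beyond the next substation yet still falls inside Zone 2, which is why Zone 2 tripping has to be time coordinated.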


Nevertheless, in either simple current, or more complex distance relay designs,
we must note that non-unit protection:

• May provide backup for adjacent zones.
• Is simple - no communications required.
• Must be time graded with other protection.
• Must be reviewed regularly to ensure adequate fault coverage and
discrimination with other protection.
• Often puts load restrictions on the plant it is protecting.
• Will most likely require that protection signalling schemes be implemented
to meet AEMC regulation times for remote end fault clearance.

And, in conclusion, if our “Art of Protection” is good, maybe we can prevent
this:


Acknowledgements
Many of the Images, Tables, Figures, and Technical Discussions included in
this paper, and also the associated PowerPoint presentations, have been
sourced from and re-produced with the kind permission of the seminar author,
as follows:

• Transmission System Protection
Barrie Moor: 2001
• Protection of HV & EHV Transmission Systems
Barrie Moor: 2007-2015
• Fundamental Principles of Power System Protection
Barrie Moor: 2008-2015
• Differential Protection Essentials for HV Power Systems
Barrie Moor: 2010
• Generator and Power Station Protection
Barrie Moor: 2010-2015
• Basic Power System Protection
Barrie Moor: 2012-2015

For more details on the above seminars, please visit:

• www.powersystemprotection.com.au

email:

• bmoor@powersystemprotection.com.au
