dependability of mv and hv protection

7/28/2019 Dependability of MV and HV protection

http://slidepdf.com/reader/full/dependability-of-mv-and-hv-protection 1/16

n° 175

dependabilityof MV and HV

protectiondevices

ECT 175 (e) first issued august 1995

Marielle Lemaire

Was awarded her IEG engineer’scertificate, with an option in physicsengineering, in 1986. After two yearsspent in a laboratory in TUCSONuniversity (Arizona), she joinedMerlin Gerin where she contributed todevelopment of static power converters.As dependability specialist and French

expert in the WG7 work group of theIEC «reliability of protection devices»technical committee (TC 95), she hasbeen involved in development ofprotection systems for medium voltageinstallations for the past 5 years.



Cahier Technique Merlin Gerin n° 175 / p.2




dependability of MV and HVprotection devices

contents

1. Introduction Purpose of the document p. 4

Protection devices p. 4

Dependability requirements: p. 4a compromise betweentwo undesirable events

2. Designing with dependability in mind The terms used p. 6

The reliability engineer's tools p. 6

Dependability resources p. 8

3. Dependability as a part of a global Software quality p. 11

Qualification of protection devices p. 11

Quality control p. 13

4. Analysis of experience feedback p. 14

5. Conclusion p. 14

6. Appendix p. 15

7. Bibliography p. 16

quality approach




Protection devices are producedeither using electromechanicaltechnology (the oldest) or analog ordigital electronic technology(known as static). A digitalprotection device (microprocessorbased) can perform, in addition toits main protection role, automation,measuring, self-monitoring andcommunication functions. Thisdevice then forms a natural part of

control and monitoring systemsperforming automation, statuslogging and mimic diagram functions(see fig. 2).

dependabilityrequirements:a compromise between twoundesirable eventsThe function of the protection systemsassociated with the circuit-breaker is toguarantee installation safety, while

ensuring optimum continuity ofelectrical power distribution.As regards protection, two undesirableevents must never occur if this functionis to be fulfilled:

s first event to be avoided: failure ofthe protection device to trip.The consequences of a non-eliminatedfault can be disastrous (risk forpersons, destruction of electricalsubstations, production loss...). Foroperational safety, the protectiondevice must detect both selectively andpromptly faults in the electrical network.

This event can be avoided byincreasing availability of the protectiondevice.

s second event to be avoided: untimelytripping of the protection device.

purpose of the documentThis document presents the variousfactors contributing to dependabilityof protection devices in Mediumand High Voltage networks, togetherwith the methods which can beimplemented to meet dependabilityobjectives.

It places special emphasis on:

s taking dependability intoconsideration at the design stage;

s the quality approach (software,qualification, manufacture) withtechniques adapted to the constraintsencountered in Medium and HighVoltage;

s analysis of experience feedback.

This document complies with thetechniques used in the nineties fordesigning the new Sepam protectionrange.

protection devices

The main functions of a protectiondevice are to detect networkfaults by monitoring variousparameters (current, voltage....)and to transmit a circuit-breakeropening order should an abnormalsituation be observed. A protectiondevice generally protects oneof the various components of anelectrical distribution substation,such as an incomer, a linefeeder, a motor or a transformer.

In Medium and High Voltage, thesedevices are often incorporated in the

equipment containing thecircuit-breaker (see figure 1).

Environmental constraints are then

severe (temperature, vibration,

electromagnetic disturbances).

fig. 1: protection device incorporated in a

Medium and High Voltage equipment.

Continuity of energy supply is vital bothfor companies and electricitydistributors. Untimely tripping of theprotection device can causeconsiderable financial losses

1. introduction




(production shutdown, cost ofnon-distributed energy...). This eventcan be avoided by increasing safety

of the protection device.Availability and safety are often oposite.

The best way for a plane not tocrash is for it to stay on the ground.Its safety is then absolute, but itsavailability zero! Conversely, a planewhich is in the air too often, withoutmaintenance, places people’s life indanger. The design of any device callsfor a compromise between availabilityand safety.

Availability and safety are increased byusing the other two components of

dependability: maintenability andreliability (see fig. 3).

Protection devices are subjected tonumerous aggressive factors whichaffect the undesirable events, e.g.:

s extreme temperatures,

s vibrations due to circuit breaker

operations,

s corrosive atmospheres in industrialapplications (chemistry, paper mills,cement plants...),

s intense electromagnetic pulse fields(up to several dozen kV/m 1 metre from

a HV or MV circuit breaker with rise

times of the order of 5 ns).

This extremely severeenvironment and the fact thatMV and HV networks supply many

electrical power users make

controlled, optimised reliability

and maintenability an absolute

necessity.Protection devices using

microprocessors have enabled

considerable headway to be made.

For example:

G

A V /H z W /ϕϕ clear reset

I on trip

alarmWh

O off

MERLIN GERIN


I on trip

alarmWh

O off

MERLIN GERIN

A V / Hz W /ϕϕ clear reset

I on trip

alarmWh

O off

MERLIN GERIN


I on trip

alarmWh

O off

MERLIN GERIN


I on trip

alarmWh

O off

MERLIN GERIN


I on trip

alarmWh

O off

MERLIN GERIN

fig. 2: example of a digital control and monitoring system of a substation.

safety

availability

0

(1)

100 %

100 %

fig. 3: increasing reliability and

maintenability (1) increases availability and

safety.

s integration reduces wiring problems,thus increasing reliability,

s self-monitoring increases availability.




Availability is the ratio betweenthe time spent in the operating statusand the total reference time.Readers interested in quantificationof dependability values can refer bothto the appendix and Cahier Techniquen° 144.To return to figure 3, one of theobjectives of the protection devicedesigner is to treat preventively asmany failures as possible(maintenability) to increase

availability. As few events as possibleshould result in deterioration ofprotection device safety (theself-monitoring concept andresources will be described in thefollowing sections).

As the networks to be protected areMV and HV ones, their dependabilitymust be far higher than that ofmost LV equipment.

A Preliminary Risk Analysis isused to determine the undesirableevents linked to the functionsperformed by the protection device

(see fig. 5).A team of specialists independent fromthe design team, carries out estimated

dependability studies and proposestechnical solutions compatible with thespecified level. An iterative approachenables design to be modified untilobjectives are achieved.

the reliability engineer’s

toolsSpecialised techniques forevaluating and modelling operationaldependability allow design constraintobjectives to be listed.

s the estimated reliability analysisdetermines the failure rate of eachcomponent of the device in realoperating conditions.

Reliability databases such as theMilitary Handbook 217(MIL-HDBK-217) (see fig. 6) or theCNET booklet (RDF 93) are used forthis purpose and enable reliability of acircuit with several components to becalculated. If necessary, the designermodifies the load rate of some of them,

or uses components with a longguaranteed lifetime (e.g. for chemicalcapacitors).

the terms usedAs from the earliest stage indesigning a protection device, theReliability, Safety, Availability andMaintenability objectives must betaken into account.

These terms are reviewed below:s availability is the likelihood that aprotection device will be in a state toperform its function, in given conditions,at a given time;s safety is the likelihood thata protection device will not tripin an untimely manner, in givenconditions, for a given periodof time;s reliability is the likelihood that aprotection device will perform itsfunction in given conditions for agiven period of time, i.e. mainlythe capacity to trip when requiredand the capacity not to trip inuntimely manner;s maintenability is the likelihood that agiven active maintenance operation willbe performed in a given period of time.

These terms do not necessarilyhave the same meaning accordingto the standpoint: the protectiondevice or the electrical installation.

Thus, availability and maintenabilityof the protection device contributeto safety of persons and equipment.

Safety of the protection devicecontributes to availability of electricalpower distribution.

NB: these definitions comply withthe International ElectrotechnicalVocabulary-VEI 191- and are

commonly used. A standardcurrently being prepared(WG 7 of TC 95) concerningreliability of protection devices laysdown similar definitions, butincludes the notion of «functionaldependability» in reliability. Howeverdependability remains the termenglobing the others.

The various possible statuses of theprotection device are shown in diagramform in figure 4, together with theirconsequences for electrical powerdistribution.

2. designing with dependability in mind

fig. 4: status graph for the protection device and consequences on electrical distribution.

- λ - - µ -

operating

protection

failure

protection

detection and signalling

SAFETY

SAFETY !AVAILABILITY !

RELIABILITY

(serious failure)

MAINTENABILITY

(repair)

network fault

untimely

tripping

failure to

trip




event to be avoided effects causes prevention

untimely tripping s untimely opening of s internal, for example: for example:

circuit-breakers

untimely detection of as

self-monitoring functionss power unavailability fault, s fall-back position

causing severe financial s untimely activation of the s electromagnetic compatibility

losses (production shutdown...) control mechanism s non-magnetic sensors

s external, for example:

s electromagnetic disturbances

s sensor saturation

s error in protection plan design

masking a s tripping an upstream s internal, for example: for example:

tripping order protection level with possible local s failure to detect a fault; s self-monitoring functions

destruction of equipment s blocked control mechanism s electromagnetic compatibility

s major destruction of equipment s external, for example: s non-magnetic sensors

(fire...) if there is no upstream s electromagnetic disturbances s standby module

protection s sensor saturation s supervision of tripping circuit

s

loss of auxiliary supplys

logic discriminations circuit-breaker tripping circuit open

s error in protection plan design

fig. 6 : example of reliability data as in the Military Handbook.

fig. 5: undesirable events relating to the protection function.

Microcircuits, gate/logic arrays and microprocessors

Description

1. bipolar devices, digital and linear gate/logic arrays

2. MOS devices, digital and linear gate/logic arrays

3. microprocessors

λp = (C1 . pT + C2 . pE) pQ . pL failures/106 hours

microprocessordie complexity failure rate - C1

no. bits bipolar MOS

C1 C1

up to 8 .060 .14up to 16 .12 .28up to 32 .24 .56

all other model parameters

parameter section

pT 5.8

C2 5.9p

E, pQ, p

L 5.10

MOS digital and linear gate/logic array die complexity failure rate - C1

digital linear floating gate prog. logic array

no. gates C1 no. transistor C1 no. cells, C C1

1 to 100 .010 1 to 100 .010 up to 16 K .00085

101 to 1,000 .020 101 to 300 .020 16 K < C i 64 K .0017

1,001 to 3,000 .040 301 to 1,000 .040 64 K < C i 256 K .00343,001 to 10,000 .080 1,001 to 10,000 .060 256 K < C i 1M .0068

10,001 to 30,000 .1630,001 to 60,000 .29

bipolar digital and linear gate/logic array die complexity failure rate - C1

digital linear prog. logic array

no. gates C1 no. transistors C1 no. gates C1

1 to 100 .0025 1 to 100 .010 up to 200 .010101 to 1,000 .0050 101 to 300 .020 201 to 1,000 .021

1,001 to 3,000 .010 301 to 1,000 .040 1,001 to 5,000 .042

3,001 to 10,000 .020 1,001 to 10,000 .06010,001 to 30,000 .040

30,001 to 60,000 .080




s the Failure Modes, their Effects andtheir Criticity Analysis (FMECA)conducted both on hardware andsoftware, evaluates the effects of each

known failure mode on equipmentoperation.

FMECA is used to correct certainmalfunctioning risks and to specifyself-monitoring functions. It can beperformed at general function level(the «protection» function), atelementary function level(«overcurrent protection» function), atone of its subfunctions (see fig. 7) up tothe lowest level of the basiccomponents (implanted on theelectronic boards).

s

the undesirable events concerningprotection devices are modelled using anumber of techniques:s failure trees describe all thepossible causes of a particular event tobe avoided (see fig. 8).The failure tree is a booleanrepresentation used to determine themost critical paths to produce theevent.s Markov graphs are a behaviouralrepresentation showing operatingstatus, downgraded operation andequipment failure. Transitionsbetween status are quantified byfailure λ and repair (µ) rates. Thesegraphs are used to calculate thelikelihoods of occupying failurestatus (see fig. 9).s Petri nets have the same purpose asMarkov graphs, i.e. modelling systemstatus. They enable processing of morecomplex systems whose transitionsbetween status do not necessarily obeyexponential distribution (e.g. Weibull’sdistribution) (see fig. 10)

These modelling processes enablequantified simulation of operationaldependability, thus obtaininglikelihoods for reliability, maintenability,

availability and safety of protectiondevices.

Readers can find a more detaileddescription of these various techniquesin the references [Villemeur] or [RGE]or [Pages-Gondran].

dependability resourcesReliability, safety and maintenability ofprotection devices must be controlledto guarantee optimum dependability ofelectrical installations.

As the objectives for these values arefixed, the protection device designer,assisted by the reliability engineer,uses a certain number of resources toachieve them:s thanks to the reliability engineerand his tools, he controls intrinsicreliability before and duringdevelopment;s thanks to self-monitoring, failuresignalling and communicationresources, he can:

s increase dependability by placing inthe fall-back position,

s increase maintenability andavailability of the protection device.

Let us now look at the resourcesimplemented:s self-monitoringEfficiency and relevance ofself-monitoring are vital fordependability of the protection device.Below are examples of some resourcesenabling availability and safety to beincreased:

s a check on integrity of informationcontained in the «program» and«constant data» memory boxes mustbe performed on energising and then

cyclically during operation. This checkis made by calculating the Checksumwith carrying over on the memoryzones used. The checksum with carryover covers 99.95 % for 128 bytes(99.998 % for 128 Kbytes) for pastingof address and of memory bits. Forvolumes of information to be checkedexceeding a hundred bytes, calculationof the Checksum with carry over ismore efficient than calculation ofa CRC 16 for example (see reference[INRS]).s a hardware and software watchdog

must be fitted to detect blocking of theCPU (due to a component defect,interference or microprocessoroverload). The validity of the watchdogoutput signal must also be checked.The watchdog must cover failure of themicroprocessor quartz and oscillator(see fig. 11).s program cycle time must becontrolled. If interruptions are used tosequence cycles, it must be checkedthat these mechanisms are operatingcorrectly.

s a check on supply voltage must be

continuously performed to anticipatepossible voltage drops and stop themicroprocessor «properly» (savingparameters).s if EEPROM memories are used, useof this component must be monitoredby counting the number of writes whichmust not exceed 10,000.s false digital data must not beprocessed further to a failure in theanalog to digital conversion string.

fig. 7: FMECA table performed on a subfunction of the overcurrent protection device.

function failure mode effect on protection detection resources signallingacquire the phase false measured current: protection device the algorithm used "natural" inhibition of

currents continuous level activated works on calculation protection device

> tripping threshold Æ untimely tripping of current module

at 50 HZ

detection by signal failure on front

periodical calculation panel and by communication

of signal dc component

false measured current: protection device detection resources signal

continuous level unavailable are the same

< tripping threshold Æ failure to trip if fault

occurs




An efficient check consists incontinuously verifying two referencesignals at the input of the multiplexer attwo complementary addresses (100 %

of failures of the Analog to DigitalConverter and 100 % of sticking at1 or 0 of the Multiplexer selection bitsare thus detected).Many other detection devices are used,which are obviously very dependent onthe technology used.

s the reliable fall-back positionThe self-monitoring functions detect asmany «major» failures as possible. Afailure is said to be «major» if there is arisk of it causing incorrect operation ofthe protection device.

fig. 11: self-monitoring reduces protection

device unavailability time.

To check data integrity

A number of techniques can be useds parity checkThis consists in systematically makingthe number of bits transmitted even bycompleting the useful message by a«parity bit».The receiver can thus check themessage if there is an error on a bit or3 bits. Alteration of an even number ofbits cannot be detected.s the CRC (Cyclic Redundancy Check)

consists in adding to the usefulinformation the rest of its division by apolynomial standardised by the CCIT.For example, the degree 16 dividingpolynomial(X16 + X15 + X2 + 1=1100 0000 0000 0011)

used for the «CRC 16» can detect 16simultaneous errors.s the Checksum consists in performingthe binary sum of bytes and in addingthe result (truncated on one or morebytes) to the useful message.The Checksum can be associated forexample with the parity byte check....

Checking message integrity by thereceiver is easier than for the CRC andcan be more efficient.

To check proper running of a programOften used in automation systems, theWatchdog technique consists inperiodically running a test instruction.Non-running of this instruction, within agiven time, reveals a failure and causesan alarm and an equipment protectiondevice to trip.

failure to open of ciruit-breaker

on electrical installation fault

failure to open

of circuit-breaker

unavailabilityof tripping

circuit

ET

OU

presence of afault on

the electricalinstallation

unavailabilityof protection

device

unavailabilityof sensors

unavailabilityof breaking

device

fig. 8: simple example of a failure tree.

fig. 10: example of a Petri net for a system consisting of two redundant, repairable elements.

operation failuredowngraded

operation

2 λ

µ

λ

µ

(a single repairer)

fig. 9: example of a Markov graph for a system consisting of two redundant, repairable

components. If they are two electronic components (exponential reliability), the mean proper

operating time after repair is MUT =1

2 λ λ

P1

P2

T1 T2

P1

P2

T1 T2

The Petri net representedhas two places (P1, P2),two transitions (T1, T2)

and four arcs.This net represents thebehaviour of a repairablecomponent, by assigningfor example the followingmeanings to the placesand transitions:P1: the component is in properoperating condition.P2: the component is not working.T1: the component has failed.T2: the component has justbeen repaired.




This type of failure must not degenerateinto untimely tripping. The protectiondevice places itself in a reliable,predetermined fall-back position to

prevent passage of random orders.The operator is informed of this «fall-back» position and can immediatelyperform maintenance to restore theavailability of the protection device.At the same time, a «minor» failure, forexample a peripheral failure (display orsetting console) is signalled, but doesnot affect availability of the protectiondevice.

s failure signallingThe self-monitoring functions mustprovide suitable diagnostic resources toenable a prompt resumption of

operating status of the faulty protectiondevice, i.e.:s provide the operator with external,clear and global information on thestatus of his protection device,s provide the manufacturer, during amaintenance operation, or even afterreturn to the works of the faultyprotection device, with internal, clearand precise information on the status ofthe protection device.

For example, failure of the protectiondevice may be signalled by:s a front panel indicator light,s a WatchDog relay output,s a message on the front paneldisplay,s internally saved information detailingfailure origin,s a message via the communicationsystem when the protection device ispart of a control and monitoring system.

This is a considerable advantage overolder protection devices which couldremain in a state of failure for longperiods of time without the operatorbeing aware of this (see fig. 12) and

which thus provided no information onthe origin of the failure.

s a tendency to adopt supervision andcontrol and monitoring systemsAs stated earlier, digital protection canincorporate automation andcommunication functions. It thusbecomes one of the links in thesupervision and control and monitoringsystem of the electrical installation, thussimplifying operation by enablingsupervision, operation andmanagement of the distributionnetwork:

s supervision of status and electricalquantities (measurements),s supervision of devices (switchgearposition, temperature, pressure,....)

s processing of alarms,s remote control of switching devices,s automatic reconfiguration ofnetworks after fault,s management of consumed energy asa function of distributors’ tarifs,s editing operating reports,s allocating energy costs to the varioussite consumers.

s ease of maintenances self-monitoring, signalling,communication facilitate knowledge offailure status, thus allowing immediatemaintenance action,s self-diagnostics enable thetroubleshooter to know the origin of thefailure, thus resulting in rapidtroubleshooting,s the programmed functions,customising the protection device interms of applications/functionsperformed, are stored in a detachablecartridge. This enables immediateresumption of operation afterreplacement of the physical part (hard)which is standardised.

s special casesReliability of the protection device maynot be sufficient if it is subject toexceptionally aggressive factors or if

the availability and safety needs ofelectrical distribution are exceptionallyhigh:

s severe environmentProtection systems are sometimesinstalled in exceptional environmentswhich exceed specified constraints forequipment:- temperature,- vibration...In each case, needs must be speciallyidentified by the engineering anddesign department. A customisedsolution is then proposed:- special varnish on electronic boards,- specific maintenance contract,

s an exceptional dependability need

A standby module can provideprotection in the event of:- a supply fault,- a wiring fault,- a trip release fault,- main protection device not working.

Another solution is to backup theprotection device with an «or» circuit inthe breaking device control circuit.Installation safety is considerablyincreased, and electrical poweravailability is not reduced whenprotection systems with reliable fall-back position are used.

As an extreme solution, 2/3 votesystems can be considered.

fig. 12: self-monitoring reduces protection device unavailability time.

!

!

1 2 3

periodical maintenances 1, 2, 3...

commissioning

internal failure

not detected

installation

not protected

time

no periodical maintenance

digital protection

electromechanical or analog protection

commissioning

internal failure

detected

unavailability limited

to maintenance time

time




qualification of protectiondevicesBefore protection devices arereleased on the market, theyundergo a complete qualification.

Some qualification criteria specific tothe Medium and High Voltageenvironment are detailed below.

s immunity to electromagneticdisturbances (conducted and

radiated).The electrical disturbancesencountered in electrical substationshave a number of origins:s lightning strokes falling directly onlines or close to the substation cangenerate overvoltages of somehundred kV and rise fronts of the orderof a microsecond,s normal operation of switchgear, onopening and closing of the MVand HV breaking device causes«switching operation» overvoltages(damped oscillatory wave). These

overvoltages can cause electrical pulsefields of the order of 10 kV/m 1 metrefrom the circuit-breaker.s the human operator can causeelectrostatic discharge resulting on the

equipment in current pulses of afew dozen amps and a very steepfront of the order of a nanosecond,s radioelectric transmitters(e.g. walkie-talkies) generatefields of several dozen V/m 1 metreaway.

Readers wishing to learn moreabout Electromagnetic Compatibility(EMC) can consult Cahier Techniquen° 149.

Internal electrical stress withstandstandards define the immunity levelsrequired for operation of protectionsystems in electrical substations.These levels correspond to thewithstands defined by IEC 255standards or are even more severe.Compliance with the severity leveldefined is checked by tests. Fourtypes of tests are performed:

s damped oscillatory wave(IEC 255-22-1) severity:class III, 2.5 kV,

s rapid transients (IEC 255-22-4)severity: class IV, 4 kV,

s electrostatic discharge(IEC 255-22-2)severity:class III, 8 kV,

3. dependability as a part of a global quality approach

software qualityA large part of digital protection devicefunctions are performed by thesoftware. Control of software quality isthus crucial to achieve globaldependability objectives.

Software quality is controlled by usinga rigorous development method.This method, resulting from therecommendations laid down by French(AFCIQ) and international (IEEE)

organisations, stipulates:

s breakdown of development into aseries of phases (see fig.13):s specification,s preliminary design,s detailed design,s coding,s unit tests,s integration and integration tests,s validation.

Each phase has a set of documentsused and produced during the phase.

These documents formalise the studies

conducted in each phase and must bevalidated before moving on to the nextphase.

s use of design and coding methodsand rules aiming at obtaining ahigh software structuration level(e.g. SADT implemented in the ASAor MACH tool).

s use of software configurationmanagement tools enablingmanagement of all softwarecomponents and in particularcontrol of the respective evolutionsand versions of all these components(e.g. CMS tool).

Moreover, code reviewing methodsare used to great advantage. Areviewer critically reads the code andmakes his observations. This «manual»analysis is still one of the most efficientmethods for discovering software errors(bugs).

Finally, once each software has beenintegrated and validated, a finalqualification phase conducted by ateam other than the development teamensures a last efficient check.

software

specification

software validation plan

preliminary

design

software integration

plan

detailed

design

test

plan

software

validation

software

integration

unit

tests

coding

fig. 13: the software development cycle (V-shaped).




s radiated fields (IEC -255-22-3)severity: greater than class III, 30 V/m(see fig. 14)

NB: the rapid transient test is thetransciption in «conducted» mode of«radiated» electromagnetic pulse fields,generated during switchgearoperations.

In addition to EMC tests, protectiondevices undergo «real-life» situationtests. For example, after placingthe device in the Low Voltagecompartment of a Medium and HighVoltage cubicle, roughly one hundredcircuit-breaker opening and closingoperations, on a load imposing arcbreaking under a small inductive

current (switching operationovervoltages due to current pinching)were performed.

During these tests, untimely tripping ofthe protection device must not occur.

s the Kirchhoff laboratory: protectiondevice testing

fig. 15: Kirchhoff protection device testing

laboratory.

fig. 14: electromagnetic disturbance tests in

anechoic chamber.

The functions performed by protectionsystems are complex. Proper operationof protection devices must beguaranteed for all the phenomena

which can occur on electrical networks.An efficient laboratory for performingtests on protection devices is essential(see fig. 15).The Kirchhoff laboratory enables reallife reproduction of phenomena such asthey occur on electrical networks(see fig. 16).This laboratory is equipped with adigital simulator used to:s calculate currents and voltages onthe network, when a short-circuit,insulation failure or device switchingoperation occurs,

s generate the corresponding signalsand apply them to the protectiondevice to be tested. An analysis isthen made of the behaviour of the

protection devices subjected toconditions identical to those thatthey will encounter on the realnetwork.

Digital simulation of electrical networksin the Kirchhoff laboratory uses twosoftwares:s EMTP (ElectroMagnetic TransientProgram), a program for calculatingtransient phenomena. Thisinternational software enables,from an equipment library (transformers,lines, machines,...) modelling of allkinds of electrical networks, simulation of

fig. 16: description of the protection device test system.

work station

Computersimulation softwareMORGAT, EMTP

digital/analogconverter

datarecorder

current andvoltageamplifiers

protectiondevice undertest

current andvoltage

adapted toprotection

device inputlevels

computing of networktransients

conversion ofcomputedwaveforms intoanalog

real time signals

arbitrary waveformgenerator

protectiondevice undertest

recordingof protection

device outputs




Photographie

Photographie

faults or device switching operation andprecise calculation of evolution in currentand voltage,

s MORGAT, an electrical networksimulator, developed and distributedby EDF. This software allows both fineanalysis of network behaviour andcontrol of the «real time» aspect of theKirchhoff laboratory. Currents andvoltages, calculated at different pointsof the simulated electrical network, areconverted into analog signals forapplication to the protection device tobe tested.

quality controlProtection devices undergo

numerous quality control tests duringproduction and at the end ofproduction.

For example electronic boards undergoinitial inspection on the dielectric testbay performing insulation tests.They are then directed to the in-situtester (see fig. 17).

The in-situ test checks properoperation and implantation of eachelectronic board component. Itindicates mainly manufacturingdefects and certain componentdefects. It provides an implicitdignostics and ensures prompt repairof the board. The results are then usedby the quality department and allowrapid detection of any drift incomponent or board manufacturingquality.

Final testing ensures that theassembled boards dialogue correctlywith each other and that theconfiguration achieved really

does correspond with the customer’sorder. All the expected functionsare thus activated by stimuli appliedto the interfaces of the device produced.

In addition to the systematic checksmade on production, qualification testsare repeated periodically on arepresentative sample of the range.

fig. 17: in-situ tester.

After the in-situ test, the boards areburnt in under combined thermal

and electrical stresses. Burn-in

eliminates teething faults in

electronic equipment and reduces thelength of the early period so that these

faults appear in manufacture rather

than during operation. Likewise, the

fault statistics are used by the qualitydepartment so that rapid action can be

taken for any drift in manufacturingquality.

photo




customers’ premises. Operationalreliability (calculated on experiencefeedback) is only relevant if failure canbe detected, is detected and recorded.Failure data, resulting from an installedequipment base which has noself-monitoring functions andin frequent periodical maintenance,may not be representative of realreliability.

Operational reliability data onan installed base of digital

protection devices are relevantdue to the self-monitoring function.

It has been observed thatoperational reliability isat least greater by a factor 10 thanestimated reliability (calculated

characteristics, of which the mostsignificant are:s proper protection of MV andHV equipment and networks, byalgorithms adapted to the variousprotection functions;

s simplicity of implemenation,operation and maintenance;

s reliability in severe environments, aswell as:

s ability to perform self-monitoring,s possession of a reliable fall-backposition.

4. analysis of experience feedback

To ensure significant experiencefeedback, a very large installedequipment base must be in operationwhen reliability is excellent. Operatingfailure data can then be analysed.Analysis of experience feedback is vitalto:s assess operational reliability ofequipment;s validate the dependability studiesconducted during design;s cumulate technical experience to

progress;s possess a dialogue basis betweenthe manufacturer and the operator.

Experience feedback relies on reliableand orderly gathering of informationrelating to incidents occurring at

from the data book

MIL-HDBK-217E). This differencewas probably the result of

deliberately pessimistic and

sometimes anachronistic reliabilitydata books (electronic componenttechnologies and quality evolve at a

great pace).

Recent updates to reliabilitydata books have considerablyreduced the difference between the

operational and estimated reliabilityresults.

Today, the MTBF corresponding tountimely tripping or failure to trip of the

protection device is several hundred

years.

5. conclusion

Medium and High Voltage networkprotection devices perform a vitaldependability function. They have toguarantee protection of persons andequipment, while ensuring availability ofelectrical power. Their malfunctions caninflict severe financial losses onoperators. It is thus of prime importancethat they meet high reliability, safety,availability and maintenability

standards.Consequently, protection devices mustmeet certain technical and industrial

The work of reliability and qualityengineers, at the design stage,ensures that the digital protectiondevices out on the market today meetall these requirements.

Today, taking advantage fromdevelopment of digitalcommunications (bus) andsupervision, the functions of protectiondevices extend to the control and

monitoring domain for optimisedmanagement of electrical powerdistribution.




The likelihoods

Reliability, R(t) is the likelihood

that the system will not failover a time t.

Maintenability is the likelihood

that the system will be repaired in a

time t.

Availability is the likelihood

that the system will operate ata time t.

Safety is the likelihood that adisastrous event will be avoided.

A quantity which is the failurerate λ (t) is normally used for working

purposes. This is the likelihoodto break down in the next instant,

bearing in mind that the system has not

failed.

For electronic components, the failure

rate follows an evolution in time known

as the «bathtub» curve. During the«useful life» period, the component

does not age and its failure rate isconstant in time. The following

fundamental relationships are then

obtained:Reliability R(t) = e λt and MTTF = 1 / λ.

Example:If a device has a MTTF of a 100 years,its failure rate λ = 1 / MTTF is 10-2 / year. The likelihood of failure each yearis thus 1 %. This also means that outof 100 devices in operation, on average1 device will break down each year!A MTTF (or MTBF) of a 100 years onno account means that the system willnot fail for 100 years. The MTTF cannottherefore be compared to a guaranteeperiod or to a lifetime...

6. appendix

Mean times characterisingdependability (see fig. 18):

The MTTF (Mean Time To first Failure)is the mean time a device operatesproperly before failure.

The MTTR (Mean Time To Repair) isthe mean repair time.

The MTBF (Mean Time BetweenFailure) is the mean time betweentwo failures (for a repairablesystem).

The MDT (Mean Down Time) is themean failure time including detection offailure, intervention time, repair timeand resumption of operation time.

The MUP (Mean Up Time) is the meantime a device operates properly afterrepair.

The MTBF term is wrongly translatedas the mean proper operation time.This definition actually belongs to theMTTF! The confusion stems from thefact that the MTTR (of the order of afew hours) is often tiny compared with

the MTTF (of the order of severalthousand hours).

fig. 18: diagram of mean times,

established for a system requiring no

interruption in operation for preventive

maintenance.

MTTF MTBF

MDT MUT

failure operating

failure status operating status



7. bibliography

Publications

s Reliability design approach forprotection and control equipment forMV distribution networks.Second International Conference onthe Reliability of Transmission andDistribution Equipment,M. LEMAIRE, J.C. TOBIAS,march 1995.

s Electrical disturbance tests formeasuring relays and protection

equipment.Part 1: 1 MHz burst disturbance tests.Eyrolles EDF.A. VILLEMEUR, 1988.

s Fiabilité des systèmesEyrolles EDFA. PAGES, M. GONDRAN, 1980.

s Autotest d'une mémoire programme :deux solutionsElectronique n° 4, janvier 1991.

s Military Handbook 217 -F-Department Of Defense, USA.

s Recueils de données de fiabilité des

composants électroniques, RDF 93CNET.

Standardss IEC 255Electrical relayss part 22: Electrical disturbance testsfor measuring relayus and protectionequipment.- section 1: 1 MHz burst disturbancetests,- section 2: Electrostatic dischargetests,- section 3: Radiated electromagneticfield disturbance tests,

- section 4: Fast transient disturbancetest.

s VEI 191.

Merlin Gerin's Cahiers Techniques

s Introduction to dependability designCahier Technique n° 144P. BONNEFOI 1991.

s EMC: electromagnetic compatibilityCahier Technique n° 149F. VAILLANT 1991.

s MV public distribution networksworldwideCahier Technique n° 155C. PURE 1991.

s Design of industrial networks in HVCahier Technique n° 169G. THOMASSET.

s Protection devices of industrial andtertiary HVA networksCahier Technique n° 174A. SASTRE.

dependability of mv and hv protection

Documents