Dependability of MV and HV Protection Devices (n° 175)


Cahier Technique Merlin Gerin n° 175
Dependability of MV and HV protection devices

Marielle Lemaire
Was awarded her IEG engineer's certificate, with an option in physics engineering, in 1986. After two years spent in a laboratory at Tucson university (Arizona), she joined Merlin Gerin, where she contributed to the development of static power converters. As a dependability specialist and French expert in the WG7 working group of the IEC «reliability of protection devices» technical committee (TC 95), she has been involved in the development of protection systems for medium voltage installations for the past 5 years.

ECT 175 first issued August 1995
Cahier Technique Merlin Gerin n° 175 / p.2

dependability of MV and HV protection devices


1. Introduction
   Purpose of the document                                                     p. 4
   Protection devices                                                          p. 4
   Dependability requirements: a compromise between two undesirable events    p. 4
2. Designing with dependability in mind
   The terms used                                                              p. 6
   The reliability engineer's tools                                            p. 6
   Dependability resources                                                     p. 8
3. Dependability as a part of a global quality approach
   Software quality                                                            p. 11
   Qualification of protection devices                                         p. 11
   Quality control                                                             p. 13
4. Analysis of experience feedback                                             p. 14
5. Conclusion                                                                  p. 14
6. Appendix                                                                    p. 15
7. Bibliography                                                                p. 16

1. introduction

purpose of the document

This document presents the various factors contributing to the dependability of protection devices in Medium and High Voltage networks, together with the methods which can be implemented to meet dependability objectives.
It places special emphasis on:
■ taking dependability into consideration at the design stage;
■ the quality approach (software, qualification, manufacture), with techniques adapted to the constraints encountered in Medium and High Voltage;
■ analysis of experience feedback.
This document reflects the techniques used in the nineties for designing the new Sepam protection devices.

protection devices

The main functions of a protection device are to detect network faults by monitoring various parameters (current, voltage...) and to transmit a circuit-breaker opening order should an abnormal situation be observed. A protection device generally protects one of the various components of an electrical distribution substation, such as an incomer, a line feeder, a motor or a transformer. In Medium and High Voltage, these devices are often incorporated in the equipment containing the circuit-breaker (see figure 1). Environmental constraints are then severe (temperature, vibration, electromagnetic disturbances).
Protection devices are produced either using electromechanical technology (the oldest) or analog or digital electronic technology (known as static). A digital protection device (microprocessor based) can perform, in addition to its main protection role, automation, measuring, self-monitoring and communication functions. Such a device then forms a natural part of control and monitoring systems performing automation, status logging and mimic diagram functions (see fig. 2).

fig. 1: protection device incorporated in Medium and High Voltage equipment.

dependability requirements: a compromise between two undesirable events

The function of the protection system associated with the circuit-breaker is to guarantee installation safety while ensuring optimum continuity of electrical power distribution. As regards protection, two undesirable events must never occur if this function is to be fulfilled:
■ first event to be avoided: failure of the protection device to trip. The consequences of a non-eliminated fault can be disastrous (risk for persons, destruction of electrical substations, production loss...). For operational safety, the protection device must detect faults in the electrical network both selectively and promptly. This event is avoided by increasing the availability of the protection device.
■ second event to be avoided: untimely tripping of the protection device. Continuity of energy supply is vital both for companies and for electricity distributors. Untimely tripping of the protection device can cause considerable financial losses

[fig. 2: front panels of several digital protection devices (I on / O off / trip indicators; A, V/Hz, ϕ, W/ϕ, Wh measurement keys; clear, alarm and reset keys) linked into the substation control and monitoring system]

fig. 2: example of a digital control and monitoring system of a substation.

(production shutdown, cost of non-distributed energy...). This event is avoided by increasing the safety of the protection device.
Availability and safety are often in opposition. The best way for a plane not to crash is for it to stay on the ground. Its safety is then absolute, but its availability zero! Conversely, a plane which is in the air too often, without maintenance, places people's lives in danger. The design of any device calls for a compromise between availability and safety.
Availability and safety are increased by using the other two components of dependability: maintainability and reliability (see fig. 3).

[fig. 3: plot of safety (vertical axis, 0 to 100 %) against availability (horizontal axis, 0 to 100 %); the curve (1) moves towards the top right corner as reliability and maintainability increase]

fig. 3: increasing reliability and maintainability (1) increases availability and safety.

Protection devices are subjected to numerous aggressive factors which affect the undesirable events, e.g.:
■ extreme temperatures,
■ vibrations due to circuit-breaker operations,
■ corrosive atmospheres in industrial applications (chemistry, paper mills, cement plants...),
■ intense electromagnetic pulse fields (up to several dozen kV/m at 1 metre from an HV or MV circuit-breaker, with rise times of the order of 5 ns).
This extremely severe environment, and the fact that MV and HV networks supply many electrical power users, make controlled, optimised reliability and maintainability an absolute necessity.
Protection devices using microprocessors have enabled considerable headway to be made. For example:
■ integration reduces wiring problems, thus increasing reliability,
■ self-monitoring increases availability.

2. designing with dependability in mind

the terms used

From the earliest stage in designing a protection device, the Reliability, Safety, Availability and Maintainability objectives must be taken into account. These terms are reviewed below:
■ availability is the likelihood that a protection device will be in a state to perform its function, in given conditions, at a given time;
■ safety is the likelihood that a protection device will not trip in an untimely manner, in given conditions, for a given period of time;
■ reliability is the likelihood that a protection device will perform its function in given conditions for a given period of time, i.e. mainly the capacity to trip when required and the capacity not to trip in an untimely manner;
■ maintainability is the likelihood that a given active maintenance operation will be performed within a given period of time.
These terms do not necessarily have the same meaning according to the standpoint taken: the protection device or the electrical installation. Thus, availability and maintainability of the protection device contribute to the safety of persons and equipment, whereas safety of the protection device contributes to the availability of electrical power distribution.
NB: these definitions comply with the International Electrotechnical Vocabulary (VEI 191) and are commonly used. A standard currently being prepared (WG 7 of TC 95) concerning reliability of protection devices lays down similar definitions, but includes the notion of «functional dependability» in reliability. Dependability nevertheless remains the term encompassing the others.
The various possible statuses of the protection device are shown in diagram form in figure 4, together with their consequences for electrical power distribution.
Availability is the ratio between the time spent in the operating status and the total reference time. Readers interested in the quantification of dependability values can refer both to the appendix and to Cahier Technique n° 144.
To return to figure 3, one of the objectives of the protection device designer is to treat preventively as many failures as possible (maintainability) in order to increase availability. As few events as possible should result in deterioration of protection device safety (the self-monitoring concept and resources are described in the following sections).
As the networks to be protected are MV and HV ones, the dependability of their protection devices must be far higher than that of most LV equipment.
A Preliminary Risk Analysis is used to determine the undesirable events linked to the functions performed by the protection device (see fig. 5). A team of specialists independent from the design team carries out estimated (predictive) dependability studies and proposes technical solutions compatible with the specified level. An iterative approach enables the design to be modified until the objectives are achieved.

the reliability engineer's tools

Specialised techniques for evaluating and modelling operational dependability allow design constraint objectives to be listed.
■ the estimated reliability analysis (reliability prediction) determines the failure rate of each component of the device in real operating conditions. Reliability databases such as the Military Handbook 217 (MIL-HDBK-217) (see fig. 6) or the CNET booklet (RDF 93) are used for this purpose and enable the reliability of a circuit with several components to be calculated. If necessary, the designer modifies the load rate of some of them, or uses components with a long guaranteed lifetime (e.g. for electrolytic capacitors).

[fig. 4: status graph. From the «operating protection» state, a serious failure (RELIABILITY, rate λ) leads to the «failed protection» state; detection and signalling of the failure allow repair (MAINTAINABILITY, rate µ), which returns the device to operation. Two outcomes affect the installation: untimely tripping (a SAFETY failure of the device, which costs AVAILABILITY of distribution) and failure to trip on a network fault (which costs SAFETY of the installation).]

fig. 4: status graph for the protection device and consequences on electrical distribution.
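The λ/µ status graph of figure 4 can be turned into a small Markov calculation that makes the benefit of self-monitoring visible. The program below is an added example, not code from the Cahier Technique or from the Sepam devices: it assumes a three-state model (operating, failed and signalled, failed but latent), a fraction c of failures caught immediately by self-monitoring, the remainder only found at a periodic test every tau hours, and the numeric rates in main() are illustrative assumptions, not values from the document.

```c
#include <stdio.h>

/* Added example, not code from the Cahier Technique or from Sepam: a
 * three-state Markov model of one protection device in the spirit of
 * fig. 4, used to see how self-monitoring coverage moves time out of the
 * dangerous "failed but not signalled" state. Rates are per hour; every
 * numeric value in main() is an assumption for illustration.
 *
 *   OK       --lambda*c-->      DETECTED   (failure signalled, repair under way)
 *   OK       --lambda*(1-c)-->  LATENT     (failed, nobody knows: failure to trip)
 *   DETECTED --mu-->            OK
 *   LATENT   --1/tau-->         DETECTED   (found at the next periodic test)
 *
 * lambda: failure rate, mu: repair rate, c: self-monitoring coverage,
 * tau: interval between periodic tests of the protection. */

typedef struct {
    double p_ok;        /* availability of the protection function */
    double p_detected;  /* failed, signalled, under repair */
    double p_latent;    /* failed and unsignalled */
} steady_state;

/* Steady-state balance (flow out of each state = flow in):
 *   lambda * p_ok      = mu * p_detected
 *   mu * p_detected    = lambda*c*p_ok + p_latent/tau
 *   p_latent / tau     = lambda*(1-c)*p_ok
 * with p_ok + p_detected + p_latent = 1. Both other states are expressed
 * as multiples of p_ok and the normalisation then gives p_ok. */
steady_state solve(double lambda, double mu, double c, double tau)
{
    double det_per_ok = lambda / mu;                /* p_detected / p_ok */
    double lat_per_ok = lambda * (1.0 - c) * tau;   /* p_latent   / p_ok */
    steady_state s;
    s.p_ok = 1.0 / (1.0 + det_per_ok + lat_per_ok);
    s.p_detected = det_per_ok * s.p_ok;
    s.p_latent = lat_per_ok * s.p_ok;
    return s;
}

/* Expected hours per year during which a network fault would not be
 * cleared by this device because its failure is still latent. */
double latent_hours_per_year(double lambda, double mu, double c, double tau)
{
    return solve(lambda, mu, c, tau).p_latent * 8760.0;
}

int main(void)
{
    const double lambda = 1.0e-5;   /* assumed: MTBF of 100,000 h */
    const double mu = 1.0 / 24.0;   /* assumed: 24 h to replace a signalled device */
    const double tau = 8760.0;      /* assumed: protection tested once a year */
    const double coverages[] = { 0.0, 0.5, 0.9, 0.99 };

    printf("coverage  availability  latent share  latent h/year\n");
    for (int i = 0; i < 4; i++) {
        steady_state s = solve(lambda, mu, coverages[i], tau);
        printf("  %4.2f     %.6f      %.6f     %8.1f\n", coverages[i], s.p_ok,
               s.p_latent, latent_hours_per_year(lambda, mu, coverages[i], tau));
    }
    return 0;
}
```

With the assumed figures, a device without self-monitoring spends roughly 8 % of its life failed without anyone knowing (about 700 hours a year), because a latent failure waits for the yearly test; with 90 % coverage this drops below 1 %, and the repair state barely matters since µ is large. That is the quantitative form of the statement above that self-monitoring increases availability: coverage c is the lever, and the periodic test interval tau bounds what uncovered failures cost.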

event to be avoided: untimely tripping
  effects:
    ■ untimely opening of the circuit-breaker
    ■ power unavailability causing severe financial losses (production shutdown...)
  causes:
    ■ internal, for example: untimely detection of a fault; untimely activation of the control mechanism
    ■ external, for example: electromagnetic disturbances; sensor saturation; error in protection plan design
  prevention, for example:
    ■ self-monitoring functions
    ■ fall-back position
    ■ electromagnetic compatibility
    ■ non-magnetic sensors

event to be avoided: masking a tripping order
  effects:
    ■ tripping of an upstream protection level, with possible local destruction of equipment
    ■ major destruction of equipment (fire...) if there is no upstream protection
  causes:
    ■ internal, for example: failure to detect a fault; blocked control mechanism
    ■ external, for example: electromagnetic disturbances; sensor saturation; loss of auxiliary supply; circuit-breaker tripping circuit open; error in protection plan design
  prevention, for example:
    ■ self-monitoring functions
    ■ electromagnetic compatibility
    ■ non-magnetic sensors
    ■ standby module
    ■ supervision of the tripping circuit
    ■ logic discrimination

fig. 5: undesirable events relating to the protection function.

Microcircuits, gate/logic arrays and microprocessors
1. bipolar devices, digital and linear gate/logic arrays
2. MOS devices, digital and linear gate/logic arrays
3. microprocessors
λp = (C1 · πT + C2 · πE) · πQ · πL   failures / 10^6 hours

bipolar digital and linear gate/logic array die complexity failure rate - C1
digital (no. gates)      C1        linear (no. transistors)   C1        prog. logic array (no. gates)   C1
1 to 100                 .0025     1 to 100                   .010      up to 200                       .010
101 to 1,000             .0050     101 to 300                 .020      201 to 1,000                    .021
1,001 to 3,000           .010      301 to 1,000               .040      1,001 to 5,000                  .042
3,001 to 10,000          .020      1,001 to 10,000            .060
10,001 to 30,000         .040
30,001 to 60,000         .080

MOS digital and linear gate/logic array die complexity failure rate - C1
digital (no. gates)      C1        linear (no. transistors)   C1        floating gate prog. logic array (no. cells, C)   C1
1 to 100                 .010      1 to 100                   .010      up to 16 K                                       .00085
101 to 1,000             .020      101 to 300                 .020      16 K < C ≤ 64 K                                  .0017
1,001 to 3,000           .040      301 to 1,000               .040      64 K < C ≤ 256 K                                 .0034
3,001 to 10,000          .080      1,001 to 10,000            .060      256 K < C ≤ 1 M                                  .0068
10,001 to 30,000         .16
30,001 to 60,000         .29

microprocessor die complexity failure rate - C1          all other model parameters
no. bits       bipolar C1     MOS C1                        parameter        section
up to 8        .060           .14                           πT               5.8
up to 16       .12            .28                           C2               5.9
up to 32       .24            .56                           πE, πQ, πL       5.10

fig. 6: example of reliability data as in the Military Handbook.
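To show how the fig. 6 data feed a reliability prediction, here is an added example (not code from the Cahier Technique or from the handbook itself): it applies the fig. 6 microcircuit formula to a small constructed bill of materials, adds the part failure rates as a series system and shows the effect of derating. The C1 values are read from the fig. 6 tables; C2 and every π factor are placeholders, since the handbook sections (5.8 to 5.10) that tabulate them are not reproduced on this page.

```c
#include <stdio.h>

/* Added example, not code from the Cahier Technique: applying the fig. 6
 * microcircuit model
 *     lambda_p = (C1 * piT + C2 * piE) * piQ * piL   failures / 10^6 h
 * to a small board, then combining the parts in series. The C1 values
 * are read from the fig. 6 tables; C2 and the pi factors (which the
 * handbook tabulates in its sections 5.8 to 5.10, not reproduced here)
 * are assumed placeholders for illustration. */

typedef struct {
    const char *name;
    int    qty;
    double c1;    /* die complexity factor, fig. 6 */
    double c2;    /* package factor, assumed */
    double piT;   /* temperature factor, assumed (grows with junction temperature) */
    double piE;   /* environment factor, assumed */
    double piQ;   /* quality factor, assumed */
    double piL;   /* learning factor, assumed (1 = mature process) */
} part;

/* Failure rate of one part, failures / 10^6 h. */
double part_lambda(const part *p)
{
    return (p->c1 * p->piT + p->c2 * p->piE) * p->piQ * p->piL;
}

/* A board without redundancy fails as soon as any part fails: a series
 * system, so the constant failure rates simply add, weighted by quantity. */
double board_lambda(const part *bom, int n)
{
    double sum = 0.0;
    for (int i = 0; i < n; i++) sum += bom[i].qty * part_lambda(&bom[i]);
    return sum;
}

/* Same board with every piT multiplied by piT_scale, e.g. 0.5 when the
 * designer lowers the load rate and hence the junction temperature. */
double board_lambda_derated(const part *bom, int n, double piT_scale)
{
    double sum = 0.0;
    for (int i = 0; i < n; i++) {
        part p = bom[i];
        p.piT *= piT_scale;
        sum += p.qty * part_lambda(&p);
    }
    return sum;
}

double mtbf_hours(double lambda_per_1e6h) { return 1.0e6 / lambda_per_1e6h; }

/* Constructed bill of materials (C1 from fig. 6, all pi factors assumed):
 * one 8-bit MOS microprocessor, one MOS digital gate array of
 * 1,001-3,000 gates, two bipolar linear devices of 101-300 transistors. */
#define BOM_N 3
static const part bom[BOM_N] = {
    { "8-bit MOS microprocessor",       1, .140, .010, 2.0, 2.0, 1.0, 1.0 },
    { "MOS gate array, 1,001-3,000",    1, .040, .005, 2.0, 2.0, 1.0, 1.0 },
    { "bipolar linear, 101-300 trans.", 2, .020, .003, 2.0, 2.0, 1.0, 1.0 },
};

int main(void)
{
    for (int i = 0; i < BOM_N; i++)
        printf("%-32s x%d  %.4f /10^6 h\n", bom[i].name, bom[i].qty, part_lambda(&bom[i]));
    double lb = board_lambda(bom, BOM_N);
    printf("board           : %.4f /10^6 h, MTBF %.0f h\n", lb, mtbf_hours(lb));
    double ld = board_lambda_derated(bom, BOM_N, 0.5);
    printf("board, piT x0.5 : %.4f /10^6 h, MTBF %.0f h\n", ld, mtbf_hours(ld));
    return 0;
}
```

The point of the derated variant is the one made above: once the prediction shows which parts dominate the board's λ, the designer's levers are the load rate (which acts through πT), the quality class (πQ) and the choice of long-life components, and the prediction is re-run until the objective is met.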

s the Failure Modes, their Effects and            These modelling processes enable                  s a check on integrity of information
their Criticity Analysis (FMECA)                  quantified simulation of operational              contained in the «program» and
conducted both on hardware and                    dependability, thus obtaining                     «constant data» memory boxes must
software, evaluates the effects of each           likelihoods for reliability, maintenability,      be performed on energising and then
known failure mode on equipment                   availability and safety of protection             cyclically during operation. This check
operation.                                        devices.                                          is made by calculating the Checksum
FMECA is used to correct certain                  Readers can find a more detailed                  with carrying over on the memory
malfunctioning risks and to specify               description of these various techniques           zones used. The checksum with carry
self-monitoring functions. It can be              in the references [Villemeur] or [RGE]            over covers 99.95 % for 128 bytes
performed at general function level               or [Pages-Gondran].                               (99.998 % for 128 Kbytes) for pasting
(the «protection» function), at                                                                     of address and of memory bits. For
elementary function level                                                                           volumes of information to be checked
(«overcurrent protection» function), at           dependability resources                           exceeding a hundred bytes, calculation
one of its subfunctions (see fig. 7) up to        Reliability, safety and maintenability of         of the Checksum with carry over is
the lowest level of the basic                     protection devices must be controlled             more efficient than calculation of
components (implanted on the                                                                        a CRC 16 for example (see reference
                                                  to guarantee optimum dependability of
electronic boards).                                                                                 [INRS]).
                                                  electrical installations.
                                                                                                    s a hardware and software watchdog
s the undesirable events concerning               As the objectives for these values are            must be fitted to detect blocking of the
protection devices are modelled using a           fixed, the protection device designer,            CPU (due to a component defect,
number of techniques:                             assisted by the reliability engineer,
s failure trees describe all the                                                                    interference or microprocessor
                                                  uses a certain number of resources to             overload). The validity of the watchdog
possible causes of a particular event to          achieve them:
be avoided (see fig. 8).                                                                            output signal must also be checked.
                                                  s thanks to the reliability engineer              The watchdog must cover failure of the
The failure tree is a boolean                     and his tools, he controls intrinsic
representation used to determine the                                                                microprocessor quartz and oscillator
                                                  reliability before and during                     (see fig. 11).
most critical paths to produce the event.
■ Markov graphs are a behavioural representation showing operating status, downgraded operation and equipment failure. Transitions between states are quantified by failure (λ) and repair (µ) rates. These graphs are used to calculate the likelihoods of occupying failure states (see fig. 9).
■ Petri nets have the same purpose as Markov graphs, i.e. modelling system states. They enable processing of more complex systems whose transitions between states do not necessarily obey an exponential distribution (e.g. Weibull's distribution) (see fig. 10).

development;
■ thanks to self-monitoring, failure signalling and communication resources, he can:
■ increase dependability by placing the device in the fall-back position,
■ increase maintainability and availability of the protection device.
Let us now look at the resources implemented:
■ self-monitoring
Efficiency and relevance of self-monitoring are vital for the dependability of the protection device. Below are examples of some resources enabling availability and safety to be increased:
■ program cycle time must be controlled. If interrupts are used to sequence cycles, it must be checked that these mechanisms are operating correctly.
■ a check on supply voltage must be continuously performed to anticipate possible voltage drops and stop the microprocessor «properly» (saving parameters).
■ if EEPROM memories are used, use of this component must be monitored by counting the number of writes, which must not exceed 10,000.
■ false digital data must not be processed after a failure in the analog to digital conversion chain.
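The fig. 9 Markov graph worked numerically, as an added example that is not part of the Cahier Technique: it builds the transition-rate matrix of the two-component, single-repairer system, solves for the steady-state probability of the failure state and for the mean times to failure from each state (the MUT quoted for fig. 9 is the time counted from the downgraded state, since a repair returns the system there). The rates LAM and MU are constructed values.

```python
"""Markov-graph calculation for the fig. 9 system (added example, not from the
Cahier Technique): two redundant, repairable components, one repairer.

States: 0 = operation (both OK), 1 = downgraded operation (one failed),
2 = failure (both failed). Rates: 0->1 at 2*lam, 1->2 at lam, and repairs
1->0 and 2->1 at mu (a single repairer, so never 2*mu).
Exact rational arithmetic is used so the results can be compared with the
closed-form expressions without rounding concerns.
"""
from fractions import Fraction

# Constructed rates: lambda = 1e-5 /h (MTTF of one component ~ 11.4 years),
# mu = 0.1 /h (mean repair time 10 h).
LAM = Fraction(1, 100_000)
MU = Fraction(1, 10)


def solve(A, b):
    """Solve A x = b exactly by Gauss-Jordan elimination over Fractions."""
    n = len(A)
    M = [[Fraction(v) for v in row] + [Fraction(b[i])] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        inv = 1 / M[col][col]
        M[col] = [v * inv for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [v - f * p for v, p in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def generator(lam, mu):
    """Transition-rate matrix Q of the fig. 9 graph (each row sums to zero)."""
    return [[-2 * lam, 2 * lam, 0],
            [mu, -(lam + mu), lam],
            [0, mu, -mu]]


def steady_state(Q):
    """Long-run probability of each state: solve pi Q = 0 with sum(pi) = 1."""
    n = len(Q)
    A = [[Q[j][i] for j in range(n)] for i in range(n)]  # transpose of Q
    b = [0] * n
    A[-1] = [1] * n  # one balance equation is redundant: replace it by normalisation
    b[-1] = 1
    return solve(A, b)


def mean_times_to_failure(Q, failed):
    """Mean time to first reach a state in `failed`, from each other state.

    For the transient states the mean times T satisfy
    (-Q restricted to transient rows/columns) T = 1.
    """
    transient = [s for s in range(len(Q)) if s not in failed]
    A = [[-Q[s][k] for k in transient] for s in transient]
    T = solve(A, [1] * len(transient))
    return dict(zip(transient, T))


def fig9_figures(lam, mu):
    """Unavailability (probability of the failure state), MTTF counted from
    'operation' and MUT counted from 'downgraded operation' (the state the
    system re-enters after a repair)."""
    Q = generator(lam, mu)
    pi = steady_state(Q)
    T = mean_times_to_failure(Q, failed={2})
    return {"unavailability": pi[2], "MTTF": T[0], "MUT": T[1]}


if __name__ == "__main__":
    for name, value in fig9_figures(LAM, MU).items():
        print(f"{name}: {float(value):.6g}")
```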

function | failure mode | effect on protection | detection resources | signalling
--- | --- | --- | --- | ---
acquire the phase currents | false measured current: continuous level > tripping threshold | protection device activated → untimely tripping | the algorithm used works on calculation of the current modulus at 50 Hz | "natural" inhibition of protection device
(same) | (same) | (same) | detection by periodical calculation of the signal dc component | signal failure on front panel and by communication
(same) | false measured current: continuous level < tripping threshold | protection device unavailable → failure to trip if fault | detection resources are the same | signal

fig. 7: FMECA table performed on a subfunction of the overcurrent protection device.

Cahier Technique Merlin Gerin n° 175 / p.8
An efficient check consists in continuously verifying two reference signals at the input of the multiplexer at two complementary addresses (100 % of failures of the Analog to Digital Converter and 100 % of sticking at 1 or 0 of the Multiplexer selection bits are thus detected).
Many other detection devices are used, which are obviously very dependent on the technology used.
■ the reliable fall-back position
The self-monitoring functions detect as many «major» failures as possible. A failure is said to be «major» if there is a risk of it causing incorrect operation of the protection device.

fig. 8: simple example of a failure tree.
(tree reconstructed from the figure) "failure to open of circuit-breaker on electrical installation fault" = AND (ET) of "failure to open of circuit-breaker" and "presence of a fault on the electrical installation"; "failure to open of circuit-breaker" = OR (OU) of "unavailability of breaking device", "unavailability of tripping circuit", "unavailability of protection device" and "unavailability of sensors".

fig. 9: example of a Markov graph for a system consisting of two redundant, repairable components (a single repairer).
(graph reconstructed from the figure) three states: operation, downgraded operation, failure; transition operation → downgraded operation at rate 2λ, downgraded operation → failure at rate λ, and repairs downgraded operation → operation and failure → downgraded operation at rate µ. If they are two electronic components (exponential reliability), the mean proper operating time after repair is MUT = …/(2 λ λ).

fig. 10: example of a Petri net for a system consisting of two redundant, repairable elements.
The Petri net represented has two places (P1, P2), two transitions (T1, T2) and four arcs. This net represents the behaviour of a repairable component, by assigning for example the following meanings to the places and transitions:
P1: the component is in proper operating condition.
P2: the component is not working.
T1: the component has failed.
T2: the component has just been repaired.

To check data integrity
A number of techniques can be used:
■ parity check
This consists in systematically making the number of bits transmitted even by completing the useful message with a «parity bit». The receiver can thus detect an error on 1 bit or 3 bits (any odd number of bits). Alteration of an even number of bits cannot be detected.
■ the CRC (Cyclic Redundancy Check) consists in adding to the useful information the remainder of its division by a polynomial standardised by the CCITT. For example, the degree 16 dividing polynomial (X16 + X15 + X2 + 1 = 1100 0000 0000 0011) used for the «CRC 16» can detect 16 simultaneous errors.
■ the Checksum consists in performing the binary sum of the bytes and in adding the result (truncated to one or more bytes) to the useful message. The Checksum can be associated for example with the parity byte check. Checking message integrity by the receiver is easier than for the CRC and can be more efficient.
To check proper running of a program
Often used in automation systems, the Watchdog technique consists in periodically running a test instruction. Non-running of this instruction within a given time reveals a failure and causes an alarm and an equipment protection device to trip.
fig. 11: self-monitoring reduces protection device unavailability time.
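The three integrity checks of the fig. 11 box, as an added example that is not part of the Cahier Technique: a parity bit, a one-byte checksum and a bit-serial CRC-16 are applied to a constructed message, which is then corrupted to show which check catches which error. It assumes the polynomial X16 + X15 + X2 + 1 is encoded in the conventional form 0x8005 (X16 term implied, MSB-first, zero initial value, no final XOR) rather than the bit pattern quoted above.

```python
"""Data-integrity checks from the fig. 11 box (added example, not from the
Cahier Technique): parity bit, one-byte checksum and CRC-16, applied to a
constructed message, to show which corruptions each technique catches.

Assumption: the CRC-16 polynomial X^16 + X^15 + X^2 + 1 is encoded in the
conventional way as 0x8005 (the X^16 term implied), computed MSB-first with
a zero initial value and no final XOR.
"""

CRC16_POLY = 0x8005


def crc16(data: bytes, poly: int = CRC16_POLY) -> int:
    """Remainder of data (as a polynomial over GF(2)) divided by poly, bit by bit."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ poly) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def parity_bit(data: bytes) -> int:
    """Even parity: the bit that makes the total number of 1 bits even."""
    return sum(bin(b).count("1") for b in data) & 1


def checksum8(data: bytes) -> int:
    """Binary sum of all bytes, truncated to one byte."""
    return sum(data) & 0xFF


def protect(data: bytes) -> dict:
    """Tags a sender appends to the useful message."""
    return {"parity": parity_bit(data), "checksum": checksum8(data), "crc16": crc16(data)}


def verify(data: bytes, tags: dict) -> dict:
    """True for each technique that detects a mismatch between data and its tag."""
    fresh = protect(data)
    return {name: fresh[name] != tags[name] for name in tags}


def flip_bits(data: bytes, positions) -> bytes:
    """Copy of data with the given (byte_index, bit_index) bits inverted."""
    buf = bytearray(data)
    for byte_i, bit_i in positions:
        buf[byte_i] ^= 1 << bit_i
    return bytes(buf)


def detection_report(data: bytes, positions) -> dict:
    """Corrupt `data` at `positions` and report which check notices it."""
    return verify(flip_bits(data, positions), protect(data))


# Constructed sample message (a few setting bytes, not real device data).
SAMPLE_MSG = b"\x10\x11\x22\x33\x44\x55"

if __name__ == "__main__":
    print("single bit flipped    :", detection_report(SAMPLE_MSG, [(0, 0)]))
    # Two flips of opposite sign: bit 0 of 0x10 (+1) and bit 0 of 0x11 (-1).
    # Parity misses any even number of flips, the byte sum is unchanged so the
    # checksum misses it too, but the CRC still catches it.
    print("two compensating flips:", detection_report(SAMPLE_MSG, [(0, 0), (1, 0)]))
    # A receiver can also run the CRC over message + appended CRC: the
    # remainder is 0 when nothing was altered.
    tagged = SAMPLE_MSG + crc16(SAMPLE_MSG).to_bytes(2, "big")
    print("CRC over message plus its CRC:", crc16(tagged))
```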

                                                                                                           Cahier Technique Merlin Gerin n° 175 / p.9
This type of failure must not degenerate into untimely tripping. The protection device places itself in a reliable, predetermined fall-back position to prevent passage of random orders. The operator is informed of this «fall-back» position and can immediately perform maintenance to restore the availability of the protection device.
At the same time, a «minor» failure, for example a peripheral failure (display or setting console), is signalled but does not affect availability of the protection device.
■ failure signalling
The self-monitoring functions must provide suitable diagnostic resources to enable a prompt resumption of operating status of the faulty protection device, i.e.:
■ provide the operator with external, clear and global information on the status of his protection device,
■ provide the manufacturer, during a maintenance operation, or even after return to the works of the faulty protection device, with internal, clear and precise information on the status of the protection device.
For example, failure of the protection device may be signalled by:
■ a front panel indicator light,
■ a WatchDog relay output,
■ a message on the front panel,
■ internally saved information detailing failure origin,
■ a message via the communication system when the protection device is part of a control and monitoring system.
This is a considerable advantage over older protection devices, which could remain in a state of failure for long periods of time without the operator being aware of this (see fig. 12) and which thus provided no information on the origin of the failure.
■ a tendency to adopt supervision and control and monitoring systems
As stated earlier, digital protection can incorporate automation and communication functions. It thus becomes one of the links in the supervision and control and monitoring system of the electrical installation, thus simplifying operation by enabling supervision, operation and management of the distribution:
■ supervision of status and electrical quantities (measurements),
■ supervision of devices (switchgear position, temperature, pressure, ...),
■ processing of alarms,
■ remote control of switching devices,
■ automatic reconfiguration of networks after fault,
■ management of consumed energy as a function of distributors' tariffs,
■ editing operating reports,
■ allocating energy costs to the various site consumers.
■ ease of maintenance
■ self-monitoring, signalling and communication facilitate knowledge of failure status, thus allowing immediate maintenance action,
■ self-diagnostics enable the troubleshooter to know the origin of the failure, thus resulting in rapid troubleshooting,
■ the programmed functions, customising the protection device in terms of applications/functions performed, are stored in a detachable cartridge. This enables immediate resumption of operation after replacement of the physical part (hardware), which is standardised.
■ special cases
Reliability of the protection device may not be sufficient if it is subject to exceptionally aggressive factors or if the availability and safety needs of electrical distribution are exceptionally high:
■ severe environment
Protection systems are sometimes installed in exceptional environments which exceed the specified constraints for equipment:
- temperature,
- vibration...
In each case, needs must be specially identified by the engineering and design department. A customised solution is then proposed:
- special varnish on electronic boards,
- specific maintenance contract.
■ an exceptional dependability need
A standby module can provide protection in the event of:
- a supply fault,
- a wiring fault,
- a trip release fault,
- main protection device not working.
Another solution is to back up the protection device with an «or» circuit in the breaking device control circuit. Installation safety is considerably increased, and electrical power availability is not reduced, when protection systems with a reliable fall-back position are used.
As an extreme solution, 2/3 vote systems can be considered.

fig. 12: self-monitoring reduces protection device unavailability time.
(timelines reconstructed from the figure)
electromechanical or analog protection: commissioning, then periodical maintenances 1, 2, 3...; an internal failure is not detected: installation not protected.
digital protection: commissioning, no periodical maintenance; an internal failure is detected: unavailability limited to maintenance time.

Cahier Technique Merlin Gerin n° 175 / p.10
3. dependability as a part of a global quality approach

software quality
A large part of digital protection device functions are performed by the software. Control of software quality is thus crucial to achieve global dependability objectives.
Software quality is controlled by using a rigorous development method. This method, resulting from the recommendations laid down by French (AFCIQ) and international (IEEE) organisations, stipulates:
■ breakdown of development into a series of phases (see fig. 13):
■ specification,
■ preliminary design,
■ detailed design,
■ coding,
■ unit tests,
■ integration and integration tests,
■ validation.
Each phase has a set of documents used and produced during the phase. These documents formalise the studies conducted in each phase and must be validated before moving on to the next phase.
■ use of design and coding methods and rules aiming at obtaining a high level of software structuring (e.g. SADT implemented in the ASA or MACH tool).
■ use of software configuration management tools enabling management of all software components and in particular control of the respective evolutions and versions of all these components (e.g. CMS tool).
Moreover, code reviewing methods are used to great advantage. A reviewer critically reads the code and makes his observations. This «manual» analysis is still one of the most efficient methods for discovering software errors.
Finally, once each software has been integrated and validated, a final qualification phase conducted by a team other than the development team ensures a last efficient check.

qualification of protection devices
Before protection devices are released on the market, they undergo a complete qualification. Some qualification criteria specific to the Medium and High Voltage environment are detailed below.
■ immunity to electromagnetic disturbances (conducted and radiated)
The electrical disturbances encountered in electrical substations have a number of origins:
■ lightning strokes falling directly on lines or close to the substation can generate overvoltages of some hundred kV and rise fronts of the order of a microsecond,
■ normal operation of switchgear, on opening and closing of the MV and HV breaking device, causes «switching operation» overvoltages (damped oscillatory wave). These overvoltages can cause electrical pulse fields of the order of 10 kV/m 1 metre from the circuit-breaker,
■ the human operator can cause electrostatic discharge, resulting on the equipment in current pulses of a few dozen amps and a very steep front of the order of a nanosecond,
■ radioelectric transmitters (e.g. walkie-talkies) generate fields of several dozen V/m 1 metre away.
Readers wishing to learn more about Electromagnetic Compatibility (EMC) can consult Cahier Technique n° 149.
Internal electrical stress withstand standards define the immunity levels required for operation of protection systems in electrical substations. These levels correspond to the withstands defined by IEC 255 standards or are even more severe. Compliance with the severity level defined is checked by tests. Four types of tests are performed:
■ damped oscillatory wave (IEC 255-22-1) severity: class III, 2.5 kV,
■ rapid transients (IEC 255-22-4) severity: class IV, 4 kV,
■ electrostatic discharge (IEC 255-22-2) severity: class III, 8 kV,

fig. 13: the software development cycle (V-shaped).
(diagram reconstructed from the figure) descending branch: software specification, preliminary design, detailed design, coding; ascending branch: unit tests, software integration, software validation. Each design phase is paired with the test phase that checks it by a plan: test plan (detailed design ↔ unit tests), software integration plan (preliminary design ↔ software integration), software validation plan (software specification ↔ software validation).

                                                                                                 Cahier Technique Merlin Gerin n° 175 / p.11
■ radiated fields (IEC 255-22-3) severity: greater than class III, 30 V/m (see fig. 14).
NB: the rapid transient test is the transcription into «conducted» mode of the «radiated» electromagnetic pulse fields generated during switchgear operations.
In addition to EMC tests, protection devices undergo «real-life» situation tests. For example, after placing the device in the Low Voltage compartment of a Medium and High Voltage cubicle, roughly one hundred circuit-breaker opening and closing operations were performed on a load imposing arc breaking under a small inductive current (switching operation overvoltages due to current pinching). During these tests, untimely tripping of the protection device must not occur.
■ the Kirchhoff laboratory: protection device testing
The functions performed by protection systems are complex. Proper operation of protection devices must be guaranteed for all the phenomena which can occur on electrical networks. An efficient laboratory for performing tests on protection devices is essential (see fig. 15).
The Kirchhoff laboratory enables real-life reproduction of phenomena as they occur on electrical networks (see fig. 16). This laboratory is equipped with a digital simulator used to:
■ calculate currents and voltages on the network when a short-circuit, insulation failure or device switching operation occurs,
■ generate the corresponding signals and apply them to the protection device to be tested. An analysis is then made of the behaviour of the protection devices subjected to conditions identical to those that they will encounter on the real network.
Digital simulation of electrical networks in the Kirchhoff laboratory uses two software packages:
■ EMTP (ElectroMagnetic Transient Program), a program for calculating transient phenomena. This international software enables, from an equipment library (transformers, lines, machines, ...), modelling of all kinds of electrical networks, simulation of

fig. 14: electromagnetic disturbance tests in anechoic chamber.

fig. 15: Kirchhoff protection device testing laboratory.

fig. 16: description of the protection device test system.
(diagram reconstructed from the figure) work station → computing of network transients (simulation software MORGAT, EMTP) → conversion of waveforms into real time signals → current and voltage arbitrary waveform generator → current and voltage adapted to device input → device under test → recording of protection device outputs.

Cahier Technique Merlin Gerin n° 175 / p.12
faults or device switching operation and precise calculation of evolution in current and voltage,
■ MORGAT, an electrical network simulator, developed and distributed by EDF. This software allows both fine analysis of network behaviour and control of the «real time» aspect of the Kirchhoff laboratory. Currents and voltages, calculated at different points of the simulated electrical network, are converted into analog signals for application to the protection device to be tested.

quality control
Protection devices undergo numerous quality control tests during production and at the end of
For example, electronic boards undergo initial inspection on the dielectric test bay performing insulation tests. They are then directed to the in-situ tester (see fig. 17).
The in-situ test checks proper operation and implantation of each electronic board component. It indicates mainly manufacturing defects and certain component defects. It provides an implicit diagnostic and ensures prompt repair of the board. The results are then used by the quality department and allow rapid detection of any drift in component or board manufacturing.
After the in-situ test, the boards are burnt in under combined thermal and electrical stresses. Burn-in eliminates teething faults in electronic equipment and reduces the length of the early period so that these faults appear in manufacture rather than during operation. Likewise, the fault statistics are used by the quality department so that rapid action can be taken for any drift in manufacturing quality.
Final testing ensures that the assembled boards dialogue correctly with each other and that the configuration achieved really does correspond with the customer's order. All the expected functions are thus activated by stimuli applied to the interfaces of the device produced.
In addition to the systematic checks made on production, qualification tests are repeated periodically on a representative sample of the range.

fig. 17: in-situ tester.



                                                                                         Cahier Technique Merlin Gerin n° 175 / p.13
4. analysis of experience feedback

To ensure significant experience feedback, a very large installed equipment base must be in operation when reliability is excellent. Operating failure data can then be analysed. Analysis of experience feedback is vital to:
■ assess operational reliability of
■ validate the dependability studies conducted during design;
■ cumulate technical experience to progress;
■ possess a dialogue basis between the manufacturer and the operator.
Experience feedback relies on reliable and orderly gathering of information relating to incidents occurring at customers' premises. Operational reliability (calculated on experience feedback) is only relevant if failure can be detected, is detected and is recorded. Failure data resulting from an installed equipment base which has no self-monitoring functions and infrequent periodical maintenance may not be representative of real reliability.
Operational reliability data on an installed base of digital protection devices are relevant due to the self-monitoring function. It has been observed that operational reliability is at least greater by a factor 10 than estimated reliability (calculated from the data book MIL-HDBK-217E). This difference was probably the result of deliberately pessimistic and sometimes anachronistic reliability data books (electronic component technologies and quality evolve at a great pace).
Recent updates to reliability data books have considerably reduced the difference between the operational and estimated reliability results. Today, the MTBF corresponding to untimely tripping or failure to trip of the protection device is several hundred years.

5. conclusion

Medium and High Voltage network protection devices perform a vital dependability function. They have to guarantee protection of persons and equipment, while ensuring availability of electrical power. Their malfunctions can inflict severe financial losses on operators. It is thus of prime importance that they meet high reliability, safety, availability and maintainability standards.
Consequently, protection devices must meet certain technical and industrial characteristics, of which the most significant are:
■ proper protection of MV and HV equipment and networks, by algorithms adapted to the various protection functions;
■ simplicity of implementation, operation and maintenance;
■ reliability in severe environments, as well as:
■ ability to perform self-monitoring,
■ possession of a reliable fall-back position.
The work of reliability and quality engineers, at the design stage, ensures that the digital protection devices out on the market today meet all these requirements.
Today, taking advantage of the development of digital communications (bus) and supervision, the functions of protection devices extend to the control and monitoring domain for optimised management of electrical power distribution.

6. appendix

Mean times characterising dependability (see fig. 18):
The MTTF (Mean Time To first Failure) is the mean time a device operates properly before failure.
The MTTR (Mean Time To Repair) is the mean repair time.
The MTBF (Mean Time Between Failures) is the mean time between two failures (for a repairable
The MDT (Mean Down Time) is the mean failure time, including failure detection time, intervention time, repair time and resumption of operation time.
The MUT (Mean Up Time) is the mean time a device operates properly after repair.
The MTBF term is wrongly translated as the mean proper operation time. This definition actually belongs to the MTTF! The confusion stems from the fact that the MTTR (of the order of a few hours) is often tiny compared with the MTTF (of the order of several thousand hours).

[fig. 18: diagram of mean times (MTTF, MTBF, MDT, MUT; failure status, operating status), established for a system requiring no interruption in operation for preventive maintenance.]

The likelihoods
Reliability, R(t), is the likelihood that the system will not fail over a time t.
Maintainability is the likelihood that the system will be repaired within a time t.
Availability is the likelihood that the system will be operating at a time t.
Safety is the likelihood that a disastrous event will be avoided.
In practice, the quantity normally used is the failure rate λ(t): the likelihood of breaking down in the next instant, given that the system has not failed so far.
For electronic components, the failure rate follows an evolution in time known as the «bathtub» curve. During the «useful life» period, the component does not age and its failure rate is constant in time. The following fundamental relationships are then obtained:
Reliability R(t) = e^(-λt) and MTTF = 1 / λ.

Example:
If a device has an MTTF of 100 years, its failure rate λ = 1 / MTTF is 10^-2 per year. The likelihood of failure each year is thus 1 %. This also means that out of 100 devices in operation, on average 1 device will break down each year! An MTTF (or MTBF) of 100 years on no account means that the system will not fail for 100 years. The MTTF cannot therefore be compared to a guarantee period or to a lifetime...
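As an added illustration of the relationships above (λ = 1 / MTTF, R(t) = e^(-λt), the 1 % yearly figure for a 100-year MTTF, and MTBF as the up time plus the down time of fig. 18) and of the section 4 comparison between operational and estimated reliability, the following Python script is not code from the Cahier Technique. The fleet records it uses are constructed sample values, not Merlin Gerin field data, and the steady-state availability formula MUT / (MUT + MDT) is a standard result that the page itself does not state:

```python
"""Dependability arithmetic for the appendix quantities and the
experience-feedback comparison. Added illustration, not page code."""
import math


def failure_rate(mttf_years):
    """Constant failure rate λ = 1 / MTTF, in failures per year ("useful life" assumption)."""
    return 1.0 / mttf_years


def reliability(lam, t_years):
    """R(t) = exp(-λt): probability that the device has not failed after t years."""
    return math.exp(-lam * t_years)


def yearly_failure_probability(mttf_years):
    """Probability of failing within one year, 1 - R(1).

    For small λ this is ≈ λ, which gives the 1 % quoted for MTTF = 100 years."""
    return 1.0 - reliability(failure_rate(mttf_years), 1.0)


def expected_failures(fleet_size, mttf_years, t_years):
    """Mean number of devices out of fleet_size expected to fail within t years."""
    return fleet_size * (1.0 - reliability(failure_rate(mttf_years), t_years))


def mtbf(mut_years, mdt_years):
    """For a repairable device, MTBF = MUT + MDT (the layout of fig. 18)."""
    return mut_years + mdt_years


def steady_state_availability(mut_years, mdt_years):
    """Long-run fraction of time in operating status, MUT / (MUT + MDT).

    Standard renewal-process result; an assumption added here, not a formula
    given on the page."""
    return mut_years / mtbf(mut_years, mdt_years)


# Constructed sample field records (NOT Merlin Gerin data): batches of
# self-monitored relays, each with its installed count, years in service
# and the number of failures that self-monitoring detected and reported.
SAMPLE_FIELD_DATA = [
    {"devices": 4000, "years": 3.0, "failures": 2},
    {"devices": 2500, "years": 2.0, "failures": 1},
    {"devices": 1500, "years": 1.0, "failures": 0},
]


def operational_failure_rate(field_records):
    """Point estimate λ_obs = recorded failures / cumulative device-years.

    Returns (λ_obs, device_years). Only detected and recorded failures are
    counted, which is why the text insists on a self-monitoring installed base."""
    device_years = sum(r["devices"] * r["years"] for r in field_records)
    failures = sum(r["failures"] for r in field_records)
    return failures / device_years, device_years


def feedback_ratio(predicted_mttf_years, field_records):
    """λ_predicted / λ_observed: how many times better the field reliability is
    than the data-book prediction (the text reports a factor of at least 10).

    With zero recorded failures the field data only bound the MTTF from below,
    so no ratio can be quoted; raise instead of dividing by zero."""
    lam_obs, _ = operational_failure_rate(field_records)
    if lam_obs == 0:
        raise ValueError("no recorded failures: only a lower bound on MTTF is possible")
    return failure_rate(predicted_mttf_years) / lam_obs


if __name__ == "__main__":
    print(f"MTTF 100 years -> yearly failure probability {yearly_failure_probability(100):.4f}")
    print(f"Expected failures in a year among 100 devices: {expected_failures(100, 100, 1):.2f}")
    lam_obs, dy = operational_failure_rate(SAMPLE_FIELD_DATA)
    print(f"Observed: {dy:.0f} device-years, λ_obs = {lam_obs:.2e}/year, MTTF_obs = {1 / lam_obs:.0f} years")
    print(f"Ratio predicted/observed λ for a 100-year prediction: {feedback_ratio(100, SAMPLE_FIELD_DATA):.1f}")
```

The observed rate counts only failures that were detected and recorded, which is the condition section 4 places on meaningful feedback; with the constructed records the observed MTTF comes out around 6 000 years against a 100-year prediction, a ratio of about 60, in the same direction as the factor of 10 the text reports.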

7. bibliography

Publications
- Reliability design approach for protection and control equipment for MV distribution networks. Second International Conference on the Reliability of Transmission and Distribution Equipment, M. LEMAIRE, J.C. TOBIAS, March 1995.
- Electrical disturbance tests for measuring relays and protection equipment. Part 1: 1 MHz burst disturbance tests. Eyrolles EDF.
- Fiabilité des systèmes. Eyrolles EDF, A. PAGES, M. GONDRAN, 1980.
- Autotest d'une mémoire programme : deux solutions. Electronique n° 4, January 1991.
- Military Handbook 217-F. Department Of Defense, USA.
- Recueils de données de fiabilité des composants électroniques, RDF 93.

Standards
- IEC 255 Electrical relays
  - part 22: Electrical disturbance tests for measuring relays and protection equipment
    - section 1: 1 MHz burst disturbance
    - section 2: Electrostatic discharge
    - section 3: Radiated electromagnetic field disturbance tests,
    - section 4: Fast transient disturbance test.
- VEI 191.

Merlin Gerin's Cahiers Techniques
- Introduction to dependability design. Cahier Technique n° 144, P. BONNEFOI, 1991.
- EMC: electromagnetic compatibility. Cahier Technique n° 149, F. VAILLANT, 1991.
- MV public distribution networks worldwide. Cahier Technique n° 155, C. PURE, 1991.
- Design of industrial networks in HV. Cahier Technique n° 169, G. THOMASSET.
- Protection devices of industrial and tertiary HVA networks. Cahier Technique n° 174, A. SASTRE.

Production: Illustration Technique Lyon - DTE - 08/95 - 2 500 - Printer: Clerc
