Remote Maintenance Testing in Digital Substations

Author: Alexander Apostolov, USA

Remote Testing System Components: To develop and implement a remote testing system, we need a set of components that meet the requirements listed above (Figure 1).

Engineering station: The engineering station is located at a central or regional office and gives the testing specialist remote access to the test system in the remote substation. It should have remote access software installed with a high level of cyber security that provides access to the remote test system only to personnel with the required credentials. The decision to use remote control of a test computer located in the substation is driven by the elimination of the latency introduced by the wide area communications between the engineering station and the remote substation.

The Substation test computer is the host of the different testing tools, including a wide range of specialized test modules for automated testing of multifunctional protection, automation and control devices. The test computer interfaces with the remote engineering station over the secure remote access software.

The Remote Access Software allows the test specialist to take control of the substation test computer over a secure connection. It is very important to use software with the highest level of cyber security and to enforce strong passwords and authentication.

Testing Tools: The maintenance testing of modern numerical protection devices usually requires the use of different test modules as a function of the reason for the test. The efficiency of the testing can be significantly improved if the testing specialists have developed standardized test plans for the different maintenance testing use-cases. The testing tools should support all IEC 61850 testing related features described earlier in the article and should allow the control of the test objects’ mode as required by the test.
Any number of test modules can be combined in a complete test plan to match the requirements of the functions to be tested. The individual tests are executed in the predefined order through the test devices under the control of the test computer.
The testing tool must ensure that all components of the substation protection and control system will return to their pre-test state after the completion of the test.
The testing tools have to be properly configured according to the Role Based Access Control (RBAC) rules in order to minimize the probability of human error, which can be critical when running maintenance tests in an energized substation.

Test Devices: The test computer controls one to many test devices. They are substation hardened and permanently installed test devices with IEC 61850 communications capabilities that can operate as IEC 61850 GOOSE and sampled values publishers and GOOSE subscribers in order to perform the testing of different protection functions under the control of the test computer.
The test devices should be capable of operating either as simulators of existing components of the substation protection and control system (used by the source reference of InRef) or as a test device simulating generic test signals (used by the test reference of InRef). One communication port of the test device is connected to a dedicated Ethernet switch used specifically by the substation test system for the interface with the test computer.
A second communication port of the test device is connected to the substation network for exchange of messages with the different protection, automation and control devices. This allows the test device to provide separation between the test computer (controlled from the remote engineering station) and the protection and control substation network.

Test LAN: The testing network is dedicated to the interface between the remote engineering station, the substation test computer and the permanently installed test devices. This is to ensure a higher level of cyber security considering that the communications between the engineering station and the substation are executed over a wide area network.

Engineering of the Test System: The components of the test system that are permanently installed in the substation to support the remote testing have to be included in the overall engineering of the substation protection, automation and control system. This applies not only to the communication interfaces that ensure the test system can publish and subscribe to IEC 61850 messages, but also to its ability to simulate substation IEDs or act as a generic test device.

Requirements for Isolation During Maintenance Testing
The requirements for isolation depend mainly on what is being tested and the purpose of the test. In conventional hardwired protection devices, the isolation is physical using a test switch that completely disconnects the tested device from the substation environment.
In an IEC 61850 based digital substation physical isolation is not possible, so it is necessary to implement the test related features defined in the standard. These features are briefly described as follows:

Test Mode of a Function: A logical node or a logical device can be put in test mode using the data object Mod of the LN or of LLN0. The behavior is explained in Figures 2 and 3. A command to operate can be either initiated by a control operation or by a GOOSE message that is interpreted by the subscriber as a command. If the command is initiated with the test flag set to FALSE, it will only be executed if the function (LN or logical device) is "ON". If the device is set to test mode, it will not execute the command (Figure 2).

If the command is initiated with the test flag set to TRUE, it will not be executed if the function is "ON". If the function is "TEST", the command will be executed and a wired output (a trip signal to a breaker) will be generated. If the function is set to "TEST-BLOCKED", the command will be processed; all the reactions (sending a command confirmation) will be produced, but no wired output to the process will be activated (Figure 3). The mode "TEST-BLOCKED" is particularly useful while performing tests with a device connected to the process.
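The command handling described above can be written as a small decision function together with a pre-test check that lists which functions would drive a physical output. This is an added example, not code from the article or from the standard; it assumes that TEST and TEST-BLOCKED both count as "test mode" for commands without the test flag, and the logical node names in the sample are constructed.

```python
from enum import Enum

class Mod(Enum):
    # The three modes the text discusses; other Mod values are out of scope here.
    ON = "on"
    TEST = "test"
    TEST_BLOCKED = "test/blocked"

def process_command(mod, test_flag):
    """Return (processed, wired_output) for an operate command.

    processed:    the function acts on the command and produces its reactions
    wired_output: a physical output to the process (e.g. a breaker trip) is driven
    """
    if not test_flag:
        # Normal command: executed only when the function is ON.
        # Assumption: TEST and TEST-BLOCKED both count as "test mode" here.
        on = mod is Mod.ON
        return (on, on)
    if mod is Mod.ON:
        # Test-flagged command reaching a function in normal operation: ignored.
        return (False, False)
    # TEST drives the output; TEST-BLOCKED processes the command but keeps it off the process.
    return (True, mod is Mod.TEST)

def wired_output_risks(modes):
    """Pre-test check: names of functions that would drive a physical output
    if they received a test-flagged command in their current mode."""
    return sorted(name for name, mod in modes.items()
                  if process_command(mod, test_flag=True)[1])

# Constructed sample: logical node names and modes are illustrative only.
SAMPLE_MODES = {
    "PTOC1": Mod.TEST_BLOCKED,
    "PTRC1": Mod.TEST,
    "XCBR1": Mod.ON,
}

if __name__ == "__main__":
    for mod in Mod:
        for flag in (False, True):
            print(f"{mod.value:13} test={flag!s:5} -> {process_command(mod, flag)}")
    print("would operate the process:", wired_output_risks(SAMPLE_MODES))
```

Running the check before a remote test in an energized substation shows which functions are in TEST rather than TEST-BLOCKED and would therefore operate the process.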

Simulation of Messages: Another feature that has been added to Edition 2 is the possibility to subscribe to GOOSE messages or sampled value messages from simulation by test equipment. The approach is explained in Figure 3. GOOSE or sampled value messages have a flag indicating if the message is the original message or if it is a message produced by a simulation. On the other hand, the IED has in the logical node LPHD (the logical node for the physical device or IED) a data object defining if the IED shall receive the original GOOSE or sampled value messages or simulated ones. If the data object Sim is set to TRUE, the IED will receive, for all GOOSE messages it is subscribing to, the ones with the simulation flag set to TRUE. If for a specific GOOSE message no simulated message exists, it will continue to receive the original message. That feature can only be activated for the whole IED, since the IED shall receive either the simulated message or the original message. Receiving both messages at the same time would create a different load situation and therefore create wrong test results (Figure 4).
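The subscriber-side selection between original and simulated GOOSE messages can be modelled as below. This is an added example, not code from the article or from an IED vendor; the control block references are constructed, and two behaviours are assumptions of the sketch: once a simulated message has been seen for a GOOSE the original is ignored until Sim changes, and changing Sim restarts selection from the original messages.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Goose:
    gocb_ref: str     # reference of the subscribed GOOSE (constructed names below)
    simulation: bool  # simulation flag carried in the message
    st_num: int       # stand-in for the payload

@dataclass
class Subscriber:
    subscriptions: set
    sim: bool = False                            # LPHD.Sim, one setting for the whole IED
    sim_seen: set = field(default_factory=set)   # GOOSEs with a simulated stream present
    alerts: list = field(default_factory=list)   # simulated frames seen while Sim is FALSE

    def set_sim(self, value):
        # Assumption: changing Sim restarts selection from the original messages.
        self.sim = value
        self.sim_seen.clear()

    def accept(self, msg):
        if msg.gocb_ref not in self.subscriptions:
            return False
        if not self.sim:
            if msg.simulation:
                self.alerts.append(msg)   # test set left running, or forged traffic
            return not msg.simulation
        if msg.simulation:
            self.sim_seen.add(msg.gocb_ref)
            return True
        # Original message while Sim is TRUE: used only if no simulated one exists.
        return msg.gocb_ref not in self.sim_seen

def run_demo():
    trip, intl = "IED1LD0/LLN0$GO$gcbTrip", "IED2LD0/LLN0$GO$gcbIntl"  # constructed
    ied = Subscriber(subscriptions={trip, intl})
    results = [ied.accept(Goose(trip, False, 1)),   # Sim FALSE, original
               ied.accept(Goose(trip, True, 1))]    # Sim FALSE, simulated
    ied.set_sim(True)
    results += [ied.accept(Goose(trip, False, 2)),  # no simulated stream yet
                ied.accept(Goose(trip, True, 1)),   # simulated stream appears
                ied.accept(Goose(trip, False, 3)),  # original now ignored
                ied.accept(Goose(intl, False, 1))]  # no simulation for this one
    return results, len(ied.alerts)

if __name__ == "__main__":
    print(run_demo())
```

The `alerts` list records simulation-flagged messages that arrive while Sim is FALSE, which a monitoring system can use to flag test equipment left publishing after a test.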
