Remote Maintenance Testing in Digital Substations

Author: Alexander Apostolov, USA

Replacing the hard-wired interfaces with IEC 61850 based communications interfaces allows remote access to the substation for remote testing. The replacement of part or all the hardwired interfaces with communication links requires the development and implementation of methods and tools that maintain the same level of security during the testing process, while at the same time take advantage of all the benefits that IEC 61850 provides. All of the discussions in the article will be based on the following definitions, which are based on the research of many different definitions available on the Internet:

  • Effectiveness - the degree to which objectives are achieved, without consideration of the resources being used.
  • Efficiency - the extent to which a resource is used in order to effectively achieve an objective.

Maintenance Testing
One of the key requirements for correct maintenance testing is the reason for the test. Maintenance testing in general is testing which is performed to diagnose and identify equipment problems or confirm that different actions taken to change settings, upgrade or repair the protection device or another component of the fault clearing system have been effective. The tests to be included in the maintenance test will depend on which of the listed above measures have been implemented.
Maintenance testing can also be related to changes in firmware or addition of new equipment to the substation. In this case it will include installation and commissioning testing, so it is not considered as a topic of this article.

Maintenance Testing in Case of Incorrect Protection System Operation: Problems of the different elements of the fault clearing system can be of two main types – if the system does not operate when it has to and if it operates when it should not. These two types of problems are usually detected when the system is in service and an event occurs. The operation needs to be analyzed in order to determine the reason and take some corrective action to prevent future incorrect operation of the system.

Failure to Operate: The main role of a protection relay is to detect when a fault occurs in the electric power system and to take the necessary actions to clear the fault by disconnecting the faulty equipment from the rest of the system. In some cases, such as transmission line or distribution feeder faults of temporary nature the protection system may also attempt to restore the pre-fault system topology using autoreclosing functions. Failure to operate under fault conditions may have severe impact on the stability of the electric power system due to the increased duration of the fault caused by the operation of backup protection functions and the switching-off of healthy system components.

Undesired Operation:  As many system disturbances and blackouts have shown, one of their main causes have been operations of the protection system under non-fault conditions. These failures also need to be prevented since they may also have a negative impact on the stability of the electric power system and result in deterioration of the conditions and a wide area disturbance.

Maintenance Testing Requirements in Case of Incorrect Operation: The maintenance testing in case of incorrect operation are of two types:

  • Tests used to determine the reason for the operation
  • Tests used to confirm that a required corrective action has been successfully implemented
  • Determining the reason for the incorrect operation is typically done using as a first step replay of waveform records available from the relay itself or from other recording equipment at the substation. The second method is preferred for several reasons:
  • The record in the failed relay may be affected by the failure of the device itself or a component of the fault clearing system – for example instrument transformers or the wiring between them and the relay
  • The sampling rate of the recording by the relay may be too low which will not correctly represent the abnormal system condition

In some cases, comparison of the recording from the relay that operated incorrectly and the record from another device can indicate the reason for the operation and which component of the system has failed.
After the reason for the incorrect operation has been determined, a corrective action is required, followed by maintenance testing to ensure that the measure has been successful. The maintenance tests in this case can be based on replay of the same files used to determine the cause of the incorrect operation, or some other tests to verify changes in settings or programmable scheme logic using network system simulation.

Remote Testing Requirements and Benefits: IEC 61850 based digital substation allow a significant improvement in the efficiency of maintenance testing. This is the result of the availability of testing related features defined in the standard which allow the isolation of the test object and testing system from the rest of the live substation without the need for physical switching or connections of equipment in the live substation.
One of the benefits of digital substations is that all devices (PAC IEDs, substation computers and test devices) are connected to the substation communications network. If there are testing tools that are connected to the network in the substation on a permanent basis, it becomes possible to perform the tests from a remote location. This can be useful in many cases:

  • Long distance between the substation and the base of the test team
  • Difficult terrain with bad roads
  • Difficult weather conditions
  • Requirements for reduction of outage time because of maintenance

The remote testing improves the efficiency by eliminating the need to travel to the substation to perform the testing. This leads to the significant reduction in the time spent by the testing team in relation to a specific maintenance test.
Additional savings in time are the result of eliminating the need for connecting the test equipment to the test object. The ability to isolate only a function element that is being tested improves the efficiency of operation of the electric power system by eliminating the need for an outage during the testing.  To be able to perform remote testing the system needs to meet the following requirements:
Analog and digital interfaces between the process and the protection, automation and control system are communications based (IEC 61850 SVs and GOOSE)

  • Support of virtual isolation of test objects
  • Ability to test a subset of the protection function elements
  • Remote secured access to the substation’s test system
  • Isolation between the test computer and the substation station and process bus

Remote Testing System Components: To develop and implement a remote testing system, we need a set of components that meet the above listed requirements. (Figure 1).

Engineering station: The engineering station is located at a central or regional office and is used to allow the testing specialist to remotely access the test system in the remote substation.  It should have installed a remote access software with high level of cyber security that will provide access to the remote test system only to personnel with the required credentials. The decision to use remote control of a test computer located in the substation is driven by the elimination of the latency introduced by the wide area communications between the engineering station and the remote substation.

The Substation test computer is the host of the different testing tools, including a wide range of specialized test modules for automated testing of multifunctional protection, automation and control devices. The test computer interfaces with the remote engineering station over the secure remote access software.

The Remote Access Software allows the test specialist to take control of the substation test computer over a secure connection. It is very important to use the software with the highest level of cyber security and to enforce strong passwords and authentication.

Testing Tools: The maintenance testing of modern numerical protection devices usually requires the use of different test modules as a function of the reason for the test. The efficiency of the testing can be significantly improved if the testing specialists have developed standardized test plans for the different maintenance testing use-cases. The testing tools should support all IEC 61850 testing related features described earlier in the article and should allow the control of the test objects’ mode as required by the test.
Any number of test modules can be combined in a complete test plan to match the requirements of the functions to be tested. The individual tests are executed in the predefined order through the test devices under the control of the test computer.
The testing tool must ensure that all components of the substation protection and control system will return to their pre-test state after the completion of the test.
The testing tools have to be properly configured according to the Role Based Access Control (RBAC) rules in order to minimize the probability for human error, which can be critical when running maintenance tests in an energized substation.

Test Devices: The test computer controls one to many test devices. They are substation hardened and permanently installed test devices with IEC 61850 communications capabilities that can operate as IEC 61850 GOOSE and sampled values publishers and GOOSE subscribers in order to perform the testing of different protection functions under the control of the test computer.
The test devices should be capable to operate both as simulators of existing components of the substation protection and control system (used by the source reference of InRef) or as a test device simulating generic test signals (used by the test reference of InRef). One communication port of the test device is connected to a dedicated Ethernet switch used specifically by the substation test system for the interface with the test computer.
A second communication port of the test device is connected to the substation network for exchange of messages with the different protection, automation and control devices. This allows the test device to provide separation between the test computer (controlled from the remote engineering station) and the protection and control substation network.

Test LAN: The testing network is dedicated to the interface between the remote engineering station, the substation test computer and the permanently installed test devices. This is to ensure a higher level of cyber security considering that the communications between the engineering station and the substation are executed over a wide area network.

Engineering of the Test System:  The components of the test system that are permanently installed in the substation to support the remote testing have to be included in the overall engineering of the substation protection, automation and control system. This does not only apply to the communication interfaces that will ensure the required ability of the test system to publish and subscribe to IEC 61850 messages, but also to simulate substation IEDs or act as a generic test device.

Requirements for Isolation During Maintenance Testing
The requirements for isolation depend mainly on what is being tested and the purpose of the test. In conventional hardwired protection devices, the isolation is physical using a test switch that completely disconnects the tested device from the substation environment.
In an IEC 61850 based digital substation the physical isolation is not possible, so it is necessary to implement the test related features defined in the standard. These features are briefly described as follows

Test Mode of a Function: A logical node or a logical device can be put in test mode using the data object Mod of the LN or of LLN0. The behavior is explained in Figures 2 and 3. A command to operate can be either initiated by a control operation or by a GOOSE message that is interpreted by the subscriber as a command. If the command is initiated with the test flag set to FALSE, it will only be executed if the function (LN or logical device) is "ON". If the device is set to test more, it will not execute the command (Figure 2).

If the command is initiated with the test flag set to TRUE, it will not be executed, if the function is "ON". If the function is "TEST", the command will be executed and a wired output (a trip signal to a breaker) will be generated. If the function is set to "TEST-BLOCKED", the command will be processed; all the reactions (sending a command confirmation) will be produced, but no wired output to the process will be activated (Figure 3). The mode "TEST-BLOCKED" is particularly useful while performing tests with a device connected to the process.

Simulation of Messages: Another feature that has been added to Edition 2 is the possibility to subscribe to GOOSE messages or sampled value messages from simulation by test equipment. The approach is explained in Figure 3. GOOSE or sampled value messages have a flag indicating if the message is the original message or if it is a message produced by a simulation. On the other hand, the IED has in the logical node LPHD (the logical node for the physical device or IED) a data object defining if the IED shall receive the original GOOSE or sampled value messages or simulated ones. If the data object Sim is set to TRUE, the IED will receive for all GOOSE messages it is subscribing the ones with the simulation flag set to TRUE. If for a specific GOOSE message, no simulated message exists, it will continue to receive the original message. That feature can only be activated for the whole IED, since the IED shall receive either the simulated message or the original message. Receiving both messages at the same time would create a different load situation and therefore create wrong test results. (Figure 4).

Mirroring Control Information: A third feature that has been added is the mirroring of control information. This supports the possibility, to test and measure the performance of a control operation while the device is connected to the system. A control command is applied to a controllable data object. As soon as a command has been received, the device shall activate the data attribute opRcvd. The device shall then process the command. If the command is accepted, the data attribute opOk shall be activated with the same timing (e.g. pulse length) of the wired output. The data attribute tOpOk shall be the time stamp of the wired output and opOk.
These data attributes are produced independently if the wired output is produced or not – the wired output shall not be produced if the function is in mode TEST-BLOCKED. They allow therefore an evaluation of the function including the performance without producing an output. (Figure 5).

Isolating and Testing a Device in the System:  Combining the mechanisms described in the previous sections, it is possible to test a device that is connected to the system. We will explain that with a short example.
Let's assume we want to test the performance of a Main 1 protection that receives sampled values from a merging unit. In the LN LPHD of the Main 1 protection relay, the data object Sim shall be set to TRUE, the logical device for the protection function shall be set to the mode "TEST" and the logical node XCBR as interface to the circuit breaker shall be set to the mode "TEST-BLOCKED." A test device shall send sampled values with the same identification as the ones normally received by the protection relay but with the Simulation flag set to TRUE.
The protection device will now receive the sampled values from the test device and will initiate a trip. The XCBR will receive and process that trip; however, no output will be generated. The output can be verified through the data attribute XCBR.Pos.opOk and the timing can be measured through the data attribute XCBR.Pos.tOpOk. The same principle applies when the tested IED receives GOOSE messages. The real data received from a publishing IED or the simulated data received from the test devices will be available on the data bus depending on the value of Sim in LPHD.
The issue with this method is that all IED function elements using the simulated signals must be in Test mode, i.e. they will not be available to detect any abnormal condition during the testing. This can be avoided by using some advanced testing features.

Advanced Simulation Possibilities that can be used for remote maintenance testing of single function element, while the rest of the protection functions remain in service. The concept is explained in Figure 6. As described earlier, with Edition 2, the possibility to describe references to inputs of a logical node has been added. This is done through multiple instances of data objects InRef of the CDC ORG. That data object has two data attributes providing object references: one as a reference to the object normally used as input; the other one as a reference to a data object used for testing. By activating the data attribute tstEna, the function realized in the LN shall use the data object referred to by the test reference as input instead of the data object used for normal operation.
With that feature, it is possible to test a protection or logic function. Instead of simulating the position indications of the different switches as inputs, the logical node (in that example CILO), can be set to use inputs from a generic logical node GGIO in a test. The testing tool can now easily modify the different data objects of the LN GGIO to simulate the test patterns that shall be verified. That logical node can be external (the data objects being received through GOOSE messages) or it can be implemented in the IED itself for testing support.

The use of this feature will require the subscribing IED to be capable to carry simultaneously on the internal digital data bus both the data from the process and the generic test data from the test system. (Figure 7).
Data attribute setSrcRef specifies the object reference to the input that is normally used as input while setTstRev specifies the reference to data object used for testing. By setting the data attribute tstEna to TRUE, the application will use the test signal referred to by setTstRef instead of the data object referenced by setSrcRef used for normal operation. A function LN can have multiple instance of InRef for multiple inputs.

By means of switching over the input reference from the process signal, which may not be accessible or cannot be modified, to a signal which can be easily modified (tstEna set to TRUE), an application can be isolated on the input side from the process and fed with test signals (value and data quality information). This feature requires to have an extra function at hand which allows a controlled generation (i.e. from a front panel pushbutton) of these signals. In case this function is hosted in a device external to the IED under test, the data flow has to be engineered (GOOSE subscription) in the device configuration. InRef is applicable to all types of Data Objects including SVs.
This feature is different from the use of the Simulation mode which affects the entire IED and is limited to GOOSE communication, while ‘tstEna’ has effect on the information sourcing of a single input. Some signals subscribed by LD under test, may be not strictly necessary for the tests (i.e. SF6 pressure of CB, etc.). Ideally, the test set should be capable to generate all these input signals and the LN should be defined with an individual tstEna for every single input. This has to be included in the system design in the engineering phase. Consequence of this would be an "automatic" configuration of the test set depending on the characteristics of the feeder. Normally, all information can be found in the SCD file. 



Dr. Alexander Apostolov received his MS degree in Electrical Engineering, MS in Applied Mathematics and Ph.D. from the Technical University in Sofia, Bulgaria. He is Principal Engineer for OMICRON electronics in Los Angeles, CA. He is an IEEE Fellow and Member of the PSRC and Substations C0 Subcommittee. He is past Chairman of the Relay Communications Subcommittee, serves on many IEEE PES WGs. He is a member of IEC TC57 WGs 10, 17, 18, 19, Convenor of CIGRE WG B5.53 and member of several other CIGRE B5 WGs. He is a Distinguished Member of CIGRE. He holds 4 patents and has authored and presented more than 500 technical papers. He is an IEEE Distinguished Lecturer and Adjunct Professor at the Department of Electrical Engineering, Cape Peninsula University of Technology, Cape Town, S. Africa. He is Editor-in-Chief of PAC World Magazine.