Editorial

Reliability and Redundancy - are you ready for Simplicity?

Changes in technology are forcing protection, automation and control specialists to look at how they can apply well-established protection principles and philosophies that were proven in the 20th century to communications-based systems, while maintaining or even improving their reliability.

That was the reason to focus this issue of the magazine on the subjects of reliability and redundancy and invite experts from different countries to discuss them. One of the key requirements for any protection and control system is to ensure that any short circuit fault or other abnormal system condition will be cleared in a way that will minimize its effect on utilities' or customers' equipment. In many cases people focus on the reliability of the protection and control system. This is very important, but not sufficient. We should always keep in mind that the protection cannot clear the fault by itself. It needs to interface with the process in order to detect an abnormal system condition and execute an action to clear it. That is why we need to think about the reliability of the fault clearing system.


If we look at the definition of reliability in the IEC 60050 International Electrotechnical Vocabulary, it is "the ability of an item to perform a required function under given conditions for a given time interval." One of the most common methods of improving the reliability of the fault clearing system is through redundancy. If someone tells us that we need to use a redundant system, we need to first ask the question "Redundancy of what?". The fault clearing system includes current and voltage instrument transformers, analog and control circuits, relays, batteries and breakers. Which of these should be redundant?


To answer this question, we need to think about the importance of the substation to the electric power system; the maximum fault clearing time that is not going to endanger the stability of the system; the protection philosophy; and how much money we can spend. However, this is not the complete picture.


If redundant relays are required, we need to decide if they should be identical or different, and this raises the issue of common mode failure, because simple duplication of two devices does not mean that the protection system will never fail. The common mode failure can be a hardware or operating principle issue. That is why many utilities apply the principle of using two relays with different operating principles and from different manufacturers. This solves many of the issues discussed earlier, but like everything in life it has a price:



       
  • Utility personnel need to be trained in using different devices and software tools

  • Devices of different types need to be kept in stock in case of failure

  • The engineering process is more complicated


That is why some utilities accept the practice of using protection devices with different operating principles, but from the same manufacturer and family of products. This eliminates the common mode failure problem of the operating principle and the need for using different software tools. However, common mode failure of the hardware is still a possibility. If we use two identical relays, we need to deal with the possibility of common mode failure of both operating principle and hardware. To decide if this is acceptable, we need to determine what would be the consequences of the failure of both relays to clear the fault.


Today things get even more interesting. IEC 61850 is shifting protection systems from hard-wired to communications-based solutions. The protection and control engineers need to consider the reliability of a fault clearing system that also includes merging units and Ethernet switches. We need to think about the reliability of the different possible communications architectures and the impact of their failure on the performance of the system.


Moreover, this is not all we have to consider. Time synchronization within the substation and between substations also plays an important role that needs to be evaluated. We must decide if we need redundant clocks and what they should be. We need to think about what happens if the GPS system fails due to a sun storm or any other reason. Nevertheless, this is what makes our lives so interesting. This is why we always need to think, we need to learn, we need to innovate - all to avoid the sleepless nights. Of course, when the fault occurs and everything works as we designed it to work, we experience the feeling of satisfaction that money cannot buy.


“Simplicity is prerequisite for reliability.”


Edsger Dijkstra (1930 – 2002)




BeijingSifang June 2016