
Canadian Electrical Association

Engineering and Operating Division


Power System Planning and Operating Section
April 1996
Montréal, Canada

Fundamental Reliability Considerations in the Design, Manufacturing and Application of
Multifunction Digital Relays for Generator Protection
by
Charles J. Mozina and Dr. Murty V.V.S. Yalla
Beckwith Electric Co., Inc.
6190-118th Avenue North
Largo, FL 34643-3724 USA

SUMMARY
A major concern in the application of multifunction digital relays for the protection of generators is that almost
all the electrical protection, including both the primary and the backup relay functions, is embodied in one digital
package. The failure of that package results in the loss of virtually all generator electrical protection. This paper
discusses how multifunction relays can be designed and manufactured to minimize such failures. It describes the
role of self-diagnostics in determining the health of the relay. Most importantly, it proposes cost-effective application strategies which can be employed to survive an in-service multifunction relay failure without loss of
generator protection.
Keywords: multifunction relay, self-diagnostics, mean-time-between-failures (MTBF), redundant protection
systems.

INTRODUCTION
As all relay engineers are aware, protective relay technology over the past twenty-five years or more has
evolved from single-function electromechanical relays to static relays and finally to digital relays. The first
digital relays were single-function units. However, as microprocessors became more powerful, designers soon
saw the economic advantage of designing multifunction relays. In these relays, virtually all protective functions
for a specific protective zone are incorporated into a single hardware platform. Figure 1 illustrates the number of
protective functions which can be installed on a single hardware platform for generator protection. A failure of
the hardware platform will typically disable all protective functions within a protective zone. Therefore an important issue in the application of multifunction digital relaying is how to handle having all the eggs in one basket.
The installation of both independent primary and backup protection is one of the most fundamental concepts of
protective relaying.

Figure 1: Protective Functions, Single Hardware Platform (one-line diagram of an M-3430 relay on a high-impedance grounded generator; functions shown include 21, 24, 27, 27TN, 32, 40, 46, 50, 50BF, 59, 59N, 60FL, 81 and 87)


In recent years, some manufacturers have argued that with self-diagnostics (the ability of the relay to check
itself), a relay failure would be immediately known and the protected piece of equipment could be removed from
service until the relay was replaced or repaired. Most users have found this philosophy unacceptable. This is
especially true in relation to generator protection. Even with a mean-time-between-failure rate of 70 years or
more (based on in-service operating experience with digital relays), the consequences of removing a major generator from service due to a single relay failure are unacceptable to most users. The loss of a major generator
immediately increases the cost of generation for a utility for the time the machine is out of service. The utility
compensates for this lost generation by either running less efficient generation in-house or purchasing more
expensive power off-system. Even the loss of a moderately-sized (200 MW) generator can cost a utility and its
customers $100,000 per day in added fuel or purchased power costs. In addition to the economic consequences,
many relay engineers fear the failure of a digital relay could occur concurrently with a protection event when the
relay is necessary to protect the generator.
This paper explores these reliability issues from the viewpoint of both a manufacturer as well as a user. It
discusses one manufacturer's experience with in-service failures, as well as the design, manufacturing and testing
to reduce or eliminate such failures. The role that self-diagnostics can play in the development of application
strategies to survive a single relay failure is also presented.

DESIGN CONSIDERATIONS TO MINIMIZE FAILURES


In the 1960s, solid-state electronic protective relays using discrete components were developed. These relays
used many discrete components and associated interconnections and therefore were not as reliable as equivalent
electromechanical relays. Continued developments in the semiconductor industry led to the introduction of integrated circuits which combined complex electronic circuits into single chips. This use of integrated circuits
reduced the number of components and enhanced the reliability of the solid-state protective relays.
In the 1980s, the advent of microprocessors and high-speed digital signal processors brought a new generation of relay designs. These digital relay designs contained less hardware but required considerable software
development. Using self-diagnostics, these relays can detect most relay failures and alert maintenance personnel
using alarm indication.
Hardware Reliability
The block diagram in Figure 2 shows the hardware architecture of a digital multifunction relay used for
generator protection. The voltage inputs of the relay are scaled down from the nominal 120/69 V to a low level
determined by the ADC (analog-to-digital converter) input range. The current inputs to the relay are scaled down
from nominal 5/1 A and are converted to equivalent voltages. These scaled signals are filtered using a low-pass
filter to prevent aliasing of the high-frequency components into the fundamental frequency component. The
filtered signals are multiplexed using an analog multiplexer and amplified, if needed, using a programmable gain
amplifier. The multiplexed analog signal is sampled and converted to digital data using the ADC. The relay uses
a dual-processor architecture wherein the digital signal processor executes complex algorithm calculations and
the host processor performs all other tasks. Communication between the two processors is provided by the dual-ported memory. Flash memory is used for storing the program and RAM (random-access memory) is used for
temporary storage of variables, target information and oscillography. Contact inputs and outputs, user interface
(keyboard and liquid crystal display) and the serial communication ports (RS-232 and RS-485) are interfaced to
the host processor.
The digital signal processor executes a variety of signal-processing algorithms to estimate several parameters
of the digitized voltage and current signals and transfers them to dual-ported memory. The host processor receives these parameters from the dual-ported memory and performs relay logic and other timing functions to
generate appropriate trip or alarm output signals. The host processor, running under a multitasking operating
system, also performs several other tasks including: communications, setpoint updates, target updates, and user
interface.

Figure 2: Block Diagram (blocks shown: VTs & CTs; anti-aliasing low-pass filters (LPF); analog multiplexer (MUX); programmable gain amplifier; 14-bit analog-to-digital converter (ADC); digital signal processor (DSP), TMS 320C52; 2K byte dual-ported RAM; host processor, 10 MHz Zilog 64181; 256K byte flash-programmable ROM; 512 byte EEPROM; RAM; clock with battery backup; 2-line by 24-character liquid crystal display; optional MMI and target modules; RS232 and RS485 communication ports; IRIG-B time code input; relay outputs; contact inputs; power supply and optional second power supply)


Possible hardware design problems can be identified by performing a worst-case analysis during the design
stage. Such problems, which include voltage and current stresses, extreme temperatures, power dissipation and
timing requirements, can then be corrected. This can greatly reduce hardware failures in the field. Failures can
also be reduced by using extended-temperature components, conservatively derating the components to lower
stress levels, and utilizing components from established and reliable vendors.
Providing backup for critical components can also enhance the reliability of the relay. The digital multifunction relay described above uses redundant power supplies. Both power supplies are continuously running in a hot
standby configuration and should one supply fail, the other will continue to provide required uninterrupted power
to the relay. The relay also sends an alarm indication about the power supply failure to alert maintenance personnel.
The analog signal inputs (voltage and current), contact status inputs, contact outputs, power inputs, and communication circuits must be conditioned and protected to withstand the harsh electrical and environmental conditions of the substation and power plant.
The design of relay input, output and power supply circuits must incorporate filtering to reduce EMI (electromagnetic interference). The primary method of reducing unwanted induced ac voltage is to bypass these voltages
to ground with capacitors. Other components, such as varistors, chokes and ferrite beads, are also applied to
suppress surge voltages and EMI.

Software Reliability
The reliability of software in the digital relay is critical to the overall reliability of the product. The majority of
the software problems in digital relays can be attributed to design and implementation errors. More than half of
all the errors occur long before the first line of code is written, i.e., during requirements analysis and top-level
design. Most of these errors are caused by poorly-defined requirements but very few errors are detected when
they occur.
A majority of the remaining errors occur during the detailed design phase of the development, mainly due to
poor translation of the user's requirements into the programs and data. These problems can be minimized by
carefully planning and designing before coding starts, resulting in a more reliable product. A software quality
assurance plan must be carried out throughout the product development program. Test plans, documentation,
detailed software validation and audit programs can greatly reduce software errors. Product failures that are not
detected early in the design stage can be very costly to fix when they happen in the field.
Software verification and testing of multifunction relays offer unique challenges to relay manufacturers. Testing should be divided into several categories and should be conducted at various design phases. The following are
some of the key tests conducted on digital multifunction relays for generator protection.
1. Relay algorithm simulation testing
2. Static functional testing
3. Dynamic functional testing
4. Environmental and hardware-related tests
5. Beta-site installation and testing

SELF-DIAGNOSTICS
Self-diagnostics is one of the most important features of digital relays; it was not available in either electromechanical or static relay designs. The ability to detect and correct a failure before the protection system has to
operate contrasts with traditional protection systems, where a relay failure remains undetected until it fails to operate
correctly during an event or until the next maintenance test. The quality of electronic components available today
is excellent; however, failure of these components can still occur. Digital relays can be designed to detect most of
these failures. The following are some of the most important self-diagnostic functions implemented on digital
multifunction relays.
1. Data acquisition system testing
Power supply voltages and ground are connected to the analog input channels of the multiplexer and checked
against warning and failure thresholds. This also verifies the analog data acquisition system including: multiplexer, programmable gain amplifier, and ADC. The ADC's conversion time is also checked to see if it is within
the specification.
2. Memory testing
The flash ROM contents are checked by calculating the checksum and comparing it to the pre-computed and
stored checksum. The checksum is calculated as the modulo-256 sum of all the bytes. The RAM is tested by
writing and reading a test pattern.
3. Setpoint testing
Setpoints are stored in the serial EEPROM and a copy of these setpoints is also stored in the RAM for
executing relay logic. Whenever any setpoint is changed, the checksum of the setpoints is calculated from the
contents of the EEPROM. This checksum is then compared with the calculated checksum of the setpoints stored
in the RAM every time a setpoint task is executed.
4. Watchdog timer
The relay hardware design includes a watchdog timer reset circuit to take the processor through an orderly
reset should the program get lost due to hardware/software glitches.
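
The memory and setpoint checks of items 2 and 3, combined with the fail-safe response described later in this paper (relay removed from service, alarm contact closed, no trip), are sketched below in C as an added example; it is not Beckwith Electric's firmware. The function names, the 0x55/0xAA RAM patterns, the use of the modulo-256 sum for the setpoints, and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { DIAG_OK = 0, DIAG_FLASH = 1, DIAG_RAM = 2, DIAG_SETPOINT = 4 };

struct relay_state {
    int in_service;    /* protection functions enabled */
    int alarm_contact; /* self-test alarm output closed */
    int trip_contact;  /* generator trip output; diagnostics never drive it */
};

/* Modulo-256 sum of all bytes, the checksum the paper describes. */
uint8_t checksum_mod256(const uint8_t *p, size_t n) {
    uint8_t sum = 0;
    while (n--) sum = (uint8_t)(sum + *p++);
    return sum;
}

/* RAM test: write and read back patterns (0x55/0xAA are assumed values),
   restoring each cell so the test is non-destructive. */
int ram_pattern_ok(volatile uint8_t *ram, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint8_t saved = ram[i];
        ram[i] = 0x55;
        int ok = (ram[i] == 0x55);
        ram[i] = 0xAA;
        ok = ok && (ram[i] == 0xAA);
        ram[i] = saved;
        if (!ok) return 0;
    }
    return 1;
}

/* One diagnostic pass. On any fault the relay removes itself from service
   and closes the alarm contact; the trip contact is left untouched. */
unsigned self_test(const uint8_t *flash, size_t flash_n, uint8_t flash_sum,
                   const uint8_t *ram_setpoints, size_t sp_n, uint8_t eeprom_sum,
                   uint8_t *ram, size_t ram_n, struct relay_state *st) {
    unsigned faults = DIAG_OK;
    if (checksum_mod256(flash, flash_n) != flash_sum) faults |= DIAG_FLASH;
    if (!ram_pattern_ok(ram, ram_n)) faults |= DIAG_RAM;
    if (checksum_mod256(ram_setpoints, sp_n) != eeprom_sum) faults |= DIAG_SETPOINT;
    if (faults) { st->in_service = 0; st->alarm_contact = 1; }
    return faults;
}

struct relay_state g_state; /* state left by the last demo_run() call */

/* Constructed sample images (not real firmware or settings). */
unsigned demo_run(int flip_flash_bit, int flip_setpoint_bit, int swap_setpoints) {
    uint8_t flash[8] = {0x3E, 0x01, 0xC3, 0x00, 0x10, 0x76, 0xFF, 0x00};
    uint8_t eeprom[6] = {120, 69, 5, 1, 60, 24};
    uint8_t ram_copy[6], scratch[16] = {0};
    uint8_t flash_sum = checksum_mod256(flash, sizeof flash);    /* stored at build time */
    uint8_t eeprom_sum = checksum_mod256(eeprom, sizeof eeprom); /* taken at setpoint change */
    memcpy(ram_copy, eeprom, sizeof ram_copy);

    if (flip_flash_bit) flash[2] ^= 0x04;       /* simulated single-bit memory fault */
    if (flip_setpoint_bit) ram_copy[4] ^= 0x01; /* simulated fault in the RAM copy */
    if (swap_setpoints) {                       /* two bytes exchanged: the sum is unchanged */
        uint8_t t = ram_copy[0];
        ram_copy[0] = ram_copy[1];
        ram_copy[1] = t;
    }
    g_state = (struct relay_state){1, 0, 0};
    return self_test(flash, sizeof flash, flash_sum, ram_copy, sizeof ram_copy,
                     eeprom_sum, scratch, sizeof scratch, &g_state);
}

int main(void) { return demo_run(0, 0, 0) == DIAG_OK ? 0 : 1; }
```

The third argument of `demo_run()` exchanges two setpoint bytes, which an additive modulo-256 sum does not register because the total is unchanged; the single-bit flips are reported as faults.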

MANUFACTURING METHODS TO MINIMIZE FAILURES


Major efforts are made at every step of manufacturing to eliminate failures. At the component level, attempts
are made to weed out faulty components. Some components are 100% tested, while others are sample-tested.
The decision as to which type of testing to do is based on experience with the failures of that particular component. Beckwith Electric selects and uses components that are industrial-grade or better. Component selection and
approval comes after extensive testing by the Quality Assurance Department.
Once components are tested, the circuit boards are built. These are then tested to determine if there are any
component failures, poor solder connections, improperly installed components or open connections. Once this
test is passed, the relay is assembled and again tested. Each relay is heat-cycled for 100 hours. It is programmed
with factory settings and comprehensively tested with currents and voltages using a computer-driven, three-phase
test set. Each relay is also subjected to industry surge tests such as the SWC and Fast Transient Tests outlined in
ANSI/IEEE C37.90. To minimize the chances of static discharge failure due to handling of the components and
circuit boards, the floor of the plant has been covered with an anti-static coating in addition to using grounded
handstraps as a standard part of the manufacturing process.
Beckwith Electric has been building multifunction digital generator relays since 1989 and has over 1000 units
of our first generation of digital relays in-service around the world. Failure statistics are carefully kept to attempt
to determine if there is any pattern or specific components that fail. To date, we have had a total of 20 in-service
failures in over 13.6 million operating hours; our mean-time-between-failures (MTBF) rate is slightly over 74
years. We have not detected any pattern to these failures. All failures have been detected by self-diagnostics
operating as designed (the relay being automatically removed from service without tripping the generator). Each
year, as we put more relays in-service, our MTBF rate also increases.
Another way to look at these statistics is that if you have ten relays in-service for twenty years, you could
expect roughly one failure. This holds true, however, only if past performance is reflective of future performance.
Is there an aging factor? Does the number of years that the relay has been in service decrease the performance of
the relay? Most industry experts say no, but this has not been proven. Based on the performance to date, one can
say that this technology has an excellent reliability record.

LEVEL OF REDUNDANCY
Given the performance level of digital generator protection, what is the appropriate level of redundancy? On
larger generators protected by digital relays, the use of fully redundant systems is justified. Such a scheme is
shown in Figure 3.
This system has been adopted by a number of users, including two major manufacturers of large (100 to 150
MW) gas turbines. This level of redundancy is sufficient to allow the generator to remain in service if one relay
should fail. If a major generator is forced off-line due to a relay failure, the utility/generator owner will have to
either generate from less efficient machines or buy more expensive power off-system. Either action will result in
higher production costs of over $100,000 a day for the loss of a moderately-sized utility generator. Given these
costs, the addition of a second relay is certainly prudent even with MTBF rates that are 74 years or better. The
simultaneous failure of both relays is extremely rare. Even with two digital relays, the installation cost is generally less than half the cost of discrete static or electromechanical protection costs, due to panel space and wiring
cost savings. A typical panel comparison is shown in Figure 4.

Figure 3: Dual-Relay Protection Approach for Major Generators (M-3420 and M-3430 relays)


Figure 4: Panel Space Savings


The design of the self-diagnostics in the multifunction relay is such that if a failure is detected, the relay will
automatically take itself out of service and close its alarm output contact. The self-diagnostics is designed to
remove the relay from service without tripping the generator. To date, this design has been 100% successful with
no in-service failures resulting in the tripping of a generator. Also, all in-service failures were successfully
detected by the self-diagnostics.
Is dual protection necessary on all sizes of generators? The answer is clearly no. If a relay fails, the generator must be removed from service, by either manual or automatic tripping methods. If the cost of taking a
generator off-line for a few days to replace a relay is not significant, then a single relay is adequate. The generator owner must balance the cost of an additional relay against the probability of a relay failure over the life of the
installation. With a MTBF rate of 74 years or better, smaller generators can be protected with a single relay. Dual
protection is justified when the cost to the generator owner for the loss of the generator is significant.
Some people have suggested that important generators be protected using two-out-of-three logic. This type of
logic has been used at nuclear plants for some types of protection such as second-level voltage separation. It has
not been used to protect generators, even at nuclear plants. Figure 5 illustrates this logic.
The use of the third relay adds security against false tripping by requiring a second independent relay to
confirm that tripping is required. Thus, if a relay fails and gives an erroneous trip signal, no tripping will take
place because a second relay output is required. In our view, two-out-of-three logic is an unnecessary complication because of the self-diagnostics designed to remove the relay from service without tripping the generator.
With Beckwith Electric's first generation of digital relays, field experience to date has been 100% successful with
no in-service failures resulting in generator tripping.

Figure 5: Two-Out-Of-Three Logic


IMPACT OF SELF-DIAGNOSTICS ON PERIODIC MAINTENANCE


One of the major benefits of relay self-diagnostics is its impact on periodic maintenance. With conventional
electromechanical and solid-state electronic relays, the user has to verify that the relay is operating properly by
periodically injecting currents and voltages. Most utilities do this every two to three years. Another source of
frequent failure is the external wiring connections between primary relays to provide the logic required for
tripping. Generator protective relays are frequently supervised by VT potential failure (60) logic, generator circuit breaker position and generator terminal voltage. This logic frequently requires the use of numerous auxiliary
relays, which reduces the overall system reliability. In today's modern multifunctional digital relay, this type of
logic is programmed into the relay. Once programmed, it is checked by the same self-diagnostics as is the
primary relay logic itself.
What type of periodic maintenance is meaningful for digital relays? We believe the user should periodically
check the inputs to the relay. Extensive input metering information can be accessed either via computer or locally
by the man-machine interface. This information indicates the relay is receiving proper input data. An example of
such a metering computer screen is shown in Figure 6.

Figure 6: Computer Metering Screen


The user should also periodically activate the digital relay trip output contacts to verify that they are working
and are wired to perform the desired external tripping and alarming. A convenient means should be provided to
sequentially activate each of the output relays to facilitate this type of trip testing. Both types of input and output
functional tests described above should be done on a periodic basis. The need to do costly and time-consuming
current and voltage injection testing has been significantly reduced by self-diagnostics. Many utilities have extended the period for this type of testing from two or three years to ten years or longer. This is a significant
maintenance cost savings provided by digital technology.

CONCLUSIONS
This paper describes how the design and manufacturing methods are used to reduce in-service failures of
digital multifunction generator relays by a major manufacturer. It presents the resulting failure statistics based on
over 13 million hours of in-service experience. Even with high reliability levels, the use of redundant protection
is recommended for major generators where digital multifunction relaying is the sole source of protection. To
determine the generator size at which a second redundant relay is justified, measure the cost of the generator loss
for the time it takes to install and commission a new relay.
The user must balance the costs of an additional relay against the probability of a relay failure over the life of
the installation. Two-out-of-three logic is an unnecessary complication because self-diagnostics is designed to
remove the failed relay from service without tripping. Field experience to date has been 100% successful with no
in-service failures resulting in generator tripping. The maintenance impact of self-diagnostics results in a major
savings allowing the user to substantially extend the current- and voltage-injection testing period. Functional
testing of the relay inputs and outputs, however, is recommended on a more frequent basis.


BIOGRAPHIES
Chuck Mozina is currently Manager of Application Engineering for Protection and Protection Systems for
Beckwith Electric Co. He is responsible for the application of Beckwith products and systems used in generator
protection and intertie protection, synchronizing and bus transfer schemes.
Chuck is an active member of the IEEE Power System Relay Committee and is the past chairman of the
Rotating Machinery Subcommittee. He is the U.S. representative to the CIGRE Study Committee 34 on System
Protection and chairs a CIGRE working group on generator protection. He also chaired the IEEE task force which
produced the tutorial "The Protection of Synchronous Generators."
Chuck has a bachelor of science in electrical engineering from Purdue University and has authored a number
of papers and magazine articles on protective relaying. He has over 25 years of experience as a protection
engineer at Centerior Energy, a major investor-owned utility in Cleveland, Ohio. He is also a former instructor in
the Graduate School of Electrical Engineering at Cleveland State University.
Dr. Murty V. V. S. Yalla is currently Vice-President of Research and Development Engineering for Beckwith
Electric Co. where he is responsible for the development of new products in the areas of digital control and
protection of power apparatus, and the design enhancement and engineering support of current products. He had
previously served as Beckwith Electric's director of research and development, staff engineer and senior engineer.
Dr. Yalla is a senior member of IEEE and is active in the Power System Relaying Committee. He has published several research papers on digital protection in various international journals and is the co-author of three
patents. Dr. Yalla's degrees, all in electrical engineering, include: a bachelor of science degree from Jawaharlal
Nehru Technological University, Kakinada, India; a master of science degree from the Indian Institute of Technology, Kanpur, India; and a doctorate from the University of New Brunswick, Canada.
Prior to joining Beckwith Electric in 1989, Dr. Yalla taught and conducted research in the digital protection of
power apparatus at Memorial University of Newfoundland, Canada.
