SUMMARY
A major concern in the application of multifunction digital relays for the protection of generators is that almost
all the electrical protection, including both primary and the backup relay functions, are embodied in one digital
package. The failure of that package results in the loss of virtually all generator electrical protection. This paper
discusses how multifunction relays can be designed and manufactured to minimize such failures. It describes the
role of self-diagnostics in determining the health of the relay. Most importantly, it proposes cost-effective application strategies which can be employed to survive an in-service multifunction relay failure without loss of
generator protection.
Keywords: multifunction relay, self-diagnostics, mean-time-between-failures (MTBF), redundant protection
systems.
INTRODUCTION
As all relay engineers are aware, protective relay technology over the past twenty-five years or more has
evolved from single-function electromechanical relays to static relays and finally to digital relays. The first
digital relays were single-function units. However, as microprocessors became more powerful, designers soon
saw the economic advantage of designing multifunction relays. In these relays, virtually all protective functions
for a specific protective zone are incorporated into a single hardware platform. Figure 1 illustrates the number of
protective functions which can be installed on a single hardware platform for generator protection. A failure of
the hardware platform will typically disable all protective functions within a protective zone. Therefore an important issue in the application of multifunction digital relaying is how to handle having all the eggs in one basket.
The installation of both independent primary and backup protection is one of the most fundamental concepts of
protective relaying.
Utility System
52
Unit
IN
50
BF-N
52
Gen
Single
Hardware
Platform
81
27
59
24
27
50
BF
50
87
3
60FL
40
21
32
46
27
27
27TN
59N
M-3430
High-Impedance
Grounding
Figure 1
Protective Functions
Single
Hardware
Platform
In recent years, some manufacturers have argued that with self-diagnostics (the ability of the relay to check
itself), a relay failure would be immediately known and the protected piece of equipment could be removed from
service until the relay was replaced or repaired. Most users have found this philosophy unacceptable. This is
especially true in relation to generator protection. Even with a mean-time-between-failure rate of 70 years or
more (based on in-service operating experience with digital relays), the consequences of removing a major generator from service due to a single relay failure are unacceptable to most users. The loss of a major generator
immediately increases the cost of generation for a utility for the time the machine is out of service. The utility
compensates for this lost generation by either running less efficient generation in-house or purchasing more
expensive power off-system. Even the loss of a moderately-sized (200 MW) generator can cost a utility and its
customers $100,000 per day in added fuel or purchased power costs. In addition to the economic consequences,
many relay engineers fear the failure of a digital relay could occur concurrently with a protection event when the
relay is necessary to protect the generator.
This paper explores these reliability issues from the viewpoint of both a manufacturer as well as a user. It
discusses one manufacturers experience with in-service failures, as well as the design, manufacturing and testing
to reduce or eliminate such failures. The role that self-diagnostics can play in the development of application
strategies to survive a single relay failure is also presented.
va
2-Line by 24-Character
Liquid Crystal Display
vb
128K byte
RAM
Analog Multiplexer
vc
32K X 16
RAM
vn
Programmable
Gain Amplifier
ia
14-bit
Analog-to-Digital
Converter
(ADC)
Digital Signal
Processor
(DSP)
TMS 320C52
2K byte
Dual-Ported
RAM
Host Processor
10 MHz Zilog 64181
MUX
512 byte
EEPROM
Address/Data Bus
8K byte RAM,
Clock with
battery
backup
MMI
Module
(Optional)
Target
Module
(Optional)
IRIG-B
Time Code
input
Relay
Outputs
Contact
Inputs
Power Supply
iA
Power Supply
iB
(Optional)
iC
i
Figure 2
Block Diagram
Possible hardware design problems can be identified by performing a worst-case analysis during the design
stage. Such problems, which include voltage and current stresses, extreme temperatures, power dissipation and
timing requirements, can then be corrected. This can greatly reduce hardware failures in the field. Failures can
also be reduced by using extended-temperature components, conservatively derating the components to lower
stress levels, and utilizing components from established and reliable vendors.
Providing backup for critical components can also enhance the reliability of the relay. The digital multifunction relay described above uses redundant power supplies. Both power supplies are continuously running in a hot
standby configuration and should one supply fail, the other will continue to provide required uninterrupted power
to the relay. The relay also sends an alarm indication about the power supply failure to alert maintenance personnel.
The analog signal inputs (voltage and current), contact status inputs, contact outputs, power inputs, and communication circuits must be conditioned and protected to withstand the harsh electrical and environmental conditions of the substation and power plant.
The design of relay input, output and power supply circuits must incorporate filtering to reduce EMI (electromagnetic interference). The primary method of reducing unwanted induced ac voltage is to bypass these voltages
to ground with capacitors. Other components, such as varistors, chokes and ferrite beads, are also applied to
suppress surge voltages and EMI.
Software Reliability
The reliability of software in the digital relay is critical to the overall reliability of the product. The majority of
the software problems in digital relays can be attributed to design and implementation errors. More than half of
all the errors occur long before the first line of code is written, i.e., during requirements analysis and top-level
design. Most of these errors are caused by poorly-defined requirements but very few errors are detected when
they occur.
A majority of the remaining errors occur during the detailed design phase of the development, mainly due to
poor translation of the users requirements into the programs and data. These problems can be minimized by
carefully planning and designing before coding starts, resulting in a more reliable product. A software quality
assurance plan must be carried out throughout the product development program. Test plans, documentation,
detailed software validation and audit programs can greatly reduce software errors. Product failures that are not
detected early in the design stage can be very costly to fix when they happen in the field.
Software verification and testing of multifunction relays offer unique challenges to relay manufacturers. Testing should be divided into several categories and should be conducted at various design phases. The following are
some of the key tests conducted on digital multifunction relays for generator protection.
1. Relay algorithm simulation testing
2. Static functional testing
3. Dynamic functional testing
4. Environmental and hardware-related tests
5. Beta-site installation and testing
SELF-DIAGNOSTICS
Self-diagnostics is one of the most important features of digital relays; it was not available in either electromechanical or static relay designs. The ability to detect and correct a failure before the protection system has to
operate contrasts to traditional protection systems where a relay failure remains undetected until it fails to operate
correctly during an event or until the next maintenance test. The quality of electronic components available today
is excellent; however, failure of these components can still occur. Digital relays can be designed to detect most of
these failures. The following are some of the most important self-diagnostic functions implemented on digital
multifunction relays.
1. Data acquisition system testing
Power supply voltages and ground are connected to the analog input channels of the multiplexer and checked
against warning and failure thresholds. This also verifies the analog data acquisition system including: multiplexer, programmable gain amplifier, and ADC. The ADCs conversion time is also checked to see if it is within
the specification.
2. Memory testing
The flash ROM contents are checked by calculating the checksum and comparing it to the pre-computed and
stored checksum. The checksum is calculated as the modulo-256 sum of all the bytes. The RAM is tested by
writing and reading a test pattern.
3. Setpoint testing
Setpoints are stored in the serial EEPROM and a copy of these setpoints is also stored in the RAM for
executing relay logic. Whenever any setpoint is changed, the checksum of the setpoints is calculated from the
contents of the EEPROM. This checksum is then compared with the calculated checksum of the setpoints stored
in the RAM every time a setpoint task is executed.
4. Watchdog timer
The relay hardware design includes a watchdog timer reset circuit to take the processor through an orderly
reset should the program get lost due to hardware/software glitches.
LEVEL OF REDUNDANCY
Given the performance level of digital generator protection, what is the appropriate level of redundancy? On
larger generators protected by digital relays, the use of fully redundant systems is justified. Such a scheme is
shown in Figure 3.
This system has been adopted by a number of users, including two major manufacturers of large (100 to 150
MW) gas turbines. This level of redundancy is sufficient to allow the generator to remain in service if one relay
should fail. If a major generator is forced off-line due to a relay failure, the utility/generator owner will have to
either generate from less efficient machines or buy more expensive power off-system. Either action will result in
higher production costs of over $100,000 a day for the loss of a moderately-sized utility generator. Given these
costs, the addition of a second relay is certainly prudent even with MTBF rates that are 74 years or better. The
simultaneous failure of both relays is extremely rare. Even with two digital relays, the installation cost is generally less than half the cost of discrete static or electromechanical protection costs, due to panel space and wiring
cost savings. A typical panel comparison is shown in Figure 4.
Utility System
52
Unit
IN
BF-N
50
51N
M-3430
M-3420
52
Gen
AVR 1
24
81
27
59
24
81
27
AVR 2
27
50
BF
27
59
50
BF
50
87
50
87
3
46
50
32
51V
40
3
60FL
40
21
32
46
27
27
M-3420
27
27TN
59N
59N
M-3420
M-3430
High-Impedance
Grounding
Figure 3
60FL
Negative
Sequence
Relay Functions
Breaker
Failure/Flashover
Relay Functions
Third Harmonic
Neutral Undervoltage
Relay Function
40
40
ELEMENT
#1
ELEMENT
#2
21
21
21
AB
BC
CA
60FL
24
46
50BF
50N
3
27
TN
Loss of Field
Relay Functions
Phase Distance
Relay Functions
VT
Fuse-Loss
Detection
27/59
87
GD
Ground
Differential
Relay Function
Inadvertent
Generator
Relay Function
Over/Under
Frequency
Relay Functions
59
59I
59
59
81
O/U
32
59
N
Phase Voltage
Relay Functions
RMS Overvoltage
Neutral
Relay Function
Directional Power
Relay Function
Figure 4
The design of the self-diagnostics in the multifunction relay is such that if a failure is detected, the relay will
automatically take itself out of service and close its alarm output contact. The self-diagnostics is designed to
remove the relay from service without tripping the generator. To date, this design has been 100% successful with
no in-service failures resulting in the tripping of a generator. Also, all in-service failures were successfully
detected by the self-diagnostics.
Is dual protection necessary on all sizes of generators? The answer is clearly no. If a relay fails, the generator must be removed from service, by either manual or automatic tripping methods. If the cost of taking a
generator off-line for a few days to replace a relay is not significant, then a single relay is adequate. The generator owner must balance the cost of an additional relay against the probability of a relay failure over the life of the
installation. With a MTBF rate of 74 years or better, smaller generators can be protected with a single relay. Dual
protection is justified when the cost to the generator owner for the loss of the generator is significant.
Some people have suggested that important generators be protected using two-out-of-three logic. This type of
logic has been used at nuclear plants for some types of protection such as second-level voltage separation. It has
not been used to protect generators, even at nuclear plants. Figure 5 illustrates this logic.
The use of the third relay adds security against false tripping by requiring a second independent relay to
confirm that tripping is required. Thus, if a relay fails and gives a erroneous trip signal, no tripping will take
place because a second relay output is required. In our view, two-out-of-three logic is an unnecessary complication because of the self-diagnostics designed to remove the relay from service without tripping the generator.
With Beckwith Electrics first generation of digital relays, field experience to date has been 100% successful with
no in-service failures resulting in generator tripping.
(+)
CT
CT
CT
Relay
1
Relay
2
Relay
3
VT
Relay 1
Relay 2
Relay 3
Relay 2
Relay 3
Relay 1
86G Generator
Lockout Relay
(-)
Figure 5
Two-Out-Of-Three Logic
120.0
120.0
0.0
5.000
5.000
5.000
5.000
5.000
5.000
1.0000
24.00
120.0
0.00
0.0000
24.00
Figure 6
120.0
0.010
0.0
3.00
5.000
0.000
0.000
0.00
0.00
0.00
1.00 LAG
0.00
0.0
60.00
24.00
0.00
100.0
24.00
0.00
The user should also periodically activate the digital relay trip output contacts to verify that they are working
and are wired to perform the desired external tripping and alarming. A convenient means should be provided to
sequentially activate each of the output relays to facilitate this type of trip testing. Both types of input and output
functional tests described above should be done on a periodic basis. The need to do costly and time-consuming
current and voltage injection testing has been significantly reduced by self-diagnostics. Many utilities have extended the period for this type of testing from two or three years to ten years or longer. This is a significant
maintenance cost savings provided by digital technology.
CONCLUSIONS
This paper describes how the design and manufacturing methods are used to reduce in-service failures of
digital multifunction generator relays by a major manufacturer. It presents the resulting failure statistics based on
over 13 million hours of in-service experience. Even with high reliability levels, the use of redundant protection
is recommended for major generators where digital multifunction relaying is the sole source of protection. To
determine the generator size at which a second redundant relay is justified, measure the cost of the generator loss
for the time it takes to install and commission a new relay.
The user must balance the costs of an additional relay against the probability of a relay failure over the life of
the installation. Two-out-of-three logic is an unnecessary complication because self-diagnostics is designed to
remove the failed relay from service without tripping. Field experience to date has been 100% successful with no
in-service failures resulting in generator tripping. The maintenance impact of self-diagnostics results in a major
savings allowing the user to substantially extend the current- and voltage-injection testing period. Functional
testing of the relay inputs and outputs, however, is recommended on a more frequent basis.
REFERENCES
[1]
[2]
[3]
A Digital Multifunction Relay for Intertie and Generator Protection, Murty V.V.S. Yalla and Donald L.
Hornak, Canadian Electrical Association, March 1992.
A Digital Multifunction Protective Relay, Murty V.V.S. Yalla, IEEE Transactions on Power Delivery,
Vol. 7 No. 1, January 1992, pp. 193-201.
Upgrading Generator Protection Using Digital Technology, Charles J. Mozina, Canadian Electrical Association, March 1995.
BIOGRAPHIES
Chuck Mozina is currently Manager of Application Engineering for Protection and Protection Systems for
Beckwith Electric Co. He is responsible for the application of Beckwith products and systems used in generator
protection and intertie protection, synchronizing and bus transfer schemes.
Chuck is an active member of the IEEE Power System Relay Committee and is the past chairman of the
Rotating Machinery Subcommittee. He is the U.S. representative to the CIGRE Study Committee 34 on System
Protection and chairs a CIGRE working group on generator protection. He also chaired the IEEE task force which
produced the tutorial The Protection of Synchronous Generators.
Chuck has a bachelor of science in electrical engineering from Purdue University and has authored a number
of papers and magazine articles on protective relaying. He has over 25 years of experience as a protection
engineer at Centerior Energy, a major investor-owned utility in Cleveland, Ohio. He is also a former instructor in
the Graduate School of Electrical Engineering at Cleveland State University.
Dr. Murty V. V. S. Yalla is currently Vice-President of Research and Development Engineering for Beckwith
Electric Co. where he is responsible for the development of new products in the areas of digital control and
protection of power apparatus, and the design enhancement and engineering support of current products. He had
previously served as Beckwith Electrics director of research and development, staff engineer and senior engineer.
Dr. Yalla is a senior member of IEEE and is active in the Power System Relaying Committee. He has published several research papers on digital protection in various international journals and is the co-author of three
patents. Dr. Yallas degrees, all in electrical engineering, include: a bachelor of science degree from Jawaharlal
Nehru Technological University, Kakinada, India; a master of science degree from the Indian Institute of Technology, Kanpur, India; and a doctorate from the University of New Brunswick, Canada.
Prior to joining Beckwith Electric in 1989, Dr. Yalla taught and conducted research in the digital protection of
power apparatus at Memorial University of Newfoundland, Canada.