electrical installation dependability studies

n°184electricalinstallationdependabilitystudies

E/CT 184 first issued September 1997

Sylvie LOGIACO

An ISTG Engineer (InstituteScientifique et Technique deGrenoble) graduating in 1987, shewas initially involved in risk analysisin the chemicals industry ; atPechiney, then at Atochem.With Schneider since 1991, she ispart of the centre of excellence forDependability for which she hascarried out a large number ofdependability studies on electricaland monitoring and controlinstallations.

Cahier Technique Merlin Gerin n° 184 / p.2

glossary

Availability:Percentage of time for which thesystem functions correctly.

Dependability:Generic term which combines theindependent variables of reliability,availability, maintainability andsafety.

Hasard analysis:Based on the functional analysis, this isthe analysis of the failures that canoccur in a system (in practice it is asynonym for «dependability study»).

Feedback of experience:Operational reliability data collectedduring failure of equipment inoperation.

Maintainability:The aptitude of a system to be repairedquickly.

Reliability:The aptitude of a system to functioncorrectly for as long as possible.

Safety:The aptitude of a system to not putpeople in danger.


electrical installationdependability studies

contents

1. Introduction General p. 4Dependability studies p. 6

2. How a study is carried out The chronological order ofphases p. 9Expression and analysis ofthe requirements p. 9Functional analysis of a system p. 10Failure mode analysis p. 11Reliability data p. 11Modelling p. 12Dependability criteriaassessment calculations p. 14

3. Examples of studies Comparing two electricalnetwork configurations ina factory p. 15The interest of remotemonitoring and controlin an EHV substation p. 17

4. Dependability tools Dependability study packages p. 20Modelling tools p. 20

5. Conclusion p. 216. Bibliography p. 22

In both the industrial and tertiarysectors, the quality of power supply isof increasing importance. The quality ofthe electricity product, besidesimperfections such as variations involtage and harmonic distortion, isbasically characterised by theavailability of the electrical energy.Loss of power is always annoying, but itcan be particularly penalising forinformation systems (computing -monitoring and control); they can evenhave disastrous consequences forcertain processes and in certain casesendanger people's lives.

Dependability studies enable electricalavailability requirements to beincorporated in the choice of electricalnetwork to be installed. They alsoenable two different installationconfigurations to be compared ... themost expensive one is not alwaysbetter ...The aim of this «Cahier Technique» isshow how dependability studies areperformed: methodology and tools. Twoexamples of studies are given: that ofan electrical network in a factory andthat of the monitoring and controlsystem of a high voltage substation.These studies are becomingincreasingly easy to perform thanks tocomputing «tools».


1. introduction

generalThe voltage at the terminals of a currentconsumer can be affected byphenomena originating in the distributor'snetwork, the electrical installation of asubscriber connected to that network orthe electrical installation of the user whois suffering the disturbance.

Disturbances in the electricityproduct

c the main characteristics of thevoltage supplied by both the MV andLV public distribution network are thosedefined by European standardEN 50160. This details the tolerancesthat must be guaranteed for bothvoltage and frequency as well as thedisturbance levels that are usuallyencountered; e.g. harmonic distortion.The table in figure 1 details thestandard's recommended values.At any moment in time therefore, thequality of the energy supplied to thecurrent consumers in an installation canbe affected by various disturbances,either imposed by the external supplynetwork or self-generated within theinternal distribution network.The operations of current consumersthat are either independent or federatedin systems are affected by thesedisturbances.

c malfunctions and the type and cost ofthe damage incurred depend both onthe type of current consumers and onthe installation's criticality level. Thus, amomentary break in supply to a criticalcurrent consumer can have seriousconsequences on the installation'soperation without it being intrinsicallyaffected.

c in all cases, a study detailing theeffects of the suspected disturbancesmust be performed. Measures must betaken to limit their consequences.

c the table in figure 2 shows thedisturbances that can usually be foundin electrical networks, their causes andthe solutions that are possible toreduce their effects.

c the reduction of the effects ofharmonics, Flicker, voltage imbalances,

standard EN 50160 low voltage supply

frequency 50 Hz ± 1% for 95% of a week50 Hz + 4%, - 6% for 100% of a week

voltage amplitude for each one week period, 95% of the average effective valuesover 10 minutes must be within the range of Un ± 10%

rapid voltage from 5% to 10% of Unvariations (4 to 6% in medium voltage)

voltage drops c amplitude: between 10% and 99% of Un(indicative values) most voltage drops are <60% of Un

c duration: between 10 ms and 1 minute,most voltage drops < 1s

c number: several tens to 1 thousand per year

brief loss of power c amplitude: 100% of Un(indicative values) c duration: up to 3 minutes,

70% are less than 1sc number: several tens to several hundreds per year

long loss of power c amplitude: 100% of Un(indicative values) c duration: over 3 minutes,

c number: between 10 and 50 per year

fig. 1: network disturbances : values found in the standard.

frequency variations and overvoltages isachieved by installing equipment suitedto each case. The design and choice ofconnection points for such equipmentare decided by performing detailedstudies that are outside the scope of thisdocument (see bibliography).

Loss of power

For industrial processes and lowvoltage systems this is increasinglydifficult to tolerate since it generatesunacceptable costs.

c immunity to loss of power requiresdedicated equipment such asuninterruptible power supplies andindependent generator sets. Thisequipment is generally not enough toresolve all the problems. The networkconfiguration, automatic powerrestoring control devices, the level ofreliability of the equipment, theselectivity of protection devices as wellas the maintenance policy, all play animportant role in reducing andeliminating down time.Minimising loss of power requiresreliability / dependability studies to beperformed that take account of all thesefactors as well as the frequency and

duration of the loss of power that isacceptable to the installation.These studies enable the best suitedconfiguration and equipment to bedetermined for the operator'srequirements. They generally requirethe current consumers or systems to beclassed according to their sensitivitylevel as well as distinguishing between:v current consumers that acceptprolonged stoppage: 1 or more hours(non priority),v current consumers acceptingstoppages of several minutes long(priority),v current consumers which must havethe power restored to them afterseveral seconds (essential)v current consumers not accepting anybreak in supply (vital),As an example, figure 3 shows thesimplified diagram of a network in whichthis distinction has been performed:v vital current consumers not toleratingthe slightest break in supply, aresupplied power through anuninterruptible power supply.v power is restored to essential currentconsumers a few seconds after network

Cahier Technique Merlin Gerin n°184 /p.5

disturbance possible causes main effects possible solutions

frequency c supply network c variation in speed of motors c UPSvariations c grouped operation of c malfunctioning of electronic

independent generators equipment

rapid voltage c supply network c lighting flicker c increasing short circuit powervariations c arc furnace c variation in speed of motors c modifying the installation configuration

c welding machinec load surge

voltage drops c supply network c extinction of discharge lamps c UPSc high load c malfunctioning of regulators c increasing short circuit powerdemands c speed variation, stopping c modifying the installation configurationc external and of motorsinternal faults c switching of contactors

c disturbances in digital electronics systemsc malfunctioning of power electronics

brief and long c supply network c equipment stoppage c UPSloss of power c reclosing operations c installation stoppage c independent generators

c internal faults c loss of production c modifying the network configurationc source switching c switching of contactors c setting up of a maintenance policy

c various malfunctions

voltage c supply network c overheating of motors and alternators c increasing short circuit powerimbalances c many single phase c modifying the network configuration

loads c balancing of single phase loadsc rebalancing devices

overvoltages c lightening c breakdown of equipment c lightening arrestorsc switchgear operation c choice of insulation levelc insulation fault c control of the resistance of earthing electrodes

harmonics c supply network c overheating and damaging of equipment, c increasing short circuit powerc a lot of non linear mainly motors and capacitors c modifying the installation configurationcurrent consumers c malfunctioning of power electronics c filtering

fig. 2: disturbances in networks, causes, effects and solutions.

failure, as soon as the voltage andfrequency of the generator set havestabilised,v power is restored to priority currentconsumers once the essential currentconsumers have been started up,v power is not restored to non-prioritycurrent consumers, which accept a longbreak in power supply, until the externalnetwork is functioning again.By appropriate selection of theconfiguration and the automatic sourceswitching control devices (see. «CahierTechnique» n°161) we can optimise thepositioning and dimensioning of backup and replacement supplies in orderto meet operating constraints.It should be remembered that thechoice of neutral earthing arrangementis an important factor; it is clearlyestablished that for current consumersrequiring a high level of availability, it ishighly advisable to use the isolatedneutral arrangement since it enablescontinuity of supply on the occurrence

fig. 3: a reliable power supply. Simplified network diagram.

TRG

UPS

backed-up

sourcechangeover switch

no back-up

grid supply

independent source

load restorable

load shedding

several hours

non-priority

down time:

types:

several mins.

priority

several secs.

essential

none(high quality)

vital


of an initial insulation fault (see.«Cahiers Techniques» n°172 andn°173).

dependability studiesBefore looking at electricalnetwork dependability studies, it wouldbe useful to recap on several

dependability:Dependability is a generic idea thatmeasures the quality of service, providedby a system, so that the user can havejustified confidence in it. Justifiedconfidence is achieved throughquantitative and qualitative analyses of thevarious features of the service providedby the system. These features are basedon the probability parameters definedbelow.

reliability:the probability that a unit is able accomplisha required function, under given conditions,during a given interval of time [t1,t2] ; writtenR(t1, t2).

availability:the probability that a unit is in a state thatenables it to accomplish a required functionunder given conditions and at a givenmoment in time, t ; written D(t).

maintainability:the probability that a given maintenanceaction can be carried out within a given time[t1, t2].

safety:the probability of avoiding an event withhazardous consequences within a giventime [t1,t2].

failure rate:the probability that a unit loses its abilityto accomplish a function during theinterval [t, t+dt], knowing that it has notfailed between [0, t] ; it is written λ(t).

the equivalent failure rate:the value or a constant failure rate: λeq forwhich the reliability of the system in time t isequal to R(t) - λeq is a «constantapproximation» of λ(t).

MTTF (Mean Time to Failure):the average time of correct operation beforethe first failure.

MTBF (Mean Time Between Failure):the average time between two failures in arepairable system.

MUT (Mean Up Time):the average time of correct operationbetween two failures in a repairable system.

MTTR (Mean Time To Repair):the average time required to repair.

fig. 4: definitions.

definitions of the terms used by reliabilityspecialists, even if everyone knows thedefinitions of the words: reliable,available, maintenance and safety(see fig. 4 and 5).It is also necessary to detail theapplicational scope and generalfeatures of such studies.

Scope and features of studiesccccc applicational scope:studies are carried out on all types ofelectrical networks, from low voltage tohigh voltage, and on their monitoringand control systems.The networks may be:v single feeder

MDT (Mean Down Time):the average time for which the system isnot available. It includes the time to detectthe fault, the time for the maintenanceservice team to get to the fault, the time toget the replacement parts for theequipment to be repaired and the time torepair.

the repair rate:the inverse of the mean time to repair.

FMEA (Failure Modes and EffectsAnalysis):this enables the effects to be analysed of thefailure of components on the system.

model:graphical representation of the combinationof failures found during an FMEA and oftheir maintenance process.

undesirable event:system failure that must be analysed inorder for the user to feel justified confidencein the system. This system failure gaugesthe quality of service,

fig. 5: relations between the various values that characterise the reliability, maintainability and availability of a machine.

correct operation correct operationrepairing

MTTR

MDTMTTF

MTBF

MUT

waiting

initialfailure

secondfailure

startof work

restarting

time0


preliminary study detailed study

accuracy of 1 single failure type failures divided into familiesassumptions (1 frequency, 1 average duration) according to their effect on the system.

accuracy of the consequences of the failures the consequences of the failures aremodelling are combined into major families analysed in depth.

v double feeder (see fig. 6a),v double busbar (see fig. 6b),v loop (see fig 6c),v and with or without reconfiguration orload shedding.

c characteristic features of studies:studies are tailor made to takeaccount of the expressedrequirements.They are set up in terms of:- accuracy of study,- type of analysis,- type of dependability criteria,v the accuracy of study(see fig. 7):- brief or preliminary study:

fig. 6: network configurations.

fig. 7: differences between a preliminary study and an in-depth study.dependability

criteria

simpleand minimalconfiguration

satisfyingof dependability

criteria

new configuration

no

yes

fig. 8: design assistance.

GG

turbo-alternator

a. double line feeder b. double busbars c. loop

this is a pessimistic study generallyused to quickly make technicalchoices- very detailed studies that takeaccount of as many factors aspossible.Taking account of all theoperating modes, detailed analysis ofpossible failure modes and theirconsequences, modelling themalfunctioning behaviour of thesystem.

v the types of analysis- design assistance in assessingthe dependability criteria(see fig. 8),


- comparison of configurations (seefig. 9),- qualitative configuration analysis.v the types of criteria to be quantified(see fig. 10)- the average number of hours that thesystem functions correctly (MUT):- the average number of hours that thesystem functions before not supplyingcertain current consumers for the firsttime (MTTF)- the probability of no longer supplyingpower to certain current consumers(availability),- the average number of failures perhour during a year (λeq),- an average repair time (1/µeq),- the optimal frequency of preventivemaintenance,- the calculation of replacement partkits.These criteria enable an assessment tobe made of the system's performancelevel and thus to determine theconfiguration that meets dependabilitycriteria without forgetting economicconstraints.

fig. 10 : illustration of dependability assessment criteria.

GE

UPS SC*

current consumer n°1

current consumer n°2

we can calculate:

- the probability that GE does not start when powersupply is lost.

- the optimum preventivemaintenance frequencyfor the GE.

- the number of minutesa year that current consumern°1 is not supplied.

- the average number of hoursbefore current consumern°2 will no longer have power.

* SC= Static contactor

generator setpublic network

fig. 9: configuration comparison.

dependabilitycriteria

choseconfiguration A

choseconfiguration B

no

yes

configurationA

configurationB

configuration A's dependability

criteria are nearer the objectives

configuration B


2. how a study is carried out

the chronological order ofphasesWhatever the requirement expressedby the designer or operator of anelectrical installation, a dependabilitystudy will include the following phases(see fig. 11):c expression and analysis of therequirements,c functional analysis of the system,c failure modes analysis,c modelling,c calculation or assessment ofdependability criteria.

In most cases, this procedure must beperformed several times:c twice if we want to compare twolayouts,c n times if we want to determine aconfiguration that is adapted torequirements taking account oftechnical and economic constraints.

expression and analysis ofrequirementsAs discussed at the end of the previouschapter, the study initiator must detail(see fig. 12):c what the study involves ; e.g:substation monitoring and control, andprovide the design elements that hehas in his possession.c the type of request (type of analysisrequired), e.g.:v a demonstration of the confidencelevel that we can assign to a powersupply for a critical process (orientingus towards a type of study, types ofcriteria to be assessed),v the search for objective criteriamaking technical and economicanalysis possible,v the determination of the most suitableconfiguration to meet requirements(orienting us towards a type ofanalysis),v support for a specific equipment design.These points can be combined ; inother words a company can search forthe configuration best suited to itsneeds to supply power to a criticalprocess as part of a technical andeconomic analysis.

fig. 11: the chronological order of phases in performing a dependability study.

analysis of the customer requirement

criteria to beassessed

network points where thecriteria wil be assessed

systemspecifications

functional analysis of the system

functions and componentsinvolved

failure mode analysis

possible systemfailures

search for data

- failure rate of components- time to repair- functional frequencies

modelling key

data

assessment ofdependability

criteria required

qualitativeanalysis

study phase

phase conclusions

to perform the phase

data requiredto perform the

next phase

fig. 12: information required for the study.

expression of requirement

expressed in terms of

type ofanalysis

studyaccuracy

criteria to be assessed

determination and classificationof the representative and/or strategic current consumers

in the system

leading to the carrying out of a customised study

to target the network pointsat which will be calculatedthe dependability criteria


Faced with the questions: where, tosupply what, what is the criticality andthe admissible down time, the customermust think in terms of, for example,safety and loss of production orinformation.

c the risk:for an insurance company the idea ofrisk corresponds to the seriousness(moral, social or economic) of the eventin question. In terms of loss ofproduction, the estimate of the risk isquite simple: the product of theprobability of the occurrence and thecost of an event gives a good idea ofcriticity. The assessment of the riskenables the price to pay to becalculated: loss of profits, insurance oroptimised electrical installation.

c formalising of requirements(see fig. 13): a means of expressing therequirements involves classifying thevarious current consumers according tothe down time that they can withstand(none, a few seconds, a few minutes, afew hours).

functional analysis of thesystemFunctional analysis describes in bothgraphical and written terms the roleof the network and/or its constituentparts.

fig. 13: the availability specifications to be provided by the customer.

fig. 14: functional block diagrams.

monitoringand control

power supply B

power supply A

MV electrical supply

normalsupply

GE

stand-by stand-by

MV

This analysis leads to two complemen-tary descriptions of the network:c one description using functionalblock diagrams (see fig. 14), whoseaim is to present the systemconfiguration and the functional linksbetween the various parts of thesystem.

c a behavioural description (see fig. 15)whose aim is to describe thesequence of the various possiblestates.The main purpose is to identify theevents that induce the system tochange. The model developed duringthe course of this analysis notably

the various current consumers in consideration

officeheating

minorevent

computersno break greater

than 20 msbeyond this:

criticalevent

tank cooling

stoppage possiblefor 1 hour max.

beyond this:loss of tank

contentsdisastrous event

oven n°1

process

oven n°2

stoppage possiblefor 3 mins max.


contentsdisastrous event

stoppage possiblefor 3 mins max.


contentscritical event


equipment failure mode failure rate time torepair,frequency ofpreventivemaintenance

circuit breaker c blocked closed λ1 µ1, —c spuriously open λ2

generator set c failure in operation λ4 µ2, 6 monthsc failure on start-up λ5

transformer c failure in operation λ6 µ3, X months

highlights the various reconfigurationpoints in the system.

This second analysis enables accountto be taken of functional aspects whenthey interact with malfunctionalaspects.

failure mode analysisThis analysis aims to provide:c the list of possible failure modes foreach of the items identified in thefunctional analysis,c their causes of occurrence (onecause is enough),c the consequences of these failureson the system (also called singleevents),c the failure rate associated with eachfailure mode as part of a quantitativestudy.

The results are presented in table form(see fig. 16).This analysis can be considered as thefirst stage of modelling.

reliability dataAs part of a quantitative analysis, it isnecessary to have probability datafor the failure of the system'sequipment.The probability characteristics are thencombined with the failure modes.These are:c the failure rate and how it is brokendown according to the failure mode,c the average time to repair associatedwith the frequency of preventivemaintenance (see fig. 17).

Failure ratesRemember that this involvesquantifying the probability that there willbe a failure between [t, t+dt], knowingthat there has been no failure before t.Schneider Electric has a database builtup from several sources:c internal studies and analysis ofequipment returned to the factory afterfailure,c failure statistics observed by utilitiescompanies and other manufacturers,c reliability data,v for non-electronic components:- IEEE 500 (feedback of experiencefrom nuclear power stations in theUSA),

fig. 15: behavioural description in the form of a Petri network.

fig. 16: failure mode analysis.

functions failure mode causes effects on the system

power supply loss of normal mode c power supply failure switch over to stand-byfeeder c transformer failure

c spurious circuitbreaker tripping

stand-by loss of stand-by mode c failure of GE in loss of electricityin operation operation supply

c spurious circuitbreaker tripping

c transformer failure

normal mode failure and c GE does not start upstand-by mode is not c circuit breaker isavailable blocked open

fig. 17: fictive summary of the reliability data required for a study.

? loss of power supply A

! switch to power supply B

? loss of power supply B

! start-up of GE

This Petri network expressesthe fact that in the case of lossof power supply A, the networkis switched to the power supply B.If power supply B fails, then theGE start-up.


- NPRD91 (feedback of experiencefrom military and non-military systemsin the USA),v for electronic equipment, the data isgenerally obtained by calculation fromthe Military Handbook 217 (F) or fromreliability data from the NationalCentre for TelecommunicationsStudies.

Some components have a constantfailure rate (λ) over time throughout aperiod of their life. In other words theprobability of failure is independent oftime ; this is the case of electroniccomponents (exponential law).Electrotechnical components age, or inother words their failure rate is notconstant over time. Data mostcommonly available supposes constantrates.The use of data that is non-specific tothe system being studied and ofconstant failure rates even if certaincomponents age is, nonetheless, veryattractive since it enables validcomparisons to be made betweensystems.The fact of finding a configuration thatis 10 times more reliable than another,10 times more available ... means thatthis configuration is ten times better forthe criteria in question ; the relativevalue is often more important than theabsolute value.Schneider Electric's reliabilitydatabase has the aim of gatheringtogether as much data as possible.Validity criteria have been set up toguarantee the quality of the dataincluded. We ensure:c the way that feedback of data wascarried out, on what data it was based,c the preliminary calculation methodused, the conditions of use,temperature, environment, etcIn time, this work provides us withreliability data to study any installationor to be able to obtain them byextrapolation.

The mean times to repairdepend mainly on the company'smaintenance policy. Decisive choicesnotably include the possibility ofinventory, the times when the repair

teams are present, the frequency ofpreventive maintenance, the type ofmaintenance contract with suppliers,etc.

The impact of the variation of thesemaintenance policy-based parameterson the system's performance level canbe dealt with by a specific analysis.

Functional reconfigurationsIn the instance of functionalreconfigurations, when functionalaspects interact with those that aremalfunctional (e.g. in the case of tariffbased load shedding) the frequency ofthese reconfigurations is included in themodelling process.

modellingThe malfunctioning of the network isrepresented by a model. The model is agraphical representation of the

combinations of events determined bythe analysis of failure modes which, forexample, contribute to the loss ofelectrical supply for certain currentconsumers and to their repairprocedures.This model enables:c discussions with the customer tovalidate our understanding of the waythe network malfunctions,c qualitative analysis of the networkperformance levels, by the search forcommon modes, of the simplestcombinations which contribute to theevent in question,c assessment of the network'sperformance levels by calculatingdependability criteria.Various techniques are availableaccording to the configuration of thesystem being studied, the undesirableevents in question, the criteria to be

fig. 18: fault tree modelling. The fact that the GE failure only makes sense if there is loss ofEDF supply does not initially appear.

loss of electrical supply

loss power supply GE failure

TD GE

AND

TD PS

D: circuit breakerT: transformerPS: power supply

peakevent

intermediaryevents

baseevent

OR OR


assessed and the assumptions takenaccount of in the model(s).

The main modelling techniquesccccc combination:the combining of single events.This is the case of fault tree diagrams(see fig. 18).A fault tree diagram breaks downevents into single events.The immediate causes of the loss ofelectrical supply are therefore sought,these are intermediary events.The causes of these intermediaryevents are then sought in turn.The break-down continues in this wayuntil it becomes impossible or until itserves no further purpose.Terminal events are called basicevents.The breaking down of an event intocausal events is performed usinglogical operators or so called gates (theAND gate, the OR gate).The fault tree diagram in figure 18expresses the fact that in the givennetwork, there is a total loss ofelectrical power if there is a loss of«power supply» and loss of the«generator sets».In this type of modelling exercise, noaccount is taken of the fact that thefailure of the generator sets is onlysignificant if there is loss of «powersupply» beforehand.Networks with reconfigurationpossibilities and complex maintenancestrategies are difficult to model usingthe fault tree method.

ccccc combination and sequential:the combining of single events whilsttaking account of the moment in timewhen the events occur.v Markovian type (see fig. 19).This type of model is commonlyrepresented by a graph that showsthe various possible states in thesystem.The arrows that link the system statesare quantified by rates, which can bethe failure rates, the repair rates or therepresentative operating modefrequencies.These rates represent the probabilitythat the system changes status

fig. 19: modelling of malfunctions in the form of a Markov diagram λa, λb and µ are assumed tobe constant.

status 1correct

operation

failure of power supply failure of GE's

repair

status 2power supplyfailure/start-up

of GE's

status 3failure of

power supply GE's do not

start up

status 4loss of power

supply

µ2

repairµ1

repairµ3

λbλa

λc loss of power

supply, GE's do not start up

λa: frequency at which there is loss power supplyλb: frequency of GE failureµ: frequency of repair

between time t and t+dt.The graph in figure 19 shows the factthat the system can have any one offour operating status:- status 1: correct operation,- status 2: failure of «power supply»and the generator sets have started up,- status 3: failure of «power supply»and the generator sets have not startedup,- status 4: when the generator setshave failed in operation with the powersupply also failed.Markovian modelling assumes that thefrequencies (or rates), which enablepassage from one status to another,are constant.The calculating algorithms associated

with this modelling technique can onlybe applied under these conditions.This limit leads us to makeassumptions and therefore to representthe reality of the situation to a greateror lesser extent.v other types.The procedure used is generally that ofa Petri network.The network is represented by places,transitions and tokens.The crossing of a transition via a tokencorresponds to a possible functional ormalfunctional system event.These transitions can be associatedwith any type of probability law.Simulation is the only way to enablecalculations to be resolved.


selection criteria fault tree diagram Markov graph Pétri network

interaction of the resolution impossible or false under certain conditions, suitableoperating mode in depending on the algorithms used resolution can be impossible or falsemodelling depending on the algorithm used

numerical dispersion resolution impossible or false under certain conditions, suitableof data depending on the algorithms used; resolution can be impossible or false

no problem if simulation depending on the algorithm used

the timing of the failures no suitable suitableis important

estimate involving simulation time which can be suitable simulation time whichrare events prohibitive, no problem in the case can be prohibitive

of analytical resolution

estimate of:c MUT - suitable suitablec MTTF suitable suitable suitablec D(t) - suitable -c D(∞) suitable (analytical calc.) suitable suitablec average D at t suitable (simulation) - suitablec MTTR - suitable suitablec λeq - suitable suitable

fig. 21: criteria used to select the type of modelling used.

The Pétri network in figure 20represents the various failure modesthat the system may be subject to:- associated with transition n°1 is theprobability of «power supply failure»,- associated with transition n°2 is theprobability of the starting up and thenon starting up of the generator sets,- associated with transition n°3 is theprobability of failure of the generatorsets in operation.

Criteria used to select a modellingtype:figure 21 shows these modellingtechniques in table form.

dependability criteriaassessment calculationsTwo different techniques can be used.c analytical resolution:v for states graphs,v for fault tree diagrams.When systems are large or complex,analytical resolution may beimpossible.c system component behavioursimulation (operation or failure):v for Petri networks,v for fault tree diagrams.To achieve accuracy, a large number ofsimulations must be carried out and thecalculation time may be prohibitive if

the measurement estimate is related torare events.The modelling of a system using a Petrinetwork is the model most closely

representing the actual operation of thesystem being studied. But in view of thelimits related to simulation, thistechnique is not systematically used.

fig. 20: modelling using a Petri network.

power supply failure

time torepair

time torepair

time torepair

P=probability ofGE's not starting up

1P=probability ofstart-up of GE's

1

2

failure of GE's in operation

3


3. examples of studies

comparing two electricalnetwork configurations in afactoryc presentation of the factory:A drinking water production plantsupplies 100 000 m3/day at off peaktimes, 300 jours/year and200 000 m3/day at peak times, 65 daysa year.Production of water is performed using4 production plants, each capable ofsupplying 100 000 m3/day.Each plant is associated with sixtypes of current consumers : R1, R2,R3, R4, R5 and R6 (pumps,disinfectors, etc.) which must worksimultaneously in order to ensureproduction (ref. fig. 22).The current consumers ensuring theoperation of each plant can bedistinguished in the following manner:R1a,…, R6a for plant n° 1

fig. 22: functional diagram of the original installation. Certain penalising common modes are not shown.

R1b,…, R6b for plant n° 2R1c,…, R6c for plant n° 3R1d,…, R6d for plant n° 4To ensure operation at off-peak times,only one plant is required ; during peaktimes, two plants are required.

c analysis of the enquiry, therequirementsAfter two meetings with the customer,the specialists have determined:v that the following was required:- a proposal for a new LV electricalnetwork configuration, the configurationof the MV (5.5 kV) should change verylittle,- proof that the proposed layout was atleast as good as the old in terms ofcertain dependability criteria.v that the dependability criteria to beassessed were:- the probability of simultaneouslylosing electrical supply to currentconsumers n°1 and n°6,

- the probability of losing electricalsupply to current consumers n°3.

c functional analysisGeneral considerations concerning thenetwork operation:v the site is supplied by twoindependent power supply feeders.Two generator sets are there on stand-by in the case of failure of the powersupply feeders,v in normal operation, the site issupplied by the power supply feeder A.If this feeder fails, then the systemswitches to power supply feeder B. Ifboth power supply feeders fail, thegenerator sets start up,v there are two levels of production, off-peak and peak. In the case of peakproduction, the power of the generatorsets is not sufficient to ensureproduction.v the power supply split between currentconsumers is such that the availability is

R6a......R6d R5a......R5d

5,5 kV

400 V

JDB3

T3

R4a......R4d R3a......R3d

5,5 kV

400 V

JDB4

T4

R2a......R2d R1a......R1d

5,5 kV

400 V

JDB5

T5

20 kV

MV switchboard 1

MV switchboard 2

power supply Bpower supply A G1 G2

5,5 kV

T2

20 kV

5,5 kV

T1

5,5 kV

400 V

JDB6

T6


in the old network, there are failures thatcontribute directly to the loss of electricalpower supply.If this system only worked in off-peakconditions, this ratio would be virtuallythe same since the system works mostlyin off-peak conditions, thus explaining itspreponderance in the overall result.If the system only works in peakconditions, it is around 50 times moreprobable to lose electrical supply tocurrent consumers 1 and 6 with the oldnetwork. In the case of peak conditions,it is MV related faults that predominateand this part of the network cannot bechanged very much.v on the frequency of loss of supply tocurrent consumers n°1 and 6:- off-peak operation 22- peak operation 21- overall 21v on the frequency of loss of supply tocurrent consumers n°3:- off-peak operation 18- peak operation 21- overall 20The improved performance of the newnetwork is less pronounced in terms offrequency of failure.Calculation parameters used in aprobability of unavailability are thefrequency of failure and the time torepair. The failures which directlycontribute to the loss of power have aneffect on the unavailability time which isproportional to their time to repair.The new network makes it possible forbackground preventive maintenance tobe carried, in other words withoutinterrupting the plant's normaloperation.

ccccc additional assessmentsIt seemed interesting to assess someadditional criteria to compare the twoconfigurations.v the relative probability of losing peakoperating conditionsIn the case of peak operatingconditions, the economic stakes arehigh. The criteria assessed above donot measure this risk. It is entirelyfeasible to lose peak production evenwith current consumers 1, 6 and 3supplied power.The probability of losing peak operationis four times less with the new network.The improvement is less pronouncedthan the other calculated criteria, sincethe main failures occur in the MV partwhich remains unmodified.

not very good. Thus, for example a faulton the busbar JDB3 knocks out allcurrent consumers of type R5 and R6.Production is stopped and no other plantcan operate,v the existing electrical network wassuch that that there were commonmode busbars. A short circuit acrossthese busbars made anyreconfigurations inoperative.The probability of a busbar short circuitis low, but since the system had highreconfiguring possibilities this failuremode becomes preponderant. Thecommon modes occur at coupling level,during reconfigurations involvingtransformer T4.v for the new network, the currentconsumers have been separated sothat it is possible to supply off-peakdemand with the current consumersassociated with one single transformerand peak demand with the currentconsumers associated with twotransformers.Figure 23 presents the proposednetwork layout and figure 24 itsfunctional analysis.

c results analysisThe improvement in results obtainedwith the proposed network ishighlighted by giving the improvementratios, with the existing network beingused as a reference.Besides the probabilities of thesimultaneous loss of current consumers1 and 6 and the loss of currentconsumers 3, we have assessed theirfrequency of loss. Also calculated : theoptimum maintenance frequency for thegenerator sets and the contribution ofthe MV and LV networks to theundesirable events.Here are the obtained improvements :v on the relative probability ofsimultaneously losing supply to currentconsumers n° 1 and 6:- off-peak operation 110- peak operation 55- overall 105v on the relative probability of losingsupply to current consumers n° 3:- off-peak operation 99- peak operation 54- overall 97Overall, the probability of losing electricalsupply to current consumers n°1 and 6 is100 times greater with the old networkthan with the proposed network. Indeed,

fig. 23: functional diagram of the newconfiguration.

GE1power supply A

power supply B

MVswitchboard 1

MVswitchboard 2

GE2

20 kV

T1 T2

5,5 kV

20 kV

5,5 kV

R1d R2d...................R6d

5,5 kV

plant n°4400 V

R1c R2c...................R6c

5,5 kV

plant n°3400 V

R1b R2b...................R6b

5,5 kV

plant n°2400 V

R1a R2a...................R6a

5,5 kV

plant n°1400 V


v the optimum preventive maintenancefrequencyThe graph resulting from thecalculations (see fig. 25) shows theimpact of preventive maintenancefrequency of the generator sets on theprobability that they will be availablewhen they are required.For a maintenance frequency of6 months, the graph shows that there isa trough in the probability of unavailabilityin the event of a loss of power.v contribution of the MV and LV parts tothe undesirable events for the proposednetwork.The MV part has a much highercontribution than the LV part (around99.9% compared with 0.1%).Since the MV network has not beenmodified, its preventive maintenancemust be optimised ; moreover, it wouldbe greatly preferable to have a qualitymonitoring and control system on theMV network.

the interest of remotemonitoring and control inan EHV substationc analysis of the enquiry, therequirementsSchneider is carrying out preliminarydependability studies as part of anexport monitoring and control offer foran EHV substation. The following

fig. 24: functional analysis of the new configuration.

fig. 25: unavailability of a generator set when power is down as a function of the periodicity ofmaintenance.

preliminary study had to determinewhich configuration would enable theachievement of dependabilityobjectives that had been set by thecustomer in terms of the loss ofmonitoring and control.The objective was to determinewhether it was necessary toincorporate a stand-by remote workstation.

power supplyA

transformer20 kV/5.5 kV

currentconsumersn°6a, 5a, 4a3a, 2a, 1a

power supplyB

generatorsets

transformer20 kV/5.5 kV

protection devices

protection devices

couplingcurrent

consumersn°7

currentconsumers

n°8

currentconsumers

n°8

currentconsumers

n°7

T5 T3

currentconsumersn°6b, 5b, 4b3b, 2b, 1b

currentconsumersn°6c, 5c, 4c3c, 2c, 1c

currentconsumersn°6d, 5d, 4d3d, 2d, 1d

T6 T4

1 month 6 months 1 year 2 years 5 years

P(failure when power down)


fig. 27: monitoring and control configuration of an EHV substation with access and remote work station.

fig. 26: base monitoring and control configuration of an EHV substation.

sorties TOR

entrées TOR

entrées analogiques

unité centrale

automate

communication

sorties TOR

entrées TOR


unité centrale

automate

communication

console

work station

communication

on/off outputs

on/off inputs

analogical inputs

central processor

on/off outputs

on/off inputs

analogical inputs

central processor

PLC* (*Programmable Logic Controller)

communication

PLC*

communication4 PLC's*

level 2

level 1

network

sorties TOR

entrées TOR


unité centrale

automate

communication

sorties TOR

entrées TOR


unité centrale

automate

communication

console

work station

communication

on/off outputs

on/off inputs

analogical inputs

central processor

central processor

PLC* (*Programmable Logic Controller)

communication

on/off outputs

on/off inputs

analogical inputs

PLC*

communication4 PLC's*

level 2

level 1

network

link

communication

central processor

to level 3


c functional analysisThe monitoring and control of the EHVsubstation in question includes:v four plc's which acquire datas on thestatus of the substation'selectrotechnical equipment and whichpass on the control orders (level 1),v a work station enabling visualisationof the substation's status and thesending of control orders (level 2),v and possibly, a remote work station.The remote workstation is therefore onstand-by with respect to thesubstation's own work station.Figure 26 shows the basic solutioncorresponding to one single level 2work station.Figure 27 shows the solution with a linkto a remote work station.

c results analysisthe selected monitoring and controlsystem must have a probability ofunavailability of less than 10-4 att=1200 hours. This means theequipment must be non-functional forless than 7 minutes over 1200 hours ofoperation (50 days).The undesirable event - loss ofmonitoring and control - has beenbroken down into three undesirableevents corresponding to calculations of:v the probability of totally losingmonitoring and control (common mode),v the probability of losing at least on/offinformation,v the probability of losing at leastanalogic information,or in other words three calculations foreach configuration.The equipment is divided into twoclasses:v equipment for which we havereplacement parts (n),v equipment for which we do not havereplacement parts (s).Two calculations are performed for eachundesirable event, to show the impact ofthe choice of the average repair time onthe end result (see fig. 28).Hypothesis 2 is the most realistic one;it is these times that will be taken intoaccount to choose between the twosolutions.

MDT for equipment of type n MDT for equipment of type s

hypothesis 1 1 hour 3 hours

hypothesis 2 4 hours 12 hours

fig. 28: two hypotheses for the average time to repair.

fig. 29: bar chart of the unavailability of the two solutions (the orange line corresponds to theobjective to be achieved, it is achieved if the bar chart is to the left of the line).

As figure 29 shows;v the solution without the remotestation does not enable the requiredavailability to be achieved,v the solution with remote monitoringand control enables the objectives to be

base solution:

analogic inputs

on/off inputs/outputs

common modes

solution with link to level 3:

analogic inputs

on/off inputs/outputs

common modes

hypothesis 1

hypothesis 2

0 1E-4 2E-4 3E-4 4E-4 5E-4 6E-4

unavailability at t = 1200 h

objective

achieved for on/off inputs and thecommon modes ; but the probability oflosing at least one analogic inputremains greater than the target objective.


dependability studypackagesCertain tools automatically generate adependability study from the functionalanalysis of the system and the failuremodes of its components.A model is generated which enablesevaluation of the dependability criteria.These tools are useful for complexsystems and/or repetitive systems.They enable a database to be createdon the failure modes of the componentsand on the consequences of thesefailures when possible. (see. fig. 30).

modelling toolsTwo types of tools (see. fig. 31):c simulation tools,c analytical calculation tools.Comment: a Markov graph can veryeasily be transformed into a Pétrinetwork and be used for simulation. Asopposed to a Pétri network, a graphcan be associated, but in this case thetransitions must be «Markovised»: in aMarkov graph the frequency ofoccurrence of the transitions arenecessarily constant.Schneider currently has a PC graphicalinterface called PCDM whichautomatically generates the file definingthe Markov graph or the Pétri networkthat has been drawn (ref. fig. 32).This provides time savings andimproved reliability of data entry.The Petri network modelling techniqueis that which currently best approachesthe real behaviour of the system. Theacceleration of the simulation of Petrinetworks, notably using MOCA-RPsoftware, is the subject of a thesiswhose initial findings have beenpresented at the ESREL 96 congress(European Safety Reliability).In the near future, the use of Petrinetworks will no longer be limited bythe simulation time they require.

tool modelling calculation main featuresname technique resolution technique

Adélia fault tree c analytical tool developed by Schneider Electricc simulation to model the malfunctions in

electrical network components. Itintegrates an electrical networkmalfunction database. Thedescription of the network and of theundesirable event automaticallygenerates the correspondingfault tree.

Sofia fault tree c analytical tool developed by SGTE Sofrenten.(logical polynomial) Automatic generation of a fault

tree and associated FMEA, by afunctional description of the systemand the creation of an associatedmalfunction database.

fig. 30 : two types of tools regularly used by Schneider Electri for dependability study.

modelling type simulation tool analytical calculation tool

Markov graph super Cabdeveloped by ELF AQUITAINE

Petri network MOCA-RDdeveloped by Microcab

fig. 31: the modelling tools.

fig. 32: PCDM graphical interface - Markov graph.

4. dependability tools


5. conclusion

Requirements have progressed interms of quality of electricity supply.Taking account of the considerableimprovements that have been made inmethods and equipment, users areentitled today to demand a high level ofavailability.To achieve this objective with justifiedconfidence, dependability studies arenecessary.They enable optimisation ofc the configuration of the electricalnetwork,

c of the monitoring and control system,c of the maintenance policy.They enable solutions to be chosenthat are tailored to achieve the requiredavailability threshold as cost effectivelyas possible.Often the study can be limited to a keypoint in the installation, responsible forthe major part of the globalunavailability.In many cases, it is interesting to call ina specialist. The advice they mayprovide could prove decisive.

Dependability can be broken down interms of:c safety,c reliability,c availability,c maintainability.Safety requirements initially imposeddependability studies on hazardousapplications : rail and air transport,nuclear power stations, etc. If we addthe requirements of reliability,availability and maintainability, manyother sectors are concerned.


bibliography

Standards

c IEC 50: International electrotechnicalvocabulary - general index.

c IEC 271/UTE C 20310: List of basicterms, definitions and relatedmathematics for reliability.

c IEC 300: Reliability andmaintainability management.

c IEC 305/UTE C20321 à 327:Characteristics of string insulator unitsof the cap and pin type.

c IEC 362: Guide for the collection ofreliability, availability and maintainabilitydata from field performance ofelectronic items.

c IEC 671: Periodic tests andmonitoring of the protection system ofnuclear reactors.

c IEC 706/X 60310 and 60312: Guideon maintainability of equipment.

c IEC 812/X 60510: Analysistechniques for system reliability -Procedure for failure mode and effectsanalysis (FMEA).

c CEI 863/X 60520 : Prévision descaractéristiques de fiabilité,maintenabilité et disponibilité.

c IEC 880: Software for computers inthe safety systems of nuclear powerstations.

c IEC 987: Programmed digitalcomputers important to safety fornuclear power stations.

c IEC 1165: Application of Markovtechniques.

c IEC 1226: Nuclear power plants ;instrumentation and control systemsimportant for safety ; classification.

c NF C 71-011 : Sûreté defonctionnement des logiciels -Généralité

c NF C 71-012 : Sûreté defonctionnement des logiciels -Contraintes sur le logiciel.

c NF C 71-013 : Sûreté defonctionnement des logiciels -Méthodes appropriées aux analyses desécurité.

Miscellaneous publications

[1] «Fiabilité des systèmes»A. Pagès et M. GondranEyrolles 1983

[2] «Sûreté de fonctionnement dessystèmes industriels»A. VillemeurEyrolles 1988

[3] Recueils de données de fiabilité :

c Military Handbook 217 FDepartment of Defense (US)

c Recueil de données de fiabilité duCNET(Centre National d’Etudes desTélécommunications)1993

c IEEE 493 et 500 (Institute ofElectrical and Electronics Engineers)1980 et 1984

c IEEE Guide to the collection andpresentation of electronic sensingcomponent, and mechanical equipmentreliability data for nuclear-powergenerating stations

c Document NPRD91 (NonelectronicsParts Reliability Data)du Reliability Analysis Center(Department of Defense US)

1991

[4] Recommandations:

c MIL-STD 882 B

c MIL-STD 1623

Merlin Gerin Cahier Techniques

c Méthode de développement d’unlogiciel de sûretéCahier Technique n° 117 -A. JOURDIL et R. GALERA 1982

c Introduction to dependability design,Cahier Technique n° 144P. BONNEFOI

c Sûreté et distribution électriqueCahier Technique n° 148 - G. GATINE

c High availability and LV switchboards,Cahier Technique n° 156O. BOUJU

c Automatic transfering of powersupplies in HV and LV networksCahier Technique n° 161G. THOMASSET

c Energy-based discriminationfor LV protective devices,Cahier Technique n° CT167R. MOREL, M. SERPINET

c Dependability of MV and HVprotective devices,Cahier Technique n° 175M. LEMAIRE

Schneider's participation in variousworking groups

c statistical group of IEC committee 56(reliability standards),

c software dependability with theEuropean EWICS-T7 group : computerand critical applications,

c groupe de travail de l’AFCET sur lasûreté de fonctionnement dessystèmes informatiques,

c participation à la mise à jour durecueil de fiabilité du CNET,

c IFIP working group 10.4. Dependablecomputing.

Cahier Technique Merlin Gerin n° 184 / p.24Real.: Sodipe - ValenceDTE - 09-97 - 1500 - Printing: CLERC

electrical installation dependability studies

Documents