iec61850 preliminary

Upload: ganesh-santosh

Post on 13-Oct-2015


DESCRIPTION

a basic preliminary of IEC 61850 protocol

TRANSCRIPT

  • 5/23/2018 IEC61850 Preliminary

    1/43

    1. What IEC 61850 is, and what it is not

    Substations designed in the past made use of protection and control schemes implemented with single-function, electromechanical or static devices and hard-wired relay logic. SCADA functions were centralized and limited to monitoring of circuit loadings, bus voltages, aggregated alarms, control of circuit breakers and tap changers, etc. Disturbance recording and sequence-of-event data, if available, was centralized and local to the substation.

    With the advent of microprocessor-based multi-function Intelligent Electronic Devices (IEDs) came the opportunity to move more functionality into fewer devices, resulting in simpler designs with reduced wiring. In addition, owing to communication capabilities of the IEDs, more information could be made remotely available, translating into fewer visits to the substation.

    Microprocessor-based protection solutions have been successful because they offered substantial cost savings while fitting very well into pre-existing frameworks of relay application. A modern microprocessor-based IED replaces an entire panel of electro-mechanical relays with external wiring intact, and internal dc wiring replaced by integrated relay logic. Users retained total control over the degree of integration of various functions, while interoperability with the existing environment (instrument transformers, other relays, control switches, etc.) has been maintained using traditional hard-wired connections. Distributed functions are rare, and restricted mainly to the SCADA realm.

    In terms of SCADA integration, the first generation of such systems achieved moderate success, especially in cases where the end-user could lock into a solution from a single vendor. Integrating systems made up of IEDs from multiple vendors invariably led to interoperability issues on the SCADA side. Integration solutions tended to be customized. Owners of such systems were faced with long-term support and maintenance issues. During this period two leading protocols emerged: DNP 3.0 and IEC 60870.

    Beginning in the early 1990s, initiatives were undertaken to develop a communications architecture that would facilitate the design of systems for protection, control, monitoring, and diagnostics in the substation. The primary goals were to simplify development of these multi-vendor substation automation systems and to achieve higher levels of integration, reducing even further the amount of engineering and wiring required. These initiatives have culminated in the release of the EPRI-sponsored Utility Communications Architecture, or UCA, specification, a precursor of the 61850 international standard. After decades of competing protocols and integration challenges, 61850 was created by an International Electrotechnical Commission working group consisting of vendors, utilities, and consultants who were focused on the development of a standard in which devices from all vendors could be connected together to share data, services, and functions.

    The vision of 61850 is extremely broad. While starting with a next generation SCADA protocol, the concept encourages and facilitates advanced applications in protection and control, to the extent of blending in non-conventional CTs and VTs into the overall scheme by providing for a standardized way of exchanging information digitally between the producers and recipients of this information. The 61850 phrase became a designator for the next generation substation system with a higher degree of integration, reduced cost, greater flexibility, communication networks replacing hard-wired connections, plug-and-play functionality, reduced construction and commissioning time, and other advantages. While many of these benefits are delivered by the SCADA part of the 61850 alone, there is an expectation that the other visionary elements of the package are also mandatory and ready for extended deployment.

    The 61850 Standard makes extensive use of the concept of virtualization. Data that is produced by IEDs is presented in a standardized format. In this way IED functions become generic from the point of view of the system designer, but the underlying functions retain vendor-specific characteristics that may be unique and proprietary in nature. The available data is also logically partitioned according to groupings that should be familiar to relay and SCADA engineers (protection, metering, supervisory control, etc.). The data is self-describing in nature, obviating the need for memory maps and allowing the integrator to browse a device for the needed data. Presented data has attributes that are common across vendor platforms.

    Additionally, the 61850 series standardizes the mechanisms by which data is accessed and exchanged within the substation. The IEC 61850 concept standardizes SCADA data and services, as well as encourages peer-to-peer exchange of information between the IEDs. Included are mechanisms for reporting and logging of information, mechanisms for passing critical messages such as tripping signals between devices, and mechanisms for transfer of voltage and current samples from process-level devices (microprocessor-based CTs & VTs) to protection devices. The design of automation functions requires a considerable amount of configuration of the constituent IEDs. Currently, when building multi-vendor automation systems, the designer is confronted with one or more configuration tools from each vendor. The 61850 series addresses this by defining a description language for substation configuration (Substation

    IEC 61850

    A Practical Application Primer for Protection Engineers

    Bogdan Kasztenny, James Whatley, Eric A. Udren, John Burger, Dale Finney, Mark Adamiak


    Configuration Language, SCL). SCL permits the development of tools that can be used to describe the substation at a high level (single line diagram). These tools are also envisioned to configure reports/logs, control commands, critical peer-to-peer messages and sampled analog values. Vendor-specific configuration tools must interface with system-level tools using standard SCL files.

    While the 61850 series facilitates the implementation of functions (protection schemes, control schemes, etc.) that are distributed amongst several IEDs (possibly from different vendors), the specification does not attempt to standardize the functions themselves in any detail. It is left to the end user to impose his or her own engineering practices and philosophies to the particular application. Correspondingly, the 61850 Standard makes few requirements as to which data models and data items are to be made available in a particular IED. The allocation of data models as well as much of the data that makes up the models is left to the IED vendor. This creates a potential disconnect between the vendor and the end-user. It is therefore critical for the system designer to carefully check specifications when selecting IEDs.

    Similarly, the 61850 Standard details the attributes of the data exchanged between devices. These attributes include information on the quality of the data and information on the operating state of the source of the data (for example, normal versus test). Decisions on the response of a function that is presented with degraded data are outside the scope of the Standard. Additionally, the Standard permits the configuration of timing priorities for messages passed between devices. It is, for the most part, left to the designer to determine what level of priority is required for the application.

    The Standard defines the description language (SCL) to be used by configuration tools, while the functionality of the tools themselves is outside the scope of the Standard. More importantly, the overall engineering processes are not defined and are likely to be different than those of the past. Much of the IED settings will remain in the domain of the manufacturer-specific IED configuration tool. There will (at least initially) be some conflicts created. Undoubtedly, engineering processes and the corresponding configuration tools will have to evolve in unison.

    The IEC standard itself does not offer any particular system architecture to follow. Instead it describes several building blocks with the hope they will fit the future architecture while the latter is conceived. This is not a significant issue for functions integrated between SCADA and IEDs, but presents an obstacle for functions executed between IEDs and their remote inputs and outputs.

    Some of the functions that have been implemented in the past will map easily into the IEC 61850 domain. Others will not. In some cases, long-held, underlying principles of system protection will have to be re-examined.

    This paper seeks to identify significant issues arising as deployment moves forward, presents possible solutions in some cases and gives direction for further investigation in others.

    2. Industry Trends and Expectations

    Today's utilities are under considerable cost pressure. In the realm of protection and control, modern microprocessor-based multi-function devices offer great savings by simplifying panel design, eliminating a number of traditionally installed devices and associated wiring, eliminating RTUs, and simplifying substation SCADA systems.

    The cost of a device providing a complete set of Protection and Control (P&C) functions for a given zone of protection has dropped dramatically in the last two decades. Nonetheless, the cost of a finished installed panel with primary and backup protection and independent breaker fail / autoreclose relay remains in the 50 to 100 thousand dollar range. It is clear that the vast majority of this cost is associated with engineering and field labor, and not with the cost of the raw material.

    On the other hand, shortages and aging of the experienced workforce, coupled with a lack of inflow of new graduates, will create a large-scale problem in the 5 to 10 year horizon. This is within the time perspective of today's utility managers, who started to realize that the retrofit schedules driven by the age of the secondary equipment, availability of experienced engineering staff, and the expected cost of retrofits and new projects do not converge.

    With reserve margins low in many regions of the globe, outages required to complete retrofits or integrate a substation are already, and will remain, difficult to obtain. This a growing need and expectation of a substantial reduction in the duration of P&C projects.

    This need has sparked discussions around new next generation P&C solutions that would reduce the engineering costs, cut the field labor, and shorten the required outage time. Many utilities have decided to set up task forces with a mandate to evaluate existing technologies and trends and work out more efficient ways of engineering P&C systems. Quite often, the above trends and expectations are labeled 61850. In reality the IEC 61850 implies one of possible solutions by providing a set of standardized building blocks, with the hope the blocks will fit the future P&C architecture.

    Means to achieve the benefits of the next generation system include eliminating RTUs and associated wiring in favor of using only protection IEDs as interfaces with the primary equipment, standardizing P&C designs for better re-usability, deploying pre-assembled and pre-tested drop-in control houses, simplifying designs by migrating auxiliary devices such as control switches, annunciation, metering and other functions into protection IEDs, replacing stand-alone Digital Fault Recorders (DFRs) and Sequence of Events (SOEs) recorders with distributed records collected from protection IEDs, migrating all substation communication into a single media of Ethernet, etc. This alone allows for substantial cost savings and is being successfully implemented by many utilities using modern IEDs


    and existing SCADA protocols for integration and automation.

    It seems, however, that under the cost and manpower pressure, the industry is getting ready for more aggressive steps beyond what is being done today by forward-looking utilities. Replacement of switchyard wiring with plug-and-play fiber-based solutions, replacement of inter-IED wiring including critical protection signaling with peer-to-peer communications, real-time sharing of processed analog signals between IEDs for further elimination of the hardware that interfaces with the primary equipment are discussed.

    Substantial cost is associated with copper wiring ($10/point, 100 points on an average panel, tens to hundreds of meters of control cables per panel). Given the bandwidth of fiber-based signaling, the potential for plug-and-play assembly of fiber-based architectures, and much lower cost of fiber versus copper on the per signal basis, the next generation P&C solution is often viewed as eliminating copper and replacing it with fiber. At the same time, fiber technology has been constantly advancing, driven by high volume applications in both the consumer (e.g. cable TV, Internet, telecom) and industrial (e.g. transportation, factory floor automation) markets. Deploying fiber-based networks no longer requires pioneering approaches, unique skill sets, or expensive, specialized equipment. Instead, off-the-shelf relatively mature solutions have emerged for laying out, patching, and terminating fiber cables. Overall the fiber technology seems to have enough momentum to grow into mission-critical applications including the outdoor high-voltage substation environment.

    Considerable cost is perceived to be associated with integration of various devices for automation and SCADA purposes. Savings are expected by migrating to a better, next generation protocol compared with the existing DNP 3.0 and IEC 60870. Major areas of improvement that have been identified include object orientation (organization of data), self-description of data, using single high-speed communication media (Ethernet), and better station-level configuration tools.

    The leading protocols widely used today recognize the need for improvement and continue to evolve. For example, DNP can be used over Ethernet; and work is under way to incorporate some form of self-description into DNP.

    The economic expectation derived from industry convergence on a single global protocol is high, regardless as to how the protocol compares with the existing multitude of protocols. Major vendors tend to operate globally these days. Opportunity to support just one substation protocol would allow them to focus better and invest more effort in a single standard solution.

    The IEC 61850 is viewed as the single answer to the above expectations and emerging trends.

    3. The Vision of IEC 61850

    In the beginning, the vision of IEC61850 was to define an interoperable communication system for the exchange of information between devices within a substation. Figure 1 shows the interfaces originally identified to be within scope of the Standard, specifically, process measurement (e.g. voltages, currents, status) to device, device to station level, device to device, and device to Technical Services. Each interface brought with it different requirements for performance, Quality of Service, and reliability. Identified but not yet implemented interfaces are the Station Level to Control Center and Local Device to Remote Device (other substation) communications.

    The structure chosen to implement this system was the International Standards Organization's 7-layer communication model. Specifically, the goal was to populate each of the layers, when needed, with existing standards that met the identified functional requirements. It was recognized that different communication profiles would be needed for the various communication paths that existed between devices. The primary protocols chosen for the various layers include Ethernet, the Internet Protocol (IP), the Transmission Control Protocol (TCP),

    [Fig. 1. IEC 61850 Substation Automation Interface Model. Diagram labels: HV Equipment; Process Interface; Protection & Control; Function A, Function B; Process Level, Bay Level, Station Level; Process Bus, Station Bus; Control Center; Technical Services.]


    and the Manufacturing Messaging Specification (MMS). The various profiles actually defined by IEC61850 are shown in Figure 2. Note that the device to station level link, which does not have specific performance requirements, uses a traditional TCP/IP transport and network layer, whereas the device to device profiles, which requires fast (


    a Virtual Local Area Network or VLAN. This data flow restriction is achieved by adding 4 bytes to the Ethernet data frame per the IEEE 802.1Q standard. Once identified as an extended Ethernet frame, a device (switch/bridge-router) in the network can decode the VLAN ID or VID. This ID is read by the device and directed to those ports programmed with the same VLAN ID, thus partitioning the physical network into logical sub-networks.

    The third area addressed by the IEC GOOSE is that of Ethernet Priority in communication. Ethernet has traditionally been known as non-deterministic in that collisions on a shared wire made the delivery time of a message a random variable. With the introduction of Layer 2 full-duplex switch technology, Ethernet collisions no longer exist. Switches receive all messages and store and forward them to the destination locations as programmed. It is possible for a single port to have several messages queued for delivery, which would add a certain amount of delay in the processing of a message. Ethernet Priority, however, even removes this delay in most cases. Upon receipt of an Ethernet message with high priority, the received message is moved into a high-priority queue, and messages in the high-priority queues are sent before those in the lower priority queues, resulting in a higher Quality of Service for the GOOSE messages. However, potential delays of critical messages such as GOOSE/GSSE, all with the same high priority assigned, could be a factor. Guidance for using the provided priority mechanisms and testing to validate the desired performance are not defined yet.
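The 4-byte IEEE 802.1Q tag and the priority queuing described above, as an added example that is not part of the original paper: it decodes the tag, shows which ports a VLAN-aware switch would forward to, orders queued frames by priority, and flags GOOSE frames that arrive without the expected tag. The frames, MAC addresses, port table, and the policy values (VLAN 100, minimum priority 4) are constructed for illustration; treating a numerically higher priority value as more urgent and dropping untagged frames are simplifying assumptions.

```python
import struct

TPID_8021Q = 0x8100       # tag protocol identifier that marks an IEEE 802.1Q frame
ETHERTYPE_GOOSE = 0x88B8  # EtherType used by IEC 61850 GOOSE

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 4-byte 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "pcp": None, "vid": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # Tag control information: 3 bits priority, 1 bit DEI, 12 bits VLAN ID.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, pcp=tci >> 13, vid=tci & 0x0FFF)
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info

def egress_ports(info: dict, port_vlans: dict, ingress_port: int) -> list:
    """Ports programmed with the frame's VLAN ID, excluding the ingress port."""
    if not info["tagged"]:
        return []  # assumption: this switch drops untagged frames
    return sorted(p for p, vids in port_vlans.items()
                  if info["vid"] in vids and p != ingress_port)

def transmit_order(queued: list) -> list:
    """Strict priority: higher priority first, arrival order within a class."""
    keyed = [(-(f["pcp"] or 0), seq, name) for seq, (name, f) in enumerate(queued)]
    return [name for _, _, name in sorted(keyed)]

def audit_goose(info: dict, expected_vid: int, min_pcp: int) -> list:
    """Findings for a GOOSE frame that does not match the engineered VLAN/priority."""
    findings = []
    if info["ethertype"] != ETHERTYPE_GOOSE:
        return findings
    if not info["tagged"]:
        findings.append("GOOSE frame without 802.1Q tag")
        return findings
    if info["vid"] != expected_vid:
        findings.append(f"GOOSE frame on unexpected VLAN {info['vid']}")
    if info["pcp"] < min_pcp:
        findings.append(f"GOOSE frame with low priority {info['pcp']}")
    return findings

# Constructed frames: placeholder payloads, hypothetical source MAC.
_DST = bytes.fromhex("010ccd010001")   # multicast address in the GOOSE range
_SRC = bytes.fromhex("001122334455")
TAGGED_GOOSE = _DST + _SRC + struct.pack("!HHH", TPID_8021Q, (4 << 13) | 100,
                                         ETHERTYPE_GOOSE) + b"\x00" * 8
UNTAGGED_GOOSE = _DST + _SRC + struct.pack("!H", ETHERTYPE_GOOSE) + b"\x00" * 8
BULK_IP = _DST + _SRC + struct.pack("!HHH", TPID_8021Q, 100, 0x0800) + b"\x00" * 8

if __name__ == "__main__":
    goose = parse_frame(TAGGED_GOOSE)
    print(goose["pcp"], goose["vid"], hex(goose["ethertype"]))
    print(egress_ports(goose, {1: {100}, 2: {100, 200}, 3: {200}}, ingress_port=1))
    print(transmit_order([("bulk", parse_frame(BULK_IP)), ("goose", goose)]))
    print(audit_goose(parse_frame(UNTAGGED_GOOSE), expected_vid=100, min_pcp=4))
```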

    GOOSE messages incorporate quality and test bits. The former are meant to signify the goodness of data; the latter are meant to facilitate testing of distributed schemes. The Standard, however, does not mandate the creation of or the response to those bits, leaving such issues to the user.

    GOOSE messages typically incorporate channel monitoring by a simple method of sending messages even in the quiescent state. If a message does not arrive in a pre-defined window, communication loss is declared and the incoming signals are replaced by pre-defined values including on, off, last valid, etc.
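The channel monitoring and test-bit handling described in the two paragraphs above, sketched as an added example that is not from the paper or from any vendor's relay firmware. The class and field names, the 2-second window and the message timeline are constructed; ignoring the value of a test-flagged message while still counting it as proof that the channel is alive is one possible user policy, assumed here because the Standard leaves the response to the user.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Fallback(Enum):
    """Pre-defined substitution applied when communication loss is declared."""
    ON = "on"
    OFF = "off"
    LAST_VALID = "last valid"

@dataclass
class GooseInput:
    name: str                 # hypothetical signal name
    window_s: float           # pre-defined window for message arrival
    fallback: Fallback
    honour_test: bool = False # True only while the receiving IED is itself under test
    last_rx: Optional[float] = None
    last_valid: bool = False

    def receive(self, now: float, value: bool, test: bool = False) -> bool:
        """Record a message; returns True if its value was applied."""
        self.last_rx = now            # any message shows the channel is alive
        if test and not self.honour_test:
            return False              # assumed policy: test data never drives logic
        self.last_valid = bool(value)
        return True

    def comm_lost(self, now: float) -> bool:
        return self.last_rx is None or now - self.last_rx > self.window_s

    def value(self, now: float) -> bool:
        """Signal seen by the protection logic, with substitution on loss."""
        if not self.comm_lost(now):
            return self.last_valid
        if self.fallback is Fallback.ON:
            return True
        if self.fallback is Fallback.OFF:
            return False
        return self.last_valid

def replay(inp: GooseInput, messages: list, sample_times: list) -> list:
    """Feed (time, value, test) messages and sample the input at given times.

    Returns a list of (time, value, comm_lost) tuples."""
    pending = sorted(messages)
    out = []
    for t in sorted(sample_times):
        while pending and pending[0][0] <= t:
            rx_t, value, test = pending.pop(0)
            inp.receive(rx_t, value, test)
        out.append((t, inp.value(t), inp.comm_lost(t)))
    return out

# Constructed timeline: quiescent message, state change, repeat, then one
# test-flagged message, after which the publisher goes silent.
MESSAGES = [(0.0, False, False), (1.0, True, False), (2.0, True, False), (2.5, False, True)]
SAMPLES = [1.5, 3.0, 4.0, 5.0]

if __name__ == "__main__":
    for policy in (Fallback.OFF, Fallback.LAST_VALID):
        sig = GooseInput("BlockReclose", window_s=2.0, fallback=policy)
        print(policy.value, replay(sig, MESSAGES, SAMPLES))
```

With the same silent channel, the OFF policy drops the signal at t = 5.0 while LAST_VALID holds it, which is the choice a scheme designer has to make per signal.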

    The UCA binary GOOSE triggered transmission upon state change. Similarly, the IEC GOOSE specifies that a GOOSE message is to be triggered not only on a status change but also on a data change (i.e. change of an analog value greater than the dead band setting for the data item).

    3.4 Virtual AC wiring Sampled Values

    One of the most forward-looking elements in the IEC61850 vision is that of providing an interface between the process of voltage, current, and status measurement and the protection and control devices in the substation. This interface is defined in the Standard as the Process Bus. IEC61850 defines how samples of voltage and current can be transmitted over an Ethernet communication channel.

    The primary driver for this interface is the continuing emergence of non-conventional current and voltage transformers. Although available for over 15 years, the general adoption of such devices has been stymied, according to some, for lack of an inter-operable solution.

    The concept of a Process Bus has a wider application, though. If elimination of copper field wiring is a target, there will be a need to digitize the raw process information in the switchyard close to the primary equipment, and ship it digitally between devices in need of this information. This applies to traditional CTs and VTs as well as other mostly binary (on/off) information in the yard. This capability is essential for success of the process bus concept, since the utility industry cannot make a business case for replacement of all the existing instrument transformers at the same time that protection and control systems in the control buildings are being upgraded.

    It seems that the existing version of the Process Bus (P9-1 and 9-2) is primarily driven by a much narrower application with non-conventional CTs and VTs.

    3.5 Interoperable Format of IED and Substation Configuration

    The 61850 Standard hints at a set of engineering tools to address various tasks required in the design and implementation of a substation automation system. These include project design, configuration and documentation tools. The Standard does not attempt to define the tools themselves. Instead it defines a model of the IEDs and their communication services and defines a common file format for the description of the model. This standardized file format is used for the exchange of information between the various engineering software. These files have the potential to replace the schematics, wiring diagrams and point lists currently used to develop and document the substation design.

    Project design tools are used in the planning stages of a substation automation system. The system designer can specify the substation primary equipment in the form of a single line diagram. The high-level functional requirements of the system are defined here as well as the signaling requirements to the primary equipment. At this point, pre-configured devices (IEDs) that will be used to implement the automation system may also be selected and assigned.

    Configuration tools are used to parameterize the various IEDs to produce a working system. This task may be further broken down into the configuration of substation level functions and parameters (system configurator) and the configuration of autonomous IED parameters (IED configurator). The system configurator makes use of the specifications developed by the project design tool. The system configurator also utilizes standardized files that describe the capabilities of the IEDs. These tools also are responsible for the transfer of the configuration to the IED and for management and archiving of IED configurations.

    Documentation tools are responsible for the automatic generation of standardized documentation that is specific to the substation automation project. These tools are again subdivided


    into tools for documentation of the external equipment (i.e. CAD tools) and tools for documentation of IED parameters. CAD tools are used to develop AC and DC schematic diagrams for functions that are external to the IEDs and to document (list) the physical connections to the substation automation system. IED parameter documentation includes lists of signals that interface with substation equipment, internal logic, and parameters.
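How a standardized configuration file can stand in for a point list, as an added example that is not from the paper: it reads an SCL fragment, lists each GOOSE control block with its data set members and network address, and reports control blocks whose data set is undefined or whose address lacks a VLAN ID or priority. The SCL text is a trimmed, constructed fragment (not schema-complete), and the IED names, control block names and address values are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed SCL fragment: hypothetical IEDs, control blocks and addresses.
SAMPLE_SCL = """\
<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Communication>
    <SubNetwork name="StationBus">
      <ConnectedAP iedName="IED_A" apName="AP1">
        <GSE ldInst="LD0" cbName="gcbTrip">
          <Address>
            <P type="MAC-Address">01-0C-CD-01-00-01</P>
            <P type="VLAN-ID">064</P>
            <P type="VLAN-PRIORITY">4</P>
          </Address>
        </GSE>
      </ConnectedAP>
      <ConnectedAP iedName="IED_B" apName="AP1">
        <GSE ldInst="LD0" cbName="gcbBlock">
          <Address><P type="MAC-Address">01-0C-CD-01-00-02</P></Address>
        </GSE>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="IED_A">
    <AccessPoint name="AP1"><Server><LDevice inst="LD0">
      <LN0 lnClass="LLN0" inst="" lnType="T0">
        <DataSet name="dsTrip">
          <FCDA ldInst="LD0" lnClass="PTRC" lnInst="1" doName="Tr" daName="general" fc="ST"/>
        </DataSet>
        <GSEControl name="gcbTrip" datSet="dsTrip" appID="IED_A_Trip"/>
      </LN0>
    </LDevice></Server></AccessPoint>
  </IED>
  <IED name="IED_B">
    <AccessPoint name="AP1"><Server><LDevice inst="LD0">
      <LN0 lnClass="LLN0" inst="" lnType="T0">
        <GSEControl name="gcbBlock" datSet="dsMissing" appID="IED_B_Block"/>
      </LN0>
    </LDevice></Server></AccessPoint>
  </IED>
</SCL>
"""

def fcda_ref(fcda) -> str:
    """Readable reference for one data set member (FCDA element)."""
    ln = f'{fcda.get("prefix", "")}{fcda.get("lnClass")}{fcda.get("lnInst", "")}'
    ref = f'{fcda.get("ldInst")}/{ln}.{fcda.get("doName")}'
    if fcda.get("daName"):
        ref += f'.{fcda.get("daName")}'
    return f'{ref} [{fcda.get("fc")}]'

def goose_addresses(root) -> dict:
    """Map (iedName, ldInst, cbName) to the address parameters in Communication."""
    table = {}
    for cap in root.findall("scl:Communication/scl:SubNetwork/scl:ConnectedAP", NS):
        for gse in cap.findall("scl:GSE", NS):
            key = (cap.get("iedName"), gse.get("ldInst"), gse.get("cbName"))
            table[key] = {p.get("type"): (p.text or "").strip()
                          for p in gse.findall("scl:Address/scl:P", NS)}
    return table

def goose_point_list(scl_text: str):
    """Return (rows, findings) for every GSEControl block in the file."""
    root = ET.fromstring(scl_text)
    addresses = goose_addresses(root)
    rows, findings = [], []
    for ied in root.findall("scl:IED", NS):
        for ld in ied.findall(".//scl:LDevice", NS):
            ln0 = ld.find("scl:LN0", NS)
            if ln0 is None:
                continue
            datasets = {d.get("name"): d for d in ln0.findall("scl:DataSet", NS)}
            for cb in ln0.findall("scl:GSEControl", NS):
                ref = f'{ied.get("name")}/{ld.get("inst")}/{cb.get("name")}'
                ds = datasets.get(cb.get("datSet"))
                members = [] if ds is None else [fcda_ref(f) for f in ds.findall("scl:FCDA", NS)]
                if ds is None:
                    findings.append(f"{ref}: data set {cb.get('datSet')!r} not defined")
                addr = addresses.get((ied.get("name"), ld.get("inst"), cb.get("name")))
                if addr is None:
                    findings.append(f"{ref}: no GSE address in Communication section")
                else:
                    for key in ("VLAN-ID", "VLAN-PRIORITY"):
                        if key not in addr:
                            findings.append(f"{ref}: address lacks {key}")
                rows.append({"control_block": ref, "members": members, "address": addr or {}})
    return rows, findings

if __name__ == "__main__":
    rows, findings = goose_point_list(SAMPLE_SCL)
    for row in rows:
        print(row)
    for finding in findings:
        print("FINDING:", finding)
```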

    3.6 Envisioned Design Process for IEC 61850 P&C System

    One could envision a greatly streamlined design process using the tools described in the previous subsection. The ultimate design process could be envisioned as follows:

    The design standards group converts its standard substation design into a 61850 document. This file would consist of a single line diagram showing the primary equipment populated with logical nodes representing the required functionality for the substation.

    The projects engineer would use this master file to create a design for a specific substation using a generic project design tool. This could entail copy-and-paste operations to add additional bays, for instance. The resulting file might become a tender document distributed to various substation automation vendors. The engineer involved in bidding would import the document into a system configuration tool and map the logical nodes to physical devices of choice. The modified file may become part of a bid document showing the location of IEDs and their associated functions.

    After the project has been awarded, detailed engineering would commence. The substation integrator would import the file used for bidding into a substation configuration tool. At this level, the communications services of the IEDs would be configured for the implementation of distributed functions. Data sets could be created by drilling down into specific logical nodes to select the desired data (self-described). The resulting GOOSE messages could interconnect devices through a simple drag-and-drop process. Report applications (SCADA) and sampled value applications (process bus) would be implemented in a similar fashion.

    After all system level functions have been implemented, the output file would be exported to the IED configuration tool. Here the remainder of the IED parameters would be configured. The output file from the IED configurator would be ready for download into the IED and could be used to automatically generate the documentation for the project.

    The above describes a process in which little engineering effort is duplicated or repeated, and the entire project is delivered in an electronic format that starts as a bidding document and grows into detail design equivalent to IED settings as it goes through various design stages.

    4. Unanswered Questions - What's Missing?

    From the beginning, the scope of the IEC 61850 project was to define a protocol for the communication of information. Specifications for the actual design, commissioning, operation, and maintenance aspects of a complete system architecture appropriate for integrated substation applications were not part of the scope. This section will attempt to highlight some of the areas where further development is required in order to facilitate delivery of a complete, working system capable of utilizing the vision of IEC 61850.

    4.1 High-Level Requirements for Next Generation P&C System

    Given the way protection and control systems are deployed and operated today, the following are highly desirable features of the anticipated next generation protection solution. The following statements apply mainly to the protection aspects and not to the relatively complete and mature client-server (SCADA) portion of the 61850 set of protocols. A key element in any design is to first establish the basic functional requirements; these in turn will permit development of appropriate solutions. The following items are intended to address some of the requirements:

    Availability. The protection architecture of an integrated system shall have availability equal or better than today's systems. Given the extremely high reliability of instrument transformers, connecting cables, and interposing/lockout relays, today's availability is primarily driven by the failure rates of multi-function IEDs, and is expected to be in the range of 100 years of MTTF. There is a dramatic impact of the count of electronic devices comprising a fully integrated system (merging units, Ethernet switches, time synchronization sources) on the availability of the system. A successful architecture will have to be engineered to retain equivalently high availability regardless of the number of devices in the scheme. Not meeting this requirement will be damaging to the concept and its present momentum, and may result in erasing all initial savings by increasing the subsequent cost of ownership.

    Cost-efficiency. Microprocessor-based relays have been adopted despite the reduced performance of early models compared with the preceding generation of static and electromechanical relays, because of their attractive initial price equation. A successful architecture will have to prove significant reduction of the total cost of installation and ownership. This shall account not only for the initial engineering, construction and material cost of a solution meeting all other requirements, availability in particular, but also for cost of maintaining extra electronic equipment that replaces virtually maintenance-free items such as cables and associated drawings, pushbuttons, interposing relays, etc. It is the cost equation that separates what is technically possible from what is eventually manufactured, given a chance to mature, and be deployed in the field.


    Purpose-driven design. Implementation details, the intended focus of the 61850 Standard, are secondary compared with the challenges of architecting a robust system. The overall system design should be purpose-driven, with cost and simplification being primary targets.

    Switchyard wiring offers the biggest saving opportunity. With non-conventional CTs/VTs being adopted very slowly, the practical solution for cost-efficient substitution of the yard copper wiring focuses around placing electronic devices in the yard to interface with physical secondary signals at their origin. This presents a challenging task in terms of architecting the system, particularly in the area of redundancy. Presently the IEC 61850 Standard specifies that a single failure shall not take down the communication, but the document does not address the issue of architectures required to obtain a high degree of availability. Additionally, issues such as stand-by data, dynamic data substitution, etc. are not addressed. Much work remains to be done to turn these concepts into reality so practical systems can be delivered.

    Another significant saving opportunity is in the area of lockout relays. The Standard does not acknowledge existence of lockout relays, nor does it address the issue of practical implementation of the lockout functionality in the soft space.

    Overall, the cost and simplification benefits need to drive practical architectures, and those architectures should drive the interoperability standards. When reversed, the unfortunate result may be a lack of important features and/or the introduction of concepts that will never be used.

    Another aspect of a purpose-driven design is to use the right tools for a given problem. This requires in-depth knowledge of protection and control engineering and must not be done from a generic and oversimplified perspective of moving real-time data between various devices. A successful system will have to be designed to overlap with and take advantage of the way the primary equipment is designed, operated, and regulated by various agencies, i.e. taking into account this particular process to be controlled, known as a power substation.

    Advancements in technology must be closely monitored and old assumptions must be critically re-visited. For example:

    With a limited number of signals belonging to a given zone of protection (characteristic of the process), and the cost of fiber being very low already (evolving technology), what is the role of Ethernet switches on the process bus level, i.e. in the real time critical network intended for protection?

    Or, assuming secondary signals are produced by traditional instrument transformers, and elimination of the yard wiring is one of the primary targets for the new architecture, while systems A and B remain independent, what is the value of interoperability for the sampled values?

    Or, if interfacing with physical signals at their origin is a part of the solution, why does the envisioned communication protocol seem to be heavily biased towards uni-directional transmission of fast analog values, instead of bi-directional transmission of co-existing binary and analog values?

    Segregation of Functions. Today's solutions show a good degree of separation. Protection systems A and B are separated; zones of protection within each system are separated; a given zone can be protected with a single device manufactured by a single vendor; a given IED can be maintained with minimal interactions with other devices (breaker failure is an exception); firmware upgrades can be performed with little or no interactions with other devices; a given application can be engineered using minimal and well defined interfacing points with other applications; a given IED can be set up using a single set up software, etc. The above is too often taken for granted but could be jeopardized when using communication-based solutions that go too far. A successful architecture will have to maintain simple separation boundaries between elements or users will become overwhelmed with complexity of interactions while engineering their protection and control systems.

    Separation of Secondary Equipment/Manufacturers. There is a practical value in limiting the number of pieces of secondary equipment interacting with one another, and reducing and simplifying the interactions themselves while fulfilling the mission critical task of protecting the power system. Today's architectures depend on a small number of devices or signals for protection. In particular in order to protect a given zone it is required to synchronize measurements for the few signals that bound the zone. This is done internally to the relay, and does not involve synchronization to an absolute time or synchronization among all signals in the substation. Also, today's solutions do not require third party devices to produce and move data required for protection. Dependency on such devices must be considered substandard in terms of overall availability of the system, complexity, separation of functions and equipment manufacturers, upgradeability, etc. and should be avoided at all cost unless necessary to achieve a more valued goal. Today relay manufacturers attend to all sorts of underlying processes taking place in a modern relay. Such a complex product is controlled by a single firmware, tested as a whole, engineered to work optimally as a system, supported by a single set up program, and guaranteed by a single vendor. Some concepts promoted by the IEC 61850 seem to go in the opposite direction. For example, a solution that requires four devices (merging unit(-s), Ethernet switch(-s), protection IED(-s), and source(-s) of time/synchronization) coming from several vendors, each having its own firmware and a set up program, may face significant acceptance problems. Building tightly coupled systems out of several microprocessor-based devices by several vendors brings extra risk and complexity, probably doubling with each new type of device or new vendor added to the equation. For example consider the exercise of troubleshooting a GPS-supported line current differential scheme, with communication converters, and multiplexers. When one assumes that each of the four system components could be supplied by different vendors, the significance of the issue becomes evident: all parties may comply to applicable standards, and still the system may have problems. The user is ultimately accountable for making it work. Maintaining control of type test integrity becomes very convoluted; from a responsibility standpoint, nobody is in charge. There is no easy way to control the impact of a change in any one element, especially after the system goes in. The overhead cost associated with working with several other vendors while developing or modifying products will get eventually passed on to the user. Given the complexity of the 61850 proposals the initial product fine-tuning phase is not going to subside quickly.

    Maintainability. Today's systems are engineered by users to meet their operational and maintenance criteria. This is possible after decades of accumulated experience and owing to common denominator interfaces between the relays in the form of copper wires or simple serial protocols, and relative indifference of the way the relays, including IEDs, are designed, on the operational and maintenance procedures at various utilities. By migrating the input and output signals into communication media, the user experience and training base will have to be significantly re-visited. Even more, the issue of maintainability and testability of the system will shift towards inner workings of the IEDs, putting more burden on manufacturers in order to facilitate the processes traditionally under the full control of users. Both the new architectures and communication protocols will have to be designed to aid this process. The IEC 61850 Standard does not address this issue: it refrains from suggesting any practical architectures and stops short of mandating the response of compliant devices to test values or substituted data, making these concepts of a very low value. The above assumes that users would accept testing or isolation performed in software. Those who would insist on physical testing and/or isolation are left without any practical suggestions.

    Determinism. Protection is considered a mission critical task, designed for worst-case scenarios in both primary and secondary systems. As such it requires a high level of determinism, and must be designed assuming a worst-case scenario within the secondary system itself. Determinism is required to make the engineering task possible (example: worst-case message delivery time for calculations of the coordinating timer in a blocking scheme, or a trip time of a breaker fail scheme); but also to guarantee that the initially commissioned version does not deteriorate as the system is expanded, devices are replaced with different models or from different vendors, firmware is upgraded, critical communication settings are altered, etc. A solution that requires re-engineering or re-testing of a large portion of the scheme each time a firmware on an Ethernet switch is upgraded, or a new bay is retrofitted and added into the highly integrated communication based P&C system will face acceptance problems if determinism cannot be guaranteed. Lack of determinism and/or lack of future-proof solutions could result in extra engineering, troubleshooting, and testing after the system is initially commissioned to the extent that initial cost savings will be jeopardized.

    Right degree of interoperability. Today users accept proprietary solutions as long as the size of the proprietary subsystem is small enough, practically limited to a single zone of protection. Indeed, today's transformer or line IEDs are entirely proprietary in terms of collecting their data from standardized analog interfaces, processing it, and executing their controls. The need for digital interoperability within the substation exists in two areas only: client-server SCADA protocol, and peer-to-peer binary signals for interlocking, breaker fail initiate, auto-reclose initiate, closing and perhaps tripping. A successful solution needs to deliver on interoperability in the areas that are required while addressing all practical aspects such as performance, ease of use, future-proofing, determinism, testability, and maintainability.

    Clear design responsibilities. By proposing certain communication-based concepts for exchanging real-time protection-critical information between devices, but restraining itself from providing any architectural proposals for the system, or addressing specific operational requirements, the IEC 61850 Standard invites various parties from users, through equipment vendors, to independent software companies, to a group design activity for the mission critical system known as power system protection. Involvement of users shall be noticed: the concept was meant to address the problem of understaffed utilities, high cost of engineering, and lack of standardized P&C solutions.

    Given its complexity and performance requirements a successful solution will have to come from parties focused on the complete system, not on its detached elements. Substantial development cost may be required to complete the task, with the outcome being a considerable paradigm shift facing acceptance challenges from both users and regulators. Close cooperation and risk sharing between users and manufacturers will be required for the concept to succeed.

    Again, the preceding observations apply to protection functionalities, and not to the relatively simple and mature client-server (SCADA) portion of the 61850 set of protocols.

    4.2 Allocation of IEDs and P&C Functions to Zones of Protection

    Protection engineers are accustomed to long-standing rules for applying protective relay units, more recently multifunction boxes, to the various zones of protection. Some of these rules are based on hardware unit failure impact criteria that remain relevant regardless of how the relays are networked for data communications. However, the combination of design features in the latest generation of microprocessor relays, and the control connectivity of IEC 61850 communications (especially GOOSE/GSSE messaging) provide the tools to meet these criteria in better ways and with less equipment than before. Note that the IEC 61850 Standard advises the user that redundancy will be required, but it does not specify how to architect or interconnect the relays and IEDs. In the ensuing text, interconnection architectures and other issues are illustrated.

    It is assumed that, for a critical bulk power transmission substation or line, two totally isolated redundant systems will be required so that there is no credible single point of failure that can disable both systems. We call these System A and System B rather than Primary and Backup, since either must be capable of the entire protection job if the other has failed or is out of service. NERC reliability criteria demand this redundancy to guard against the impact of single failures, and NERC offers specific implementation guidelines. It is noted here that some of those guidelines are derived from traditional protection and control architectures, and that the technical requirement for no single point of failure can be met by entirely different approaches.

    Some utilities use more than two redundant systems, but adding more equipment than needed does not always help; it certainly increases the number of failures and repairs to deal with. A P&C system based on a 61850 LAN has technical features that can reduce the justification for these third and fourth tiers of redundant relays, as we explain further below.

    Refer to Figure 3. Here we see a typical ring bus with three lines and a transformer connected. Ring buses or breaker-and-a-half buses are notable for the fact that each zone of protection (a line, bus, or transformer) is fed by multiple breakers. Each breaker must have its own control and protection features. Accordingly, the traditional architecture for such a substation features zone protection panels, having only the relay(s) and control auxiliaries that apply to that line, bus, or transformer. For each zone that is important to power system security, there are at least two separate redundant relay panels. There are separate breaker panels, one per breaker, where all the breaker-oriented protection and control functions and auxiliary devices are installed. These typically include breaker and disconnect switch controls for operators, breaker failure protection, automatic reclosing, and lockout switches for breaker failure actions. As Figure 3 shows, a breaker panel interacts with each of the two adjacent zone protection panel pairs, for example to receive breaker failure initiation or reclosing initiation. Similarly, each protection panel pair interacts with the two or more breaker panels for the breakers connecting to the zone.

    Looking at this standard design, it is clear that early-generation microprocessor relays with line protection plus breaker failure and reclosing were not useful (they are potentially useful in less critical subtransmission and distribution applications where a line is fed by a single breaker from the bus, and a common failure of line and breaker protection will have only localized impact on the power system). However, the latest generation of microprocessor relays from several manufacturers have breaker functions for two breakers, with a separate set of current input channels for each breaker. Zone currents are summed from the breaker inputs.

    These next generation relays can be applied in the new architecture of Figure 4. Here, the breaker functions reside in the zone relay boxes, eliminating the breaker panels and the separate breaker control and protection equipment. While the failure of a relay unit can also take out the breaker functions included in it, note that there are now redundant functions for each breaker, which was not a feature of the old Figure 3 architecture. Therefore, the new architecture meets agency reliability criteria for no single point of failure, and with far fewer relay units than before. In many cases, there are four redundant breaker function groups for each breaker, more than we need; some can be turned off for simplicity.

    None of these new arrangements for distribution of breaker functions are directly related to use of a LAN with IEC 61850 messaging. However, a pair of redundant 61850 Ethernet LANs provides the means for communications and control among the breaker and zone functions that would otherwise require complex and confusing wiring and mounting of auxiliary devices. GOOSE/GSSE high-speed control messages are especially suited for breaker failure initiation, breaker lockout actions when a breaker failure occurs, reclosing initiation, reclosing function control transfer if the normal relay with line reclosing responsibility fails, and assignment of local manual control functions to relay pushbuttons (as a backup to a substation computer that would be designed into a modern substation for operator use). It is these architectural opportunities and the cost savings they yield that help users to make a business case for the benefits of designing a new substation using 61850 LAN communications. In the example here, we eliminated five breaker panels, and a mass of wiring and auxiliary devices, finishing with an installation having only 8 zone relays on a small number of panels.

    Fig. 3. Conventional Architecture for Zone and Breaker Panels.

    There is another important benefit of the new architecture with its dual redundant 61850 LAN communications that is not apparent from the figures. An important feature of the GOOSE or GSSE messaging is that messages are transmitted periodically from each relay that broadcasts, to all of the subscribing relays on the network. Normally, the messages are telling the receiving devices that nothing unusual has happened and that nothing need be done. However, the periodic transmission of these no-action messages monitors the performance of the control connection, and any failure of a relay or a LAN component (e.g. optical fiber, or Ethernet switch port) can generate an immediate alarm to maintenance personnel. While the second redundant system and its LAN continue to protect, the failure of the first can be rapidly repaired.

    On top of this capability, the relay processes these GOOSE messages through the same hardware and outputs that are used for other protective operations. Therefore, if the relay processor is running, and is routinely operating its output for zone protection or for manual SCADA control, then we know that we have a completely monitored and tested chain of functions that will carry out a major lockout action if needed.

    Note that conventional wiring and lockout switches have no such overall self-monitoring capability. Furthermore, functionally testing a device like a lockout switch is so awkward and disruptive to power system operation that it is rarely if ever done; we tend to hope these devices will be trusty and reliable, but we are not sure about them. Because of the ability to demonstrate that two redundant systems are sure to work, and can rapidly repair one that fails, we have a case for avoiding the use of three or four redundant systems. Taking this simplification cuts the purchased equipment by a third to a half, reduces long-term maintenance costs by a similar amount, and yields floor space, inventory management, and setting coordination management benefits.

    While the developers of 61850 were aware of these opportunities and designed the system to bring them to users, they are not written into the Standard, or other public domain publications. It takes some application experience and insight to get these important benefits.

    4.3 AC Signals

    The cost of copper cabling typically applied by most utilities (engineering, drafting, materials and installation) represents a significant fraction of the total cost of a substation. Digital solutions that replace many copper cables with relatively few fiber optic communications cables are therefore very attractive and have the potential to save considerable amounts of money.

    Long cabling applied today has some impact on quality of the used AC signals. CT saturation is the prime example. However, with the extremely low burden of modern microprocessor-based relays dramatic reduction of AC cabling does not make much difference. Other non-ideal behavior associated with instrument transformers affecting AC signals, such as frequency and transient response, is typically dealt with via improved protection algorithms that can better cope with signal distortions attributed to long cabling.

    Fig. 4. Use of Microprocessor Zone Relays with Multiple Breaker Functions Included.

    Non-conventional instrument transformers promise better signal quality, but those benefits are not dependent on using digital communications to distribute the signals. The lesson learned from successful adoption of microprocessor-based relays makes one believe that it will be unquestionable cost saving rather than better performance that would bring the non-conventional transformers into the mainstream application.

    Safety issues such as rising potentials are more of a problem and could be eliminated or reduced when using communications-based AC signals. In this context, despite their 15 years of existence, the non-conventional transformers are yet to see their widespread adoption.

    It is important to consider how fiber systems can be deployed without sacrificing the high reliability currently enjoyed with copper. Important considerations are the number of devices connected to any one communications link, time synchronization, response to loss and recovery of the synchronization source, dependence on any one master clock that could be unavailable, element removal for maintenance, availability of test software, and ultimately, user acceptance.

    A significant unanswered question is the actual design methodology required, both at the system and device levels, to make the change from the traditional copper cable approach to carrying AC signals to the digital alternative. When making this transition from traditional substation practice employing many copper cables individually wired to instrument transformers, an important consideration is the type of AC signal to be carried and the associated performance requirements. AC signals used by P&C systems fall into two general categories: time averaged and instantaneous.

    Time averaged signals are those that inherently undergo some sort of integration process as part of the basic signal acquisition or later as part of the calculation or application where the signal is used. Examples of time averaged signals are operating measurement telemetry, such as per-phase Amperes or three-phase Megawatts. Time averaged signals typically experience latencies in the range of 1 to 4 seconds, with no detriment to the end application or user. Applications based on remotely accessed time average values on the client-server basis have been used for decades, initially via RTUs and recently using protection IEDs.

    Instantaneous signals are those which are utilized in time-critical applications such as protective relay algorithms and typically contain sampled values of power system AC quantities sent in real-time. An example of an instantaneous signal is the secondary voltage of a capacitive voltage transformer used in a distance relay algorithm. In this case, permissible data latency may be less than 100 microseconds.

    It is taken for granted that copper based signals can easily be shared. It is not so with communication based signals. One of the fundamental architectural issues is how to provide overlapping zones of protection, with mandated redundancy but without multiplying the number of required IEDs of various types (merging units, Ethernet switches, time synchronization means, IEDs) to the extent of ridiculously low reliability and availability of the complete system. The point-to-point 61850 process bus suggestion (part 9.1) calls for an unreasonably high number of merging units. The switch-able (LAN-based) 61850 process bus suggestion (part 9.2) yields a convoluted scheme with time synchronization, LAN, testability and maintainability issues.

    When carried on a communications network, signal latencies are introduced by the communications medium itself, in addition to latencies introduced by the signal acquisition interface and end processing application. At any given time, these latencies may be static or random, depending on the communications topology deployed. Latencies may also change as a result of system re-configuration or fail-over, for example following a communications device failure in a redundant system. Communications latencies are therefore of considerable concern in the design of any substation LAN-based or point-to-point topology because these extra delays, if not carefully examined, may fundamentally alter or impair the performance of the end application. Complicating matters is the fact that communications latencies are often difficult to measure or even predict. LAN architectures and issues are discussed later in this section.

    The usual approach to managing communications latency with time averaged signals is to factor the worst-case expected latency into the overall response required by the application. The solution is not so simple with instantaneous AC signals. Practical usage of instantaneous signals requires accurate synchronization of measurements at all involved locations. For example a distance function requires the voltage and current signals be synchronized. If delivered by two independent devices, these signals must be referenced to the same time base. Time synchronization issues are discussed later in this section.

    Treatment of lost data is a significant aspect in the line algorithm. As each expected packet can be lost or arrive after a variable time delay, the algorithm must be smart enough to wait for pending data and abandon at a given point in time when the maximum delay time is exceeded.

    Another consideration when making the transition from P&C systems using individually copper cabled instrument transformers to solutions relying on digital communications is fault tolerance. The existing copper solutions have the advantage of being extremely reliable from the overall standpoint of view, because there are very few common failure modes, short of a fire in a cable trench. Availability of distributed P&C architectures utilizing fiber-based AC signals is discussed later in this section.

    All of these issues are solvable and must be resolved in parallel with the IEC 61850 Standard, but the quest to realize the potential cost savings will require concerted engineering effort.

    A weakness of the 61850 vision in the context of the process bus is the absence of workable architectures that would satisfy a long list of technical, operational, and regulatory issues. Acceptable architectures may require specific tools, or broadly defined rules for communications. These rules are obviously not there, and what has been specified only enables lab-projects for connecting a merging unit to a compliant IED.

    4.4 DC Signals

    Another unanswered question is how to effectively implement a digital alternative to the conventional hard-wired connection of discrete DC signals within the substation. DC signals used by P&C systems also fall into two general categories: those that indicate the current state of an element or system, and those that represent time-critical actions, such as protection trips.

    The first category includes signals such as alarm and status points used by SCADA systems and the state of discrete conditions such as switchgear interlocks, position of reclosure selections, etc., but does not include the status of breaker auxiliary switches used in breaker failure and other critical protection applications. Signals used by control systems are generally one order of magnitude less critical with respect to delivery time than those used by primary protection systems. Inherent latency times for status signals are typically in the range of 15-20 ms, whereas alarm and condition states may have acceptable latency times of 1.0 s or more. Existing communications performance in practically any topology (point-to-point, star LAN, bus LAN, etc.) is quite capable of meeting this level of performance in control systems of up to 1000 points or more.

    The second category poses a much more significant design and application challenge for emerging communications-based alternatives. This category includes most input and output signals used by primary protection and teleprotection systems. Backup protections generally do not require this level of performance. Category two signals are considered to be those that require reliable delivery in less than 4.0 ms, under the worst-case guaranteed system traffic conditions. If we assume that the portion of protection circuitry between existing relays and the associated switchgear is implemented with auxiliary relays and miles of wire and cable, the fastest protection trip signal times are typically 4.0 ms and are determined by the choice of auxiliary relay used for high-speed applications. This is frequently used as a benchmark when evaluating digital alternatives. Developers of the current generation of IEDs have generally met this level of performance for the execution of discrete internal logic, analogous to separate auxiliary relay logic. However, current substations still use many thousands of dollars worth of DC cable to interface IEDs to switchgear and other devices in the switchyard and within the relay building.

    From a cost point of view, the same incentive exists to eliminate or reduce DC copper cabling as there is with AC cabling. Similar communications latency considerations apply also, except the need for time stamping is generally limited to the appropriate identification of discrete events. In the case of discrete protection trip signals, communications performance is impacted by the extremely random nature of this traffic. For example, say a substation runs normally for two years and then suddenly a bus fault occurs, followed by a breaker failure. Immediately, many IEDs start sending huge amounts of traffic and the communications infrastructure suddenly reaches % of capacity. Some signals may therefore experience delay or even become lost if the design doesn't anticipate this type of response.

    Converting discrete signals formerly carried via copper wires to their LAN-based equivalent messages also significantly changes the failure mode from the perspective of the receiving device. In a traditional wired circuit, a contact closes at the sending end and an auxiliary relay coil picks up at the receiving end. The auxiliary relay remains energized for the entire length of time the sending contact is closed. The length of time the sending contact is closed also conveys information and in fact is the basis for many time co-ordination and backup schemes. In a LAN-based scheme, this transaction is replaced by discrete commands sent digitally over the network. A message is sent signifying the on state and another message may be sent later signifying the off state. The receiving application must keep track of the context of these messages. If, for example, the system fails and the off message is never received, the receiving application could be stranded in an undesirable state for an extended period, unlike the wired system in which the receiver will fail safe and turn itself off. Therefore, a practical message delivery system for a substation-LAN based messaging protocol must include additional features such as a regular heartbeat message or other equivalent strategy to identify the continuity of the sender. The receiver also needs to have a strategy permitting it to go back to the reset or default state upon loss of the heartbeat message.
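The receiver strategy described above, together with the supervision by periodic no-action messages described in section 4.2, can be sketched as follows. This is an added example, not code from the paper or from any IEC 61850 stack: it is a simplified model rather than a GOOSE decoder, and the message fields, class names and the constructed timeline are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class StatusMessage:
    """One published status message (hypothetical fields for this sketch)."""
    state_number: int   # incremented by the sender on every change of value
    seq_number: int     # incremented on every repeat of the same state
    value: bool         # e.g. "breaker failure initiate" on/off
    max_gap_ms: int     # sender's promise: next message within this time


@dataclass
class SupervisedInput:
    """Receiver-side view of one remote binary signal."""
    default: bool = False
    value: bool = False
    healthy: bool = False
    last_state: int = -1
    last_seq: int = -1
    deadline_ms: int = 0
    log: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.value = self.default

    def tick(self, now_ms: int) -> None:
        """Timer check: revert to the default state once the heartbeat is lost."""
        if self.healthy and now_ms > self.deadline_ms:
            self.healthy = False
            self.value = self.default
            # Forget the counters so that a restarted sender can be re-acquired.
            self.last_state = self.last_seq = -1
            self.log.append((now_ms, "heartbeat lost: reverted to default, alarm"))

    def on_message(self, now_ms: int, msg: StatusMessage) -> None:
        self.tick(now_ms)  # expire first, so a late message cannot hide a gap
        newer_state = msg.state_number > self.last_state
        repeat = (msg.state_number == self.last_state
                  and msg.seq_number > self.last_seq)
        if not (newer_state or repeat):
            # Delayed or duplicated copy of an older state: it must not
            # overwrite the current value or extend the deadline.
            self.log.append((now_ms, "ignored out-of-order message"))
            return
        if not self.healthy:
            self.log.append((now_ms, "heartbeat acquired"))
        if msg.value != self.value:
            self.log.append((now_ms, f"value -> {msg.value}"))
        self.value = msg.value
        self.last_state = msg.state_number
        self.last_seq = msg.seq_number
        self.healthy = True
        self.deadline_ms = now_ms + msg.max_gap_ms


def run_constructed_scenario():
    """Replay a constructed timeline; None marks a plain timer tick."""
    rx = SupervisedInput(default=False)
    timeline: List[Tuple[int, Optional[StatusMessage]]] = [
        (0,    StatusMessage(1, 0, False, 2000)),   # idle "nothing happened"
        (1000, StatusMessage(1, 1, False, 2000)),
        (1500, StatusMessage(2, 0, True, 2000)),    # "on" message
        (1504, StatusMessage(2, 1, True, 2000)),    # fast repeat
        (1510, StatusMessage(1, 1, False, 2000)),   # delayed copy of old state
        (2500, StatusMessage(2, 2, True, 2000)),
        # The link fails here: the "off" message is never delivered.
        (4000, None),                               # still inside the deadline
        (4501, None),                               # 2500 + 2000 exceeded
        (9000, StatusMessage(3, 40, False, 2000)),  # link repaired
    ]
    snapshots = []
    for now_ms, msg in timeline:
        if msg is None:
            rx.tick(now_ms)
        else:
            rx.on_message(now_ms, msg)
        snapshots.append((now_ms, rx.value, rx.healthy))
    return rx, snapshots


if __name__ == "__main__":
    receiver, states = run_constructed_scenario()
    for row in states:
        print(row)
    for entry in receiver.log:
        print(entry)
```

In the constructed timeline the receiver holds the on state only until the sender's promised interval expires, then resets itself and raises an alarm, which is the fail-safe behaviour the wired auxiliary relay gives for free.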

    An additional factor affecting reliable message delivery is the choice of the LAN architecture itself and the various redundancy strategies that may be established. For example, simple networks connected with shared media switches may cause collisions to occur between messages sent nearly simultaneously, thus impairing message delivery of one or all of the sending stations. Switch networks greatly improve the situation, but each system type still needs to be carefully evaluated with respect to the performance of critical traffic.

    The network architecture or topology also has a bearing on the reliability of message delivery in a digital substation. For example, many older SCADA architectures were based on the master-slave concept, in which the slave devices essentially are data senders and discrete I/O devices only. Many newer substation integration architectures are based on the peer-to-peer concept, in which system elements exchange information but are also capable of autonomous behaviour on their own.

    Solutions that replace DC cabling with fiber optic communication solutions are becoming available. It is paramount that the application topologies proposed carefully consider and ultimately specify explicitly the maximum performance any given combination of IEDs, field acquisition devices and communications elements is capable of. Simple application rules are required for consistent deployment on actual projects. Appropriate redundancy or equivalent strategies are also required to guarantee acceptable overall system reliability despite the consolidation of signals on a multiplexed bearer media instead of over many simple and discrete wires. Fiber alternatives also offer significant advantages over DC cables with respect to immunity against (induced) interference and transient (capacitive) effects that tend to be troublesome with the current generation of IEDs and teleprotection equipment. The potential exposure to battery grounds is also significantly reduced.

    4.5 LAN Architectures and Issues

    As communications in the substation (and beyond) takes on amore critical role in the protection and control tasks of the utility,the enterprise communication architecture must be designedto meet the same critical design requirements of the equipmentwith which it is connecting. Specically, the communicationequipment must meet the same environmental and electricalspecications as the protection and control equipment.

    In addition to the electrical and environmental specications,

    the communication system must be available to communicatebetween the various IEDs in or between substations. Thedesign for high-availability starts with redundancy in thecommunications from the IED. Redundancy in the IED can beachieved either through redundant port or redundant media.With redundant ports, there are two completely independentEthernet ports built into the IED with each port having its ownEthernet MAC address and separate IP addresses. With twosets of addresses, the IED must constantly monitor both portsfor information received and channel it to the appropriateprocess.

    A second option for redundancy is that of redundant media. In this implementation, there is only one Ethernet port (one MAC address, one IP address) that is dynamically switched from a primary fiber port to a secondary output port. The switching is based on the loss of Ethernet link pulses on the primary connection.

    Given redundant Ethernet on the IED, the next area to address with redundancy is the Ethernet connection junction. In today's implementations, it is almost a given that the connection between Ethernet ports will be performed by an Ethernet Switch. A switch operates at a logical level in the communication hierarchy, that is, a switch receives an Ethernet packet, reads the contents, and then decides how the contents should be processed and forwarded. In the processing of the packet, the switch first determines if the packet should be processed at all (a security feature to inhibit just anyone from unplugging an IED and plugging in a laptop in a substation). If the packet is to be processed, should it be processed with priority (a Quality of Service feature of Ethernet) and should it be delivered to only specific ports (Ethernet Virtual LAN option). In the redundant architecture, each Ethernet output of the IED should be connected to different switches so that if a switch fails, communication to the IED can automatically be transferred to the back-up communication port on the IED. The two switches now need to be linked together so that a message received on one switch can be transmitted to any device connected on the other switch.
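
    The three ingress decisions described above (process the packet at all, with what priority, to which ports), as an added Python sketch that is not code from the paper or from any switch vendor. The port names, MAC addresses, VLAN numbers and policy tables are constructed for illustration; the 802.1Q tag layout, the GOOSE EtherType 0x88B8 and the GOOSE multicast address range are the standard values.

```python
import struct

TPID_8021Q = 0x8100       # IEEE 802.1Q tag protocol identifier
ETHERTYPE_GOOSE = 0x88B8  # EtherType used by IEC 61850 GOOSE
GOOSE_MCAST = "01:0c:cd:01:00:01"  # destination in the GOOSE multicast range

# Constructed switch configuration: every name, MAC and VLAN id is illustrative.
PORT_ALLOWED_MAC = {"p1": "02:00:00:00:00:01",   # line IED
                    "p2": "02:00:00:00:00:02",   # breaker-fail IED
                    "p3": "02:00:00:00:00:03"}   # station HMI
PORT_DEFAULT_VLAN = {"p1": 10, "p2": 10, "p3": 20}
VLAN_MEMBERS = {10: {"p1", "p2", "uplink"},      # protection traffic
                20: {"p3", "uplink"}}            # station-level traffic


def build_frame(dst, src, ethertype, payload=b"", pcp=None, vid=None):
    """Build an Ethernet II frame, 802.1Q-tagged when pcp or vid is given."""
    raw = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if pcp is not None or vid is not None:
        tci = ((pcp or 0) << 13) | ((vid or 0) & 0x0FFF)
        raw += struct.pack("!HH", TPID_8021Q, tci)
    return raw + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return source MAC, EtherType and the 802.1Q priority/VLAN if tagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    pcp = vid = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
    return {"src": src, "ethertype": ethertype, "pcp": pcp, "vid": vid}


def switch_decision(in_port, frame):
    """Apply the three checks in order; return (action, priority, egress ports)."""
    try:
        f = parse_frame(frame)
    except ValueError:
        return ("drop:malformed", None, set())
    # 1. Should the packet be processed at all? (port security: a laptop
    #    plugged into an IED's port presents a different source MAC.)
    if PORT_ALLOWED_MAC.get(in_port) != f["src"]:
        return ("drop:unknown-source", None, set())
    # 2. With what priority? Untagged frames fall into the lowest class.
    priority = f["pcp"] if f["pcp"] is not None else 0
    # 3. To which ports? No tag or VID 0 means "use the port's default VLAN".
    vlan = f["vid"] if f["vid"] else PORT_DEFAULT_VLAN[in_port]
    members = VLAN_MEMBERS.get(vlan, set())
    if in_port not in members:
        return ("drop:vlan-not-permitted", None, set())
    return ("forward", priority, members - {in_port})


if __name__ == "__main__":
    # Constructed sample: the 8-byte payload is a placeholder, not a real GOOSE PDU.
    goose = build_frame(GOOSE_MCAST, "02:00:00:00:00:01", ETHERTYPE_GOOSE,
                        bytes(8), pcp=4, vid=10)
    print(switch_decision("p1", goose))
```

    Source-MAC matching only stops the casual laptop swap the paragraph mentions; a device that copies the IED's MAC address passes check 1, so it is a first filter rather than authentication.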

    In order to optimize communication between switches, it is recommended that the up-link port be operated at a higher speed than that of the feeder ports. For example, if the feeder ports operated at 10MB, it is recommended that the Link ports between switches operate at 100MB or faster. Similarly, if the feeder ports are operating at 100MB, it is recommended that the Link ports be operated at 1GB.

    Typically, an Ethernet switch can connect from 12 to IEDs. For substations containing more IEDs than this value, multiple switches need to be linked together on a primary and secondary port basis, again with a connection between the group of primary and back-up switches. This configuration has a drawback in that if one of the switches being used to connect the primary group of switches to the back-up group fails, the connection to the back-up group is lost. This failure mode can be eliminated by connecting the groups together at both ends, effectively forming a loop. In general, Ethernet does not operate in loops; however, most switches in use today operate an Ethernet algorithm known as Spanning Tree. This algorithm is designed to detect any loops and to logically break the loop at a point. More specifically, there is a variant of the Spanning Tree algorithm known as Rapid Spanning Tree that can detect rings and fix breaks in structures in as little as 5ms. The resulting LAN architecture is shown in Figure 5.

    Fig. 5. Practical LAN architecture. [Diagram labels: Primary LAN and Secondary LAN; Switch 1, Switch 1b, Switch 2, Switch 2b ... Switch N, Switch Nb; IEDs.]


    Many experienced protection engineers find discussion of these data communications issues to be dense and perhaps intimidating, because until now they have not faced the need to understand the behavior and performance characteristics of substation components like Ethernet switches. Furthermore, there is no part of the IEC 61850 Standard that guides designers and users on these network architecture subtleties. We encourage users to recognize that unavoidably, as P&C design technology moves forward, the behavior and characteristics of components like Ethernet switches will be as important to understand as those of protective relays if the P&C system is to achieve its availability, dependability, security, and maintainability goals. It is important for protection engineers to understand that the basics of IT networks are not difficult to understand, and that learning how to handle networking issues is no more difficult than learning about any new generation of relays. Incidentally, P&C engineering groups need to achieve peace and mutual understanding with the utility IT department, which can help with substation-enterprise integration, and which needs to understand the features of substation LAN messaging that are critical to power system security.

    We explained above the existence of multiple ports in a typical modern managed switch, each port having its own queue of incoming and outgoing messages so that we never face the problem of collisions and lost messages. We also explained how new switches complying with the Ethernet standard IEEE 802.1Q can recognize priority and VLAN fields in the message packets (e.g. GOOSE messages) and can express-route or selectively route critical messages. There is more to consider from a relaying point of view. For example, full utilization of the two redundant P&C systems requires that GOOSE messages pass between them, and that substation host devices and interfaces to the utility WAN be able to communicate with devices in both System A and System B. To do this, the designer needs to take advantage of the isolation that the ports of the Ethernet switches in System A and in System B can provide, and to interconnect them in a way that avoids single points of failure that could interfere with data communications in both Systems A and B. The designer needs to consider not only passive failures, like a broken fiber, dead port, or failed switch; but also active failures of communicating devices that jabber unwanted message traffic or turn on emitters continuously. Switches and networking equipment could provide tools to handle these contingencies.

    Maintenance personnel also will need to gain enough understanding of communication architectures including both physical topology and control mechanisms for data. For example, consider a relay that has primary and failover fiber connections to two different ports on two different Ethernet switches in System A as we described above. A technician who disconnects the primary fiber, or turns off the switch to which it is connected, may think that he has disabled backup tripping GOOSE commands from this relay to others on the LAN. He then may proceed to test the relay in ways that generate backup tripping request messages. He needs to understand that the relay may have detected the disconnected primary channel and failed over to the completely functional backup fiber and switch: all the messages will be delivered on time to subscribed relays in Systems A and B, possibly yielding unexpected undesired tripping from the testing work.

    4.6 Time Synchronization Architectures and Issues

    A very important unanswered question is how will accurate coordinated time services be delivered to all elements and processes within the whole integrated system? Advanced concepts within the IEC 61850 set of standards suggest digitizing protection input signals, currents and voltages, at the place of origin and providing the protection and control system with real-time stream of samples using a standardized protocol (process bus).

    The idea of further reducing wiring in substations by substituting switchyard cables with fiber optic cables is very attractive economically. This could be accomplished by applying non-conventional CTs/VTs and moving analog signals via fiber to merging units for de-coding, and subsequent digitization and presentation as the process-bus data. Alternatively, traditional secondary signals could be connected to dedicated interfacing devices in the yard for digitization and digital transport into the control house.

    In both instances, protection relays as known today will be presented with information taken at various physical locations by various interfacing devices. This requires data taken at independent locations to be time aligned. Protection functions responding to signal magnitudes, such as overcurrent or undervoltage, do not require time alignment. But a vast majority of functions would not operate properly if their input signals were not time aligned. For example, a distance function requires voltages and currents to be aligned; a synchro-check function requires the two compared voltages to have a common reference; transformer differential calls for all the used currents to be time aligned as well, etc.

    Today, the requirement of time alignment is achieved by synchronous sampling of all input signals of a relay inside the IED itself. This idea could be carried forward only if a given merging unit processes all signals required by a given IED. This would basically create one-to-one correspondence between merging units and IEDs, and poses a question of why not combine the merging units with the IED, yielding a new type of IED that works with analog, fiber-based inputs produced by high voltage sensors of non-traditional CTs/VTs.

    The operation of time alignment can be understood either as hard synchronization with respect to time, or soft synchronization of devices with respect to one another. It could be implemented as precise time stamping of otherwise asynchronously taken samples, or taking samples of all signals exactly at the same time instant.

    In either case, availability of protection is dependent on synchronization. This is a vital, often overlooked issue impacting the system architecture and overall reliability of the scheme. In fact, this is one of the central technical challenges that need to be resolved to effectively implement the process bus concept.


    The recipient devices must be designed to cope with lost data and potentially variable time latencies for packets coming from different sources. Complexity of existing line current differential schemes is a good extrapolation of the technical challenges in this area. The IEC standard does have cognizance of this issue and does require the manufacturer to compensate for filter delays, but the implementation details are left to the manufacturer.

    The start up procedure when the device wakes up and starts communicating while synchronizing itself is particularly exigent, especially if the involved pieces of equipment come from different vendors.

    A protection scheme based on external source of synchronization depends entirely on availability and quality of such synchronization source. In the reliability model, this source is connected in series with the other elements and substantially impacts the overall reliability of the system. In order to avoid diminishing the reliability such a source would inevitably have to be duplicated. Duplicating the synchronization clock is not a trivial task as the two clocks will have to maintain mutual synchronism so that when one of them fails and recovers, the system rides through such conditions without a glitch. Additionally, loss of synchronization of one clock with the GPS satellites while the other is still connected needs to be addressed.

    The IEC 61850 concept addresses the issue of time accuracy and defines five different levels of time accuracy. The Standard permits usage of SNTP for time synchronization over network for time stamping for SCADA purposes. The SNTP method, capable of reaching about 1ms accuracy, is not precise enough for samples of currents and voltages and the Standard does not offer solutions as to how to achieve the required accuracy. Options to be considered are: an externally provided IRIG-B synchronization signal; a precise, network-based open standard such as the IEEE 1588; or a proprietary network based protocol.

    It seems that complying with the high-accuracy time specifications of IEC 61850 requires using an external synchronization source, i.e. IRIG-B inputs. This in turn, requires delivering (redundant) time signal(-s) to all devices that need to be synchronized. Such signals must be driven from two independent (redundant), but mutually-synchronized clocks (contradictory to some extent). If these clocks are driven from the GPS receivers to provide for absolute time reference, issues arise when the GPS signal is lost and recovered. Obviously the protection system does not require absolute time to work properly (except some applications of line current differential relays), and should function normally without the GPS signal. If the GPS signal is lost and subsequently recovered, the redundant clocks will have two, partially contradictory control goals: catch up to the actual absolute time, and prevent any time jumps for the devices synchronized using the timing lines. This adds unnecessary complexity into the system.

    Alternatively, the two clocks (either IRIG-B or network-based) do not have to be synchronized, but would switch-over should one of them fail. Again the process of switching over will have to be well designed in order to provide for a robust and safe solution. The IEC 61850 assumes the synchronizing and synchronized devices to be independent pieces of equipment typically designed by different vendors and still work flawlessly for this mission-critical system.

    Some IED manufacturers are probing the idea of using the IEEE 1588 network time synchronization protocol for the process bus applications. This creates problems for interoperability: devices would have to adopt this method, or use their own alternative method of synchronization. If the latter concept is adopted, the user is affected by extra complexity and vendor-specific solutions. Also, one needs to make sure devices not compliant with the IEEE 1588 are not inadvertently affected by the embedded, network based time synchronization protocol. The IEEE 1588 method requires Ethernet switches to support it, and in today's technology, this creates extra cost for the switch manufacturers.

    Another theoretically possible alternative is to use a solution in which all devices on the network synchronize slowly to each other (no master or absolute time) using a phase lock loop approach and large inertia of their internal clocks. This may be an excellent solution for an isolated deterministic network of 3 devices, but would not work well in a large non-deterministic network with tens or hundreds of devices. Not to mention that such a method is not mandated by the IEC 61850 Standard as a universal, compliant way of time synchronization for the process bus, and will have to remain proprietary.

    Presently the issue of time synchronization is solved internally to an IED. Reliability of the technical solution is already included in the overall Mean Time To Failure (MTTF) of the device. The user does not need to engineer or maintain any protection-grade time synchronization means. And availability of protection is not subject to availability and quality of external time sources. It would be beneficial if these attributes were retained in new protection architectures.

    The minimum requirement for time alignment in the protection realm is to align signals within a given zone of protection. Moreover, only relative alignment is needed. Given the response time of protective relays, this calls for relative time stamping with an arbitrary time index that could roll over after one or two power cycles. This could be achieved in much simpler ways compared with a generic, hard synch of all devices in the substation to a source of absolute time.
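
    Relative alignment with a rolling index, combined with the lost data and variable latency that this section says recipient devices must cope with, as an added Python sketch that is not from the paper or from any IED implementation. The class and function names, the rollover value of 8, the waiting limit and the sample values are constructed for illustration; only the MU-1 and MU-3 labels are borrowed from the figures.

```python
class SampleAligner:
    """Group samples from several merging units by a rolling sample index."""

    def __init__(self, sources, modulus, max_lag):
        if not 0 < max_lag < modulus // 2:
            raise ValueError("max_lag must be well below half the rollover period")
        self.sources = frozenset(sources)
        self.modulus = modulus   # index runs 0 .. modulus-1, then wraps
        self.max_lag = max_lag   # how long to wait for a straggler, in samples
        self.pending = {}        # index -> {source: value}, still incomplete
        self.newest = None       # most advanced index seen so far
        self.dropped = []        # indices given up on because a sample never came

    def _age(self, index):
        """Sample periods by which `index` trails the newest index (wrap-safe)."""
        return (self.newest - index) % self.modulus

    def push(self, source, index, value):
        """Accept one sample; return (index, {source: value}) when a set completes."""
        if source not in self.sources or not 0 <= index < self.modulus:
            raise ValueError("unknown source or index out of range")
        ahead = (self.newest is None or
                 (index - self.newest) % self.modulus < self.modulus // 2)
        if ahead:
            self.newest = index  # also covers the wrap from modulus-1 to 0
        elif self._age(index) > self.max_lag:
            return None          # arrived after its set was given up on
        self.pending.setdefault(index, {})[source] = value
        # Give up on sets that have waited longer than max_lag sample periods.
        for old in [i for i in self.pending if self._age(i) > self.max_lag]:
            self.dropped.append(old)
            del self.pending[old]
        if set(self.pending[index]) == self.sources:
            return index, self.pending.pop(index)
        return None


def align(stream, sources, modulus=8, max_lag=2):
    """Run a whole stream; return (complete sets in completion order, dropped)."""
    aligner = SampleAligner(sources, modulus, max_lag)
    complete = [s for s in (aligner.push(*sample) for sample in stream) if s]
    return complete, aligner.dropped


# Constructed stream of (source, index, value): MU-1 carries a current,
# MU-3 a voltage. MU-3's sample 7 is delayed past the waiting limit.
STREAM = [
    ("MU-1", 6, 1.00), ("MU-3", 6, 66.1),
    ("MU-1", 7, 1.02),
    ("MU-1", 0, 1.01), ("MU-3", 0, 66.0),   # index wraps 7 -> 0
    ("MU-1", 1, 0.99), ("MU-3", 1, 65.9),
    ("MU-1", 2, 0.98),
    ("MU-3", 7, 66.2),                      # too late, ignored
    ("MU-3", 2, 65.8),
]

if __name__ == "__main__":
    sets, dropped = align(STREAM, {"MU-1", "MU-3"})
    print([i for i, _ in sets], dropped)
```

    A function that needs both signals, such as distance, would treat each entry in `dropped` as a missing measurement rather than pairing the current with a voltage from a different instant.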

    In the implementation of the Process Bus (part 9-2), the Standard has the option of either a relative time stamp or an absolute time stamp. In this application, a full absolute time stamp of 64 bits is typically unnecessary information but is required if the information is to be used as part of a Synchrophasor calculation. In the initial implementation agreement, only a relative time stamp, based on the Fraction of Second, is used. When applying this information to Synchrophasors, information on leap second (one full second can be added or deleted by the GPS system to adjust to planetary rotation) and time quality is also required. Additionally, when correlating sample data between multiple merging units (especially between substations), complete absolute time information and time quality will be required. Careful engineering decisions on how to accomplish this will be needed as the Standard moves forward. The full timing information is not required by protection, but if embedded it could cause harm by revealing weaknesses in the applied IEDs, and the need for extra testing.

    4.7 Reliability and Availability of Protection

    Availability and reliability of protection are not impacted when using microprocessor-based protective relays as known today, and applied to both protection and control within the SCADA realm of the IEC 61850.

    When pursuing distributed architectures based on the concept of a process bus with the intent of eliminating copper wiring in the yard and replacing it with fiber optics solution, availability and reliability of protection is a fundamental consideration, and one of the key barriers to overcome.

    For example, consider Figure 6 showing a benchmark substation of Figure A-1, and focus on AC signals associated with protection IEDs around breakers CB-1 and CB-2. This example pictures realistically the concepts of overlapping zones of protection, redundancy and separation of the A&B systems (for simplicity lockout relays are neglected, just two trip coils are shown, the breaker fail devices are separate from the zone relays and are not redundant). The figure clearly illustrates the reason for extensive field wiring: redundancy and overlapping protection zones.

    Figure 7 presents a hypothetical architecture in which each AC signal is digitized by a separate merging unit. Separate MUs are used to provide for the DC signal interface (MU-11 through 14). The A&B systems are kept separate. Consider the availability of the LINE 1 protection system A. This zone depends on availability of MUs 1, 8, 10 for measurement, MUs 11 and 14 for tripping, Ethernet LAN A for communication, and Line IED for overall processing - not to mention the time synchronization source for the AC related MUs (1, 8 and 10). Composed out of seven of today's IEDs such a line protection system would have an MTTF on an order of magnitude lower compared with today's relays (see Annex B).

    Figure 8 presents a sample architecture with one breaker (MU) that interfaces two currents and DC signals. Now only MUs per breaker are required. Still the line protection is a system involving five IEDs (MUs 1, 3, 6, Ethernet switch, IED). Note that the BF function depends on three devices (MU-1, LAN A, BF IED). This becomes a flaw that reduces dramatically availability of the BF function, and calls for solutions in a form of redundant hardware, or equivalent.

    Figure 9 further eliminates MUs 5 and 6 by wiring the voltage signals to MU-3 and 4 (typically a relatively short distance compared with the distance from the yard all the way to the control house). Still the line protection depends on four IEDs, five counting the time synchronization source. As explained in Annex B, the expected reliability of the scheme is not there. Besides MUs 3 and 4 become equivalent to today's microprocessor-based relays in complexity. They support current and voltage inputs as well as digital inputs and output contacts. The question arises: why not provide the complete functionality in such a yard device, eliminating the need for all the other IEDs. The obvious acceptance and maintenance issues may be easier to overcome compared with the solutions of Figures 6 through 9.

    It is strongly recommended that concepts building around the process bus and substituting copper with fiber, particularly for the yard wiring, are presented in the context of the actual CTs and VTs, giving consideration to overlapping protection zones, redundancy and separation of the A&B systems. Once the architecture is presented, an IED count can be approximated, and reliability study should be conducted in order to validate the solution.

    Fig. 6. Selected breaker from the benchmark of Figure A-1. [Diagram labels: CT-1 to CT-8; VT-1 and VT-2 (abc); CB-1 and CB-2 with trip coils a and b; LINE 1; LINE 1, XFMR 1 and XFMR 2 IEDs A and B; BF CB-1 IED and BF CB-2 IED.]

    Annex B calculates Mean Time To Failure values for several hypothetical systems based on the process bus concept assuming arbitrary MTTF data for the system components. It could be seen that the MTTF calculations drive a certain vision of a distributed protection system.

    Annex B proves what is intuitively obvious: a process bus protection system set up with off-the-shelf components (merging units fed from non-conventional instrument transformers, explicitly synchronized via their IRIG-B inputs, and communicating via Ethernet network) would have reliability numbers decimated by an order of magnitude compared with today's microprocessor-based relays. This is because of substantial increase in the total part count and complexity of such a distributed system as compared with today's integrated microprocessor-based relays. A successful system for replacing copper wires with fiber optics would have to keep the total part count and complexity at the level of today's relays.

    Fig. 7. A hypothetical process bus architecture for the system of Fig. 6. [Diagram labels: the elements of Fig. 6 plus MU-1 to MU-14, PROCESS BUS ETHERNET, A and PROCESS BUS ETHERNET, B.]

    Fig. 8. A hypothetical process bus architecture for the system of Fig. 6. [Diagram labels: the elements of Fig. 6 plus MU-1 to MU-6, PROCESS BUS ETHERNET, A and PROCESS BUS ETHERNET, B.]

    There are challenges in designing such a system, primarily time synchronization, and sharing data from merging units to multiple IEDs without an explicit network, while keeping the total count of merging units (interfacing devices) at a reasonable level.

    It is justified to assume relay vendors have already conceptualized or are working on the solutions. It is quite obvious that the interoperability protocols of the IEC 61850 in the areas of process bus and peer-to-peer communication are of little help in solving this architectural/reliability puzzle.

    4.8 Overall System Performance

    Another unanswered question is that of determining and verifying the overall level of performance of a set of interoperating IEC 61850-based devices as a complete system. Although the 61850 Standard does classify the performance of an individual IED with respect to the required response times for individual message types (as would be determined in a benchmark conformance test of an individual IED), there is currently no guidance available on how to characterize message delivery performance across a whole integrated system. As an example, consider an integrated P&C system for a 230 kV transmission substation with say 12 circuit breakers. There are currently no simple and easy to apply design metrics that would allow the designer to determine on paper in advance if the integrated design as a complete system will actually work for this particular topology or architecture. Based on current practice, the system would very likely have to be pre-assembled in a factory or lab setting and undergo a series of complicated tests before delivery to site.

    The question remains as to how would the same exercise be repeated in say five years when the in-service station needs to be expanded to 16 breakers? This ad-hoc type of process would be very expensive if it had to be repeated for each and every project, with no quantifiable guarantees of overall performance, especially for protection-critical trip and initiate signals. The cost and difficulty of executing these tests may also inadvertently place an artificial limit on creative design, because each novel idea could undermine the experience base developed around a previously known configuration, creating a disincentive to its adoption.

    Practical system level application advice is totally missing. It is therefore essential that simple, easy to apply and consistent IEC 61850 design rules be developed so users can determine with certainty that a collection of W IEDs from X manufacturers configured in one of Y topologies will work for a switchyard of up to Z power system elements.

    4.9 Failure Management

    System integrity and failure management