
IEEE TRANSACTIONS ON RELIABILITY, VOL. 41, NO. 3, 1992 SEPTEMBER

An Improved Model for Protective-System Reliability


P. M. Anderson, Fellow IEEE
Power Math Associates Inc., San Diego

S. K. Agarwal, Senior Member IEEE
Power Math Associates Inc., San Diego

Key Words - Protective system, Unreadiness probability,
Undetected fault, Failed-component isolation, Markov model

Reader Aids
Purpose: Advance the state of the art
Special math needed for explanations: Probability, Markov modeling
Special math needed to use results: Probability
Results useful to: Reliability, power-system, and protective-system analysts


Figure 1. Protected Component, C, and Protection Zone, Z

Abstract - A Markov model extends and improves previous models for determining the unreadiness probability and unavailability of a protective system, such as those found on electric-power transmission & distribution systems. Improved definitions of unreadiness probability and other relevant measures are proposed, based on a new Markov model of the system. This new model provides a more direct and physically important definition of unreadiness, and can be computed based on typical system transition rates. Using this model, it is possible to estimate the optimal value of the protection inspection interval, viz, the time between inspections of the protective system. The model accounts for the operation of backup protection, the removal of protection for inspection, the occurrence of common-cause failures, and the usual clearing of faults.

1. INTRODUCTION
Consider a power-system component, such as a transmission line, represented by item C in figure 1. C is completely surrounded by circuit breakers, represented in figure 1 by square boxes, that can isolate C when it fails. The circuit breakers are controlled by protective relays located at the component terminals (stations A & B). These protective relays sense the component condition by means of input transducers, such as current and voltage transformers, located at the component terminals. Some protective systems also use communications between protective devices at the component terminals to assist in accurately detecting the failure of C. The protective system has 4 subsystems: input transducers, protective relays, communication systems, and physical contacts of the circuit breakers - all of which are referred to in this discussion simply as the protection or by P.

The protected component, C, is surrounded by a protective zone, Z, shown as the dotted line in figure 1. The boundaries of Z are defined by the location of current transducers just outside the circuit breakers that are used to isolate C. Any ancillary equipment inside of Z and connected to C is observed by P and is therefore included as part of C, including the circuit breaker enclosures, metering transformers, or other devices required for monitoring and control of C.

The purpose of P is to detect failure of C and surgically to remove only C from service when it fails. When P operates as designed, any C failure that causes abnormal currents and voltages is detected by P, and results in command signals being sent to the circuit breakers to open and thereby isolate C. The isolated C can then be inspected, repaired, and returned to service.

The protection might fail to operate in response to failures of C, which we designate as an operational failure [1]. P has another failure mode, where an order is given to isolate C when C is good. This mode of failure is sometimes called a security failure, a spurious operation, or a false trip [2]. Security failures are not considered in this paper, which is restricted to operational failures.

P monitors C at all times in order to detect any failure. However, C failures are relatively rare, so most of the time P takes no action at all except to continue monitoring. When P fails, however, it is unready to perform the isolation, which places all nearby components at hazard. Therefore, P is inspected from time to time to assure that it remains good. Should C fail when P has previously failed, then C must be isolated by protective systems on adjacent components; this type of isolation is called backup protection, which is designed to operate at a slower speed than usual clearing. Backup clearing isolates the failed component C, but also isolates adjacent components X that are not failed, but must be tripped due to their connection to C through breakers that can not be tripped because P is failed.
Singh & Patton [3,4] proposed a method of defining an unreadiness probability, as the frequency of the transition to an unready state on component failure, compared to the sum of that frequency and the frequency of transitioning to the good state. This definition is based on a Markov model that recognizes all the various states of both C & P (see Notation). Their model did not represent all of the transitions that can occur when an unready condition exists.

0018-9529/92$03.00 ©1992 IEEE

ANDERSON/AGARWAL: AN IMPROVED MODEL FOR PROTECTIVE-SYSTEM RELIABILITY


(Editor's note: The acronym/name AAI is assigned to the model proposed in this paper, for ease of referring to the model.) AAI extends the Singh & Patton model to include some of these details in a practical way. This results in a different Markov structure, and an improved probability definition that describes the effect of unreadiness.


2. NOTATION & ASSUMPTIONS


Notation

$\lambda_c, \mu_c$   failure, repair rate of the protected component (C)
$\lambda_p, \mu_p$   failure, repair rate of the protective system (P)
$\lambda_{cc}$   common-cause failure rate of P & C
$\theta_p$   inspection rate of the protective system
$\psi_N, \psi_B$   usual, backup switching rate of the protective system
$\psi_M$   manual switching rate to isolate only the failed component
$P_i$   Pr{system is in state i}
$P_i(N)$   numerator of expression for $P_i$
UP   item is in a good state
DN   item is in an announced failed state
DU   item is in an unannounced failed state
INSP   item is being inspected and is therefore not available
ISO   item is isolated and is therefore not available

Other, standard notation is given in Information for Readers & Authors at the rear of each issue.
Assumptions

Figure 2. Markov Model of the Component & Protection

1. The failure & repair rates are constant.
2. All failures are mutually s-independent. Failures of the protection are s-independent of failures of the component.
3. The inspection interval (time between inspections) is an exponentially distributed r.v.
4. Switching rates are exponentially distributed r.v.'s.
5. Inspection of the protection always detects failures and restores the protection to good-as-new.
6. Inspection of the protection does not cause component failure.

3. MARKOV MODEL
Figure 2 shows the detailed states of C & P individually (see Notation), the general states (up, down) of C & P, and is the AAI Markov model: State 1 represents usual operation with both C & P UP. When C goes DN, state 2 is entered briefly, while P detects the failure and orders the transition to state 6. This occurs at a usual switching rate, eg, 3-6 cycles (50-100 msec). In state 6, the DN C is inspected, repaired, and returned to state 1, which usually takes several hours or, perhaps, days to complete.

If P goes DU while in state 1, the transition is to state 3. P is unready to respond if C goes DN - the unreadiness condition [3]. Likewise, when P goes INSP, making the transition to state 5, it is unready to respond if C goes DN, since P is removed from service for inspection and testing. If C goes DN while the system is in either state 3 or 5, the transition is not detected by P, and backup protective systems on adjacent components must act to isolate C. This action causes a transition to state 4, where both P & C are DN. Backup protective systems order C, together with adjacent connected components X, to go ISO - with the transition to state 8 taking place at a rate governed by the backup protection, which is slower than usual detection and isolation.

The system must be inspected, and the good adjacent components X restored to service, usually by manual switching, which transfers the system to state 7. From this point, P is repaired to UP with transition to state 6. Then C is repaired to UP with transition to state 1, or P goes DN with transition back to state 7. Simultaneous repair can be considered by introducing a slight complication, but would result in little change since repair-time of C is usually long compared to repair-time of P.

Some types of components, such as transformers, are removed from service for planned inspection and maintenance. Then the protection for that component is often inspected during the component maintenance outage, this being an ideal time to perform the task. This is represented by state 9.

The possibility exists for a common-cause that forces both C & P to go DN. This causes the transition from state 1 to state 4. AAI does not assume that an inspection of C reveals


a DU P because: i) the two items are usually inspected and repaired by different workers, and neither is trained in the inspection of the other's equipment; ii) often, the inspection of C does not involve P in any direct manner, eg, a transformer being outdoors and its protection being housed in a control building.

It is difficult to determine exactly when the transition occurs from state 1 to state 3. The existence of state 3 is known only after either P is taken out for inspection (transition from state 3 to state 5), or if C fails (transition from state 3 to state 4). This means that it is difficult to estimate the protection failure rate $\lambda_p$. As a limiting case, the reciprocal of $\lambda_p$ can be taken as the minimum of the mean time between inspections or the mean time between component failures. Often the manufacturer is able to estimate $\lambda_p$ from the generic component data.

4. PROBABILITY COMPUTATIONS
The following probabilities are defined, based on AAI (figure 2). Up & down are shown in figure 2 for Component & Protection.

Abnormal Unavailability (AbUn) - Probability that both P & C are down:

This unavailability is abnormal because it results from the outage of UP components in addition to the DN C. Therefore, it represents the effect of the unreadiness of P.

Normal Unavailability (NorUn) - Probability that C is down and P is up:

Protective System Unavailability (ProtUn) - Probability that C is up and P is down:

$$\text{ProtUn} = P_3 + P_5. \quad (3)$$

Unreadiness Probability - Probability that P is not available-for-use when it should be operable:

$$\text{Unreadiness Probability} = \text{ProtUn}/(P_1 + P_3 + P_5). \quad (4)$$

Unreadiness Probability is a conditional probability that P does not operate when it is called upon to do so. This definition is a variant of that in [3], which did not include $P_5$ in either the numerator or denominator of (4). This situation was a result of their basic assumptions. The two definitions are identical if the interval between inspections is very large, but they differ for small inspection intervals.

The state probabilities are computed by writing the closed form expressions for each state [5]. State 9 is ignored in computing the state probabilities as it does not appreciably affect the other state probabilities. The probability of system-state i is:

$$P_i = P_i(N) \Big/ \sum_{i=1}^{8} P_i(N). \quad (5)$$

$$P_1(N) = \mu_c \mu_p \psi_M \psi_B \psi_N (\lambda_c + \theta_p)(\lambda_c + \mu_p)$$

$$P_2(N) = \lambda_c \mu_c \mu_p \psi_M \psi_B (\lambda_c + \theta_p)(\lambda_c + \mu_p)$$

$$P_3(N) = \lambda_p \mu_c \mu_p \psi_M \psi_B \psi_N (\lambda_c + \mu_p)$$

$$P_4(N) = \lambda_c \lambda_p \mu_c \mu_p \psi_M \psi_N (\lambda_c + \mu_p) + \lambda_{cc} \mu_c \mu_p \psi_M \psi_N (\lambda_c + \theta_p)(\lambda_c + \mu_p) + \lambda_c \theta_p \mu_c \mu_p \psi_M \psi_N (\lambda_c + \theta_p) + \lambda_c \lambda_p \theta_p \mu_c \mu_p \psi_M \psi_N$$

$$P_5(N) = \theta_p \mu_c \mu_p \psi_M \psi_B \psi_N (\lambda_c + \theta_p) + \lambda_p \theta_p \mu_c \mu_p \psi_M \psi_B \psi_N$$

$$P_6(N) = \lambda_c \mu_p^2 \psi_M \psi_B \psi_N (\lambda_c + \theta_p) + \lambda_{cc} \mu_p^2 \psi_M \psi_B \psi_N (\lambda_c + \theta_p) + \lambda_c \lambda_p \mu_p^2 \psi_M \psi_B \psi_N + \lambda_c \mu_p \psi_M \psi_B \psi_N (\lambda_c + \theta_p)(\lambda_p + \lambda_c + \lambda_{cc} + \theta_p)$$

$$P_7(N) = \lambda_c \lambda_p \mu_p \psi_M \psi_B \psi_N (\lambda_c + \theta_p) + \lambda_c \psi_M \psi_B \psi_N (\lambda_c + \theta_p)\left[(\lambda_p + \mu_c)(\lambda_p + \theta_p + \lambda_c + \lambda_{cc}) - \lambda_c \mu_c\right] + \lambda_c \lambda_p \mu_p \psi_M \psi_B \psi_N (\lambda_p + \mu_c) + \lambda_{cc} \mu_p \psi_M \psi_B \psi_N (\lambda_c + \theta_p)(\lambda_p + \mu_c)$$

$$P_8(N) = \lambda_{cc} \mu_c \mu_p \psi_B \psi_N (\lambda_c + \theta_p)(\lambda_c + \mu_p) + \lambda_c \lambda_p \mu_c \mu_p \psi_B \psi_N (\lambda_c + \mu_p) + \lambda_c \lambda_p \theta_p \mu_c \mu_p \psi_B \psi_N + \lambda_c \theta_p \mu_c \mu_p \psi_B \psi_N (\lambda_c + \theta_p)$$

From this analysis, any of the defined probabilities can be evaluated for any known system transition rates. Based on our study of AAI, we believe that the Abnormal Unavailability is an appropriate measure of the effect of the unreadiness of P. This index is better than the Unreadiness Probability. We have observed that Unreadiness Probability decreases as $\lambda_c$ increases, which makes this quantity a poor index, a result also observed using the Singh & Patton definition. The Abnormal Unavailability, however, increases as $\lambda_c$ increases, as one would anticipate, and exhibits reasonable and illuminating behavior in response to variation of any system parameter.

5. COMPUTED RESULTS
To illustrate the nature of the results computed using AAI, a family of curves representing the Abnormal Unavailability is plotted for various values of the interval between protective system inspections. Figures 3 - 5 show the results.

Figure 3. Abnormal Unavailability as a Function of Inspection Interval [For several values of failure rate of C] (horizontal axis: Protection Inspection Interval, hours)

Figure 4. Abnormal Unavailability as a Function of Inspection Interval [For several values of repair rate of P] (horizontal axis: Protection Inspection Interval, hours)

Figure 3 shows that an optimum inspection interval can be determined for a component protection based on the failure rate of that component. This is not the only factor to consider, however, as the reliability parameters of P are also important in determining the inspection interval. Figure 4 shows that the optimum inspection interval decreases appreciably if the inspections are performed in less time. This is a reasonable conclusion and suggests that future systems, using computer automated inspections with short inspection time, will require that the inspections be performed more frequently. Moreover, if the protection inspection duration is brief, corresponding to the lower curves, the unavailability is reduced. Figure 5 shows the variation of abnormal unavailability with typical parametric values of the failure rate of P. This family of curves shows, reasonably, that protective systems with high failure rates should be inspected more often, and that the unavailability due to the high rates is greater than that for more reliable protective systems.

Figure 5. Abnormal Unavailability as a Function of Inspection Interval [For varying values of failure rate of P] (horizontal axis: Protection Inspection Interval, hours)

These results are computed using practical values for the parameters and the switching times. All parameters are quoted in the figures. The usual switching rate, $\psi_N$, corresponds to a mean switching time of 5 cycles, roughly 2 cycles for failure detection and 3 cycles for circuit breaker action. Backup switching time is taken as 10 cycles. The manual isolation time is taken as 10 hours and represents the time to dispatch personnel, travel time to the site, component inspection, and manual switching to reduce the isolation to C.

For the given set of system transition rates, $\lambda_c$, $\mu_c$, $\lambda_p$, $\mu_p$, $\psi_N$, $\psi_B$, $\psi_M$, one can determine the optimal inspection interval for P using AAI and the abnormal unavailability. The inspection interval is affected by $\lambda_p$ & $\mu_p$, as shown in figures 4 & 5. The effect of the other parameters is not important in determining the inspection interval, suggesting that only the sensitive parameters need to be known accurately to optimize the inspection interval. Let $\lambda_p$ = 0.1/year and $\mu_p$ = 0.1/hour; the optimal interval = 1000 hours = 42 days.

A comment on the reliability parameters used in the plotted examples is necessary. The failure rates used are typical of those observed for power-system protective-equipment, but parametric studies of a wide range above and below the nominal rates provide insight as to the effect of using such equipment with either very high or low failure rates. This suggests a form of risk analysis, where the cost of reliability improvement due to higher quality (possibly more expensive) equipment can be evaluated. The repair rates are varied over wide ranges to represent a range from rather long repair duration to very fast self-testing that might be typical of modern digital equipment. Switching times are also varied from fast switching performed by system operators to manual times that are delayed due to remotely located equipment and the need for time-consuming visual inspection of the failed component. Finally, AAI is capable of representing any transition rates, but we have chosen rates that cover a rather wide range for illustrative purposes.
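The model of Section 3 and the measures of Section 4 can be evaluated numerically, as in the following added example (not code from the paper). It builds states 1-8 from the transitions described in the text, solves for the steady state, and scans the inspection interval for the minimum abnormal unavailability. Assumptions: AbUn is taken as P4 + P7 + P8 (the states described with both C and P down), the values of lam_c, mu_c and lam_cc are constructed, and switching cycles are at 60 Hz.

```python
# Added example (not from the paper): steady state of the Section 3 model.
# Rates are per hour; values marked "constructed" are illustrative only.

def transitions(theta_p, lam_c=1/8760, mu_c=1/24, lam_p=0.1/8760, mu_p=0.1,
                lam_cc=1e-7, psi_n=43200.0, psi_b=21600.0, psi_m=0.1):
    """(from, to, rate) triples for states 1-8; state 9 is ignored.

    lam_c, mu_c, lam_cc are constructed. lam_p, mu_p and the switching
    times (5 cycles, 10 cycles at 60 Hz, 10 hours) follow Section 5.
    """
    return [
        (1, 2, lam_c), (2, 6, psi_n), (6, 1, mu_c),        # usual clearing
        (1, 3, lam_p), (1, 5, theta_p), (3, 5, theta_p),   # P fails / inspected
        (5, 1, mu_p),                                      # inspection ends
        (3, 4, lam_c), (5, 4, lam_c), (1, 4, lam_cc),      # C fails, P unready
        (4, 8, psi_b), (8, 7, psi_m),                      # backup, manual
        (7, 6, mu_p), (6, 7, lam_p),                       # P repaired / fails
    ]


def steady_state(trans, n=8):
    """Stationary probabilities by GTH state elimination (no subtractions)."""
    q = [[0.0] * n for _ in range(n)]
    for i, j, rate in trans:
        q[i - 1][j - 1] += rate
    for k in range(n - 1, 0, -1):          # eliminate states n, n-1, ..., 2
        out = sum(q[k][:k])
        for i in range(k):
            q[i][k] /= out
        for i in range(k):
            for j in range(k):
                if i != j:
                    q[i][j] += q[i][k] * q[k][j]
    x = [1.0] + [0.0] * (n - 1)
    for k in range(1, n):                  # back-substitute from state 1
        x[k] = sum(x[i] * q[i][k] for i in range(k))
    total = sum(x)
    return {s + 1: v / total for s, v in enumerate(x)}


def measures(theta_p, **rates):
    p = steady_state(transitions(theta_p, **rates))
    prot_un = p[3] + p[5]                                  # eq. (3)
    return {
        "AbUn": p[4] + p[7] + p[8],   # assumption: states with C and P down
        "ProtUn": prot_un,
        "Unreadiness": prot_un / (p[1] + p[3] + p[5]),     # eq. (4)
    }


def optimal_interval(**rates):
    """Inspection interval (hours) minimising AbUn on a log grid, 1 h to 1e6 h."""
    grid = [10 ** (k / 20) for k in range(121)]
    return min(grid, key=lambda t: measures(1.0 / t, **rates)["AbUn"])


if __name__ == "__main__":
    t_opt = optimal_interval()
    print(f"optimal interval ~ {t_opt:.0f} h", measures(1.0 / t_opt))
```

Passing `lam_c=2/8760` to `measures` shows the behavior discussed in Section 4: AbUn rises with the component failure rate while the Unreadiness Probability falls.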

6. APPLICABLE STANDARDS
Several IEEE & ANSI standards define terms that are pertinent to our subject [6-10]. Many definitions of protective equipment reliability and availability are in these references and apply to AAI, eg,

Detectable Failures [9,10]
Test Duration [8]
Test Frequency [7]
Test Interval [7,8]
Test Schedule [7].

The definitions of False Tripping [6], Incorrect Relay Operation [6], and Security [6] (mentioned in the Introduction) are specifically excluded from AAI, which is limited to the study of operational failures. AAI provides a means of determining the effect of an Unannounced Failure [6,7] wherein the failure is not detected until the next test.

One definition, used in connection with power system protective devices, refers to the Dependability [6] of a relay or relay system as that facet of reliability that relates to the degree of certainty that a relay or relay system will operate correctly. This is applied to systems where more than one failure mode is possible. AAI is restricted to a single failure mode, hence this definition is not applicable.

The standards specify the need for system modeling and mathematical analysis in order to evaluate the impact of testing intervals on the system reliability of a protective system [7]. We believe AAI is a step toward meeting this requirement for power-system protective-systems, and might be used as a method of estimating Initial Test Intervals [7] for protective equipment.

REFERENCES
[1] P. M. Anderson, Reliability of protective systems, IEEE Trans. Power Apparatus & Systems, vol PAS-103, 1984 Aug, pp 2207-2214.
[2] J. D. Grimes, On determining the reliability of protective relay systems, IEEE Trans. Reliability, vol R-19, 1970 Aug, pp 82-85.
[3] C. Singh, A. D. Patton, Protection system reliability modeling; unreadiness probability and mean duration of undetected faults, IEEE Trans. Reliability, vol R-29, 1980 Oct, pp 339-340.
[4] C. Singh, A. D. Patton, Supplement to [3], NAPS document No. 03662-C, 1980, 8 pages.
[5] S. Kumar (Agarwal), R. Billinton, Graph theory concepts in frequency and availability analysis, IEEE Trans. Reliability, vol R-34, 1985 Oct, pp 290-294.
[6] American National Standard, Definitions for Power Switchgear, ANSI/IEEE C37.100-1981, Pub. SH08375, 1981; IEEE.
[7] American National Standard, IEEE Guide for General Principles of Reliability Analysis of Nuclear Power Generating Station Safety Systems, ANSI/IEEE Std 352-1987; IEEE.
[8] American National Standard, IEEE Standard Criteria for the Periodic Surveillance Testing of Nuclear Power Generating Station Safety Systems, ANSI/IEEE Std 338-1987; IEEE.
[9] American National Standard, IEEE Standard Application of the Single-Failure Criterion to Nuclear Power Generating Station Safety Systems, ANSI/IEEE Std 379-1988; IEEE.
[10] American National Standard, IEEE Standard Criteria for Safety Systems for Nuclear Power Generating Stations, ANSI/IEEE Std 603-1980; IEEE.

AUTHORS
Dr. P. M. Anderson; Power Math Associates Inc.; 12625 High Bluff Drive, Suite 103; San Diego, California 92130 USA.

Paul M. Anderson (M'50, SM'56, F'81) is the President and Principal Engineer of Power Math Associates Inc., an analytical consulting firm specializing in electric power systems. He has over 40 years of experience in power system analysis and specializes in system dynamic performance, system protection, network analysis, and system reliability. He taught electrical engineering at Iowa State University and at Arizona State University, devoting over 25 years to academic life, and was a Program Manager at the Electric Power Research Institute prior to embarking on a consulting career. Dr. Anderson is an IEEE Fellow and is listed in Who's Who in Engineering and Who's Who in America.

Dr. S. K. Agarwal; Power Math Associates Inc.; 12625 High Bluff Drive, Suite 103; San Diego, California 92130 USA.

Sudhir Kumar Agarwal (SM'92) is a Senior Systems Analyst at Power Math Associates Inc. He is a graduate of the University of Saskatchewan, with a PhD in Power System Reliability, where he pursued research in analytic methods for large power-system reliability-evaluation. He has over 8 years of industrial experience, both in India & USA. His responsibilities focus on the improvement of analytic methods for reliability analysis in power systems, and the introduction of new models and techniques to make these methods more responsive to the needs of the power industry. Dr. Agarwal is a Senior Member of IEEE and of the Indian Association for Reliability and Quality.

Manuscript TR91-065 received 1991 April 23; revised 1991 November 26.
IEEE Log Number 00708
