IEEE PSRC, WG I 19Redundancy Considerations for Protective Relaying SystemsMembers: Solveig Ward (Chair), Bryan Gwyn (Co-Chair), Galina Antonova, Alex Apostolov, Tom Austin,Phil Beaumont, Bob Beresh, Dave Bradt, Gustavo Brunello, Dac-Phuoc Bui, Matt Carden, Randy Cunico,Alla Deronja, Walt Elmore, Rafael Garcia, Bob Haas, Ameed Hanbali, Rob Harris, Pat Heavey, GeneHenneberg, Chris Huntley, Fred Ipock,Gerald Johnson, Sungsoo Kim, Gary Kobet, Jeff Long, AaronMartin, Craig McClure, Jeff McElray, Michael Mendik, George Moskos, Chuck Mozina, Jim Niemira, JimO‘Brien, Neil Saia, Sam Sambasivan, Sinan Saygin, Tony Seegers, Don Sevcik, Mark Simon, JackSoehren, Bob Stuart, Jonathan Sykes, Damien Tholomier, Steve Turner, Joe Uchiyama, James Wang,Don Ware, Tom Wiedman, Ray Young, John Zipp, Eric Udren1

TABLE OF CONTENTS1Introduction . 42What is redundancy? . 42.1Definitions . 42.2Purpose of redundancy. 42.3Redundancy versus backup . 52.4Redundancy‟s influence on reliability . 52.4.1Dependability and security example . 52.5Good engineering practices . 72.6Economic considerations . 82.7Asset management . 82.8Outage time . 82.9Restoration time . 82.10 Mean Time to Repair (MTTR) . 92.10.1Hardware MTTR . 92.10.2Software MTTR . 92.10.3Time to repair dictates degree of redundancy required . 103Differences Depending on Application Area . power system . 10Industry practices . 11Degree of redundancy required . 12Transmission protection . 12Special Protection Schemes . 14Control function in protective relays . 14Application Redundancy. 144.1Hardware for fully redundant systems . 144.1.1Protection Systems „A‟ and „B‟. 154.1.2Instrument transformers . 164.1.3Batteries. 174.1.4Physical separation . 194.1.5Redundancy applications in protection systems . 194.1.6Ethernet LANs with IEC 61850 GOOSE messaging . 244.2Diversity . 264.2.1Different operating principles . 274.2.2Different manufacturers . 274.2.3Different communication channels . 274.3Coupling redundancy for Power Line Carrier (PLC) . 274.3.1Best coupling systems for redundancy: . 284.4Switched redundancy. 294.5Voting schemes . 304.6Changes due to microprocessor technology . 314.7Electromechanical schemes . 325Examples (real life events) . 335. of events that have had an effect on the operability of protection schemes . 33Redundancy with common mode failure . 34Lack of redundant auxiliary relays . 34Lack of redundancy during construction. 34

6NERC Reliability Requirements . 347Conclusions . 358References . 35Appendix A - Review of present practices (Regional Reliability Organizations and PSRC Guides)Appendix B – National Grid‟s Requirements for Physical Separation3

1IntroductionReliability is always of concern for protective relay systems and redundancy plays an important role forreliability. Reliability is a compromise between security and dependability. Security is the ability to properlyrestrain from tripping when not called for. Dependability is the ability to trip when required. While securityis not improved by increased redundancy, dependability is. Clearly, the impact on the power system whena protection device is not functioning when required is much less severe when there is a redundant devicethat takes over the job. If the two redundant devices are of equal performance, there should be nodetrimental effect at all on power system operations, and a non-functioning device would just need to berepaired or replaced.Local redundancy of components plays a major role in elevating the reliability of protection systems;however, it is not the only mitigation that can be used to improve the reliability. Remote protectionsystems may provide adequate protection system reliability in some situations, provided that remoteprotection can detect faults and provide clearing times that meet performance requirements. It is the taskof the protection and the planning engineers to determine the proper solution for each element (lines,buses, transformers).This report provides the relay engineer with information about what factors to consider when determiningredundancy requirements. In addition, the report addresses differences depending on application area,present practices and provides real world examples.Note. Different users have different terminology for referring to the redundant protection systems. Theymay be called "System 1" and "System 2," "System A" and "System B," “Primary” and “Secondary” orsometimes "Primary" and "Backup." This latter terminology, "Primary" and "Backup", implies, althoughunintentionally, that one of the two systems serves the main function of protection and the other serves toassist in the case of failure of the first system, analogous to carrying an undersized spare tire in the trunkof a car in case of a flat. In actual practice, the redundant systems are each fully capable, each system isable to detect and clear faults on its own, and each system serves as a backup to the other. For thepurpose of the present report, the terms "System A" and "System B" will be used for referring to theredundant relaying systems. This selection of this terminology is intended to provide a consistentterminology to aid the reader's understanding of the topics of discussion in the remainder of the report, butis not intended to indicate a consensus or preference for this terminology throughout the industry.2What is redundancy?2.1DefinitionsThe following definitions are based on The Authoritative Dictionary of IEEE Standards Terms (IEEE 1002000 seventh edition) and the International Electrotechnical Vocabulary (IEC 60050).Redundancy is the existence of more than one means for performing a given function.Dependability is the facet of reliability that relates to the degree of certainty that a relay or relay systemwill operate, or perform, correctly.Reliability is a combination of dependability and security. Note that reliability denotes certainty of correctoperation together with assurance against incorrect operation from all extraneous causes.Security is that facet of reliability that relates to the degree of certainty that a relay or relay system will notoperate incorrectly. Note that ―cyber security‖ is a separate issue that relates to electronic access.2.2Purpose of redundancyRedundancy is required for several reasons including governmental and regulatory requirements, ensurereliability, maintain customer satisfaction, increase system stability, and for maintenance purposes. Theseissues are dealt with in the remainder of this document.4

2.3Redundancy versus backupOlder documents, such as The Transmission and Distribution Electrical Reference Book do not make adistinction between backup and redundancy: ―The measures employed in practice vary all the way fromcomplete duplication of relays at one extreme to no backup at all at the other extreme.‖ However,common convention today is to define a redundant system as a second (or third) system that hasessentially equal performance to the primary system applied. A backup system, while covering the zoneprotected by the primary equipment, will provide a lower degree of performance, e.g. less speed or lessselectivity.However, note that the two (or three) redundant systems do not always have to be of identicalperformance provided that any one of the redundant systems fulfill the requirements for the applicationwith regards to operating time, selectivity, etc. For example, if stability studies have determined that a linecan be adequately protected by stepped distance protection, a Main 1 distance pilot relay in combinationwith a Main 2 stepped distance relay can be considered a redundant protection system.2.4Redundancy‟s influence on reliabilityReliability of a protection system is a combination of dependability and security. For protective relays,dependability is the ability to trip for a fault within its protective zone while security is the ability to refrainfrom tripping when there is no fault in the protective zone.Redundancy will increase dependability since the required operation can be carried out by the redundantsystem. A failure of a single system will not affect operation.Typically, redundancy will decrease security as the added device(s) will increase the risk for an unwantedoperation. A failure (causing overtripping) of either system will produce a false trip. However, combiningredundancy and duplicated devices, as in the voting scheme described in Section 4.5, will result inincreased dependability and increased security.Redundancy does not influence dependability and security to the same degree. The optimal degree ofdependability and security, and consequently redundancy, has to be determined based on the impact of afalse trip versus the impact of lack of trip for a fault. For example, the power system may not be greatlyaffected by a line protection‘s incorrect tripping for a fault outside the protected line since automaticreclosing can quickly restore service. However, a false trip of a bus protection may not be as easilymitigated.2.4.1Dependability and security exampleWhile not practical to use, it could be of interest to illustrate the concepts by looking at the two extre