NERC-Protection Sistem Reliability - 1-14-09

A Technical Paper
Protection System Reliability

Redundancy of Protection System Elements
NERC System Protection and Control Task Force
November 2008
Table of Contents
1. Introduction.........................................................................................................................................................4
1.1 The Need for a Protection System Reliability (Redundancy) Standard........................................................5
2. Protection System Reliability.............................................................................................................................6

2.1 Dependability and Security ..........................................................................................................................6
2.2 Need for Protection Reliability ....................................................................................................................8
2.3 Protection System Redundancy ....................................................................................................................9
3. Reliability of the Bulk Electric System............................................................................................................11

3.1 2002 NERC Planning Standards................................................................................................................12
3.2 Clearing Times...........................................................................................................................................13
3.2.1 Normal Clearing Time ...........................................................................................................................14
3.2.2 Breaker Failure or Stuck Breaker Clearing Time ..................................................................................14
3.2.3 Delayed Clearing Time..........................................................................................................................15
3.2.4 Planning Standard Development............................................................................................................15
4. Proposed Protection System Reliability (Redundancy) Requirements ........................................................16

4.1 Evaluating BES Performance.....................................................................................................................17
4.2 Development of a Testing Methodology to Determine the Need for Redundancy......................................20
4.2.1 Determine Redundancy of the Protection System .................................................................................21
4.2.2 Determining Performance of the Protection System..............................................................................25
4.2.3 Compare BES Performance with Requirements of the TPL Standards .................................................27
4.2.4 Mitigate All Violations of the TPL Standards .......................................................................................28
5. Protection System Components .......................................................................................................................30

5.1 AC Current Source.....................................................................................................................................33
5.2 AC Voltage Source .....................................................................................................................................37
5.3 Protective Relay .........................................................................................................................................40
5.4 Communication Channel............................................................................................................................41
5.5 DC Control Circuitry .................................................................................................................................44
5.6 Auxiliary Relay...........................................................................................................................................46
5.7 Breaker Trip Coil .......................................................................................................................................47
5.8 DC Source ..................................................................................................................................................48
Appendix A – DC FAILURE (Loss of Station DC Supply)....................................................................................51
Appendix B – Excerpts from the 1997 NERC Transmission Planning Standards System Performance
Requirements 54
NERC 1997 Planning Standards Table 1................................................................................................................55
NERC Technical Paper on Protection System Reliability i

Redundancy of Protection System Elements November 18, 2008
NERC 2005 TPL Standards (Table I from TPL-001 – TPL-004) ............................................................................56
Appendix C – System Protection and Control Subcommittee.........................................................................58
List of Figures
Figure 2-1 — Dependability-Type Failure (no trip) of a Protection System ................................................ 7

Figure 2-2 — Security-Type Failure (overtrip) of a Protection System ....................................................... 8
Figure 2-3 — Non-Redundant Protection System ...................................................................................... 10
Figure 2-4 — Fully Redundant Protection System ..................................................................................... 10
Figure 4-1 — Acceptable Delayed Clearing Example................................................................................ 18
Figure 4-2 — Unacceptable Delayed Clearing Example............................................................................ 19
Figure 4-3 — Example 1 – Study of Protection System Reliability for Non-Redundant Systems............. 21
Figure 4-4 — Example 2 – Study of Protection System Reliability Redundancy for Redundant Systems 24
Figure 4-5 — Example 3 – Determining Protection Systems Performance ............................................... 26
Figure 5-1 — Strong Source System One Line .......................................................................................... 31
Figure 5-2 — Weak Source System One Line............................................................................................ 31
Figure 5-3 — Example of Redundant CTs ................................................................................................. 33
Figure 5-4 — Alternate CT Configuration with Single Point of Failure at the Main CT ..............................i
Figure 5-5 — Redundant CT Configuration ............................................................................................... 35
Figure 5-6 — AC Voltage Inputs................................................................................................................ 38
Figure 5-7 — Communication System ....................................................................................................... 42
Figure 5-8 — Faults Near a Generating Station.......................................................................................... 43
Figure 5-9 — Station DC Supply and DC Control Circuits Boundary....................................................... 45
Figure 5-10 — Non-Redundant DC Control Circuits ................................................................................. 46
Figure 5-11 — Trip Coil Development....................................................................................................... 48
Figure 5-12 — Station DC Supply and Monitoring.................................................................................... 50
Figure A-1 — Normal Clearing .................................................................................................................. 51
Figure A-2 — Complete Loss of DC with Remote Clearing...................................................................... 53
List of Tables
Table 4-3 — Example 1 – Study of Protection System Reliability for Non-Redundant Systems .............. 22
Table 4-4 — Example 2 – Study of Protection System Reliability Redundancy for Redundant Systems . 25
Table 4-5 — Example 3 – Determining Protection Systems Performance................................................. 26
Table 4.6 — Acceptable Clearing Times.................................................................................................... 28
This Technical Reference Paper was approved by the NERC Planning Committee on December 4, 2008.
NERC Technical Paper on Protection System Reliability ii

NERC Technical Paper on Protection System Reliability iii
1. Introduction
The 1997 NERC Planning Standards1 contained “Redundancy, in the context
tenets on Protection System redundancy that were of this paper, further specifies
not included in the Version 0 translation of those that the fault clearing will
standards. Consequently, the NERC Planning meet the system performance
Committee charged the System Protection and requirements of the NERC
Controls Task Force (SPCTF) in late 2005 with
Reliability Standards.”
preparing a Standard Authorization Request
(SAR), with associated justifying technical background material, to reintroduce Protection
System redundancy. This technical paper provides the background and support for the
development of that Protection System Reliability SAR.
The reliability of the Bulk Electric System (BES) is normally measured by determining the
performance of all the various power system elements and their ancillary systems. Protection
Systems, being ancillary systems, are critical to establishing and maintaining an adequate level
of BES reliability. The NERC reliability standards define the level of reliability to which each
owner must design the BES and this in turn, can be used to determine the performance
requirements of electric system elements such as breakers, and Protection Systems.
“…the Protection This paper, developed by the NERC System Protection and
Systems must operate Control Task Force (SPCTF), proposes Protection System
and clear faults reliability requirements and discusses the reasoning behind
within the required the requirements, provides examples and explanations
clearance time to concerning each requirement, and describes how to
determine the level of Protection System reliability necessary
satisfy the proposed
to meet each requirement. This paper also describes a
performance
collaborative and interactive process between the protection
requirements…”
and planning engineers to determine the required level of
Protection System performance. It should be noted that in parallel to this effort is an IEEE
PES/PSRC work group2 that is developing a special report addressing redundancy considerations
for relaying. SPCTF has a liaison relationship with that working group. The IEEE effort
concentrates on the Protection System elements while this paper concentrates on the BES
performance implications of Protection System redundancy.
1
NERC Planning Standard, Section III – System Protection and Control, September 1997
2
IEEE/PES/PSRC I19 Working Group
NERC Technical Paper on Protection System Reliability 4

This paper evaluates Protection System clearing times for a normal electric system configuration
(planned peak load conditions with all lines in service, typical generation dispatch, typical
interchange, and typical switching configuration) for a fault on one electric system element with
a Protection System component failure. For a component failure of the Protection System,
redundant local backup, and remote backup Protection Systems are evaluated to determine the
clearing time for the faulted electric system element under review. Due to the additional
complexities involved, the performance requirements of backup Protection Systems for other
electric system contingencies are not addressed in this paper.
1.1 The Need for a Protection System Reliability (Redundancy)

Standard
Protection System reliability has been incorporated in NERC standards for decades and, in most
situations, has been achieved through and referred to as redundancy. Redundancy is defined as
“the existence of more than one means for performing a given function3.” The NERC Planning
Standards (see Appendix C) contains references to “delayed clearing” and Protection System
failures, however, these terms were not clearly defined and often were interpreted to be
synonymous with operation of breaker failure protection. Breaker Failure protection has a
predictable result and designed tripping times. Protection System failures can lead to a more
severe system response as a result of longer fault clearing and more electric system elements
being removed from service to clear the fault. In later sections of the old planning standard4,
owners were required to incorporate redundancy in the Protection Systems as necessary to meet
the reliability performance table (Table I. Transmission Systems Standards; C Normal and
Contingency Conditions). References were made to various components of the Protection
Systems that needed to have redundancy but no requirements were listed.
The old standards were vague and incomplete and did not directly correlate the need for
redundancy to desired BES performance. It is necessary that a new approach be introduced to
address the performance of the Protection System and provide the owner with clear tests and
measures that can be used to determine when the application of redundancy is necessary. This
technical paper has been developed to provide clarity on Protection System redundancy
requirements, based on the relationship between performance of the Protection System and the
performance of the BES. The approach introduced in this paper moves away from a prescriptive
3
IEEE Standard C37.100-1992.
4
NERC Planning Standard, Section III – System Protection and Control, September 1997

requirement based on a certain class or category of Protection Systems for specific voltage levels
or generation amounts.
Local redundancy of components plays a major role in elevating the reliability of Protection
Systems; however, it is not the only mitigation that can be used to improve the reliability of
Protection Systems. Remote Protection Systems may provide adequate Protection System
reliability in some situations, provided that remote protection can detect faults and provide
clearing times that meet performance requirements. It is the task of the protection and the
planning engineers to determine the proper solution for each element (lines, buses, transformers)
and in most situations, there may not be any change required to the Protection Systems that are
currently installed. New and existing Protection Systems need to be examined and upgraded
when they lack the performance necessary to maintain an adequate level of BES reliability.
2. Protection System Reliability

2.1 Dependability and Security
There are two facets to Protection System reliability; dependability and security as defined by
IEEE standard C37.100–1992 and are shown below:
• Dependability — “The facet of reliability that relates to the degree of certainty that a relay
or relay system will operate correctly.” For purposes of this paper, dependability is a
measure of the degree of certainty that a protective system will operate correctly when
required, and at the designed speed. Dependability is a concern when a fault occurs within
the protected zone.
• Security — “That facet of reliability that relates to the degree of certainty that a relay or
relay system will not operate incorrectly.” For purposes of this paper, security is a measure
of the degree of certainty that a Protection System will not operate incorrectly or faster than
designed. Security is a concern for external faults and normal (unfaulted) operating
conditions.
Protection Systems must be fundamentally designed to be both dependable and secure because it
is presumed that components of the Protection System can sometimes fail. Overall design must
strike a balance between dependability and security.
To illustrate the concept of a dependability-based failure, refer to Figure 2–1. Dependability
based Protection System failures can result in longer fault clearing times and isolation of
additional elements of the electric system. The relay at Sub 2 on Line 1 has failed and cannot

operate to clear the fault. Backup and time delayed relaying will be required to clear this fault
and the loss of the generator is inevitable. Relaying at Sub 3 and Sub 4 will need to sense the
fault and operate. This gets more difficult as the apparent impedance from the sensing relay to
the fault gets larger and in some situations the remote relays will operate sequentially or may not
operate at all.
Figure 2-1 — Dependability-Type Failure (no trip) of a Protection System

In contrast, security-based Protection System failures can result in isolation of additional
elements of the electric system as shown in Figure 2–2, but typically do not result in increased
fault clearing time. In the last few years major system disturbances have been associated with
both dependability and security based Protection System failures. However, this generally
removes additional power system elements from service to clear the fault.
While redundancy reduces the probability of a dependability-based Protection System failure, it
also increases the probability of a security based Protection System failure. Multiple Protection
Systems provide a greater opportunity for an errant operation during a fault. For this reason,
Protection System designs must provide a balance between dependability and security.

Figure 2–2 — Security-Type Failure (overtrip) of a Protection System
2.2 Need for Protection Reliability

The electric system network designs are planned and constructed to limit failure modes and
equipment damage, and thereby enhance overall system reliability. The electric system is
designed to balance performance and minimize the total transport cost of energy, which requires
balancing of initial capital costs and long-term maintenance costs with the potential cost impact
of a Protection System failure.
The design of Protection Systems must consider redundant components as a means to increase
protection reliability, to minimize the impact of failures and allow the protection of an element to
be returned to an acceptable level of performance and reliability. When a critical element of the
electric system fails, the result can be catastrophic if additional equipment and Protection
Systems are not available to minimize the impact. Electric system elements can be damaged,
customer loads interrupted, instability on the grid can arise, and, in the worst case, blackouts can
occur. Some equipment can require long lead times to repair or replace and electric system
restoration can be time consuming if repair or replacement equipment is not readily available.
The power industry uses a practice of having redundant equipment available to quickly isolate
problems, and spare equipment to return the electric system to normal operation. The application
of breaker failure schemes with breaker-and-a-half, double-breaker lines, or main and transfer
buses is an example of this. These designs utilize redundant or backup breakers to isolate the
fault, and if one of the breakers is damaged and cannot quickly be retuned to service, it can be

isolated and the alternate breaker or bus can be used to restore the electric system to stable
operation.
It is not economically feasible to design an electric system to withstand all possible equipment
failures and abnormal operating conditions. Therefore, all electric systems must deploy highly
reliable Protection Systems that can quickly detect abnormal conditions and take appropriate
actions to ensure removal of electric system faults. Protection System reliability is normally
achieved by designing Protection Systems with adequate redundancy of equipment and
functional adaptability to minimize single component failures, such as automatically decreasing
the zone 2 timer for loss of a Protection System communication channel.
2.3 Protection System Redundancy

A fundamental concept of Relay Terminology
redundancy is that Protection Most Elements on the bulk power system are protected by
multiple Protection Systems and the names applied to the
Systems need to be designed such multiple protection systems include: Primary, Secondary,
that electric system faults will be Backup, Local Backup, Remote Backup, System A and B,
System 1 and 2.
cleared, even if a component of the
This paper refers to paired relaying systems as primary and
Protection System fails. secondary, #1 and #2, and A and B. Each of these
Redundancy is a system design that systems must meet the performance requirements, such as
minimum clearing times, but may have different operating
duplicates components and/or principals and equipment. For example, if high speed
systems to provide alternatives in operation and sensing on 100 percent of the line is needed,
both paired relaying systems are required to provide this
case one component and/or system type of performance.
fails. “Redundancy,” in the context Backup relaying provides a different role than paired
of this paper, further specifies that relayed systems and usually has less speed and maybe
less selectivity. In this paper, the term backup relaying
the fault clearing will meet the refers to protection that is installed to operate when paired
system performance requirements relaying systems are not available and can be located
locally or remotely.
of the NERC Reliability Standards.
Redundancy means that two or more functionally equivalent Protection Systems are used to
protect each electric system element. Redundancy can be achieved in a variety of ways
depending on the performance required and the infrastructure available. In some cases
redundancy means that there are two locally independent Protection Systems that have no
common single points of failure. This solution is usually applied when performance requires
high-speed isolation of faults, or if the electric system cannot withstand longer fault clearing
times and/or over-tripping for Protection System failures. When time delayed clearing of faults
is sufficient to meet reliability performance requirements, owners may deploy one primary and

one remote or local backup system to meet reliability levels. Owners often refer to these systems
as primary and secondary or backup systems. In both cases, the Protection Systems must
operate and clear faults within the required clearance time to satisfy the proposed
performance requirements (see section 4.0).
Figure 2–3 shows a simple non-redundant Protection System and Figure 2–4 shows a fully
redundant Protection System. It should be noted that the single Protection System shown in
Figure 2–3 could be sufficient to maintain reliability if there are sufficient remote backup
Protection Systems that can operate to isolate the fault and maintain reliability.
Figure 2–3 — Non-Redundant Protection System

------------------ DC CONTROL CIRCUITRY ------------------
STATION DC Fuse
Other
SOURCE Contacts
Fuse
Auxillary
Other Relay #1
Fuse Contacts
AC Current AC Current DC Main 1 Protective

PS
Source #2 Source #1 Tranmission Line Breaker Relay #1
Local
Breaker To Remote
Substation
Substation
Auxillary Breaker
Fuse
AC Voltage Source #2 Relay #1 Trip Coil #1
AC Voltage Source #1
Fuse
Communication Fuse
Channel #1
Protective (to Remote
Relay #1 Substation) Fuse
Other
Contacts
Protective Communication Fuse

Relay #2 Channel #2 Auxillary
(to Remote Other Relay #2
Substation) Fuse Contacts
DC Main 2 Protective
PS
Breaker Relay #2
Auxillary Breaker
Fuse
Relay #2 Trip Coil #2
Fuse
Fuse
SIMPLIFIED ONE LINE WITH RELAY INPUT/OUTPUTS SIMPLIFIED DC SCHEMATIC FOR RELAY AND BREAKER
Figure 2–4 — Fully Redundant Protection System

The following are some examples of redundant protection applications.
• Multiple Protection Systems of similar functionality (tripping speeds) may be used to satisfy
the performance requirements. For example, when high-speed clearing is required, the use of
a current differential scheme with a Permissive Overreach Transfer Trip (POTT) or
Directional Comparison Blocking (DCB) scheme as a second scheme can provide the
necessary redundancy.
• Multiple Protection Systems with varying functionality may be used if one system has
functionality in excess of what is needed to satisfy the performance requirements. For
example, the Protection Systems may consist of one pilot Protection System (for high speed
clearing of the entire circuit), with a second system using stepped-distance non-pilot
protection, if the stepped-distance system itself meets the requirements to satisfy the
performance requirements.
• Separate Protection Systems of varying functionality can be used where one system is
enabled upon failure of the other system. For example, high-speed overcurrent relays that are
enabled upon loss of a pilot communication system may be used if the overcurrent relays
satisfy the performance requirements. However, this application method may introduce a
possibility of over tripping due to the failure of the pilot scheme. Both failure modes must be
checked to assure that they meet performance requirements.
• Local or remote backup protection may be used to satisfy redundancy, where the backup
protection itself satisfies the reliability performance requirements.
3. Reliability of the Bulk Electric System

The reliability performance design requirements of the electric system are defined by the NERC
TPL standards for the planning horizon. That performance is based on various criteria that
determine acceptable conditions for BES performance under system normal conditions and after
various system contingencies.
NERC has also published a document that explains the concept of Adequate Level of Reliability
(ALR)5 across all planning and operating horizons, allowing various standards to reference and
use common concepts to determine reliability performance requirements. The adequate level of
reliability centers on the following criteria:
• The System remains within acceptable limits;
5
“Characteristics of a System with an Adequate Level of Reliability,” approved by the NERC Board of Trustees in
February 2008, and filed with the FERC.

• The System performs acceptably after credible contingencies6;
• The System limits instability and cascading outages;
• The System’s facilities are protected from severe damage; and
• The System’s integrity can be restored if it is lost.
To ensure that Protection Systems installed on the electric system meet those tenets, the
approach introduced in this paper requires Protection Systems to be designed such that no single
Protection System component failure would prevent the BES from meeting system performance
requirements in the NERC Reliability Standards.
• This Technical Paper is devoted to the methods for evaluating the application of Protection
System redundancy and its resultant impact on BES performance for faults occurring starting
from electric system normal conditions (planned peak load conditions with all lines in
service, typical generation dispatch, typical interchange, and typical switching
configuration). The need for redundancy is determined by examining Protection System
performance in light of Protection System element failures and whether or not the resultant
BES performance is acceptable to meet the proposed performance requirements (see Section
4.0 of this document).
This paper does not cover all aspects of Protection System reliability. For example, it does not
prescribe methods for setting the Protection System or the application of remote backup
protection, and does not address the potentially special protection needs of circuits that are part
of the “cranking path” for power system restoration.
3.1 2002 NERC Planning Standards

The current NERC Planning Standards (TPL-001 through TPL-004) were developed as part of
the “Version 0” standards in 2002. Those standards are soon to be consolidated into a single
standard that refines the categories of contingencies, applicable conditions, and performance
requirements. Changes under consideration include more prescriptive information regarding
how Protection Systems are to be considered. The Version 0 planning standards did not consider
Protection System failures for normal operation of the electric system, and separated outages and
conditions into four categories which are paraphrased below.
Category A — No Contingencies (all facilities in service)
• Facility rating must be maintained (thermal and voltage)
• The system must remain stable
6
Beyond the scope of this document.

• No Loss of demand or firm transfers allowed
• No Cascading allowed
Category B — Event resulting in the loss of a single element
A category B event can be a single-line-to-ground or three-phase fault with the Protection System
operating normally, with normal or designed clearing times. The transmission system is required to
remain stable with all equipment loaded to within its applicable operating limits, and with no load
shedding or cascading outages.
• No Loss of demand or firm transfers allowed
Category C — Events resulting in the loss of two or more elements.
A category C event can be a single-line-to-ground fault on a bus section or a breaker failure with the
Protection System operating normally, with normal or designed clearing times. It also can be
independent events when single-line-to-ground or three-phase faults occur on multiple elements with
time for manual system adjustments between events, or a single-line-to-ground fault with a Protection
System failure. In this case, some controlled load shedding is acceptable. Acceptable system
performance requires that:
• Only Planned or Controlled Loss of demand or firm transfers allowed
Category D — Extreme event resulting in two or more elements removed or cascading out of service
A category D event can be a catastrophic failure of a piece of equipment or a three-phase fault
preceding a breaker failure with a Protection System failure.
• Loss of Customer Demand and Generation may occur
• The system is not required to return to a stable operating point
Breaker Failure and Delayed Clearing

3.2 Clearing Times According to the NERC Glossary of Terms, Delayed
Fault Clearing is defined as “Fault clearing consistent
The planning engineer typically with correct operation of a breaker failure protection
considers three levels of Protection system and its associated breakers, or of a backup
protection system with an intentional time delay.”
System performance: Normal Clearing
For purposes of this paper, delayed clearing times are
Time, Breaker Failure Clearing Time, differentiated into the two components of that definition.
and Delayed Clearing Time. In the This section describes the differences.
planning standards, the performance For example, zone 2 clearing for a line end fault would
be considered normal clearing when the line is protected
requirements vary based on the combined by stepped-distance protection, but would be considered
probability of an electric system event delayed clearing when the line is protected by high-
speed pilot protection with stepped-distance protection
as backup if the high speed scheme did not operate.

occurring, and the level of Protection System performance under consideration.
Categories A and B in the 2005 Version 0 Standards consider that the Protection System operates
normally. Category C considers breaker failure and some delayed clearing times due to
Protection System failure. Category D takes in account multiple contingencies including breaker
failure and Protection System failure. The planning engineer must consult with the protection
engineer to correctly model the Protection System performance in those system studies.
3.2.1 Normal Clearing Time

Normal clearing time is a Protection System mode of operation that does not take into
consideration Protection System failure, and assumes that the Protection System is
fully functional and will operate as designed and intended. Normal clearing time for
the Protection System is based on the time in which each Protection System
component is expected and designed to operate. For example, a communication aided
Protection System is design to provide instantaneous operation (without intentional
time delay) for all faults on the line. The normal clearing time for this example might
be 4 cycles (2 cycles for relay time and 2 cycles for breaker time). Fault location
must also be considered in determining worst case clearing times. For example if a
line is protected by step distance protection (non-pilot), faults at the end of the line
would be cleared by time delayed relaying and the normal clearing time for this fault
might be 22 cycles (2 cycles for relay time, 18 cycles for intentional time delay, and 2
cycles for the breaker).
3.2.2 Breaker Failure or Stuck Breaker Clearing Time

Breaker Failure clearing time is a mode of operation that considers the Protection
System to be fully functional and will operate as designed and intended. However, it
also considers that a breaker needed to isolate the fault failed to operate (remained
closed or stuck). Planning engineers determine the critical clearing time for stuck
breaker and/or breaker failure conditions. The protection engineer will account for
this time when designing the breaker failure relaying protection. For example, the
planning engineer might determine that the critical breaker failure clearing time is 12
cycles and this might result in the protection engineer setting the breaker failure timer
at 8 cycles (2 cycles for relay time, 8 cycles for the breaker failure timer, and 2 cycles
for breaker tripping). In some cases the protection engineer may determine that the
critical clearing time cannot be achieved without compromising security of the
Protection System. In such cases, the planning engineer must design the electric
system around this constraint (e.g., installing two breakers in series to eliminate the

breaker failure contingency or constructing additional transmission elements to
improve system performance, thereby increasing the critical clearing time).
3.2.3 Delayed Clearing Time

Delayed clearing time is a mode of operation that is a result of a Protection System
failure to trip the breaker directly and/or initiate breaker failure logic. If a Protection
System fails to clear the fault or initiate breaker failure, other relaying, locally or
remote, will need to operate.
The protection engineer will need to closely examine all protection schemes locally
and remotely to determine how Protection System failures will be mitigated. The
worst case situation is that the Protection System failure did not trip or initiate breaker
failure protection. However, certain failure modes could delay the initiation of
breaker failure but not the transfer trip from the remote terminal. Only certain
component failures are proposed for consideration and only these failures need to be
studied and each component failure might provide different delayed clearing times.
A Protection System failure might result in local or remote relays operating and,
based on the particular substation, this could significantly extend clearing time.
3.2.4 Planning Standard Development

The revised planning standard presently under development7 provides for event
categories (P1 through P7) based on single or multiple contingencies, and has
differing performance requirements for steady-state and dynamic (stability)
conditions. P5 is the category that considers Protection System failure during a fault.
The proposed revision of the TPL standard uses two tables for the steady-state and
stability performance requirements (paraphrased below from the draft TPL standard).
Table 1 - Steady-State Performance
1. Facility Ratings shall not be exceeded. Planned system adjustments are
allowed to keep Facilities within the Facility Ratings, unless precluded in the
Requirements, if such adjustments are executable within the time duration
applicable to the Facility Ratings.
2. System steady state voltages and post-transient voltage deviation shall be
within acceptable limits established by the Planning Coordinator (or
Transmission Planner if more restrictive).
7
See the Standards portion of the NERC website at: http://www.nerc.com/page.php?cid=2|247|290

3. Voltage instability, cascading outages, and uncontrolled islanding shall not
occur.
4. Consequential Load and consequential generation loss is allowed, unless
precluded in the Requirements.
5. Simulate the removal of all elements that Protection Systems and controls are
expected to disconnect for each event.
6. Simulate Normal Clearing times unless otherwise specified.
Table 2 - Stability Performance
1. The System shall remain stable.
2. Dynamic voltages shall be within acceptable limits established by the
Planning Coordinator or Transmission Planner (if more restrictive)
3. Uncontrolled islanding and cascading outages shall not occur.
4. Simulate the removal of all elements that Protection Systems and controls are
expected to disconnect for each event.
5. Simulate Normal Clearing times unless otherwise specified.
4. Proposed Protection System Reliability (Redundancy)

Requirements
Protection System reliability must support the overall reliability requirements of the Bulk
Electric System. The approach introduced in this paper establishes a Protection System
Reliability (Redundancy) requirement in keeping with the tenets of Adequate Level of Reliability
(ALR). Since the planning standards define the reliability performance to which the BES should
be designed, those requirements can, in turn, be used to establish performance requirements for
the reliability of Protection Systems. The approach introduced in this paper addresses the
planning standard performance requirements that pertain to or rely on Protection System
performance.

The approach introduced in this Proposed Requirement
paper may appear to raise the For system normal pre-fault system conditions, the Protection
Systems must clear all single-line-to-ground and multi-phase
design requirements of all faults in a clearing time such that:
Protection Systems; however, it 1. System steady state voltages and post-transient voltage
deviations shall be within acceptable limits established by
only applies to those Protection the Planning Coordinator (or Transmission Planner if more
Systems for which a failure restrictive).
causes the BES performance to 2. Facility Ratings shall not be exceeded.

violate one of the four 3. The system must remain stable.
requirements above. In many 4. The protection system must not trip system elements
beyond those associated with the designed backup
situations, the Protection protection (local or remote), not including possible UFLS or
Systems already employs UVLS operation.
sufficient redundancy and will NOTE: The proposed requirement is intended to mimic the
performance requirements of the TPL standards. The TPL
not need to be upgraded or
Standards should be the defining document for codifying the
changed. In some other performance testing.
situations, where the Protection
System is not redundant, backup or remote relaying may be sufficient with no upgrades or
changes needed because Protection System failures do not result in violation of the BES
performance requirements specified in the TPL standards.
The approach introduced in this paper may raise Protection System design requirements for some
by calling for the examination of system performance in conjunction with specific levels of
Protection System performance. It then requires mitigation for those conditions where
Protection System component failures result in violation of the BES performance requirements.
4.1 Evaluating BES Performance

BES performance must meet the performance requirements specified in the TPL standards when
a single component failure occurs within the Protection System. When a single component
failure mode will prevent meeting the BES performance defined in the TPL standards, either the
Protection System or the electric system design must be modified.
Providing Protection System redundancy is one method for ensuring that the BES meets the
performance requirements of the TPL standards. Some examples are provided below to guide
the application of the Protection System Reliability Standard.

Figure 4–1 — Acceptable Delayed Clearing Example
1. Refer to Figure 4–1 — A power grid element (Line 1) requires a critical clearing time
(for stability) of 50 cycles, and the element is protected by a single local pilot aided
Protection System. Remote backup is available at Sub 3, Sub 4, and Sub 5 which will
clear all faults on the element within 40 cycles. Therefore, a failure of the local
protection on the element will not violate BES performance requirements (for voltage,
facility ratings, or stability), and local redundant protection is not necessary; the remote
backup protection provides the necessary reliability. Figure 4–1 illustrates what would
happen for a non-redundant Protection System failure at Sub #1 for a fault on Line #1.
2. Refer to Figure 4–2 — A power grid element (Line 1) requires a critical clearing time of
20 cycles and the remote backup is capable of clearing faults for this element in 30 to 60
cycles. The local Protection System has various single points of failure that will require
the remote backup schemes to clear the power grid element resulting in an unstable
system. This is an infraction of the “System Must Remain Stable” performance
requirements in the TPL standards. However, the failure must be tested for post transient
voltage violations and facility rating violations also. The approach introduced in this
paper would require the Protection System to be modified so that single component
failures do not result in a violation of the BES performance requirements in the TPL
standards. The Protection Engineer would then need to review the other proposed
requirements (see Section 5) to make appropriate changes to the Protection System.

Figure 4–2 — Unacceptable Delayed Clearing Example
3. A transmission line at a generating plant requires the isolation of faults in a critical
clearing time of 9 cycles (3 cycles plus breaker failure clearing time of 6 cycles). This
example requires high-speed clearing (communication-aided relaying systems) to meet
the 3-cycle clearing time and a breaker failure scheme capable of 6 cycle delay in order to
meet the BES performance requirements of the TPL standards. In this case, no time-
delayed backup system (either local or remote) can satisfy the 3-cycle requirement and
violations could occur to facility ratings, stability, and post transient voltage violations at
remote busses. The approach introduced in this paper would require redundant pilot
relaying systems, (see Section 5), to assure that faults are detected and cleared within 9
cycles, even with a failed breaker or primary Protection System failure.
4. A line at a generating plant has a critical clearing time of 4 cycles, where breaker failure
following an operation of a high-speed relaying system would result in system instability
which is a violation of the BES performance requirements of the TPL standards. In this
case, it may be necessary to add a redundant (series) breaker to meet the BES
performance requirements in addition to other redundant protection as described in the
third example above.

4.2 Development of a Testing Methodology to Determine the Need for
Redundancy
The protection and planning engineers must work collaboratively to determine the need for
Protection System redundancy. Portions of that process may be performed in parallel and may
be iterative in nature.
Roles of the Protection and Planning Engineer
• The protection engineer’s role is to determine the performance of the Protection System
through analysis of its failure modes and determine the operating times of the relaying.
• The planning engineer’s role is to determine if the clearing times provided by the protection
engineer satisfy the system performance requirements through transmission planning studies.
From the general discussion in Section 4.1, the following testing methodology has been
developed for assessing compliance with the BES performance requirements of the TPL
standards The order of these tests can be varied.
Methodology
• Determine Redundancy of the Protection Systems — Examine the Protection System for
redundancy of the following components - AC Current Source, AC Voltage Source,
Protective Relay, Communication Channel, DC Circuitry, Aux Trip Relay, Breaker Trip
Coil, and Station DC Source. If the owner has determined that the listed components are
redundant, no further action is needed except documentation.
• Ascertain the Performance of
Worst Case Fault Test
the Protection Systems —
The term ‘worst-case fault’ implies one of the four classical fault
Based on the determined types – line to ground, line to line to ground, line to line, and
three phase – with the location of the fault being placed where
redundancy of the Protection
it results in the worst electric system performance. This fault
System, determine the Protection may not be coincident with the location where a fault is hardest
to detect or creates the longest clearing time for the local or
System performance for a failure
remote backup protection system(s). The worst case fault
of each component listed above, typically must be identified through a collaborative effort
between the planning and protection engineers.
or determine the worst case
clearing time for Protection To minimize the effort, conservative assumptions regarding
fault clearing time may be made initially. When system
System failure. performance evaluated in the planning study meets the TPL
standards’ performance requirements no refinements to the
• Compare BES Performance initial assumptions are required. When system performance
with Required Performance — does not meet the TPL standards’ performance requirements,
the initial assumptions must be refined and the system
Determine if the clearing times performance re-evaluated. This iterative process continues
determined meet the BES until system performance meets the TPL standards’
performance requirements with conservative assumptions or
the worst fault location has been identified and evaluated using
actual clearing times.

performance requirements listed in the TPL standards.
• Mitigate all Violations — Modify the electric system or Protection System design to
eliminate any conditions identified for which the BES performance violates the requirements
in the TPL standards.
These steps should be repeated whenever Protection Systems or electric systems are modified in
some manner which changes the BES performance; such cases must be reviewed to assure that
the BES still meets the performance requirements specified in the TPL standards.
4.2.1 Determine Redundancy of the Protection System

The protection engineer will need to examine the following components - AC Current Source,
AC Voltage Source, Protective Relay, Communication Channel, DC Circuitry, Aux Trip Relay,
Breaker Trip Coil, and Station DC Source. Each component should be examined to determine
how the failure would impact operation of the Protection System.
Consider the two examples below. The first is an example of a non-redundant Protection System
with possible solutions for component failures. The second is an example for a fully redundant
Protection System.
Figure 4–3 — Example 1 – Study of Protection System Reliability for Non-

Redundant Systems

The following table is a non-exclusive list of possible impacts of dependability –based Protection
System component failures or removal of components from service during a fault.
Table 4–3 — Example 1 – Study of Protection System Reliability for Non‐Redundant Systems
Component Possible Impacts Solutions
1. Add redundant AC current input
Loss of AC current input to the protective and an additional relay or
relay usually disables the ability of the 2. Verify that time delayed remote
AC Current Source
Protection System to sense faults which clearing does not violate the BES
would result in delayed clearing times. performance requirements of the
TPL standards. standard)
Loss of AC voltage input to the protective
1. Add redundant AC voltage input
relay can disable the ability of the Protection
and an additional relay or
System from sensing some faults. A high
2. Verify that time delayed remote
AC Voltage Source speed current‐only relay will not be impacted
clearing does not violate the BES
by this failure and clearing times will depend
performance requirements of the
on application. Worst case scenarios require
TPL standards.
delayed clearing times to be considered.
1. Add redundant relay or
Loss of protective relay means that faults can 2. Verify that time‐delayed clearing
Protective Relay not be cleared locally which would result in does not violate the BES
delayed clearing times. performance requirements of the
TPL standards.
1. Add redundant communication
Loss of the communication channel of the channel and possibly additional
Protection System usually requires delayed relay and communication
Communication clearing times for some faults on the equipment or
channel transmission line (i.e. near the remote 2. Verify that time delayed clearing
terminal). Worst case scenarios may require does not violate the BES
delayed clearing times be considered. performance requirements of the
TPL standards.
Loss of DC circuitry will depend on what
1. Add additional DC circuits and
components are disabled. If multiple
separate critical components or
components are impacted by the loss of a
schemes or
single circuit the entire Protection could be
DC Circuitry 2. Verify that time delayed remote
disabled. It could be possible that impact to
clearing does not violate the BES
the Protection System could be minimal.
performance requirements of the
However, worst case scenarios may require
TPL standards.
remote delayed clearing times be considered.

Table 4–3 — Example 1 – Study of Protection System Reliability for Non‐Redundant Systems
Component Possible Impacts Solutions
Loss of auxiliary tripping relays may impact
the Protection System from providing a high
speed trip, and may not prevent the 1. Add additional auxiliary relays or
protection System from initiating breaker 2. Alter the scheme to provide
failure protection. The result might be a parallel tripping paths or
Auxiliary Tripping
clearing time that is longer than normal 3. Verify that time delayed remote
Relay
clearing times but less than delayed clearing clearing does not violate the BES
times. Worst case scenarios may require performance requirements of the
delayed clearing times be considered if TPL standards.
breaker failure is initiated by the auxiliary
relay.
1. Add additional trip coil on a
Loss of the breaker trip coil will cause the separate DC circuit or
breaker failure scheme to operate. If breaker 2. Provide breaker fail and remote
failure logic does not include removal of all clearing for faults or
Breaker Trip Coil
sources remote relaying may be needed to 3. Verify that time delayed remote
isolate the fault. Worst case scenarios may clearing does not violate the BES
require delayed clearing times be considered. performance requirements of the
TPL standards.
1. Add continuous and reported
Loss of the DC source prevents any relaying monitoring
from operating at the station. Therefore, 2. Add another DC source
Station DC Source remote backup clearing times must be 3. Verify that time delayed remote
determined and compared against the critical clearing does not violate the BES
clearing time for a fault at that station. performance requirements of the
TPL standards.

------------------ DC CONTROL CIRCUITRY ------------------
STATION DC Fuse
Other
SOURCE Contacts
Fuse
Auxillary
Other Relay #1
Fuse Contacts
AC Current AC Current DC Main 1 Protective

PS
Source #2 Source #1 Tranmission Line Breaker Relay #1
Local
Breaker To Remote
Substation
Substation
Auxillary Breaker
Fuse
AC Voltage Source #2 Relay #1 Trip Coil #1
Fuse
Communication Fuse
Channel #1
Protective (to Remote
Relay #1 Substation) Fuse
Other
Contacts
Protective Communication Fuse

Relay #2 Channel #2 Auxillary
(to Remote Other Relay #2
Substation) Fuse Contacts
DC Main 2 Protective
PS
Breaker Relay #2
Auxillary Breaker
Fuse
Relay #2 Trip Coil #2
Fuse
Fuse
SIMPLIFIED ONE LINE WITH RELAY INPUT/OUTPUTS SIMPLIFIED DC SCHEMATIC FOR RELAY AND BREAKER
Figure 4–4 — Example 2 – Study of Protection System Reliability Redundancy for

Redundant Systems

The following table is a non-exclusive list of possible impacts of dependability-based Protection
System component failures or removal of components from service during a fault.
Table 4–4 — Example 2 – Study of Protection System Reliability Redundancy
for Redundant Systems
Component Possible Impacts Solution
Fault clearing is not impacted by the loss of
No immediate action needed. Repair or
AC Current single AC current input. Redundant AC current
replacement must be made as soon as
Source sources provide functionally equivalent
possible.
protection.
Fault clearing is not impacted by the loss of
AC Voltage single AC voltage input. Redundant AC voltage
Source sources provide functionally equivalent
possible.
protection.
Fault clearing is not impacted by single relay No immediate action needed. Repair or
Protective
failure. Redundant relay provides functionally replacement must be made as soon as
Relay
equivalent protection. possible.
Fault clearing is not impacted by single
Communication communication channel failure. Redundant
channel communication channels provide functionally
possible.
equivalent protection.
Fault clearing is not impacted by loss of a single No immediate action needed. Repair or
DC Circuitry DC circuit. Redundant DC circuits provide replacement must be made as soon as
functionally equivalent protection. possible.
Fault clearing is not impacted by single
Auxiliary auxiliary relay failure. Redundant auxiliary
Tripping Relay relay provides functionally equivalent
possible.
protection.
Fault clearing is not impacted by loss of single No immediate action needed. Repair or
Breaker Trip
trip coil. Redundant trip coil relay provides replacement must be made as soon as
Coil
functionally equivalent protection. possible.
1. No immediate action needed. Repair
Failure of one of the redundant DC sources
or replacement must be made as
Station DC does not impact fault clearing times.
soon as possible.
Source
Failure of the single, fully monitored DC source 2. Take appropriate operator action and
will impact fault clearing times. emergency repairs must be made.
4.2.2 Determining Performance of the Protection System

The protection engineer can determine the performance of the Protection System by analyzing
failure modes of the Protection System components and the resulting Protection System
operating time. The clearing times should be categorized for the three performance categories:
Normal Clearing Times, Breaker Failure Clearing Times, and Delayed Clearing Times. The

definition of these times are shown and discussed in Section 3 above. The protection engineer
will document the operating times of the Protection Systems for all elements and then provide
the planning engineer with these operating times to permit the planning engineer to determine
BES performance based on case studies. Consider the example below.
GEN
Breaker
GEN
Bus 1 Breaker Breaker Relay
21 22 F4 GEN
Breaker Breaker
23 24
EQUIV.
Remote Breaker Line 1
Breaker 12
Bus 2
Remote Relay Relay
Relay 1a F1 1a
Sub 2
Sub 1
Breaker Breaker F5 Sub 3
25 26
Line 2 Breaker
EQUIV.
31
Relay Relay
2a F2 2a
Operate Times Relay Relay
F3 2b 2b
Normal Relay Time = 2 cycles
Breaker Breaker
Breaker Time = 2 cycles 27 28
Breaker Failure Timer = 10 cycles Line 3 Breaker

EQUIV.
41
Backup Zone 2 Relay Time = 20 cycles
Backup Zone 3 Relay Time = 60 cycles Relay
3a F6 Relay
3a
Sub 4
Figure 4–5 — Example 3 – Determining Protection Systems Performance
The following table is a non-exclusive list of possible clearing times of Protection Systems listed
in the examples above.
Table 4–5 — Example 3 – Determining Protection Systems Performance
(times are typical and will vary for each application)
Does the
Protection Worst Case Clearing Time
Fault Normal Clearing Breaker Failure
System have for Protection System
Loc. Time Clearing Time
single points of Failure
failure?
Sub 1

F1
BKR 12 Remote Bus
BRK 12 = 14 cycles YES
RLY 1a = 4 cycles Remote Relay = 22 cycles


Table 4–5 — Example 3 – Determining Protection Systems Performance
Does the
Protection Worst Case Clearing Time
Fault Normal Clearing Breaker Failure
System have for Protection System
Loc. Time Clearing Time
single points of Failure
failure?
Sub 2
Sub 2
GEN RLY = 62 cycles
F1 Sub 3
(cont.) BKR 23&24 BKR 23 = 14 cycles RLY 2a = 62 cycles
YES
RLY 1a = 4 cycles BKR 24 = 14 cycles RLY 2b = 62 cycles
Sub 4
RLY 3a = 62 cycles

Sub 2
BKR 25&26 Sub 2
RLY 2a = 4 cycles BKR 25 = 14 cycles
NO BKR 25&26
BRK 26 = 14 cycles
RLY 2b = 4 cycles RLY 2a or 2b = 4 cycles
F2
Sub 3
BKR 31 Sub 3
RLY 2a = 4 cycles BRK 31 = 14 cycles NO BKR 31
RLY 2b = 4 cycles RLY 2a or 2b = 4 cycles
Sub 2
Sub 1
RLY 1a = 62 cycles
BKR 21 = 14 cycles Sub 2
F3 BKR 21, 23, 25, BKR 23 = 14 cycles GEN RLY = 62 cycles
YES
& 27 = 4 cycles BKR 25 = 14 cycles Sub 3
BKR 27 = 14 cycles RLY 2a or 2b = 62 cycles
Sub 4
RLY 4a = 62 cycles
4.2.3 Compare BES Performance with Requirements of the TPL Standards

The BES performance must meet the performance expectations of the TPL standards for the
specified level of Protection System performance. In some situations the planner has already

determined the critical clearing time for a fault. Fault clearing times in the range of 5 to 20
cycles will probably require full redundancy of the local Protection Systems. Fault clearing
times that are longer than 20 cycles could provide the owner with the option of using remote
backup protection to clear the fault. This over-tripping must also be examined to determine if
there is any violation of the TPL standards’ performance requirements. Prior to the 2005
Version 0 standards, planners tested the system for Normal and Breaker Failure clearing times
and did not test for delayed clearing times because that was considered an extreme event.
Table 4.6 is a comparison of the relay performance clearing times and the acceptable system
clearing times from the examples above. It should be noted that the critical clearing time is not
met for the case with Protection System failure; an alternate designed would be required.
Table 4.6 — Acceptable Clearing Times
Actual Clearing Critical Clearing Violation of TPL‐
Line 1 – Fault F1
Time Time Standards
Normal Clearing Time 4 cycles 5 Cycles None
Breaker Failure Clearing Time 14 cycles 15 Cycles None,
Time Delayed Clearing Time‐ Protection
62 cycles 22 cycles Stability
System Failure
4.2.4 Mitigate All Violations of the TPL Standards

The planning engineer with support from the protection engineer can determine if the
performance of the BES meets the performance requirements of the TPL standards for the
specified level of Protection System performance. The performance of the Protection System is
directly related to the failure of the various components. If a Protection System is fully
redundant, no single protection component failure can impact the performance of the Protection
Systems. However, if all components are not redundant, then some component failures can
result in slower Protection System operation, potentially causing the performance of the BES to
violate the TPL standards’ performance requirements.
If a component failure prevents the Protection System from providing the required critical
clearing time, then two options are available.
• Providing local redundancy can mitigate the Protection System component failures. This
effectively makes the Protection System meet its designed operating time even when
experiencing a single component failure. This could mean adding another AC Current

Source, AC Voltage Source, Protective Relay, Communication Channel, DC Circuitry, Aux
Trip Relay, Breaker Trip Coil, or Station DC Source. Later sections will go into these
descriptions in more detail.
• The protection engineer can assess the potential for improving the delayed clearing time from
the remote backup protection and provide these revised values to the planner. The planning
engineer can restudy this condition and determine if the BES performance meets the
performance requirements of the TPL standards.
Planning engineers do not typically perform studies to identify delayed clearing times because
studies can be very extensive for the many different elements, clearing times, and fault locations.
However, the planning engineers do have the capability to study limiting conditions identified by
the protection engineer. With the method specified in this section, the planning engineer will not
have to run an infinite number of cases and can concentrate on the specific cases identified by
the protection engineer.
An iterative process can occur as the protection engineer determines possible delayed clearing
times and the electrical system components removed from service, and the planning engineer
assesses the resulting BES performance for comparison with performance requirements of the
TPL standards.
It will be necessary for the planning engineer and protection engineer to work collaboratively to
identify those clearing times that need to be restudied or where the Protection System needs to be
upgraded or modified to provide redundancy.

5. Protection System Components
Protection Systems are used to provide
Protection Components Addressed
protection of all electric system The legacy NERC Planning Standard III.A (1997)
elements. It is the primary job of a included a Measure specifying the need for separate AC
current inputs and separately fused DC control systems
Protection engineer to apply these if the loss of one of these elements would result in an
Protection Systems in a reliable event that did not meet system performance
requirements. The need for separate AC current inputs
manner to isolate all faults on the implies the need for separate relays and the need for
electric system. Protection Systems separately fused DC control systems implies the need
for separate trip paths including auxiliary lockout or
can be as simple as one relay that is tripping relays, if used. The old Standard IIIA also
applied to trip a breaker or very included guides regarding the use of dual trip coils and
communication systems. Recent and past Transmission
complicated and involve many System events with consequences that do not meet
functions and conditions and require modern system performance requirements have
occurred due to the failure of a single protection system
equipment to be installed at multiple component.
sites that use communication channels The list of components specified for performance tests in
to transmit data. There are some basic Section 5.0 of this technical paper were derived from the
historical standards, experience from system events,
components that make up most and the collective judgment of protection engineers
Protection Systems and these representing all the North American Reliability Regions.
The list of components is not intended to provide
components must be applied in a complete redundancy of protection system components
reliable manner. The NERC Glossary but rather provides a practical level of redundancy of
protection system components to meet the performance
of Terms lists the components of a requirements and expectations of the modern power
Protection Systems as: Protective system.
Relay, Associated Communication
System, voltage and current sensing devices, station DC supply, and DC control circuitry. The
old planning standard also made reference to these components.
This section has four goals:
• Provide explanation of the selection of Protection System component failures

• Provide explanation of the review process for each of the Protection System component
failures to determine if the approach introduced in this paper applies
• Provide examples demonstrating review of each Protection System component failure
• Provide some possible solutions that might fix a failure to comply to each of the Protection
System component failures
Proposed Requirement
Transmission Owners, Generation Owners, and Distribution
It is important to understand that Providers that own Protection Systems installed on the Bulk
an identical protective system Electric System shall assure that a failure of the following
components of Protection Systems will not prevent achieving
design installed across a power the BES performance requirements of the TPL standards. (The
system may cause different components are described in this section)

results with respect to the BES performance requirements in the TPL standards and the BES
performance required for specific single Protection System component failures - AC Current
Source, AC Voltage Source, Protective Relay, Communication Channel, DC Circuitry, Aux Trip
Relay, Breaker Trip Coil, and Station DC Source. Consider the following examples of a strong
source system with highly-concentrated generation and load (Figure 5–1) and a weak source
station where there are only two lines and there is high source impedance (Figure 5–2).
Figure 5–1 — Strong Source System One Line
Figure 5–2 — Weak Source System One Line

Most transmission owners have standard applications that are applied for bus protection. The
same identical protective scheme is used year after year for every bus protection application.
The bus standard (for example) might be one high-impedance relay with one auxiliary lockout

device. The approach introduced in this paper requires that the applicability of this design be
tested to insure that the TPL standards’ performance requirements are met for each application of
this bus protection scheme.
Example 1 – Refer to Figure 5–2, Assume that the first bus to be studied is at Sub 2. Sub 2 has
two transmission lines and a distribution transformer connected to the bus via a circuit switcher.
The protection engineer investigates the performance of the bus protection in clearing a fault on
the bus for a failure of a CT, or CCVT, or protective relay, or communications channel, or DC
control circuit, or auxiliary trip relay, or breaker trip coil, and DC source. The result is that there
is no violation of the TPL standards’ criteria for a fault on the bus and a Protection System
component failure. The remote line relays associated with the two lines at Sub 1 and Sub 3 trip
and lockout each line serving Sub 2 fast enough to meet all TPL standards’ BES performance
criteria.
Example 2 – Refer to Figure 5–1, A second bus study with an identical bus protection scheme
having three generators and ten lines on a strong source substation revealed that the TPL
standards’ criteria was violated due to low voltage and facility ratings after remote tripping
caused the lockout of the three units and seven lines.
The above example illustrates that the review process is both a detailed review of a protection
scheme on an individual application basis to determine fault clearing times for each applicable
failure mode, with a planning study for each protection review to determine if the power system
response still meets the BES performance requirements of the TPL standards for the clearing
time determined by the protection review.
Any applicable owners must assure that specific components (AC Current Source, AC Voltage
Source, Protective Relay, Communication Channel, DC Circuitry, Aux Trip Relay, Breaker Trip
Coil, and Station DC Source) failing one at a time must not violate the BES performance
requirements of the TPL standards for a worst-case fault on the facility covered by the Protection
System with the failed component. The performance or application of the breaker failure
relaying is not considered in this study. The Planning standards have maintained that the breaker
failure scheme need not be redundant. This is because breaker failure scheme is a backup to the
breaker operation. Therefore, a simultaneous breaker failure and a breaker failure scheme failure
are considered an extreme contingency.

5.1 AC Current Proposed Requirement
Source The failure or removal of any single AC current source and/or
related input to the Protection System excluding the loss of
At least two isolated and separate multiple CT secondary windings.
AC current sources (referred to Qualification: An event impacting multiple CT secondary

windings (i.e., a failure of either a complete free-standing CT or
as CT inputs) for Protection an entire bushing with multiple CTs) would be detected and
Systems are required to meet the isolated by protection that is not dependent on these CTs.
proposed requirement for CT
redundancy. Figure 5-3 shows a common arrangement that addresses the current measurement
redundancy requirement. CTs are required to provide totally separate secondary AC current
sources for each redundant Protection System. This is required so that a shorted, open, or
otherwise failed CT circuit will not remove all protection elements requiring current. Figure 5–3
below shows the use of four CTs from a breaker with bushing CTs to separate the current
measurement for the two Protection Systems for zones A & B.
Primary CT for Zone B
Backup CT for Zone B
CT-3 CT-4
ZONE A Breaker ZONE B
CT-1 CT-2
Backup CT for Zone A
Primary CT for Zone A
Figure 5–3 — Example of Redundant CTs

To assure that only one CT failure is addressed with each review, the proposed requirement
would be qualified to indicate that an event impacting multiple CT secondary windings (i.e. – a
failure of either a complete free-standing CT or an entire bushing with multiple CTs) would be
detected and isolated by protection that is not dependent on these CTs. Good engineering
practices should be followed in protection designs so that a failure of a complete free-standing
CT Column, an entire bushing of a breaker or transformer with multiple CTs would cause a fault
that would be detected and isolated by protection that is not dependent on these CTs. Some best
practices include flashover protection for a free-standing CT column, and overlapping zones of
protection for multiple CTs in adjacent or common wells.
The protective system failure of one CT circuit is a dependability type failure that makes all the
relays associated with that CT inoperable. This situation can occur for a shorted or for an open
CT circuit. The relays within this CT circuit or any auxiliary CT circuit connected to this main

CT must be considered as non-functioning. Each CT circuit must be considered to fail one CT a
time. All the Protection Systems connected directly or through auxiliary CTs must be considered
to be out of service. The worst-case fault in the protected zone must now be able to be cleared
by either local or remote protection without violating the performance requirements in the TPL
standards as introduced in this paper. The System Protection engineer will need to follow the
methodology as outlined in Section 4.2 to assess the failure of each CT.
Example 1 – An old breaker with only one three-phase set of CTs with 5/5 auxiliary CTs is
protecting a transmission line (Figure 5-4). The main CT and the auxiliary CT secondary circuits
each contain a protective scheme for the transmission line. A failure of the main CT circuit can
occur either by shorting the secondary at the breaker or at the point it enters the panel, or opening
the CT circuit anywhere. The outcome of taking this one CT failure into account is that both
transmission line relays will fail to operate for a fault on the protected line. The protection
engineer must determine the clearing time for the worst-case fault on the protected transmission
line. Typically a line end fault will result in the worst case clearing time. Note however, that a
fault location with faster clearing may result in worse system performance.
Sub 1
CT-L Sub 1 CT-B Line 1

EQUIV.
Breaker (5 miles)
Line Line
CT-AUX Relay Relay AC Voltage
5/5 Phase GND
Source
Line
Relay
Phase
Protection
Protection
System 1
Line System 2
Relay
GND
Figure 5-4 — Alternate CT Configuration with Single Point of Failure

at the Main CT
Some items to be considered are:
• Are there other local relays at the substation that will clear the fault and what is the operating
time of these relays?
• Are remote relays required to operate for this fault and what is the operating time of these
relays?

• If the local substation has many lines then remote relays may not be able to sense a line end
fault because the apparent impendence would be too great for the relay to detect.
• Sequential tripping of remote relays may be required to clear this fault.
A planning study must check to see if any violation of the BES performance requirements of the
TPL standards occurs for the worst case fault on the line. If violations occur, the owner of this
Protection System would need to find a solution for this example that will eliminate the violation
caused by one CT circuit failure.
Possible solution for this example might be the addition of a new CT into the existing breaker,
bushing slipover CTs, stand alone CT columns, or the replacement of the breaker with a breaker
having additional CTs. Each of these solutions requires that a CT be provided with appropriate
ratio, class, and thermal factor for the transmission line application.
Protective relays at the remote terminals can be adjusted or replaced so that they provide
sufficient backup clearing times to meet the BES performance requirements of the TPL
standards. If the relay reach is increased, the protection engineer should examine the relaying at
the remote sites to make sure that they meet the loadability requirements of PRC-023-1. The last
solution was presented to demonstrate that there are possible solutions other than the
straightforward CT additions.
Figure 5–5 — Redundant CT Configuration

Example 2 – A transmission line is protected by a breaker with two dedicated CTs available
(Figure 5–5) for line Protection Systems having similar functioning relays connected to each CT.
Assume for this example that each relay can provide protection of the transmission line and does

not violate the BES requirements of the TPL standards for a normal operation to clear a fault.
Failing one CT at a time will result in the same clearing times as a normal operation because the
remaining relay will not be impacted. Thus the approach introduced in this paper would not
result in any violation of its BES performance requirements in the TPL standards and the owner
of this Protection System meets the requirement for CT redundancy.

5.2 AC Voltage Source
At least two separate secondary
windings supplying voltages for The failure or removal of any single secondary AC voltage
Protection Systems are required to source and/or related input to the Protection System when
such voltage inputs are needed excluding the complete loss of
meet the proposed requirement for an entire CCVT, VT, or similar device with multiple secondary
AC voltage source redundancy windings.
when such voltage sources are Qualification: Separate secondary windings of a single CCVT,
etc, can be used to satisfy this requirement. An event
required to satisfy the BES impacting multiple AC voltage sources (i.e. – a failure of an
performance required in the TPL entire CCVT, VT, or similar element) will be detected and
isolated by other protection that is not dependent on these
standards. This is required so that voltages.
a shorted, open, or otherwise
failed voltage circuit will not remove all protection elements requiring voltage. This level of
redundancy is required only if the BES performance cannot meet the performance requirements
of the TPL standards when AC voltage is unavailable to all Protection Systems applied to the
protected zone.
Figure 5–6 below shows a potential device with two independent secondary voltage windings.
The two secondary voltage sources are utilized independently by the two protective relay
systems meeting the proposed requirement. Both Protection Systems in Figure 5–6 require
voltage measurements to perform their protective functions and must have separate secondary
sources as illustrated. The proposed requirement eliminates the possibility of a single point of
failure in the Protection Systems requiring voltage measurements to perform their intended
function. The proposed requirement does not prevent loss of voltage measurement to the
protective devices in the event of the failure of the main CCVT, VT, or similar device. Loss of
AC potential to relaying can cause the relaying to be more sensitive to remote faults and could
cause the relay system to over trip.

Figure 5–6 — AC Voltage Inputs
To minimize the effects of a failed AC voltage source, the redundant Protection System can use
protective devices that do not rely on AC voltage measurements to respond to system
disturbances. Substituting a Pilot Wire or Current Differential protective scheme for the relay 2
in Figure 5-6 would also be a method that would meet the proposed requirement without
requiring the use of the second potential secondary. To assure that only one VT winding failure
is addressed with each review, the proposed requirement would be qualified to indicate that
separate secondary windings of a single CCVT, etc, can be used to satisfy this requirement.
The protective system failure of one CCVT, VT, or similar device, creates a failure for
Protection Systems depending on Loss of Potential feature chosen. The proposed requirement is
based on the fact that potential source failures result in an increased chance of tripping without
fault or over-tripping during a fault in the area; not failure to trip. This is an additional reason
why the proposed requirement does not require multiple three-phase sets of CCVTs, VTs, or
similar devices. As discussed further below, the consequence of an over-trip will need to be
reviewed to ensure is does not cause violation of any BES performance requirements of the TPL
standards.
Each secondary voltage source failure should be analyzed to determine the Protection System
performance for the fault in the protected zone that results in the worst BES performance. The
proposed requirement of must be met unless the Protection System with the failed potential
source can still perform its intended protection function, or the local or remote Protection System
responding to the above failure has a clearing time that results in meeting all the BES
performance requirements of the TPL standards. If the relay will over-trip then the Protection
System performance should be analyzed for faults within the over-trip zone that results in the
worst electrical system performance to determine whether all the BES performance requirements
of the TPL standards will be met for the over-trip case.

Thus, one potential secondary circuit can be sufficient for a given zone of protection when both
relays for this zone require potential inputs, provided that all BES performance requirements of
the TPL standards will be met for all faults within or external to the protected zone when the
single AC voltage source fails.
The use of the Loss of Potential (LOP) feature of some relaying schemes can be utilized to
change to an alternate setting. If this alternate setting group will result in BES performance that
meets the requirements of the TPL standards then no further actions are required. This feature
can have both phase and ground non-directional overcurrent elements activate for the LOP
condition and operate at a definite time. The time might be picked to allow any high-speed
systems time to clear a fault in adjacent protection zones while operating much faster than
remote zone two timer settings. A best practice is to utilize the LOP feature to provide an alarm
to a 24/7 manned dispatch center which can initiate an investigation of the problem.
Example 1 – A transmission line has two Protection Systems and has one set of three-phase
potential devices with two secondary windings as separate sources. The failure of one secondary
potential source does not impact the operation of the overall protection of the line. Both
Protection Systems provide the same performance, so the failure of either secondary potential
source does not increase the clearing times.
Example 2 – The same Protection Systems as in the case above, but with only one secondary
winding connected to both relays. For this example, failure of the secondary potential source
removes both relays from normal operation. In this case it is required to determine whether all
BES performance requirements of the TPL standards will be met for all faults within or external
to the protected zone when the single AC voltage source fails. In this example the primary
microprocessor relay has been set to trip on special non-directional current elements that are
activated for loss of potential. The microprocessor relay is set to ensure tripping for all faults on
the protected line, which results in over-tripping for faults external to the protected line for loss
of potential. A planning study must determine that the BES performance meets all performance
requirements of the TPL standards when tripping for faults on the protected line is initiated by
the Loss of Potential feature on the primary relay, and when the Loss of Potential function on the
primary system over-trips for faults external to the protected line. Note that LOP elements area
not required to meet relay loadability requirements of standard PRC-023-1.
These examples demonstrate two of the ways that the line Protection System can be designed to
meet the requirements introduced in this paper.

5.3 Protective Relay
Each element of the electric system Proposed Requirement
must be protected by at least 2 The failure or removal of any single protective relay that is
relays. These relays can be located used to measure electrical quantities, sense an abnormal
condition such as a fault, and respond to the abnormal
at the same terminal or may be condition.
located at different terminals, but
both relays must provide the same performance and clearing times for faults on the element. The
protection engineer must examine the failure or the removal of one of these protective relays at a
time to determine if there is a violation of BES performance required by the TPL standards for
the worst case fault condition. The review process requires the removal of each local protective
relay one at a time for each protective zone to determine the clearing time provided by either
other local or remote backup protective relay schemes for the worst-case fault in that protection
zone. The second part of the review process requires a planning study be completed to
determine if any the TPL standards’ performance requirement violations occur for the clearing
time determined from the worst-case fault in the protection zone with the failed relay.
Example – Refer to the general examples in the opening paragraphs of section 5.0 (figures 5-1
and 5-2). These two examples described a bus Protection System that consisted of one high-
impedance relay and one lockout auxiliary device that were identical for two very different
applications. Both cases utilized remote backup Protection Systems to clear the worst-case bus
fault. Example 1 concludes that remote impedance relaying has a sufficient clearing time, trips
Line 1 and line 2 and will not cause any the TPL standards’ performance requirement violations.
Example 2 from Section 5 concludes that the number of system elements lost or the time
required to clear this fault causes BES performance requirement violations of the TPL standards
to occur with respect to facility ratings, thermal or voltage. These examples demonstrate clearly
how a protective relay failure can impact the BES and why it is important to apply appropriate
redundancy to Protection Systems to minimize the impact of a Protection System component
failure.
A possible solution to overcome the violations in Example 2 could be the addition of a second
bus protective scheme that eliminates the dependence on remote backup for a protective relay
failure. The additional relay must be installed in such a manner as to not cause it to fail
simultaneously due to any of the other seven component failure modes in the proposed
requirements.

5.4 Communication Channel
The communication systems for
each protective relay must The failure or removal of any single communication channel
remain independent from each and/or any single piece of related communications equipment, as
listed below, used for the Protection Systems when such
other as they are transmitted to communication between protective relays is needed to satisfy
the opposite terminal when the BES performance required in the TPL standards.
proposed requirement is • Communications functions for communications-aided
protection functions (i.e. pilot relaying systems).
applicable. • Communications functions for communications-directed
protection functions (i.e. direct transfer trip).
The proposed redundancy
requirement for independent or separately dependable communications is required when the
Protection System cannot meet the BES performance requirements of the TPL standards without
utilizing communication-aided protection. Refer to Section 4.1 case # 3 for an example. This
requirement acknowledges that failure-tolerant communications may be achieved either by
designing the application with no common-modes of failure or by designing the application such
that common-modes of failure will not prevent the Protection Systems from clearing faults to
satisfy the BES performance requirements of the TPL standards in the planning review for the
protection zone under review.
Fully independent communication channels are the hardest elements to provide for redundancy
when pilot channels are required to meet the BES performance requirements of the TPL
standards. It is recognized that some types of dual communications schemes have common
modes of failure that are rare in occurrence; those limitations are generally accepted. The design
of the overall Protection System must take such limitations into account even when
communications channels are “redundant.” For instance, if the same communication
technologies are used, it is recommended that the relay schemes selected have minimal channel-
dependency in order to trip successfully for fault conditions. Many other considerations, such as
the performance of the communications during faults and the impact of weather conditions on
the performance of the communications, need to be considered in the design of the Protection
System.
Some acceptable communication schemes are:
• Two power line carrier systems coupled to multiple phases of the line.
• Two microwave systems and paths with multiple antennas on a common tower.
• Two fiber paths between terminals (two fibers in the same cable are not acceptable)
• Two separate communication systems of different technologies and equipment (e.g., fiber
optic and digital microwave).

Figure 5–7 illustrates two independent communication aided Protection Systems with direct
transfer trip schemes. The figure indicates that the two schemes are Directional Comparison
Blocking (DCB) and Permissive Overreaching Transfer Trip (POTT), but there are many other
types of high-speed communication aided protective schemes available. A communications
aided system is provided for each Protection System and includes direct transfer trip for breaker
failure. The communication schemes need to be independently designed and implemented
between terminals in order to meet the proposed redundancy requirement.
XMT XMT
Transfer Transfer
Trip Trip
RCV Transfer Trip (TT) RCV
XMT XMT
Relay Relay
1 1
RCV RCV
Permissive Overreaching Transfer Trip (POTT)
Sub 1 Sub 2
TRIP COIL 1 TRIP COIL 1
CT-L Sub 1 Transmission Line Sub 2 CT-L
Breaker Breaker
CT-L CT-L
TRIP COIL 2 TRIP COIL 2
XMT XMT
Relay Relay
2 2
RCV RCV
Directional Comparison Blocking (DCB)
XMT XMT
Transfer Transfer
Trip Trip
RCV RCV
Transfer Trip (TT)
Figure 5–7 — Communication System

Dual pilot relaying may not be necessary to meet BES system performance requirements of the
TPL standards. Non-pilot relaying may be able to satisfy the BES performance requirements of
the TPL standards for some applications when the critical clearing times increase as the fault is
moved further from the local terminal. This may require special planning studies that might
result in eliminating the need for dual pilot relaying. These studies and assessments must be
done on a periodic basis or whenever system changes are made that might alter the ability of
non-pilot relaying to satisfy performance requirements. The Protection System communication
only needs to be redundant for power system responses that require high-speed clearing for the
worst-case fault in order to meet the BES performance requirements of the TPL standards.
The review process requires failing the communication channel to determine if the critical
clearing time for the worst-case fault within the zone requires dual pilot relay systems in order to
meet the BES performance requirements of the TPL standards. A planning study must be

performed to determine the critical clearing time for meeting all the BES performance
requirements of the TPL standards. When the clearing time required to meet BES performance
requirements of the TPL standards cannot be achieved without communication-aided protection,
then the need for independent and redundant communication channels is required.
Figure 5–8 — Faults Near a Generating Station

Example 1 – Figure 5–8 illustrates 4 substations of a larger electric system. Sub #1 has three
large generating units and a critical clearing time of 8 cycles for stability for faults close to the
generators. Faults in the red area, as shown on the drawing, will cause instability if not isolated
within 8 cycles. Faults in the green area, as shown on the drawing, will not cause instability for
delayed clearing times up to 25 cycles. The line Protection Systems and the breaker failure
system have been designed for each transmission line in order to meet the critical clearing time
for stability of these three generators. Dual high-speed pilot Protection Systems were utilized on
Line #2 to meet the 8 cycle critical clearing time for both pilot and direct transfer trip for breaker
failure. One communication medium was power line carrier and the other microwave. Line #1
and Line #3 have only one high-speed pilot Protection System and one step distance impedance
relay. The step distance impedance relay must provide high speed clearing for all faults on the
line within the red shaded area. Due to the short critical clearing time it was necessary to design
two independent high-speed relaying schemes for line #2 to meet the BES performance
requirements of the TPL standards.
Example 2 – If the power system can meet the BES performance requirements of the TPL
standards while experiencing an over trip for a communication failure, then it would be possible
to utilize dual on/off directional comparison blocking schemes (DCB) or equivalent. The

sensing relays for the DCB schemes or equivalent must be set to cover for pilot and direct
transfer trip channel failure without causing any ‘Loadability’ requirement violations.
5.5 DC Control Circuitry

The proposed requirement would
require mitigation for a failure of The failure or removal of any single element of the DC control
the DC control circuitry that is circuitry that is used for the Protection System.
used by the Protection Systems.
The DC control circuitry does not include the station DC supply (covered in Section 5.8) or the
breaker trip coils (covered in Section 5.7) but is considered to be all the DC circuits used by the
Protection System to trip a breaker. This section includes any DC distribution panels, fuses, and
breakers. This requires DC control circuits to be independently protected and coordinated, for
each redundant Protection System required. This requirement may precipitate the need for
multiple trip coils (See Section 5.7).
If the DC control circuitry for each Protection System is not properly designed and implemented,
all the protection for a power system element could be removed by the loss of one DC breaker or
fuse. Each DC control circuit must be reviewed to ensure that this does not occur if it results in a
violation of the BES performance requirements of the TPL standards. The object is to prevent the
outage of all the necessary protection for any one failure of the DC control circuits except for the
non- redundant battery and charger or trip coils which are covered in later sections.
The DC control circuitry has many failure modes. A short in the DC control circuit requires the
operation of a protective device (DC breaker or fuse) to remove the fault resulting in the loss of
all the Protection System components on the circuit simultaneously. An open in the DC control
circuit removes all Protection System components associated with that circuit from service
simultaneously. The DC control circuit for each Protection System must be reviewed to
determine how the failure of each DC control circuit impacts the protection for each Element. In
every failure mode the Protection Systems must meet the BES performance requirements of the
TPL standards.
Figure 5–9 demonstrates three DC circuit methods. Example 1 on the left has only one main
circuit with coordinated sub-circuits. This style control circuit does not meet the DC redundancy
control circuit requirements because the operation of one DC breaker can remove all Protection
Systems. Example 2 has two main circuits and coordinated sub-circuits and meets the proposed
DC redundancy control circuit requirement when paired Protection Systems are connected to
different breakers. Example 3 also meets the proposed requirement and is an example of a fully

redundant and separate DC Supply and DC control circuit system when paired Protection
Systems are connected to different DC panels and breakers.
Station DC Station DC Station DC Station DC

Supply Supply Supply 1 Supply 2
Station DC Supply Station DC Supply

DC Control Circuits DC Control Circuits
DC Panel DC Panel DC Panel DC Panel
#1 #2
DC DC DC DC DC
BKR BKR 1 BKR 2 BKR BKR
No. 1 Fuse Fuse No. 2 No. 1 Fuse Fuse No. 2 No. 1 Fuse Fuse No. 2
Example 1 Example 2 Example 3
Figure 5–9 — Station DC Supply and DC Control Circuits Boundary

Figure 5–10 depicts a Protection System that employs redundant relays, AC supply and dual
communication channels. The DC control circuitry is run from the DC Main that consists of a
single 60-ampere breaker connected to fuse panel. Individual fuses that coordinate with the 60-
ampere breaker are utilized to separate and isolate individual protective schemes. The opening
of the 60-ampere breaker will remove all the local protection (both relays) that is protecting the
transmission line. The loss of the Protection Systems on this transmission line must be tested
based on Section 4 and the resulting BES performance must meet the BES performance
requirements of the TPL standards for the worst-case fault within the zone or zones of protection
that are removed from service by opening the 60-ampere breaker.

Station DC
Supply AC Current AC Current
Local Source #2 Source #1
Station DC Supply Breaker
Substation
DC Control Circuits
DC Panel
DC
BKR
Protective
Protective
No. 1 Fuse Fuse No. 2 Relay #1 COMM CHANNEL 1
Relay #1
No. 3 Fuse Fuse No. 4 Protective
Protective Relay #2 COMM CHANNEL 2
No. 5 Fuse Fuse No. 6
Relay #2
REDUNDANT RELAYS, AC SOURCES, and

DC CONTROL CIRCUITRY
COMMUNICATIONS
Figure 5-10 — Non-Redundant DC Control Circuits

If the example above caused a BES performance requirement violation of the TPL standards for
the opening of the 60 amp breaker then it might be fixed by subdividing the 60-ampere circuit
into two 60-ampere breakers fed from the Station DC supply. Each protective relay and
associated DC control circuit should be separated with each one supplied from a different
breaker so that the opening of a single breaker does not remove both Protection Systems.
5.6 Auxiliary Relay

The auxiliary tripping relay is
typically used to expand available The failure or removal of any single auxiliary relay that is used
contacts or provide common for any of the above functions.
interface between dissimilar
Protection Systems. This requirement focuses on the auxiliary tripping device to determine if its
failure will violate the BES performance requirements of the TPL standards. The failure of
auxiliary tripping relays and lockout relays in particular can contribute to prolonging abnormal
power system condition. All auxiliary devices that impact the clearing time of faults on the
power system must be checked to determine if their failure, one at a time, will cause any BES
performance violations of the TPL standards.
Example – The examples described in the opening paragraphs of Section 5 consisted of one
high-impedance protective relay and one lockout auxiliary device protecting a bus for a strong

source system (refer to figure 5–1). In section 5.3 it was shown that a failure of the single bus
relay caused a violation of the TPL standards. The bus Protection System also had only one
auxiliary lockout relay. The failure of the auxiliary device or the protective relay for these
examples will cause the same violations of the TPL standards and the loss of the same system
elements. The solution is to add a second auxiliary relay and second protective relay and design
the Protection System so that a loss of one auxiliary relay or one protective relay does not cause
violations of the TPL standards. An additional solution would be to initiate breaker fail
protection from all the protective relaying that operates the auxiliary relay. For this solution, the
breaker failure time would need to meet the performance requirements of the TPL standards.
A related issue is the failure of an auxiliary device that provides both a trip and breaker failure
initiate. Assessment of such a design must take into account that the failure of such a device will
result in losing both the trip and breaker failure protection functions simultaneously. If that
system cannot meet BES performance requirements of the TPL standards, the design must be
changed to ensure that the failure of the auxiliary relay does not prevent tripping and breaker fail
initiation.
5.7 Breaker Trip Coil

The relay systems and each trip Proposed Requirement
coil must be operated from The failure or removal of any single breaker trip coil for any
breaker operated by the Protection System.
independent DC control circuits to
prevent a single point of failure. Refer to Figures 5–9 and 5–10 in Section 5.5 for the DC control
circuit review for the DC redundancy requirements.
This requirement focuses attention on the trip coil to make certain that its failure does not cause
any violation(s) of the BES performance requirements of the TPL standards. The breaker trip
coil provides the action that operates the breaker to clear the fault. Therefore, its failure to
operate will cause breaker failure or delayed clearing times.
The Protection System outputs must be studied to determine if trips are issued to independent
trip coils. If the Protection Systems issuing trip signals are duplicated to two independently
operated trip coils then for this case the review is complete for the failure of one independent trip
coil at a time because tripping will still be completed through the second path with exactly the
same clearing time. However, if this is not the case then the clearing time for the worst-case
fault in the zone(s) with the failed trip coil must be determined. A planning assessment must be
made to determine if failure of the trip coil results in a violation of the BES performance
requirements of the TPL standards.

Figure 5–11 — Trip Coil Development
Example – Figure 5-11 depicts a breaker having two trip coils. The breaker is in the middle of
overlapping zones of protection with 4 relay systems. Two of the systems are from line
protection and two are from bus protection. The four relays will operate trip coil #1 and an
auxiliary relay. The auxiliary relay operates trip coil #2 and provides breaker failure initiation
(BFI). Since the two trip coils are not completely independently operated by all protection, a
single failure can disable both trip coils and prevent BFI. This scheme has several single points
of failure: the loss of Fuse 1, the tripping of the DC Main Breaker. Both of these failures will
prevent tripping and breaker failure initiation. The procedure requires that the clearing time be
determined for the worst-case fault in the line or bus zones, and a planning study completed to
determine if the clearing time for the failure of the trip coils will result in meeting all the BES
performance requirements of the TPL standards.
In the example above if a violation of the TPL standards did occur, one approach would be to
make the two trip coils independent from one another. A properly designed breaker failure
scheme meeting all the requirements of the TPL standards and the proposed Protection System
redundancy requirements could be used to overcome a breaker with only one trip coil or two trip
coils operated in parallel.
5.8 DC Source
The station DC supply for tripping Proposed Requirement
has traditionally been and still is a The failure or removal of any single station battery, or single
charger, or other single DC source, where such losses are not
DC system consisting of a charger & centrally monitored for low voltage and battery open.
battery. In order for this reliability
proposed requirement to accommodate other new technologies the proposed requirement will
include the wording “other single DC source”. The Station DC Source will cover the charger,

station battery, or other DC source that is used for powering the Protection Systems and used for
tripping.
The Station DC supply is usually designed to withstand short outages to the charging system or
external supply. A charger failure results in the battery not being charged but it is assumed that
the batteries have been fully charged prior to the loss of the charger. A properly sized battery
should have the ability to provide the DC tripping and loading requirements of the substation
design criteria. If neither DC source is battery based, at least one DC source must be able to
provide the DC tripping and loading requirements of the substation equivalent to a battery.
However, there are failure modes of the DC system that can result in the immediate loss of all
DC supply. Refer to figure 5–12 that depicts a typical station DC supply consisting of an AC
supply, battery charger and batteries. The single station DC supply must be monitored
continuously for the loss of critical components that would prevent total loss of the station DC
supply. This monitoring must include battery open and low voltage and must be reported to a
manned 24/7 operations desk for immediate response. A single battery & charger system must
be monitored continuously for each of these failure modes. The use of monitoring significantly
reduces the risk of having a complete battery failure at the time of a fault. It is important that the
protection engineer understand the performance of the remote Protection Systems for the
complete loss of the local station DC supply. Appendix A provides a discussion that illustrates
the complete loss of station DC supply.
The protection engineer must determine if there is a violation of the BES performance
requirements of the TPL standards for the loss of a single charger or single battery failure. If the
failure of the single charger or single battery does not result in clearing times that violate the
BES performance requirements of the TPL standards for the worst case fault condition, then no
action is required. A substation that has two separate and redundant station DC sources meets
this scenario. For every station DC supply, two tests must be considered to determine if the
proposed requirement is met for a single source DC supply. The first test is to check and
determine that the single station DC supply is monitored for charger failure, low voltage and
open battery condition. The second test is to determine if the appropriate continuous alarming of
the station DC supply exists at this station. The alarm must also be communicated to the manned
24/7 operation center.

Station DC Supply
Monitor AC Monitor DC
Source Source
DC Control
(+)
AC Battery DC
Circuits
Souce Charger Supply
(-)
To other DC
Monitor Open Panels
Circuit in Battery
(-) (+) (-) (+)

DC Panel
Battery
DC DC
Cells BKR 1 BKR 2
(+) (+) (+) (+)
(-) (-) (-) (-)

Figure 5–12 — Station DC Supply and Monitoring

Consider this example: Figure 5–1 above depicts a large strong source substation with many
lines, generation and load. Figure 5–2 above depicts a weak source substation with two lines and
some load. Assume that each substation has only one station DC supply that is not monitored for
battery open. There is little doubt that the loss of a station DC supply for the large strong source
substation in Figure 5–1 would have greater impact to the system than the loss of the station DC
supply at the weak source substation in Figure 5–2. Worst case faults for these scenarios would
result in a violation for the strong source example and could result in no violation for the weak
source example. The strong source station requires a fix for the single charger or a single battery
failure. A separate battery and charger could be installed at the strong source substation or
battery open and low voltage monitors could be installed and connected to SCADA so that
operators can be notified of a loss of the stations battery.

Appendix A – DC FAILURE (Loss of Station DC Supply)
Owners should be aware that the complete loss of the station DC Supply will cause the loss of all
local tripping, SCADA control and observability, and could cause long delayed tripping.
RLY
EQUIV. BKR
Line 1 BKR
Sub 1
200 amps Line 5 Rated = 800 amps
RLY RLY RLY
EQUIV. BKR
Line 2 BKR BKR
Line 5 BKR EQUIV.
Sub 2 1000 amps Sub 6

200 amps
RLY
EQUIV. BKR
Line 3 BKR
Sub 3
200 amps
RLY RLY
EQUIV. BKR
Line 4 BKR BKR
Line 6 BKR EQUIV.
Sub 4 Sub 7
200 amps Sub 5 200 amps
Normal Opeation
Fault occurs on Line 5 at Sub 6
Relay at Sub 6 operates
Breaker at Sub 6 Opens Green shaded breakers opened by relay action.
Relay at Sub 5 operates
Breaker at Sub 5 Opens Yellow shaded relays operated for fault.
Figure A-1 — Normal Clearing

Consider the simple system in figure A-1. When all Protection Systems operate normally, a fault
is cleared by the line relaying and breakers at both ends of the transmission line. However,
consider that the station DC supply at Substation 5 (Sub 5) has failed and a fault occurs. There
are two scenarios that can unfold. Figure A-2 depicts that all the remote line terminals have
cleared to isolate the entire Sub 5. This assumes that the relaying at the remote ends of the
transmission lines can sense this fault and if necessary sequentially operate one at a time to
isolate this fault. This could take many seconds to isolate the fault. The worst case is that none
of the remote relays senses the original fault and the line eventually sags and creates a fault
closer to the substation until the remote relays sense the fault or an operator intervenes.
In those cases that the fault is not successfully cleared, there are several solutions that can be
considered:

• Modify remote relay(s) settings to see fault but meet loadability (with load encroachment),
and start sequential clearing sequence.
• Some relays could be replaced at the remote locations to accommodate sequential clearing.
• Modify the design at substation 5 to account for DC Battery failure:
o Add a second DC supply to selective Protection Systems to provide isolation of fault
or initiating sequential clearing.
o Size the battery charger such that charger has the capability to supply enough energy
to meet the required sequence of operations. This may include multiple trips and
reclosings for line faults. Note: Care should be taken when using this option. The
impact of depressed station service voltage as a result of the fault may limit the
capability of the charger. Additionally, the worst case from a depressed voltage
perspective will not be the far end fault which would make it necessary to identify the
closest fault that would also go un-cleared.
o Add redundant charger to account for DC battery charger failure. Note: Battery
charger failure is an issue that must be addressed only if charger function is not
remotely monitored and/ or the battery is not sized to accommodate the expected
worst case response time.

RLY
DC
EQUIV. BKR
Line 1 BKR Failure
NO
Sub 1
200 amps TRIP Line 5 Rated = 800 amps
RLY RLY RLY
EQUIV. BKR
Line 2 BKR BKR
Line 5 BKR EQUIV.
Sub 2 1000 amps Sub 6

200 amps
RLY
EQUIV. BKR
Line 3 BKR
Sub 3
200 amps
RLY RLY
EQUIV. BKR
Line 4 BKR BKR
Line 6 BKR EQUIV.
Sub 4 Sub 7
200 amps Sub 5 200 amps
LOSS of DC (operation)
Fault occurs on Line 5 at Sub 6
Relay at Sub 6 operates Green shaded breakers opened by relay action.
Breaker at Sub 6 Opens
Fault current from Sub 5 is above rating of line Yellow shaded relays operated for fault.
DC at Sub 5 is off and no tripping is available
Remote relaying must operate to protect line.
Figure A-2 — Complete Loss of DC with Remote Clearing

Appendix B – Excerpts from the 1997 NERC Transmission
Planning Standards System Performance Requirements
Section III. System Protection and Control
A. Transmission Protection Systems
STANDARD
S2. Transmission Protection Systems shall provide redundancy such that no single
Protection System component failure would prevent the interconnected
transmission systems from meeting the system performance requirements of the I.A.
Standards on Transmission Systems and associated Table I.
Measurement
M2. Where redundancy in the Protection Systems due to single Protection System
component failures is necessary to meet the system performance requirements of the
I.A. Standards on Transmission Systems and associated Table I, the transmission or
Protection System owners shall provide, as a minimum, separate ac current inputs
and separately fused dc control voltage with new or upgraded Protection System
installations. Breaker failure protections need not be duplicated.
Each Region shall also develop a plan for reviewing the need for redundancy in its
existing transmission Protection Systems and for implementing any required
redundancy. Documentation of the Protection System redundancy reviews shall be
provided to NERC, the Regions, and those entities responsible for the reliability of
the interconnected transmission systems on request.
Full (100 percent) Compliance Requirements
A. Where assessments (Standard III.A. S1, M1) show the need for transmission Protection
System redundancy due to single Protection System component failures, the transmission
or Protection System owner shall provide the required component redundancy to meet the
system performance requirements of Standard I.A. and associated Table I. These
redundancy requirements should include:
1) Separate ac current inputs
2) Separately fused dc control voltage
3) Other redundant components
Documentation of the planned implementation of the redundancy requirements

should be provided to NERC, the Regions, and those entities responsible for the
reliability of the interconnected transmission systems on request (within 30 days).

B. Each Region shall have a plan for reviewing the transmission or Protection System
owner’s assessments and for implementing the required component redundancy to
promote consistency among its members. The Regional plan along with documentation of
the redundancy reviews should be provided to NERC on request (within 30 days).
NERC 1997 Planning Standards Table 1

NERC 2005 TPL Standards (Table I from TPL-001 – TPL-004)

Appendix C – System Protection and Control Subcommittee
John L. Ciufo Henry (Hank) Miller
Chairman RE – RFC
Manager, P&C Strategies and Standards Principal Electrical Engineer
Hydro One, Inc. American Electric Power
Jonathan Sykes Deven Bhan
Vice-Chairman RE – MRO
Senior Principal Engineer, System Protection Electrical Engineer, System Protection
Salt River Project Western Area Power Administration
Michael J. McDonald John Mulhausen
Investor-Owned Utility RE – FRCC
Senior Principal Engineer, System Protection Manager, Design and Standards
Ameren Services Company Florida Power & Light Co.
William J. Miller Philip B. Winston
Investor-Owned Utility RE – SERC
Consulting Engineer Manager, Protection and Control
Exelon Corporation Georgia Power Company
James D. Roberts Dean Sikes
U.S. Federal RE – SPP
Transmission Planning Manager - Transmission Protection, Apparatus, & Metering
Tennessee Valley Authority Cleco Power
Sungsoo Kim Samuel Francis
Canada Provincial RE – TRE
Senior Protection Engineer Senior Director of Engineering
Ontario Power Generation Inc. Oncor Electric Delivery
Joe T. Uchiyama Baj Agrawal
U.S. Federal RE – WECC
Senior Electrical Engineer Principal Engineer
U.S. Bureau of Reclamation Arizona Public Service Company
Charles W. Rogers W. O. (Bill) Kennedy
Transmission Dependent Utility Canada Member-at-Large
Principal Engineer Principal
Consumers Energy Co. b7kennedy & Associates Inc.
Joseph M. Burdis Robert W. Cummings
ISO/RTO NERC Staff Coordinator
Senior Consultant / Engineer, Transmission Director of Event Analysis & Information Exchange
and Interconnection Planning NERC
PJM Interconnection, L.L.C.
Tom Wiedman
Jim Ingleson Subject Matter Expert – NERC Consultant
ISO/RTO President
Senior Electric System Planning Engineer Wiedman Power System Consulting, Ltd.
New York Independent System Operator
Jonathan D Gardell
Bryan J. Gwyn Subject Matter Expert – NERC Consultant
RE – NPCC Executive Advisor
Manager, Protection Standards and Support Quanta Technology
National Grid USA
Eric A Udren
Philip Tatro Subject Matter Expert
RE – NPCC Alternate Executive Advisor
Consulting Engineer Quanta Technology
National Grid USA

Murty Yalla Fred Ipock
Subject Matter Expert Correspondent
President Senior Engineer - Substations & Protection
Beckwith Electric Company Inc. City Utilities of Springfield, Missouri
David Angell Evan T. Sage
Correspondent Correspondent
T&D Planning Engineering Leader Senior Engineer
Idaho Power Company Potomac Electric Power Company
Hasnain Ashrafi Joe Spencer
Engineer Manager of Planning and Engineering
Sargent & Lundy SERC Reliability Corporation
Dac-Phuoc Bui Bob Stuart
Engineer Senior Director - Transmission
Hydro-Quebec TransÉnergie BrightSource Energy, Inc.
Jeanne Harshbarger
Correspondent
System Protection Engineer
Puget Sound Energy, Inc.


NERC-Protection Sistem Reliability - 1-14-09

Uploaded by

Copyright:

Available Formats

NERC-Protection Sistem Reliability - 1-14-09

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NERC-Protection Sistem Reliability - 1-14-09

Uploaded by

Copyright:

Available Formats

A Technical Paper

Protection System Reliability

NERC System Protection and Control Task Force

2. Protection System Reliability.............................................................................................................................6

3. Reliability of the Bulk Electric System............................................................................................................11

4. Proposed Protection System Reliability (Redundancy) Requirements ........................................................16

5. Protection System Components .......................................................................................................................30

Appendix A – DC FAILURE (Loss of Station DC Supply)....................................................................................51

NERC Technical Paper on Protection System Reliability i

Appendix C – System Protection and Control Subcommittee.........................................................................58

Figure 2-1 — Dependability-Type Failure (no trip) of a Protection System ................................................ 7

NERC Technical Paper on Protection System Reliability ii

NERC Technical Paper on Protection System Reliability 4

1.1 The Need for a Protection System Reliability (Redundancy)

NERC Technical Paper on Protection System Reliability 5

2. Protection System Reliability

NERC Technical Paper on Protection System Reliability 6

Figure 2-1 — Dependability-Type Failure (no trip) of a Protection System

NERC Technical Paper on Protection System Reliability 7

2.2 Need for Protection Reliability

NERC Technical Paper on Protection System Reliability 8

2.3 Protection System Redundancy

NERC Technical Paper on Protection System Reliability 9

Figure 2–3 — Non-Redundant Protection System

AC Current AC Current DC Main 1 Protective

Protective Communication Fuse

Figure 2–4 — Fully Redundant Protection System

NERC Technical Paper on Protection System Reliability 10

3. Reliability of the Bulk Electric System

• The System remains within acceptable limits;

NERC Technical Paper on Protection System Reliability 11

3.1 2002 NERC Planning Standards

NERC Technical Paper on Protection System Reliability 12

Breaker Failure and Delayed Clearing

NERC Technical Paper on Protection System Reliability 13

3.2.1 Normal Clearing Time

3.2.2 Breaker Failure or Stuck Breaker Clearing Time

NERC Technical Paper on Protection System Reliability 14

3.2.3 Delayed Clearing Time

3.2.4 Planning Standard Development

NERC Technical Paper on Protection System Reliability 15

4. Proposed Protection System Reliability (Redundancy)

NERC Technical Paper on Protection System Reliability 16

causes the BES performance to 2. Facility Ratings shall not be exceeded.

4.1 Evaluating BES Performance

NERC Technical Paper on Protection System Reliability 17

NERC Technical Paper on Protection System Reliability 18

NERC Technical Paper on Protection System Reliability 19

NERC Technical Paper on Protection System Reliability 20

4.2.1 Determine Redundancy of the Protection System

Figure 4–3 — Example 1 – Study of Protection System Reliability for Non-

NERC Technical Paper on Protection System Reliability 21

NERC Technical Paper on Protection System Reliability 22

NERC Technical Paper on Protection System Reliability 23

AC Current AC Current DC Main 1 Protective

Protective Communication Fuse

Figure 4–4 — Example 2 – Study of Protection System Reliability Redundancy for

NERC Technical Paper on Protection System Reliability 24

4.2.2 Determining Performance of the Protection System