184-Electrical Installation Dependability Studies

8/11/2019 184-Electrical Installation Dependability Studies

1/24

n184

electricalinstallation

dependabilitystudies

E/CT 184first issued September 1997

Sylvie LOGIACO

An ISTG Engineer (InstituteScientifique et Technique deGrenoble) graduating in 1987, shewas initially involved in risk analysisin the chemicals industry ; atPechiney, then at Atochem.With Schneider since 1991, she is

part of the centre of excellence forDependability for which she hascarried out a large number ofdependability studies on electricaland monitoring and controlinstallations.


2/24

Cahier Technique Merlin Gerin n184 / p.2

glossary

Availability:

Percentage of time for which the

system functions correctly.

Dependability:Generic term which combines the

independent variables of reliability,

availability, maintainability and

safety.

Hasard analysis:Based on the functional analysis, this isthe analysis of the failures that canoccur in a system (in practice it is a

synonym for dependability study).

Feedback of experience:

Operational reliability data collectedduring failure of equipment inoperation.

Maintainability:The aptitude of a system to be repairedquickly.

Reliability:The aptitude of a system to functioncorrectly for as long as possible.

Safety:The aptitude of a system to not putpeople in danger.


3/24


electrical installationdependability studies

contents

1. Introduction General p. 4

Dependability studies p. 6

2. How a study is carried out The chronological order ofphases p. 9

Expression and analysis ofthe requirements p. 9

Functional analysis of a system p. 10

Failure mode analysis p. 11

Reliability data p. 11

Modelling p. 12

Dependability criteriaassessment calculations p. 14

3. Examples of studies Comparing two electricalnetwork configurations ina factory p. 15

The interest of remotemonitoring and controlin an EHV substation p. 17

4. Dependability tools Dependability study packages p. 20

Modelling tools p. 20

5. Conclusion p. 21

6. Bibliography p. 22

In both the industrial and tertiarysectors, the quality of power supply isof increasing importance. The quality ofthe electricity product, besides

imperfections such as variations involtage and harmonic distortion, isbasically characterised by theavailability of the electrical energy.Loss of power is always annoying, but itcan be particularly penalising forinformation systems (computing -monitoring and control); they can evenhave disastrous consequences forcertain processes and in certain casesendanger people's lives.

Dependability studies enable electricalavailability requirements to beincorporated in the choice of electrical

network to be installed. They alsoenable two different installationconfigurations to be compared ... themost expensive one is not alwaysbetter ...The aim of this Cahier Technique isshow how dependability studies areperformed: methodology and tools. Twoexamples of studies are given: that ofan electrical network in a factory andthat of the monitoring and controlsystem of a high voltage substation.These studies are becomingincreasingly easy to perform thanks to

computing tools.


4/24


1. introduction

generalThe voltage at the terminals of a currentconsumer can be affected byphenomena originating in the distributor'snetwork, the electrical installation of asubscriber connected to that network orthe electrical installation of the user whois suffering the disturbance.

Disturbances in the electricityproduct

cthe main characteristics of thevoltage supplied by both the MV andLV public distribution network are thosedefined by European standardEN 50160. This details the tolerancesthat must be guaranteed for bothvoltage and frequency as well as thedisturbance levels that are usuallyencountered; e.g. harmonic distortion.The table in figure 1 details thestandard's recommended values.

At any moment in time therefore, thequality of the energy supplied to thecurrent consumers in an installation canbe affected by various disturbances,either imposed by the external supplynetwork or self-generated within theinternal distribution network.The operations of current consumers

that are either independent or federated

in systems are affected by these

disturbances.

cmalfunctions and the type and cost of

the damage incurred depend both on

the type of current consumers and on

the installation's criticality level. Thus, a

momentary break in supply to a critical

current consumer can have serious

consequences on the installation's

operation without it being intrinsicallyaffected.

cin all cases, a study detailing theeffects of the suspected disturbancesmust be performed. Measures must betaken to limit their consequences.

cthe table in figure 2 shows thedisturbances that can usually be found

in electrical networks, their causes andthe solutions that are possible toreduce their effects.

cthe reduction of the effects ofharmonics, Flicker, voltage imbalances,

standard EN 50160 low voltage supply

frequency 50 Hz 1% for 95% of a week50 Hz + 4%, - 6% for 100% of a week

voltage amplitude for each one week period, 95% of the average effective valuesover 10 minutes must be within the range of Un 10%

rapid voltage from 5% to 10% of Unvariations (4 to 6% in medium voltage)

voltage drops camplitude: between 10% and 99% of Un(indicative values) most voltage drops are


5/24

Cahier Technique Merlin Gerin n184 /p.5

disturbance possible causes main effects possible solutions

frequency csupply network cvariation in speed of motors cUPS

variations c

grouped operation of c

malfunctioning of electronicindependent generators equipment

rapid voltage csupply network clighting flicker cincreasing short circuit powervariations carc furnace cvariation in speed of motors cmodifying the installation configuration

cwelding machinecload surge

voltage drops csupply network cextinction of discharge lamps cUPSchigh load cmalfunctioning of regulators cincreasing short circuit powerdemands cspeed variation, stopping cmodifying the installation configurationcexternal and of motorsinternal faults cswitching of contactors

cdisturbances in digital electronics systemscmalfunctioning of power electronics

brief and long csupply network cequipment stoppage cUPSloss of power creclosing operations cinstallation stoppage cindependent generators

cinternal faults closs of production cmodifying the network configurationcsource switching cswitching of contactors csetting up of a maintenance policy

cvarious malfunctions

voltage csupply network coverheating of motors and alternators cincreasing short circuit powerimbalances cmany single phase cmodifying the network configuration

loads cbalancing of single phase loadscrebalancing devices

overvoltages clightening cbreakdown of equipment clightening arrestorscswitchgear operation cchoice of insulation levelcinsulation fault ccontrol of the resistance of earthing electrodes

harmonics csupply network coverheating and damaging of equipment, cincreasing short circuit powerca lot of non linear mainly motors and capacitors cmodifying the installation configurationcurrent consumers cmalfunctioning of power electronics cfiltering

fig. 2: disturbances in networks, causes, effects and solutions.

failure, as soon as the voltage and

frequency of the generator set have

stabilised,

vpower is restored to prioritycurrentconsumers once the essential currentconsumers have been started up,

vpower is not restored to non-prioritycurrent consumers, which accept a longbreak in power supply, until the externalnetwork is functioning again.By appropriate selection of the

configuration and the automatic sourceswitching control devices (see. CahierTechnique n161) we can optimise thepositioning and dimensioning of backup and replacement supplies in orderto meet operating constraints.

It should be remembered that thechoice of neutral earthing arrangementis an important factor; it is clearlyestablished that for current consumersrequiring a high level of availability, it ishighly advisable to use the isolated

neutral arrangement since it enables

continuity of supply on the occurrencefig. 3: a reliable power supply. Simplified network diagram.

TR

G

UPS

backed-up

sourcechangeover switch

no back-up

grid supply

independent source

load restorable

load shedding

several hours

non-priority

down time:

types:

several mins.

priority

several secs.

essential

none(high quality)

vital


6/24


of an initial insulation fault (see.

Cahiers Techniques n172 and

n173).

dependability studiesBefore looking at electricalnetwork dependability studies, it would

be useful to recap on several

dependability:

Dependability is a generic idea that

measures the quality of service, provided

by a system, so that the user can have

justified confidence in it. Justifiedconfidence is achieved through

quantitative and qualitative analyses of thevarious features of the service provided

by the system. These features are basedon the probability parameters defined

below.

reliability:

the probability that a unit is able accomplisha required function, under given conditions,during a given interval of time [t1,t2] ; writtenR(t1, t2).

availability:

the probability that a unit is in a state thatenables it to accomplish a required functionunder given conditions and at a givenmoment in time, t ; written D(t).

maintainability:

the probability that a given maintenanceaction can be carried out within a given time[t1, t2].

safety:

the probability of avoiding an event withhazardous consequences within a giventime [t1,t2].

failure rate:

the probability that a unit loses its ability

to accomplish a function during theinterval [t, t+dt], knowing that it has notfailed between [0, t] ; it is written (t).

the equivalent failure rate:the value or a constant failure rate: eqforwhich the reliability of the system in time t isequal to R(t) - eqis a constantapproximation of (t).

MTTF (Mean Time to Failure):the average time of correct operation beforethe first failure.

MTBF (Mean Time Between Failure):the average time between two failures in arepairable system.

MUT (Mean Up Time):

the average time of correct operationbetween two failures in a repairable system.

MTTR (Mean Time To Repair):

the average time required to repair.

fig. 4: definitions.

definitions of the terms used by reliability

specialists, even if everyone knows the

definitions of the words: reliable,

available, maintenance and safety

(see fig. 4 and 5).

It is also necessary to detail the

applicational scope and general

features of such studies.

Scope and features of studies

cccccapplicational scope:studies are carried out on all types ofelectrical networks, from low voltage tohigh voltage, and on their monitoringand control systems.

The networks may be:

vsingle feeder

MDT (Mean Down Time):

the average time for which the system is

not available. It includes the time to detect

the fault, the time for the maintenance

service team to get to the fault, the time to

get the replacement parts for the

equipment to be repaired and the time torepair.

the repair rate:

the inverse of the mean time to repair.

FMEA (Failure Modes and Effects

Analysis):

this enables the effects to be analysed of the

failure of components on the system.

model:

graphical representation of the combination

of failures found during an FMEA and of

their maintenance process.

undesirable event:

system failure that must be analysed in

order for the user to feel justified confidence

in the system. This system failure gauges

the quality of service,

fig. 5: relations between the various values that characterise the reliability, maintainability and availability of a machine.

correct operation correct operationrepairing

MTTR

MDTMTTF

MTBF

MUT

waiting

initialfailure

secondfailure

startof work

restarting

time0


7/24


preliminary study detailed study

accuracy of 1 single failure type failures divided into families

assumptions (1 frequency, 1 average duration) according to their effect on the system.

accuracy of the consequences of the failures the consequences of the failures are

modelling are combined into major families analysed in depth.

vdouble feeder (see fig. 6a),

vdouble busbar (see fig. 6b),

vloop (see fig 6c),

vand with or without reconfiguration or

load shedding.

ccharacteristic features of studies:

studies are tailor made to take

account of the expressedrequirements.

They are set up in terms of:

- accuracy of study,

- type of analysis,

- type of dependability criteria,

vthe accuracy of study

(see fig. 7):

- brief or preliminary study:

fig. 6: network configurations.

fig. 7: differences between a preliminary study and an in-depth study.

dependability

criteria

simpleand minimalconfiguration

satisfyingof dependability

criteria

newconfiguration

no

yes

fig. 8: design assistance.

GG

turbo-alternator

a. double line feeder b. double busbars c. loop

this is a pessimistic study generally

used to quickly make technical

choices

- very detailed studies that take

account of as many factors as

possible.

Taking account of all the

operating modes, detailed analysis of

possible failure modes and their

consequences, modelling the

malfunctioning behaviour of the

system.

vthe types of analysis

- design assistance in assessing

the dependability criteria

(see fig. 8),


8/24


- comparison of configurations (see

fig. 9),

- qualitative configuration analysis.

vthe types of criteria to be quantified(see fig. 10)

- the average number of hours that thesystem functions correctly (MUT):

- the average number of hours that thesystem functions before not supplyingcertain current consumers for the firsttime (MTTF)

- the probability of no longer supplyingpower to certain current consumers(availability),

- the average number of failures perhour during a year (eq),- an average repair time (1/eq),

- the optimal frequency of preventivemaintenance,

- the calculation of replacement partkits.

These criteria enable an assessment tobe made of the system's performancelevel and thus to determine theconfiguration that meets dependabilitycriteria without forgetting economicconstraints.

fig. 10 : illustration of dependability assessment criteria.

GE

UPS SC*

current

consumer n1

current

consumer n2

we can calculate:

- the probability that GE

does not start when power

supply is lost.

- the optimum preventive

maintenance frequency

for the GE.

- the number of minutes

a year that current consumer

n1 is not supplied.

- the average number of hours

before current consumer

n2 will no longer have power.

* SC= Static contactor

generator setpublic network

fig. 9: configuration comparison.

dependability

criteria

chose

configuration A

chose

configuration B

no

yes

configuration

A

configuration

B

configurationA's dependability

criteria are nearer theobjectives

configuration B


9/24


2. how a study is carried out

the chronological order ofphasesWhatever the requirement expressedby the designer or operator of anelectrical installation, a dependabilitystudy will include the following phases(see fig. 11):cexpression and analysis of therequirements,cfunctional analysis of the system,cfailure modes analysis,cmodelling,

ccalculation or assessment ofdependability criteria.

In most cases, this procedure must beperformed several times:ctwice if we want to compare twolayouts,cn times if we want to determine aconfiguration that is adapted torequirements taking account oftechnical and economic constraints.

expression and analysis ofrequirementsAs discussed at the end of the previouschapter, the study initiator must detail(see fig. 12):cwhat the study involves ; e.g:substation monitoring and control, andprovide the design elements that hehas in his possession.cthe type of request (type of analysisrequired), e.g.:va demonstration of the confidencelevel that we can assign to a powersupply for a critical process (orientingus towards a type of study, types ofcriteria to be assessed),vthe search for objective criteriamaking technical and economicanalysis possible,vthe determination of the most suitableconfiguration to meet requirements(orienting us towards a type ofanalysis),vsupport for a specific equipment design.These points can be combined ; inother words a company can search forthe configuration best suited to itsneeds to supply power to a criticalprocess as part of a technical andeconomic analysis.

fig. 11: the chronological order of phases in performing a dependability study.

analysis of the customer requirement

criteria to beassessed

network points where thecriteria wil be assessed

systemspecifications

functional analysis of the system

functions and componentsinvolved

failure mode analysis

possible systemfailures

search for data

- failure rate of components- time to repair- functional frequencies

modelling key

data

assessment ofdependability

criteria required

qualitativeanalysis

study phase

phaseconclusions

to perform thephase

data requiredto perform the

next phase

fig. 12: information required for the study.

expression of

requirementexpressed in terms of

type ofanalysis

studyaccuracy

criteria to beassessed

determination and classification

of the representative and/orstrategic current consumersin the system

leading to the carrying outof a customised study

to target the network pointsat which will be calculatedthe dependability criteria


10/24


Faced with the questions: where, tosupply what, what is the criticality andthe admissible down time, the customermust think in terms of, for example,safety and loss of production orinformation.

cthe risk:for an insurance company the idea ofrisk corresponds to the seriousness(moral, social or economic) of the eventin question. In terms of loss ofproduction, the estimate of the risk isquite simple: the product of theprobability of the occurrence and thecost of an event gives a good idea ofcriticity. The assessment of the riskenables the price to pay to becalculated: loss of profits, insurance oroptimised electrical installation.

cformalising of requirements

(see fig. 13): a means of expressing therequirements involves classifying thevarious current consumers according tothe down time that they can withstand(none, a few seconds, a few minutes, afew hours).

functional analysis of thesystemFunctional analysis describes in bothgraphical and written terms the roleof the network and/or its constituentparts.

fig. 13: the availability specifications to be provided by the customer.

fig. 14: functional block diagrams.

monitoringand control

powersupply B powersupply A

MV electrical supply

normalsupply

GE

stand-by stand-by

MV

This analysis leads to two complemen-tary descriptions of the network:

cone description using functionalblock diagrams (see fig. 14), whoseaim is to present the systemconfiguration and the functional linksbetween the various parts of thesystem.

ca behavioural description (see fig. 15)whose aim is to describe thesequence of the various possiblestates.The main purpose is to identify theevents that induce the system tochange. The model developed duringthe course of this analysis notably

the various current consumers in consideration

officeheating

minorevent

computersno breakgreater

than 20 msbeyond this:

criticalevent

tank cooling

stoppage possiblefor 1 hour max.

beyond this:loss of tank

contentsdisastrous event

oven n1

process

oven n2

stoppage possiblefor 3 mins max.


contentsdisastrous event

stoppage possiblefor 3 mins max.


contentscritical event


11/24


equipment failure mode failure rate time torepair,frequency ofpreventivemaintenance

circuit breaker cblocked closed 1 1, cspuriously open 2

generator set cfailure in operation 4 2, 6 monthscfailure on start-up 5

transformer cfailure in operation 6 3, X months

highlights the various reconfiguration

points in the system.

This second analysis enables account

to be taken of functional aspects whenthey interact with malfunctional

aspects.

failure mode analysisThis analysis aims to provide:

cthe list of possible failure modes foreach of the items identified in the

functional analysis,

ctheir causes of occurrence (one

cause is enough),

cthe consequences of these failures

on the system (also called single

events),cthe failure rate associated with each

failure mode as part of a quantitative

study.

The results are presented in table form

(see fig. 16).

This analysis can be considered as the

first stage of modelling.

reliability dataAs part of a quantitative analysis, it is

necessary to have probability data

for the failure of the system's

equipment.

The probability characteristics are then

combined with the failure modes.

These are:

cthe failure rate and how it is broken

down according to the failure mode,

cthe average time to repair associated

with the frequency of preventive

maintenance (see fig. 17).

Failure rates

Remember that this involves

quantifying the probability that there will

be a failure between [t, t+dt], knowing

that there has been no failure before t.

Schneider Electric has a database built

up from several sources:

cinternal studies and analysis of

equipment returned to the factory after

failure,

cfailure statistics observed by utilities

companies and other manufacturers,

creliability data,

vfor non-electronic components:

- IEEE 500 (feedback of experience

from nuclear power stations in the

USA),

fig. 15: behavioural description in the form of a Petri network.

fig. 16: failure mode analysis.

functions failure mode causes effects on the system

power supply loss of normal mode cpower supply failure switch over to stand-byfeeder ctransformer failure

cspurious circuitbreaker tripping

stand-by loss of stand-by mode cfailure of GE in loss of electricityin operation operation supply

cspurious circuitbreaker tripping

ctransformer failure

normal mode failure and cGE does not start upstand-by mode is not ccircuit breaker isavailable blocked open

fig. 17: fictive summary of the reliability data required for a study.

? loss of power supply A

! switch to power supply B

? loss of power supply B

! start-up of GE

This Petri network expressesthe fact that in the case of lossof power supply A, the networkis switched to the power supply B.If power supply B fails, then theGE start-up.


12/24


- NPRD91 (feedback of experience

from military and non-military systems

in the USA),

vfor electronic equipment, the data is

generally obtained by calculation from

the Military Handbook 217 (F) or from

reliability data from the National

Centre for Telecommunications

Studies.

Some components have a constant

failure rate () over time throughout aperiod of their life. In other words the

probability of failure is independent of

time ; this is the case of electronic

components (exponential law).

Electrotechnical components age, or in

other words their failure rate is not

constant over time. Data mostcommonly available supposes constant

rates.

The use of data that is non-specific to

the system being studied and of

constant failure rates even if certain

components age is, nonetheless, very

attractive since it enables valid

comparisons to be made between

systems.

The fact of finding a configuration that

is 10 times more reliable than another,

10 times more available ... means that

this configuration is ten times better forthe criteria in question ; the relative

value is often more important than the

absolute value.

Schneider Electric's reliability

database has the aim of gathering

together as much data as possible.

Validity criteria have been set up to

guarantee the quality of the data

included. We ensure:

cthe way that feedback of data was

carried out, on what data it was based,

cthe preliminary calculation method

used, the conditions of use,

temperature, environment, etc

In time, this work provides us with

reliability data to study any installation

or to be able to obtain them by

extrapolation.

The mean times to repair

depend mainly on the company's

maintenance policy. Decisive choices

notably include the possibility of

inventory, the times when the repair

teams are present, the frequency of

preventive maintenance, the type of

maintenance contract with suppliers,

etc.

The impact of the variation of these

maintenance policy-based parameters

on the system's performance level can

be dealt with by a specific analysis.

Functional reconfigurations

In the instance of functional

reconfigurations, when functional

aspects interact with those that are

malfunctional (e.g. in the case of tariff

based load shedding) the frequency of

these reconfigurations is included in the

modelling process.

modellingThe malfunctioning of the network is

represented by a model. The model is a

graphical representation of the

combinations of events determined by

the analysis of failure modes which, for

example, contribute to the loss of

electrical supply for certain current

consumers and to their repair

procedures.

This model enables:

cdiscussions with the customer to

validate our understanding of the way

the network malfunctions,

cqualitative analysis of the network

performance levels, by the search for

common modes, of the simplest

combinations which contribute to the

event in question,

cassessment of the network's

performance levels by calculating

dependability criteria.

Various techniques are available

according to the configuration of the

system being studied, the undesirable

events in question, the criteria to be

fig. 18: fault tree modelling. The fact that the GE failure only makes sense if there is loss of

EDF supply does not initially appear.

loss of electrical supply

loss power supplyGE failure

TD GE

AND

TD PS

D: circuit breakerT: transformerPS: power supply

peakevent

intermediaryevents

baseevent

OR OR


13/24


assessed and the assumptions taken

account of in the model(s).

The main modelling techniques

ccccccombination:the combining of single events.

This is the case of fault tree diagrams

(see fig. 18).

A fault tree diagram breaks down

events into single events.

The immediate causes of the loss of

electrical supply are therefore sought,

these are intermediary events.

The causes of these intermediary

events are then sought in turn.

The break-down continues in this way

until it becomes impossible or until it

serves no further purpose.

Terminal events are called basic

events.

The breaking down of an event into

causal events is performed using

logical operators or so called gates (the

AND gate, the OR gate).

The fault tree diagram in figure 18

expresses the fact that in the given

network, there is a total loss of

electrical power if there is a loss of

power supply and loss of the

generator sets.

In this type of modelling exercise, no

account is taken of the fact that thefailure of the generator sets is only

significant if there is loss of power

supply beforehand.

Networks with reconfiguration

possibilities and complex maintenance

strategies are difficult to model using

the fault tree method.

ccccccombination and sequential:the combining of single events whilst

taking account of the moment in time

when the events occur.

vMarkovian type (see fig. 19).

This type of model is commonlyrepresented by a graph that shows

the various possible states in the

system.

The arrows that link the system states

are quantified by rates, which can bethe failure rates, the repair rates or the

representative operating mode

frequencies.

These rates represent the probability

that the system changes status

fig. 19: modelling of malfunctions in the form of a Markov diagram a, band are assumed tobe constant.

status 1correct

operation

failure of power supply failure of GE's

repair

status 2power supplyfailure/start-up

of GE's

status 3failure of

power supplyGE's do not

start up

status 4loss of power

supply

2

repair

1

repair

3

ba

clossof power

supply, GE's do not start up

a: frequency at which there is loss power supplyb: frequency of GE failure: frequency of repair

between time t and t+dt.

The graph in figure 19 shows the fact

that the system can have any one of

four operating status:

- status 1: correct operation,

- status 2: failure of power supply

and the generator sets have started up,

- status 3: failure of power supplyand the generator sets have not started

up,

- status 4: when the generator sets

have failed in operation with the power

supply also failed.

Markovian modelling assumes that the

frequencies (or rates), which enable

passage from one status to another,

are constant.

The calculating algorithms associated

with this modelling technique can only

be applied under these conditions.

This limit leads us to make

assumptions and therefore to represent

the reality of the situation to a greater

or lesser extent.

vother types.

The procedure used is generally that ofa Petri network.

The network is represented by places,

transitions and tokens.

The crossing of a transition via a token

corresponds to a possible functional or

malfunctional system event.

These transitions can be associated

with any type of probability law.

Simulation is the only way to enable

calculations to be resolved.


14/24


15/24


3. examples of studies

comparing two electricalnetwork configurations in afactory

cpresentation of the factory:A drinking water production plantsupplies 100 000 m3/day at off peaktimes, 300 jours/year and200 000 m3/day at peak times, 65 daysa year.Production of water is performed using4 production plants, each capable of

supplying 100 000 m3/day.Each plant is associated with sixtypes of current consumers : R1, R2,R3, R4, R5and R6(pumps,disinfectors, etc.) which must worksimultaneously in order to ensureproduction (ref. fig. 22).The current consumers ensuring theoperation of each plant can bedistinguished in the following manner:

R1a,, R6a for plant n1

fig. 22: functional diagram of the original installation. Certain penalising common modes are not shown.

R1b,, R6b for plant n2R1c,, R6c for plant n3R1d,, R6d for plant n4To ensure operation at off-peak times,only one plant is required ; during peaktimes, two plants are required.

canalysis of the enquiry, therequirementsAfter two meetings with the customer,the specialists have determined:vthat the following was required:- a proposal for a new LV electrical

network configuration, the configurationof the MV (5.5 kV) should change verylittle,- proof that the proposed layout was atleast as good as the old in terms ofcertain dependability criteria.vthat the dependability criteria to beassessed were:- the probability of simultaneouslylosing electrical supply to currentconsumers n1 and n6,

- the probability of losing electricalsupply to current consumers n3.

cfunctional analysisGeneral considerations concerning thenetwork operation:vthe site is supplied by twoindependent power supply feeders.Two generator sets are there on stand-by in the case of failure of the powersupply feeders,vin normal operation, the site issupplied by the power supply feeder A.

If this feeder fails, then the systemswitches to power supply feeder B. Ifboth power supply feeders fail, thegenerator sets start up,vthere are two levels of production, off-peak and peak. In the case of peakproduction, the power of the generatorsets is not sufficient to ensureproduction.vthe power supply split between currentconsumers is such that the availability is

R6a......R6d R5a......R5d

5,5 kV

400 V

JDB3

T3

R4a......R4d R3a......R3d

5,5 kV

400 V

JDB4

T4

R2a......R2d R1a......R1d

5,5 kV

400 V

JDB5

T5

20 kV

MVswitchboard 1

MVswitchboard 2

power supply Bpower supply A G1 G2

5,5 kV

T2

20 kV

5,5 kV

T1

5,5 kV

400 V

JDB6

T6


16/24


in the old network, there are failures thatcontribute directly to the loss of electricalpower supply.If this system only worked in off-peak

conditions, this ratio would be virtuallythe same since the system works mostlyin off-peak conditions, thus explaining itspreponderance in the overall result.If the system only works in peakconditions, it is around 50 times moreprobable to lose electrical supply tocurrent consumers 1 and 6 with the oldnetwork. In the case of peak conditions,it is MV related faults that predominateand this part of the network cannot bechanged very much.

von the frequency of loss of supply tocurrent consumers n1 and 6:

- off-peak operation 22- peak operation 21- overall 21

von the frequency of loss of supply tocurrent consumers n3:- off-peak operation 18- peak operation 21- overall 20The improved performance of the newnetwork is less pronounced in terms offrequency of failure.Calculation parameters used in aprobability of unavailability are thefrequency of failure and the time torepair. The failures which directlycontribute to the loss of power have aneffect on the unavailability time which isproportional to their time to repair.The new network makes it possible forbackground preventive maintenance tobe carried, in other words withoutinterrupting the plant's normaloperation.

cccccadditional assessmentsIt seemed interesting to assess someadditional criteria to compare the twoconfigurations.vthe relative probability of losing peakoperating conditionsIn the case of peak operatingconditions, the economic stakes arehigh. The criteria assessed above donot measure this risk. It is entirelyfeasible to lose peak production evenwith current consumers 1, 6 and 3supplied power.The probability of losing peak operationis four times less with the new network.The improvement is less pronouncedthan the other calculated criteria, sincethe main failures occur in the MV partwhich remains unmodified.

not very good. Thus, for example a faulton the busbar JDB3 knocks out allcurrent consumers of type R5and R6.Production is stopped and no other plant

can operate,vthe existing electrical network wassuch that that there were commonmode busbars. A short circuit acrossthese busbars made anyreconfigurations inoperative.The probability of a busbar short circuitis low, but since the system had highreconfiguring possibilities this failuremode becomes preponderant. Thecommon modes occur at coupling level,during reconfigurations involvingtransformer T4.vfor the new network, the current

consumers have been separated sothat it is possible to supply off-peakdemand with the current consumersassociated with one single transformerand peak demand with the currentconsumers associated with twotransformers.Figure 23 presents the proposednetwork layout and figure 24 itsfunctional analysis.

cresults analysisThe improvement in results obtainedwith the proposed network is

highlighted by giving the improvementratios, with the existing network beingused as a reference.Besides the probabilities of thesimultaneous loss of current consumers1 and 6 and the loss of currentconsumers 3, we have assessed theirfrequency of loss. Also calculated : theoptimum maintenance frequency for thegenerator sets and the contribution ofthe MV and LV networks to theundesirable events.Here are the obtained improvements :von the relative probability of

simultaneously losing supply to currentconsumers n1 and 6:- off-peak operation 110- peak operation 55- overall 105von the relative probability of losingsupply to current consumers n3:- off-peak operation 99- peak operation 54- overall 97Overall, the probability of losing electricalsupply to current consumers n1 and 6 is100 times greater with the old networkthan with the proposed network. Indeed,

fig. 23: functional diagram of the new

configuration.

GE1power

supply Apower

supply B

MVswitchboard 1

MVswitchboard 2

GE2

20 kV

T1 T2

5,5 kV

20 kV

5,5 kV

R1d R2d...................R6d

5,5 kV

plant n4

400 V

R1c R2c...................R6c

5,5 kV

plant n3

400 V

R1b R2b...................R6b

5,5 kV

plant n2400 V

R1a R2a...................R6a

5,5 kV

plant n1

400 V


17/24


18/24


fig. 27: monitoring and control configuration of an EHV substation with access and remote work station.

fig. 26: base monitoring and control configuration of an EHV substation.

sorties TOR

entres TOR

entres analogiques

unit centrale

automate

communication

sorties TOR

entres TOR

entres analogiques

unit centrale

automate

communication

console

work station

communication

on/off outputs

on/off inputs

analogical inputs

centralprocessor

on/off outputs

on/off inputs

analogical inputs

centralprocessor

PLC* (*Programmable Logic Controller)

communication

PLC*

communication4 PLC's*

level 2

level 1

network

sorties TOR

entres TOR

entres analogiques

unit centrale

automate

communication

sorties TOR

entres TOR

entres analogiques

unit centrale

automate

communication

console

work station

communication

on/off outputs

on/off inputs

analogical inputs

centralprocessor

centralprocessor

PLC* (*Programmable Logic Controller)

communication

on/off outputs

on/off inputs

analogical inputs

PLC*

communication4 PLC's*

level 2

level 1

network

link

communication

centralprocessor

to level 3


19/24


cfunctional analysisThe monitoring and control of the EHVsubstation in question includes:vfour plc's which acquire datas on the

status of the substation'selectrotechnical equipment and whichpass on the control orders (level 1),va work station enabling visualisationof the substation's status and thesending of control orders (level 2),vand possibly, a remote work station.The remote workstation is therefore onstand-by with respect to thesubstation's own work station.Figure 26 shows the basic solutioncorresponding to one single level 2work station.Figure 27 shows the solution with a linkto a remote work station.

cresults analysisthe selected monitoring and controlsystem must have a probability ofunavailability of less than 10-4att=1200 hours. This means theequipment must be non-functional forless than 7 minutes over 1200 hours ofoperation (50 days).The undesirable event - loss ofmonitoring and control - has beenbroken down into three undesirableevents corresponding to calculations of:

vthe probability of totally losingmonitoring and control (common mode),vthe probability of losing at least on/offinformation,vthe probability of losing at leastanalogic information,or in other words three calculations foreach configuration.The equipment is divided into twoclasses:vequipment for which we havereplacement parts (n),vequipment for which we do not havereplacement parts (s).

Two calculations are performed for eachundesirable event, to show the impact ofthe choice of the average repair time onthe end result (see fig. 28).

Hypothesis 2 is the most realistic one;it is these times that will be taken intoaccount to choose between the twosolutions.

MDT for equipment of type n MDT for equipment of type s

hypothesis 1 1 hour 3 hours

hypothesis 2 4 hours 12 hours

fig. 28: two hypotheses for the average time to repair.

fig. 29: bar chart of the unavailability of the two solutions (the orange line corresponds to the

objective to be achieved, it is achieved if the bar chart is to the left of the line).

As figure 29 shows;vthe solution without the remotestation does not enable the requiredavailability to be achieved,vthe solution with remote monitoringand control enables the objectives to be

base solution:

analogic inputs

on/off inputs/outputs

common modes

solution with link to level 3:

analogic inputs

on/off inputs/outputs

common modes

hypothesis 1

hypothesis 2

0 1E-4 2E-4 3E-4 4E-4 5E-4 6E-4

unavailability at t = 1200 h

objective

achieved for on/off inputs and thecommon modes ; but the probability oflosing at least one analogic inputremains greater than the target objective.


20/24


dependability studypackagesCertain tools automatically generate a

dependability study from the functional

analysis of the system and the failure

modes of its components.

A model is generated which enables

evaluation of the dependability criteria.

These tools are useful for complexsystems and/or repetitive systems.

They enable a database to be created

on the failure modes of the componentsand on the consequences of these

failures when possible. (see. fig. 30).

modelling toolsTwo types of tools (see. fig. 31):

csimulation tools,

canalytical calculation tools.

Comment: a Markov graph can very

easily be transformed into a Ptri

network and be used for simulation. As

opposed to a Ptri network, a graph

can be associated, but in this case the

transitions must be Markovised: in aMarkov graph the frequency of

occurrence of the transitions are

necessarily constant.

Schneider currently has a PC graphical

interface called PCDM whichautomatically generates the file defining

the Markov graph or the Ptri network

that has been drawn (ref. fig. 32).

This provides time savings and

improved reliability of data entry.

The Petri network modelling technique

is that which currently best approaches

the real behaviour of the system. Theacceleration of the simulation of Petri

networks, notably using MOCA-RP

software, is the subject of a thesis

whose initial findings have been

presented at the ESREL 96 congress

(European Safety Reliability).

In the near future, the use of Petri

networks will no longer be limited by

the simulation time they require.

tool modelling calculation main features

name technique resolution technique

Adlia fault tree canalytical tool developed by Schneider Electriccsimulation to model the malfunctions in

electrical network components. Itintegrates an electrical networkmalfunction database. Thedescription of the network and of theundesirable event automaticallygenerates the correspondingfault tree.

Sofia fault tree canalytical tool developed by SGTE Sofrenten.(logical polynomial) Automatic generation of a fault

tree and associated FMEA, by afunctional description of the systemand the creation of an associatedmalfunction database.

fig. 30 : two types of tools regularly used by Schneider Electri for dependability study.

modelling type simulation tool analytical calculation tool

Markov graph super Cabdeveloped by ELF AQUITAINE

Petri network MOCA-RDdeveloped by Microcab

fig. 31: the modelling tools.

fig. 32: PCDM graphical interface - Markov graph.

4. dependability tools


21/24


5. conclusion

Requirements have progressed interms of quality of electricity supply.Taking account of the considerableimprovements that have been made inmethods and equipment, users areentitled today to demand a high level ofavailability.To achieve this objective with justifiedconfidence, dependability studies arenecessary.

They enable optimisation ofcthe configuration of the electrical

network,

cof the monitoring and control system,cof the maintenance policy.They enable solutions to be chosenthat are tailored to achieve the requiredavailability threshold as cost effectivelyas possible.Often the study can be limited to a keypoint in the installation, responsible forthe major part of the globalunavailability.

In many cases, it is interesting to call ina specialist. The advice they may

provide could prove decisive.

Dependability can be broken down interms of:csafety,creliability,cavailability,cmaintainability.

Safety requirements initially imposeddependability studies on hazardousapplications : rail and air transport,nuclear power stations, etc. If we addthe requirements of reliability,availability and maintainability, many

other sectors are concerned.


22/24


bibliography

Standards

cIEC 50: International electrotechnicalvocabulary - general index.

cIEC 271/UTE C 20310: List of basicterms, definitions and relatedmathematics for reliability.

cIEC 300: Reliability andmaintainability management.

cIEC 305/UTE C20321 327:Characteristics of string insulator unitsof the cap and pin type.

cIEC 362: Guide for the collection ofreliability, availability and maintainabilitydata from field performance ofelectronic items.

cIEC 671: Periodic tests andmonitoring of the protection system ofnuclear reactors.

cIEC 706/X 60310 and 60312: Guideon maintainability of equipment.

cIEC 812/X 60510: Analysistechniques for system reliability -Procedure for failure mode and effectsanalysis (FMEA).

cCEI 863/X 60520 : Prvision descaractristiques de fiabilit,maintenabilit et disponibilit.

cIEC 880: Software for computers inthe safety systems of nuclear powerstations.

cIEC 987: Programmed digitalcomputers important to safety fornuclear power stations.

cIEC 1165: Application of Markovtechniques.

cIEC 1226: Nuclear power plants ;instrumentation and control systems

important for safety ; classification.cNF C 71-011 : Sret defonctionnement des logiciels -Gnralit

cNF C 71-012 : Sret defonctionnement des logiciels -Contraintes sur le logiciel.

cNF C 71-013 : Sret defonctionnement des logiciels -Mthodes appropries aux analyses descurit.

Miscellaneous publications

[1]Fiabilit des systmesA. Pags et M. GondranEyrolles 1983

[2]Sret de fonctionnement dessystmes industrielsA. VillemeurEyrolles 1988

[3]Recueils de donnes de fiabilit :

cMilitary Handbook 217 FDepartment of Defense (US)

cRecueil de donnes de fiabilit duCNET(Centre National dEtudes desTlcommunications)1993

cIEEE 493 et 500 (Institute ofElectrical and Electronics Engineers)1980 et 1984

cIEEE Guide to the collection andpresentation of electronic sensingcomponent, and mechanical equipmentreliability data for nuclear-powergenerating stations

cDocument NPRD91 (Nonelectronics

Parts Reliability Data)du Reliability Analysis Center(Department of Defense US)

1991

[4]Recommandations:

cMIL-STD 882 B

cMIL-STD 1623

Merlin Gerin Cahier Techniques

cMthode de dveloppement dunlogiciel de sretCahier Technique n117 -

A. JOURDIL et R. GALERA 1982cIntroduction to dependability design,Cahier Technique n144P. BONNEFOI

cSret et distribution lectriqueCahier Technique n148 - G. GATINE

cHigh availability and LV switchboards,Cahier Technique n156O. BOUJU

cAutomatic transfering of powersupplies in HV and LV networksCahier Technique n161G. THOMASSET

cEnergy-based discriminationfor LV protective devices,Cahier Technique nCT167R. MOREL, M. SERPINET

cDependability of MV and HVprotective devices,Cahier Technique n175M. LEMAIRE

Schneider's participation in variousworking groups

cstatistical group of IEC committee 56(reliability standards),

csoftware dependability with theEuropean EWICS-T7 group : computerand critical applications,

cgroupe de travail de lAFCET sur lasret de fonctionnement dessystmes informatiques,

cparticipation la mise jour du

recueil de fiabilit du CNET,cIFIP working group 10.4. Dependablecomputing.


23/24



24/24

Documents

184-Electrical Installation Dependability Studies