Reliability Engineering 9 (1984) 191-219

Reliability Evaluation of Protection Devices in Electrical

Power Systems

H. T. Yip, G. C. Weller
Relay Development Laboratory, GEC Measurements Ltd,
Stafford, Great Britain

and
R. N. Allan
Department of Electrical Engineering, UMIST,
P.O. Box 88, Manchester M60 1QD, Great Britain

(Received: 17 November 1983)

ABSTRACT

Electrical power is transmitted and d&tributed by a complex and

integrated network which is exposed to various types of faults. These
jaults are usually short-circuits which occur between phases and between
phases and earth. To protect the system against these faults, protection
systems, based on automatic relay devices, are incorporated into the
power system. This paper discusses the principles of these relay systems
and describes techniques that have been developed in order to evaluate the
reliability of the devices. The paper also discusses the principles of
monitoring and self-checking within the relay to reduce the probability of
an undetected dormant failure. All the concepts and techniques are
illustrated by the analysis of a typical distance protection relay.

A version of this paper was presented at the 4th National Reliability Engineering
Conference--Reliability '83, 6-8 July 1983, Birmingham, UK, and is reproduced by kind
permission of the organisers.
191
Reliability Engineering 0143-8174/84/$03.00 © Elsevier Applied Science Publishers Ltd,
England, 1984. Printed in Great Britain
192 H. T. Yip, G. ('. [4"eller, R. N. Allan

1 INTRODUCTION

1.1 Protection of a power system

In an electrical power generation and distribution system, the security of

supply has considerable value to the customer. Possibly the greatest
threat to this security is a short-circuit fault, which imposes a sudden and
sometimes violent change on the power system. The large current which
can flow under fault conditions can cause the localised release of a
considerable amount of energy, possibly causing fire at the fault location
and mechanical damage throughout the system, particularly to
transformer and machine windings.
To reduce the risk of damage due to short-circuit faults, protective gear
is used to detect and initiate removal of faults from the power system.
Direct-acting a.c. trips and fuses are commonly used at lower distribution
voltages, but protective relays are extensively used for major protective
functions, in conjunction with circuit breakers. Many different operating
conditions occur within power systems, and so to provide optimum
protection many different types of relay are needed, each responding to
different power system quantities. For example, observation of the
magnitude of the power system current is a sufficient basis for protection
in some cases, but measurement of power of impedance may be necessary
in others. 1
For protecting high-voltage overhead power transmission lines, the
measurement of impedance is the principle employed in a commonly-used
type of protection known as the distance relay. The distance relay is
designed to monitor the impedance of a given section of line
continuously. If a fault occurs, the impedance of the section of line falls
below a set level, and the relay responds within a few milliseconds by
sending a trip command to the circuit breaker to isolate the faulty section
of line.

1.2 Distance protection

A distance relay protects all three phases (A, B and C) of a transmission

line by measurements of the line currents and voltages at one end of the
line only (see Fig. 1). All types of short-circuits to earth and short-circuits
between phases are detected using these quantities, using impedance-
measuring circuits within the relay known as comparators. The operating
 Reliability of protection devices in power systems 193

ClRCUII
B~AI[ER

~: PROTECT[O SECIIONOFLINE _,

-i
GEN(RATOR ,,
Q CT I

]RANSMISSIOELINEI X - -

BUSBAR
V[

[RIP COMMANO

Fig. 1. Application of distance protection.

characteristic of a typical modern distance relay comparator 2 may be

described mathematically as a circle drawn on the impedance plane, as
shown in Fig. 2. The relay reach, or diameter of the circle, is adjusted to
match the impedance of the protected length of line both in magnitude
and angle. A short,circuit fault on the line reduces the line impedance to
less than the relay reach setting, while the presence of resistance in the
fault (for example, arc resistance) modifies the impedance angle as shown
in Fig. 2. If the measured impedance falls within the circle, the

6ELAY IMP[OAHCf

/ \ ~ ]YPICAL FAULI
/ RE ~ IMPEOANCEWIIH
ARC RESISIANC[Rr

Fig. 2. Impedance characteristic of a distance relay.

194 H. T. Yip, G. C. Welh, r, R. N. Allan

comparator sends an OPERATE signal via interface circuits to trip the

circuit breaker.
The comparator's circular operating characteristic is produced by
quantities V, derived from the line voltage, and IZ, derived from a replica
impedance Z fed with current I from the line current (see Fig. 3). The
quantity I Z is a replica of the voltage which would be presented to the relay
if a short-circuit fault were to occur at a location equivalent to the
relay reach setting. The replica impedance is the device which enables the
relay to protect a length of line using Icurrentt and voltage signals from
measuring transformers at one end of the line only.
The reach of the relay is set by adjusting the relative magnitudes of V
and IZ, and the characteristic angle 0 of the relay is set by adjusting the
phase angle of the replica impedance Z. Two composite signals, V - 1Z
and V / - 9 0 °, are produced, and the comparator determines whether
V - I Z is lagging or leading V / - 90 °. If V - I Z lags V/--:. 90 °, the fault
lies inside the characteristic, and the comparator issues a trip signal.
Conversely, if V - 1 Z leads V / - 9 0 °, the comparator restrains from
tripping. The V component of V - I Z is known as the restraining
quantity, while the signal V / - 90 ° is known as the polarising quantity or
VpOL-
A common type of distance relay has six main comparators, three for
detecting phase-earth faults, and three for phase-phase faults. In
addition to the main zone of protection (zone I), there are two further
zones with larger reach settings and time-delayed tripping. Zones 2 and 3
are provided for back-up protection of faults in adjoining sections of the

IX

IR

Fig. 3. Deviation of circular operating characteristic.

 Reliability of protection devices in power systems 195

transmission system, to guard against the possibility of the circuit breaker

adjacent to a fault failing to open. The time delayed zone 2 and zone 3
tripping is not normally regarded as redundant protection, but only a last
line ofdefence, since damage to power system plant may occur if the trip is
delayed. Zones 2 and 3 frequently use separate sets of comparators.
A disadvantage of distance relays in general is that the zone 1 reach is
invariably set to only 80 ~ of the length of the section of line to be
protected. This is to ensure that there is no danger of unwanted trips
caused by the zone 1 comparators overreaching into the next section of
line owing to tolerances in line parameters and errors in the current and
voltage transformers which feed the relay with signals from the line. The
remaining 20 ~ of the line is not covered by zone l, but only by zone 2
which would ordinarily give a time-delayed trip.
On high-voltage systems it is normal to provide facilities for signalling
between the two distance relays protecting the same section of the line
from opposite ends. Various schemes are possible for providing fast
tripping via the signalling channel for faults in the last 20 ~ of the line.
The most popular scheme is the permissive underreach scheme shown in
Fig. 4, where the detection of a fault by the zone 1 comparators at end Q
of the line causes a signal to be sent to the relay at end P. The relay at P
detects the fault with its continuously-measuring zone 2 comparators,
and, on receiving the signal, an instantaneous trip is produced at P.

I ZONE 2 = 120*1° OF"LINE >

I zoNE 1 80"/. OF LIN[

Q
u X m

J I

< ZONE 1 80"1o OF"LINF i

I

ZONE 2 120% OF"LINE I

I

SIGNAL SIN|" BY ZI El
F'AULI Ot'TECIEOIN Z2 fAULT ~T~IEO IN II
ANO SIGNAL RECEIV[O .'. TRIP C. 13.AI Q
• IRIP C.l:l. AT P
Fig. 4. Permissiveunderreach scheme.
196 H. T. Yip, G. C. Weller, R. N. Allan

1.3 Reliability considerations

A modern relay uses complex solid-state electronic circuits to satisfy the

increasingly stringent performance requirements of speed, sensitivity and
discrimination. An equally important requirement is that the relay should
have a high level of reliability. At the design stage, the manufacturer pays
close attention to such things as selection of appropriate components,
minimisation of internal heat dissipation, immunity from interference
and mechanical ruggedness, in order or provide a high level of inherent
reliability. In production, every relay undergoes rigorous quality control
procedures at component, sub-assembly and final test stages, in order to
eliminate early-life failures. This paper describes new, cost-effective
methods being used in the latest distance relay designs, or under
consideration for future designs, to make further improvements in
reliability.
A relay spends the majority of its life in an energised but quiescent state,
where it is monitoring a healthy live transmission line. If failure occurs in
the relay, it is likely to be during this quiescent state. Such failures are
normally only detected by routine inspection, by the relay failing to trip
when required, or by the relay operating inadvertently.
Well-proven reliability improvement methods include active or
standby redundancy. Although the concept of redundancy is sometimes
applied to protection systems by connecting two relays in parallel, this
concept is not generally applied to the internal design of relays because of
excessive cost and complexity. Another method for improving reliability
is to include built-in monitoring and self-checking facilities during the
design stage. The primary purpose of adding monitoring and sell'-
checking facilities to a relay is to detect any failure inside the relay as soon
as possible and to give an alarm. However, their methods and
performance are very different. Techniques of built-in monitoring and
self-checking are described in this paper, with an analysis showing the
benefits to be expected from the use of these techniques.

1.4 Scheme redundancy

Some degree of redundancy is provided by applying the distance

protection in a permissive underreach scheme, since the zone 1
comparators cover 80% of the line and the zone 2 comparators (in
conjunction with zone 1 at the far end of the line via the signalling
 Reliability of protection devices in power systems 197

channel) independently cover all of the line. The effect of this redundancy
is included in the analysis, although the influence of factors outside the
relay manufacturer's control, such as the reliability-of the circuit
breakers, signalling channel, etc., is outside the scope of the present paper
and has, therefore, been neglected.
The use of two sets of protection working in parallel has been
mentioned. This c o m m o n technique of duplicate protection uses two sets
of distance protection of the same or different type, or else one set of
distance protection with one set of protection based on a different
principle. An analysis of the improvement in overall protection reliability
resulting from this type of redundancy is included in the paper.

2 C O N C E P T S A N D EFFECTS OF RELAY F A I L U R E S

2.1 Failure modes of relays

The two most important failure outcomes of power system relays are:
(a) failure to trip when required;
(b) mal-trip when not required.
Other types of failure outcome include:
(c) correct trip, but incorrect operation of other outputs (e.g.
indicator lamps);
(d) spontaneous sending of incorrect outputs not involving mal-trips
(e.g. remote alarms).
The probability of occurrence of failures (c) and (d) is small, and will not
be considered in detail.
F r o m a reliability viewpoint, relays can reside in one of three states
which may be described as a successful state, a failed state such that
the relay tends to restrain from operation, and a failed state such that the
relay tends to operate.
A failed state such that the relay tends to restrain is caused by an
unrevealed fault. 3 Such a relay will remain in a dormant failure-to-trip
state until a power system fault occurs within the relevant section of line,
whereupon an actual failure to trip occurs, or until routine maintenance is
performed.
CONDI ] IONS
UNDER WHICH
RELAY IS
EXPECTED
NOT TO ~ - - - 7 ~ ..... .......
TRIP / /~ ~- /'"
.,-" /-t ~ ~f/~" \ / .".-.t
./ /~ _~_~ ' / 4 ° \

ItURE TO TRiP J
/
\ X'""/ @J 10 ]
\ (ffNOING"tO \ CORRECTLY
.TS E R AT F S

CONDITIONS ~ ~ "~ .~ E"

UNDER WHICH ~ i - - ~ ....
RELAY IS EXPECTED
1-(3 TRIP
INITIATING EVENTS STATES OF RELAYS COMPONENTS OUTCOMES

Fig. 5. In tiating events and failure outcomes of distance protection.

 Reliability of protection devices in power systems 199

A failed state such that the relay tends to operate may be caused either
by a revealed or by an unrevealed fault. A revealed fault will manifest itself
immediately as an instantaneous real-trip, whereas an unrevealed fault
will cause the relay to be in a potential mal-trip state, that is, a fault which
needs appropriate relay input conditions to occur before an actual mal-
trip is produced.
One example of a potential mal-trip is when the restraining voltage
c o m p o n e n t to the c o m p a r a t o r of a distance relayLcollapses due to failure
inside the relay. This causes the characteristic circle to open up into a
straight line. If the load current always flows in the importing direction,
mal-trip may never occur.
Failure to trip and potential mal-trips can be divided into several sub-
categories. This is due to different well-defined power system conditions
that can occur and different facilities that have to be built inside a m o d e r n
relay to cope with these conditions. Therefore, it is evident that many
failures within a relay require the occurrence of certain types of input
conditions or initiating events before they are revealed. The reliability
analysis must always take the initiating events to a relay into
consideration.

2.2 Initiating events and failure outcomes

A protective relay connected to a transmission line will be subjected to

two types of input conditions or initiating events. These are:

(a) conditions under which the relay is expected N O T to trip;

(b) conditions under which the relay is expected to trip.
The events leading to these conditions for a distance relay are shown in
Fig. 5.
The c o m p o n e n t s or modules of a relay will reside in one of three states:

(a) successful state;

(b) failed state such that the relay tends to restrain.
(c) failed state such that the relay tends to operate.

These states are also shown in Fig. 5.

Different outcomes can occur depending on the initiating events to the
relay and the various states of the components. These outcomes, failures
to trip and mal-trip, are illustrated in Fig. 5.
200 H. T. Yip, G. C. Weller, R. N. Allan

3 RELIABILITY INDICES OF RELAYS

3.1 Concepts

There are a number of indices that can be used to specify quantitatively

the reliability of components, modules and complete systems. These are
equally applicable to relays. These indices are well documented ~ and,
therefore, only a brief summary of the most important in terms of relays is
presented.

3.2 Failure rate

If the failure rates of the individual components are known, it is fairly

straightforward to evaluate the failure rates of a complete relay for its
different failure modes. The transformation from component data to
system prediction requires a knowledge not only of component data, but
also of system operation, system function, failure modes and effects and
suitable reliability models. The system aspects depend upon the relay and
must be ascertained during the design phase. Reliability models are
described in detail elsewhere. 4 A suitable source of component reliability
data which has been used in the present project is contained in
MI L-HDBK-217C.-S This source of information permits many factors to
be taken into account including environment, quality control, stress and
temperature.

3.3 Mean time to failure

The mean time to failure (MTTF) is a frequently used index in reliability

evaluation and can generally be calculated 4 fairly readily for any system
configuration. Relays generally do not contain any form of redundancy
and are, therefore, classed as series systems. In this case only, the value of
M T T F is the reciprocal of the effective failure rate of the system.

3.4 Availability

Neither the failure rate nor the M T T F takes into account the effect of
periodic maintenance or inspection. These indices do not, therefore,
adequately reflect the operational constraints of a relay since relays are
generally inspected at regular intervals. Furthermore, the indices will not
 Reliability of protection devices in power systems 201

reflect the benefits of such inspections nor the benefits created by built-in
monitoring or self-checking facilities.
A further index which is c o m m o n l y used to express the reliability of a
maintained system is termed 'availability'. This is a measure 4 of the
limiting state probability of being found in an operable state, and is
defined as:
A- /~ - MTTF
2+/~ MTTF+MTTR (1)
where
/~ = repair rate
2 = failure rate
M T T R = mean time to repair
Although availability takes repair rate, and hence maintainability, into
consideration, it was decided that it is inadequate for expressing the
reliability of power system relays. The reasons are:
(a) Most relay failures are unrevealed faults and the failures are
r a n d o m and unpredictable. A relay may fail shortly after periodic
maintenance and the fault remains hidden until another
maintenance inspection takes place. Mean time to repair (or more
appropriately in this case, the mean down time) is unpredictable
and hence availability is difficult to determine.
(b) Although relay manufacturers issue proper maintenance pro-
cedures and testing instructions, maintenance policies are largely
dependent on the users and the average time needed to check or
repair a relay is largely out of the control of relay manufacturers.

3.5 Average unavailability

Customers are generally concerned with the mean up time and ways of
detecting any relay failure. In such cases, a single index defined as 'average
unavailability' between consecutive tests proves very useful. This term is
also known 3 as 'mean fractional dead time'. If the time between periodic
inspections is To, and the cumulative failure distribution function 4 is Q(t),
then the average unavailability is:

U= ~
lf c Q(t)dt

=~ {1 - e x p ( - j ' 2 ( t ) d t ) } d t
202 H. T. Yip, G. C. Welh, r, R. N. Allan

In the case of exponentially distributed times-to-failure:

U=~ (1 - exp ( - 2 t ) ) d t

1
= 1 - ~ (1 - exp ( - 2T~))

__---2To if 2T~ ~ 1 (2)

2
It can be seen from eqn. (2) that average unavailability is directly
proportional to T c, the inspection interval; i.e., if the periodic inspection
is carried out more frequently and does not itself degrade the device, the
average unavailability will correspondingly decrease. For relays which are
periodically inspected, or for relays with built-in monitoring and self-
checking features, this index is clearly more appropriate.

3.6 Expected values

The primary function of a relay is to operate following a system fault and

hence to isolate the faulted section by tripping protection breakers.
Therefore, except for the case of instantaneous mal-trips, a failed relay
has no effect on the power system behaviour unless system conditions
change. It is, therefore, useful to take into account the occurrence
frequency of these system changes since this would identify the number of
occasions that problems would arise. This can be achieved by
transforming the average unavailabilities into expected values that
depend upon the conditions of the sections of the line that the relay is
protecting.
For example, the average unavailability of a relay to be in a failure-to-
trip state can be expressed as an expected number of failures to trip per
year, based on the fault rate of the transmission line, or mean time to fail
to trip. If the section of the transmission line being protected has a fault
rate of 1 fault per year, and the average unavailability of a relay to be in a
failure-to-trip state is 0.1, then,
Expected number of failures to trip per year
= 0'1 z 1 fault/year
= 0.1 failure to trip/year
1
Mean time to fail to trip = expected number of failures to trip/year
= 10 years
 Reliability of protection devices in power systems 203

4 METHODS OF MONITORING AND SELF-CHECKING

4.1 Monitoring techniques

Monitoring techniques normally operate continuously and can be used to

detect unavailability, and possibly tendency to cause mal-tripping, and
mal-tripping of relays. Methods of achieving monitoring are:
(a) Monitor those circuits with outputs which always remain the same
irrespective of the relay's input conditions. An example is the
power supply.
(b) Detect illogical operations of relays, e.g. zone 1 comparator picks
up, but zone 2 comparator does not pick up.
Monitoring facilities have the topological structure shown in Fig. 6.

4.2 Self-checking techniques

Self-checking facilities operate only periodically and for only a very short
time. They are used to check whether the relay is operative or not.
During self-checking either parts or the whole of the relay will be out of
service. Methods of doing self-checking are:
(a) Artificially produced voltages and/or currents corresponding to
the system failure conditions are applied to the primary inputs of
the relay.
(b) Testing signals are applied to the first stages of internal circuits of
the relay.
(c) Operational characteristics of the relay are changed momentarily
to force the relay to operate; e.g., the circular characteristic of a
distance relay is expanded to include the load impedance within its
boundary, so that the comparators are forced into operation.

MODULE A ,,._OUTPUT TO
OTHER MODULES

MONITORING CIRCUIT "--ALARM

M

Fig. 6. Monitoring structure.

204 H. T. Yip, G. C. Weller, R. N. Allan

(d) The operating criterion of the comparator is inverted so that the

measuring element is changed from its normal restraining
condition into an operating condition.
All self-checking methods have the topological structure shown in Fig. 7.
The self-checking circuit injects testing or control signals into the module
under test, monitors the outputs and disconnects the outputs from any
subsequent circuits. The last two self-checking methods make use of
signals derived from system voltages and currents to do the self-checking,
thus effectively checking some of the circuits in front of the comparator as
well as the comparator itself.

NORMALLY-CLOSED
CONTACT OUTPUT TO
MODULE A 0 C = TO OTHER MODULES

SELF - CHECKING
ClRCUITS

Fig. 7. Self-checking structure.

4.3 Advantages and disadvantages

Monitoring and self-checking have the ability to reduce the average

unavailabilities of failure-to-trip states and potential mal-trip states at
relatively little cost and complexity. There are some disadvantages
however:
(a) They may not be able to monitor or self-check every part of the
relay without excessive cost and complexity.
(b) Self-checking must take circuits 'off-line', thus creating temporary
unavailability.
These disadvantages, however, will depend largely on the ways these
facilities are designed and implemented. In general, if the design can be
simple and effective and involve few components, the probabilities of
failure will be correspondingly decreased.
 Reliability of protection devices in power systems 205

5 RELIABILITY ANALYSIS WITH M O N I T O R I N G AND

SELF-CHECKING

5.1 Concepts

An appropriate method for evaluating the reliability of relays containing

monitoring and/or self-checking is the conditional probability approach. 4
This approach may be expressed in general terms as:
n

P(A) = ~ P(AIB,). P(B,) (3)

i=1

where A represents failure of system A, B is a component in system A, B i

represents the ith mutually exclusive state of component B and n is the
total number of mutually exclusive states of component B.

5.2 Monitoring circuits

Consider module A of a relay having a failure rate (rate of encountering a

failure-to-trip state) of 2 , Let T~ be the time between periodic
inspections. Then, from eqn. (2):

UA ~_2ATff2
Suppose A now has a monitoring circuit M, having failure rate 2 M. Let .4'
represent module A together with M. Then, from eqns (2) and (3):
P(.'I') = P(.4'IM) • P(M) + P(A'IM ) . P(lf/l) (4)
i.e.,

UA -~0 (1 ~Tc'~ -+
•\ 2 2 2
_ ,~Tc ;tMT~
2 2 (5)
This evaluation is based upon an important assumption that the repair
time is negligible compared with the total time that the relay is connected
to the power system.
Consider a simple example in which 2A = 0.1 failure per year (f/yr),
206 H. T. Yip, G. C. Weller, R. N. Allan

Tc = I yr and the complexity of M is 1/5 that of A, i.e. 2 M = 0.02 f/yr.

Then:
t
U A = 0"05 and U a = 0"0005
The reduction in average unavailability is, therefore, 99 "o.

5.3 Self-checking circuits

Consider now the same module A, but this time with a self-checking
circuit S having a single failure m o d e with failure rate 2 s. Let T c be the
periodic inspection interval and T s the self-checking interval. Let A"
represent module A together with S. Then, from eqns (2) and (3):
P ( A " ) = P ( A " i S ) . P ( S ) + P ( A " IS). P ( S ) (6)

2 " 1-
UA" ~-- )~ATs + 2 2

The evaluation is again based on the assumption that the time taken to
perform self-checking is negligible compared with the time between
successive self-checkings.
If the same numerical example used above is considered, but this time
with 2 s = 0-02 f/yr and T s = 1 week, then"
UA = 0"05 and UA = 0'001 45

The reduction in average unavailability is, therefore, 97 ".i,.

In practice the self-checking circuit could exhibit more than one m o d e
of failure, e.g. resides in a d o r m a n t state, causes mal-trips, causes failures
to trip, gives false alarms. If these can be recognised, they can be included
in the analysis very readily by extending the two-state model used in eqn
(6) to multi-state representation as defined by eqn (3).

6 RELIABILITY ANALYSIS OF A DISTANCE RELAY

6.1 Description of the relay under study

A practical distance relay design incorporating optional monitoring and
self-checking was used to demonstrate the principles used in reliability
analysis, and to identify the degree of improvement in availability
obtained by the addition of monitoring and self-checking facilities. The
reliability block diagram of this relay is shown in Fig. 8. Some modules
 ='C)LARIZING MODULE

P-~TAGE INPUT MODULE

[-gT~

:TORS

,DULES

~ASE & N~Om~ I

SETTING MODLLE
_':UP,RENT INPUT MODULE ~,TOR i',4ODLLE

TO
, SCHEI~
LOGIC

:HEHE RiPPUIG
3GIC 4OWL[
L E V E L DE l ECqC)R ATC~
~ E

~ JPPL~HODUL[
((1)FIHIX+I ]0 AI L
• PO,~R I ~
'F Jt
I'I(JL)UL,~SEX[:~T lo 1
QIRI~IT INPUT + - - ~ - - - 5ell[ I'll.
tOGIC ~ - ~
COl~l1UUJCAIIOtl
WITH Till
OiliER 14EIAY
• -

~ig. 8. (eliability block diagram of distance relay. (*Under monitoring; ?under self-checking.)
o
.A
208 H. 7". Yip, G. ('. Weller, R. N. Allan

are divided into several sub-modules. For example, the voltage input
module is divided into VA, V~ and Vc sub-modules. This is because the
relay has independent circuits to measure separately the voltages and
currents of the three phases. The relay system may be briefly described as
follows. The current and voltage input modules take the current and
voltage supplies from the secondaries of the transmission line measuring
transformers. The d.c. power supply for the electronic circuits is derived
from the substation battery supply via the power supply module. Reach
settings are done by the phase and neutral setting module (common to
zones 1,2 and 3) and by the zone I setting module, zone 2 setting module
and zone 3 setting module (the latter module not shown). The polarising
module contains the phase shift circuits needed for the Vpoc signals to
the zone 1 and zone 2 comparators. The level detector module provides
controls on relay sensitivity and depends on a reference voltage supply
and (like the comparator modules) on a clock pulse generator. The
scheme logic module contains a microcomputer which provides the logic
necessary for the permissive underreach scheme, and the tripping module
provides the intert~ace with the operating coil of the circuit breaker.

6.2 Monitoring and self-checking facilities

As described earlier, the reliability of a relay should increase if monitoring

and self-checking facilities are included in its design. In a practical relay,
not all circuits could be monitored or self-checked at a reasonable
manufacturing cost. Those that were checked using these facilities are
identified in Fig. 9.
Modules or circuits under monitoring are:
(a) +5V, +12V, -12Vand + 2 4 V d . c . power supply ;
(b) level detector and c o m p a r a t o r clock pulse generator;
(c) level detector voltage reference:
(d) scheme logic's microcomputer and its on-board timer; and
(e) voltage input module.
Items (a) to (d) are c o m m o n elements which, if" they tail, will cause the
whole relay to be inoperative. Item (e) provides restraining voltage
components to all the comparators. If any of these voltage c o m p o n e n t s
fails, the relay will be in a potential mal-trip state.
In addition to the above monitoring facilities, the scheme logic is able
to monitor any illogical operation of the comparators. If any of the
 Reliability of protection devices in power systems 209

VOLTAGERt.EHLNCE I
ATLEVELDEIECIOR
MODULE
LEVELDETECIDR I
VOLTAGEREFERENCE
MONNO~NGCRCUT
• 24V~
LEVELDETECIDR LEVELDEIECIOR
I ANDCOMPARAD IR ANDCOMPAR AIOR ALARM
I CLOCKPULSE CLOCKMONITORING CIRCUIT
I GENERAIOR CIRCUIT
~ VOLTAGETRANSFORMERI .
SUPERVISION H
MODULE j I SCHEMELOG,CS'
•,2V I MICROCOFt~UTER MC
~
I ROCOMPUE
I RCLOCK
~IIOR~G [
• sv~ ,.~ ..... I I CIRCUIT

CHECKup;[
SIGNALS~
I COMPARATORS

Fig. 9. Reliability block diagram of monitoring and self-checking circuits.

comparators operates illogically, the scheme l'ogic will prevent tripping

and will give an alarm. This type of monitoring is illustrated in Fig. 10.
The self-checking procedure is initiated by the scheme logic once every
9 h (an arbitrary time). During self-checking, a signal will be sent to all the
comparators, causing their operating criteria to be inverted. If VpoL and
V - I Z signals are present at the inputs of the comparators, the output

ZONE2 COHPARATOR
I
I ZONEI COHPARAIOR
OPERATES I
OPERAIES

Y N Y N

FT (a)
Fig. I0. Monitoring technique to detect illogical operations.
210 H. T. Yip. G. C. lYeller, R. N. Allan

states of the comparators should be inverted, within the comparators'

operating time, after the self-checking signal is on. An alarm will be sent
if this is not so. Since this self-checking method will require signals VeoL
and V - I Z to be present, it will check some of the circuits feeding the
comparators as well.

6.3 Failure modes investigated

As stated previously, a relay can suffer several modes of failure including

failures to trip when required, potential mal-trips and instantaneous mal-
trips. In addition, the failures to trip can be subdivided into several
subcategories depending on the type of system fault. These system faults
comprise 4 types: phase earth faults, phase phase faults, phase phase
earth faults and three-phase faults. These subcategories are:
(a) failure-to-trip state for an A - E fault;
(b) failure-to-trip state for a B-E fault:
(c) failure-to-trip state for a C - E fault:
(d) failure-to-trip state for an A B fault;
(e) failure-to-trip state for a B C fault:
(f) failure-to-trip state for a C A fault:
(g) failure-to-trip state for an A--B-E fault:
(h) failure-to-trip state for a B C E fault;
(i) failure-to-trip state for a C A--E fault:
(j) failure-to-trip state for an A B C fault.
A, B, C represent the three phases and E represents earth.
The above events (a)--(j) are not mutually exclusive, because they have
c o m m o n elements. For instance, events (a) (j) will all occur if the power

I
RELAY FAILS TO TRIP FOR P - E FAULTS]
I

RELAY IN A FAILURE'TO-
ITO-TRtPSTATEFORI r]RIPSTA]EFOR B-E I IIRIP STATEFOR C-t I
[ A E FAULT J | FAULT l [ FAULT J

Fig. I !. Fault tree of relay failing to trip for phase earth faults.
 Reliability of protection devices in power systems 211

s u p p l y fails. Similarly, events (a), (d) a n d (f) will o c c u r if the I A e l e m e n t

fails. T h e s e effects were t a k e n into a c c o u n t in the detailed analysis. T h e
r e l a t i o n s h i p b e t w e e n the p h a s e - e a r t h faults a n d the r e l a y states is s h o w n
in the fault tree o f Fig. 11. Similar f a u l t trees c a n be c o n s t r u c t e d f o r the
o t h e r t y p e s o f p o w e r s y s t e m fault.

6.4 Analysis of relay modules or sub-modules

E a c h o f the m o d u l e s or s u b - m o d u l e s s h o w n in Figs 8 a n d 9 were a n a l y z e d

s e p a r a t e l y . T h e m o d u l e s or s u b - m o d u l e s t h e m s e l v e s d o n o t c o n t a i n
r e d u n d a n c y a n d , t h e r e f o r e , their effective failure rates c o u l d be f o u n d
v e r y easily f r o m a s u m m a t i o n o f the failure rates o f the individual

TABLE 1
Examples of Failure Rates of Modules or Sub-modules Using Data from MIL-HDBK-
217C
Module Sub-module Failure Failure rate Average
mode per 10 6 h unavailability

Voltage input VA PMT 0'275 624 0'001 207

module
Current input IA FTT 0.541 794 0.002 373
module
Phase and IAZp. FTT 0-674 599 0.002 955
neutral setting PMT 0.401 992 0.001 761
module
Zone 1 setting VAZ~ PMT 1.083 590 0.004 746
module (V - IZ)Azl FTT 0"073 139 0"000 320
Polarising VpOLA FTT 0.187 771 0.000 822
module
Zone 1 CPAz i FTT 0"064 290 0"000 282
comparator Clock generator FTT 0.333 894 0-001 462
module
Level detector LDLS A FTT 0.308 446 0.001 351
module Level detector FTT 0.124 182 0.000 544
voltage reference
Scheme logic FTT 2.422 588 0-010 611
module 1MT 0.018 086 0.000 079
Power supply FTT 1"468 336 0"006 431
module
Tripping module Phase A tripping FTT 0-412044 0"001 805
circuit

FTT = Failure-to-trip state; PMT =potential mal-trip state; IMT = instantaneous

mal-trip.
212 H.T. Yip. G. C. Weller, R. N. Allan

components. The data used to analyse each module or sub-module were

obtained from ref. 5 using parts stress analysis. Examples of the results
obtained for the effective failure rates are shown in Table 1. Since sub-
modules for different phases or different zones are either exactly the same
or very similar, only A phase and zone 1 sub-modules are shown. This
table also shows the average unavailability of these modules or sub-
modules using these effective failure rates (eqn (2)) and assuming an
inspection interval of 1 year.

6.5 Analysis of complete relay

In order to analyse the reliability of the relay, fault trees were constructed
for each relay failure mode, e.g. failure to trip, potential mal-trip. A
selection of these is shown in Figs. 12--15.
In the case of failure to trip, the effect of Z1 and Z2 protection zones
had to be taken into account since Z1 and Z2 protect 80 o~i;of the line
whilst Z2 protects an additional 20",. The method of satisfying this
effect is illustrated in Fig. 12 in which two modes of failure are coupled via
an exclusive OR gate, the two events leading to this gate being weighted

[FAILURE-TO-TRIP STATEFORA-E FAULTl

._.. ._1 .._1

Fig. 12. Fault tree of relay in a failure-to-trip state for A-E faults.
 Reliability of protection devices in power systems 213

by 0"8 and 0.2 respectively. This can be justified using, conditional

probability as follows:
P(relay fails to trip)
= P(line fault in 80 ~o of line)
x P(relay in a failure-to-trip state for Z1 and Z2)
+ P(line fault in 20 ~o of line)
x P(relay in a failure-to-trip state for Z2)
= 0.8P(line fault)
x/°(relay in a failure-to-trip state for Z1 and Z2)
+ 0.2P(line fault)
x P(relay in a failure-to-trip state for Z2)
= P(line fault)
x [0.8P(relay in a failure-to-trip state for Z1 and A2)
+ 0-2P(relay in a failure-to-trip state for Z2)]
Consequently:
P(measuring element fails) --0-8P(Z1 and Z2 elements fail)
+ 0.2P(Z2 elements fail)
This analysis assumes that the fault can occur equally likely at any
point on the line. This is a reasonable assumption, but the analysis can
easily be modified if the fault distribution is known.
Using the average unavailabilities given in Table l, the fault trees for
each failure mode and the concepts of monitoring and self-checking given
earlier, the average unavailability without monitoring and self-checking,

I COHMONELEMENTS
FAIL 1

+_
! AND I
\ COMPARA'FOR
l
\ CLOC~ /

Fig. 13. Fault tree for failures of the relay's common elements.
214 H. T. Yip. G. C. Weller, R. N. Allan

FAILURE-TO-TRIP STATE FOR

A-B-E FAULTS I

I eleM~
[ FAlu
Fig. 14. Fault tree of relay in a failure-to-trip state for A - B E faults

TABLE 2
Average Unavailabilities U of Various Failures of the Relay

Failure mode U without U with Reduction U with Furthur Total

monitoring monitoring "o in U monitoring reduction reduction
and sell: only and se!/: " in U ~',~ in U
cheek mg check ing
_ _ m •

F T T state
forA E
fault 0.050 189 0.031 357 37.5 0.029080 7-3 42.1
F T T state
for A - B
fault 0'048 707 0"029 843 38.7 0"027 562 7-6 43-4
F T T state
forA B E
fault 0.032282 0-016112 50.1 0.014831 8.0 54.1
F T T state
for A B-C
fault 0.026430 0.010263 61.2 0.009005 12.3 66.0
Instantaneous
mal-trip 0.000 079 0-000 079 0.0 0.000 079 0-0 0.0
Potential
mal-trip
state 0.051 702 0.023 387 54-8 0.023 387 0.0 54.8
False alarm by
monitoring or
sell-checking 0.002 457

Inspection interval = 1 year. Interval between self-checking = 9 h.

 Reliability of protection devices in power systems 215

[ REL~LINA POTENTIAL]
. TRip 51AT[

VOLT GF[AILS I
MODUt'
&
PHASE NBJIRAL SETTING
HOOULE FAILS OPERATNG
ZI RESIRAI,IING
| VOL1AGEFALLS
Z2 R[S P~INNG
VOLIAGEFA LS
i ~,~:A~,~FA~LS]

Fig. 15(a). Fault tree for potential real-trip without monitoring.

with monitoring but without self-checking and finally with both

monitoring and self-checking can be evaluated. These results are shown in
Table 2. It was assumed in this analysis that the interval between self-
checks was 9 h.
The effects of monitoring by the scheme logic to detect illogical
operations of the comparators have to be analysed with a different
approach. Figure 15(a) shows the fault tree of the relay in a potential mal-
trip state. The relay will be in a potential mal-trip state if any of the
restraining voltage components fail. However, with this type of
monitoring method, the zone 1 and zone 2 restraining voltage
components will have to fail together before the relay can mal-trip. This
causes the fault tree to change its structure, as shown in Fig. 15(b).

RELAY IN A POTENTtALI
HAL - TRIP S|AIE /

+
f
VOLTAGE
t
PHASE & NEUTRALSETTING
+
MODULEFALLS I HOOJI.EFALS OP[RATING ~:
IVOLTA~ fAILS I

Fig. 15(b). Fault tree for potential real-trip with monitoring.

216 H . T . Yip. G. 6'. Weller, R. ,¥. .41hm

T A B L E 3(a)
Mean Times to Fail to Trip in Years with a Single Relay

Scheme Type Fault Mean times t o / a i l m trip

q[ rate in years
jault per -
year Without With With
monitoring monitoring monitoring
and se([: only and serf:
check ing check htg

Overhead lines fault on P E 0339 59 94 101

I cct/50 km P P 0.304 68 110 119
P P E 0'023 1 347 2680 2932
P P P 0'002 18918 48719 55525

Note: P E = p h a s e earth; P P = p h a s e phase; P P E = p h a s e phase earth; P P P =

three-phase.

As discussed earlier, the average probability of failing to trip can be

converted into an expected number of failures to trip if the fault rate of a
line is known. Fault data from ref. 6 have been used which contain the
CEGB's system fault statistics over a 6 yr period (1968 1974) on 275 kV
lines. Assuming there is on average 1 pair of relays per 50 km of line, mean
times to fail to trip for the 4 types of power system fault are shown in
Table 3(a). Table 3(b) shows the mean times to fail-to-trip with duplicate
protection, assuming that they are of the same type of relay.

T A B L E 3(b)
Mean Times to Fail to Trip in Years with Duplicate Protection

Scheme Type Fault Mean times to .jail to trip

Q[ t'(IIC #1 I'eal'~
./ault per
)'d~lr Without With With
monitoring monitoring monitoring
and selj: only and serf
check ing checking

Overhead lines fault on P E 0-339 1 171 3000 3488

1cct/50km P P 0.304 1 387 3694 4330
P .P-E 0.023 41 721 t67 484 197666
P P P 0.002 715774 4747023 6165987
 Reliability of protection devices in power systems 217

6.6 Discussion of results

The results of the analysis have shown that:

(a) Monitoring facilities can reduce average unavailabilities of the
relay in various types of failure-to-trip states by 38-61 ~o and self-
checking facilities can further reduce them by 7-12 ~o. The overall
reductions are between 42 and 66~o. It can be seen that the
reductions due to self-checking are less than those due to
monitoring. This is because monitoring facilities test most of the
common elements, whereas self-checking facilities can only test
individual measuring elements.
(b) Average unavailability of the relay in a potential mal-trip state can
be reduced by 55 ~o. This is achieved by the voltage supervision
module and the simple monitoring method of detecting illogical
operations of comparators. The major constituents of potential
mal-trip will then be the failures of the zone 3 restraining voltages
and some circuits in the phase and neutral setting module.
(c) Instantaneous mal-trips cannot be prevented by monitoring or
self-checking, but their probabilities of occurrence are very small.
(d) Monitoring and self-checking facilities are based on simple
circuits or ideas; therefore they require only little additional costs.
The probabilities of failures that they can introduce, such as false
alarms, failures to trip and mal-trips, are also very small.
(e) With duplicate protection, the probabilities of failures to trip are
further reduced, making the figures of mean times to fail to trip
look even more favourable. However, the probability of the relay
system being in a potential real-trip state will be increased.

7 CONCLUSIONS
This paper has investigated the various failure modes of a complete
distance protection scheme. It was found that a relay can reside in a
failure-to-trip state, a potential mal-trip state, or can mal-trip
instantaneously. Failure-to-trip states and potential mal-trip states are
unrevealed faults. They are revealed when certain initiating events from
the power system occur, or during routine maintenance. It was found that
the majority of relay failures are of the unrevealed type. Since the interval
between routine maintenance checks is from several months to several
years, a relay can be in a failed state for a long time without being noticed.
218 H. 7. Yip. G. C. Weller, R. N. Allan

A single reliability index known as average unavailability has been

found appropriate to assess the reliability of such a system. Monitoring
and self-checking techniques are capable of detecting some failures inside
a relay and notifying the user by alarm; they therefore seem to be effective
means for detecting unrevealed faults. However, the ways to implement
them need careful consideration. This paper has surveyed some
techniques of performing monitoring and self-checking and has used a
method to assess their performance. It was found that these techniques
are very effective in reducing the average unavailabilities of various
unrevealed faults within a relay. The disadvantages are that these
techniques will increase the component count and hence the cost, and can
introduce additional failures such as false alarms, mal-trips or failures to
trip. In general, if the monitoring and self-checking facilities can be
implemented in a simple and effective manner, these side-effects can be
reduced.
This paper has made a detailed analysis of the performance of the
proposed monitoring and self-checking methods in a practical distance
relay. It was found that the combined effects of reducing average
unavailabilities of the relay in various failure-to-trip states and a potential
mal-trip state are satisfactory, and, because of their simple design, the
additional costs and failure probabilities introduced are very small.
However, it was found impossible to check every part of the relay,
especially some of the analogue circuitries, without disproportionate
increases in the cost and complexity of the self-checking circuits. With the
c o m m o n practice of having duplicate protection the reductions in the
probabilities of failures to trip are even more significant, but the
probability of potential mal-trip is correspondingly increased. This paper
proposed a novel yet simple monitoring method of preventing potential
mal-trip from actually occurring, by detecting any illogical operations of
the comparators by the scheme logic. The reduction of the average
unavailability of the relay in a potential mal-trip state by this method has
been found satisfactory.

REFERENCES
1. GEC Measurements Limited. Protective Relay Application Guide, Second
edition, March 1975.
2. Weller, G. C. et al. New principles for distance protective relays, l E E 2nd Int.
ConJl on Developments in Power System Protection, Publication No. 185,
June 1980, pp. 182-6.
 Reliability of protection devices in power systems 219

3. Green, A. E. and Bourne, A. J. Reliability Technology, John Wiley, 1972.

4. Billinton, R. and Allan, R. N. Reliability Evaluation of Engineering
Systems--Concepts and Techniques, Pitman Books, 1983.
5. MIL-HDBK-217C (Notice 1), Reliability Prediction of Electronic
Equipment, Department of Defense, USA, April 1979 and May 1980.
6. Light, B. R. Transient stability aspects of power system reliability, lEE Conj'.
on Reliability of Power Supply Systems, Publication No. 148, 1977, pp. 1014.