Substations in high- and medium-voltage power networks include primary equipment such as electrical cables, lines, bus bars, switches, power transformers and instrument transformers, which is generally arranged in switch yards and/or bays. Such primary equipment is operated in an automated way via a process control system, for example a substation automation system. A process control system or substation automation system may include secondary devices or control devices, among which intelligent electronic devices (IEDs) may be responsible for protection, control and monitoring of the primary equipment. The secondary devices can be assigned to hierarchical levels, i.e. the station level, the bay level and the process level, the latter being separated from the bay level by a so-called process interface. The station level of the substation automation system may include an operator workstation with a human-machine interface and a gateway to a network control center. Intelligent electronic devices on the bay level, also termed bay units or protection IEDs, in turn may be connected to each other within a bay and/or on the station level via an inter-bay or station bus primarily serving the purpose of exchanging commands and status information.
Exemplary secondary devices on the process level can include sensors for voltage (VT), current (CT) and gas density measurements, contact probes for sensing switch and transformer tap changer positions, and/or actuators (I/O) for changing transformer tap positions or for controlling switchgear such as circuit breakers or disconnectors.
A communication standard for communication between the intelligent electronic devices of a substation has been introduced by the International Electrotechnical Commission (IEC) as part of the standard IEC 61850 entitled “Communication networks and systems in substations”.
For non-time-critical messages, IEC 61850-8-1 specifies the manufacturing message specification (MMS, ISO/IEC 9506) protocol based on a reduced open systems interconnection (OSI) protocol stack, with the transmission control protocol (TCP) and Internet protocol (IP) in the transport and network layers, respectively (ISO transport over TCP, RFC 1006), and Ethernet as the physical medium.
For time-critical messages, such as trip commands, IEC 61850-8-1 specifies generic object oriented substation events (GOOSE), built directly on the Ethernet link layer of the communication stack. For very time-critical signals at the process level, such as measured analog voltages or currents, IEC 61850-9-2 specifies the sampled values (SV) protocol, which also builds directly on the Ethernet link layer.
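The split between the two stacks described above (MMS over TCP/IP on one side, GOOSE and SV directly on Ethernet on the other) is visible in every frame on the station or process bus: GOOSE carries EtherType 0x88B8, SV carries 0x88BA, and MMS arrives as TCP traffic to the ISO transport port 102. The following classifier, an added example that is not part of the original text, parses raw frames (with an optional 802.1Q tag, which the standard uses to carry priority for GOOSE and SV) and labels them accordingly; the sample frames are constructed by hand, and the warning on destination MAC addresses uses the multicast ranges recommended by IEC 61850 (01-0C-CD-01 for GOOSE, 01-0C-CD-04 for SV), not a mandatory rule.

```python
"""Classify raw Ethernet frames into the IEC 61850 traffic classes described above
(MMS over TCP/IP, GOOSE and SV directly on Ethernet).  Added example, not code from
the original page; every sample frame below is constructed, not captured."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_GOOSE = 0x88B8      # IEC 61850-8-1 GOOSE, directly on the link layer
ETHERTYPE_SV = 0x88BA         # IEC 61850-9-2 sampled values, directly on the link layer
ISO_TSAP_PORT = 102           # ISO transport over TCP (RFC 1006), carries MMS
# Recommended multicast destination ranges: GOOSE 01-0C-CD-01-xx-xx, SV 01-0C-CD-04-xx-xx.
GOOSE_MCAST_PREFIX = bytes.fromhex("010ccd01")
SV_MCAST_PREFIX = bytes.fromhex("010ccd04")


def classify_frame(frame: bytes) -> dict:
    """Return a dict describing the protocol class of one raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:                       # optional 802.1Q tag
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"priority": tci >> 13, "vid": tci & 0x0FFF}
        offset = 18
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan,
            "ethertype": ethertype, "class": "other", "warnings": []}

    if ethertype == ETHERTYPE_GOOSE:                      # link-layer, time-critical
        info["class"] = "GOOSE"
        if not dst.startswith(GOOSE_MCAST_PREFIX):
            info["warnings"].append("GOOSE destination outside recommended multicast range")
    elif ethertype == ETHERTYPE_SV:                       # link-layer, very time-critical
        info["class"] = "SV"
        if not dst.startswith(SV_MCAST_PREFIX):
            info["warnings"].append("SV destination outside recommended multicast range")
    elif ethertype == ETHERTYPE_IPV4:                     # MMS lives here, over TCP
        if len(frame) < offset + 20:
            raise ValueError("truncated IPv4 header")
        ihl = (frame[offset] & 0x0F) * 4
        proto = frame[offset + 9]
        info["src_ip"] = ".".join(str(b) for b in frame[offset + 12:offset + 16])
        info["dst_ip"] = ".".join(str(b) for b in frame[offset + 16:offset + 20])
        info["class"] = "IPv4-other"
        if proto == 6 and len(frame) >= offset + ihl + 4:
            sport, dport = struct.unpack("!HH", frame[offset + ihl:offset + ihl + 4])
            info["tcp"] = (sport, dport)
            if ISO_TSAP_PORT in (sport, dport):
                info["class"] = "MMS"
    return info


def _eth(dst: str, src: str, ethertype: int, payload: bytes, vlan=None) -> bytes:
    """Build a constructed Ethernet frame, optionally 802.1Q-tagged (priority, vid)."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        prio, vid = vlan
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, (prio << 13) | vid, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def _ipv4_tcp(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Minimal IPv4 + TCP headers (checksums left zero; this is never sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ip + tcp


# Constructed sample frames; GOOSE/SV payloads are stand-in bytes, not real APDUs.
SAMPLE_FRAMES = {
    "goose_trip": _eth("010ccd010001", "001122334455", ETHERTYPE_GOOSE,
                       bytes.fromhex("00010010") + b"\x61\x00", vlan=(4, 100)),
    "sv_stream": _eth("010ccd040001", "001122334456", ETHERTYPE_SV,
                      bytes.fromhex("40000020") + b"\x60\x00"),
    "mms_control": _eth("00aabbccddee", "00aabbccdd01", ETHERTYPE_IPV4,
                        _ipv4_tcp("10.0.0.10", "10.0.0.20", 49152, ISO_TSAP_PORT)),
    "goose_odd_dst": _eth("ffffffffffff", "00deadbeef00", ETHERTYPE_GOOSE, b"\x00\x01"),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(name, classify_frame(frame))
```

The classifier only looks at headers, which is enough to separate the two stacks; it does not decode the GOOSE or SV APDUs. In a monitoring setting the practical consequence of the page's architecture is the point: a control command to an IED is a TCP session to port 102 and can be followed per connection, whereas a trip is a multicast link-layer frame that never leaves the VLAN, so the two need different capture points and different detection logic.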
Exemplary embodiments disclosed herein can relate to the field of control systems for power grid operations using the IEC 61850 standard. Control operations, such as closing or opening primary switches, can be performed by a substation operator through a station-SCADA system. Such commands may not be sent directly to the primary equipment, but rather to an intelligent electronic device which performs the associated control function (for example interlocking verification) and then executes the operation (for example opening the breaker). Known substation automation architectures may consist of one IED per bay for control operations (see FIG. 1).
The control operations may be performed using the IEC 61850-8-1 protocol, meaning that communications between the station-SCADA system and any IED are based on MMS for control operations. Control operations may follow the “select before operate” (SBO) principle: the operator first sends a command to select the primary equipment to be operated and then a second command to execute the operation. Finally, a confirmation of the execution of the command may be sent back to the operator. Because of the SBO principle, control is exclusive, i.e. only one IED can control a given item of primary equipment at any one time. Hence, and contrary to protection functions, control functions in known substation automation systems are generally not duplicated (see FIG. 2). Protection functions may be duplicated for reasons of safety: if a protection function malfunctions, a redundant protection function takes over the tasks of the malfunctioning one.
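The two-step exchange described above, and the exclusivity it produces, is easiest to see as a state machine on the IED side. The following model is an added example and not code from the original text or from any product; the client names, the interlock hook and the 30-second selection timeout are assumptions for illustration (the timeout models the selection expiring if the selecting client never operates, so a crashed client cannot hold the object forever).

```python
"""Select-before-operate (SBO) control as described above, modelled as a small
state machine for one controllable object such as a circuit breaker.  Added
example, not code from the original page; client names, the interlock hook and
the 30 s selection timeout are assumptions made for illustration."""
from typing import Optional


class SboControl:
    """One controllable object with exclusive SBO semantics."""

    def __init__(self, name: str, position: str = "closed", select_timeout: float = 30.0):
        self.name = name
        self.position = position                # "open" or "closed"
        self.select_timeout = select_timeout    # assumed selection timeout, seconds
        self.selected_by: Optional[str] = None  # the single client holding the selection
        self.selected_at = 0.0
        self.log = []

    def _expire(self, now: float) -> None:
        """Release a stale selection so a vanished client cannot block the object."""
        if self.selected_by is not None and now - self.selected_at > self.select_timeout:
            self.log.append((now, self.selected_by, "selection timed out"))
            self.selected_by = None

    def select(self, client: str, now: float) -> str:
        """First step: only one client may hold the selection at a time."""
        self._expire(now)
        if self.selected_by not in (None, client):
            return f"rejected: {self.name} already selected by {self.selected_by}"
        self.selected_by, self.selected_at = client, now
        self.log.append((now, client, "select"))
        return "selected"

    def operate(self, client: str, ctl_val: str, now: float, interlock_ok: bool = True) -> str:
        """Second step: execute only for the client that holds the selection."""
        self._expire(now)
        if self.selected_by != client:
            return f"rejected: {client} has not selected {self.name}"
        self.selected_by = None                 # one selection is consumed by one operate
        if ctl_val not in ("open", "close"):
            return f"rejected: unknown control value {ctl_val!r}"
        if not interlock_ok:                    # the IED's control function checks interlocking
            self.log.append((now, client, "operate blocked by interlock"))
            return "rejected: interlock"
        self.position = "open" if ctl_val == "open" else "closed"
        self.log.append((now, client, f"operate {ctl_val}"))
        return f"executed: {self.name} is now {self.position}"   # confirmation to the operator

    def cancel(self, client: str, now: float) -> str:
        if self.selected_by != client:
            return "rejected: no selection held by this client"
        self.selected_by = None
        self.log.append((now, client, "cancel"))
        return "cancelled"


def run_scenario() -> dict:
    """Two clients contend for one breaker; returns the response each step received."""
    cb = SboControl("Q0")
    r = {}
    r["a_select"] = cb.select("station-scada", now=0.0)
    r["b_select_while_held"] = cb.select("standby-ied", now=1.0)          # exclusivity
    r["b_operate_without_select"] = cb.operate("standby-ied", "open", now=2.0)
    r["a_operate"] = cb.operate("station-scada", "open", now=3.0)
    r["a_operate_again"] = cb.operate("station-scada", "close", now=4.0)  # selection consumed
    r["b_select_after_release"] = cb.select("standby-ied", now=5.0)
    r["a_select_after_timeout"] = cb.select("station-scada", now=40.0)   # b's selection expired
    r["position"] = cb.position
    return r


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:28s} {result}")
```

The exclusivity is a lock held inside the one IED that owns the object. That is exactly why the text can say control is not duplicated: a second IED serving the same object would need to share or replicate this lock state, and a client that selected on one IED cannot operate on the other.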
Improving system reliability has been widely explored over the past decades. Four major forms of redundancy can be distinguished: (1) hardware redundancy, such as double or triple redundancy, (2) information redundancy, such as error detection and correction methods, (3) time redundancy, such as transient fault detection methods, and (4) software redundancy, such as N-version programming. In the context of substation automation, the known approaches to redundancy are based on hardware redundancy in a hot-hot configuration. The other possibility is a hot-standby configuration. In a hot-hot architecture both IEDs run in parallel, while in a hot-standby architecture the standby IED is taken into active use when the hot IED fails. In known systems, both approaches are realized by hard-wiring the inputs and outputs of both IEDs to the respective CTs/VTs (sensor inputs) and breaker actuators (I/O).
Technological progress in software virtualization allows two different software systems to be executed on the same device as if they were executed on two different physical devices. One can think of combining protection and control functionality into one physical device and reducing the number of IEDs to provide a cleaner redundancy chain down to the primary equipment. To take full advantage of this configuration, the control functions should be redundant as well (see FIG. 3). However, a classical hot-hot redundancy is not possible, since control operations must be exclusive, i.e. they must not be performed by two different IEDs at the same time (SBO, see above). Therefore, hot-standby redundancy architectures can be used. To this end, two main approaches may be considered for redundant control functions:
For any given bay, the IEDs may be duplicated. The station-SCADA system is aware of the duplicated IEDs, interacts first with the original ones and switches to the duplicated ones in case of a fault. The main drawback of this architecture is the need to modify the SCADA system, which can be a very complex task.
Another approach is to have the duplicated IED check the state of the original IED at regular intervals and, in case of a failure, impersonate it, i.e. substitute its own IP address with that of the original IED. While this approach is transparent towards the SCADA system, it requires a complex impersonation task at the IED level. Moreover, this task is not technically robust with the operating systems running on the IEDs, and can even be impossible if the original IED “freezes” without releasing its IP address.
While redundant control is feasible, the above approaches require complex modifications on either the station-SCADA side or the IED side.
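The failure mode named for the second approach (an original IED that freezes but never releases its IP address) is worth seeing in a concrete supervision loop. The following simulation is an added example, not code from the original text; the two probes it uses (an application-level heartbeat, and a check whether the address is still answered on the network in the spirit of IPv4 address conflict detection, RFC 5227) and the threshold of three missed polls are assumptions chosen to show why a hung peer blocks the takeover.

```python
"""Hot-standby supervision of a control IED as in the second approach above: the
standby polls the original IED at regular intervals and decides whether it may take
over its IP address.  Added example, not from the original page.  The heartbeat and
ARP-style probes and the three-miss threshold are assumptions for illustration."""


class PrimaryIed:
    """Simulated original IED.  'frozen' models a hung application whose network
    stack still answers for its address, so the address is never released."""

    def __init__(self, state: str = "healthy"):
        if state not in ("healthy", "crashed", "frozen"):
            raise ValueError(state)
        self.state = state

    def answers_heartbeat(self) -> bool:
        return self.state == "healthy"           # only a live application replies

    def answers_for_address(self) -> bool:
        return self.state in ("healthy", "frozen")  # a hung host still answers ARP


class StandbyIed:
    """Duplicated IED that may impersonate the original only when it is truly gone."""

    def __init__(self, primary: PrimaryIed, missed_threshold: int = 3):
        self.primary = primary
        self.missed_threshold = missed_threshold
        self.missed = 0
        self.active = False

    def poll(self) -> str:
        """One supervision interval; returns the decision taken in that interval."""
        if self.active:
            return "active"
        if self.primary.answers_heartbeat():
            self.missed = 0
            return "primary_ok"
        self.missed += 1
        if self.missed < self.missed_threshold:
            return "waiting"                      # tolerate a few lost heartbeats
        # Probe before claiming the address: if anyone still answers for it, taking it
        # over would create an address conflict instead of a clean failover.
        if self.primary.answers_for_address():
            return "takeover_blocked"             # frozen primary still holds the IP
        self.active = True
        return "take_over"


def supervise(primary_state: str, intervals: int = 5) -> list:
    """Run the standby against a primary in the given state; returns per-interval decisions."""
    standby = StandbyIed(PrimaryIed(primary_state))
    return [standby.poll() for _ in range(intervals)]


if __name__ == "__main__":
    for state in ("healthy", "crashed", "frozen"):
        print(f"{state:8s}", supervise(state))
```

A crashed primary is detected and replaced after the threshold; a frozen one is detected just as quickly but cannot be replaced, because the only safe action would be a forced address takeover. On the wire such a takeover is the same gratuitous-ARP pattern as an address-spoofing attack, so network-side monitoring cannot tell a legitimate failover from an attacker without knowing the redundant pair in advance, which is one more reason the text treats this approach as fragile.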