
The basics of protection and control

Optimize it, but don’t complicate it!

This technical article discusses some of the basics of protection and control as successfully used for decades. The majority of these general requirements will have to be retained by new communication-based solutions.

Solving the architectural and reliability puzzle of a protection and control system

It is important to distinguish between the key need, and the present way of accomplishing the need (current implementations are ways of meeting functional requirements, not the functional requirements themselves).

While users will have to re-think and adapt to different ways of accomplishing the basic requirements, architects of the new systems must factor in all the basic principles that constitute the protection and control engineering field.

This article touches on several key aspects in a simple arbitrary benchmark (Figure 1) for discussing both the principles and some of the new solutions.

Too often, proposals for communications-based protection systems neglect the actual number and location of CTs and disregard the principle of overlapping zones, maintainability, redundancy and other practical aspects.

This technical article presents some of the most important observations from the excellent work “IEC 61850 – A practical application primer for protection engineers” that protection engineers and others involved in protection & control design should pay attention to.


  1. Zones of protection
  2. Allocation of IEDs to zones of protection
  3. Allocation of protection & control functions to IEDs
  4. AC signals
  5. DC signals
  6. Reliability and availability of protection

1. Zones of protection

The zone of protection refers to the primary equipment for which faults are detected by a given protection scheme. The protection scheme is defined by the relays and their measuring CTs and VTs. Interrupting devices (circuit breakers, circuit switchers, etc.) that are operated by the protection scheme must be arranged to remove all sources of energy from within the protection zone.

Ideally, a protection zone is confined to a single primary device such as a transformer or a bus. Limitations on the location of instrument transformers and interrupting devices may result in larger zones.

Protection zones must overlap in order to provide coverage for all primary equipment. This typically results in breakers falling into multiple zones.


2. Allocation of IEDs to zones of protection

Typically an IED or relay is dedicated to the protection of a single zone. In this way a failure of this device or its algorithms compromises a single zone. IEDs may provide backup protection to other zones. In this case coordination is often required.

When required, redundant IEDs may be assigned to the same zone. Redundancy may also be extended to the DC supplies, measuring CTs, breaker trip coils, relay panels, and cable routings. Redundant IEDs may use different operating principles or be manufactured by different vendors.

Redundant protection generally provides increased reliability and shorter clearing time when compared with backup protection at the expense of increased cost and complexity.

Redundant protection also allows one IED to be taken from service for maintenance while the primary equipment remains in-service, protected by the other IED.

Figure 1 – Possible benchmark case for new protection and control architectures

The requirement to keep primary equipment in-service also affects the topology of the substation itself.

For instance, 1½ breaker, ring bus, or double bus configurations are often implemented at higher voltage levels. In these cases it may be useful to allocate IEDs to breakers as well as to protection zones.

For instance, a 1½ breaker line terminal may consist of redundant line distance or line differential IEDs protecting the transmission lines and an IED for each of the associated breakers.

The breaker IED is responsible for:

  1. Breaker failure,
  2. Auto-reclosure,
  3. Synchronized closing and
  4. Interlocking.

1 ½ breaker method

In the future, the breaker IED could be considered the sole interface point for all protection and control functions associated with the breaker, including SCADA.

Routine maintenance can be carried out on each of the redundant line protections (one at a time) with all primary equipment in-service.

Additionally each breaker and its associated IED can be taken from service (one at a time) for maintenance purposes. There is a value in separating protection functions and keeping them aligned with the zones of the primary equipment.


3. Allocation of protection & control functions to IEDs

Conventional protection schemes were initially developed using good old electromechanical relays. These devices often performed one or two functions only on a per-phase basis. While these schemes required a lot of panel space and wiring, they also benefited from inherent redundancy.

For example, a feeder scheme could consist of three single-phase Time overcurrent (TOC) and Instantaneous overcurrent (IOC) relays and a ground IOC/TOC relay. This meant that 2 relays were expected to operate for many fault types (with the exception of a low magnitude ground fault).

In microprocessor relays much of this inherent redundancy is lost. As such, a protection designer assigning functions to a multifunction device needs to consider the implications of losing all these functions when the IED fails. Conversely, integrating more functions into a single device results in fewer IEDs and a simpler overall design.

Historically, functions were separated within one protection group because there was no other choice. Integrating functions within a group doesn’t necessarily lessen reliability in a fully-duplicated scheme because common failures have always existed.

Figure 2 – Example of allocating protection and control functions to IEDs

For another example one can consider again the line terminal shown in Figure 2. Traditionally the functions shown in the breaker IED (synchrocheck, auto-reclose, and breaker failure) were not duplicated.

The protection designer may decide to reduce the number of IEDs by merging these functions into one of the line protection IEDs. If so, consideration must be given to the interruption of these functions during routine maintenance.

Another consideration is the potentially large tripping exposure to a malfunction. It is probably warranted to duplicate these functions in both IEDs.

However, this approach may require careful consideration. For example, allowing two auto-reclose schemes to operate in parallel could lead to unexpected and unwanted behavior, especially for single-pole tripping.


4. AC signals

Most protection schemes utilize voltages and currents measured via conventional CTs and VTs. CTs typically have nominal secondary current ratings of 1A or 5A. VTs typically have nominal secondary phase-neutral voltage ratings of 57V to 120V.

CTs may serve several IEDs wired in series. If so, the protection designer needs to consider the consequence of a failure of a cable or CT on the overall scheme.

The IEDs of redundant systems are often fed from separate CTs. The cabling may be routed over different paths for additional redundancy. If the redundant IEDs share the same panel, the cabling may then terminate on different sides of the enclosure.

VT signals are more likely to be shared by multiple IEDs. If so, fuses are typically installed throughout the circuit. These devices must coordinate in order to ensure that a fault in the voltage circuit impacts as few IEDs as possible. VT fuse fail schemes should supervise protection schemes that are predisposed towards false operation for a failure in the voltage circuit.

Almost all protection applications require their input AC signals to be time-aligned. This calls for synchronization of measurements of these signals, either with respect to one another or with respect to the absolute time.

Today, this requirement is achieved by bringing all signals into a single IED and processing them synchronously within the device with respect to an internal arbitrary time scale.

With the exception of some line current differential applications, protection functions today do not depend on any external time synchronization source.


5. DC signals

Protection schemes often utilize signals from other schemes or from field devices (circuit breakers, etc.). Contacts are brought in from the station battery to feed auxiliary relay logic or the inputs of IEDs.

In large stations, miles of control cabling are sometimes required to route these signals. As such, station batteries are typically ungrounded and are equipped with battery ground detection in order to allow station personnel to detect and repair cable faults. Even so, incorrect status information due to faulty circuitry is inevitable and must be planned for in the design.

In general, a protection scheme should not produce a critical response (i.e. trip a breaker) based solely on a status input.

For example, in line distance applications, permissive transfer tripping is more secure than direct transfer tripping because the former requires a protection element to pick up simultaneously with receipt of the permissive signal.

In applications where this principle cannot be adhered to, the scheme should use multiple status signals for additional security.

For example, a scheme that uses both the normally open and normally closed breaker status contacts can be designed to discriminate between correct and abnormal indication.
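The two principles above, sketched as an added example that is not part of the original article: breaker position is accepted only while the normally open and normally closed contacts are complementary, and a permissive trip needs a local element as well as the received signal. The 100 ms transit limit, the function names and the sample sequence are assumptions made for illustration.

```python
from enum import Enum

class Breaker(Enum):
    OPEN = "open"
    CLOSED = "closed"
    IN_TRANSIT = "in transit"  # contacts momentarily not complementary
    ABNORMAL = "abnormal"      # indication cannot be trusted

MAX_TRANSIT_MS = 100  # assumed limit for a healthy breaker operation

def classify(samples, max_transit_ms=MAX_TRANSIT_MS):
    """Derive breaker position from (time_ms, no_contact, nc_contact) samples.

    no_contact is True when the normally open contact reports "breaker closed",
    nc_contact is True when the normally closed contact reports "breaker open".
    A healthy pair is complementary; anything else is tolerated only briefly.
    """
    states, invalid_since = [], None
    for t, no_c, nc_c in samples:
        if no_c != nc_c:
            invalid_since = None
            state = Breaker.CLOSED if no_c else Breaker.OPEN
        else:
            if invalid_since is None:
                invalid_since = t
            too_long = t - invalid_since > max_transit_ms
            state = Breaker.ABNORMAL if too_long else Breaker.IN_TRANSIT
        states.append((t, state))
    return states

def permissive_trip(element_picked_up, permissive_received):
    """Permissive transfer trip: the received signal alone never trips."""
    return element_picked_up and permissive_received

def direct_trip(transfer_trip_received):
    """Direct transfer trip: the received signal is the only condition."""
    return transfer_trip_received

# Constructed samples: a normal opening, then the normally closed contact
# circuit fails so both inputs read False and stay that way.
SAMPLES = [
    (0, True, False),     # closed
    (20, False, False),   # travelling
    (60, False, True),    # open
    (500, False, False),  # NC input lost
    (700, False, False),  # still not complementary, so abnormal
]

if __name__ == "__main__":
    for t, state in classify(SAMPLES):
        print(f"{t:4d} ms  {state.value}")
    # A received signal with no local fault detected:
    print("permissive trips:", permissive_trip(False, True))
    print("direct trips:    ", direct_trip(True))
```

A scheme that must act on breaker status would use only the `OPEN` and `CLOSED` results and raise an alarm on `ABNORMAL`.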

In redundant systems, the signals for each scheme are usually derived from different devices or field contacts. These signals are segregated onto separate cables. The cables may be routed via different paths within the station. In very critical stations there may be separate batteries for the redundant systems. This reduces the system exposure to battery grounds.

Critical DC signals such as trip, close or breaker failure initiate can be equipped with test facilities to allow safe isolation of those signals from the rest of the system.


6. Reliability and availability of protection

Availability and reliability of protection are not impacted when using microprocessor-based protective relays as known today, and applied to both protection and control within the SCADA realm of the IEC 61850.

When pursuing distributed architectures based on the concept of a process bus, with the intent of eliminating copper wiring in the yard and replacing it with a fiber optic solution, availability and reliability of protection are a fundamental consideration and one of the key barriers to overcome.

For example, consider Figure 3 showing a benchmark substation of Figure 1, and focus on AC signals associated with protection IEDs around breakers CB-1 and CB-2. This example pictures realistically the concepts of overlapping zones of protection, redundancy and separation of the A&B systems (for simplicity lockout relays are neglected, just two trip coils are shown, the breaker fail devices are separate from the zone relays and are not redundant).

The figure clearly illustrates the reason for extensive field wiring: redundancy and overlapping protection zones.

Figure 3 – Selected breaker from the benchmark of Figure 1

Figure 4 presents a hypothetical architecture in which each AC signal is digitized by a separate merging unit (MU). Separate MUs are used to provide the DC signal interface (MU-11 through 14). The A&B systems are kept separate. Consider the availability of the LINE 1 protection system A.

This zone depends on the availability of MUs 1, 8, 10 for measurement and MUs 11 and 14 for tripping, Ethernet LAN A for communications, and the Line IED for overall processing (not to mention the time synchronization source for the AC-related MUs 11, 8 and 10).

Composed of seven of today’s IEDs, such a line protection system would have an MTTF an order of magnitude lower than that of today’s relays (see Annex B).

Figure 4 – A hypothetical process bus architecture for the system of Figure 3

Figure 5 presents a sample architecture with one breaker IED (MU) that interfaces two currents and DC signals. Now only two MUs per breaker are required. Still, the line protection is a system involving five IEDs (MUs 1, 3, 6, Ethernet switch, IED).

Note that the BF function depends on three devices (MU-1, LAN A, BF IED). This becomes a flaw that dramatically reduces the availability of the BF function, and calls for solutions in the form of redundant hardware, or equivalent.

Figure 5 – A hypothetical process bus architecture for the system of Figure 3

Figure 6 further eliminates MUs 5 and 6 by wiring the voltage signals to MU-3 and 4 (typically a relatively short distance compared with the distance from the yard all the way to the control house). Still, the line protection depends on four IEDs, or five counting the time synchronization source.

MUs 3 and 4 become equivalent to today’s microprocessor-based relays in complexity. They support current and voltage inputs as well as digital inputs and output contacts.

Figure 6 – A hypothetical process bus architecture for the system of Figure 3

The question arises:

Why not provide the complete functionality in such a yard device, eliminating the need for all the other IEDs?

The obvious acceptance and maintenance issues may be easier to overcome compared with the solutions of Figures 3 through 6. It is strongly recommended that concepts built around the process bus and substituting copper with fiber, particularly for the yard wiring, are presented in the context of the actual count of CTs and VTs, giving consideration to overlapping protection zones, redundancy and separation of the A&B systems.

Once the architecture is presented, an IED count can be approximated, and a reliability study should be conducted in order to validate the solution.

A process bus protection system set up with off-the-shelf components (merging units fed from non-conventional instrument transformers, explicitly synchronized via their IRIG-B inputs, and communicating via an Ethernet network) would have reliability numbers reduced by an order of magnitude compared with today’s microprocessor-based relays.

This is because of the substantial increase in the total part count and complexity of such a distributed system as compared with today’s integrated microprocessor-based relays.
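The part-count argument can be checked with a first-pass series reliability calculation over the device chains listed for Figures 4 and 5. This is an added example, not taken from the article or the primer it cites; the 100-year MTTF and 48-hour repair time are constructed figures, and independent device failures with constant failure rates are assumed.

```python
HOURS_PER_YEAR = 8760.0

# Constructed figures, not taken from the article or its source paper.
ASSUMED_MTTF_YEARS = 100.0   # same value assumed for every device
ASSUMED_MTTR_HOURS = 48.0    # time to detect and replace a failed device

# Device chains as the article lists them; one failure defeats the function.
CHAINS = {
    "integrated relay": ["Line IED"],
    "Figure 4 line protection A": [
        "MU-1", "MU-8", "MU-10", "MU-11", "MU-14", "LAN A", "Line IED"],
    "Figure 5 line protection": [
        "MU-1", "MU-3", "MU-6", "Ethernet switch", "IED"],
    "Figure 5 breaker failure": ["MU-1", "LAN A", "BF IED"],
}

def series_mttf_years(devices, mttf=None):
    """MTTF of a series chain: constant failure rates (1/MTTF) simply add."""
    mttf = mttf or {}  # optional per-device overrides, in years
    rate = sum(1.0 / mttf.get(d, ASSUMED_MTTF_YEARS) for d in devices)
    return 1.0 / rate

def series_unavailability(devices, mttf=None, mttr_hours=ASSUMED_MTTR_HOURS):
    """Probability that at least one device in the chain is out of service."""
    mttf = mttf or {}
    available = 1.0
    for d in devices:
        up_hours = mttf.get(d, ASSUMED_MTTF_YEARS) * HOURS_PER_YEAR
        available *= up_hours / (up_hours + mttr_hours)
    return 1.0 - available

def both_systems_down(unavailability_a, unavailability_b):
    """Independent A and B systems: protection is lost only if both are down."""
    return unavailability_a * unavailability_b

def with_time_sync(devices):
    """Add the external time source that the AC-related MUs depend on."""
    return devices + ["time synchronization source"]

def compare(chains=CHAINS):
    """Return {name: (device count, MTTF in years, hours unavailable per year)}."""
    return {
        name: (len(devs), series_mttf_years(devs),
               series_unavailability(devs) * HOURS_PER_YEAR)
        for name, devs in chains.items()
    }

if __name__ == "__main__":
    for name, (n, mttf, hours) in compare().items():
        print(f"{name:28s} {n} devices  MTTF {mttf:6.1f} y  {hours:5.2f} h/y down")
```

With equal devices the chain MTTF falls in proportion to the device count, which is why the architecture has to be stated before any reliability figure means anything. A time source or LAN shared by the A and B systems breaks the independence that `both_systems_down` assumes.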

A successful system for replacing copper wires with fiber optics would have to keep the total part count and complexity at the level of today’s relays. There are challenges in designing such a system, primarily time synchronization and sharing data from merging units to multiple IEDs without an explicit network, while keeping the total count of merging units (interfacing devices) at a reasonable level. It is justified to assume relay vendors have already conceptualized or are working on the solutions.

It is quite obvious that the interoperability protocols of the IEC 61850 in the areas of process bus and peer-to-peer communication are of little help in solving this architectural/reliability puzzle.



  1. IEC 61850 – A practical application primer for protection engineers by Bogdan Kasztenny, James Whatley, Eric A. Udren, John Burger, Dale Finney and Mark Adamiak
