Towards a standardisation for digital inputs and outputs of protection functions in IEC 60255 series

Fully digitalized substations using IEC 61850 process bus are being introduced all over the world. Numerous utilities have featured pilot projects, demonstrators or even industrial scale deployment of these Fully Digital Protection, Automation and Control Systems (FD-PACS). Product standards such as profiles for Instrument Transformers have been developed and published (IEC 61869-6 and IEC 61869-9 by TC 38—Instrument Transformers). This raises the question about the standards for digitally interfaced protection functions. In 2016, IEC TC 95 (Measuring relays and protection equipment) charged a working group to investigate this subject and to elaborate recommendations concerning requirements and testing of protection IED with digital inputs and outputs for protection standards (IEC 60255-1xx series). For protection functions, publisher/subscriber based data streams are supposed to comply with IEC 61850 and IEC 61869 standards. This holds in particular for Sampled Values (SV) representing energising inputs of the protection function, and is also applicable to Generic Object Oriented Substation Event (GOOSE) which can be used for input or output of protection functions. Quality attributes of published data depend on the operational and connection status of the function and the hosting IED. In addition, protection functions have to take into account the information regarding the time synchronisation of the received SV and other parameters. This paper gives an overview of these features and the proposed way to take them into account in the IEC 60255 standard series. It describes the progress of WG 2 and relates it to existing standardization documents.


Introduction
Fully Digital Protection, Automation and Control Systems (FD-PACS) using IEC 61850 are being introduced all over the world. Numerous utilities have featured pilot projects, demonstrators [1,2] or even industrial scale deployment. Profiles for Instrument Transformers (ITs) have been developed and published by IEC TC 38 (Instrument Transformers), as product standards, and in particular: • IEC 61869-6 Additional general requirements for low-power instrument transformers [3]. • IEC 61869-9 Digital interface for instrument transformers [4]. • IEC 61869-13 Stand Alone Merging Units [5].
This raises the question about product standards for protection functions digitally interfaced with process interface equipment and with other functions of the PACS.
In 2016, IEC TC 95 (Measuring relays and protection equipment) charged Ad hoc WG 3 (AhWG3), to investigate this subject and to elaborate recommendations for requirements and testing of protection IED with digital

Open Access
Protection and Control of Modern Power Systems *Correspondence: pingfengma@126.com inputs and outputs for protection standards. This concerns IEC 60255, and specifically, the documents mainly dedicated to the functional part, known as IEC 60255-1xx series. Based on the recommendations given by AhWG3, TC 95 implemented WG 2 "Protection functions with Digital input/output" in 2019. WG 2 is missioned to provide standards and guidelines for this subject and to support the development and review of functional standards for protection functions (IEC 60255-1xx series).
This paper is an overview article describing the progress of the standardization working group. The objective of the document is to describe the subject of the work of WG 2 and to relate it to existing standardization documents. The methodology of work is transparent and corresponds to the development of a Technical Report of the IEC standardisation working group. It is compliant to IEC Directives and includes the circulation of working drafts among National Committees, and modifications and improvements of these documents based on the received comments.

Functional protection chain
Published or subscribed data streams of protection functions are required to comply with IEC 61850 and IEC 61869 standards (as seen in Fig. 1). This holds in particular for Sampled Values (SV) representing energising inputs of the protection function, and is also applicable to Generic Object Oriented System Event (GOOSE) which can be used for input (e.g., signals indicating circuit breaker position or circuit breaker failure) or output of protection functions (e.g., trip orders). The value of the data quality attribute of published data depends on the operational status of the protection function, the status of the communication interface and data streams of the function, and the hardware status of the hosting IED. In addition, protection functions may have to take into account the time synchronisation status of the subscribed SV. Figure 1 shows the functional chain of protection functions interfaced with a digital secondary system, highlighting the different applicable product standards. Although several configurations are possible to interface Instrument Transformers, the characteristics of their digital interface are described by IEC 61869-6 and IEC 61869-9. This interface is common to both of the following units: Regarding the fault clearance time, the acquisition time of the Merging Units and the transmission time of SV and GOOSE have to be considered in addition to the time required for the protection algorithm itself and for closing the trip contacts, as seen in Fig. 2. For a conventional PACS with hardwired protection IED, this significantly changes the definition, test and responsibilities for the fault clearing time.

Considerations for protection functions interfaced with digital input/output
Analysis of the functional chain of protection functions shows that the following elements also have to be considered [6] as according to Figs. 1 and 2: • The characteristics and transfer function including anti-aliasing filter and accuracy of the analog data  (current/voltage) contained in the SV stream are covered by IEC 61869 series (as seen in Fig. 4). • The overall performance of a functional protection chain depends on the design and the characteristics of the protection itself and the communication network. Even being partially covered by IEC 61850 standards and guidelines or best practices, no general statements over performance of the communication network can be given. A new or extended responsibility of the user and/or integrator for the correct design of the protection schemes has thus to be acknowledged. In the near future, the system integrators may be requested to provide an engineering document addressing the communication network performances, including latency, worst case analysis, reliability etc. • The expected behaviour of the protection function, if subscribed data or time synchronisation is in a non-nominal state or lost, has to be specified to avoid misunderstanding and minimise tests at commissioning. The corresponding tests have also to be defined. • No IEC standard currently covers the requirements for binary input / output IED used for interfacing binary inputs and outputs. The devices can be used to interface circuit breakers, disconnectors or other binary inputs (monitoring of auxiliary power supply contacts, etc.), and form part of the functional protection chain when interfaced with a conventional circuit breaker. • Protection function requirements on Current Transformers (CT), which are mandatory in IEC 60255-1xx relay protection standards, need to be adapted and translated into requirements for Merging Units, publishing the SV streams subscribed by protection functions.
On this base, the recommendations given by AhWG3 [6] can be separated in the following two categories: Performance characteristics have to be defined or adapted for protection functions with digital inputs and outputs in the relevant functional standards (IEC 60255-1xx series). In principle, all tests of IEC 60255-1xx series using ideal Instrument Transformers can be performed in a similar way and with the same electrotechnical power system model by injection of SVs. This concerns: • Operate time For a conventional protection IED, the operate time is defined as time between fault inception and relay operation measured on the trip contact. For digitally interfaced protection functions, this corresponds to the instant the SV corresponding to the fault inception is received by the device hosting the protection function, and the moment it publishes the trip GOOSE message. • Reset time The reset time is defined as time interval between the instant the fault disappears from the input signal and the reset of the trip output to normal state. • Reset ratio, which is the characteristic for the hysteresis between pick-up and reset of the protection function. • Stability tests, which are required to verify that the protection function does not trip untimely due to signals corresponding to a fault outside the protected zone. • Steady state accuracy tests for thresholds.
There is an important difference between tests with ideal CTs (and/or VTs) for conventional analog technology and tests with direct primary quantities using SV, as the former tests do include the performances of the analog input module and the internal A/D conversion of the protection IED. The tests using SV injection do not cover this module because it is implemented in the MU. The characteristics of the analog input circuits can be quite important, especially for protection functions that elaborate an instantaneous trip decision (differential protection, zone 1 distance protection, instantaneous overcurrent protection, etc.). Such characteristics have a direct relation with the transient performances of the MUs. The transient performances of the analog input module and internal A/D conversion are already considered in the protection relay algorithms. For these reasons, the part dedicated to the so called "merging unit requirements" will be a very important aspect for digitally interface protection functions described in IEC 60255-1xx series. Guidelines are required to express the definition of the performances in a standardized way, as it is today done for CTs, shown in Fig. 3 [7,8]. This approach still needs to be discussed within TC 95.
In order to determine the current transformer requirements for a particular protection function, the IED manufacturers need to perform tests with real Instrument Transformers. At the same time, in order to determine the MU requirements, it is necessary to implement models considering the characteristics of the MUs in the power system network simulator which publish the SV streams used for the test [8,12,13].
Another more intuitive difference between the two operate times is that in the first analog situation, the secondary quantities measured by the protection relay are in practice not delayed compared to the corresponding primary quantities. The time required for the A/D conversion of the analog secondary quantities is included in the measurement of the relay operate time. In the IEC 61850 numerical technology, this time is now outside the protection function, as the acquisition is performed by the Merging Unit. For this reason, the operate time measured from when the SV quantities representing the power system fault reach the protection relay, and when the protection relay issues the operate GOOSE message, will be called "operate time of the protection function in the hosting IED" (t p in Fig. 2). This concept will be described in more detail in Sect. 4.2.

Accuracy of the protection function
The accuracy declaration which can be found in IEC 60255-1xx series for protection IED with analog inputs covers the complete functional chain, including: • Input analog module in the protection device, • The A/D conversion, • The protection function itself.
The accuracy declaration for a protection function receiving a SV stream will only cover the protection function itself. In order to indicate the total accuracy, it is thus necessary to consider the requirements on the accuracy class of SAMU or LPIT. In case of SAMU, the accuracy class of the associated conventional Instrument Transformers needs to be considered as well, as this is already the case in protection IED with analog inputs. A correspondence table is provided in IEC 61869-13 [5].
In addition to accuracy requirements, the digitally interfaced protection function is supposed to verify elements that are not available in conventional technology, though, if implemented, will contribute to improve the dependability and security of the protection system. This also enables automatic substation supervision functions, allowing event driven maintenance of FD-PACS with reduced costs for routine maintenance tests. These elements include: • The synchronisation status of the incoming SV.
Depending on the protection function, it may be necessary to suspend the operation of the function if the SV is not globally or locally synchronised. In particular, this is the case for protection functions receiving SV streams from more than one Merging Unit with different time sources. • The quality data attribute (DA) and the detailed quality of the received SV. The expected behaviour of the protection function in case of non-nominal values of these attributes needs to be specified, and depend on the nature of the protection function. For example, clipping may be tolerable for overcurrent functions but may lead to suspension (blocking) of the operation of differential protection functions, similar to existing system when the communication is lost in line differential protection applications. • The supervision of the SV stream itself. If loss or jitter of SV exceed tolerable thresholds, the protection function should be blocked to prevent untimely operation. • The transfer function of the MU publishing the SV stream according to IEC 61869-9 [4] (as shown in Fig. 4). • In case of SAMU • The saturation characteristics of the conventional current transforms, • The time constant and transient behaviour of the SAMU, and in particular, its current input circuit [12,[14][15][16].
As mentioned before, for the characteristics of saturation, remanence and flux, a similar approach as in IEC 60255-1xx series can be taken. In this case, the manufacturers need indicate the required characteristics for the upstream analog acquisition chain for the protection function. The analog acquisition chain has to be verified that the protection function is compatible with the protocol profile of the SV stream (IEC 61869-9 or UCA 9-2LE, as shown in Table 1). It has to be noted that the preferred format of SV according to IEC 61869-9 is 2 ASDU per telegram with a fixed sample frequency of 4.8 kHz.

Missed samples, time synchronisation, network latency and jitter
Based on the requirements of IEC 61869-9, a jump of SmpCnt is possible if it is related to a resynchronisation. This has to be taken into account by the input processing of SV of the protection functions. It has also to state the acceptable number of consecutive missing or invalid samples. IEC61869-9 clause 6.902.2 [4] gives the maximum processing delay time limits of MU for publishing the sampled data, and for protection applications, it is 2 ms. As shown in Fig. 2, the delay of the PACS communication network also has to be considered for the maximum time delay of the SV seen by the input port of the protection function.  The average transmission time delay and jitter caused by the communication network need to be considered and the values depend on the design of the communication network and the characteristics of the network switches. They can be obtained by communication network system studies as seen in Fig. 2. For protection functions subscribing to one SV stream, the time delay causes a shift of the processing window, and thus impacts on the total trip time. The size of the input alignment table (input buffer) of the protection function is determined by the expected jitter.
For protection functions subscribing to more than one SV stream, the maximum relative time delay between the SV streams also defines the size of its input alignment table as shown in Fig. 5, which constitutes the input buffer for the protection function. The worst case would be a negligible time delay for the communication from one MU and a large transmission time delay for the connection from another MU.

Meaning of SV values with non-nominal quality attributes
The interpretation given in IEC 61869-9 [4] for the detailed quality attribute is to be applied for protection functions. Table 2 lists the DetailQual attributes as defined in IEC 61850-7-3, the corresponding requirements for SV published by MU according to IEC 61869-9, and the recommended application for protection functions.
Based on Table 2, the value range of analog energising quantities subscribed by protection functions and the associated detailed quality attributes are visualised in Fig. 6. An analog value which is not in line with the accuracy requirements is published as "questionable". This holds in particular for the case when the analog acquisition circuit saturates and signal clipping occurs.
With reference to Fig. 6, analog values transmitted via SV from a MU designed according to IEC 61869-9 shall not produce invalid data upon any combination of "outOfRange"-"Inaccurate" (as "overflow" is not used in IEC 61869).
Consistent with the behaviour defined in Table 2 and Fig. 6, the expected functional behaviour of a subscribing protection function has to be defined for each subscribed SV stream. This should be done aiming at a globally optimised performance of the PACS. A proper specification and validation of this aspect is a basic requirement for functional interoperability between MUs publishing SV and subscribing protection functions.
The functional interoperability between two or more applications is achieved when they are able to exchange information with each other by using the same communication protocol, and have a common understanding about the exchanged message.

Requirements regarding subscribed GOOSE
Protection functions may also use GOOSE messages subscribed by the hosting IED to perform time critical protection tasks, like blocking, acceleration (teleprotection schemes), direct intertrip order or start of breaker failure protection. The requirements and tests for these inputs are similar to those for protection functions with wired binary inputs. IEC 60255-1xx series have already required protection IED manufacturers to publish the protection function operate time for contact output and GOOSE publication, if applicable [8]. However, one big difference is that, for the SV described above, the subscribed GOOSE messages may have a non-nominal quality attribute and is required to specify the behaviour of the protection function. The famous sentence describing this situation is: "I receive a trip order, but the trip order also tells me "I am not sure", so what to do?".
The information "I am not sure" is contained in the quality attribute associated to the trip order, which is a binary signal. In the analog technology, protection engineers are not used to consider binary signals with a quality, i.e., contact open is open, and contact closed is closed. But this is not really true, as protection engineers know that a binary input should not be inverted inside the protection IED, because "zero" could mean "contact open" but also "contact closed and DC Voltage missing". Thus, protection engineers deal with Normally Open and Normally Closed contacts together for critical operations, and handle the clear "01" and "10" conditions for these double contacts, together with the erroneous "00" or "11", in order to make sure that "open is really open" and  "closed is really closed". All of this, to be more abstracted and formalized, is the meaning of handling the "quality associated to the communicated value". A generic "simple suspension (blocking) of operation" of the protection function for these cases is not acceptable, since this would potentially lead to very low overall availability of protection functions in PACS. In addition, most GOOSE inputs are not critical for the core protection function and can be ignored by using a safe default value to be defined. This has to be done for every input DO used by the protection function.
The Technical Report under preparation by WG2 proposes a formal approach for the specification on this behaviour as seen in Table 3, based on the Basic Application Profiles which are being defined under IEC 61850 (IEC TR 61850-7-6).

Requirements regarding published GOOSE
DO published by a protection function may also have associated non-nominal quality values. As for any other PACS function which is not directly interfaced with the process, most of the Detailed Quality attributes are not applicable. Normally, a protection function is expected to publish its DO as "Valid", even if some of the subscribed data from the function itself is non-nominal. The TR introduces the term of dynamically blocking of a protection function, and in this case, the DOs are published as valid by the protection function, with output value set to default.
As for the received GOOSE and SV, the expected behaviour of the protection function needs to be specified and tested.

Requirements regarding implementation of IEC 61850 communication interface
IEC 61850 communication interface is implemented on the IED level which hosts the protection function. Multifunctional IED are very common now. In order to have a meaningful separation of the functions implemented in one IED, it is possible to associate each implemented protection or automation function of the IED using more than one LN to one individual Logical Device. This facilitates management and testing of each function, allowing, e.g., to switch off one single function or to put one single function into test mode. Most of the requirements for IEC 61850 are driven by the architecture and characteristics of PACS rather than individual functions. Requirements of IEC 61850 interface related to protection functions may include: • Number of subscribed SV and GOOSE streams, • Capacity of the communication interface (e.g., 100 Mbit/s, 1Gbit/s), • Capacity to switch between several SV or GOOSE streams, e.g., a nominal stream and a test stream or redundant stream, • Implementation of test mode and/or simulation model [9].

Testing
Functional testing of the protection function should not be confused with the functional testing of the complete functional chain (see Figs. 1 and 2). For digitally interfaced protection functions, the latter is performed during PACS integration tests. The functional standard of a digitally interface protection function should only cover the functional test of the function itself, i.e., based on the inputs represented by the DO and SV subscribed by the function, and on the outputs represented by the DO published by the function. In addition to the "conventional" tests of the performance of the protection function, all the new features described in the previous sections for protection functions interfaced with digital secondary systems need to be tested [9]. This may require new features in test systems and the development of new tests in IEC 60255-1xx series. Users have to be aware that adequate testing of the other elements is also required, and in particular, SAMU and/or LPIT associated to their MU and the Binary Input/Output IED (BIOI).

Timeline and disclaims
The Technical Report prepared by the WG is also intended to enable organisations that do not have the full competence to handle IEC 61850 projects alone [17][18][19], to technically specify their IEC 61850 protection systems with reference to the Technical Report. Thus, this paper gives the estimated schedule for the document to be available, i.e., it is intended to circulate the updated draft considering the comments (≈1000) received in the first circulation, by end of 2021. Depending on the comments received, the final version can be envisaged for mid-2022.
On the other side, it has to be emphasised that this paper refers to the content of the Technical Report at the moment of writing (October 2021). As the process in IEC is long, and there is the general commitment to reach a wide consensus within the community, it is possible that some contents in this paper will be different from the final release of the Technical Report.

Conclusion
IEC TC95 AhWG3 has published recommendations [6] for the next steps in order to elaborate requirements for protection functions covered by TC 95 (IEC 60255 This should cover minimal requirements for making functions independent from each other in order to be testable, e.g., using one separate LD per function.
WG 2 is now formally installed and its work program has been defined on the base of the above recommendations.
With respect to requirements and tests applicable to all digitally interfaced protection functions, it has become clear that many of them are generic, i.e., not specific for a given protection function. For this reason, WG 2 has recommended to create a new part in IEC 60255 series covering general requirements of digitally interfaced protection functions. This part should contain mandatory requirements and tests for the following features: • Accuracy definitions for input energising quantities including effective range, operative range, rated quantities, etc. • Requirements for the digital interface of protection functions (IEC 61850 profile and IEC 61869-9 profile) • Definition of a frame for generic test procedures. WG 2 has also recommended to complete functional standards of IEC 60255 series as follows: • Add a specific clause for digitally interfaced protection functions in the clause "Influencing functions / conditions". This clause should define the requirements applicable to the protection function covered by the functional standard if the subscribed data is non-nominal or missing, including the definition of the Basic Application Profile (BAP) for the function (seen Table 3). • Add a subclause "Settings" to the clause "Functional Logic" (often clause 4.4 in IEC 60255 series). Settings are independent of the interface of a given protection function. If a protection function is digitally interfaced using IEC 61850, it should be encouraged to use the settings defined there. The subclause "settings" should provide a clear list and mapping between the different settings of the protection function covered in the functional standard and the settings provided in associated Logical Nodes defined in IEC 61850. All IEC 61850 based settings are based on primary values. • Split clause "Effective and Operating Ranges" (often clause 5.2 in IEC 60255 series) in two subclauses, one for protection functions with analogue inputs corresponding to the existing clause 5.2, and the other new subclause for protection functions using digital inputs.