Tuesday, April 28, 2015

What is “Control with Enhanced Security”?

The IEC 61850-7-2 Control Model defines several operation modes:

  • Status Only
  • Direct control
    - normal security: Operate, TimeActivatedOperate, Cancel
    - enhanced security: Operate, TimeActivatedOperate, Cancel, CommandTermination
  • SBO control (Select Before Operate)
    - normal security: Select, Operate, TimeActivatedOperate, Cancel
    - enhanced security: SelectWithValue, Operate, TimeActivatedOperate, Cancel, CommandTermination

Have you ever tried to understand, implement, or use the option “Control with enhanced security”? The term can easily mislead people into believing that it has something to do with cyber security. It does not: it is not linked to that kind of security, even though every operate command shall be secured by communication security measures.

So, what is it then? Usually I have explained it with the following slide.

[Slide image]

Here is one of many understandable use cases for a specific switchgear (based on an email exchange with a very good friend of mine, a real switchgear expert who believes in IEC 61850):

The proper name should be “Control with Confirmed Feedback”: any interlocks in the switchgear (they can be abstract as well) need to be in the de-active state before the switchgear reports “Command Termination”, which means that the Control Element is now ready for another Operate service request.

A circuit breaker (CB) spring (drive) mechanism may work such that it is only charged when the CB is Opened or Tripped. The energy in the spring mechanism is then enough to perform a Close operation as well as a Trip operation.

As the Trip mechanism does not need spring re-charging, it is instantaneous. However, there is a long delay after the Trip operation, which is needed for the spring to charge or to reset the mechanism again.

Although the indication of Trip is instantaneous and reported spontaneously, the switchgear cannot accept a new command while the spring mechanism is being recharged. During this time, the unit does not transmit the ‘Command Termination’ message, so a new command cannot be initiated. Once the spring is successfully charged, the ‘Command Termination’ message is sent.

The CB mechanism example given above is one of many. Some linear actuators can overshoot while operating the switch; the position is then re-adjusted (i.e., brought back to the normal position) after the instantaneous status change. The ‘Command Termination’ message is sent out after the extra time needed to re-align the actuator position (or to bring the actuator into the dead zone).
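The spring-drive circuit breaker case described above, as an added example that is not part of the original post and not taken from the standard: a toy model showing that the position report arrives at once while CommandTermination is held back until the spring is recharged. The class name, the tick-based timing and the event strings are assumptions made for illustration, as is the choice that a Close terminates immediately.

```python
# Added illustration: a toy model, not the IEC 61850-7-2 state machine.
class SpringDriveBreaker:
    CHARGE_TICKS = 3  # constructed value: time steps to recharge the spring

    def __init__(self):
        self.position = "closed"
        self.pending = False   # True between Operate and CommandTermination
        self.ticks_left = 0    # remaining spring recharge time
        self.events = []       # messages seen by the client, in order

    def operate(self, target):
        """Handle an Operate request; return True if it was accepted."""
        if self.pending:
            # Previous command has not terminated: no new command may start.
            self.events.append(f"Operate({target}) rejected")
            return False
        self.pending = True
        self.events.append(f"Operate({target}) accepted")
        self.position = target
        self.events.append(f"Report position={target}")  # instantaneous status
        if target == "open":
            self.ticks_left = self.CHARGE_TICKS  # spring recharges after a trip
        else:
            self._terminate()  # assumption: a Close has nothing to wait for
        return True

    def tick(self):
        """Advance time by one step; terminate once the spring is charged."""
        if self.pending and self.ticks_left > 0:
            self.ticks_left -= 1
            if self.ticks_left == 0:
                self._terminate()

    def _terminate(self):
        self.pending = False
        self.events.append("CommandTermination")


def run_demo():
    cb = SpringDriveBreaker()
    cb.operate("open")            # trip: status changes at once
    cb.operate("closed")          # too early, spring still charging
    for _ in range(SpringDriveBreaker.CHARGE_TICKS):
        cb.tick()
    cb.operate("closed")          # accepted after CommandTermination
    return cb.events


if __name__ == "__main__":
    print("\n".join(run_demo()))
```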

Lesson learned: Always ask the domain experts!

Any questions on IEC 61850?
