Electricity Generation and Distribution 101

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread

In an earlier thread I was asked if I could comment on the apparent disconnect between the complexity of the grid vs its simplicity. This is actually quite a complex subject covering a very simple principle, but I shall try to describe in layman's terms what is actually happening between the power station and the switch in your home.

The topic may be easier to understand if it is broken down into its component parts, so I shall post a number of short items dealing with the various parts of the issues as I see them. In the process I may enter fields that I have little actual knowledge of, and in these cases I would welcome assistance from anyone who is better informed than I.

The issues that I see relate to Generators, Turbines, Prime energy source, Transformers, Transmission systems, Distribution systems, protection and control systems. I shall attempt to explain each of these issues, however I must point out that most of my experience has been in hydro generation, and systems control in New Zealand. I have had some experience in thermal station dispatch, but I have only theoretical knowledge of nuclear power. I do not have personal knowledge about the USA grid or its HVDC interconnections, although we do have a similar grid system with HVDC interconnect here in New Zealand, only on a much smaller scale.

I will also add that I am a Polly, but that is mainly because I live in a rural area that is almost self sufficient. I would probably be much more concerned if I lived in a large city and was dependent on outside providers for the basic necessities of life. It has always been my philosophy that if something doesn't work, then fix it. If it can't be fixed then find some other way to achieve the result.

For my own Y2K preparations I will have 6 candles on hand, a spare battery for the torch, and (just in case I have been wrong about the power industry) a wind up alarm clock. I already live on one and a half acres of land, with two wells, a 3000 gal water tank, and our own septic tank sewerage system. It will be summer during the roll-over, but we still have around 6 months supply of firewood left over from the winter, so we should be OK.

Just keep watching this thread for the information on electricity.

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), October 30, 1999

Answers

Looking forward to this. Start if you would with the dangers of back starting big industrial users and the attendant threat to the grid. Caught your stuff at Rick Cowle's on the subject. What is resistive load?

-- Carlos (riffraff1@cybertime.net), October 30, 1999.

Electricity Generation.

Many of you will have performed an experiment in high school physics, where you connected a wire to a sensitive voltmeter and either a very sensitive ammeter or a galvanometer. You then passed a magnet across the wire and watched the needles on the instruments move. You were generating electricity.

If you moved the magnet faster then you increased the volts. Or if you coiled the wire a number of times you increased the volts by the number of turns in the wire. Or if you used a stronger magnet then you again increased the volts.

If you used a thicker wire then you increased the current, or if you used a number of wires then you also increased the current. The volts measured multiplied by the current produced equalled the amount of power that you were generating.

The generator in a power station works in exactly the same way. It has a number of large strips of copper (wound into coils) distributed around the circumference of the generator. This set of large wires is called the stator, and all the power generated is produced here. There is a large magnet spinning rapidly inside the stator so that the magnetic field is cut by every single turn in each of its three coils, but rather than a permanent magnet like the one used in high school experiments, this one is a large electro-magnet set in such a way that its magnetic field is adjustable. The speed at which the rotor rotates depends on the system frequency (60 Hz in USA), and the number of pairs of rotor poles. The more poles it has the slower it needs to spin. Just like in a bar magnet for every North pole there must be a South pole, so in the rotor the poles must also be in pairs. A two pole generator (typical for a thermal generator) would spin at 3600 RPM. (60 Hz times 60 seconds per minute). A 48 pole hydro generator would spin at 150 RPM.

So the generator has a number of large wires, with each wire being intercepted by a rapidly moving magnetic field, and power is produced. Although there are many types of generators they all use the same basic principles. The voltages produced at the terminals of large commercial generators can vary greatly. Most plant I have worked with have had terminal voltages of either 11 kV, 13.5 kV or 16.5 kV.

If the generator was always supplying the same perfect load at the same voltage, then it would need no controls at all. But in practice, nothing is perfect, and the load is likely to vary, faults may occur, and so some control is needed. However the only controllable aspect of a generator is the rotor. We can control the current (called excitation) used to make the magnetic field, and hence have a small amount of control over the terminal voltage setpoint.

(I know that the engineers in this forum are going to start jumping up and down here and tell me that when a generator is just one small part of a large grid that its terminal voltage cannot be altered by changing the excitation. But if anyone here would like to write a primer on reactive power then please feel free.)

In very early generators the excitation current was controlled by altering a rheostat (often by hand) until AVRs (Automatic Voltage Regulators) were invented. Today these AVRs can be very sophisticated with one of the most common forms being direct control of the firing angle of SCRs (silicon controlled rectifiers) actually built into the rotor itself. Although this is electronic control, it needs to be very fast in its operation. Too fast to rely on any form of computer logic, but just simple (although very large scale) electronics.

However, adjusting the voltage setpoint at which the AVR is operating may be achieved via computer control, but this is carried out externally to the generator itself. A failure of any computerised components external to the generator will not change any generator settings, but may affect the ability to alter any settings.

The actual amount of power produced is controlled in the turbine, and not in the generator. So Turbines will be the subject of the next short primer.

There are of course a number of ancillary items in a generator that assist with monitoring, reliability, protection, lubrication etc. But these vary greatly from installation to installation. Some generators require outside energy sources to run lubrication and cooling water pumps, while others are completely self contained. Some may use PLCs to control the starting and stopping of pumps, while others will use simple pressure switches. There is such a large range of different types all with different specifications that it is impossible to comment on all types.

Malcolm.

-- Malcolm Taylor (taylorm@es.co.nz), October 30, 1999.


I shouldn't comment on this thread, as I have zero knowledge of the subject, and don't want to waste space on the server, but I will. Also, it is early in the thread, and I have no idea of how it will turn out. Thousands of unchecked embedded chips, 15% error rate in remediated code. Trains, oil production, refineries, & pipelines. That about says it all.

-- FLAME AWAY (BLehman202@aol.com), October 30, 1999.

Flame away, You are right, you shouldn't comment on this thread. You just spout a bunch of words on a subject you are clueless in.

Malcolm, You say;

Electricity Generation. "Many of you will have performed an experiment in high school physics, where you connected a wire to a sensitive voltmeter and either a very sensitive ammeter or a galvanometer. You then passed a magnet across the wire and watched the needles on the instruments move. You were generating electricity."

Not in this country they don't.... teach high school physics, or in college either. IT's are not required to learn this stuff, they do take a lot of courses in how to manipulate management into putting up more money and accept late and low quality products.

News is out about that now, due to Y2K, the IT industry is considered a joke and businesses are going back to hiring programmers and technicians who know how to do the work. They are dropping their over paid, under qualified "glorified data processors".

On that note please continue with your attempt to teach. It may be the only instruction most people will ever get in the subject.

-- Cherri (sams@brigadoon.com), October 30, 1999.


So far so good Malcolm, don't stop now.

-- been there and still doin it. (iam@the powerstation.now), October 30, 1999.


Malcolm,

Good start!

Other folks,

Please let Malcolm get through his presentation. There will be plenty of time for questions, supplementary discussions, etc.

Jerry

-- Jerry B (skeptic76@erols.com), October 30, 1999.


Malcolm,

You are my kind of Polly.

1 1/2 acres of land,

candles,

spare batteries,

two wells,

3000 gal water tank,

6 months of firewood.

Yes, if every polly & DGI prepped like you, we wouldn't have much of a problem. Ya think?

I am looking forward to reading more.....

-- bulldog (sniffin@around.com), October 30, 1999.


Malcolm, I've just got to put my two cents Cdn (.67 cent U.S.) in here. First, thank you so much for all you have contributed over on Rick's forum--I've read as much as I could of your writing with enthusiasm and appreciation.

Second, I agree not to interrupt further as you go through your lesson. However, when it fits in, can you please address what could happen when/if loss of load hits a generation/distribution power system?

Thanks again.

-- Rachel Gibson (rgibson@hotmail.com), October 30, 1999.


Resistive Load (for Carlos), short version: All current into it is dissipated. REAL power. Current at any instant is Power/Voltage. As opposed to NON-resistive loads (anything with a magnetic coil or a capacitor in it.) Such loads will draw HIGHER currents than calculated from Power/Voltage. Power Co's often supply the extra current without measuring it or charging for it, but their generator (or YOUR GENERATOR) has to supply it. Examples for resistive loads: heater, toaster, lightbulb. Examples for non-resistive loads: motors, fluorescent lights, power supplies, chargers. Do not confuse this with start-up current characteristics, that is different altogether.

-- wfk (ing.el@ret.com), October 30, 1999.

I started this thread because it was suggested that there could be a demand for a simple explanation of how the electrical system works, but I must admit that I am already overwhelmed by the fantastic response. I shall certainly continue with one or two sections each day, and would ask that if there are any other industry professionals out there who would like to chip in, your efforts would be appreciated.

Carlos and Rachel; Your questions are actually related, and I will deal with them later on in this series.

Bulldog; I am sorry to have to inform you, that the land, the wells, the water tank, etc are not preps. They are just our normal way of life. It's how we like to live. :)

-- Malcolm Taylor (taylorm@es.co.nz), October 30, 1999.



Turbines:

The turbine attached to a generator (also called the prime mover) is merely a device to convert the energy from the driving fluid to rotational mechanical energy which is able to spin the generator's rotor. The type of turbine used depends on the pressure, temperature and volume of the driving fluid, and the rotational speed of the generator that it is driving. (The fluid may be superheated steam, exhaust gas from a jet engine, or water from a hydro dam). The turbine comprises an outer case, a runner or series of runners (the piece that spins), an actuator controlling the inlet gates or valves, and a governor.

The simplest type of turbine is a water wheel like that used in some older types of mills. Water falls down a race and impacts on a wheel causing it to turn. Turbines have come a long way since those early designs and now have no physical relationship to a water wheel at all. Yet the basic principle still applies. A high pressure, moving fluid causes a wheel of some description to spin.

The most common type of turbine that is in use today is the steam turbine that is used in thermal and nuclear power stations. This steam turbine is really three turbines in one. The steam is just very hot water that has been vapourised, and is pushed at very high temperatures and pressures through the control mechanism into the high pressure (HP) stage of the turbine. The steam is so compressed and so hot, that if it could leak out of the supply pipes it would be invisible yet it can set fire to a rag held close to it. (this is a common way of searching for leaks)

The HP turbine runner is quite small, and looks similar to a turbine in a jet engine. As the fluid passes through this stage it loses some of its energy, and drops its pressure to a more intermediate level. Because it is now not so compressed, but still has the same mass of water in it, the steam requires a larger volume with the result that the pipework is larger, and the next turbine stage is also larger. The second stage of the turbine is the IP (Intermediate Pressure) stage, and similarly there is an LP (Low Pressure) stage where everything is larger still. Following the low pressure stage is a condenser where the steam is condensed back into water.

A hydro turbine appears to be much simpler having only a single stage runner, and yet is considerably more efficient at recovering energy. In fact the hydro runner must be chosen even more carefully as it is often converting energy from a much heavier column of fluid.

The inlet control mechanism, called the actuator, is operated by high pressure oil fed into hydraulic rams which are able to move the control gates from fully open to fully closed extremely rapidly. The amount of oil flowing into or out of the actuator rams is controlled by the governor which is a device with two main roles. First, it is a speed control device. When the governor detects a change in turbine speed it will attempt to correct that change by allowing more or less fluid into the turbine. Its second function is a generation control device, because the total amount of power produced by the generator is closely equivalent to pressure multiplied by the weight of fluid passing through the turbine.

Hence the governor is the second control function available to power station operators in controlling the amount and quality of power produced. Nothing that I have talked about so far in this section has used any electronic controls at all, but once we start examining the governor and the way that it is controlled we can start to find electronics being used.

Early governors used rotating weights to control a pilot valve which in turn would allow more or less governor oil into the turbine actuator. But more recent governors use purely electronic controls to achieve the same result. There are electronic speed transducers on the turbine shaft to measure the speed. Signal amplifiers and comparators to determine any speed drift from the load setpoint. Other components to dampen out any signal noise and adjust the speed droop characteristics of the governor. So at this stage in a modern governor is the first opportunity for Y2K issues to occur. Some governors will have these control and data functions programmed in, but most will still be mainly mechanical or electro-mechanical in nature. Although there should be no need for any date/time function to be used, modern governors should be checked as a matter of course.

However, it is the man machine interface between the governor controls, (and the excitation controls in the previous section) which are often part of SCADA or EMS, that have the greatest potential to be affected by Y2K issues.

The next section will look at where the steam or driving fluid comes from: the prime energy source.

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), October 30, 1999.


Prime Energy Source. (Some like it hot, others not)

No matter how efficient a turbine/generator combination is, it is not going to do anything without a source of energy. Some sources of energy are easy to obtain and need no controls, like the water from a dam or the steam from a geothermal field, but other sources of energy require fuel to be burnt in a boiler, or a nuclear reaction to be managed in a reactor. It is these latter ones that comprise most of the sources used throughout the world, and it is also these same ones that have the greatest potential to be affected by Y2K issues.

The simplest fuel of all is hydro. The water is held behind a dam, and flows through pipes called penstocks to the turbine. The only control required outside the turbine is at the top end of the penstock where there is a headgate. This gate is normally fully open or fully closed. Closing the gate can be done remotely via SCADA where a signal is sent to trip a closing solenoid, or it can be sent automatically via a protection relay. Opening is usually carried out manually. A failure of the SCADA would simply mean that no remote close was available, but automatic closing from protection would still be available.

The next simplest source is geothermal steam. This steam is created deep within the earth in volcanic regions and is brought to the surface in deep wells. The geothermal fluid is flashed to a slightly lower pressure in fluid separators to ensure that only dry steam is fed to the turbines. Like a hydro system the only control required is a valve at the wellhead which is either open or closed, just like a hydro headgate.

So both of these systems are very simple and have no need for embedded systems that may malfunction. But the next group of thermal stations that need boilers to burn their fuel, or reactors to generate the steam may have more embedded systems that need to be checked.

A modern fossil fueled station will require a fuel source which is usually Coal, oil, or gas. I will not deal here with the source of the fuel as supply lines are not something that I know much about. So I'll leave that part of the discussion to others. However one part of the fuel line that is inside a coal fired station is relevant to this discussion. Coal in its natural lumpy state is not suitable as a fuel. It must first be ground down into a very fine powder. The coal powder produced is known as PV (pulverised fuel), and it is extremely explosive when mixed with air. It is much more explosive than fuel oil, and must be treated fairly carefully. For this reason any modern fossil fuel boiler must have a burner management system which is correctly set up for the type of fuel being used. I have seen the results of two boiler explosions in power stations, one caused by a gas flash back, and the other was a PV explosion on boiler ignition. The gas explosion was seen by fishermen almost 100 miles out to sea, yet that boiler was able to be repaired. The PV explosion destroyed the boiler to the extent that repairs were not possible and the whole station was eventually decommissioned.

Modern burner management systems control the amount of fuel/air mix, the angle of burner tilt and the flame stability. These functions are often computer controlled, but with operator input via SCADA or DCS. A failure of a burner management system should cause the boiler to trip and stop producing steam, however a failure of the SCADA should allow all functions to continue normally at the last good setpoint.

Inside the boiler the extreme temperatures heat the water in the boiler tubes to create superheated steam as required by the turbine. But it isn't simply piped from the boiler to the turbine. There is an intermediate vessel called a Drum which actually has a mix of water and steam. This water is not like your ordinary tap water though, it only exists as water because of the extremely high pressure it is held at. It works like a small reservoir between the boiler and the turbine. If the turbine requires more steam rapidly, the turbine governor will cause the actuator to open further, releasing more steam into the turbine. This will tend to lower the steam pressure in the supply pipes, and hence in the drum, and immediately some of the water in the drum will flash off into superheated steam to maintain the supply. The drum has level protection (an embedded system that does not usually use any chips) which will cause a boiler/turbine trip if it gets out of its allowable range.

Note that not one of the embedded systems used in fuel, burner or boiler management has any need of a date/time function within the system, and the testing done within our company has not turned up any that would cause an unplanned trip. However the SCADA, EMS and/or DCS systems do require a date/time tag and it is once again these systems which may be a cause of concern. The failure of these control systems should not cause any loss of generation, but may simply lock the unit at its last setting unless changed manually.

Malcolm



-- Malcolm Taylor (taylorm@es.co.nz), October 30, 1999.


Embedded systems have no need for a date, but they have dates anyway!

Malcolm, always remember...in Electric Power, it's the IMAGINARY part that KILLS!!



-- K. Stevens (kstevens@ It's ALL going away in January.com), October 30, 1999.


Excellent job Malcolm. Excellent.

K Stevens:

No it's not the imaginary part that kills, it's the current. You have it confused.

-- The Engineer (The Engineer@tech.com), November 01, 1999.


Transformers.

The sections up to now have dealt with producing the energy, but the electricity that leaves the generator terminals is at a voltage that is suitable to the generator, but not suitable for transmission. So the last major pieces of heavy electrical equipment at the power station are the transformers. The purpose of the transformer is to take the high current, high voltage output from the generators, and transform it to a lower current, very high voltage suitable for transmission.

The transformer has a low hysteresis ferro core, surrounded by two copper coils, and immersed in oil. The copper coils are not normally connected to each other, but are simply coupled magnetically, so there are no moving parts in the basic transformer. However, there is usually a system known as OLTC (for On Load Tap Changer) which enables the ratio of turns in one of the coils to be altered while the transformer is in operation, thus allowing the generator to always operate at its best output voltage irrespective of any changes in the line voltage. (The OLTC can also be changed to alter the amount of reactive power produced, but reactive power is a bit complex for this discussion). Changing the OLTC is carried out via SCADA or a similar remote control system, and there are usually no embedded systems within the transformer to automate this process.

Automatic controls which can occur within the transformer are usually for protection against electrical faults, or heat build up. Many transformers will have two oil circulating pumps, with a relay so that if one pump fails then the other will start. Cooling water pumps will also have a similar automatic changeover. Cooling fans may be permanently on, or just switch on when the oil temperature reaches a set value. I guess these are all embedded systems, but they are generally electro-mechanical relays, and even if electronic relays were used there would be little need for any time based logic.

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), November 01, 1999.



I had intended to leave discussion on protection and control systems till last, but it appears that a number of people have specific queries that do relate to these areas. Therefore I'll try and cover these parts next.

I must also apologise for not adding anything to the discussion at all yesterday. Unfortunately we are currently experiencing a level 2 flood in our hydro catchment, which meant I was on duty in the area control room from 7:00 am yesterday morning until after midnight, then back in to work at 8:00 am again this morning through to mid afternoon. Fortunately, I now have a nice long break before the last few days' preparation for the rollover.

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), November 01, 1999.


Malcolm,

We will forgive you for not adding to the discussion yesterday, but don't let it happen again. :-)

Kidding aside, thank you for resuming. I, for one, will save questions and concerns about the flood.

Jerry

-- Jerry B (skptic76@erols.com), November 01, 1999.


Protection. (not something that's kept in your wallet for six months just in case you get lucky).

In the electricity industry, protection refers to systems that are designed to disconnect faulty equipment before too much damage is caused. Even in your own home you have electrical protection in the form of fuses, circuit breakers and residual current detectors. These devices are designed to cut off the supply of electricity when a fault occurs in a particular area, without cutting off the supply to your whole neighbourhood. The protection systems in Power stations (and substations) work in exactly the same way. However the type of protection that operates, and the order that protection operates, can give system engineers a good idea as to the cause of the fault.

Time to go back to some real basics. I had assumed that physics would be taught in US high schools in the same manner that it is taught here in NZ, but I have been told that it is not a basic subject for most students in USA. In the section on generators, and again in transformers, I mentioned the coupling between electricity and magnetism. These two effects are so closely related that in many respects they are the same subject. Pass a wire through a magnetic field and you produce electricity. Pass a current through a wire and you produce a magnetic field. This principle is the basis on which most electrical protection depends.

If we wind enough wire into a tight coil, and pass a sufficiently large electric current through it then we have a magnet. This magnet can then be used to operate a small switch. A large current and the switch is "on", a small current (or no current) and the switch is "off". This type of switch is called a relay.

There are two basic types of relay, "normally open" or "normally closed". Most generators will use one or more normally open relays as "Tripping" relays. These are sensitive relays which are only energised when some other relay operates. Their purpose is to detect that another relay has operated, and to energise a tripping coil in a circuit breaker, causing the circuit breaker to open and disconnect its associated generator, turbine, boiler, or any plant that it is protecting. Other relays will be used to detect fault conditions such as overcurrent, over voltage, under voltage, under frequency, unit differential (*a description of what these terms mean will be added at the end of this post), overall differential, burner management problems, loss of cooling water, abnormal oil levels, Buchholz faults etc. Some relays will have a mechanical or electrical timer associated with them to prevent tripping on transient faults, or to allow more immediate protection to clear the fault first. The list of items that can be protected by relays is enormous, but the important thing is that these protection systems are embedded systems that DO NOT require any computer chips. They detect a fault, and send a signal to the relevant tripping relay.

They do, however, often send another signal as well. The other signal is an input to the unit PLC, an embedded system that does use programmable chips. This signal is then time tagged, and passed back to the control system as an event or alarm to the data logger. Any Y2K implications can occur at this point if the PLC has its own RTC, but in most cases the timing signal will be from the control system to the PLC. Whichever is the case, the PLC does not normally send any trip signals to the tripping relay, so an unremediated PLC would not cause a unit to trip.

One of the reasons why protection systems are not normally computerised is simply because of the speed that they must detect faults and operate, but also because, in most cases, they must be proportional to whatever they are measuring. This requirement means that analogue systems are generally preferable to digital systems. As an example: The heating effect of electrical current in a conductor is proportional to the square of the current. Therefore a generator may run at its maximum rated current for many years, but when it goes into an overloaded state it starts to heat up rapidly. It is not necessary to disconnect a generator as soon as it reaches an overloaded state, but the longer it is there, the hotter it will get. Therefore it will have an inverse time overcurrent relay. This is one that operates very slowly at moderate overloads, but will operate quickly at higher overloads, and very rapidly under fault conditions.

In short, protection is designed to detect an abnormal condition, disconnect and/or shutdown the plant if the fault is severe enough, and signal that a fault condition has occurred. It must also allow transient conditions to clear without causing a trip, and not disconnect for faults outside the area that the protection is monitoring. These requirements generally mean that electro-mechanical or analogue systems are much more suitable than digital ones, and are also immune to Y2K issues.

*Differential faults occur when there is more electrical current entering a zone than is leaving it. This is a bit like counting the number of cars entering a section of freeway, and subtracting the number of cars leaving it. Once you get more cars entering than are leaving it's safe to assume that there is a blockage somewhere.

A Buchholz fault occurs when explosive gas is being produced inside a transformer. The Buchholz relay detects a gas build up and trips the unit.

Overcurrent occurs when the current passing a point exceeds a nominal value.

Overvoltage and undervoltage occur when the voltage is too high or too low.

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), November 02, 1999.
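
[Added example, not part of the original thread or of any vendor's relay logic: a small Python model of the two points in the protection post above, namely that an inverse-time overcurrent trip path consults no date, while a logger that time-tags events with a two-digit year mis-orders them across the rollover. The curve constants (the published IEC "standard inverse" shape), the 1000 A pickup, the sample currents and the event records are all assumptions constructed for illustration.]

```python
"""Added illustration: a relay trip path that needs no clock, beside an event
logger whose two-digit year tags mis-order records across the rollover."""

# ASSUMPTION: the post names no curve. This uses the widely published IEC
# "standard inverse" shape, t = TMS * 0.14 / (M**0.02 - 1), M = I / I_pickup.
K, ALPHA = 0.14, 0.02


def operate_time(current_a, pickup_a, tms=1.0):
    """Seconds to operate at a constant current; None below pickup."""
    multiple = current_a / pickup_a
    if multiple <= 1.0:
        return None
    return tms * K / (multiple ** ALPHA - 1.0)


def first_trip_index(samples_a, pickup_a, dt_s=0.1, tms=1.0):
    """Index of the sample at which the relay trips, or None.

    Mimics an induction-disc element: each step above pickup advances the
    disc by dt / operate_time; dropping below pickup resets it (instant
    reset is a simplification). No date or time of day is consulted.
    """
    travel = 0.0
    for i, amps in enumerate(samples_a):
        t_op = operate_time(amps, pickup_a, tms)
        if t_op is None:
            travel = 0.0
            continue
        travel += dt_s / t_op
        if travel >= 1.0:
            return i
    return None


def tag(when, year_digits):
    """Fixed-width sortable time tag: YYMMDDhhmmss or YYYYMMDDhhmmss."""
    year, rest = when[0], when[1:]
    yy = year % 100 if year_digits == 2 else year
    return f"{yy:0{year_digits}d}" + "".join(f"{v:02d}" for v in rest)


def logged_order(events, year_digits):
    """Event names in the order a logger sorting by its time tag lists them."""
    ordered = sorted(events, key=lambda e: tag(e[0], year_digits))
    return [name for _, name in ordered]


# Constructed sample data: 1000 A pickup, one current sample every 0.1 s.
PICKUP_A = 1000.0
TRANSIENT = [800.0] * 10 + [10000.0] * 5 + [800.0] * 40   # 0.5 s spike
SUSTAINED = [800.0] * 10 + [10000.0] * 40                 # fault persists

# Constructed event records straddling the rollover: (Y, M, D, h, m, s), name.
EVENTS = [
    ((1999, 12, 31, 23, 59, 58), "overcurrent relay operated"),
    ((1999, 12, 31, 23, 59, 59), "tripping relay energised"),
    ((2000, 1, 1, 0, 0, 1), "circuit breaker open"),
]

if __name__ == "__main__":
    for amps in (1200.0, 2000.0, 10000.0):
        print(f"{amps:>7.0f} A -> {operate_time(amps, PICKUP_A):6.2f} s")
    print("transient trips at:", first_trip_index(TRANSIENT, PICKUP_A))
    print("sustained trips at:", first_trip_index(SUSTAINED, PICKUP_A))
    print("2-digit log:", logged_order(EVENTS, 2))
    print("4-digit log:", logged_order(EVENTS, 4))
```

[The trip decision is the same whatever the clock reads; only the logged sequence of events, which engineers use afterwards to work out the cause of a fault, is affected by the two-digit tag.]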


Hi Malcolm,

Thanks for the great description of how various parts of the electrical generating and distribution system works.

I have a question or two, though.

First off, you mentioned that transformers have taps to adjust the voltage, and these taps are adjusted remotely from a SCADA. I assume that there's some sort of actuator that actually does the adjusting under SCADA command. In my experience with other control systems, when an actuator is commanded to do something, there's feedback from a sensor to tell the control system whether or not the change was made -- and the date/time it occurred (this with flow valves). Does the same feedback occur with the actuators on these transformers?

Do the transformers have temperature sensors that report back to the SCADA?

Along the same lines, I didn't see any mention of the capacitors used for phase adjustment. As I understand it, there are capacitor banks that are switched in/out when needed, again controlled (with feedback?) from the SCADA. Is this done, in your experience?

-- Dean -- from (almost) Duh Moines (dtmiller@midiowa.net), November 02, 1999.


Dean, This section will answer most of your questions regarding feedback between SCADA and the systems that it controls. Capacitor banks and their purpose will be covered in Distribution.

Control systems.

I'll refer to SCADA (Supervisory Control And Data Acquisition), but that can be taken to include EMS (Energy Management System), AGC (Automatic Generator Control) and DCS (Distributed Control Systems) as well.

My background has been primarily in generation and system control, I am not in any way an expert in SCADA, although I have used many types of different control systems. Perhaps the best way for me to deal with this part of the topic is to describe some of my experiences in power station control, then try to answer any questions that come up.

When I left university over 25 years ago, I was content that I knew quite a lot about maths, physics and computer science. I obtained employment in the operations section of a small group of power stations, and soon found myself handling a pick and shovel, (cleaning out water races). After a year of learning, from the bottom up, just where the water comes from, I was finally allowed into a very old power station and given an oil rag and a grease gun.

During this period the shift operator would sometimes allow me to start or stop a turbine. It was turn this wheel 6 times and hold it until the RPM reaches that orange line, then turn it back until the RPM is stable at 250. Pull down this lever to unlock the hand wheel, and report to the station operator that the turbine is on governor control. Take this long handle and reach down into the pit and turn off the stator heaters. Climb up onto the pedestal and check that the oil rings are circulating... etc.

After another year I was allowed into the control room where we had remote control of 4 stations, and manual control of the one I've just described. The remote control systems back then were not computerised, but were actually hard wired all the way. One station (our newest one) did have some analogue logic and we were impressed by how much we could do compared to the others. The group went through an upgrade which meant new control systems for 3 of the remote stations, decommissioning the old manual station, and adding new generators and control systems to the newest station.

This was my first introduction to a rudimentary SCADA system. It was still analogue rather than digital, but it did allow us to have a much greater degree of control and information feedback than ever before. We could send a start signal to a generator, and watch it perform all of its checks and go through its start up sequence. The start sequencer would today be called a PLC (programmable logic controller), but the programming back then was built in right at the design stage.

As my career moved up in the power industry I was involved in commissioning one of the first digital SCADA systems in New Zealand (by Westinghouse). I helped draw the screen layouts, and wrote the training manual for the operators. Now I was really amazed at how far computers had come. We could read almost any information on any part of the system at any time. Phase currents, rotor currents, Transformer temperatures, cooling water flow data was all right there on screen. If the data reporting point had a fault the screen would still show the last known good data, but would change colour to indicate that the data should not be relied on. We could get information on flow structures 45 miles away in a second, and we could change settings on equipment 30 miles away in the other direction a few seconds later. Fortunately, that particular system did not prove to be very reliable so that everyone still got plenty of hands on practice. The cause of the lack of reliability was not due to Westinghouse's computer equipment, but was due to poor communications between the SCADA and the RTUs (Remote Terminal Units) out in the field.

The RTUs are a small embedded system which receives data from the PLCs, or provides input to the PLCs, time tags the event, and passes the information to (or from) the SCADA. Note that time tagging is performed at this point, but because it is very important that the SCADA receive all events in the correct sequence, the RTC (real time clock) in the RTU must be continuously updated from the SCADA. Thus changing the date or time in the SCADA would also immediately change the date/time in the RTU. I cannot comment if this system is universal, but I would be surprised if changes made at any SCADA site could not be immediately passed on to remote sites.

From this station I moved into system control, where my duties included national dispatch, grid control, and energy planning. We did have an old 8 bit Perkin Elmer computer, but the control function relied on us ringing each power station every hour to confirm that what we could see on our analogue dials was correct, or to dispatch a new generation setpoint. Grid control was very similar in that switching instructions were given verbally to operators in the field, and we would manually dress our mimic board. Not long after I started in system control we had a major fault which caused a massive blackout over most of New Zealand's North Island. Using just our verbal commands to operators, and manually dressing our board we restored all power within 3 1/2 hours. Shortly after this event we received our SCADA system, and slowly all sites became SCADA controlled. With around 2/3 of sites on SCADA control we had another major fault, losing supply to about half of the area of the earlier one. This time, using SCADA where possible, we restored supply in around 5 hours. From this we concluded that using SCADA allows for more precise control, but is not always as fast, or as secure, as doing the job manually.

I am now a Production Controller for a large generating company, and we have a number of modern control systems. When we started checking Y2K compliance we initially found that most of our systems were not compliant. In some instances a fix was relatively simple, but in one or two cases the fix caused more problems than the fault. Our SCADA had to be replaced, and one system that we are unable to fix in time for the rollover is now running quite happily with a 1989 date.

One of our biggest issues has been trying to determine just what the effects would be of having non compliant systems. Our IT section have stated that if it's not Y2K compliant then it will fail, however testing has shown that that is not always the case. With the control system that we have rolled back 10 years, the effect on the rollover is that it will time tag events as happening in 1900 rather than 2000. This would not be a big issue if that were all that happened, but in doing so it will automatically sort the events into the order of occurrence, decide that 1900 is a long time ago, and archive the events rather than display them on screen. So running 10 years behind is a good compromise.

If anyone has any specific questions on control systems, I'll try to answer them within the scope of my knowledge, but maybe someone more involved with these systems can assist.

Next section will be Transmission and distribution.

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), November 02, 1999.
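The event-list behaviour described in the post above (events tagged 1900 are sorted to the far past and archived, while a clock set back 10 years keeps them on screen) can be reproduced with a small model. This is an added example, not code from the thread or from any SCADA vendor; the two-digit year field, the 7-day display window, the function names and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: the operator screen shows only events within this window of the
# newest time tag in the list; anything older is archived off the screen.
DISPLAY_WINDOW = timedelta(days=7)

# Constructed sample: (real wall-clock time, event text) around the rollover.
SAMPLE_EVENTS = [
    (datetime(1999, 12, 31, 23, 59, 50), "CB 212 closed"),
    (datetime(1999, 12, 31, 23, 59, 58), "Feeder 3 overcurrent alarm"),
    (datetime(2000, 1, 1, 0, 0, 3), "CB 212 TRIPPED"),
    (datetime(2000, 1, 1, 0, 0, 4), "Distance protection zone 1 operated"),
]


def rtu_time_tag(real_time, clock_offset_years=0):
    """Tag an RTU with a two-digit year field would attach to an event.

    clock_offset_years models a clock deliberately set back (10 in the post).
    Note: 29 Feb of a leap year has no counterpart in a non-leap shifted
    year, and replace() raises ValueError for it.
    """
    shifted = real_time.replace(year=real_time.year - clock_offset_years)
    return (shifted.year % 100, shifted.month, shifted.day,
            shifted.hour, shifted.minute, shifted.second)


def scada_expand(tag):
    """Non-compliant expansion: every two-digit year is read as 19YY."""
    yy, month, day, hour, minute, second = tag
    return datetime(1900 + yy, month, day, hour, minute, second)


def build_event_list(raw_events, clock_offset_years=0):
    """Return (displayed, archived) lists of (scada_time, text).

    Events are sorted by the SCADA's view of their time tag, then split by
    age relative to the newest tag, as the post describes.
    """
    stamped = [(scada_expand(rtu_time_tag(t, clock_offset_years)), text)
               for t, text in raw_events]
    stamped.sort(key=lambda event: event[0])
    newest = stamped[-1][0]
    displayed = [e for e in stamped if newest - e[0] <= DISPLAY_WINDOW]
    archived = [e for e in stamped if newest - e[0] > DISPLAY_WINDOW]
    return displayed, archived


if __name__ == "__main__":
    for offset in (0, 10):
        shown, hidden = build_event_list(SAMPLE_EVENTS, offset)
        print(f"clock offset {offset} years")
        for when, text in shown:
            print("  on screen:", when.isoformat(), text)
        for when, text in hidden:
            print("  archived :", when.isoformat(), text)
```

With no offset the two post-rollover events, including the breaker trip, land in the archive and never reach the operator's screen; with the 10-year offset all four stay on screen in their true order, carrying 1989 and 1990 tags.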


Transmission networks.

The transmission network, or grid, is just a network of wires to move the power from where it's generated to where it's needed.

Each power line circuit consists of 3 conductors made of copper or aluminium, one for each phase, and at each end of the circuit there is a set of switchgear consisting of a circuit breaker, an isolator (or disconnector) and an earth switch. There will be a set of VTs (voltage transformers), a set of CTs (current transformers) and in some cases a PLC filter. This PLC is not an embedded system, it stands for Power Line Carrier, and is a communications system where a signal is superimposed onto the power line, and filtered out again at the receiving end. It is usually used for protection systems, but can also be used as a carrier for voice transmission.

The transmission circuit will terminate at a bus bar along with other circuits, and from the bus bar will be interconnecting transformer banks to change the voltage to either match other transmission circuits, or distribution system voltages.

Although man can design power transmission systems, the electricity will always obey the laws of physics, and no matter what we do we cannot change that fact. Therefore we must design and operate the transmission networks within those natural laws.

When current passes through a conductor, there are some losses due to resistance in the circuit resulting in heat produced. These losses are in proportion to the square of the current, so a highly loaded line will have much higher losses than a lightly loaded line. However there is another law of electricity that says "the sum of currents entering a point must equal the sum of currents leaving a point". With a transmission circuit this means that the number of electrons entering one end of a circuit must equal the number of electrons leaving the other end. So the losses do not show up as lost current, they show up as a reduced voltage at the receiving end.

There is another strange effect that occurs in the circuit. Because there are 3 phases, the 3 wires act a bit like a capacitor in an electronic circuit, and because the path is never exactly straight, the power line also acts like a coil. As you can see, each circuit has resistance, capacitance and inductance, just like many electronic circuits. The combination of these three influences means that there can be a slight phase shift between the voltage and the current at the receiving end. In order to correct this phase shift, and to assist with supporting the voltage, there will often be capacitor banks at strategic locations.

Despite the change in voltage that can occur at differing spots within the grid, there is one thing that will always remain constant, and that is the frequency. If you have a frequency of 60 Hz at one point in a grid, then it will be 60 Hz at all points. If something happens to lower the frequency to 59 Hz at one point, then it will fall to 59 Hz at all points. It is this physical law that enables all generation to be connected, and to work in unison in maintaining supply throughout a power network.

Each circuit has to have protection that can detect and isolate a fault that may be many miles, or even hundreds of miles away. However it must have sufficient discrimination to allow closer protection to the fault to operate first, and it should be able to determine whether it is a transient fault, or a permanent one.

One type of protection built into power lines to achieve these aims is distance protection. It compares the increase in current due to a fault to the drop in voltage. A fault close to the source will cause a large drop in voltage, but one in another power line a long distance away will only cause a small voltage drop. Using this discrimination, the protection will operate after a set time depending on which zone it sees the fault in. A zone 1 fault would be immediate, but a zone 2 fault may not cause an operation unless it has been there for at least 1 second, and a zone 3 fault may last 5 seconds before causing an operation. The actual time will vary from area to area, and from circuit to circuit.

When the protection does operate it will send a trip signal to the circuit breaker, and will also signal the RTU that a tripping has occurred. The RTU will time tag the event, and pass the data on to the SCADA. Note that the RTU cannot pass a trip signal back to the protection. The operator or controller can send a trip signal to the circuit breaker via SCADA, and that will be time tagged at the SCADA and passed to the RTU which would then pass the signal on to the tripping coil in the circuit breaker. The RTU does not have any logic that would cause a spurious tripping signal to be sent to the circuit breaker.

A failure of either the SCADA or RTU would simply mean loss of remote control, not loss of the circuit.

So the transmission system would be one of the more robust parts of the whole grid. It is extremely simple, and unlike the distribution system (next session) is almost immune to squirrels (or possums here in New Zealand).

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), November 02, 1999.
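The distance-protection discrimination described in the post above can be worked through on a simple corridor: each relay divides the voltage it sees by the fault current, places the result in a zone, and waits that zone's delay before tripping. This is an added example, not from the thread or from any relay vendor; the single-source radial model, the line and source impedances and the zone reach settings are assumptions, and only the zone delays (immediate, 1 second, 5 seconds) come from the post.

```python
from dataclasses import dataclass

ZONE_DELAY_S = {1: 0.0, 2: 1.0, 3: 5.0}  # delays quoted in the post
ZONE_REACH = {1: 0.8, 2: 1.2, 3: 2.2}    # assumed reach, multiples of own line impedance
OHM_PER_KM = 0.4                          # assumed line impedance
SOURCE_OHM = 10.0                         # assumed impedance behind the source at km 0
SOURCE_KV = 63.5                          # assumed phase voltage (110 kV line to line)


@dataclass
class Relay:
    name: str
    position_km: float  # where the relay sits on the corridor
    line_km: float      # length of the line it protects

    def measure(self, fault_km):
        """(voltage kV, current kA) at the relay for a solid fault at fault_km."""
        current = SOURCE_KV / (SOURCE_OHM + OHM_PER_KM * fault_km)
        voltage = current * OHM_PER_KM * (fault_km - self.position_km)
        return voltage, current

    def zone(self, fault_km):
        """Zone in which this relay sees the fault, or None if out of reach."""
        if fault_km < self.position_km:
            return None  # fault is behind this forward-looking relay
        voltage, current = self.measure(fault_km)
        apparent_ohm = voltage / current
        own_line_ohm = OHM_PER_KM * self.line_km
        for zone in (1, 2, 3):
            if apparent_ohm <= ZONE_REACH[zone] * own_line_ohm:
                return zone
        return None


def clear_fault(relays, fault_km, fault_duration_s, failed_breakers=()):
    """Return (relay name, trip time in s) for the first successful trip.

    Returns None when no relay reaches the fault, or when the fault is
    transient and disappears before the earliest delay has expired.
    """
    candidates = []
    for relay in relays:
        zone = relay.zone(fault_km)
        if zone is None or relay.name in failed_breakers:
            continue
        candidates.append((ZONE_DELAY_S[zone], relay.name))
    if not candidates:
        return None
    delay, name = min(candidates)
    if fault_duration_s < delay:
        return None
    return name, delay


# Constructed corridor: source and relay A at km 0, relay B at km 100.
RELAY_A = Relay("A", 0.0, 100.0)
RELAY_B = Relay("B", 100.0, 100.0)
RELAYS = [RELAY_A, RELAY_B]

if __name__ == "__main__":
    for km in (10, 110, 150):
        volts, amps = RELAY_A.measure(km)
        print(f"fault at km {km}: A sees {volts:.1f} kV, {amps:.2f} kA, "
              f"zone {RELAY_A.zone(km)}; B sees zone {RELAY_B.zone(km)}")
    print(clear_fault(RELAYS, 110, float("inf")))
    print(clear_fault(RELAYS, 110, float("inf"), failed_breakers=("B",)))
```

A fault 10 km past B is cleared by B at once; A, which sees the same fault in zone 2, trips only if B's breaker fails and the fault is still there after 1 second.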


Distribution Systems. (Power to the people)

Once again this is one area of the industry that I have not been closely involved in, so I shall talk in general terms only, and based on what I am familiar with in New Zealand. I may not be able to answer specific questions.

The transmission lines will terminate at one or more bus bars in a large substation within a few miles of you (the consumer). The very high voltages used for transmission are now reduced to intermediate voltages suitable for local powerlines (called feeders) via underground cables, or overhead lines on either small pylons or wooden poles. Typical voltages are 110 KV for cities, 66 or 33KV for suburbs or smaller towns, and down to 11 KV for local distribution. Somewhere very close to where you live (probably within yds) there is a local transformer which brings the voltage right down to your household requirements. The feeder lines will still have circuit breakers, and some form of protection, but this may be limited to overcurrent or earth fault relay. Lower voltages will have unitised (or canned) circuit breakers, which are a circuit breaker and protection unit built into a single housing. In the lowest voltage ranges fuses are still quite common.

Remote control of the feeder circuit breakers, and some unitised breakers is still possible via SCADA, but right down at the end of the line all operations are manual. There is one major exception, and that may be right inside your house. Some power distributors have the ability to cut off some load in your house during peak periods via a system known as Ripple Control. Usually the only load you would have on this system is your hot water, but often the time at which the load shedding occurs is set by a computer. So here is a potential Y2K issue that would not cut all power to you, but may leave you without any hot water. And cold showers in the middle of winter may not be what you really desire.

In general I believe that the distribution system is very resistant to Y2K issues, but is at risk from such things as small animals (squirrels or possums) climbing up on to transformers, or sober drivers hitting power poles (they say that 40% of accidents are caused by drunk drivers, so the other 60% must be caused by sober drivers).

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), November 03, 1999.


Putting it all together. (The final story)

So far I have tried to show how simple the electricity system is. Some parts are made more complex because we want to increase the efficiency, or pass more power through a smaller piece of equipment, but in general the whole subject of electric generation, transmission and distribution is quite simple.

What has happened though is that many generators have synchronised together, power lines have become interconnected, and electricity is perceived by consumers as always being there on demand. When you turn on a switch in your house you expect that there will be sufficient quantity of electricity, at an appropriate quality to meet your requirements. What you probably do not recognise is that every time you turn on a switch, either someone else must turn off a switch, or the entire generation system must change its output to meet your demand. Now doesn't that give you a sense of power? Just by turning on your computer you have made 3000 generators increase their output. Of course the change is so incredibly small that it could not be measured, but it has still happened.

Integrated actions of a grid:

Consider a single generator capable of generating 200 MW, supplying a single consumer (a large factory or oil refinery) taking 100MW at 11 KV, and connected by a single power line. The generator is at 60 Hz and 11 KV, and at full load, and the generator is a fairly simple one without any automatic functions at all. If the factory suddenly switched in a 10 MW heater, so that it now requires 110 MW, the generator would be unable to supply. Remember right back in the section on generators where I said how the voltage can be changed by changing the speed? In this case the generator would start to slow down and lower the voltage. The generator speed (and frequency) would stabilise at 54 Hz, where the lower voltage would now be able to meet the demand on it.

However, this generator has a governor which will see the speed falling away, and will open the turbine gates to produce more output. The automatic voltage regulator will see the voltage falling and will increase the excitation to the rotor and increase the terminal voltage. With this example the isolated system I have described will settle down at 59.7 Hz (5% permanent speed droop for the engineers), and the voltage will remain at 11 KV. The difference in the generator's capability between the 100 MW it was producing initially and the 200 MW it was capable of is called spinning reserve.

Now let's make this small system a bit more complex. Instead of a single 200 MW generator, let's have 1000 of them capable of 200,000 MW. And instead of a single factory or oil refinery using 100 MW, let's have 100 of them. In addition let's have 2000 cities with domestic load each taking 90 MW, and the whole network is interconnected with 1000 power lines. The total demand is 190,000 MW, so we have 10,000 MW of spinning reserve. If the same factory that initially switched in 10 MW extra did so again, the speed of all the generators would once again fall. But this time the frequency would only fall to 59.9968 Hz without any governors. With governor action the frequency will stabilise at 59.9998 Hz. In other words, all generators have slowed down slightly, but it is impossible to measure.

The stations with AGC will detect this very slight fall, and increase the governor settings to return the frequency to 60 Hz.

Now consider the same situation with 190,000 MW demand, and 200,000 MW available. Each generator is producing 190 of the 200 MW it is capable of, when calamity strikes. A Y2k fault affects 50 of these generators simultaneously, and for some obscure reason which no-one has foreseen they trip off line. We now have 950 generators producing 190 MW each for a total of 180,000 MW, but the demand has remained at 190,000 MW. (all factories and refineries are immune to Y2K). There is not enough energy being produced, and the frequency will start to fall, and all the remaining governors will react to increase output. The frequency will settle down at 59.995 Hz. There will be an initial swing, and possibly a small voltage surge, but only very sensitive equipment would be able to detect it.

Thus the grid would remain very robust and continue to supply power of a standard quality.

Complete Collapse:

OK, so the impossible happens and the entire grid fails. At some critical low frequency all generators will trip off line and there is nothing left connected. This is an extremely unlikely event, but it is one that can happen at almost any time. The operators in the power stations are very busy stabilising their plant. Reactors have scrammed, Thermal plant has tripped off and the safety valves are blowing, Hydro plant has tripped, gone to overspeed (I'm purposely making this just as bad as it can be), and dropped the headgates on all operating plant. The country is black.

The system controllers looking after the grid will immediately open all line circuit breakers that have not already tripped. They will be looking over their events log to find the source of cascade, and will clear the bus (open all circuit breakers including transformers, bus couplers half breakers, etc). They will next assign a single station, usually a hydro station as black start.

Meanwhile operators at the affected stations will be looking after their own plant. Thermal plant (and nuke) will be barring, and hydro stations will be priming penstocks and getting available plant that wasn't running up to speed ready to close in.

The black start station will confirm that all line breakers are open, then start a single generator (if they haven't already started all of them), and close its circuit breaker onto the bus. There is now a single bus at grid voltage and frequency.

System Control will liven a single line from the black start station to a small load center. (up to 15% of the capability of the generator) This gives something for the generator to work against and helps provide a more stable platform for further restoration. A further generator will be connected, and another line will be livened to a different generating station. While the second generating station is connecting its plant, some more load can be connected. Piece by piece the grid is rebuilt. Generation plant, lines, load, more generation, more lines, more load. The only part or parts of the grid not to be reconnected will be the initial cause of the fault.

The controllers do have a few other issues to contend with, like voltage profiles, reactive power flows etc. But the basic principle remains the same.

I hope this series has helped to give an idea of how simple an integrated power grid is, even though there can be some individual complex issues involved. The whole concept of a grid is that it follows the laws of nature, and no matter how smart man may be, no matter how complex or how simple the computer code may be, the laws of nature will always surpass the laws of man.

Questions Please

Malcolm.

-- Malcolm Taylor (taylorm@es.co.nz), November 04, 1999.


You seem to be saying that, while blackouts are certainly real, the grid has never been at risk from Y2K-mode failures -- if at risk, a very, very minor risk. Why, then, was there ever such concern about the grid? It was expressed early on by people within the industry themselves, many credible. It was expressed by intelligence agencies and has been expressed about "foreign" countries as recently as two months ago. Do you attribute this, based on your analysis, to sheer ignorance of something that, the way you describe it, sounds so "obvious"? Or what?

-- Questioner (Inquiring@Minds.Want.To.Know), November 04, 1999.

Malcolm, thanks for the effort. One question. Discussing recovery from the "worst-case" scenario above, you write:

"The system controllers looking after the grid will immediately open all line circuit breakers that have not already tripped. they will be looking over their events log to find the source of cascade, and will clear the bus (open all circuit breakers including transformers, bus couplers half breakers, etc)."

What if the "events logger" is not Y2k-compliant? I have heard from a reliable source (a person who works for the manufacturer of the logger) that these loggers will simply not work at rollover. This, in effect, leaves everyone "in the dark" as to the root cause. Care to comment?

-- Trying to (underst@nd.itall), November 04, 1999.


Malcolm,

Thanks very much! Now, I have to go back and reread this thread and see what questions remain.

Jerry

-- Jerry B (skeptic76@erols.com), November 04, 1999.


Good points, good lessons. Thank you for your time, and I hope the flood troubles are behind you.

The devil, as the good Admiral Rickover always said, lies in the details. You are, in general, describing the "proper" way of running things: generating power, transmitting it, and distributing it. If all components in these systems were properly remediated and thoroughly tested, and if all operators at all the controls and centers in the system were thoroughly drilled in abnormal and emergency systems, then I too would expect few problems. Things would continue operating as you describe, and there would be few disruptions in power.

If problems occur, recovery could begin as you describe, with each station linking back to others. (Good point on stability: one threat from islanding utilities is that the massive load now in place that tends to stabilize the generators is greatly reduced. Thus, loss of a generator at a companion plant, or loss of a load (after islanding) has a much greater effect at the remaining generating stations.)

What remediation has been done has eliminated many problems. I think that fact cannot be disputed: NO company or utility worldwide has EVER reported that they found no problems. Therefore, we can conclude that there are serious and significant threats from y2k-induced failures in the control of the generation equipment, in the control of the transmission system(s), and in the control of the distribution systems.

Let us leave aside the obvious y2k-induced threats in business-end operations: failures in programming, billing of customers, receipt of payments, paying (and receiving taxes and other government interfaces), venders, retirement and "people support" functions for their employees, etc.

These are only critical in the utility remaining in business, not in generating power.

---

In abnormal times, in an unremediated system, failures can occur at any point where any signal is received or generated: the result of failure may be a nuisance, an irritation, or a danger. Even a failure "as-is" - where nothing results (no increase in sensed pressure, or no change in throttle position of a control valve, for example) can be tolerated ONLY as long as the existing load and systems remain unchanged. Failure, however, is assured in such a failed system, as soon as operating conditions change.

Station startup is one such extreme example. Station shutdown another: but even minor load changes that only affect the lube oil temperature (thus the cooling water throttle valve position), or hydrogen cooling loads, or condensate level in the condenser - or whatever - up to and including the water level in the boiler - will affect the plant.

If everything were remediated properly, these problems would be eliminated: but EVERYBODY (except the nuclear plants) is relying on self-reported data, un-audited (again, except at nuclear plants) and untested. The design data, maintenance data, and maintenance history at most fossil plants is poor and incomplete as changes have been made over time and venders go out of business or are bought by other companies.

Relying on vender data (in non-nuclear systems) has been shown to be incorrect in many (not all) instances: companies have often reported failures of components that the vender "reported were compliant": caused by incomplete vender data, differences in the processor installed (even with the same part number), and differences between vender lot designs.

Remediation, testing of components themselves, and thorough testing of the integrated systems have been done: but in any case, cannot actually "catch" all potential failures. Thus, the uncertain question remains: how effective has the current remediation effort been?

How many utilities are accurately reporting their status? How many are relying themselves on incorrect, incomplete, or inadequate vender data? How many are doing the best job they can, but didn't have time to do a thorough job under time pressure from the government? How many have done a good job, but simply missed even ONE component that will shut them down for how long a time?

Testing could have resolved these issues - but testing the grid controls HAS NOT been done anywhere.

Re-read please your excellent description below: and notice that none of these actions (admitting that "blackstarts" would likely be the exception) and notice that you have assumed that all these tasks can be done.

But, none have been drilled. None have been practiced. None can be safely done (without subsequent extreme and "permanent" - more than 30 days - damage to rotating and control equipment) without the remote controls and sensors and control and feedback circuitry that is itself the very source of the original problem.

In other words, you are assuming that the utilities can recover using existing controls and remote sensors using a grid already available: but they have not proved their ability to recover from the uncertain conditions likely to be present after failure of other components.

For example, you are assuming that fossil plants have the ability to black start themselves. Using what to light off their own plant? Most have no emergency generator capable of the hotel loads needed to reheat the plant until it becomes self-sufficient.

You are assuming that the distribution system can respond to and control varying loads - but are assuming no secondary failures in any of the distributed systems (or control centers, or sensors, or the controls themselves) that are also vulnerable to failure.

__

<< Meanwhile operators at the affected stations will be looking after their own plant. Thermal plant (and nuke) will be barring, and hydro stations will be priming penstocks and getting available plant that wasn't running up to speed ready to close in.

The black start station will confirm that all line breakers are open, then start a single generator (if they haven't already started all of them), and close its circuit breaker onto the bus. There is now a single bus at grid voltage and frequency.

System Control will liven a single line from the black start station to a small load center. (up to 15% of the capability of the generator) This gives something for the generator to work against and helps provide a more stable platform for further restoration. A further generator will be connected, and another line will be livened to a different generating station. While the second generating station is connecting its plant, some more load can be connected. Piece by piece the grid is rebuilt. Generation plant, lines, load, more generation, more lines, more load. The only part or parts of the grid not to be reconnected will be the initial cause of the fault. >>

---

A final question: In your last sentence above: how will "they" determine " the initial cause of the fault" if several areas fail in sequence, or at the same time? Restarting will only cause subsequent failures, if the actual problem has not been eliminated.

Thus, I believe that the power will be intermittent, coming up and down for a while as each problem is discovered, isolated, tried to be fixed, then actually fixed, then the next problem is found - perhaps stabilizing in three-four days in many areas, perhaps as long as a week in most areas, with certain areas more or less permanently isolated for much longer times.



-- Robert A. Cook, PE (Marietta, GA) (cook.r@csaatl.com), November 04, 1999.


Robert,

Something seems to be missing from your sentence:

"Re-read please your excellent description below: and notice that none of these actions (admitting that "blackstarts" would likely be the exception) and notice that you have assumed that all these tasks can be done. "

Jerry

-- Jerry B (skeptic76@erols.com), November 04, 1999.


Thank you Jerry:

I cut-and-pasted his (Malcolm's) recovery description, but it evidently was inserted in the wrong place. Oops.

Look at the <<...>> quoted part of my post.

What I wanted you (the reader) to notice was that all of these actions themselves require good information, accurate readouts and displays, good reactions and diagnostic abilities on the part of the system and power plant operators, and working systems, controllers, indicators, logs, and circuits.

And all of these are subject to failure.

-- Robert A. Cook, PE (Marietta, GA) (cook.r@csaatl.com), November 04, 1999.


Robert,

I had found the cut and pasted part, but there still seems to be something missing between the two occurrences of "and notice" in your sentence:

"Re-read please your excellent description below: and notice that none of these actions (admitting that "blackstarts" would likely be the exception) and notice that you have assumed that all these tasks can be done."

Jerry

-- Jerry B (skeptic76@erols.com), November 04, 1999.


Malcolm,

Thanks again.

A few questions:

1. Would it be approximately correct to summarize that, except for telecoms (for SCADA, or voice, communications to remote sites), and fuel deliveries for fossil fuel plants, most potential Y2K problems are at the generation sites, and most of such potential problems can be circumvented manually if telecoms are up?

My next few questions are about how things work regardless of any potential Y2K concerns.

2. Regarding "a set of VTs (voltage transformers), a set of CTs (current transformers)" in the transmission discussion: please clarify a bit. The names almost suggest that all of the voltage goes through the VTs, and all of the current goes through the CTs, but I imagine that's not what is actually happening. :-)

3. While loads are shifting, and generator RPM are being adjusted to compensate, what kind of devices or methods keep the phases from different generators in sync? I assume that if out of sync voltages meet at some common point, something nasty would happen.

Jerry

-- Jerry B (skeptic76@erols.com), November 04, 1999.


Questioner,

I cannot say that the grid has never been at risk, but certainly there have been assumptions made which in many instances just went too far. There may still be some generators that have not checked/tested all of their embedded systems, or that may not have a suitable contingency plan in the event that their control systems fail.

I have been involved in our Y2K work for over two years, and when I first joined the Y2K effort I was sure that our stations were in trouble. We were told horror stories of tests being carried out on equipment that had no need to know a date, but on rollover the equipment died. And we had thousands of items to check. However as our program moved forward we found that very few items were at risk, and with many of those that were at risk, there were none that would actually cause a generator to trip. There was one exception to this which I have already reported on.

However as recently as last week while talking to one of our IT people about a control system that is not compliant (and that we have rolled back 10 years), I was told that the failure would result in loss of the power station. This showed the IT person's lack of knowledge of the actual station operation, as all that would actually have happened is that the events recorder would not report correctly. The station could still be controlled remotely, and it would not even have been necessary to go to manual. I believe that it is this type of belief (lose a component - lose the station) that has fostered a lot of the fear of losing the grid.

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), November 04, 1999.


Trying to, I would certainly hope that by now all control centers have their events logger fully remediated, or at the very least would have developed a work around. I understand that you have heard from someone who works for ONE manufacturer of loggers that their product is not compliant, but please don't think that makes ALL loggers non compliant. It is also necessary to differentiate between event logging which usually happens within a SCADA, and data logging which may happen almost anywhere.

However, if the control center has no form of working event logger then they will "pressure test" each section of line or bus prior to loading it. This procedure adds around 30 seconds to each step, but it does determine if a circuit is healthy before placing it on load. Prior to SCADA we had to pressure test all the time, and it is still practiced here in NZ to pressure test any equipment that is being returned to service after fault repairs.

Malcolm

Malcolm, thanks for the effort. One question. Discussing recovery from the "worst-case" scenario above, you write:

"The system controllers looking after the grid will immediately open all line circuit breakers that have not already tripped. they will be looking over their events log to find the source of cascade, and will clear the bus (open all circuit breakers including transformers, bus couplers half breakers, etc)."

What if the "events logger" is not Y2k-compliant? I have heard from a reliable source (a person who works for the manufacturer of the logger) that these loggers will simply not work at rollover. This, in effect, leaves everyone "in the dark" as to the root cause. Care to comment?

-- Trying to

-- Malcolm Taylor (taylorm@es.co.nz), November 04, 1999.
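An added illustration, not part of the thread: the controllers' search of the events log for the source of a cascade depends on the time tags ordering correctly. The sketch below assumes a hypothetical logger that tags records with a two-digit year (the record format, device names and events are constructed, and this is one possible failure mode, not a description of any real product); sorting on the raw tag across the rollover names the wrong first event, while a pivot-year window restores the true sequence.

```python
from datetime import datetime

# Constructed sequence-of-events records (format and device names are
# hypothetical): "YYMMDD HH:MM:SS.mmm DEVICE EVENT", listed in arrival order.
SAMPLE_LOG = """\
000101 00:00:00.412 CB-214 TRIP
991231 23:59:59.871 CB-102 TRIP
000101 00:00:01.030 BUS-A UNDERVOLTAGE
991231 23:59:59.640 LINE-7 OVERCURRENT
"""


def parse(log_text):
    """Split each non-empty line into its four whitespace-separated fields."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, clock, device, event = line.split()
        records.append(
            {"date": date, "clock": clock, "device": device, "event": event}
        )
    return records


def naive_key(rec):
    # Sorting on the raw tag treats year "00" as earlier than year "99",
    # so every post-rollover event appears to precede the real first fault.
    return rec["date"] + rec["clock"]


def windowed_key(rec, pivot=70):
    # Pivot window (assumed policy): two-digit years >= pivot are 19xx,
    # years below it are 20xx.
    yy = int(rec["date"][:2])
    year = 1900 + yy if yy >= pivot else 2000 + yy
    month, day = int(rec["date"][2:4]), int(rec["date"][4:6])
    hh, mm, rest = rec["clock"].split(":")
    ss, ms = rest.split(".")
    return datetime(year, month, day, int(hh), int(mm), int(ss), int(ms) * 1000)


def first_event(log_text, key):
    """Return the record that the given ordering considers the earliest."""
    return min(parse(log_text), key=key)


def timeline(log_text, key):
    """Return device names in the order the given key sorts them."""
    return [r["device"] for r in sorted(parse(log_text), key=key)]


if __name__ == "__main__":
    print("naive   :", timeline(SAMPLE_LOG, naive_key))
    print("windowed:", timeline(SAMPLE_LOG, windowed_key))
```
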


Robert, Thankfully it was only a minor flood, (level 2 is the second lowest category) and flows are now down to only 15% above normal maximum operating flows. You have asked some very pertinent questions here which I'll try to answer.

Yes, I have tried to concentrate on "normal operations" with all components running successfully, however I have made comment on where I believe Y2K issues could affect normal operations. Certainly all operators that I know of ARE fully trained and drilled in abnormal situations, because it is during unusual events when an operator really earns his pay. If everything just worked perfectly all of the time, then there would be no need for operators, or controllers, and everything could be computerised.

I have not commented on business applications such as billing etc, as that is not critical to the supply of power to the grid. If billing systems do fail, then either the company concerned will have to fix it very fast, or the level of unemployment will fall overnight with thousands of new jobs being created. (Perhaps the IT people who couldn't fix the software can find employment as accounts clerks).

You say "... failures can occur at any point where any signal is received or generated:" This is not quite correct. Failure can only occur due to Y2K issues if the source, or receiver of the signal is digital and uses a time base for some reason. In most cases where signals are generated, the source is either a relay or a transducer with no time component, and hence would be immune to Y2K. The receiver of the signal may be a PLC or an RTU, but any time based issues here are likely to involve time tagging and not calculations.

You then say "...the result of failure may be a nuisance, an irritation, or a danger. even a failure "as-is" - where nothing results (no increase in sensed pressure, or no change in throttle position of a control valve, for example) can be tolerated ONLY as long as the existing load and systems remain unchanged. Failure, however, is assured in such a failed system, as soon as operating conditions change."

It has been my experience that failure is NOT assured just because conditions change. The normal built-in facilities within the governors, AVRs, burner management systems etc will allow for changing conditions without any detriment to the running of the plant.

You comment that "... EVERYBODY (except the nuclear plants) is relying on self-reported data, un-audited (again, except at nuclear plants) and untested."

Perhaps some stations have not tested as much as they should have, but I would have reservations in accepting "EVERYBODY" as being correct. I agree that testing carried out so far may not have detected ALL possible faults, and that is why we have contingency plans in place. I cannot answer your questions as to "How many utilities ....." etc. The answer to that will have to wait until January when we see the results. :)

If you re-read the part on grid restoration you will note that I said how one station (the black start station) will begin the re-livening process. As parts of the grid become live, then power will be available for the fossil fueled stations to re-light. In fact the local demands of a fossil fueled station are just the sort of base load required to maintain stability while livening up another section of the grid. To answer your final question about how they will know where the faults occurred, see my response to "Trying to" above.

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), November 04, 1999.


Jerry,

I believe that the majority of Y2K issues with the entire electricity system would be in power stations, rather than in the substations or control centers. I'm not trying to say that they are entirely immune, but that they are less likely to be affected in a way that could cause loss of supply. VTs and CTs are very small transformers that are used for metering and protection purposes. They do not interfere in any way with the transmission of current (or voltage) but effectively measure what is flowing. A VT is situated between a phase and earth, and outputs a voltage (often around 110 volts) which is directly proportional to the voltage being measured. Where extremely high voltages are being measured, the voltage is first divided in a bank of capacitors to reduce the part being measured to a lower value.

A CT is in a bushing which is fitted around a conductor, and it outputs a current which is in proportion to the current being measured. In short, you are correct in that all of the voltage is across (but not in) the VT, and all of the current does pass through (but not in) the CT, and the outputs are at a much lower measurable value.

There are no devices or methods needed to keep the generators in synch. Once synchronised and closed initially, the magnetic coupling is sufficient to maintain synch. Without going into too great an explanation of reactive power, phase angles and rotor angles, a simple explanation would be: If a generator tried to get out of synch by spinning its rotor too fast or too slow, then the voltage induced in the stator (in phase with the current) would start to fall. As the power being produced hasn't changed, then the current must rise, and a higher current means a stronger magnetic field being produced in the stator. And as the rotor is just one big rotating magnet anyway, then it would rapidly be pulled back into line with the rotating magnet field in the stator. Thus it is almost impossible for a generator to get out of synch.

It can happen though, if the turbine is producing a high amount of power, and the magnetic field in the rotor is allowed to drop to such a stage that it can no longer stay in synch, then the generator will "pole slip". Protection devices built into the excitation will first try to prevent the field from dropping so low, and if the magnetic field did fail then field failure relays would operate to trip the generator off line.

Malcolm.

-- Malcolm Taylor (taylorm@es.co.nz), November 04, 1999.


Malcolm,

Thanks again for all the time, effort, and patience that you have put into this thread.

Now I'll have to work my way from basic EM to your summary of generators staying in sync. :-)

BTW, I forgot to mention what appears to be a typo in the putting it all together post. The sentence was: "With this example the isolated system I have described will settle down at 59.7 Hz (5% permanent speed droop for the engineers), and the voltage will remain at 11 KV." I assume that the 5% was a typo of .5% .

After the questions have settled down, I will probably be inclined to initiate another thread to alert others on this forum that this thread has been completed, along with Q & A. I am guessing that some may have noticed it while it was in progress, but may have forgotten to check up on it as the various sections were added.

Jerry

-- Jerry B (skeptic76@erols.com), November 05, 1999.


If I missed this in the text I apologize. My understanding is that a cascade failure used to be controlled by the relay system you described as WELL AS an ability to pull a plant out of line by main controller intervention. My further understanding is that this intervention path has been heavily automated and computerized, giving rise to the possibility of damage to the generating facilities due to their not being pulled in time.

Am I all wet??

Chuck who WILL reread the above and THIS TIME be able to keep his head above water. I LOVE it when I get challenged!

OH, BTW SOME of us (the older ones) DID see the electricity experiments in school but it was in Industrial Arts (AKA Shop).

(Das used to teach it!)

-- Chuck, a night driver (rienzoo@en.com), November 05, 1999.


This is most interesting. I need to come back when I have more time and it is not so late to study this.

One thing that strikes me about this thread is the disconnect between the technical and the corporate mentality, the CEOs, vice-presidents, and so forth who might be more concerned about lining their pockets than doing Y2K repair work, or, as in the case of PG&E, diverting many millions of dollars away from safety concerns and keeping their hardware up to snuff so as to increase profit.

I've written about this, at length, in "Connecting With PG&E," which is at my website, http://www.homestead.com/buttecounty2k and the link is on page 2.

It seems that without taking corporate attitudes into consideration of possible technical failures, it's like talking about the specs of a fast moving car but not mentioning the drunken driver piloting same.

-- johno (jobriy2k@yahoo.com), November 05, 1999.


Thank you for the comments, and replies. All are appreciated.

Agree, testing is easiest done with the plant off-line/isolated; that's why the grid itself has not been tested or "drilled" thoroughly. Individual plants, in some/many/most cases - take your pick, nobody here is saying anything specific - may or may not have set ahead and tested what they can.

In several cases, the dates (for process controllers, logging devices, etc.) have been left ahead - the plant, once running "post 2000", was left in next year. (Don't know how they'll reset dates, I assume they would do this after the dust clears and time is available.)

The grid itself (its control stations, its controllers, its systems and monitors and sensors) has not (here) been tested thoroughly. What will happen (at local time at turnover) at GMT at turnover, and as subsequent loads change through the weekend is unknown.

I agree that the sensors themselves are usually not date/time sensitive - it is the processor that reads and uses the data stream coming from the sensor that is most at risk. For example, I'm looking at a 3-D CAD model of a 2040 ton-per-day ammonia plant in Trinidad.

The big transfer pumps are tripped off by a signal processor that receives input from 9 different parameters: including high vapor pressure, high differential pressure, low lube oil pressure, high lube oil pressure, high temperature, low flow, high discharge pressure, etc.

Failure in any one of these sensors, or in the logic of how these signals are processed, or in the safety trip processor itself at the date change will dump the system. That is: shut down the entire plant and vent all affected high pressure systems to the stack.

One system, one plant, one trip - from only one bad or intermittent signal that acts up.

Power plants are much less complex - like most petrochemical plants and paper mills, this ammonia plant has its own power plant in the middle of it - but the principle is the same. A shutdown could occur from unexpected sources that are difficult to troubleshoot and eliminate.

For example, the dams (hydro-electric plants) are near the "top of the food chain" - they rely on nothing but water, gravity and their own control systems to produce power. But, could you - at your station - do a black start if you were isolated from the grid?

Once the residual primary problems at each station and at each distribution center have been found and eliminated, then the inter-relationship problems/coordination and communication problems (and those have also been little drilled and tested here) can be found and eliminated.

Obviously, we don't know what the residual problems will be - if we knew, they would be eliminated now! My experience in computer software specifications, testing, development, and installation at customer sites tells me that there are dozens of residuals at each plant and distribution center, perhaps hundreds in each utility, and thousands in the national systems.

Some will be minor and never be found and actually don't affect anything. Some will be minor that won't have an impact until much later - and that impact may itself be minor or catastrophic. Some will be major and easy to fix or reset.

Some will be major and take a longer time to replace. Like the feed-reg valve at nuclear plants that failed and tripped the plant on low water pressure. This valve cannot be safely operated manually for long periods of time, and must be replaced. Which requires a plant shutdown.

Now, at several nuclear plants, this valve was tested, found at fault, and replaced. What has happened at the thousands of non-nuclear plants and petro-chemical plants? They too use this valve and ones like it, but have all plants successfully replaced it?

Only then can general recovery begin.

-- Robert A. Cook, PE (Marietta, GA) (cook.r@csaatl.com), November 05, 1999.


Jerry, many thanks for your comments.

When you wrote "BTW, I forgot to mention what appears to be a typo in the putting it all together post. The sentence was: "With this example the isolated system I have described will settle down at 59.7 Hz (5% permanent speed droop for the engineers), and the voltage will remain at 11 KV." I assume that the 5% was a typo of .5%", that was not a typo. A 5% permanent speed droop means that a 5% change in speed will result in the governor changing the turbine gates by 100%. Thus a change in demand of 10% will result in a .5% change in speed, and frequency.

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), November 05, 1999.


Chuck,

When you wrote "My understanding is that a cascade failure used to be controlled by the relay system you described as WELL AS an ability to pull a plant out of line by main controller intervention. My further understanding is that this intervention path has been heavily automated and computerized, giving rise to the possibility of damage to the generating facilities due to their not being pulled in time.", you may be correct as regards to USA. I have not seen this degree of computerising that you suggest, but I must admit that it is possible.

One of the reasons that we have not opted for computerising any of our protection systems is that they must operate fast and reliably. Electro-mechanical relays do that best, and are not as prone to failure as are computerised systems.

Malcolm

-- Malcolm Taylor (taylorm@es.co.nz), November 05, 1999.


Robert, you asked "For example, the dams (hydro-electric plants) are near the "top of the food chain" - they rely on nothing but water, gravity and their own control systems to produce power. But, could you - at your station - do a black start if you were isolated from the grid?"

At our hydro stations we do have the ability to do a black start, and we have practised it under a variety of circumstances. The average time from when we are told to black start to having a generator connected and feeding some local service is 2 1/2 minutes.

Of the 14 hydro stations that I have worked at, 7 have full black start capability, 1 should have full black start capability, but whenever we tried we just had a single shot, and if that failed then another attempt would not work. Another does have black start capability as far as the generators are concerned, but as the station is remote and unmanned, there is no way to actually close the circuit breaker on the bus without voltage to synchronise to.

Malcolm


-- Malcolm Taylor (taylorm@es.co.nz), November 05, 1999.


Good answer, that's exactly the kind of contingency planning (actually DOING the emergency startup's) that has NOT been done here.

More correctly, if ANY utility here (other than nuclear plants) has "black-started-drilled" its workers in emergency startup and recovery procedures, NOBODY has said anything. I'm hoping at least a few have, but have no evidence of it. Nor is there a requirement to do so by NERC or the EPA.

See why it's important to do the emergency operations on each shift (so every operator has practiced the "unusual" jobs and work-arounds and "exceptions" like that one-start plant) and so backup planning isn't "surprised" by weird failures.

Or at least, so when "weird failures" and symptoms do occur, the operators can better minimize their effects.

-- Robert A. Cook, PE (Marietta, GA) (cook.r@csaatl.com), November 05, 1999.


Malcolm,

I think I've got it. The phrase "speed droop" apparently has a specific meaning to electrical power engineers, and is not simply a colloquial expression. It seems to be a shorthand reference to the slope of an RPM/current curve of a particular generator-prime energy source configuration.

Thanks again.

Jerry

-- Jerry B (skeptic76@erols.com), November 05, 1999.


Jerry, Your understanding on "Speed Droop" is fairly close. It is a characteristic that is often adjustable within the governor. Here in NZ we have 6% speed droop set on our thermal plant, 4% on some hydro plant, and 3% on the remainder. I believe USA uses an average of 5%.

Malcolm

-- Malcolm Taylor (Taylorm@es.co.nz), November 06, 1999.
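An added worked example, not part of the thread: the droop arithmetic from the posts above, generalised to several machines in parallel. It assumes the standard linear droop model with every machine inside its limits and no secondary control restoring frequency; the machine names, ratings and load steps are constructed, and only the droop percentages (5%, and 6%/4%/3%) come from the posts.

```python
from dataclasses import dataclass


@dataclass
class Generator:
    name: str
    rating_mw: float  # full-load rating (constructed values, not from the thread)
    droop: float      # permanent speed droop as a fraction, e.g. 0.05 for 5%


def frequency_change_pu(gens, load_change_mw):
    """Per-unit frequency change once the governors have settled."""
    # A machine with droop R moves its output by its full rating for a speed
    # change of R, so rating/R is its stiffness in MW per 1.0 pu of frequency.
    stiffness = sum(g.rating_mw / g.droop for g in gens)
    return -load_change_mw / stiffness


def settled_frequency(gens, load_change_mw, nominal_hz):
    """Frequency in Hz after a load step, before any operator correction."""
    return nominal_hz * (1.0 + frequency_change_pu(gens, load_change_mw))


def load_pickup(gens, load_change_mw):
    """MW picked up by each machine; lower droop takes more per MW of rating."""
    df = frequency_change_pu(gens, load_change_mw)
    return {g.name: -df * g.rating_mw / g.droop for g in gens}


# The isolated single-machine case from the thread: 5% droop, demand up by
# 10% of rating, 60 Hz nominal.
ISOLATED = [Generator("unit", 100.0, 0.05)]

# Constructed mixed system using the droop settings quoted for NZ plant.
MIXED = [
    Generator("thermal", 300.0, 0.06),
    Generator("hydro_4pct", 100.0, 0.04),
    Generator("hydro_3pct", 75.0, 0.03),
]

if __name__ == "__main__":
    print(round(settled_frequency(ISOLATED, 10.0, 60.0), 3))  # 59.7
    print(round(settled_frequency(MIXED, 50.0, 50.0), 3))     # 49.75
    print({k: round(v, 2) for k, v in load_pickup(MIXED, 50.0).items()})
```
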


Dear Malcolm, I had posted a question on the front page about frying my refrigerator just as you were writing your primer. Then I found your thread and read it. Instead of ingesting all the details I'm left with some general ideas of where failures might occur and how significant they might be. Like some of the others who responded I wonder how this translates to the United States where the grid is more complex and [they say] more computerized. Perhaps your other readers would agree that it has been virtually impossible to get real answers from the corporate and government representatives here. I gave up and have been left to induction and deduction.

My question: I have a house with a computer and modem, a refrigerator, many lights, an electric oven, a water pump and various other things plugged into the outlet. Would you recommend that I unplug any of these items? For what time period? If a large number of people unplugged would that serve to save their appliances or would that create problems for the system?

I am going to a church meeting Thursday and would like to have your angle by then.

Also, do you have any connections with people like yourself in the U.S. that you could compare notes with?

Thanks. Becky

-- Becky (rmbolte@wvadventures.net), November 09, 1999.


Becky, I can not advise you on what you should or shouldn't do, but I can only provide information as I know it, and from there you must make your own decisions. The USA grid is certainly a lot larger than we have here in NZ, but I do not believe that it is more complex. If you can imagine New Zealand overlaid onto the eastern USA, then our northern extremities would be in Boston, and the southern end of the country would be in Miami. The complexity that we face is that our entire population is less than 4 million people, but 3/4 of these are in the very north of the country, and 2/3 of our electricity generation is in the very south. So we continuously have the situation of transferring electricity long distances to the consumers.

On your comment that USA is more computerised than we are, I must agree. I have been reliably informed by a well qualified person in USA that the American grid does make use of computerised protection to a much greater degree than we do in NZ.

On the matter of your appliances, it appears that you are running very similar appliances to what we are over here. Our house is also on a pump, and we have the same type of electrical loads that you do. During the roll-over my computer will be turned off (I'll be asleep as I'm on duty at the power station early the next morning) but I'll be leaving all other appliances switched on.

The danger to appliances would be that a very high voltage spike could damage sensitive electronics, or a prolonged period of low frequency and voltage could cause damage to motors in appliances such as fridge or freezer. However, if the frequency did stay low for a period of time then it is likely that protection systems would start disconnecting load in order to assist in recovery.

The biggest danger to the grid is if too many consumers decide to shut everything down and hence cause generators to be taken off line. When the same consumers switch back on the generation may not be instantly available, and they may cause the very situation that they hoped to avoid.

Whatever you decide I wish you well.

Malcolm.

-- Malcolm Taylor (taylorm@es.co.nz), November 10, 1999.


To the top.

-- Jerry B (skeptic76@erols.com), November 12, 1999.

Well, Malcolm, as I promised, I've not interrupted throughout your excellent process description, for which I thank you immensely. However, what you say here: "The biggest danger to the grid is if too many consumers decide to shut everything down and hence cause generators to be taken off line. When the same consumers switch back on the generation may not be instantly available, and they may cause the very situation that they hoped to avoid." seems to sum up the primary concern voiced a year ago by a spokesperson for TransAlta Utilities (the company that is purchasing large amounts of food for its employees). The "loss of load" caused by households unplugging their freezers will be a drop in the bucket compared to the corporations shutting down either deliberately or accidentally for rollover.

Public notice has already been given that several chem plants in both Canada and the U.S. plan to shut down for rollover. Rumour is extending the shutdown to all refineries and chem plants. Have you any idea how that scenario will affect the ability of the three North American grids to remain in operation?

And, in a similar vein, what plans are in place to accommodate the aluminum smelter in your country?

-- Rachel Gibson (rgibson@hotmail.com), November 13, 1999.


Rachel, I can not be too sure what effect that the chem plants and refineries shutting down for the roll-over will have on the North American grids. If they just do it in an ad-hoc fashion then it will be very difficult for the grid controllers and dispatchers to maintain a solid and reliable generation profile. However if they co-ordinate with their generation companies in advance then it should not have too great of an effect.

It is actually the domestic demand that will be the hardest to predict, and may swamp the carefully prepared plans of the larger users. That is why I would not recommend that everyone shut down all of their appliances at any given time, or all start them again at some other given time.

Here in New Zealand our large aluminium smelter will continue its normal production right through.

Malcolm.

-- Malcolm Taylor (taylorm@es.co.nz), November 13, 1999.

