Protecting against common mode faults by using different protection relays

Traditionally it is considered preferable to have backup protection for power systems, which should be designed to avoid common-mode failure. Thus a different protection function type, independent sets of CT/VTs, separate relays, a separate auxiliary power supply, etc. are to be considered, albeit not always economically justified depending on the asset being protected.

We are looking at the protection of an asset with main and backup protection on separate multifunction relays; however, the supplier has suggested essentially the same relay for both, using different functions. Is there much merit, these days, in advocating for these relays to be from different manufacturers?

Arguments for are avoiding common mode failures in the device itself (e.g. manufacturing defects or firmware errors) and improving the cybersecurity (less likelihood that both devices will be incidentally compromised and less likelihood that both devices will be exploitable from unpatched vulnerabilities at the same time*) for devices which may be in place for decades.

Arguments against are that it adds complexity for the control scheme (physically and logically, even if they do use a harmonised protocol), and operators would have two different relays to navigate, introducing a risk of human error. Further, on cybersecurity, the easiest and most likely way to cause problems with a compromised relay would be to cause it to trip, and changing the manufacturer of the other device will not prevent that (though it would make it easier to identify post-hoc).

Does anyone have any thoughts on this? Throwing it out there to make sure I'm not discussing it in an echo chamber within the team.

*I am not a cyber-security expert, as I am sure you can tell
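An added illustration, not part of the original post, of how the two arguments above can be put side by side with a beta-factor common-cause model: same-model relays share an extra common-cause fraction (identical hardware/firmware, one unpatched vulnerability hitting both), whereas an unwanted trip from either relay trips the asset whatever the vendor mix. All probabilities and beta fractions are assumed placeholder values, not data from any relay or supplier.

```python
"""Beta-factor comparison of a main/backup relay pair: same model vs diverse vendors.

Constructed illustration; every probability here is an assumed placeholder,
not a measured figure from any relay supplier.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scheme:
    p_fail: float        # per-relay probability of failing to operate on demand (assumed)
    beta_shared: float   # common-cause fraction from shared CT/VT, aux supply, wiring
    beta_design: float   # extra common-cause fraction from identical hardware/firmware
    same_model: bool     # True if main and backup are the same relay from one vendor


def common_cause_fraction(s: Scheme) -> float:
    """Fraction of a relay's failures that also take out its peer."""
    beta = s.beta_shared + (s.beta_design if s.same_model else 0.0)
    return min(beta, 1.0)


def p_both_fail_to_operate(s: Scheme) -> float:
    """Beta-factor model: both relays fail if a common-cause event occurs, or,
    absent such an event, if each relay fails independently."""
    beta = common_cause_fraction(s)
    p_cc = beta * s.p_fail               # failure shared by both relays
    p_ind = (1.0 - beta) * s.p_fail      # failure affecting one relay only
    return p_cc + (1.0 - p_cc) * p_ind ** 2


def p_spurious_trip(p_trip_each: float, n_relays: int = 2) -> float:
    """An unwanted trip by either relay trips the asset, so vendor diversity
    does not reduce this term (the counter-argument in the post)."""
    return 1.0 - (1.0 - p_trip_each) ** n_relays


def diversity_gain(p_fail: float, beta_shared: float, beta_design: float) -> float:
    """Ratio of P(both fail) for same-model relays to P(both fail) for diverse ones."""
    same = Scheme(p_fail, beta_shared, beta_design, same_model=True)
    diverse = Scheme(p_fail, beta_shared, beta_design, same_model=False)
    return p_both_fail_to_operate(same) / p_both_fail_to_operate(diverse)


if __name__ == "__main__":
    for same in (True, False):
        s = Scheme(p_fail=1e-2, beta_shared=0.02, beta_design=0.08, same_model=same)
        print(f"same_model={same}: P(both fail to operate) = {p_both_fail_to_operate(s):.2e}")
    print(f"diversity gain on fail-to-operate: {diversity_gain(1e-2, 0.02, 0.08):.2f}x")
    print(f"P(spurious trip, either relay)  : {p_spurious_trip(1e-3):.2e}")
```

With these placeholder numbers diversity cuts the fail-to-operate term by roughly 3.7x, while the spurious-trip term is identical for both schemes, which is the shape of the trade-off the post describes.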

  • While not quite the same, the use of a common part is certainly a concern for some high power systems, especially khaki coloured ones that get installed and then moved at speed.
    The two competing factors of user familiarity and spares inventory on one side vs security & defence in depth from independent safety chains are something that gets resolved after the failure mode analysis - although for a new system with no real data that may be poor guesses in, poor predictions out.

    The safest system, cyberwise, is one where the external paths are eliminated or reduced to a minimum - perhaps only connected during set up and needing someone to do something physical with a network cable to establish a link, or failing that through some kind of gateway 'data diode' that only lets traffic in (or only out) or maybe only between trusted places. Some commercial installations are truly sloppy in this regard.
    Mike.

  • Thanks Mike

    The safest system, cyberwise, is one where the external paths are eliminated or reduced to a minimum

    I agree. At present the system will be designed with minimum external paths, but they cannot be eliminated (laptops etc.), and there's a strong push towards integrating these devices more directly (with protection of course) into the SCADA, so we are trying to design for that future eventuality.