Why the DG Didn’t Connect and Why That’s Good

Introduction:  I had a colleague who was furious.  He had done trials or been on board a vessel during a fault and the standby diesel generators (DGs) didn’t connect.  “That’s what they are there for and what we depend on.”  I was surprised that he expected the DGs to connect, given the fault, and glad they didn’t try to.  There are a lot of silly assumptions in power management systems (PMSs), and this one is worth looking at.  The opposite of his question was the top electrical guy at a class society asking me how a certain cruise ship could have blacked out.  I’ve been failing to provide the desired answers to questions this week (1, 2, 3), so I will try to keep this short and simple.

Manual Synch:  I used to teach inexperienced, but senior, electricians how to do manual generator synchronization (no protections or automation), so I have seen all sorts of failure modes long before I got into DP.  Fortunately, the equipment was extremely robust, as it was on military vessels and meant to be rocket proof, not just bullet proof (ships made of special steel to withstand rocket fuel fires after the warhead explosion, systems built to keep running).  Generator speed and voltage control was manually adjusted droop, because isoch’s common failure modes weren’t acceptable.  People were taught to adjust the incoming generator’s voltage and speed slightly higher than the online generator(s), watch the synchroscope, get it turning in the right direction and at the right speed, trigger the breaker close when it was about 15 degrees from being matched, and then adjust the speed and voltage for balanced active and reactive power load sharing.  So, I have seen all kinds of malsynchronizations, active and reactive load sharing faults, and blackouts.  Sometimes, everything was all set to close, but there was a sudden load change and the synchronization was thrown off.  The smart people saw the change and backed off to wait for the plant to stabilize, but some people focused on pressing the button and closing the breaker.  You can guess which type had more malsynchronizations and blackouts.  Later on, we had manual permissive, which protected the operator from making mistakes by only allowing breaker closure when the frequency was in range and in synch and the voltage in range.  We discovered that the aggressive button pressers could still sometimes cause blackouts.

Auto Synch:  Modern automatic synchronization replaces the electrician, but still follows the same principles.  It needs to be cautious to avoid mismatches and malsynchronizations.  The incoming voltage needs to be in range and the bus voltage needs to be stable.  The incoming frequency needs to be in range and in synch, and the bus frequency needs to be stable.  The bus isn’t stable during an ongoing fault, so a DG can’t synch onto the switchboard.  If it tries, there is a high chance of malsychonization, and that makes everything worse, so you are stuck with the DGs that you had on the bus when an emergency situation destabilizes the power system.  This could be a voltage, speed, load, or PMS control fault or active load variation, but once it starts, you only have the DGs that you started with.  Split bus sometimes means the problems are only on one bus, but a storm or PMS fault can ruin that assumption.

“Standby”:  A lot of PMS efficiency comes from running minimum DGs with the assumption that DGs can be added when needed.  We just saw some examples where that isn’t true.  PMS is a fair weather friend and so are the standby DGs.  When things get bad, they are not available.  This is why the old hands pre-emptively add DGs as a storm approaches, why they add DGs when they start seeing initial signs of system instability, and why some PMSs start all DGs from some faults and none for even more serious faults.  You don’t want to try to synch onto high THD, pole slips, or very active load faults.  You want to ride through the fault and then add DGs, or clear the board and start again with everything stable (partial or full blackout recovery).  You want the synchronization to be conservative and not make things worse, which means you need to watch for developing problems, and add additional DGs before a fault yourself.  Redundancy costs fuel.  Be willing to pay it.

Standby to Blackout:  So what happened on the cruise ship?  If the synchronizers are conservative for good reason, what went wrong?  The synchronizer and synch check relay were tested and found to be working properly.  That means a couple things could have gone wrong, there was a sudden large load change between the breaker command and physical breaker closure that caused a change in synchronization, the generator breaker was sticky and its closure delayed, or both.  Either way, the oncoming DG closed out of synch with the rest of the DGs, and the resulting power instability blacked out the ship.  Conservative settings are not perfect, and the bus stability, breaker condition, and synchronizer function are vital.  It is good practice to have two separate synch check devices to ensure that malfunction of one cannot cause a malsynchronization.

Conclusion:  PMS assumes standby DGs can start, but they are both fair weather friends, and sometimes the cause of the problem, so watch for developing trouble and add DGs when useful.  Synchronization should be conservative to avoid faults, so some faults will block synchronization when dangerous, but some faults will still occur.  Don’t try to connect a DG when things are too flaky, as you might regret a confused relay granting your wish.  Synch relays, synch check relays, and breakers should be regularly tested and serviced.  Switchboard designers should ensure there is an independent synch check relay in the generator close circuit to prevent malsynchronization from a synchronizer or synch circuit fault.