WO2022200805A1 - Systems and methods for electrification security - Google Patents

Systems and methods for electrification security Download PDF

Info

Publication number
WO2022200805A1
WO2022200805A1 PCT/GB2022/050752 GB2022050752W WO2022200805A1 WO 2022200805 A1 WO2022200805 A1 WO 2022200805A1 GB 2022050752 W GB2022050752 W GB 2022050752W WO 2022200805 A1 WO2022200805 A1 WO 2022200805A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
electrification
control
control system
connection devices
Prior art date
Application number
PCT/GB2022/050752
Other languages
French (fr)
Inventor
Dominic BANHAM-HALL
Steven Pope
Oliver NENADOVIC
Paul Dickens
Original Assignee
Network Rail Infrastructure Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Network Rail Infrastructure Limited filed Critical Network Rail Infrastructure Limited
Publication of WO2022200805A1 publication Critical patent/WO2022200805A1/en

Links

Classifications

    • GPHYSICS
    • G05CONTROLLING; REGULATING
    • G05BCONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B9/00Safety arrangements
    • G05B9/02Safety arrangements electric
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60MPOWER SUPPLY LINES, AND DEVICES ALONG RAILS, FOR ELECTRICALLY- PROPELLED VEHICLES
    • B60M3/00Feeding power to supply lines in contact with collector on vehicles; Arrangements for consuming regenerative power
    • B60M3/04Arrangements for cutting in and out of individual track sections
    • HELECTRICITY
    • H02GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02HEMERGENCY PROTECTIVE CIRCUIT ARRANGEMENTS
    • H02H7/00Emergency protective circuit arrangements specially adapted for specific types of electric machines or apparatus or for sectionalised protection of cable or line systems, and effecting automatic switching in the event of an undesired change from normal working conditions
    • H02H7/22Emergency protective circuit arrangements specially adapted for specific types of electric machines or apparatus or for sectionalised protection of cable or line systems, and effecting automatic switching in the event of an undesired change from normal working conditions for distribution gear, e.g. bus-bar systems; for switching devices

Definitions

  • the present invention is in the field of electrical power supply line safety, for example securely electrically isolating and/or earthing electrical power supply lines, for example for safely carrying out maintenance operations.
  • the invention is applicable to overhead and track based power supply systems and other electrification applications.
  • connection is opened, for example using a circuit breaker driven by an electric motor to drive electrical connectors apart.
  • This is often referred to in this field as a "disconnector”.
  • the terms “connector” and “disconnector” are used interchangeably here and have the same meaning unless otherwise stated.
  • the power to the disconnector motor is cut by an electrical relay.
  • the relay may be remotely controlled, but is more normally locally operated, typically via a low voltage switch control panel.
  • connection between power lines e.g. the disconnector
  • the connection between power lines may be manually operable, possibly with mechanical assistance such as a crank handle or lever, which may be useful if the motor or power supply fails. Therefore an operator may be able to re-apply power manually whilst “lineside”.
  • the disconnector's motor is housed in a cubicle which is locked, usually manually with a padlock, to prevent the lines becoming "live", i.e. carrying current, until the work is completed.
  • the isolation of the power lines is secured by removing power to motorised switch, and further restricting access to manually override the motor.
  • there is a switch in the disconnector's motor cubicle which is turned to "local” control or “off” and padlocked, or there is an on/off button which has a cap padlocked over it.
  • An open/close control signal might be issued for example from a remote terminal unit, described further below, but even it were to do so spuriously, a serial off switch would stop this from having any effect.
  • a problem here is that the motor may be distant from where the work is to take place, for example some kilometres distant, and therefore it would be advantageous if the locking of the motor housing could also be carried out remotely. This introduces new problems in terms of ensuring that the locking and potentially unlocking is achieved in a secure manner, for example resistant to hacking and malfunctioning.
  • Analogous problems may arise when a power line is earthed or otherwise shorted, also for example for safety reasons. In other words it may be desirable to ensure that a power line may not be physically disconnected from earth rather than reconnected to a power supply. In the following, isolation, earthing and other shorting are collectively referred to as electrical connections.
  • W02017000032A1 discloses a remote isolation system and a mobile device for use in such a system.
  • a control system enables remote isolation of equipment from an energy source by one or more mobile isolation devices.
  • an electrification security system for power line connections, the system comprising an electrification control system and a security control system.
  • the electrification control system is configured to control a plurality of connection devices associated with electrical power lines.
  • the security control system is configured to secure the state of connection devices controlled by the electrification control system.
  • the connection devices may for example be to isolate or earth one or more power lines.
  • the connection devices may comprise any of circuit breakers, earth connectors, short circuit connectors and other connectors known in the art of power generation.
  • the connectors may be bi-state devices, e.g. open or closed, or may have more states, for example with the possibility to make more than one connection or disconnection.
  • the electrification control system may be operated in a manner known in the art, for example it may form part of a known Supervisory Control and Data Acquisition "SCADA" system.
  • the security control system may be operated using a mobile device.
  • the isolation itself is not controlled from the mobile device. Rather, the securing of the isolation may be controlled from a mobile device.
  • the mobile device may additionally be used to verify that the isolation has been effected before the securing takes place. Additionally or alternatively the securing of earthing or other state of connection devices may be similarly controlled from the mobile device, with the option to check that the earthing has been effected before the securing takes place.
  • the electrification control system may comprise an electrification control server and the security control system may comprise a security server.
  • the electrification control system may comprise, or be configured to control, multiple electrification control switches operable in response to an instruction from the electrification control server to control respective connection devices.
  • the security control system may comprise, or be configured to control, at least one security switch operable in response to an instruction from the security server to control a respective security device.
  • the electrification control system and the security control system are logically separated. They typically comprise different input devices and operate using separate servers so that the electrification control system cannot be used to control security devices and the security control system cannot be used to control connection devices.
  • the two systems may share a common control unit. Further, the two systems may share a common hardware platform.
  • the security control system may be configured to be remotely operable, for example from a mobile device, such as a smart phone, tablet or any other suitable portable device. These are generally referred to here as "user" devices.
  • the electrification control system may also be remotely operated.
  • the electrification control switches may operate a motorised connector, for example between a power line and a power source or between a power line and earth.
  • a security switch may operate an electrically operated lock, for example to prevent access to the motorised connector. This therefore secures the electrification control system against manual override. Additionally or alternatively a securing switch may operate a relay or circuit breaker to disconnect power from a connector motor.
  • a security device may comprise a lock and relay/circuit breaker operable in tandem, e.g. simultaneously and/or in response to a single control signal, to disconnect power from a motor and prevent manual overriding of the state of one or more connection devices.
  • the system may comprise any number of electrification control switches and security switches, for example for respectively operating a motorised connector and an electrically operated lock. Although they are controlled from separate servers, these switches may be provided in a single control unit.
  • An existing system may be modified by adding a security system as described here.
  • a method of securing the secure the state of connection devices controlled by an electrification security system wherein the electrification security system comprises a plurality of connection devices configured to be controlled by the electrification control system and at least one security device configured to secure the state of one or more connection devices, the method comprising controlling the at least one security device via a dedicated security control server.
  • Figure 1 b shows the cubicle of figure 1 a in more detail.
  • Figures 2a and 2b together form a schematic block diagram of a system according to some embodiments of the invention.
  • FIG 3 shows schematically in more detail the operations of an electrification control server and security control server as shown in figures 2a and 2b.
  • Figure 4 is a schematic diagram showing how connection devices may be controlled by the electrification and security control systems of figures 2 and 3.
  • Figure 5 is a state diagram illustrating a method of operating a security server in a typical use case.
  • Figures 6 to 11 show possible architectures in which systems described here may be implemented.
  • FIG. 1 a shows in perspective a typical lineside disconnector motor cubicle 100 associated with a disconnector 101 in situ at a railway track.
  • Figure 1 b shows the cubicle 100 in more detail .
  • a motor inside the cubicle 100 is arranged to drive the disconnector 101 to open a high voltage electrical circuit.
  • An electrical relay switch is provided in the cubicle 100 to disconnect the motor from its power supply.
  • the relay may be controlled via a control unit and may therefore be remotely controllable, for example by an operator in a control room remote from the disconnector.
  • a switch 102 may be provided on the outside of the cubicle to operate the relay and remove power to the motor. Either way, a padlock may be applied to the cubicle and/or the switch 102 to secure the disconnection.
  • circuit breaker 155 is operable to connect or disconnect positive and negative supply rails 151 , 152 from a power source, not shown. In a typical implementation only one of the positive and negative connections is opened, usually the positive 152.
  • the circuit breaker 155 is operated by a motor 157 when connected to ac power 159.
  • a relay 160 operable from a control unit 170, such as a remote terminal unit "RTU" as is known in the art, is operable to remove power from the motor 157.
  • the cubicle 100 may house the circuit breaker 155, relay 160 and control unit 170 in addition to motor 157. Additionally or alternatively the positive and negative supply rails 151 , 152 may be short circuited by a connector 150, known in the art as a "circuit main short", for reasons including safety of lineside personnel. Connector 150 is shown in figure 4 to be operated by a motor 165 which may also be disconnected from its power supply 167 by a circuit breaker comprising relay 168. Motor 165 and relay 168 may also be housed in the cubicle 100.
  • this padlock may be replaced by an electrically operated lock which may be remotely operated, and one or both of the relay and the lock may be operated from a security control system, which is separate from an electrification control system as known in the art which controls connection/disconnection devices.
  • the remote operation may be via a mobile device.
  • the lock and the relay are combined in a single device which may replace both the relay and the padlock used in existing systems.
  • Connection/disconnection devices are referred to in the following collectively as "connection devices" and include but are not limited to earth connectors, short circuit connectors, and any other kinds of connectors and disconnectors, any of which may be motorised or not.
  • FIGs 2a and 2b show an electrification security system comprising two subsystems, an electrification control system 200 shown on the right and a security control system 300 shown on the left.
  • the electrification control system 200 functions to control electrical isolation of electrical power lines from a source and/or earthing of power lines.
  • the security control system may be configured to control physical access to one or more connection devices controlled by the electrification control system 200, such as motorised connectors and disconnectors, and/or the supply of power to one or motors which operate the connectors and disconnectors.
  • the security control system provides an additional control over access to and/or supply of power to connection devices controlled by the electrification control system.
  • the security control system may control one or more devices referred to here as "security devices".
  • a security device may comprise a device for controlling physical access, such as an electronic lock or bolt, or a relay or circuit breaker for disconnecting power to a connector motor, or a combination of these described further here.
  • the electrification control system 200 and the security control system 300 are logically separated.
  • the two systems may use the same communication channels, with messages for controlling electrical isolation and/or earthing using different headers or being otherwise differentiated from messages for controlling the security system.
  • These and/or any other measures for achieving the logical separation of the systems may ensure that instructions for the control of electrification are not acted on in the security system 300 and messages for the control of securing connections or disconnections are not acted on in the electrification control system 200, which could otherwise happen as a result of configuration errors or noise for example.
  • the electrification control system 200 may comprise or form part of a SCADA system as is known in the art.
  • the electrification control system 200 is shown to comprise an electrification control server 250, and electrification switches provided in a control unit 270, such as the RTU described with reference to figure 4. In the following it is assumed that multiple electrification switches are provided in the control unit 270, each of which may control a respective connection device.
  • the electrificaton switches in control unit 270 are operable in response to an instruction from the electrification control server 250.
  • Each electrification switch comprised in the control unit 270 may control a connector such a motorised disconnector, indicated at 280 in figure 2b or a circuit breaker of the kind described with reference to figure 4 or any other power line connector as is known in the art.
  • the security control system 300 is shown to comprise a security control server 350 and a security switch provided in the control unit 270 which as noted above may be a RTU as is known in the art.
  • a security switch is operable to operate a security device such as a lock to prevent access to one or more connection devices such as motorised disconnectors 280 or earth connectors, not shown, or a relay to remove power from a motor that drives a connector, or a combined lock/relay as described further here.
  • the lock may be for example a lock on a cubicle 100 housing the motorised connector(s).
  • a single security switch may be used to secure multiple isolations or earth connections or both, e.g. for multiple power lines.
  • Embodiments of the invention provide an electrification security system, and a method which comprises controlling at least one security device via a dedicated security control server such as the security control server 350. Any one or more of the functions of the security control server 350 described in the following may be included in a method according to the invention.
  • the electrification control system 200 may be overseen by an electrical control operator "ECO" 201 , shown in figure 2a, for example in a control room provided with equipment including displays 203 of the status of power lines in the network, computing devices and a user interface, not shown.
  • the control room equipment is connected to the electrification control server 250 via a local area network "LAN" 210 with firewalls 206, 212 at the interfaces between the LAN 210 and the control room equipment and server 250 respectively.
  • LAN 210 may be a fixed telecommunications network "FTN" and may be proprietary to the rail transport network or other environment in which the system is implemented. For example the FTN may be part of the existing SCADA infrastructure.
  • the system of figures 2a and 2b including the electrification control system 200 and the security control system 300 may comprise part of, or be integrated into, a centralised management system such as a Traction Power Centralised Management System "TPCMS" as is known in the rail transport industry.
  • TPCMS Traction Power Centralised Management System
  • the server 250 may take the form of a TPCMS server, optionally a virtual server.
  • Server 250 is thus shown to include, or be configured to provide, known components indicated at 251 , a database viewer 252, electrification switches control 253, a client interface 254 to the security control server 350 and communications hand off 255, for example Open Platform Communications "OPC" Unified Architecture hand off.
  • OPC Open Platform Communications
  • the security server 350 is configured to control remote securing and may also comprise a virtual server.
  • the electrification control server 250 and the security server may be provided in the same physical computing system but be logically separated.
  • the security server 350 may perform functions of isolation management as indicated at 351 and/or other connection management, not shown. It will be appreciated that the security server may be configured to communicate with multiple user devices 303 operated by multiple users such as lineside operator 301 . Thus the security server 350 is shown to include user management services 352 and user device management services 353 as is known in servers that communicate with multiple user devices operated by multiple users.
  • Security server 350 is shown to provide a server interface 354 to the server 250, complementary to client interface 254 in server 250, and communications hand-off 355 similar to hand off 255 in the electrification control server 250.
  • the security server 350 of figure 2a is configured to provide a mobile server 356 serving an application that may be installed on mobile devices 303 to enable the security control system to be operated from a mobile device.
  • each mobile device 303 is configured to communicate only with the security server and not with the electrification control server 250, so that control of securing is separated from control of the electrification such as isolation and/or earthing.
  • the electrification control server 250 and the security server 350 may be configured to perform other functions in addition to those shown that are not material to the present invention.
  • the security server 350 is configured as a client of the electrification control server 250. Both servers 250 and 350 have access to a common database 400.
  • the electrification control system 200 and the security control system 350 are shown to comprise an instance of a driver server 260, 360, shown as a Distributed Network Protocol 3 "DNP3" driver server.
  • a driver server 260, 360 shown as a Distributed Network Protocol 3 "DNP3" driver server.
  • Any suitable network protocol may be used. It should be noted here that it is not essential to provide separate driver servers for the electrification and security control systems. The logical separation of the respective systems can be achieved through the use of different headers in the DNP3 or other network protocol messages and this can be achieved for example using separate drivers which need not be on separate servers. Therefore instances of "driver server” may be replaced by "driver”. Each driver may provide an interface with switches in the control unit 270 associated with the electrification and security control systems respectively.
  • the driver servers 260, 360 communicate with the control unit 270 via the FTN 265 using separate communication channels, optionally via the same physical connections.
  • FTN 265 and LAN 210 may be the same or different communications networks to the field, e.g. lineside.
  • Firewalls 261 and 269 are positioned respectively between the driver servers 260, 360 and the FTN 265 and the FTN 265 and the control unit 270.
  • Each driver server may be comprised in the respective electrification control server or security control server.
  • the driver servers 260, 360 interface between the software operating on the electrification control server or security control server (e.g. using open platform communications "OPC") and a language that the RTUs understand (e.g. DNP3) combined with handling the sending and receiving of messages.
  • OPC open platform communications
  • the control unit 270 in the illustrated system comprises electrification switches such as isolation switches and earthing switches operable in response to an instruction from the electrification control server 200, which may have been instigated automatically or by the ECO 201 using control room equipment.
  • the control unit 270 may convert digital communications from a server, such as electrification server 250 and/or security server 350 or their respective driver servers 260. 360, to hard-wired or analogue outputs.
  • the electrification switches such as isolation switches and/or earthing switches operate one or more power line connectors, for example between a power line and a power source or earth. They may be configured in a one to one relationship such that one switch controls one connector, or any other relationship suitable to the application it is possible for only one isolation switch or only one earth switch to be provided. In other words systems described here are not limited to multiple electrical connections.
  • the control unit 270 further comprises at least one security switch operable in response to an instruction from the security server 300 instigated from mobile device 303.
  • the security switch is configured to secure the state of a corresponding connection device, for example to operate a lock to prevent access to one or more power line connectors and/or operate a relay to disconnect power from a connection device motor.
  • More than one security switch may be provided in the control unit 270. Each security switch may control a single connection device, or any other configuration of connection devices and switches may be implemented as required.
  • a security device controlled by a security switch may be operated to prevent access to one disconnector controlled by an electrification control switch and/or remove power from a motor operating disconnector.
  • a security device controlled by a security switch may be operated to prevent access to multiple disconnectors controlled by respective electrification control switches and/or remove power from multiple motors operating corresponding disconnectors.
  • Other relationships will be familiar to those skilled in the art. These will depend on the physical relationship between the connection devices controlled by the security switches and the electrification switches, for example locks or relays controlled by security control switches and disconnectors controlled by electrification control switches and housed in cubicles locked by the locks.
  • control unit 270 may be in direct communication with the devices controlled by the switches comprised in it.
  • an additional control unit 279 may be provided between the control unit 270 and the controlled connection devices. This may be for example an intelligent electronic device "IED" as is known in the art which may perform some of the functions of the control unit 270 and/or additional electrical protection functions.
  • IED intelligent electronic device
  • FIG 2b an additional control unit is shown as part of the electrification control system only. It is equally possible for an additional control unit to be provided as part of the security control system 300, optionally in a combined unit similar to the combined control unit 270.
  • Figure 2b shows a disconnector 280 which may be housed in a cubicle 100 which may be locked by a lock controlled by a security control switch.
  • the disconnector is controlled by the electrification control system and the lock is controlled by the security control system.
  • control room equipment need not be fixed and may also be replaced by one or more mobile devices.
  • operation of the electrification control system 200 is separate from the security control system, so that, for example, the mobile device 303 cannot be used to operate the electrification control system 200, and the control room or other equipment used to operate the electrification control system 200 cannot also be used to operate the security control system 300.
  • the ECO may be notified, typically via a written set of instructions, that the power lines are to be isolated, and will operate the control room equipment to send a message to the electrification control server 250 that the lines are to be isolated.
  • the electrification control server 250 sends a message to the control unit 270 to operate isolation switches comprised in the control unit corresponding to the identified power lines.
  • the isolation switches may be binary switches whose state is changed in response to the message from the electrification control server 250.
  • the change in state of an isolation switch in control unit 270 enables the operation of a motor in a motorised disconnector to physically isolate an identified power line. More usually, an "isolation" may require communication with multiple control units, with one control unit at each site. One or more of these control units may operate in the same manner as control unit 270 and comprise both electrification control switches and at least one security switch.
  • the ECO 201 As well as initiating the isolation, the ECO 201 notifies the lineside operator 301 of the isolation of the identified power lines. This would usually take place after the ECO has confirmation via the control room equipment that the isolation is complete.
  • the lineside operator has no control over the isolation itself.
  • the security server 350 has access to the database 400.
  • the lineside operator may use mobile device 303 querying security server 350 to consult the database 400 as to the isolation status of identified power lines.
  • the lineside operator 303 may instruct operation of the lock on the cubicle housing the disconnectors corresponding to the identified power lines after checking that the identified power lines are isolated.
  • the mobile device 303 receives read only indications from the isolation system. Also since the server is not able to control the isolation switches it has read only access to data in the database relating to the status of the isolation switches and optionally other components of the isolation system.
  • the operations controllable from the mobile device 303 may be limited to the control of a lock, e.g. an electromechanical lock, through the security control system which is a secondary independent control system to the electrification control system.
  • the systems described here are equally applicable to alternating current AC and direct current DC systems. They are particularly useful in high voltage systems, for example 750V DC or higher or 10KV AC or higher.
  • a system as shown in figures 2a and 2b may be implemented with little or no modification to an existing isolation/earthing system.
  • the security system may be provided as an add-on requiring nothing more than access to the security system database containing the status of the isolation and/or earthing switches.
  • the application server 500 is shown to perform functions of client interface proxy 510, securing functions proxy 511 , component update 512, Display control 513 and management system controls 514.
  • the security system server 600 is shown to perform functions of server interface proxy 610, isolation management 611 , user device manager 612, user manager 613, security device manager 614 and page management 615.
  • a possible message flow between items shown in figure 3 will now be described. This flow does not necessarily represent a chronological order of messages since, for example, messages may be delayed and the transmission of some messages does not necessarily require the receipt of others. This is further illustrated by the state diagram shown in figure 5 and described further below.
  • the example message flow is for sending a securing/unsecuring command to items in the field, e.g. connectors, disconnectors etc. as described elsewhere here.
  • a command [1] is transmitted from the mobile device client to the security server 600. This may be for example to secure multiple isolations and/or earth connections although it is possible in some systems for isolations and/or earth connections to be secured one at a time. Thus the command will usually identify multiple connection devices to be secured.
  • the command from the mobile device is routed [2] to the page manager 615, the page manager 615 identifies the mobile device and routes the command [3] to the user device manager 612.
  • the user device manager queries the database 400 [4] for the user device from which the command [1] was received and the database confirms [4] that the user device is approved.
  • An inhibit is written [7] to the application server 500 via the respective interface proxies 610, 710.
  • the inhibit relates to the connection devices identified in the initial command [1] and is acted on by the application server 500 to prevent the connect/disconnect status of the identified connection devices from being changed by the electrification control system.
  • the option to change the status of the identified devices may be disabled at the application client 502.
  • the component update function 512 is notified [8] of the inhibit.
  • the display control 512 is notified [9] of the inhibit, for example via the component update function.
  • a display may be updated to show that “Primary” (i.e. Server only) securing has been applied if the corresponding connection device has not yet been secured according to the command.
  • the electrification control server 500 confirms [10] to the security server 600, for example via respective interface proxies 510, 610 that the inhibit has been applied in the database.
  • the inhibit is translated to a command [11] to the connection device manager and the Isolation manager 611 .
  • the isolation manager 611 confirms the command [12] back to the database 400.
  • a database event log is updated [12], for example to confirm the command or any alarms described further below.
  • the database changes are enunciated [13] to the display control 513.
  • a screen update [14] is sent to the management system controls 514.
  • the screen update is sent to the ECO 201 , for example via an ECO workstation server [15] to the ECO's screen [16].
  • FIG 4 is a schematic diagram showing how connection devices may be controlled by the electrification and security control systems. Components shown in figures 2, 3 and 4 are indicated by the same reference numerals.
  • the security device manager 614 is shown to communicate with an OPC server 750 serving as protocol translator between the security device manager 614 and the control unit 270.
  • the control unit 270 is shown to comprise two RTUs which may comprise respective switches controlling security control devices and connection devices respectively. It is not necessary for the switches to be grouped in this way.
  • control unit 270 may validate the Master address in a command is the same as that for the security server and act on a command accordingly.
  • the control unit may be configured to only permit write controls from the security server to devices controlled by the security server and not to devices controlled by the electrification server.
  • a security device is an electrically operated lock.
  • a lock may be arranged to prevent physical access to the connection device which it secures, which in the example of figure 4 is the connector 150.
  • a relay which controls the power to a motor which operates a connection device may be controlled by the security system and form a security device as defined here, in addition to or alternatively to a lock.
  • a combined device comprising a lock and a relay configured to be operated simultaneously, which may be termed a disconnector lockout relay "DLR".
  • This combined device may be a bi-stable device in which in one state the lock and relay are operated to both prevent physical access and remove power from the motor, and in the other state allow physical access and connect power to the motor.
  • the combined device may be constructed from commonly available components and is readily configurable by a person skilled in the art.
  • Figure 4 shows only one security device for the sake of clarity but it will be appreciated that many security devices may be controlled from the same security system 300 in the same way that many connectors may be controlled from the same electrification system 200.
  • a DLR 800 is provided as a security device operable by the security system 300 to secure the connector 150, and another relay 160 is configured to be controlled by the electrification control system.
  • the connector 150 is secured by the DLR 800 but the motor 157 is not secured. It will be appreciated that the systems described here may be used to achieve any combination of secured and unsecured devices according to particular security requirements.
  • the securing of a connection or disconnection may be subject to some conditions.
  • a system may be configured such that remote securing is only possible if an earth/short indication to the security system server is valid, of good quality, and recent e.g. received within a preset time period.
  • This is an example and other conditions may be placed on the securing described here as appropriate to the application. Where such conditions are present, securing may be inhibited to the security system so that the operations from [1] onwards are only available when these conditions are met.
  • the system may be configured such that some conditions reported to the security system are alerted to the electrification system, as indicated by the alarm shown in figure 4.
  • An open or close command may be transmitted [20] from the electrification server 500 to the control unit 270 and the control unit 270 acts on the command to open the circuit breaker 155 [21] and operate the short circuit 150 [22]
  • the status of the circuit breaker 155 is reported back [23] to the control unit 270 and then [24] to the application server.
  • the status of the short circuit 150 is reported back to the control unit 270 [25] and from there to the security server 600.
  • the short circuit 150 is secured under the control of the security system 300 via security server 600.
  • the status of the short circuit 150 is reported to the control unit 270 [27] and the status of the combined security device 800 is reported to the control unit 270 [26].
  • a command to secure the short circuit is transmitted from the security server 600, in this example via the security device manager 614.
  • the control unit 270 outputs a securing command [26] to a DLR 800.
  • the DLR 800 reports its status e.g. "secured” to the control unit 270 [27]
  • the control unit is polled by or reports securing events to the security server 600 via the overhead power connection server 750 that a securing change of state has occurred.
  • Figure 5 is a state diagram for the security server 350/600 illustrating a method of operating a security server in a typical use case.
  • the term "isolation” is used but it will be appreciated that this is equally applicable to earthing or any other kind of connection described here.
  • user such as lineside operator 301 selects an isolation using a mobile device 303 and the server 600 receives the request for the isolation.
  • the request may refer to a single connection device but more usually it will identify a list of multiple connection devices to be secured, for example but not necessarily simultaneously.
  • the isolation relates to multiple connection devices.
  • the user is able to view via the mobile device 303 the status of the isolation, for example the open/closed status of the corresponding connection devices. At this stage the user can confirm the connection device list.
  • the server is either in state 52, awaiting confirmation of the connection device, or state 53 where the list of connection devices has been confirmed.
  • the user may at this stage confirm the connection device list, indicating that these devices are to be secured.
  • state 53 securing of the devices in the connection device list may be requested, again via the mobile device 303.
  • state 54 where the securing has not yet been requested by the user, the possibility to request the securing may be available or inhibited/disabled, for example depending on the open/close status of the corresponding connection devices, as indicated by state 56, or available as indicated by state 55 in which case the user can request remote securing, e.g. operation of corresponding security devices.
  • state 57 the requested securing is complete and at state 58 unsecuring is now possible. If remote securing is not complete the server may be in state 59 awaiting a feedback, e.g. confirmation that the securing is to be completed.
  • connection devices In order for securing to be carried out, in the systems shown here, connection devices have to have an inhibit applied, for example at the request of the ECO, and then they need to be reported to or accessible by the security control server with a unique identifier for the isolation or other state resulting from operation of the connection device.
  • connection devices and security devices are possible with any of the systems and methods described here.
  • Figure 4 shows one example, more are illustrated in figures 6 to 11 , others will become apparent to those skilled in the art.
  • a number of signal paths are indicated as follows: [00107] 1 a - SILO (safety integrity level 0) TPCMS Control Commands
  • FIG. 6 shows a possible AC architecture in which a control unit, designated as an RTU, communicates with two DLRs.
  • Each DLR may comprise a relay and lock configured to operate simultaneously under the control of the RTU.
  • any of a circuit breaker for AC, disconnector for DC and circuit main earth may be operated in the usual way by an electrification control system.
  • Two DLRs are provided to disconnect power from respective motors, one of which drives the circuit main earth and the other of which drives the disconnector.
  • the DLRs are examples of security devices that may be controlled by a security control system as described here.
  • circuit breakers for AC and DC as well as the circuit main earth may be controlled from one server forming part of an electrification control system, while the DLRs are controlled from a separate server forming part of a security control system.
  • the RTU may be part of a common control unit such as the control unit 270 of figure 2a which serves both the electrification control system and the security system.
  • FIG. 7 shows a possible AC architecture with substation RTU and legacy point to point "P2P" arrangement.
  • the control functions of the security control system, as well as optionally the electrification control system are shared over two different physical locations, one of which is lineside for example near a motorised overhead line switch "MOS" and the other of which may be further away.
  • a disconnector for DC and a circuit main earth are controlled by an electrification control system and DLRs for their respective motors are controlled by a separate security control system in a similar manner to the architecture of figure 6.
  • Figure 8 shows a possible AC architecture in which circuit breakers and a circuit main earth are controlled in a similar manner to the architecture of figure 6 from a substation, which need not be lineside.
  • a circuit breaker for DC and associated circuit main earth may be controlled in a similar manner to the architecture of figure 7.
  • Figure 9 shows a possible AC architecture with implementation of small RTUs with a three- position switch configuration.
  • the three-position switch may be controlled by an electrification control system as described here and power to a motor controlling the three position switch may be controlled by a security control system as described here.
  • Figure 10 shows a possible DC track feeder switch architecture in which a circuit breaker "CB" is controlled from a control substation and a disconnector and circuit main short are controlled from a separate control panel. Flere only the disconnector and circuit main short have an associated DLR that is controlled from a security control system as described here.
  • FIG 11 shows a possible DC negative short circuiting device "NSCD” Architecture with RTU.
  • a connector device in the form of a circuit main short has an associated DLR that is controlled from a security control system as described here.
  • a separate circuit breaker is outside the control of the security control system.
  • the position of the Circuit Main Short/NSCD can be used as an interlock to prevent the associated circuit breaker "CB" being closed.
  • any of the architectures shown in figure 4 and figures 6 to 11 a minimum number of DLRs and associated connection devices such as but not limited to circuit breakers, disconnectors and circuit main earths, is shown for purposes of clarity. It will be appreciated that a plurality of any of these kinds of devices may be controlled from an electrification control system and a security control system respectively.
  • a system may comprise a plurality of connector devices with one or more having an associated security device and at least one connector device that does not have an associated security device. Also some devices as described here may function as either a connector device or a security device.
  • figure 4 shows a relay 160 controlled by the electrification control system and therefore functioning as a connection device, as well as relay 168 controlled by the security control system.
  • an existing electrification security system may be modified to obtain the benefits of the systems described here.
  • a dedicated security control server may be used to control the at least one security device.
  • any of the systems described here may be configured to enable multiple connections and/or disconnections to be secured at the same time, for example as indicated in the device list described with reference to figure 5. Therefore multiple connections or disconnections may be secured with one user input on a mobile device, e.g. operation of one key. Therefore not only may the securing be performed remotely but also several securing operations may be accomplished simultaneously.
  • a security control server separate from the electrification control server enables the electrification and security to be decoupled.
  • One of many advantages of this separation is that it facilitates management of control of the security, for example a mobile device and/or user may be readily blocked from operating the security control system, independently of the electrification control system.
  • Any of the servers described here may be implemented in a computing system as is known in the art.
  • Any of the computing systems described herein may be combined in a single computing system with multiple functions, unless otherwise stated. Similarly the functions of any of the computing systems described herein may be distributed across multiple computing systems.
  • Some operations of the methods described herein may be performed by software in machine readable form e.g. in the form of a computer program comprising computer program code.
  • a computer readable medium which when implemented in a computing system cause the system to perform some or all of the operations of any of the methods described herein.
  • the computer readable medium may be in transitory or tangible (or non-transitory) form such as storage media include disks, thumb drives, memory cards etc.
  • the software can be suitable for execution on a parallel processor or a serial processor such that the method steps may be carried out in any suitable order, or simultaneously.
  • This application acknowledges that firmware and software can be valuable, separately tradable commodities. It is intended to encompass software, which runs on or controls “dumb” or standard hardware, to carry out the desired functions. It is also intended to encompass software which “describes” or defines the configuration of hardware, such as HDL (hardware description language) software, as is used for designing silicon chips, or for configuring universal programmable chips, to carry out desired functions.
  • HDL hardware description language

Landscapes

  • Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Mechanical Engineering (AREA)
  • Remote Monitoring And Control Of Power-Distribution Networks (AREA)

Abstract

A system and method for securing the isolation or earthing of one or more electrical power lines comprises an electrification control system and a security control system. The electrification control system is configured to enable automated isolation of one or more of the power lines from a power source and/or automated earthing of one or more of the power lines. The security control system is configured to secure the isolation/earthing by the electrification control system. The two systems are logically separated and the security system may be accessible from a mobile device.

Description

SYSTEMS AND METHODS FOR ELECTRIFICATION SECURITY
[0001] The present invention is in the field of electrical power supply line safety, for example securely electrically isolating and/or earthing electrical power supply lines, for example for safely carrying out maintenance operations. The invention is applicable to overhead and track based power supply systems and other electrification applications.
Background
[0002] Currently, in order to interrupt power supplied by power lines, for example overhead power lines or electrified tracks, an electrical connection is opened, for example using a circuit breaker driven by an electric motor to drive electrical connectors apart. This is often referred to in this field as a "disconnector". The terms "connector" and "disconnector" are used interchangeably here and have the same meaning unless otherwise stated.
[0003] In some known installations, to ensure that the power cannot be reapplied, the power to the disconnector motor is cut by an electrical relay. The relay may be remotely controlled, but is more normally locally operated, typically via a low voltage switch control panel.
[0004] Typically the connection between power lines, e.g. the disconnector, may be manually operable, possibly with mechanical assistance such as a crank handle or lever, which may be useful if the motor or power supply fails. Therefore an operator may be able to re-apply power manually whilst "lineside".
[0005] In some circumstances, such as when carrying out maintenance work on the lines, additional measures are required to prevent line connections from being re-connected. In some known installations, the disconnector's motor is housed in a cubicle which is locked, usually manually with a padlock, to prevent the lines becoming "live", i.e. carrying current, until the work is completed. Thus the isolation of the power lines is secured by removing power to motorised switch, and further restricting access to manually override the motor. In other possible scenarios, there is a switch in the disconnector's motor cubicle, which is turned to "local" control or "off" and padlocked, or there is an on/off button which has a cap padlocked over it. An open/close control signal might be issued for example from a remote terminal unit, described further below, but even it were to do so spuriously, a serial off switch would stop this from having any effect.
[0006] A problem here is that the motor may be distant from where the work is to take place, for example some kilometres distant, and therefore it would be advantageous if the locking of the motor housing could also be carried out remotely. This introduces new problems in terms of ensuring that the locking and potentially unlocking is achieved in a secure manner, for example resistant to hacking and malfunctioning. [0007] Analogous problems may arise when a power line is earthed or otherwise shorted, also for example for safety reasons. In other words it may be desirable to ensure that a power line may not be physically disconnected from earth rather than reconnected to a power supply. In the following, isolation, earthing and other shorting are collectively referred to as electrical connections.
[0008] W02017000032A1 discloses a remote isolation system and a mobile device for use in such a system. Here, a control system enables remote isolation of equipment from an energy source by one or more mobile isolation devices.
[0009] Some embodiments of the invention described below solve some of these problems. However the invention is not limited to solutions to these problems and some embodiments of the invention solve other problems.
Summary
[0010] This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to determine the scope of the claimed subject matter.
[0011] In a first aspect there is provided in the following an electrification security system for power line connections, the system comprising an electrification control system and a security control system. The electrification control system is configured to control a plurality of connection devices associated with electrical power lines. The security control system is configured to secure the state of connection devices controlled by the electrification control system. The connection devices may for example be to isolate or earth one or more power lines. The connection devices may comprise any of circuit breakers, earth connectors, short circuit connectors and other connectors known in the art of power generation. The connectors may be bi-state devices, e.g. open or closed, or may have more states, for example with the possibility to make more than one connection or disconnection.
[0012] The electrification control system may be operated in a manner known in the art, for example it may form part of a known Supervisory Control and Data Acquisition "SCADA" system. The security control system may be operated using a mobile device. Thus in some of the systems described here, in contrast to the system described in W02017000032A1 , the isolation itself is not controlled from the mobile device. Rather, the securing of the isolation may be controlled from a mobile device. The mobile device may additionally be used to verify that the isolation has been effected before the securing takes place. Additionally or alternatively the securing of earthing or other state of connection devices may be similarly controlled from the mobile device, with the option to check that the earthing has been effected before the securing takes place. [0013] The electrification control system may comprise an electrification control server and the security control system may comprise a security server. The electrification control system may comprise, or be configured to control, multiple electrification control switches operable in response to an instruction from the electrification control server to control respective connection devices. The security control system may comprise, or be configured to control, at least one security switch operable in response to an instruction from the security server to control a respective security device.
[0014] In the systems described here, the electrification control system and the security control system are logically separated. They typically comprise different input devices and operate using separate servers so that the electrification control system cannot be used to control security devices and the security control system cannot be used to control connection devices. However the two systems may share a common control unit. Further, the two systems may share a common hardware platform.
[0015] The security control system may be configured to be remotely operable, for example from a mobile device, such as a smart phone, tablet or any other suitable portable device. These are generally referred to here as "user" devices. The electrification control system may also be remotely operated.
[0016] As with known isolation systems, the electrification control switches may operate a motorised connector, for example between a power line and a power source or between a power line and earth.
[0017] A security switch may operate an electrically operated lock, for example to prevent access to the motorised connector. This therefore secures the electrification control system against manual override. Additionally or alternatively a securing switch may operate a relay or circuit breaker to disconnect power from a connector motor. A security device may comprise a lock and relay/circuit breaker operable in tandem, e.g. simultaneously and/or in response to a single control signal, to disconnect power from a motor and prevent manual overriding of the state of one or more connection devices.
[0018] Notably the system may comprise any number of electrification control switches and security switches, for example for respectively operating a motorised connector and an electrically operated lock. Although they are controlled from separate servers, these switches may be provided in a single control unit.
[0019] An existing system may be modified by adding a security system as described here. Thus in another aspect there is provided here a method of securing the secure the state of connection devices controlled by an electrification security system, wherein the electrification security system comprises a plurality of connection devices configured to be controlled by the electrification control system and at least one security device configured to secure the state of one or more connection devices, the method comprising controlling the at least one security device via a dedicated security control server.
[0020] Features of different aspects and embodiments of the invention may be combined as appropriate, as would be apparent to a skilled person, and may be combined with any of the aspects of the invention.
Brief Description of the Drawings
[0021] Embodiments of the invention will be described, by way of example only and with reference to the following drawings, in which:
[0022] Figure 1 a shows in perspective a typical lineside disconnector motor cubicle 100 in situ at a railway track.
[0023] Figure 1 b shows the cubicle of figure 1 a in more detail.
[0024] Figures 2a and 2b together form a schematic block diagram of a system according to some embodiments of the invention.
[0025] Figure 3 shows schematically in more detail the operations of an electrification control server and security control server as shown in figures 2a and 2b.
[0026] Figure 4 is a schematic diagram showing how connection devices may be controlled by the electrification and security control systems of figures 2 and 3.
[0027] Figure 5 is a state diagram illustrating a method of operating a security server in a typical use case. [0028] Figures 6 to 11 show possible architectures in which systems described here may be implemented.
[0029] Common reference numerals are used throughout the figures to indicate similar features.
Detailed Description
[0030] Embodiments of the present invention are described below by way of example only. These examples represent the best ways of putting the invention into practice that are currently known to the applicant although they are not the only ways in which this could be achieved.
[0031] Figure 1 a shows in perspective a typical lineside disconnector motor cubicle 100 associated with a disconnector 101 in situ at a railway track. Figure 1 b shows the cubicle 100 in more detail . A motor inside the cubicle 100 is arranged to drive the disconnector 101 to open a high voltage electrical circuit. An electrical relay switch is provided in the cubicle 100 to disconnect the motor from its power supply. The relay may be controlled via a control unit and may therefore be remotely controllable, for example by an operator in a control room remote from the disconnector. Alternatively a switch 102 may be provided on the outside of the cubicle to operate the relay and remove power to the motor. Either way, a padlock may be applied to the cubicle and/or the switch 102 to secure the disconnection.
[0032] The foregoing is illustrated in the form of a circuit diagram in figure 4 which shows components which might be provided in an electrification substation 130. Here a connector in the form of circuit breaker 155 is operable to connect or disconnect positive and negative supply rails 151 , 152 from a power source, not shown. In a typical implementation only one of the positive and negative connections is opened, usually the positive 152. The circuit breaker 155 is operated by a motor 157 when connected to ac power 159. A relay 160 operable from a control unit 170, such as a remote terminal unit "RTU" as is known in the art, is operable to remove power from the motor 157. The cubicle 100 may house the circuit breaker 155, relay 160 and control unit 170 in addition to motor 157. Additionally or alternatively the positive and negative supply rails 151 , 152 may be short circuited by a connector 150, known in the art as a "circuit main short", for reasons including safety of lineside personnel. Connector 150 is shown in figure 4 to be operated by a motor 165 which may also be disconnected from its power supply 167 by a circuit breaker comprising relay 168. Motor 165 and relay 168 may also be housed in the cubicle 100.
[0033] In the systems to be described further below, this padlock may be replaced by an electrically operated lock which may be remotely operated, and one or both of the relay and the lock may be operated from a security control system, which is separate from an electrification control system as known in the art which controls connection/disconnection devices. The remote operation may be via a mobile device. In some implementations, the lock and the relay are combined in a single device which may replace both the relay and the padlock used in existing systems. Connection/disconnection devices are referred to in the following collectively as "connection devices" and include but are not limited to earth connectors, short circuit connectors, and any other kinds of connectors and disconnectors, any of which may be motorised or not.
[0034] An electrification security system and methods for securing the state of connection devices controlled by an electrification control system will now be described with reference to figures 2a, 2b and 3 to 11 .
[0035] Figures 2a and 2b show an electrification security system comprising two subsystems, an electrification control system 200 shown on the right and a security control system 300 shown on the left. The electrification control system 200 functions to control electrical isolation of electrical power lines from a source and/or earthing of power lines. The security control system may be configured to control physical access to one or more connection devices controlled by the electrification control system 200, such as motorised connectors and disconnectors, and/or the supply of power to one or motors which operate the connectors and disconnectors. Thus, while access to the electrification control system 200 may be controlled in various ways such as using software and user authentication for example, the security control system provides an additional control over access to and/or supply of power to connection devices controlled by the electrification control system. For this purpose the security control system may control one or more devices referred to here as "security devices". A security device may comprise a device for controlling physical access, such as an electronic lock or bolt, or a relay or circuit breaker for disconnecting power to a connector motor, or a combination of these described further here.
[0036] The electrification control system 200 and the security control system 300 are logically separated. For example, the two systems may use the same communication channels, with messages for controlling electrical isolation and/or earthing using different headers or being otherwise differentiated from messages for controlling the security system. These and/or any other measures for achieving the logical separation of the systems may ensure that instructions for the control of electrification are not acted on in the security system 300 and messages for the control of securing connections or disconnections are not acted on in the electrification control system 200, which could otherwise happen as a result of configuration errors or noise for example.
[0037] The electrification control system 200 may comprise or form part of a SCADA system as is known in the art. The electrification control system 200 is shown to comprise an electrification control server 250, and electrification switches provided in a control unit 270, such as the RTU described with reference to figure 4. In the following it is assumed that multiple electrification switches are provided in the control unit 270, each of which may control a respective connection device. The electrificaton switches in control unit 270 are operable in response to an instruction from the electrification control server 250. Each electrification switch comprised in the control unit 270 may control a connector such a motorised disconnector, indicated at 280 in figure 2b or a circuit breaker of the kind described with reference to figure 4 or any other power line connector as is known in the art.
[0038] The security control system 300 is shown to comprise a security control server 350 and a security switch provided in the control unit 270 which as noted above may be a RTU as is known in the art. In a typical system multiple security switches may be provided. Each security switch is operable to operate a security device such as a lock to prevent access to one or more connection devices such as motorised disconnectors 280 or earth connectors, not shown, or a relay to remove power from a motor that drives a connector, or a combined lock/relay as described further here. The lock may be for example a lock on a cubicle 100 housing the motorised connector(s). Thus in some systems a single security switch may be used to secure multiple isolations or earth connections or both, e.g. for multiple power lines. [0039] Embodiments of the invention provide an electrification security system, and a method which comprises controlling at least one security device via a dedicated security control server such as the security control server 350. Any one or more of the functions of the security control server 350 described in the following may be included in a method according to the invention.
[0040] Further components and the operation of the system shown in figures 2a and 2b will now be described in more detail with reference to the control of power to lines in a rail transport network. However it will be appreciated that similar systems may be used to control and secure the electrical isolation or earthing of any kind of power line or component.
[0041] In figures 2a and 2b operational communication paths that may be implemented in a known SCADA system are shown in solid lines, communication paths for implementation of remote securing are shown in long dashed lines, management interfacing communications are shown in short dashed lines and person to person communications are shown by a dotted line.
[0042] The electrification control system 200 may be overseen by an electrical control operator "ECO" 201 , shown in figure 2a, for example in a control room provided with equipment including displays 203 of the status of power lines in the network, computing devices and a user interface, not shown. The control room equipment is connected to the electrification control server 250 via a local area network "LAN" 210 with firewalls 206, 212 at the interfaces between the LAN 210 and the control room equipment and server 250 respectively. LAN 210 may be a fixed telecommunications network "FTN" and may be proprietary to the rail transport network or other environment in which the system is implemented. For example the FTN may be part of the existing SCADA infrastructure.
[0043] The system of figures 2a and 2b including the electrification control system 200 and the security control system 300 may comprise part of, or be integrated into, a centralised management system such as a Traction Power Centralised Management System "TPCMS" as is known in the rail transport industry. Thus the server 250 may take the form of a TPCMS server, optionally a virtual server. Server 250 is thus shown to include, or be configured to provide, known components indicated at 251 , a database viewer 252, electrification switches control 253, a client interface 254 to the security control server 350 and communications hand off 255, for example Open Platform Communications "OPC" Unified Architecture hand off.
[0044] Still referring to figure 2a, a lineside operator 301 may communicate with the server 350 of the security control system 300 using a mobile device 303. Device 303 may be a generic mobile device such as a smart phone or tablet computing device configured, e.g. using suitable software, to communicate with server 350. In the system of figure 2a, communication between the mobile device 303 and the security server 350 is via a public phone data network 304 and the LAN 210, with a firewall 306 at the interface between the public phone data network 304 and the LAN 210. [0045] All communications between components within the firewalls 206 and 306, for example those forming the FTN, may use non-wireless connections such as wires or fibre optic cables, generally referred to in the industry as security conduit.
[0046] The security server 350 is configured to control remote securing and may also comprise a virtual server. Thus for example the electrification control server 250 and the security server may be provided in the same physical computing system but be logically separated.
[0047] The security server 350 may perform functions of isolation management as indicated at 351 and/or other connection management, not shown. It will be appreciated that the security server may be configured to communicate with multiple user devices 303 operated by multiple users such as lineside operator 301 . Thus the security server 350 is shown to include user management services 352 and user device management services 353 as is known in servers that communicate with multiple user devices operated by multiple users.
[0048] Security server 350 is shown to provide a server interface 354 to the server 250, complementary to client interface 254 in server 250, and communications hand-off 355 similar to hand off 255 in the electrification control server 250.
[0049] Further, the security server 350 of figure 2a is configured to provide a mobile server 356 serving an application that may be installed on mobile devices 303 to enable the security control system to be operated from a mobile device. In the illustrated system each mobile device 303 is configured to communicate only with the security server and not with the electrification control server 250, so that control of securing is separated from control of the electrification such as isolation and/or earthing.
[0050] It will be appreciated that the electrification control server 250 and the security server 350 may be configured to perform other functions in addition to those shown that are not material to the present invention.
[0051] In the system shown in figure 2a the security server 350 is configured as a client of the electrification control server 250. Both servers 250 and 350 have access to a common database 400.
[0052] Referring now to figure 2b, the electrification control system 200 and the security control system 350 are shown to comprise an instance of a driver server 260, 360, shown as a Distributed Network Protocol 3 "DNP3" driver server. Any suitable network protocol may be used. It should be noted here that it is not essential to provide separate driver servers for the electrification and security control systems. The logical separation of the respective systems can be achieved through the use of different headers in the DNP3 or other network protocol messages and this can be achieved for example using separate drivers which need not be on separate servers. Therefore instances of "driver server" may be replaced by "driver". Each driver may provide an interface with switches in the control unit 270 associated with the electrification and security control systems respectively.
[0053] The driver servers 260, 360 communicate with the control unit 270 via the FTN 265 using separate communication channels, optionally via the same physical connections. FTN 265 and LAN 210 may be the same or different communications networks to the field, e.g. lineside. Firewalls 261 and 269 are positioned respectively between the driver servers 260, 360 and the FTN 265 and the FTN 265 and the control unit 270. Each driver server may be comprised in the respective electrification control server or security control server. The driver servers 260, 360 interface between the software operating on the electrification control server or security control server (e.g. using open platform communications "OPC") and a language that the RTUs understand (e.g. DNP3) combined with handling the sending and receiving of messages.
[0054] The control unit 270 in the illustrated system comprises electrification switches such as isolation switches and earthing switches operable in response to an instruction from the electrification control server 200, which may have been instigated automatically or by the ECO 201 using control room equipment. The control unit 270 may convert digital communications from a server, such as electrification server 250 and/or security server 350 or their respective driver servers 260. 360, to hard-wired or analogue outputs.
[0055] The electrification switches such as isolation switches and/or earthing switches operate one or more power line connectors, for example between a power line and a power source or earth. They may be configured in a one to one relationship such that one switch controls one connector, or any other relationship suitable to the application it is possible for only one isolation switch or only one earth switch to be provided. In other words systems described here are not limited to multiple electrical connections.
[0056] The control unit 270 further comprises at least one security switch operable in response to an instruction from the security server 300 instigated from mobile device 303. The security switch is configured to secure the state of a corresponding connection device, for example to operate a lock to prevent access to one or more power line connectors and/or operate a relay to disconnect power from a connection device motor. More than one security switch may be provided in the control unit 270. Each security switch may control a single connection device, or any other configuration of connection devices and switches may be implemented as required.
[0057] In figure 2b separate boards 271 , 371 are provided as is known in the art for functions such as power, telecomms, analogue and so on. Securing inputs and outputs to be described further here may be provided on separate boards. [0058] The switches described herein may be low voltage switches such as transistors or other semiconductor switches or electronic devices as known in the art and not shown or described in detail. The connection devices, such as but not limited to connectors, disconnectors and circuit breakers, may be mechanical connection devices in which connections are separated to create an open circuit or brought together to close a circuit connection. Connectors, disconnectors and circuit breakers are typically used in higher voltage systems. It is well known for low voltage switches to be used to control higher voltage connection devices.
[0059] Various relationships are possible in the systems described here between security switches comprised in the security system and electrification control switches comprised in the electrification control system 200 and the security and connection devices they control.
[0060] There may be a one to one relationship between security switches and electrification control switches so that, for example, a security device controlled by a security switch may be operated to prevent access to one disconnector controlled by an electrification control switch and/or remove power from a motor operating disconnector. There may be a many to one relationship whereby a security device controlled by a security switch may be operated to prevent access to multiple disconnectors controlled by respective electrification control switches and/or remove power from multiple motors operating corresponding disconnectors. Other relationships will be familiar to those skilled in the art. These will depend on the physical relationship between the connection devices controlled by the security switches and the electrification switches, for example locks or relays controlled by security control switches and disconnectors controlled by electrification control switches and housed in cubicles locked by the locks.
[0061] In some systems the control unit 270 may be in direct communication with the devices controlled by the switches comprised in it. In other systems, particularly for the connection devices controlled by the electrification control system, an additional control unit 279 may be provided between the control unit 270 and the controlled connection devices. This may be for example an intelligent electronic device "IED" as is known in the art which may perform some of the functions of the control unit 270 and/or additional electrical protection functions. In figure 2b an additional control unit is shown as part of the electrification control system only. It is equally possible for an additional control unit to be provided as part of the security control system 300, optionally in a combined unit similar to the combined control unit 270.
[0062] Figure 2b shows a disconnector 280 which may be housed in a cubicle 100 which may be locked by a lock controlled by a security control switch. The disconnector is controlled by the electrification control system and the lock is controlled by the security control system.
[0063] It should be noted that the control room equipment need not be fixed and may also be replaced by one or more mobile devices. However in the illustrated system the operation of the electrification control system 200 is separate from the security control system, so that, for example, the mobile device 303 cannot be used to operate the electrification control system 200, and the control room or other equipment used to operate the electrification control system 200 cannot also be used to operate the security control system 300.
[0064] An example of how the system of figures 2a and 2b may be operated will now be described. It is assumed in this example that certain identified power lines are to be isolated from their power supply in order for maintenance work to be carried out. The isolation of multiple power lines from power is generally referred to in the art as an "isolation" (singular) since it is typical for groups of power lines to be isolated at the same time for a particular maintenance operation to take place.
[0065] The ECO may be notified, typically via a written set of instructions, that the power lines are to be isolated, and will operate the control room equipment to send a message to the electrification control server 250 that the lines are to be isolated. The electrification control server 250 sends a message to the control unit 270 to operate isolation switches comprised in the control unit corresponding to the identified power lines. The isolation switches may be binary switches whose state is changed in response to the message from the electrification control server 250. The change in state of an isolation switch in control unit 270 enables the operation of a motor in a motorised disconnector to physically isolate an identified power line. More usually, an "isolation" may require communication with multiple control units, with one control unit at each site. One or more of these control units may operate in the same manner as control unit 270 and comprise both electrification control switches and at least one security switch.
[0066] The isolation status of power lines, their associated disconnectors, relays and switches is reported back to the electrification control server as is known in the art, and recorded in database 400.
[0067] As well as initiating the isolation, the ECO 201 notifies the lineside operator 301 of the isolation of the identified power lines. This would usually take place after the ECO has confirmation via the control room equipment that the isolation is complete.
[0068] In the illustrated system the lineside operator has no control over the isolation itself. The security server 350 has access to the database 400. The lineside operator may use mobile device 303 querying security server 350 to consult the database 400 as to the isolation status of identified power lines. The lineside operator 303 may instruct operation of the lock on the cubicle housing the disconnectors corresponding to the identified power lines after checking that the identified power lines are isolated.
[0069] As a result of the separation of the isolation and security control systems 200, 300, the mobile device 303 receives read only indications from the isolation system. Also since the server is not able to control the isolation switches it has read only access to data in the database relating to the status of the isolation switches and optionally other components of the isolation system. The operations controllable from the mobile device 303 may be limited to the control of a lock, e.g. an electromechanical lock, through the security control system which is a secondary independent control system to the electrification control system.
[0070] The security system 300 may be configured to alert the lineside operator 301 to operate the security system, e.g. an appropriate security device, when a particular isolation has taken place. Additionally or alternatively the security system 300 may be configured to prevent the lineside operator 301 from operating a particular security device or set of security devices unless a particular isolation or other connection has taken place. This is described further with reference to figure 5.
[0071] It will be appreciated that the system may be operated similarly in the case of earthing one or more power lines.
[0072] The systems described here are equally applicable to alternating current AC and direct current DC systems. They are particularly useful in high voltage systems, for example 750V DC or higher or 10KV AC or higher.
[0073] It will be appreciated that a system as shown in figures 2a and 2b may be implemented with little or no modification to an existing isolation/earthing system. The security system may be provided as an add-on requiring nothing more than access to the security system database containing the status of the isolation and/or earthing switches.
[0074] Further details of how the system of figures 2a and 2b may be configured and implemented will now be described with reference to figures 3 and 4.
[0075] Figure 3 shows, on the right side, an application server 500 that may be implemented in the electrification control server 250 of figure 2a, an application client 520 that may be implemented in control room equipment operated by ECO 201 , and database 400. On the left are shown a security system server 600 which may comprise the security system server 350 of figure 2a, a security client 602 that may be implemented on a mobile device 303 of a lineside operator 301 , and an active directory 700.
[0076] The application server 500 is shown to perform functions of client interface proxy 510, securing functions proxy 511 , component update 512, Display control 513 and management system controls 514. The security system server 600 is shown to perform functions of server interface proxy 610, isolation management 611 , user device manager 612, user manager 613, security device manager 614 and page management 615. [0077] A possible message flow between items shown in figure 3 will now be described. This flow does not necessarily represent a chronological order of messages since, for example, messages may be delayed and the transmission of some messages does not necessarily require the receipt of others. This is further illustrated by the state diagram shown in figure 5 and described further below.
[0078] The example message flow is for sending a securing/unsecuring command to items in the field, e.g. connectors, disconnectors etc. as described elsewhere here.
[0079] In the following items in square brackets correspond to the arrows between components shown in figure 3. It should be noted that some of these are bi-directional and may therefore represent different messages in each direction.
[0080] A command [1] is transmitted from the mobile device client to the security server 600. This may be for example to secure multiple isolations and/or earth connections although it is possible in some systems for isolations and/or earth connections to be secured one at a time. Thus the command will usually identify multiple connection devices to be secured.
[0081] The command from the mobile device is routed [2] to the page manager 615, the page manager 615 identifies the mobile device and routes the command [3] to the user device manager 612.
[0082] The user device manager queries the database 400 [4] for the user device from which the command [1] was received and the database confirms [4] that the user device is approved.
[0083] The page manager checks that the command is from an approved user by routing the command [5] to the user manager 613 which queries [6] the active directory 700 to check that the user login is valid. The active directory 700 confirms [6] that the login is valid.
[0084] An inhibit is written [7] to the application server 500 via the respective interface proxies 610, 710. The inhibit relates to the connection devices identified in the initial command [1] and is acted on by the application server 500 to prevent the connect/disconnect status of the identified connection devices from being changed by the electrification control system. For example, the option to change the status of the identified devices may be disabled at the application client 502.
[0085] The component update function 512 is notified [8] of the inhibit. The display control 512 is notified [9] of the inhibit, for example via the component update function. At this point a display may be updated to show that “Primary” (i.e. Server only) securing has been applied if the corresponding connection device has not yet been secured according to the command. [0086] When the database has been updated the electrification control server 500 confirms [10] to the security server 600, for example via respective interface proxies 510, 610 that the inhibit has been applied in the database.
[0087] The inhibit is translated to a command [11] to the connection device manager and the Isolation manager 611 . The isolation manager 611 confirms the command [12] back to the database 400. A database event log is updated [12], for example to confirm the command or any alarms described further below.
[0088] The database changes are enunciated [13] to the display control 513. A screen update [14] is sent to the management system controls 514. The screen update is sent to the ECO 201 , for example via an ECO workstation server [15] to the ECO's screen [16].
[0089] Figure 4 is a schematic diagram showing how connection devices may be controlled by the electrification and security control systems. Components shown in figures 2, 3 and 4 are indicated by the same reference numerals.
[0090] The security device manager 614 is shown to communicate with an OPC server 750 serving as protocol translator between the security device manager 614 and the control unit 270. The control unit 270 is shown to comprise two RTUs which may comprise respective switches controlling security control devices and connection devices respectively. It is not necessary for the switches to be grouped in this way.
[0091] The use of separate systems, in particular separate servers, enables the two RTUs to be combined in a single control unit without risk of cross communication between switches controlled by the respective systems. As noted elsewhere here, messages from the different servers may have different address headers or otherwise be differentiated. For example the control unit 270 may validate the Master address in a command is the same as that for the security server and act on a command accordingly. The control unit may be configured to only permit write controls from the security server to devices controlled by the security server and not to devices controlled by the electrification server.
[0092] A security device is an electrically operated lock. A lock may be arranged to prevent physical access to the connection device which it secures, which in the example of figure 4 is the connector 150. In the systems described here a relay which controls the power to a motor which operates a connection device may be controlled by the security system and form a security device as defined here, in addition to or alternatively to a lock.
[0093] In some systems a combined device may be provided comprising a lock and a relay configured to be operated simultaneously, which may be termed a disconnector lockout relay "DLR". This combined device may be a bi-stable device in which in one state the lock and relay are operated to both prevent physical access and remove power from the motor, and in the other state allow physical access and connect power to the motor. The combined device may be constructed from commonly available components and is readily configurable by a person skilled in the art.
[0094] Figure 4 shows only one security device for the sake of clarity but it will be appreciated that many security devices may be controlled from the same security system 300 in the same way that many connectors may be controlled from the same electrification system 200.
[0095] In the example of figure 4, a DLR 800 is provided as a security device operable by the security system 300 to secure the connector 150, and another relay 160 is configured to be controlled by the electrification control system. In the arrangement of figure 4 the connector 150 is secured by the DLR 800 but the motor 157 is not secured. It will be appreciated that the systems described here may be used to achieve any combination of secured and unsecured devices according to particular security requirements.
[0096] Some message flows are indicated in figure 4 and indicated below in square brackets. As with figure 3 they do not necessarily represent a chronological order.
[0097] The securing of a connection or disconnection may be subject to some conditions. For example, in the case of an earth or short circuit, a system may be configured such that remote securing is only possible if an earth/short indication to the security system server is valid, of good quality, and recent e.g. received within a preset time period. This is an example and other conditions may be placed on the securing described here as appropriate to the application. Where such conditions are present, securing may be inhibited to the security system so that the operations from [1] onwards are only available when these conditions are met.
[0098] The system may be configured such that some conditions reported to the security system are alerted to the electrification system, as indicated by the alarm shown in figure 4.
[0099] An open or close command may be transmitted [20] from the electrification server 500 to the control unit 270 and the control unit 270 acts on the command to open the circuit breaker 155 [21] and operate the short circuit 150 [22] The status of the circuit breaker 155 is reported back [23] to the control unit 270 and then [24] to the application server. The status of the short circuit 150 is reported back to the control unit 270 [25] and from there to the security server 600.
[00100] In this example only the short circuit 150 is secured under the control of the security system 300 via security server 600. The status of the short circuit 150 is reported to the control unit 270 [27] and the status of the combined security device 800 is reported to the control unit 270 [26].
[00101] In the security system 300 a command to secure the short circuit is transmitted from the security server 600, in this example via the security device manager 614. From here the control unit 270 outputs a securing command [26] to a DLR 800. The DLR 800 reports its status e.g. "secured" to the control unit 270 [27] The control unit is polled by or reports securing events to the security server 600 via the overhead power connection server 750 that a securing change of state has occurred.
[00102] Operations analogous to operations [12] to [16] may then take place to update the database as to the security status of connections. Figure 5 is a state diagram for the security server 350/600 illustrating a method of operating a security server in a typical use case.
[00103] In figure 5 the term "isolation" is used but it will be appreciated that this is equally applicable to earthing or any other kind of connection described here. At 51 user such as lineside operator 301 selects an isolation using a mobile device 303 and the server 600 receives the request for the isolation. The request may refer to a single connection device but more usually it will identify a list of multiple connection devices to be secured, for example but not necessarily simultaneously. In the description with reference to figure 5 it is assumed that the isolation relates to multiple connection devices. In response to the selection the user is able to view via the mobile device 303 the status of the isolation, for example the open/closed status of the corresponding connection devices. At this stage the user can confirm the connection device list. So for example the server is either in state 52, awaiting confirmation of the connection device, or state 53 where the list of connection devices has been confirmed. The user may at this stage confirm the connection device list, indicating that these devices are to be secured. In state 53 securing of the devices in the connection device list may be requested, again via the mobile device 303.
[00104] In state 54 where the securing has not yet been requested by the user, the possibility to request the securing may be available or inhibited/disabled, for example depending on the open/close status of the corresponding connection devices, as indicated by state 56, or available as indicated by state 55 in which case the user can request remote securing, e.g. operation of corresponding security devices. In state 57 the requested securing is complete and at state 58 unsecuring is now possible. If remote securing is not complete the server may be in state 59 awaiting a feedback, e.g. confirmation that the securing is to be completed.
[00105] In order for securing to be carried out, in the systems shown here, connection devices have to have an inhibit applied, for example at the request of the ECO, and then they need to be reported to or accessible by the security control server with a unique identifier for the isolation or other state resulting from operation of the connection device.
[00106] Various permutations of connection devices and security devices are possible with any of the systems and methods described here. Figure 4 shows one example, more are illustrated in figures 6 to 11 , others will become apparent to those skilled in the art. In figures 6 to 11 a number of signal paths are indicated as follows: [00107] 1 a - SILO (safety integrity level 0) TPCMS Control Commands
[00108] 1 b - SILO TPCMS Indications
[00109] 2a - SIL1 (safety integrity level 1 ) Remote Securing/Unsecuring Command (single DNP3 control point)
[00110] 2b — SIL1 Remote Securing Reliable Signal and SIL1 RS Earth / Continuity Reliable Signal.
[00111] Figure 6 shows a possible AC architecture in which a control unit, designated as an RTU, communicates with two DLRs. Each DLR may comprise a relay and lock configured to operate simultaneously under the control of the RTU. In the architecture of figure 6, any of a circuit breaker for AC, disconnector for DC and circuit main earth may be operated in the usual way by an electrification control system. Two DLRs are provided to disconnect power from respective motors, one of which drives the circuit main earth and the other of which drives the disconnector. The DLRs are examples of security devices that may be controlled by a security control system as described here. Thus the circuit breakers for AC and DC as well as the circuit main earth may be controlled from one server forming part of an electrification control system, while the DLRs are controlled from a separate server forming part of a security control system. The RTU may be part of a common control unit such as the control unit 270 of figure 2a which serves both the electrification control system and the security system.
[00112] Figure 7 shows a possible AC architecture with substation RTU and legacy point to point "P2P" arrangement. Here, in a similar manner to the RTU and IED described above, the control functions of the security control system, as well as optionally the electrification control system, are shared over two different physical locations, one of which is lineside for example near a motorised overhead line switch "MOS" and the other of which may be further away. Here a disconnector for DC and a circuit main earth are controlled by an electrification control system and DLRs for their respective motors are controlled by a separate security control system in a similar manner to the architecture of figure 6.
[00113] Figure 8 shows a possible AC architecture in which circuit breakers and a circuit main earth are controlled in a similar manner to the architecture of figure 6 from a substation, which need not be lineside. A circuit breaker for DC and associated circuit main earth may be controlled in a similar manner to the architecture of figure 7.
[00114] Figure 9 shows a possible AC architecture with implementation of small RTUs with a three- position switch configuration. Here the three-position switch may be controlled by an electrification control system as described here and power to a motor controlling the three position switch may be controlled by a security control system as described here. [00115] Figure 10 shows a possible DC track feeder switch architecture in which a circuit breaker "CB" is controlled from a control substation and a disconnector and circuit main short are controlled from a separate control panel. Flere only the disconnector and circuit main short have an associated DLR that is controlled from a security control system as described here.
[00116] Figure 11 shows a possible DC negative short circuiting device "NSCD" Architecture with RTU. Flere, a connector device in the form of a circuit main short has an associated DLR that is controlled from a security control system as described here. A separate circuit breaker is outside the control of the security control system. In this arrangement the position of the Circuit Main Short/NSCD can be used as an interlock to prevent the associated circuit breaker "CB" being closed.
[00117] In any of the architectures shown in figure 4 and figures 6 to 11 , a minimum number of DLRs and associated connection devices such as but not limited to circuit breakers, disconnectors and circuit main earths, is shown for purposes of clarity. It will be appreciated that a plurality of any of these kinds of devices may be controlled from an electrification control system and a security control system respectively.
[00118] It will be appreciated from figure 4 and figures 6 to 11 that a system may comprise a plurality of connector devices with one or more having an associated security device and at least one connector device that does not have an associated security device. Also some devices as described here may function as either a connector device or a security device. For example, figure 4 shows a relay 160 controlled by the electrification control system and therefore functioning as a connection device, as well as relay 168 controlled by the security control system.
[00119] In any of the architectures shown in figure 4 and figures 6 to 11 , any of the DLRs may be replaced by a relay only, for example to disconnect power from a motor associated with a connector device, or a lock only, for example to prevent physical access to a motor associated with a connector device. It is desirable in some circumstances but not always essential to provide both functions of removing power and preventing access.
[00120] By providing a separate server for the control of security, an existing electrification security system may be modified to obtain the benefits of the systems described here. For example, starting with an electrification system, comprising connection devices and at least one security device as described here, a dedicated security control server may be used to control the at least one security device.
[00121] The methods and systems described in the foregoing have a number of advantages over some existing systems.
[00122] In some known systems separate padlocks or other manually operated devices are required to be operated in order to make a track or power line section safe for a maintenance task. Any of the systems described here may be configured to enable multiple connections and/or disconnections to be secured at the same time, for example as indicated in the device list described with reference to figure 5. Therefore multiple connections or disconnections may be secured with one user input on a mobile device, e.g. operation of one key. Therefore not only may the securing be performed remotely but also several securing operations may be accomplished simultaneously.
[00123] The provision of a security control server separate from the electrification control server enables the electrification and security to be decoupled. One of many advantages of this separation is that it facilitates management of control of the security, for example a mobile device and/or user may be readily blocked from operating the security control system, independently of the electrification control system.
[00124] The separation of the security control system means that the validation of associated software is a simpler task than if it was integrated into an existing electrification control system.
[00125] The use of separate servers for electrification and security enables the use of a single control unit, for example RTU, for both electrification and security. The RTU is able to validate messages according to which server they originated from, and therefore ensure that messages are correctly routed. It is not necessary to provide, for example, separate control units for security and electrification respectively, and this minimises modifications required in the field.
[00126] Any of the servers described here may be implemented in a computing system as is known in the art.
[00127] Any of the computing systems described herein may be combined in a single computing system with multiple functions, unless otherwise stated. Similarly the functions of any of the computing systems described herein may be distributed across multiple computing systems.
[00128] Some operations of the methods described herein may be performed by software in machine readable form e.g. in the form of a computer program comprising computer program code. Thus some aspects of the invention provide a computer readable medium which when implemented in a computing system cause the system to perform some or all of the operations of any of the methods described herein. The computer readable medium may be in transitory or tangible (or non-transitory) form such as storage media include disks, thumb drives, memory cards etc. The software can be suitable for execution on a parallel processor or a serial processor such that the method steps may be carried out in any suitable order, or simultaneously.
[00129] This application acknowledges that firmware and software can be valuable, separately tradable commodities. It is intended to encompass software, which runs on or controls “dumb” or standard hardware, to carry out the desired functions. It is also intended to encompass software which “describes” or defines the configuration of hardware, such as HDL (hardware description language) software, as is used for designing silicon chips, or for configuring universal programmable chips, to carry out desired functions.
[00130] In the described embodiments of the invention the system may be implemented as any form of a computing and/or electronic system as noted elsewhere herein. Such a device may comprise one or more processors which may be microprocessors, controllers or any other suitable type of processors for processing computer executable instructions to control the operation of the device in order to gather and record routing information. In some examples, for example where a system on a chip architecture is used, the processors may include one or more fixed function blocks (also referred to as accelerators) which implement a part of the method in hardware (rather than software or firmware). Platform software comprising an operating system or any other suitable platform software may be provided at the computing-based device to enable application software to be executed on the device.
[00131] The term "computing system" is used herein to refer to any device with processing capability such that it can execute instructions. Those skilled in the art will realise that such processing capabilities may be incorporated into many different devices and therefore the term "computing system" includes PCs, servers, smart mobile telephones, personal digital assistants and many other devices.
[00132] Any reference to "an" item refers to one or more of those items unless otherwise stated. The term "comprising" is used herein to mean "including but not limited to".
[00133] Further, to the extent that the term "includes" is used, such term is intended to be inclusive in a manner similar to the term "comprising".
[00134] The order of the steps of the methods described herein is exemplary, but the steps may be carried out in any suitable order, or simultaneously where appropriate. Additionally, steps may be added or substituted in, or individual steps may be deleted from any of the methods without departing from the scope of the subject matter described herein. Aspects of any of the examples described above may be combined with aspects of any of the other examples described to form further examples.
[00135] It will be understood that the above description of a preferred embodiment is given by way of example only and that various modifications may be made by those skilled in the art. What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable modification and alteration of the above devices or methods for purposes of describing the aforementioned aspects, but one of ordinary skill in the art can recognize that many further modifications and permutations of various aspects are possible. Accordingly, the described aspects are intended to embrace all such alterations, modifications, and variations that fall within the scope of the appended claims.

Claims

Claims:
1 . An electrification security system for power line connections, the system comprising: an electrification control system configured to control a plurality of connection devices associated with electrical power lines; and a security control system configured to secure the state of connection devices controlled by the electrification control system.
2. The system of claim 1 wherein the electrification control system and the security control system are logically separated.
3. The system of claim 1 comprising a plurality of connection devices configured to be controlled by the electrification control system and at least one security device configured to be controlled by the security control system to secure the state of one or more connection devices.
4. The system of claim 3 wherein the plurality of connection devices comprise motorised connection devices.
5. The system of claim 3 or claim 4 wherein each connection device is operable to connect a power line to a power or voltage source or to earth.
6. The system of claim 3, 4 or 5 wherein the at least one security device comprises a lock arranged to prevent manual overriding of the state of one or more connection devices.
7. The system of any of claims 3 to 6 wherein the at least one security device comprises a circuit breaker operable to disconnect power from one or motors arranged to operate respective connection devices.
8. The system of any of claims 3 to 7 wherein the at least one security device comprises a combined lock and circuit breaker wherein the lock is arranged to prevent manual overriding of the state of one or more connection devices and the circuit breaker is operable to disconnect power from one or motors arranged to operate respective connection devices.
9. The system of any preceding claim wherein the electrification control system and the security control system comprise control servers and/or respective drivers.
10. The system of claim 9 wherein the electrification control system comprises multiple electrification control switches operable in response to an instruction from the electrification control server to control respective connection devices and the security control system comprises at least one security switch operable in response to an instruction from the security server to control a respective security device.
11. The system of claim 10 wherein the electrification control switches each control a respective connection device.
12. The system of claim 10 or claim 11 wherein the at least one security switch is configured to operate a security device to secure the state of a connection device.
13. The system of claim 10, 11 or 12 comprising a control unit arranged to receive communications from the electrification server and the security server 350 to control a plurality of connection devices configured to be controlled by the electrification control system and at least one security device configured to be controlled by the security control system.
14. The system of any preceding claim wherein the electrical connection control system is configured to record in a database the status of identified power lines.
15. The system of claim 14 configured such that the security control system has read-only access to the database.
16. The system of any preceding claim wherein the security control system is accessible from a mobile device.
17. The system of any preceding claim configured to secure the state of multiple connection devices at different locations simultaneously.
18. The system of any preceding claim wherein messages in the security control system and messages in the electrification control system use a common communication channel.
19. A method of securing the state of connection devices controlled by an electrification security system, wherein the electrification security system comprises a plurality of connection devices configured to be controlled by the electrification control system and at least one security device configured to secure the state of one or more connection devices, the method comprising controlling the at least one security device via a dedicated security control server.
20. The method of claim 19 comprising arranging the at least one security device to prevent manual overriding of the state of one or more of the connection devices.
21 . The method of claim 19 or claim 20 arranging the at least one security device to disconnect power from one or motors arranged to operate respective connection devices.
22. The system of any of claims 19 to 21 comprising arranging the at least one security device as a combined lock and circuit breaker wherein the lock is arranged to prevent manual overriding of the state of one or more connection devices and the circuit breaker is operable to disconnect power from one or motors arranged to operate respective connection devices.
23. The method of any of claims 19 to 22 comprising configuring the security control sever to be accessed from a mobile device.
24. The method of any of claims 19 to 23 comprising configuring the security control server to simultaneously secure the state of multiple connection devices.
25. A computer readable medium comprising instructions which when implemented in a computing system cause the computing system to implement a method as claimed in any of claims 19 to 24.
PCT/GB2022/050752 2021-03-25 2022-03-25 Systems and methods for electrification security WO2022200805A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB2104236.1A GB2605181B (en) 2021-03-25 2021-03-25 Systems and methods for electrification security
GB2104236.1 2021-03-25

Publications (1)

Publication Number Publication Date
WO2022200805A1 true WO2022200805A1 (en) 2022-09-29

Family

ID=75783599

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2022/050752 WO2022200805A1 (en) 2021-03-25 2022-03-25 Systems and methods for electrification security

Country Status (2)

Country Link
GB (1) GB2605181B (en)
WO (1) WO2022200805A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140232191A1 (en) * 2011-09-29 2014-08-21 Siemens Aktiengesellschaft Contact wire system for traction supply of an electric tractive vehicle
WO2017000032A1 (en) 2015-06-30 2017-01-05 Remsafe Pty Ltd A remote isolation system and mobile device for use in the remote isolation system
US20170003661A1 (en) * 2015-06-30 2017-01-05 Remsafe Pty Ltd Equipment Isolation System

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040264094A1 (en) * 2003-05-06 2004-12-30 Rahman Md Azizur Protective control method and apparatus for power devices
BRPI0511229A (en) * 2004-06-04 2007-11-27 Pozilok Holdings Pty Ltd locking method for locking at least one insulation element of a plant and locking system for isolating at least one insulation element of a plant
US20170003663A1 (en) * 2015-06-30 2017-01-05 Remsafe Pty Ltd Equipment Isolation System
JP2017093190A (en) * 2015-11-12 2017-05-25 ファナック株式会社 Motor drive device having abnormality determination function of main power supply voltage

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140232191A1 (en) * 2011-09-29 2014-08-21 Siemens Aktiengesellschaft Contact wire system for traction supply of an electric tractive vehicle
WO2017000032A1 (en) 2015-06-30 2017-01-05 Remsafe Pty Ltd A remote isolation system and mobile device for use in the remote isolation system
US20170003661A1 (en) * 2015-06-30 2017-01-05 Remsafe Pty Ltd Equipment Isolation System

Also Published As

Publication number Publication date
GB202104236D0 (en) 2021-05-12
GB2605181A (en) 2022-09-28
GB2605181B (en) 2023-03-29

Similar Documents

Publication Publication Date Title
EP3301784B1 (en) Intelligent power server applied to protection and control system for intelligent substation
US20150035358A1 (en) Electrical power management system and method
US20080137266A1 (en) Motor control center with power and data distribution bus
CN101689985B (en) Identifying improper cabling of devices
US9965013B1 (en) Switchgear controller device
JP2003299263A (en) Monitor control system
US20200344079A1 (en) Access Control Apparatus and Method Therefor
CN116455564A (en) Quantum encryption-based power distribution automation protection method and system
WO2022200805A1 (en) Systems and methods for electrification security
Poștovei et al. The evolution and challenges of modern Distributed Control Systems
CN112700995B (en) Power distribution room maintenance method and device
CN104732625A (en) Method and device for unlocking key management box on basis of fingerprint identification technology
US9823721B1 (en) Switchgear controller device
CN109445385B (en) Anti-misoperation system and method for cross power supply system of nuclear power station
CN112072796A (en) Double-emergency control system for switch cabinet of unattended substation
Sarry et al. Intelligent Interlocking of Switching Devices
EP2301125A1 (en) Method and system for rearranging sound conductors in parallel lines in power transmission
CN204270096U (en) A kind of double-bus Medium Voltage Switchgear supervisory system on the spot
CN105071534B (en) Breaker both sides isolator operation power supply smart feeding device
CN103219802A (en) Grid fault recovery system
Nair Implementation for IEC 61850 Functional Schemes
CN116466154B (en) Fault diagnosis method and device, storage medium and electronic equipment
CN212909115U (en) Double-emergency control system for switch cabinet of unattended substation
CN112201503B (en) Locking logic loop for connecting 750kV line with current-limiting reactor
Falahati et al. A Modular, Scalable Automation System for a Distribution Substation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22715148

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22715148

Country of ref document: EP

Kind code of ref document: A1