Reliability Analysis of Power System based on Generalized Stochastic Petri Nets

Juliano S. A. Carneiro, Luca Ferrarini
Dipartimento di Elettronica e Informazione
Politecnico di Milano
Piazza Leonardo da Vinci 32, 20133, Milan, Italy

Abstract— Hidden failures in protection schemes, the traditional N − 1 security criterion and the introduction of the electricity market are usually major causes in the recent wide area blackouts. In the present work, we address the reliability analysis of power systems using the Generalized Stochastic Petri Nets (GSPN). The proposed modeling approach considers not only the most common failures of power system elements, i.e. short-circuit, breakdown, lightning, but also the improper operations of protection schemes. In addition, the dependency on the system operating conditions has been introduced according to the GSPN formalism (marking-dependency), which allows for the propagation of harmful events. Finally, well-known techniques such as the reachability graph might be used to retrieve the reliability information of the system under investigation.

I. INTRODUCTION

The reliability of electric power systems is currently undergoing numerous investigations, mainly after the latest wide area blackouts. Essentially, the introduction of the electricity market and also the old-fashioned protection schemes have been recognized as the major causes of catastrophic events. In fact, the electrical market trends toward a more efficient production, transmission and distribution of energy, thus fully exploiting the electric resources. On the other side, such a concept drastically shortens the safety guards of power systems and requires novel operating criteria to keep them safe. Nevertheless, the protection schemes are still based on the classical “N-1 criterion”, once extremely efficient, but currently inadequate to face the critical operating conditions created by this modern market-driven organization.

Studies conducted by NERC, UCTE and others revealed that protection system failures are often involved in the most serious blackouts. Generally, the impact of a particular hazardous event is minimized if the occurrence is promptly identified and eliminated as soon as possible [2]. This procedure helps to prevent “N-k contingencies” caused by cascading effects [1], [4], [10], and thus reduces the probability of catastrophic failures in power systems. Clearly, the protection system plays an important role in this scenario, since it avoids the disturbance propagation by removing the damaged component and/or section from the rest of the grid.

There are two sorts of safety requirements concerning the protection systems: the dependability, which is the ability to operate correctly when required, and the security, which means the ability to refrain from unnecessary tripping (undesired tripping). The dependability is achieved by redundant protection schemes and has often taken priority with respect to the security. However, security aspects have become particularly important after the introduction of the electricity market. For example, the line power flows during either heavy load conditions or maintenance operations can induce undesired tripping of distance protections. In this case, a line tripping will lead to an additional stress in the system that might contribute to widespread blackouts. This simple example illustrates a case of hidden failures, defined in [11] as:

a defect such as a component failure, inappropriate setting or incorrect external connection that remains undetected until some other system event causes the hidden failure to initiate a cascading outage.

It is worth noting that hidden failures cannot be easily detected and frequently lead to large outages [5], [9]. Moreover, the example shows that a given disturbance might produce different consequences depending on the power system state.

In conclusion, the reliability of protection schemes, understood as the union of dependability and security, and its dependency on the system operating conditions, deserve all attention when analyzing and designing modern power systems [12].

The Petri Net (PN) paradigm is suitable to represent event-driven systems, which are characterized by a set of states (configurations) and a set of evolution rules (events). Many authors used different types of PNs to model reliability aspects in wide application fields [4], [6], [7]. In this paper, we present a formal model based on Generalized Stochastic Petri Nets (GSPN) for the reliability analysis of transmission power systems.

II. GENERALIZED STOCHASTIC PETRI NETS

Petri Nets are extremely useful for performance evaluation and description of distributed systems characterized by sequentiality, concurrency, synchronization, among others. Specifically, the GSPN [8] is one of several extensions of standard PNs and is obtained by allowing transitions to belong to two different classes: immediate transitions and timed transitions. Immediate transitions fire in zero time once they are enabled. Timed transitions fire after a random, exponentially distributed enabling time. Formally, a GSPN can be defined as follows:

Definition 1: A GSPN is an 8-tuple:

$$N = \{P, T, \Pi, I, O, H, W, M_0\}$$

where:
• $P$ is the set of places;
• $T$ is the set of transitions, $T = T_{im} \cup T_{tim}$; $T_{im} \cap T_{tim} = \emptyset$, where $T_{im}$ means immediate transitions and $T_{tim}$ means timed transitions;
• $\Pi : T \to \mathbb{N}$ is the priority function that maps transitions onto natural numbers representing their priority levels, $\forall t_k \in T_{tim},\ \Pi(t_k) = 0$; $\forall t_k \in T_{im},\ \Pi(t_k) > 0$;
• $I, O, H : T \to \mathrm{Bag}(P)$ are the input, output and inhibition functions, respectively.
  $\mathrm{Bag}(P)$ is the multiset on $P$;
• $W : (T \times M) \to \mathbb{R}^+$ is the stochastic function that maps transitions onto real numbers representing their firing rates depending on the marking $M$,
  $$W(t_k, M) = \begin{cases} \lambda_k, & \text{if } t_k \in T_{tim} \\ \omega_k, & \text{if } t_k \in T_{im} \end{cases}$$
• $M_0 : P \to \mathbb{N}$ is the initial marking, a function that associates each place with a natural number.

The dynamic evolution of the PN marking is governed by transition firings: a transition, once enabled, removes tokens from upstream places and adds them to downstream places. In short, a transition $t_k$ has concession if and only if (i) each input place contains a number of tokens greater than or equal to a given threshold, and (ii) each inhibitor place contains a number of tokens strictly smaller than a given threshold.

Definition 2 (Concession): Transition $t_k$ has concession in marking $M$ if and only if:

$$\forall p \in {}^{\bullet}t_k,\ M(p) \ge I(t_k, p) \ \wedge\ \forall p \in {}^{\circ}t_k,\ M(p) \le H(t_k, p)$$

Instead, a transition $t_k$ is said to be enabled if it has concession in marking $M$, and if no other transition $t_j \in T$ of priority $\Pi_j > \Pi_k$ exists that has concession in the same marking $M$.

Definition 3 (Enabling): Transition $t_k$ is enabled in marking $M$ if and only if:
• $t_k$ has concession in marking $M$ and,
• $\Pi(t_k) > \Pi(t_j)$, $\forall t_j \in T$ that have concession.

When transition $t_k$ fires, it deletes from each place in its input set ${}^{\bullet}t_k$ as many tokens as the multiplicity of the arc connecting that place to $t_k$, and adds to each place in its output set $t_k^{\bullet}$ as many tokens as the multiplicity of the arc connecting $t_k$ to that place.

Definition 4 (Firing): The firing of transition $t_k$, enabled in marking $M$, produces marking $M'$ such that:

$$M' = M + O(t_k) - I(t_k)$$

The GSPN just introduced is a powerful tool to model power systems. Phenomena like component failure, short-circuit, lightning, etc., are always present in real systems and occur randomly. Such events, together with control and protection actions, can be suitably represented through the GSPN, as described in the following sections.
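
Definitions 2 to 4 can be exercised directly. The Python below is an added example, not code from the paper or from any GSPN tool: it implements concession (with the strict inhibitor test given in the prose), priority-based enabling and the firing rule, then enumerates the reachable markings of a small net and separates tangible from vanishing ones. The place and transition names echo the line and breaker models of Section III, but the arcs, rates and weights are constructed assumptions.

```python
# Added illustration of Definitions 2-4 (concession, enabling, firing).
# The wiring, rates and weights are constructed; they are not the arcs of Fig. 2.
from collections import deque

# name: (input arcs I, output arcs O, inhibitor arcs H, priority, rate or weight W)
NET = {
    "TL_SC":    ({"L_OK": 1}, {"L_SC": 1}, {}, 0, 0.01),
    "TL_SC_OK": ({"L_SC": 1}, {"L_OK": 1}, {}, 0, 2.0),
    "TI_OPEN":  ({"L_SC": 1, "I_CLOSED": 1}, {"L_SC": 1, "I_OPEN": 1}, {}, 0, 50.0),
    "TI_CLOSE": ({"I_OPEN": 1}, {"I_CLOSED": 1}, {"L_SC": 1}, 0, 5.0),
    "tL_SC_E":  ({"L_SC": 1, "I_OPEN": 1}, {"L_OK": 1, "I_OPEN": 1}, {}, 1, 1.0),
}
M0 = {"L_OK": 1, "I_CLOSED": 1}   # line healthy, breaker closed


def has_concession(net, t, m):
    """Definition 2: enough input tokens, inhibitor places below threshold."""
    inputs, _, inhibitors, _, _ = net[t]
    return (all(m.get(p, 0) >= n for p, n in inputs.items())
            and all(m.get(p, 0) < n for p, n in inhibitors.items()))


def enabled(net, m):
    """Definition 3: transitions with concession and no higher-priority rival."""
    conc = [t for t in net if has_concession(net, t, m)]
    if not conc:
        return []
    top = max(net[t][3] for t in conc)
    return [t for t in conc if net[t][3] == top]


def fire(net, t, m):
    """Definition 4: M' = M + O(t) - I(t); empty places are dropped."""
    inputs, outputs, _, _, _ = net[t]
    new = dict(m)
    for p, n in inputs.items():
        new[p] = new.get(p, 0) - n
    for p, n in outputs.items():
        new[p] = new.get(p, 0) + n
    return {p: n for p, n in new.items() if n}


def firing_probabilities(net, m):
    """Race of exponentials (timed) or weight ratio (immediate)."""
    en = enabled(net, m)
    total = sum(net[t][4] for t in en)
    return {t: net[t][4] / total for t in en}


def is_vanishing(net, m):
    """A marking is vanishing when an immediate transition is enabled in it."""
    en = enabled(net, m)
    return bool(en) and net[en[0]][3] > 0


def reachability(net, m0):
    """Breadth-first construction of the reachability graph from m0."""
    key = lambda m: tuple(sorted(m.items()))
    seen, edges, queue = {key(m0): dict(m0)}, [], deque([dict(m0)])
    while queue:
        m = queue.popleft()
        for t in enabled(net, m):
            nxt = fire(net, t, m)
            edges.append((key(m), t, key(nxt)))
            if key(nxt) not in seen:
                seen[key(nxt)] = nxt
                queue.append(nxt)
    return seen, edges


if __name__ == "__main__":
    markings, arcs = reachability(NET, M0)
    for m in markings.values():
        kind = "vanishing" if is_vanishing(NET, m) else "tangible"
        print(sorted(m), kind, firing_probabilities(NET, m))
```

In the marking with `L_SC` and `I_OPEN` both marked, `TL_SC_OK` has concession but is not enabled, because the immediate transition `tL_SC_E` has higher priority; that marking is the only vanishing one.
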

III. GENERAL MODEL STRUCTURE

The general model representing the power system under investigation is composed of three major blocks: Electrical Topology Network (ETN), Stochastic Model Network (SMN) and Current Evaluation Network (CEN). These sub-networks communicate and exchange the required information to represent and describe the power system evolution. Basically, the SMN acts as the “core” of the general model, while ETN and CEN support the logical and stochastic evolution of the SMN.

A. Electrical Topology Network

The Electrical Topology Network computes the electrical connectivity of each component of the system. Essentially, the ETN operates based on the information regarding the states of the components, e.g. open/closed for circuit breakers, out-of-order/working for lines and transformers. Such information comes from the SMN through appropriate signal connectors, as will be discussed later. In addition, the ETN has the physical location of generation groups in order to identify the supplied components.

Informally, the strategy used to compute the electrical connectivity can be outlined as follows: starting from the generation groups (GEN), the search algorithm identifies step by step the graphs representing lines (L), station bars (SB) and transformers (T) connected to at least one generation point. For this purpose, we created a modular basic element that contains two places: the electrical state (E_ST) and the physical state (P_ST), as shown in the box of Fig. 1. The former place is marked when the component is connected to a generation point, whereas the latter place is marked if the component state permits the electrical connectivity (data available in the SMN). Besides the places, the basic element is endowed with immediate transitions that propagate the token representing the electrical connection as far as possible. In short, the evolution of the ETN¹, illustrated in Fig.
1, can be described as follows:
1) A message is sent to the ETN after changing the state of a component of the SMN;
2) The ETN clears all electrical places once the message from the ETN is received;
3) A token diffusion starts from the generation points and establishes a new electrical topology.

¹ Note that the station bar contains only the electrical state. That is because we decided not to consider the bus breaking.

Fig. 1. An example of the Electrical Topology Network

B. Stochastic Model Network

The Stochastic Model Network is composed of several interconnected sub-blocks. Such sub-blocks represent the different components of the transmission grid, whereas their interconnections symbolize the logical interactions. The construction rule for each sub-block follows two steps:
1) Identification and description of states (configurations);
2) Specification of transitions (events).

The result of such a procedure can then be synthesized in a Markov Chain enriched by extra elements. The function of such elements regards the conditioning of internal transitions according to external events. To clarify these concepts, we proceed with some modeling examples of the most important components of transmission systems: power lines, protection schemes, circuit breakers, bus bars and transformers.

1) Transmission Line Model: The model takes into account the fact that the line can be short-circuited temporarily (L_SC) or permanently (L_SC_P). Furthermore, the line can be either hit by lightning (L_FLASH), or it can be broken (L_FAIL), or clearly it can be in normal state (L_OK). Note that the states just introduced are mutually exclusive, which means that short-circuit, lightning and breaking cannot happen simultaneously. The evolution of the line model (Fig.
2 (a)) is governed by the following discrete events (temporized/immediate transitions):

TL_FLASH: Line is struck by a lightning;
TL_F_OK: Lightning extinguishes autonomously and the line returns to normal state;
TL_SC: Line goes from the normal state to short-circuit with ground;
TL_SC_OK: Short-circuit extinguishes autonomously;
tL_SC_E: Short-circuit extinguishes after the intervention of protections (immediate transition);
TL_SC_P: Line goes from normal state to permanent short-circuit with ground;
TL_SC_REP: Line is repaired to eliminate the permanent short-circuit;
TL_FAIL: Line failure (normally caused by an object);
TL_REP: Line is restored to normal state;
TL_F_SC: Line goes to short-circuit because of a lightning. The energy of the lightning is considered to be discharged to the ground;
TL_F_FAIL: Line failure caused by a lightning. The effect of the lightning is extinguished;
TL_SC_FAIL: Line failure due to short-circuit (normally caused by the breaking of an insulator).

2) Protection Model: The protection model is unique for all components. It recognizes a failure in the element under control and commands the associated breaker to open. As mentioned before, the protection model must describe both dependability and security aspects. Therefore, the protection not only can be damaged (failure to operate), but also can be subjected to undesired tripping (operate when not required). In addition, the protection model includes the Breaker Failure Device (BFD). This element, located in every bus of the system, recognizes failures in a breaker opening and orders the remaining interrupters connected to that particular bus station to open. The overall behavior of the protection model, as well as its resultant Petri Net (Fig.
2 (b)), can be summarized as follows:

TP_FAIL: Protection failure;
TP_REP: Protection is repaired;
TP_TRIP: Protection properly identifies a failure in the component under control;
TP_UT: Protection commands the breaker opening in absence of failure (undesired tripping);
TP_READY: Protection returns to normal state when the fault is eliminated;
TBFD_FAIL: BFD failure;
TBFD_REP: Protection is repaired;
TBFD_TRIP: BFD identifies a failure in the breaker opening and commands the remaining interrupters to open;
TBFD_READY: BFD returns to normal state when the fault is eliminated;

Fig. 2 exemplifies some of the interconnections among the internal blocks of the SMN. In particular, the place (P_OK) is used to condition the protection tripping (TP_TRIP). Moreover, it imposes constraints on the resetting of both protection (TP_READY) and BFD (TBFD_READY). The place (I_OPEN), instead, indicates an open breaker and it is used to coordinate the protection and the BFD operation.

3) Circuit Breaker Model: The breaker has been modeled with a similar approach. It consists of four main logical states: open, closed, stuck closed and stuck open. Automatic circuit reclosers (I_RECLOSE) are also considered and have been included inside the breaker model. The reclosers interrupt and reclose an ac circuit with a preset sequence of tripping/reclosing to eliminate temporary faults. After the first opening, the breaker is automatically closed by the fast recloser (TI_CLOSE). If the breaker opens again (permanent fault), then it can be closed only through the transition (TI_CLOSE2). Such a transition is conditioned on the lines attached to it being in normal state. The PN model of the circuit breaker is sketched in Fig.
2 (c) and the transitions from one state to another are reported below:

TI_OPEN: Breaker opening triggered by the associated protection;
TI_CLOSE: Fast reclosure of the breaker;
TI_CLOSE2: Reclosure of the breaker conditioned by the normal state of connected elements;
TI_STUCK_O: Breaker stuck in open condition;
TI_REP_O: Breaker repair (set to open state);
TI_STUCK_C: Breaker stuck in closed condition;
TI_REP_C: Breaker repair (set to closed state);
TI_REC_END: Fast recloser resetting.

Fig. 2. Stochastic Model Network. (a) Line model. (b) Protection model. (c) Circuit breaker model.

4) Station bus and transformers: Bars and transformers have been modeled similarly. In short, the station bus can be either hit by lightning or short-circuited, whereas the transformers can be short-circuited or broken down. Details are omitted here for the sake of simplicity.

Up to this point, the stochastic transitions have been assumed to have a constant probability of firing. However, there is a strong correlation between the operating conditions of power systems and the probability of harmful events. To consider this dependency, we developed the CEN described next.

C. Current Evaluation Network

The scope of the Current Evaluation Network is to condition the firing probability of the stochastic transitions defined in the SMN according to the current flowing in the transmission system. That could be done by associating a piecewise constant function to the firing rate of stochastic transitions with dependency on the electrical topology.

In the GSPN formalism, it is possible to work with parameters of transitions that are marking-dependent.
In other words, the firing rate $\lambda_k$ of timed transitions, as well as the weight $\omega_k$ of immediate transitions, can be evaluated as the product of a nominal rate (or weight in the case of immediate transitions) and a dependency function defined in terms of the marking of the places that are connected to a transition through its input and inhibition functions.

The idea here consists in introducing a new place $p_s$ in the SMN for each component that contains a transition with marking-dependency. Such a place summarizes, by means of its marking $M(p_s)$, the marking of a finite generic set of places $C = \{p_n, p_{n-1}, \cdots, p_1, p_0\}$. Afterwards, it can be used to condition the parameters of a transition according to the GSPN formalism.

TABLE I
ENCODING EXAMPLE

M(C) = (M_p2, M_p1, M_p0)    M(p_s)
(0,0,0)                      1
(0,0,1)                      2
(0,1,0)                      3
···                          ···
(1,1,1)                      8

For simplicity, let us suppose to work with safe Petri Nets (1-bounded places) and that $M_0$ is the initial marking, then the number of tokens in the place $p_s$ is computed by (1):

$$\forall M \in M_0 \mid M(p_s) = 1 + \sum_{i=0}^{n} M(p_i) \cdot 2^i \qquad (1)$$

which is nothing more than the binary encoding of the string $M(C) = (M(p_n), M(p_{n-1}), \cdots, M(p_1), M(p_0))$ plus 1. As an example, let $M(C)$ be a set of three places. Then, we have the mapping reported in Table I.

Once the encoding strategy is defined, the GSPN should be extended to introduce the marking-dependency. Essentially, we must include the place $p_s$ and an appropriate set of arcs such that the following relations hold true:

$$M_0(p_s) = 1 + \sum_{i=0}^{n} M_0(p_i) \cdot 2^i \qquad (2)$$

$$\forall p_i \in C \begin{cases} (\forall t \in {}^{\bullet}p_i) \quad t \xrightarrow{2^i} p_s & (3) \\ (\forall t \in p_i^{\bullet}) \quad p_s \xrightarrow{2^i} t & (4) \end{cases}$$

The initial marking of the place $p_s$ is given by (2), while the number of tokens is updated as: (3) for input arcs, and (4) for output arcs. A graphic interpretation is shown in Fig. 3.

Fig. 3. An example of conditioned transition. Dashed elements represent the extra place $p_s$ and the auxiliary arcs inserted for conditioning procedure.

Fig. 4.
Firing rate of timed transitions as a function of current.

Table I defines an auxiliary function $f_i$ that associates the current level flowing in a component with the marking of place $p_s$. Such a function will be used later as the input of another function, called $f_t$, which specifies the firing rate according to the current in the component:

$$\text{Electrical Topology} \equiv M(p_s) \xrightarrow{f_i} i \xrightarrow{f_t} \lambda_t$$

One possible alternative to describe the function $f_t$ is depicted in Fig. 4. The firing rate $\lambda_k$ grows monotonically from zero to the maximum value according to the measured current.

By dynamically changing the firing rate of stochastic transitions, we are able to describe not only the dependency on operating conditions, but also the cascading effects. The transitions to be conditioned are listed in Table II. The up arrow (↑) and down arrow (↓) indicate that the firing probability increases and decreases proportionally to the current, respectively.

TABLE II
CONDITIONED TRANSITIONS

Component      Transition     Firing Rate
Line           TL_SC          ↑
               TL_SC_FAIL     ↑
               TL_FAIL        ↑
               TL_SC_OK       ↓
Transformer    TT_SC          ↑
               TT_SC_FAIL     ↑
               TT_FAIL        ↑
               TT_SC_OK       ↓
Bar            TB_SC          ↑
               TB_SC_OK       ↓
Protection     TP_UP          ↑
               TP_FAIL        ↑
Breaker        TI_STUCK_C     ↑
               TI_OPEN        ↓

In the next section we present an illustrative example summarizing the introduced concepts. The purpose here is to provide some implementation/simulation hints rather than present a real case study. The subsequent reliability assessment can be done using reachability graphs obtained from a GSPN simulation tool, such as GreatSPN [3].

IV. AN ILLUSTRATIVE EXAMPLE

In this section we provide a guide to exemplify the most important features of the proposed modeling approach. In particular, we illustrate the dependency of undesired tripping on the current flowing in the component under control.

Let us consider the network shown in the left bottom of Fig. 5. It is composed of: 6 transmission lines, 5 bars, 13 circuit breakers, 11 protection modules, 5 BFDs and a pair of generator/load.
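
Equations (1) to (4) and the chain from $M(p_s)$ to $\lambda_t$ in Section III-C can be checked mechanically. The Python below is an added example, not code from the paper: it builds the auxiliary arcs of (3) and (4) for the three-place set of Table I, verifies after every firing that $M(p_s)$ still equals the binary encoding, and evaluates a marking-dependent rate. The names `fail_i`, `repair_i` and `ok_i`, the currents in `F_I` and the linear ramp used for `f_t` are constructed assumptions.

```python
# Added illustration of equations (1)-(4) and of the chain M(p_s) -> i -> lambda_t.
# fail_i / repair_i / ok_i, the currents and the ramp in f_t are constructed.
C = ["p0", "p1", "p2"]          # place p_i contributes 2**i to M(p_s)


def encode(m):
    """Equation (1): M(p_s) = 1 + sum_i M(p_i) * 2**i."""
    return 1 + sum(m.get(p, 0) * 2**i for i, p in enumerate(C))


def add_ps_arcs(net):
    """Relations (3) and (4): wire every transition touching p_i to p_s."""
    wired = {}
    for t, (inputs, outputs) in net.items():
        new_in, new_out = dict(inputs), dict(outputs)
        for i, p in enumerate(C):
            if p in outputs:    # t is in the pre-set of p_i: arc t -> p_s
                new_out["p_s"] = new_out.get("p_s", 0) + 2**i
            if p in inputs:     # t is in the post-set of p_i: arc p_s -> t
                new_in["p_s"] = new_in.get("p_s", 0) + 2**i
        wired[t] = (new_in, new_out)
    return wired


# Safe base net: each p_i has a complementary place ok_i (hypothetical names).
BASE = {}
for i, p in enumerate(C):
    BASE[f"fail_{i}"] = ({f"ok_{i}": 1}, {p: 1})
    BASE[f"repair_{i}"] = ({p: 1}, {f"ok_{i}": 1})
NET = add_ps_arcs(BASE)


def initial_marking():
    m = {f"ok_{i}": 1 for i in range(len(C))}
    m["p_s"] = encode(m)        # equation (2)
    return m


def run(net, sequence):
    """Fire the sequence; return [(M(C) as (p2, p1, p0), M(p_s)), ...]."""
    m, trace = initial_marking(), []
    for t in sequence:
        inputs, outputs = net[t]
        if any(m.get(p, 0) < n for p, n in inputs.items()):
            raise ValueError(f"{t} has no concession")
        for p, n in inputs.items():
            m[p] -= n
        for p, n in outputs.items():
            m[p] = m.get(p, 0) + n
        if m["p_s"] != encode(m):
            raise AssertionError("p_s no longer summarizes M(C)")
        trace.append((tuple(m.get(p, 0) for p in reversed(C)), m["p_s"]))
    return trace


# f_i: M(p_s) -> current in amperes (constructed values, one per configuration)
F_I = {1: 400.0, 2: 650.0, 3: 520.0, 4: 0.0, 5: 700.0, 6: 0.0, 7: 900.0, 8: 0.0}
I_MIN, I_MAX, LAMBDA_MAX = 300.0, 800.0, 0.02   # constructed; rate in 1/h


def f_t(current):
    """Monotone ramp from zero to LAMBDA_MAX, flat outside [I_MIN, I_MAX]."""
    if current <= I_MIN:
        return 0.0
    if current >= I_MAX:
        return LAMBDA_MAX
    return LAMBDA_MAX * (current - I_MIN) / (I_MAX - I_MIN)


def rate(m):
    """Marking-dependent firing rate: lambda_t = f_t(f_i(M(p_s)))."""
    return f_t(F_I[m["p_s"]])
```

Because every arc into or out of a place $p_i$ is mirrored by an arc of weight $2^i$ on $p_s$, the rate lookup needs only the single marking $M(p_s)$, which is what makes the dependency expressible in the GSPN formalism.
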
Note that BFDs, protections and reclosures have been omitted for clearness, as well as the interconnections with the SMN counterpart. Fig. 5 also illustrates the equivalent ETN of the example.

Due to the large dimension of the SMN, just a small section of the overall network is depicted in Fig. 2. Specifically, Fig. 2 reports the stochastic model of the line $L_1$ and its associated protection, besides the breaker $I_2$. The interconnections among the three components are also shown, but those with the ETN have been removed for clarity.

In order to simplify our analysis, we suppose that only the lines $L_1$, $L_5$ and $L_6$ can break down, and the protection of $L_1$ can be subject to undesired tripping. For such a modeling choice, the possible system configurations and the respective line currents, besides the marking of the auxiliary place $M(p_s)$, are reported in Table III.

Since we decided to condition only the transition TP_UT of the protection of line $L_1$, we only need the information contained in the column $I_1$ of Table III. This column summarizes the current of $L_1$ in each one of the possible configurations and denotes the piecewise constant function $f_i$ defined before. Concerning the function $f_t$ representing the probability of undesired tripping of line $L_1$, we decided to use the example depicted in Fig. 4.

Note that currents in series branches of the electrical circuit are the same and so the number of columns in Table III can be significantly reduced in real systems. Furthermore, many configurations lead to identical currents and thus clustering procedures can be used to reduce the table dimension.

Finally, after implementing the power system model in a GSPN simulator environment, the reliability analysis can be performed straightforwardly using the reachability graph.

Fig. 5.
Electrical Topology Network

TABLE III
POSSIBLE CONFIGURATIONS

Configuration      Current                                    Encoding
L1   L5   L6       I1     I2     I3     I4     I5     I6      M(p_s)
0    0    0 (a)    a_0    b_0    a_0    c_0    d_0    e_0     1
0    0    1 (b)    a_1    3a_1   a_1    a_1    4a_1   0       2
0    1    0        a_2    a_2    a_2    a_2    0      2a_2    3
0    1    1        0      0      0      0      0      0       4
1    0    0        0      3a_3   0      a_3    2a_3   a_3     5
1    0    1        0      a_5    0      0      a_5    0       6
1    1    0        0      a_6    0      a_6    0      a_6     7
1    1    1        0      0      0      0      0      0       8

(a) Working
(b) Failure

V. CONCLUSION

This paper describes a modeling approach based on the GSPN to perform reliability analyses. The proposed model is capable of representing complex phenomena of power systems such as cascading events and protection hidden failures. The most important components of transmission systems have been modeled in a modular fashion. Such an approach enhances the usability of basic elements and allows complex systems to be built by dragging and dropping the desired components.

The major drawback of the proposed methodology concerns scalability. When implementing large power systems, the number of tangible markings (states), and consequently the reachability graph, may grow quite fast.

REFERENCES

[1] Z. Bie and X. Wang, “Evaluation of power system cascading outages,” in International Conference on Power System Technology, 2002. Proceedings. PowerCon 2002., vol. 1, October 2002, pp. 415–419.
[2] Q. Chen, “The probability, identification, and prevention of rare events in power systems,” Ph.D. dissertation, Iowa State University, 2004.
[3] G. Chiola, G. Franceschinis, R. Gaeta, and M. Ribaudo, “GreatSPN 1.7: Graphical editor and analyzer for timed and stochastic Petri nets,” Performance Evaluation, special issue on Performance Modeling Tools, vol. 24, no. 1-2, pp. 47–68, 1995.
[4] I. Dobson, B. Carreras, V. Lynch, and D. Newman, “Complex systems analysis of series of blackouts: cascading failure, criticality, and self-organization,” in Bulk Power System Dynamics and Control, August 2004, pp. 438–451.
[5] D. Elizondo, J. de La Ree, A. Phadke, and S.
Horowitz, “Hidden failures in protection systems and their impact on wide-area disturbances,” in IEEE Power Engineering Society Winter Meeting, 2001, vol. 2, 2001, pp. 710–714.
[6] L. Ferrarini, J. Carneiro, S. Radaelli, and E. Ciapessoni, “Dependability analysis of power system protections using stochastic hybrid simulation with Modelica,” in IEEE International Conference on Robotics and Automation, 2007, April 2007, pp. 1584–1589.
[7] N. G. Leveson and J. L. Stolzy, “Safety analysis using Petri nets,” IEEE Trans. Softw. Eng., vol. 13, no. 3, pp. 386–397, 1987.
[8] M. A. Marsan, G. Balbo, G. Conte, S. Donatelli, and G. Franceschinis, Modelling with Generalized Stochastic Petri Nets. John Wiley & Sons, 1995.
[9] A. Phadke and J. Thorp, “Expose hidden failures to prevent cascading outages,” IEEE Computer Applications in Power, vol. 9, no. 3, pp. 20–23, 1996.
[10] J. D. L. Ree, L. Yilu, L. Mili, A. G. Phadke, and L. Dasilva, “Catastrophic failures in power systems: causes, analyses, and countermeasures,” Proceedings of the IEEE, vol. 93, no. 5, pp. 956–964, 2005.
[11] S. Tamronglak, S. Horowitz, A. Phadke, and J. Thorp, “Anatomy of power system blackouts: preventive relaying strategies,” IEEE Transaction on Power Delivery, vol. 11, no. 2, pp. 708–715, 1996.
[12] X. Yu and C. Singh, “A practical approach for integrated power system vulnerability analysis with protection failures,” IEEE Transactions on Power Systems, vol. 19, no. 4, pp. 1811–1820, 2004.