Professional Documents
Culture Documents
E0c7 PDF
E0c7 PDF
The electric power grid can be modeled as a complex Several models have been constructed to analyze and
system of dynamic load and generation balances interpret the NERC disturbance data. Among them are
characterized by two types of stability. Steady-state Self-Organized Criticality (SOC) first proposed by
stability describes the nominal balancing of relatively Carreras, et al. [1] and later supported by collaborative
minor disturbances in load/generation fluctuations caused work with others [2,3,4]; Highly Optimized Tolerance
by normal start-up and shut-down events associated with (HOT) proposed by Carlson and Doyle [5]; and the DC-
the millions of appliances and equipment attached to the Fuse model recently proposed by Chen, Thorp, and
grid. Constraints on operating parameters – nominally Parashar [6]. All three approaches parameterize both the
voltage levels, current magnitudes and power flows – are slow and fast dynamics of the disturbance data, and
used to achieve steady-state equilibrium where the exhibit probability distribution functions with power law
generation input is matched to system losses and electrical scaling and power tails that can be modeled as a linear
outputs. Whereas, transient stability describes the power function of the power distribution exponent. Further
systems ability (or lack thereof) to absorb major research is needed to determine relative accuracy and
disturbances and return to a relatively balanced steady- benefits of each model, but initial results suggest that
state. Load shedding, generation shedding, and regional disturbance prediction is feasible if the right global
system conditions are accurately monitored and reported initiated load shedding of 300-400 MW and/or given
in a timely fashion. sufficient notification for operators in California to bring
auxiliary generation on line [7,8,9]. Data from [9] shows
In their comparison of the NERC data to SOC sandpiles,
several instances where a regional early warning system
Carreras, et al. concluded that (a) excluding weather
for electric power disturbances could have alerted
related disturbances had little effect on the modeling, and
operators to necessary actions prior to islanding, and thus
(b) correlations between blackouts can be attributed to
preserved service for the majority of customers. These
power system global dynamics rather than correlations in
actions could have prevented the cascading outages and
events that trigger outages [2]. The idea that random
subsequent islanding that affected 7.5M customers in 11
events (e.g., weather) can trigger a disturbance and still
U.S. states and two Canadian provinces, and cost an
have little effect on the model seems counter-intuitive, but
estimated $1.5B dollars in damages and lost service
is easily expla ined by recognizing the “near-critical”
revenues.
nature of the system and “near-trip” nature of system
events [3]: At the macro-economic level there are two approaches
to implementing a very wide-area (e.g., regional or
“If the system operates close to a ‘critical’
national) control/warning network: (1) strongly
point, some aspects of the response of the system centralized and (2) highly decentralized. Extreme
to random perturbation may have a universal examples at both ends of the spectrum would be the
character.” centralized DOD war-room model and the decentralized
This strongly suggests that understanding the near- Internet E-commerce model, respectively. For critical
critical global dynamics – and monitoring the near-trip applications, such as controlling inter-regional electric
events that occur within the system – may lead to power fluctuations, both approaches require very fast
predictive systems capable of providing warning that calculations, high speed communications, uniform or
steady-state equilibrium is in jeopardy and the system is homogenized information structures, a robust
on the verge of slipping into transient stability. communications infrastructure that is resilient to attack
Preliminary work has affirmed this suggestion and lends and natural phenomena, guaranteed quality of service
support to the claim that major disturbances are somewhat levels and service agreements, and an integrated trust
predictable. In their Markov model of a DC load flow hierarchy (or framework).
network, Dobson, et al. [4] define a system where: In a trusted computing network, trusted paths or
“Lines fail probabilistically and the consequent channels are opened between the sender and receiver so
redistribution of power flows is calculated … that information can be shared without compromising the
{such that} cascading line outages leading to a safe, reliable operation of the control functions of the
computing systems at either end of the communications
blackout are modeled and the lines involved in a
path. Hence, a trusted computing system requires:
blackout are predicted.”
• Access by trusted parties
II. Real-Time Predictive Modeling • Denial of access to unauthorized persons
Rapid progress in the modeling of electric power • Sender and receiver authentication
disturbance events is evident in the last two years of
research from the CIN/SI federal funding program. 1 This • Settings control and protection
progress lends hope that real-time predictive modeling of • Communications integrity and confidentiality
these events may be feasible in the near future. Such real-
time modeling may enable faster acting automated and • Accountability via access and alterations audit
manual controls during the early stages of a disturbance in logging
order to dampen oscillations and improve transient • Service policies and safeguards against denial of
stability. For example, an analysis of the 1996 West service
Coast cascading blackout suggests that an early warning
system operating within a 5-6 minute window could have • Mechanisms for both sender and receiver non-
repudiation
All of these mechanisms would have to be integrated
1. Complex Interactive Networks/Systems Initiative, a
into any type of wide-area trusted network early warning
DOD university research initiative.
system for electric power disturbances. In the next
section we list and discuss the barriers and obstacles to A. Absence of a Protection-Level Communications
implementing such a system. Infrastructure
From their analysis of the 1996 West Coast outages,
III. Barriers to an Electric Power Grudinin and Roytelman [7] conclude that a nationwide,
Disturbance Early Warning System centralized control system modeled after the Russian
Centralized Emergency Preventive Automatic Control
Despite 18 years of research and development in the (CEPAC) network would have been useful in diagnosing
area of trusted networked computer systems, robust, the power disturbances and may possibly have reduced
reliable computer networks for critical applications and the magnitude of the outage. In parallel arguments, (a)
infrastructures are still in their adolescence. Evidence of Birman [11] states that in order to run mission-critical
the defensive weakness and fragility of E-Commerce, applications across wide spatial areas we need to develop
telecommunications, and finance abound in the plethora a Virtual Overlay Network (VON) separate from any next
of cyber-attacks, intrusions, theft, and financial fraud generation Internet network that may evolve, (b)
conducted electronically every day throughout the United Stahlkopf and Wilhelm [8] argue for a Wide Area
States [10]. Further, the security and reliability of Measurement System (WAMS), and (c) EPRI has
military defense systems is becoming increasingly suspect proposed the Inter-control Center Communications
due to increasing incidents of cyber-espionage and Protocol (ICCP) as the base of an inter-regional
information warfare [10]. It is clear that the vulnerability communications infrastructure. The literal intent behind
of any networked computing system increases with the VON, WAMS, and ICCP is to segregate infrastructure-
number of network access points enabled within that related critical data communications (e.g., power system
system. Thus, a wide-area early warning network for protection) from non-critical communications like E-
electric power disturbances suffers from the same barriers commerce.
and obstacles seen in creating wide-area trusted
B. Fragility of Internet and Other
computing networks:
Telecommunications Infr astructures
• Absence of a wide-area protection-level
As an alternative to a separate protection-level
communications infrastructure
communications structure, several utilities and
• Fragility of the Internet and other engineering services have experimented with using the
telecommunications infrastructures Internet for access to control station data and substation
equipment. While Internet access is sufficient for casual
• Lack of network quality of service guarantees and observation and maintenance planning, it is unsuitable for
industrial strength service agreements real-time protection. The Internet is characterized by
• Immaturity, fragility, and lack of interoperability in “best-effort” non-deterministic delivery via unsecure
trust frameworks dynamic routing, and is vulnerable to snooping, hacking,
and deliberate overloading (e.g., denial of service flood
• Lack of requirements and standards for reporting attacks). These frailties preclude its use for any aspect of
below-threshold disturbance anomalies time-critical control applications. Other
telecommunications infrastructures include the Public
• The variety of control station and substation
Switched Telephone Networks (PSTN) and leased lines
communications protocols and their lack of
interoperability forming Asynchronous Transfer Mode (ATM) networks,
Frame -Relay Permanent Virtual Circuits (PVCs), and
• Socio-economic and political resistance to regulatory Frame -Relay Switched Virtual Circuits (SVCs). The
controls ATM and PVC solutions have reliability and quality of
service suitable for critical applications and are discussed
Optimistically, we would assume that the same
in the next subsection. PSTN and SVC solutions have
technologies for mitigating risk and imple menting
reliability and quality of service concerns, respectively,
interoperability in computer networks could be used for
that create questions about their use in real-time
control and protection in electric power systems.
applications.
Unfortunately, this is only partially true. The reliability
demands and time-critical nature of electric power C. Network Quality of Service and Industrial
systems place additional burdens on quality of service Strength Service Agreements
guarantees and high-speed authentication and trusted
There are two mechanisms for ensuring quality of
communications. We now elaborate on each of the above
service guarantees over a network: (1) leased resources
barriers.
sufficient to handle the maximum load, and (2) packet
prioritization that ensures priority packets are delivered at Faults on critical supply lines, switching errors, and
near minimum connection times. Implementing packet large apparatus failures are the most commo n causes of
prioritization on proprietary networks has been done for unstable power swings which leading to transient stability
many years, but on Ethernet networks this is still a oscillations. These swings are characterized by the loss of
research topic. As alternatives, several companies and synchronism between portions of the interconnected
organizations have implemented Ethernet TCP packets power systems such as that shown in Figure 2. During
over leased ATM or PVC lines. Fortunately, these two these swings, system voltages and currents can be quite
communications mechanisms do provide quality of large. The task of detecting these swings has been
service guarantees suitable for time -critical applications. traditionally performed by autonomous out-of-step block
Unfortunately, the end-to-end TCP flow-control necessary and trip-measuring elements in protective relaying located
for quality of service implementation can interfere with in critical substations. These elements and the associated
ATM and Frame-Relay packet construction, thereby logic detect and distinguish between recoverable and non-
causing an indeterminate degradation in service quality recoverable power swing conditions.
[12]. Further work is needed to better define quality of
service mechanisms within ATM and Frame-Relay
packets.
D. Immature, Fragile Trust Frameworks
At the heart of a wide-area early warning system will be Source S Source R
the means for communicating anomalies and disturbances
across spatial, economic, and governing boundaries.
Hence, trusted communication between sender and
receiver is a vital prerequisite before instigating any Figure 2. System Single-Line Diagram
control or protective action. There are three structures, or
frameworks, for establishing trusted interconnections During a fault, the real electrical power output of a
between computing systems: (1) Internet Protocol generator becomes less than the mechanical input to the
Security (IPSec), (2) Public Key Infrastructure (PKI), and generator. This unbalance of input power to output power
(3) an informal “web of trust.” IPSec is an effort of the increases the generator speed. The generator control
Internet Engineering Task Force (IETF) to add security systems sense this speed increase and sends control
mechanisms to the TCP/IP layers within the Ethernet signals to decrease the rotor speed in an attempt to match
protocol. PKI is an attempt to create a world-wide the input and output power. It may take many seconds for
infrastructure for secure communications based on the generator controls to effect this change (this is
asymmetric public-key cryptography. As an alternative to especially true in hydroelectric installations where the
PKI, the Pretty Good Privacy (PGP) group has prime mover controls are rather large mechanical
implemented and advocates an informal “web of trust” apparatus). From the perspective of the sending and
where trusted users vouch for and include others in receiving ends of the power system, suppose the
formalized lists of who to trust. Other mechanism for receiving-end of the power system is very load intensive
establishing trust levels and trust frameworks are being (e.g., California) and the sending-end is very generation
explored, but by-and-large all of these efforts are focused intensive (e.g., Pacific Northwest). During the fault
o n E-commerce and are not now sufficiently robust for shown in Figure 2, the receiving-end is slowing down due
electric power control systems. to a lack of received power. The sending-end during the
fault is speeding up. This condition where one end of the
E. Reporting Below-Threshold Anomalies system is slowing down while the other end is speeding
In electric power systems FERC requires utilities to up, sets the condition for power oscillations that can lead
report outages affecting 50,000 customers for 3 hours or to massive blackouts.
more, and in telephone communications the FCC requires With the fault cleared, the inequality of the sending and
utilities to report failures affecting 30,000 customers for receiving power requirements, and the increased
over 30 minutes. There are no reporting regulations or reactance results in a power swing. By this time the
requirements for wireless communications and mobile receiving-end has absorbed the additional sending-end
network failures. In none of these three domains are there rotor inertia energy. At this point, the power system is
any reporting requirements for “near-critical” conditions close to equilibrium but the electrical output of the
and “near-trip” events. Such data would clearly be useful sending-end has now exceeded its mechanical input and
in both modeling and predicting power system the swing reverses. The swing follows continues to a
disturbances, and modern digital protective relays have point somewhere below the mechanical/electrical
the capability to record and report these conditions.
equilibriu m point, where the power swing direction controllers, local PCs, and SCADA devices. Figure 3
reverses again. This oscillation continues unless shows an example substation configuration with varying
generator control action or system switching takes place. communication protocols within and external to the
From this discussion it should be obvious that several station. The diversity and lack of interoperability in these
instances of near-critical and near-trip conditions exist, communication protocols create obstacles for anyone
and that these conditions can be monitored to provide attempting to retrieve disturbance data (trip, near-trip,
real-time notification that the system is approaching critical, or near-critical) from the station.
instability.
G. Resistance to Regulatory Controls
F. Control and Substation Protocols With Minimal
Despite the calls for centralized control structures and
Interoperability
increased regulatory requirements (discussed earlier), it is
In a typical control station or substation you find a doubtful whether today’s socio-economic and political
plethora of communications protocols including a climate would support such actions. The failed
multitude of proprietary protocols as well as: EIA-232, deregulation attempt in California have slowed but not
EIA-485, Ethernet, Utility Communications Architecture stopped similar efforts in the Southeast U.S. Thus, it
(UCA), Distributed Network Protocol (DNP), Modicom’s seems that the electric power industry will undergo the
Modbus and Modbus-Plus, Profibus, Foundation same deregulatory actions and influences experienced by
Fie ldbus, and ControlNet. These protocols are used to U.S. telephone, railroad, and airline industries. It remains
connect the protection equipment such as breakers, questionable, however, if a keystone critical infrastructure
reclosers, relays and Intelligent Electronic Devices like the electric power grid should be stressed and
(IEDs), to control equipment like Remote Terminal Units jeopardized by deregulatory machinations.
(RTUs), Data Processing Units (DPUs), communications
F G
A
IED
IED Modem
C Remote Access
Remote Control IED
IED Network
Interface
IED
Local Control E Remote Access
B H
Substation
Controller
LAN 1 Network
Interface IED IED IED IED
F
D C
E G
Modem
Router to WAN Remote Monitoring Remote Access
A. Proprietary SCADA or Ethernet E. Local Ethernet or Internet
B. Proprietary, EIA232, EIA485, Ethernet, UCA, or ControlNet F. EIA-232
C. Proprietary G. V.32, V.34, WAP, or WEP
D. Ethernet H. DNP, Modbus, Profibus, or Fieldbus
Roytelman identified in 1997 as missing components to 2001, Maui, Hawaii, USA), IEEE Computer Society, Los
an improved wide-area automatic control system [7]. Alamitos, CA, 2001.
Thus, it would be ironic if failed deregulation efforts were 5. J. Carlson and J. Doyle, “Highly Optimized Tolerance: A
the impetus for adopting a centralized scheme for inter- Mechanism for Power Laws in Designed Systems,”
regional load balancing and protection. Physical Review E, Vol. 60(2), August 1999, pp. 1412-
1427.
V. Conclusion 6. J. Chen, J. Thorp, and M. Parashar, “Analysis of Electric
Power System Disturbance Data,” Proceedings of the 34 th
We are approaching an era in which electric power Hawaii International Conference on System Sciences, (Jan.
system anomalies can be modeled in real-time using data 3-6, 2001, Maui, Hawaii, USA), IEEE Computer Society,
from disturbances, near-critical conditions, and near-trip Los Alamitos, CA, 2001.
events. These models can then be used to prescribe 7. N. Grudinin and I. Roytelman, “Heading Off Emergencies
corrective actions to maintain steady-state equilibrium, or in Large Electric Grids,” IEEE Spectrum, Vol. 34(4), April
at least dampen transient-state fluctuations. Concurrent 1997, pp. 42-47.
with the research progress in modeling these events are 8. K. Stahlkopf and M. Wilhelm, “Tighter Controls for Busier
advances in networking technologies for high(er) speed Systems,” IEEE Spectrum, Vol. 34(4), April 1997, pp. 48-
wide-area trusted computing systems spanning a 52.
multitude of spatial, operational, and commercial
9. J. Daume, “Summer of Our Disconnects: 1996 Western
distances. Technological and socio-political barriers to Systems Coordinating Council Power System
the successful implementation of a wide-area electric Disturbances,” Paper #1, 24 th Annual Western Protective
power disturbance early warning system are similar to Relay Conference, (Oct. 21-23, Spokane, WA), 1997.
those of implementing a trusted wide-area computer
network for E-commerce or finance, but more exacting 10. CSI/FBI, 2000 CSI/FBI Computer Crime and Security
Survey, Computer Security Institute, 600 Harrison St., San
because of the ultra-fast time constraints inherent in Francisco, CA, 94107, 2000.
electric power system protection. So, while we can learn
from advances in computer networking, and we can glean 11. K. Birman, “The Next -Generation Internet: Unsafe at Any
technologies from that domain, we cannot implement Speed?,” IEEE Computer, Vol. 33(8), August 2000, pp. 54-
those solutions in toto. Thus, as we approach an ever 60.
increasing digital information society we must invest in 12. S. Dixit and Y. Ye, “Streamlining the Internet-Fiber
the electric power infrastructure that fuels our automation Connection, IEEE Spectrum, Vol. 38(4), Apr. 2001, pp. 52-
and quality of life. 57.
4. I. Dobson, B. Carreras, V. Lynch, and D. Newman, “An 17. E. Schweitzer, “Advancing the Quality of Protection,”
Initial Model of Complex Dynamics in Electric Power IEEE Computer Applications In Power, Vol. 11(1), January
System Blackouts,” Proceedings of the 34 th Hawaii 1998, pp. 12-13.
International Conference on System Sciences, (Jan. 3-6,