
Table 4.4: Failure modes, effects analysis and detection methods for the test system

The original table has seven columns: Equipment; Function; Failure mode(s); Failure cause(s); Failure effect(s), split into local effect(s) and system effect(s); and Detection method. It is laid out below per equipment, with the function stated once and one entry per failure mode. Where a failure mode has several causes, the detection method (and, where it differs, the local effect) is given per cause in parentheses; "–" marks a cell left empty in the original.

Equipment: Bus
Function: collect electric energy from the incoming feeders and distribute it to the outgoing feeders.

Failure mode: Loss of electrical efficiency
  Cause(s): moisture, humidity
  Local effect(s): short circuits
  System effect(s): short circuits; decrease of power quality
  Detection method: visual inspection

Failure mode: Loss of structural integrity
  Cause(s): fracture of the copper bar; break of the support insulators; human sabotage; cracking of connection welds
  Local effect(s): bus bar break; no electrical connection
  System effect(s): no energy supply from the faulty bus; possible unstable conditions in the power system
  Detection method: infrared thermographic scanning (copper bar fracture, insulator break, weld cracking); physical surveillance (human sabotage)

Failure mode: Loss of electrical continuity
  Cause(s): degradation of the physical structure
  Local effect(s): arc flash
  System effect(s): possible unstable conditions in the power system; decrease of power quality
  Detection method: infrared thermographic scanning (not the best solution)

Failure mode: Electrical disturbances
  Cause(s): short circuits between bus bars; harmonics; ohmic heating (overload)
  Local effect(s): short circuits (short circuits between bus bars); increase of energy losses (ohmic heating)
  System effect(s): short circuits; decrease of power quality
  Detection method: power relays detection, signal quality analysis (short circuits between bus bars); signal analysis (harmonics, ohmic heating)

Equipment: Cable
Function: carry load and fault current safely and reliably, without overheating or causing damage to the environment.

Failure mode: Insulation failure
  Cause(s): insulation aging
  Local effect(s): short circuits
  System effect(s): grid operation outside of the optimal operating conditions; short circuits
  Detection method: electrical test

Failure mode: Cable integrity defect
  Cause(s): manufacturing imperfection; incorrect installation; lightning; cable breakdown (human sabotage)
  Local effect(s): decrease of power quality; no energy supply (manufacturing imperfection, incorrect installation); excessive heat (saturation), line jumping, cable breakdown (lightning); line jumping, cable breakdown (human sabotage)
  System effect(s): grid operation outside of the optimal operating conditions; power quality decrease; no energy supply from the faulty cable; short circuits; loss of efficiency
  Detection method: electrical test and quality assessment (manufacturing imperfection); visual inspection (incorrect installation); weather monitoring (lightning, cable breakdown)

Failure mode: Electrical operation failure
  Cause(s): overload; short circuit transients; shield damage; moisture
  Local effect(s): excessive heat (saturation) (overload, short circuit transients); loss of efficiency (shield damage); decrease of volume resistivity and dielectric strength in XLPE insulation (moisture)
  System effect(s): grid operation outside of the optimal operating conditions; loss of efficiency; decrease of power quality
  Detection method: electrical monitoring (overload); power relays detection, signal analysis (short circuit transients); current signal analysis (shield damage); visual inspection, electrical tests (moisture)

Equipment: CB (circuit breaker)
Function: protect an electrical circuit from damage; interrupt current flow after a fault is detected.

Failure mode: Insulation failure
  Cause(s): loss of dielectric properties
  Local effect(s): inability to open and/or close circuit with fault currents
  System effect(s): possible damage in other equipment; concerns about physical securities; grid operation outside of the optimal operating conditions
  Detection method: electrical test

Failure mode: Wrong operation (spurious opening and closure)
  Cause(s): improper manual installation; improper sizing
  Local effect(s): spurious or improper opening or closure; power quality decrease
  System effect(s): possible downstream grid disconnection; possible damage in other equipment; power system instability; power quality decrease
  Detection method: inspection after installation (improper manual installation); visual inspection, operational test (improper sizing)

Failure mode: Overload
  Cause(s): wrong current cut
  Local effect(s): –
  System effect(s): possible downstream grid disconnection; power system instability
  Detection method: signal analysis

Failure mode: Bushing breakdown
  Cause(s): lightning; external short circuit
  Local effect(s): phase to ground internal fault
  System effect(s): possible damage in other equipment; concerns about physical securities; grid operation outside of the optimal operating conditions
  Detection method: weather monitoring (lightning); power relays detection, signal analysis (external short circuit)

Failure mode: Bushing terminal hot spot
  Cause(s): heat, oxidation, acidity and moisture; mechanical stress due to external short circuit conditions
  Local effect(s): CB damage; inability to open and/or close circuit with fault currents
  System effect(s): possible damage in other equipment; concerns about physical securities; grid operation outside of the optimal operating conditions
  Detection method: periodic visual inspection (heat, oxidation, acidity and moisture); operational test (mechanical stress)

Failure mode: Loss of dielectric strength in bushings
  Cause(s): heat, oxidation, acidity and moisture
  Local effect(s): short circuits to ground; CB damage; inability to open and/or close circuit with fault currents
  System effect(s): possible damage in other equipment; concerns about physical securities; grid operation outside of the optimal operating conditions
  Detection method: sensors for leakage currents, power factor and capacitance tests

Failure mode: Mechanical failure in operating mechanism
  Cause(s): corrosion; dirt/contamination; lack of lubrication
  Local effect(s): inability to open and/or close circuit with fault currents
  System effect(s): possible damage in other equipment; concerns about physical securities; grid operation outside of the optimal operating conditions
  Detection method: visual inspection, operational test (all three causes)

Failure mode: Contacts degradation
  Cause(s): contact wear; electrical treeing (partial discharges)
  Local effect(s): CB damage; inability to open and/or close circuit with fault currents
  System effect(s): possible damage in other equipment; concerns about physical securities; grid operation outside of the optimal operating conditions
  Detection method: visual inspection, operational test (contact wear); infrared thermographic scanning (electrical treeing)

Equipment: Transformer
Function: step up or step down and provide a secondary output voltage which is within statutory limits.

Failure mode: Bushing breakdown
  Cause(s): lightning; external short circuit
  Local effect(s): phase to ground internal fault; transformer damage
  System effect(s): decrease of power quality; wrong output power; short circuits in power network
  Detection method: weather monitoring (lightning); power relays detection, signal analysis (external short circuit)

Failure mode: Bushing terminal hot spot
  Cause(s): heat, oxidation, acidity and moisture; mechanical stress due to external short circuit conditions
  Local effect(s): internal short circuits; transformer damage
  System effect(s): decrease of power quality; wrong output power; short circuits in power network
  Detection method: visual inspection (heat, oxidation, acidity and moisture); operational test (mechanical stress)

Failure mode: Loss of dielectric strength in bushings
  Cause(s): heat, oxidation, acidity and moisture
  Local effect(s): internal short circuits; transformer damage
  System effect(s): system losses increase; decrease of power quality
  Detection method: sensors for leakage currents, power factor and capacitance tests

Failure mode: Magnetic-core delamination
  Cause(s): harmonics; corrosion
  Local effect(s): degraded operation of the transformer
  System effect(s): power network operation outside of optimal operating conditions
  Detection method: signal analysis (harmonics); operational test (corrosion)

Failure mode: Winding overheating
  Cause(s): overload
  Local effect(s): overheating; loss of efficiency; explosion
  System effect(s): increase of system losses; catastrophic event (fire, explosions, ...)
  Detection method: signal analysis

Failure mode: Tap changer mechanical failure in drive mechanism
  Cause(s): corrosion; dirt/contamination; friction
  Local effect(s): wrong output power
  System effect(s): power network operation outside of optimal operating conditions
  Detection method: visual inspection (all three causes)

Failure mode: Tap changer contacts degradation
  Cause(s): contact wear; electrical treeing (partial discharges)
  Local effect(s): wrong output power
  System effect(s): power network operation outside of optimal operating conditions
  Detection method: operational test (contact wear); infrared thermographic scanning (electrical treeing)

Failure mode: Tank rupture
  Cause(s): vibration-induced damage; corrosion; cracking of welds
  Local effect(s): overheating and damage in surrounding components due to oil leakage; loss of transformer function
  System effect(s): possible downstream network disconnection; no energy supply
  Detection method: sensor detection (vibration-induced damage); visual inspection (corrosion); infrared thermographic scanning (cracking of welds)

Failure mode: Windings isolation degradation
  Cause(s): short circuits and overloads; oil contamination; oil moisture
  Local effect(s): flashover of the windings or breakdown
  System effect(s): power network operation outside of optimal operating conditions
  Detection method: power relays detection, signal analysis, infrared thermographic scanning (thermal analysis) (short circuits and overloads); oil analysis (oil contamination, oil moisture)

Failure mode: Distortion, loosening or displacement of the windings
  Cause(s): short circuits
  Local effect(s): internal short circuits; transformer damage
  System effect(s): decrease of power quality; wrong output power; short circuits in power network; power network operation outside of optimal operating conditions
  Detection method: power relays detection, signal analysis, capacitance change

Failure mode: Transformer explosion
  Cause(s): human sabotage; internal short circuit; overheating
  Local effect(s): serious damage in the substation; personnel injuries or death
  System effect(s): possible downstream network disconnection; no energy supply
  Detection method: physical surveillance (human sabotage); signal analysis (internal short circuit); infrared thermographic scanning (overheating)

Failure mode: Cooling system failure
  Cause(s): cooling pipes obstruction; damaged fans
  Local effect(s): overheating; degraded operation of the transformer; possible transformer explosion
  System effect(s): possible downstream network disconnection; no energy supply
  Detection method: infrared thermographic scanning (both causes)

Equipment: HMI
Function: primary tool by which operators coordinate and control the grid.

Failure mode: Operational failure
  Cause(s): poor communication between HMI and other cyber components; human error; poor software design
  Local effect(s): impossibility to monitor and/or control the grid in real time via manual operation; wrong control commands; inability to execute manual actions
  System effect(s): no system monitoring; corrective and/or preventive manual commands are not properly executed, or can even be impossible to execute
  Detection method: real-time monitoring (poor communication); – (human error); software malfunctions detection (poor software design)

Failure mode: Power outage
  Cause(s): remote disconnection of power
  Local effect(s): HMI disconnection from the communication network; impossibility to monitor and/or control the grid in real time by manual operation
  System effect(s): no system monitoring; corrective and/or preventive manual commands are not properly executed, or can even be impossible to execute
  Detection method: loss of power; HMI blackout

Failure mode: Security failure (cyberattacks)
  Cause(s): direct human intrusion: faulty commands; human vengeance
  Local effect(s): loss of integrity
  System effect(s): EMS applications run under inadvertent commands; inadvertent operations in the power system, which can lead to partial losses of energy; possible blackout
  Detection method: erroneous/illogical commands made without operator's consent; firewall block; attempt to pass the firewall (direct human intrusion); – (human vengeance)

Equipment: SW (switch)
Function: hardware device that centralizes communications among multiple connected devices and selects paths to transfer information inside the cyber network through network connections.

Failure mode: Performance decrease
  Cause(s): multicast traffic; blocking (high traffic loads)
  Local effect(s): communication network congestion; delays in data transfer
  System effect(s): delay in system response; EMS applications are compromised due to low communication performance
  Detection method: network congestion (multicast traffic); inspection after installation (blocking)

Failure mode: Operational failure (SW blackout)
  Cause(s): bad SW configuration or SW malfunction; SW is locked up; module failure
  Local effect(s): corrupted data; poor data processing; incorrect SW function (bad configuration or malfunction); network congestion; loss of access to database (if central SW fails) (SW locked up, module failure)
  System effect(s): decrease in communication network performance; EMS applications fail or are compromised (non-optimal asset management)
  Detection method: uncontrollable SW cyber-network system (bad configuration or malfunction); SW blackout (SW locked up, module failure)

Failure mode: Network/cyber storm
  Cause(s): broadcast of excessive amount of messages in uncontrollable way (misleading information)
  Local effect(s): communication network becomes unavailable to redirect the important data for the system operation; large volume of data saturating the network capacity; major consumption of processor computation resources
  System effect(s): EMS applications fail or are compromised (non-optimal asset management); decrease in communication network performance
  Detection method: broadcast of excessive amount of data detection

Failure mode: Power outage
  Cause(s): remote disconnection of power
  Local effect(s): switch disconnection from communication network
  System effect(s): EMS applications fail or are compromised
  Detection method: loss of power; SW blackout

Failure mode: Security failure (cyberattacks)
  Cause(s): faulty signal injections
  Local effect(s): loss of data integrity
  System effect(s): EMS applications run under fallacious information; inadvertent operations in the power system
  Detection method: firewall block; attempt to pass the firewall; suspicious system behaviour; existence of corrupted data

Equipment: SV (server)
Function: computing system platform used for various network communication applications; computer program or device that provides functionality for other programs or devices.

Failure mode: Data overload
  Cause(s): lower storage capacity or unexpected large amount of data to store
  Local effect(s): large amount of data is lost; defective storage of data
  System effect(s): EMS applications are compromised
  Detection method: SV has low data storage capacity

Failure mode: Hardware crash
  Cause(s): overheating and high humidity; hard drive crash; hardware sabotage; physical disaster (such as fire, earthquake, lightning or flooding)
  Local effect(s): impossibility to access the system's information
  System effect(s): SCADA system failure; IT malfunction; EMS applications fail or are compromised
  Detection method: temperature monitoring (overheating and high humidity); SV blackout (hard drive crash); physical surveillance (hardware sabotage); weather monitoring (physical disaster)

Failure mode: Data errors
  Cause(s): software malfunction
  Local effect(s): impossibility to access the system's information
  System effect(s): IT malfunction; EMS applications fail or are compromised
  Detection method: unexpected behaviour

Failure mode: Power outage
  Cause(s): remote disconnection of power
  Local effect(s): impossibility to access the system's information
  System effect(s): SCADA system failure; EMS applications fail or are compromised
  Detection method: loss of power

Failure mode: Security failure
  Cause(s): denial of service attack (DoS); hacking for sensitive data; malicious software infection
  Local effect(s): loss of data integrity; deleted or corrupted information
  System effect(s): EMS applications run under fallacious information; inadvertent operations in the power system; loss of integrity
  Detection method: firewall block; attempt to pass the firewall; suspicious system behaviour (all three causes)

Equipment: EB (energy box / smart meter)
Function: electronic device used to record and communicate electric energy consumption for monitoring and controlling purposes.

Failure mode: Communication error
  Cause(s): poor signal with SV
  Local effect(s): defective or even no transmission of data
  System effect(s): EMS applications run under lack of information (non-optimal asset management); inadvertent operations in the power system
  Detection method: inability to get EB reading

Failure mode: Power consumption misreading
  Cause(s): manual manipulation; significant measurement error, or even inability to measure power consumption
  Local effect(s): incorrect data acquisition
  System effect(s): EMS applications run under lack of information (non-optimal asset management); loss of efficiency; loss of power quality
  Detection method: record of abrupt drop in power supply; comparison between registered and expected load diagrams (manual manipulation); comparison between registered and expected load diagrams (measurement error)

Failure mode: Operation failure
  Cause(s): improper EB programming and parameterization; erroneous installation; power supply failure
  Local effect(s): incorrect data acquisition, or even no data acquisition (programming, installation); no data acquisition (power supply failure)
  System effect(s): EMS applications run under lack of information (non-optimal asset management); inadvertent operations in the power system
  Detection method: comparison between registered and expected load diagrams (programming and parameterization); EB test and quality assessment (erroneous installation); – (power supply failure)

Failure mode: 'Catastrophic' failure (burning, melting or explosion)
  Cause(s): temperature stress
  Local effect(s): degradation of surrounding smart meter components; personnel injuries or death
  System effect(s): EMS applications run under lack of information (non-optimal asset management)
  Detection method: temperature monitoring

Failure mode: Security failure
  Cause(s): hacking for personnel sensitive information or faulty information injection (cyberattack)
  Local effect(s): loss of data integrity
  System effect(s): energy management applications are based on fallacious information
  Detection method: attempt to pass the SM security system; existence of corrupted data

Equipment: IED
Function: interface device responsible for collecting data from the electrical equipment and receiving and applying a control command from the operator.

Failure mode: Communication failure
  Cause(s): damaged transducers; poor communication between IED and remaining cyber-network; signal processing error (corrupted data)
  Local effect(s): incorrect data processing due to erroneous or incomplete data acquisition; inadequate processing of data; inability to communicate with control center unit
  System effect(s): corrupted communications; EMS applications fail or are compromised (non-optimal asset management); decrease in communication network performance; SCADA system failure
  Detection method: inability to establish communication with IED (all three causes)

Failure mode: Network/cyber storm
  Cause(s): –
  Local effect(s): communication network becomes unavailable to redirect the important data for the system operation; large volume of data saturating the network capacity; major consumption of processor computation resources
  System effect(s): corrupted communications; EMS applications fail or are compromised (non-optimal asset management); decrease in communication network performance; SCADA system failure
  Detection method: broadcast of excessive amount of data detection

Failure mode: Monitoring failure
  Cause(s): I/O port damage; significant measurement error
  Local effect(s): no power component status monitoring (I/O port damage); error in monitoring power components (measurement error)
  System effect(s): EMS applications fail or are compromised (non-optimal asset management); SCADA system failure
  Detection method: loss of data (I/O port damage); incongruous or corrupted data (measurement error)

Failure mode: Control failure
  Cause(s): inability to apply control commands; software error (defective data processing)
  Local effect(s): inability to control power system operation
  System effect(s): EMS applications fail or are compromised; SCADA system failure
  Detection method: operational test (both causes)

Failure mode: Power outage
  Cause(s): remote disconnection of power
  Local effect(s): IED disconnection from cyber and power network; inability to communicate with control center unit
  System effect(s): EMS applications fail or are compromised; loss of control in the downstream network area; SCADA system failure
  Detection method: loss of power

Failure mode: Security failure
  Cause(s): hacking for personnel sensitive information; faulty information injection (cyberattack)
  Local effect(s): loss of integrity
  System effect(s): EMS applications run under fallacious information; loss of integrity; SCADA system failure
  Detection method: firewall block; attempt to pass the firewall; existence of corrupted data (both causes)

Equipment: Network link - Ethernet
Function: physical component responsible for assuring a message is sent from one network node to another node (local distances).

Failure mode: Cross talk (overload)
  Cause(s): excessive traffic/congestion of packets
  Local effect(s): delays in data communication; corrupted signal
  System effect(s): deterioration of communication network performance; EMS applications are compromised
  Detection method: deterioration in communication network performance

Failure mode: Network link integrity defect
  Cause(s): manufacturing imperfection; RJ45 degradation; incorrect installation
  Local effect(s): delays in data communication; no data transmission
  System effect(s): EMS applications are compromised (non-optimal asset management); decrease in communication network performance
  Detection method: electrical test and quality assessment (manufacturing imperfection); visual inspection (RJ45 degradation); inspection after installation (incorrect installation)

Failure mode: Network link breakdown
  Cause(s): external damage (accidents)
  Local effect(s): cable break; loss of communication between cyber-equipment
  System effect(s): EMS applications are compromised (non-optimal asset management); decrease in communication network performance
  Detection method: no communication

Equipment: Network link - optical fiber
Function: physical component responsible for assuring a message is sent from one network node to another node (long distances).

Failure mode: Fracture
  Cause(s): stress, corrosion or fatigue due to microcracks
  Local effect(s): no data transmission
  System effect(s): deterioration of communication network performance; EMS applications fail or are compromised
  Detection method: no communication

Failure mode: Lead-bonds degradation in plated contacts
  Cause(s): temperature stress
  Local effect(s): delays in data communication; corrupted signal
  System effect(s): deterioration of communication network performance; EMS applications fail or are compromised
  Detection method: visual inspection; communication problems

Failure mode: Humidity
  Cause(s): electro-chemical induced oxidation of transmitters and receivers
  Local effect(s): delays in data communication; corrupted signal; no data transmission
  System effect(s): deterioration of network performance; EMS applications fail or are compromised
  Detection method: no communication
4.4 Failure Rates of Failure Modes

In order to obtain the final FMEA table with an RPN for each failure mode, the failure rates of the power and cyber equipment must be distributed among the failure modes defined in Section 4.2.

A review of the literature confirmed the lack of this kind of data for power and cyber equipment. Even the data found at EDP Distribuição, a company with interests in the field, was inconclusive. In this dissertation, to work around this problem, the equipment failure rates defined in Tables 4.1 and 4.3 are subjectively split into failure-mode rates.

A failure rate distribution is proposed in Tables 4.5 and 4.6 for power and cyber equipment, respectively.

Table 4.5: Proposed failure rates for power equipment's failure modes

Equipment         Failure mode                                            Failure distribution [%]   Failure rate [f/yr]   OCC
Bus               Loss of electrical efficiency                           25                         0,0025                4
Bus               Loss of structural integrity                            50                         0,005                 5
Bus               Loss of electrical continuity                           10                         0,001                 4
Bus               Electrical disturbances                                 15                         0,0015                4
Cable             Insulation failure                                      10                         0,0108                5
Cable             Cable integrity defect                                  50                         0,054                 7
Cable             Electrical operation failure                            40                         0,0432                6
Circuit Breaker   Insulation failure                                      10                         0,0023                4
Circuit Breaker   Wrong operation (spurious opening or closing)           15                         0,0035                5
Circuit Breaker   Bushing breakdown                                       5                          0,0012                4
Circuit Breaker   Bushing terminal hot spot                               10                         0,0023                4
Circuit Breaker   Loss of dielectric strength                             5                          0,0012                4
Circuit Breaker   Mechanical failure in operating mechanism               35                         0,0081                5
Circuit Breaker   Contacts degradation                                    20                         0,0046                5
Transformer       Bushing breakdown                                       10                         0,001                 4
Transformer       Bushing terminal hot spot                               15                         0,0015                4
Transformer       Loss of dielectric strength in bushings                 10                         0,001                 4
Transformer       Magnetic-core delamination                              7,5                        0,00075               4
Transformer       Winding overheating                                     12,5                       0,00125               4
Transformer       Tap changer mechanical failure in drive mechanism       5                          0,0005                3
Transformer       Tap changer contacts degradation                        2,5                        0,00025               3
Transformer       Tank rupture                                            2                          0,0002                3
Transformer       Windings' isolation degradation                         15                         0,0015                4
Transformer       Distortion, loosening or displacement of the windings   15                         0,0015                4
Transformer       Transformer explosion                                   0,5                        5E-05                 1
Transformer       Cooling system failure                                  5                          0,0005                3
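As an added worked example (not code from the dissertation), the split of Table 4.5 is reproduced below: each equipment failure rate is multiplied by the share of every failure mode, the shares of each group are checked to sum to 100 %, and every tabulated rate is checked against the exact product to within half a unit of its last printed digit. The equipment-level rates (0.01, 0.108, 0.023 and 0.01 f/yr for bus, cable, circuit breaker and transformer) come from Tables 4.1 and 4.3, which are not on this page; they are assumptions read back from the table, and the OCC column is left as given since the rating scale is not on this page.

```python
from decimal import Decimal

# Equipment-level failure rates [f/yr]: assumptions read back from Table 4.5
# (the dissertation takes them from Tables 4.1 and 4.3, which are not reproduced here).
EQUIPMENT_RATE = {"Bus": "0.01", "Cable": "0.108", "Circuit Breaker": "0.023", "Transformer": "0.01"}

# Rows re-typed from Table 4.5: (failure mode, share [%], tabulated rate [f/yr], OCC).
TABLE_4_5 = {
    "Bus": [("Loss of electrical efficiency", "25", "0.0025", 4),
            ("Loss of structural integrity", "50", "0.005", 5),
            ("Loss of electrical continuity", "10", "0.001", 4),
            ("Electrical disturbances", "15", "0.0015", 4)],
    "Cable": [("Insulation failure", "10", "0.0108", 5),
              ("Cable integrity defect", "50", "0.054", 7),
              ("Electrical operation failure", "40", "0.0432", 6)],
    "Circuit Breaker": [("Insulation failure", "10", "0.0023", 4),
                        ("Wrong operation (spurious opening or closing)", "15", "0.0035", 5),
                        ("Bushing breakdown", "5", "0.0012", 4),
                        ("Bushing terminal hot spot", "10", "0.0023", 4),
                        ("Loss of dielectric strength", "5", "0.0012", 4),
                        ("Mechanical failure in operating mechanism", "35", "0.0081", 5),
                        ("Contacts degradation", "20", "0.0046", 5)],
    "Transformer": [("Bushing breakdown", "10", "0.001", 4),
                    ("Bushing terminal hot spot", "15", "0.0015", 4),
                    ("Loss of dielectric strength in bushings", "10", "0.001", 4),
                    ("Magnetic-core delamination", "7.5", "0.00075", 4),
                    ("Winding overheating", "12.5", "0.00125", 4),
                    ("Tap changer mechanical failure in drive mechanism", "5", "0.0005", 3),
                    ("Tap changer contacts degradation", "2.5", "0.00025", 3),
                    ("Tank rupture", "2", "0.0002", 3),
                    ("Windings' isolation degradation", "15", "0.0015", 4),
                    ("Distortion, loosening or displacement of the windings", "15", "0.0015", 4),
                    ("Transformer explosion", "0.5", "5E-05", 1),
                    ("Cooling system failure", "5", "0.0005", 3)],
}

def distribute(equipment_rate, shares):
    """Split an equipment failure rate [f/yr] over its failure modes by share [%], as exact decimals."""
    rate = Decimal(str(equipment_rate))
    return {mode: rate * Decimal(str(pct)) / Decimal(100) for mode, pct in shares}

def shares_sum(rows):
    """Sum of the shares of one equipment group; a valid distribution sums to exactly 100 %."""
    return sum(Decimal(pct) for _, pct, _, _ in rows)

def tabulated_matches(tabulated, exact):
    """True when the printed value equals the exact product up to half a unit of its last printed digit,
    so '0.0035' accepts 0.00345 while '5E-05' is held to five decimals."""
    printed = Decimal(tabulated)
    half_ulp = Decimal(10) ** printed.as_tuple().exponent / 2
    return abs(printed - exact) <= half_ulp

def check_table(table=TABLE_4_5, equipment_rates=EQUIPMENT_RATE):
    """Return the (equipment, problem) pairs whose rows are inconsistent with the share-based split."""
    bad = []
    for equipment, rows in table.items():
        if shares_sum(rows) != 100:
            bad.append((equipment, "shares do not sum to 100 %"))
        exact = distribute(equipment_rates[equipment], [(m, p) for m, p, _, _ in rows])
        for mode, _, rate, _ in rows:
            if not tabulated_matches(rate, exact[mode]):
                bad.append((equipment, mode))
    return bad

if __name__ == "__main__":
    print("inconsistent rows:", check_table())
```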
