Power System Security

Syllabus: Introduction, factors affecting system security,

power system contingency analysis, and detection of network problems. Network sensitivity methods, calculation of network sensitivity factor, connecting generator dispatch by sensitivity methods, contingency ranking.

INTRODUCTION Security is an important aspect in the successful operation of a power system. System security involves many precautions and practices suitably designed, to keep the system operating, when any of its components fail. Apart from economizing the fuel cost and minimizing emission of gases like , , etc., the power system should be operationally secure.

An operationally secure power system is one with low probability of system collapse or equipment damage. If the failures are cascaded, the system as a whole or its major parts may completely collapse. This state of the system is normally referred to as blackout. All these aspects are dealt in the security constrained power system optimization (SCO). Since security and economy normally have conflicting requirements, it is inappropriate to treat them separately. They have to be dealt with together.

Incorporating security function, the utility company has to aim at economic operation. The energy management system (EMS) has to operate the system at minimum cost, with the guaranteed alleviation (reduction) of emergency conditions. The emergency condition will depend on the severity of violations of operating limits like, branch flows and bus voltage limits etc,. The most severe violations result from contingencies. Therefore, an important part of security study revolves around the power systems ability to withstand the effects of contingencies.

A particular system state is said to be secure only with reference to one or more specific contingency cases and a given set of quantities monitored for violation. Most power systems are operated in such a way that any single contingency will not leave other components heavily overloaded, so that cascading of failures are avoided. Most of the security related functions deal with static snapshots of the power system. They have to be executed at intervals compatible with the rate of change of system state. This quasi-static approach is, to a large extent, the only practical approach at present, since dynamic analysis and

optimization are considerably more difficult and computationally more time consuming. System security comprises of three major functions carried out in an energy control centre. They are, (i) system monitoring, (ii) contingency analysis, and (iii) corrective action analysis. (i) System monitoring: System monitoring supplies the power system operators or power dispatchers with pertinent up to date information on the conditions of the power system on real time basis as load and generation change.

In every substation, telemetry systems measure, monitor and transmit the data like, voltages, currents, frequency, current flows, generator outputs, transformer tap positions, the status of circuit breakers & switches in a transmission network. Digital computers then process the telemetered data and place them in a data base form and inform the operators in case of an overload or out of limit voltage. Important data are also displayed on large size monitors. Alarms or warnings are also given if required. State estimation techniques are normally used to combine telemetered data to give

the best estimate (in statistical sense) of the current system condition or state. Such systems often work with supervisory control systems to help operators to control, circuit breakers, operate switches and taps remotely. These systems together are called SCADA (supervisory control and data acquisition) systems. (ii) Contingency analysis: This is the second major security function. Modern computers installed in power station have contingency analysis programs stored in them. These programs foresee the possible system outages before they occur and alert the operators to any

potential overloads or serious voltage violations. For each outage to be studied, along with the procedures to set up the load flow data combined with a standard LF program, a simplest form of contingency analysis is employed. This allows the system operators to locate defensive operating states where no single contingency event will generate overloads and/or voltage violations. Operating constraints which may be employed in the ED (economic dispatch) and UC (unit commitment) programs can be evolved from this analysis. Thus contingency analysis carries out

emergency identification and what if simulations. (iii) Corrective action analysis: This is the third major security function. This enables the operator to change the operation of the power system if a contingency analysis program predicts a serious problem in the event of the occurrence of a certain outage. Thus it provides preventive and postcontingency control. A simple example of corrective action is the shifting of generation from one station to another. This may result in change in power flows and causes a change in loading on overloaded lines.

Thus, the three functions, (i) system monitoring, (ii) contingency analysis, and (iii) corrective action analysis together consist of a very complex set of tools that help in the secured operation of a power system.

Power System Classification /

State

Power System Static Security Levels

A formal classification of power system security levels to define relevant

functions of the Energy Management System (EMS) was developed initially. Then, a more practical static security level diagram by incorporating correctively secure (Level 2) and correctable emergency security levels (Level 4) was developed. The figure below shows such a practical static security level diagram.

Arrowed lines represent involuntary transitions between Levels 1 to 5 due to contingencies. Levels 1 and 2 represent normal power system operation. Level 1 has the ideal security but is too conservative and costly. The power system survives any of the credible

contingencies without relying on any post-contingency corrective action. Level 2 is more economical, but depends on post-contingency corrective rescheduling to alleviate (reduce) violations without loss of load, within a specified period of time. Post contingency operating limits might be different from their pre-contingency values. The removal of violations from Level 4 normally requires EMS directed corrective rescheduling or remedial action bringing the system to Level 3, from where it can return to either Level 1 or 2 by further EMS directed preventive

rescheduling depending upon the desired operational security objectives.

Power States

System

Operating

More than 99% of the time, the power system is found in its normal state. The system is said to be in normal state if, (i) all the loads are met, (ii) the frequency and bus voltage magnitudes are within the prescribed limits and (iii) no components of the power system are overloaded. Secure Normal State: The equality between generation and demand is a

fundamental prerequisite for system normalcy and is indicated by the symbol E. E refers to equality constraints i.e., the power balance and flow equations are satisfied and frequency and voltage constancy observed. Certain inequality must also be observed in the normal state. The symbol I refer to inequality constraints and imply that the system is operating within rated limits of the components i.e., generator and transformer loads must not exceed the rated values and transmission lines must not be loaded above their thermal or static stability limit.

Insecure normal state: If a system suffers from any event like, sudden increase of load, its security level reduces. Then the system would switch to insecure normal state. The E and I would still be satisfied. However, with preventive control strategy, the operator takes control actions to return the system to its normal state. Emergency State: In the insecure normal state, if some additional disturbance occurs or in normal state a major disturbance is encountered (e.g., tripping of tie line or loss of an additional generator), then the system will enter to emergency state.

In this state the system remains intact, i.e., E is still satisfied but I change to , (e.g., overloads of system components). The subscript v refers to the constraint violation. By means of corrective control (like generator rescheduling) the operator would try to relieve the transition due to normal state overload situations. If corrective control is not possible, then emergency control (like, generator major rescheduling / load shedding) is restored to. Cascade State: If the emergency control fails, then a series of cascading events may lead to the cascade (extreme) state. Typically, the system would breakup into

islands, each of which would be operating at their own frequencies. Both E and I would then changes to Ev and Iv respectively and the system will result in a blackout. Restorative State: A series of resynchronization controls are required to restart generators and gradually generators pickup the loads. This is a long process and the state of the system is called restorative state. The various transitions due to disturbances, as well as various control actions are shown in the figure below. In practice, the power system never remains in the normal state due to disturbances. Hence, preventive /

corrective control actions are required to bring back the system to the normal state.

(Various operating states and control actions of a power system)

SECURITY ANALYSIS

System security is monitored at the energy control centre by carrying out two major functions. They are, (i) Security assessment which gives the security level of the system operating state. (ii) Security control .which determines the appropriate security constrained scheduling required to optimally attain the target security level. These security functions can be executed in real time and study modes. Real time application functions require high computing speed and reliability. The static security level of a power system is characterized by the presence

of emergency operating conditions (limit violations) in its actual (pre-contingency) or potential (post-contingency) operating states. System security assessment is the process by which any such violations are detected. System security assessment involves two functions. (i) system monitoring and (ii) contingency analysis. System monitoring provides the operator with pertinent up to date information on the current conditions of the power system. In its simplest form, this just detects violations in the actual system operating state. further

Contingency analysis is much more demanding and normally performed in three distinct states i. contingency definition, ii. contingency selection and iii. contingency evaluation. Contingency definition: This gives the list of contingencies to be processed whose probability of occurrence is high. This list, which is usually large, is in terms of network changes. i.e., branch and/or injection outages. These contingencies are ranked in rough order of severity employing contingency selection algorithms to shorten the list.

Not much accuracy is required in the results. Therefore an approximate (linear) system model where results are obtained at high speed is used. Contingency evaluation is then performed (using AC power flow) on the successive individual cases in decreasing order of severity. The evaluation process is continued up to the point where no post-contingency violations are encountered. Hence, the purpose of contingency analysis is to identify the list of contingencies that, if occur, would create violations in system operating states. They are ranked in the order of severity.

Security control:

It is the second major security function. It allows the operator to change the power system operation, if the contingency analysis program predicts a serious problem indicating that certain outage may occur. Normally the security control is achieved through Security Constrained Optimization (SCO) program.

Modeling Analysis

for

Contingency

Limits on line flows and bus voltages are of most interest in contingency analysis. Since these are soft limits, developing

limited accuracy models and solutions are justified. The most fundamental approximate load flow model is the NR model shown below.

The normally preferred DC load flow model in its incremental version is shown below.

This model assumes voltages to remain constant after contingencies. However, this is not true for weak systems. The utility has to pre-specify whether it wants

to monitor post-contingency steady state conditions immediately after the outage (system inertial response) or after the automatic controls (governor, AGC, ED) have responded. Depending upon this decision, different participation factors are used to allocate the MW generation among the remaining units. The reactive problem tends to be more nonlinear and voltages are also influenced by active power flows. FDLF is normally the best for this purpose since its Jacobian matrix is constant and single line outages can be modeled using the matrix inversion lemma.

The model often used is

Contingency Selection
There are two main approaches for selection. Direct Methods These involve screening and direct ranking of contingency cases. They monitor the appropriate post-contingent quantities (flows, voltages). The severity measure is often a performance index. Indirect Methods

These give the values of the contingency case severity indices for ranking, without calculating the monitored contingent quantities directly. Simulation of line outage is more complex than a generator outage, since line outage results in a change in system configurations. The inverse matrix modification lemma (IMML) or compensation method is used throughout the contingency analysis field. The IMML helps in calculating the effects of network changes due to contingencies, without reconstructing and re-factorizing or inverting the base case network matrix. It is also possible to achieve computational economy by

getting only local solutions by calculating the inverse elements in the vicinity of the contingencies. The question is how far one should go. Some form of sensitivity analysis may be used. The problem of studying hundreds of possible outages becomes very difficult to solve if it is desired to present the results quickly so that corrective actions can be taken. One of the simplest ways of obtaining a quick calculation of possible overloads is to use network sensitivity factors. These factors show the approximate change in line flows for changes in generation on the network configuration and are derived from DC load flow.

They are of two types. 1. Generation shift distribution factors 2. Line outage distribution factors In a practical situation when a contingency causing emergency occurs, control action to alleviate (reduce) limit violations is always taken, if such a capability exists and a protective system permits time to do so. The security control function (which is normally achieved by SCO) responds to each insecure contingency case, usually in decreasing order of severity by 1. Rescheduling the pre-contingency operating state to alleviate the

2.

3.

emergency resulting from the contingency, and/or Developing a post-contingency control strategy that will eliminate the emergency, or Taking no action, on the basis that post-contingency emergency is small and/or probability of its occurrence is very low.

A specific security control function, then, is designed to 1. Operate in real time or study mode. 2. Schedule active or reactive power controls or both 3. Achieve a defined security level 4. Minimize a defined operational objective.

So far, only a small proportion of network on optimal power flow has taken into account the security constraints. The most successful applications are to the security constrained MW dispatch OPF sub-problem. The contingency constrained voltage/VAR rescheduling problem still remains to be solved to a satisfactory degree. The total number of contingency constraints imposed on SCO is enormous. The SCO or contingency constrained OPF problem is solved with or without first optimizing with respect to the base case (pre-contingency) constraints.

The general procedure adopted is as follows. 1. Contingency analysis is carried out and cases with violations or near violations are identified. 2. The SCO problem is then solved. 3. The rescheduling in Step 1 might have created new violations and therefore Step 1 should be repeated till no violations exist. Hence, SCO represents a potentially massive additional computing effort. There is still great potential for further improvement in power system security control.

Better problem formulations, theory, computer solution methods and implementation techniques are required.

CONTINGENCY ANALYSIS
In the past many widespread blackouts have occurred in interconnected power systems. Therefore, it is necessary to ensure that power systems should be operated most economically such that power is delivered reliably. Reliable operation implies that there is adequate power generation and the same can be transmitted reliably to the loads.

Most power systems are designed with enough redundancy (flexibility) so that they can withstand all major failure events. Here, the possible consequences of the two main failure events and the remedial actions required for them are explained. The events are, 1. line outages and 2. generating unit failures. To explain the problem briefly, consider the five bus system with its load flow results shown below.

AC line flow for sample 5 bus system

A power flow of 24.7 MW and 3.6 MVAR on the line from bus 2 to bus 3 can be seen. At present, only the MW loading of the line is considered. Simulation of line outage is more complex than a generator outage, since

line outage results in a change in system configurations. Examine what will happen if the line from bus 2 to bus 4 were to open. The resulting line flows and voltages are shown in line diagram below.

Post-outage AC Load Flow (Line between 2 and 4 is open)

It may be noted that the flow on the line 2 to 3 has increased to 37.5 MW and that

most of the other line flows are also changed. It may also be noted that bus voltage magnitudes also get affected, particularly at bus 4, the change is almost 2% less from 1.0236 to 1.0068 pu. Suppose the line from bus 2 to bus 5 were to open. Now the maximum change (almost 10%) in voltage is seen at bus 5.

Post-outage AC Load Flow (Line between 2 and 5 is open)

Line diagram below is an example of generator outage and is selected to explain the fact that generator outages can also result in changes in line flows and bus voltages.

Post-outage AC Load Flow (Generator 2 outage, lost generation is picked up by generator 1)

In the above case, all the generation lost from bus 2 is picked up on the generator at bus 1. Had there been more than 2 generators in the sample system say at bus 3 also, it was possible that the loss of generation on bus 2 is made up by an increase in generation at buses 1 and 3. The differences in line flows and bus voltages would show how the lost generation is shared by the remaining units is quite significant. It is important to know which line or unit outages will render line flows or voltages to cross the limits. To find the effects of outages, contingency analysis techniques are employed. Contingency analysis models,

single failure events i.e., one line outages or one unit outages) or multiple equipment failure events (failure of multiple unit or lines or their combination) one after another until all credible outages are considered. For each outage, all lines and voltages in the network are checked against their respective limits. The flow chart below illustrates the method for carrying out a contingency analysis.

One of the important problems is the selection of all credible outages. Execution time to analyze several thousand outages is typically 1 min. An approximate model such as DC load flow may be used to get speedy solution. If voltage is also required, then full AC load flow analysis has to be carried out.

SENSITIVITY FACTORS
A security analysis program is run in a load dispatch centre of power system. The program is run very quickly to help the system operators. Speedy analysis can be done by developing an approximate system model and using a

computer having multiple processors or vector processors. The system may be adequately described. An equivalent should be used for neighboring systems connected through tie-lines. All non-violation cases are eliminated and complete exact program is run for critical cases only. This can be done by using techniques such as contingency selection or contingency screening or contingency ranking. Thus, it will be easy to warn the system operators in advance and alert them to take corrective action if one or more outages result in serious overloads or any violations.

One of the simplest ways to present a quick calculation of possible overloads is to employ linear network sensitivity factors. These factors give the approximate change in line flows for changes in generation in the system and can be calculated from the DC load flow. Sensitivity factors are mainly of two types. 1. Generation shift factors 2. Line outage distribution factors Use of these factors is described below. 1. The generation shift factors These are denoted by as and are defined

where, = Change in MW power flow on line when a change in generation, takes place at the bus. Here, it is assumed that is fully compensated by an equal and opposite change in generation at the slack (reference) bus, with all other generators remaining fixed at their original power generations. The factor then gives the sensitivity of the line flow to a change in generation at bus. Now, let a large generating unit outage occurs and assume that all the lost

generation would be supplied by the slack bus generation. Then,

and the new power flow on each line could be calculated using a precalculated set of factors as given below.

The values of line flows obtained from this equation can be compared to their limits and those violating their limit can be informed to the operator for necessary control action.

The generation shift sensitivity factors are linear estimates of the change in line flow with a change in power at a bus. Thus, the effects of simultaneous changes on a given number of generating buses can be computed using the principle of superposition. Assume that the loss of the generator is to be made up by governor action on all generators of the interconnected system and pick up in proportion to their maximum MW ratings. Thus, the proportion of generation pick up from unit k (k i) would be

where, = maximum MW rating for generator = proportionality factor for pick up unit when unit fails. line flow, the

on

Now, for checking the flow equation is,

In the equation, it is assumed that no unit will violate its maximum limit. For unit limit violation, algorithm can easily be modified.

Line outage factors

distribution

The line outage distribution factors can be used for checking if the line overloads when some of the other lines are lost. The line outage distribution factor is defined as,

where, = line outage distribution factor when monitoring line after an outage of line. = change in MW flow on line.

= pre-contingency line flow on line. If pre-contingency line flows on lines 1 and i, the power flow on line l with line i can be found out employing d factors.

Here, = pre-contingency or preoutage flows on lines l and i respectively, = power flow on out. Thus one can check quickly by precalculating d factors for all the lines for line with line

overloading for the outage of a particular line. This can be repeated for the outage of each line one by one and overloads can be found out for corrective action. Note that a line flow can be positive or negative. Hence, f should be checked against as well as . Line flows can be found out using telemetry systems or with state estimation techniques. If the network undergoes any significant structural change, the sensitivity factors must be updated.

Example:

Find the generation shift factors and the line outage distribution

factors for the five bus sample network discussed earlier.

Solution:
Table 1. The [x] matrix for the five bus sample system. Bus 1 is reference.

Table 2. The generation shift distribution factors.

Table 3. The line outage distribution factors.

The line flows calculated by the sensitivity methods, are reasonably close to the values calculated by the full AC load flows. However, the calculations carried out by sensitivity methods are faster than those made by full AC load flow methods. Therefore they are used for real time monitoring and control of

power systems. However, where reactive power flows are mainly required, a full AC load flow method (NR / FDLF) is preferred for contingency analysis. The simplest AC security analysis procedure merely needs to run an AC load flow analysis for each possible unit, line and transformer outage. One normally does ranking or short listing of most likely bad cases which are likely to result in an overload or voltage limit violation and other cases need not be analyzed. Any good PI (performance index) can be selected and is used for ranking. One such PI is

For large n, PI will be a small number if all line flows are within limit and will be large if one or more lines are overloaded. For n = 1 exact calculations can be done for PI. PI table can be ordered from largest value to least. Suitable number of candidates then can be chosen for further analysis. If voltages are to be included, then the following PI can be employed.

Here, is the difference between the voltage magnitudes as obtained at the

end of the 1P1Q FDLF algorithm. is the value fixed by the utility. Largest value of PI is placed at the top. The security analysis may now be started for the desired number of cases down the ranking list.

8.7 POWER SYSTEM SECURITY By power system security, we understand a qualified absence of risk of disruption of continued system operation. Security may be defined from a control point of view as the probability of the system's operating point remaining in a viable state space, given the probabilities of changes in the system (contingencies) and its environment (weather, customer demands, etc.).

Security can be defined in terms of how it is monitored or measured, as the ability of a system to withstand without serious consequences any one of a preselected list of credible disturbances (contingencies). Conversely, insecurity at any point in time can be defined as the level of risk of disruption of a system's continued operation. Power systems are interconnected for improved economy and availability of supplies across extensive areas. Small individual systems would be individually more at risk, but widespread disruptions would not be possible. On the other hand, interconnections make widespread disruptions possible.

Operation of interconnected power systems demands nearly precise synchronism in the rotational speed of many thousands of large interconnected generating units, even as they are controlled to continuously follow significant changes in customer demand. There is considerable rotational energy involved, and the result of any cascading loss of synchronism among major system elements or subsystems can be disastrous. Regardless of changes in system load or sudden disconnection of equipment from the system, synchronized operation

requires proper functioning of machine governors, and that operating conditions of all equipment remain within physical capabilities. The risk of cascading outages still exists, despite improvements made since the 1965 northeast blackout in the United States. Many factors increase the risks involved in interconnected system operation: Wide swings in the costs of fuels result in significant changes in the geographic patterns of generation relative to load. This leads to transmission of electric energy over longer distances in patterns other than those for which the transmission networks had been originally designed. Rising costs due to inflation and increasing environmental concerns constrain any relief through further transmission construction. Thus, transmission, as well as generation, must be operated closer to design limits, with smaller safety (security)

margins. Relaxation of energy regulation to permit sales of electric energy by independent power producers, together with increasing pressure for essentially uncontrolled access to the bulk power transmission network. Development of the Concept of Security Prior to the 1965 Northeast blackout, system security was part of reliability assured at the system planning stage by providing a strong system that could ride out any credible disturbances without serious disruption. It is no longer economically feasible to design systems to this standard. At that time, power system operators made sure that sufficient spinning reserve was on line to cover unexpected load increases or potential loss of generation and to examine the impact of removing a line or other apparatus for maintenance. Whenever possible, the operator attempted to maintain a desirable voltage profile by balancing VARs in the system.

Security monitoring is perceived as that of monitoring, through contingency analysis, the conditional transition of the system into an emergency state. Two Perspectives of Security Assessment There is a need to clarify the roles of security assessment in the