The ongoing digitalisation of the power distribution grid will improve the operational support and automation that is believed to increase the system reliability. However, in an integrated and interdependent cyber-physical system, new threats appear which must be understood and dealt with.
The integrated Information and Communication Technology (ICT) and Power Grid (PG) system is defined to include the Distribution Management System (DMS), the data communication network, the software in the Intelligent Electronic Devices (IEDs), and physical elements in the power grid (breakers, power lines and disconnectors).
Of concern and interest are the causes and consequences of an inconsistent view between the physical PG and the ICT system. The article this post is based on, proposes a modelling approach to assess the overall dependability of a smart distribution grid (SDG), which is operated by an advanced digital surveillance and control system with distributed sensors and controllers.
Why do we need to assess the inconsistencies between DMS view and IED state?
The DMS depends on a correct view of the state of physical devices (and power flows and voltage quality). Correct state view is crucial for the controller to trigger the correct action and to change the state of the electric grid when needed, as well as for the human operators to correctly assess the state of the grid.
In figure 1(a) a principle sketch of the system considered in this case is given. IEDs are assumed to contain sensors (s) and a controller (c), which might be both interconnected and connected to a surveillance and control system via a communication network. Therefore, the state of the electronic device is observed by a sensor. In a centralised system, the sensor signals from all devices are sent via the communication network to the surveillance and control system, which processes and decides appropriate actions to change the state of the electronic device accordingly (or other actions to restore power supply, regulate voltage, change the power flow). A control message is then sent to each of the IEDs via the same communication network to activate the action.
Figure 1(b) shows an example of (vertical) inconsistencies (in red) between the surveillance and control view and the state of a physical disconnector position of an IED. The disconnector can be closed, while the surveillance and control system believe it is open, and vice versa.
Taxonomy for evaluation of smart distribution grids
We introduce the necessary terminology to describe the causes of failures in such an integrated system, and the consequences of inconsistencies between ICT view and state of the power grid.
The continuously running software instances on an IED, and in a surveillance and control system is typically stateful with an internal state that dynamically evolved over a sequence inputs (sensor data and controller commands). The subsystem in the ICT part of figure 2 (a Moore/Mealy model) illustrates that any combination of a wrong input signal (sensor data 1), a misconfiguration (2), or a faulty logic of the software (3), will introduce an error in the state space of the software, or an inconsistency (4) in the data of the system. This will again lead to a wrong output signal (5) (a control command). Note that the fault activation may be conditioned by a specific set of internal states of the software, and hence, it is the combination of the internal state and the input signal, logic, and configuration, which causes the fault activation.
Failure causes classification for SDGs
Various failure causes (denoted faults in the ICT terminology) might affect different parts of the system in figure 1(a). In Norway, all faults are reported in the national data management system (FASIT), classified according to well specified failure cause categories. In a combined ICT and power grid system, alternative classifications of failure causes apply, and in this article, we use external and internal failure causes.
External failure causes: environment (weather-related causes), operating stresses (stresses above critical level such as excessive load of the ICT system), human errors performed by people outside of the organisation either intended (malicious attack and intrusion) or unintended.
Internal failure causes: related to components themselves or the grid or telecom operator. It includes internal fault in equipment (such as a stuck disconnector), or interaction or operational mistakes, accidentally made by staff or hired personnel that are operating or maintaining a system. These failure causes (faults) are:
- Permanent (solid, persistent) – fault will remain unless it is removed by some intervention.
- Transient (present short time) – fault disappears without intervention. A transient fault for instance on a power line will disappear after an automatic reclosure of the circuit breaker.
- Intermittent (comes and goes) – transient fault that recurs. It can develop into a permanent fault, e.g., a crack in an insulator that results in flash-over in damp weather.
- Design (logical) – are human made faults during specification, design and implementation of hardware and software.
- Software faults commonly referred to as bugs (Bohr (permanent, consistent) and Mandelbugs/Heisenbugs (transient)), and are logical mistakes or inadequacy introduced during specification design and implementation, in configuration and installation/deployment, or in running instantiation of the stateful software system.
Example: Assessing DMS-disconnector inconsistencies
To illustrate and assess the causes of information inconsistencies, a modelling approach is taken. The behaviour of the model is as described below:
- Disconnectors may not switch on command (physically stuck or software fault).
- Disconnectors can switch without command (software fault).
- Sensors can send wrong value, no value or delay value.
- Communication system can be down when needed (equipment failure, congestion, bad radio link).
To study the effects of faults in physical disconnectors and software bugs in the DMS, a simulation study is conducted for measuring the information inconsistencies between the DMS view and the physical state of the disconnector. The metric that is used is sensing inconsistency, which is the (stationary) probability that the observed state of a device deviates from the real state of the same device. The model can be used to wisely invest in sensors and controllers that will improve the overall dependability of the system, e.g., how the security of electricity supply will be improved.
The example study in our paper looked at the direct and high impact of the value failure, where the signal from a sensor, or a controller message has a valid, but incorrect value. We have also observed that software bugs in the DMS affects the state consistency less if the disconnector status are updated frequently. The model is flexible and can be scaled up to assess systems consisting of multiple IEDs and add different failure modes and causes.
About the author: Romina Muka
Romina Muka is an NTNU PhD candidate funded by CINELDI – Centre for Intelligent Electricity Distribution. Her PhD research is focused in optimal deployment of sensors and controllers for the operation of the next generation distribution grid (with new intelligent electronic devices).
This work has been funded by CINELDI – Centre for intelligent electricity distribution, an 8-year Research Centre under the FME-scheme (Centre for Environment-friendly Energy Research, 257626/E20). The authors gratefully acknowledge the financial support from the Research Council of Norway and the CINELDI partners.