CH 2 Power System Security

7/28/2019 CH 2 Power System Security

1/61

Power System SecuritySyllabus:Introduction, factors affecting system security,

power system contingency analysis, and detection ofnetwork problems. Network sensitivity methods,

calculation of network sensitivity factor, connecting

generator dispatch by sensitivity methods, contingency

ranking.

INTRODUCTION

Security is an important aspect in the

successful operation of a power system.

System security involves many

precautions and practices suitably

designed, to keep the system operating,

when any of its components fail.

Apart from economizing the fuel costand minimizing emission of gases like

, , etc., the power

system should be operationally secure.


2/61

An operationally secure power system

is one with low probability of system

collapse or equipment damage.

If the failures are cascaded, the system as

a whole or its major parts may

completely collapse.

This state of the system is normally

referred to as blackout.

All these aspects are dealt in the security

constrained power system optimization(SCO).

Since security and economy normally

have conflicting requirements, it is

inappropriate to treat them separately.They have to be dealt with together.


3/61

Incorporating security function, the

utility company has to aim at economic

operation.

The energy management system (EMS)

has to operate the system at minimum

cost, with the guaranteed alleviation

(reduction) of emergency conditions.

The emergency condition will depend on

the severity of violations of operating

limits like, branch flows and bus voltage

limits etc,. The most severe violations

result from contingencies.

Therefore, an important part of security

study revolves around the powersystems ability to withstand the effects

of contingencies.


4/61

A particular system state is said to be

secure only with reference to one or more

specific contingency cases and a given

set of quantities monitored for violation.

Most power systems are operated in such

a way that any single contingency will

not leave other components heavily

overloaded, so that cascading of failures

are avoided.

Most of the security related functions

deal with static snapshots of the power

system. They have to be executed at

intervals compatible with the rate of

change of system state.

This quasi-static approach is, to a large

extent, the only practical approach at

present, since dynamic analysis and


5/61

optimization are considerably more

difficult and computationally more time

consuming.

System security comprises of three major

functions carried out in an energy control

centre. They are,

(i) system monitoring,

(ii) contingency analysis, and

(iii) corrective action analysis.

(i) System monitoring: System

monitoring supplies the power system

operators or power dispatchers with

pertinent up to date information on the

conditions of the power system on real

time basis as load and generation change.


6/61

In every substation, telemetry systems

measure, monitor and transmit the data

like, voltages, currents, frequency,

current flows, generator outputs,

transformer tap positions, the status of

circuit breakers & switches in a

transmission network. Digital computers

then process the telemetered data and

place them in a data base form and

inform the operators in case of an

overload or out of limit voltage.Important data are also displayed on

large size monitors. Alarms or warnings

are also given if required.

State estimation techniques are normally

used to combine telemetered data to give


7/61

the best estimate (in statistical sense) of

the current system condition or state.

Such systems often work with

supervisory control systems to help

operators to control, circuit breakers,

operate switches and taps remotely.

These systems together are called

SCADA (supervisory control and data

acquisition) systems.

(ii) Contingency analysis: This is the

second major security function. Modern

computers installed in power station have

contingency analysis programs stored in

them. These programs foresee the

possible system outages before they

occur and alert the operators to any


8/61

potential overloads or serious voltage

violations.

For each outage to be studied, along with

the procedures to set up the load flow

data combined with a standard LF

program, a simplest form of contingency

analysis is employed.

This allows the system operators to

locate defensive operating states where

no single contingency event will generate

overloads and/or voltage violations.

Operating constraints which may be

employed in the ED (economic dispatch)

and UC (unit commitment) programs canbe evolved from this analysis. Thus

contingency analysis carries out


9/61

emergency identification and what if

simulations.

(iii) Corrective action analysis: This is

the third major security function. This

enables the operator to change the

operation of the power system if a

contingency analysis program predicts a

serious problem in the event of the

occurrence of a certain outage.

Thus it provides preventive and post-

contingency control.

A simple example of corrective action is

the shifting of generation from one

station to another. This may result inchange in power flows and causes a

change in loading on overloaded lines.


10/61

Thus, the three functions, (i) system

monitoring, (ii) contingency analysis,

and (iii) corrective action analysis

together consist of a very complex set of

tools that help in the secured operation of

a power system.

Power System State

Classification /

Power System Static Security

Levels

A formal classification of power system

security levels to define relevant


11/61

functions of the Energy Management

System (EMS) was developed initially.

Then, a more practical static security

level diagram by incorporating

correctively secure (Level 2) and

correctable emergency security levels

(Level 4) was developed. The figure

below shows such a practical static

security level diagram.


12/61

Arrowed lines represent involuntarytransitions between Levels 1 to 5 due to

contingencies.

Levels 1 and 2 represent normal power

system operation.Level 1 has the ideal security but is too

conservative and costly. The power

system survives any of the credible


13/61

contingencies without relying on any

post-contingency corrective action.

Level 2 is more economical, but depends

on post-contingency corrective

rescheduling to alleviate (reduce)violations without loss of load, within a

specified period of time. Post

contingency operating limits might be

different from their pre-contingency

values.

The removal of violations from Level 4

normally requires EMS directed

corrective rescheduling or remedialaction bringing the system to Level 3,

from where it can return to either Level 1

or 2 by further EMS directed preventive


14/61

rescheduling depending upon the

desired operational security objectives.

Power System Operating

States

More than 99% of the time, the power

system is found in its normal state. The

system is said to be in normal state if,

(i)

all the loads are met,(ii) the frequency and bus voltage

magnitudes are within the

prescribed limits and

(iii) no components of the powersystem are overloaded.

Secure Normal State: The equality

between generation and demand is a


15/61

fundamental prerequisite for system

normalcy and is indicated by the symbol

E. E refers to equality constraints i.e.,

the power balance and flow equations are

satisfied and frequency and voltage

constancy observed.

Certain inequality must also be observed

in the normal state.

The symbol I refer to inequality

constraints and imply that the system is

operating within rated limits of the

components i.e., generator and

transformer loads must not exceed the

rated values and transmission lines must

not be loaded above their thermal or

static stability limit.


16/61

Insecure normal state: If a system

suffers from any event like, sudden

increase of load, its security level

reduces. Then the system would switch

to insecure normal state. The E and

I would still be satisfied.

However, with preventive control

strategy, the operator takes control

actions to return the system to its normal

state.

Emergency State: In the insecure

normal state, if some additional

disturbance occurs or in normal state a

major disturbance is encountered (e.g.,

tripping of tie line or loss of an additional

generator), then the system will enter to

emergency state.


17/61

In this state the system remains intact,

i.e., E is still satisfied but I change to

, (e.g., overloads of system

components). The subscript v refers to

the constraint violation.

By means of corrective control (like

generator rescheduling) the operator

would try to relieve the transition due to

normal state overload situations. If

corrective control is not possible, then

emergency control (like, generator major

rescheduling / load shedding) is restored

to.

Cascade State: If the emergency control

fails, then a series of cascading events

may lead to the cascade (extreme) state.

Typically, the system would breakup into


18/61

islands, each of which would be

operating at their own frequencies. Both

E and I would then changes to Ev

and Iv respectively and the system will

result in a blackout.

Restorative State: A series of

resynchronization controls are required

to restart generators and gradually

generators pickup the loads. This is a

long process and the state of the system

is called restorative state. The various

transitions due to disturbances, as well as

various control actions are shown in the

figure below.

In practice, the power system never

remains in the normal state due to

disturbances. Hence, preventive /


19/61

corrective control actions are required to

bring back the system to the normal state.

(Various operating states and control actions of a power

system)

SECURITY ANALYSIS


20/61

System security is monitored at the

energy control centre by carrying out two

major functions. They are,

(i) Security assessment whichgives the security level of the

system operating state.

(ii) Security control .whichdetermines the appropriate security

constrained scheduling required to

optimally attain the target security

level.

These security functions can be executed

in real time and study modes.

Real time application functions requirehigh computing speed and reliability.

The static security level of a power

system is characterized by the presence


21/61

of emergency operating conditions (limit

violations) in its actual (pre-contingency)

or potential (post-contingency) operating

states.

System security assessment is the process

by which any such violations are

detected.

System security assessment further

involves two functions.

(i) system monitoring and(ii) contingency analysis.System monitoring provides the operator

with pertinent up to date information on

the current conditions of the powersystem. In its simplest form, this just

detects violations in the actual system

operating state.


22/61

Contingency analysis is much more

demanding and normally performed in

three distinct states

i. contingency definition,ii.

contingency selection and

iii. contingency evaluation.

Contingency definition: This gives the

list of contingencies to be processedwhose probability of occurrence is high.

This list, which is usually large, is in

terms of network changes. i.e., branch

and/or injection outages. Thesecontingencies are ranked in rough order

of severity employing contingency

selection algorithms to shorten the list.


23/61

Not much accuracy is required in the

results. Therefore an approximate (linear)

system model where results are obtained

at high speed is used.

Contingency evaluation is then

performed (using AC power flow) on the

successive individual cases in decreasing

order of severity. The evaluation process

is continued up to the point where no

post-contingency violations are

encountered.

Hence, the purpose of contingency

analysis is to identify the list of

contingencies that, if occur, would create

violations in system operating states.

They are ranked in the order of severity.


24/61

Security control: It is the secondmajor security function. It allows the

operator to change the power system

operation, if the contingency analysis

program predicts a serious problemindicating that certain outage may occur.

Normally the security control is achieved

through Security Constrained

Optimization (SCO) program.

Modeling for Contingency

Analysis

Limits on line flows and bus voltages are

of most interest in contingency analysis.

Since these are soft limits, developing


25/61

limited accuracy models and solutions

are justified.

The most fundamental approximate load

flow model is the NR model shown

below.

The normally preferred DC load flow

model in its incremental version is shown

below.

This model assumes voltages to remain

constant after contingencies. However,

this is not true for weak systems. The

utility has to pre-specify whether it wants


26/61

to monitor post-contingency steady

state conditions immediately after the

outage (system inertial response) or after

the automatic controls (governor, AGC,

ED) have responded. Depending upon

this decision, different participation

factors are used to allocate the MW

generation among the remaining units.

The reactive problem tends to be more

nonlinear and voltages are also

influenced by active power flows.

FDLF is normally the best for this

purpose since its Jacobian matrix isconstant and single line outages can be

modeled using the matrix inversion

lemma.


27/61

The model often used is

Contingency Selection

There are two main approaches for

selection.

Direct Methods

These involve screening and directranking of contingency cases. They

monitor the appropriate post-contingent

quantities (flows, voltages). The severity

measure is often a performance index.Indirect Methods


28/61

These give the values of the contingency

case severity indices for ranking, without

calculating the monitored contingent

quantities directly.

Simulation of line outage is more

complex than a generator outage, since

line outage results in a change in system

configurations. The inverse matrix

modification lemma (IMML) or

compensation method is used

throughout the contingency analysis

field. The IMML helps in calculating the

effects of network changes due to

contingencies, without reconstructing

and re-factorizing or inverting the base

case network matrix. It is also possible to

achieve computational economy by


29/61

getting only local solutions by

calculating the inverse elements in the

vicinity of the contingencies. The

question is how far one should go. Some

form of sensitivity analysis may be used.

The problem of studying hundreds of

possible outages becomes very difficult

to solve if it is desired to present the

results quickly so that corrective actions

can be taken. One of the simplest ways of

obtaining a quick calculation of possible

overloads is to use network sensitivity

factors. These factors show the

approximate change in line flows for

changes in generation on the network

configuration and are derived from DC

load flow.


30/61

They are of two types.

1. Generation shift distribution factors

2. Line outage distribution factors

In a practical situation when a

contingency causing emergency occurs,

control action to alleviate (reduce) limitviolations is always taken, if such a

capability exists and a protective system

permits time to do so.

The security control function (which isnormally achieved by SCO) responds to

each insecure contingency case, usually

in decreasing order of severity by

1. Rescheduling the pre-contingencyoperating state to alleviate the


31/61

emergency resulting from the

contingency, and/or

2. Developing a post-contingencycontrol strategy that will eliminate

the emergency, or

3. Taking no action, on the basis thatpost-contingency emergency is

small and/or probability of its

occurrence is very low.

A specific security control function, then,

is designed to

1. Operate in real time or study mode.2. Schedule active or reactive power

controls or both

3. Achieve a defined security level4. Minimize a defined operational

objective.


32/61

So far, only a small proportion of

network on optimal power flow has taken

into account the security constraints.

The most successful applications are to

the security constrained MW dispatch

OPF sub-problem.

The contingency constrained

voltage/VAR rescheduling problem still

remains to be solved to a satisfactory

degree.

The total number of contingency

constraints imposed on SCO is

enormous. The SCO or contingency

constrained OPF problem is solved withor without first optimizing with respect

to the base case (pre-contingency)

constraints.


33/61

The general procedure adopted is as

follows.

1. Contingency analysis is carried outand cases with violations or near

violations are identified.

2. The SCO problem is then solved.3. The rescheduling in Step 1 might

have created new violations and

therefore Step 1 should be repeated

till no violations exist.

Hence, SCO represents a potentially

massive additional computing effort.

There is still great potential for further

improvement in power system security

control.


34/61

Better problem formulations, theory,

computer solution methods and

implementation techniques are required.

CONTINGENCY ANALYSIS

In the past many widespread blackouts

have occurred in interconnected power

systems.

Therefore, it is necessary to ensure thatpower systems should be operated most

economically such that power is

delivered reliably.

Reliable operation implies that there isadequate power generation and the same

can be transmitted reliably to the loads.


35/61

Most power systems are designed with

enough redundancy (flexibility) so that

they can withstand all major failure

events.

Here, the possible consequences of the

two main failure events and the remedial

actions required for them are explained.

The events are,

1. line outages and2. generating unit failures.

To explain the problem briefly, consider

the five bus system with its load flow

results shown below.


36/61

AC line f low for sample 5 bus system

A power flow of 24.7 MW and 3.6

MVAR on the line from bus 2 to bus 3can be seen.

At present, only the MW loading of the

line is considered.

Simulation of line outage is more

complex than a generator outage, since


37/61

line outage results in a change in system

configurations.

Examine what will happen if the line

from bus 2 to bus 4 were to open. The

resulting line flows and voltages are

shown in line diagram below.

Post-outage AC Load F low (L ine between 2and 4 is open)

It may be noted that the flow on the line

2 to 3 has increased to 37.5 MW and that


38/61

most of the other line flows are also

changed. It may also be noted that bus

voltage magnitudes also get affected,

particularly at bus 4, the change is almost

2% less from 1.0236 to 1.0068 pu.

Suppose the line from bus 2 to bus 5

were to open. Now the maximum change

(almost 10%) in voltage is seen at bus 5.


39/61

Post-outage AC Load F low (L ine between 2

and 5 is open)

Line diagram below is an example of

generator outage and is selected to

explain the fact that generator outages

can also result in changes in line flows

and bus voltages.

Post-outage AC Load Flow (Generator 2

outage, lost generation is picked up by

generator 1)


40/61

In the above case, all the generation lost

from bus 2 is picked up on the generator

at bus 1. Had there been more than 2

generators in the sample system say at

bus 3 also, it was possible that the loss of

generation on bus 2 is made up by an

increase in generation at buses 1 and 3.

The differences in line flows and bus

voltages would show how the lost

generation is shared by the remaining

units is quite significant.

It is important to know which line or unit

outages will render line flows or voltages

to cross the limits.

To find the effects of outages,

contingency analysis techniques are

employed. Contingency analysis models,


41/61

single failure events i.e., one line outages

or one unit outages) or multiple

equipment failure events (failure of

multiple unit or lines or their

combination) one after another until all

credible outages are considered.

For each outage, all lines and voltages in

the network are checked against their

respective limits.

The flow chart below illustrates the

method for carrying out a contingency

analysis.


42/61


43/61

One of the important problems is the

selection of all credible outages.

Execution time to analyze several

thousand outages is typically 1 min. An

approximate model such as DC load flow

may be used to get speedy solution. If

voltage is also required, then full AC

load flow analysis has to be carried out.

SENSITIVITY FACTORS

A security analysis program is run in a

load dispatch centre of power system.

The program is run very quickly to help

the system operators. Speedy analysis

can be done by developing an

approximate system model and using a


44/61

computer having multiple processors or

vector processors. The system may be

adequately described. An equivalent

should be used for neighboring systems

connected through tie-lines.

All non-violation cases are eliminated

and complete exact program is run for

critical cases only. This can be done by

using techniques such as contingency

selection or contingency screening or

contingency ranking.

Thus, it will be easy to warn the system

operators in advance and alert them to

take corrective action if one or more

outages result in serious overloads or any

violations.


45/61

One of the simplest ways to present a

quick calculation of possible overloads is

to employ linear network sensitivity

factors. These factors give the

approximate change in line flows for

changes in generation in the system and

can be calculated from the DC load flow.

Sensitivity factors are mainly of two

types.

1. Generation shift factors2. Line outage distribution factors

Use of these factors is described below.

1. The generation shift factors

These are denoted by and are definedas


46/61

where,

= Change in MW power flow on line

when a change in generation,

takes place at the

bus.Here, it is assumed that is fully

compensated by an equal and opposite

change in generation at the slack

(reference) bus, with all other generatorsremaining fixed at their original power

generations. The factor then gives the

sensitivity of the line flow to a

change in generation at

bus.

Now, let a large generating unit outage

occurs and assume that all the lost


47/61

generation would be supplied by the

slack bus generation. Then,

and the new power flow on each line

could be calculated using a pre-

calculated set of factors as givenbelow.

The values of line flows obtained from

this equation can be compared to theirlimits and those violating their limit can

be informed to the operator for necessary

control action.


48/61

The generation shift sensitivity factors

are linear estimates of the change in line

flow with a change in power at a bus.

Thus, the effects of simultaneous

changes on a given number of generating

buses can be computed using the

principle of superposition.

Assume that the loss of the generator

is to be made up by governor action on

all generators of the interconnected

system and pick up in proportion to their

maximum MW ratings.

Thus, the proportion of generation pick

up from unit k (k i) would be


49/61

where,

= maximum MW rating for

generator

= proportionality factor for pick up

on unit when unit fails.

Now, for checking the line flow, the

flow equation is,

In the equation, it is assumed that no unit

will violate its maximum limit. For unit

limit violation, algorithm can easily be

modified.


50/61

Line outage distribution

factorsThe line outage distribution factors can

be used for checking if the line overloads

when some of the other lines are lost.

The line outage distribution factor is

defined as,

where,

= line outage distribution factor

when monitoring line after an outage

of line.

= change in MW flow on line.


51/61

= pre-contingency line flow on

line.If pre-contingency line flows on lines 1

and i, the power flow on line l with line i

can be found out employing d factors.

Here,

= pre-contingency or pre-outage flows on lines l and i

respectively,

= power flow on

line with

lineout.

Thus one can check quickly by pre-

calculating d factors for all the lines for


52/61

overloading for the outage of a particular

line. This can be repeated for the outage

of each line one by one and overloads

can be found out for corrective action.

Note that a line flow can be positive or

negative. Hence, f should be checked

against as well as . Line

flows can be found out using telemetry

systems or with state estimation

techniques.If the network undergoes any significant

structural change, the sensitivity factors

must be updated.

Example: Find the generation shiftfactors and the line outage distribution


53/61

factors for the five bus sample network

discussed earlier.

Solution:

Table 1. The [x] matrix for the five bus

sample system. Bus 1 is reference.

Table 2. The generation shift distributionfactors.


54/61

Table 3. The line outage distribution

factors.

The line flows calculated by the

sensitivity methods, are reasonably close

to the values calculated by the full AC

load flows. However, the calculations

carried out by sensitivity methods are

faster than those made by full AC load

flow methods. Therefore they are used

for real time monitoring and control of


55/61

power systems. However, where reactive

power flows are mainly required, a full

AC load flow method (NR / FDLF) is

preferred for contingency analysis.

The simplest AC security analysis

procedure merely needs to run an AC

load flow analysis for each possible unit,

line and transformer outage. One

normally does ranking or short listing of

most likely bad cases which are likely to

result in an overload or voltage limit

violation and other cases need not be

analyzed. Any good PI (performance

index) can be selected and is used for

ranking. One such PI is


56/61

For large n, PI will be a small number if

all line flows are within limit and will be

large if one or more lines are overloaded.

For n = 1 exact calculations can be done

for PI. PI table can be ordered from

largest value to least. Suitable number of

candidates then can be chosen for further

analysis.

If voltages are to be included, then the

following PI can be employed.

Here, is the difference betweenthe voltage magnitudes as obtained at the


57/61

end of the 1P1Q FDLF algorithm.

is the value fixed by the utility.Largest value of PI is placed at the top.

The security analysis may now be started

for the desired number of cases down the

ranking list.

8.7 POWER SYSTEM SECURITY

By power system security, we understand a qualified

absence of risk of disruption of continued system

operation. Security may be defined from a control point of

view as the probability of the system's operating point

remaining in a viable state space, given the probabilities

of changes in the system (contingencies) and its

environment (weather, customer demands, etc.).


58/61

Security can be defined in terms of how it is monitored or

measured, as the ability of a system to withstand without

serious consequences any one of a preselected list of

credible disturbances (contingencies). Conversely,insecurity at any point in time can be defined as the level

of risk of disruption of a system's continued operation.

Power systems are interconnected for improved economy

and availability of supplies across extensive areas. Small

individual systems would be individually more at risk, but

widespread disruptions would not be possible.

On the other hand, interconnections make widespread

disruptions possible.

Operation of interconnected power systems demands

nearly precise synchronism in the rotational speed of

many thousands of large interconnectedgenerating units, even as they are controlled to

continuously follow significant

changes in customer demand. There is considerable

rotational energy involved,

and the result of any cascading loss of synchronism

among major systemelements or subsystems can be disastrous.

Regardless of changes in system load

or sudden disconnection of equipment from the

system, synchronized operation


59/61

requires proper functioning of machine governors,

and that operating conditions

of all equipment remain within physical capabilities.

The risk of cascading outages still exists, despite

improvements made

since the 1965 northeast blackout in the United

States. Many factors increase

the risks involved in interconnected system

operation:

Wide swings in the costs of fuels result in

significant changes in

the geographic patterns of generation relative to

load. This leads to

transmission of electric energy over longer distances

in patterns

other than those for which the transmission networks

had been

originally designed.

Rising costs due to inflation and increasing

environmental

concerns constrain any relief through further

transmission

construction. Thus, transmission, as well as

generation, must be

operated closer to design limits, with smaller safety

(security)


60/61

margins.

Relaxation of energy regulation to permit sales of

electric energy

by independent power producers, together with

increasing pressure

for essentially uncontrolled access to the bulk power

transmission

network.

Development of the Concept of SecurityPrior to the 1965 Northeast blackout, system

security was part of

reliability assured at the system planning stage by

providing a strong system that

could ride out any credible disturbances without

serious disruption. It is no

longer economically feasible to design systems to

this standard. At that time,

power system operators made sure that sufficient

spinning reserve was on line to

cover unexpected load increases or potential loss of

generation and to examine

the impact of removing a line or other apparatus formaintenance. Whenever

possible, the operator attempted to maintain a

desirable voltage profile by

balancing VARs in the system.


61/61

Security monitoring is perceived as that of

monitoring, through

contingency analysis, the conditional transition of

the system into an emergency

state.

Two Perspectives of Security AssessmentThere is a need to clarify the roles of security

assessment in the

CH 2 Power System Security

Documents