This document discusses control objectives and strategies for power systems during different levels of emergencies. It defines five operating states for power systems: normal, alert, emergency, extremis, and restorative. In the emergency state, inequality constraints are violated and emergency control actions are needed to restore the system. Effective emergency control requires coordinated use of control methods like fault clearing, load shedding, and dynamic braking across control centers. Developing control objectives and algorithms that can achieve coordination between dispersed control techniques responding to local information is challenging.
Operating Under Stress and Strain
This, part two of the “blackout” series, defines control
objectives for various levels and types of emergencies
In the U.S. today, complex power systems are able to
provide reliable electric service at low cost with the help
of automatic control, simultaneously tracking the
randomly varying system load, optimizing generation
to minimize cost, and coordinating the action of many
independent control centers. When an emergency
develops in one of these systems, however, the picture
changes completely and new control objectives must be
met if the system is to be restored successfully to normal
operation.
The control objectives of a power system are related to
the level of security at which the system is operating,
and (see box on p. 50) as this level decreases below an
acceptable threshold, preventive measures must be taken
to restore the system to a robust state. It is rare that a
major system failure is the result of one catastrophic
disturbance that wipes out an apparently secure system.
Usually such failures are brought about by a reduced
level of security that renders the system vulnerable to
the cumulative effects of a sequence of moderate
disturbances. The systems have been designed and built
to operate as efficiently as possible under normal
circumstances. In the event of the loss of a piece of
major equipment (whether due to an internal fault or an
external event) with its resultant instantaneous surges of
power, the system must be able to absorb these stresses
without further damage and to find a new balance of
energy flows. Coincidence of disturbances and/or hidden
weaknesses in system components or control functions
can combine to produce momentary local stresses
beyond any level of endurance to which the system
could possibly be designed within reasonable economic
limits.
Emergencies can strike suddenly, or build slowly.
During these emergencies, the “system operator”
(human or automatic) struggles to keep the system under
control to maintain balance between load and
generation, or demand and supply, through all available
means. However, there are two factors that can doom
these efforts to failure: time constraints (the inability to
respond quickly enough) and capacity constraints
(demand outstripping available supply). Recent blackouts
have been in the first category. But in January 1977,
several interconnected utilities appeared to be headed
toward a failure of the second kind when, in some areas
of the U.S., unusually severe winter temperatures froze
such crucial resources as coal piles and waterways and
greatly limited generating capacity. System frequency, a
sensitive measure of discrepancy between load and
generation, sagged to 59.84 Hz, and remained below 60
Hz for almost seven hours. During this period, the
available power supply was reduced to a critical level.
Lester H. Fink, U.S. Department of Energy
Kjell Carlsen, General Electric Company
When the carefully constructed and maintained dynamic
system structure (see box on p. 51) begins to reel under
the impact of a major disturbance, and is on the verge of
disintegrating, the control regimes designed for normal
circumstances are no longer adequate, or relevant, and
new controls are necessary. However, before such
controls can be discussed, the general states of operation
of a power system should be considered.
States of operation
Power system conditions are described by five operating
states, as shown in Fig. 1. Three sets of generic equations
(one differential and two algebraic) govern power-system
operation. The differential set encodes the physical laws
governing the dynamic behaviour of the system’s
components. The two algebraic sets comprise “equality
constraints”, which refer to the system’s total load and
total generation, and “inequality constraints”, which
state that some system variables, such as currents and
voltages, must not exceed maximum levels representing
the limitations of physical equipment.
In the normal operating state, all constraints are
satisfied, indicating that the generation is adequate to
supply the existing total load demand, and that no
equipment is being overloaded. In this state, reserve
margins (for transmission as well as for generation) are
sufficient to provide an adequate level of security with
respect to the stresses to which the system may be
subjected.
If the security level falls below some threshold of
adequacy, or if the probability of disturbance increases,
then the system enters the alert state. In this state, all
constraints would still be satisfied, but existing reserve
margins would be such that some disturbance could
result in a violation of some inequality constraints; e.g.,
equipment would be overloaded more or less severely
above its rated capabilities. In this (insecure) alert state,
preventive action can be taken to restore the system to
the normal state (see Table I).
If a sufficiently severe disturbance takes place before
such preventive action can be taken, the system enters
the emergency state. Here, inequality constraints are
violated, and system security would have been breached
since the “security level” would be below zero and
practically nonexistent. The system, however, would
still be intact, and emergency control action (“heroic
measures”) could be initiated in order to restore the
system to at least the alert state. If these measures are
not taken in time, or are ineffective, and if the initiating
disturbance or a subsequent one is severe enough to
overstress the system, the system then starts to
disintegrate and is in extremis (see Table I). In this
state, equality as well as inequality constraints have been
violated; the system would no longer be intact, and
major portions of the system load would be lost.
Emergency control action should be directed toward
salvaging as many pieces of the system as possible from
total collapse. Once the collapse had been halted, if there
were any remaining equipment operating within rated
capability, or some equipment had been restarted
following total collapse, the system could enter the
restorative state, with control action being taken to pick
up all lost load and reconnect the system. From this
state, the system could transit to either the alert or to the
normal state, depending on circumstances.
So far, precise definitions characterizing the several
states discussed have not been provided. Without such
definitions, the indicated framework can be of heuristic
value only; judgment as to whether the system has
moved from one state to another will be subjective at
best, and possibly arbitrary. Nevertheless, even at this
level this framework can contribute significantly not
only by clarifying analyses of the histories of
disturbances but, more important, by providing some
guidance as to the controls to be effected under certain
circumstances or the operator decisions to be
implemented (see Fig. 1).
Given a consistent set of definitions of each state,
necessary and/or sufficient conditions for state
transitions could be identified. Such definitions could
simplify the problem involved in on-line security
assessment and could provide considerable insight into
the design of control strategies proper to the several
states.
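One possible set of definitions for the five states, as an added example that is not from the article: the numeric thresholds, the `Snapshot` fields and the sample values are assumptions, and treating the restorative state as "equality constraints violated, inequality constraints satisfied" is a reading of the description above. The alert checks follow the three normal-to-alert causes in Table I, and the control lists come from Table II.

```python
from dataclasses import dataclass, replace

FREQ_BAND_HZ = (59.9, 60.1)   # assumed acceptable frequency band
DELIVERY_HEADROOM = 0.90      # assumed: margin is thin above 90% of rating
# Control methods per state, from Table II of the article.
ALERT = ["generation shifting (security dispatch)", "increased reserve",
         "tie-line rescheduling", "manning of normally unmanned (sub)stations",
         "voltage reduction"]
EMERGENCY = ["fault clearing", "fast valving", "dynamic braking", "exciter control",
             "dc modulation", "load control", "capacitor switching"] + ALERT
CONTROLS = {"normal": [], "alert": ALERT, "emergency": EMERGENCY,
            "in extremis": EMERGENCY + ["load shedding", "controlled islanding"],
            "restorative": ["unit restarting and/or synchronization",
                            "load restoration", "resynchronization of areas"]}

@dataclass
class Snapshot:                  # hypothetical telemetry record
    demand_mw: float
    served_mw: float
    reserve_mw: float
    largest_unit_mw: float
    frequency_hz: float
    line_flows: dict             # name -> (flow_mw, emergency_rating_mw)
    intact: bool = True          # False once ties are lost and islands form
    storm_warning: bool = False  # proxy for "increased probability of disturbance"

def equality_violations(s):
    out = [] if s.intact else ["system no longer intact"]
    if s.served_mw < s.demand_mw:
        out.append(f"{s.demand_mw - s.served_mw:.0f} MW of load not served")
    return out

def inequality_violations(s):
    out = [f"{n} above emergency rating"
           for n, (flow, rating) in s.line_flows.items() if abs(flow) > rating]
    if not FREQ_BAND_HZ[0] <= s.frequency_hz <= FREQ_BAND_HZ[1]:
        out.append(f"frequency {s.frequency_hz:.2f} Hz outside band")
    return out

def margin_shortfalls(s):        # the three normal-to-alert causes in Table I
    out = [f"delivery margin thin on {n}" for n, (flow, rating) in s.line_flows.items()
           if abs(flow) > DELIVERY_HEADROOM * rating]
    if s.reserve_mw < s.largest_unit_mw:
        out.append("supply margin: reserve below largest unit")
    if s.storm_warning:
        out.append("increased probability of disturbance")
    return out

def assess(s):                   # -> (state, reasons, candidate controls)
    eq, ineq = equality_violations(s), inequality_violations(s)
    reasons = eq + ineq or margin_shortfalls(s)
    if eq:
        state = "in extremis" if ineq else "restorative"
    else:
        state = "emergency" if ineq else ("alert" if reasons else "normal")
    return state, reasons, CONTROLS[state]

# Constructed snapshots, one per operating state.
HEALTHY = Snapshot(demand_mw=5000, served_mw=5000, reserve_mw=600, largest_unit_mw=500,
                   frequency_hz=60.0, line_flows={"tie A": (700, 1000), "tie B": (400, 800)})
SAMPLES = {
    "healthy": HEALTHY,
    "reserve thin": replace(HEALTHY, reserve_mw=100),
    "tie A overloaded": replace(HEALTHY, line_flows={"tie A": (1100, 1000)}),
    "islands formed": replace(HEALTHY, served_mw=3200, intact=False, frequency_hz=59.4),
    "picking up load": replace(HEALTHY, served_mw=1500, intact=False),
}
if __name__ == "__main__":
    print({label: assess(snap)[0] for label, snap in SAMPLES.items()})
```

Because the classification is driven by explicit constraint checks, each state change comes with the list of violated constraints or thin margins that caused it, which is the information the article asks security assessment to give the operator.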
Emergency prevention
Historically, system security has been approached by
way of reliability planning and building systems that
could be inherently robust in the face of credible (and
some incredible) disturbances. Typically, the assessment
was carried out in the planning stage by way of
simulating the response of the projected system to a
number of hypothesized severe (worst case)
disturbances. Such tests have served as a means to
measure the strength and capacity of a system to
withstand the entire spectrum of disturbances under
stress conditions. Systems designed to such criteria have
proved reliable under all but the most unusual
circumstances.
However, no absolute guarantee of reliable performance
can be provided by the system planner for even the best
planned and constructed system. The system operator is
ultimately responsible for maintaining effective
operation of the system under all circumstances.
Following the Northeast blackout of 1965, increasing
attention was directed to the problem of security
assessment: the provision of data-gathering and
processing systems that would assist the operator in
anticipating potential trouble and then deciding how to
prevent it or to minimize its impact. Naturally, the
problem has been approached as suggested by established
planning procedures. Present test procedures consider
the given circumstances (loads, line flows, generating
capacity, spinning reserve, etc.) and then check to see
whether the system can withstand possible specific
disturbances, such as the loss of a major generating unit
or of one or more major transmission lines.
This planning-oriented approach to such security
assessment involves two operations: gathering
information about the present status of the system (the
power system state estimation problem), and calculating
whether the system will maintain stable operation in the
face of a designated list of severe disturbances. These
operations, straightforward in a planning environment,
become very difficult to handle in an operating, real-life
situation by virtue of the vast amount of system-derived
data that must be processed, the practically limitless
number of contingencies (possible combinations of
equipment losses) that must be considered, and the
length of time needed to determine by simulation the
response of the system to any one (let alone all) of these
contingencies. Despite these procedural difficulties,
rudimentary security assessment programs are being
developed and some have been implemented.
State estimation programs filter incoming data on
generation, bus loads, on-line currents, and/or bus
voltages in order to provide an accurate picture of the
system's condition. Contingency lists are carefully
assembled. The ability of the system to maintain stable,
steady-state operation following a disturbance is
assessed either by inspection of precalculated
distribution factors (approximate but very rapid) or by
on-line load flows (more accurate but more time
consuming). However, because of the time required for
simulation, it is not practical to calculate the system's
stability performance during the transient period
between the predisturbance and postdisturbance steady
state.
These procedural problems (the amounts of data, the
number of contingencies, and the time required to assess
transient stability) could be resolved at a more basic level
by taking a more operator-oriented approach to security
assessment.
As has been mentioned, major system disruptions almost
invariably result from the inability of a system operating
at a reduced level of security to endure the consequences
of a series of less than major disturbances. Consider the
possibility of a sequence of rather minor events that may
result in the removal of equipment such as transmission
lines or generation units. This sequence of events will
gradually reduce the security level or the robustness of
the system to such an extent that even a normal
contingency may be all that is needed to cause a drastic
system failure. Even under normal operation, the outage
of individual pieces of equipment due to failure,
inadequate maintenance, etc., often reduces the system
to a state less secure, less robust than its design level.
It is necessary to distinguish between the static
description of system reliability (which serves as a basis
for system design and in large measure is still utilized as
a basis for security assessment) and the dynamic
interplay in real time between a fluctuating level of
security as a system responds to sequences of events and
the continually changing contingent probability of
disturbances. In light of these considerations, the role of
security assessment might be viewed as providing to the
operator information on the changing reserve margins of
this equipment and on the continually changing
probabilities of possible disturbances. Thus, the
traditional system planning approach, as well as the
system operator's approach, must be used in emergency
prevention.
In addition to security assessment, security
enhancement must also be taken into account. The
system operator must operate the system with (just)
enough margin to provide insurance against the
ultimate loss of power to a large portion of his
customers. He must take into account not only the security
level of his system but also the possibility of disturbances
that may threaten and disrupt the system. Thus, security
enhancement must remain the sole domain of the
operator. Experienced system operators continually make
structural readjustments to the system, increase or adjust
the level of operating reserves, and reschedule generation
to maintain necessary levels within critical geographical
areas. They take actions to provide the necessary
assurance that, with the given physical state of the system
and with the given contingent level of probability of
disturbances, the system will be able to react reliably and
to maintain its equilibrium. Table II lists, under the alert
state, control means that are appropriate and available to
the system operator for achieving his objectives in security
enhancement.
Emergency control
Once a system has entered the emergency state, the
deliberate control decisions and actions that are
appropriate to the normal, and even the alert, state are no
longer adequate, and more immediate action may be
called for.
Power engineering literature over the last half-century is
replete with discussions of problems related to transient
stability, and the steady increase in our understanding of
those problems has been a major factor in the
achievement of the reliable systems to which we have
become accustomed. In recent years, the scope of those
discussions has extended to the detailed study of large
systems, which have been modeled in detail in order to
simulate their response to specific disturbances.
Until very recently, “emergency control” was identified
with local reflexive action for the prevention of transient
instability of individual machines. However, machine
instabilities do not constitute (and may not even be
significant factors in) major system blackouts. As noted
earlier, if the particular incident triggering the transition
to the emergency state has only local significance (such
as the instability and shutdown of a small generator),
return of the system to the alert state may be effected
solely by local control action, e.g., through operation of
protective devices. Even the loss of a major unit may be
accommodated by a sufficiently robust system without
serious aftermath. If, however, the incident that triggered
the state transition had been sufficiently severe relative to
the system's security level, reflexive local control action,
whether or not successful in preventing damage to the
equipment involved, will not adequately restore the
overall balance of the system. Lines or other major
equipment will be seriously overloaded, and more
powerful, coordinated action will be required.
Table II also lists control methods appropriate to the
emergency state that are at least potential candidates for
inclusion in emergency control regimes. Of all the
“immediate” and “heroic” means listed, only fault
clearing has a long history of application.
Underfrequency relaying for load shedding has come into
fairly widespread use during the past decade (with
performance that has not always been satisfactory, or
even acceptable) and a large dynamic brake has been
installed on the Bonneville Power Administration system
in the northwestern part of the U.S. Although the
possibility of using other devices has been discussed,
they have all been viewed primarily as candidates for
more powerful local control action. They are, however, of
widely diverse characteristics, and may be classified
according to a variety of criteria: Topologically, some
involve interference with the flow of real energy into or
out of the (electrical) system, whereas others only affect
the paths of flow through the system.
From a time-domain perspective, all can be very fast
acting, but most can be sustained indefinitely. Each
distinction provides a useful perspective from which to
consider the devices' relative usefulness, but incorporation
of such diverse control means into effective automatic
control regimes poses a variety of unsolved problems.
The inability to gather, analyze, and respond to data
reflecting the state of an entire system, combined with the
futility of trying to preanalyze and prepare open-loop
control actions to take care of the literally infinite
number of emergency situations that could occur, has led
us to focus exclusively on local emergency control. As a
result of this limitation, in extreme cases, the operator is
left to cope as best he can with the overall situation
without the aid of generalized emergency control.
The picture is now changing, however. Improved
understanding of power systems dynamics, advances in
communication and data-processing technologies, and
recent contributions of modern control theory have all
continued to make feasible the development of general
automatic control regimes appropriate to the emergency
state.
One class of problems resulting from the interaction of
individual methods of control deals with the achievement
of effective coordination in the use of multiple control
means within an area, in the functioning of local and
central (higher-level) control regimes, and in transitions
between the several operating states. Particularly vexing
are the problems involved in achieving rapid coordinated
action from widely dispersed control techniques
responding individually to locally available information.
Pending further useful developments in the theory of
decentralized control, coordination between control
centers must be sought heuristically, but it cannot be
altogether neglected.
Another class of problems involves coordination between
means and ends. A definition of control objectives that are
both adequate to system operational requirements and
practicable for use in control synthesis must be
developed. In addition, associated control algorithms for
achieving those objectives must be formulated. A number
of possible approaches have already been suggested,
mostly in the context of normal state control, and more
will undoubtedly emerge for consideration. In this
connection, one consideration merits special mention.
The pervasively nonlinear and time-varying nature of
power systems, their inordinate complexity, which
requires that analytic models must be grossly simplified
to be usable, and the many contingencies that must be
handled combine to make the use of feedback-type
(possibly even adaptive) control algorithms practically
indispensable. Classical optimal control methods
generating open-loop nonfeedback controls do not appear
practicable at present.
It must be stressed, however, that the emergency control
problem transcends the transient stability problem, and
that when the system is in the emergency state, whether
or not following a unit in transient stability, coordinated
system-wide action must be taken to restore it to at least
the alert state.
Recovery from emergencies
Once an emergency has progressed to the loss of system
integrity, return to the normal state is realized by a
meticulous process of system restoration. At the present
state of the art, this remains a manual process that
requires careful and thorough advance planning if it is to
be achieved at all promptly. The design of the system
must be such that equipment lost from service during the
final states of an emergency, while the system is in
extremis, be protected from unnecessary damage. In
addition, all necessary means must be available for a
systematic restart of the system, even from a complete
blackout, and the operators must be thoroughly familiar
with the procedures for such a restart. The system must
lend itself to sectionalizing so that the load that has been
lost can be reenergized in blocks small enough to be
manageable; simultaneously, local energy sources at
generating stations must provide adequate power to
auxiliaries (such as pumps, exciters, etc.) required for
unit start-up.
Careful advance planning for system recovery following
a widespread blackout can do much to minimize its
duration and hence to limit the consequences.
Table I. Uncontrolled state transitions
Normal-alert
Nature of the transition: reduction in security level.
(Once the system has been stressed, and until an adequate margin has been restored, it is
more vulnerable to subsequent disturbances).
Possible causes:
1. Reduction in supply margin, possibly due to: unusual load increase, nonstart of
generating units, fuel shortage, loss of generating unit, derating due to
environmental constraints, derating due to auxiliary failure, rescheduled
maintenance.
2. Reduction in delivery margin, possibly due to: loss of transmission line or
transformer, unusual distribution of load, increase in power wheeling, derating
due to unusually hot weather.
3. Increased probability of disturbance, possibly due to approach or arrival of
severe storms, natural disasters (such as floods, earthquakes), civil disturbances,
accidents.
Alert-emergency
Nature of the transition: violation of inequality constraints.
Relevant constraints: line flows (emergency ratings), component loads (emergency
ratings), voltage levels, system frequency, machine or bus voltage angles.
Proximate cause: malfunction and/or loss, temporary or permanent, of a major piece of
equipment.
Potential triggers: Internal electrical or mechanical failure, malfunction of protective or
control device, external events such as lightning, plane crash, etc.
Emergency-in extremis
Nature of the transition: loss of system integrity, violation of equality constraints.
Proximate cause: loss of ties resulting in formation of system island(s) that are
uncontrollable and/or unable to carry their internal load.
Potential triggers: prolonged overloading of critical ties, malfunction of protective
equipment, successive disturbances during emergency.
Table II. Control methods
A. Alert state: preventive deliberate control to restore adequate reserve margins,
generation shifting (security dispatch), increased reserve, tie-line rescheduling,
manning of normally unmanned (sub)stations, voltage reduction (not always
effective or desirable).
B. Emergency state: immediate control to clear equipment overloads, fault clearing,
fast valving, dynamic braking, exciter control, dc modulation, load control,
capacitor switching, plus all controls mentioned in the alert state.
C. In extremis: heroic action to contain the disruption of the entire system, all of
the above, plus load shedding, controlled islanding.
D. Restorative state: deliberate (corrective) control to reestablish a viable
functioning system, unit restarting and/or synchronization, load restoration,
resynchronization of areas.