1. Introduction
Electrical transmission/distribution networks provide the essential power delivery service to the principal core infrastructures and services of a country. Disturbances affecting electrical networks in a particular area affect the services provided to citizens there and, through the perturbation produced in other infrastructures and services (e.g., telecommunication networks, urban mobility, banking systems), a large part of the community, in an area that can be much larger than the initial one. Depending on the magnitude of disturbances, the impacts on the dependent services and on citizen activities and well-being can be significant.
In general, the disturbances of an electrical network can be the result of different events that may have more or less pronounced effects on the system functionality, from a light perturbation up to the complete disruption of one or more of its components. Perturbations may arise from different sources (natural or anthropic) and be associated with different agents: physical (e.g., lightning, floods [1], earthquakes, fires) or cyber (e.g., denial-of-service attacks affecting the RTU of an electric substation). These aspects are further worsened by the fact that perturbations could also affect other systems, which may generate negative feedbacks, thus amplifying the effects and reducing system capability to return to an equilibrium state. The electrical network disturbances may span from minor or routine disturbances in normal conditions, which, in general, are mitigated and restored through protection and automation devices and/or by the operators’ interventions, to major disturbances due to extreme meteorological or catastrophic events and cyber-attacks. In general, this kind of disturbance causes electrical network disruptions that last for hours. As reported in [2], in Italy in February 2015, over 360,000 customers were left without power for more than 8 h, and more recently, in the Abruzzo and Marche regions in January 2017, disruptions lasted over 72 h, affecting 39,000 customers.
Nowadays, frameworks for resilience assessment are relevant for electrical operators as the demand for a resilient electrical delivery service is increasing and the requirements imposed by the electrical authorities are increasingly strict. Moreover, electrical operators have to improve the efficiency of their operational procedures in order to adapt to the increase of user demand, the adoption of smart operative modes and the increase of competition among operators. The requested resilience assessment approaches can be divided into short-term or electric utility-centric approaches (where the objective is the evaluation of actual or hypothetical power grid design and the optimisation of normal, daily network operations and configurations) and long-term, strategic resilience assessment to help decision makers, infrastructure operators and public agencies that drive investments to establish better policies for the resilience improvement of the power grid and to improve the resilience of a specific region against natural disasters [3, 4, 5, 6]. Moreover, resilience assessment frameworks will play a central role in the analysis of mitigation measures to counter the increase of extreme and catastrophic events (Figure 1) and the increase of the number and the dangerousness of cyber-attacks on industrial control systems (in Ukraine, 230,000 customers were without power for 6 h in one of the first attacks on a nation’s power grid [7]).
Different definitions of resilience can be currently found [8, 9, 10], each reflecting a different domain where the concept of resilience can be applied. An exhaustive literature review is out of the scope of the paper; however, in the context of this work, resilience can be defined as “the ability of a Critical Infrastructure (CI) system exposed to hazards to resist, absorb, accommodate to and recover from the effects of a hazard in a timely and efficient manner, for the preservation and restoration of essential societal services” [11].
An analytical expression to measure resilience
R as for the above-mentioned definition, is a piecewise function that captures the reduction of the quality of service as a function of time
;
ranges from 0 (total loss of functionality) to 1 (no reduction in functionality). The equation for resilience proposed hereafter is modified after Bruneau and Reinhorn [
12] and represented mathematically as:
where
is the time of occurrence of the event and
is the recovery time (i.e., the time at which the full functionality of the system is regained and the
takes the unit value). According to (1), resilience R is essentially a measurement of the total functionality lost in a system and recovered over time when subjected to a crisis event. Resilience can be estimated in terms of
at the individual component level, or at the system level.
There are four key properties outlined by [12] that can influence
and therefore the extent to which a system will be more or less resilient, namely: (i) robustness, a system’s or component’s ability to withstand stress; (ii) redundancy, the substitutability of different elements within the system; (iii) resourcefulness, the ability of a system to adapt in order to prevent or reduce disruption of the system and rapidity and/or the availability of necessary resources; (iv) rapidity, the ability to respond to and mitigate disruption in a timely manner.
In this work, we propose an operational metric to evaluate the resilience R of electrical distribution networks (EDNs) that encompasses all the above-mentioned resilience-building properties. The term “operational” indicates that the framework aims to assess the resilience of a network by defining operational models that consider the different factors affecting the resilience of the network itself. Such factors span from the technological ones (e.g., the network topology, the functioning status of the SCADA system) to network management procedures adopted by the operators. In particular, the proposed framework can be considered an electric utility-centric approach for the assessment of the resilience of large power distribution grids also under normal, daily network operations (in contrast with the approach proposed in [3], which considers the resilience of a power distribution grid limited to natural extreme events). According to [13], where a system is said to perform in a resilient manner when “it can sustain required operations under both expected and unexpected conditions by adjusting its functioning prior to, during or following events (changes, disturbances and opportunities)”, the proposed resilience assessment approach also considers opportunities in the assessment process. Indeed, the proposed framework can be used to estimate the impact of: (i) technological improvements (e.g., a larger density and a wiser positioning of automatic devices along the network topology) and (ii) changes in operational configurations, for example increasing the number of emergency technical crews available to manage and solve an EDN crisis. Moreover, as improving the resilience of a system considering the interdependent infrastructure systems and services [14, 15] is a fundamental aspect, the proposed framework allows us to quantify the resilience of an EDN considering the availability of other services and infrastructures that may impact the performance of the power grid, for instance the telecommunication network providing the communication services to the SCADA system and the urban mobility infrastructure allowing the operations of the emergency technical crews.
In general terms, as it has been stressed in [16], “the assessment of resilience should therefore identify the critical functionality of a system and evaluate the temporal profile of system recovery in response to adverse events”. The problem is thus shifted to the identification of a state function whose measure can be associated to the resilience property. This function should be able to reproduce the behavior of the system during a perturbation and it should consider all factors (or system properties) influencing the resilience level of the system.
Similarly to [12], in this work the considered metric is represented in Figure 2, where the quality of service (QoS) is defined as a quantitative metric for the resilience of EDNs on a temporal horizon.
The temporal behavior of the state function shown in Figure 2 can be ideally divided into four phases:
Normal behavior and aging (). During this phase, in the absence of perturbations, the QoS of the system is optimal. The service is delivered thus producing the “wealth” of all users. Maintenance actions are required to maintain this optimal (or near-optimal) behavior. During this phase, events prediction and the set up of preparedness actions should be considered.
Shock (
). This phase follows a perturbation. From this point on, the QoS typically decays rapidly following an exponential behavior. The decay rate depends on the infrastructure and might vary from a few seconds to hours. In an EDN, for instance, protection devices and/or procedures require the disconnection or isolation of system components to avoid the spreading of the impact. The decay behavior of this phase could be affected by several factors: involvement of a large number of components, and possible negative feedbacks from interdependent networks [
17]. Shock phase ends up at time
corresponding to the time when CI operators start acting on the network control and
where:
reaches the minimum.
Recovery ( where: ). This phase starts when the activity of contingency management is implemented to recover from the fault through automatic and manual interventions in order to increase the QoS. Success in the recovery phase, however, could be hindered, again, by negative feedback arising from the losses in other services; they could reduce the efficiency of recovery strategies (i.e., the absence of tele-control functionality, reduced by a severe electric outage, would force the use of longer manual restoration procedures). In general, this phase has the primary goal of starting to supply services to critical users through rapidly deployable contingency actions.
Restoration ( where: ). This phase, which might extend on time scales larger than those of the previous phases, allows us to recover the full functionality of the network (i.e., the QoS before the perturbation, if possible). In principle, a wise and efficient restoration phase could also originate new properties of the network, which might produce a super-elastic behavior, i.e., allowing the system to gain a larger QoS with respect to that displayed before the crisis (i.e., a new network configuration could guarantee the service supply with lower operational costs in terms of electrical losses).
In this work we do not consider other actions (i.e., the long-term activities enabling the rebuilding of disrupted items and/or the improvement of existing infrastructures) but only the actions needed to return, at least, to the functional level of the system before the occurrence of the perturbation. The proposed state function or system performance curve is similar to the resilience model proposed in [14, 18]. In our case, we clearly differentiate the recovery and restoration phases, as this model is more suitable to describe the performance of an electrical network when affected by disturbances [5, 6]. In this work, the performance of the EDN system is defined through a contingency indicator commonly used as a key performance indicator (KPI) to estimate the level of service continuity of an EDN, that is, the customers minutes of interruption (CMI) index [19]. For each electrical substation impacted by a disturbance, the indicator is equal to the number of disconnected customers d supplied by the electrical substation times the time duration
of its disconnection expressed in terms of
(i.e.,
min). The CMI indicator is suitable to measure the performances of large and complex networks where, in general, it is very difficult—if not impossible—to obtain the detailed electrical model needed to compute detailed electrical quantities such as the power delivered and the power flows used in other quantitative resilience assessment frameworks [20]. Indeed, the proposed quantitative resilience assessment model is a simulation-based approach that considers different factors/system properties that have a strong influence on the electrical distribution network performances; the factors are:
EDN-robustness of main components. The robustness of the EDN components has to do with their ability to withstand stress while sustaining limited or no damage. The structural hardening or in any case structural suitability of the main power delivery components, such as individual substations, transmission lines and distribution feeders, is a common approach to decrease vulnerability, i.e., their propensity to sustain damage if stressed, and enhance electric power system robustness. The magnitude of the loss of functionality at the time of the shock, i.e.,
of Figure 2 mainly depends on the robustness of main EDN components;
EDN topology. The topology of the network has a significant impact on its robustness and functionality. For the EDN, the term topology encompasses both the graph structure of the network and the position of the switches along the distribution lines. Both properties have an impact in determining the overall resilient response of the network ([21] and references therein);
Tele-controlled devices. A large fraction of CI elements along the distribution network is tele-controlled, i.e., their control could be remotely performed by using telecommunication systems. Among them, “automatic” CI elements allow for a rapid decoupling of the faulted branch from the rest of the line. The lower the number of such units, the weaker the remote controllability of the system and the longer the required restoration time;
EDN-Telecommunication dependencies. The topology of the EDN-Telco interconnection, to discover how perturbation spreads on the different networks and which feedback should be expected;
Efficiency of remote-controlled devices. This can be achieved by redundant connections to telecommunication networks or private (and more secure) proprietary, wired communication networks;
Efficiency of restoration procedures. This can be achieved, for instance, by decreasing the time required to carry out the different restoration actions including tele-controlled and manual actions;
Number of available technical crews. The amount of technical resources available on the field when manual interventions on CI elements are required can lower the time of the intervention.
This work describes the resilience assessment results of a large EDN (the Rome metropolitan EDN) obtained with RecSIM, a tool developed within the projects RoMA (“Resilience enhancement Of a Metropolitan Area”, Italian project) and CIPRNet (“Critical Infrastructures Preparedness and Resilience Research Network”, EU FP7 project) in collaboration with Areti SpA, the electrical distribution operator of the metropolitan area of Rome.
Currently, RecSIM is a component of the CIPCast Decision Support System, referred to hereafter as CIPCast-DSS [22], developed as part of the CIPRNet project and one of the main platforms used within the European Infrastructure Simulation and Analysis Centre (EISAC), which aims to establish a collaborative, European-wide network of national centers, empowered by advanced technologies, to inform, support and empower the different players involved in urban resilience enhancement and assessment [23, 24]. Regarding the contribution of energy systems and, in particular, of EDNs to implementing resilient cities, RecSIM is used to assess the speed of action and recovery of EDNs following a perturbation. RecSIM is part of the CIPCast-DSS, a large platform containing models and tools for decision makers in order to optimize the management of a crisis and/or to proactively improve the systems' resilience, relying on the platform's situational awareness data and risk assessment results [13, 25]. Similarly to what is proposed in [26], where the authors developed a modeling and analysis tool allowing us to detect the critical chains of dependency in an interdependent scenario, the RecSIM tool performs a topology-based simulation of an EDN crisis by providing a prediction of its extension, of its impact in terms of KPI, and of the best strategy to recover the system functionality, thus being a valuable support to decision makers and infrastructure operators to estimate the effect of different security controls and thus to select the best actions that may contribute to an increase in the overall resilience.
The CIPCast DSS operates in two different modes: situational awareness online mode and simulation offline mode. In the former case, the platform uses different sources of data (e.g., weather forecast and now-casting data) and basic territorial data (e.g., primary services, hospitals, roads) to anticipate, as much as possible, infrastructure network contingencies (e.g., contingencies due to extreme weather conditions). In particular, in the situational awareness online mode the DSS needs to exchange data with the operator data center. For instance, the CIPCast DSS instance designed and deployed for the Metropolitan City of Rome established a secure communication channel with the ARETI SpA data center to constantly exchange data with it. More specifically, CIPCast DSS needs to update the EDN topology configuration on a regular basis, as it may change due to issues such as maintenance interventions or failure events. On the other hand, ARETI SpA receives alerts in case the platform foresees possible outage scenarios involving the EDN. The CIPCast DSS platform can also be used to assess significant physical damage to infrastructure due to extreme events such as earthquakes (Section 4). In the latter case (i.e., in the simulation offline mode), the platform can be used to assess the performances of the technological networks in synthetic scenarios such as synthetic earthquake events. In both cases RecSIM receives as input a damage scenario (i.e., a set of electrical stations in the not-working state) and the functioning state of other infrastructures (telecommunication networks and roads infrastructure) and, considering the actual EDN topology and the operator's operation procedures, it computes the impact of the damage scenario on the EDN in terms of the chosen KPI.
The present paper is organized as follows. Section 2 introduces the operational resilience metric that has been used in RecSIM for the quantitative assessment of the resilience of EDNs. The same metric can be used to estimate the resilience of EDNs during large crises due to extreme natural events [27, 28] and during daily, normal operations (which represents the main contribution of this paper). It is worth noting that the proposed resilience assessment approach, similar to [17], considers the dependencies of EDNs with other urban infrastructure networks such as roads and telecommunications networks. Section 3 describes the RecSIM model in detail, with the identification of its inputs and output results. Section 4 describes how the CIPCast DSS assesses the physical damage that a shock might cause on EDN components and that will cause a loss of their functionality. Section 5 summarizes the results of the operational resilience assessment of the electrical distribution network of the metropolitan area of the city of Rome. The final discussion refers to the obtained results in terms of the potential of the RecSIM model to support EDN operators in network management, stress testing and planning activities.
2. Operational Resilience Metric for Electrical Distribution Networks
This section describes how to link the QoS time behavior with the measure of the resilience property. The estimation of the proposed QoS requires a model of the EDN allowing the assessment of the QoS as a function of the many different properties (that were introduced in the previous section) that influence the response of the system to a perturbation [3, 4].
Formally, the EDN is represented by a node-weighted directed graph without loops and a telecommunication network providing tele-control functionality containing a number of BTS s.t. with , where:
vertex set with ;
represents an electric primary station (PS) containing high-to-medium tension transformers equipped with remote control functionality provided by a proprietary telecommunication network;
represents an electric secondary station () containing medium-to-low tension transformers equipped with remote controlled switches (that depend on some BTS ;
represents an electric secondary station () containing medium-to-low tension transformers equipped with automatic switches;
represents an electric secondary station () containing medium-to-low tension transformers without remote control functionality;
edge set where the generic represents the portion of an electrical line connecting the two electric stations and ;
weight set associated to each vertex where: (i) on represents a physically intact and fully available station, (ii) disc represents a physically intact and functionally unavailable station and (iii) dam represents a physically damaged and functionally unavailable station;
each is electrically supplied by a specific s.t. .
In the following, the QoS function described in Section 1 is first formalized in order to describe and analyze the behavior of a medium-voltage (MV) line l over the time horizon
. Then, the formulas to compute the operational resilience of the overall electrical distribution network are described.
The QoS function, describing a perturbed MV line, is represented by a piecewise linear function (Figure 3). Let us assume that a perturbation affecting some electrical stations
occurs at time
(with
) and that, following the recovery operations, the MV line returns fully operational at time
. Let us consider the set
containing the local states
of each electric station
in the interval
.
Let us define the function measuring the overall state of the MV line L for s.t.:
. The QoS of the line reaches the maximum value if the line is not perturbed or when, after a perturbation, the line is completely restored within a time interval T (pre- and post-disturbance green lines of Figure 3).
. The QoS for the line l reaches the minimum value at time when there exists at least one in the line l is in the dam state. For EDN medium-voltage lines the QoS almost instantly reaches the minimum value (i.e., the zero value) because of the opening of protection devices that disconnect all electrical SS in the interested line.
for . The electrical utility operator using the SCADA system (if available) is able to restore the service in a number of substations of the line l. The time-to-restore by SCADA value is, in general, short. According to the electrical utility operator of the metropolitan area of Rome (Areti SpA) this value is approximately 3 min. The value r will depend on the number of substations that can be restored by remote actions. More of these substations are closer to the r value than they will be to M. Anyway, in general, there exist substations that cannot be restored using the SCADA system. In such case the electrical utility operator has to coordinate manual operations (e.g., to isolate a failure) using the available technical emergency teams. As is shown in the next section, the time-to-restore by manual operations depends on the availability of the technical crews and the state of congestion of the urban viability infrastructure. According to the operator, a value for this quantity is approximately 45 min.
Let us assume that the only way to repair a damaged node is to replace it with a power generator (PG) to ensure electrical continuity to the node’s customers. Thus, in the proposed model, a damaged node will not be repaired during the simulation. In particular, the functioning status of a damaged node is restored through the settlement of a PG (an operation that requires time T in the previous QoS formula). The disconnected nodes, in turn, are reconnected either through a tele-control operation (if available) or by dispatching technical crews to provide manual reconnection. Such interventions may require specific times, which are considered when defining a restoration sequence of interventions. The
function of a line l, over the time horizon
, can be represented by the following function:
where
is the total number of customers connected to the line
l,
m is the number of substations on the line
l,
represents the number of customers of the
and
is a function that equals 1 if
} and 0 if
. It is worth recalling that
. The
metric can be appropriately normalized in order to be bounded to the
interval.
In other terms, in order to measure the impact of a perturbation on an MV line and in general on an EDN, our framework uses a parameter similar to the CMI index introduced in Section 1, which measures the total loss area due to a perturbation as shown in Figure 4. This index is denoted by
in the following. Indeed, the quantity
expressed in kmin for a line l is computed as follows:
where
,
and
(d represents the customers that have to be reconnected through manual restoration procedures).
In case of a double failure on two distinct secondary substations on the same medium-voltage line, the
value can be computed as follows:
where
,
,
,
and
A double failure can be considered the worst case as, in general, this will result in a number of isolated substations. In this case, the only possibility to restore the power delivery to the final customers is to deploy mobile power generators. As indicated by the electrical operator, mobile power generator deployment is a time-consuming operation (the mean time to deploy a mobile power generator has been indicated as
). Then, the
value of Figure 5 is greater than the total loss area of Figure 4.
The terms
and
d of Equations (3) and (4) depend on the factors that have been indicated as influencing the resilience behavior of an MV line described in Section 1. For example, the term
depends on the availability and efficiency of the SCADA system,
on the number of technical crews available and the urban viability state of congestion. The term
d depends, in general, on the network topology and the possibility to use other feeders during contingencies. Then, the total loss area can be used to measure the capability of the network to withstand the perturbation in terms of consequences that the EDN customers will suffer. Then, it would not be inappropriate to correlate the value of
with the inverse of the resilience indicator. In other terms:
In the proposed resilience assessment framework we use the basic Equations (3) and (4) to compute a resilience indicator of the entire electrical distribution network. In particular, the results obtained with the
analysis are described in [29]. The resilience indicator for the
analysis has been computed considering the mean value of the
values computed considering in failure each substation of the electrical network. Denoting with L the set of the MV lines i and with N the total number of substations in the considered EDN, the resilience indicator has been computed as follows:
In general, RecSIM makes it possible to carry out a “crisis game” consisting of the estimation of all
values resulting from the application of different EDN perturbations. Each “crisis game” is carried out by configuring some parameters that allow us to simulate different conditions, for example the unavailability of some SCADA system functions or urban traffic congestion impacting manual restoration procedures. The objective is to provide a quantitative method that, through a resilience indicator, allows analyzing variables in different operational conditions. Different kinds of analysis have been performed, as described in the following. The results of these analyses are discussed in Section 5.
2.1. Resilience Assessment of EDN in the Case of Metropolitan Contingency Scenarios
In this analysis, RecSIM simulates network restoration procedures adopted in case of extraordinary network failures due to, for example, extreme weather conditions. These scenarios consider the failure of secondary substations and the possible restoration procedures that may be applied considering the available resources. Different failure cases have been considered:
. This case represents the usual power grid analysis where one substation is considered in failure for each simulation run.
worst case. In this case, for each MV line in the EDN, all the combinations of double failures on a single MV line have been considered. In general, each MV line can be fed by two or more primary substations. Then, if it is not possible to restore some substations on the normally configured MV line, the electrical operator can operate the electrical network switches to feed the isolated substations using the available next MV line(s). If this happens, the electrical network switches from the normal to a temporary configuration. The worst-case analysis considers double failures on a single MV line to prevent the electrical operator from switching from a normal to a temporary configuration.
Heuristic case. In this case, the substations configured in failure state have been chosen through an educated guess considering their effective rate of faults (as declared by the electrical operator). Indeed, statistics have been collected over several years and the number of observed faults normalized over the number of days of observation has been defined. This value is and indicates the rate of faults per day that can be assimilated to the daily probability that the specific substation goes in a damaged state. The heuristic perturbation scheme has thus been applied to the network by simulating M working days: in each day of operations, the damaged state of each substation has been sampled (as in a Monte Carlo scheme) by extracting a random number ( = [0,1]) and by comparing it with the value: if < the i-th substation is put in the damaged state, whereas it remains unperturbed otherwise. The substations sampled as damaged have been put in the damaged state simultaneously, in order to simulate the worst-case scenario. This procedure is repeated N times to scan each substation and then repeated M times to simulate different working days.
For each case, the resilience indicator is represented by the mean value of
with respect to the total number of simulation runs representing the total number of combinations. In particular, considering the
worst-case analysis, we define the set
containing all pairs of MV line identifiers that can be used to switch to temporary network configurations for service restoration during a crisis (i.e.,
represents the set of suitable backup feeders).
C is the total number of combinations for the
case; the resilience indicator is computed considering all possible double failures:
For the
analysis, the total number of combinations coincides with the total number of substations in the network, whereas in the heuristic case, the total number of combinations coincides with the total number of damaged configurations obtained through the Monte Carlo method, such as the simulation described above. In particular, this procedure generates very few damaged states, as the rate of faults of the substations is usually small. However, it generates cases where one (or even more than one) substation will result in a damaged state. This procedure thus allows us to sample (among the manifold of possible damaged network states) those states where one or more substations are simultaneously damaged, in agreement with the rate of faults of the different stations. Over
damaged configurations were obtained with the Monte Carlo sampling, of which 1163 were constituted by single damaged substations; 296 with two damaged substations; 49 with three damaged substations; 5 with four damaged substations; 2 with five damaged substations [30].
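The heuristic sampling described above can be sketched as follows. This is an added example, not RecSIM code: the fault rates, substation names and the `impact` callable (a stand-in for the per-configuration value the simulator would compute) are constructed assumptions.

```python
import random
from collections import Counter

# Constructed daily fault rates (faults observed / days observed) per substation.
FAULT_RATES = {"SS-01": 0.004, "SS-02": 0.001, "SS-03": 0.010, "SS-04": 0.002}


def sample_damaged_configurations(fault_rates, days, rng):
    """Simulate `days` working days and return the damaged configurations.

    Each day, one uniform number in [0, 1) is drawn per substation; the
    substation is damaged that day when the draw is below its fault rate.
    All substations damaged on the same day form one configuration
    (simultaneous failure, the worst case). Days without faults are skipped.
    """
    configurations = []
    for _ in range(days):
        damaged = frozenset(
            ss for ss, rate in fault_rates.items() if rng.random() < rate
        )
        if damaged:
            configurations.append(damaged)
    return configurations


def size_histogram(configurations):
    """Count configurations by number of simultaneously damaged substations."""
    return Counter(len(c) for c in configurations)


def mean_indicator(configurations, impact):
    """Mean impact over all sampled configurations (0.0 if none were sampled).

    `impact` is a hypothetical stand-in for the per-configuration value that
    a simulator such as RecSIM would compute.
    """
    if not configurations:
        return 0.0
    return sum(impact(c) for c in configurations) / len(configurations)


if __name__ == "__main__":
    rng = random.Random(2024)  # fixed seed so the run is repeatable
    configs = sample_damaged_configurations(FAULT_RATES, days=20000, rng=rng)
    for size, count in sorted(size_histogram(configs).items()):
        print(f"{size} damaged substation(s): {count} configurations")
    # Stand-in impact: number of damaged substations in the configuration.
    print("mean indicator:", mean_indicator(configs, len))
```

With small fault rates most simulated days yield no configuration at all, and single-substation configurations dominate the histogram, which matches the shape of the counts reported above.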
2.2. Assessing the Impact of Improved Distribution Automation Systems (DAS) on the EDN Resilience
In this case, RecSIM was extended to simulate the operator's operational procedures for fault detection, isolation (FDIR) [19]. The proposed framework was used to assess the performance of the EDN during normal and daily operational conditions. In particular, the extended tool was used to assess the performance of the Distribution Automation System (DAS) and to evaluate the improvements that could be achieved by adopting new communication technologies for the DAS network. Similar to the works in [31,32,33], ENEA and Areti SpA are currently working on an optimization framework to support the optimal placement and composition of automatic switches (ASs) to improve the distribution power grid reliability. Indeed, as noted in [32], a greater number of automatic switches allows for better operation; however, there are practical limitations because of increased installation costs and stricter maintenance requirements for the ASs. This work shows preliminary results that were obtained using the improved RecSIM to assess the benefits of an improved DAS schema (currently under testing in Areti SpA), where the ASs collaborate using the 4G communication network.
3. The RecSIM Tool
Figure 6 shows the input of RecSim and its output (i.e., the consequence of a perturbation in terms of
). In particular, Figure 6 highlights the relationships among the simulator input and the resilience properties introduced in Section 2. The RecSIM inputs are:
Network topology—expressed as the EDN graph and the perturbation P represented by the SS that is in the damaged state. In this work, perturbation P is introduced by the user. However, the node in the damaged state can also result from the analysis of an external perturbation (i.e., weather forecast) and from an over-threshold probability of damage of a node induced by a natural hazard (e.g., in the CIPCast platform, see [22,34]);
SCADA system—expressed in terms of the set of SS that can be remotely tele-controlled;
Efficiency of SCADA system—expressed in terms of the functioning status of the BTS providing communication service to the EDN and in terms of , the time needed to perform a remote operator action (using the EDN SCADA functionalities);
Efficiency of restoration procedures—expressed in terms of the time needed by an emergency crew (a) to reach a damaged SS (), (b) to perform a manual reconnection action () and (c) to set in place a PG to feed the users of the damaged SS (or of other SS, which will result in being isolated and thus needing a PG as they were damaged). The input time values represent “mean” values as they have been provided by the electrical operator. RecSim performed simulations by using these values as mean values of a flat distribution from which time values to be used in the simulation were randomly extracted;
Technical resources—expressed in terms of the number C of technical crews available in the field. The number of available PGs is assumed to constitute an unlimited resource. Further development of the algorithm will consider the finiteness of available PGs.
The output of RecSim is represented by the value of the impact of the damage scenario (represented by the perturbation P and by its cascading effects) on the EDN, considering all the actions performed (in series or in parallel, as many technical crews were simultaneously available): (a) the damaged node and, whenever the case, the isolated node substitution with a PG; (b) the manual reconnection of disconnected nodes by the available technical crews and (c) the automatic reconnections made through remote tele-control operations. These actions restore the EDN to a normal operating status and allow all users to be reconnected to the grid. As previously stated, damaged SS are just substituted by a PG and, at the end of the simulation, they are still in the damaged state although their function is recovered by the PG. The impact of the perturbation P on the network is thus computed using Equation (2).
Figure 7 shows the different elements of a RecSim EDN model. The electrical MV lines start from primary stations (the node A in Figure 7) and connect the secondary substations, forming, in general, a tree structure. As already explained in the previous section, the secondary substations can be normal, remotely tele-controlled, automated or “frontier” substations, which are represented, respectively, as white, grey, orange and purple nodes in Figure 7. The automated substations are very important, as they are able to automatically perform the isolation and restoration procedures needed to react to failures happening to their descendant substations (e.g., the substations P, Q, R, S in Figure 7 are the descendants of the automated substation F). The “frontier” substations can be used to restore a portion of an MV line from the backup feeders of another MV line.
For instance, in case of an outage in some of the substations on the MV line 1 in Figure 8, the descendant substations of the failed substation can be restored using line 2 or 3 using the “frontier” nodes (D1, C2, C3). Furthermore, in the RecSim models, there are dependencies between the EDN SCADA components and the telecommunication components providing the communication service. As shown in Figure 9, the tele-controlled substations use the communication service that is provided by telecommunication network components (i.e., the Base Transceiver Station of the tlc network ); this also works in the other direction—the BTS are fed by the secondary substations of the EDN. In this work, we assume that the BTS do not have battery backup. Then, if a BTS
depends on a substation
and
is in a damaged or disconnected status, the consequence is that
will immediately stop functioning.
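The two-way dependency between substations and BTS can be traced with a small model. This is an added example, not RecSIM code: the topology, node names and BTS mappings are constructed, and it assumes that everything downstream of a damaged substation is disconnected and that a disconnected tele-controlled substation can be reconnected remotely only while its BTS is still powered.

```python
# Constructed MV line: primary station A feeds a tree of secondary substations.
CHILDREN = {"A": ["B"], "B": ["C", "F"], "C": ["D"], "F": ["P", "Q"],
            "D": [], "P": [], "Q": []}
# Substation feeding each BTS (no battery backup, as assumed in the text).
BTS_FEED = {"bts1": "C", "bts2": "Q", "bts3": "B"}
# BTS carrying the tele-control link of each tele-controlled substation.
TELECONTROL_LINK = {"C": "bts3", "D": "bts1", "P": "bts2", "Q": "bts3"}


def descendants(children, node):
    """All substations fed through `node` in the tree."""
    found, stack = set(), list(children.get(node, []))
    while stack:
        current = stack.pop()
        if current not in found:
            found.add(current)
            stack.extend(children.get(current, []))
    return found


def cascade(children, bts_feed, telecontrol_link, damaged):
    """Propagate a perturbation from the EDN to the BTS and back to tele-control."""
    damaged = set(damaged)
    disconnected = set()
    for ss in damaged:
        disconnected |= descendants(children, ss)
    disconnected -= damaged
    unpowered = damaged | disconnected
    # A BTS stops as soon as its feeding substation is damaged or disconnected.
    failed_bts = {bts for bts, ss in bts_feed.items() if ss in unpowered}
    # Remote reconnection needs a tele-control link over a BTS that still works.
    remote = {ss for ss in disconnected
              if telecontrol_link.get(ss) is not None
              and telecontrol_link[ss] not in failed_bts}
    return {"disconnected": disconnected, "failed_bts": failed_bts,
            "remote": remote, "manual": disconnected - remote}


if __name__ == "__main__":
    for hit in (["C"], ["F"], ["B"]):
        print(hit, cascade(CHILDREN, BTS_FEED, TELECONTROL_LINK, hit))
```

The case of a damaged F shows the feedback: P is tele-controlled, but its BTS is fed by Q, which the same fault disconnects, so P falls back to manual reconnection by a crew.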
4. Assessing Robustness of Electrical Distribution Network Components and Possible Physical Damage Scenarios
This section describes how to assess the physical damage that a possible shock might cause on EDN components, causing a loss of
that from the unit value will fall to the
of
Figure 2. The entity of
will depend, among other factors, on the level of physical damage induced by the shock on the EDN components, if they are not totally robust to the shock. Properly designed components according to the most advanced design standard will guarantee a good level of robustness. However, it is usually not possible or, in any case, economically not feasible to guarantee full robustness of EDNs components to the different shocks that might arise from extreme natural events. Therefore, it might be useful to be able to assess their vulnerability (i.e., the propensity to be affected by perturbation of certain types, which can be considered as the complementary term of the robustness) and the physical damage that a shock might induce on them. A first step toward the assessment of vulnerability is the collection of relevant information related to the design level and the geometric and constructive features of the components.
Table 1 proposes a taxonomy for assessing the vulnerability of EDNs.
The assessment of a possible damage scenario can then be carried out by overlaying and convoluting information on the exposed EDNs components, including those regarding their vulnerability to the specific hazard under analysis (referred to as vulnerability factors in Table 1), and the perturbation intensity at the location of the exposed EDNs.
This concept is summarized in the equation below, where the symbol ∗ expresses convolution among factors:
Damage can be described with different metrics for different types of EDN components (Table 1). Damage to infrastructure nodes is represented in CIPCast-DSS according to a four-level damage scale, i.e., D1 slight/minor damage, D2 moderate damage, D3 extensive damage and D4 total disruption; with D0 representing the absence of damage.
Damage of infrastructure nodes should consider both the physical damage and operational failure. Although components are located inside buildings, it may be necessary to separately assess the operational state of the equipment and the physical damage of the building. In these cases, it is possible that the structure is significantly damaged and that the component is fully operational, as none of the equipment is damaged. Conversely, it is possible for the structure to be unaffected while the component has lost its function due to damage to the equipment.
Damage of infrastructure edges (a cable, for instance) can be assessed quantitatively in terms of a damage rate DR, a deterministic estimate of the number of damages that a cable is expected to experience per unit of length (usually per kilometer). Specific damage functions implemented to assess the expected damage level or damage frequency of different EDN components can be seen in [27,35,36] for assessing earthquake-induced damage and damage induced from heat waves.
CIPCast-DSS was used to evaluate the resilience of urban infrastructure networks at systemic level. For example, in [28], the authors simulated a realistic earthquake event occurring in the city of Florence (Italy) by predicting disruptions on buildings and critical infrastructure and by designing a reliable scenario, accounting for road obstructions due to building collapse, to be used to design efficient contingency plans for infrastructure networks using an approach similar to that described in [17].
6. Discussion
The Electrical Distribution Network (EDN) is a critical infrastructure that plays a primary role in citizen life. The resilience of an EDN, intended as its service continuity, should be pursued both in business as usual and adverse conditions. These EDN systems should be able to withstand different types of perturbations possibly affecting their functions through a combination of technical solutions and management strategies spanning from intrinsic system technologies to effective operational plans.
This work proposed a framework enabling: (1) the estimation of the physical impacts and consequent functional perturbations that might affect EDN, and (2) the testing of the effectiveness of different strategies to achieve operational resilience. Factors that are considered within the framework to set resilient response strategies include: the EDN topology; the technological properties of EDN active elements; the SCADA systems; automation procedures and management efficiency.
In particular, the proposed approach is related to a novel integrated metric (similar to the metric proposed in [14]) for operational resilience to be used in systems showing a functional behavior whose management, particularly in crisis scenarios, might be highly dependent on the functioning of other systems from which it takes operational services.
The obtained results show that RecSIM is a valuable tool to assess the resilience of EDN considering both (i) the normal EDN operational procedures and (ii) natural disasters and/or critical contingencies.
A primary use of the RecSIM model is in the optimization of the positioning of new automation devices along the network. Automation devices are useful to improve the quality of the EDN response and its capability to isolate the perturbed trunk line. In a limited resource strategy, the positioning along the lines should be carefully considered in order to maximize the benefits in terms of controllability and resilience gain. The RecSim model is particularly suited to carry out such an optimization strategy: new devices are positioned along the lines and a heuristic strategy can be used to select the possible n-device positioning so as to provide a sub-optimal improvement to resilience, which will be considered as the objective function for the optimization strategy. This will be the primary application of the RecSim model to the EDN case and will provide new understanding on the use of appropriate optimization strategies to be used in combination with RecSim.
A further research direction could consider resilience as a “systemic” property. As the rebound from a perturbed to the equilibrium state, in a specific infrastructure (in our case the EDN), is related to the availability of external services (in our case the telecommunication service), which could fail due to the perturbation to the hit infrastructure, the overall efficiency for restoration will thus depend on the properties and the management of both systems. The case could be even more complex when multiple infrastructures are involved: this is the case, for instance, of water distribution networks (WDN) and railway networks [37,38,39], where electrical and telecommunication functions are both needed for supporting normal and crisis management. In this respect, the “Systemic Operational Resilience” score should be able to gather, in a unique definition, the functionality losses in all the infrastructures that can be hit by a perturbation inserted somewhere in the “system of systems”, a perturbation that could hit one or the other of the interdependent infrastructure. This will open a “generalization” of the two-systems case, which could provide, at the end, the settlement of a unified model for the resilience in the real case of multiple, interconnected infrastructures [15,40].
In particular, the proposed approach was applied to the case study of Rome city, whose large distribution network contains more than electrical substations, to show how the model can appropriately handle a real EDN of large dimensions.
RecSIM has proven to be able to realize a simulated stress test to the electrical infrastructure by simultaneously considering the different network properties that have an impact on resilience (topology, tele-control, appropriate interaction with the telecommunication operation providing tele-control, cabin automation, level of network management in terms of number of technical crews and times of interventions). In this respect it allows us, by appropriately varying those factors in the model, to establish the impact of each of them on the final resilience score. This would have a large impact from the industrial point of view for determining, through educated analysis, the best approach in terms of costs/benefits for progressively improving the overall network resilience. RecSIM will be made available to operators: in this perspective, the Infrastructure Simulation and Analysis Centre (EISAC) is working to establish a collaborative, European-wide network of national centers, empowered by advanced technologies, to inform, support and empower the different players involved in the resilience enhancement of EDNs, among other critical infrastructures. One of the tools developed by EISAC is the CIPCast Decision Support System (CIPCast-DSS), whose development has been part of the EU-funded FP7 project CIPRNet (“Critical Infrastructures Preparedness and Resilience Research Network”) and of the Italian project RAFAEL (“System for Risk Analysis and Forecast for Critical Infrastructures in the AppenninEs dorsaL Regions”) [22]. CIPCast provides a database, an interoperable platform and a user-friendly WebGIS interface, conceived as a combination of free/open source software environments, for the real-time and operational (24/7) monitoring and risk analysis of built and natural environments, with special focus on interdependent critical infrastructures including the EDNs. CIPCast-DSS can be coupled with RecSIM, providing a complex simulation model to enable the effective assessment of resilience enhancement strategies for EDNs, considering the specific situational awareness data and functional impact scenarios predicted/assessed by CIPCast-DSS. In this sense, CIPCast-DSS can be used to assess the possible damage and impact scenarios for real events, supporting an effective and rapid emergency management and response, as well as for simulated events (e.g., earthquakes) [28], to inform risk mitigation and resilience enhancement strategies. Indeed, as pointed out in [25], considering risk and situation awareness results can improve resilience assessment and management.
At the current stage, RecSIM is able to assess the resilience of an electrical distribution network according to the given enforced organizational and automated security systems. Concerning the implementation of other resilience protocols, further work could focus on optimizing the positioning of rescue teams, their availability during the event and the different levels of automation of the substations and their remote controllability.
Section 4 shows the application of the proposed approach to assess the possible performance improvement that can be obtained using an improved distribution automation system protocol. The infrastructure operators may rely on these results to plan network investments and developments.
Integrating RecSIM with security monitoring platforms used by operators would significantly improve the situational awareness capability of the CIPCast-DSS platform. In recent years, various studies have proposed advanced techniques to enhance the resilience of cyber-physical systems and industrial control systems [41,42]; however, this integration would entail overcoming a number of problems related to operators' requirements concerning data confidentiality, liability management and security, which will deserve a constraint-mediated approach.