1 Introduction

The electricity grid is primarily recognized as a physical transport layer for electrical energy. However, modern power systems are increasingly reliant on sensing, communication, computing and automated control to deliver the efficiency, flexibility and reliability that is required of them. They should therefore be understood as cyber-physical systems (CPSs) [1], where system-level behaviour results from the interplay between physical processes, information flows and control actions. A particular challenge is presented by the fact that power systems are critical infrastructures, where an inability to deliver energy to end users comes at a very high cost. This makes the study of failure modes in cyber-physical energy systems particularly pressing. Although the need for such analysis has been recognized [1, 2], the development of formal reliability models for cyber-physical energy systems is still at an early stage [3, 4].

System protection schemes (SPSs), also known as remedial action schemes (RASs) or system integrity protection schemes (SIPSs), are a natural candidate for studying CPS reliability in a well-defined context. SPSs are designed to detect abnormal power system conditions and initiate predetermined corrective actions to mitigate their impact [5]. SPS interventions include changes in load, generation, or system topology; these are usually triggered by the remote detection of contingencies, mediated by information communications technology (ICT) infrastructure. In other words, events originate in the physical domain (initiating contingencies), traverse the cyber domain (control logic and signals) and return to the physical domain (interventions in the power system).

The use of SPS has been largely associated with last-resort defense plans [6]. As such, SPS helps to protect the power system from high-impact low-probability events, including cascading outages. Alternatively, SPS can be used to improve the utilisation levels of electricity networks, alleviating operational security constraints in network-constrained areas. The principle is simple: SPSs take corrective actions upon the occurrence of a network contingency to avoid overloading the remaining circuits. In this second application, SPS helps to reduce generation dispatch costs, for example when large amounts of remote renewable resources are connected to the grid: preventive security constraints may require costly curtailments of renewable generation and dispatching generators out of merit [7]. On the other hand, activation of an SPS incurs additional operational costs, for example in the form of availability and utilization payments and potential loss-of-load costs [4]. The resulting cost-benefit problem falls into the general security constrained optimal power flow (SCOPF) framework [8], with the further aim of considering the value of corrective security [9]. Significant research has been dedicated to resolving variations of this problem [10, 11], which shows the need to consider these corrective systems in a cost-benefit fashion. The benefits from SPS have recently been explored in a multi-area electricity market system where a supra-operator determines the optimal power flows between areas [12].

As a result of these benefits, there is growing interest in SPS deployment, as noted in a survey by IEEE and PSERC [5] on global experiences with such systems, and in other recent examples [13,14,15]. However, history has shown that SPSs are not always dependable: [16] reviewed NERC system disturbance reports from 1986-2009 and found that of 26 SPS malfunctions, 11 cases were related to ICT operational failures. The perceived risk associated with these systems was highlighted as early as 1996, when an IEEE-CIGRE survey of the power industry [17] estimated costs related to SPS failures to be very high. Given the potentially large impact of such malfunctions, it is critical to develop an understanding of the link between cyber-failures and overall system reliability.

A number of modelling techniques have been proposed and investigated in this area [18]. Examples of SPS risk modelling with the aim of computing optimal arming points for generation rejection schemes are found in [19, 20]. Similar reliability models have been proposed for digital substations [21], resulting in proposals for generic representations of cyber-physical fault pathways, such as the cyber-physical interface matrix [22] and the consequent event matrix [3]. The IEEE Task Force on Reliability Considerations in Emerging Cyber-Physical Energy Systems has recently compiled the state of the art in this research area [23].

The role of SPS in improving economic utilisation of electricity networks necessitates a wider view of SPS reliability. The operator should ideally embed the notion of SPS reliability into its operational decisions about protection settings, generator dispatch and the loading of transmission lines. The main challenge in this exercise is that the outcomes from SPS malfunctions are often highly nonlinear, for example when the malfunction triggers a cascading outage. Hence, when it has been attempted at all, a joint cost-benefit analysis of dispatch and protection settings has typically relied on simplified representation of SPS malfunction and the resulting system response, e.g. [7]. A more elaborate SPS model was used in [4], but the simplicity of the system ensured that all failure pathways were readily enumerated.

This paper presents a method to embed SPS reliability aspects into optimal operational decisions with an explicit allowance for the evaluation of complex consequences of faults, cascading outages in particular. First, Section 2 formally defines the problem the operator faces when co-optimizing economic dispatch and the configuration of protection systems. Then, Section 3 describes an iterative approach to find an approximate solution to this problem, which builds on the concept of partial security scenarios introduced in [4] to generate plausible candidate solutions in a very large parameter space. Starting from the initial assumption that the cyber system works as designed, the method iteratively secures the system against a growing set of cyber-failure modes and evaluates the results obtained, thus balancing the cost of protection against the risks due to malfunctions that are not explicitly secured. The method uses explicit cascading outage simulations to compute costs associated with operational decisions such as dispatch of generators, SPS configurations and reserve deployment. An illustration of the method on the 24-bus IEEE reliability test system (RTS) is presented in Section 4, along with its specific power system and operational decision models. The results in Section 5 suggest a robust ability to identify solutions that better balance costs of supply, protection and interruption, compared to alternative approaches. The findings are further supported by results on the two-area RTS.

2 Problem statement and challenges

We consider the problem of optimal system operation from the perspective of a central operator that wishes to secure the network against a set of contingencies \({\mathcal{C}}.\) The following sequence of events is assumed [4]: ① in response to a given demand pattern and availability of generators, a generation and reserve dispatch is determined and, when desirable, the SPS is configured and armed; ② contingencies occur with a certain probability; ③ a contingency may trigger an SPS response and/or activation of frequency response to balance the system; ④ if residual constraint violations are present (DC overloads in the context of this paper), this results in further automated protection action, e.g. branch openings, that may cause loss of supply for customers. Note that the operator has no recourse after a contingency occurs, so that the dispatch and protection configuration fully define the system’s response to contingencies.

The operator can choose to secure the system in a preventive manner, by adjusting the pre-fault generator dispatch, or in a corrective manner, by relying on automated post-fault actions to return the system within operational limits. However, as these corrective actions may fail, they are accompanied by a risk of adverse consequences. The optimal decision is a trade-off between security and profitability based on a quantitative assessment of risk. Notably, in many real-world systems the system operator does not autonomously dispatch the generation assets, but relies on the markets to do so. Nevertheless, the system operator would still configure protection settings and influence reserve allocation, and it may adjust proposed market positions if this is warranted by system security. Moreover, knowledge of the optimal solution obtained by a central operator, even if it cannot always be implemented in practice, may serve to identify shortcomings in market or regulatory designs.

Formally, the operational problem of securing the system consists of choosing a generator dispatch and a configuration of the protection system. We denote the sets of related decision variables by \({\mathcal{D}}\) and \({\mathcal{S}},\) respectively. For the analysis, the set of credible contingencies \({\mathcal{C}}\) is divided into two classes: contingencies that are connected to a protection system and thus may trigger a protection response (\({\mathcal{C}}_p\)) and those that do not (\({\mathcal{C}}_n\)). The contingencies in \({\mathcal{C}}_n\) are secured in a preventive manner and those in \({\mathcal{C}}_p\) are configured to trigger the protection system. For those contingencies a quantitative risk trade-off is made, which explicitly accounts for possible failures of the protection system.

The contingencies \(c\in {\mathcal{C}}_p\) are assumed to occur with a rate \(\lambda _c\) within the operational period under consideration. For each initiating contingency c, there is one intended ‘design outcome’ o(c) of the protection system, but in practice the initiating contingency can result in a range of protection system outcomes \({\mathcal{O}}.\) If a probabilistic model is available for the failures within the cyber system, this results in a set of conditional probabilities \(p_{o|c}\) for outcomes o, depending on the initiating contingency c, with \(\sum _{o \in {\mathcal{O}}} p_{o|c} = 1.\) This set of conditional probabilities, also used in [4], encodes the same information as the cyber-physical interface matrix (CPIM) [22]. We further define the concept of a cyber-physical post-fault scenario \(q \equiv (c,o),\) which consists of an initiating contingency c and a subsequent protection outcome o. The rate of occurrence \(\mu _q\) of each scenario \(q \in ({\mathcal{C}}_p \times {\mathcal{O}})\) is given by \(\mu _q = \lambda _c \times p_{o|c}\).

The operator’s cost-benefit optimization for an operational window \({\Delta } t\) is then expressed as:

$$\begin{aligned} \min _{{\mathcal{D}}, {\mathcal{S}}} [G+P+X]&\equiv \min _{{\mathcal{D}}, {\mathcal{S}}} \left\{ G({\mathcal{D}})+P^a ({\mathcal{D}},{\mathcal{S}}) \right. \nonumber \\&\quad +\, {\Delta } t \sum _{c \in {\mathcal{C}}_p, o \in {\mathcal{O}}} \lambda _c p_{o|c} [P^u ({\mathcal{D}},{\mathcal{S}}, c,o) \nonumber \\&\quad + \,\left. L({\mathcal{D}},{\mathcal{S}}, c,o)] \right\} \end{aligned}$$
(1)

s.t.

$$\begin{aligned} {\left\{ \begin{array}{ll} h({\mathcal{D}}, {\mathcal{S}}, {\mathcal{C}}, {\mathcal{O}}) \le 0 \\ g({\mathcal{D}}, {\mathcal{S}}, {\mathcal{C}}, {\mathcal{O}}) = 0 \end{array}\right. } \end{aligned}$$
(2)

where G, P and X are generation, protection and loss-of-load costs, respectively. The protection costs P consist of a deterministic availability fee \(P^a({\mathcal{D}},{\mathcal{S}})\) and a per-event utilization fee \(P^u ({\mathcal{D}},{\mathcal{S}}, c,o)\) that depends on the CPS scenario (c, o). The loss-of-load risk X represents the expected cost associated with loss of supply to end users, consisting of per-event loss contributions \(L({\mathcal{D}},{\mathcal{S}}, c, o).\) These loss contributions are determined, for example, by computation of the energy not supplied and an estimated value of lost load (VoLL). The constraints (2) contain pre-fault and post-fault constraints for all scenarios, including those in the security-constrained contingency set \({\mathcal{C}}_n\) (see e.g. [8]).

In [4], the problem (1) was solved explicitly for an SPS in a very simple network. However, in a general setting, the computation of the load-shedding cost L requires detailed analysis of a complex power system. The costs may, for example, depend on the outcome of a multi-stage cascading process. When complex failure dynamics are present, the loss-of-load cost \(L( {\mathcal{D}}, {\mathcal{S}}, c, o)\) cannot be expressed algebraically as a function of \({\mathcal{D}}\) and \({\mathcal{S}}.\) In this case, the impact can only realistically be evaluated by explicit simulation of individual events and operating points.

3 Partial security method

In the following, we describe a heuristic approach to find an approximate solution to (1). The risk term X, which cannot be evaluated within a symbolic optimization, is replaced by an additional set of constraints. These constraints are varied to yield a set of candidate solutions, the best of which is selected by enumeration and direct simulation. The method consists of three parts that are described in detail below, and summarized in Fig. 1.

3.1 Selection among candidate solutions

At a high level, the optimization is implemented as an enumeration across a set of ‘candidate solutions’. Let \({\mathcal{K}}= \{ \kappa _1,\kappa _2,\ldots ,\kappa _N \}\) be a set of candidate solutions \(\kappa _i\equiv ({\mathcal{D}}_i,{\mathcal{S}}_i)\) (to be defined below). The optimization then takes the form

$$\begin{aligned} \kappa ^* = \mathop {\mathrm{argmin}}\limits _{\kappa \in {\mathcal{K}}} G(\kappa ) + P(\kappa ) + X(\kappa ) \end{aligned}$$
(3)

For each of the candidate solutions, all protection system outcome scenarios are enumerated explicitly, contributing according to their probability of occurrence. The load-shedding impact may be computed by means of simulation, or using an independent optimization procedure. This point-by-point analysis guarantees that the best candidate is selected from the set \({\mathcal{K}}\).

3.2 Partial security candidates

The challenge is thus transformed to the generation of a suitable candidate set \({\mathcal{K}}\). A heuristic approach to generate suitable candidates using a generalized SCOPF formulation is described below.

Reference [4] studied an unreliable SPS in a small demonstration system, where (1) could be solved directly. It was observed that the optimal SPS configuration is always a configuration that just prevents cascading overloads in one of the outcome scenarios. In other words, the system is operated such that for a particular combination of an initiating contingency and SPS failure mode, one or more of the components are at their operational threshold (e.g. thermal limit). This is intuitive, because crossing these thresholds is associated with further disconnections and possible customer disconnections. In the studied model, the optimal solution was therefore always one of a discrete set of ‘candidate solutions’ that were directly related to the triggering contingencies and associated SPS outcomes.

In the present paper, we postulate that the same principle can be applied more generally to generate potentially optimal solutions to (1). We define partial security configurations as solutions that are guaranteed to prevent load shedding for one or more scenarios \(q = (c,o)\). A partial security configuration for the set \({\mathcal{Q}}=\{q_1,q_2,\ldots ,q_k\}\) is defined as a solution that has no post-contingency constraint violations and thereby necessarily prevents load-shedding for all scenarios in \({\mathcal{Q}}\). This is enforced by a set of constraints \(h_{\mathcal{Q}}({\mathcal{D}},{\mathcal{S}}, {\mathcal{C}}, {\mathcal{O}})\le 0, g_{\mathcal{Q}}({\mathcal{D}},{\mathcal{S}}, {\mathcal{C}}, {\mathcal{O}}) = 0\). Simultaneously we remove the load-shedding risk X from the objective function.

A practical concern is that the protection configuration itself (the decision variables \({\mathcal{S}}\)) impacts its possible failure modes, and therefore the possible elements of \({\mathcal{Q}}\). Deciding \({\mathcal{S}}\) on the basis of a given set of failure pathways \({\mathcal{Q}}\) reverses this causality: it effectively makes the optimizer clairvoyant, letting it avoid those protection elements that fail in some scenario \(q \in {\mathcal{Q}}\). For example, in the context of a generation rejection scheme (an SPS that disconnects generation in abnormal system conditions), each outcome o is characterized by a collection of generators that successfully disconnect. Without further restrictions the partial security constraints \(h_{\mathcal{Q}}\) would simply result in the use of generators that will not be impacted by the failures. To rectify this issue, we introduce the constraint \({\mathcal{S}} \in {\varSigma }({\mathcal{Q}})\) that ensures that the valid choices of protection configuration are those that are actually affected by the scenarios in \({\mathcal{Q}}\).

Summarizing the above, the partial security configuration for a set of scenarios \({\mathcal{Q}}\) is defined as:

$$\begin{aligned} \kappa ({\mathcal{Q}})&= \mathop {\mathrm{argmin}}\limits_{{\mathcal{D}}, {\mathcal{S}}} \left[\vphantom{ \sum_{c, o})}G({\mathcal{D}}) + P^a({\mathcal{D}},{\mathcal{S}}) \right. \nonumber \\&\quad +\, \left. {\Delta } t \sum _{c, o} \lambda _c p_{o|c} P^u( {\mathcal{D}}, {\mathcal{S}}, c, o) \right] \end{aligned}$$
(4)

s.t.

$$\begin{aligned} {\left\{ \begin{array}{ll} h({\mathcal{D}}, {\mathcal{S}}, {\mathcal{C}}, {\mathcal{O}}) \le 0 \\ g({\mathcal{D}}, {\mathcal{S}}, {\mathcal{C}}, {\mathcal{O}}) = 0 \\ h_{{\mathcal{Q}}}({\mathcal{D}}, {\mathcal{S}}, {\mathcal{C}}, {\mathcal{O}}) \le 0 \\ g_{{\mathcal{Q}}}({\mathcal{D}}, {\mathcal{S}}, {\mathcal{C}}, {\mathcal{O}}) = 0 \\ {\mathcal{S}} \in {\varSigma }({\mathcal{Q}}) \end{array}\right. } \end{aligned}$$
(5)

This is effectively an SCOPF formulation that secures the system against the set of non-SPS-triggering contingencies \({\mathcal{C}}_n\) and the set of contingency-outcome pairs in \({\mathcal{Q}}\).

3.3 Iterative set expansion

The techniques from Sections 3.1 and 3.2 can be combined into an intuitive heuristic search algorithm as follows. Consider the set of all possible outcome scenarios \(\overline{{\mathcal{Q}}}\), obtained by combining all protected contingencies \({\mathcal{C}}_p\) with all possible protection outcomes \({\mathcal{O}}\). Partial security sets \({\mathcal{Q}}_i\) can be generated to represent all possible subsets of \(\overline{{\mathcal{Q}}}\), resulting in a full set of partial security candidates \(\{\kappa _i\}\). In theory, the best of these candidates can be selected through explicit simulation and enumeration, using (3). However, this naive approach is impractical, because the full number of partial security scenarios equals \(2^{|{\mathcal{C}}_p| \times |{\mathcal{O}}|}\), making it infeasible to evaluate all candidates for even moderately large systems.

To address this challenge, a further heuristic is proposed that relies on two further simplifications:

1) Consider only protection outcomes involving at most one component malfunction (an \(N-1\) search of cyber failures). This greatly reduces the size of the set \({\mathcal{O}}\).

2) Rather than an exhaustive search, sequentially enlarge the partial security set \({\mathcal{Q}}_i\) using a steepest descent algorithm.

The algorithm is depicted in Fig. 1, and described below.

Fig. 1: Process for computation of a partial security solution to reduce operational costs

The algorithm starts with the set \({\mathcal{Q}}_0\) that contains all scenarios corresponding to correct SPS operation: one scenario for each contingency, paired with the outcome \(o_{ok}\) in which the SPS operates correctly. The corresponding candidate solution \(\kappa _0=\kappa ({\mathcal{Q}}_0)\) reflects the assumption that the SPS is dependable.

Next, the set of secure scenarios is expanded in an iterative fashion. The initial set \({\mathcal{Q}}_0\) is combined sequentially with each single credible SPS failure scenario to generate trial sets \(\tilde{{\mathcal{Q}}}_1^i\), where i runs over all included failure scenarios. Partial security candidates \({\tilde{\kappa }}_1^i\) are generated for each trial set and the best candidate is selected through enumeration and explicit simulation, according to (3). The winning candidate solution and its corresponding secure scenario set are labeled \(\kappa _1\) and \({\mathcal{Q}}_1\), respectively. In case of multiple best candidates, the method decides on a ‘first come first served’ basis: selecting the first candidate that attains the local optimum. The process proceeds analogously in subsequent stages: single credible failure scenarios are added to \({\mathcal{Q}}_1\) to generate \(\tilde{{\mathcal{Q}}}_2^i\) and associated candidate solutions \({\tilde{\kappa }}_2^i\), and the winning candidate solution is denoted by \(\kappa _2\). This algorithm continues until the objective function of \(\kappa _{j+1}\) at iteration \(j+1\) ceases to improve on the previous iteration \(\kappa _j\).

The procedure above describes a greedy approach to exploring the search space defined by the constraint \({\mathcal{Q}} \subseteq {\overline{{\mathcal{Q}}}}\), which is shown to work well in the examples in Section  5. However, the presented approach can readily be extended to use more elaborate heuristic search strategies, such as evolutionary algorithms.
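The greedy expansion of Section 3.3 is easy to get subtly wrong (strict-improvement stopping rule, first-come-first-served tie break, non-additive candidate costs), so the following is an added example of the control flow, not code from the paper. The scenario set, the marginal costs of securing each scenario, the loss values and the "shared channel discount" are all constructed for this example; `candidate_cost` stands in for the SCOPF-plus-simulation evaluation of each candidate \(\kappa({\mathcal{Q}})\) via (3), and the scenario labels mimic the generation rejection scheme of Section 4 (comm-channel and breaker failures) but carry no values from the paper's case study.

```python
# Toy data constructed for this example (not the paper's RTS results).
# A scenario is (contingency, failed block); Q0 holds the design outcomes o(c).
Q0 = [("L27", "ok"), ("T7", "ok"), ("L25^26", "ok")]
BASE_COST = 10000.0   # assumed G + P^a of kappa(Q0), $ per operational window
DT = 1.0              # operational window, hours
# failure scenario -> (mu_q in events/h, loss L_q in $/event, assumed marginal
# cost in $ of adding that scenario's partial security constraints to the SCOPF)
FAILURES = {
    ("L27",    "comm21"): (1.3e-4,  5e6, 300.0),
    ("L27",    "comm18"): (1.3e-4,  2e6, 400.0),
    ("L27",    "cbG21a"): (2.6e-6,  5e6,  50.0),
    ("L25^26", "comm21"): (1.69e-5, 5e6, 300.0),
    ("T7",     "comm21"): (3.43e-6, 5e6, 300.0),
}
SHARED_DISCOUNT = 250.0  # assumed: a second scenario on the same channel is cheaper to secure


def candidate_cost(Q):
    """Stand-in for evaluating a partial security candidate kappa(Q) with (3):
    G + P from the constructed marginal costs (made non-additive by the shared
    channel discount) plus the risk X over the scenarios left unsecured."""
    secured = [q for q in Q if q in FAILURES]
    protection = sum(FAILURES[q][2] for q in secured)
    per_channel = {}
    for _, block in secured:
        if block.startswith("comm"):
            per_channel[block] = per_channel.get(block, 0) + 1
    protection -= sum(SHARED_DISCOUNT * (n - 1) for n in per_channel.values())
    risk = DT * sum(mu * loss for q, (mu, loss, _) in FAILURES.items() if q not in Q)
    return BASE_COST + protection + risk


def greedy_expansion(q0, failures, evaluate):
    """Section 3.3: grow Q by one credible failure scenario per iteration, keep
    the best trial set, and stop as soon as an iteration fails to improve.
    Ties resolve first-come first-served because min() keeps the first minimum."""
    Q = frozenset(q0)
    best = evaluate(Q)
    history = [(Q, best)]
    while True:
        trials = [(Q | {q}, evaluate(Q | {q})) for q in failures if q not in Q]
        if not trials:
            break
        Q_trial, cost_trial = min(trials, key=lambda t: t[1])
        if cost_trial >= best:      # no strict improvement: terminate
            break
        Q, best = Q_trial, cost_trial
        history.append((Q, best))
    return Q, best, history


if __name__ == "__main__":
    Q_final, cost, hist = greedy_expansion(Q0, FAILURES, candidate_cost)
    for j, (Q, c) in enumerate(hist):
        secured = sorted(q for q in Q if q in FAILURES)
        print(f"iteration {j}: cost {c:10.2f}  secured failures: {secured}")
```

With these numbers the search secures the L27 channel-21 failure first, and only then does securing the L25^26 channel-21 failure become worthwhile because of the shared discount; the third iteration finds no improving trial set and stops. This is exactly the situation the paper's greedy scheme relies on: the marginal value of securing a scenario depends on what is already secured, which is why the candidates are re-evaluated at every stage rather than ranked once.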

4 Application: SPS IEEE RTS system

In this section, the partial security methodology for cyber-physical risk optimization described in Section 3 is specialized for a particular application to an SPS [5] on the basis of a generation rejection approach. Although the SPS is far from the most general example of a cyber-physical system, its extensive configurability, the inclusion of non-local actions and the far-reaching consequences of malfunctions make it a good demonstration case for the reliability of cyber-physical systems.

4.1 System description

The example is based on the IEEE RTS [24], shown in Fig. 2. To diversify the generation resources in the IEEE RTS, we divide the two original generators of 400 MW at Buses 18 and 21 into two separate units each, with capacities of 160 MW and 240 MW (Bus 18) and 110 MW and 290 MW (Bus 21), respectively. We also reduce the capacity of all transmission lines by 5% in order to create additional stress in the network.

The set of relevant contingencies \({\mathcal{C}}\) is generated by considering the set of \(N-d\) contingencies: single and double line outages. Line outages that immediately result in islanding are ignored. The system operator must also ensure a minimum requirement of reserve capacity to counteract the loss of the biggest generating unit in the network. We assume that 4% of the demand at each bus is available to provide reserve services. The price of reserve availability is assumed to be \(\pi^{a}=30\,\$ \)/MWh. The price of generation disconnection by the SPS is \(\pi^{u}=1000\,\$ \)/MW event and VoLL is $30000/MWh. Other costs are derived from the Matpower RTS case [25]; linear generating costs are obtained through linear interpolation between the minimum and maximum generation levels.

The network is characterized by dominant north-south power flows as the cheapest generating units are located at exporting Buses 18, 21, 22 and 23 shown in Fig. 2. To reduce generation curtailment in the north area, a generation rejection SPS is installed to detect and respond to faults on line 27 (L27) and in transformer 7 (T7) as well as to double circuit faults in lines 25 and 26. Any of these faults will trigger SPS activation resulting in the immediate disconnection of remote generators and, through system rebalancing, a corresponding activation of reserves elsewhere in the system. The system operator configures the SPS by pre-selecting generators from Buses 18, 21, 22 and 23 to trip in response to the detection of one of the three triggering contingencies. It is assumed that SPS-connected generators are must-run units and do not provide reserve services. To simplify the problem representation and focus on relevant details, we do not distinguish between frequency response services and operating reserves, instead referring to both as reserves.

To simulate bad weather conditions the nominal outage rates [24], considering both permanent and transient outages, are multiplied by a factor of 15. The double circuit fault rate for lines 25 and 26 is taken to be 7.5% of the resulting outage rate of line 26. The resulting fault rates are \(\lambda _7=3.43\times 10^{-5}, \lambda _{27}=0.0013\) and \(\lambda _{25\cap 26}=1.69 \times 10^{-4}\) (events/hour).

Fig. 2: IEEE reliability test system

The SPS measurement and control logic constitutes the cyber-system that interfaces with the physical network at its inputs and outputs; a block model of its main components is shown in Fig. 3. In Fig. 3, the arrows on the left represent contingencies and the solid lines are the connections between functional blocks. A generator is tripped in response to a contingency if it is armed (\(t_i=1\)) and all blocks between the initiating contingency and the generator are available. The SPS is composed of relays, a logic controller, bus-to-bus communication systems and generator circuit breakers. The relays \(R_{1-3}\) are located at T7 and branches 25-27. If a local fault is detected, the relays notify the logic controller at bus 15 (\(LC_{15}\)). It will trigger the SPS response if it receives a signal from \(R_3\) or from both \(R_1\) and \(R_2\) (because it is configured to respond to double line faults on lines 25 and 26). Triggering the response involves broadcasting a trip signal to connected generators \(G_{1-13}\) via the bus-specific communication channels \(Bus \, x\). Figure 3 shows all available generators, but only those that have been ‘armed’ by the operator will actually receive the signal. For this simple SPS model, any of the triggering contingencies activates the same response.

The block diagram in Fig. 3 also represents the SPS reliability model. Each of the blocks can fail to operate on demand, resulting in a reduced dependability of the system. The reliability of each block is represented by its availability, and failures are assumed to be independent between blocks. The availability of relays, logic controller and generator circuit breakers is taken as \(a_r=0.9810, a_{lc}=0.9925\) and \(a_g=0.9980\), respectively [4]. The availability of the communication channels to each bus is set to 0.9 to simulate a failure-prone environment. We note that the design dependability of real SPS is considerably higher, but this has not always been borne out in practice [16]. Moreover, as an example of an unreliable cyber-physical system it is illuminating to investigate this low-reliability regime. A further sensitivity study to this parameter is performed in Section 5.3.

The credible failure scenarios that are considered in the iterative optimization (Section 3.3) are those that affect a single generator (breaker failure), all generators at a bus (communication link failure) or the whole SPS (logic control and/or relay(s) failures). There are \(|{\mathcal{C}}_p|\times (B+G+1)\) such failure modes, where \(|{\mathcal{C}}_p|\) is the number of SPS-triggering contingencies, B is the number of SPS-linked buses and G is the total number of generators connected to those buses. In practice, the number of relevant modes is further reduced by avoiding double-counting of failure modes involving identical generators at the same bus.

Fig. 3: Generation rejection SPS
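The conditional outcome probabilities \(p_{o|c}\) of Section 2 and the scenario rates \(\mu_q = \lambda_c p_{o|c}\) follow directly from the series block model of Fig. 3 once block availabilities and independence are assumed, and the credible single-failure enumeration of Section 3.3 is just a truncation of that distribution. The following is an added example that carries this computation through; it is not code from the paper. It uses the availabilities and contingency rates quoted in Section 4.1, but the relay-to-contingency assignment (R3 for L27 and T7, R1 and R2 jointly for the double circuit fault) and the arming pattern `ARMED` are assumptions made here, and generator names are constructed labels.

```python
from itertools import chain
from math import prod

# Block availabilities from Section 4.1; the communication-channel value 0.9 is
# the paper's deliberately pessimistic setting.
A_RELAY, A_LC, A_BREAKER, A_COMM = 0.9810, 0.9925, 0.9980, 0.9

# Contingency rates (events/hour) from Section 4.1. The relay assignment is an
# assumption for this example: R3 detects L27 and T7 faults, while the double
# circuit fault on lines 25 and 26 requires both R1 and R2 to pick up.
CONTINGENCIES = {
    "L27":    {"rate": 0.0013,  "relays": ("R3",)},
    "T7":     {"rate": 3.43e-5, "relays": ("R3",)},
    "L25^26": {"rate": 1.69e-4, "relays": ("R1", "R2")},
}

# Constructed arming decision t_i: armed generators grouped by SPS-linked bus.
ARMED = {18: ["G18a"], 21: ["G21a", "G21b"]}


def series_blocks(armed, relays):
    """Blocks that must all work for the design outcome o(c) to occur.
    Each entry: (name, availability, generators that fail to trip if it fails)."""
    all_gens = frozenset(chain.from_iterable(armed.values()))
    blocks = [(r, A_RELAY, all_gens) for r in relays]
    blocks.append(("LC15", A_LC, all_gens))
    for bus, gens in armed.items():
        blocks.append((f"comm{bus}", A_COMM, frozenset(gens)))
        blocks.extend((f"cb{g}", A_BREAKER, frozenset([g])) for g in gens)
    return blocks


def outcome_distribution(armed, relays):
    """p_{o|c} for the design outcome plus every single-block failure (the N-1
    cyber search of Section 3.3). Outcomes are keyed by the set of generators
    that actually trip, so a relay failure and an LC15 failure collapse into the
    same outcome and the breaker of the only armed unit at a bus collapses into
    that bus's channel failure. The mass of multiple simultaneous failures is
    returned separately so that sum(dist) + residual == 1 can be checked."""
    blocks = series_blocks(armed, relays)
    all_gens = frozenset(chain.from_iterable(armed.values()))
    p_ok = prod(a for _, a, _ in blocks)           # independence between blocks
    dist = {all_gens: p_ok}
    for _, a, lost in blocks:
        p_single = p_ok / a * (1.0 - a)            # this block fails, all others work
        dist[all_gens - lost] = dist.get(all_gens - lost, 0.0) + p_single
    residual = 1.0 - sum(dist.values())
    return dist, residual


def scenario_rates(armed, contingencies):
    """mu_q = lambda_c * p_{o|c} for every cyber-physical scenario q = (c, o)."""
    rates = {}
    for c, spec in contingencies.items():
        dist, _ = outcome_distribution(armed, spec["relays"])
        for o, p in dist.items():
            rates[(c, o)] = spec["rate"] * p
    return rates


if __name__ == "__main__":
    for c, spec in CONTINGENCIES.items():
        dist, residual = outcome_distribution(ARMED, spec["relays"])
        print(f"{c}: {len(dist)} outcomes, P(multiple failures) = {residual:.2e}")
        for o, p in sorted(dist.items(), key=lambda kv: -kv[1]):
            print(f"   trips {sorted(o) or '-'}: p = {p:.5f}")
```

Two points worth noticing on the output. With channel availability at 0.9 the residual mass left out by the single-failure truncation is around 1.6% for each contingency, which is the same order as several of the enumerated single-failure outcomes, so the truncation is a modelling choice that should be re-checked whenever the cyber availabilities are revised (the sensitivity study in Section 5.3 does this for the channel parameter). Also, the double circuit contingency has two relays in series, so its design outcome is less likely than that of L27 or T7 for the same arming pattern.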

4.2 Generation of partial security solutions

In the following we develop the partial security formulation (4) for the specific case of the generation rejection scheme. Subscripts i, n and l are used to refer to generators, nodes and lines, respectively. Superscripts are used to refer to the pre-fault scenario (0), an SPS outcome scenario (\(q\in {\mathcal{Q}}\)) or a preventively secured fault scenario (\(k \in {\mathcal{C}}_n\)).

The cost terms \(G, P^a\) and \(P^u\) are given by:

$$\begin{aligned} G(g)&= \sum _{i\in {\mathcal{G}}} \alpha _i g_i {\Delta } t \end{aligned}$$
(6)
$$\begin{aligned} P^a(r^g, r^d)&= \pi ^a {\Delta } t \left( \sum _{i \in {\mathcal{G}}} r^g_i + \sum _{n \in {\mathcal{N}}} r^d_n \right) \end{aligned}$$
(7)
$$\begin{aligned} P^u(g,t,o)&= \pi ^u \sum _{i \in {\mathcal{G}}} q_{i|o} g_i t_i \end{aligned}$$
(8)

The generation costs (6) are computed from the dispatch decision \(g_i\) and unit cost of energy of each generator (\(\alpha _i\)) and the time step \({\Delta } t\). The availability fees for system protection services (7) are determined by the unit cost \(\pi ^a\) (per MWh) and the amount of reserves provided by generators (\(r^g_i\) for generator i) and responsive demand (\(r^d_n\) in node n). The SPS utilization fees (8) consist of the unit cost \(\pi ^u\) (per MW, per event) multiplied by the contribution of each generator i: the dispatch \(g_i\) is the reduction of output if the generator is successfully disconnected by the SPS, but this only happens if it has been selected to do so by the operator (\(t_i\), binary) and if it is successfully triggered in the outcome scenario o (\(q_{i|o}\)).

Inserting (6)-(8), the problem (4) takes the form of a mixed integer linear programming (MILP) model.

$$\begin{aligned} \kappa ({\mathcal{Q}})&= \mathop {\mathrm{argmin}}\limits _{{\mathcal{D}}, {\mathcal{S}}}{\Delta } t \left[ \sum _{i\in {\mathcal{G}}} \alpha _{i} g_{i} + \pi ^{a} \left( \sum _{i \in {\mathcal{G}}} r^{g}_{i} + \sum _{n \in {\mathcal{N}}} r^{d}_{n} \right) \right. \nonumber \\ & \quad \left. +\, \pi ^{u} \sum _{c \in {\mathcal{C}}} \sum _{o \in {\mathcal{O}} } \sum _{i \in {\mathcal{G}}} \lambda _{c} p_{o|c} q_{i|o} t^{*}_{i} \right] \end{aligned}$$
(9)

where

$$\begin{aligned} {\left\{ \begin{array}{ll} t^{*}_{i} = g_{i} t_{i} \\ {\mathcal{D}} = \{ u, g, r^{g}, r^{d}\} \\ {\mathcal{S}} = \{ t \} \end{array}\right. } \end{aligned}$$

The dispatch decision \({\mathcal{D}}\) concerns the commitment (\(u_i\), binary) and dispatch of generators (\(g_i\)) and reserve (\(r^g_i, r^d_n\)), and the protection decision \({\mathcal{S}}\) consists of the arming of generators to be tripped by the SPS (\(t_i\), binary).

The constraints (5) of the abstract problem (4) are developed as follows. The nonlinear relation \(t^*_i = g_i t_i\) for the total tripping capacity of generator i is replaced by the triplet of linear inequality constraints:

$$\begin{aligned} {\left\{ \begin{array}{ll} g_{i} - t_{i}^{*} \le {\overline{g}}_{i} (1 - t_{i}) \\ t_{i}^{*} \le {\overline{g}}_{i} t_{i} \\ t_{i}^{*} \le g_{i} \end{array}\right. } \end{aligned}$$
(10)
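The triplet (10) is a standard big-M linearization of the product of a continuous and a binary variable, and it only pins \(t^*_i\) to \(g_i t_i\) when the usual variable bound \(t^*_i \ge 0\) is also present. The following added check (not from the paper) derives the feasible interval for \(t^*_i\) from the three inequalities for given \(g_i\), \(t_i\) and \(\overline{g}_i\), and shows what is lost when the nonnegativity bound is omitted; the function names and the grid check are constructed for this illustration.

```python
def tripped_capacity_bounds(g, t, g_max, nonneg=True):
    """Feasible interval for t*_i under the three inequalities of (10), with the
    dispatch g in [0, g_max] and t binary. The bound t* >= 0 is assumed here as
    the ordinary variable bound (set nonneg=False to see its effect).
    Returns (lo, hi), or None if the inequalities are contradictory."""
    if not (0 <= g <= g_max) or t not in (0, 1):
        raise ValueError("g must lie in [0, g_max] and t must be binary")
    lo = g - g_max * (1 - t)        # from  g - t* <= g_max (1 - t)
    hi = min(g_max * t, g)          # from  t* <= g_max t  and  t* <= g
    if nonneg:
        lo = max(lo, 0.0)
    return (lo, hi) if lo <= hi else None


def linearization_is_exact(g_max, steps=25):
    """Check on a grid of dispatch values that (10) forces t* = g * t exactly."""
    for k in range(steps + 1):
        g = g_max * k / steps
        for t in (0, 1):
            if tripped_capacity_bounds(g, t, g_max) != (g * t, g * t):
                return False
    return True


if __name__ == "__main__":
    g, g_max = 100.0, 240.0     # constructed values: a 240 MW unit dispatched at 100 MW
    print("armed   :", tripped_capacity_bounds(g, 1, g_max))
    print("unarmed :", tripped_capacity_bounds(g, 0, g_max))
    print("unarmed, no t* >= 0 bound:", tripped_capacity_bounds(g, 0, g_max, nonneg=False))
    print("exact on grid:", linearization_is_exact(g_max))
```

For an armed unit the second and third inequalities cap \(t^*_i\) at \(g_i\) while the first forces it up to \(g_i\); for an unarmed unit only the cap \(t^*_i \le 0\) remains, so the lower bound on the variable is what prevents the solver from choosing a negative tripping capacity and thereby understating \(P^u\) in (9).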

The nodal power balance is enforced by the following equalities, which hold \(\forall n \in {\mathcal{N}}\) (for all nodes), \(\forall q \in {\mathcal{Q}}\) (all partial security scenarios), \(\forall k \in {\mathcal{C}}_n\) (all preventively secured contingencies):

$$\begin{aligned} d_n&=\sum _{i \in {\mathcal{G}}_n}g_i + A_{nl} f_l^0 \end{aligned}$$
(11)
$$\begin{aligned} d_{n}&= \sum _{i \in {\mathcal{G}}_{n}}g_{i} - \sum _{i\in {\mathcal{GS}}_{n}} q_{i|o} t^{*}_{i} + \sum _{i \in {\mathcal{GR}}_{n}} {\Delta } g^{q}_{i} + {\Delta } d^{q}_{n} + A_{nl} f_{l}^{q} \end{aligned}$$
(12)
$$\begin{aligned} d_n&= \sum _{i \in {\mathcal{G}}_n}g_i + A_{nl} f_l^k \end{aligned}$$
(13)

where \(d_n\) is the nodal demand in node \(n\), \({\mathcal{G}}_{n}\) are the indices of the local generators; those in \({\mathcal{GS}}_n\) may participate in the SPS and those in \({\mathcal{GR}}_n\) provide system reserves. The active power flow in line l is indicated by \(f_{l}\), \(A_{nl}\) is the node-line incidence matrix (1 for incoming, \(-1\) for outgoing) and \({\Delta } g_i^q\) and \({\Delta } d_n^q\) are the deployed reserves by generators and responsive demand, respectively, in node n and SPS outcome scenario q.

The DC power flow equations are completed by (\(\forall l \in {\mathcal{L}}, \forall q \in {\mathcal{Q}}, \forall k \in {\mathcal{C}}_n\)):

$$\begin{aligned} f^0_l&= \frac{1}{x_l}\sum _{n \in {\mathcal{N}}} A_{nl}\theta ^0_n \end{aligned}$$
(14)
$$\begin{aligned} f^{q}_{l}&= \left\{ \begin{array}{ll} 0 & \quad {\text {if }}\,l\,{\text {is}}\,{\text {outaged}}\,{\text {in}}\,c\\ \frac{1}{x_{l}}\mathop {\sum }\limits _{n \in {\mathcal{N}}} A_{nl}\theta ^{q}_{n} & \quad {\text{otherwise}} \end{array} \right. \end{aligned}$$
(15)
$$\begin{aligned} f^{k}_{l}&= \left\{ \begin{array}{ll} 0 & \quad {\text{if}} \,l\,{\text {is}}\, {\text {outaged}}\,{\text {in}}\,k\\ \frac{1}{x_{l}}\mathop {\sum }\limits _{n \in {\mathcal{N}}} A_{nl}\theta ^{k}_{n} & \quad {\text{otherwise}} \end{array} \right. \end{aligned}$$
(16)
$$\begin{aligned} -{\overline{f}}_l&\le f^0_l \le {\overline{f}}_l \end{aligned}$$
(17)
$$\begin{aligned} -{\overline{f}}_l&\le f^q_l \le {\overline{f}}_l \end{aligned}$$
(18)
$$\begin{aligned} -{\overline{f}}_l&\le f^{k}_l \le {\overline{f}}_l \end{aligned}$$
(19)

where \({\overline{f}}_l\) is the thermal limit of line l; \(x_l\) is its reactance and \(\theta _n\) the phase angle of node n.

Constraints on active power dispatch and reserves are given by:

$$\begin{aligned}&{\left\{ \begin{array}{ll} \mathop {\sum }\limits _{i \in {\mathcal{GR}}} r^{g}_{i} + \mathop {\sum }\limits _{n \in {\mathcal{N}}} r^{d}_{n}\ge 350 \ \text {MW} \\ \mathop {\sum }\limits _{i \in {\mathcal{GR}}} r^{g}_{i} + \mathop {\sum }\limits _{n \in {\mathcal{N}}} r^{d}_{n} \ge \mathop{ \sum}\limits_{i\in{\mathcal{GS}}} t^{*}_{i} \end{array}\right. } \end{aligned}$$
(20)
$$\begin{aligned}&r^d_n \le 0.04 d_n \qquad \forall n \in {\mathcal{N}} \end{aligned}$$
(21)
$$\begin{aligned}&{\left\{ \begin{array}{ll} g_i \ge {\underline{g}}_i u_i \\ g_i + r^g_i \le {\overline{g}}_i u_i \end{array}\right. } \quad \forall i \in {\mathcal{G}} \end{aligned}$$
(22)
$$\begin{aligned}&{\left\{ \begin{array}{ll} u_i = 1\\ r_i = 0 \end{array}\right. } \qquad \forall i \in {\mathcal{GS}} \end{aligned}$$
(23)
$$\begin{aligned}&{\left\{ \begin{array}{ll} 0 \le {\Delta } g^q_i \le r^g_i \qquad \forall i \in {\mathcal{GR}} \\ 0 \le {\Delta } d^q_n \le r^d_n \qquad \forall n \in {\mathcal{N}} \end{array}\right. } \end{aligned}$$
(24)

Here, (20) imposes a lower bound on the amount of reserves, of either 350 MW (size of the largest generator) or the total amount of SPS tripping capacity, whichever is larger. Equation (21) indicates that up to 4% of load can be committed as demand response. Equation (22) constrains the committed generation and reserve of generator i to lie within \([{\underline{g}}_i, {\overline{g}}_i]\) if the generator is committed (\(u_i\)), and to zero otherwise. Equation (23) ensures that generators in the SPS-connected set \({\mathcal{GS}}\) are committed and do not participate in reserve services (because they may be disconnected). Equation (24) constrains the activated reserves in the SPS outcome scenario q to lie within the committed range.

Finally, the forced inclusion of generators affected by scenarios in \({\mathcal{Q}}\) (\({\mathcal{S}} \in {\mathcal{Q}}\)) is implemented by:

$$t_{i}= 1\quad {\text{if}}\, {\text{breaker }}\,i\,{\text {fails}}\,{\text{in}}\,{\text{any}}\,q' \in {\mathcal{Q}}$$
(25)
$$\sum _{i \in {\mathcal{GS}}_{n}} t_{i} \ge 1 \quad {\text {if}}\,{\text{bus}}\,n\,{\text {comms}}\,{\text{fail}}\,{\text{in}}\,{\text{any}}\,q' \in {\mathcal{Q}}$$
(26)

4.3 Cascading outages and loss of load

The problem (9)–(26) defines candidate solutions \(\kappa ({\mathcal{Q}})\) that are robust to the cyber-physical outcome scenarios in \({\mathcal{Q}}.\) However, the ranking of candidate solutions requires the explicit evaluation of the risk \(X(\kappa),\) which in turn requires the evaluation of impacts in all scenarios, including non-secure scenarios that may lead to load shedding through a complex cascading pathway. The procedure that is used is described below.

First, the immediate impact of the contingency is evaluated. When the SPS is successfully activated and generator tripping results in an imbalance between generation and demand, the available reserves \(r_i^g\) and \(r_n^d\) are activated to restore the balance. In many cases—at least for all scenarios in the set \({\mathcal{Q}}\)—there exists an allocation of reserves that avoids residual overloads. However, when this is not possible, they are deployed in such a way that they minimize post-action line overloads according to:

$$\begin{aligned} \min \sum _{l \in {\mathcal{L}}} \frac{\max (|f_l| - {\overline{f}}_l, 0)}{{\overline{f}}_l} \end{aligned}$$
(27)

which is reformulated as an MILP model, subject to reserve constraints.

At this point, the system has restored generation balance, but there may be overloads of transmission lines. A quasi-steady-state cascading algorithm is initiated to explicitly compute the impact of post-SPS scenarios. For this simplified model all generators at a bus are aggregated into a single generator that is characterized by its aggregate output and remaining reserve capacity. It is assumed that the output of this nodal generator can be adjusted to any level between zero and the sum of the initial output and reserve capacity. The following procedure is repeated until no further overloads are present in the system:

1) All overloaded lines are identified and disconnected simultaneously.

2) Electrical islands are identified.

3) In every island with surplus generation, a proportional reduction in generation output is applied to the generators in the island to balance generation and demand.

4) In every island with a generation deficit, the generator reserve capability is used where possible (proportionally, subject to reserve limits). If the reserve capability is insufficient, load is shed proportionally until the total load equals the maximum generating capacity in the island.

5) DC power flow solutions are computed for the updated generation and load levels.

When no further overloads are found, the aggregate amount of disconnected load (in MW) is multiplied by VoLL and interruption duration to determine the financial impact \(L({\mathcal{D}}, {\mathcal{S}}, c, o).\) It is assumed that interruptions last 3 hours.
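The five-step loop above, carried through on a constructed 3-bus network, as an added example that is not the paper's own simulator. It implements the nodal-generator aggregation, simultaneous tripping of overloaded lines, island detection, proportional generation reduction, proportional reserve deployment, proportional load shedding and a DC power flow re-solve, and finally multiplies the shed load by VoLL and the 3-hour interruption duration. The network data, the VoLL figure and the small Gaussian-elimination solver are all assumptions made for the example; the paper's DC power flow uses the same \(B\theta\) formulation as (14)–(16), with the first bus of each island taken as the angle reference.

```python
"""Quasi-steady-state cascading outage loop of Section 4.3 (added example).

Pure Python, no third-party packages. All data below is constructed.
"""
from collections import deque

VOLL = 10_000.0      # $/MWh, placeholder value of lost load (assumption)
DURATION_H = 3.0     # the paper assumes interruptions last 3 hours


def solve_linear(A, b):
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(col + 1, n):
            f = M[r][col] / M[col][col]
            for c in range(col, n + 1):
                M[r][c] -= f * M[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        s = sum(M[r][c] * x[c] for c in range(r + 1, n))
        x[r] = (M[r][n] - s) / M[r][r]
    return x


def islands(n_bus, lines, in_service):
    """Step 2: connected components formed by the in-service lines."""
    adj = {b: [] for b in range(n_bus)}
    for idx, (f, t, _x, _lim) in enumerate(lines):
        if in_service[idx]:
            adj[f].append(t)
            adj[t].append(f)
    seen, comps = set(), []
    for b in range(n_bus):
        if b in seen:
            continue
        comp, q = [], deque([b])
        seen.add(b)
        while q:
            u = q.popleft()
            comp.append(u)
            for v in adj[u]:
                if v not in seen:
                    seen.add(v)
                    q.append(v)
        comps.append(comp)
    return comps


def rebalance(buses, gen, reserve, demand):
    """Steps 3 and 4 on one island (in place). Returns MW of load shed."""
    g = sum(gen[b] for b in buses)
    d = sum(demand[b] for b in buses)
    if g >= d:                                # surplus: scale generation down
        scale = d / g if g > 0 else 0.0
        for b in buses:
            gen[b] *= scale
        return 0.0
    deficit = d - g
    r = sum(reserve[b] for b in buses)
    use = min(deficit, r)                     # deploy reserve proportionally
    for b in buses:
        dep = reserve[b] * use / r if r > 0 else 0.0
        gen[b] += dep
        reserve[b] -= dep
    if deficit - use <= 1e-9:
        return 0.0
    scale = (g + use) / d                     # shed until load == capacity
    shed = sum(demand[b] * (1 - scale) for b in buses)
    for b in buses:
        demand[b] *= scale
    return shed


def dc_power_flow(buses, lines, in_service, inj):
    """Step 5: DC power flow on one island. Returns {line_idx: MW flow f->t}."""
    if len(buses) == 1:
        return {}
    pos = {b: i for i, b in enumerate(buses)}
    B = [[0.0] * len(buses) for _ in buses]
    for idx, (f, t, x, _lim) in enumerate(lines):
        if in_service[idx] and f in pos and t in pos:
            y = 1.0 / x
            B[pos[f]][pos[f]] += y
            B[pos[t]][pos[t]] += y
            B[pos[f]][pos[t]] -= y
            B[pos[t]][pos[f]] -= y
    # Angle reference at the island's first bus; solve the reduced system.
    theta = [0.0] + solve_linear([row[1:] for row in B[1:]],
                                 [inj[b] for b in buses[1:]])
    return {idx: (theta[pos[f]] - theta[pos[t]]) / x
            for idx, (f, t, x, _lim) in enumerate(lines)
            if in_service[idx] and f in pos and t in pos}


def cascade(n_bus, lines, gen, reserve, demand):
    """Repeat steps 1-5 until no overload remains.

    Returns (total MW shed, list of lines tripped per round, final gen,
    final demand). Inputs are not modified.
    """
    gen, reserve, demand = dict(gen), dict(reserve), dict(demand)
    in_service = [True] * len(lines)
    shed, tripped = 0.0, []
    while True:
        flows = {}
        for comp in islands(n_bus, lines, in_service):
            shed += rebalance(comp, gen, reserve, demand)
            inj = {b: gen[b] - demand[b] for b in comp}
            flows.update(dc_power_flow(comp, lines, in_service, inj))
        # Step 1: trip every overloaded line at once; stop when none remain.
        over = [i for i, f in flows.items() if abs(f) > lines[i][3] + 1e-9]
        if not over:
            return shed, tripped, gen, demand
        for i in over:
            in_service[i] = False
        tripped.append(sorted(over))


def loss_of_load_cost(shed_mw, voll=VOLL, hours=DURATION_H):
    """Financial impact L(D, S, c, o) of the disconnected load."""
    return shed_mw * voll * hours


# Constructed post-SPS operating point (not from the paper): two parallel
# circuits between buses 0 and 1, one of them already overloaded.
LINES = [  # (from, to, reactance p.u., thermal limit MW)
    (0, 1, 0.1, 140.0),
    (0, 1, 0.2, 60.0),
    (1, 2, 0.1, 100.0),
]
GEN = {0: 200.0, 1: 0.0, 2: 50.0}
RESERVE = {0: 0.0, 1: 0.0, 2: 30.0}
DEMAND = {0: 0.0, 1: 150.0, 2: 100.0}

if __name__ == "__main__":
    shed, rounds, g, d = cascade(3, LINES, GEN, RESERVE, DEMAND)
    print(rounds, round(shed, 1), loss_of_load_cost(shed))
```

On the constructed case the weaker circuit trips first, the full 200 MW then overloads the remaining circuit, and bus 0 is islanded: its generator is backed off to zero while the \{1, 2\} island uses its 30 MW of reserve and sheds 170 MW. The two-round trip sequence is the sensitivity to initial conditions the text mentions: raising the limit of the second circuit by a few MW avoids the cascade entirely.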

The model described above is a highly simplified model of cascading that is intended to capture the qualitative behavior of cascades. Although it is deterministic, reduces temporal analysis to a quasi-steady state and relies on simple initiating contingencies (\(N-1\)) in combination with simple SPS failures, it can still result in very large load losses with a high sensitivity to initial conditions. The methodology presented in this paper could be refined by enhancing the simulation-based evaluation of risks, for example by taking into account \(N-k\) initiating contingencies or stochastic simulations that incorporate additional hidden failures of protection systems [26]. The use of more elaborate simulation methods could only improve the results, because a point-wise comparison of solutions of the type (3) guarantees that the best overall solution is selected, despite simplifications made at the optimization stage.

5 Results

The IEEE RTS case study was implemented in Matlab 2016a, using its interface with FICO Xpress 8.0 to solve mixed-integer linear programming problems. We consider the operation of the system at peak demand (2850 MW) for a period of \({\Delta } t= 1 \ \text {hour}.\) The results are discussed below.

5.1 Optimization of SPS only

As an initial study, we consider a restricted set of decisions where the dispatch \({\mathcal{D}}\) has been fixed, and the operator only determines the optimal SPS settings \({\mathcal{S}}.\) Because the set of possible SPS settings is finite, it becomes possible to enumerate all SPS configurations and their corresponding outcomes, despite the need to invoke a simulator for each operating point. The objective of this exercise is to illustrate the performance of the greedy steepest descent method by comparing its results to a global optimum obtained by enumeration. For this example, the dispatch is determined through an optimal power flow (OPF) that is secured against the contingencies in set \({\mathcal{C}}_n,\) but not against those in the SPS-triggering contingencies \({\mathcal{C}}_p\). A minimum reserve requirement of 600 MW is present, in order to enable generation and demand re-balancing after SPS actions.

Table 1 shows the best solutions obtained at each step of the iterative process: the secured scenario sets \({\mathcal{Q}}_i,\) the intertripping generators selected, the total capacity involved (SPS capacity) and the different cost components of each solution. The total cost includes the generation costs \(G=\$44369\) associated with the selected dispatch. The risk X is evaluated with respect to the occurrence of contingencies \(c \in {\mathcal{C}}_p\) (because the system has been preventively secured against the others). The bottom row lists the global optimum, and the final column indicates the cost gap between this and the other solutions. In the secured scenario sets, \(({\mathcal{C}}_p,o_{ok})\) denotes the set of scenarios in which the SPS works as expected. It is followed by a specific set of protected SPS failure scenarios, where \(g_i\) signifies the SPS failure mode at the breaker of generator i and \(b_i\) represents the failure of the communication link at bus i.

Table 1 Iterative partial security scenario search, with fixed dispatch

In this example, the method requires three iterations to converge to a minimum cost solution, at which point no better solutions are found by adding additional SPS failure modes to secure against. In this case, the solution \(\kappa _3\) is equal to the global optimum found by enumeration of all possible candidates. The method starts with the base case \(\kappa _0=\kappa ({\mathcal{Q}}_0)\) that has a large optimality gap, largely due to the loss-of-load risk X. The root cause of this high exposure is that all selected generators are located at Bus 22, which increases the risk from a common mode failure at this bus. In the first iteration, the method generates and evaluates a variety of SPS configurations that differ from the base case. The best of these, \(\kappa _1,\) is found by securing the system against the common fault at Bus 22 when the most onerous contingency (lines 25 and 26) occurs. It reduces the risk X by diversifying the SPS capacity among Buses 18, 21 and 22, and by committing an additional 100 MW of SPS capacity. The next two iterations provide further robustness to the SPS in case of the double line contingency event, securing the system against the common failure to trip generation in Bus 21 and a failure to trip generator 1 in Bus 18. This is achieved by committing an extra 100 MW of generation in Bus 22.

5.2 Co-optimization of dispatch and protection

We proceed to the extended problem of co-optimizing generator dispatch and SPS settings. In this case, the space of possible solutions is no longer restricted to a finite set of scenarios, as the generator outputs do not correspond to discrete variables. Hence, in contrast with the previous section, we can no longer compare the candidate solutions to a global optimum obtained by enumeration.

Table 2 shows the properties of the solutions obtained. Control of the dispatch introduces many new degrees of freedom for the optimization, and the method has more options to find new solutions in each iteration. In particular, the optimizer can decide on the output of generators and the provision of reserves. The generation SPS column indicates the total allocated SPS capacity. The generation curtailment column indicates the reduction in generation output in the exporting area (north), compared to the case where security considerations are ignored for \(c \in {\mathcal{C}}_p.\) For this case, we explicitly show the diverse properties of candidates evaluated in each round. For brevity, only three candidates \({\tilde{\kappa }}_i^j\) per iteration are shown, including those with the lowest cost (\(\kappa _i,\) highlighted in bold type). The method takes three iterations to converge to the final candidate.

Table 2 Iterative partial security scenario search (with variable dispatch) and alternative solutions (for comparison)

In general, we observe how the allocation of costs to dispatch, protection and risks varies strongly between candidate solutions. This diversity is shown in the first iteration. For example, the candidate \({\tilde{\kappa }}_1^3\) proposes to commit extra SPS capacity and slight generation curtailments. It also diversifies the SPS capacity among Buses 18, 21 and 22. The end result is a significant reduction of the expected loss-of-load costs at the expense of higher dispatch and protection costs. On the other hand, \({\tilde{\kappa }}_1^2\) proposes the same SPS configuration and has the same dispatch costs as the base case. However, it achieved better results through an allocation of reserves that happens to ease the impact of non-secured scenarios. The method was able to evaluate such second-order benefits by evaluating the true cost of each candidate.

In the second iteration, a new set of candidate solutions is derived from the best round-1 solution \(\kappa _1={\tilde{\kappa }}_1^2.\) The best candidate, \(\kappa _2 = {\tilde{\kappa }}^3_2,\) eliminates the risk from a complete failure to trip generators at Bus 22 in response to a fault in transformer 7 or a double circuit failure at lines 25 and 26. This is achieved through a combination of generation curtailments and extra SPS capacity; it opts for committing SPS capacity at Bus 21 (\(g_4\)) to diversify the SPS response. The other two candidates shown heavily rely on an increase in generation curtailments and protection costs in order to minimize the risk exposure—yet not enough gain is achieved to compensate these extra costs.

The third iteration improves the overall cost by enhancing the security profile associated with communication failures to Bus 21. In particular, the selected candidate secures against this event when a contingency in line 7 triggers the SPS. Interestingly, this is exclusively achieved by improving the deployment pattern of reserves, thus no extra generation and protection costs are required. This example illustrates the importance of the spatial allocation of reserves in highly-congested networks. The algorithm finishes after the third iteration as no further improvements are achieved by adding another scenario to the secured set.

We compare the solution \(\kappa _3\) found using the proposed steepest descent procedure against five alternative solutions shown in the bottom rows of Table 2. The first is the unconstrained dispatch, which features the lowest generation and protection costs, but naturally carries the highest risk. A second point of comparison is the dependability assumption (\(\kappa _0\)), which still carries higher risks. The final three solutions take into account the fallibility of the SPS to varying extents. The G-1 solution secures the system against non-responsiveness of any single generator. This is achieved by adding all relevant contingency-failure mode combinations to the secured set, and omitting the constraint (25) (because every solution is affected by faults). The B-1 solution secures the system against communication faults that simultaneously affect all generators at a bus. The constraint (26) was omitted to obtain this solution. Both solutions achieve higher security levels than \(\kappa _3,\) but this is outweighed by significantly higher expenditure on protection and, in the case of B-1, generation. A final point of reference is the preventive dispatch solution that corresponds to hedging against a complete failure of the SPS. Although risks are fully mitigated in this case, the operation costs are much higher overall. Compared to the other solutions, \(\kappa _3\) presents an appealing balance between generation, protection and loss-of-load costs.

Even though it outperforms the listed alternatives, the (global) optimality of the partial security solution \(\kappa _3\) cannot be ascertained. However, a very conservative lower bound to the total cost of such a solution can be established as follows. The unconstrained dispatch does not secure the system against SPS-connected contingencies \({\mathcal{C}}_p\) and therefore achieves the lowest possible generation and protection costs, which bound from below those cost components of the optimal solution. Hypothetically, the optimal solution could eliminate risks altogether (\(X=0\)), so that a lower bound is obtained as \(G|_{\kappa _0}+P|_{\kappa _0} =\$ 53459\). With a total cost of $55292, the partial security solution \(\kappa _3\) is significantly closer to this conservative lower bound than most alternatives, as well as offering a slight improvement on the dependability assumption (\(\kappa _0\)).

5.3 Two-area system

We finally present an application on a larger power system, which will be used to illustrate the behaviour of solutions as a function of SPS dependability and the scalability and performance of the method. The power system under consideration is based on the two-area IEEE RTS system: the RTS system presented in the previous section (area A) is linked through three tie-lines to an identical system (area B) [24]. An incentive to make an economic use of the network is created by assuming that the generation in area B is 50% more expensive than that in area A. An extra unit is connected in node 18 (area A) with a maximum and minimum generation capacity of 200 MW and 100 MW, with no associated generation cost. The generation rejection scheme is connected to the same units of area A as in previous sections. However, the dominant power flows from area A to area B lead to further transmission constraints. To alleviate these conditions, we extend the set of line contingencies that trigger an SPS response to include single faults on lines 7, 23, 25, 26, 27, 28, 29 as well as to double circuit faults in lines 25 and 26, all in area A (see Fig. 2). The fault rates of additional lines linked to the SPS are taken equal to that of \(\lambda _{27}\).

Table 3 Comparison of solutions for the two area network, for different levels of communication dependability R

Table 3 shows the results obtained with the proposed iterative partial security method, compared to the alternative approaches discussed above. The different cost components for each solution are analysed for three different SPS dependability scenarios. These are obtained by assigning the dependability of the controller-to-bus communication (the ‘bus’ elements in Fig. 3) a value of 0.9, 0.95 and 0.99, respectively.

As was the case in the single area system, the alternative solutions represent a sequence of decreasing loss-of-load risk (X), with the proposed partial security solutions providing a risk level in between the assumed-dependable solution and the G-1 solution. For moderate and high reliability of the communication systems (0.95 and 0.99), the partial security solution has the lowest overall cost, reiterating the benefit from partially securing the system against protection faults. It is only for the lowest communication reliability that the B-1 solution provides a better solution, by reducing the risk at the expense of increasing both the generation and protection components.

Fig. 4 Risk exposure of solutions visualised by the complementary cumulative probability distribution of loss of load costs

Figure 4 takes a closer look at the differences in risk exposure between solutions. It shows the complementary cumulative distribution function of loss of load costs, i.e. the probability that certain cost levels are exceeded. Curves are shown for the \(R=0.99\) case, and the dependable, partial security, G-1 and B-1 solutions. The preventive solution is not shown because there is no associated loss-of-load risk, and the unconstrained solution is not shown because its loss of load risk is excessive (outside the figure). This representation shows that the loss-of-load risks of the B-1 solution are due to events that are both smaller in impact and less likely than those for other solutions. The partial security solution involves risks that are most similar to the G-1 solution: slightly smaller in terms of impact but more likely to be triggered.

Table 4 summarises the computational performance of the method, running on an Intel Xeon E5-2690 CPU (8 cores, 2.90 GHz). The number of candidates evaluated by the partial security method is \([1 + (J+1)\times |{\mathcal{C}}_p| \times |{\mathcal{O}}|]\), where J is the number of iterations until the lowest-cost candidate is found and \({\mathcal{O}}\) is the number of unique failure modes. The two area system used in the example had a greater number of SPS-triggering contingencies, but required fewer iterations to converge, resulting in the evaluation of fewer candidates. However, the larger system size roughly doubles the number of variables in the optimisation problems used for OPF and post-SPS redispatch and cascading failure simulation, leading to significantly larger computational requirements for the generation and evaluation of single candidates.

Table 4 Performance metrics for solutions on the single area and two area networks

6 Conclusion and future work

This paper has considered the challenge faced by a system operator operating a power system with an automated protection system that is itself subject to failures. The interplay between physical and cyber faults results in potentially complex failure pathways, including cascading failures, that are very difficult to incorporate into an optimal dispatch framework.

We proposed a method to generate approximate solutions to this optimization problem. The method can be considered a generalized SCOPF approach, where the set of secured contingencies is expanded with specific cyber-physical failure modes. However, the selection of these failure modes is not static, but dynamic: an iterative procedure is used to add secured failure modes one at a time. The selection of the failure mode to add in each round is based on point-wise evaluation of the risks. The use of point-wise evaluations is a powerful property that permits embedding of complex impact assessments based on power system dynamics into cost-benefit operational frameworks.

The procedure was developed in detail for a case study of a generation rejection type SPS on the IEEE RTS (single area and two areas). A mixed integer linear programming model was used to generate partial security solutions, and a basic cascading outage model was used to assess impacts of proposed solutions across all cyber-physical outcome scenarios.

For the restricted case of a fixed generation dispatch, we were able to compare the result from the iterative procedure against the global optimum obtained through enumeration. In the case considered, the optimal solution was recovered. In the more general case where the dispatch was co-optimized with the protection settings, a global optimum is not available, but the solution was compared in detail to alternatives, obtained by 1) unconstrained dispatch; 2) assuming perfect SPS operation; requiring robustness against failure to 3a) trip any one generator, 3b) trip all generators on any bus, or 3c) activate the SPS. The solution obtained using the partial security method resulted in a better risk trade-off for the single area system, and for the two-area system with more reliable communications.

The concepts and method presented in this paper are equally applicable to protection systems that are more complex than the one studied in Sections 4 and 5. More advanced applications include the coordination of multiple SPSs, SPSs that differentiate responses according to the initiating contingency, or more realistic models of power system dynamics. Moreover, although this paper has considered only faults that originated in the physical domain, the same approach can also be applied to cases where faults originate in the cyber domain (e.g. accidental activation of a response).

The method currently relies on a greedy algorithm to search the space of partial security candidates: one secured failure mode is added at a time until no further improvement is found. Of course, despite the good results obtained above, these are likely to be local optima, and pursuing a more advanced search strategy may be worthwhile. As a simple extension, all combinations of k failure modes could be tried, or one could use a stochastic metaheuristic such as a genetic algorithm to search the space of partial security candidates.

Finally, it is important to note that the candidate selection procedure is risk-neutral, balancing upfront and loss-of-load costs in expectation. However, depending on requirements, one could reformulate this in a risk-averse manner, weighting the contributions of individual outcome scenarios differently according to the magnitude of their impacts.