
Integrated ICT-platform based Distributed Control in electricity grids with a large share of Distributed Energy Resources and Renewable Energy Sources

ICT Support for Control and Coordination

Deliverable D3.1

Rune Gustavsson

Björn Ståhl

Identifier: ……

Date: 2008 - 09 - 15

Class: Deliverable

Responsible Partners:

Blekinge Institute of Technology

Annexes:

Distribution: PU

Overview:

This project is funded by the European Commission Under the 6th Framework Programme (Project FP6-038576)


D3.1 ICT Support for Control and Coordination Project FP6-038576

INTEGRAL: Integrated ICT-platform for Distributed Control in Electricity Grids

The INTEGRAL consortium consists of:

ECN, Principal Contractor & Coordinator, The Netherlands
NTUA/ICCS, Principal Contractor, Greece
IDEA, Principal Contractor, France
Blekinge Institute of Technology, Principal Contractor, Sweden
Gasunie Engineering&Technology, Principal Contractor, The Netherlands
WattPic Intelligent, Principal Contractor, Spain
EnerSearch AB, Principal Contractor, Sweden
INPGrenoble, Principal Contractor, France
ICT, Principal Contractor, The Netherlands


Control Versions:

Version          Date         Author                          Description of Changes
D3.1 Version 1   2008-05-20   Rune Gustavsson                 First draft
D3.1 Version 2   2008-07-21   Rune Gustavsson, Björn Ståhl    Revisions
D3.1 Version 3   2008-08-05   Rune Gustavsson, Björn Ståhl    Revisions based on D2.1 and D2.2
D3.1 Version 4   2008-09-15   Rune Gustavsson, Björn Ståhl    Revisions and updates based on comments


Table of Contents

1. Introduction
2. Overview of field experiments
    2.1 Field Test A – Normal operations
    2.2 Field Test B – Critical situations
    2.3 Field Test C – Emergency situations
    2.4 Assessment of the experiments
3. Coordination and control
    3.1 The proper role of multi-agent systems in INTEGRAL
4. Self-healing and resilience
    4.1 Mechanisms of self-healing
5. Configurable experimental environments
    5.1 Experiences from the CRISP project
    5.2 The tools EXP-II and INSPECT
    5.3 Configurable experiments
6. Dependability and security
    6.1 Classical SCADA systems
    6.2 Emerging standards by IEC
    6.3 A service-oriented approach of virtual utilities
    6.4 Service Bundles and Service Level Agreements
    6.5 Challenges related to ensured resilient and reliable systems
    6.6 Mechanisms supporting resilience and reliability
7. Other approaches
Appendix A

List of Figures

Figure 2.1 - Design of experiments of market driven virtual power plants
Figure 2.2 - Business processes based on DER/RES markets
Figure 2.3 - Smart clusters of smart buildings form the customer part of the virtual utility
Figure 3.1 - Overview of the main concepts of cell-based virtual utilities in the INTEGRAL project
Figure 3.2 - Coordination between the grid management and computational market infrastructures in virtual cell-based utilities
Figure 3.3 - Classification scheme of operational states of a power system
Figure 5.1 - Conceptual view of controlled experiments in CRISP of the behaviours of the critical infrastructures controlled and monitored by the nodes A, B and C
Figure 5.2 - EXP services supporting configuration, running and restoration of experiments
Figure 5.3 - Components of the Fault Diagnosis system of CRISP
Figure 5.4 - Relations between the tools EXP, EXP-II and INSPECT related to EU projects CRISP and INTEGRAL and their associate environments
Figure 5.5 - Architecture of the experimental NSF GENI platform
Figure 5.6 - Interactions between two programmable aggregates
Figure 5.7 - EXP-II based configurable environment supporting programmable nodes and connectivity models
Figure 5.8 - Virtualization of interaction points at boundaries
Figure 6.1 - Standard control system architecture (SCADA) of power systems
Figure 6.2 - Network-centric architecture for future energy based information systems
Figure 6.3 - Some IEC protocols related to the virtual utility
Figure 6.4 - Ad hoc client-server implementation. Does not scale and is difficult to maintain.
Figure 6.5 - A generic service oriented information architecture for enterprises
Figure 6.6 - A generic architecture for embedded ICT in critical infrastructures
Figure 6.7 - A layered coordination model
Figure 6.8 - The general structure of a dialogue diagram
Figure 7.1 - The architecture of the NESSI approach
Figure 7.2 - The ARECI security model
Figure 7.3 - Architecture of the NSF GENI Platform with Substrates, Aggregates, and Slices


References

[ABD-KAN-NEE, 2004] Abdelwahed, S., Kandasamy, N., and Neema, S.: A control-based framework for self-managing distributed computing systems. In Proceedings of the 1st ACM SIGSOFT workshop on Self-managed systems, pp. 3 – 7, ACM New York, NY, USA.

[AKK-YGG-GUS, 1996] Akkermans, H., Ygge, F., and Gustavsson, R.: HOMEBOTS: Intelligent Decentralized Services for Energy Management. In Proceedings of the Fourth International Symposium on the Management of Industrial and Corporate Knowledge (ISMICK'96).

[BRA et. al., 2004] Bradbury, J., Cordy, J., Dingel, B., and Wermelinger, M.: A survey of self-management in dynamic software architecture specifications. In Proceedings of the 1st ACM SIGSOFT workshop on Self-managed systems, pp. 28 – 33, ACM New York, NY, USA.

[CON, 2007] Considini, T.: Business Innovation and Service Abstractions. In Proceedings of GridWise Grid-Interop Forum, Albuquerque, NM, 2007, 134-1.

[DAL-JOH, 2007] Dale, J. and Johnson, A.: Rational Agents for Decentralized Environments. In Proceedings of GridWise Grid-Interop Forum, Albuquerque, NM, 2007, 135-1.

[DIJ-RAV-YGG, 1996] van Dijk, E., Raven, R., and Ygge, F.: SmartHome User Interface: Controlling your Home through the Internet. In Proceedings of DA/DSM Europe '96.

[FON, 2008] Fontela Garcia, M.: Interaction des réseaux transport et de distribution en présence de productions décentralisées. Doctoral thesis, INP Grenoble, 10 July 2008.

[FRE, 2004] Fredriksson, M.: Online Engineering. On the nature of open computational systems. Doctoral Dissertation Series No. 2004:05. Blekinge Institute of Technology.

[FRE-GUS, 2002] Fredriksson, M. and Gustavsson, R.: Methodological principles in construction and observation of open computational systems. In Proceedings of First International Joint Conference on Autonomous Agents and Multi-Agent Systems (AAMAS’2002), pp. 692-693, ACM Press.

[FRE-GUS, 2003] Fredriksson, M. and Gustavsson, R.: Trustworthy and sustainable operations in marine environments. In Proceedings of 25th International Conference on Software Engineering (ICSE’2003), pp. 806-807, IEEE Press.

[FRE-GUS-RIC, 2003] Fredriksson, M., Gustavsson, R. and Ricci, A.: Sustainable Coordination. In Klusch, M., Bergamaschi, S., Edwards, P. and Petta, P. (eds.) Intelligent Information Agents: The AgentLink Perspective, Lecture Notes in Artificial Intelligence (LNAI), vol. 2586, pp. 203-233, Springer Verlag.

[GHO et al, 2007] Ghosh, D., Sharman, R., Rao, R., and Upadadhyaya, S.: Self-healing systems – survey and synthesis. Decision Support Systems, 42, Issue 4 (January 2007), pp. 2164 – 2185. Elsevier. ISSN-0167-9236.


[GOE-SHO, 2008] Goetz, E. and Shenoi, S.: Critical Infrastructure Protection. IFIP, Springer, 2008. ISBN: 978-0-387-75461-1.

[GUS, 1999] Gustavsson, R.: Agents with Power. Special issue of Communications of the ACM, vol. 42, issue 3 (March 1999), pp. 41-47, ISSN-0001-0782.

[GUS, 2006a] Gustavsson, R.: Ensuring Dependability in Service Oriented Computing. In Proceedings of The 2006 International Conference on Security & Management (SAM’06) at The 2006 World Congress in Computer Science, Computer Engineering, and Applied Computing.

[GUS, 2006b] Gustavsson, R.: Sustainable Virtual Utilities Based on Microgrids. In Proceedings of the Third International Symposium on Energy, Informatics and Cybernetics (EIC 2007). Best paper Award.

[GUS, 2006c] Gustavsson, R.: Ensuring Quality of Service in Service Oriented Critical Infrastructures. In Proceedings of The International Workshop on Complex Network and Infrastructure Protection (CNIP 06). Italian National Agency for New Technologies, Energy and the Environment (ENEA).

[GUS, 2006d] Gustavsson, R.: Proper use of Agent Technologies in Design and Implementation of Software Intensive Systems. Sixth International Conference on Quality Software (QSIC 2006), IEEE Xplore, Issue Oct 2006, pp. 435 – 440. DOI: 10.1109/QSIC.2006.49.

[GUS-FRE, 2003] Gustavsson, R. and Fredriksson, M.: Sustainable Information Ecosystems. In Garcia, A., Lucena, C., Zambonelli, F., Omicini, A. and Castro, J. (eds.) Software engineering for large-scale multi-agent systems. Research issues and practical applications, Lecture Notes in Computer Science (LNCS), vol. 2603, pp. 127 – 142, Springer Verlag.

[GUS-FRE, 2005] Gustavsson, R. and Fredriksson, M.: Process Algebra as Support for Sustainable Systems of Services. In Viroli, M. and Omnicini, A. (eds.) Algebraic approaches for multi-agent systems. Special issue of Journal of Applicable Algebra in Engineering, Communication and Computing (AAECC), vol. 16 (2005), pp. 179-203, Springer Verlag.

[GUS-MEL, 2006] Gustavsson, R. and Mellstrand, P.: Dependable Virtual Power Plants. In Proceedings of CRIS Workshop 2006 – Influence of the Distributed and Renewable Generation on the Power System Security.

[HAG, 1997] Hägg, S.: A sentinel approach to fault handling in multi-agent systems. Multi-Agent Systems Methodologies and Applications, Lecture Notes in Computer Science, Volume 1286/1997, Springer Verlag, pp. 181-195. ISBN 978-3-540-63412-6.

[HAG-YGG, 1995] Hägg, S. and Ygge, F.: Agent-Oriented Programming in Power Distribution Automation: an Architecture, a Language, and their Applicability. Licentiate Thesis. Department of Computer Science, Lund University, LUNFD6/(NFCS-3094)/1-183/ (1995); LUTEDX/((TECS-3056)/1-183/(1995).

[HIN-HAM-FEL, 2007] Hines, P., Hamilton, S., and Fellachi, A.: Integrated, Agent-Based, Real-time Control Systems for Transmission and Distribution Networks. In Proceedings of GridWise Grid-Interop Forum, Albuquerque, NM, 2007, 105-1.


[JEN-SYC-WOO, 1998] Jennings, N.R., Sycara, K., and Wooldridge, M.: A Roadmap of Agent research and Development. Autonomous Agents and Multi-Agent Systems, Volume 1, Issue 1 (1998), pp. 7 – 39, Kluwer Academic Publishers. ISSN: 1387-2532.

[JUL-BOT, 2004] Julian, V. and Botti, S.: Developing real-time multi-agent systems. Integrated Computer-Aided Engineering, IOS Press, Volume 11, Number 2/2004, pp. 135 – 149. ISSN: 1069-2509.

[KEL-vDOL, 2007] Kelly, J.F. and von Dollen, D.: The Illinois Institute of Technology Perfect Power System Prototype. In Proceedings of GridWise Grid-Interop Forum, Albuquerque, NM, 2007, 137-1.

[KNO-CLA, 2005] Knottenbelt, J. and Clark, C.: Contract Related Agents. In Proceedings of the Sixth International Workshop on Computational Logic in Multi-Agent Systems (CLIMA’2005), pp. 168 – 183.

[KIN-GEO-RAO, 1996] Kinny, D., Georgeff, M., and Rao, A.: A Methodology and Modelling Technique for Systems of BDI Agents. In Van de Velde, W. and Perram, J.W. (eds.) Proceedings of the Seventh European Workshop on Modelling Autonomous Agents in a Multi-Agent World (MAAMAW'96), LNAI Volume 1038, pp. 56-71. Springer Verlag.

[LIN, 2006] Lindh, J-O.: On Observation of and Interaction in Open Distributed Systems. Doctoral Dissertation Series No. 2006:06. Blekinge Institute of Technology.

[MAM-ZAM, 2006] Mamei, M. and Zambonelli, F.: Self-Maintaining Overlay Data Structures for Pervasive Autonomic Services. Self-Managed Networks, Systems, and Services, LNCS Volume 3996/2006, pp. 58 – 72, Springer Verlag. ISBN: 798-3-540-34739-2.

[MEL, 2007] Mellstrand, P.: Informed System Protection. Doctoral Dissertation Series No. 2007:10. Blekinge Institute of Technology.

[MEL-GUS, 2003] Mellstrand, P. and Gustavsson, R.: Safe Execution of Unreliable Software. In Pocardi, R. and Zavattaro, G. (eds.) Electronic Notes in Theoretical Computer Science, vol. 85(3), 18 pages, Elsevier.

[MEL-GUS, 2004] Mellstrand, P. and Gustavsson, R.: Dynamic Protection of Software Execution Environments. In Proceedings of the Second International Conference on Critical Infrastructures.

[MEL-GUS, 2006a] Mellstrand, P. and Gustavsson, R.: Preventing Buffer Overflows by Dynamic Environment Hardening. In Proceedings of the Third International Conference on Critical Infrastructures.

[MEL-GUS, 2006b] Mellstrand, P. and Gustavsson, R.: Experiment Based Validation of CIIP. In Proceedings of the First International Workshop in Critical Information Infrastructures Security (CRITIS’2006), Selected papers in Lecture Notes in Computer Science (LNCS) No 4347, pp. 15 – 29.

[NIC-PRI, 1977] Nicolis, G. and Prigogine, I.: Self-Organization in Non-Equilibrium Systems (Chaps. III and IV). J. Wiley and Sons, New York, 1977.


[PAR-YOO-LEE, 2005] Park, J., Yoo, G., and Lee, E.: Proactive Self-Healing Systems based on Multi-Agent Technologies. In Proceedings of the 2005 Third ACIS International Conference on Software Engineering Research, Management and Applications (SERA’06). IEEE ISBN: 0-7695-2297-1/05.

[PIE-KIL-GHA, 2007] Design and Implementation of an Open, Interoperable, Automated Demand Response Infrastructure. In Proceedings of GridWise Grid-Interop Forum, Albuquerque, NM, 2007, 100-1.

[PLA, 2007] Platt, G.: The Decentralised Control of Electricity Networks – Intelligent and Self-Healing Systems. In Proceedings of GridWise Grid-Interop Forum, Albuquerque, NM, 2007, 105-1, pp. 1-6.

[RIN, 2007] Rindebäck, C.: Designing and Maintaining Trustworthy Online Services. Licentiate Dissertation Series No. 2007:08. Blekinge Institute of Technology.

[TRA, 2004] Tranchita, C. and Torres, A.: Events classification and operation states considering terrorism in security analysis. In Proceedings of IEEE Power Systems Conference and Exposition, October 2004, Vol. 2, pp. 1265 – 1271, ISBN: 0-7803-8718-X.

[TRA, 2008] Tranchita, C.: Risk Assessment for Power System Security with Regard to Intentional Event. Thesis, L’Institut Polytechnique de Grenoble, 2008.

[WAR et.al., 2005] Warmer, C., Kamphuis, R., Mellstrand, P. and Gustavsson, R.: Distributed Control in Electricity Infrastructure. In Proceedings International Conference of Future Power Systems. ISBN: 90-78205-02-4, INSPEC Accession Number: 9045591, pp. 1-7.

[WGC, 1997] CIGRE WG 38-03: Power Systems Security Assessment: A Position Paper. CIGRE Electra, No. 175, December 1997, pp. 53 – 77.

[WOB-NGU-KRZ, 2005] Wobcke, W., Nguyen, A., and Krzywicki, A.: A BDI agent architecture for dialogue modelling and coordination in a smart personal assistant. In Proceedings of IEEE/WIC/ACM conference on Intelligent Agent Technology, 19-22 September 2005, pp. 323 – 329.

[YGG, 1998] Ygge, F.: Market-Oriented Programming and its Application to Power Load Management. Doctoral thesis, Lund University, 1998. ISBN: 91-628-3055-4.

[YGG-AKK, 1997] Ygge, F. and Akkermans, H.: Making a Case for Multi-Agent Systems. In Proceedings of 8th European Workshop on Modelling Autonomous Agents in a Multi-Agent World (MAAMAW’97), pp. 156-176. ISBN: 3-540-63077-5.

[YGG-AKK, 1999] Ygge, F. and Akkermans, H.: Decentralized Markets versus Central Control: A Comparative Study. Journal of Artificial Intelligence Research, vol. 11, pp. 301-333.

[YGG-AKK, 2000] Ygge, F. and Akkermans, H.: Resource-Oriented Multicommodity Market Algorithms. Autonomous Agents and Multi-Agent Systems, vol. 3, number 1 / March 2000, pp. 53-71. Springer Verlag. ISSN 1387-2532 (print) 1373-7464 (Online).


Acronyms and Abbreviations

AI Artificial Intelligence

AOP Aspect-Oriented Programming

CAA Commercial Aggregating Agent

DAI Distributed AI

DG Distributed Generation

DMS Distributed Management System

DNO Distributed Network Operator

DSO Distributed System Operator

EC European Commission

EPS Electrical Power System

HV High-Voltage

IT Information Technologies

LMP Locational Marginal Pricing

LV Low-Voltage

MAS Multi-Agent System

MV Middle-Voltage

MG Micro-Grid

MGCC Micro-Grid Central Controller

OOP Object-Oriented Programming

OOSAD Object-Oriented System Analysis and Design

QoS Quality of Service

RCS Remote Controlled Switch


Executive Summary

The purpose of WP3 is to identify proper requirements to support design and implementation of the INTEGRAL ICT Reference Platform. The basic requirements are specified in D3.1 ICT support for control and coordination and D3.2 ICT Service models and components. Inputs to those deliverables are the two deliverables D2.1 High Level Specification of Selected Functions and D2.2 Guidelines for practical implementations from WP 2 Integrated Distributed Control Concepts. Furthermore, since the Reference Platform will support the three Field Demonstrators, A, B, and C, interaction between WP 3 and WP 4 Common Demonstrator Design is crucial.

This deliverable focuses on issues derived from the three INTEGRAL Field Tests meeting the goals and objectives of the project. The topics addressed are coordination and control, specifically the multi-agent aspects and views. Self-healing mechanisms and configurable experimental environments are introduced specifically to address issues related to Field Demonstrator C. One section specifically addresses dependability and security from a SCADA perspective. We argue for the advantages of a service-oriented approach for future virtual utilities. The report refers to, and concludes with, comparisons with other international approaches towards similar objectives as INTEGRAL.


1. Introduction

Investigations of enabling technologies aiming at design and maintenance of future energy systems are the focus of several ongoing international R&D projects. An identified challenge is related to integrating a vast amount of Renewable Energy Sources (RES) as Distributed Energy Resources (DER). One of the international projects addressing related challenges is the EU funded SmartGrids Technological Platform [1] (Appendix A). The project INTEGRAL is one of the projects conducted within the SmartGrids umbrella. The EU STREP project INTEGRAL [2] is as such a follow-up of the earlier EU projects CRISP [3] and MicroGrids [4].

According to the Strategic Research Agenda (SRA) of SmartGrids, standardization, modularization and programmable functionality will enable an economy of scale of future power systems, potentially leading to lower costs of operations and more expandable systems. Instrumental to that end is proper design and maintenance of multidirectional communication and control systems enabling horizontal and vertical integration of system components. This will facilitate participation of customers and DG in system operation, resulting in effective distribution control for the benefit of power quality and reliability enhancement at the connection point.

Metering services and statistical metering tools represent the gateway for access to the “active distribution network”. For that reason, electronic meters and Automated Metering Management (AMM) represent the enabling advanced hardware and software technologies to facilitate and inform about customer preferences and opportunities in the energy field and to optimize demand forecasting.

One of the major problems limiting the wider penetration of DER in today’s power systems is the lack of harmonization of grid connection requirements and the lack of compatibility of fault protection systems and metering. Further obstacles arise from the operational engineering requirements on the network where DER is connected. At distribution level, power flow constraints may lead to local reinforcement, in particular related to bi-directionality and possible conflicting requirements with natural gas and heat distribution networks (Combined Heat and Power).

Distribution networks across Europe exhibit considerable differences in detailed design. However, the majority of these networks have been developed against a background of the migration of generation plant to the transmission system. As a result, the fundamental architecture of these networks has much in common. As a general rule, the distribution networks have a relatively small amount of active elements, such as generators, but are instead dominated by passive elements, principally uncontrolled loads.

[1] http://www.smartgrids.eu/
[2] FP6 - 038576 Integrated ICT-platform based distributed control in electricity grids with a large share of distributed energy resources and renewable energy sources. The project started in November 2007.
[3] Distributed intelligence in critical infrastructures for sustainable power: http://crisp.ecn.nl/
[4] http://microgrids.power.ece.ntua.gr/


There is significant structural inertia in the design of distribution networks. However, the reintroduction of more active elements is going to require networks to be, for the lack of a better word, “smarter”. The changes required in fundamental distribution-network architecture need to be identified at the earliest possible opportunity. The goals of the INTEGRAL project are addressing some of these challenges and are achieved through the following steps:

1. Define Integrated Distributed Control as a unified and overarching concept for coordination and control, not just of individual DER devices, but at the level of large-scale DER/RES aggregations.

2. Show how this can be realized by common industrial, cost-effective and standardized, state-of-the-art ICT platform solutions.

3. Demonstrate its practical validity via three field demonstrations (A, B and C) covering the full range of different operating conditions including:

a. Normal operating conditions of DER/RES aggregations, showing their potential to reduce grid power imbalances, optimize local power and energy management, minimize cost etc.

b. Critical operating conditions of DER/RES aggregations, showing stability also in integrated grids.

c. Emergency operating conditions, showing self-healing capabilities of DER/RES aggregations.

The expected results of the project are a selected portfolio of important operational aspects on how to run DER/RES integrated with the grid, particularly:

• Self-healing fault handling and automatic grid reconfiguration in the presence of a large number of DER/RES

• Optimality of autonomous DER/RES islanded operations in interaction with higher levels of the grid.

• System level security and protection of DER/RES distributed control information and actions.

• Balancing and trade services with the help of DER/RES clusters of cells.

In this deliverable we introduce a couple of tools, EXP-II and INSPECT, to support our investigations towards these ends. The tools are mainly extensions of tools from earlier EU projects such as CRISP and Alfebiite [5]. The GridWise project in the US has similar goals as SmartGrids. The GridWise Architecture Council (GWAC [6]) also organizes the Grid Interop Forum conferences.

The remaining part of the paper is organized as follows:

• Section 2 - Overview of field experiments, identifies important aspects of some of the challenges outlined above

• Section 3 - Coordination and control, introduces and motivates some challenges related to the project

• Section 4 - Self-healing and resilience, introduces principles and goals of self-healing mechanisms

• Section 5 - Configurable experimental environments, motivates the means to and ends of such experimental environments and introduces the tools EXP-II and INSPECT

• Section 6 - Dependability and security, introduces the need for a new approach towards SCADA systems and presents the service oriented system approach of ensuring expected system behaviour

• Section 7 - Other approaches, introduces the NSF GENI effort and the EU NESSI approach as well as the ARECI security framework

A list of references is included in the ‘References’ section.

[5] http://www.iis.ee.ic.ac.uk/~alfebiite/ab-consortium-page.htm#Partners
[6] http://www.GridWiseac.org/

2. Overview of field experiments

We give a short overview of the three planned Field experiments to be conducted within INTEGRAL. More detailed information is given in the deliverables of WP4, that is, the D4.1, D4.2 and D4.3 design documents for each of the three demonstrations. An important deliverable in this context is D4.4 Common design and ICT implementation framework shared by all demonstrators. This deliverable is one of the inputs to that deliverable.

2.1 Field Test A – Normal operations

The focus of the experiment is Normal Operation of coordinated control of 100 DER/RES devices as a Virtual Power Plant. Specific issues are given in the following Figure 2.1.

Figure 2.1 – Design of experiments of market driven virtual power plants


Of specific interest are the business processes of the local market as described in the following Figure 2.2.

Figure 2.2 - Business processes based on DER/RES markets

The customer side is based on smart house services and equipment as depicted in Figure 2.3.

Figure 2.3 - Smart clusters of smart buildings form the customer part of the virtual utility

Figure 2.4 illustrates a metering management system associated with Field test A. In fact, “The smart meter” is a portal to and from end-users to the smart experimental distribution network. Identification of proper meter-based services of added value to customers and supporting smart DSM are key areas of experimentation in Field test A. Figure 2.4 also illustrates different communication channels and equipment to be investigated in the experiments.

Figure 2.4 – Typical Metering systems of Field test A

Flexibility is the key of Field test A. Flexibility in production will be illustrated by distributed gas, solar and wind energy sources. Another flexibility is related to energy based business models.

2.2 Field Test B – Critical situations

The test site is Mas Roig in Girona, Spain. The following Figure 2.5 illustrates the basic configuration of the experiment.

Figure 2.5 - Basic resources of field experiment B

The particular set-up of the test site allows for different kinds of modelling and the evaluation of system behaviour during critical situations. The partners CRIC and WATTPIC lead the experiments. The following technical issues will be addressed:

• Different connection models of micro grid to higher level grids.

• Injections of controlled external events to trigger critical behaviour of the LV grid.

• Testing of critical micro grid behaviour due to high loads and connection problems.

2.3 Field Test C – Emergency situations

Demonstration C focuses on demonstrating self-healing in DER/RES distribution networks as shown in the following Figure 2.6.

Figure 2.6 - Agent enabled self-healing of virtual utility cells at level 1

The different kinds of components involved in the experiments concerning recovery from emergency situations are given in Figure 2.7, below.

Figure 2.7 - Components of field experiment C

Field experiment C is based on results from CRISP on controlled dispersed generation and controlled intentional islanding based on dispersed generation [FON, 2008].

2.4 Assessment of the experiments

There are specific ICT challenges addressed in all three field tests described above. For instance:

• Development and assessments of suitable (agent based) information systems tailored for the specific experiments. Those information systems should be seen as instantiations of a common INTEGRAL Information Platform (WP4).

• Identification of basic functionalities (agent-based) and ancillary functionalities to ensure proper and secure system behaviour.

• How to define and instrument proper state models.

• How to monitor systems to detect system states (failure exposures) and control state transitions.

• Define an operational view of self-healing and implement proper supporting mechanisms.

• Definition and implementation of intelligent control at different system levels.

Furthermore, the systems supporting the field experiments should take into account different kinds of:

• Resilience, dependability and security

• Protected use by different stakeholders of common infrastructures

• Real time performance

• Flexibility, extensibility and adaptability

To be specific, in Field test A we need to assess availability since real households are involved. We cannot afford crashes, hang-ups, etc. We also have to address changeability, as we, for instance, might need to make modifications during field trials. Security is to ensure that household information or data cannot be misused. Traceability is also important for contractual and economic reasons. The following Extended ISO 9126 model on attributes of software quality (http://www.serc.nl/quint-book/) could act as a guideline for the INTEGRAL project.

Figure 2.8 Extended ISO 9126 model for software quality

Some of these challenges are addressed below in this deliverable. The functional and architectural aspects are addressed in the deliverable D3.2 ICT service models and components.

3. Coordination and control

The INTEGRAL approach is to integrate novel and emergent ideas from Energy Management Systems (EMS) and ICT-systems in order to support DES/RES integration along with new energy-based business models and processes (e.g., Field test A, Section 2). In fact, we are investigating the interactions between as well as within two internationally identified critical infrastructures (EMS and ICT), to support a third, that is, Critical Business Systems (CBS). In short, we address challenges related to intra- and interdependencies between three critical infrastructures.

Figure 3.1 - Overview of the main concepts of cell-based virtual utilities in the INTEGRAL project

Figure 3.1 gives an overview of the INTEGRAL project. The efficiency of the active distribution networks relies on a combination of three types of distributed resources: Distributed generation, Distribution grids and Demand side integration (DSI). The main operation modes addressed are: Normal operation states (Field test A), Critical operation states (Field test B) and Emergency operation states (Field test C).

Figure 3.2, below, (from CRISP) illustrates the basic coordination patterns of the cell-based virtual utility outlined in Figure 3.1. Two coordination aspects are indicated in the figure. Technical Grid Management (TGM) focuses on secure generation and distribution of energy, while the Computational market manages DMS management and business processes at the customer side. The figure illustrates that under “normal” conditions the interaction between the Technical Grid Management and the business processes of the Computational market is loosely coupled (cf. event based markets of Field test A). However, when the TGM enters a “critical state” a high level Meta-coordination takes control of the overall coordination of both infrastructures.

Figure 3.2 - Coordination between the grid management and computational market infrastructures in virtual cell-based utilities

For instance, control of the computational market might utilize its market processes (buy or sell) to bring the technical grid back into a “Green state” while maintaining quality of service. Figure 3.2 also illustrates that we might have several feedback loops at different levels between as well as within our critical infrastructures. Such feedback loops potentially create non-linear system behaviours, that is, complex behaviour that is difficult to analyze, predict or control. We have to face the challenge of design, implementation and maintenance of resilient open complex systems. References include [ABD-KAN-NEE, 2004; BRA et. al., 2004; CON, 2007; MAM-ZAM, 2006].

Software intensive systems are further expected to meet the performance and quality criteria stated by their customers. Furthermore, these systems must, for cost reasons, be built using off-the-shelf hardware and software components, hence components of mixed or unpredictable quality. Specifically, interactions between such components are mostly unforeseen and therefore unpredictable. Monitoring, coordinating and controlling virtual utilities as depicted in Figure 3.1 hence pose new challenges related to proper definition of system states, instrumentation and measurements.

Figure 3.3 illustrates a state model for the electric grid part of Figure 3.2. The classification scheme of states is proposed by CIGRE [WGC, 1997]. CIGRE’s diagram shows that states can be defined in terms of adequacy and stability. That definition suits us well given the analysis above. However, the only transitions among states that are considered in this model are those due to consequences of natural events.

Present SCADA systems have two well-known shortcomings in meeting the requirements of future DES/RES virtual utilities [Sandia7]:

• Inherent vulnerabilities - exploitable when SCADA systems are integrated with “foreign networks”.

• Present day hard-wired hierarchical systems make it hard to cope with integration of new RES and DES as well as open up for new energy based business processes. A decoupling of SCADA systems enables virtualization at interaction points and hence self-healing as well as allowing for configurable service-based system approaches (Section 6).

An adversary exploiting vulnerabilities causes attack patterns that pose growing threats towards our critical infrastructures [Cert Coordination Center CERT/CC8]. Attack patterns can be instantiated by an adversary having the motive, means and resources to do so. Unintended exploits of vulnerabilities due to software or protocol bugs cause system failures or breakdowns of potentially similar magnitude. A recent thesis on Risk assessment for power system security with regard to intentional events addresses the first aspect [TRA 2008]. Important sources with regard to the first and second aspects are Common Attack Pattern Enumeration and Classification (CAPEC)9 and the homepage of Common Vulnerabilities and Exposures (CVE)10. Our approach towards system hardening has been in the same direction [GUS, 2006a; GUS, 2006c; GUS-MEL, 2006; MEL, 2007; MEL-GUS, 2003; MEL-GUS, 2004; MEL-GUS, 2006a; MEL-GUS, 2006b].

7 http://www.sandia.gov/scada/home/htm
8 http://www.cert.org/certcc.html
9 http://capec.mitre.org/
10 http://cve.mitre.org

To handle state transitions due to such undesired events, the concepts and states of Figure 3.3 have been further elaborated, including new transitions between operating states [TRA, 2004]. To illustrate the complexities we have to address in maintaining adequate and normal operations of DER/RES cell-based systems as in Figure 3.1, we make the following observations:

1. We have to identify a suitable state diagram of the infrastructure supporting the Computational Market

2. We have to identify the state diagram for the combined system of Figure 3.1.

The ICT system of our Virtual utilities combines parts of a decoupled traditional SCADA-system with new functionalities aiming at supporting the management and control of the combined system.

3. We have to instrument and monitor the combined system to enable adequate operations.

State diagram:

Figure 3.3 - Classification scheme of operational states of a power system

An interesting approach to monitoring states is the introduction of a Robustness index (RI) in the earlier mentioned thesis by Fontela [FON, 2008]. By monitoring the RI it is experimentally validated that controlled injection of Dispersed Generation (DG) is manageable given specific constraints. Furthermore, it is demonstrated that the use of DG can increase the robustness of energy systems and also support controlled intentional islanded operations in critical system states.

However, we should note that the system states being identified and monitored are typically not in equilibrium at any time, due to the inherent complexity and feedback loops of our system. We can hope that the system at hand is near equilibrium states most of the time, to enable controllable behaviour. It might, of course, be the case that we are in states far from equilibrium. If so, a small change of parameters could result in a quick jump to another (catastrophic) state, due to bifurcation [NIC-PRI, 1977].

To further illustrate the complexity of our task, we have inherent uncertainties in measurements of system parameters and inherent limitations of bandwidth and computational power. In short, there is no such thing as a correct and shared view of system states of our distributed systems [LIN, 2006]. The bottom line is that we have to engineer our ICT-system towards having a sustainable and ensured optimal and adequate operational support. A second conclusion is that we have to build as resilient and secure systems as possible. To that end we use modularization and virtualization techniques to build in self-healing mechanisms at different system levels (Section 4).
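The coordination pattern of Figure 3.2 and the monitoring caveats above (uncertain measurements, no shared view of state) can be sketched in code. The following Python is an added illustration, not part of the deliverable or of INTEGRAL software: the adequacy margin, its thresholds, the staleness limit and all names are assumptions; only the Normal/Critical/Emergency states and the switch to meta-coordination come from the text.

```python
from enum import IntEnum


class State(IntEnum):
    NORMAL = 0      # "green": market and grid management loosely coupled
    CRITICAL = 1    # meta-coordination takes control
    EMERGENCY = 2


# Constructed values on a hypothetical adequacy margin in [0, 1].
CRITICAL_BELOW = 0.30
EMERGENCY_BELOW = 0.10
RECOVERY_BAND = 0.05   # margin must clear a threshold by this much to recover
CONFIRMATIONS = 3      # consecutive better views required before recovering
MAX_AGE_S = 10         # older reports are treated as missing


def classify(margin, band=0.0):
    """Map one measured margin to a state; band raises both thresholds."""
    if margin < EMERGENCY_BELOW + band:
        return State.EMERGENCY
    if margin < CRITICAL_BELOW + band:
        return State.CRITICAL
    return State.NORMAL


class MetaCoordinator:
    def __init__(self, nodes):
        self.nodes = tuple(nodes)
        self.reports = {}        # node -> (timestamp, margin)
        self.state = State.NORMAL
        self.better_streak = 0
        self.log = []            # (timestamp, old, new, reason) for traceability

    def report(self, node, timestamp, margin):
        if node not in self.nodes:
            raise ValueError(f"unknown node {node!r}")
        self.reports[node] = (timestamp, margin)

    def _view(self, now, band):
        """Worst state over all nodes, with the reason for it."""
        worst, reason = State.NORMAL, "all nodes fresh and adequate"
        for node in self.nodes:
            ts, margin = self.reports.get(node, (None, None))
            if ts is None or now - ts > MAX_AGE_S:
                # Silence is never good news: at least CRITICAL, and never
                # better than the state we are already in.
                seen = max(State.CRITICAL, self.state)
                why = f"{node}: no fresh measurement"
            else:
                seen, why = classify(margin, band), f"{node}: margin {margin:.2f}"
            if seen > worst:
                worst, reason = seen, why
        return worst, reason

    def _move(self, now, new, reason):
        self.log.append((now, self.state.name, new.name, reason))
        self.state, self.better_streak = new, 0

    def step(self, now):
        """Degrade immediately; recover only with hysteresis and confirmation."""
        observed, reason = self._view(now, band=0.0)
        if observed > self.state:
            self._move(now, observed, reason)
        elif observed < self.state:
            candidate, _ = self._view(now, band=RECOVERY_BAND)
            if candidate < self.state:
                self.better_streak += 1
                if self.better_streak >= CONFIRMATIONS:
                    self._move(now, candidate, "recovery confirmed")
            else:
                self.better_streak = 0
        else:
            self.better_streak = 0
        return self.state

    def coupling(self):
        """Coordination mode implied by the current grid state."""
        if self.state is State.NORMAL:
            return "loosely-coupled"
        return "meta-coordination"
```

The asymmetry is deliberate: a single bad or missing reading is enough to hand control to meta-coordination, while returning to loose coupling needs several consistent readings above the threshold plus the band.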

3.1 The proper role of multi-agent systems in INTEGRAL

Multi-agent systems are an excellent tool for high-level modelling of distributed systems with local control. Obviously, systems such as those addressed by INTEGRAL and its predecessors CRISP and MicroGrids could be, and partly have been, modelled as multi-agent systems. Agents and multi-agent systems play different roles in demonstrators A, B, and C of the INTEGRAL project. To enable structured experiments and evaluations the following common Agent Framework (AF) is suggested. The AF is an integration of several approaches in agent based R&D during the last decades.

In effect, agents enact two important roles when modelling intelligent information systems. Firstly, agents encapsulate problem solving capabilities (PSC) and secondly, agent systems encapsulate coordination (or social) capabilities of teams. Agent communication is here modelled using a high-level Agent Communication Language (ACL) allowing separation between content and purpose (dialogue models) of message passing between agents. The following generic Agent Framework (AF) captures these two aspects of agent capabilities.

The Problem Solving Capabilities of agents are modelled according to the Beliefs-Desire-Intention (BDI) architecture [JEN-SYC-WOO, 1998; JUL-BOT, 204; KEN-GEO-RAO, 1996; WOB-NGU-KRZ, 2005]. Typically, the BDI architecture is implemented as tagged plans. Messages sent to the agents are assessed by interpreters and preprocessors to validate the proper type and content of the messages. A primary classification is whether the message is of a problem solving type or of a communication type. Proper actions are then determined by the rule engine in the given context.

Figure 3.4 – A generic Agent Framework

The Social Competence module checks if the communication message is of proper type and which coordination model should be enforced in sending out response messages to selected team members. Detected faults and violations of contracts (e.g., Service Level Agreements) can also be handled in the given context. Coordination models could for instance be based on negotiation patterns with the receiving team members according to pre-defined rules or selected by context matching of messages [HAG, 1997].

There are numerous variations of the components of the AF in Figure 3.4 in the planned Field Tests A, B, and C (Section 2). A first task of WP4 is to clarify the intended instantiations of Figure 3.4 in the different field tests in order to have a common (agent) architecture for INTEGRAL experiments. Some recent investigations of multi-agent systems of relevance to INTEGRAL are [DAL-JON, 2007; HIN-HAM-FEL, 2007; KEL-vDOL, 2007; PIE-KIL-GHA, 2007].

Modelling information systems supporting INTEGRAL Field tests can be based on several different design principles such as modularization, underlying architecture of energy system components, distribution of control, connectivity models, degree of automation, reusability, adaptivity, robustness, security, and so on. We will focus on those aspects in deliverable D3.2 Service Models and Components. Some earlier similar investigations on agent system architectures are [AKK-YGG-GUS, 1996; DIJ-RAV-YGG, 1996; HAG-YGG, 1995; GUS, 1999; YGG, 1998; YGG-AKK, 1997; YGG-AKK, 1999; YGG-AKK, 2000].

However, a multi-agent approach also has two inherent shortcomings:

1. A multi-agent system is in a sense a closed system (fixed coordination mechanism and fixed local agent model). We can perform simulations within the given framework, but combinations of existing agent systems or more general experimentations are not easy to do.

2. There are several agent-based implementation platforms. However, it is not easy to transform and integrate an application running on an agent platform onto an industry-standard environment.

Those aspects are further elaborated in the paper Proper uses of agent technologies in design and implementation of software intensive systems [GUS, 2006d]. It should also be noted that agent architectures and systems focus on the functions of the system. Important non-functional aspects, such as security, need ancillary functions or ancillary agent systems. An example of the latter kind of systems is monitoring systems. Following the principle of separation of concerns those (agent) systems should be modelled and implemented separately. This kind of control system based on sentinels is described in [HAG, 1997].
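The message path described for the Agent Framework (preprocessor validation of type and content, classification into problem solving or communication type, then rule engine or Social Competence module) can be illustrated as follows. This Python is an added example, not code from the deliverable or the INTEGRAL project; the performatives, content schemas, dialogue model and all names are hypothetical.

```python
from dataclasses import dataclass

# Assumed vocabulary (the deliverable names no concrete performatives):
# performative -> required content fields and their types.
PROBLEM_SOLVING = {
    "query-load": {"meter_id": str},
    "set-point": {"device_id": str, "kw": float},
}
COMMUNICATION = {
    "cfp": {"task": str, "deadline_s": int},
    "propose": {"task": str, "price": float},
    "accept": {"task": str},
}
# Dialogue model: which communication performative may follow which inside
# one conversation (None = conversation not started yet).
DIALOGUE = {None: {"cfp"}, "cfp": {"propose"}, "propose": {"accept"}, "accept": set()}


class Rejected(Exception):
    """Raised when a message fails validation; carries the reason."""


@dataclass(frozen=True)
class Message:
    sender: str
    conversation: str
    performative: str  # purpose of the message
    content: dict      # payload, kept separate from the purpose


class Agent:
    def __init__(self, team):
        self.team = set(team)      # peers this agent accepts messages from
        self.dialogue_state = {}   # conversation id -> last performative
        self.violations = []       # (sender, reason), kept for traceability

    def preprocess(self, msg):
        """Validate type and content, then classify the message."""
        if msg.sender not in self.team:
            raise Rejected("sender is not a team member")
        for kind, table in (("problem_solving", PROBLEM_SOLVING),
                            ("communication", COMMUNICATION)):
            if msg.performative in table:
                schema = table[msg.performative]
                break
        else:
            raise Rejected("unknown performative")
        if not isinstance(msg.content, dict) or set(msg.content) != set(schema):
            raise Rejected("content fields do not match the performative")
        for name, expected in schema.items():
            value = msg.content[name]
            # bool is a subclass of int in Python; refuse it explicitly.
            if isinstance(value, bool) or not isinstance(value, expected):
                raise Rejected(f"field {name!r} has the wrong type")
        return kind

    def note_sent(self, conversation, performative):
        """Record a message this agent sent, so replies are judged in order."""
        self.dialogue_state[conversation] = performative

    def social_competence(self, msg):
        """Enforce the dialogue model for communication messages."""
        previous = self.dialogue_state.get(msg.conversation)
        if msg.performative not in DIALOGUE[previous]:
            raise Rejected(f"{msg.performative!r} not allowed after {previous!r}")
        self.dialogue_state[msg.conversation] = msg.performative
        return ("coordinate", msg.performative)

    def handle(self, msg):
        """Return the chosen action, or ('drop', reason) on rejection."""
        try:
            kind = self.preprocess(msg)
            if kind == "communication":
                return self.social_competence(msg)
            return ("rule_engine", msg.performative)
        except Rejected as err:
            self.violations.append((msg.sender, str(err)))
            return ("drop", str(err))
```

Every rejected message is recorded with its sender and reason, which gives a separately implemented sentinel or monitoring agent something concrete to observe.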

4. Self-healing and resilience

Today’s software engineering and system engineering efforts are largely predicated on the notion that with sufficient effort one can design systems to eliminate all critical flaws. Hence most techniques for software development of trustworthy systems have focused on design-time techniques: specification, modelling and analysis, validation, protocol design, etc. This approach works quite well for systems that function in a known environment, that interact with other systems over which we have considerable control, and that can be taken off-line to correct problems.

However, increasingly (as in our case) systems must function with an expected QoS in environments that are highly unpredictable, if not outright hostile. They must interact with other components of dubious quality and/or origin. They must function in a world where resources are not limitless or assured and where cost may be a major concern in achieving trustworthy behaviour. And they might be expected to run without interruption. For such systems it becomes essential that systems become more responsible for their own behaviour, adapting as appropriate at run time to maintain adequate levels of service. These systems must be able to detect when problems arise and fix them automatically or semi-automatically.

In the Autonomic Computing Initiative by IBM11 (2001) the concept of Self Management was introduced to address some of those challenges. Self-management was subdivided into the following self-* components: -configuring, -adaptive, -optimizing, -detecting, -protecting, -healing, and -organizing. None of those concepts is well defined, but there are several descriptions available that are useful for our purpose, such as Elements of the Self-Healing System Problem Space [KOO, 2003], Self-healing systems – survey and synthesis [GHO et. al, 2007], and reports from the EU project IST-516933 Web Services – Diagnosability, Monitoring and Diagnosis (WS-DIAMOND12). The elements identified in [KOO, 2003] are: Fault model, System response, Systems completeness, and Design context. In [GHO, et. al., 2007] the following useful definition of self-healability is given:

Definition (Self-healability). Self-healability is the property that enables a system to perceive that it is not operating correctly and, without human intervention, make the necessary adjustments to restore itself to normality.

This definition can be related to the definitions of:

• Dependable systems, defined as systems globally trustworthy with respect to their ability to always deliver their service.

• Fault-tolerant systems, in which faults may occur but do not affect the performance of the system.

• Resilient systems, systems that could reconfigure to harness disturbances.

But unlike these three definitions, which specify the goals but not the means, self-healability aims at correcting or putting right undesirable system situations. That is an active approach that operationalizes the definitions stated above. In our case we will have different elements and operationalizations depending on the critical infrastructure at hand (EMS, ICT, CBS; Section 3). The WS-DIAMOND approach follows the definition given above in the context of Web services. Those three reports are a background to our own approach towards our environments EXP II and INSPECT and controlled experiments as reported in Section 5.

A desirable systemic property of critical infrastructures is resilience. Due to the inherent complexity of involved systems, this property is only feasible utilizing well-chosen and implemented mechanisms supporting self-healing. The next section discusses these issues in further detail.

11 http://researchweb.watson.ibm.com/autonomic/overview/challenges.html
12 http://wsdiamond.di.unito.it/

4.1 Mechanisms of self-healing

The well-known N-1 criterion in power system operations can be seen as a method of self-healing that could be implemented by different mechanisms. In Field test C (Figure 2.5) we introduce the concept of agent enabled self-healing of the virtual utility. In fact, we are addressing self-healing in software intensive systems controlling complex equipment.

Self-healing, as a concept, has a long history in computing. Historic efforts have mainly been related to adaptation mechanisms in operating systems or multiprocessor systems. Recent interest in self-healing, however, is due to the increased complexity of our software intensive systems13 [GHO et.al., 2007; PAR-YOO-LEE, 2005; PLA, 2007]. Modern practical computing systems are much more complex than the simple programs on which we developed our models of dependability. These dependability models typically rely on precise specifications, which are in practice impossible to obtain for larger distributed systems.

Self-healing could be defined as a means to transform brittle tightly coupled systems into loosely coupled ductile systems with flexible interaction patterns (virtualization). The idea is that the flexibility of interaction could absorb (self-heal) disturbances not foreseeable at design time of the system. Having said that, it is paramount that self-healing mechanisms are engineered based on input from carefully performed experiments.

The degree of self-healing of a systemic fault or failure could be measured in terms of automation. At one end of a spectrum self-healing could be monitoring by a system operator given the appropriate support tools. At the other end of the spectrum self-healing tasks are fully automated. We have thus either human supported intelligent systems or automatic intelligent systems. In Field test C we will have both kinds of self-healing support.

Our efforts on self-healing mechanisms have also been on the low and high levels of system interaction (Figure 5.5), that is, on securing software execution by hardening mechanisms (Section 5) and self-healing at the mission level [FRE, 2004; FRE-GUS, 2002; FRE-GUS, 2003; FRE-GUS-RIC, 2003; GUS-FRE, 2003; GUS-FRE, 2005]. The purpose of the tools and environments introduced in Section 5 is to further identify and implement self-healing mechanisms, in a principled way, at remaining system levels.

5. Configurable experimental environments

5.1 Experiences from the CRISP project

The EXP II and INSPECT tools and environments, below, are continuations of our efforts to investigate reliability, security and resilience aspects of critical infrastructures, Figure 7.3.

13 IST-2001-32685 SAFEGUARD: http://www.ist-world.org/ProjectDetails.aspx?ProjectId=1b4dfde9ea2e4563b4411fe9f15c5078

The starting point was experiments related to the CRISP project. The following Figure 5.1 depicts our experimental configuration at that time.

Figure 5.1 - Conceptual view of controlled experiments in CRISP on the behaviours of the critical infrastructures controlled and monitored by the nodes A, B and C

The basic services provided by the EXP controller are Generic services (parameter settings), Runtime configuration base and Experiment specific services (including Restoration Service and Start-up Service). Those services and their controlling environment are depicted in the following Figure 5.2.

Figure 5.2 - EXP services supporting configuration, running and restoration of experiments

The main results of the CRISP experiments were [GUS, 2006b; GUS, 2006c; MEL-GUS, 2006b; WAR et. al., 2005]:

• Coordination between infrastructures in “yellow situations”

• Customized IP protocols to meet real-time network requirements

• Implementation of secure execution environments implementing self-healing mechanisms protecting execution of unreliable software

• Visualization of system status, with different points of view, to support operators’ understanding of system components and their interaction and behaviour

The combined experiments on Fault Location, Diagnosis and Repair are reported in a recent doctoral thesis [FON, 2008]. The following Figure 5.3 gives the context for the implemented demonstrator. Legend: Help Tool for Fault Diagnostic (HTFD), Fault Passage Indicator (FPI), Fault Recorder (FR).

Figure 5.3 - Components of the Fault Diagnosis system of CRISP

5.2 The tools EXP-II and INSPECT

The EXP tool and environment have been developed along different lines. One development strand has resulted in several experimental platforms supporting our university’s education programs, including programs on security engineering. Furthermore, our industrial partners have successfully tested and deployed EXP environments. The following Figure 5.4 shows the connections between our tools developed to support investigations in the mentioned EU projects. A comprehensive account of the theoretical foundations and engineering aspects related to EXP is given in the thesis Informed System Protection [MEL 2007]. Other results are reported in several papers in different contexts.

The purpose of the EXP suite of environments is to allow for controlled experiments of critical infrastructures. In fact the EXP-II environment allows us to make experiments much along the line of those envisaged by the NSF GENI14 initiative of Figure 7.3 (Section 7). The purpose of the INSPECT tool is to explicitly model and assess information flow across component boundaries (Section 5.3). Those experiments aim at developing and testing self-healing mechanisms to ensure resilience.

14 http://www.geni.net/

Figure 5.4 - Relations between the tools EXP, EXP-II and INSPECT related to EU projects CRISP and INTEGRAL and their associate environments

Arguably, modelling, understanding and maintaining correct information flows is fundamental for ensuring proper behaviour of critical infrastructures [GOE-SHO, 2008; ARECI, Figure 7.2]. From Figure 5.5 we can read that there are indeed different types of information, i.e., measurements, control information and user information, involved in the systems we are addressing. The interface Measurement Plane controls configuration for measurement infrastructure and management of collected data. The interface Control Plane manages resource discovery, reservations and release, slice control (e.g., experiment start and shutdown) and tools for debugging. The interface Data Plane controls experiment data flow, “in-band” debugging and experiment control. Furthermore, the information has different formats and is typically transformed during its flow through the systems, as depicted in Figure 5.6.

Figure 5.5 - Architecture of the experimental NSF GENI platform

Figure 5.6 depicts the interaction between two programmable aggregates, e.g., smart houses or smart equipment in our Field tests (Section 2). The information flow between the aggregates must follow protocols and policies at different layers. The INSPECT tool and environment allow us to model and execute information flow experiments (Section 5.3).


Figure 5.6 - Interactions between two programmable aggregates

A purpose is to develop and test self-healing mechanisms or enable proper monitoring to ensure resilience.

5.3 Configurable experiments

The following experimental environment, based on EXP-II, is an evolution of the experimental environment of Figure 5.1 and Figure 5.2. The main components of the EXP-II environment are given in Figure 5.7.

Figure 5.7 - EXP-II based configurable environment supporting programmable nodes and connectivity models

The main features of our new environment under development are:

• Support for environment manipulation during experiments, e.g., fault injections

• Virtualization at interaction points at borders

• Extensions of basic services of EXP across platforms and networks

• Support for experiments on instrumentation and measurements (Network of software probes)

• Support for feed-back, calibration and debugging

• Support for configuration of experimental environments. Programmable nodes and connectivity models

In fact, we could experiment with large, open distributed heterogeneous systems along the lines of NSF GENI efforts (Section 5). The main idea is to maintain a self-sufficient experiment environment at any time, but:

• When conditions allow for it, controllably establish connections to other environments through VPNs between controllers (Implementing trusted Slices, GENI Section 7)

• Allowing for new mode of distributed operation, which can be toggled during experimentation.

The INSPECT tool enables experiments across component boundaries as outlined in Figure 5.8.

Figure 5.8 - Virtualization of interaction points at boundaries

The tool allows us to model different connectivity models such as Publish/Subscribe, Broadcast or Peer-to-Peer, supported by high-level programmable contract-based interaction protocols. The messages are indexed and transmitted by a pattern-based message router. Subscriptions and notifications are based on pattern matching of contract protocols. The indexing allows for on-line monitoring or off-line analysis of messages related to predefined contract-based dialogues (Section 6.5). The off-line analysis of stored messages is supported by event calculus logic. Correctness of interactions or forensics related to breakdowns of communications can thus be established. The theoretical underpinnings and their applicability are reported in [KNO-CLA, 2005; RIN, 2007].
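The following added example (not INSPECT code and not part of the deliverable) shows a pattern-based router that indexes messages per dialogue, and an off-line replay that checks each stored dialogue against a contract. The contract, the message fields and the sample log are assumptions constructed for illustration; the replay uses initiates/terminates rules in the style of event calculus rather than a full event-calculus reasoner.

```python
from collections import defaultdict

# Hypothetical contract for a demand-supply dialogue. For each performative:
# (fluents that must hold, fluents it terminates, fluents it initiates).
CONTRACT = {
    "request": (set(),              set(),              {"awaiting_bid"}),
    "bid":     ({"awaiting_bid"},   {"awaiting_bid"},   {"awaiting_award"}),
    "award":   ({"awaiting_award"}, {"awaiting_award"}, {"awaiting_ack"}),
    "ack":     ({"awaiting_ack"},   {"awaiting_ack"},   set()),
}

# Constructed message log: (dialogue, time, sender, receiver, performative).
SAMPLE_LOG = [
    ("d1", 1, "house-A", "cell-1", "request"),
    ("d1", 2, "cell-1", "house-A", "bid"),
    ("d1", 3, "house-A", "cell-1", "award"),
    ("d1", 4, "cell-1", "house-A", "ack"),
    ("d2", 1, "house-B", "cell-1", "request"),
    ("d2", 2, "house-B", "cell-1", "award"),    # award without a preceding bid
    ("d3", 1, "house-C", "cell-2", "request"),
    ("d3", 2, "cell-2", "house-C", "bid"),
    ("d3", 3, "house-C", "cell-2", "award"),    # the ack never arrives
]


def matches(pattern, message):
    """A pattern maps field -> required value; '*' accepts any value."""
    return all(
        field in message and (want == "*" or message[field] == want)
        for field, want in pattern.items()
    )


class PatternRouter:
    """Delivers messages by pattern match and indexes them per dialogue."""

    def __init__(self):
        self.subscriptions = []           # list of (pattern, callback)
        self.index = defaultdict(list)    # dialogue id -> stored messages

    def subscribe(self, pattern, callback):
        self.subscriptions.append((pattern, callback))

    def publish(self, message):
        # Index first, so a message is kept even if nobody subscribes to it.
        self.index[message["dialogue"]].append(message)
        delivered = 0
        for pattern, callback in self.subscriptions:
            if matches(pattern, message):
                callback(message)
                delivered += 1
        return delivered


def analyse(messages, contract=CONTRACT):
    """Off-line replay of one stored dialogue.

    Returns (violations, open_fluents): messages sent while their
    precondition did not hold, and obligations pending when the log ends.
    """
    fluents, violations = set(), []
    for msg in sorted(messages, key=lambda m: m["t"]):
        rule = contract.get(msg["performative"])
        if rule is None:
            violations.append((msg["t"], msg["performative"], "not in contract"))
            continue
        requires, terminates, initiates = rule
        if not requires <= fluents:
            missing = ", ".join(sorted(requires - fluents))
            violations.append((msg["t"], msg["performative"], "needs " + missing))
            continue  # a rejected event does not change the dialogue state
        fluents = (fluents - terminates) | initiates
    return violations, sorted(fluents)


def demo():
    """Route the constructed log, then analyse every indexed dialogue."""
    router = PatternRouter()
    awards_seen = []                      # on-line monitor: every award message
    router.subscribe({"performative": "award", "dialogue": "*"}, awards_seen.append)
    for dialogue, t, sender, receiver, performative in SAMPLE_LOG:
        router.publish({"dialogue": dialogue, "t": t, "sender": sender,
                        "receiver": receiver, "performative": performative})
    report = {d: analyse(msgs) for d, msgs in router.index.items()}
    return awards_seen, report


if __name__ == "__main__":
    _, dialogue_report = demo()
    for dialogue_id, (violations, pending) in dialogue_report.items():
        print(dialogue_id, "violations:", violations, "pending:", pending)
```

In the constructed log, dialogue d2 is flagged as a protocol violation, while d3 has no violation but ends with a pending obligation, which is the trace of a broken-off communication.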

6. Dependability and security


In this section we focus on the needed transformation of supporting information systems to enable new energy based business processes and grid protections in future cell-based virtual utility as addressed in the INTEGRAL project (Section 1). In short, we have to replace present day vertical, closed and hierarchical SCADA systems with flexible service-oriented systems for information management in cell-based virtual utilities. We give in Section 6.1 a short overview of current SCADA systems with some well-known limitations and shortcomings. Decoupling of SCADA system functions into the required open information system requires a set of standards as well as new architectures. Those issues are addressed in Sections 6.2 and 6.3. Security and dependability issues related to the new architectures are addressed in Section 6.5.

6.1 Classical SCADA systems

Typical control system architecture of power systems is given in Figure 6.1. The vertical hierarchical architecture of the information system closely mirrors the hierarchical structure of the classical power grid. The main drawbacks in today’s control systems are as follows. The data and information exchange within the system are structured into a strong hierarchy. Measurement values, or process data, are transmitted from lower to higher levels, while control information is transmitted vice versa. The communication bandwidth within a station, and that between stations and the system control levels are limited. Several vendor specific protocols are used with the need for specific gateways (GW). Fixed information channels, e.g., telecontrol systems, are supporting the hierarchy.

Figure 6.1 - Standard control system architecture (SCADA) of power systems

The applications within the Energy Management System (EMS) are not modularised and are based on the central SCADA database information. Interconnections to other information systems, such as enterprise information or maintenance management systems, have to be handled by specific interfaces. The SCADA system itself contains both real-time and configuration data. The Intelligent Electronic Devices (IED) like protection devices on the station and bay level are also vendor specific with varying functionalities, interface protocols and data models.

Besides being rigid, current SCADA systems have also, as stated earlier, revealed vulnerabilities due to increased complexity and interdependencies between systems. As we have seen from the INTEGRAL scenarios (Section 2), new business models and opportunities will rely on advanced information processing between components on the Bay, Station, and System control levels as well as bi-directional flows between hierarchical levels and customer sites. In short we need new system architectures to support critical information management of future cell-based virtual utilities in a trustworthy and dependable way. To accomplish this flexibility we have to introduce network centric architectures, e.g., Service-Oriented Architectures (SOA) to replace the architecture of Figure 6.1. To that end, we have to rely on protocol standards and data standards to be able to support flexibility and security.

The following Figure 6.2 introduces a network-centric information system for operations of future energy based business such as high-quality generation and distribution as well as new Business to Business processes based on energy services. The basic topology of the system is outlined in Figure 6.2. Local area networks (LAN) are used for data communication within a substation. The communication between substations is implemented with wide area networks (WAN) to which the substations are connected via gateways (GW). Some IEDs from substations without a substation automation system can be directly linked with the WAN. To fulfil the requirements concerning bandwidth reservation and security for real time control systems, the WAN for the use of electrical power system is separated from public WANs. It should be noted that figures 6.1 and 6.2 depict physical component based architecture.
The corresponding layered and service-based distributed information architecture related to Figure 6.2 is described in Figure 6.4 and Figure 6.5. The information architecture related to Figure 6.1 collapses to the centralized EMS information architecture.

Figure 6.2 - Network-centric architecture for future energy based information systems


6.2 Emerging standards by IEC

The ongoing development of IEC standards, below, supports the decoupling of SCADA systems and thus fits very well into a service-oriented ICT support for future energy-based business systems. Furthermore, those standards could support development of more dependable and secure ICT systems than those that build on Internet standards alone. We will investigate those issues in subsequent experiments on our test bed.

The communication protocols of the four lower levels of the ISO OSI Reference model enable data to be ‘physically’ exchanged between modules of the system. Traditional and still widely used protocols usually only implement the lower layers of the reference model. The data model is in this case simply an array containing signal addresses (or data points), and there is no notion of devices at the protocol level. This type of communication is an anonymous exchange of data points, because a physical device that receives the value knows neither what the meaning of the value is nor which physical device sent it – it only knows that the signal comes from a given address. The same comment applies to the sending device. To give semantics to the values used by the applications at any end of the communication channel, there must be a mapping facility at each end that has to be configured so as to associate data points with meaningful physical objects (i.e., circuit breaker) and their attributes’ values (e.g., status = ‘open’).

This section will focus on the data models specified in the standards that provide for more abstract means for enabling communication (i.e., exchange of data), for both real-time and non-real time tasks such as system configuration or inter-application communication (i.e., message sending as needed in earlier discussed scenarios). In the following paragraph we briefly introduce three emerging IEC standards that define more elaborate data models.
Their application can eliminate the shortcomings of point-oriented, anonymous data exchange, and enable direct interactions between autonomous components. Although all these standards are still only in draft versions, some of their parts have already been adopted as de facto standards and even implemented by some device manufacturers and system vendors. The standards are IEC 61850 aiming at data modelling for substations and devices. Another standard in progress is IEC 61970: Energy Management System Application Programming Interfaces (EMS-API). The third standard is IEC 61968: System Interfaces for Distribution Management. This work is in progress and is closely related to and coordinated with the efforts on IEC 61970.

The IEC 61850 is basically a communication standard but a great effort has been invested in domain analysis. This effort has resulted in an elaborated domain model, which contains also the data model. The main abstraction of the domain model is the Logical Node (LN), which can be seen as an atomic functionality available within the substation, from the substation control system, to protection and control devices, to the process itself. An LN holds data, classified into a number of Common Data Classes, which are the main abstractions of the data model. There are efforts to provide a formal model of IEC 61850. Each LN encapsulates the data it needs for performing its functionality or behaviour. That is, not only typical operational data but also different configuration data. This implies that the devices can describe themselves to the system. In the operational context, devices are servers and clients, and thus can be queried or query other devices through ANSI services. For configuration purposes, the IEC 61850 defines Substation Configuration Language (SCL). SCL is an XML Schema, with the elements and attributes reflecting the domain model. So, the self-description capability of IEDs can be available in a standard human and machine-readable way, through an XML instance file. Additionally, SCL allows one to configure the communication-related attributes of an IED as well as to describe the equipment and communication topology within the substation.

The concept of abstract LNs, which model atomic behaviours within devices and systems, encapsulate own data, perform reasoning, and collaborate with other LNs through server-client mechanisms, can facilitate implementations of the IEC 61850 by means of software components. Depending on the capabilities of the LN it can in effect be an agent and/or a Service.

The standard IEC 61970 (EMS-API) defines means that facilitate ‘opening’ of traditionally closed and monolithic EMS/SCADA systems, which equip the network control centres. The standard defines a data model, called CIM (Common Information Model), and a set of application programming interfaces (APIs) used to manipulate the EMS/SCADA database data. Contrary to the IEC 61850 for substations, this standard does not specify any particular communication protocol. Rather it specifies concrete APIs, which can be realized by a protocol with the OSI profile appropriate for the given execution environment. There are two global sets of APIs. One set is intended for fast access to real-time data, typically used within SCADA applications, such as data acquisition front end or an update of human machine interfaces with the process data. The other set of APIs enables near-real-time access to the full network model or its parts, typically used in EMS on-line applications, even out of EMS for, e.g., long time planning or reliability analysis applications. A notable contribution of this standard is the data model CIM.
CIM is an abstract model that describes the domain known to EMS/SCADA systems as a set of objects with attributes and relations to other objects. The model is defined in the standard UML. The CIM model is maintained using a CASE tool. Similar to the IEC for substations this standard also defines the serialization format. CIM and the APIs defined in IEC 61970 represent obvious means that support open EMS/SCADA systems as described above in Figure 6.3.

The last standard that will be mentioned here, IEC 61968: System Interfaces for Distribution Management is designed for Distribution Management Systems (DMS), which typically must communicate with network operation and process control systems (EMS/SCADA and substations, respectively), as well as with different enterprise level systems, such as customer management, resource planning and maintenance and outage systems. Therefore, the objective of this standard is to define a set of messages that DMS needs to exchange with other systems within the enterprise. This standard is complementary to the IEC 61970 (EMS/SCADA) for two reasons. First, it uses CIM as its domain model and extends it with the physical objects and concepts that are relevant for distribution networks only. The second reason is that this standard also uses the APIs defined in IEC 61970, where applicable, and extends them with APIs that allow inter-application messaging. This means that these extended interfaces can be used by EMS/SCADA systems as well. Messages in IEC 61968 are specified in XML. Since the time scale for inter-application messaging is not real-time critical, the implementations are likely to simply use some XML-based communication protocol such as SOAP. The SOAP protocol itself is a key technology for web services (c.f., IBM and Microsoft’s .NET).

The following Figure 6.3 depicts the locations of the different IEC standards in an architecture resembling that in Figure 6.2.

Figure 6.3 - Some IEC protocols related to the virtual utility
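The point-oriented, anonymous data exchange described in Section 6.2 can be illustrated with an added example (not from the deliverable and not an IEC 61850 implementation). It decodes the same frame with two differently configured mapping facilities, audits the two point lists against each other, and then carries object and attribute names with each value. All addresses, object names and point lists are constructed assumptions.

```python
# Constructed frame: only (address, raw value) pairs travel on the wire.
FRAME = [(1001, 1), (1002, 0), (1003, 2304)]

STATUS = {0: "open", 1: "closed"}

# Mapping facility as configured at the sender (hypothetical point list):
# address -> (physical object, attribute, enum table or analogue scale factor).
SENDER_MAP = {
    1001: ("breaker Q1", "status", STATUS),
    1002: ("breaker Q2", "status", STATUS),
    1003: ("feeder F1", "current_A", 0.1),
}

# Receiver's point list after an incomplete re-engineering: Q1 and Q2 swapped.
RECEIVER_MAP = {**SENDER_MAP, 1001: SENDER_MAP[1002], 1002: SENDER_MAP[1001]}


def decode_points(frame, point_map):
    """Give meaning to anonymous data points using a locally configured map."""
    decoded = {}
    for address, raw in frame:
        if address not in point_map:
            raise KeyError(f"unmapped address {address}")
        obj, attribute, conv = point_map[address]
        value = conv[raw] if isinstance(conv, dict) else round(raw * conv, 3)
        decoded[(obj, attribute)] = value
    return decoded


def map_mismatches(map_a, map_b):
    """Audit two point lists: addresses whose meaning differs between the ends."""
    return sorted(
        addr for addr in set(map_a) | set(map_b)
        if map_a.get(addr, (None, None))[:2] != map_b.get(addr, (None, None))[:2]
    )


def encode_named(frame, point_map):
    """Sender side of a model-based exchange: each value travels with the
    object and attribute it belongs to, instead of a bare address."""
    return [
        {"object": obj, "attribute": attribute, "value": value}
        for (obj, attribute), value in decode_points(frame, point_map).items()
    ]


def decode_named(messages, known_objects):
    """Receiver side: no address map is needed, and a reference the receiver
    does not know is rejected instead of being silently misread."""
    decoded = {}
    for msg in messages:
        key = (msg["object"], msg["attribute"])
        if key not in known_objects:
            raise ValueError(f"unknown reference {key}")
        decoded[key] = msg["value"]
    return decoded


if __name__ == "__main__":
    print("sender view:  ", decode_points(FRAME, SENDER_MAP))
    print("receiver view:", decode_points(FRAME, RECEIVER_MAP))
    print("addresses to re-check:", map_mismatches(SENDER_MAP, RECEIVER_MAP))
```

With the swapped point list the receiver reports breaker Q1 as open although the sender meant closed, and nothing in the exchange signals the error; only the point-list audit or the named form exposes it.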

It should be noted that decoupling of SCADA functions enables flexibility if we recombine the functions in a structured and flexible way. A standard distributed architecture to that end is the client-server model. However, an unintelligent use of that model could quickly result in non-flexible and hard to maintain systems as illustrated in Figure 6.4.

Figure 6.4 - Ad hoc client-server implementation. Does not scale and is difficult to maintain.


The following Figure 6.5 captures the main components of a service-oriented information architecture.

Figure 6.5 - A generic service oriented information architecture for enterprises

The main difference between a client-server implementation and a SOA approach is that in the first case we implement an application, whereas in the second approach we configure applications from reusable components (services). A transition from a client-server application to SOA application effectively means that we have to decouple the application into sub functions and hence services. The configuration of services into applications has to be supported by appropriate middleware services (Figure 6.6). For the CRISP experiments we have identified the following generic service oriented architecture (compare with Figure 6.5).

Figure 6.6 - A generic architecture for embedded ICT in critical infrastructures

6.3 A service-oriented approach of virtual utilities

Obviously we can, and might do, implement all field experiment environments of Section 2 using a client server approach (Figure 6.4). For application systems of moderate size it might be the most cost effective way to proceed. However, our field test environments should:

• Support controlled experiments

• Allow comparisons

• Support general recommendation (e.g., in the MicroGrids context, Section 1)


For those reasons we should aim for a SOA-based ICT Generic Platform in INTEGRAL.

6.4 Service Bundles and Service Level Agreements

Configuring services to create an application meeting a set of requirements generates a Service Bundle (SB). The control of the execution of the services is specified in a Service Level Agreement (SLA). Proper specification, instrumentation and monitoring of the SLA are the key mechanisms needed to ensure resilient and reliable system behaviour. The mechanism of SB/SLA allows us to combine, for instance, two multi-agent systems (c.f. Section 3.1):

• Decompose the multi-agent systems into sets of agents.

• Implement the agents as services.

• Translate the control of the agent systems into control patterns between middleware services.

• Recombine the combined agent system from selected services and identify corresponding SB/SLA.

6.5 Challenges related to ensured resilient and reliable systems

Future cell-based utilities consist of the energy system and an embedded information system. In fact we have interdependencies between two critical infrastructures. Protection of critical infrastructures (CIP) and of critical information infrastructures (CIIP) are of major international concern, not the least in the ongoing EC FP7 programme. To complicate issues, some concepts (e.g., security and dependability) have different meanings in CIP and CIIP. We have in CRISP outlined a framework addressing to some extent CIP as well as CIIP. Since software is the glue within and between infrastructures we have on one side focused on trustworthy and dependable software, and on the other side focused on the performance of ICT networks and the protection of the grid. We begin with the first concern and come back later to ICT and grid issues.

In a running system there will be software of different quality and of different origin (own developed software, COTS, proprietary software, and legacy systems). Furthermore, the software modules might be involved in interactions not intended, or thought of, at design and implementation time (as we have witnessed for SCADA systems). Still we expect and depend upon a trustworthy behaviour of our systems! The following equation (Equation 1) captures our approach towards trustworthy computations:

• Computation = Code + Execution

Most contemporary models aiming at assuring correct computations have been focusing on assessing and testing the code itself (black box and white box testing, etc.). Our approach is towards assuring correct execution. We have to that end identified and tested different mechanisms supporting assessments of the running state of execution. Our results towards securing execution and protecting systems at runtime are very promising and will be pursued towards protecting execution of services in a service oriented architecture. The configurable experimental test bed used in validating our mechanisms for protecting execution has also been used in experiments related to ICT performance (delay and throughput) related to CRISP experiments. By tailoring routing algorithms we have validated that we can protect (detect, localize, and restore) the power grid even in time-critical situations.

The CRISP experiments involve (technical) power grid protection and high-level business processes based on demand-supply matching. In effect those two applications can be modelled on the same service oriented platform (Figure 4.2, 4.5, and 4.6). We have outlined a common business model coordinating the grid protection and the business model that allows us to buy or sell energy from a cell (in a “yellow” state) in order to avoid a critical situation (load shedding or black-out) and to bring the grid back to a “green” state (Figure 3.2). The corresponding layered model is given in Figure 6.7.

Figure 6.7 - A layered coordination model (figure labels: states Normal, Emergency, Blackout, Recovery; layers Business operation applications, Grid operation applications, Coordination middleware for critical infrastructures, ICT)

Equation (1) above indicated that we modelled protection of computation as protection of execution. We take a similar route towards information protection. To that end we introduce the following equation (Equation 2):

• Information = Representation + Interpretation

Again, classical information protection (Confidentiality, Integrity, Availability (CIA-model)) mainly focuses on protecting the representation by means of cryptography, PKI, and access control (such as passwords). Those methods have many known weaknesses and limitations including scalability and maintenance. To counter that we address the Interpretation capabilities, i.e., the tools that are available for a user in a given context for access and management (including visualization) of representations. The backbone of this approach is high-level dialogue models related to workflows of tasks (an extended CommonKADS framework). We have in this framework indicated how we could secure for instance business processes related to demand-supply matching. This line of work is promising but still in an early phase.


Figure 6.8 - The general structure of a dialogue diagram (figure labels: Agent A with Tasks A1 to A5, Agent B with Tasks B1 to B4, and a Dialogue between them labelled Tr. 1 to Tr. 4)

From Figure 6.8 and equation (2) we can in a structured way analyze and implement appropriate information protection mechanisms (e.g., related to business processes based on demand-supply matching) at appropriate levels, e.g., dialogues, tasks, workflows, information items, and supporting agent capabilities and access rights. Finally, we have outlined a dependability model of socio-technical systems where security and dependability concerns are expressed as constraints of system behaviours. We have also identified a failure model supporting improvement of system dependability qualities. The bottom line is that we have within CRISP identified and partly validated important mechanisms towards dependable and assured business services based on cell-based virtual utilities. Further investigations will be enabled within the INTEGRAL project using the tools EXP–II and INSPECT as has been outlined in Section 5.3.

6.6 Mechanisms supporting resilience and reliability

We have in section 3.2 introduced mechanisms of self-healing to ensure resilience. Obviously, there is a trade-off between implementing those mechanisms and performance. In fact we have introduced constraints on the system behaviour in order to achieve the desired system criterion resilience. Similarly, constraints on access between users and system or between system components, such as Role Based Access Control (RBAC), aim at ensuring data integrity and other system criteria.


The tools EXP II and INSPECT will allow us to experimentally validate proper constraints and their mechanisms to ensure resilience and reliability.

7. Other approaches

Of particular interest to us are the Availability and Robustness of Electronic Communications Infrastructures – ARECI report, the NSF Global Environment for Network Innovation – GENI framework and the EU The Networked European Software and Services Initiative – NESSI¹⁵. Its aim is to create a unified agenda based on a multidisciplinary approach, for European research on Services and their foundations. In many respects the NESSI agenda is similar to the US NSF initiative GENI. An overview of service-centric systems is given in a recent IEEE journal¹⁶.

Figure 7.1 - The architecture of the NESSI approach

The ARECI¹⁷ report was conducted by Alcatel-Lucent Technologies for the European Commission as part of its larger multi-annual MONDIS programme, which provides support for the implementation of the eEurope 2005 action plan. The report includes 10 Recommendations that will significantly enhance the availability and robustness of Europe’s communications networks. A main contribution is the Eight Ingredient Framework of communication Infrastructures¹⁸. The report focuses on how to mitigate vulnerabilities in the 8 ingredients to avoid threats exploiting those vulnerabilities. The following Figure 6.1 gives an overview of some key concepts and the proposed Network Security Framework.

15 http://www.nessi-europe.com
16 IEEE Software November-December 2007. Special issue on Service-Centric Software Systems.
17 Report to EU DG Information Society and Media. Alcatel-Lucent 2007.
18 Bell Labs Technical Journal 11(3), 73-81 (2006)


Figure 7.2 - The ARECI security model

The GENI initiative by NSF designs and implements a flexible experimental platform towards understanding Future Internet and fundamental innovations in networking and distributed systems. GENI provides these capabilities through an innovative combination of techniques: virtualization, programmability, controlled communication, and modularity. Specifically:

• GENI will allow us to experimentally answer questions about complex network systems giving us an increased fundamental understanding about their dynamics, stability, emergent behaviors and related matters.

• GENI will allow us to evaluate alternative architectural structures, and reconcile the contradictory goals a network architecture must meet.

• GENI will allow us to evaluate engineering tradeoffs and test theories about how different architectural elements might be designed.

GENI comprises a collection of hardware resources; this collection includes computer nodes, backbone links, tail circuits, storage capacity, customizable routers, wireless subnets, and so on. Each experiment using GENI will run on some subset of the GENI resources. We call the resources bound to a particular experiment a slice. GENI includes management software that is used to allocate resources to slices, embed slices in these resources, and ensure that slices do not interfere with each other.


Figure 7.3 - Architecture of the NSF GENI Platform with Substrates, Aggregates, and Slices

A recent book by IFIP on related issues on Critical Infrastructure Protection is [GOE-SHO, 2008].


Appendix A

Overview of the content of the Strategic Research Agenda (SRA) of the EU Technical Platform SmartGrids.

The Strategic Research Agenda (SRA) is subdivided into 19 Research Tasks (RT) and provides examples of the following Innovation opportunities:

• Small Users – Demand Side Participation. Enhanced quality and security of supplies.

• Large Users – Reduced congestion for generation export. Access to Europe-wide electricity markets.

• Distribution Networks – Integration of DER to enhance supply security and quality. Achieving asset renewal cost-effectively and security.

• Transmission Networks – Reduced congestion for pan European grid energy flows. Open access to essential ancillary services across Europe.

The following Key elements of the vision are included:

• Creating a toolbox of proven technical solutions that can be deployed rapidly and cost-effectively, enabling existing grids to accept power injections from all energy sources.

• Harmonising regulatory and commercial frameworks in Europe to facilitate cross-border trading of both power and grid services, ensuring that they will accommodate a wide range of operating situations.

• Establishing shared technical standards and protocols that will ensure open access, enabling the deployment of equipment from any chosen manufacturer.

• Developing information, computing and telecommunication systems that enable business to utilise innovative service arrangements to improve their efficiency and enhance their services to customers.

• Ensuring the successful interfacing of new and old designs of grid equipment to ensure interoperability of automation and control arrangements.

The following matrix captures the SmartGrids Research Areas and Research Tasks:

| Research Area | Research Task |
|---|---|
| RA 1 – Smart Distribution Infrastructure (Small customers and Network Design) | RT 1.1: The distribution networks of the future – new architectures for system design and customer participation |
| | RT 1.2: The distribution network of the future – new concepts to study DG integration in system planning |
| RA 2 – Smart Operations, Energy Flows and Customer Adaptation (Small Customers and Networks) | RT 2.1: The networks of the future – a system engineering approach to study the operational integration of distributed generation and active customers. |
| | RT 2.2: Innovative energy management strategies for large distributed generation penetration storage and demand response. |
| | RT 2.3: The distribution networks of the future – customer driven markets. |
| RA 3 – SmartGrid Assets and Asset Management (Transmission and Distribution) | RT 3.1: Network asset management – Transmission and Distribution |
| | RT 3.2: Transmission networks of the future – new architectures and new tools. |
| | RT 3.3: Transmission networks of the future – long distance energy supply. |
| RA 4 – European interoperability of SmartGrids (Transmission and Distribution) | RT 4.1: Ancillary services, sustainable operations and low level dispatching. |
| | RT 4.2: Advanced forecasting techniques for sustainable operations and power supply. |
| | RT 4.3: Architectures and tools for operations, restorations and defence plans. |
| | RT 4.4: Advanced operation of the high voltage system – seamless smart grids. |
| | RT 4.5: Pre-standardisation research |
| RA 5 – Smart Grids Cross-Cutting Issues and Catalysts | RT 5.1: Customer interface Technologies and Standards. |
| | RT 5.2: The network of the future – Information and Communication. |
| | RT 5.3: Multiple Energy Carrier Systems. |
| | RT 5.4: Storage and its strategic impact on grids. |
| | RT 5.5: Regulatory incentives and barriers. |
| | RT 5.6: Underpinning technologies for Innovation. |

Table 1 - Research Areas and research Tasks of SmartGrids

According to SmartGrids, through standardization, modularization and programmable functionality an economy of scale will be possible, leading to lower costs and more expandable systems.