Brazilian System Operator Online Security

Assessment System Jorge Jardim, Senior Member, IEEE, Carlos Neto and Marcelos Groetaers dos Santos, Member, IEEE

On the other hand, there have been many challenges for

deploying real time security assessment tools, the main being

the achievement of accuracy and time performance. As

operating conditions vary continuously, obviously the

assessment must be fast enough to be of any use.

Abstract--Implementation details and performance results of

the Brazilian System Operator dynamic security assessment are

presented. It describes the adopted models, analytical methods

and functions. Important implementation issues such as network

size, contingency screening, EMS integration, user interface and

quality of data are also commented. . The computational burden of a security analysis depends

basically on network model size, number of contingencies

(disturbances with considerable probability of occurring),

analytical methods, assessment functions needed and level of

modeling details. Accuracy is dictated mainly by the later.

Early works in this area would only consider analytical

methods based on simplified network modeling, as there was

no other alternative to meet time requirements. Today, high

performance computing is available at low cost. This has

made detailed modeling methods competitive. Hybrid

security assessment system solutions that combine simplified-

fast and detailed-accurate algorithms are also considered when

designing a security assessment system, as an attempt to take

advantage of the best of both worlds.

Index Terms -- Contingency analysis, distributed processing,

dynamic security assessment, dynamic simulation, energy

function, power flow, security region.

I. NOMENCLATURE

DSA - Dynamic Security Assessment System.

EMS - Energy Management System.

OLTC - On Load Tap Change.

ONS - Operador Nacional do Sistema Elétrico - Brazil

RTU - Remote Terminal Unit.

II. INTRODUCTION

POWER system security assessment is a fundamental

process in the expansion and operational planning of

power grids. Assessments are based on simulation studies to

quantify vulnerability of power systems when subject to major

disturbances. Such studies are performed off-line by expert

engineers for the purpose of upgrading the grid, planning

near-future outage schedules, validating economical or

transaction dispatches, etc. However, the need of online

security assessment has been recognized for decades [5-8].

There are plenty of reasons for that, but essentially it may be

risky or anti-economical or both to relying only on off-line

studies for operating stressed networks or networks with high

levels of operational uncertainties. It is not possible, even for

well-planned systems, to assess all possible real-time

operating conditions off-line because of the combinatorial

nature of the problem, which makes it very complex from the

computational viewpoint. Consequently off-line operation

planning can be over conservative, when based on worst-case

scenarios, or optimistic, when oversees possible degraded

operating conditions.

Other critical issues are related to quality of real-time data

available and possible impacts of advanced applications on

existing operation and planning processes.

In this paper the design choices made for the ONS DSA

[11-13] and related critical issues are presented. Section III

briefly describes the characteristics of the Brazilian system

and ONS control centers. Section IV presents the methods

and algorithms adopted and main assessment functions. Other

implementation issues are depicted in Section V. Section VI

shows performance results. This is followed by conclusions.

III. DESCRIPTION OF THE BRAZILIAN SYSTEM

The installed capacity of the Brazilian power system is

approximately 88.000 MW being 84% hydro and 16% thermal

(coal, oil, nuclear and gas) generation. There are 80,000 km

of transmission lines (230 kV and above). The peak load is

around 57 MW. The system is owned by various utilities and

operated by the Operador Nacional do Sistema Elétrico –

ONS.

The power system model for studies at operational

planning environment contains approximately 4000 buses and

5600 branches, considering all voltage levels. Supervised

data from the various utilities are concentrated in four regional

centers and retransmitted to the main control center. All

centers perform their own topology processing, state

estimation and steady-state analysis, but the model available at

the main control center is more suitable for dynamic security

J. Jardim is with Operador Nacional do Sistema Elétrico - ONS, 20091-

005 Rio de Janeiro, RJ Brazil (e-mail: jorge.jardim@ons.org.br).

C. Neto is with Operador Nacional do Sistema Elétrico - ONS, 20091-005

Rio de Janeiro, RJ Brazil (e-mail: cneto@ons.org.br).

M. G. dos Santos is with Operador Nacional do Sistema Elétrico - ONS,

20091-005 Rio de Janeiro, RJ Brazil (e-mail: marcels@ons.org.br).

71­4244­0178­X/06/$20.00 ©2006 IEEE PSCE 2006

analysis, as it is a superset of the regional models. This

includes a supervised network (mainly 230 kV and above) of

approximately 1800 buses. Ongoing installation of new

Remote Terminal Units - RTUs will increase this figure in a

near future.

IV. METHODS, ALGORITHMS AND MODELING

A. Assessment Functions

Six security analysis methods are currently available in the

ONS DSA, as follows.

Operating Point Stead-State Contingency Analysis –

This is the classical steady-state contingency analysis.

For this method four criteria are checked and

tabulated: thermal limit violation, voltage violation,

voltage deviation and no power flow solution.

Contingencies can be ranked according their respective

severity.

Operating Point Dynamic Contingency Analysis –

This is a dynamic contingency analysis. For this

method nine criteria can be checked and tabulated:

transient temporized voltage sag, transient

instantaneous voltage sag, transient temporized voltage

swell, transient instantaneous voltage swell, MW

margin for critical generators and critical cluster,

synchronous generator angular damping, transient

angle deviation, steady-state angle deviation and

frequency deviation.

Import-Export steady-state transfer limit between two-

generation areas. Boundaries are given for the four

steady-state criteria.

Import-Export dynamic transfer limit between two-

generation areas. Boundaries are given for the nine

dynamic criteria.

Steady-state security region computation - This is the

set of secure power dispatch for three interconnected

generation areas. A security contour can be given for

each steady-state criterion.

Dynamic security region computation - This is the set

of secure power dispatch for three interconnected

generation areas. A security contour can be given for

each dynamic criterion.

Import/export transfer limit functionality computes security

borders of a transmission corridor. Two interconnected

generation regions are defined. Power is exchanged back and

forth to search the security boundaries (import/export). A

boundary per criterion can be computed. The available criteria

are the same as the contingency analysis.

The security region is similar to import/export limit

calculations, but in this case there are three-generation groups

instead of two. It is also possible to consider two-generation

groups and a load group as a set of variable parameters. The

available criteria are the same as for contingency analysis.

B. Preventive and Corrective Functions

The DSA offers the following resources for preventive

corrective actions:

Ranking of voltage control resources (generator or

shunt compensation) to correct voltage violation.

Suggested MW re-dispatch (amount and location) to

alleviate thermal limit violation.

Suggested MW re-dispatch (amount and location) to

avoid angular instability.

Suggested MW re-dispatch (location) to improve

damping.

Suggested load shedding (amount and location) to

move from alert/emergency states to secure state.

One important aspect to be emphasized here is the

importance of results visualization, in particular for security

region computations, as it automatically provides simple

means of removing violations by moving the operating point

in the generation/load space (MW changes).

C. Analytical Methods

ONS DSA adopts the detail modeling approach, but it also

contains simplified methods for filtering and sensitivity

calculations. The following methods are used in the

implementation of the above functions.

Power Flow Methods: The power flow methods can

represent up to 100,000 buses and 100 bus sections per bus.

Models for voltage sensitive loads, shunt compensation

(continuous and discrete), phase shifters, on load tap changers

and DC links (conventional and capacitor commutated

converter) are available. The power flow computation

methods are the following.

DC power flow: This method is used only for

initialization and contingency screening purpose.

Full-Newton power flow: In this method all controls

(OLTC, DC Link, etc.) are solved simultaneously by

the Newton method.

Synthetic Dynamic Power Flow: This is a very robust

power flow method [14] in which most of controls are

represented by synthetic dynamic models. The

formulation is such that if the solution exists and the

problem is properly formulated, the solution is found.

This method is many times slower than the Newton

method. Therefore, it is only used when it is absolutely

necessary to confirm the existence of a power flow

solution.

Continuation Power Flow: The tangent vector

approach [9] is adopted for this implementation. The

continuation method is used for moving operating

points in search of security borders or for computation

of PV curves (maximum loadability).

Optimal Power Flow: The primal-dual interior point

method [2] is adopted for this implementation. It is

currently used to generate bases for near-real-time and

days-ahead scenarios. There are also plans for using it

for contingency constrained optimization.

Sensitivity Analysis: This is used to ranking controls

for voltage and flow controls and estimate contingency

severity.

8

V. OTHER IMPORTANT ISSUESTime Domain Simulation Method: The simulation method

adopts the ABM-BDF numerical integration method [1,3]

associated with variable-step-variable-order approach and

simultaneous solution of algebraic and differential equations.

These characteristics allow improved performance (more than

10 times faster) compared to the fixed time step approach and

high numerical stability. Simulations can be early terminated

either by instability detection or steady-state convergence.

A. Network Size

Of course, the size of the network directly impacts

performance. Therefore, it is important to minimize the size

of the network through the use of equivalents, as long as it

does not impact the results of the assessment for the areas of

interest. The present supervised and planning study networks

contain approximately 1800 and 4000 buses respectively.

Currently there is no external equivalent represented in the

real-time simulation model. But there is an ongoing study to

determine the ideal network size for this model. Simulations

with both models must provide similar results. It is expected

that there will be necessary to include some low-voltage

unsupervised equivalents to improve the model.

Energy Function and Single Machine Equivalent Methods:

Individual numerical energy functions [16] and SIME [4]

methods are used for energy margin computation and filtering

of critical machines.

Prony Analysis: This method [15] is used for modal

analysis (damping assessment) of synchronous machines.

D. Dynamic ModelsReal time base cases include almost all generation power

plant and their respective transmission systems. Therefore, no

external dynamic equivalent is required, but similar generating

units at a power plant are automatically aggregated for

security assessment studies, which significantly reduces the

size of the dynamic model.

Dynamic models necessary to simulate the Brazilian

system include synchronous machines and respective controls,

dc links (conventional and capacitor commutated converter),

static var compensators, controlled series capacitors, OLTC,

out-of-step, under-voltage and under-frequency relays, and

special protection schemes.B. Contingency Set

E. Distributed Processing Architecture A large set of contingencies dramatically impacts

performance. Therefore, it is important to have means of

selecting only those that can potentially cause criteria

violation. So far, off-line security assessment studies around

the world have been performed using small sets of

contingencies. This can be done because engineers know

from repetitive simulations what are the bottlenecks of their

systems. Besides, it is not practical to process, book-keep and

post-process thousands or even hundreds of cases manually.

Therefore, it is quite unnecessary and a waste of time to

impose thousands of contingencies to the real-time security

assessment. On the other hand, the contingency set cannot be

too small at the risk of missing critical ones. Therefore, a

larger than necessary set is initially used and subsequently

filtered (contingency screening) to improve performance.

To meet the performance requirements, the DSA adopts a

distributed processing approach in a manager/worker

(master/slaves) configuration, Fig. 1. The manager process

contains the high level instructions to perform a security

assessment functionality. The low-level instructions (solve a

power flow problem, perform a time domain simulation, etc.)

are done at worker processes. Manager is responsible for

generating base cases, distributing tasks among servers,

collecting the respective reports, communicating with external

world, managing distributed resources, storing/displaying

results and plots. Workers receive tasks, process them using

the specified power system simulation tool and send

respective diagnosis in a report to the Client.

DSA

Server N

DSA

Server 2

DSA

Server 1

DSA Manager EMS Algorithms and methods based on simplified modeling and

artificial intelligence methods are more suitable for

contingency screening. So far, the DSA has only used DC

power flow and sensitivity analysis for contingency screening.

A new method for dynamic contingency screening, which

does not require time simulation, is under development.

However, the authors consider that artificial intelligence

algorithms are potentially the best approach in this area [12].

The screening should also be able to simultaneously select

cases based on multi-criteria (steady-state and dynamic).

Fig. 1. Client-Server distributed processing environment.

Fail of a worker process can be detected by the manager

process, which reassigns the task to another process. This

also causes an alarm for system maintenance. A monitor

process in the EMS detects fails of the manager process and

restart the DSA reallocating the manager process to another

node if necessary.

C. Quality of Real-Time Data

Online security assessment is only possible if there are

sufficient and good quality real-time data available for the

kind of required analysis. The real-time model in ONS

includes most of the bulk transmission system and power

plants. This enables dynamic studies for almost all regions.

However, problems with data measurement, database and state

estimation have prevented full use of the DSA tools. A lot of

The DSA at the main control center uses 12 3GHz

processors and run under Windows platform. Regional

control centers will also run DSA functions in a near future.

9

effort has been dedicated to improvements on these areas.

Special attention must be paid to the problem of ill defined

or conflicting controls in the power flow model (e.g., two

parallel OLTC transformers controlling different buses).

Although the software must be prepared to deal with such

situations, this has a performance cost that can and should be

avoided.

D. Impact on Processes

Implementation of any online security assessment

functionality affects existing planning and operating

processes, which may need to be re-engineered. Operating

orders must be adapted to avoid possible conflicts with the

DSA results.

E. Integration with EMS

In the current phase network state is exchanged by flat file,

the DSA system runs asynchronously with EMS and the

graphical user interface is the one implemented in the DSA

system. In the last phase, the DSA system access the EMS

database to retrieve network data, runs synchronously with

EMS, DSA results are updated in the EMS database and EMS

displays the results.

ONS uses presently three different technologies in its five

control centers. As there is a high probability of upgrading to

just one in a near future, the project to tightly integrate the

DSA has been postponed.

F. User Interface

The DSA graphic interface is based on windows. Data

input and editing is done through dialog boxes. Data output is

displayed in report tables, Fig.2, nomograms (2-dimensional

plotting), Fig. 3 , and single-line diagrams, Fig. 4.

The security region visualization, Fig. 3, is one of the most

powerful visualizations tools for security assessment.

Dispatchers can see if the operating point in generation

coordinates lies in the secure (green) or alert (yellow or red)

region. If the operating point (OP) is in the yellow region, at

least one of the credible contingencies will cause thermal limit

violation. If the operating point is in the red region, at least

one of the contingencies will cause instability. Mouse

positioning tips and report tables provide detail information

per violation. One contour per security criterion can be plot.

For example, a contour for voltage drop (blue) is also plot in

Fig. 3.

Single line diagrams are useful to quickly inspect out of

services components and data editing in study mode. It can be

also a powerful visualization tool for signaling violations.

There are plans for developments in this area.

The user interface resides in the manager process, but are

imported and displayed in any of the dispatcher's monitors or

projected on the control room wall as any other EMS

interface.

G. Future Developments

There are two main development plans for this project.

One is focused on the improvement of contingency screening

methods using fast-simplified methods and artificial

intelligence algorithms. The other is to quantify risk on the

assessment [10].

Fig. 2. Report tables - generator security margin.

Fig. 3. Security region nomogram.

Fig. 4. Single line diagram.

VI. PERFORMANCE

The performance must meet the requirements and is

affected by the following factors.

- The choice of methods and algorithms as mentioned in

the previous paragraphs.

- Size of the network model.

- Number of contingencies to be simulated.

- Computational resources available.

Ideally the time taken for completing security assessment

analysis should be minimal, i.e., assessment should be

10

completed a few seconds after the system state has been

estimated. In practice, some minutes are tolerated, as it is

assumed that system state does not change significantly during

the tolerance period. However, one can claim that tolerance in

the range of minutes can be dangerous as events causing large

discontinuities, such as tripping of a major transmission line,

can invalidate the assessment results, living dispatcher without

reliable information for the same period. On the other hand,

the existence of real-time security assessment implies that

major events (disturbances) have already been considered in

previous analyses and should at most move the system to alert

state.

Performance requirements are typically in the range of 2 -

15 minutes. The actual response varies with system operating

conditions, i.e., computational cost of power flow and time

domain simulations are generally more expensive for stressed

cases. The target performance per function for ONS DSA is

shown in Table I.

TABLE I

PERFORMANCE REQUIREMENTS

Functionality Contingencies Performance

Static Contingency

Analysis

100 < 10 s

Dynamic Security

Analysis

100 < 1 min

Static Transfer

Limit

10 < 5 s

Dynamic Transfer

Limit

10 < 30 s

Static Security

Region

10 < 1 min

Dynamic Security

Region

10 < 2 min

State estimation is processed every 2 minutes. Therefore, it

is desirable that the most expensive function (dynamic

security region) should run within this cycle. Again, if the

system size increases and/or more functions or contingencies

need to be added in the cycle, it is possible to adjust the

response by adding more processors.

VII. CONCLUSIONS

This paper presents the main features and experience with

the ONS DSA. The system employs traditional analytical

tools such as power flow and time domain simulations

methods.

Detailed modeling and embedded diagnosis algorithms

such as energy function and Prony analysis are used for

dynamic simulations. Functions for contingency analysis,

transfer limits and security region are available. The DSA

meets the required performance using distributed processing.

Significant effort is being applied to improve the quality of

real-time data, which is a sine qua non condition to implement

an online DSA.

Integration of the DSA with the EMS is currently through

flat files, but a tight coupling is planned.

Special attention must be paid to the impact of online DSA

in real-time and planning processes.

Future developments are in the field of risk security

assessment and artificial intelligence contingency screening.

VIII. REFERENCES

Periodicals: [1] J. Y. Astic, A. Bihain and M. Jerosolimski, “The mixed Adams - BDF

Variable Step Size Algorithm to Simulate Transient and Long Term

Phenomena In Power Systems”, IEEE Trans. on PS, Vol. 9, No. 2, May

1994.

[2] S. Granville " Optimal reactive Dispatch Through Interior Point

Methods" , IEEE Trans. PS, Vol. 9, No. 1, Feb 1994.

Books:[3] J. D. Lambert, "Numerical Methods for Ordinary Differential Systems:

The Initial Value Problem", Wiley, 1991.

[4] M. Pavella, D. Ernst, D. Ruiz-Veja “Transient Stability of Power

Systems: A Unified Approach to Assessment and Control”, Norwel,

MA: Kluwer, 2000.

Technical Reports: [5] T. E. DyLiacco, "Control of Power Systems via the Multi-level

Concept," Case Western Reserve University System Research Center

Report No. SRC-68-19, June 1968.

Papers from Conference Proceedings: [6] H. D. Limmer, "Security Applications of On-line Digital Computers,"

Second Power Systems Computation Conference, Stockholm, June 27,

1966.

[7] S. Hayashi, "Power System Security Assessing by Digital Computer

Simulation - Basis Control," in Proc. PICA Conference, Denver,

Colorado, May 18-21, 1969.

[8] A. S. Debs, A. R. Benson "Security Assessment of Power Systems," in

Proc. System Engineering for Power: Status and Prospects, Henniker,

NH, Washington, DC, 1975.

[9] V. Ajjarapu, C. Christy, 'The Continuation Power Flow: A Tool for

Steady State Voltage Stability Analisys', IEEE PICA, May 91, pp 304-

311.

[10] A. M. Leite da Silva, J. L. Jardim, A. M. Rei, J. C. O. Mello “Dynamic

Security Risk Assessment”, Power Engineering Society Summer

Meeting, 1999 IEEE, Vol. 1, pp 198-205, 18-22 July 1999.

[11] J. L. Jardim, C. A. da S. Neto, A. P. Alves da Silva, A. C. Zambroni de

Souza, D. M. Falcão, C. L. T. Borges, G. N. Taranto, “A Unified On-

Line Dynamic Security Assessment System”, Cigré, Paris, France, 27

Ago – 1 Sep 2000.

[12] J. L. Jardim, “Online Dynamic Security Assessment: Implementation

Problems and Potential Use of Artificial Intelligence”, Power

Engineering Society Summer Meeting, 2000. IEEE, Volume: 1, 16-20

July 2000.

[13] J. L. Jardim, C. S. Neto, W. T. Kwasnicki “Design Features of a

Dynamic Security Assessment System”, IEEE Power System Conference

and Exhibition, New York, Oct 13-16, 2004.

[14] J. L. Jardim, B. Stott, "Synthetic Dynamics Power Flow", IEEE General

Meeting, San Francisco, 12-16 June 2005

[15] J. F. Hauer "Application of Prony Analysis to the Determination of

Modal Content and Equivalent Models for Measured Power System

Response”, IEEE Winter Meeting, 215-4 PWRS, 1991.

[16] J. L. Jardim, B. Cory, N. Martins, “Efficient Transient Stability

Assessment Using Transient Energy Function”, Power Systems

Computation Conference – PSCC, Trondheim, Norway, June 1999.

[17] X. V. Filho, M. V. Ferreira, P. Gomes, M. G. Santos, E. Nery "A

Probabilistic Approach to Determine the Proximity Effect of the Voltage

Collapse Region," Cigré Session, Paris, France, Sep 1994.

[18] R. Prada, X. V. Filho, P. Gomes, M. G. Santos "Voltage Stability System

Critical Area Identification Based on the Existence of Maximum Power

Flow Transmission," 11th Power System Computation Conference -

PSCC, Avignon, France, Aug-Sep 1993.

11

IX. BIOGRAPHIES

Jorge Jardim received his PhD from Imperial College, London, UK. He

has worked in Rio de Janeiro in the FURNAS utility company, and at the

national electric power research center CEPEL. He is currently at ONS, the

operator of the Brazilian national power system. From 1999-2002 he was

with BC Hydro in Vancouver, Canada. His main field of interest is power

system analysis methods and software, with emphasis on voltage and dynamic

stability.

Carlos S. Neto received his B.Sc. in Electrical Engineering, in 1984, and

M.Sc. in Systems Engineering and Computation, in 1999, both from the Rio

de Janeiro Federal University, Brazil. He worked for a consulting (Themag)

and a utility (Furnas Centrais Eletricas) company and for a research center

(CEPEL) in Brazil. He worked also for a utility company (BCHydro) in

Canada. At present he is at ONS, Operador Nacional do Sistema (Brazilian

ISO). He has worked with power systems applications development and

studies in planning and operation areas.

Marcelos Groetaers dos Santos received his B.Sc. in Electrical

Engineering from Federal University of Rio de Janeiro, UFRJ, in 1982 and

M.Sc. from Federal University of Itajuba, UNIFEI, in 1995. He is presently

completing the D.Sc. degree at Fluminense Federal University, UFF, in the

area of power system security risk assessment. He was with CEPEL from

1982 to 1984. In 1985 he joined ELETROBRAS where he was in charge of

studies on power system steady state and dynamic performance and control in

the System Operational Planning and Technological Development

Department.

He lectured Power System Stability from 1986 to 1992 at Veiga de

Almeida University, UVA, Brazil, and at Escuela Superior Politecnica del

Litoral, ESPOL, Ecuador, in 1996, where he lectured and developed projects

in power system engineering education. He is currently working at Operador

Nacional do Sistema Elétrico, ONS, the Brazilian ISO, as manager of the

Electrical Methodologies and Models Department.

12