206 IEEE TRANSACTIONS ON SMART GRID, VOL. 4, NO. 1, MARCH 2013

Reliability Analysis of Substation Automation System Functions Using PRMs

Johan König, Student Member, IEEE, Lars Nordström, Member, IEEE, and Magnus Österlind

Abstract—This paper presents the application of a framework for reliability analysis of substation automation (SA) system functions. The framework is based on probabilistic relational models, which combine the probabilistic reasoning offered by Bayesian networks with architecture models in the form of entity relationship diagrams. In the analysis, both the physical infrastructure and the logical structure of the system are regarded, in terms of qualitative modeling and quantitative analysis. Moreover, the framework treats failures caused by software. An example is detailed with the framework applied to an IEC 61850-based SA system. The logical structure, including functions and their relations, is modeled in accordance with Pieces of Information for COMmunication (PICOM) defined in the IEC 61850 standard. By applying PICOMs as the frame of reference when modeling functions, the model instantiation becomes more standardized compared to subjectively defining functions. A quantitative reliability analysis is performed on a function for tripping a circuit breaker in case of a mismatch between currents. The result is presented both in terms of a qualitative architecture model and a quantitative result showing the probability of successful operation during a period of one year.

Index Terms—IEC 61850, PICOM, probabilistic relational models, reliability analysis, substation automation systems.

I. INTRODUCTION

THE MODERN society is unquestionably heavily reliant on the supply of electricity. Hence, the power system infrastructure is one of the most important infrastructures for future growth. However, the power system of today was designed for a stable radial flow of electricity from large power plants to the customers, not for large-scale integration of hybrid electric vehicles, wind power plants, solar cells, etc., in particular with regard to the design of power system control and protection functionality. Problems occur when the flow of electricity changes from a unidirectional radial flow to a bidirectional one. Such a change requires redesign of control and protection functionality as well as the introduction of new information and communication technology (ICT). The closer the interaction between the power system and the ICT systems, the more complex the matter becomes from a reliability perspective. Hence, reliability becomes more of a cyber-physical concern, including everything from system software to power cables and transformers, rather than the traditional reliability concern of focusing only on power system components.

A number of standards have been developed by the power industry to effectively integrate new ICT technology. Standards such as IEC 61850 [1] and the Common Information Model (CIM) [2] have opened new ways for system vendors to design their products with a standardized interface, which has created a platform for interoperability without specifying component or system architecture. The logical aspect is also important when designing ICT system architecture, where IEC 61850 enables functional allocation independent from the physical infrastructure in a harmonized way. Consequently, ICT system architecture includes the design of the physical infrastructure together with a logical structure with proper allocation of functionality. Failure scenarios of protection and automation systems within substations, as part of the power system, are for example shown in [3] to depend directly both on the logical system structure and on the physical architecture. Hence, when analyzing reliability one should be aware of both cyber-physical aspects and logical aspects.

Manuscript received March 16, 2012; revised September 21, 2012; accepted October 02, 2012. Date of current version February 27, 2013. Paper no. TSG-00114-2012.
The authors are with the KTH Royal Institute of Technology, School of Electrical Engineering, Department of Industrial Information and Control Systems, Stockholm SE-10044, Sweden (e-mail: {[email protected]; [email protected]; [email protected]}).
Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TSG.2012.2225452

A. Scope of the Paper

The scope of the paper is to present and test the application of a probabilistic framework for reliability analysis of Substation Automation (SA) systems based on IEC 61850. The framework is based on Probabilistic Relational Models, which specify a template for a probability distribution over an architecture model. In the current paper the modeling of functionality in SA systems is based on Pieces of Information for COMmunication (PICOM) defined in the IEC 61850 standard.

B. Relation to Previously Published Work

The framework development has previously been presented in the research literature in a number of iterations [4], [5] and [6]. The current work mainly differs in tailoring the framework and its application to IEC 61850-based SA systems, in particular by using PICOMs for modeling functionality. A description of how to apply the framework is also presented, and each step is put into a layer context, separating the hardware and the logic. A particular focus is also put on acknowledging and contrasting closely related work dealing with similar aspects of reliability analysis of SA system functionality.

C. Paper Outline

The paper starts with a definition of reliability and reliability analysis, and continues with related work on the subject. It then continues with a presentation of the framework together with important aspects of reliability analysis of SA systems. After that the framework is shown applied to an SA system setup, both in terms of qualitative modeling and the result from the quantitative reliability analysis. Conclusions of the framework application end the paper.

1949-3053/$31.00 © 2013 IEEE

II. RELIABILITY ANALYSIS

According to the IEEE Standard Computer Dictionary [7], reliability is the ability of a system or component to perform its required functions under stated conditions for a specified period of time. As stated, reliability can regard either components or systems. Components, in contrast to systems, generally have naturally defined boundaries, whereas systems can consist of a number of components of different types or even of other systems (systems of systems), so it is important to define the boundaries of the system in focus. Using the definition in [7], a system is: a collection of components organized to accomplish a specific function or set of functions; whereas a subsystem, using the same source of reference, is defined as: a secondary or subordinate system within a larger system. In our case we are focusing on both systems and subsystems. The system, or subsystem, boundary is naturally determined by the functions to be analyzed, i.e., only the components needed to realize the target function(s) are included in the analysis.

The definition also states that the main concern is for the system (or component) to perform its intended function. ICT systems acting on the power grid offer a variety of functions, for example voltage-stability monitoring and control or time synchronization of real-time measurements, which are realized by both hardware and software components of different types with communication over large distances. Graphical models provide an effective tool for understanding and analyzing systems and their architecture. They are also useful for understanding dependencies between components, for example when analyzing and identifying the impact of a single component's failure on the rest of the system. Most of the well-known methods for reliability analysis, such as Fault Tree Analysis (FTA), Reliability Block Diagrams (RBDs), Markov chains and Bayesian Networks (BNs), provide a visual modeling language to improve understanding and ease the analysis. In the next section some of these methods are presented and discussed in the context of their suitability for reliability analysis of SA system functionality.

A. Methods for Reliability Analysis

System reliability analysis is a mature field and there is an abundance of system reliability analysis techniques, including methods such as RBDs, FTA, Failure Mode and Effects Analysis (FMEA), Markov chains and BNs [8]. In the category of qualitative methods we find for example FMEA [9]. In FMEA, each system component's failure mode and its impact on the rest of the system is documented. The method is particularly useful for systems with single component failures; thus the approach is not well suited for systems with a fair degree of redundancy [8]. An alternative approach is state-based analysis. State-based methods enumerate all possible system failure states and are not limited to stochastically independent failure of components. This expressiveness comes at a price: models for state-based analysis using Markov chains [10] grow exponentially with the number of system components [11]. One of the most frequently adopted methods is FTA, which translates the failure behavior of a physical system into a visual diagram and a logical model [8]. The modeling structure of FTA allows the modeler to visualize the system architecture in terms of a primary component's relational dependency on subcomponents [12]. Reliability analysis using FTA is much like the approach based on RBDs [8]. The concept behind RBDs is to identify undirected relational paths between components within the architecture. In [13], [14] Bobbio et al. showed how FTA can be translated into BNs [15], thus augmenting the intuitiveness of FTA with the probabilistic reasoning capabilities of BNs. Bayesian networks are also a subset of Probabilistic Relational Models (PRM), further described in Section III. Casually put, the PRM formalism uses BNs to describe and quantify probabilistic dependencies between class attributes in class diagrams.

B. Reliability Analysis of Power System Control and Protection

Numerous works can be found in the research literature addressing the issue of reliability analysis of power system control and protection. In [16] fault tree analysis is used to analyze the availability and reliability of different system architectures. Similar work is presented in [17], where FTA is applied in a case study of a large substation integration project, as well as in [18], which details the application of FTA for various transmission protection architectures. In [19] a combination of FTA, FMEA and event trees, combined with dynamic power system simulations, is used for probabilistic analysis of power system reliability.

How to apply FTA techniques, in particular for reliability assessment of protection systems, is presented in [20]. The authors only present an elementary background to the application of FTA; however, an important aspect they address is the importance of establishing boundaries and limitations of the analysis. Another interesting article is [21], which presents the analysis of different SA system architectures using RBDs. However, none of these papers address the aspect of logical relations and their allocation in the SA system architecture.

In [22] a Markov state model is used for reliability analysis of various SA system architectures, particularly focusing on communication architecture and redundancy of system functionality. The paper also addresses different architectures and their impact on distributed functions, for example if a function is allocated to bay or station level. In [23] a methodology for calculating reliability and availability parameters for IEC 61850-based SA systems is presented.

A more thorough effort on addressing interactions between functions in SA systems is presented in [24] and [25]. In these papers the reliability and availability assessment is structured in a three-step process, starting with an assessment of a functional model, then a hardware model, and as the final step assessing the hardware and function interfaces. The functional model is described in an event tree which is mapped to the hardware using an interface table. Both papers focus primarily on the reliability of secondary systems and do not consider the probability of failing primary equipment.


The most closely related work is presented in [26], where the author describes a technique for reliability evaluation of SA systems. In contrast to the previously referred related work, this paper considers both the hardware infrastructure, including both power system components and ICT components, and the logical structure and its relation to the hardware. The hardware infrastructure is modeled using RBDs, and the functional modeling uses event trees. Relations between hardware components and, in this case, control functions are documented using a linking table. Although useful, the method requires a total of three different modeling approaches to capture all the aspects for reliability analysis of the SA system and its functions, which is two more than the framework presented in this paper.

III. ANALYSIS FRAMEWORK

The current section presents the complete analysis framework together with the reliability model used for probability calculations. Before going into detail on the framework, a short introduction to PRMs is presented.

A. Probabilistic Relational Models

Probabilistic Relational Models (PRM) extend Bayesian networks with the concept of objects, their properties, and relations between them [27]. A PRM specifies a template for a probability distribution over an architecture model. The template describes the metamodel for the architecture model—defining a set of classes, with each class associated with a set of descriptive attributes and a set of reference slots—and the probabilistic dependencies between attributes of the architecture's objects. An architecture instantiation (or an architecture model) specifies the set of objects in each class, the values for the attributes, and the reference slots of the objects. It specifies a particular set of components, functions, etc., along with values for each of their attributes and references. A PRM, together with an instantiated architecture model of specific objects and relations, defines a probability distribution over the attributes of the objects. A PRM thus constitutes a formal machinery for calculating the probabilities of various architecture instantiations. This allows us to infer the probability that a certain attribute, e.g., reliability, assumes a specific value, given some (possibly incomplete) evidence of the rest of the architecture instantiation. For a more comprehensive description of the formal PRM language, see [27]. A number of applications of PRMs for probabilistic system quality analysis are found in the research literature, for example for security risk analysis [28] and dependability analysis [29].

B. Description of Analysis Framework

As described in [3], the engineering of an SA system is a complex process, with questions to be answered such as the position of any Intelligent Electronic Device (IED) within the system structure, their relation to the switchyard and the functions to be performed. The report also states that in the specification of the substation, functions should be defined without any relation to devices. If all the requested functionality is specified without any relation to the infrastructure, it then becomes possible to optimize the infrastructure solution based on functional requirements [30]. The situation is however not always as easy as starting with a blank sheet of paper; instead one is often stuck with legacy systems and would like to add new devices or functions. In such a case it is preferable to start by modeling the as-is state, normally beginning with the hardware infrastructure. So, from a qualitative modeling perspective it is up to the modeler to decide whether to start with the logical structure or the physical infrastructure. We continue with a description of each of these steps.

1) Logical Structure: The logic of an SA system refers both to functionality found in the switchyard and to functions implemented in the control and protection systems. The logical structure refers to the relations between functions in the switchyard, functions implemented in the control and protection systems, and relations between switchyard functions and control and protection system functions. As previously described, the reason for focusing on the dependencies between functions is that the IEC 61850 standard enables allocation of functionality independent from the hardware infrastructure, of course with some restrictions and constraints on what is actually feasible, given physical boundary conditions such as shielded rooms, distance and performance requirements. But excluding such constraints, functionality can be deployed in many different ways with less consideration of the hardware infrastructure.

2) Physical Infrastructure: The physical infrastructure of an SA system includes ICT components, such as IEDs, switches and station computers, as well as equipment found in the switchyard, such as circuit breakers, busbars and transformers. The modeling of hardware is essential for understanding the relations between the components as well as for identifying structural properties that are of importance, for example for analysis of redundancy. Another important aspect is the fact that functions do not fail on their own, but instead are affected by failures of components in the physical infrastructure. Hence, identifying infrastructure components is vital for finding proper failure rates in order to be able to perform quantitative reliability analysis of SA systems. It is to be noted that software applications are also counted as part of the physical infrastructure.

3) Relations Between Logic and Physical Infrastructure: To be able to analyze the reliability of SA system functions, the logic needs to be related to physical infrastructure components, i.e., the failure sources. A major difference between switchyard equipment and control and protection devices is that switchyard equipment has a number of fixed functions, while modern control and protection devices can easily be configured with a variety of functions in different configurations. Hence, a control and protection system can be configured in a number of ways without changing the infrastructure architecture.

4) Redundancy: Redundancy is probably one of the most important aspects for improving the reliability of systems and their functionality. When implementing redundancy one must regard both the possibility of infrastructure redundancy, for example multiple devices, switches and communication links, and redundant functionality, for example where a backup function is triggered if a function does not respond within a specified time. While the concept of infrastructure redundancy is fairly clear, functional redundancy may be a bit more difficult to identify and implement. Hence, functional redundancy may not always be implemented in the control and protection systems but could rather be a manual operation issued by the grid operator from the control room, or protection with backup, e.g., main 1 and main 2 protection [30]. Therefore, a framework for reliability analysis of SA systems must grasp all such aspects in order to fully capture the reliability of the system and its functions.

Fig. 1. The PRM framework for reliability analysis—the left showing the main PRM and the right showing the gate PRM.

TABLE I
DESCRIPTION OF STRUCTURAL AND LOGICAL PRM ENTITIES

C. The PRM Framework

The complete PRM is presented on the left side of Fig. 1 and includes a total of five structural elements (hardware and software) and five logic elements (functions). On the right side of Fig. 1 a second PRM for AND and OR gates is presented. As seen, each of the five structural and five logic elements is described with relations to a superclass—Functions and Structure—that in turn is related to the gates. The classes inherit all the properties of the related superclass. A description of each PRM entity is presented in Table I.

TABLE II
CLASSES AND ATTRIBUTES WITH DOMAIN OF VALUES AND REFERENCE SLOTS FOR MAIN PRM

The entity relations are graphically represented by the dashed relations in Fig. 1, whereas attribute relations are represented by the solid arrows. The attribute relations are defined via slot-chain relations as defined in the PRM formalism. The complete list of relations between attributes and their domain of values for both PRMs is summarized in Tables II and III. As seen in Fig. 1, some relations are bi-directional, with each direction relating to a corresponding attribute relation. However, since Bayesian networks, and therefore also PRMs, only allow acyclic relations, it is not allowed to instantiate a cyclic relation. This means that two instantiated entities are only allowed to have a single relation to each other.

The logical operation of the AND and OR gates is performed in coherence with FTA [8]; i.e., the OR gate indicates that the output event occurs if any of the input events occur, and the AND gate indicates that the output event occurs only when all input events occur at the same time.

D. Reliability Model

TABLE III
CLASSES AND ATTRIBUTES WITH DOMAIN OF VALUES AND REFERENCE SLOTS FOR GATE PRM

In this paper the time to failure is modeled with exponential distributions, so that failures occur completely at random, independent of operating time [8]. The exponential distribution is the most commonly used distribution in applied reliability analysis. The reason for this is its mathematical simplicity and that it leads to realistic lifetime models for certain types of items [8]. The probability density function is given as:

(1)

In the stated equation one parameter is the operation time of an item, which is determined by the operational environment and its requirements, for example cycle time or maintenance interval, whereas the other parameter is equal to the failure rate function of an item with exponential life distribution [8]. Accordingly, the failure rate function is constant for an exponential distribution [8]. For this to be valid we assume that the system is stable, meaning that no changes are made to the system during the observation window. The failure rate is the reciprocal of the mean-time-to-failure (MTTF) [8], which is approximately equal to the mean-time-between-failures (MTBF) used for repairable systems and components if the mean-time-to-repair (MTTR) is negligible compared with the MTTF.

A simple way to determine the MTBF of a component with random failures is by studying the total number of failures for a known number of similar components over a specific operation time period, and then dividing the total operation time of all the components by the total number of failures. An appropriate time period must be determined in order to get an acceptable confidence level for the result.
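The relations stated in this section, written out as an added worked example that is not part of the paper's text. The symbols are assumptions chosen here for illustration: t is the operation time, λ the constant failure rate, f the density, R the reliability (survivor) function and h the failure rate (hazard) function; the 300-year MTTF is the network-connection figure the paper uses later in Section IV-B.

$$
f(t) = \lambda e^{-\lambda t}, \quad t \ge 0, \qquad
R(t) = \int_t^{\infty} f(u)\,du = e^{-\lambda t}, \qquad
h(t) = \frac{f(t)}{R(t)} = \lambda .
$$

$$
\mathrm{MTTF} = \int_0^{\infty} R(t)\,dt = \frac{1}{\lambda}, \qquad
\mathrm{MTBF} = \mathrm{MTTF} + \mathrm{MTTR} \approx \mathrm{MTTF} \quad \text{if } \mathrm{MTTR} \ll \mathrm{MTTF}.
$$

For an item with MTTF of 300 years observed over t = 1 year:

$$
R(1) = e^{-1/300} \approx 0.99667 \quad (99.67\%).
$$

The constant hazard h(t) = λ is what makes the MTTF alone sufficient as input: the probability of surviving the observation window does not depend on how long the item has already been in service, which is also why the derivation requires the system to be left unchanged during the window.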

IV. APPLICATION OF THE PRM FRAMEWORK

In order to standardize the modeling of SA system architecture, including functions and their relations, a requirement has been to be compliant with the IEC 61850 standard. As a result, as many functions as possible are modeled in accordance with the PICOMs defined in IEC 61850. The PICOMs describe information passed between Logical Nodes (LNs) and are for example used for performance analysis in [31] and for security analysis in [32]. An example of a PICOM is Trip Command, which is part of the communication from all defined protection LNs as well as other types of LNs. Following the naming of the PRM entities, only Conversion Functions and Secondary Functions are described by PICOMs. Infrastructure Functions can be modeled using the type of PICOM, for example Value Cyclic or Command Spontaneous; however, Primary Functions must be modeled by identifying the switchyard component's function, for example Open/Close a circuit breaker, and are not described by PICOMs.

Fig. 2. Hardware infrastructure of example SA system.

A. Application Process

The first step in the process of applying the analysis framework is the identification of a system setup. The most straightforward approach to setting the system boundaries is to first specify a target function for the analysis, which in this case is Trip breaker if mismatch between currents. The example SA system design is presented in [33] and shown in Fig. 2. The only modification compared with the original SA system design is an additional communication network for redundancy, and some IEDs are excluded since they are not part of the function to be analyzed. As seen, the system contains one circuit breaker, two current transformers, four IEDs and two networks in a redundant scheme.

Once the system setup and its components have been identified, the steps are the following: 1) Identify failure rates of all the components; 2) Model the physical architecture; 3) Identify and model all the functions of the system; and 4) Input failure rates and calculate the reliability of the target function.

B. Failure Rates

As pointed out in [26], it is difficult to obtain failure data and failure rates of components, in particular for control and protection systems. When regarding software failures of protection and control systems it is even more difficult to find data or statistics. An attempt to quantify software reliability is presented in [34], where Bayesian networks are used to estimate failure rates of different software versions. Although an excellent contribution, the authors mainly focus on faults and defects in the software component's source code and less on implementation and configuration faults. Instead, a majority of the software-related failures could be traced to faults in the configuration. An attempt to quantify failure rates of software for control and protection systems based on operational failure data is presented in [6]. A total of 171 causes of failures were studied within the years 2006–2011, all relating to modern control and protection devices. As shown, approximately 1/3 of all failures related to software and 2/3 to hardware. An MTTF figure of 225 years for software could be extracted based on MTTF figures of around 120 years for hardware. For the network connection an MTTF of 300 years is used based on Ethernet figures from [35]. The two current transformers (CT) are each modeled with an MTTF of 500 years [36] and the 1 A, 5 A wiring with an MTTF of 5000 years [36]. The circuit breaker (CB) is modeled with an MTTF of 100 years [37]. A summary of all MTTF figures is presented in Table IV.

Fig. 3. Framework instantiation using the EAT tool.

TABLE IV
COMPONENT FAILURE RATES

C. Framework Instantiation and Calculation

The reliability, i.e., probability of successful operation, of each component in the physical infrastructure is calculated using an exponential probability distribution in (1) and the MTTF figures in Table IV. The time period is set to one year. The instantiation and calculation of the complete model is performed using the EAT tool [38].

In the present example the first step in the framework instantiation is the modeling of the physical infrastructure, which is rather straightforward once the system boundaries have been set. Each component composing the physical infrastructure is represented by an entity in the bottom of Fig. 3 and the relations between the entities are modeled in coherence with the PRM framework. As seen in the figure, the redundant network configuration is modeled using two Network entities related through an OR-gate to the functional layer, and together they realize the Infrastructure Function CommandSpontaneous. Each network has a reliability of 99.67%, which, using the OR-gate, gives a reliability of the redundant scheme of more than 99.99%. Following the system setup presented in Fig. 2, the IED D1Q2SB3 is connected to the two current transformers using wired connections 1 A, 5 A. The wired connections are in turn connected to AND-gates that, together with the two redundant networks via the OR-gate, realize the Infrastructure Functions ValueCyclic with a reliability of 99.98%. Moreover, all IEDs are connected to each other through the two network connections.

The second part of the modeling is the identification of functions and their relation to the physical infrastructure. From the description in [33], the Conversion Functions and the Secondary Functions follow the PICOM descriptions while the Infrastructure Functions follow the PICOM types. Primary Functions, however, are not represented by PICOMs, but instead need to be identified and modeled by hand. For the example system the circuit breaker is modeled with a Primary Function Open/Close—representing its function of opening and closing—and is identified without any PICOM. The reliability of the Open/Close function is the same as for the circuit breaker, i.e., 99.00%. The functions of the two CTs are modeled using two Conversion Functions Current, both with individual parent relations to the Secondary Functions SampledCurrent—two functions realized by the IED D1Q2SB3. Both functions are actually derived from a single PICOM Current/Voltage. The Current functions have a reliability of 99.80% and the SampledCurrent functions have a reliability of 98.51%. To be able to communicate the sampled currents, and be used as inputs to the function responsible for actuating a trip command, the SampledCurrent functions depend on the Infrastructure Functions ValueCyclic. The ValueCyclic functions are based on PICOM types, and are realized by the wired 1 A, 5 A connections as well as the redundant networks. As previously described, two AND-gates are used to model and calculate the dependencies between the functions ValueCyclic and the wired connections and redundant networks. Hence, both communication channels need to operate successfully in order to realize the ValueCyclic functions, which gives them a reliability of 99.98%. Another AND-gate is applied to model and calculate the dependency between the Secondary Function TripCommand and the two inputs ValueCyclic. Hence, if any of the ValueCyclic functions fails the TripCommand will not successfully operate, which gives it a reliability of 97.05%. The TripCommand function is in turn input to the Secondary Function CommandToSwitchgear with event-driven communication—modeled using the Infrastructure Function CommandSpontaneous—between the two IEDs over the redundant networks. Based on the conditional probabilities of the functions TripCommand and CommandSpontaneous the reliability of CommandToSwitchgear is 95.82%. The final Secondary Function in the chain of dependencies is the function Operated with a reliability of 94.60%, which, together with the Primary Function Open/Close, realizes the Business Function, and the target of the analysis, Trip breaker if mismatch between currents. The reliability of the Business Function Trip breaker if mismatch between currents is calculated to 93.66%, or rounded to 94% in Fig. 3.
The result should, however, be interpreted with caution, for the reason that a number of components are not utilized at all times, but instead may be triggered by certain events. It would, however, be possible to specify a conditional probability of the realized function based on the utilization of the relating physical component. For example, if a component is only utilized half of the time, the reliability of the realized function can be specified with a probability of failing of 50% in case of a failure of the physical component. Another important factor that limits the correctness of the result is the trustworthiness of the MTTF figures, which can be questioned and needs further attention. Therefore, the reliability analysis presented in this paper is mainly applicable for evaluation and comparison of different architecture scenarios.
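To make the calculation chain of Section IV-C concrete, the following is an added example (not the paper's EAT model, nor code from the authors) that re-creates the one-year reliability figures from the MTTF values of Table IV, the exponential distribution in (1), and the AND/OR gate structure described for the physical and functional layers. It also implements the utilization correction suggested in the paragraph above. The assignment of IEDs to functions (SampledCurrent realized by IED D1Q2SB3, CommandToSwitchgear and Operated each realized by a further IED, every IED modeled as hardware AND software) and the choice to AND the two SampledCurrent chains for TripCommand are assumptions made here to match the stated percentages, which the code reproduces to within rounding.

```python
"""Reliability chain for the Business Function 'Trip breaker if mismatch between
currents', re-created from the MTTF figures and the AND/OR gate structure given
in the text. Added illustration; not the paper's EAT model."""
import math

# MTTF figures in years, as given in the text (Table IV).
MTTF_YEARS = {
    "ied_hw": 120.0,   # IED hardware
    "ied_sw": 225.0,   # IED software (configuration faults included)
    "network": 300.0,  # one Ethernet network
    "ct": 500.0,       # current transformer
    "wiring": 5000.0,  # 1 A / 5 A wired CT connection
    "cb": 100.0,       # circuit breaker
}


def reliability(mttf_years: float, t_years: float = 1.0) -> float:
    """Probability of successful operation over t under an exponential
    failure distribution, R(t) = exp(-t / MTTF) (the paper's (1))."""
    return math.exp(-t_years / mttf_years)


def and_gate(*inputs: float) -> float:
    """Series structure: every input must survive (independent components)."""
    result = 1.0
    for r in inputs:
        result *= r
    return result


def or_gate(*inputs: float) -> float:
    """Parallel (redundant) structure: the gate fails only if all inputs fail."""
    fail_all = 1.0
    for r in inputs:
        fail_all *= 1.0 - r
    return 1.0 - fail_all


def utilization_adjusted(r_component: float, utilization: float) -> float:
    """Correction suggested in the text for components used only part of the
    time: the realized function fails only when the component failure coincides
    with its use, so P(function fails) = utilization * P(component fails)."""
    return 1.0 - utilization * (1.0 - r_component)


def trip_function_chain(t_years: float = 1.0) -> dict:
    """Walk the dependency chain from physical components to the Business
    Function and return the reliability of every function on the way."""
    r = {name: reliability(mttf, t_years) for name, mttf in MTTF_YEARS.items()}
    # Assumption: an IED is modeled as its hardware AND its software.
    ied = and_gate(r["ied_hw"], r["ied_sw"])
    # Two networks behind an OR-gate form the redundant scheme.
    redundant_net = or_gate(r["network"], r["network"])
    # Infrastructure Functions (PICOM types).
    value_cyclic = and_gate(r["wiring"], redundant_net)
    command_spontaneous = redundant_net
    # Conversion Function realized by each CT.
    current = r["ct"]
    # Secondary Functions. Assumption: SampledCurrent runs on IED D1Q2SB3,
    # CommandToSwitchgear and Operated each on a further IED.
    sampled_current = and_gate(current, value_cyclic, ied)
    # Assumption: TripCommand needs both input chains (each SampledCurrent
    # already includes its ValueCyclic dependency).
    trip_command = and_gate(sampled_current, sampled_current)
    command_to_switchgear = and_gate(trip_command, command_spontaneous, ied)
    operated = and_gate(command_to_switchgear, ied)
    # Primary Function Open/Close has the circuit breaker's reliability.
    open_close = r["cb"]
    business = and_gate(operated, open_close)
    return {
        "Network": r["network"],
        "RedundantNetworks": redundant_net,
        "ValueCyclic": value_cyclic,
        "Current": current,
        "SampledCurrent": sampled_current,
        "TripCommand": trip_command,
        "CommandToSwitchgear": command_to_switchgear,
        "Operated": operated,
        "Open/Close": open_close,
        "TripBreakerIfMismatch": business,
    }


if __name__ == "__main__":
    for name, value in trip_function_chain().items():
        print(f"{name:24s} {value * 100:6.2f}%")
    # Utilization correction: a breaker that is only operated half of the time.
    print("Open/Close at 50% utilization:",
          f"{utilization_adjusted(reliability(100.0), 0.5) * 100:.2f}%")
```

Running the script lists the chain from the 99.67% single network down to the 93.66% Business Function; changing a single MTTF in `MTTF_YEARS` (for example the software figure that the text flags as uncertain) shows directly how much of the end-to-end reliability that one assumption carries, which is the kind of architecture comparison the paragraph above says the analysis is best suited for.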

V. CONCLUSIONS

The ability of PRMs to combine qualitative modeling using entity relationship diagrams with quantitative analysis based on Bayesian probabilities enables the instantiation of a single architecture model for the analysis of SA functions. Components implemented in a serial or parallel structure, e.g., redundancy, are captured by designing a PRM with AND and OR logic, much like FTA. However, an issue with such analysis is the modeling of the logical structure of the SA system. One solution for IEC 61850-based SA systems demonstrated in this paper is to use the PICOMs defined in the standard. However, the use of PICOMs seems only applicable for the control and protection system functions and not primary switchyard functions. On the other hand, it is mainly the functions of the control and protection systems that can be implemented in many different ways independent of the physical infrastructure, while functions of switchyard equipment are pretty much constant. As shown in the paper, it is feasible to use PICOMs for the identification of most functions and their dependencies needed for reliability analysis of IEC 61850-based SA system functions.

REFERENCES

[1] IEC-TC57-WG10/11/12, Communications Networks and Systems in Substations, International Standard IEC 61850-1.10, International Electrotechnical Commission, Geneva, Switzerland, 2003.

[2] Common Information Model (CIM) Specification, Distributed Management Task Force, 1999.

[3] K. P. Brand, “The introduction of IEC 61850 and its impact on protection and automation within substations,” Paris, France, Cigré SC B5 WG11, 2006.

[4] J. König, U. Franke, and L. Nordström, “Probabilistic availability analysis of control and automation systems for active distribution networks,” in Proc. IEEE PES Transm. Distrib. Conf. Expo., New Orleans, LA, Apr. 2010, pp. 1–8.

[5] J. König, P. Närman, U. Franke, and L. Nordström, “An extended framework for reliability analysis of ICT for power systems,” in Proc. IEEE PowerTech, Trondheim, Norway, Jun. 2011, pp. 1–6.

[6] J. König and L. Nordström, “Reliability analysis of substation automation system functions,” in Proc. Rel. Maintainability Symp. (RAMS), Reno, NV, Jan. 2012.

[7] A. Geraci, IEEE Standard Computer Dictionary: Compilation of IEEE Standard Computer Glossaries, F. Katki, L. McMonegal, B. Meyer, J. Lane, P. Wilson, J. Radatz, M. Yee, H. Porteous, and F. Springsteel, Eds. Piscataway, NJ: IEEE Press, 1991.

[8] M. Rausand and A. Høyland, System Reliability Theory: Models, Statistical Methods, and Applications, ser. Wiley Series in Probability and Statistics. Hoboken, NJ: Wiley-Interscience, 2004.

[9] D. Stamatis, Failure Mode and Effect Analysis: FMEA From Theory to Execution. Milwaukee, WI: ASQ Quality Press, 2003.

[10] S. Meyn and R. L. Tweedie, Markov Chains and Stochastic Stability, 2nd ed. New York: Cambridge Univ. Press, 2009.

[11] J. Andrews and C. A. Ericson, “Fault tree and Markov analysis applied to various design complexities,” in Proc. 18th Int. System Safety Conf., Fort Worth, TX, Sep. 2000.

[12] W. Vesely, J. Dugan, J. Fragola, J. Minarick, and J. Railsback, Fault Tree Handbook With Aerospace Applications. Washington, DC: National Aeronautics and Space Administration, 2002.

[13] A. Bobbio, L. Portinale, M. Minichino, and E. Ciancamerla, “Improving the analysis of dependable systems by mapping fault trees into Bayesian networks,” Rel. Eng. Syst. Safety, vol. 71, no. 3, pp. 249–260, 2001.

[14] A. Pasquini, A. Bobbio, L. Portinale, M. Minichino, and E. Ciancamerla, “Comparing fault trees and Bayesian networks for dependability analysis,” in Computer Safety, Reliability and Security, ser. Lecture Notes in Computer Science, K. Kanoun and Ed, Eds. Berlin/Heidelberg, Germany: Springer, 1999, vol. 1698, pp. 689–689.

[15] F. V. Jensen, Bayesian Networks and Decision Graphs, ser. Statistics for Engineering and Information Science. New York: Springer, 2001.

[16] G. W. Scheer, “Answering substation automation questions through fault tree analysis,” in Proc. 4th Annu. Texas A&M Substation Autom. Conf., 1998.

[17] D. Dolezilek, “Case study of a large transmission and distribution substation automation project,” Schweitzer Engineering Laboratories, Inc., Pullman, WA, 1999.

[18] E. O. Schweitzer, B. Fleming, T. J. Lee, and P. M. Anderson, “Reliability analysis of transmission protection using fault tree methods,” Proc. 24th Annu. Western Protective Relay, 1997.

[19] L. Pottonen, U. Pulkkinen, M. Koskinen, and M. Koskinen, “A method for analysing the effect of substation failures on power system reliability,” in Proc. 15th Power Syst. Comput. Conf., Liege, Belgium, Aug. 2005.

[20] R. Beresh, J. Ciufo, and G. Anders, “Basic fault tree analysis for use in protection reliability,” Int. J. Rel. Safety (IJRS), vol. 2, no. 1/2, pp. 64–78, 2008.

[21] H. Hajian-Hoseinabadi, “Reliability and component importance analysis of substation automation systems,” Int. J. Electr. Power Energy Syst. [Online]. Available: http://dx.doi.org/10.1016/j.ijepes.2010.06.012, available online Jul. 2, 2010.

[22] L. Andersson, K.-P. Brand, C. Brunner, and W. Wimmer, “Reliability investigations for SA communication architectures based on IEC 61850,” in Proc. IEEE PowerTech, St. Petersburg, Russia, Jun. 2005.

[23] B. Yunus, A. Musa, H. Ong, A. Khalid, and H. Hashim, “Reliability and availability study on substation automation system based on IEC 61850,” in Proc. IEEE 2nd Int. Power Energy Conf., Dec. 2008.

[24] L. C. Ferreira, P. Crossley, and R. Allan, “The impact of functional integration on the reliability of substation protection and control systems,” IEEE Trans. Power Del., vol. 16, no. 1, pp. 83–88, Jan. 2001.

[25] L. C. Ferreira, P. Crossley, J. Goody, and R. Allan, “Reliability evaluation of substation control systems,” IEEE Proc.—Gener., Transm., Distrib., vol. 146, no. 6, pp. 626–632, 1999.

[26] H. Hajian-Hoseinabadi, “Impacts of automated control systems on substation reliability,” IEEE Trans. Power Del., vol. 26, no. 3, pp. 1681–1691, Jul. 2011.

[27] L. Getoor and B. Taskar, Introduction to Statistical Relational Learning, ser. Adaptive Computation and Machine Learning. Cambridge, MA: MIT Press, 2007.

[28] T. Sommestad, M. Ekstedt, and P. Johnson, “A probabilistic relational model for security risk analysis,” Comput. Security, vol. 29, no. 6, pp. 659–679, 2010.

[29] G. M. Oliva, P. Weber, E. Levrat, and B. Iung, “Use of probabilistic relational model (PRM) for dependability analysis of complex systems,” in Proc. 12th IFAC Symp. Large Scale Syst.: Theory Appl., 2010.

[30] K. P. Brand, C. Brunner, W. Wimmer, and A. Switzerland, “Design of IEC 61850 based substation automation systems according to customer requirements,” in Proc. CIGRE Plenary Meeting, Paris, France, 2004.

[31] R. Feng, X. Cheng-Jun, M. Peng, and X. Yang, “Performance analysis for substation automation systems: A PICOM approach and improvement,” in Proc. IEEE PES Transm. Distrib. Conf. Exh.: Asia Pac., 2005, pp. 1–6.

[32] N. Liu, J. Zhang, and X. Wu, “Asset analysis of risk assessment for IEC 61850-based power control systems—Part II: Application in substation,” IEEE Trans. Power Del., vol. 26, no. 2, pp. 876–881, Apr. 2011.

[33] WG B5.32, Functional Testing of IEC 61850 Based Systems, CIGRE, 2009.

[34] A. Helminen and U. Pulkkinen, “Quantitative reliability estimation of a computer-based motor protection relay using Bayesian networks,” in Knowledge-Based Intelligent Information and Engineering Systems, ser. Lecture Notes in Computer Science, V. Palade, R. Howlett, and L. Jain, Eds. Berlin/Heidelberg, Germany: Springer, 2003, vol. 2773, pp. 92–102.

[35] P. Zhang, L. Portillo, and M. Kezunovic, “Reliability and component importance analysis of all-digital protection systems,” in Proc. IEEE PES Power Syst. Conf. Expo., Nov. 2006, pp. 1380–1387.

[36] R. Sandoval and J. L. Eternod, “Evaluation of methods for breaker-flashover protection,” in Proc. 31st Annu. Western Protective Relay Conf., 2004.

[37] IEEE Recommended Practice for the Design of Reliable Industrial and Commercial Power Systems, IEEE Std 493-1997 (IEEE Gold Book), 1998.

[38] M. Buschle, J. Ullberg, U. Franke, R. Lagerström, and T. Sommestad, “A tool for enterprise architecture analysis using the PRM formalism,” in Proc. 22nd Int. Conf. Adv. Inf. Syst. Eng., 2010.

Johan König received his M.Sc. degree in electrical engineering from the Royal Institute of Technology (KTH), Stockholm, Sweden, in 2008. He is currently working toward the Ph.D. degree at the Department of Industrial Information and Control Systems at KTH. His research includes quality analysis of active distribution grids from an ICT perspective.

Lars Nordström (M’06) received the M.Sc. degree in electrical engineering and the Ph.D. degree in industrial control systems, both from KTH—The Royal Institute of Technology, Stockholm, Sweden. He is a Professor in Power System Management and Director of the Swedish Centre of Excellence in Electric Power Engineering, an industry-university research center, located at KTH. His area of research is power systems management and related information exchange, including application of decision theory on information system architectures and the application of ICT to power system problems.

Magnus Österlind received the M.Sc. degree in computer science from the Royal Institute of Technology (KTH), Stockholm, Sweden, in 2012. He has studied Computer Science and Communication at KTH Royal Institute of Technology, Stockholm, Sweden. He is currently a Research Engineer at the Department of Industrial Information and Control Systems at KTH. His main research is within the ICT domain with a focus on information system modifiability.

