Operating under stress and strain
LARGE SYSTEMS
Power/energy
This, part two of the blackout series, defines control
objectives for various levels and types of emergencies
In the U.S. today, complex power systems are able to provide reliable electric service at low cost with the help of automatic control, simultaneously tracking the randomly varying system load, optimizing generation to minimize cost, and coordinating the action of many independent control centers. When an emergency develops in one of these systems, however, the picture changes completely and new control objectives must be met if the system is to be restored successfully to normal operation.
The control objectives of a power system are related to the level of security at which the system is operating, and (see box on p. 50) as this level decreases below an acceptable threshold, preventive measures must be taken to restore the system to a robust state. It is rare that a major system failure is the result of one catastrophic disturbance that wipes out an apparently secure system. Usually such failures are brought about by a reduced level of security that renders the system vulnerable to the cumulative effects of a sequence of moderate disturbances. The systems have been designed and built to operate as efficiently as possible under normal circumstances. In the event of the loss of a piece of major equipment (whether due to an internal fault or an external event) with its resultant instantaneous surges of power, the system must be able to absorb these stresses without further damage and to find a new balance of flows. Coincidence of disturbances and/or hidden weaknesses in system components or control functions can combine to produce momentary local stresses beyond any level of endurance to which the system could possibly be designed within reasonable economic limits.
Emergencies can strike suddenly, or build slowly. During these emergencies, the system operator (human or automatic) struggles to keep the system under control, to maintain balance between load and generation, or demand and supply, through all available means. However, there are two factors that can doom these efforts to failure: time constraints, the inability to quickly enough; and capacity constraints, demand outstripping available supply. Recent blackouts have been in the first category. But in January 1977, several interconnected utilities appeared to be headed toward a failure of the second kind when, in some areas of the U.S., unusually severe winter temperatures froze such crucial resources as coal piles and waterways and greatly limited generating capacity. System frequency, a sensitive of discrepancy between load and generation, sagged to 59.84 Hz, and remained below 60 Hz for almost seven hours. During this period, the available power supply was reduced to a critical level.
Lester H.
U.S. Department of Energy
Carlsen
General Electric Company
When the carefully constructed and maintained dynamic system structure (see box on p. 51) begins to reel under the impact of a major disturbance, and is on the verge of disintegrating, the regimes normal circumstances are no longer adequate, or relevant, and new controls are necessary. However, before such controls can be discussed, the general states of operation of a power system should be considered.
States of operation
Power system conditions are described by five operating states, as shown in Fig. Three sets of generic equations (one differential and two algebraic) govern operation: The differential set encodes the physical laws governing the dynamic behavior of the system's components. The two algebraic sets equality constraints, which refer to the system's total load and total generation, and inequality constraints, which state that some system variables, such as currents and voltages, must not exceed maximum levels representing the limitations of physical equipment.
In the normal state, all constraints are satisfied, indicating that the generation is adequate to supply the existing total load demand, and that no equipment is being overloaded. In this state, reserve margins (for transmission as well as for generation) are sufficient to provide an adequate level of security with respect to the stresses to which the system may be subjected.
If the security level falls below some threshold of adequacy, or if the probability of disturbance increases, then the system enters the alert state. In this state, all constraints would still be satisfied, but existing reserve margins would be such that some disturbance could result in a violation of some inequality constraints; e.g., equipment would be overloaded more or less severely above its rated capabilities. In this (insecure) alert state, preventive action can be taken to restore the system to the normal state (see Table I).
If a sufficiently severe disturbance takes place before preventive action can be taken, the system enters the emergency state. Here, inequality constraints are violated, and system security would have been breached since the security level would be below zero and practically nonexistent. The system, however, would still be intact, and emergency control action (heroic measures) be initiated in order to restore the system to at least the alert state. If these measures are not taken in time, or are ineffective, if the initiating disturbance or a one is severe enough to overstress the system, the system then starts to disintegrate and is (see Table I). In this state, equality as well as inequality constraints have been violated; the system would no longer be intact, and major portions of the system load would be lost. Emergency control action should be directed toward salvaging as many pieces of the system as possible from total collapse. Once the collapse had been halted, if there were any remaining equipment operating within rated capability, or some equipment had been restarted following total collapse, the system enter the restorative state, with control action being taken to pick up all lost load and reconnect the system. From this state, the system could transit to either the alert or to the normal state, depending on circumstances.
So far, precise definitions characterizing the several states discussed have not been provided. Without such definitions, the indicated framework can be of heuristic value only; judgment as to whether the system has moved from one state to another will be subjective at best, and possibly arbitrary. Nevertheless, even at this level this framework can contribute significantly not only by clarifying analyses of the histories of disturbances but, more important, by providing some guidance as to the controls to be effected under certain circumstances or the operator decisions to be implemented (see Fig. 1).
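
As an added illustration (not code from the article), the state framework can be made mechanical once definitions are assumed. This sketch assumes that unit rating is the only inequality constraint, that the disturbance tested for the alert state is the loss of any single generating unit, and that the disintegrating state is named "in extremis", a name not legible on this page; all unit data are constructed.

```python
from dataclasses import dataclass

@dataclass
class Unit:
    name: str
    output_mw: float   # present generation
    rating_mw: float   # rated capability (the inequality limit)

def equality_ok(units, demand_mw, tol_mw=1.0):
    """Equality constraint: total generation matches total load."""
    return abs(sum(u.output_mw for u in units) - demand_mw) <= tol_mw

def overloaded(units):
    """Units violating the inequality constraint (output above rating)."""
    return [u.name for u in units if u.output_mw > u.rating_mw]

def insecure_losses(units):
    """Single-unit losses the remaining headroom could not absorb.

    Assumed stand-in for 'some disturbance could result in a violation
    of some inequality constraints'.
    """
    weak = []
    for lost in units:
        headroom = sum(u.rating_mw - u.output_mw for u in units if u is not lost)
        if headroom < lost.output_mw:
            weak.append(lost.name)
    return weak

def classify(units, demand_mw):
    """Return (state, detail) for one snapshot of the system."""
    eq, over = equality_ok(units, demand_mw), overloaded(units)
    if eq and not over:
        weak = insecure_losses(units)
        return ("alert", weak) if weak else ("normal", [])
    if eq:
        return ("emergency", over)          # intact but overloaded
    if not over:
        return ("restorative", [])          # load lost, equipment within rating
    return ("in extremis", over)            # assumed name; both sets violated

# Constructed snapshots (MW), not data from the article.
SECURE = [Unit("A", 300, 500), Unit("B", 300, 500), Unit("C", 200, 400)]
THIN = [Unit("A", 400, 500), Unit("B", 200, 500), Unit("C", 100, 150)]
STRESSED = [Unit("A", 520, 500), Unit("B", 200, 500)]

if __name__ == "__main__":
    for units, demand in [(SECURE, 800), (THIN, 700), (STRESSED, 720),
                          (STRESSED, 900), (SECURE[:1], 900)]:
        print(demand, classify(units, demand))
```

The THIN snapshot satisfies every constraint yet is classified as alert, because losing unit A or B would leave less headroom than the output to be replaced.
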
Given a consistent set of definitions of each state, necessary and/or sufficient conditions for state the problem involved in on-line security assessment could provide considerable insight into the design of control strategies proper to several states.
prevention
Historically, system security has been approached by way of reliability; planning and building systems that could be inherently robust in the face of credible (and some incredible) disturbances. Typically, the assessment was carried out in the planning stage by way of simulating the response of the projected system to a of hypothesized severe (worst case) disturbances. Such have served as a means to measure the strength and capacity of a system to withstand the entire of disturbances under stress conditions. Systems designed to such criteria have proved reliable under all but unusual circumstances.
However, no absolute guarantee of reliable performance can be provided by the system planner for even the best planned and constructed system. The system operator is ultimately responsible for maintaining effective operation of the system under all circumstances.
Following the Northeast blackout of 1965, increasing
[Figure: System operating states. Label: "Reduction in reserve and/or increased probability of disturbance".]