Making the power grid safer by planning for failure

Source: http://in.reuters.com by John Kemp

 

Simultaneous attacks on just nine substations could black out the entire United States, according to a report in the Wall Street Journal, based on a confidential study by energy regulators.

 

The concerns revealed by the leak are not new. Professionals have been expressing similar worries about the vulnerability of highly interconnected energy systems for electricity, natural gas and oil since at least the 1970s.

"The United States has reached the point where a few people could probably black out most of the country," Amory and Hunter Lovins wrote in 1982.

The grid's interconnectedness is both its greatest strength and greatest weakness.

 

The size, complexity, pattern and control structure of these electrical machines make them inherently vulnerable to large-scale failures.

 

Complex energy devices were built and linked together one by one without considering how vulnerable a system this process was creating.

 

When each city or region had its own generating plant and distribution system, the effects of any failure were localised.

 

But the nationwide grid is a single machine.

 

Once power plants and transmission systems were linked together, it was possible for a single fault to propagate or cascade across a much larger area, even, in the worst instance, a whole region.

COUPLING AND COMPLEXITY - Interconnectedness and Complexity

Several features of the grid and other modern energy systems make them vulnerable to large-scale failure.

  • The grid is highly interconnected. It is also tightly coupled, in the sense that failure of one component dramatically increases the potential for failure of others.
  • Finally, the grid is a complex, dynamic and non-linear system. There are many branching paths and feedback loops that can magnify small errors in unexpected ways. Small initial problems can quickly generate escalating disturbances.
  • The August 2003 blackout demonstrated just how interconnected, tightly coupled and non-linear the system really is. [Likewise the 2006 blackout in Europe - within 14 seconds Western Europe was without power]

But the grid also has some important features that make it more secure and resilient than this worst-case scenario suggests.

RESILIENCY AND SECURITY

Power flows vary according to the time of day, season, temperature and maintenance schedules. In theory, the entire country could be blacked out by destroying as few as nine substations, but it would not always be the same ones. There are dozens, perhaps as many as 100, which could be critical in different conditions.

PLANNING FOR FAILURE - Error-Friendliness

Former FERC chairman Jon Wellinghoff told the Wall Street Journal: "There are probably less than 100 critical high-voltage substations on our grid in this country that need to be protected from a physical attack. It is neither a monumental task, nor is it an inordinate sum of money that would be required to do so."

But this is arguably the wrong focus, or at least an incomplete one. The most effective way to protect complex interconnected systems is to make them less tightly coupled so one component can fail safely without damaging others, leaving the system overall in a safe condition.

"De-coupling" or "defence in depth" is already central to the protection of high-risk systems such as nuclear power plants, nuclear weapons, chemical plants and aircraft.

It is simply not possible to give an absolute guarantee that individual components or sub-systems will not fail. So, complex and high-risk systems are planned from the outset with failure in mind.

Complex and dangerous systems are designed with many independent sub-systems and redundant safety features on the assumption some components will fail but should leave others functioning.

In general, serious accidents occur when sub-systems turn out not to be as independent as their designers thought, or when personnel ignore safe operating procedures.

Similar safety protections are built into the design and operation of the grid. Controllers conduct thousands of computer simulations to identify risk factors and prepare for contingencies.

In the case of the power grid, the solution is not just, or mainly, to protect critical substations from physical attack. It is also to make them less critical to the operation of the network by building in more redundancy.

Hardening critical substations can only ever be a very small part of the solution. Physical attacks are only one of the serious threats the grid faces. Others include equipment failure, operational errors[, cyber attacks] and solar storms, any of which could be just as dangerous.

The grid's greatest security lies in making it more flexible and less tightly coupled, as well as careful but confidential system planning to ensure the network is able substantially to survive even a simultaneous attack.


Comments: 1
  • #1

    Plötzlich Blackout! (Friday, 14 March 2014 21:35)

    There is not much to add to this analysis, as it matches our (systemic) view. Unfortunately, such statements and approaches are not the norm. But if one engages a little more with systems, the only sensible path, since several birds can be killed with one stone that way