Professional Documents
Culture Documents
CSE - 30 Power System Resilience Definition Features and Properties
CSE - 30 Power System Resilience Definition Features and Properties
AUTHORS
Summary
Modern power systems are subject to natural and man-made threats with
increasing frequency. The management of the system in case of extreme events can
bene t from the introduction of the property of “resilience”. After a brief overview on
the strengths and limits of the most signi cant de nitions of resilience available in
literature, this paper discusses the de nition of resilience recently elaborated by the
CIGRE WG C4.47 “Power System Resilience”, clarifying its features, the main
differences between resilience and well-established properties such as adequacy
and security, and proposing some models to represent the relationships between
resilience and reliability. Moreover, the paper lists and brie y discusses the key
measures that make a system resilient.
KEYWORDS
1. Introduction
The term resilience has been used in very different elds of knowledge for many
decades, and it has been more recently applied in the power system sector due to
the increasing number of extreme events which negatively affect power systems [1].
Considering this trend in natural events but also in cyber and/or physical attacks, the
stakeholders (in particular Transmission system Operators, TSOs, and Distribution
System Operators, DSOs) started focusing their attention to pursue these two goals:
(a) to evaluate the impact of multiple (also dependent) outages of components,
potentially leading to blackouts, and (b) to propose preventive or corrective
The rst de nitions of resilience referred to materials and were used in the XIX
century especially in the naval engineering context. C.S. Holling provided the rst
system-level de nition of resilience by de ning it in 1973 [2] as a measure of “the
persistence of systems and of their ability to absorb change and disturbance and still
maintain the same relationships between populations or state variables”. Since this
foundational de nition, the concept of resilience has evolved remarkably in several
systems, such as safety management, organizational, social-ecological, and economic
ones. After Holling, numerous interpretations of resilience have been developed,
resulting in many different de nitions and a lack of a universal understanding of
what resilience really means. For example, Perrings in [3] de nes economic
resilience as “the response to hazards that enables people and communities to avoid
some economic losses at micro-macro market levels. It is the capacity for the
enterprise to survive and adapt following market or environmental shocks”.
Hollnagel in [4] de nes organizational resilience as “the ability of an organization to
identify risks and to handle perturbations that affect its competencies, strategies and
coordination”.
In the sector of electric power systems as critical infrastructures the picture is even
blurrier, as the concept of resilience has roughly only emerged in the last decade.
There have been several attempts by organizations worldwide in the power and
energy engineering communities, such as the UK Energy Research Center (UKERC)
[5] and the Power Systems Engineering Research Center (PSERC), USA, to de ne
resilience and distinguish it from the concept of reliability. According to the UK
Cabinet Of ce, resilience encompasses reliability and further includes resistance,
redundancy, response, and recovery as key features. Another pioneer de nition
comes from the Multidisciplinary and National Center for Earthquake Engineering
Research (MCEER), USA, where a generic organizational resilience framework has
been developed [6] that can be applied to any critical infrastructure, including power
systems. The de nition of MCEER for the disaster resilience of social units is
reported below [6]:
The above framework entails the “4 R’s” of resilience which consist in robustness,
redundancy, resourcefulness, and rapidity according to [6].
The paper is organized as follows: Section 2 discusses the main features of reliability
and its sub-properties in order to highlight the need for introducing the new concept
of resilience in power system planning and operation. Section 3 presents the
available de nitions of resilience and the motivations at the basis of the new
de nition proposed by CIGRE WG C4.47. Section 4 illustrates the new de nition of
resilience and clari es the differences between resilience, reliability, and its sub-
properties. Section 5 discusses the relationship between reliability and resilience.
Section 6 concludes. Finally, the appendix (Section 7) lists some possible resilience-
reliability relationship models.
Reliability has been de ned in different ways by CIGRE, IEEE, IEC, NERC, ENTSO-E.
Table 2 summarizes the de nitions of reliability from these different entities, along
with those of adequacy and security, identi ed as the sub-properties of reliability.
All the reported de nitions agree that reliability refers to the probability of
satisfactory operation of the system in the long term. To this regard, IEC de nition [7]
also includes a reference to the time interval of analysis.
The degree of reliability can be measured through the frequency, duration and
intensity of situations of service degradation for the customers.
Reliability depends on the adequacy and security of the power system, as reported
e.g. in CIGRE references [8]-[9].
As far as adequacy is concerned, the key concept is the availability of resources and
components, or system elements, with suitable capacity to meet the load demand
without violating operating limits.
ENTSO-E [12] de nes the contingency as the “identi ed and possible or already
occurred fault of an element, including not only the transmission system elements,
but also signi cant grid users and distribution network elements if relevant for the
transmission system operational security”.
As for security, CIGRE [8][9], NERC [13], and ENTSO-E [12], [14], [15] de nitions are
perfectly coherent in recognizing security as “the ability to withstand sudden
disturbances”. IEC de nition [7] includes the requirement of “integrity of demand
supply” (i.e., “without loss of load”) in case of an event which satis es a credibility
criterion. IEEE [10][11] similarly speci es “without interruption of customer service”.
CIGRE [8]-[9] A measure of the ability A measure of the ability The ability of the power
of a power system to of a power system to system to withstand
deliver electricity to all meet the electric power disturbances, where:
points of consumption and energy requirements Power system
and receive electricity of its customers within includes all
from all points of supply acceptable technical elements of
within accepted limits, taking into account the
standards and in the scheduled and generation,
amount desired. unscheduled outages of transmission
system components, and
where: distribution
Power system systems, and
includes all customer
elements of facilities that
the supply or use
generation, power and
transmission energy, or
and provide
distribution ancillary
systems, and services;
customer Ability to
facilities that withstand will
supply or use vary
power and depending on
energy, or speci c
provide disturbances
ancillary and
services; applicable
Customers criteria or
include all standards,
parties that and includes
supply power agreed use of
and energy or customers’
ancillary ability to vary
services, as power supply,
well as those adjust
who consume demand and
them; provide
Requirements ancillary
of customers services;
include their Disturbances
basic power include
and energy electric short
needs, and circuits,
agreed use of unanticipated
customers’ loss of system
ability to vary facilities, or
power supply, other rapid
adjust changes such
demand and as in wind or
provide solar
generation.
ancillary
services;
Acceptable
technical
limits and
scheduled
and
unscheduled
outages are
those
speci ed in
the applicable
planning
criteria and
standards;
and
System
components
include all
elements of
the supply,
delivery and
utilization
systems
regardless of
ownership or
control.
NERC [13] The degree to which the The ability of the electric The ability of the bulk
performance of the system to supply the power system to
elements of that system aggregate electrical withstand sudden,
results in power being demand and energy unexpected
delivered to consumers requirements of the end- disturbances, such as
within accepted use customers at all short circuits or
standards and in the times, taking into account unanticipated loss of
amount desired. scheduled and system elements.
reasonably expected
unscheduled outages of
system elements
IEEE [10][11] Reliability of a power The ability of the electric Security of a power
system refers to the systems to supply the system refers to the
probability of its aggregate electrical degree of risk in its ability
satisfactory operation demand and energy to survive imminent
over the long run. requirements of their disturbances
It denotes the ability to customers at all times, (contingencies) without
supply adequate electric taking into account interruption of customer
service on a nearly scheduled and service.
continuous basis, with reasonably expected It relates to robustness
few interruptions over an unscheduled outage of of the system to
extended time period. system elements. imminent disturbances
and, hence, depends on
the system operating
condition as well as the
contingent probability of
disturbances.
IEC [7] The ability of a power The ability of an electric The ability to tolerate a
system to meet its power system to supply credible event
supply function under the aggregate electric without loss of load,
stated conditions for a power and energy over-stress of system
speci ed period of time. required by the components, or deviation
customers, under steady- from speci ed voltage
state conditions, with and frequency
system component tolerances.
ratings not exceeded,
bus voltages and system
frequency maintained
within tolerances, taking
into account planned and
unplanned system
component outages.
ENTSO-E The degree of The ability of the electric The ability of the electric
[12], [14], [15] performance of the system to supply the system to withstand
elements of the bulk aggregate electrical sudden disturbances
electric system that demand and energy such as electric short
results in electricity requirements of the circuits or unanticipated
being delivered to customers at all times, loss of system elements.
customers within taking into account
accepted standards and scheduled and
in the amount desired. reasonably expected
unscheduled outages of
system elements.
For system adequacy, the focus is the quanti cation of availability of facilities
needed to satisfy the consumer demand plus reserves for contingencies, which may
be relevant both in long term horizons and in short-term ones.
To this aim, probabilistic criteria are becoming a standard [16]-[19]. Indeed, many
countries and regions all over the world adopt resource adequacy standards in terms
of Loss Of Load Expectation (LOLE), or based on similar metrics. The evaluation of
the LOLE can then consider not only the most credible contingencies but also other,
less likely contingencies that could lead to a power shortage. However, adequacy
criteria are typically expressed purely on expected values. In adequacy assessment,
contingencies are analysed with static tools, usually based on Optimal Power Flow.
For Security the focus is to evaluate the nal state of the system following a
contingency, with the aim of assessing the system’s capability to withstand
disturbances analysing both steady state violations and dynamic transients.
Probabilistic approaches for system security have thus been investigated to estimate
the risk of undesired consequences [16], [20]. Risk based approaches allow
considering multiple contingencies, thus addressing the aforementioned problem.
In particular:
Nevertheless, the traditional criterion for the application of these properties may not
assure satisfactory performances of the system in case of extreme events. In fact,
blackouts are often originated by multiple contingencies that are not contemplated
by the N-1 criterion. Being this criterion deterministic, it does not consider the
probability of contingencies, which in turn depends on the threats affecting the
system.
There is thus a gap coming from both the de nitions and the way they are applied,
such that extreme events are not part of the traditional reliability analyses. To
overcome this gap, the concept of resilience has been introduced:
Almost all of the de nitions above (12 out of 13) agree upon the fact that resilience is
an ability of the power system, just like reliability and security. This implies the
possibility to propose methods and metrics to quantify this ability.
Most of the terms used in the de nitions above correspond to some capabilities
which make a system resilient (e.g. withstand, adapt to, recover, absorb, anticipate).
Half of the de nitions (7 out of 13) indicate that resilience must be evaluated in case
of a “disruptive event” affecting the system. Only 4 de nitions out of 13 (in particular
#1, #6, #9 and #12) characterize the types of these disruptive events, by specifying
that these events are “extraordinary and high impact – low probability events”.
7 US Presidential Policy Directive 21: The ability to prepare for and adapt
Critical Infrastructure Security and to changing conditions and
Resilience, 2013 [28] withstand and recover rapidly from
disruptions.
Resilience includes the ability to
withstand and recover from
deliberate attacks, accidents, or
naturally occurring threats or
incidents.
System performance:
Given the exibility
of many systems to
adjust and
recon gure to a
disruptive event,
maintaining system
structure is not as
important as
maintaining system
performance. Hence,
measurement of
resilience should
evaluate how a
disruption affects
system performance
and causes
productivity to
decrease relative to
targeted system
performance levels:
that is, how the
system should
behave during and
after disruptive
events.
10 IEEE Task Force on De nition and The ability to withstand and reduce
Quanti cation of Resilience, April the magnitude and/or duration of
2018 [31] disruptive events, which includes
the capability to anticipate, absorb,
adapt to, and/or rapidly recover
from such an event
De nition #2 also mentions “major disruption” to specify the high severity of the
events taken into account. However, in general, resilience de nitions are detached
from the relevant application criterion.
The key concept of degradation is mentioned only in two de nitions (#2 and #5), but
a similar concept (“deviation from targeted system performance levels”) is also
indicated in de nition #8. Even though little mentioned, the concept of degradation
should be considered a major aspect distinguishing resilience from other properties
such as “security”, which are usually of binary nature (i.e. a system is secure or not
secure) as they require the ful lment of strict criteria.
Besides de nition #2, the reference to the economic aspects of resilience can be
found in Sandia Lab’s de nition (#8), which mentions an ef cient reduction of the
magnitude and duration of the deviation from targeted performances. The reference
to ef ciency implies the adoption of the lowest possible amount of resources (money,
repair man-hours, etc.).
Among all the de nitions, only Sandia’s (#8) and PSERC’s (#5) ones separate the
de nition of “resilience” property from the key measures that make the system
resilient (anticipation, adaptation, absorption, fast recovery); moreover, as
mentioned above, both refer to a generic “disturbance” or “disruptive event” without
specifying anything about its severity or probability of occurrence. This is a valuable
Most of the de nitions (11 out of 13) highlight the importance of fast recovery in
order to characterize a resilient system. All these de nitions underline that the
assessment of power system resilience, unlike security, calls for the evaluation of the
restoration process. The point that a fast recovery is the major characteristic of a
resilient system is also highlighted in [35].
In particular, Sandia Lab’s de nition (#8) speci es two aspects of the system
degradation i.e. its magnitude and its duration. To this regard, term “magnitude” is
quite indistinct or inde nite, because it may refer to the severity, in terms of
triggered damages, and to the extent of the disturbance. However, these two aspects
are not correlated: in fact, certain threats like tornados determine very localised (low
extent) but signi cant (high severity) damages to the power infrastructure and
service. Other threats, like wet snow events, can have moderate severity but large
extensions.
Also, the IEEE de nition of resilience (#10), besides mentioning the enabling
capabilities of resilience, refers to the magnitude and the duration of disruptive
events, without clarifying the ambiguity of term “magnitude”.
Table 3 explains the bold words of the resilience property de nition proposed above.
This de nition is innovative with respect to most of the previous de nitions in Table
2 because:
It is more accurate in de ning the details of the action of the disruptive event.
The inde nite term “magnitude” – used in de nition #8 in Table 2 - is replaced
with two terms “extent and severity” which refer respectively to the geographical
extension and the severity of the effects.
It operates a clear separation between resilience as a property and the key
measures (shock absorption, fast recovery, etc.) which allow to achieve it. The
latter are an integral part of the de nition and are addressed in next sub-section.
This is common to only a few other de nitions in literature.
anticipation,
preparation,
absorption,
adaptation,
rapid recovery and
sustainment of critical system operation
These “measures” listed in the present subsection characterize any power system: in
fact, the adoption of defence plans to absorb the contingency impact, the upgrades of
operating and maintenance procedures on the basis of past events, the scheduling of
maintenance teams are only few examples of current practices of grid operators to
face severe disruptive events. However, a resilient system should be capable to
exploit these measures to achieve acceptable targets for the energy supply in case of
extreme events.
The corresponding capabilities of the system to deploy the previous key measures,
i.e. the anticipative, absorptive, adaptive and restorative capabilities, must be
quantitatively assessed by means of suitable metrics, so that it is possible to set
objectives, to establish suitable strategies and measure the improvements, thus
providing a valuable support to decision making process.
As a preliminary remark, it is worth recalling that there are some differences in the
interpretation of the “security” property passing from some standardization entities
(IEEE, IEC) to operators’ associations or regulating entities (such as ENTSO-E and
NERC). This difference is due to the fact that from a pragmatic viewpoint operators
can perform not only preventive but also corrective actions, including the shedding
of speci c loads under special contracts (Interruptible Loads), to assure a normal
(thus, secure) state to the power system. Thus, a broader interpretation of security as
“the ability to withstand disturbances” may include the possibility not to ful ll the
whole customers’ demand, if we include the above exibility measures regarding
loads.
Scope Power system [15] Power system Power system with its
interactions with
environment, humans.
Extreme events Limited relevance, Usually limited relevance, Relevance to events with
depending on operators’ depending on operators’ high impacts that are
guidelines for system guidelines for system commonly excluded from
design and operation design and operation design and operating
(grid codes) [40][15] (grid codes) [40][15] provisions.
Contingency selection Prede ned set of events Prede ned set of events Contingencies with very
(from N-1 to some N-k) (from N-1 to some N-k, high impact selected
depending on TSO/ISO’s mainly N-1-1 and N-2) based on TSO’s
grid code indications [40] depending on TSO/ISO’s experience or other
[15]. grid code indications [40] approaches such as risk-
[15]. based techniques
accounting for the
likelihood of events (over
different time frames)
and their impact.
Time evolution Account for the Account for the power Account for the time
availability of generating system response to evolution of threats,
units and grid contingencies, over the power system and
components over the time. humans interacting
time. In operational planning, together over different
security studies may also phases, from the
exploit probabilistic absorption of
models to assess contingency effects to
possible time evolutions the restoration of
of loads and renewable damaged system facilities
sources. and the supply of service
to customers.
Long term dynamics of
the organization (such as
adaptation from past
events, preparation and
anticipation strategies) is
also included.
Impact on the system Lack of demand coverage Potential instabilities or Effects on customer
due to insuf cient frequency/current/voltag supply, also due to
generation/transmission e violations. severe damages to the
capacity and/or reserve Effects on customer infrastructure itself
[42]. supply (customer (disruption and recovery
interruption times and/or times).
energy not supplied). Account for grid
operators’ actions under
stressed situations and
staff (e.g. maintenance
teams) interventions
under extreme
conditions.
Table 5 - Comparison of the main aspects concerning reliability, adequacy, security and resilience.
In particular, if one considers the diagram of power system operating states [39],
preventive controls can be adopted to move the power system from an “alert” state
after the occurrence of a contingency to “normal” state (i.e. “preventively” secure
state), while corrective actions, such as the corrective redispatch of generators taking
account of the ramping limitations or the shedding of loads under speci c contracts,
can be deployed to move the system from an “emergency state” (which shows
violations of operating quantities and/or instabilities) to an alert or a normal state
(i.e. “correctively” secure). In the end, if even corrective controls are not suf cient,
then emergency controls, such as system splitting or generalized load shedding, are
performed to avoid the “in extremis” state which is characterized by both violations
of operating quantities and/or instabilities and lack of supply to customers.
The rst aspect compared in Table 5 is the scope of the analysis: adequacy and
security focus on the power system per se. The interactions with environment can be
considered by adjusting the failure rates of the components according to a rough
classi cation of weather (adverse/normal) or climate conditions, but in a
conventional reliability methodology the vulnerability of individual components is
not modelled.
As far as extreme events are concerned, current grid codes [15] [40] require the
evaluation of system response to a prede ned list of contingencies passing from
single outages to multiple plausible outages involving the loss of a double circuit, or
busbar contingencies. For the sake of clearness, ENTSO-e and NERC approaches are
presented in the subsequent paragraphs.
In [12], [14], [15] and ENTSO-e currently distinguishes the contingencies into normal,
exceptional and out-of-range events:
Planning events (P0-P7), for which the power system is required to ful l speci c
performance criteria; this category contains all the P0-P7 events de ned in the
Standard, passing from no outage (P0) or single outage (P1) to a busbar fault
following by a stuck breaker (P7).
Extreme events include very widespread and impacting events due to weather
phenomena (hurricanes, droughts, geomagnetic storms, etc.) and/or cyber-
attacks. This set of events requires the time domain simulations of the sequence
of events (cascading outages, protection interventions, etc.) following the
initiating contingency, considering the normal fault clearing process.
From references [15], [40] it’s worth noting that limited relevance is given to extreme
events in conventional reliability analyses, because only few plausible severe
contingencies which are chosen based on TSOs’ experience are simulated in detail.
Instead, extreme events are given a very high relevance in resilience analyses.
The selection of the contingencies de nes another difference between the classical
concept of reliability and resilience: in fact, current grid codes in US [40] and in
Europe [13] indicate a prede ned list of (single, possibly a few multiple)
contingencies for which speci c requirements in the system response must be met.
This list is completed by operators on the basis of their operational experience. For
all the contingencies of the set, the operators must verify the ful lment of adequacy
and security requirements. However, resilience analyses are focused on extreme
events with possibly catastrophic impacts on power system service and
infrastructure. These events are normally not considered in current reliability-
centered design of the system: in fact, a complete enumeration of multiple
contingencies would lead to combinatorial explosion problems; moreover,
contingencies with a very high number of outaged components would inevitably lead
to unacceptable impacts. Thus, the selection of multiple contingencies can be based
on experience or from risk based analyses [41] where risk, interpreted as a
quadruple {threat, vulnerability, contingency, impact}, is used to select the events to
be investigated on the basis of the forecasted states of power system and in uencing
environment.
As for the impact on the system, reliability assessment focuses on the potential lack
of demand coverage due to insuf cient generation/transmission capacity and/or
problems of reserve for the most limiting contingencies (adequacy analysis) and on
the potential instabilities or frequency/current/voltage violations in the power
system response to contingencies (security analysis). Even if the return into service
of components following a disturbance is modelled, the main scope of such analyses
is to evaluate the quality of supply to customers (in terms of customer interruption
times and/or energy not supplied). Resilience analyses are meant to evaluate the
power system ability to deliver a degraded but still acceptable power supply service
to customers also under extreme events, taking into account the potential effects
that severe damages to the infrastructure can have on the power supply service.
Moreover, resilience assessment should account for the interactions with human and
natural environment (control center and maintenance personnel, weather
conditions, etc.) during extreme events.
As for the acceptability criteria, adequacy and security must be met in a “strict” way,
irrespective of the considered events. With resilience, instead, some degradation of
the service is allowed, according to the severity and extension of the event.
Instead, resilience analyses do not only focus on the customer supply but also on the
multiple aspects of the interactions between power system components and (natural
and human) environment, thus assessing both the process of electric supply loss and
recovery, and the process of infrastructure disruption and recovery. The response of
human staff (operators, maintenance teams) at the various phases of the system
response to disturbances is also a part of this process [46].
As for the modelling techniques, both reliability and resilience can be studied via
probabilistic or deterministic approaches. Examples of deterministic methods to
assess generation adequacy are the “reserve margin” and the “loss of largest unit”
criteria applied to some signi cant operating conditions in the year (i.e. summer or
winter peak); on the other side, probabilistic methods based on either Monte Carlo
simulations or analytical methods (e.g. Markov processes), can be applied to assess
load coverage accounting for the uncertainties of generation and transmission
capacity, availability, load level, etc. [42]-[44].
Currently, security and adequacy are the two necessary conditions to verify the
classical property of “reliability” for a power system. However, assuring the security
of the system in case of multiple outages, such as the ones produced by extreme
events, may not be techno-economically viable in terms of design, planning,
operation, and asset management requirements, whereas resilience criteria may be
met.
Several entities and researchers have already proposed their views on this
relationship.
For example, the US Federal Energy Regulatory Commission (FERC) indicates in [47]
that “resilience is a component of reliability in relation to an event”.
The North American Electric Reliability Corporation (NERC) states in [48] that “a bulk
power system that provides an adequate level of reliability is a resilient one”: this
suggests that resilience is a necessary condition for a reliable system. Moreover, the
de nition of ALR “Adequate Level of Reliability” [49] of a Bulk Electric System (BES)
proposed by NERC contains a list of system requirements which refer both to the
“traditional” view of reliability (the system must respond satisfactorily to prede ned
disturbances) and to the property of resilience (the system must limit the
performance degradation provoked also by HILP events and must recover effectively
In the “State of Reliability” reports, NERC highlights the dif culty for BES operators
in complying with points 4 and 5, stating that “For these less probable severe events,
BES owners and operators may not be able to apply economically justi able or
practical measures to prevent or mitigate an adverse reliability impact on the BES
even if these events can result in cascading, uncontrolled separation, or voltage
collapse” [50]. Anyway, the ALR de nition is considered as the basis of long term
reliability assessment reports by NERC in the last years (see for example [51]).
Reference [52] states “Within the broad context of reliability de ned by these
indices, resiliency would appear as a component of reliability. Resilience relates to
restorability and speed of restoration”, highlighting that available reliability tools
should consider the resilience of the system, by adequately modeling repair and
restoration processes [52][53].
As indicated in [54] reliability is related to the ultimate goal of the power systems,
i.e. providing electricity to the customers within speci c standards for the service
supply. The introduction of resilience property permits to specify the “standards for
the service supply” in terms of maximum duration and severity of degraded
performance of the system when it is struck by very severe events for which security
property cannot be assured at reasonable costs. This enables the de nition of
reliability standards also for extreme events.
The response of a power system under (either credible or extreme) events depends
not only on the features of the threat (intensity, location, extension, etc.) but also on
the intrinsic characteristics of the power system (physical characteristics of the
infrastructure, available systems for control, defense, automation and protection,
operating condition, in turn depending on load level, network topology, generation
and import/export patterns, etc.). A reliable system should satisfy the “standards of
quality of supply” over the long run, which implies the capability to have a
satisfactory response to (either single and multiple) contingencies for the operating
points over the analysis period, so that the reliability indicators (such as EENS)
computed typically on a yearly basis stay below a threshold established in
operational standards.
To attain this general goal (i.e. providing energy with given standards over the long
run) the system must be also resilient - i.e. limit its degradation within given
standards - in presence of the extreme events, for the operating points over the same
analysis period, considering the potential interactions between operating points and
the incumbent extreme events (e.g. potential cut-out of wind farms due to
windstorms, the reduction of thermal generation output due to prolonged droughts
and/or high ambient temperature, and load demand increase at the time of
temperature peaks). This requires the completion of the reliability standards by
introducing resilience-informed metrics and setting suitable admissible values for
these metrics.
6. Conclusions
After a comprehensive overview of the de nitions available in the literature, the
paper has presented a new de nition of power system resilience discussed in CIGRE
WG C4.47. This de nition provides a detailed characterization of the action of the
disruptive event in terms of geographical extension and severity of the effects.
Moreover, the property resilience and the key actionable measures which make a
power system resilient are de ned separately in the proposed de nition. Unlike
well-established properties like reliability, resilience is a dynamic multifaceted
concept which focuses on extreme (also HILP) events, on the evolution of threats
over the time and the interdependence among different critical infrastructures.
The paper has also compared resilience against reliability, adequacy and security
under different aspects (e.g. scope of analysis, selection of contingencies): the
increasing attention to power system responses to extreme events implies that
resilience is a necessary requirement to achieve a satisfactory quality of supply in
modern power systems and resilience informed metrics have to be considered in the
de nition of the standards for a reliable supply of electricity. It is envisaged that
resilience will change more and more the paradigm related to the planning and the
operation of power systems.
The following subsections present the most promising models discussed within
CIGRE WG’s. This does not exclude that other CIGRE WGs have different views on the
relationship between these two properties.
Firstly, from subsection 4.2 it’s worth noticing that reliability can be interpreted as a
fundamental property which does not refer to any speci c application criterion (no
reference to credible or extreme events).
In this perspective, a reliable system must have enough available generation and
transmission resources to cover the load with a suitable margin (adequacy), it must
withstand disturbances (security), i.e. continues supplying all the customers ful lling
suitable requirements for the electricity supply, at least for the category of
contingencies which satisfy a credibility criterion, but it must also limit its functional
degradation (resilience) for those contingencies which do not satisfy the credibility
criterion adopted by the TSO (extreme events).
Figure 1 - First model of relationship between reliability and resilience: resilience as a third sub-
property of reliability
This extension of the classical reliability model with the addition of resilience as a
sub-property of reliability is further justi ed by the following considerations.
Adequacy and security are necessary conditions to verify the classical property of
“reliability” for a power system. However, assuring the security of the system in case
of multiple outages such as the ones produced by extreme events leads to excessive
costs in terms of design, planning, operation, and maintenance.
If the reliability concept did not include resilience, as in the classical approach, then
a power system could not be de ned reliable in case of extreme events. In fact,
security, which requires no loss of conventional loads, is not assured for extreme
events but only for credible contingencies, due to the resulting excessive costs.
Instead, stating that a necessary condition for a system to be reliable is that the
system must have a suf cient resilience to extreme events leads to several
advantages:
Note that a system which is resilient is not necessarily reliable (because it may not
respect the requirements concerning the service supply, e.g. the maximum number
and duration of supply interruptions, in case of credible contingencies). Moreover, a
system which is reliable with respect to credible events (i.e. adequate and secure,
Figure 2 - Second model of relationship between reliability and resilience: two overlapping circles.
This model helps classifying the different sets of disturbances and performance
requirements as related to reliability and resilience that they intend to meet. In this
sense, the diagram not only represents the total probability space of disturbance
(credible and extreme events), but the relationship between reliability and resilience
in term of methodology, measures, and metrics:
The overlapping area of the reliability and resilience circles can also be described as
a risk-mitigation region in which both reliability and resilience performance
requirement goals are met. The goal is to expand the overlapping area by means of
integrated reliability and resilience planning processes to optimise both reliability
and resilience investment decisions.
Accordingly, reliability and resilience concepts could be linked as follows: the power
system is designed and operated for a set of incidents/events in such a way that it
reaches a desired reliability level. Thus, a resilient power system has different
reliability degree for different kind of incidents, from credible to non-credible events.
Resilience is given when after such an event the power system is able to return to an
acceptable operation within an acceptable ( nite) time after an event. How well that
succeeds, that is, how long parts of the power system are thereby in an unacceptable
condition is described over the measure of the resilience, which can be e.g. “high” or
“low”. As technical measurable value one of the reliability indices can be consulted.
Fig. 3 visualizes this interconnection between resilience and reliability. Each circle
represents a set of incidents in a power system.
The inner circle de nes the set of incidents (credible events) for which the power
system is designed to achieve a reliability level of almost 100%). This includes the
provision of a suitable generation and transmission infrastructure to satisfy the
demand with margins (adequacy) and of a satisfactory operation (security in case of
credible contingencies). For this set of incidents, the power system fully reliable. For
non-credible events the power system should guarantee the supply after a de ned
time following an incident, the system is still resilient but less reliable.
This model considers that resilience is a necessary condition for power system
reliability, as stated by model 1 and NERC documentation. However, according to this
model unlike the new resilience de nition discussed in this paper, resilience concept
is applied to both credible and non-credible (extreme) events.
Acknowledgment
The authors would like to thank CIGRE C4.47 Power System Resilience working group
and all members of C4, C2 and C1 WG’s for the useful discussions.
References
1. M. Panteli, G. Mancarella, “In uence of extreme weather and climate change on
the resilience of power systems: Impacts and possible mitigation strategies,”
Electric Power Systems Research, vol. 127, pp. 259-270 October 2015.
2. Holling, C. S. 1973. Resilience and stability of ecological systems. Annual Review
of Ecology and Systematics 4:1-2
3. C. Perrings, "Resilience and sustainable development," Environment and
Development Economics, vol. 11, pp. 417-427, 2006.
4. E. Hollnagel, et al., Resilience engineering: Concepts and precepts, Ashgate
Publishing, Ltd., 2007.
5. M. Chaudry, P. Ekins, K. Ramachandran, A. Shakoor, J. Skea, G. Strbac, X. Wang, J.
Whitaker, “Building a Resilient UK Energy System”, UKERC, Tech. rep. REF
UKERC/RR/HQ/2011/001, April 2011.
6. MCEER (Multidisciplinary and National Center for Earthquake Engineering
Research), “Engineering Resilience Solutions - From earthquake engineering to
extreme events”, Technical report MCEER-08-SP09, December 2008.
7. IEC, “Glossary of terms”, 2002. Available: http://std.iec.ch/glossary.
8. CIGRE WG C1.27, "The future of reliability – de nition of reliability in light of new
developments in various devices and services which offer customers and system
operators new levels of exibility", Technical Brochure no. 715 , Jan 2018.
9. CIGRE WG C1.27, “The future of reliability”, reference paper, Electra no. 296 ,
pp. 1-3, Feb 2018.
10. IEEE PES, “De nition of Terms”, technical report, 2004.
11. IEEE/CIGRE Task Force on Stability, «De nition and Classi cation of Power
System Stability,» IEEE Transactions on Power Systems, vol. 19, n. 3, pp. 1387-
1401, May 2004.
12. EU Commission Regulation (EU) 2015/1222 of 24 July 2015 establishing a
guideline on capacity allocation and congestion management, 2015.
13. NERC, “Glossary of Terms”, technical report, last update March 2022.
14. ENTSO-E, “Synchronous Area Framework (SAFA) Documentation, 2019. Available
at the link: https://www.entsoe.eu/publications/system-operations-
reports/#continental-europe-synchronous-area-framework-agreement
15. EU Commission Regulation (EU) 2017/1485 of 2 August 2017 establishing a
guideline on electricity transmission system operation, 2017.
16. ENTSO-E, “All TSOs Biennial Progress Report on Operational Probabilistic
Coordinated Security Assessment and Risk Management”, December 2021
17. CIGRE WG C4.601, “Review of the current status of tools and techniques for risk-
based and probabilistic planning in power systems”, Technical Brochure no. 434
, pp 1-132, March 2010.
18. Methodology for the European resource adequacy assessment in accordance with
Article 23 of Regulation (EU) 2019/943 of the European Parliament and of the
Council of 5 June 2019 on the internal market for electricity, 2 Oct 2020. Online
19. Rede ning Resource Adequacy Task Force, “Rede ning Resource Adequacy for
Modern Power Systems,” 2021, Reston, VA: Energy Systems Integration Group.,
Tech. Rep. ESIG. Online
20. U. Shahzad, “Probabilistic Security Assessment in Power Transmission Systems:
A Review”, Journal of Electrical Engineering, Electronics, Control and Computer
Science – JEEECCS, Vol. 7, no. 26, pp. 25-32, 2021
Biographies
Emanuele Ciapessoni has been in Italian Power system research centres since 1990,
when he joined CISE S.p.A. and then ENEL Research. Currently he is Leading
Scientist and Chair of the Scienti c Committee at Ricerca sul Sistema Energetico (RSE
S.p.A.). His research interests include power system resilience and security, risk
analysis and mitigation, wide area monitoring protection and control, restoration.
He is convenor of Italian Electrotechnical Committee CT65 on Industrial-process
measurement, control and automation. He also provides consultancy services to the
Italian regulatory Authority for electric Energy and Gas in power system resilience
and several energy-related topics. He is the scienti c lead in the de nition of the
Terna-RSE methodology for resilience-oriented planning. He is an active member of
the CIGRE Working Group C4.47 on power system resilience and of IEEE Working
Groups on cascading failures.
Since 1990 he has coordinated several national and international projects on power
system, dealing with the development and application of innovative approaches for
system resilience and risk management. Currently he is involved in the EU project
HVDC-WISE EU project dealing with reliability and resilience of power systems
including HVDC grids.
He has published over 80 scienti c papers and reports and he has been reviewer
and session chair in several international conferences and reviewer for several
journals.
Andrea Pitto got his M.Sc. degree (2005) and PhD (2009) in Electrical Engineering
from the University of Genoa (Italy), where he worked as a research assistant in
2009-2010. He joined Ricerca sul Sistema Energetico – RSE S.p.A. in 2011. His
research interests concern probabilistic risk-based approaches to power system
resilience assessment and enhancement, cascading outage analysis, security
assessment techniques. He was involved in the development of the methodology for
resilience-oriented planning of the Italian TSO. Active member of the CIGRE Working
Group C4.47 on power system resilience and of IEEE Working Groups on cascading
failures and on common mode dependent outages. He has been IEEE Senior Member
since 2016.
Malcolm Van Harte has 26 years of experience in the electric utility Transmission
and Distribution industry. He holds an MSc in Electrical Engineering from the
University of Cape Town and works in distribution as the Senior Manager for SMART
GRID and Head of Network Operations Centre of Excellence (including Cyber
Security, Data Analytics and Distribution Telecommunication Operations). He's also
worked in risk and resilience, network planning, regional and national control
centers, and network optimization. He has chaired or participated in a number of
strategy projects, working groups, and study committees aimed at improving the
reliability and quality of electricity infrastructure, including the National Blackout,
Provincial Transmission Risk Workshops, Network Planning, Network Performance,
and Quality of Supply. He has led and participated in a number of strategic initiatives
aimed at strengthening Eskom's resilience capabilities, including disaster
management, business continuity, organizational resilience, and enterprise risk
management. He is now working with the implementation of a new Distribution
operating model with additional capabilities such as Distribution System Operator
and Energy Trader.
[1]
Expression “High Impact, Low Probability” is equivalent to “High Impact Low
Frequency” adopted in [37].