Incorporating failures of System Protection Schemes into power system operation

The power transfer capability of existing transmission networks can be enhanced through the use of automated system protection schemes (SPS), which rapidly respond to disturbances on the network to keep the system’s variables within operational bounds. However, reliance on such schemes may expose the network to large impacts – including blackouts – if the SPS does not respond as designed, so the deployment of SPS should balance risks and benefits. This paper formulates a risk-based cost–benefit framework that allows the operator to strike an optimal balance between constraint costs and risks of demand curtailment due to malfunctioning SPS. It is applied to a simple 4-bus power system inspired by the GB network, for which an exact optimisation problem can be formulated. A component-based dependability model is developed for the SPS to determine its failure modes and associated probabilities. The resulting cost-minimisation problem is solved for a range of operating conditions and SPS reliability levels. The results consistently show cost savings from the use of an SPS, even if it is highly unreliable, when a hedging strategy may be used. The optimal solution is highly sensitive to the problem parameters, but it is demonstrated that optimal operational strategies are associated with particular SPS outcomes. This finding may be used as empirical guidance to develop operational strategies for complex networks with unreliable SPS. © 2016 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).


Introduction
System Protection Schemes (SPS), also known as System Integrity Protection Schemes (SIPS) or Remedial Action Schemes (RAS), are systems designed to detect abnormal power system conditions and initiate predetermined corrective actions to mitigate the impact of abnormal operating conditions, usually triggered by contingencies [1]. SPS interventions include changes in load, generation, or system topology, usually mediated by ICT infrastructure. These corrective systems help to protect the power system from high-impact low-probability events, including cascading failures [2]. network users [4,6], illustrated by deployments in e.g. Canada, Brazil and Chile. Indeed, a recent survey by IEEE and PSERC [7] on global experiences with SPS shows an increase in the use of such schemes. However, SPS actions are not infallible in practice, and relying on them means exposing the system to additional risks resulting from SPS malfunction. If such failures occur, they may drive the system far outside its regular operating regime, potentially triggering harmful blackouts. Therefore, the increasing use of these schemes needs to be accompanied by a better understanding of their true impact, as undesirable SPS operations may result in a deterioration of the overall system reliability.
SPS malfunctions are not as infrequent as one may think. Panteli et al. [8] reviewed NERC System Disturbance Reports from 1986 to 2009 and found that of 26 SPS malfunctions, 11 cases were related to ICT operational failures. SPS malfunctions have also played a role in Europe, as happened in the Nordic network in 2005 [1]. Moreover, in a 1996 IEEE-CIGRE survey [9], respondents from the power industry assigned very high cost estimates to SPS failures. This underscores the necessity of a robust decision framework for SPS operation that takes into account SPS failure modes and their likelihood of occurrence. SPS failures are classified into dependability-based (failure to operate when required) and security-based (accidental activations). Dependability failures typically receive the most attention in protection system design and system studies, because failure of a protection system to operate when the system is in a state that requires it, is likely to have significant consequences [10].
Despite the potential risks from SPS malfunctions, the operational rules for these systems have historically been determined based on deterministic techniques combined with expert judgement [1]. In recent years, probabilistic analysis has increasingly been used to address uncertainties in pre-fault operating conditions (e.g. demand levels, outages, variable generation, etc.). Hydro-Quebec [11,12] has performed simulations based on historical snapshots and made use of techniques such as data mining and combinatorial optimisation to optimise the settings of generation and load shedding protection systems. Similarly, Hsiao et al. [13], and Wen-Ta and Chao-Rong [14] perform simulations under different operating conditions to optimise SPS settings in the Taiwan power system. Another example is BC Hydro [1], which has implemented an arming scheme for multiple SPS such as generation intertripping using off-line Monte Carlo simulations. All these efforts have resulted in robust rules for SPS operation based on a sensible coverage of operating conditions and contingencies, but dependable SPS operation has commonly been assumed for these studies.
Integrating the risks caused by unreliable SPS into power system operations is a challenging task, due to the large number of possible scenarios and the difficulty involved in modelling the consequences of SPS malfunctions. A generic risk assessment for SPS based on FMEA and Markov modelling is presented in Fu et al. [15], where the authors focus on computing the optimal arming point of a generation rejection scheme. Panteli and Crossley [16] also calculate optimal arming points that balance the risks stemming from a lack of dependability and accidental activations. These works are concerned with risk-based optimal configuration of SPS. However, the computation of impacts from SPS malfunction scenarios has commonly not included the response of the power system in complex post-fault scenarios. The latter is often highly nonlinear, for example when the malfunction triggers a cascading outage. Besides, the risks from unreliable SPS operation should be embedded in a system-level cost-benefit analysis, so that they are accounted for in operational decisions regarding dispatch and the loading of transmission lines. Ultimately, such a framework seeks to balance benefits and risks associated with different levels of network utilisation and investment, as in the case of probabilistic security standards [17]. Moreno et al. [4] have presented an initial investigation of this topic, but their analysis included only a very simple model of SPS malfunction and its impacts.
SPS use long-range communication and automated decisions to improve the control of the physical electricity grid. As such, they form an excellent model system to study the complexities involved in the modelling and operation of cyber-physical energy and communication systems. The development of reliability analysis methods for such systems is an open research challenge [18].
This paper makes a number of contributions towards the risk-aware operation of power systems using unreliable SPS:
• We formally state the decision problem faced by the operator to simultaneously optimise the dispatch of generators and the arming of the unreliable SPS, introducing the different cost components of the objective function (Section 2).
• A simple four-bus model system is introduced to demonstrate the salient properties of this optimisation challenge. The model is sufficiently simple to allow a closed form expression for the optimisation (Section 3 (model) and Section 4 (optimisation)).
• The model makes use of a high-level SPS dependability model, based on generic components (relay, communication channel, logic controller, breaker), the results of which are summarised by a conditional probability table for the SPS response (Section 4).
• Section 5.1 investigates the properties of the optimal dispatch and SPS configuration, across a range of operating conditions and SPS reliability scenarios. The results demonstrate the robust ability of even an unreliable SPS to contribute to a reduction in system costs, often through hedging against (partial) failures.
• We demonstrate that the optimal SPS configuration, for any dispatch, is a member of a discrete set of candidate solutions, which are associated with specific SPS outcomes (including its failure modes). This finding is likely to be beneficial for the development of efficient optimisation methods for large power systems.
It should be noted that the framework presented in Section 2 is widely applicable, but implementing such a framework for large networks that may suffer complex cascading outages is far from trivial. The implementation in Sections 3 and 4 stops short of that long-term aim by focusing on a simple network configuration. The transparency of this model enables an in-depth understanding of the properties of the solutions (Section 5). Such understanding will contribute to the future development of generalised methods that can be applied to complex power systems.

Problem statement
We consider the problem of optimal system operation from the perspective of a single central operator in a congested network with pre-contingency security constraints. In the operational time frame, the operator must decide on the optimal dispatch of generators to minimise operational costs. In addition, it can configure and arm an SPS to relax security constraints. Efficient operation of the system is achieved by co-optimising the dispatch and SPS configuration in a way that balances the benefits from the utilisation of low-cost generation (e.g. wind) and the risks due to contingencies and unreliable SPS operation. Fig. 1 illustrates the operational decision problem. We assume that the operator has no recourse after a contingency occurs, so that the dispatch and SPS configuration fully define the system's response to faults. We further assume that contingencies unrelated to the SPS are neutralised by a security constrained OPF as part of the dispatch so that only SPS-related contingencies need to be considered. The operational costs are analysed using a three-stage decomposition of the power system response to faults. The first stage is steady state operation, which characterises the pre-fault state. This stage is associated with two deterministic cost elements: (1) variable generation costs $G$ (£/h); (2) availability fees $P_a$ (£/h) for system protection services, including the availability/arming fee of the SPS.
The second stage, SPS action and system response, is triggered by the stochastic occurrence of a contingency. SPS activation causes generators to trip and spinning reserve services to be deployed in order to neutralise the resultant generation shortage. The costs associated with this stage are the protection utilisation costs $P_u$ (£/event). Note that this is a random variable, characterised by uncertainties relating to the stochastic occurrence of contingencies and the potential for SPS malfunctions.
The third and final stage is end user impact. SPS malfunctions or operational choices can result in post-fault overloads that trip transmission lines, possibly in a cascading manner. The impact on supply to end users is summarised by the loss of load cost L (£/event).
Taken together, this allows us to define a probabilistic cost-benefit framework. The operator identifies dispatch decisions D and SPS decisions S that minimise the total cost $C$ – or more specifically the expected cost $E[C]$ (for a risk-neutral system operator): where P and X are the expected protection and loss-of-load costs, respectively. The optimisation is subject to constraints relating to power flows, the generation dispatch, etc. The optimisation framework presents two challenges. First, the set of possible SPS outcomes can be very large, and depends on the decision variables (generator dispatch and SPS configuration). The explicit consideration of all possible SPS outcomes for all possible SPS configurations can be prohibitive for large systems. Second, in a general setting, computing the load-shedding costs L requires detailed analysis of a complex power system. The costs may, for example, depend on the outcome of a cascading process that includes random hidden failures of local protection systems [19]. When complex cascading pathways are involved in the power system response to faults, an algebraic formulation of the costs is typically not available, and the impact can only realistically be evaluated by explicit simulation of individual events and operating points.
In the remainder of this paper we analyse a simple 2 + 2 bus model where an exact expression for $X = E[L]$ exists.
Although this direct approach to solving (1) cannot be extended to large systems, it provides insight into the challenges involved in formulating and solving this problem. Specifically, we identify properties of the solutions that provide guidance for the future development of heuristic optimisation schemes for larger systems.
The discussion above considers a single decision under constant system conditions. This decision process can be repeated on a rolling basis (e.g. half-hourly) for long-term system operation. See [20] for an example of this approach. In the following, only a single operational snapshot is considered, to focus on the properties of the elementary decision problem itself.

Model description
The challenging task of co-optimising generation dispatch and the configuration of an unreliable SPS will be illustrated using a simple model system. The model is inspired by the situation in the GB power system, where most demand is situated in England and Wales, whereas Scotland offers the best locations for wind power generation. The Scotland-England transmission corridor consists of two existing (AC) double circuits, which are scheduled to be supplemented by two off-shore HVDC lines in order to increase the power transfers [21,22]. The overall planned transmission investment to accommodate new wind power projects amounts to approximately £15 billion (2010-2020) [5], thus illustrating the potential value of making better use of existing assets. The model power system is shown in Fig. 2; it has two major busbars, labelled North and South. The North bus has a large amount of installed wind capacity and only limited local demand, creating an economic incentive for a net North-South power flow. The power flows downstream through two identical double circuits, each divided in two sections. The representation then has a total of eight identical lines ($L_1 \ldots L_8$), each with a circuit rating of 1700 MW [4]. We restrict our analysis to active power flows – ignoring losses – and do not consider dynamical or voltage constraints. In the absence of an SPS, we will assume that the transmission lines are subject to an 'N-1' security standard, where the system must be able to continue normal operations after the loss of any single or double circuit (also known as 'N-d'). Assuming identical double circuits and a lack of corrective control actions, only 50% of the network capacity can be released to the users, resulting in frequent curtailment of wind power generation in the North bus.
A generation rejection scheme is connected to two intermediate buses, named West and East. After any line fault (single or double), this SPS aims to disconnect the faulted lines and remotely trip a predetermined amount of wind generation connected to the North node. These actions have the objective of isolating the faulted lines and reducing the load on remaining lines. Frequency services from generators located in South are relied on to restore the balance between load and generation (see also Section 3.3). The amount of generation to be disconnected may therefore not exceed the frequency response capability of the network. The base case considers a minimum of 1800 MW to deal with large generator In order to focus on generic problems related to SPS reliability we consider a basic SPS that disconnects a defined amount of wind power s, equally distributed across n independent sites connected to the North bus. The system operator balances the system's risk profile by selecting suitable values of s and n, in conjunction with a pre-fault generation dispatch. Table 1 shows the installed capacity and cost parameters $\alpha_i$ of different types of generating units, based on data from [4]. To simplify the optimisation model, we use an average generating unit size of 500 MW for all technologies.
Single and double circuit faults are modelled as Poisson processes with rates $\lambda_s$ and $\lambda_d$ (occurrences/hour), respectively.
Representative values for fair and bad weather are shown in Table 2.

SPS dependability model
The SPS is not 100% dependable (i.e. can fail to operate when called upon).
a block if it has not suffered a hidden failure. When a signal reaches a $G_i$ symbol on the right, the corresponding generator is disconnected. The scheme includes physical connections to N wind farms, but only n ≤ N connections are armed at any given time, at the operator's discretion. The dependability model is similar to the Reliability Block Diagram/Network Model approach [24], but unlike that approach the diagram in Fig. 3 has multiple inputs and outputs, and a single connected path does not necessarily qualify as a 'success'. The components of the SPS are of the type:
• Relay ($R_1$ . . .
• Logic control ($LC_W$, $LC_E$): makes the decision to remotely trip generation. It acts as an OR logic gate, and broadcasts a trip signal to the remote breakers upon receiving a fault signal from any one of the relays. The signal is only broadcast to the n ≤ N generators that have been pre-selected by the system operator.
Let us suppose that a fault occurs on line $L_1$. In a normal operation of the SPS, the relevant relay ($R_1$) identifies the fault and sends a trip signal to its local breaker ($B_1$). This action then trips the faulted line ($L_1$). At the same time, $R_1$ sends a signal to the logic control ($LC_W$) which broadcasts a trip signal through the communication channels associated with the generators that had been previously selected ($C_{w,1} \ldots C_{w,n}$). The trip signals reach the remote breakers which finally trip the targeted generators. However, malfunctioning SPS components can result in abnormal operation. For example, the malfunction of the communication channel associated with one of the n selected generators results in a loss of a fraction 1/n of the scheduled SPS capacity. For the communication channels we consider an illustrative average availability (0.95 by default), which will be varied for sensitivity analysis in later sections. The dependability of the other components is modelled using a hidden failure model.
Their average availability is determined using a constant failure rate and regular (independent) inspections during which any faulty component is repaired [25]. Average availabilities are estimated using a first order approximation as: The component availabilities (Table 3) are computed assuming a time between inspections of 6 months. It must be noted that any event that triggers SPS activation also constitutes an inspection, as malfunctioning components will be identified by their failure to operate. Therefore, if the SPS is triggered at a rate similar to or larger than the inspection frequency, the inter-inspection time $T_i$ should be adjusted for these activations. A constant value is used for the component availabilities, consistent with our analysis of a single operational snapshot. For applications to rolling decision problems, the reliability parameters could vary with time, and potentially depend on load conditions. We assume that the SPS has a protective back-up system that clears the faulted lines if the main breakers ($B_1 \ldots B_8$) fail to do so [26]. This, however, always involves the loss of the whole bus to which the faulted lines are connected. Returning to our example, should $B_1$ fail to isolate $L_1$ from the system, the back-up system would actuate and isolate the eastern intermediate bus.

Cost of SPS (mis)operation
From the power system perspective, unintentional SPS outcomes can result in a sequence of events that are ultimately associated with a cost to the operators or users of the system. In keeping with our basic model we use a quasi-steady state assumption.
The operation of the SPS results in a net power imbalance whenever at least one of the generating sites is successfully tripped. In such a situation, frequency-sensitive generators will restore the power balance within seconds, before any further action in the form of load shedding is triggered. Frequency services are assumed to be deployed in the South node with a minimum capacity of 1800 MW, which is required to protect the system against the sudden loss of the largest generating unit. We assume that response and reserve capacity is purchased at a price $\pi_a$ [£/MW/h], and additional capacity beyond the minimum amount of 1800 MW can be optionally purchased to provide headroom for additional SPS intertripping capacity. In the latter case, $\pi_a$ represents an effective availability fee for frequency regulation driven by the SPS. In addition, there is an SPS utilisation fee, consisting of payments $\pi_u$ [£/MW/event] to disconnected generators. After the generation-demand balance is restored, it is assumed that the north-south power flow is evenly distributed over the remaining lines. The total transfer capacity is therefore equal to N × 1700 MW, where N is the number of parallel circuits that remain in service. If, after SPS operation and frequency response, the power flow exceeds the post-fault transfer capacity this will trigger a disconnection of the remaining lines. Note that this condition will usually result from a (partial) SPS malfunction, but in rare cases it may be economically advantageous to accept disconnections even when the SPS operates as designed.
Disconnection of the corridor splits the system, separating the north and south nodes. This new topology necessitates a second restoration to balance generation and demand within each node (electrical island). In this case, frequency services are exhausted before emergency defence plans are invoked, triggering involuntary load and generator shedding. The capacity for emergency generation and load shedding is assumed to be unlimited and of the required granularity. The cost associated with customer disconnections is $\pi_x$ [£/MW/event] – restoration is implied, but not explicitly modelled. There is no cost associated with emergency generator disconnection. The numbers used in our study are listed in Table 4.
In our basic model, the loss of the transmission corridor following incorrect operation of the SPS will lead to system splitting and necessary demand curtailment. This is a special case of a more general phenomenon where an initial fault is compounded by an inappropriate corrective response. As a result, the power system can find itself significantly outside the range of safe operating conditions, which may lead to an uncontrollable cascading outage that can result in a complete blackout.

Methods
This section develops the formal optimisation model that represents efficient operation and SPS configuration for the system described in Section 3. For clarity, the notation used is summarised in Table 5.

Probabilistic SPS outcomes
The component-level SPS model described in Section 3.2 has inherent symmetries that can be exploited to simplify its analysis. Instead of modelling all possible line outages and malfunctions of the SPS components individually, it is sufficient to consider one single and one double line outage with appropriately scaled fault rates and convert the original SPS topology to a simplified block diagram. This is justified because:
• all SPS components of the same type have identical availabilities
• the SPS acts in the same way for any line outage of the same order, namely single and double faults, regardless of where it occurs
• all single line faults are equivalent, independent from each other and are assumed not to occur at the same time, and the same applies to double line faults.
We further reduce the complexity of the initial SPS by integrating the availability of the generator-connected circuit breaker block with that of its respective communication channel block. Finally, the simplified SPS model, shown in Fig. 4, includes exclusively the n generators that the system operator selects to participate in the scheme at a given time (n ≤ N).
The outcomes of the SPS are characterised by the loss of one or two lines (local actions) as well as the number of generators that successfully trip (remote actions). The local actions are indicated by the label l ∈ {s, d}, where s and d represent single or double circuit outages, respectively. Because the intertripping capacity is allocated evenly among the selected generators, the remote actions can be summarised by the number m ∈ {0, . . . , n} of generating sites that was successfully disconnected. The 2(n + 1) possible outcomes of SPS action can thus be represented by the pair (l, m).
The SPS can be triggered by single and double line faults, which means that the outcome probabilities are conditional on these events. The probabilistic dependability model is thus summarised by Table 6. We now compute the probabilities of the different SPS outcomes upon the occurrence of a single line fault ($e_s$). We first analyse the case m = 0 in which none of the selected generators trip. The conditional probabilities for a single or double circuit outage are: For m ≠ 0 we find: Next, we determine the probabilities of SPS outcomes upon a double circuit fault event ($e_d$). After the occurrence of a double circuit fault the local bus (Western or Eastern) will be disconnected, either by correct operation of the local breakers or by operation of the back-up breakers. We first calculate the probability that a signal is successfully sent from the logic control. This requires at least one of the relays and the logic controller to function correctly:
$p^{(ts)}|e_d = \left(a_{r1} a_{r2} + (1 - a_{r1})\, a_{r2} + a_{r1} (1 - a_{r2})\right) a_{lc}$.
As before, we treat separately the cases m = 0 and m ≠ 0. Using $p^{(ts)}|e_d$, the probabilities of each SPS outcome conditional on

Cost and constraint formulation
Ultimately, the SPS is part of the system operator's toolbox that provides additional options to reduce operational costs. The SPS failure and impact models thus form part of a probabilistic optimisation problem that determines the optimal dispatch of generators jointly with an SPS configuration. This minimisation is subject to the definitions and constraints listed below.
(1) Generation (G)
The cost of generation G is defined as a linear function of the dispatched output $g_i$ of generator i: A time step t = 1 hour is assumed throughout. The dispatched generating capacity should equal the demand in the North ($D_N$) and South ($D_S$) nodes combined: subject to physical transfer constraints on the North-South flow t: The commitment of generating units is modelled as follows: where $u_i$ represents the binary commitment status of each generator and $g_i$ the reserve capability from part-loaded generators. We assume that this is provided by generators in the South, and it is constrained by
$1800\ \mathrm{MW} \le r \le 2800\ \mathrm{MW}$ (19)
where r is the allocated frequency response and reserve capacity and $\Delta g_i$ represents the reserve limit of unit i. The minimum value of r is 1800 MW, but the system operator may decide to contract up to 1000 MW of additional intertripping and reserve capacity if this is beneficial for the overall cost minimisation. The additional capacity may be used to relax constraints on the intertripping capacity s, which is limited by
(2) System protection (P)
The system protection cost P represents the expected hourly cost of system protection services, consisting of frequency response and SPS availability fees and SPS utilisation fees. The availability cost is determined in advance by purchasing a response capacity r at a fee $\pi_a$ of £30/MW/h. This fee implies that the response capacity will only exceed 1800 MW if there is a corresponding security benefit from arming a significant amount of SPS capacity (s > 1800 MW).
The actual SPS utilisation fees are unknown, as they depend on the stochastic occurrence of outages and the actual amount of generation tripped in response to these outages. For this reason, the expected utilisation cost is included in P. Successfully tripped generation capacity is compensated with a utilisation fee $\pi_u$ of £1000/MW/event.

(3) Risk (X)
The third source of costs is the risk X due to emergency load shedding after unsuccessful SPS operation. The risk, the expected cost of supply interruptions, is computed by multiplying the value of disconnections $\pi_x$ by their rate of occurrence and the amount of Here, $D_{l,m}(t, r, s, n)$ represents the (deterministic) demand that will be shed in a particular scenario. For the minimal model that is the focus of this paper $D_{l,m}(t, r, s, n)$ has the compact explicit This expression consists of two factors. The first determines whether or not an overload occurs. The quantity $t - \frac{m}{n} s$ indicates the post-SPS power flow between the nodes and $t_l = N_l \times 1700$ MW is the available transfer capacity, which depends on the local SPS outcome l ∈ {s, d}: $N_s = 3$ for a single circuit disconnection and $N_d = 2$ for a double-circuit disconnection. $\theta(x)$ represents the unit step function that returns 1 when x > 0 and 0 otherwise.
The second factor determines the extent of the load shedding if the north and south nodes split into separate islands. The south node has a pre-fault generation deficit t, which can be partially offset by the reserve capacity r. The remainder must be shed.
Note that this leaves $\delta_{l,m}$ and $\eta$ undefined for exact equalities, but the lower associated costs will result in $\delta_{l,m} = 0$ and/or $\eta = 0$ in such cases.
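The outcome enumeration of Section 4.1 and the two-factor load-shedding term described above can be worked through numerically for the double-circuit fault event. The following Python sketch is an added example, not the authors' code. It assumes that, once the trip signal is broadcast, each of the n armed sites trips independently with the merged channel/breaker availability, that shed demand is t − r clamped at zero, and that s may not exceed r; the relay and logic-control availabilities, the fault rate and the value of lost load are constructed placeholders, because Tables 2 to 4 are not reproduced here.

```python
from math import comb

LINE_RATING_MW = 1700            # circuit rating given in the model description
N_REMAINING = {"s": 3, "d": 2}   # N_l: parallel circuits in service after outcome l
EPS_MW = 1e-6                    # tolerance: exact equality is not an overload

def trip_signal_prob(a_relay, a_lc):
    """p(ts)|e_d: at least one of the two relays AND the logic control work."""
    return (1.0 - (1.0 - a_relay) ** 2) * a_lc

def outcome_probs_double_fault(n, a_relay, a_lc, a_chan):
    """P(l = d, m | e_d) for m = 0..n.

    Assumption (not the paper's table): given a broadcast trip signal, the
    number of sites that trip is Binomial(n, a_chan); without a signal m = 0.
    """
    p_ts = trip_signal_prob(a_relay, a_lc)
    probs = [p_ts * comb(n, m) * a_chan**m * (1.0 - a_chan)**(n - m)
             for m in range(n + 1)]
    probs[0] += 1.0 - p_ts
    return probs

def demand_shed(l, m, t, r, s, n):
    """D_{l,m}(t, r, s, n) in MW: overload indicator times the South deficit
    that the reserve r cannot cover (clamped at zero, an assumption)."""
    post_sps_flow = t - m * s / n                 # t - (m/n) s
    capacity = N_REMAINING[l] * LINE_RATING_MW    # t_l = N_l x 1700 MW
    overloaded = post_sps_flow - capacity > EPS_MW
    return max(t - r, 0.0) if overloaded else 0.0

def expected_cost_double_fault(t, r, s, n, lam_d, pi_u, pi_x,
                               a_relay, a_lc, a_chan):
    """Expected utilisation fee plus loss-of-load risk from e_d, in GBP/h."""
    probs = outcome_probs_double_fault(n, a_relay, a_lc, a_chan)
    utilisation = sum(p * pi_u * m * s / n for m, p in enumerate(probs))
    risk = sum(p * pi_x * demand_shed("d", m, t, r, s, n)
               for m, p in enumerate(probs))
    return lam_d * (utilisation + risk)

def candidate_s(t, r, n, l="d"):
    """Discrete candidates for s: zero, plus the smallest s at which outcome
    (l, m) stops overloading, for each m. Between these thresholds the
    utilisation fee rises with s while the risk is unchanged."""
    excess = t - N_REMAINING[l] * LINE_RATING_MW
    cands = {0.0}
    if excess > 0:
        cands.update(n * excess / m for m in range(1, n + 1)
                     if n * excess / m <= r)      # assumed constraint s <= r
    return sorted(cands)

def best_intertrip(t, r, n, **params):
    """Restricted problem: fixed dispatch (t, r) and n, choose s."""
    costs = {s: expected_cost_double_fault(t, r, s, n, **params)
             for s in candidate_s(t, r, n)}
    return min(costs, key=costs.get), costs

# pi_u and a_chan are the paper's values; the rest are constructed placeholders.
PARAMS = dict(lam_d=1e-4, pi_u=1000.0, pi_x=10_000.0,
              a_relay=0.99, a_lc=0.99, a_chan=0.95)

if __name__ == "__main__":
    s_best, costs = best_intertrip(4400.0, 2000.0, 2, **PARAMS)
    for s, c in costs.items():
        print(f"s = {s:6.0f} MW  expected cost = {c:8.2f} GBP/h")
    print("best s:", s_best)
```

With these inputs the cheapest candidate arms twice the 1000 MW excess flow across two sites, so that the loss of one channel still leaves the corridor within its post-fault capacity: the hedging behaviour reported in the results.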

Optimisation formulation
Having defined the cost terms G, P and X and the constraints on the optimisation variables, the overall cost-benefit optimisation can be stated as This is a mixed integer problem, which is non-linear due to the appearance of n, the number of contracted sites, in the denominators in (21), (23) and (24). However, for a fixed value of n the problem (32) reduces to a mixed integer linear program. Because the realistic range of n is small (each site requires a separate communications channel and intertripping contract), we solve it sequentially for each permissible value of n and select the best solution. In the following, we use n = 1, . . . , 4.
The optimisation (32) computes an optimal trade-off between the cost of generation, protection and risk. It is instructive to compare the resulting cost of generation $G^*$ with the hypothetical scenario where fault-related costs are not considered. The cost of this unconstrained dispatch is computed as subject to (10)–(19).
The difference $G^* - G_0$ is the constraint cost: the additional generation cost incurred in the interest of system security.
Finally, to investigate the properties of the solutions to (32) we will also consider the restricted problem where the operator selects an optimal SPS configuration for a given dispatch, which fixes the pre-fault transfer condition t and response/reserve allocation r. This results in the formal optimisation (34)

Optimal generation dispatch and SPS configuration
We solve the optimisation problem (32) to investigate how the optimal cost-benefit trade-offs are affected by weather conditions and SPS reliability. The weather conditions affect the fault rates, as presented in Table 2, and therefore the overall risk levels. The SPS reliability is modulated by the availability of the communication channels, using three scenarios: 80%, 95% and 99%. With these numbers, communication dropouts are considerably more likely than is commonly assumed [27], but the aim of this exercise is to probe the sensitivity of solutions to a large range of SPS reliability levels. For example, the analysis of unreliable communication channels could exemplify the control of low cost providers of ancillary services over the internet. Other component availabilities are modelled as in Table 3. A hypothetical 100% dependable SPS (for all components) is also included in the comparison. Local demands of 6600 MW (north) and 48 400 MW (south) are used for all examples.
The cost-benefit trade-off is also impacted by the generation side, which determines the constraint costs that drive the willingness to take risks. To investigate this, we perform studies for different available wind output levels (maximum value of wind output) in the north node, ranging from 1.8 to 11 GW. The system operator may curtail wind to satisfy constraints, thereby reducing the actual power produced at the wind farms.
On the left side of Fig. 5 (upper panel), we plot the total operating costs G + P + X as a function of the amount of wind power available, for bad weather conditions. Different curves correspond to different reliability levels: black: 80%; red: 95%; blue: 99% (communications availability); green: 100% availability of all components. The overall cost of the solutions decreases smoothly as a function of available wind output, and increasingly reliable SPS result in decreased operating costs. The SPS results (solid lines) should be compared to the dashed cyan line, which shows the cost of operating the system without SPS under the preventive 'N-d' security standard (anticipation of double circuit faults). Under this regime, costs no longer decrease after the wind power availability reaches 6900 MW. The middle and bottom left panels of Fig. 5 confirm that the constraint cost $G^* - G_0$ (computed using (33)) associated with this solution increases sharply, primarily driven by wind power curtailment. In contrast, the use of an SPS allows the system to make effective use of approximately 10 GW of wind. Notably, this is true even for the most unreliable SPS (solid black line).
The right side of Fig. 5 shows the breakdown of the objective function into its generation, protection and loss-of-load risk components. The generation costs are an order of magnitude larger than the protection and risk components, and thus show a trend that is qualitatively similar to the overall cost. The dependable SPS (solid green) is deployed when the available wind output reaches 4 GW, resulting in an increase in protection costs without associated risk. On the other hand, the unreliable SPS are armed only when the available wind output exceeds 6.5 GW, because of the risk associated with their malfunction. Their use is accompanied by a rise in protection costs and loss-of-load risk.
It is important to note that the balance of G, P and X depends in a nontrivial way on the available wind output and SPS dependability parameters. For example, we observe that the most unreliable SPS considered (the black line) results in higher overall operating costs compared to more reliable SPS (red or blue lines), but, for the optimal configuration, the loss-of-load risk X is actually smaller for available wind outputs exceeding 9750 MW (bottom right panel).
Fig. 6 plots the selected optimal SPS configuration (the parameters n and s) as a function of available wind output. The upper panel shows the number of armed sites n, and the bottom panel the total SPS capacity s. Note that the value of n is not shown for the 100% dependable SPS, because it is indeterminate (all configurations are equally reliable). As the available wind output increased, so did the cost of constraining transmission capacity, thus providing an incentive to increase the SPS capacity s. Whereas the reliable SPS (green curve) is used from available wind output levels of 3900 MW upwards, the less reliable SPS are only employed for higher wind penetration levels. For available wind output above 8000 MW it becomes increasingly desirable to contract additional reserve and SPS capacity, for all reliability levels. In general, it should be noted that the optimal SPS configuration depends on the parameters in non-trivial ways.
In addition to committing redundant SPS capacity, because the SPS configuration is co-optimised with the dispatch, the system operator may also constrain generators out of their merit order to limit the transfer in the corridor (preventive security). In Fig. 7 we contrast the resulting pre-fault transfer capacity for bad (top) and good (bottom) weather conditions. The bad weather scenario corresponds to that analysed in Figs. 5 and 6. For fair weather conditions the occurrence of faults is significantly less likely, and in this case the reliability level of the SPS hardly impacts the optimal power transfer. As in Fig. 5, the 'N-d' preventive security solution is shown for comparison (dashed cyan), illustrating that SPS are used to enable significantly higher power transfers, even in bad weather conditions with unreliable SPS.

Candidate solutions
The previous section has demonstrated that the optimal choice of dispatch and SPS configuration depends in complex ways on generation and SPS reliability parameters. This section attempts to identify generic properties of these optimal solutions, which can be used to structure the search for such solutions in cases where an explicit optimisation problem in the form (32) is not available.
We consider the restricted optimisation (34) where the operator must select an optimal SPS configuration for a given dispatch, and thus for a given pre-fault transfer condition t. The objective function for a representative case is shown in Fig. 8, which plots P + X as a function of s, for each of the cases n = 1, …, 4, with bad weather conditions, a dispatch that results in a pre-fault transfer of 6100 MW and the minimum reserve capacity requirement of 1800 MW. Note that in this illustration no additional reserve capacity is purchased and therefore the cost of increasing the SPS capacity committed does not augment the cost of available reserve capacity. The global minimum is found for (s, n) = (1500 MW, 3).
In our model, the protection costs P(·) (Eq. (21)) have two regimes: s ≤ 1800 MW, where no availability fee is directly attributable to the SPS capacity, and s > 1800 MW, where it requires the system operator to purchase additional reserve capacity to counteract generation-demand imbalances beyond the (otherwise) largest credible loss of generation. In both regimes P(·) is linearly increasing in s. The lost load cost X(·) (Eq. (22)), on the other hand, is dependent on whether load shedding is required. In our power system there are only two possible scenarios: no load shedding ($D_{l,m} = 0$), or a complete loss of transmission in the corridor resulting in the formation of two islands. When this happens, the southern node has insufficient reserve capacity to restore the balance, in which case load must be shed at a cost of $X = \pi_x \cdot (t - r)$. The function X(t, r, s, n) is therefore piecewise constant in s.
The discontinuities along the s-coordinate occur where the system transitions from a fault that is contained to one that leads to islanding followed by involuntary load shedding. Because there is at most one such transition for a given SPS outcome, the discontinuities can be labelled by the set $s^{l}_{m/n}$, where the pair (l, m) defines the post-SPS scenario as before. The implication is that the minimum of X(t, r, s*, n) with respect to s is attained at one of these discontinuities, or at the domain boundaries of s: $\{\underline{s}, \overline{s}\}$. We will refer to this set of possible values of s as ''candidate solutions''. The value $s^{l}_{m/n}$ can be interpreted as the SPS capacity that just prevents load shedding for a loss of load of l lines followed by the response of m-out-of-n generators. This statement has a significant implication: the optimal SPS configuration is always one that just prevents cascading overloads in a particular outcome scenario.
Table 7 summarises the final set of candidate solutions in our example. The minimum cost solution (bold) is achieved using three generators (n = 3), committing 1500 MW in total. Specifically, this configuration corresponds to the solution $s^{s}_{2/3}$ in which the system just remains within the transfer limits if one line is lost and one out of three generators fails to trip. This corresponds to an overprovision of 500 MW of intertripping capacity to hedge against SPS malfunction. Note that a candidate solution may implicitly include prevention against overloading in other scenarios. For example, the candidate solution $s^{s}_{2/3}$ also implies that there is
We apply this analysis to the co-optimised dispatch and SPS configurations shown in Figs. 5 and 6. Fig. 9 shows the sequence of selected candidate solutions as a function of available wind output. Firstly, these results confirm that optimal operational solutions are always part of a finite set of candidate solutions defined by the different SPS outcomes.
Inspection of the selected outcomes for unreliable SPS shows three regimes: for low wind power output levels, the SPS is not armed ($\underline{s}$); for intermediate levels, the SPS is configured to prevent islanding for double line outages, assuming the SPS works correctly ($s^{d}_{n/n}$); for very high wind output levels, the SPS only fully protects against a single line outage, but with a degree of redundancy ($s^{s}_{m/n}$, with m < n).
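The candidate-solution argument above can be checked numerically. The following is an added example, not the authors' code: it replaces the paper's component-based dependability model with independent sites that each trip with the same probability, and every price, fault probability and the double-fault requirement are constructed values chosen so that the toy model lands on the page's optimum (s, n) = (1500 MW, 3).

```python
from fractions import Fraction
from math import comb

T, R = 6100, 1800                 # pre-fault transfer and reserve in MW (from the page)
NEED = {"s": 1000, "d": 2500}     # intertrip MW needed after single/double line loss;
                                  # 1000 follows from the 500 MW overprovision, 2500 is assumed
P_FAULT = {"s": 2e-4, "d": 2e-5}  # assumed fault probabilities per period
AVAIL = 0.8                       # assumed probability that one site trips on demand
PI_X = 30000                      # assumed cost per MW of shed load
FEE, RES_FEE = 2, 8               # assumed arming fee and extra-reserve fee per MW
S_MAX = T                         # assumed upper bound on SPS capacity

def pmf(m, n):
    """Probability that exactly m of n independent sites respond."""
    return comb(n, m) * AVAIL**m * (1 - AVAIL)**(n - m)

def protection_cost(s):
    """P: linear in s, with a steeper slope once s exceeds the reserve R."""
    return FEE * s + RES_FEE * max(0, s - R)

def risk_cost(s, n):
    """X: piecewise constant in s; islanding when m sites trip too little."""
    p_island = sum(P_FAULT[l] * pmf(m, n)
                   for l in NEED for m in range(n + 1)
                   if m * s < NEED[l] * n)   # m*s/n MW tripped < requirement
    return PI_X * (T - R) * p_island

def total_cost(s, n):
    return float(protection_cost(s) + risk_cost(s, n))

def candidates(n):
    """Domain boundaries plus every s^l_{m/n} = NEED[l] * n / m inside the domain."""
    cands = {("boundary", "min"): Fraction(0), ("boundary", "max"): Fraction(S_MAX)}
    for l in NEED:
        for m in range(1, n + 1):
            s = Fraction(NEED[l] * n, m)     # exact, so the threshold test is exact
            if s <= S_MAX:
                cands[(l, f"{m}/{n}")] = s
    return cands

def best_candidate(n_values=range(1, 5)):
    return min((total_cost(s, n), float(s), n, label)
               for n in n_values for label, s in candidates(n).items())

def grid_minimum(n, step=1):
    """Brute-force search over s, for comparison with the candidate set."""
    return min((total_cost(s, n), s) for s in range(0, S_MAX + 1, step))

if __name__ == "__main__":
    print("best candidate:", best_candidate())
    for n in range(1, 5):
        print("n =", n, "grid minimum:", grid_minimum(n))
```

For each n the brute-force search over 6101 values of s returns the same cost as the handful of candidates, which is what makes the candidate set useful for restricting a heuristic search.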

Conclusions and future work
This paper provides insights into the challenges involved in formulating and solving the problem of balancing benefits and risks associated with unreliable SPS for efficient power system operation. The fundamental characteristics of the problem were captured in a risk-based cost-benefit framework based on a three-stage decomposition of the power system response to faults; each stage contributes to the objective function of a risk-neutral operator. One of these contributions is the expected cost of load shedding. In a general setting, computing this cost will require the analysis of complex cascading pathways. This will typically prevent the formulation of an algebraic optimisation problem and necessitate the use of heuristic optimisation methods.
By focusing on a simple four-node exemplar network, we were able to derive a closed-form expression for the optimisation problem (32), which enabled us to investigate the properties of the optimal dispatch/SPS configurations in detail. The analysis reveals that even SPS with a high probability of malfunction can produce large operational cost savings with respect to the 'N-d' security standard, by reducing constraint costs. This is especially true in good weather scenarios (low fault rate), where the optimal generator dispatch was insensitive to SPS performance. For higher fault rates (e.g. bad weather conditions), the savings with respect to 'N-d' are still substantial, but depend more sensitively on SPS dependability. In some cases, additional intertripping capacity is committed to hedge against partial malfunctioning of the SPS. However, the precise optimal operational decisions depend in nontrivial ways on model parameters, even for the minimal system analysed in this paper, thus illustrating the inherent complexity in finding optimal solutions using heuristic means.
However, the identification of 'candidate solutions' in Section 5.2 may help such methods to search the solution space more efficiently. We have observed that the optimal operational strategies precisely prevent expensive involuntary load shedding for one SPS outcome scenario (fully operational or partial failure). This property may then be used to select starting points for heuristic optimisation, or to restrict the search space. The authors are currently researching such approaches to the operation of large scale power systems with unreliable SPS.
The SPS dependability block model described in this paper is generic, and is easily applied to more complex protection schemes that feature a variety of responses, including load and topology changes. In future work, the SPS model can also be extended to include security-based failures (accidental tripping). Finally, it should be noted that the combined model of power system and SPS is a compact example of a cyber-physical system. Although general methods for the reliability analysis of such systems are still elusive, the findings described in this paper may contribute to the development of this research area.