analyzing substation automation system reliability using ...715620/...analyzing substation...

Analyzing Substation Automation System Reliability using

Probabilistic Relational Models and Enterprise Architecture

JOHAN KÖNIG

Doctoral Thesis

Stockholm, Sweden 2014

TRITA-EE 2014:021ISBN 978-91-7595-131-7ISSN 1653-5146ISRN KTH/ICS/R-14/02-SE

Industrial Information and Control SystemsKTH, Royal Institute of Technology

Stockholm, Sweden

Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy

© Johan König, April 2014. Copyrighted articles are reprinted with kind permission fromIEEE.

Set in LATEX by the authorPrinted by Universitetsservice US AB

Abstract

Modern society is unquestionably heavily reliant on supply of electricity. Hence, the powersystem is one of the important infrastructures for future growth. However, the power systemof today was designed for a stable radial flow of electricity from large power plants to thecustomers and not for the type of changes it is presently being exposed to, like large scaleintegration of electric vehicles, wind power plants, residential photovoltaic systems etc. Oneaspect of power system control particular exposed to these changes is the design of powersystem control and protection functionality. Problems occur when the flow of electricitychanges from a unidirectional radial flow to a bidirectional. Such an implication requiresredesign of control and protection functionality as well as introduction of new informationand communication technology (ICT). To make matters worse, the closer the interactionbetween the power system and the ICT systems the more complex the matter becomesfrom a reliability perspective. This problem is inherently cyber-physical, including every-thing from system software to power cables and transformers, rather than the traditionalreliability concern of only focusing on power system components.

The contribution of this thesis is a framework for reliability analysis, utilizing systemmodeling concepts that supports the industrial engineering issues that follow with the imple-mentation of modern substation automation systems. The framework is based on a Bayesianprobabilistic analysis engine represented by Probabilistic Relational Models (PRMs) in com-bination with an Enterprise Architecture (EA) modeling formalism. The gradual develop-ment of the framework is demonstrated through a number of application scenarios basedon substation automation system configurations.

This thesis is a composite thesis consisting of seven papers. Paper 1 presents the frame-work combining EA, PRMs and Fault Tree Analysis (FTA). Paper 2 adds primary substationequipment as part of the framework. Paper 3 presents a mapping between modeling en-tities from the EA framework ArchiMate and substation automation system configurationobjects from the IEC 61850 standard. Paper 4 introduces object definitions and relations incoherence with EA modeling formalism suitable for the purpose of the analysis framework.Paper 5 describes an extension of the analysis framework by adding logical operators to theprobabilistic analysis engine. Paper 6 presents enhanced failure rates for software compo-nents by studying failure logs and an application of the framework to a utility substationautomation system. Finally, Paper 7 describes the ability to utilize domain standards forcoherent modeling of functions and their interrelations and an application of the frameworkutilizing software-tool support.

Keywords: Reliability analysis, substation automation, Enterprise Architecture, proba-bilistic analysis, Probabilistic Relational Models, Bayesian networks, software reliability,failure rates, fault tree analysis.

Sammanfattning

Dagens samhälle är helt beroende av konstant försörjning av elektricitet. Elnätet utgörsåledes en grundsten för samhällets tillväxt. Av historiska skäl är elnätet utformat för atthantera ett radialt flöde av elektricitet - från stora kraftverk ut till enskilda konsumenter.Den nuvarande utvecklingen runt om i Europa och världen som innebär en omfattandeanslutning av geografiskt spridda småskaliga produktionsenheter, som vindkraftverk ochsolceller, kommer att ändra dagens enkelriktade överföring av el från stora centraliseradeproduktionskällor ut till konsumenterna. En sådan problematik ställer krav på styr- ochskyddssystem något som leder till införande av ny informations- och kommunikationsteknik(IKT). Detta ökar samtidigt komplexiteten i hela systemet vilket i sin tur ställer kravpå utveckling av nya metoder och verktyg för hantering av tillförlitligheten i dessa merkomplexa system.

Arbetet som presenteras i denna avhandling ett modellbaserat ramverk för tillförlitlig-hetsanalys av automationssystem för kraftverk. Analysramverket är baserat på en bayesi-ansk analysmotor baserat på probabilistiska relationsmodeller (PRM) i kombination medprinciper för modellering av verksamhetsövergripande arkitektur (s.k. Enterprise Archi-tecture – EA). Avhandlingen beskriver ramverkets gradvisa framtagande, där varje utveck-lingssteg demonstreras genom applicerande av ramverket på lämplig systemkonfiguration.

Avhandlingen är en sammanläggningsavhandling bestående av sju artiklar. Artikel 1presenterar analysramverket som kombinerar EA, PRM och felträdsanalys. Artikel 2 in-troducerar kraftsystemkomponenter som del av analysramverket. Artikel 3 beskriver enmappning mellan modelleringselement från EA-ramverket ArchiMate och de objekt enligtstandarden IEC 61850 som används för konfigurering av ställverksautomationssystem. Ar-tikel 4 introducerar definitioner av analysramverkets element och relationer, vilket görsi enighet med EA-ramverket ArchiMate. För att säkerställa att ramverket räknar enligtförväntat resultat presenteras en jämförelse av analysresultat från ett antal systemkonfi-gurationer med beräkningar baserade på tillförlitlighetsblockdiagram (s.k. Reliability BlockDiagrams – RBD). Artikel 5 utvidgar ramverkets förmåga att analysera systemarkitekturgenom introduktion av logiska grindar. Artikel 6 presenterar förbättrad statistik på sanno-likheteten att fel i systemet kan härledas till mjukvarukomponenter samt en tillämpningav ramverket på ett modernt ställverksautomationssystem. Artikel 7 presenterar möjlighe-ten att använda domänstandarder för att normalisera modellering av funktioner och dessrelationer samt tillämpning av ramverket integrerat i mjukvarustöd.

Nyckelord: Tillförlitlighetsanalys, ställverksautomation, Enterprise Architecture, system-modellering, probabilistiska relationsmodeller, bayesianska nätverk, mjukvarufel, felfrekvens,felträdsanalys

Acknowledgments

I want to express my gratitude towards everyone who have helped me along my path towardthis thesis. Without the support by supervisors, colleagues, family and friends none of thiswould ever have been possible.

I thank my head supervisor Professor Lars Nordström for the tolerance, encouragementand support throughout the project as well as my assistant supervisor Associate ProfessorMathias Ekstedt for some very interesting discussions. I also thank Professor EmeritusTorsten Cegrell for giving me this opportunity and Judy Westerlund and Annica Johannes-son for the truly outstanding support along the entire journey.

My present and past fellow PhD candidates, thank you for creating a joyful environ-ment at the department, for all the interesting discussions and for all laughters shared. Iam grateful to my co-authors, especially Per Närman and Ulrik Franke for sharing yourknowledge and experiences.

I thank my partners from industry and academia who have guided me in the rightdirection and supporting me with invaluable knowledge and information. A special thanksto Dr. Nirmal Nair and my other friends at the University of Auckland for giving me suchan amazing time.

Finally, I am deeply grateful to my family - Anita, Bo and Anders - and my friends forall the invaluable support; and last but definitely not least, Emma and Ebba - you are thesunshines of my life!

Thank you all!

Stockholm, April 2014Johan König

vii

Papers

Papers included in the thesis

[1] J. König, U. Franke, and L. Nordström, “Probabilistic availability analysis of controland automation systems for active distribution networks,” in IEEE PES Transmissionand Distribution Conference and Exposition, New Orleans, US, Apr. 2010, pp. 1–8.

[2] J. König, L. Nordström, and M. Ekstedt, “Probabilistic relational models for assessmentof reliability of active distribution management systems,” in 2010 IEEE 11th Interna-tional Conference on Probabilistic Methods Applied to Power Systems, PMAPS 2010.IEEE, 2010, pp. 454–459.

[3] J. König, K. Zhu, L. Nordström, M. Ekstedt, and R. Lagerström, “Mapping the sub-station configuration language of IEC 61850 to archimate,” in Proceedings - IEEE In-ternational Enterprise Distributed Object Computing Workshop, EDOC. IEEE, 2010,pp. 60–68.

[4] J. König, L. Nordström, and M. Ekstedt, “An architecture-based framework for reliabil-ity analysis of ICT for power systems,” in Power and Energy Society General Meeting,2011 IEEE, 2011.

[5] J. König, P. Närman, U. Franke, and L. Nordström, “An extended framework for relia-bility analysis of ICT for power systems,” in IEEE PowerTech, Trondheim, Jun. 2011,pp. 1–6.

[6] J. König and L. Nordström, “Reliability analysis of substation automation system func-tions,” in Reliability and Maintainability Symposium (RAMS), Reno, US, Jan. 2012, pp.1–6.

[7] J. König, L. Nordström, and M. Österlind, “Reliability analysis of substation automationsystem functions using PRMs,” IEEE Transactions on Smart Grid, vol. 4, no. 1, pp.206–213, 2013.

Author contributions

In [1], the general research concept is due to König and Franke with support by Nord-ström, whereas the article was mostly authored by König and Franke.

In [2], the general research concept is due to König, Nordström and Ekstedt, whereasthe article was mostly authored by König, and presented by König at the conference.

In [3], the general research concept is due to König and Nordström, and the mappingwas jointly performed by König, Kun, Nordström, Ekstedt and Lagerström, whereas the

ix

x PAPERS INCLUDED IN THE THESIS

article was mostly authored by König and Kun. The article was presented by Prof. PontusJohnson.

In [4], the general research concept is due to König, Nordström and Ekstedt, whereasthe article was mostly authored by König, and presented by König at the conference.

In [5], the gate logic concept is due to König, Närman and Franke, whereas the thegeneral research concept is due to König, Närman, Franke and Nordström, and the articlewas mostly authored by König, and preseted by König at the conference.

In [6] the general research concept is due to König and Nordström, and the case studymostly performed by König with support by Nordström, whereas the article was mostlyauthored by König, and presented by König at the conference.

In [7] the general research concept is due to König and Nordström, whereas the articlewas mostly authored by König and Österlind.

RELATED PAPERS NOT INCLUDED IN THE THESIS xi

Related papers not included in the thesis

[8] U. Franke, H. Holm, and J. König, “The distribution of time to recovery of enterprise ITservices,” IEEE Transactions on Reliability – Special Section on Information, System,and Software, 2014 Submitted for publication.

[9] U. Franke, P. Johnson, and J. König, “An architecture framework for enterprise ITservice availability analysis,” Software & Systems Modeling, pp. 1–29, 2013.

[10] U. Franke, P. Johnson, J. König, and L. Marcks von Würtemberg, “Availability ofenterprise IT systems : an expert-based bayesian framework,” Software quality journal,vol. 20, no. 2, pp. 369–394, 2012.

[11] P. Närman, U. Franke, J. König, M. Buschle, and M. Ekstedt, “Enterprise architectureavailability analysis using fault trees and stakeholder interviews,” Enterprise Informa-tion Systems, 2012.

[12] P. Närman, H. Holm, P. Johnson, J. König, M. Chenine, and M. Ekstedt, “Dataaccuracy assessment using enterprise architecture,” Enterprise Information Systems,vol. 5, no. 1, pp. 37–58, 2011.

[13] U. Franke, P. Johnson, J. König, and L. Marcks von Würtemberg, “Availability ofenterprise IT systems : an expert-based bayesian model,” in Proc. Fourth InternationalWorkshop on Software Quality and Maintainability, 2010.

[14] J. König, D. Höök, and L. Nordström, “Probabilistic relational models for reliabilitycentered asset management of active distribution management systems,” in CIREDWorkshop 2010, 2010.

[15] P. Närman, M. Buschle, J. König, and P. Johnson, “Hybrid probabilistic relationalmodels for system quality analysis,” in Proceedings - IEEE International EnterpriseDistributed Object Computing Workshop, EDOC, 2010, pp. 57–66.

[16] K. Zhu, M. Chenine, J. König, and L. Nordström, “Data quality and reliability aspectsof ICT infrastructures for wide area monitoring and control systems,” in 2010 5thInternational Conference on Critical Infrastructure, CRIS 2010, 2010.

[17] ——, “Analysis of data quality issues in wide area monitoring and control systems,”in 2010 IREP Symposium – Bulk Power System Dynamics and Control, 2010.

[18] U. Franke, D. Höök, J. König, R. Lagerström, P. Närman, J. Ullberg, P. Gustafs-son, and M. Ekstedt, “EAF(2) - a framework for categorizing enterprise architectureframeworks,” in SNPD 2009 : 10TH ACIS International Conference on Software En-gineering, Artificial Intelligence, Networking and Parallel Distributed Computing, Pro-ceedings. IEEE Computer soc., 2009, pp. 327–332.

[19] U. Franke, P. Johnson, R. Lagerström, J. Ullberg, D. Höök, M. Ekstedt, and J. König,“A method for choosing software assessment measures using bayesian networks anddiagnosis,” in 13TH European Conference on Software Maintenance and Reengineering:CSMR 2009, Proceedings, ser. European Conference on Software Maintenance andReengineering. IEEE Computer soc., 2009, pp. 241–245.

[20] ——, “A formal method for cost and accuracy trade-off analysis in software assess-ment measures,” in RCIS 2009 : Proceedings of the IEEE International Conference onResearch Challenges in Information Science. IEEE, 2009, pp. 295–302.

xii RELATED PAPERS NOT INCLUDED IN THE THESIS

[21] J. König and L. Nordström, “Assessing impact of ICT system quality on operationof active distribution grids,” in 2009 IEEE Bucharest Powertech. IEEE, 2009, pp.1977–1984.

[22] R. Lagerström, P. Johnson, D. Höök, and J. König, “Software change project costestimation : A bayesian network and a method for expert elicitation,” in Third Inter-national Workshop on Software Quality and Maintainability (SQM), 2009.

[23] P. Närman, P. Johnson, M. Ekstedt, M. Chenine, and J. König, “Enterprise architec-ture analysis for data accuracy assessments,” in 2009 IEEE International EnterpriseDistributed Object Computing Conference. IEEE Computer soc., 2009, pp. 24–33.

Table of contents

I Introduction 1

1 Introduction 31.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.2 Research objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.3 Research results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51.4 The developed framework in brief . . . . . . . . . . . . . . . . . . . . . . . . 81.5 Outline of the thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2 Research domain 112.1 Substation automation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112.2 Information system modeling . . . . . . . . . . . . . . . . . . . . . . . . . . 142.3 Reliability analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3 Research design 253.1 Research process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253.2 Reliability and validity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283.3 Expert validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4 Conclusions & Future work 314.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314.2 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Bibliography 35

II Papers 1 to 7 45

1 Probabilistic Availability Analysis of Control and Automation Systemsfor Active Distribution Networks 47

2 Probabilistic Relational Models for Assessment of Reliability of ActiveDistribution Management Systems 57

3 Mapping the Substation Configuration Language of IEC 61850 to Archi-Mate 65

4 An Architecture-Based Framework for Reliability Analysis of ICT forPower Systems 77

xiii

5 An Extended Framework for Reliability Analysis of ICT for Power Sys-tems 87

6 Reliability Analysis of Substation Automation System Functions 95

7 Reliability Analysis of Substation Automation System Functions usingPRMs 103

Part I

Introduction

Chapter 1

Introduction

1.1 Background

The electrification of modern society is one of the most significant technology achievements.This has led to the power system today being a critical infrastructure where people aroundthe globe rely on the continuous supply of electricity at home as well as at work. To beable to supply the increasing demand of electricity the power network needs to operatecloser to its limits with rising stress on equipment such as cables and transformers. Theintegration of new type of components, e.g. photo voltaic panels, electrical vehicles, windpower, "smart homes" etc., will require even more capacity of the power system in orderto not jeopardize the security of electricity supply. Such power systems, described in forinstance [127] and [37], is drastically different from today´s radial flow of electricity fromlarge centralized power plants to the customers. Distributed generation of electricity mayfor instance cause power to flow in opposite direction, creating a bi-directional flow, thatcould be very dangerous if not managed correctly. A possibility would be not to allow suchconditions, which however unnecessarily curtails lots of generated electrical energy thatcould have come to better use in a world with limited energy resources.

Operating these new types of systems will call for new solutions supported by Infor-mation and Communication Technology (ICT). An important factor that needs attentionis the increased interdependency between the power grid and the ICT systems. This issomething, that if it is not managed properly will enhance the probability of that a systemoperation failure will be caused by a malfunctioning ICT sub-system or component, as forexample illustrated in [106], [107] [32], [31], [14]. Addressing the aspects of ICT system fail-ure and its impact on the power system operation will be critical for successful operation ofthe future power systems. As a consequence, this becomes more a cyber-physical concern,including everything from system software to power cables and transformers, rather thanthe traditional reliability concern of only focusing on power system components, as stressedin [129].

To effectively integrate new ICT technology a number of standards have been developedby the power industry. Standards such as IEC 61850 [62] and CIM [28] have opened newways for system vendors to design their products with a standardized interface. This hascreated a platform for interoperability without specifying component or system architecture.The functional architecture, i.e. functions allocation in the system architecture and theirinterrelations, is becoming more important when designing ICT system architecture. Forinstance the IEC 61850 standard enables functional allocation independent from the physicalinfrastructure in a harmonized way. ICT system architecture development includes the

3

4 CHAPTER 1. INTRODUCTION

design of physical infrastructure together with a logical structure with proper allocation offunctionality. The paradigm change by separating physical and logical structure enabled bythe standards opens new ways of reasoning when designing future systems. However, thisdrive also potentially creates more complicated system solutions, making reliability analysisbased on "per device" obsolete.

A domain that has shown success in capturing ICT systems physical components andtheir functionality, as well as relations to organizational and business objectives and pro-cesses, is Enterprise Architecture (EA). EA is a discipline for managing an enterprise´sinformation system portfolio in relation to the supported business and offers a variety of dif-ferent methods, tools and frameworks. In this thesis the EA discipline is mainly addressedin terms of metamodeling, as part of the probabilistic analysis framework development.Metamodels, descriptive models on how to model the architecture, are one of the core com-ponents of EA and can serve multiple purposes [86]: (i) to document the architecture of anenterprise; (ii) to plan and design the architecture of an enterprise, and (iii) to analyze thearchitecture of an enterprise. Analysis, in particular, closely relates the the use of EA andarchitectural models for decision-making [68]. The need for proper management of substa-tion automation systems is motivated both by their complexity and also by their importantrole in the Smart Grid vision. The proposal of using EA, which has proven successful inother information system domains, hopefully can support stakeholders in managing theirSA system portfolio and their integration to other business domains.

1.2 Research objectives

The research objective of the work described in this thesis is to develop a framework forreliability analysis by potentially utilizing EA concepts that supports the industrial engi-neering issues that follow with the implementation of modern SA systems.The framework should possess the following properties:

• Support quantitative cyber-physical reliability analysis of SA system functionalityrealized by ICT systems (control and protection relays, network switches, softwareapplications, etc.) in tight integration with primary equipment (circuit breakers,disconnectors, transformer, etc.)

• Since the reliability of SA system functionality depend both on the layout of thephysical ICT infrastructure as well as the layout of the functional allocation, theframework shall be able to capture architecture layouts based on specifications ofeither physical infrastructure or logical structure.

• Make use of existing information models about components and systems and supportimport and reuse of existing information, for example based on standards and systemconfigurations.

Research questions

Based on the aforementioned research objectives, the three following research questions havebeen specified:

1. Is it possible to utilize EA frameworks for modeling and documenting architecturesof moderns Substation Automation systems? Or are there fundamental differences incontext? If so, provide suggestions for adaptations to the utilized EA frameworks.

1.3. RESEARCH RESULTS 5

2. Could Probabilistic Relational Models be applied onto EA models for analyzing reli-ability of substation automation systems developed according to modern principles?

3. Is it possible to extract useful information in IEC 61850-based configuration files inorder to reduce modeling efforts?

The choice of research questions is motivated by:

1. As stated in the introduction, the discipline of EA has proven successful in captur-ing the complexity of systems in architectural models. In particular, the layering ofsystems into a separation between physical infrastructure and functional structure isa feature in many EA frameworks, e.g. ArchiMate [60] and TOGAF [128], and thatpossibly could apply well for the stated research objective.

2. The interest in using PRMs has its background in a number of interesting applica-tions for decision support, for example modifiability analysis of enterprise informationsystems [88], application consolidation [41], as well as tool support [34].

3. The idea of extracting information from IEC 61850-based configuration files, SCDfiles, originates from the Substation Configuration Language (SCL) which, describedin more detail in Chapter 2, includes an object meta-model that could be mappedonto the PRM analysis framework. If important information, e.g. Intelligent Elec-tronic Devices (IEDs), networks and functional allocation, could be extracted fromthe XML-based SCD files the modeling effort could drastically be reduced. Especiallysince an SA system usually is composed of 20-100 IEDs interconnected by high-speedcommunication network including routers and gateways with hundreds of distributedfunctions [85].

1.3 Research results

The research presented in this thesis is a result of efforts on answering the aforementionedresearch questions. The results, presented in a number of research articles - Paper 1 to 7- are included in the thesis; each relating to one or more of the research questions. Whilethe analysis framework being the common denominator throughout the presented researcharticles, the union of them all constitutes the contributions and answers to the statedresearch questions. Figure 1.1, 1.2 and 1.3 show the relation of each paper to each of thethree research questions.

Research question 1

As seen in Figure 1.1 the utilization of EA was introduced from the start, i.e. in Paper1. This first development was very much focused towards ICT components, functions andservices closely related to utilization one would expect for enterprise information systems.The setup was intended to capture important objects in active distribution power grids,in particular related to ICT. Hence, the analysis framework at that point did not supportmodeling of primary equipment relating to the power system. Primarily the ArchiMatemetamodel [59] was used as reference for the design of the PRM analysis framework.

The most significant advancement in terms of EA integration is a mapping between theSCL object metamodel of the standard IEC 61850 presented in Paper 3. The result showsa limitation of applying ArchiMate for power systems, where the actors of a power systemare physical power equipment instead of humans, departments, or business units as specified


� � � � � � �� ! � � " � �# $ % & ' � � � ( � � �� ) � � * � � + ( � � � � � � � � � � , �- � � � � � � . / � � � � � � � � �� ( � � �� ) � � * � � + ( � � � � � � � � � � 0 �� + � � � � � � � �� . / � ) � � ( � � � �� + � � � � � � � � � � �� + � � � + � � � � � � 1Figure 1.1: The process of answering research question 1

in ArchiMate. The analysis framework presented in Paper 4 is a result of the previousadvancements with object definitions and relations in coherence with a subset of ArchiMatesuitable for the purpose of the analysis framework. In Paper 6 the framework’s abilityto capture components of interest is demonstrated in a case study on a specific SA systemfunction. The PRM’s structural entities which are primarily based on technical documenta-tion of SA systems captures relevant components including relations to functionality. Theresult shows that the EA framework ArchiMate could be utilized in the SA system domainas long as it is expanded with the capability of modeling physical equipment. As ArchiMateis a widely adopted modeling standard maintained by the The Open Group and supportedby numbers of EA tools it is assumed to be a valid representative for EA modeling languagesand frameworks in general.

Research question 2

The first result of PRM utilization is presented in Paper 1, as shown in Figure 1.2.The PRM at this point is aimed at availability; however the differences are very limitedand the concept is still valid for reliability. The primary difference between availability andreliability is that availability focuses on the probability of a system or component is workingproperly, while reliability focuses on the probability that a system or component is workingproperly after a certain time in operation, i.e. without repair. In order to verify PRMsin the context of system availability/reliability analysis, a simple example is presented inrelation to the well-known fault tree analysis (FTA) method. The paper also presents amore well-defined PRM with an application to a simplified system for voltage control. Theoption of analyzing structural properties, for example redundancy, is supported by the PRMin a similar way as using FTA.

In Paper 2 the application of PRMs is expanded to include primary equipment aspart of the framework. It also shows the support of multiple attributes for each entity, forexample the attribute lines of code as part of entity software application with casual relationto the attribute reliability. In order to make sure the calculations of the PRM-based analysisframework are correct, they are in Paper 4 contrasted with the well-known reliability blockdiagram (RBD) method. The result in Paper 5 presents an extension of the framework byadding logic gates - AND and OR - to the PRM. This extension is similar to the supportfor redundancy in Paper 1, but with more coherence with FTA. More about PRMs followsin section 1.4.

1.3. RESEARCH RESULTS 72 3 4 5 6 7 89 : ; < = > ? @ A ? B < = < CD E F G > C < @ @ : H B A I B H B ? JA = A H > J > B = ? K : L < = ? : M ?< C A L ? B N : O B > ? @ B I P ? B < =Q @ B O >2 3 4 5 6 R 8S ? B H B T B = Q D E F G > C < @U A P H ? V @ : : W = A H J > B > 2 3 4 5 6 X 8D A @ ? B A H N A H B O A ? B < = < CD E F L A H L P H A ? B < = > I A > : O< = E : H B A I B H B ? J Y H < L Z9 B A Q @ A ; > A = OL < ; [ < = : = ? C A B H P @ : @ A ? : > 2 3 4 5 6 \ 8D E F C @ A ; : ] < @ Z: M [ A = O : O ] B ? K H < Q B L< [ : @ A = O > W ^ 9 _ ` E> B ; B H A @ ? < U A P H ? V @ : :W = A H J > B >Figure 1.2: The process of answering research question 2

Research question 3

The most apparent result in terms of integrating the PRM with IEC 61850 is the mappingpresented in Paper 3. Although the result does not show the possibility to extract databased on configuration files, it highlights the sort of information that is available, butleaves the actual mapping as future work. The continued development however showedcomplications in terms of modeling functions and their relations using logical nodes as givenin the result of the mapping. Instead, as presented in Paper 7, the piece of informationfor communication (PICOM) from the IEC 61850 standard was most appropriate for thetask at hand.

2 3 4 5 6 a 8F A [ [ B = Q b c d < C e f cg h i j k ? < ? K : f WC @ A ; : ] < @ Z W @ L K B F A ? : 2 3 4 5 6 l 8b ? A = O A @ O B T B = Q C P = L ? B < =; < O : H B = Q P > B = QD e c ` F G > < C e f c g h i j kFigure 1.3: The process of answering research question 3

An effort was also put into integrating the results in the tool EAAT [23] developedat the department as well as add the feature of information extraction from substationconfiguration description (SCD) files. SCD files are based on the substation configurationlanguage (SCL) and partly contains information about the system architecture in an XMLformat. Hence, instead of spending lots of effort to create a separate model of the SA systemfor reliability analysis, for example an instantiated fault tree, the process is automated byextracting information from the configuration files. Based on the information from the SCDfile most of the physical infrastructure, logical structure and their relations could be modeledand used for the analysis. Although an early development has shown promising results thecontinuation if left for future work with emphasis on software application developmentfocusing on EAAT.


1.4 The developed framework in brief

The aforementioned results are summarized in the output of a PRM-based framework foranalyzing the reliability of SA systems. The motivation behind applying PRMs for reliabilityanalysis of SA systems is the ability to both use the probabilistic reasoning offered byBayesian networks together with architecture models. PRMs extend Bayesian networks withthe concept of objects, their properties, and relations between them [48]. A PRM specifiesa template for a probability distribution over the attributes of objects and their relations inan architecture model. The template describes the metamodel for the architecture model -defining a set of classes, with each class associated with a set of descriptive attributes anda set of reference slots linking the attributes - and the probabilistic dependencies betweenattributes of the architecture’s objects. An architecture instantiation (i.e. architecturemodel) specifies the set of objects from each class, the values for the attributes, and thereference slots of the objects. A PRM, together with an instantiated architecture modelof specific objects and relations defines a probability distribution over the attributes of theobjects. A PRM thus constitutes a formal machinery for calculating the probabilities ofvarious architecture instantiations. This allows us to infer the probability that a certainattribute, e.g. reliability, assumes a specific value, given some (possibly incomplete) evidenceof the rest of the architecture instantiation. For a more comprehensive description of theformal PRM language see [48].

The complete PRM is presented in Figure 1.4 and includes a total of five structuralelements (hardware and software) and five logic elements (functions). In Figure 1.5 a secondPRM including AND and OR gates is presented. As seen, each of the five structural andfive logic elements are described with relations to a superclass - Functions and Structure -that in turn is related to the gates. The classes inherits all the properties of the relatingsuperclass.

Equipment Conversion Unit Network

Device

Reliability

Application Component

Reliability Reliability

Reliability

Reliability

Primary Function

Reliability

Conversion Function

Reliability

Infrastructure Function

Reliability

Secondary Function

Reliability

Business Function

Reliability

1

1…* 1…*

1…*

0…*0…* 0…* 0…*

0…*

1…*

1…* 0…*

1…*

1

0…*

0…*

11…*

0…*0…*

0…*0…*

0…*

0…*

0…*

0…*

0…*

0…*

0…*0…*

0…*0…*

Re

alize

Re

alize

AssociatedWith

AssociatedWith

AssociatedWith

AssociatedWith

AssignedTo

Realize

Realize

Use

s

Uses

UsesUses

Uses

Re

alize

Re

alize

Figure 1.4: The PRM framework for reliability analysis

1.4. THE DEVELOPED FRAMEWORK IN BRIEF 9

Functions

Reliability

Structure

Reliability

OR

Reliability

AND

Reliability

MAXMAX

MINMIN

Func2OR

OR2Func

Func2AND

AND2Func

Struc2OR

Struc2A

ND

Application Component

Reliability

Device

Reliability

Network

Reliability

Conversion Unit

Reliability

Equipment

Reliability

Business Function

Reliability

Primary Function

Reliability

Conversion Function

Reliability

Infrastructure Function

Reliability

Secondary Function

Reliability

MA

X

MIN

AN

D2O

RO

R2A

ND

MAXAND2AND

MINOR2OR

Figure 1.5: An extension of the PRM framework with logical gates

The entity relations are graphically represented by the dashed relations in Figure 1.4whereas attribute relations are represented by the solid arrows. The attribute relations aredefined via the slot-chain relations specified in the PRM formalism. The complete list ofrelations between attributes and their domain of values for both PRMs is summarized inPaper 7. As seen in Figure 1.4 some relations are bi-directional with each direction relatingto a corresponding attribute relation. However, since Bayesian network and therefore alsoPRMs only allow acyclic relations it is not allowed to instantiate cyclic relations.

The logical operations of the AND and OR-gates are performed in coherence with FTA[115]; i.e. the OR-gate indicates that the output event occurs if any of the input eventsoccur and the AND-gate indicates that the output event occurs only when all input eventsare true. As visible in Figure 1.5 logical gates can also be applied between functions andso can be be used to capture for example logical redundancy and not only duplication of forinstance physical devices or networks. A more comprehensive treatment of the applicationof gate logic is presented in Paper 5.

Each instantiated structural entity of the PRM is set with a prior probability of un-successful operation calculated based on an appropriate failure rate. Table 1.1 presents anumber of failure rates based on an example presented in Paper 7. Most of the failure ratesare gathered from the research literature with the exception of software applications. Theexistence of failure rates of that for software applications is very sparse, so in Paper 6 anattempt is presented to identify failure rates based on failure logs. The result indicates thatas much as one third of failures of modern relays could be traced to failing software. Thisresult shows a much higher probability of failing software than other related work with thereason being that configuration is also counted as a source of failing software and not onlyoperating system and source code.

Together with architecture instantiation of the PRM the failure rates are used to cal-culate the probability of successful execution, i.e. its reliability, of a certain functionalityoffered by the system. Such analysis is presented in Figure 1.6 and in Paper 7, where thePRM is employed in the tool EAAT to analyze the reliability of a function for tripping acircuit breaker.


Table 1.1: Component failure rates

Component Entity Failure rate λi [years−1]

IED Device 1/120Software Application Component 1/225Network Network 1/300Current transformer Conversion Unit 1/5001A, 5A Network 1/5000Circuit breaker Equipment 1/100

Figure 1.6: Framework instantiation using the EAAT tool

1.5 Outline of the thesis

The continuation of the thesis if structured as follows: Chapter 2 presents the researchdomain, starting with an introduction to substation automation and IEC 61850 with itsimportant components. Then the concept of enterprise architecture is presented, includingits relation to substation automation system engineering, followed by reliability engineeringwith definitions and analysis methods. In Chapter 3 the research process is detailed inrelations to applied research methods and discussion of reliability and validity is presented.Chapter 4 summarizes the thesis with conclusions and future work. Part II of the thesisincludes research contributions in the form of seven academic publications - Paper 1 to 7.

Chapter 2

Research domain

The research presented in this thesis relates primarily to three domains - substation au-tomation, enterprise architecture and reliability engineering. Each of the three domains isintroduced in this chapter including a description of its relation to the research output.

2.1 Substation automation

In a modern power system the substations are operated and controlled by Substation Au-tomation (SA) systems. Previous generations of control and protection devices were basedon the electro-mechanical principle with a single or a few designated functionalities designedinto an individual device. Modern SA systems, however, are composed of reconfigurableIntelligent Electronic Devices (IEDs) running software applications. The major difference isthat the modern IEDs are designed with an extensive variety of functions that are activatedthrough configuration. Therefore, it is not possible to identify a system’s functionalities bylooking at the components. There is also a need to look at how the devices are configured.Besides the monitoring, control and protection functionalities, SA systems also provide in-terfaces to the Supervisory Control and Data Acquisition (SCADA) systems and the HumanMachine Interfaces (HMI), which realize both local and remote communication access. Allthese aforementioned SA system functions are facilitated by several IEDs interconnected bycommunication networks together with interfaces to primary equipment such as switches,transformers, tap changers, measurement units, etc. [12] [3].

IEC 61850 basics

IEC 61850 is a standard developed by the International Electrotechnical Commission (IEC)for the design of SA systems [62]. The standard provides a vendor independent frame-work for interoperability by defining communication networks and functions. AlthoughIEC 61850 is foremost proposed as a communication solution for SA systems, it also in-cludes the operational functions of substations. Therefore, the standard needs to takeoperational requirements into consideration. However, the purpose of the standard is nei-ther to standardize (nor limit in any way) the functions involved in substation operation northeir allocation within SA systems. Therefore the standard allows optimization of systemsdesign based on properties of interest, e.g. financial, functional or non-functional propertiesthanks to providing a structured approach for information modeling. Such design optimiza-tion is described and proposed in [13] where increased availability and reliability setting thenon-functional properties as the objective function. An example IEC 61850-based system

11

12 CHAPTER 2. RESEARCH DOMAIN

configuration based on [13] is presented in Figure 2.1. It shows how functions can be allo-cated on different devices - left showing a two device configuration and right showing a fivedevice configuration.

m n o pq r s tq p u vn p n v

p r s tp t w op r s tx y z { | }m n o p

q r s tq p u vn p n vp r s tp t w op r s tx y z { | } x y z { | }

Figure 2.1: Example of IEC 61850-based system configurations

Some of the major advantages of IEC 61850 are summarized below [94]:

• Functional modeling: the functions described by IEC 61850 are realized by collabo-ration between a set of atomic functional units called Logical Nodes (LNs). Thesefunctional units can be implemented in different IEDs and communicate with eachother. The interfaces behavior of the parts is described by the LNs. The separationbetween physical infrastructure and logic enables functional allocation independentfrom the ICT infrastructure, and was not present in prior SA systems and standards.Figure 2.1 describes two different configurations with same functionality - the leftshowing LNs implemented on two devices; the right showing the same logical setupusing five physical devices.

• Data modeling: IEC 61850 provides not only the syntax but also the semantics forthe data exchange within SA systems.

• Communication service modeling: IEC 61850 does not restrict itself to any specificcommunication solutions. Instead it defines an abstract communication interfacewhich specifies communication services and which are then mapped to main streamcommunication protocols. The flexibility of switching to future communication solu-tions enables easy adaption and reduces the investment on substation refurbishmentsignificantly.

• Engineering tool and testing: IEC 61850 is not only limited to describing the commu-nication and related processes. The XML-based Substation Configuration Languagedescribing the SA systems and the communication topology can be used to configurethe communication in the substation and allocation of LNs to devices.

As said in the third bullet, a feature of IEC 61850 is that data objects and servicesare abstracted in terms of being independent from any underlying protocol [94]. The Ab-stract Communication Service Interface (ACSI) is a central part in abstracting services andcreating interoperability between different IEDs - making them behave in the same way,independent from specific protocols. Using ACSI data objects and services can be mappedonto any protocol that fulfills the data and service requirements. Current mappings includeprotocols such as MMS, GOOSE and SMV which then could be run over e.g. TCP/IP

2.1. SUBSTATION AUTOMATION 13

or a switched Ethernet. Hence, the IEC 61850 could be described using three layers: I)Information models - Logical nodes, data objects and classes; II) Information exchange -ACSI; and III) Communication profiles - Mapping to MMS, GOOSE etc.

An additional abstraction provided in IEC 61850 is the Piece of Information for COM-munications (PICOM) which describes LNs, how they communicate and the informationpassed between between them, including communication attributes e.g. performance re-quirements. PICOMs are also defined with source and sink LN, which means that directionsof information flow are defined in terms of sender and receiver. That gives a much clearerdependency in the relation between LNs instead of only specifying that a relation existswithout further description. Such information could for instance be used for performanceanalysis, as presented in [38].

The Substation Configuration Language

The Substation Configuration Language (SCL) is a configuration language defined withinthe IEC 61850 suite of standards. A central part of SCL is a defined metamodel [61] shownin Figure 2.2. The metamodel - in its current state - is described in complete UML formatand is currently under revision by the IEC working groups. As seen in Figure 2.2, notonly does SCL cover ICT components (product and communication) and their relations,but also components found in the switchyard, e.g. breakers, switches etc., as well as theconfiguration of these components, e.g. voltage level, bay etc (substation).

~ � � � � �� ~ � � � � � � � � � � � � � � � � � ��

� � � � � � � � ~ � � � � � � � � � �~ � � � � � � � � � � � � � � � � � � � �� ¡ � � � � ~ � � � � � ¡ � � � �� ¢ � � �� ~ � � �� £ ££ £ £ £££ ££ ££

£ £££££ £

¤ ¥ ¥ ¦£ ¥ ¥ §£ ¥ ¥ § £ ¥ ¥ § £ ¥ ¥ §¤ ¥ ¥ §¤ ¥ ¥ §

¤ ¨ £¤ ¨ £¤ ¨ £¤ ¨ £ © ª « ¬ ® ¯ ° ±² ³ ° ´ ª µ ¶ ° · · ª ± ¯ µ ® ¯ ° ±Figure 2.2: SCL object meta-model [61]

Forming the link between the ICT components and switchyard-related entities is theLN. As partly described earlier, the LN is a logical representation/abstraction of functions,


components, or other entities, creating interfaces to these objects as well as representingthem when communicating with other devices. The LN in it self is not a deployable andexecutable software module but an abstraction of such module with defined interfaces.Therefore the software design is completely up to the vendors them selfs as long as thesoftware application interfaces conforms with the defined LNs. A substation automationsystem is specified by by a designer through the creation of an SCL file. This configurationfile .SCD specifies the substation single line diagram, the information model, parameters ofcontrol blocks, GOOSE, Sampled Values, relation to the process and the data flow [62].

The SAS system engineering process

As described in [11] the engineering of a SA system is a complex process with questions to beanswered, such as the location and function of Intelligent Electronic Devices (IEDs) withinthe system structure, their relation to the switchyard and the functions to be performed.There appears to be little conformity among industry practitioners on how the engineeringprocess of a modern IEC 61850-based SA system should be performed. Instead, it seemsto depend on how it has been performed in the past, before the existence of IEC 61850.However, there are guidelines and descriptions on how the engineering could proceed foundin the standard [61] as well as in other sources [13], [105] and [134]. As stated in for in-stance [13], [52], the process could either begin by identifying and specifying functions tobe performed by the SA system or boundaries and requirements on the system as such, e.g.non-functional requirements. Compared to methods that focus on purchasing equipment,the specification of functional requirements demands a different approach that needs toencompass far more [134]. In [134], it is also stated that the specification of the substationfunctions should be defined without any relation to devices. If all the requested function-ality is specified without any relation to the infrastructure, it is then possible to optimizethe infrastructure solution based on functional requirements [13]. As stated in [134] it isimportant to determine the logical network design and to make sure that the communi-cation infrastructure supports the requirements in terms of for example functionality andreliability.

Languages and standards such as SCL of IEC 61850, that is to be applied during thecomplete procurement of an IEC 61850-based SA system, should be utilized as much aspossible in order to reduce unnecessary redundant work. The deployment of UML modelshas been discussed as a way to ease the understanding of IEC 61850 standard and to aidthe harmonization with other standards, e.g. with the CIM UML model [84] and evenwith patented tool support for translation between the two [45]. UML models are today anintegrated optional part of IEC 61850 and frequently applied for various purposes [6], [113],[109] and [104]. Other developments have for example included the integration betweenIEC 61850 and the open control architecture standard IEC 61499 [56], [136], encapsulatingfunctionality in basic building blocks in a function blocks modeling language, from whichsystems and applications are constructed. All in all, these developments show the possiblesupport provided by models and modeling languages for understanding systems and theircomplexity.

2.2 Information system modeling

Information systems of today are growing in complexity with increased interconnectionsand dependencies between systems and components. This is true for substation automationsystems, but of course also for most other branches of computing. Hence, new tools and

2.2. INFORMATION SYSTEM MODELING 15

methods are constantly being developed in order to understand, capture and communicatethe relationships between components, and the functions in these systems of systems. Thissection presents one of the more powerful approaches - Enterprise Architecture.

Enterprise Architecture

Enterprise Architecture (EA) is a discipline for managing an enterprise´s information sys-tem portfolio in relation to the supported business. It was pioneered in 1987 by John Zach-man with the presentation of the well-cited and applied "Information Systems ArchitectureFramework" [141]. Today EA constitutes a variety of methods, tool, models, frameworksetc., with an interest from both industry as well as academia. There are numerous bookson different aspects of EA, for example [117], [92], [97], [50], [91], [120] and[68].

The interest in EA as a field of research is for example stressed in the recently publishedarticle "An Exploration of Enterprise Architecture Research" [123], complemented by anumber research papers [137], [139], [75], [35], [121], [2], [138], [114], [20], [19], [1], amongmany others.

From an industrial perspective, it is probably the "The Open Group Architecture Frame-work" (TOGAF) [128] that has garnered the most interest. This is valid also in power systemengineering, and in particular focusing on smart grids, e.g. EPRIs Smart Grid EnterpriseArchitecture Interest Group (SGEA) as well as CENELECs Smart Grid Reference Archi-tecture [15]. Many other frameworks do exist, such as for instance DoDAF [27], MoDAF[130], GERAM [63], FEA [24], EAF2 [43] and E2AF [119].

In this thesis the EA discipline is mainly addressed in terms of metamodeling and sys-tem analysis. Metamodels, descriptive models on how to model an architecture, are one ofthe core components of EA and can serve multiple purposes [86]: (i) to document the EA;(ii) to plan and design the EA, and (iii) to analyze the EA. Analysis, in particular, closelyrelates to the use of EA and architectural models for decision-making [68]. Let’s continuewith a brief introduction to the modeling language ArchiMate and then jumps into thesub-domain of EA - system analysis.

ArchiMate

ArchiMate is an open and independent modeling language, i.e. metamodel, for enterprisearchitecture. The primary focus of ArchiMate is to support stakeholders how to addressconcerns regarding their business and the supporting ICT systems. It was first introducedby Lankhorst et al. in [93] and is partly based on the ANSI/IEEE 1471- 2000, RecommendedPractice for Architecture Description of Software-Intensive Systems, also known as the IEEE1471 standard [57]. The Open Group accepted the ArchiMate metamodel as a part of TheOpen Group Architecture Framework (TOGAF) in 2009 [59]. The ArchiMate metamodelis seen in its full in Figure 2.3.

The ArchiMate metamodel consists of three layers:

• Business layer - about business processes, services, functions and events of businessunits

• Application layer - about software applications

• Technology layer - about hardware and communication infrastructure


¸ ¹ ¹ º » ¼ ½ ¾ » ¿ ÀÁ Â Ã Ä » ¼ ÂÅ À Æ Ã ½ Ç ¾ Ã È ¼ ¾ È Ã ÂÁ Â Ã Ä » ¼ Â

É È Ç » À Â Ç ÇÁ Â Ã Ä » ¼ Â É È Ç » À Â Ç ÇÅ À ¾ Â Ã Æ ½ ¼ Â¸ ¹ ¹ º » ¼ ½ ¾ » ¿ ÀÅ À ¾ Â Ã Æ ½ ¼ Â

Å À Æ Ã ½ Ç ¾ Ã È ¼ ¾ È Ã ÂÅ À ¾ Â Ã Æ ½ ¼ Â¸ ¹ ¹ º » ¼ ½ ¾ » ¿ ÀÊ È À ¼ ¾ » ¿ À ËÅ À ¾ Â Ã ½ ¼ ¾ » ¿ ÀÌ ½ ¾ ½ Í Î Ï Â ¼ ¾É È Ç » À Â Ç Ç ¿ Î Ï Â ¼ ¾ É È Ç » À Â Ç Ç¹ Ã ¿ ¼ Â Ç Ç ËÆ È À ¼ ¾ » ¿ À

Ð ¿ Ñ Ñ È À » ¼ ½ ¾ » ¿ À¹ ½ ¾ ÒÓ Â ¾ Ô ¿ Ã ÕÓ ¿ Ö ÂÌ Â Ä » ¼ ÂÁ × Ç ¾ Â Ñ Á ¿ Æ ¾ Ô ½ Ã Â¸ Ã ¾ » Æ ½ ¼ ¾

É È Ç » À Â Ç Ç Ã ¿ º Â É È Ç » À Â Ç Ç¸ ¼ ¾ ¿ ÃÉ È Ç » À Â Ç ÇÐ ¿ º º ½ Î ¿ Ã ½ ¾ » ¿ ÀØ Ã ¿ Ö È ¼ ¾Ù Â ¹ Ã Â Ç Â À Ú¾ ½ ¾ » ¿ À Ð ¿ À ¾ Ã ½ ¼ ¾ Û Ä Â À ¾ Ü ½ º È Â¸ ¹ ¹ º » ¼ ½ ¾ » ¿ ÀÐ ¿ Ñ ¹ ¿ À Â À ¾É È Ç » À Â Ç Ç¸ ¹ ¹ º » ¼ ½ ¾ » ¿ À

¸ ¹ ¹ º » ¼ ½ ¾ » ¿ ÀÝ Â ¼ Ò À ¿ º ¿ Þ ×ß Â ½ À » À Þ

¸ ¹ ¹ º » ¼ ½ ¾ » ¿ ÀÐ ¿ º º ½ Î ¿ Ã ½ ¾ » ¿ ÀÅ À Æ ¿ Ã Ñ ½ ¾ » ¿ À ½ Ç ¹ Â ¼ ¾ É Â Ò ½ Ä » ¿ Ã ½ Ç ¹ Â ¼ ¾ Á ¾ Ã È ¼ ¾ È Ã Â ½ Ç ¹ Â ¼ ¾

Å À Æ ¿ Ã Ñ ½ ¾ » ¿ À ½ Ç ¹ Â ¼ ¾ É Â Ò ½ Ä » ¿ Ã ½ Ç ¹ Â ¼ ¾ Á ¾ Ã È ¼ ¾ È Ã Â ½ Ç ¹ Â ¼ ¾Figure 2.3: ArchiMate metamodel [59]

Where technology supports the applications and the applications in turn supports thebusiness. Each layer consists of a number of entities and defined entity relations. Theentities in each layer are categorized into three aspects of enterprise architecture:

1. Information structure - modeling informational objects

2. Behavioral structure - modeling the dynamic events of enterprise architecture

3. Structure structure - modeling the components in the architecture that perform thebehavioral aspects

A concept that is not widely used in the power community is the concept of services.This is however used extensively in ArchiMate. Services aim to encapsulate and hide theinternal behavior of underlying layers and give the overlying layers access to functionalityfrom underlying layers through well-defined interfaces. For instance, an Application Serviceis seen to encapsulate a number of internal Application Functions to make them useful tothe business actors of the business processes. By using services the business actors neitherhave to consider the internal behavior of the information systems nor the technology used torealize the behavior. However, the use of services to model the relations between functionsof separate layers is not a requirement. For example, a business function can directly bemodeled with a relation to an application function.

2.3. RELIABILITY ANALYSIS 17

Enterprise Architecture Analysis

The utilization of EA for information system analysis is primarily from the context ofmodeling, i.e. same as the scope of this thesis. In [16] the authors present an exploratorystudy of the utilization of different analysis approaches. The result of the study showed thatthere was no difference in the use of analysis techniques between the four sectors that werestudied. Neither did any of the eight analysis techniques stand out in terms of utilizationnor scoring high in terms of regular usage. Without drawing to much conclusions out ofthat, it could be that at that time (2006) EA, and in particular EA analysis, was ratherimmature. As stressed in [69], for EA to be a solid support for analysis, and hence decisionmaking, not only are architectural models needed, but also architectural theory needs tobe made explicit. Architectural models without explicit architectural theory are of limitedvalue, since it is not possible to assess their potential as decision-making support. Some ofthe attempts to structure the analysis possible with EA are for instance [58], [26], [17] [68],[72], [71] and [70]. A categorization of different approaches of EA analysis is summarizedin [18]. Even a meta-language of EA analysis has been developed, as presented in [21].

The application of architectural theory in combination with architecture models arefound for a number of purposes, e.g. for maintainability [87], [34]; modifiability [89], [88],[90]; cyber security [33], [124], [125]; interoperability [132], [131], [67], [133]; availability[44]; dependency [42]; data accuracy [99]; performance [92], [100]; profitability risk [73];and multi-attribute [101], [116] analysis. The utilization of the ArchiMate metamodel ispresented in [92], [98], [111]. Proper tool support is also needed to combine architecturaltheory with architecture models, as presented in [22] and [23]. As trivial as it may seem,architectural theory as part of this thesis is presented in the form of the PRM, with thetheory being found in the existence of the attribute reliability and its propagation in thearchitecture. Let’s continue with a presentation of applicable theory on reliability.

2.3 Reliability analysis

The definition of reliability is according to the IEEE Standard Computer Dictionary [47] theability of a system or component to perform its required functions under stated conditionsfor a specified period of time. As stated, reliability could either regard components orsystems. Components, in contrast to systems, generally have natural defined boundarieswhereas systems can consist of a number of components of different types or even of othersystems (systems of systems), and so it is important to define the boundaries of the systemin focus. Using the definition in [47] a system is: a collection of components organized toaccomplish a specific function or set of functions; whereas a subsystem, using the samesource of reference, is defined as: a secondary or subordinate system within a larger system.In our case we are focusing on both systems and subsystems. The system, or subsystem,boundary is naturally determined by the functions to be analyzed. I.e. only the componentsneeded to realize the target function(s) are included in the analysis.

The definition also states that the main concern is for the system (or component) toperform its intended function. ICT systems interacting with the power grid offers a varietyof functions which are realized of both hardware and software components of different types.Models provide an effective tool for understanding and analyzing systems and their archi-tecture. They are also useful for the understanding of dependencies between components,for example when analyzing and identifying the impact of a single component’s failure onthe rest of the system. Most of the well-known methods for reliability analysis, such as FaultTree Analysis (FTA), Reliability Block Diagrams (RBDs), Markov chains and Bayesian Net-works (BNs), provide a visual modeling language to improve the understanding and ease


the analysis. In the next section some of these methods are presented and discussed in thecontext of suitability for reliability analysis of substation automation system architecture.

Methods for reliability analysis

System reliability analysis is a mature field and there is an abundance of system reliabilityanalysis techniques. In the category of qualitative methods we find for example FMEA[126]. In FMEA, each system component’s failure mode and its impact on the rest of thesystem is documented. The method is particularly useful for systems with single componentfailures. Thus the approach is not well suited for systems with a fair degree of redundancy[115]. An alternative approach is state-based analysis. State-based methods enumerate allpossible system failure states and are not limited to stochastically independent failure ofcomponents. This expressiveness comes at a price: models for state-based analysis usingMarkov chains [96] grow exponentially with the number of system components [5]. Oneof the most frequently adopted methods is FTA, which translates the failure behavior of aphysical system into a visual diagram and a logical model [115]. The modeling structureof FTA allows the modeler to visualize the system architecture in terms of primary com-ponent’s relational dependency on subcomponents [135]. Reliability analysis using FTA ismuch similar to the approach based on RBDs [115] and [66]. The concept behind RBD isto identify undirected relational paths between components within the architecture. Firsttwo nodes s and t are defined. Secondly, relational paths comprising system componentsbetween the nodes are identified. A system is said to be available if there exists at leastone path comprising a chain of available components from s to t. In [10] and [108] Bobbioet-al. showed how FTA can be translated into BNs [65] thus augmenting the intuitivenessof FTA with the probabilistic reasoning capabilities of BNs. Bayesian networks are also asubset of Probabilistic Relational Models (PRM), described in Section 1.4. Casually put,the PRM formalism uses BNs to describe and quantify probabilistic dependencies betweenclass attributes in class diagrams.

The application of PRMs for dependability analysis is presented in [103] as well as forsupporting assessment of maintenance strategies in [64] and [95].

Lets continue with a brief overview of a few of these methods. For further reading, thereader is referred to the literature references given in each section.

Fault Tree Analysis

One of the most frequently adopted methods is FTA, which translates the failure behavior ofa physical system into a visual diagram and a logical model [115]. FTA is based on reliabilitytheory, Boolean algebra and probability theory [36]. The modeling structure of FTA allowsthe modeler to visualize the system architecture in terms of primary component’s relationaldependency on subcomponents [135]. FTA can be classified into two separate types ofanalysis – qualitative and quantitative. The qualitative part focuses on a logic diagramthat visualizes the interrelationships between a potential critical event and the cause forthis event to occur [115]. The fault tree represents how combinations of basic events leadto the occurrence of a particular undesired event called the TOP event. A graph is drawn,where the nodes are either events or gates. Events concern the failure of components,subsystems or of the whole system, and they are graphically represented by rectangles.

For quantitative analysis, each event is a Boolean variable, where its initial state is falseand changes to true whenever failure occurs [25]. All events that are neither TOP eventsnor basic events are called internal events. Gates are connected by arcs (the edges of thegraph) to several input events and to a single output event. Thus, a gate propagates failure


to its output event if a particular combination of input events occurs. The TOP eventsmust be the output of a gate and cannot be the input of any gate, hence it is the root ofthe fault tree. Furthermore, arcs respect a logic circuit orientation: from the input eventsto the gate, and from the gate to the output event.

Left side of Figure 2.4 shows a simple fault tree with the TOP event A1 and its depen-dency to the basic events E11, E21 and E22 through various gates. A2 is the output eventof the two input events E21 and E22 with the dependence of AND-logic represented by theAND-gate. This gate specifies that both E21 and E22 must simultaneously occur for outputevent A2 to occur. For A1 the gate represent OR-logic, specifying that either event E11 orA2 could occur for A1 to occur.

FTA is a binary analysis where all events are assumed to occur or not to occur [115].However, in [10, 108] Bobbio et-al. shows how FTA can be translated into Bayesian networks[65] thus augmenting the intuitiveness of FTA with the probabilistic reasoning capabilitiesof BNs.

Reliability analysis using FTA is much similar to the approach based on RBDs [115, 66].àá â â á ã â á ã ãä ä àä äà àFigure 2.4: Left showing a simple fault tree - right showing a simple reliability block diagram

Reliability Block Diagrams

The concept behind RBD is to identify undirected relational paths between componentswithin the architecture. Together these components realize a function of the system whichsets the boundary conditions of the analysis. I.e. for each function a new RBD has tobe designed with all supporting system components present. The process follows: Firsttwo nodes s and t are defined. Secondly, relational paths comprising system componentsbetween the nodes are identified. A system is said to be available if there exists at least onepath comprising a chain of available components from s to t.

The component forming a path from s to t can be set in a series of a parallel structure,forming different chains of dependencies in accordance with the system architecture. Ina series structure the system function is only available if all the components in the chainare functioning correctly, i.e. there exists only one path from s to t. A parallel structurehowever is represented by forming multiple paths from s to t, meaning that only one of thepaths formed by a single or a number of components needs to be functioning for the systemfunction to be available. Right part of Figure 2.4 shows an RBD with parallel (componentE21 and E22) and series structure (component E11 with the parallel structure of E21 and


E22). As seen, RBDs are much similar to FTA, where AND and OR gates transformsinto series and parallel structures. With method to apply depends primarily on the goalof the analysis, where RBDs focuses on the availability of system functions in relation tosuccessful operation of system components whereas FTA bases the analysis on failures andevents potentially causing these to occur. However, transforming an FTA into an RBD andvise versa is normally a straight forward task.

Markov chains

An alternative approach to the above described methods is state-based analysis. State-basedmethods enumerate all possible system failure states and are not limited to stochasticallyindependent failure of components. In other words, the Markov approach is not limitedto Boolean events and states as the previous methods. The Markov chain is a stochasticprocess based on the Markov property, i.e. the process is memoryless [115], and modelssystems with multiple states with transitions between these states. The Markov propertymakes the transition into different state only depend on the present state and not on thepast sequences of states. The collection of possible states, i.e. the state space, we denote asχ and is either finite or countable infinite [115], and denote the transition probability withp.

Figure 2.5 shows a state diagram with state space χ = {S1, S2, S3} and transitionsbetween them pij , i ∈ {1, 2, 3} Ð j. The arrows represent possible transitions betweeneach state, i.e. the transition from state S1 to S2 is represented by the relating arrow withprobability p12. As seen, from state S1 it is also possible with transition to state S3 withprobability p13. The sum of transition probabilities from one state is alway equal to 1,leading to p11 = 1 − (p12 + p13). The state diagram shows that transitions are possiblebetween all states except from state S3 to S1. This could for example represent a systemwith states Normal (S1), Repair (S2) and Failure (S3) where one could transit from each ofthe states except from Failure directly to Normal without going through the Repair state.

Figure 2.5: Simple Markov state diagram

Markov chains are very useful when for example analyzing repairable systems or common-cause failures of redundant components. This expressiveness comes at a price: models forstate-based analysis using Markov chains [96] grow exponentially with the number of systemcomponents [5]. More on the mathematical treatment of Markov chains is detailed in [115].


Bayesian Networks

For the modeling and analysis of uncertain phenomena, Bayesian networks are often pro-posed [102]. Bayesian networks are composed of nodes with associated values, and arcsbetween the nodes in a directed acyclic graph. The nodes’ probabilistic dependencies oneach other are specified by the arcs and by so called conditional probability distributions.In a Bayesian network, the vertices denote a domain of random variables also called chancenodes. Each chance node may assume a value from the finite domain. The advantage ofthe graph representation is that it provides a compact way of expressing the dependencyrelations between the random variables, i.e. which variables are conditionally independentgiven another variable. Each edge denotes a causal dependency between its nodes. In orderto specify the joint distribution, the respective conditional probabilities that appear in theproduct form must be defined [46]. The second component describes distributions for eachpossible value of the chance node, given the values of its causal parents. These conditionalprobabilities are represented in matrices, here forth called Conditional Probability Matrices(CPMs). Using a Bayesian network, it is possible to answer questions such as what is theprobability of a variable being in a certain state given that causally related variables beingin a certain state.

Hence, Bayesian networks provide support for modeling causality, causal uncertaintyand empirical uncertainty.

Figure 2.6: Simple Bayesian network

Figure 2.6 shows an example using the graphical notation of BNs. Let’s define that X1

represents the probability of grass being wet; X2 sprinkler system active; X3 potential rain;and X4 the degree of cloudiness. Then we could specify causality between X1, X2 and X3

represented by the arrows that defines the probability of wet grass holds causal relationto the probability of sprinkler system being active and possible rain. The arrow betweenX2 and X3 specifies the probability of sprinkler system activation with dependence to theprobability of rain. X4 also holds causal relation to X2 and X3 by the fact that probabilityof rain heavily depends on the cloudiness and the activation of the sprinkler system dependson the cloudiness as well but in the terms of keeping the sun way.

In [49] Bayesian networks are applied for reliability assessment of software based digitalsystems. Further, in [54] the same authors present a case study demonstrating the applica-tion of Bayesian networks on reliability estimation of software design on a protection relayand in [55] an a posteriori estimation of the failure rates for different software versions ofthe protection relay is presented.


The adaptation of Bayesian networks has been successful in various fields, however theyare often inadequate for describing large and complex domains [48].

Reliability analysis of power system control and protection

Reliability analysis in general is widely adopted within the power industry. Most frequentlyapplied are methods focusing on primary system component e.g. transformers, breakers,cable lines etc, and the architecture which they constitute e.g. substations. In [8] issuesregarding reliability of power systems are addressed and a variety of methods are applied todifferent systems and scenarios. A further illustration of the range of probabilistic methodsfor reliability analysis applied to power system is found in [9].

Numerous work can also be found in the research literature addressing the issue of reli-ability analysis of power system control and protection. In [118] fault tree analysis is usedto analyze the availability and reliability of different system architectures. The analysisincludes availability figures of both control and protection systems as well as power sys-tem components, in this case a circuit breaker. Similar work is presented in [30] whereFTA is applied in a case study of a large substation integration project as well as in [122]which details the application of FTA for various transmission protection architectures. In[112] a combination of FTA, FMEA and event trees combined with dynamic power systemsimulations as used for probabilistic analysis of power system reliability. The analysis in-cludes failure probabilities of both power system components and ICT components, howeverthe logical structure in relation to the ICT infrastructure in not taken into any particularconsideration.

How to apply FTA techniques, in particularly for protection reliability assessment, ispresented in [7]. The authors only presents an elementary background to the application ofFTA; however an important aspect they address is the importance of establishing bound-aries and limitations of the analysis. Otherwise the analysis may become way to detailedwhich leads to large amounts of effort being spent for no reason. Another interesting articleis [51] which analyses different SA system architectures using RBDs. In extent to presentingsystem unavailability and reliability figures two types of component importance measures,Birnbaum’s measure of importance and criticality importance, are applied to each architec-ture. However, none of the articles address the aspect of logic relations and their allocationin the SA system architecture.

In [4] a Markov state model is used for reliability analysis of various SA system archi-tectures, particularly focusing on communication architecture and functional redundancy.The paper also addresses different architectures and their impact on distributed functions,for example if a function is allocated to bay or station level. In [140] a methodology forcalculating reliability and availability parameters for IEC 61850-based SA systems is pre-sented. The paper describes a methodology for reliability and availability calculations andhow to apply it to analyze different parts of a SA system. A number of functional use cases,including communication system, protection, control and human-machine interface (HMI)functions, are discussed as applications for the analysis methodology.

A more thorough effort on addressing interactions between functions in SA systems ispresented in [40] and [39]. In these papers the reliability and availability assessment isstructured in a three-step process, starting with an assessment of a functional model, thena hardware model, and as the final step assessing the hardware and functions interfaces.The functional model is described in an event tree which is mapped to the hardware usingan interface table. Both papers focus primarily on reliability of secondary systems and doesnot count for the probability of failing primary equipment.


The most relating work is presented in [52], where the author describes a techniquefor reliability evaluation of SA systems. In contrast to previous referred related work thispaper consider both the hardware infrastructure, including both power system componentsand ICT components, as well as the logical structure and their relation to the hardware.The hardware infrastructure is modeled using RBDs, and the functional modeling by usingevent trees. Relations between hardware components and in this case control functions aredocumented using a linking table. Although useful, the method requires a total of threedifferent modeling approaches to capture all the aspects for reliability analysis of the SAsystem and its functions which is two more than the framework presented in the currentpaper. In [53] the authors demonstrate their technique in various comparative studieswith different setups in terms of SAS configurations, distribution schemes and distributionsystems.

Chapter 3

Research design

This chapter details the research design utilized in the project. At first, the research process,including sub-steps and their results including dissemination is presented. Thereafter, theresearch methods utilized in the process are presented and briefly discussed. At the end ofthe chapter, the validity of the research results are highlighted.

3.1 Research process

The conducted research follows the principles of design science research process [110]. Theoverall research process is depicted in Figure 3.1.

Starting at the entry point (a), the research project follows a problem centered paradigmstarting with the research paper [76] as a first attempt to state and address future issuesregarding analysis of non-functional properties of ICT integrated into the power system.Problem definition and justification of the value of a solution were at that point describedas:

"Without a proper ICT infrastructure capable of supporting the future func-tionality, controllability and observability of the distribution grid will not beachieved. However, it is much less common for the characteristics of this sup-

å æ ç å è ç å é çFigure 3.1: Design science research process from [110]

25

26 CHAPTER 3. RESEARCH DESIGN

porting ICT infrastructure to be discussed or analyzed. It is often assumed thatthe contemporary high speed of development within the ICT field will providethe necessary tools and systems for operation of the future distribution grid.With the increased interdependence between the distribution system and theICT infrastructure, proper assessment of ICT system characteristics are criticalin order not to risk the reliability of the power system." [76]

At that point the objective of the solution was focused toward analysis of runtimecharacteristics impacting the controllability and observability of the power system withregards to ICT, stated as follows:

"This paper presents the first steps in development of a method, supportedby modeling formalisms, intended for evaluation of ICT system characteristicsthat are critical to achieve observability and controllability of active distributiongrids. The long term goal of the research is to provide a tool for decision supportwhen designing protection, automation and control systems architectures foractive distribution networks." [76]

In Paper 1, the first paper included in this thesis, limited focus was put on the objectiveon the solution, but instead it jumps ahead to the design and development step by combiningEA, FTA and PRMs. Instead, in Paper 2, the second paper included in this thesis andwritten in parallel with Paper 1, the objective changed to focusing more on reliability ratherthan a wide range of runtime properties. The reason for this being that in the problemdefinition it states that reliability of the power systems being the main concern. Hence,the problem identification and motivation were identical to as before but the objective ofa solution changed. This iteration, represented by a combination of Paper 1 and 2, isdescribed by iteration (b) in Figure 3.1. The updated objective states:

"The scope of this paper is to present a novel method for reliability analysisof software intense control and automation systems that includes the reliabilityof primary system components. The framework is based on Probabilistic Re-lational Models - specifying a template for a probability distribution over anarchitecture model. As such, the methods may be adapted to study of othersystem architecture aspects, but the focus herein is on reliability." [79]

In Paper 2 the artifact in terms of the reliability analysis framework were based on PRMsand aimed at analysis of software intense control and automation systems including theirinteraction with primary equipment. An instantiation of the framework was demonstratedon a system for automatic voltage control described in the research literature includingconcluding remarks regarding the framework’s applicability. The result is communicated in[79].

From thereon the effort was put on refining and developing the artifact, i.e. the analysisframework, with each iteration presented in Paper 1-7. Every iteration starts from designand development followed by demonstration, evaluation and communication, as describedby (c) in Figure 3.1. Table 3.1 presents each iteration of (c)

3.1. RESEARCH PROCESS 27

Table 3.1: Iterations describing design and development, demonstration, evaluation andcommunication

Design & Develop-ment

Demonstration Evaluation Comm-unica-tion

Paper 1Combining EA with FTA

and PRMs

Applied to a voltage con-

trol function

– [78]

Paper 2A novel multi-attribute

PRM is presented includ-

ing analyze of primary

system components

Applied to a voltage con-

trol function similar to Pa-

per 1

– [79]

Paper 3Mapping substation ob-

jects from the IEC 61850

standard to entities of

the EA framework Archi-

Mate to improve confor-

mity of the object in the

PRM analysis framework

between the two domains

The mapping is demon-

strated on a IEC 61850-

based SA system configu-

ration

The mapping shows in-

equalities in terms of mod-

eling primary equipment

using ArchiMate with a

suggestion of adding a new

entity to the EA framework

[80]

Paper 4The PRM is modified to

better capture the interre-

lations between ICT com-

ponents and power system

components

The PRM is instantiated

on different architecture

scenarios

The PRM instantiation is

evaluated with regards to

the well-known reliability

block diagrams

[82]

Paper 5The PRM is expanded with

logic gates to better cap-

ture structure properties in

the system architecture

The gate logic is demon-

strated on one of the archi-

tecture scenarios presented

in Paper 4

– [81]

Paper 6The PRM framework is ex-

panded with more realistic

failure rates, especially for

software-related failures

A demonstration of the

framework is carried out on

a real system used for volt-

age control in a substation

using the tool EAAT

The framework success-

fully captures both hard-

ware and logic as well as

their relations

[77]

Paper 7The logical PRM frame-

work element are mod-

eled using PICOM:s of IEC

61850

The framework is applied

to a IEC 61850-based SA

system

An evaluation of the use of

PICOMs shows that they

successfully captures func-

tions related to control and

protection systems, but

not for switchyard-related

functions

[83]


3.2 Reliability and validity

The conducted research resulting in the results presented in this thesis have taken differentforms and shapes along the road. At the introductory stage a position paper [76] was pre-sented with the identification and description of the problem area. The paper also presentsan early attempt to a possible solution the the identified problem. The research methodsapplied were formally literature research focusing on the context of ICT properties of com-ponents influencing power system reliability and formalizing the fundings in an architectureanalysis framework based on extended influence diagrams and enterprise architecture. Theuse of literature as research foundation has extensively been utilized throughout the researchprogress which evidently is present in the included Papers 1-7.

Research validity and reliability is presented paper by paper.Paper 1 presents a novel framework for analysis of availability of control and automation

systems for active distribution networks based on EA and PRMs. What is central is theactual use of EA, PRM’s, Availability and FTA combined. However, it is not as importantthat the framework calculates entirely accurate or captures all aspects that affect availability.The use of FTA is very common within availability analysis and thus valid as the appliedmethod. Bayesian networks – being the analysis engine of PRMs – have also been shown toapply for FTA analysis [10], [42], thus valid as analysis engine. The definition of reliabilitythat is being used is also well-known and part of standardization. For the actual adaptationof the EA framework ArchiMate definitions have been gathered directly from the standard.

In paper 2 the aim is still on the level of presenting a novel framework will basically noempirical data. The relevance is instead demonstrated on an example system to, in someterms, validate the framework’s applicability.

The mapping between IEC 61850 and ArchiMate presented in Paper 3 holds its validityprimarily by involving researchers with domain expertise in either one of the two fields.The process of reaching the final result included included a number of sessions with detaileddiscussions, iteratively carving the final outcome. In terms of reliability, the sources usedwere the IEC 61850 standard and the ArchiMate standard them selfs. The mapping was thenconducted by using the descriptions of each individual object in SCL and see if it matchesthe description of any entity in ArchiMate. Once all possible mappings were identified theresult was screened by all participants to identify its completeness. The outcome showeda close but still not accurate mapping between two objects which resulted in a suggestedextension of the ArchiMate metamodel.

Paper 4 contributes both by presenting a PRM-based framework as well as by identifyingcomponent failure rates. The entities in the framework are based on reliable sources in formof standards and well-renowned literature with each domain. Regarding failure rates theyare collected from well-cited peer-review sources and multiple sources when possible. Thefailure rates provide very little contribution, if any, but is primarily for validating thecorrectness of the framework’s qualitative analysis engine. To do so RBDs were applied toa number of fully realistic architecture scenarios for SA systems and the result as contrastedwith the outcome using the PRM framework.

Paper 5 contributes with an extension of the analysis framework by introducing ANDand OR gates. Hence, the paper includes no contribution in terms of empirical data. A fewexamples demonstrate the gates’ mathematical operations.

Paper 6 goes a bit further and present results based on empirical data describing fail-ures and their causes in modern control and protection systems at a power utility. Eachfailure from the failure log was mapped to either relate to software or hardware of the relaycomponent with help from an expert working actively with the failure data. A best effortmapping was also done in parallel by the author of this thesis and then the results were

3.3. EXPERT VALIDATION 29

compared with each other. The two mappings were then contrasted with each other byand the best mapping for each failure was picked. Based on the result a failure probabilityof relay software could be calculated. To show the framework’s ability to capture relevantcomponents from reliability analysis of SA systems, the framework was applied to a realsystem. The system setup was identified by using technical documentation, which shouldsomewhat be the preferred option in a real scenario when applying the framework, as is wassaid to be the most reliable source of information by the system experts.

Paper 7 expands the coherence in the logical part of the framework by using PICOMsas part of IEC 61850. The PICOMs helps formalize the logical interpretation which iscentral for accurate reliability analysis. Together with the logical gates the PICOMs aredemonstrated on a fictitious but realistic system presented in the research literature.

In summary, validity and reliability have been maintained by using multiple well-citedsources of evidence, external screening and review, and a structured theory foundation.

3.3 Expert validation

The validation process is fairly straight forward and includes interviews with a set of four ex-perts within the concerned domains. The experts listed below represent different industrialstakeholders and possess relevant knowledge within IEC 61850.

• Respondent 1: Senior engineer with extensive experience from both power utility andconsultant firms.

• Respondent 2: Senior technical specialist at system vendor. Multiple years experiencefrom international standards organization.

• Respondent 3: Senior research engineer at power utility.

• Respondent 4: Substation automation specialist at power utility.

Interview approach

The aim of each interview is to evaluate the relevance of the analysis framework based onthe expert’s specific expertise. In order to do so, a short presentation of the framework ofapproximately 10 minutes was given as well an a quick demonstration using the EAAT tool.

Each interview contained at least the following questions:

• Give a short presentation of your work process from idea to an operating station

• Are external partners involved?

• Attached to this form are different process descriptions of the engineering process ofan IEC 61850-based station. Are your process similar to any of the presented ones?If YES, which is most similar to then?

• Which competences are involved in each phase?

• At what stage of the process would you find it useful to analyze the reliability?

• Who is responsible for assuring the system reliability throughout the process?

• Is any reliability analysis carried out? If YES, describe the process and responsibleparties in short.


• Do you find it possible, and appropriate, to relate to the Substation ConfigurationLanguage (SCL), and specifically configuration files (.SCD), when performing relia-bility analysis of an SA system?

The process descriptions being referred to are presented in [105], [29], [61] and [13].In addition to the presented questions the interviewees also responded to the question

about applicability of the analysis framework and if the methods seemed sound and reason-able and held any potential. Basically if it fulfilled its purpose even though not not beingcomplete, still being in the development stage.

Interview findings

The responses were positive from all the experts about the potential of the framework andthe direction of the development. In terms of reliability analysis no such thing is done todayon the level of the presented framework. Although, there is a need for tools were the vendorscan demonstrate that reliability of a system is maintained according to specifications. Herethe framework has a clear potential application.Other interesting findings were:

• The SCD file is according to current practice perhaps created too late into the de-velopment of a new substation. Instead, the usage of the information in SCD filescould potentially be utilized of reliability analysis when reconfiguring current substa-tions. The data in an SCD file in combination with an SSD file could perhaps providerelevant information.

• Regarding SA system reliability, today the analysis is focusing on communicationnetwork configurations rather than IEDs and functions.

• The reliability requirements are given to the system and component supplier and thesupplier mush show that these are maintained. Depending on the requirement thiscould be stated either in direct relation to components or functions.

In general all of the respondent had very coherent views on the details in procuring,developing and installing an IEC 61850-based substation. The design always starts withthe physical layout whereas the functionality is deployed thereafter. There seems to be notrend towards more functional procurement.

Chapter 4

Conclusions & Future work

The objective of the thesis is to present a framework for reliability analysis by potentiallyutilizing EA concepts that supports the industrial engineering issues that follow with theimplementation of modern SA systems. Addressing the aspects of ICT system failure andits impact on the power system operation will be critical for successful operation of thefuture power systems. As a consequence, this becomes more a cyber-physical concern,including everything from system software to power cables and transformers, rather than thetraditional reliability concern of only focusing on power system components. The functionalarchitecture, i.e. functions allocation in the system architecture and their interrelations, isbecoming more important when designing ICT system architecture. For instance the IEC61850 standard enables functional allocation independent from the physical infrastructurein a harmonized way. ICT system architecture development includes the design of physicalinfrastructure together with a logical structure with proper allocation of functionality. Theparadigm change by separating physical and logical structure enabled by the standardsopens new ways of reasoning when designing future systems. The discipline of EA has provensuccessful in capturing the complexity of systems in architectural models. In particular,the layering of systems into a separation between physical infrastructure and functionalstructure is a feature in many EA frameworks.

In conclusion, the conducted research has shown that more integration of ICT will callfor new methods and tools in order to secure system reliability. Aspects such as software,configuration functional deployment etc. is going to play an even more important role interms of keeping costs low without jeoperdizing the supply of power to the customers. Todaythere is very little practical work done regarding these aspects. In terms of the applicationsof PRMs and EA for reliability analysis, they have the potential of solving some of thepresented issues, but much work is still needed.

4.1 Contributions

The contribution of the research presented in the thesis is summarized as follows:

Applying Enterprise Architecture frameworks for SA systems The use of the EAframework ArchiMate as frame of reference when designing the analysis framework isunique in the field of substation automation. Using the more general ICT componentsand business processes found in ArchiMate and mapping these objects to more processrelated ICT, in this case SAS, is a contribution to the domain. It particularly showsthat the gap between enterprise-wide ICT and process-close ICT is more narrow than

31

32 CHAPTER 4. CONCLUSIONS & FUTURE WORK

one at first could believe. Similar result is shown for business processes, showingthat the fact that enterprise services preformed by humans are much similar to thefunctions performed by the components compounding the power system.

A PRM for reliability analysis The research has proven successful in applying prob-abilistic relational models for reliability analysis in general. According to currentknowledge this contribution is new to the field and has not been done before. Also,on top of that, a specific PRM-based framework for reliability analysis of functions isubstation automation systems is developed in an iterative progression. This frame-work stands out against related work in terms of its specific domain of application.

The use of IEC 61850 and the Substation Configuration Language The researchhas shown a potential advancement by the use of information from IEC 61850-basedconfiguration files which has the potential of reducing the modeling effort when cap-turing the system in an architectural model. Similar ideas have shown fruitful forperformance analysis of IEC 61850-based SA systems, but has not to our knowledgebefore been done for reliability purpose.

4.2 Future work

During the research process a number of interesting aspects have been identified, a fewqualifying as potential future work.

PRM framework improvement

By using the PRM formalism the framework is limited in the aspect of performing analysisbased on the instantiation in terms of for instance the number of devices that are used torealize a certain function. An option would instead be to build the framework on the P2AMFformalism [74] which supports such aspects. By switching to P2AMF the framework couldbe designed to for instance automatically identify redundancy based on the instantiatedframework with objects and their relations.

Another aspect is that the causal relations between structural component and functions,as well as between functions, are in the current form deterministic. This however could bethe case that the relations are probabilistic, e.g. a failure in an ICT component will onlyby a certain probability cause a failure of the overall functionality. An example could be afunction that is triggered by events that very rarely occurs.

Extending the framework with other objects, e.g. power supply to the ICT components,is also potential future work.

Continued IEC 61850 integration

An interesting continuation is to further make use of the IEC 61850 standard. Such an ad-vancement could improve the industry relevance and reduce the effort spent on the analysis.The focus should be on making use on the information in the configuration files, in par-ticular .SCD, since they contain much of the relevant information needed for instantiatingthe analysis framework. It could even be possible to automatically extract the informationinto for example the EAAT tool and instantiate parts of the framework without modelingeffort.

4.2. FUTURE WORK 33

Enhanced reliability analysis

Another interesting continuation is to expand the framework with more explicit supportfor commonly applied features in reliability analysis such as common cause failures, failurepropagation, component importance, redundancy etc. Adding additional attributes, aspartly demonstrated in Paper 1 and 2, in extension to reliability is also an interestingcontinuation.

Bibliography

[1] S. Aier, S. Buckl, U. Franke, B. Gleichauf, P. Johnson, P. Närman, C. M. Schweda, andJ. Ullberg. A survival analysis of application life spans based on enterprise architecturemodels. In EMISA, pages 141–154, 2009.

[2] S. Aier, B. Gleichauf, and R. Winter. Understanding enterprise architecture manage-ment design – an empirical analysis. In Wirtschaftsinformatik, page 50, 2011.

[3] Alstom Grid. Network Protection and Automation Guide: Protective Relays, Mea-surement and Control. 2011.

[4] L. Andersson, K.-P. Brand, C. Brunner, and W. Wimmer. Reliability investiga-tions for SA communication architectures based on IEC 61850. In IEEE PowerTech,St.Petersburg, Jun. 2005.

[5] J. Andrews and C. A. Ericson. Fault tree and Markov analysis applied to variousdesign complexities. In 18th International System Safety Conference, Fort WorthTexas, USA, Sep. 2000.

[6] A. Apostolov. UML and XML use in IEC 61850. In Transmission and DistributionConference and Exposition, 2010 IEEE PES, pages 1–6, 2010. doi: 10.1109/TDC.2010.5484325.

[7] R. Beresh, J. Ciufo, and G. Anders. Basic fault tree analysis for use in protectionreliability. International Journal of Reliability and Safety (IJRS), 2(1/2), 2008.

[8] R. Billinton and R. N. Allan. Reliability Evaluation of Power Systems. Plenum Press,New York and London, 2nd edition, 1996.

[9] R. Billinton, M. Fotuhi-Firuzabad, and L. Bertling. Bibliography on the appli-cation of probability methods in power system reliability evaluation 1996-1999.Power Engineering Review, IEEE, 21(8):56, Aug. 2001. ISSN 0272-1724. doi:10.1109/MPER.2001.4311539.

[10] A. Bobbio, L. Portinale, M. Minichino, and E. Ciancamerla. Improving the analysisof dependable systems by mapping fault trees into Bayesian networks. ReliabilityEngineering &; System Safety, 71(3):249–260, 2001.

[11] K. P. Brand. The introduction of IEC 61850 and its impact on protection and au-tomation within substations. Technical report, Cigré SC B5 WG11, Paris, France,Dec. 2006.

[12] K.-P. Brand, V. Lohmann, and W. Wimmer. Substation Automation Handbook. UtilityAutomation Consulting Lohmann, 2003.

35

36 BIBLIOGRAPHY

[13] K. P. Brand, C. Brunner, W. Wimmer, and A. Switzerland. Design of IEC 61850based substation automation systems according to customer requirements. In CIGREPlenary Meeting, Paris, France, 2004.

[14] A. G. Bruce. Reliability analysis of electric utility SCADA systems. IEEE Trans-actions on Power Systems, 13(3):844–849, 1998. ISSN 0885-8950. doi: 10.1109/59.708711.

[15] J. Bruinenberg, L. Colton, E. Darmois, J. Dorn, J. Doyle, O. Elloumi, H. Englert,R. Forbes, J. Heiles, P. Hermans, et al. Smart grid coordination group technicalreport reference architecture for the smart grid version 1.0 (draft) 2012-03-02. CEN,CENELEC, ETSI, Tech. Rep, 2012.

[16] T. Bucher, R. Fischer, S. Kurpjuweit, and R. Winter. Enterprise architecture analysisand application. an exploratory study. In EDOC Workshop TEAR, 2006.

[17] S. Buckl, U. Franke, O. Holschke, F. Matthes, C. M. Schweda, T. Sommestad, andJ. Ullberg. A pattern-based approach to quantitative enterprise architecture analysis.In AMCIS, page 318, 2009.

[18] S. Buckl, F. Matthes, and C. M. Schweda. Classifying enterprise architecture analysisapproaches. In Enterprise Interoperability, pages 66–79. Springer, 2009.

[19] S. Buckl, F. Matthes, S. Roth, C. Schulz, and C. M. Schweda. A conceptual frameworkfor enterprise architecture design. In Trends in Enterprise Architecture Research,pages 44–56. Springer, 2010.

[20] S. Buckl, F. Matthes, and C. M. Schweda. Towards a method framework for enterprisearchitecture management–a literature analysis from a viable system perspective. In 5thInternational Workshop on Business/IT Alignment and Interoperability (BUSITAL2010), pages 46–60. Citeseer, 2010.

[21] S. Buckl, M. Buschle, P. Johnson, F. Matthes, and C. M. Schweda. A meta-languagefor enterprise architecture analysis. In Enterprise, Business-Process and InformationSystems Modeling, pages 511–525. Springer, 2011.

[22] M. Buschle, J. Ullberg, U. Franke, R. Lagerström, and T. Sommestad. A tool forenterprise architecture analysis using the PRM formalism. In Information SystemsEvolution, pages 108–121. Springer, 2011.

[23] M. Buschle, P. Johnson, and K. Shahzad. The enterprise architecture analysis tool–support for the predictive, probabilistic architecture modeling framework. 2013.

[24] CIO Council. Federal enterprise architecture framework version 1.1. Retrieved from,page 80, 1999.

[25] D. Codetta-Raiteri. Extended fault trees analysis supported by stochastic petri nets.PhD thesis, University of Torino, Torino, Italy, 2005.

[26] F. S. de Boer, M. M. Bonsangue, J. Jacob, A. Stam, and L. Van der Torre. Enterprisearchitecture analysis with XML. In System Sciences, 2005. HICSS’05. Proceedings ofthe 38th Annual Hawaii International Conference on, pages 222b–222b. IEEE, 2005.

[27] Department of Defense Architecture Framework Working Group and others. DoDarchitecture framework, version 1.5. Department of Defense, USA, 2007.

BIBLIOGRAPHY 37

[28] DMTF. Common Information Model (CIM) Specification. Distributed ManagementTask Force, Jun. 1999.

[29] DKE Working Group 952.0.1. ArbeitsKreis 952.0.1: Description of the EngineeringProcess, version 1.0 edition.

[30] D. Dolezilek. Case study of a large transmission and distribution substation automa-tion project. Technical report, Schweitzer Engineering Laboratories, Inc., Pullman,US, 1999.

[31] F. Edström and L. Söder. Impact of remote control failure on power system restorationtime. In 2010 IEEE 11th International Conference on Probabilistic Methods Appliedto Power Systems, PMAPS 2010, pages 343–347. IEEE, 2010.

[32] F. Edström and L. Söder. A circuit breaker reliability model for restoration planningconsidering risk of communication outage. In 2011 IEEE PES Trondheim PowerTech: The Power of Technology for a Sustainable Society, Powertech 2011, pages 1–6.IEEE, 2011.

[33] M. Ekstedt and T. Sommestad. Enterprise architecture models for cyber securityanalysis. In Power Systems Conference and Exposition, 2009. PSCE’09. IEEE/PES,pages 1–6. IEEE, 2009.

[34] M. Ekstedt, U. F. P., Johnson, R. Lagerstrom, T. Sommestad, J. Ullberg, andM. Buschle. A tool for enterprise architecture analysis of maintainability. In Soft-ware Maintenance and Reengineering, 2009. CSMR ’09. 13th European Conferenceon, pages 327–328, 2009. doi: 10.1109/CSMR.2009.44.

[35] W. Engelsman, D. Quartel, H. Jonkers, and M. van Sinderen. Extending enterprisearchitecture modelling with business goals and requirements. Enterprise InformationSystems, 5(1):9–36, 2011.

[36] C. A. Ericson. Fault tree analysis - a history. In The 17th International System SafetyConference, Seattle, Washington, 1999. The Boeing Company.

[37] European Technology Platform SmartGrids. Smartgrids SRA 2035, strategic researchagenda, update of the smartgrids SRA 2007 for the needs by the year 2035, 2012.

[38] R. Feng, X. Cheng-Jun, M. Peng, and X. Yang. Performance analysis for substationautomation systems: A PICOM approach and improvement. In IEEE PES Trans-mission and Distribution Conference and Exhibition: Asia and Pacific, pages 1–6,2005.

[39] L. C. Ferreira, P. Crossley, J. Goody, and R. Allan. Reliability evaluation of substationcontrol systems. IEEE Proceedings - Generation, Transmission and Distribution, 146(6):626–632, 1999. doi: 10.1049/ip-gtd:19990851.

[40] L. C. Ferreira, P. Crossley, and R. Allan. The impact of functional integration onthe reliability of substation protection and control systems. Power Delivery, IEEETransactions on, 16(1):83–88, Jan. 2001. ISSN 0885-8977. doi: 10.1109/61.905599.

[41] U. Franke and P. Johnson. An enterprise architecture framework for applicationconsolidation in the swedish armed forces. In 2009 13th Enterprise Distributed ObjectComputing Conference Workshop (EDOCW 2009), pages 264–273. IEEE, 2009.

38 BIBLIOGRAPHY

[42] U. Franke, W. R. Flores, and P. Johnson. Enterprise architecture dependency analysisusing fault trees and bayesian networks. In Proceedings of the 2009 Spring SimulationMulticonference, page 55. Society for Computer Simulation International, 2009.

[43] U. Franke, D. Hook, J. Konig, R. Lagerstrom, P. Narman, J. Ullberg, P. Gustafs-son, and M. Ekstedt. EAF2 – a framework for categorizing enterprise architectureframeworks. In Software Engineering, Artificial Intelligences, Networking and Paral-lel/Distributed Computing, 2009. SNPD’09. 10th ACIS International Conference on,pages 327–332. IEEE, 2009.

[44] U. Franke, P. Johnson, and J. König. An architecture framework for enterprise ITservice availability analysis. Software & Systems Modeling, pages 1–29, 2013.

[45] C. Frei, O. Preiss, and T. Kostic. Method and system for bi-directional data conversionbetween IEC 61970 and IEC 61850. ABB Research, 05 2011. US 7949947 B2, Patent,filing 11/707,170.

[46] N. Friedman, M. Linial, I. Nachman, and D. Pe’er. Using bayesian networks to analyzeexpression data. In Proceedings of the Fourth Annual International Conference onComputational Molecular Biology, RECOMB ’00, pages 127–135, New York, NY,USA, 2000. ACM.

[47] A. Geraci, F. Katki, L. McMonegal, B. Meyer, J. Lane, P. Wilson, J. Radatz, M. Yee,H. Porteous, and F. Springsteel. IEEE Standard Computer Dictionary: Compilationof IEEE Standard Computer Glossaries. IEEE Press, Piscataway, NJ, USA, 1991.ISBN 1559370793.

[48] L. Getoor and B. Taskar. Introduction to Statistical Relational Learning. Adaptivecomputation and machine learning. MIT Press, 2007. ISBN 9780262072885.

[49] B. A. Gran and A. Helminen. A bayesian belief network for reliability assessment. InU. Voges, editor, Computer Safety, Reliability and Security, volume 2187 of LectureNotes in Computer Science, pages 35–45. Springer Berlin Heidelberg, 2001. ISBN978-3-540-42607-3.

[50] D. Greefhorst and E. Proper. Architecture Principles: The Cornerstones of EnterpriseArchitecture. Enterprise engineering series. Springer, 2011.

[51] H. Hajian-Hoseinabadi. Reliability and component importance analysis of substationautomation systems. International Journal of Electrical Power & Energy Systems,2010. ISSN 0142-0615.

[52] H. Hajian-Hoseinabadi. Impacts of automated control systems on substation reli-ability. IEEE Transactions on Power Delivery, 26(3):1681–1691, Jul. 2011. ISSN0885-8977. doi: 10.1109/TPWRD.2011.2119404.

[53] H. Hajian-Hoseinabadi, M. E. H. Golshan, and H. A. Shayanfar. Composite auto-mated distribution system reliability model considering various automated substa-tions. International Journal of Electrical Power & Energy Systems, 54(0):211 – 220,2014.

[54] A. Helminen. Case study on bayesian reliability estimation of software design of motorprotection relay. In F. Saglietti and N. Oster, editors, Computer Safety, Reliability,and Security, volume 4680 of Lecture Notes in Computer Science, pages 384–396.Springer Berlin Heidelberg, 2007.

BIBLIOGRAPHY 39

[55] A. Helminen and U. Pulkkinen. Quantitative reliability estimation of a computer-based motor protection relay using Bayesian networks. In V. Palade, R. Howlett, andL. Jain, editors, Knowledge-Based Intelligent Information and Engineering Systems,volume 2773 of Lecture Notes in Computer Science, pages 92–102. Springer Berlin /Heidelberg, 2003. ISBN 978-3-540-40803-1.

[56] N. Higgins, V. Vyatkin, N.-K. C. Nair, and K. Schwarz. Distributed power systemautomation with IEC 61850, IEC 61499, and intelligent control. IEEE Transactionson Systems, Man, and Cybernetics, Part C, 41(1):81–92, 2011.

[57] R. Hilliard. IEEE recommended practice for architectural description of software-intensive systems. IEEE Std 1471-2000, 2000.

[58] M. Iacob and H. Jonkers. Quantitative analysis of enterprise architectures. In Inter-operability of Enterprise Software and Applications, pages 239–252. Springer, 2006.

[59] M. Iacob, H. Jonkers, M. Lankhorst, and H. Proper. Archimate 1.0 specification. TheOpen Group. Reading. ISBN-13, 857067441, 2009.

[60] M. Iacob, D. H. Jonkers, M. Lankhorst, E. Proper, and D. D. Quartel. Archimate2.0 specification: The open group. Van Haren Publishing, 2012. URL http://doc.

utwente.nl/82972/.

[61] IEC-TC57. Communications networks and systems in substations - part 6: Substa-tion configuration description language for communication in electrical substationsrelated to ied. Technical Report International Standard IEC 61850-6, InternationalElectrotechnical Commission, Geneva, 2009.

[62] IEC-TC57-WG10/11/12. Communications networks and systems in substations.Technical Report International Standard IEC 61850-1..10, International Electrotech-nical Commission, Geneva, 2003.

[63] IFIP-IFAC Task Force. GERAM: Generalised enterprise reference architecture andmethodology. 1(2):30, 1998.

[64] B. Iung, G. Medina-Oliva, P. Weber, and E. Levrat. Using probabilistic rela-tional models for knowledge representation of production systems: A new approachto assessing maintenance strategies. CIRP Annals - Manufacturing Technology,61(1):419 – 422, 2012. ISSN 0007-8506. doi: 10.1016/j.cirp.2012.03.059. URLhttp://www.sciencedirect.com/science/article/pii/S0007850612000613.

[65] F. V. Jensen. Bayesian Networks and Decision Graphs. Statistics for engineering andinformation science. Springer, 2001. ISBN 9780387952598.

[66] B. W. Johnson, editor. Design & Analysis of Fault Tolerant Digital Systems. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1988. ISBN 0-201-07570-9.

[67] P. Johnson. Architecture modeling for interoperability analysis on the future internet.Enterprise Interoperability: I-ESA’12 Proceedings, page 111, 2012.

[68] P. Johnson and M. Ekstedt. Enterprise Architecture: Models and Analyses for Infor-mation Systems Decision Making. Lightning Source Incorporated, 2007.

40 BIBLIOGRAPHY

[69] P. Johnson, M. Ekstedt, E. Silva, and L. Plazaola. Using enterprise architecture forCIO decision-making: On the importance of theory. In Proceedings of the SecondAnnual Conference on Systems Engineering Research, 2004.

[70] P. Johnson, R. Lagerström, P. Närman, and M. Simonsson. Extended influence dia-grams for enterprise architecture analysis. In Enterprise Distributed Object ComputingConference, 2006. EDOC’06. 10th IEEE International, pages 3–12. IEEE, 2006.

[71] P. Johnson, E. Johansson, T. Sommestad, and J. Ullberg. A tool for enterprisearchitecture analysis. In Enterprise Distributed Object Computing Conference, 2007.EDOC 2007. 11th IEEE International, pages 142–142. IEEE, 2007.

[72] P. Johnson, L. Nordström, and R. Lagerström. Formalizing analysis of enterprisearchitecture. In Enterprise Interoperability, pages 35–44. Springer, 2007.

[73] P. Johnson, M. E. Iacob, M. Välja, M. van Sinderen, C. Magnusson, and T. Ladhe.Business model risk analysis: Predicting the probability of business network prof-itability. In Enterprise Interoperability, pages 118–130. Springer, 2013.

[74] P. Johnson, J. Ullberg, M. Buschle, U. Franke, and K. Shahzad. P2AMF: Predictive,probabilistic architecture modeling framework. In Enterprise Interoperability, pages104–117. Springer, 2013.

[75] H. Jonkers, M. M. Lankhorst, H. W. ter Doest, F. Arbab, H. Bosma, and R. J.Wieringa. Enterprise architecture: Management tool and blueprint for the organisa-tion. Information Systems Frontiers, 8(2):63–66, 2006.

[76] J. König and L. Nordström. Assessing impact of ICT system quality on operationof active distribution grids. In 2009 IEEE Bucharest Powertech, pages 1977–1984.IEEE, 2009.

[77] J. König and L. Nordström. Reliability analysis of substation automation systemfunctions. In Reliability and Maintainability Symposium (RAMS), Reno, US, Jan.2012.

[78] J. König, U. Franke, and L. Nordström. Probabilistic availability analysis of controland automation systems for active distribution networks. In IEEE PES Transmissionand Distribution Conference and Exposition, pages 1–8, New Orleans, US, Apr. 2010.

[79] J. König, L. Nordström, and M. Ekstedt. Probabilistic relational models for assess-ment of reliability of active distribution management systems. In 2010 IEEE 11th In-ternational Conference on Probabilistic Methods Applied to Power Systems, PMAPS2010, pages 454–459. IEEE, 2010.

[80] J. König, K. Zhu, L. Nordström, M. Ekstedt, and R. Lagerström. Mapping thesubstation configuration language of iec 61850 to archimate. In Enterprise DistributedObject Computing Conference Workshops (EDOCW), 2010 14th IEEE International,pages 60–68. IEEE, 2010.

[81] J. König, P. Närman, U. Franke, and L. Nordström. An extended framework for relia-bility analysis of ICT for power systems. In IEEE PowerTech, pages 1–6, Trondheim,Jun 2011.

BIBLIOGRAPHY 41

[82] J. König, L. Nordström, and M. Ekstedt. An architecture-based framework for re-liability analysis of ICT for power systems. In Power and Energy Society GeneralMeeting, 2011 IEEE, 2011.

[83] J. König, L. Nordström, and M. Österlind. Reliability analysis of substation automa-tion system functions using PRMs. IEEE Transactions on Smart Grid, 4(1):206–213,2013.

[84] T. Kostic, O. Preiss, and C. Frei. Towards the formal integration of two upcomingstandards: Iec 61970 and iec 61850. In Power Engineering, 2003 Large EngineeringSystems Conference on, pages 24–29, 2003. doi: 10.1109/LESCPE.2003.1204674.

[85] T. Kostic, O. Preiss, and C. Frei. Understanding and using the IEC 61850: a casefor meta-modelling. Computer Standards & Interfaces, 27(6):679–695, 2005. ISSN0920-5489. doi: http://dx.doi.org/10.1016/j.csi.2004.09.008.

[86] S. Kurpjuweit and R. Winter. Viewpoint-based meta model engineering. In EMISA,volume 143, page 2007, 2007.

[87] R. Lagerström. Analyzing system maintainability using enterprise architecture mod-els. In Proceedings of the Second Workshop on Trends in Enterprise ArchitectureResearch (TEAR 2007), pages 31–39. Telematica Instituut, 2007.

[88] R. Lagerström, U. Franke, P. Johnson, and J. Ullberg. A method for creating enter-prise architecture metamodels applied to systems modifiability. IJCSA, 6(5):89–120,2009.

[89] R. Lagerström, U. Franke, P. Johnson, and J. Ullberg. A method for creating enter-prise architecture metamodels–applied to systems modifiability analysis. InternationalJournal of Computer Science and Applications, 6(5):89–120, 2009.

[90] R. Lagerström, P. Johnson, and D. Höök. Architecture analysis of enterprise systemsmodifiability - models, analysis, and validation. Journal of Systems and Software, 83:1387–1403, Aug. 2010. ISSN 0164-1212.

[91] M. Land and E. Proper. Enterprise Architecture: Creating Value by Informed Gover-nance. The enterprise engineering series. Springer, 2008.

[92] M. Lankhorst. Enterprise architecture at work: Modelling, communication and anal-ysis. Springer, 2013.

[93] M. Lankhorst et al. Archimate language primer. Telematica institute, 2004.

[94] R. Mackiewicz. Overview of IEC 61850 and benefits. In IEEE Power EngineeringSociety General Meeting, 2006, page 8 pp., 2006.

[95] G. Medina-Oliva, P. Weber, and B. Iung. PRM–based patterns for knowledge formal-isation of industrial systems to support maintenance strategies assessment. ReliabilityEngineering & System Safety, 116:38–56, 2013.

[96] S. Meyn and R. L. Tweedie. Markov Chains and Stochastic Stability. CambridgeUniversity Press, New York, NY, USA, 2nd edition, 2009. ISBN 0521731828,9780521731829.

42 BIBLIOGRAPHY

[97] D. Minoli. Enterprise Architecture A to Z: Frameworks, Business Process Modeling,SOA, and Infrastructure Technology. Auerbach publications. Taylor & Francis, 2008.

[98] P. Närman, M. Schönherr, P. Johnson, M. Ekstedt, and M. Chenine. Using enter-prise architecture models for system quality analysis. In Enterprise Distributed Ob-ject Computing Conference, 2008. EDOC’08. 12th International IEEE, pages 14–23.IEEE, 2008.

[99] P. Närman, P. Johnson, M. Ekstedt, M. Chenine, and J. König. Enterprise architec-ture analysis for data accuracy assessments. In Enterprise Distributed Object Com-puting Conference, 2009. EDOC’09. IEEE International, pages 24–33. IEEE, 2009.

[100] P. Närman, H. Holm, M. Ekstedt, and N. Honeth. Using enterprise architectureanalysis and interview data to estimate service response time. The Journal of StrategicInformation Systems, 2012.

[101] P. Närman, M. Buschle, and M. Ekstedt. An enterprise architecture framework formulti-attribute information systems analysis. Software & Systems Modeling, pages1–32, 2013.

[102] R. E. Neapolitan. Learning Bayesian Networks. Pearson Prentice Hall Upper SaddleRiver, 2004.

[103] G. M. Oliva, P. Weber, E. Levrat, and B. Iung. Use of probabilistic relational model(PRM) for dependability analysis of complex systems. In 12th IFAC Symposium onLarge Scale Systems: Theory and Applications, France, 2010.

[104] C. Ozansoy, A. Zayegh, and A. Kalam. Object modeling of data and datasets in theinternational standard IEC 61850. Power Delivery, IEEE Transactions on, 24(3):1140–1147, 2009. ISSN 0885-8977. doi: 10.1109/TPWRD.2008.2005658.

[105] P. Paananen. Specifying configuration of control equipment according to IEC 61850.Master’s thesis, Royal Institute of Technology, Oct. 2008.

[106] M. Panteli. Impact of ICT Reliability and Situation Awareness on Power SystemBlackouts. PhD thesis, The University of Manchester, 2013.

[107] M. Panteli and D. Kirschen. Assessing the effect of failures in the informationand communication infrastructure on power system reliability. In Power Sys-tems Conference and Exposition (PSCE), 2011 IEEE PES, pages 1–7, 2011. doi:10.1109/PSCE.2011.5772565.

[108] A. Pasquini, A. Bobbio, L. Portinale, M. Minichino, and E. Ciancamerla. Comparingfault trees and Bayesian networks for dependability analysis. In K. Kanoun, editor,Computer Safety, Reliability and Security, volume 1698 of Lecture Notes in ComputerScience, pages 689–689. Springer Berlin / Heidelberg, 1999.

[109] R. Paulo and A. Carvalho. Towards model-driven design of substation automation sys-tems. In Electricity Distribution, 2005. CIRED 2005. 18th International Conferenceand Exhibition on, pages 1–5, 2005.

[110] K. Peffers, T. Tuunanen, C. E. Gengler, M. Rossi, W. Hui, V. Virtanen, and J. Bragge.The design science research process: a model for producing and presenting informationsystems research. In Proceedings of the first international conference on design scienceresearch in information systems and technology (DESRIST 2006), pages 83–106, 2006.

BIBLIOGRAPHY 43

[111] Per Närman. Enterprise Architecture for Information System Analysis: Modeling andassessing data accuracy, availability, performance and application usage. PhD thesis,KTH, 2012.

[112] L. Pottonen, U. Pulkkinen, and M. Koskinen. A method for analysing the effect ofsubstation failures on power system reliability. In 15th Power Systems ComputationConference, Liege, Belgium, Aug. 2005.

[113] O. Preiss and A. Wegmann. Towards a composition model problem based on IEC61850. Journal of Systems and Software, 65(3):227 – 236, 2003. ISSN 0164-1212.

[114] E. Proper, D. Greefhorst, et al. Principles in an enterprise architecture context.Journal of Enterprise Architecture, 7(1):8–16, 2011.

[115] M. Rausand and A. Høyland. System Reliability Theory: Models, Statistical Methods,and Applications. Wiley series in probability and statistics: Applied probability andstatistics. Wiley–Interscience, New Jersey, 2004. ISBN 9780471471332.

[116] M. Razavi, F. S. Aliee, and K. Badie. An AHP-based approach toward enterprisearchitecture analysis based on enterprise architecture quality attributes. Knowledgeand information systems, 28(2):449–472, 2011.

[117] J. Ross, P. Weill, and D. Robertson. Enterprise Architecture as Strategy: Creating aFoundation for Business Execution. Harvard Business School Press, 2006.

[118] G. W. Scheer. Answering substation automation questions through fault tree analysis.In 4th Annual Texas A&M Substation Automation Conference, 1998.

[119] J. Schekkerman. Extended enterprise architecture framework (E2AF) essentials guide.Institute for Enterprise Architecture Developments, 2004.

[120] J. Schekkerman. How to Survive in the Jungle of Enterprise Architecture Frameworks:Creating Or Choosing an Enterprise Architecture Framework. Trafford, 2004.

[121] M. Schöenherr. Towards a common terminology in the discipline of enterprise ar-chitecture. In Service-Oriented Computing–ICSOC 2008 Workshops, pages 400–413.Springer, 2009.

[122] E. O. Schweitzer, B. Fleming, T. J. Lee, and P. M. Anderson. Reliability analysis oftransmission protection using fault tree methods. In Proceedings of the 24th AnnualWestern Protective Relay, 1997.

[123] D. Simon, K. Fischbach, and D. Schoder. An exploration of enterprise architectureresearch. Communications of the Association for Information Systems : CAIS, 2013.

[124] T. Sommestad, M. Ekstedt, and P. Johnson. A probabilistic relational model forsecurity risk analysis. Computers & Security, 29(6):659–679, 2010.

[125] T. Sommestad, M. Ekstedt, and H. Holm. The cyber security modeling language:A tool for assessing the vulnerability of enterprise system architectures. SystemsJournal, IEEE, 7(3):363–373, 2013.

[126] D. Stamatis. Failure Mode and Effect Analysis: FMEA from theory to execution. ASQQuality Press, Milwaukee, 2003. ISBN 9780873895989.

44 BIBLIOGRAPHY

[127] The European Electricity Grid Initiative (EEGI). Roadmap 2010-18 and detailedimplementation plan 2010-12, 2010.

[128] The Open Group. TOGAF Version 9.1, 2011. URL http://pubs.opengroup.org/

architecture/togaf9-doc/arch/.

[129] C. Tranchita, N. Hadjsaid, M. Viziteu, B. Rozel, and R. Caire. Ict and powers systems:An integrated approach. In Z. Lukszo, G. Deconinck, M. P. C. Weijnen, and A. V.Gheorghe, editors, Securing Electricity Supply in the Cyber Age, volume 15 of Topicsin Safety, Risk, Reliability and Quality, pages 71–109. Springer Netherlands, 2010.

[130] UK MoD. Ministry of defence architecture framework, 2008.

[131] J. Ullberg and P. Johnson. Predicting interoperability in an environmental assurancesystem. In Enterprise Interoperability V, pages 25–35. Springer, 2012.

[132] J. Ullberg, U. Franke, M. Buschle, and P. Johnson. A tool for interoperability analysisof enterprise architecture models using pi-ocl. In Enterprise Interoperability IV, pages81–90. Springer, 2010.

[133] J. Ullberg, P. Johnson, and M. Buschle. A language for interoperability modeling andprediction. Computers in Industry, 2012.

[134] Utility Consulting International (UCI). Guidelines for implementing substation au-tomation using IEC 61850, the international power system information modeling stan-dard. Technical report, Electric Power Research Institute - EPRI, 2004.

[135] W. Vesely, J. Dugan, J. Fragola, J. Minarick, and J. Railsback. Fault tree handbookwith aerospace applications. Handbook, National Aeronautics and Space Administra-tion, Washington, DC, 2002.

[136] V. Vyatkin, G. Zhabelova, N. Higgins, K. Schwarz, and N. Nair. Towards intelligentsmart grid devices with IEC 61850 interoperability and IEC 61499 open control ar-chitecture. In Transmission and Distribution Conference and Exposition, 2010 IEEEPES, pages 1–8, 2010.

[137] A. Wegmann. On the systemic enterprise architecture methodology (seam. In SEAM).Published at the International Conference on Enterprise Information Systems 2003(ICEIS 2003, pages 483–490, 2003.

[138] K. Winter, S. Buckl, F. Matthes, and C. M. Schweda. Investigating the state-of-the-art in enterprise architecture management methods in literature and practice. MCIS,90, 2010.

[139] R. Winter and R. Fischer. Essential layers, artifacts, and dependencies of enterprise ar-chitecture. In Enterprise Distributed Object Computing Conference Workshops, 2006.EDOCW’06. 10th IEEE International, pages 30–30. IEEE, 2006.

[140] B. Yunus, A. Musa, H. Ong, A. Khalid, and H. Hashim. Reliability and availabilitystudy on substation automation system based on IEC 61850. In IEEE 2nd Interna-tional Power and Energy Conference, Dec. 2008.

[141] J. Zachman. A framework for information systems architecture. volume 26, pages276–292, 1987.

Part II

Papers 1 to 7

Paper 1

Probabilistic Availability Analysis of

Control and Automation Systems for

Active Distribution Networks

47

Paper 2

Probabilistic Relational Models for

Assessment of Reliability of Active

Distribution Management Systems

57

Paper 3

Mapping the Substation Configuration

Language of IEC 61850 to ArchiMate

65

Paper 4

An Architecture-Based Framework for

Reliability Analysis of ICT for Power

Systems

77

Paper 5

An Extended Framework for

Reliability Analysis of ICT for Power

Systems

87

Paper 6

Reliability Analysis of Substation

Automation System Functions

95

Paper 7

Reliability Analysis of Substation

Automation System Functions using

PRMs

103

analyzing substation automation system reliability using ...715620/...analyzing substation...

Documents