Reliability Analysis of Power System based on
Generalized Stochastic Petri Nets
Juliano S. A. Carneiro, Luca Ferrarini
Dipartimento di Elettronica e Informazione
Politecnico di Milano
Piazza Leonardo da Vinci 32, 20133, Milan, Italy
Abstract— Hidden failures in protection schemes, the traditional N − 1 security criterion and the introduction of the electricity market are usually major causes of the recent wide-area blackouts. In the present work, we address the reliability analysis of power systems using Generalized Stochastic Petri Nets (GSPN). The proposed modeling approach considers not only the most common failures of power system elements, i.e. short-circuit, breakdown, lightning, but also the improper operations of protection schemes. In addition, the dependency on the system operating conditions has been introduced according to the GSPN formalism (marking-dependency), which allows for the propagation of harmful events. Finally, well-known techniques such as the reachability graph might be used to retrieve the reliability information of the system under investigation.
I. INTRODUCTION
The reliability of electric power systems is currently undergoing numerous investigations, mainly after the latest wide area blackouts. Essentially, the introduction of the electricity market and the old-fashioned protection schemes have been recognized as the major causes of catastrophic events. In fact, the electricity market tends toward a more efficient production, transmission and distribution of energy, thus fully exploiting the electric resources. On the other hand, such a concept drastically shortens the safety margins of power systems and requires novel operating criteria to keep them safe. Nevertheless, the protection schemes are still based on the classical “N-1 criterion”, once extremely efficient, but currently inadequate to face the critical operating conditions created by this modern market-driven organization.
Studies conducted by NERC, UTCE and others revealed that protection system failures are often involved in the most serious blackouts. Generally, the impact of a particular hazardous event is minimized if the occurrence is promptly identified and eliminated as soon as possible [2]. This procedure helps to prevent “N-k contingencies” caused by cascading effects [1], [4], [10], and thus reduces the probability of catastrophic failures in power systems. Clearly, the protection system plays an important role in this scenario, since it avoids the disturbance propagation by removing the damaged component and/or section from the rest of the grid.
There are two sorts of safety requirements concerning the
protection systems: the dependability, which is the ability to
operate correctly when required, and the security, which means
the ability to refrain from unnecessary tripping (undesired
tripping). The dependability is achieved by redundant protec-
tion schemes and has often taken priority with respect to the
security. However, security aspects have become particularly
important after the introduction of the electricity market.
For example, the line power flows during either heavy load
conditions or maintenance operations can induce undesired
tripping of distance protections. In this case, a line tripping will
lead to an additional stress in the system that might contribute
to widespread blackouts. This simple example illustrates a
case of hidden failures, defined in [11] as: a defect such as a
component failure, inappropriate setting or incorrect external
connection that remains undetected until some other system
event causes the hidden failure to initiate a cascading outage.
It is worth noting that hidden failures cannot be easily de-
tected and frequently lead to large outages [5], [9]. Moreover,
the example shows that a given disturbance might produce
different consequences depending on the power system state.
In conclusion, the reliability of protection schemes, understood
as the union of dependability and security, and its dependency
on the system operating conditions, deserve all attention when
analyzing and designing modern power systems [12].
The Petri Net (PN) paradigm is suitable to represent event-driven systems, which are characterized by a set of states (configurations) and a set of evolution rules (events). Many authors used different types of PNs to model reliability aspects in wide application fields [4], [6], [7]. In this paper, we present a formal model based on Generalized Stochastic Petri Nets (GSPN) for the reliability analysis of transmission power systems.
II. GENERALIZED STOCHASTIC PETRI NETS
Petri Nets are extremely useful for performance evaluation and description of distributed systems characterized by sequentiality, concurrency, synchronization, among others. Specifically, the GSPN [8] is one of the several extensions of standard PNs and is obtained by allowing transitions to belong to two different classes: immediate transitions and timed transitions. Immediate transitions fire in zero time once they are enabled. Timed transitions fire after a random, exponentially distributed enabling time. Formally, a GSPN can be defined as follows:
Definition 1: A GSPN is an 8-tuple:

$$N = \{P, T, \Pi, I, O, H, W, M_0\}$$

where:
• $P$ is the set of places;
• $T$ is the set of transitions, $T = T_{im} \cup T_{tim}$; $T_{im} \cap T_{tim} = \emptyset$, where $T_{im}$ means immediate transitions and $T_{tim}$ means timed transitions;
• $\Pi : T \to \mathbb{N}$ is the priority function that maps transitions onto natural numbers representing their priority levels, $\forall t_k \in T_{tim},\ \Pi(t_k) = 0$; $\forall t_k \in T_{im},\ \Pi(t_k) > 0$;
• $I, O, H : T \to Bag(P)$ are the input, output and inhibition functions, respectively. $Bag(P)$ is the multiset on $P$;
• $W : (T \times M) \to \mathbb{R}^+$ is the stochastic function that maps transitions onto real numbers representing their firing rates depending on the marking $M$,

$$W(t_k, M) = \begin{cases} \lambda_k, & \text{if } t_k \in T_{tim} \\ \omega_k, & \text{if } t_k \in T_{im} \end{cases}$$

• $M_0 : P \to \mathbb{N}$ is the initial marking, a function that associates each place with a natural number.
The dynamic evolution of the PN marking is governed by transition firings that, once enabled, remove tokens from upstream places and add them to downstream places. In short, a transition $t_k$ has concession if and only if (i) each input place contains a number of tokens greater than or equal to a given threshold, and (ii) each inhibitor place contains a number of tokens strictly smaller than a given threshold.
Definition 2 (Concession): Transition $t_k$ has concession in marking $M$ if and only if:

$$\forall p \in {}^{\bullet}t_k,\ M(p) \ge I(t_k, p) \ \wedge\ \forall p \in {}^{\circ}t_k,\ M(p) \le H(t_k, p)$$

Instead, a transition $t_k$ is said to be enabled if it has concession in marking $M$, and if no other transition $t_j \in T$ of priority $\Pi_j > \Pi_k$ exists that has concession in the same marking $M$.
Definition 3 (Enabling): Transition $t_k$ is enabled in marking $M$ if and only if:
• $t_k$ has concession in marking $M$ and,
• $\Pi(t_k) > \Pi(t_j)$, $\forall t_j \in T$ that have concession.
When transition $t_k$ fires, it deletes from each place in its input set ${}^{\bullet}t_k$ as many tokens as the multiplicity of the arc connecting that place to $t_k$, and adds to each place in its output set $t_k^{\bullet}$ as many tokens as the multiplicity of the arc connecting $t_k$ to that place.
Definition 4 (Firing): The firing of transition $t_k$, enabled in marking $M$, produces marking $M'$ such that:

$$M' = M + O(t_k) - I(t_k)$$
The GSPN just introduced is a powerful tool to model power systems. Phenomena like component failure, short-circuit, lightning, etc., are always present in real systems and occur randomly. Such events, together with control and protection actions, can be suitably represented through the GSPN, as described in the following sections.
III. GENERAL MODEL STRUCTURE
The general model representing the power system under
investigation is composed of three major blocks: Electrical
Topology Network (ETN), Stochastic Model Network (SMN)
and Current Evaluation Network (CEN). These sub-networks
communicate and exchange the required information to repre-
sent and describe the power system evolution. Basically, the
SMN acts as the “core” of the general model, while ETN and
CEN support the logical and stochastic evolution of the SMN.
A. Electrical Topology Network
The Electrical Topology Network computes the electrical connectivity of each component of the system. Essentially, the ETN operates based on the information regarding the states of the components, e.g. open/closed for circuit breakers, out-of-order/working for lines and transformers. Such information comes from the SMN through appropriate signal connectors, as will be discussed later. In addition, the ETN has the physical location of generation groups in order to identify the supplied components.
Informally, the strategy used to compute the electrical connectivity can be outlined as follows: starting from the generation groups (GEN), the search algorithm identifies step by step the graphs representing lines (L), station bars (SB) and transformers (T) connected to at least one generation point. For this purpose, we created a modular basic element that contains two places: the electrical state (E_ST) and the physical state (P_ST), as shown in the box of Fig. 1. The former place is marked when the component is connected to a generation point, whereas the latter place is marked if the component state permits the electrical connectivity (data available in the SMN). Besides the places, the basic element is endowed with immediate transitions that propagate the token representing the electrical connection as far as possible. In short, the evolution of the ETN¹, illustrated in Fig. 1, can be described as follows:
1) A message is sent to the ETN after changing the state
of a component of the SMN;
2) The ETN clears all electrical places once the message
from the ETN is received;
3) A token diffusion starts from the generation points and
establishes a new electrical topology.
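Definitions 2 to 4 and the three-step ETN evolution above, as an added Python example (not the authors' model or GreatSPN code). The topology, the `t_src>dst` transition names, the self-loop and inhibitor arc layout of the basic element, and the merging of `TL_FAIL` into the same net are assumptions made for illustration; enabling follows the prose rule that no higher-priority transition may have concession.

```python
from collections import Counter

class GSPN:
    """Marking semantics of Definitions 2-4; firing rates and weights are left out."""
    def __init__(self):
        self.I, self.O, self.H, self.prio = {}, {}, {}, {}

    def add(self, t, inp, out, inh=None, prio=0):
        # prio == 0: timed transition; prio > 0: immediate transition
        self.I[t], self.O[t] = Counter(inp), Counter(out)
        self.H[t], self.prio[t] = Counter(inh or {}), prio

    def has_concession(self, t, M):
        # Inhibitor test is strict, following the prose statement of concession.
        return (all(M[p] >= n for p, n in self.I[t].items())
                and all(M[p] < n for p, n in self.H[t].items()))

    def enabled(self, M):
        # Enabled: has concession and no higher-priority transition has concession.
        conc = [t for t in self.prio if self.has_concession(t, M)]
        top = max((self.prio[t] for t in conc), default=0)
        return sorted(t for t in conc if self.prio[t] == top)

    def fire(self, t, M):
        if t not in self.enabled(M):
            raise ValueError(f"{t} is not enabled")
        M2 = Counter(M)
        M2.subtract(self.I[t])      # M' = M + O(t) - I(t)
        M2.update(self.O[t])
        return +M2                  # keep only the places that hold tokens

def build_net(links, lines):
    """Diffusion transitions of the ETN plus one timed TL_FAIL per line."""
    net = GSPN()
    for a, b in links:
        for src, dst in ((a, b), (b, a)):
            guard = {f"E_ST({src})": 1}
            if dst in lines:                    # station bars carry no P_ST (footnote 1)
                guard[f"P_ST({dst})"] = 1
            e_dst = f"E_ST({dst})"
            # Self-loop arcs test the guard; the inhibitor arc stops a second marking.
            net.add(f"t_{src}>{dst}", guard, {**guard, e_dst: 1}, {e_dst: 1}, prio=1)
    for line in lines:
        net.add(f"TL_FAIL({line})", {f"P_ST({line})": 1}, {f"L_FAIL({line})": 1})
    return net

def rediffuse(net, M, gens):
    """ETN steps 2 and 3: clear every E_ST place, then fire immediates to a fixpoint."""
    M = Counter({p: n for p, n in M.items() if not p.startswith("E_ST(")})
    M.update({f"E_ST({g})": 1 for g in gens})
    while True:
        en = net.enabled(M)
        if not en or net.prio[en[0]] == 0:      # tangible marking reached
            return M
        M = net.fire(en[0], M)

def supplied(M):
    return sorted(p[5:-1] for p in M if p.startswith("E_ST(") and M[p] > 0)

# Constructed topology: SB1 feeds SB2 directly over L1 and indirectly over L2-SB3-L3.
LINKS = [("GEN", "SB1"), ("SB1", "L1"), ("L1", "SB2"),
         ("SB1", "L2"), ("L2", "SB3"), ("SB3", "L3"), ("L3", "SB2")]
LINES = ["L1", "L2", "L3"]

def scenario():
    net = build_net(LINKS, LINES)
    start = Counter({f"P_ST({l})": 1 for l in LINES}) + Counter({"E_ST(GEN)": 1})
    # While diffusion is pending, TL_FAIL(L1) has concession but is not enabled.
    blocked = (net.has_concession("TL_FAIL(L1)", start)
               and "TL_FAIL(L1)" not in net.enabled(start))
    m0 = rediffuse(net, start, ["GEN"])
    m1 = rediffuse(net, net.fire("TL_FAIL(L1)", m0), ["GEN"])  # SB2 still fed via L3
    m2 = rediffuse(net, net.fire("TL_FAIL(L3)", m1), ["GEN"])  # SB2 loses supply
    return blocked, supplied(m0), supplied(m1), supplied(m2)

if __name__ == "__main__":
    for result in scenario():
        print(result)
```

The first line failure leaves every bar supplied, while the second one removes SB2 from the supplied set, which is the kind of N-k outcome the ETN is meant to expose to the SMN.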
B. Stochastic Model Network
The Stochastic Model Network is composed of several sub-
blocks interconnected among them. Such sub-blocks represent
the different components of the transmission grid, whereas
their interconnections symbolize the logical interactions.
The construction rule for each sub-block follows two steps:
1) Identification and description of states (configurations);
2) Specification of transitions (events).
The result of such a procedure can then be synthesized in a Markov Chain enriched by extra elements. The function of such elements regards the conditioning of internal transitions according to external events. To clarify these concepts, we proceed with some modeling examples of the most important components of transmission systems: power lines, protection schemes, circuit breakers, bus bars and transformers.
¹ Note that the station bar contains only the electrical state. That is because we decided not to consider the bus breaking.
Fig. 1. An example of the Electrical Topology Network
1) Transmission Line Model: The model takes into account the fact that the line can be short-circuited temporarily (L_SC) or permanently (L_SC_P). Furthermore, the line can be hit by lightning (L_FLASH), it can be broken (L_FAIL), or it can be in the normal state (L_OK). Note that the states just introduced are mutually exclusive, which means that short-circuit, lightning and breaking cannot happen simultaneously.
The evolution of the line model (Fig. 2 (a)) is governed by the following discrete events (temporized/immediate transitions):
TL_FLASH     Line is struck by lightning;
TL_F_OK      Lightning extinguishes autonomously and the line returns to normal state;
TL_SC        Line goes from the normal state to short-circuit with ground;
TL_SC_OK     Short-circuit extinguishes autonomously;
tL_SC_E      Short-circuit extinguishes after the intervention of protections (immediate transition);
TL_SC_P      Line goes from normal state to permanent short-circuit with ground;
TL_SC_REP    Line is repaired to eliminate the permanent short-circuit;
TL_FAIL      Line failure (normally caused by an object);
TL_REP       Line is restored to normal state;
TL_F_SC      Line goes to short-circuit because of lightning. The energy of the lightning is considered to be discharged to the ground;
TL_F_FAIL    Line failure caused by lightning. The effect of the lightning is extinguished;
TL_SC_FAIL   Line failure due to short-circuit (normally caused by the breaking of an insulator).
2) Protection Model: The protection model is unique for all components. It recognizes a failure in the element under control and commands the associated breaker to open. As mentioned before, the protection model must describe both dependability and security aspects. Therefore, the protection not only can be damaged (failure to operate), but also can be subjected to undesired tripping (operate when not required). In addition, the protection model includes the Breaker Failure Device (BFD). This element, located in every bus of the system, recognizes failures in a breaker opening and orders the remaining interrupters connected to that particular bus station to open. The overall behavior of the protection model, as well as its resultant Petri Net (Fig. 2 (b)), can be summarized as follows:
TP_FAIL      Protection failure;
TP_REP       Protection is repaired;
TP_TRIP      Protection properly identifies a failure in the component under control;
TP_UT        Protection commands the breaker opening in absence of failure (undesired tripping);
TP_READY     Protection returns to normal state when the fault is eliminated;
TBFD_FAIL    BFD failure;
TBFD_REP     Protection is repaired;
TBFD_TRIP    BFD identifies a failure in the breaker opening and commands the remaining interruptors to open;
TBFD_READY   BFD returns to normal state when the fault is eliminated.
Fig. 2 exemplifies some of the interconnections among the internal blocks of the SMN. In particular, the place (P_OK) is used to condition the protection tripping (TP_TRIP). Moreover, it imposes constraints on the resetting of both the protection (TP_READY) and the BFD (TBFD_READY). The place (I_OPEN), instead, indicates an open breaker and is used to coordinate the protection and the BFD operation.
3) Circuit Breaker Model: The breaker has been modeled with a similar approach. It consists of four main logical states: open, closed, stuck closed and stuck open. Automatic circuit reclosers (I_RECLOSE) are also considered and have been included inside the breaker model. The reclosers interrupt and reclose an ac circuit with a preset sequence of tripping/reclosing to eliminate temporary faults. After the first opening, the breaker is automatically closed by the fast recloser (TI_CLOSE). If the breaker opens again (permanent fault), then it can be closed only through the transition (TI_CLOSE2). Such a transition is conditioned on the lines attached to it being in the normal state. The PN model of the circuit breaker is sketched in Fig. 2 (c) and the transitions from one state to another are reported below:
TI_OPEN      Breaker opening triggered by the associated protection;
TI_CLOSE     Fast reclosure of the breaker;
TI_CLOSE2    Reclosure of the breaker conditioned by the normal state of connected elements;
TI_STUCK_O   Breaker stuck in open condition;
TI_REP_O     Breaker repair (set to open state);
TI_STUCK_C   Breaker stuck in closed condition;
TI_REP_C     Breaker repair (set to closed state);
TI_REC_END   Fast recloser resetting.
Fig. 2. Stochastic Model Network. (a) Line model. (b) Protection model. (c) Circuit breaker model.
4) Station bus and transformers: Similarly, also bars and
transformers have been modeled. In short, the station bus
can be either hit by lightning or short-circuited, whereas the
transformers can be short-circuited or broken down. Details
are here omitted for the sake of simplicity.
Up to this point, the stochastic transitions have been assumed to have a constant probability of firing. However, there is a strong correlation between the operating conditions of power systems and the probability of harmful events. To consider this dependency, we developed the CEN described next.
C. Current Evaluation Network
The scope of the Current Evaluation Network is to condition the firing probability of the stochastic transitions defined in the SMN according to the current flowing in the transmission system. That could be done by associating a piecewise constant function to the firing rate of stochastic transitions with dependency on the electrical topology.
In the GSPN formalism, it is possible to work with parameters of transitions that are marking-dependent. In other words, the firing rate $\lambda_k$ of timed transitions, as well as the weight $\omega_k$ of immediate transitions, can be evaluated as the product of a nominal rate (or weight in the case of immediate transitions) and a dependency function defined in terms of the marking of the places that are connected to a transition through its input and inhibition functions.
The idea here consists in introducing a new place $p_s$ in the SMN for each component that contains a transition with marking-dependency. Such a place summarizes, by means of its marking $M(p_s)$, the marking of a finite generic set of places $C = \{p_n, p_{n-1}, \cdots, p_1, p_0\}$. Afterwards, it can be used to condition the parameters of a transition according to the GSPN formalism.

TABLE I
ENCODING EXAMPLE

$M(C) = (M_{p2}, M_{p1}, M_{p0})$    $M(p_s)$
(0,0,0)                              1
(0,0,1)                              2
(0,1,0)                              3
···                                  ···
(1,1,1)                              8

For simplicity, let us suppose that we work with safe Petri Nets (1-bounded places) and that $M_0$ is the initial marking; then the number of tokens in the place $p_s$ is computed by (1):

$$\forall M \in M_0 \ |\ M(p_s) = 1 + \sum_{i=0}^{n} M(p_i) \cdot 2^i \qquad (1)$$

which is nothing more than the binary encoding of the string $M(C) = (M(p_n), M(p_{n-1}), \cdots, M(p_1), M(p_0))$ plus 1. As an example, let $M(C)$ be a set of three places. Then, we have the mapping reported in Table I.
Once the encoding strategy is defined, the GSPN should be extended to introduce the marking-dependency. Essentially, we must include the place $p_s$ and an appropriate set of arcs such that the following relations hold true:

$$M_0(p_s) = 1 + \sum_{i=0}^{n} M_0(p_i) \cdot 2^i \qquad (2)$$

$$\forall p_i \in C \begin{cases} (\forall t \in {}^{\bullet}p_i) \quad t \xrightarrow{2^i} p_s & (3) \\ (\forall t \in p_i^{\bullet}) \quad p_s \xrightarrow{2^i} t & (4) \end{cases}$$

The initial marking of the place $p_s$ is given by (2), while the number of tokens is updated as: (3) for input arcs, and (4) for output arcs. A graphic interpretation is shown in Fig. 3.
Fig. 3. An example of conditioned transition. Dashed elements represent the extra place $p_s$ and the auxiliary arcs inserted for the conditioning procedure.
Fig. 4. Firing rate of timed transitions as a function of current.
Table I defines an auxiliary function $f_i$ that associates the current level flowing in a component with the marking of place $p_s$. Such a function will be used later as the input of another function, called $f_t$, which specifies the firing rate according to the current in the component:

$$\text{Electrical Topology} \equiv M(p_s) \xrightarrow{f_i} i \xrightarrow{f_t} \lambda_t$$

One possible alternative to describe the function $f_t$ is depicted in Fig. 4. The firing rate $\lambda_k$ grows monotonically from zero to the maximum value according to the measured current.
By dynamically changing the firing rate of stochastic transitions, we are able to describe not only the dependency on operating conditions, but also the cascading effects. The transitions to be conditioned are listed in Table II. The up arrow and down arrow indicate that the firing probability increases and decreases proportionally to the current, respectively.

TABLE II
CONDITIONED TRANSITIONS

Component      Transition    Firing Rate
Line           TL_SC         ↑
               TL_SC_FAIL    ↑
               TL_FAIL       ↑
               TL_SC_OK      ↓
Transformer    TT_SC         ↑
               TT_SC_FAIL    ↑
               TT_FAIL       ↑
               TT_SC_OK      ↓
Bar            TB_SC         ↑
               TB_SC_OK      ↓
Protection     TP_UP         ↑
               TP_FAIL       ↑
Breaker        TI_STUCK_C    ↑
               TI_OPEN       ↓

In the next section we present an illustrative example summarizing the introduced concepts. The purpose here is to provide some implementation/simulation hints rather than present a real case study. The subsequent reliability assessment can be done using reachability graphs obtained from a GSPN simulation tool, such as GreatSPN [3].
IV. AN ILLUSTRATIVE EXAMPLE
In this section we provide a guide to exemplify the most important features of the proposed modeling approach. In particular, we illustrate the dependency of undesired tripping on the current flowing in the component under control.
Let us consider the network shown in the bottom left of Fig. 5. It is composed of: 6 transmission lines, 5 bars, 13 circuit breakers, 11 protection modules, 5 BFDs and a generator/load pair. Note that BFDs, protections and reclosures have been omitted for clarity, as well as the interconnections with the SMN counterpart. Fig. 5 also illustrates the equivalent ETN of the example.
Due to the large dimension of the SMN, just a small section of the overall network is depicted in Fig. 2. Specifically, Fig. 2 reports the stochastic model of the line $L_1$ and its associated protection, besides the breaker $I_2$. The interconnections among the three components are also shown, but those with the ETN have been removed for clarity.
In order to simplify our analysis, we suppose that only the lines $L_1$, $L_5$ and $L_6$ can break down, and that the protection of $L_1$ can be exposed to undesired tripping. For such a modeling choice, the possible system configurations and the respective line currents, besides the marking of the auxiliary place $M(p_s)$, are reported in Table III. Since we decided to condition only the transition TP_UT of the protection of line $L_1$, we only need the information contained in the column $I_1$ of Table III. This column summarizes the current of $L_1$ in each one of the possible configurations and denotes the piecewise constant function $f_i$ defined before. Concerning the function $f_t$ representing the probability of undesired tripping of line $L_1$, we decided to use the example depicted in Fig. 4. Note that currents in series branches of the electrical circuit are the same and so the number of columns in Table III can be significantly reduced in real systems. Furthermore, many configurations lead to identical currents and thus clustering procedures can be used to reduce the table dimension.
Finally, after implementing the power system model in a GSPN simulator environment, the reliability analysis can be performed straightforwardly using the reachability graph.
Fig. 5. Electrical Topology Network

TABLE III
POSSIBLE CONFIGURATIONS

Configuration            Current                                              Encoding
$L_1$  $L_5$  $L_6$      $I_1$   $I_2$    $I_3$   $I_4$   $I_5$    $I_6$      $M(p_s)$
0      0      0 (a)      $a_0$   $b_0$    $a_0$   $c_0$   $d_0$    $e_0$      1
0      0      1 (b)      $a_1$   $3a_1$   $a_1$   $a_1$   $4a_1$   0          2
0      1      0          $a_2$   $a_2$    $a_2$   $a_2$   0        $2a_2$     3
0      1      1          0       0        0       0       0        0          4
1      0      0          0       $3a_3$   0       $a_3$   $2a_3$   $a_3$      5
1      0      1          0       $a_5$    0       0       $a_5$    0          6
1      1      0          0       $a_6$    0       $a_6$   0        $a_6$      7
1      1      1          0       0        0       0       0        0          8

(a) Working
(b) Failure
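The encoding of equations (1) to (4) in Section III-C and the conditioning of TP_UT on column $I_1$ of Table III, as an added Python example (not the authors' model). The place names `L1_OK`/`L1_FAIL`, the use of `TL_FAIL` and `TL_REP` as the only transitions touching those places, the ampere values standing in for $a_0$, $a_1$, $a_2$, and the ramp shape and parameters of `f_t` are assumptions.

```python
LINES = ["L1", "L5", "L6"]      # p_2, p_1, p_0: most significant first, as in Table III

def build():
    """Fail/repair transitions with the auxiliary arcs of eqs. (3)-(4) towards p_s."""
    n = len(LINES) - 1
    net, m0 = {}, {"p_s": 1}    # eq. (2): all lines working gives M0(p_s) = 1
    for k, line in enumerate(LINES):
        w, ok, fail = 2 ** (n - k), f"{line}_OK", f"{line}_FAIL"
        m0[ok], m0[fail] = 1, 0
        net[f"TL_FAIL({line})"] = ({ok: 1}, {fail: 1, "p_s": w})   # t in •p_i: t -> p_s
        net[f"TL_REP({line})"] = ({fail: 1, "p_s": w}, {ok: 1})    # t in p_i•: p_s -> t
    return net, m0

def fire(net, m, t):
    """Return M' = M + O(t) - I(t), or None when t has no concession in m."""
    inp, out = net[t]
    if any(m[p] < k for p, k in inp.items()):
        return None
    m2 = dict(m)
    for p, k in inp.items():
        m2[p] -= k
    for p, k in out.items():
        m2[p] += k
    return m2

def reachable(net, m0):
    """Every marking reachable from m0 (the node set of the reachability graph)."""
    seen, todo = {}, [m0]
    while todo:
        m = todo.pop()
        key = tuple(sorted(m.items()))
        if key not in seen:
            seen[key] = m
            todo += [m2 for t in net if (m2 := fire(net, m, t)) is not None]
    return list(seen.values())

# f_i: column I_1 of Table III, indexed by M(p_s). The ampere values standing in
# for a_0, a_1 and a_2 are constructed for this example.
A0, A1, A2 = 400.0, 520.0, 680.0
F_I = {1: A0, 2: A1, 3: A2, 4: 0.0, 5: 0.0, 6: 0.0, 7: 0.0, 8: 0.0}

def f_t(i, i_low=450.0, i_high=700.0, lam_max=2e-3):
    """Assumed shape for Fig. 4: zero below i_low, linear ramp, flat at lam_max."""
    return lam_max * min(1.0, max(0.0, (i - i_low) / (i_high - i_low)))

def tp_ut_rates():
    """Map each configuration (L1, L5, L6) to (M(p_s), firing rate of TP_UT on L1)."""
    net, m0 = build()
    table = {}
    for m in reachable(net, m0):
        cfg = tuple(m[f"{line}_FAIL"] for line in LINES)
        code = 1 + sum(bit << i for i, bit in enumerate(reversed(cfg)))   # eq. (1)
        if m["p_s"] != code:
            raise AssertionError(f"p_s out of step with {cfg}: {m['p_s']} != {code}")
        table[cfg] = (m["p_s"], f_t(F_I[m["p_s"]]))
    return table

if __name__ == "__main__":
    for cfg, (code, lam) in sorted(tp_ut_rates().items()):
        print(cfg, code, lam)
```

With these constructed values the undesired-tripping rate of the $L_1$ protection is zero in the intact network and rises once $L_5$ or $L_6$ is out, which is how the marking of $p_s$ carries a cascading effect into the SMN.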
V. CONCLUSION
This paper describes a modeling approach based on the GSPN to perform reliability analyses. The proposed model is capable of representing complex phenomena of power systems such as cascading events and protection hidden failures.
The most important components of transmission systems have been modeled in a modular fashion. Such an approach enhances the usability of basic elements and allows complex systems to be built by dragging and dropping the desired components.
The major drawback of the proposed methodology regards the scalability. When implementing large power systems, the number of tangible markings (states), and consequently the reachability graph, may grow quite fast.
REFERENCES
[1] Z. Bie and X. Wang, “Evaluation of power system cascading outages,” in International Conference on Power System Technology, 2002. Proceedings. PowerCon 2002., vol. 1, October 2002, pp. 415–419.
[2] Q. Chen, “The probability, identification, and prevention of rare events in power systems,” Ph.D. dissertation, Iowa State University, 2004.
[3] G. Chiola, G. Franceschinis, R. Gaeta, and M. Ribaudo, “Greatspn 1.7: Graphical editor and analyzer for timed and stochastic petri nets,” Performance Evaluation, special issue on Performance Modeling Tools, vol. 24, no. 1-2, pp. 47–68, 1995.
[4] I. Dobson, B. Carreras, V. Lynch, and D. Newman, “Complex systems analysis of series of blackouts: cascading failure, criticality, and self-organization,” in Bulk Power System Dynamics and Control, August 2004, pp. 438–451.
[5] D. Elizondo, J. de La Ree, A. Phadke, and S. Horowitz, “Hidden failures in protection systems and their impact on wide-area disturbances,” in IEEE Power Engineering Society Winter Meeting, 2001, vol. 2, 2001, pp. 710–714.
[6] L. Ferrarini, J. Carneiro, S. Radaelli, and E. Ciapessoni, “Dependability analysis of power system protections using stochastic hybrid simulation with modelica,” in IEEE International Conference on Robotics and Automation, 2007, April 2007, pp. 1584–1589.
[7] N. G. Leveson and J. L. Stolzy, “Safety analysis using petri nets,” IEEE Trans. Softw. Eng., vol. 13, no. 3, pp. 386–397, 1987.
[8] M. A. Marsan, G. Balbo, G. Conte, S. Donatelli, and G. Franceschinis, Modelling with Generalized Stochastic Petri Nets. John Wiley & Sons, 1995.
[9] A. Phadke and J. Thorp, “Expose hidden failures to prevent cascading outages,” IEEE Computer Applications in Power, vol. 9, no. 3, pp. 20–23, 1996.
[10] J. D. L. Ree, L. Yilu, L. Mili, A. G. Phadke, and L. Dasilva, “Catastrophic failures in power systems: causes, analyses, and countermeasures,” Proceedings of the IEEE, vol. 93, no. 5, pp. 956–964, 2005.
[11] S. Tamronglak, S. Horowitz, A. Phadke, and J. Thorp, “Anatomy of power system blackouts: preventive relaying strategies,” IEEE Transaction on Power Delivery, vol. 11, no. 2, pp. 708–715, 1996.
[12] X. Yu and C. Singh, “A practical approach for integrated power system vulnerability analysis with protection failures,” IEEE Transactions on Power Systems, vol. 19, no. 4, pp. 1811–1820, 2004.