Though much of the workshop focused on what to do to prevent future outages, Jay Apt, CMU, observed that despite the best efforts of extremely talented power engineers, blackouts will continue to happen, which means that the resilience of the system will inevitably be dependent not just on reducing the number of outages but also on how the system responds to them. Large blackouts can be particularly devastating and happen much more frequently than a normal distribution predicts. Therefore, Clark Gellings, EPRI, asked the central question: How resilient is the grid to high-impact, low-frequency events?
Mike Adibi, IRD Corp., pointed out that the impact of a blackout exponentially increases with the duration of the blackout, and the duration of restoration decreases exponentially with the availability of initial sources of power. For several time-critical loads, quick restoration (minutes rather than hours or even days) is crucial. Blackstart generators,1 which can be started without any connection to the grid, are a key element in restoring service after a widespread outage. These initial sources of power include pump-storage hydropower, which can take 5-10 minutes to start, to certain types of combustion turbines, which take on the order of hours. According to Mr. Adibi, automated operation of these generators is more likely to be successful than manual operation; however, he noted that a “conservative operating philosophy” has limited the deployment of devices enabling automatic blackstart operation.
There was some question as to whether requirements of NERC for blackstart generation are sufficient. Mr. Whitley, NYISO, has found that they serve his customers well thus far. Typically, the level of blackstart operation is based on past experience; however, moving forward there may be some challenges owing to reduced reserve margins from phasing out older generators. Mr. Adibi felt that it is not sufficient to simply set a reserve for the system but that it is important to divide the grid into its respective subsystems and determine whether there is sufficient reserve for these subsystems as well.
1 A blackstart resource is defined as “a generating unit(s) and its associated set of equipment which has the ability to be started without support from the System or is designed to remain energized without connection to the remainder of the System, with the ability to energize a bus, meeting the Transmission Operator’s restoration plan needs for real and reactive power capability, frequency and voltage control, and that has been included in the Transmission Operator’s restoration plan.” See Glossary of Terms Used in NERC Reliability Standards.
FIGURE 4-1 Center Point Energy personnel repair a downed power line (Houston, TX, September 23, 2005). Utility companies were out early to repair damage caused by Hurricane Rita. SOURCE: Ed Edahl, FEMA.
Beyond the challenge of generator response, there is also a concern for the distribution system, which was touched upon in Chapter 2. John Kassakian, MIT, pointed out that it is crucial to think about the challenges of both restoration and repair. For a limited outage, restoration can be rapid, which will then allow sufficient time for repair to bring the system to full operability, although there may be a challenge for subsurface cables in metropolitan areas. On the other hand, in widespread outages, restoration itself may be a significant barrier, as was the case in the 1965 and 2003 Northeast blackouts. Natural disasters, however, can also lead to significant issues of repair—after Hurricanes Rita and Katrina, full repair of the electric power system took several years (Figure 4-1). In the case of Hurricane Sandy, David Owens, Edison Electric Institute, and William Ball, Southern Company Services, both pointed out that granting first-responder status to the utilities enabled more rapid response than would occur under normal conditions, which is one way to improve restoration time at the local level.
Gerald Galloway, University of Maryland, pointed out that economic and social systems are becoming increasingly interdependent. Massoud Amin, University of Minnesota, noted that this interconnectedness is one of the major reasons the electrical grid is an attractive target for terrorist attack—namely, other services have become dependent on the electric power system. David Kaufman, FEMA, recognized that impacts of overlapping interdependency could cascade because the supply chain for many industries has become globalized—for
example, according to Mr. Kaufman, truck production in Louisiana was shut down by the earthquake in Japan, which halted the supply of a particular mineral needed for metallic paint. Thus, evaluating resilience in response to a power outage goes far beyond the electric power sector.
Resilience and Risk
According to a recent NRC report,2 resilience is “the ability to prepare and plan for, absorb, recover from, or more successfully adapt to actual or potential adverse events.” Dr. Apt noted that the services critical to a community are diverse, including elevators, subways, traffic signals, police stations, cell phone towers, grocery stores, ATMs, and gas stations. Joseph McClelland, FERC, pointed out that not only does the electric power system feed into these services, but in some cases it is reliant on these systems as well. For instance, with a shift in generation fuel from coal to natural gas, the energy sector is increasingly reliant on the natural gas pipeline infrastructure; with events like the Telvent compromise in 20123 and the Shamoon cyberattack in 20124 in Saudi Arabia and Qatar, resilience to terrorism and natural disaster for the electric power system involves both upstream and downstream dependencies. The natural gas system may be particularly stressed during the winter when it is being used for heating, making the system especially vulnerable to attack. As Susan Tierney, Analysis Group, LLC, pointed out, it is important to view the electric power delivery system in an integrated way: How are the systems of governance and communities of interest affected by the operation of the grid?
Because risk cannot be completely eliminated, residual risk must be effectively managed according to Dr. Galloway. Much of the work in this area has tended to be based on anecdotal response, and there was significant discussion at the workshop on how to organize these responses in a controlled, systemic way. Currently, a community finds out it is vulnerable when a storm hits, which is obviously suboptimal. Mr. Kaufman agreed, noting that current models of risk assessment are based largely on historical record. Given the shifting environment of the electricity delivery system and the interdependencies among a number of infrastructures,
2 National Research Council, 2012, Disaster Resilience: A National Imperative, The National Academies Press, Washington, D.C.
3 Telvent Canada is a company that provides remote administration and monitoring tools for the energy sector. In September 2012, the company discovered that its internal firewall and security system had been breached by a Chinese hacking group.
4 Shamoon is a computer virus capable of transmitting information about the files of the infected computer as well as deleting all data from the hard drive. It was first used on August 15, 2012, by hackers from a group called the Cutting Sword of Justice in an attack on Saudi Arabia’s national oil company, Aramco. It was also suspected in a later cyberattack on a large liquefied natural gas company in Qatar, RasGas.
this methodology not only likely underestimates today’s risks, but it is also grossly inadequate for future projects. Miles Keogh, National Association of Regulatory Utility Commissioners, pointed out that there is always a component of residual risk to be managed, and it is crucial for regulators to determine precisely where such risk may be acceptable. Ways of identifying and prioritizing such risk were, however, not discussed at the workshop.
Coordination and Engagement
Mr. Kaufman acknowledged that there is a tremendous amount of ongoing effort to improve community resilience; however, how to engage regulators and other interested parties is unclear. At the community level, planning tends to occur at the “last mile of distribution,” which Mr. Kaufman found appropriate, but on a broader regional scale, the “strategic capacity,” or “wholesale,” level of planning is not filling in. According to Dr. Tierney, there is a significant amount of siloing that restricts the engagement of the relevant regulatory authorities. In a recent discussion of community resilience to power outages in Massachusetts, she observed that there was a quick segmentation into things like emergency generators, responsive backup, and the like.
Various agencies are involved in these issues, but to date it is unclear who is ultimately responsible for coordination and response, which was the central focus of the Massachusetts planning meeting attended by Dr. Tierney. The agencies might include state emergency management offices; state energy offices, who handle issues such as fuel coordination and waivers for moving product; the public utility commission, which is a rate-setting body; the utilities themselves; fuel operators, which are an unregulated community; standards-setting bodies for reliability at both the federal and local levels (FERC and NERC, respectively); and DHS, which includes FEMA. Mr. Kaufman discussed the role of FEMA in response to Hurricane Sandy to illustrate current federal efforts (Box 4-1).
Despite the breadth of these actors, none of them have any authority except to enlist the involvement of institutions such as hospitals, banks, and police and fire departments, all of which provide critical services for the community. Thus, according to Dr. Tierney, it is difficult to determine what an appropriate role for governance is: How do we think about offering encouragement for participation, and what is a prudent role for the utilities and the utility commissioners? An added complication with any engagement is that much of the information necessary to make good decisions is classified and/or proprietary, but any such decision-making needs to be made in the public domain. While there is some agreement to engage in this process under the idea of adaptation, particularly in response to natural disasters and climate change, Dr. Tierney found it problematic to disseminate the best practices for outreach to the relevant parties.
Given the broad scope of resilience, there are a number of areas where action can be taken to improve future responses to natural disasters and terrorist attacks. Patricia Hoffman, DOE,
Responding to a Crisis: Hurricane Sandy
David Kaufman, Federal Emergency Management Agency, discussed recent government involvement in response to Hurricane Sandy as an illustration of the current level of community engagement. FEMA was involved in two major issues in response to Sandy, the fuel sector and the power sector. In the case of fuel, Mr. Kaufman noted that FEMA was largely responding to developing symptoms instead of addressing a central cause. This led to a focus on how fuel is distributed to the marketplace. In the case of power, FEMA convened calls with major utilities in impacted areas. The agency also mobilized federal military air assets to fly crews to impact areas, though this was a small fraction of the overall utility response. Mr. Kaufman found that because of FEMA’s limited resources, government response was meant not as the main actor but as an accelerant to engage the relevant local groups such as utilities and other service providers. The question then becomes what these relevant industries need from government in order to meet local demand and to then build resilience in those systems.
noted that improvements to facilities related to industries that interact with the electric power system could provide increased resilience. Establishing standards and guidelines for fuels facilities, revising current building and rehabilitation codes, and developing alternative system configurations for critical facilities all harden the infrastructure, which could improve resilience to widespread outages. Fred Hintermeister, NERC, noted that the electric power industry is the only industry (apart from nuclear) with mandatory and enforceable critical infrastructure protection standards.
Dr. Galloway stressed a proactive approach as well, noting that building resilience will be more effective in reducing losses of life, property, and economic productivity than other current approaches. This was discussed at length in the NRC report Disaster Resilience: A National Imperative.5 Dr. Galloway cited an example from Cedar Rapids, Iowa—in 2008, the town was able to evacuate quickly in response to an unforeseen flood due to the years of preparation for evacuation that it had practiced out of fear of an accident in a nearby nuclear plant. While community resilience does begin with strong local capacity, Dr. Galloway emphasized that a top-down “culture of resilience” approach could address some of the issues of consistency and coordination (Box 4-2). Policies designed to improve national resilience must also take the long-term view to help avoid short-term expedients that can diminish resilience. For example, some policies allow levees to be rebuilt only to the same level as before they were damaged, but not to be improved.
Ms. Hoffman cautioned that a national resilience policy should not mean “one size fits all”—each area of the country has its own strengths and its own risks. Mr. Kaufman agreed,
5 National Research Council, 2012, Disaster Resilience: A National Imperative.
Characteristics of a Resilient Nation in 2030
• Individuals and communities are their own first line of defense against disasters.
• National leadership in resilience exists throughout federal agencies and Congress.
• Community-led resilience efforts receive federal, state, and regional investment and support.
• Site-specific risk information is readily available, transparent, and effectively communicated.
• Zoning ordinances are enacted and enforced. Building codes and retrofit standards are widely adopted and enforced.
• A significant proportion of post-disaster recovery is funded through private capital and insurance payouts.
• Insurance premiums are risk based.
• Community coalitions have contingency plans to provide service particularly to the most vulnerable populations during recovery.
• Post-disaster recovery is accelerated by infrastructure redundancy and upgrades.
SOURCE: National Research Council, 2012, Disaster Resilience: A National Imperative, The National Academies Press, Washington, D.C.
challenging the common notion that massive disasters primarily occur along the coasts. According to Mr. Kaufman, the most expensive issue FEMA has been dealing with lately is flooding, but then many of those same areas have successively been dealing with drought. Any such plan should thus recognize that these are systemic issues.
A number of attendees noted how better data sharing could play a role in enhancing community resilience. Dr. Galloway felt that a significant amount of relevant data is hidden from the public, and that it was important to rethink what data is truly worth classification. Mr. Ball did note that the discussions in the power sector are often by necessity going on “below the radar” in a classified setting. Dr. Galloway felt that such data issues can inhibit the ability of workers on the ground to communicate results effectively to decision-makers so that they can be aggregated in a meaningful way. Although they may be useful, tabletop exercises often may not actually handle the underlying problems. Dr. Tierney stressed that the open sharing of best practices would offer significant aid to those areas that have not yet been hit.
Mr. Gellings suggested that it may be possible to leverage new technologies to ensure the continuation of essential missions, even after the grid has failed. One example cited was a light-emitting-diode traffic light paired with photovoltaics and battery storage, which would allow traffic lights to operate even without a connection to the bulk power system. Photovoltaics could also be used to provide solar chargers for cell phones, thus improving the resilience of the communications system, which is obviously heavily reliant on the electric power system.
According to Mr. Gellings, breaker panels are currently being designed that could respond to a photovoltaic array, enabling a customer to select which panels are turned on in a home and run directly from the photovoltaic array when the system is disconnected from the grid.
Granger Morgan, CMU, also stressed the potential impacts of distributed generation and microgrids. For example, in the case of heavily distributed generation, if there were ways to prioritize and select which customers to service, it would be possible to bring online through the distribution system just those components that are critical, such as police stations, ATMs, gas stations, or maybe even schools. Although this approach may not be effective in the case of a natural disaster that disables the distribution circuit (e.g., Hurricane Sandy), Dr. Morgan argued that in some scenarios at least part of the distribution circuit remains intact, capacity that could be used to make critical services far more resilient. This capability is discussed in further detail in Chapter 8 of Terrorism and the Electric Power Delivery System.6
6 National Research Council, 2012, Terrorism and the Electric Power Delivery System, The National Academies Press, Washington, D.C.