Operational Resilience Metrics for Complex Inter-Dependent Electrical Networks

: The electrical distribution network (EDN) is a critical infrastructure that plays a primary role in a person’s life. Its resilience is a primary property to be achieved in order to withstand all types of perturbations affecting their functions, thus guaranteeing service continuity in adverse conditions. Resilience arises from a combination of a number of properties and actions related to both intrinsic system technologies and management skills. This work proposes a model enabling the estimation of the EDN operational resilience. The proposed model accounts for most of the parameters inﬂuencing the resilience of the network, such as network topology, technological properties of its active elements, the SCADA systems, automation procedures and management efﬁciency. Results conﬁrm that the model can appropriately handle a real network with a large dimension and provide valuable insights to electrical operators.


Introduction
Electrical transmission/distribution networks provide the essential power delivery service to the principal core infrastructures and services of a country. Disturbances affecting electrical networks in a particular area will affect its services provided to citizens and, in general, through the perturbation produced to other infrastructures and services (e.g., telecommunication networks, urban mobility, banking systems) to a large part of the community in an area that can also be much larger than the initial ones. Depending on the magnitude of disturbances, the impacts on the dependent services and on citizen activities and well-being can be significant.
In general, the disturbances of an electrical network can be the result of different events that may have more or less pronounced effects on the system functionality, from a light perturbation up to the complete disruption of one or more of its components. Perturbations may arise from different sources (natural or anthropic) and associated with different agents: physical (e.g., lightning, floods [1], earthquakes, fires), or cyber (e.g., denial of services attacks affecting the RTU of an electric substation). These aspects are further worsened by the fact that perturbations could also affect other systems, which may generate negative feedbacks, thus amplifying the effects and reducing system capability to return to an equilibrium state. The electrical network disturbances may span from minor or routine disturbances as in normal conditions, that, in general, are mitigated and restored through protection and automation devices and/or by the operators' interventions, to major disturbances, due to extreme meteorological, catastrophic events and cyber-attacks. In general, this kind of disturbance causes electrical network disruptions that last for hours. As reported in [2], in Italy in February 2015, over 360,000 customers were left without power for more than 8 h, and more recently in the Abruzzo and Marche regions in January 2017, with disruptions that lasted over 72 h affecting 39,000 customers.
Nowadays, frameworks for resilience assessment are relevant for electrical operators as the demand of a resilient electrical delivery service is increasing and the requirements imposed by the electrical authorities are more and more strict. Moreover, electrical operators have to improve the efficiency of their operational procedures in order to adapt to the increase of user demand, the adoption of smart operative modes and the increase of competition among operators. The requested resilience assessment approaches can be divided in short term or electric utility-centric approaches where the objective is the evaluation of actual or hypothetical power grid design and the optimisation of normal, daily network operations and configurations) and long-term, strategic resilience assessment to help decision makers, infrastructure operators, public agencies which drive investments to establish better policies for the resilience improvement of the power grid and to improve the resilience of a specific region against natural disasters [3][4][5][6]. Moreover, resilience assessment frameworks will play a central role in the analysis of mitigation measures to contrast the increase of extreme and catastrophic events ( Figure 1) and the increase of the number and the dangerousness of cyber-attacks on industrial control systems (in Ukraine, 230,000 customers were without power for 6 h in one of the first attacks on a nation's power grid [7]). Different definitions of resilience can be currently found [8][9][10], each reflecting a different domain where the concept of resilience can be applied. An exhaustive literature review is out of the scope of the paper, however, in the context of this work, resilience can be defined as "the ability of a Critical Infrastructure (CI) system exposed to hazards to resist, absorb, accommodate to and recover from the effects of a hazard in a timely and efficient manner, for the preservation and restoration of essential societal services" [11].
An analytical expression to measure resilience R as for the above-mentioned definition, is a piecewise function that captures the reduction of the quality of service as a function of time QoS(t); QoS(t) ranges from 0 (total loss of functionality) to 1 (no reduction in functionality). The equation for resilience proposed hereafter is modified after Bruneau and Reinhorn [12] and represented mathematically as: (1) where t 0 is the time of occurrence of the event and T RE is the recovery time (i.e., the time at which the full functionality of the system is regained and the QoS takes the unit value. According to (1) resilience R is essentially a measurement of the total functionality lost in a system and recovered over time, when subjected to a crises event. Resilience can be estimated in terms of QoS(t) at the individual component level, or at the system level.
There are four key properties outlined by [12] that can influence QoS(t) and therefore the extent to which a system will be more or less resilient, namely: (i) robustness, a system's or component's ability to withstand stress; (ii) redundancy, the substitutability of different elements within the system; (iii) resourcefulness, the ability of a system to adapt in order to prevent or reduce disruption of the system and rapidity and/or the availability of necessary resources; (iv) rapidity, the ability to respond to and mitigate disruption in a timely manner.
In this work, we propose an operational metric to evaluate the resilience R of electrical distribution networks that encompass all the above-mentioned resilience-building properties. The term "operational" indicates that the framework aims to assess the resilience of a network defining operational models that consider the different factors affecting the resilience of the network itself. Such factors span from the technological ones (e.g., the network topology, the functioning status of the SCADA system) to network management procedures adopted by the operators. In particular, the proposed framework can be considered an electric utility-centric approach for the assessment of the resilience of large power distribution grids also under normal, daily network operations (in contrast with the approach proposed in [3] that considers the resilience of a power distribution grid limited to natural extreme events). According to [13], where a system is said to perform in a resilient manner when "it can sustain required operations under both expected and unexpected conditions by adjusting its functioning prior to, during or following events (changes, disturbances and opportunities)", the proposed resilience assessment approach also considers opportunities in the assessment process. Indeed, the proposed framework can be used to estimate the impact of: (i) technological improvements (e.g., a larger density and a wiser positioning of automatic devices along the network topology) and (ii) changes in operational configurations, as for example increasing the number of emergency technical crews available to manage and solve an EDN crisis. Moreover, as improving the resilience of a system considering the interdependent infrastructures systems and services [14,15] is a fundamental aspect, the proposed framework allows us to quantify the resilience of an EDN considering the availability of other services and infrastructures that may impact the performance of the power grid as, for instance, the telecommunication network providing the communication services to the SCADA system and the urban mobility infrastructure allowing the operations of the emergency technical crews.
In general terms, as it has been stressed in [16] "the assessment of resilience should therefore identify the critical functionality of a system and evaluate the temporal profile of system recovery in response to adverse events". The problem is thus shifted to the identification of a state function whose measure can be associated to the resilience property. This function should be able to reproduce the behavior of the system during a perturbation and it should consider all factors (or system properties) influencing the resilience level of the system.
Similarly to [12], in this work the considered metric is represented in Figure 2 where the quality of service (QoS) is defined as a quantitative metric for the resilience of EDNs on a temporal horizon. The temporal behavior of the state function showed in Figure 2 can be ideally divided into four phases: • Normal behavior and aging (t < t 0 ). During this phase, in the absence of perturbations, the QoS of the system is optimal. The service is delivered thus producing the "wealth" of all users. Maintenance actions are required to maintain this optimal (or nearoptimal) behavior. During this phase, events prediction and the set up of preparedness actions should be considered. • Shock (t 0 ≤ t < t 1 ). This phase follows a perturbation. From this point on, the QoS typically decays rapidly following an exponential behavior. The decay rate depends on the infrastructure and might vary from a few seconds to hours. In an EDN, for instance, protection devices and/or procedures require the disconnection or isolation of system components to avoid the spreading of the impact. The decay behavior of this phase could be affected by several factors: involvement of a large number of components, and possible negative feedbacks from interdependent networks [17]. Shock phase ends up at time t 1 corresponding to the time when CI operators starts acting on the network control and QoS(t 1 ) = m where: 0 ≤ m < 1 reaches the minimum.
. This phase starts when the activity of contingency management is implemented to recovery from the fault through automatic and manual interventions in order to increase the QoS. Success in the recovery phase, however, could be hindered, again, by negative feedback arising from the losses in other services; they could reduce the efficiency of recovery strategies (i.e., the absence of tele-control functionality, reduced by a severe electric outage, would force the use of longer manual restoration procedures). In general, this phase has the primary goal to start supplying services to critical users through the rapidly deployable contingency actions.
. This phase, which might extend on time scales larger than those of the previous phases, allows us to recover the full functionality of the network (i.e., the QoS before the perturbation, if possible). In principle, a wise and efficient restoration phase could also originate new properties of the network, which might produce a super-elastic behavior, i.e., allowing the system to gain a larger QoS with respect to that displayed before the crisis (i.e., a new network configuration could guarantee the service supply with lesser operational costs in term of electrical losses).
In this work we do not consider other actions (i.e., the long term activities enabling to rebuild disrupted items and/or improve existing infrastructures) but the actions needed to return, at least, at the function level of the system before the occurrence of the perturbation. The proposed state function or system performance curve is similar to the resilience model proposed in [14,18]. In our case, we clearly differentiate the recovery and restoration phase as this model is more suitable to describe the performance of an electrical network when affected by disturbances [5,6]. In this work, the performance of the EDN system is defined through a contingency indicator commonly used as a key performance indicator (KPI) to estimate the level of service continuity of an EDN that is the customers minutes of interruption (CMI) index [19]. For each electrical substation impacted by a disturbance, the indicator is equal to the number of disconnected customers d supplied by electrical substation times the time duration τ of its disconnection expressed in terms of kilominutes (i.e., 10 3 min). The CMI indicator is suitable to measure the performances of large and complex networks where, in general, it is very difficult-if not impossible-to obtain the detailed electrical model needed to compute detailed electrical quantities as power delivered and the power flows used in other quantitative resilience assessment frameworks [20]. Indeed, the proposed quantitative resilience assessment model is a simulation-based approach that considers different factors/system properties that have a strong influence on the electrical distribution network performances; the factors are: 1.
EDN-robustness of main components. The robustness of the EDN components has to do with their ability to withstand stress while sustaining limited or no damage. The structural hardening or in any case structural suitability of the main power delivery components, such as individual substations, transmission lines and distribution feeders, is a common approach to decrease vulnerability, i.e., their propensity to sustain damage if stressed, and enhance electric power system robustness. The magnitude of the loss of functionality at the time of the shock, i.e., mQoS(t1) of Figure 2 mainly depends on the robustness of main EDN components; 2.
EDN topology. The topology of the network has a significant impact on its robustness and functionality. For the EDN, the term topology encompasses both the graph structure of the network and the position of the switches along the distribution lines. Both the properties have an impact in determining the overall resilient response of the network ( [21] and references therein); 3.
Tele-controlled devices. A large fraction of CI elements along the distribution network is tele-controlled, i.e., their control could be remotely performed by using telecommunication systems. Among them, "automatic" CI elements allow for a rapid decoupling of the faulted branch from the rest of the line. The lower the number of such units, the weaker the remote controllability of the system and the longer the required restoration time; 4.
EDN-Telecommunication dependencies. The topology of the EDN-Telco interconnection, to discover how perturbation spreads on the different networks and which feedback should be expected; 5.
Efficiency of remote-controlled devices. This can be achieved by redundant connections to telecommunication networks or private (and more secure) proprietary, wired communication networks; 6.
Efficiency of restoration procedures. This can be achieved, for instance, by decreasing the time required to carry out the different restoration actions including tele-controlled and manual actions; 7.
Number of available technical crews. The amount of technical resources available on the field when manual interventions on CI elements are required can lower the time of the intervention.
This work describes the resilience assessment results of a large EDN (the Rome metropolitan EDN) obtained with RecSIM, a tool developed within the projects RoMA ("Resilience enhancement Of a Metropilitan Area", Italian project) and CIPRNet ("Critical Infrastructures Preparedness and Resilience Research Network", EU FP7 project) in collaboration with Areti SpA, the electrical distribution operator of the metropolitan area of Rome.
Currently, RecSIM is a component of the CIPCast Decision Support System, referred hereafter as CIPCast-DSS [22], developed as part of the CIPRNet project and one of the main platforms used within the European Infrastructure Simulation and Analysis Centre (EISAC) that aims to establish a collaborative, European-wide network of national centers, empowered by advanced technologies, to inform, support and empower the different players involved in the urban resilience enhancement and assessment [23,24]. Regarding the influence of energy systems and, in particular, of EDNs to contribute to implementing resilient cities, RecSIM is used to assess the speed of action and recovery of EDNs following a perturbation. RecSIM is part of the CIPCast-DSS, a large platform containing models and tools for decision makers in order to optimize the management of a crisis and/or to proactively improve the systems resilience relying on the platform situational awareness data and risk assessments results [13,25]. Similarly to what is proposed in [26], where the authors developed a modeling and analysis tool allowing us to detect the critical chains of dependency in a inter-dependent scenario, the RecSIM tool performs a topology-based simulation of an EDN crisis by providing a prediction of its extension, of its impact in terms of KPI, the best strategy to recover the system functionality, thus being a valuable support to decision makers and infrastructure operators to estimate the effect of different security controls and thus to select the best actions that may contribute to an increase in the overall resilience.
The CIPCast DSS operates in two different modes: situational awareness online mode and simulation offline mode. In the former case, the platform uses different sources of data (e.g., weather forecast and now-casting data), basic territorial data (e.g., primary services, hospitals, roads) to anticipate, as much as possible, infrastructure networks contingencies (e.g., contingencies due to extreme weather conditions). In particular, in the situational awareness online mode the DSS needs to exchange data with the operator data center. For instance, the CIPCast DSS instance designed and deployed for the Metropolitan City of Rome established a secure communication channel with the ARETI SpA data center to constantly exchange data with it. More in particular, CIPCast DSS needs to update the EDN topology configuration on a regular basis, which may change due to issues such as maintenance interventions or for failure events. On the other hand, the ARETI SpA receives alerts in case the platform foresees possible outage scenarios involving the EDN. The CIPCast DSS platform can also be used to assess significant physical damage to infrastructure due to extreme events such as earthquakes (Section 4). In the latter case (i.e., in the simulation offline mode), the platform can be used to assess the performances of the technological networks in synthetic scenarios such as synthetic earthquakes events. In both cases RecSIM receives input of a damage scenario (i.e., a set of electrical stations in the not-working state), the functioning state of other infrastructures (telecommunication networks and roads infrastructure) and, considering the actual EDN topology and the operator operation procedures, it computes the impact of the damage scenario on the EDN in term of the chosen KPI.
The present paper is organized as follows. Section 2 introduces the operational resilience metric that has been used in RecSIM for the quantitative assessing of the resilience of EDNs. The same metric can be used to estimate the resilience of EDN during large crises due extreme natural events [27,28] and during daily, normal operations (that represents the main contribution of this paper). It is worth noting that the proposed resilience assessment approach, similar to [17], considers the dependencies of EDNs with other urban infrastructure networks such as roads and telecommunications networks.
Section 3 describes the RecSIM model in detail, with the identification of its inputs and output results. Section 4 describes how the CIPCast DSS assesses the physical damage that a shock might cause on EDN components and that will cause a loss of their functionality.
Section 5 summarizes the results of the operational resilience assessment of the electrical distribution network of the metropolitan area of the city of Rome.
The final discussion refers to the obtained results in terms of the potentiality of the RecSIM model to support EDN operators for the network management, for stress testing and also for planning activities.

Operational Resilience Metric for Electrical Distribution Networks
This section describes how to link the QoS time behavior with the measure of the resilience property. The estimation of the proposed QoS requires a model of the EDN allowing the assessment of the QoS as a function of the many different properties (that were introduced in the previous section) that influence the response of the system to a perturbation [3,4].
Formally, the EDN is represented by a node-weighted directed graph G = {V, E , W } without loops and a telecommunication network B providing tele-control functionality containing a number of BTS b i s.t. b i ∈ B with |B| = X, where: represents an electric primary station (PS) containing high-to-medium tension transformers equipped with remote control functionality provided by a proprietary telecommunication network; • v i ∈ R represents an electric secondary station (SS) containing medium-to-low tension transformers equipped with remote controlled switches (that depend on some BTS b i ; • v i ∈ A represents an electric secondary station (SS) containing medium-to-low tension transformers equipped with automatic switches; • v i ∈ D represents an electric secondary station (SS) containing medium-to-low tension transformers without remote control functionality; • edge set E = {e ij } where the generic e ij represents the portion of an electrical line connecting the two electric stations v i and v j ; • weight set W = {on, disc, dam} associated to each vertex v i where: (i) on represents a physically intact and fully available station, (ii) disc represents a physically intact and functionally unavailable station and (iii) dam represents a physically damaged and functionally unavailable station; In the following, the QoS function described in Section 1 is first formalized in order to describe and analyze the behavior of a medium-voltage (MV) line l over the time horizon [0, t f ]. Then, the formulas to compute the operational resilience of the overall electrical distribution network are described.
The QoS function, describing a perturbed MV line, is represented by a piecewise linear function ( Figure 3). Let us assume that a perturbation affecting some electrical stations v i occurs at time t 0 (with 0 < t 0 < t f ) and that, following the recovery operations, the MV line returns fully operational at time Let us define the function QoS l (t) : The QoS of the line reaches the maximum value if the line is not perturbed or when, after a perturbation, the line is completely restored within a time interval T (pre and post disturbance green lines of Figure 3). • QoS l (S(t)) = m = 0 f or t 0 < t < t 1 . The QoS for the line l reaches the minimum value at time t 0 when there exists at least one v i in the line l is in the dam state. For EDN medium-voltage lines the QoS almost instantly reaches the minimum value (i.e., the zero value) because of the opening of protection devices that disconnect all electrical SS in the interested line. • QoS l (S(t)) = r with m < r < M for t 0 ≤ t < t 1 . The electrical utility operator using the SCADA system (if available) is able to restore the service in a number of substations of the line l. The time-to-restore by SCADA value is, in general, short. According to the electrical utility operator of the metropolitan area of Rome (Areti SpA) this value is approximately 3 min. The value r will depend on the number of substations that can be restored by remote actions. More of these substations are closer to the r value than they will be to M. Anyway, in general, there exist substations that cannot be restored using the SCADA system. In such case the electrical utility operator has to coordinate manual operations (e.g., to isolate a failure) using the available technical emergency teams. As is shown in the next section, the time-torestore by manual operations depends on the availability of the technical crews and the state of congestion of the urban viability infrastructure. According to the operator, a value for this quantity is approximately 45 min.
Let us assume that the only way to repair a damaged node is to replace it with a power generator (PG) to ensure electrical continuity to the node's customers. Thus, in the proposed model, a damaged node will be not repaired during the simulation. In particular, the functioning status of a damage node is restored through the settlement of a PG (operation that requires time T in the previous QoS formula). The disconnected nodes, in turn, are reconnected either through a tele-control operation (if available) or by dispatching technical crews to provide manual reconnection. Such interventions may require specific times, which are considered when defining a restoration sequence of interventions. The QoS l (S(t)) function of a line l, over the time horizon [0, t f ], can be represented by the following function: (2) where N l is the total number of customers connected to the line l, m is the number of substations on the line l, d j represents the number of customers of the v j and δ j (t) is a function that equals 1 if s j (t) = {disc, dam} and 0 if s j (t) = on. It is worth recalling that ∑ m j=1 d j = N l . The QoS l (t) metric can be appropriately normalized in order to be bounded to the [0, 1] interval. In other terms, in order to measure the impact of a perturbation on an MV line and in general on an EDN, our framework uses a parameter similar to the CMI index introduced in Section 1, that measures the total loss area due to a perturbation as showed in Figure 4. This index is denoted by Γ(kmin) in the following. Indeed, the quantity Γ expressed in kmin for a line l is computed as follows: where τ tlc = t 1 − t 0 , τ crews = T − t 1 and d = N l − r (d represents the customers that has to be reconnected through manual restoration procedures). In case of a double failure on two distinct secondary substations on the same medium voltage line the Γ value can be computed as follow: A double failure can be considered the worst case as, in general, this will result in a number of isolated substations. In this case, the only possibility to restore the power delivery to the final customers is to deploy mobile power generators. As indicated by the electrical operator, mobile power generator deployment is a time-consuming operation (the mean time to deploy a mobile power generator has been indicated as τ pg ). Then, the Γ l value of Figure 5 is greater than the total loss area of Figure 4. The terms τ and d of Equations (3) and (4) depend on the factors that have been indicated as influencing the resilience behavior of an MV line described in Section 1. For example, the term τ tlc depends on the availability and efficiency of the SCADA system, τ crews on the number of technical crews available and the urban viability state of congestion. The term d depends, in general, on the network topology and the possibility to use other feeders during contingencies. Then, the total loss area can be used to measure the capability of the network to withstand the perturbation in terms of consequences that the EDN customers will suffer. Then, it would not be inappropriate to correlate the value of Γ with the inverse of the resilience indicator. In other terms: In the proposed resilience assessment framework we use the basic Equations (3) and (4) to compute a resilience indicator of the entire electrical distribution network. In particular, the results obtained with the N − 1 analysis are described in [29]. The resilience indicator for the N − 1 analysis has been computed considering the mean value of the Γ values computed considering in failure each substation of the electrical network. Denoting with L the set of the MV lines i and with N the total number of substations in the considered EDN, the resilience indicator has been computed as follows: In general, RecSIM enables the capability to carry on a "crisis game" consisting in the estimate of all Γ values resulting from the application of different EDN perturbations. Each "crisis game" is carried out by configuring some parameters that will allow us to simulate different conditions as for example the unavailability of some SCADA system functions or urban traffic congestion impacting manual restoration procedures. The objective is to provide a quantitative method that, through a resilience indicator, allows analyzing variables in different operational conditions. Different kinds of analysis have been performed, as described in the following. The results of these analysis are discussed in Section 5.

Resilience Assessment of EDN in the Case of Metropolitan Contingency Scenarios
In this analysis, RecSIM simulates network restoration procedures adopted in case of extraordinary network failures due to, for example, extreme weather conditions. These scenarios consider the failure of secondary substations and the possible restoration procedures that may be applied considering the available resources. Different failures cases have been considered: • N − 1. This case represents the usual N − 1 power grid analysis where one substation is considered in failure for each simulation run. • N − 2 worst case. In this case, for each MV line in the EDN, all the combinations of double failures on a single MV line have been considered. In general, each MV line can be fed by two or more primary substations. Then, if it is not possible to restore some substations on the normally configured MV line, the electrical operator can operate the electrical network switches to feed the isolated substations using the available next MV line(s). If this happens, the electrical network switches from the normal to a temporary configuration. The N − 2 worst-case analysis considers double failures on a single MV line to prevent the electrical operator from switching from a normal to a temporary configuration. • Heuristic case. In this case, the substations configured in failure state have been chosen through an educated guess considering their effective rate of faults (as declared by the electrical operator). Indeed, statistics have been collected along several years and the number of observed faults normalized over the number of days of observation has been defined. This value is ρ i and indicates the rate of faults per day that can be assimilated to the daily probability that the specific substation goes in a damaged state. The heuristic perturbation scheme has thus been applied to the network by simulating M working days: in each day of operations, the damaged state of each substation has been sampled (as in a Monte Carlo scheme) by extracting a random number r i (r i = [0,1]) and by comparing it with the ρ i value: if r i < ρ i the i-th substation is put in the damaged state, whereas it remains unperturbed elsewhere. The substation set in the damage state has been put simultaneously in the damaged state, in order to simulate the worst-case scenario. This procedure is repeated N times to scan each substation and then repeated M times to simulate different working days.
For each case, the resilience indicator is represented by the mean value of Γ with respect to the total number of simulation runs representing the total number of combinations. In particular, considering the N − 2 worst-case analysis, we define the set Next = (l i , l j ) containing all pairs of MV line identifiers that can be used to switch to temporary network configurations for service restoration during a crisis (i.e., Next represents the set of suitable backup feeders). C is the total number of combinations for the N − 2 case; the resilience indicator is computed considering all possible double failures: For the N − 1 analysis, the total number of combinations coincides with the total number of substations in the network, whereas in the heuristic case, the total number of combinations coincides with the total number of damaged configurations obtained through the Monte Carlo method, such as the simulation described above. In particular, this procedure generates very few damaged states, as the rate of faults of the substations is usually small. However, it generates cases where one (or even more than one) substation will result in a damaged state. This procedure thus allows us to sample (among the manifold of possible damaged network states) those states where one or more substations are simultaneously damaged, in agreement with the rate of faults of the different stations. Over n h = 1515 damaged configurations were obtained with the Monte Carlo sampling, of which 1163 were constituted by single damaged substations; 296 with two damaged substations; 49 with three damaged substations; 5 with four damaged substations; 2 with five damaged substations [30].

Assessing the Impact of Improved Distribution Automation Systems (DAS) on the EDN Resilience
In this case, RecSIM was extended to simulate the operator operational procedures for fault detection, isolation (FDIR) [19]. The proposed framework was used to assess the performance of the EDN during normal and daily operational conditions. In particular, the extended tool was used to assess the performances of the Distribution Automation System (DAS) and to evaluate the improvements that could be achieved by adopting new communication technologies for the DAS network. Similar to the works in [31][32][33], ENEA and Areti SpA are currently working on an optimization framework to support the optimal placement and composition of automatic switches (ASs) to improve the distribution power grid reliability. Indeed, as noted in [32], a greater number of automatic switches allows for better operation; however, there are practical limitations because of the increasing of installation costs and more strict maintenance requirements for the ASs . This work shows preliminary results that were obtained using the improved RecSIM to assess the benefits of an improved DAS schema (currently under testing in Areti SpA), where the ASs collaborate using the 4G communication network. Figure 6 shows the input of RecSim and its output (i.e., the consequence of a perturbation in terms of Γ i ). In particular, Figure 6 highlights the relationships among the simulator input and the resilience properties introduced in Section 2. The RecSIM inputs are:

The RecSIM Tool
• Network topology-expressed as the EDN graph and the perturbation P represented by the SS is in the damaged state. In this work, perturbation P is introduced by the user. However, the node in the damaged state can also result from the analysis of external perturbation (i.e., weather forecast) and result from an over-threshold probability of damage of a node induced by a natural hazard (e.g., in the CIPCast platform, see [22,34]); • SCADA system-expressed in terms of the set Ω of SS that can be remotely tele-controlled; • Efficiency of SCADA system-expressed in terms of the functioning status of the BTS b i providing communication service to the EDN and in terms of tlc t , the time needed to perform a remote operator action (using the EDN SCADA functionalities); • Efficiency of restoration procedures-expressed in terms of the time needed by an emergency crew (a) to reach a damaged SS (tr t ), (b) to perform a manual reconnection action (m t ) and (c) to set in place a PG to feed the users of the damaged SS (or of other SS, which will result in being isolated and thus needing a PG as they were damaged). The input time values represent "mean" values as they have been provided by the electrical operator. RecSim performed simulations by using these values as mean values of a flat distribution from which time values to be used in the simulation were randomly extracted; • Technical resources-expressed in terms of the number C of technical crews available in the field. The number of available PGs is assumed to constitute an unlimited resource. Further development of the algorithm will consider the finiteness of available PGs. The output of RecSim is represented by the value of the impact of the damage scenario (represented by the perturbation P and by its cascading effects) on the EDN, considering all the actions performed (in series or in parallel, as many technical crews were simultaneously available): (a) the damaged node and, whenever the case, the isolated node substitution with a PG; (b) the manual reconnection of disconnected nodes by the available technical crews and (c) the automatic reconnections made through remote tele-control operations. These actions restore the EDN to a normal operating status and allow all users to be reconnected to the grid. As previously stated, damaged SS are just substituted by a PG and, at the end of the simulation, they are still in the damaged state although their function is recovered by the PG. The impact of the perturbation P on the network is thus computed using the Equation (2). Figure 7 shows the different elements of a RecSim EDN model. The electrical MV lines start from primary stations (the node A in Figure 7) and they connect the secondary substations forming, in general a tree structure. As it as already explained in the previous section, some of the secondary substations can be: normal, remotely telecontrolled, automated and "frontier" substations that are represented, respectively, as white, grey, orange and purple nodes in Figure 7. The automated substations are very important as they are able to perform automatically the isolation and restoration procedures needed to react to failures happening to they descendants substations (e.g., the substations P, Q, R, S in Figure 7 are the descendants of the automated substation F). The "frontier" substations can be used to restore a portion of an MV line from another MV line backup feeders. For instance, in case of an outage in some of the substations on the MV line 1 in Figure 8, the descendant substations of the failed substation can be restored using line 2 or 3 using the "frontier" nodes (D1, C2, C3). Furthermore, in the RecSim models, there are dependencies between the EDN SCADA components and the telecommunication components providing the communication service. As shown in Figure 9, the tele-controlled substations use the communication service that is provided by telecommunication network components (i.e., the Base Transceiver Station of the tlc network ); this also works in the other direction-the BTS are fed by the secondary substations of the EDN. In this work, we assume that the BTS do not have battery backup. Then, if a BTS B x depends on a substation S y and S y is in a damaged or disconnected status, the consequence is that B x will immediately stop functioning.

Assessing Robustness of Electrical Distribution Network Components and Possible Physical Damage Scenarios
This section describes how to assess the physical damage that a possible shock might cause on EDN components, causing a loss of QoS that from the unit value will fall to the mQoS of Figure 2. The entity of mQoS will depend, among other factors, on the level of physical damage induced by the shock on the EDN components, if they are not totally robust to the shock. Properly designed components according to the most advanced design standard will guarantee a good level of robustness. However, it is usually not possible or, in any case, economically not feasible to guarantee full robustness of EDNs components to the different shocks that might arise from extreme natural events. Therefore, it might be useful to be able to assess their vulnerability (i.e., the propensity to be affected by perturbation of certain types, which can be considered as the complementary term of the robustness) and the physical damage that a shock might induce on them. A first step toward the assessment of vulnerability is the collection of relevant information related to the design level and the geometric and constructive features of the components. Table 1 proposes a taxonomy for assessing the vulnerability of EDNs.

EDNs Exposed Components Type Vulnerability Factors Damage Metric
Generators Node Building characteristics (geometry, node typology, earthquake resistant design (ERD). Internal elements characteristics (i.e., type of anchoring).

Damage level
Primary and Secondary Substations Node Dedicated or multipurpose structure. Building characteristics (geometry, typology, earthquake resistant design (ERD)). Internal elements characteristics (i.e., type of anchoring). The assessment of a possible damage scenario can then be carried out by overlaying and convoluting information on the exposed EDNs components, including those regarding their vulnerability to the specific hazard under analysis (referred to as vulnerability factors in Table 1), and the perturbation intensity at the location of the exposed EDNs.
This concept is summarized in the equation below, where the symbol * expresses convolution among factors: Damage = Hazard * Vulnerability * Exposure Damage can be described with different metrics for different types of EDN components (Table 1). Damage to infrastructure nodes is represented in CIPCast-DSS according to a four-level damage scale, i.e., D1 slight/minor damage, D2 moderate damage, D3 extensive damage and D4 total disruption; with D0 representing the absence of damage.
Damage of infrastructure nodes should consider both the physical damage and operational failure. Although components are located inside buildings, it may be necessary to separately assess the operational state of the equipment and the physical damage of the building. In these cases, it is possible that the structure is significantly damaged and that the component is fully operational, as none of the equipment is damaged. Conversely, it is possible for the structure to be unaffected and the component has lost its function due to the damage of the equipment.
Damage of infrastructure edges (a cable, for instance) can be assessed quantitatively in terms of a damage rate DR, a deterministic estimate of the number of damages that a cable is expected to experience per unit of length (usually per kilometer). Specific damage functions implemented to assess the expected damage level or damage frequency of different EDN components can be seen in [27,35,36] for assessing earthquake-induced damage and damage induced from heat waves.
CIPCast-DSS was used to evaluate the resilience of urban infrastructure networks at systemic level. For example, in [28], the authors simulated a realistic earthquake event occurring in the city of Florence (Italy) by predicting disruptions on buildings and critical infrastructure and by designing a reliable scenario, accounting for road obstructions due to building collapse, to be used to design efficient contingency plans for infrastructure networks using an approach similar to that described in [17].

Results
This section summarizes the results obtained using RecSIM to analyze the behavior of the large and complex EDN of the metropolitan area of Rome (Roma Capitale) containing N = 14,206 electrical cabins.

Resilience Assessment of EDN in Case of Metropolitan Contingency Scenarios
The present work extends the results presented in [29] describing the N − 1 case analysis of the Rome EDN. In the present work, RecSIM was used for the assessment of the resilience of the EDN by: (1) considering the N − 2 worst case analysis of the EDN and (2) considering more realistic crisis scenarios obtained through Monte Carlo simulations by appropriately weighting the probability of occurrence of a given fault with the effective substations rate of faults resulting from historical data provided by the EDN operator.
First of all, the proposed resilience assessment approach provides a quantitative approach to measure the global operational resilience of a network and it provides a mean for the electrical operator to evaluate technological and/or operational improvements to increase the resilience of the network. At the same time, the proposed framework allows for the identification of the most critical components (e.g., MV lines) of the network in terms of impacts in case of contingencies. Then, the electrical operator can use the framework to optimize and to simulate different mitigation strategies. Figure 10 reports the distribution function D (1) (Γ) for all resulting Γ i considering the simulation parameters showed in Table 2 with two crews available. The network configuration (topology, position of switches along the MV lines) is referred to as a normal configuration. Different distributions will be obtained applying different perturbations to the network. For example, we used the proposed approach for the assessment of the N − 2 worst case and heuristic contingency analysis. Figure 11 shows the comparison among the different distribution functions. As pointed out in [30], the overall system resilience could be estimated as a series of terms, each one representing the contribution towards resilience for different (and progressively large) perturbations.
where the terms R (i) will be achieved by applying equations similar to and to the different D (i) (Γ). The terms a (i) can be related to the probability of the event; this would produce a series of progressively smaller terms, which would reduce the impact of the high order contributions to the total value of the global resilience score. For the three cases considered in our analysis, the corresponding R (1) , R (2) and R (h) are R (1) = 2.1710 −2 , R (2) = 7.6010 −3 and R (h) = 1.7810 −2 . It is interesting, in turn, to notice that crises produced in the heuristic case (i.e., involving substations that have shown a large propensity to fault), although in some cases involving more than a substation, produce impacts which, even in the largest cases, are of the same dimension of those produced by worst cases in the (N − 1) simulation. This is probably due to the fact that more vulnerable substations are located along lines, which do not produce relevant outages in case of faults (either for the presence of a few non-remotely controlled substations and/or for the presence of a small number of connected customers).

Electrical Distribution Network N − 2 Sensitivity Analysis
Analogously to what was reported in [29] for the N − 1 case simulation, RecSIM was used to analyze how the performances of the considered EDN depend on the factors/system properties that have been recognized to have a strong influence on them: (1) EDN topology, (2) tele-controlled devices, (3) EDN-telecommunication dependencies, (4) efficiency or remote controlled devices, (5) efficiency of restoration procedures and (6) number of available technical crews.
In this case, the worst scenario for the N − 2 contingency analysis is considered, that is, a double failure on the same semi-line or line. Indeed, as we have already discussed, in this case, a number of secondary stations will be isolated and the only way to restore the electricity service to users is to use mobile power generators.
We evaluated the sensitivity of the results with respect to the input parameters. We kept fixed all parameters but one and performed several simulations, each based on a different value of that parameter to estimate the effects on the resulting EDN resilience value.

EDN Resilience vs. Number of Available Technical Crews
In the first set of simulations we have varied the number of available technical crews on the field. Table 2 reports the parameters used for these type of simulations (S1 simulations), whose results are shown in the graphs of Figure 12. According to Equation (5) the curve shows the behavior of the resilience score that is proportional to the inverse of the CMI impacts obtained for the different simulation settings. Anyway, as the simultaneous number of SS to be restored is always quite small, the increase of the number of technical crews does not produce significant improvements where, for convenience, the score with two technical crews available is considered as a baseline. Moving from two to four technical crews produces a sizable resilience improvement (CMI decrease); the further increase of this number to six and eight does not provide any sizable resilience improvement.

EDN Resilience vs. Traffic Congestion
The objective of these simulations was to analyze the effects of traffic congestion on the EDN resilience values. The effects of low traffic and high traffic are reproduced by reducing (or dilating) the characteristic averages times needed for the different types of interventions. Tables 3 and 4 report the parameters used for the low traffic and high traffic scenarios (S2 and S3 simulations, respectively).

Model Parameters S2 Simulations
network topology normal configuration number of technical crews available on the field 4 time for tele-control operation (tlc t ) 5 ± 2 min time for technical intervention on-site (travel t ) 35 ± 10 min time for installing an electrical generator (pg t ) 160 ± 20 min fraction of tele-controllable SS being not tele-controllable 0.4%

Model Parameters S3 Simulations
network topology normal configuration number of technical crews available on the field 4 time for tele-control operation (tlc t ) 5 ± 2 min time for technical intervention on-site (travel t ) 60 ± 10 min time for installing an electrical generator (pg t ) 220 ± 20 min fraction of tele-controllable SS being not tele-controllable 0.4% The results provide evidence ( Figure 13) that traffic might have a relevant impact on the operational resilience of the EDN. However, "traffic" is just a metaphor to indicate the need of a rapid deployment of the technical crews on the field. Manual restoration times could be reduced by optimized technical crew fleet management, and by a wise assignment of intervention to the technical crew closer to the point where the intervention is needed. This could be easily realized by a GNSS tracking of the crews and their automatic assignment during emergency procedures.

Assessing the Impact of Improved Distribution Automation Systems (DAS) on the EDN Resilience
Moving forward from these previous efforts and works, ENEA and Areti SpA, the Roma EDN operator, started a collaboration with the objective to improve the proposed resilience framework by including: (1) a more realistic power grid topology and (2) the simulation of the actual restoration procedures, also considering the fault detection procedures adopted by the operator to individuate the faulted components of the grid. Moreover, the improved RecSIM allows for the assessment of the performances of the power grid considering normal or most-likely failure conditions, which are failures on sections of MV lines connecting two substations.
These improvements make RecSIM a valuable framework for the operator to assess the impact of technological improvements and to optimize the company investments needed to implement them.
This section describes the results that were obtained using the improved RecSIM to assess the impact on the power grid performances of different algorithms for the power grid distribution automation systems (DAS). In particular, simulations considered the N − 1 case analysis of the subset of MV lines (denoted with L hc in the following) identified by the operator as high concentration lines, i.e., MV lines supplying a large number of customers.
For each line l ∈ L hc the tool performed a N − 1 case analysis considering (i) the actual DAS procedures described in Appendix A and denoted FRG in the following, where the automatic failure detection ad isolation was operated through the timely coordination of automatic switches in the line and (ii) a possible improvement of these procedures through the cooperation, through 4G network communication, of automatic switches along the line. In the former case, DAS avoids the disconnection of the substations upstream of the last automatic station before the faulted MV line section (please refer to the Figure A3, which shows an example of how the current DAS procedure works).
On the other hand, the cooperation of automatic switches in the improved DAS procedure would avoid the disconnection of substations upstream of the last automatic station before the faulted MV line section (as in the previous case) and the substation downstream the first automatic substation after the faulted MV line section. Figure 14 shows an example of how the improved DAS procedure is able to isolate the failure of the D-E line section through the cooperation of the automatic switches in substations C, F, H and X. Please note that the new DAS procedure requires that all switches in the frontier substations (e.g., substations F and H in Figure 14) are equipped so that they are able to perform the automatic procedures. Figure 14. Automatic selection of a failure with the improved 4G DAS procedure. Figure 15 compares the results of the N − 1 case analysis preformed considering the MV lines in the L hc set. The plot represents the mean impact values (kmin) obtained adopting (i) the actual FRG procedure (blue area) and a (ii) the improved 4G procedure (red area). Results show that adopting the 4G procedure for all lines in L hc the KMI N TOT computed summing up all mean impacts of each line decrease of a percentage of 16%. It is reasonable to assume that the transformation process to the new improved DAS procedure is constrained by the available budget. Then, it is worthwhile to compute the optimal development planning to maximize the network performances gain w.r.t the available budget. An optimization framework is going to be realized to support the electrical operator in the adoption of the best network development strategy. As a preliminary result, this work reports the Pareto efficiency that can be computed assuming that the cost for the transformation of each line does not depend on the number of automatic switches present in the different lines. Figure 16 shows the cumulative delta curve obtained by the cumulative sum of the 4G impact gains, ordered in descending order. For example, transforming the first 20% of MV lines (i.e., these lines are the lines with the greatest gain factor) the 52% of theoretical gain can be reached.

EDN Resilience vs. SCADA System Availability
The improved resilience framework was used to analyze the resilience of the distribution grid as a function of the SCADA system availability. In this case, the objective is to analyze EDN performances considering problems on the tele-control system (S4 simulation in Table 5). These problems can have different causes as for example telecommunication network failures (i.e., in these cases the SCADA components are working properly but there is no communication between the control room and the EDN elements) or SCADA components failures. The electrical operator constantly monitors the availability of the network SCADA system. A low SCADA system availability condition represents the case when the fraction of not-controllable SS is twice as much as in normal conditions (i.e., 1% with respect to the "physiological" 0.4%; see Table 2). The sensitivity of the resilience with respect to SCADA system availability is shown in Figure 17. For example, considering the 3% of tele-controllable SS as not tele-controllable, the resilience index decreases of ≈9%. In case of large telecommunication blackout (10% of SS tele-controllable with problems) the resilience decrease of ≈20%.

Model Parameters S4 Simulations
network topology normal configuration number of technical crews available on the field 4 time for tele-control operation (tlc t ) 5 ± 2 min time for technical intervention on-site (travel t ) 45 ± 10 min time for installing an electrical generator (pg t ) 180 ± 20 min fraction of tele-controllable SS being not tele-controllable 0.4%, 1%, 2%, 3%

Discussion
The Electrical Distribution Network (EDN) is a critical infrastructure that plays a primary role in citizen life. The resilience of an EDN, intended as its service continuity, should be pursued both in business as usual and adverse conditions. These EDN systems should be able to withstand different types of perturbations possibly affecting their functions through a combination of technical solutions and management strategies spanning from intrinsic system technologies to effective operational plans.
This work proposed a framework enabling: (1) the estimation of the physical impacts and consequent functional perturbations that might affect EDN, and (2) the testing of the effectiveness of different strategies to achieve operational resilience. Factors that are considered within the framework to set resilient response strategies include: the EDN topology; the technological properties of EDN active elements; the SCADA systems; automation procedures and management efficiency.
In particular, the proposed approach is related to a novel integrated metric (similar to the metric proposed in [14]) for operational resilience to be used in systems showing a functional behavior whose management, particularly in crises scenario, might be highly dependent on the functioning of other systems from which it takes operational services.
The obtained results show that RecSIM is a valuable tool to assess the resilience of EDN considering either (i) the normal EDN operational procedures and (ii) in case of natural disasters and/or critical contingencies.
A primary use of the RecSIM model is in the optimization of the positioning of new automation devices along the network. Automation devices are useful to improve the quality of the EDN response, to improve its capability to isolate the perturbed trunk line. In a limited resource strategy, the positioning along the lines should be attentively considered in order to maximally improve the benefits in terms of controllability and resilience gain. The RecSim model is particularly suited to carry out such an optimization strategy: new device positioning is positioned along the lines and an heuristic strategy can be used to select the possible n-device positioning in a way to provide a sub-optimal improvement to resilience, which will be considered as the objective function for the optimization strategy. This will be the primary application of the RecSim model to the EDN case and will provide new understanding on the use of appropriate optimization strategies to be used in combination with RecSim.
A further research direction could consider resilience as a "systemic" property. As the rebound from a perturbed to the equilibrium state, in a specific infrastructure (in our case the EDN), is related to the availability of external services (in our case the telecommunication service), which could fail due to the perturbation to the hit infrastructure, the overall efficiency for restoration will thus depend on the properties and the management of both systems. The case could be even more complex when multiple infrastructures are involved: this is the case, for instance, of water distribution networks (WDN) and railway networks [37][38][39], where electrical and telecommunication functions are both needed for supporting normal and crisis management . In this respect, the "Systemic Operational Resilience" score should be able to gather, in a unique definition, the functionality losses in all the infrastructures that can be hit by a perturbation inserted somewhere in the "system of systems", a perturbation that could hit one or the other of the interdependent infrastructure. This will open a "generalization" of the two-systems case, which could provide, at the end, the settlement of a unified model for the resilience in the real case of multiple, interconnected infrastructures [15,40].
In particular, the proposed approach was applied to the case study of Rome city, whose large distribution network contains more than 14.000 electrical substations, to show how the model can appropriately handle a real EDN of large dimensions.
RecSIM has proven to be able to realize a simulated stress test to the electrical infrastructure by simultaneously considering the different network properties that have an impact on resilience (topology, tele-control, appropriate interaction with the telecommunication operation providing tele-control, cabin automation, level of network management in terms of number of technical crews and times of interventions). In this respect it allows us, by appropriately varying those factors in the model, to establish the impact of each of them on the final resilience score. This would have a large impact on the industrial point of view for determining, through educated analysis, the best approach in terms costs/benefits for progressively improving the overall network resilience. RecSIM will be made available to operators: in this perspective, the Infrastructure Simulation and Analysis Centre (EISAC) is working to establish a collaborative, European-wide network of national centers, empowered by advanced technologies, to inform, support and empower the different players involved in the resilience enhancement of EDNs, among other critical infrastructures. One of the tools developed by EISAC is the CIPCast Decision Support System (CIPCast-DSS), whose development has been part of the EU-funded FP7 project CIPRNet ("Critical Infrastructures Preparedness and Resilience Research Network") and of the Italian project RAFAEL ("System for Risk Analysis and Forecast for Critical Infrastructures in the AppenninEs dorsaL Regions") [22]. CIPCast provides a database, an interoperable platform and a user-friendly WebGIS interface, conceived as a combination of free/open source software environments, for the real-time and operational (24/7) monitoring and risk analysis of built and natural environments, with special focus on interdependent critical infrastructures including the EDNs. CIPCast-DSS can be coupled with RecSIM, providing a complex simulation model to enable the effective assessment of resilience enhancement strategies for EDNs, considering the specific situational awareness data and functional impact scenarios predicted/assessed by CIPCast-DSS. In this sense, CIPcast-DSS can be used to assess the possible damage and impact scenarios for real events, supporting an effective and rapid emergency management and response, as well as for simulated events (e.g., earthquakes) [28], to inform risk mitigation and resilience enhancement strategies. Indeed, as pointed out in [25], considering risk and situation awareness results can improve resilience assessment and management.
At the current stage, RecSIM is able to assess the resilience of an electrical distribution network according to the given enforced organizational and automated security systems. Concerning the implementation of other resilience protocols, further work could focus on optimizing the positioning of rescue teams, their availability during the event and the different levels of automation of the substations and their remote controllability. Section 4 shows the application of the proposed approach to assess the possible performance improvement that can be obtained using an improved distribution automation system protocol. The infrastructure operators may rely on these results to plan network investments and developments.
Integrating RecSIM with security monitoring platforms used by operators would significantly improve the situational awareness capability of the CIPCast-DSS platform. In recent years, various studies have proposed advanced techniques to enhance the resilience of cyber-physical systems and industrial control systems [41,42]; however, this integration would entail the overcoming of a number of problems related to operators requirements concerning with data confidentiality, liability management and security that will deserve a constraint-mediated approach.

Conflicts of Interest:
The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript:  Figure A1 summarizes the main procedures executed by RecSim. The initializeSimula-tionParameters() procedure initializes all the parameters needed to configure a simulation. For example, these parameters ( Figure 6) represent the efficiency of the SCADA system (BTS st , tlc t ), the efficiency of the restoration procedures (tr t , m t , PG t ) and the number |C| of technical emergency crews available. These parameters have been initialized according to the information provided by the EDN operator. In particular, within the proposed operational resilience assessment framework, these parameter values will be changed in order to assess the resilience of the EDN in different operational setting scenarios (see Section 5). The loadEDN() procedure loads the EDN topology into RecSim. The network topology is represented as a map of MV lines. Each MV line, that is uniquely identified through its name, is represented as a tree data structure where the root element is represented by the MV line primary station. The EDN operator provided these data as excel csv files containing the network topology and the EDN components characteristics (e.g., the type of secondary substation). The loadDependencies() procedure initializes the data structures used to represent the dependencies between the electrical distribution and the telecommunication network. In particular, the algorithm uses the target_BTS_dict to store the dependency of the base transceiver station (BTS) elements to the secondary cabins (i.e., the target_BTS_dict contains tuples such as (BTS i , SS j ) indicating the SS j feeds the BTS i element) and the target_SS_dict to store the dependency of the SS elements to the BTS (i.e., the target_SS_dict contains tuples such as (SS i , BTS j ) indicating the BTS j provides the communication service to the SS i element). The sets BTS st and P (that is the set of secondary substations SS F in damage state) are initialized by the procedures loadBTSFunctioningStatus() and loadPerturbation() respectively.
Then, the simulate() procedure computes the consequences of the perturbation scenario P depending on the reconfiguration actions that can be performed by the electrical operator, using the available resources (in term of emergency crews and SCADA system availability). The simulate() algorithm is summarized in Figure A2. IntervationsQueue ← ∅; LineWithFailure ← ∅; for each bts ∈ BTS st do propagateBTSFailure(bts, target_SS_dict) end for each ss ∈ SS F do IntervationsQueue ← intervation(ss) ; LineWithFailure ← getLine(ss) ; propagateSSFailure(ss, target_BTS_dict); assignPowerGenerator(ss) end assignIntervationToCrew(IntervationsQueue, Cr list ); for each MV l ∈ LineWithFailure do simulateProtections(MV l ); setDisconnectionLast(MV l ); end • the subtree T l ssr contains automated secondary stations and at least one of these nodes belong to the path (ss r , ss f ) P . Formally: ∃y : ss y is automated and ss y ∈ (ss r , ss f ) P If there are more of such automated nodes the simulateProtections() chooses the last automated 733 node in the path (i.e the nearest automated node to ss f ). The procedure choose the next node of 734 this node in the path (ss r , ss f ) P . Let's indicate this node with ss k .Then, the procedure sets the 735 status of all nodes belonging to the subtree rooted with ss k (T l ss k )as disconneted;

736
• there are no automated nodes in the MV l line. In this case the simulateProtections() sets the status 737 of all nodes in T l ssr as disconnected. 738 An example of the execution of the simulateProtections() on a MV line is shown in Figure A3. The simulator initializes the data structures IntervationsQueue and LineWithFailure that will store the set of interventions to be assigned to the technical emergency crews and the set of MV lines containing at least the ss in a damaged state (i.e., ss ∈ SS F ). Then, for each BTS in failure, the simulator updates the dependent remotely controlled secondary substations SCADA system as not functioning. Indeed, a remotely controlled secondary substations that cannot rely on the telco service is considered a normal secondary substation. Next, the simulator for each ss ∈ SS F updates the IntervationsQueue and LineWithFailure data structures and, if needed, updates the functioning status of the BTS using the set target_BTS_dict. For each ss ∈ SS F the procedure assigns a mobile power generator. The simulateProtections() procedure simulates the behavior of the EDN protection devices. Indeed, the MV lines use such devices to protect the various electrical equipment that can be seriously damaged by voltage drops and/or line over-current. For the sake of clarity, the following explanation is related to single failures for each MV lines. The procedure takes in the input of the set SS F of secondary substations (referred to also as nodes in the following) that are in a damaged state and the topology of the network. Let's assume that an MV line is identified by the tuple MV l = (l id , ss r , T l ss r ) where l id is the unique identifier of the line, ss r is the name of the MV line root secondary station and T l ss r is the tree (rooted in ss r ) that models the MV line topology. Let us indicate with (ss i , ss j ) P the direct path from node ss i to node ss j and with ss f that the node of MV l is in failure. Two different cases are possible: • the subtree T l ss r contains automated secondary stations and at least one of these nodes belong to the path (ss r , ss f ) P . Formally: ∃y : ss y is automated and ss y ∈ (ss r , ss f ) P If there are more of such automated nodes the simulateProtections() chooses the last automated node in the path (i.e., the nearest automated node to ss f ). The procedure chooses the next node of this node in the path (ss r , ss f ) P . Let us indicate this node with ss k . Then, the procedure sets the status of all nodes belonging to the subtree rooted with ss k (T l ss k )as disconnected; • there are no automated nodes in the MV l line. In this case the simulateProtections() sets the status of all nodes in T l ss r as disconnected. An example of the execution of the simulateProtections() on an MV line is shown in Figure A3. Then, after simulating the protection devices behavior the simulate procedure calls the setDisconnectionLast procedure that sets the disconnection time of each ss ∈ T l ss r . The rationale of this procedure is explained as follow: 1.
The procedure checks if there exist tele-controlled nodes in the path (ss r , ss f ) P . Let us assume that ss tlc y is the last tele-controlled node in this path and that the SCADA system is working properly. Then, the procedure computes the subtree T l ss r obtained removing the outcoming edges from ss tlc y . The procedure sets the disconnection time of all the nodes in T l ss r equal to tlc t (the mean time needed to perform a tele-controlled action). If there are no tele-controlled nodes in the path (ss r , ss f ) P or their SCADA system is not working (because of BTS failures) the procedure sets the disconnection time to all nodes ss f ∈ T l ss r (where T l ss r in this case, is obtained by removing the incoming edge to ss f ) to tr t + m t , that is, the time that the technical crew needs to travel to the failed node and to perform the manual actions to isolate the failure.

2.
The procedure sets the disconnection time to all nodes of all subtrees {T l ss f } obtained by removing the outcoming edges from ss f . For each T l ss f ∈ {T l ss f } the procedure checks if there are frontier nodes in order to energize T l ss f or part of it, using another MV line. In general, there are different cases: There exists a frontier node (denoted by ss f r x )that can be connected to another line MV l1 and the related frontier node in MV l1 has the functioning status (i.e., there are no failures and/or disconnections on MV l1 ). Moreover, the connection of the two frontier nodes can be performed using the SCADA system. In this case, the procedure checks if there exist tele-controlled nodes in the path (ss f , ss f r x ) P . Let us assume that ss tlc y is the first tele-controlled node in this path and that the SCADA system is working properly. Then, the procedure computes the subtree T l ss y obtained, removing the incoming edge to ss tlc y . The procedure sets the disconnection time of all the nodes in T l ss y equal to tlc t . (b) There exists a frontier node (denoted by ss f r x )that can be connected to another line MV l1 and the related frontier node in MV l1 has the functioning status; however, the connection of the two frontier nodes has to be performed manually. In this case, the procedure assigns this new intervention to the technical crew, that can be available or not, to set the disconnection time of all node in T l ss f according to the time needed to the technical crew to perform the operation. (c) There does not exist a frontier node. In this case, the nodes in T l ss f are isolated and the disconnection time is set equal to PG t , that is, the time needed to connect the node users to a mobile power generator.

3.
The procedure sets the disconnection time of node ss f equal to PG t . 4.
In steps 1 and 2, the procedure simulated all possible remotely controlled actions. In general, there remain a number of nodes that will be reconnected after manual isolation and restoration actions. The disconnection time of these nodes will be set accordingly.
If the line MV l has an automated substation in the path (ss r , ss f ) P the procedure performs the same computations as illustrated above but using the automated secondary station as subtree root.
The assignIntervationToCrew() procedure assigns to the available crews the interventions needed to perform manual isolation and restoration procedures. Depending on the emergency crew number and availability the time needed to perform manual operations changes accordingly. In general, given |I| the number of interventions, IntervationsQueue not assigned to any emergency technical crew and |Cr| the number of available emergency crews, the procedure assigns the interventions to the crews in the following way: • |I| ≤ |Cr|. In this case, the time needed to perform the manual operation is t r + m t ; • |I| > |Cr|. In this case, |Cr| manual operations will be performed in t r + m t whilst the remaining interventions will be added, using a uniform work load criteria, to the intervention list of some emergency crew. For instance, if an intervention is added in the second position of the intervention list of a technical crew the time needed to perform this operation will be 2 * (t r + m t ).
In general, the IntervationsQueue contains the interventions needed to isolate faulted secondary stations and interventions added by the setDisconnectionLast. Indeed, manual operations are required whenever it is not possible to perform remotely control actions (e.g., manual interventions are required in step 2 case c) of setDisconnectionLast procedure described above).