THOUGHT LEADERSHIP
When the lights go out
Major power outage events, like the one that affected Spain and Portugal this April, can be enormously disruptive and even deadly. Here Entura’s Technical Director Power, Donald Vaughan, considers the complex factors at play and their implications for grids everywhere ...

The recent power outage on the Iberian Peninsula provides a serious opportunity for reflection. Many articles have been published that try to explore the seconds and milliseconds after 12:32 PM on 28 April 2025 while only having access to the grainy frequency plots and approximate timelines that have been released (to date). This is not one of those articles. Nor is it an article that will lay blame on a particular technology or energy source. Instead, I will expand on the physics at play in this instance and reflect on whether current network security practices are adequately catering for changes to the power grid.
The physics
The power system is governed by the laws of physics, as is normal in the physical world. Quite a few of these laws tend to gang up on us during a power system event[1]:
(i) conservation of energy
(ii) Ohm’s law
(iii) Newton’s laws of motion
and, of course,
(iv) Murphy’s law.
We’ll talk about the first three now and the last one later.
We learn very early that energy can neither be created nor destroyed (law i, above). This is at the heart of a power system event. The power system supplies loads by supporting voltage across the network that supplies millions of parallel loads. Each of these loads converts electrical energy into another form of energy based on the voltage it sees and its internal characteristics. This will continue as long as the voltage profile is maintained (law ii). So, demands take energy out of the power system regardless of what generation events occur.
We know that the main trouble in the recent Iberian event started when a large amount of generation stopped in southern Spain. This led to an imbalance between generation and demand in that region. That imbalance is immediately addressed through the inertial action of synchronous generation across Europe (law iii).
If interconnection were perfect, the burden of this inertial response would be shared perfectly across Europe and we probably wouldn’t be talking about this event quite as much as we are. Yet interconnection is rarely perfect (law ii). The frequency in Spain started to move away from the frequency to the east, and the AC interconnection to the east opened (which avoided the disturbance that stems from loss of synchronism). This should have been some help to the falling frequency in Spain given the eastward flows at the time. Under-frequency load shedding (UFLS) occurred around this time and should also have helped. It seems that the voltage disturbance that then occurred as a result of all these trips was the last straw.
Network security practices
It would be a gross over-simplification of network security practices to say that the power system should not lose customer load for the loss of one generation or network element (N-1 redundancy). The event on 28 April is way beyond that. Typically, for larger events, the grid should fail safely. We’ll look at that definition of ‘safely’ later. For now though, we can see that the grid did, in fact, try to fail gracefully:
- The AC interconnectors opened to avoid damaging loss of synchronism.
- The under-frequency load shedding operated to try to preserve supply to some customers and keep the grid up, so as to reduce the duration of the interruption.
- Other generating unit controls acted to either increase output or trip to avoid damage.
We see in the Iberian Peninsula outage, as we did in the major South Australian blackout in 2016, lots of independent protection operations slowly but surely weakening the grid to the extent that it is no longer viable. Each of these protection operations undergoes scrutiny after an event of this nature, and will likely lead to some changes in Spain and France as was the case in South Australia.
The 28 April event appears to be quite slow in comparison to some other network blackout events. Even so, the event lasted less than 20 seconds and had 2–3 stages within it. One of the bases of design of the AC network is that it can generally operate with minimal, fast coordination even under large events. Control relies on observation, computation and action. So, to manage an event, a control system must measure what it needs to reliably determine what control actions it must make, and then take those control actions (assuming it can control all the elements it might need to control) in time for them to have an effect. If we think about a need to deftly control the response of individual units (or control systems) in an unusual way in a short period of time, then we can quickly conclude that this may not be possible.
If we can’t manage these events in real time, we have three courses of action:
(i) Physical plant
We could design networks, network supports, and network and generator protection and control systems to be more robust in the face of large power system events, thus decreasing the likelihood of unnecessary cascading protection operation.
This would include better interconnection, more dynamic reactive support (separate from generating units and demand), system-level protection schemes, and a review of generating unit protection settings to ensure that generator capability, rather than network requirements, sets operating limits.
(ii) Dispatch rules
We could change dispatch to provide greater margin for real and reactive power control as determined by the security risk and the cost to mitigate it.
We could continue the traditional N-X approach to system supports or we could use a stochastic approach to determining system support requirements (weighting the probability of an event occurring against its impact). Either way, we’d have to pay an ‘insurance’ premium at each dispatch interval to make large-scale system outages less likely.
(iii) Restart planning and capability
We could make recovering from major blackout events easier and faster.
We think about these events in terms of how often they occur (which is what the first two courses of action cover) and how long they last. System operators typically have generic plans for system restart that rely on starting synchronous plant and re-energising transmission systems and eventually customer demand. This can be made easier with interconnection. It can also be made easier with good visibility of voltages and voltage profiles across regions (and the tools to control them). Often, for big events like in South Australia in 2016, the network is left somewhat stricken from equipment damage. System restart efforts are often hampered in this scenario because plans need to be improvised to adapt. This depends on the skill, knowledge and experience of the operators. Some jurisdictions have simulated such events as part of training operators.
The fourth law
We know that ‘anything that can go wrong will go wrong’. Seemingly simple things can undermine the best-laid plans and the best intentions. We often can’t plan for these things specifically, although HAZOPS, root-cause analyses, scenario simulations and reviews can help us understand where the problems may lie and give us a chance to close loopholes before they become SNAFUs.
Major power outage events are serious. They often lead to loss of life or injury, and the recent Iberian Peninsula event was no exception. They also always have an economic impact, which is not always fairly distributed. As an industry we need to improve how we manage them. We also need to get better at talking about technical issues in a political environment. If there’s a risk of blackouts, we have a duty to not only mitigate that risk within the current rules but also advocate for rule changes if that mitigation is inadequate. To be most productive, this conversation should happen in a techno-economic environment. The automatic debate after power system events often focuses on the role of renewables, commercial interests and the like, which may sometimes be entertaining but inevitably affects the techno-economic outcomes in a negative way for everyone.
ABOUT THE AUTHOR
Donald Vaughan has over 20 years’ experience providing advice on regulatory and technical requirements for generators, substations and transmission systems. He has worked for all areas of the electrical industry, including generators, equipment suppliers, customers, NSPs and market operators. Donald specialises in the performance of power systems. His experience in generating units, governors and excitation systems provides a helpful perspective on how the physical electrical network behaves.
Image: Basil James on Unsplash
[1] There are more laws, but these are the main and most accessible.
23 June, 2025