A Framework for Integrating Virtualized PAC into Availability Model of a Digital Substation: An Exploratory Adaptation of Software Aging and Rejuvenation Model

1. Introduction

The power grid is undergoing a significant transformation toward a smart grid paradigm. Since protection, control, and monitoring functions in a smart grid are predominantly executed within substations, achieving overall grid reliability fundamentally depends on the reliability of these substations. As the transition toward a net-zero energy system accelerates, digital substations (DS), serving as critical nodes within this evolving infrastructure, are advancing to leverage modern developments in communication and computing technologies [1]. The secondary system of a digital substation consists of a Substation Automation System (SAS) and a Protection, Automation, and Control (PAC) system. The SAS typically manages higher level functions within the substation, including communication with Supervisory Control and Data Acquisition (SCADA) systems, interfacing with the Human Machine Interface (HMI), and handling alarms. In contrast, the PAC system mainly provides protection for primary assets as well as real-time control and monitoring at the lower level. This complete secondary system in an automated substation is oftentimes referred to as DSAS in the literature. PAC functions, which were mainly distributed in the beginning (i.e., different Bay Control Units (BCUs) and Protection IEDs in a substation) [2], are transitioning towards a centralized and virtualized PAC system. The transformation borrowed from the enabling technology of virtualization from the field of computer science has proved to be promising as a result of early performance investigations [3]. Traditionally, physical PAC devices comprised tightly integrated hardware and software layers, each designed and optimized for a specific set of protection and control functions. Because these devices were delivered as purpose-built units, their performance characteristics were predetermined and guaranteed by the manufacturer. With the introduction of virtualization, these layers are now decoupled, enabling the hardware platform to be selected independently of the PAC application. In this model, the vendor provides the PAC functionality as software, while utilities can deploy it on robust hardware computing platforms that meet their operational requirements and can be adapted as the grid evolves. This architectural separation offers utilities significant flexibility, as it allows them to mix and match components from different suppliers to construct a solution tailored to their needs. However, this increased freedom also introduces a critical challenge: ensuring that the independently sourced hardware and software components operate seamlessly and reliably together, an essential requirement given the stringent dependability expectations of power system infrastructure.

Aging of the software layer in the virtualized architecture poses a critical performance [5] and reliability challenge for long-running systems, where prolonged execution leads to gradual performance degradation and increased failure likelihood. This degradation typically results from aging-related bugs that accumulate over time through mechanisms such as memory leaks, resource exhaustion, and corrupted internal states. These effects progress along the fault-error-failure chain and are often reflected in observable indicators, including rising resource consumption and reduced responsiveness [6]. To counter these effects, software rejuvenation provides a proactive recovery strategy that restores system health through controlled restarts or state refresh operations [7]. Rather than removing underlying defects, rejuvenation aims to release consumed resources and reset deteriorated system states, thereby postponing failures associated with cumulative errors. This technique is especially effective in continuously operating environments where planned rejuvenation can prevent unscheduled outages. Its effectiveness depends on determining an appropriate rejuvenation schedule that balances system availability with maintenance overhead, making timing decisions a central challenge [8]. Considering the pivotal role of dependability and performance aspects during the design and operation stages of the system life cycle, an exploration of model choices and system failure mechanisms during the pilot deployment stage [4] can build confidence prior to real-world deployments.

To the author’s knowledge, no work exists to date that addresses the Software Aging and Rejuvenation (SAR) model aspect and its impact on substation reliability indices; this may be due to the infancy of virtualization technology in digital substations. The phenomenon, however, is well understood and have been the topic of research in the field of computer science. Owing to this fact we will present here some important work of SAR pertinent to virtualization technology in the field of computer science. This background serves both as a relevant literature review and a brief introduction to the field for power system researchers.

In virtualized environments, software aging appears as performance degradation and resource exhaustion, exacerbated by the additional abstraction layers of virtualization. Aging analysis seeks to estimate the likely time to failure caused by these effects and enable timely rejuvenation. Existing techniques fall into three main categories: model-based, measurement-based, and hybrid approaches [8]. Model-based techniques use analytical and stochastic models to derive optimal rejuvenation schedules. Common formalism examples include continuous time Markov chain (CTMC) [9], semi-Markov process (SMP) [10], Markov regenerative process (MRGP) [11], and Petri-net–based models such as stochastic Petri-net (SPN) [12] and stochastic reward net (SRN) [13], applied across configurations involving single or multiple hosts and various Virtual Machine (VM) states (cold, warm, migrated, failover). These approaches enable systematic evaluation of alternative rejuvenation policies but often rely on simplifying assumptions that reduce accuracy in dynamic virtualized environments [8]. Measurement-based approaches rely on observable aging indicators at both the Virtual Machine Monitor (VMM) and VM layers. System-level metrics capture CPU, memory, storage, and network usage, while VM-level indicators include latency, throughput, and Service Level Agreement (SLA) compliance. Collected data can be analyzed using time-series forecasting [14], machine learning [15], or threshold-based methods [16], with dimensionality reduction or feature selection applied when indicators are correlated [17]. Although effective in revealing unanticipated aging patterns, these methods require extensive monitoring effort and often lack generalizability across systems. Hybrid strategies combine the strengths of both approaches by parameterizing analytical models with empirical data, thereby improving model fidelity and adaptability to real workloads [18,19]. Rejuvenation mechanisms operate at multiple layers of the virtualization stack. At the VM layer, techniques include cold-VM restarts and failover [16]. At the VMM layer, options include cold- and warm-VM rejuvenation, [20] suspend/resume or quick reboot [21], various VM migration [22] strategies (stop-and-copy, pre-copy, return-back, stay-on), and micro-reboots [23] of virtual infrastructure components. However, virtualization can introduce additional aging challenges—such as increased memory fragmentation—that accelerate degradation and complicate rejuvenation planning [24]. Given the diversity and operational trade-offs among these techniques and the nonexistence of mission-critical virtualized PAC systems in utility infrastructures it is quite a challenge to propose a standard model at this stage. This challenge is further exacerbated due to unavailability of field data, lack of standardization at VMM or hypervisor and application level, and technology choices at the server hardware and network layer level. This leaves the choice of model and analysis methodology selection completely open for VPAC-based DSAS. This work is thus deemed to be of an exploratory nature, an impetus to draw electrical power system researchers’ attention to explore the modeling possibilities and further investigation in this emerging area. The work contributes by:

• Extending and incorporating an existing SAR model using a hierarchical modeling framework into the availability model of a DSAS.
• Analyzing and evaluating the reliability indices of the primary and secondary systems of the substation and later deriving the combined substation indices.

The paper is organized as follows: Section 2 presents the primary system and secondary architecture chosen for the study and proposed modeling methodology. Section 3 presents, analysis of primary and secondary systems along with combined system evaluation model. Reliability indices of primary, secondary and combined system are derived with discussion in Section 4. Finally, the paper concludes with Section 5.

2. System Modeling and Methodology

2.1. Primary and Secondary Systems for Study

The primary system of a digital substation considered in this study is a breaker-and-a-half substation configuration, widely regarded as one of the most dependable high-voltage substation layouts [25]. The selected topology is partitioned into four protection zones, two bus zones and two diameter zones, as illustrated in Figure 1. All protection and control functions associated with these zones are hosted on a centralized virtualized VPAC system. These protection zones are not fixed and may be adapted according to the underlying protection philosophy.

The secondary system architecture comprises two redundant VPAC servers interconnected through the Parallel Redundancy Protocol (PRP), an established standard for high-availability industrial communication [27,28,29]. The architecture and corresponding Reliability Block Diagram (RBD) are presented in Figure 2 and Figure 3, respectively. The RBD considers a single Power Supply (PS), a Time Source (TS), two VPAC servers, and four Process Interface Units (PIUs), with the Process Bus (PB) modeled as the PRP communication backbone. For the configuration in Figure 1, each VPAC server is responsible for complete substation protection, control, and monitoring functionality. The PIUs provide the interface to the primary equipment by acquiring current, voltage, and binary status signals, and by issuing control commands to circuit breakers and disconnectors. Both the PS and TS are required for the system to remain operational; the TS is essential for synchronized sampling, particularly for differential protection, and for maintaining consistent event timestamps across the substation. The PIUs are modeled as an n-out-of-n subsystem because certain protection functions and control actions, such as breaker failure protection or busbar fault clearing, require all PIUs to operate correctly to ensure coordinated switching, tripping, interlocking, and signaling at the PB. The VPAC servers form the core of both the PB and station bus (SB) communication networks, enabling full remote control and monitoring capabilities as expected in a fully digital substation.

The availability of a system with n components in series is given by:

$$A_{ser}={\mathrm{\Pi }}_{i=1}^n{A}_i$$

(1)

while the availability of two components in parallel is

$$A_{par}=A_1+A_2-A_1·A_2$$

(2)

For a configuration requiring k out of n components to be operational, the availability is expressed as

$$A_{kofn}(k,n)=\sum _{i=k}^n\left({\displaystyle \genfrac{}{}{0pt}{}{n}{i}}\right)A^i·A^{(n-i)}$$

(3)

The steady-state availability of a component having a failure $\lambda$ and repair rate $\mu$ is defined as.

$$A_{ss}={\displaystyle \frac{\mu }{\lambda +\mu }}$$

(4)

where typically, $\lambda$$<<$$\mu$.

Based on the RBD in Figure 3 and using (1) the availability of the VPAC architecture can be written as

$$A_{Arch,VPAC}=A_{PS}·A_{TS}·A_{SC}·A_{PIU}·A_{VPAC}·A_{PB}·A_{SB}$$

(5)

The availability of the PRP-based PB can simply be obtained using (2), while the detailed evaluation of VPAC availability is presented in the following sections.

2.2. Proposed Methodology for Availability Modeling of VPAC-Based DSAS

2.2.1. Hierarchical Reliability Modeling of DSAS

Although RBDs offer an efficient means of computing reliability indices, they are limited in their ability to represent complex system states and the dynamic interactions between hardware and software components. More expressive formalisms, such as Markov chains, Petri nets or Bayesian networks, are often used for such purposes. In this work, we employ Markov chains to capture the dynamics of SAR, owing to their closed-form steady state solutions, memoryless property aligned with exponential failure and repair assumptions, and computational efficiency resulting from small, fixed-size transition matrices [30].

Model decomposition technique is used to manage system complexity and to integrate heterogeneous modeling approaches. Under this paradigm, a system is partitioned into subsystems whose outputs become inputs to higher-level models, forming a hierarchical structure that can be solved sequentially [30]. The VPAC-based DSAS adopts such a hierarchical modeling framework by embedding an SAR model within the RBD architecture shown in Figure 3. In this hierarchy, the availability of VPAC servers 1 and 2 is received through a lower-level SMP model (L1-SMP). The limiting up state probabilities represent steady-state availability, as illustrated in Figure 4. The resulting VPAC subsystem, comprising two servers in parallel, can then be evaluated using (2). This hierarchical approach preserves the analytical simplicity of RBDs while enabling the SMP layer to capture system interactions and SAR-related dynamics, thereby encapsulating model complexity without compromising computational tractability.

2.2.2. Software Aging and Rejuvenation (SAR) Modeling

Software Rejuvenation Policy:

Software rejuvenation in a VPAC-based virtualized system may be carried out as either a partial or full rejuvenation procedure. Partial rejuvenation refers to refreshing a specific VM hosted on the hypervisor. This process is comparatively fast and can mitigate performance degradation of the targeted VM without affecting co-located VMs or applications; however, it does not fully restore the VM to its most robust operational state. Full rejuvenation involves restarting the hypervisor (Type-1), including the underlying operating system and VMM. This proactive maintenance action halts all applications, optionally preserves selected VM/VMM states, and reinitializes the hypervisor to release all accumulated resource burdens. If resource exhaustion occurs before any rejuvenation action can be initiated, the system transitions into a crash state. Recovery then requires either an automatic post-crash reboot or manual intervention, both of which return the system to a fully restored state. The aging and rejuvenation dynamics are modeled using an extended version of the two-level SMP proposed in [31], shown in Figure 5, with an additional eighth state (F). A summary of the state definitions is provided below:

• State U (UP): The most robust and fully available state. The system returns to this state after full rejuvenation, a crash recovery, or hardware repair.
• State M (Medium-efficient): An available but moderately degraded state. The system enters this state from U due to performance decline or after completing partial rejuvenation.
• State L (Low-efficient): The least robust available state. Severe degradation triggers an alert, prompting a rejuvenation decision before the system transitions to a crash.
• State D (Decision): An instantaneous state where the system selects either partial (level-1) or full (level-2) rejuvenation. Its sojourn time is negligible.
• State P (Partial rejuvenation): The system executes level-1 rejuvenation.
• State R (Full rejuvenation): The system executes level-2 rejuvenation.
• State B (Reboot): Represents the crash-recovery process. The system reaches this state when degradation becomes critical, requiring a reboot to restore state U.
• State F (Server Failure): A hardware failure state that can be entered from any available state. All hardware-related failures of the server hosting the hypervisor, VPAC application, or other associated applications are aggregated here, whereas software aging dynamics are represented in the remaining states.

From a VPAC performance perspective, all states within the available set (U, M, L) are considered acceptable as long as the system continues to meet the most stringent protection performance requirements.

L1 SMP Modeling:

To derive the availability of a VPAC server from the underlying SMP, only the steady state solution of the SMP in Figure 5 is required. The analysis follows a two-step procedure in which the SMP is fully characterized by its kernel matrix $\mathbf{K}\left(\mathbf{t}\right)$ [32,33]:

$$\mathbf{K}\left(\mathbf{t}\right)=\left[\begin{array}{cccccccc}0& k_{01}\left(t\right)& 0& 0& 0& 0& 0& k_{07}\left(t\right)\\ 0& 0& k_{12}\left(t\right)& 0& 0& 0& 0& k_{17}\left(t\right)\\ 0& 0& 0& k_{23}\left(t\right)& 0& 0& k_{26}\left(t\right)& k_{27}\left(t\right)\\ 0& 0& 0& 0& k_{34}\left(t\right)& k_{35}\left(t\right)& 0& 0\\ 0& k_{41}\left(t\right)& 0& 0& 0& 0& 0& 0\\ k_{50}\left(t\right)& 0& 0& 0& 0& 0& 0& 0\\ k_{60}\left(t\right)& 0& 0& 0& 0& 0& 0& 0\\ k_{70}\left(t\right)& 0& 0& 0& 0& 0& 0& 0\end{array}\right]$$

(6)

The kernel elements are defined as

$$\begin{array}{cc}\hfill k_{01}\left(t\right)& ={\int }_0^t\overline{F_{07}}\left(x\right)\mathrm{d}{F}_{01}\left(x\right),k_{07}\left(t\right)={\int }_0^t\overline{F_{01}}\left(x\right)\mathrm{d}{F}_{07}\left(x\right),\hfill \\ \hfill k_{12}\left(t\right)& ={\int }_0^t\overline{F_{17}}\left(x\right)\mathrm{d}{F}_{12}\left(x\right),k_{17}\left(t\right)={\int }_0^t\overline{F_{12}}\left(x\right)\mathrm{d}{F}_{17}\left(x\right),\hfill \\ \hfill k_{23}\left(t\right)& ={\int }_0^t\overline{F_{26}}\left(x\right)·\overline{F_{27}}\left(x\right)\mathrm{d}{F}_{23}\left(x\right),\hfill \\ \hfill k_{26}\left(t\right)& ={\int }_0^t\overline{F_{23}}\left(x\right)·\overline{F_{27}}\left(x\right)\mathrm{d}{F}_{26}\left(x\right),\hfill \\ \hfill k_{27}\left(t\right)& ={\int }_0^t\overline{F_{23}}\left(x\right)·\overline{F_{26}}\left(x\right)\mathrm{d}{F}_{27}\left(x\right),\hfill \\ \hfill k_{34}\left(t\right)& ={\int }_0^t\overline{F_{35}}\left(x\right)\mathrm{d}{F}_{34}\left(x\right),k_{35}\left(t\right)={\int }_0^t\overline{F_{34}}\left(x\right)\mathrm{d}{F}_{35}\left(x\right),\hfill \\ \hfill k_{41}\left(t\right)& =F_{41}\left(t\right),k_{41}\left(t\right)=F_{41}\left(t\right),k_{50}\left(t\right)=F_{50}\left(t\right),\hfill \\ \hfill k_{60}\left(t\right)& =F_{60}\left(t\right),k_{70}\left(t\right)=F_{70}\left(t\right)\hfill \end{array}$$

Here, $F_{ij}\left(t\right)$ denotes the transition cumulative distribution function (CDF), while ${\overline{F}}_{ij}\left(t\right)$ is its complementary form. The allowable transition set is

$$\begin{array}{c}{\overline{F}}_{ij}\left(t\right)=1-F_{ij}\left(t\right),\mathrm{for}(i,j)\in \mathcal{E},\\ \mathcal{E}=\left\{\right(0,1),(0,7),(1,2),(1,7),(2,3),(2,6),(2,7),\\ (3,4),(3,5),(4,1),(5,0),(6,0),(7,0)\}.\end{array}$$

Step 1. Embedded DTMC: The one-step transition probability matrix of the embedded Markov chain is:

$$\begin{array}{cc}\hfill \mathbf{P}=\mathbf{K}(\infty )& =\left[\begin{array}{cccccccc}0& p_{01}& 0& 0& 0& 0& 0& p_{07}\\ 0& 0& p_{12}& 0& 0& 0& 0& p_{17}\\ 0& 0& 0& p_{23}& 0& 0& p_{26}& p_{27}\\ 0& 0& 0& 0& p_{34}& p_{35}& 0& 0\\ 0& p_{41}& 0& 0& 0& 0& 0& 0\\ p_{50}& 0& 0& 0& 0& 0& 0& 0\\ p_{60}& 0& 0& 0& 0& 0& 0& 0\\ p_{70}& 0& 0& 0& 0& 0& 0& 0\end{array}\right]\hfill \end{array}$$

where $p_{ij}\triangleq k_{ij}(\infty )$.

The limiting state probabilities v of this embedded discrete time Markov chain (DTMC) are obtained from

$$v=v·\mathbf{P}andv·\mathbf{e}=1$$

(7)

Step 2. SMP Steady-State Probabilities: The SMP steady-state probabilities ${\pi }_i$ are computed using the limiting state probabilities $v_i$ and the mean sojourn times $h_i$:

$${\pi }_i={\displaystyle \frac{v_i·h_i}{{\sum }_j{v}_j·h_j}}$$

(8)

The mean sojourn times for the SMP in Figure 5 are

$$\begin{array}{cc}\hfill & h_0={\int }_0^{\infty }\overline{F_{01}}\left(t\right)·\overline{F_{07}}\left(t\right)dt,h_1\left(t\right)={\int }_0^{\infty }\overline{F_{12}}\left(t\right)·\overline{F_{17}}\left(t\right)dt,\hfill \\ \hfill & h_2={\int }_0^{\infty }\overline{F_{23}}\left(t\right)·\overline{F_{26}}\left(t\right)·\overline{F_{27}}\left(t\right)dt,h_3={\int }_0^{\infty }\overline{F_{34}}\left(t\right)·\overline{F_{35}}\left(t\right)dt,\hfill \\ \hfill & h_4={\int }_0^{\infty }\overline{F_{41}}\left(t\right)dt,h_5={\int }_0^{\infty }\overline{F_{50}}\left(t\right)dt,\hfill \\ \hfill & h_6={\int }_0^{\infty }\overline{F_{60}}\left(t\right)dt,h_7={\int }_0^{\infty }\overline{F_{70}}\left(t\right)dt\hfill \end{array}$$

Finally, VPAC availability is defined as the probability of the system residing in any of the three acceptable operational states (U, M, L), which correspond to states 0, 1, and 2:

$$A_{VPAC}={\pi }_0+{\pi }_1+{\pi }_2$$

(9)

This availability value is propagated to the each VPAC server blocks in the higher-level RBD of Figure 4, then $A_{VPAC}$ can be found using (2), and substituted into (5), thereby incorporating the effects of software aging and rejuvenation into the overall architectural availability.

3. Primary and Secondary System Analysis

3.1. Secondary System Architectures Analysis

The modeling methodology described in Section 2 is applied to the secondary system architecture shown in Figure 2, with the corresponding reliability parameters summarized in Table 1.

Choice of Model Parameters

The objective of this work is to demonstrate how the SAR model can be integrated into the DSAS architectural reliability analysis. Accordingly, in the absence of any field data from utility, the parameter selection is solely based on reasonable assumptions rather than site-specific measurements.

State 0 represents the most robust operating condition, from which the system initiates operation after deployment or a full refresh. As utility DSAS environments are highly constrained, where system access and software updates occur infrequently, an exponential distribution with an assumed mean time to failure (MTTF) of one year is assigned, i.e., ${\lambda }_{01}=1failures/year$ . This transition models the effect of updates or patches applied to the VPAC-VM, the VMM, or the host OS. The transition to state 1 reflects a moderate degradation phase and is assigned an increased failure rate ${\lambda }_{02}=2failures/year$. State 2 captures the more pronounced degradation phase and is modeled using a Weibull distribution with increasing failure rate (IFR) parameters $(4,2)$, representing the accelerating impact of aging-related faults. State 3 is the decision state, in which the system is taken offline to select either level-1 or level-2 rejuvenation. This transition is modeled using a deterministic function $u(t-r)$, where r represents the scheduled rejuvenation time, consistent with maintenance policy or available downtime opportunities. Partial (level-1) and full (level-2) rejuvenation actions occur in states 4 and 5, respectively. These procedures can be executed remotely without physical site access, and are assigned fixed durations of $t_4=6hours$ and $t_5=10hours$ . In contrast, the crash recovery state 6 may require dispatching maintenance personnel, including logistics time; thus, a fixed duration of $t_6=20hours$ is assumed.

Finally, state 7 models hardware failure of the server hosting the hypervisor, VPAC applications, or associated services. Hardware failure rates are typically provided by the manufacturer as MTTF values and are commonly represented using exponential distributions.

3.2. Primary System Analysis

Well-established analytical techniques exist for evaluating the reliability of primary substation busbar schemes. Among these, the minimal cut set method is widely applied and computationally efficient [35,36]. To automate this process, the procedure begins by assigning identifiers to all primary equipment in the bus scheme and constructing a Proposed Connection Matrix (PCM), derived from the topology illustrated in Figure 1. The PCM, together with the reliability parameters of the primary components, forms the complete input to the analysis program, which then automatically generates the minimal cut sets associated with loads $L_{d1}$ and $L_{d2}$. Detailed descriptions of the minimal cut-set algorithm can be found in [37,38]. In this work, following cut sets up to second order are considered:

• First-Order Total Minimal Cut Sets (FOTMC)
• Second-Order Total Minimal Cut Sets (SOTMC)
• First-Order Active Minimal Cut Sets (FOAMC)
• Second-Order Minimal Cut Sets with Active + Total Failures (SOMCAT)
• Second-Order Minimal Cut Sets with Active + Active Failures (SOMCAA)
• First-Order Failure Events with Stuck Breaker (FOFES)
• Second-Order Failure Events with Stuck Breaker (SOFES)

These categories reflect different combinations of total failures, active failures, and switching-related events such as stuck breakers.

Analytical Method for Primary System

The analytical expressions used to compute the equivalent failure rate $\lambda$ and repair rate r for each minimal cut set are summarized below. These expressions form the basis for the analytical results presented in Table 6.

1.

FOTMC

$$\lambda ={\lambda }_{1}r=r_1$$

(10)

2.

SOTMC

$$\lambda ={\lambda }_1·{\lambda }_2·(r_1+r_2)r={\displaystyle \frac{r_1·r_2}{(r_1+r_2)}}$$

(11)

3.

FOAMC

$$\lambda ={\lambda }_1^{a}r=t_{sw1}$$

(12)

4.

SOMCAT

$$\lambda ={\lambda }_1^a·{\lambda }_2·(t_{sw1}+r_2)r={\displaystyle \frac{t_{sw1}·r_2}{(t_{sw1}+r_2)}}$$

(13)

5.

SOMCAA

$$\lambda ={\lambda }_1^a·{\lambda }_2^a·(t_{sw1}+t_{sw2})r={\displaystyle \frac{t_{sw1}·t_{sw2}}{(t_{sw1}+t_{sw2})}}$$

(14)

6.

FOFES

$$\lambda =P_s·{\lambda }_1^{a}r=t_{sw1}$$

(15)

7.

SOFES

$$\lambda =P_s·{\lambda }_1^a·{\lambda }_2·(t_{sw1}+r_2)r={\displaystyle \frac{t_{sw1}·r_2}{(t_{sw1}+r_2)}}$$

(16)

Here, $P_s$ denotes the probability of a stuck breaker; ${\lambda }_1$, ${\lambda }_2^a$, ${\lambda }_2$, and ${\lambda }_2^a$ represent total and active failure rates of the involved components; and $r_1$, $r_2$, $t_{sw1}$, $t_{sw2}$ denote their corresponding repair and switching times. Table 2 lists the reliability data for all primary components. A MATLAB implementation automated the entire process, generating minimal cut sets directly from the reliability dataset and the PCM matrix. Additional busbar configurations were also evaluated as test cases to validate the correctness and robustness of the developed tool.

3.3. Evaluation of Combined Reliability Indices

Finally, the reliability contributions of the primary and secondary system models are integrated using the following relations. The overall system failure rate is obtained by summing the failure rates of all relevant minimal cut sets:

$$\lambda =\sum _{i=1}^k{\lambda }^k$$

(17)

The system unavailability U is determined by combining the repair characteristics of the first and second order minimal cut sets with the availability of the secondary system architecture:

$$U=r^1+r^2+\sum _{i=3}^k(U_{ds}·r^k+A_{ds}·t_{sw,ds})$$

(18)

where ${\lambda }^k$ and $r^k$ correspond to the failure and repair parameters of the minimal cut sets defined in 10-16. Here, $U_{ds}$ and $A_{ds}$ denote the unavailability and availability of the DSAS, respectively. Additionally, $r^1$ and $r^2$ represent the repair times associated with the FOTMC and SOTMC groups defined in (10) and (11), while $t_{sw,ds}$ represents the switching time attributable to the DSAS. The overall outage duration is then computed directly using:

$$r={\displaystyle \frac{U}{\lambda }}$$

(19)

which yields the complete reliability indices of integrated system.

4. Case Study for Combined System Reliability Indices

The reliability indices model for the individual primary, secondary and combined systems were presented in Section 3. The SAR models introduced in Section 2.2.2 enable the computation of the health and reliability attributes of the VPAC-based server through different software and hardware states. Correspondingly, the primary system failure modes are represented through the minimal cut sets summarized in Table 3.

All minimal cut sets obtained for load $L_{d1}$ are presented in Table 3 Suffixes “A” and “S” denote conditions involving active failures and stuck breakers, respectively. To evaluate the overall system reliability, the primary and secondary models are integrated to determine the combined reliability indices for each load point. Either of the two load points. $(L_{d1}$ or $L_{d2})$ may be considered, as the methodology applies identically to both. The combined analysis focuses on quantifying:

• The failure rate of each load point, reflecting the contribution of both primary equipment failures and secondary system outages; and
• The interruption duration, determined by the combined repair and switching characteristics of the two subsystems.

An analytical framework is employed to evaluate these combined indices, enabling systematic incorporation of the failure modes and architectural characteristics of both the primary and secondary systems depicted in Figure 2.

4.1. Primary System Reliability Indices

The reliability indices associated with each minimal cut set, along with their aggregated contributions, are presented in Table 4. As expected, the results indicate that first-order cut sets dominate both the overall failure rate and the annual downtime of the primary system. These cut sets represent single-component failures that have a direct and immediate impact on load-point reliability, and thus constitute the primary contributors to system risk.

In the second stage of the analysis, the RBD models of the secondary system architecture shown in Figure 3 were evaluated using the equations introduced in Section 2. The architectural logic and corresponding availability expressions were implemented in MATLAB to compute the reliability indices of DSAS.

4.2. Secondary System Reliability Indices

The reliability indices for the VPAC-based DSAS architecture in Figure 2, computed with and without incorporating the SAR model, are summarized in Table 5. The baseline case, which excludes SAR, considers only the hardware failure rate of the VPAC server irrespective of the failure modes associated with the software executed on the platform, reflecting the conventional assumption. Under the selected model parameters, this omission does not significantly influence the overall DSAS availability. However, when the SAR model is integrated, both the failure rate and annual downtime increase, capturing the impact of software aging processes.

The resulting availability of the VPAC server, computed using (9) from the steady-state solution of the SMP in Figure 5, is illustrated in the 3D surface plot in Figure 6. The rejuvenation interval r is expressed in years, and the maximum availability occurs at $r=0.08yr$ and $p=0$, corresponding to a full rejuvenation strategy. This maximum or optimum availability value, for given parameters, can be obtained analytically or numerically, as explained in [31]. The values of indices for VPAC-based SAR architecture in Table 5 is listed for the maximum availability value occurred in Figure 6.

These secondary system indices can then be combined with the primary system results from Table 4 using (17), (18), and (19), from Section 3.3 to derive the final reliability indices for each load point.

4.3. Combined System Reliability Indices

For the combine system analysis, the analytical method introduced in Section 3.3 is adopted. Two key observations arising from the results presented in Table 6 are now examined and discussed in detail.

Table 6. Reliability Indices of CB-and-half Scheme with and without SAR Model.

Architecture	Failure rate	Outage Duration	Annual Downtime
	($f/yr$)	($hr/f$)	($hr/yr$)
CB-and-half without VPAC-SAR	0.14487	4.9111	0.71145
CB-and-half with VPAC-SAR	0.14487	4.9111	0.71145

Table 6. Reliability Indices of CB-and-half Scheme with and without SAR Model.

Architecture	Failure rate	Outage Duration	Annual Downtime
	($f/yr$)	($hr/f$)	($hr/yr$)
CB-and-half without VPAC-SAR	0.14487	4.9111	0.71145
CB-and-half with VPAC-SAR	0.14487	4.9111	0.71145

4.3.1. Decrease in annual downtime achieved through DSAS

The indices in Table 4 were obtained assuming a manual switching time of $t_{sw,m}=1h$ for restoring supply to load point $L_{d1}$ in the absence of a DSAS. When a DSAS is available, this time is reduced to $t_{sw,ds}=0.1h$ in Table 6, owing to automatic, pre-defined switching sequences. However, during periods when the DSAS itself is unavailable, the switching time reverts to the manual value of $1h$. Additionally, it is assumed that approximately two-thirds of feeder faults are transient in nature [39], enabling rapid isolation and restoration through reclosing operations or protection actions. The capability of the DSAS to automatically isolate feeder faults and to initiate swift switching actions significantly decreases both annual downtime and outage duration in the combined system results in Table 6 relative to the aggregated primary-system indices in Table 4. This demonstrates a clear operational advantage offered by the DSAS architecture.

4.3.2. Influence of DSAS Failure Modes

A comparison of the results in Table 6 with those in Table 4 shows that the overall failure rate remains unchanged. Moreover, no difference exists between combined indices with or without SAR architectures, see Table 6. This outcome follows directly from the evaluation methodology, which is based primarily on the failure modes of the primary system. Under the assumptions of this study, a failure within the secondary system does not directly interrupt supply to the load point, and therefore does not alter the failure rate of the combined system which might be unrealistic.

Table. 8 investigates this assumption further, where the “base case” refers to the architecture results obtained using the analytical method summarized in Table 6. Table 7 demonstrates how specific failure modes within a DSAS architecture can influence the reliability indices of load $L_{d1}$. For example, failure of the PS of a critical device such as a VPAC server or a PIU responsible for the protection and control of $L_{d1}$ may force the primary system into a fail-safe state until the faulty component is repaired. In such scenarios, the secondary system failure effectively propagates to the load point, contributing to its interruption duration.

Table 8 introduces some other hypothetical failure modes pertinent to a VPAC server and shows how they influence the primary-side downtime. For clarity, only one failure mode is incorporated per row to highlight its isolated impact. In practice, however, multiple such failure modes may exist within an a system, and their combined effects must be considered to accurately assess overall system reliability. This observation underscores the importance of collecting and analyzing historical reliability data for VPAC-based DSAS architectures. As these systems are almost non-existent in utility environments; therefore, empirical data on secondary system failure behavior is unavailable, yet such information is essential for comprehensive reliability modeling and fully capturing the interdependence between primary and secondary system failure modes.

5. Conclusions and Suggestion

This paper presented a hierarchical modeling framework for integrating software aging dynamics into the RBD representation of a VPAC-based DSAS. The primary aim of this work is to stimulate early research into the selection of software aging models, identification of aging indicators, and deployment of appropriate instrumentation within the VMM/hypervisor and potential VPAC applications in utility grid to enable systematic data collection in laboratory environments or pilot installations. Using the selected parameters to populate the SMP model, the developed SAR model reliability indices showed an increase in failure rate and annual downtime as compared to the model without SAR i.e. to only account for server hardware in the model. Combined substation reliability indices with both these models did not show any influence on substation indices except reduction in downtime due to improvement in switching time as a result of DSAS employment. However, subsequent analysis revealed that this can be attributed to the unavailability of historical failure modes data, and availability of such data can impact the overall substation indices more significantly.

The literature emphasizes the importance of adopting a hybrid approach for software aging prediction. Implementing such an approach requires identifying meaningful aging indicators or system-level metrics capable of revealing degradation trends. In newly deployed systems, the number of potential indicators may be large, necessitating the use of classification, feature selection, or dimensionality reduction techniques to isolate the most informative metrics. These selected indicators can then be analyzed using statistical or machine learning methods to detect early signs of aging. Once the relevant metrics are identified, a suite of established models from the SAR literature may be used to estimate optimal rejuvenation intervals, validate model accuracy, and enhance predictive performance.