Method and system for analyzing the cause of a power system security incident
By employing a hierarchical progressive retrieval strategy and deep causal reasoning using a large language model, the problem of domain knowledge gaps and insufficient reasoning in the causal analysis of power system security events was solved, improving accuracy and reliability. A hierarchical causal network consistent with the power system security control structure was constructed, key nodes were identified, and deep insights were provided for security decision-making.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- CHINA UNIV OF MINING & TECH (BEIJING)
- Filing Date
- 2026-03-27
- Publication Date
- 2026-06-30
Smart Images

Figure CN122309567A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of power operation safety analysis technology, specifically to a method and system for analyzing the causes of power system safety incidents. Background Technology
[0002] The power system is a critical infrastructure supporting the operation of modern society, and its safe and stable operation is directly related to the normal functioning of the economy and society. With the advancement of new power system construction, the system structure is becoming increasingly complex, and its operation is dynamically changing, exhibiting significant self-evolutionary characteristics. When external disturbances or internal anomalies accumulate to a critical state, they can easily trigger cascading failures, producing a "domino effect" of collapse, leading to catastrophic consequences such as large-scale power outages. Power system safety incidents are characterized by their sudden occurrence and rapid spread, and their causal mechanisms exhibit typical characteristics of complex systems: events often originate from the coupling of multiple levels and stages of factors, including initial triggers such as equipment-level failures, as well as the nonlinear interactions of various factors during propagation, such as control strategy failures, abnormal information interaction, and malfunctions of protection systems, exhibiting characteristics of complex socio-technical systems. The causal reasoning capabilities of Large Language Models (LLMs) have long been a focus of attention, and existing technologies have largely applied LLMs to the causal analysis of power system security events. However, existing LLM-based causal mining methods suffer from the following three problems: Lack of domain knowledge limits LLMs' understanding of specific fault modes in power systems.
[0003] Existing reasoning mechanisms are insufficient to support deep, structured causal inferences.
[0004] The controllability and accuracy of the generated results still fall short of practical applications. Summary of the Invention
[0005] To address the problems existing in the prior art, this invention provides a method for analyzing the causes of power system security events, comprising: Step 1: Based on the identified system hazard information, a hierarchical and progressive retrieval strategy is adopted to dynamically generate a query sequence that matches the system hazard information, so as to realize the hierarchical derivation of system safety constraints.
[0006] Step 2 guides LLMs to conduct in-depth, systematic causal reasoning on power system security events, thereby systematically identifying comprehensive causes ranging from physical component failures to organizational decision-making deficiencies, specifically including: Step 2.1 Set up the "Causal Reasoner" and "Retrieval Agent" roles. The "Causal Reasoner" role, upon receiving a description of a power system security event, is first guided to identify the system-level "hazards" and their resulting "losses." The acquired system hazards are then passed to the "Retrieval Agent" role, which executes Step 1 for the current power system security event to obtain the security constraints that need to be met at different levels of the current power system.
[0007] Step 2.2 The “Causal Reasoner” role, based on the power system “hazards” identified in Step 2.1 and the safety constraints that need to be met at different levels, derives and constructs a safety control structure. This safety control structure includes five functional layers: regulatory layer, management layer, operational layer, physical layer, and external change layer. This safety control structure is used to express how the power system should enforce these safety constraints through components and control loops at each level, thereby keeping the hazards within acceptable limits.
[0008] Step 2.3 Based on the safety control structure in Step 2.2, guide the "Causal Reasoner" role to start from the lowest level of physical process control loop, and examine each control link layer by layer from the bottom up, in combination with the specific context of the event, in order to identify in which specific link and in what way the safety constraints were violated.
[0009] Step 2.4 The “Causal Reasoner” role summarizes and abstracts the various control defects identified in Step 2.3, thereby obtaining the potential common causes behind these surface defects.
[0010] Step 2.5 Integrate the analysis results from Steps 2.1 to 2.4 to construct a hierarchical causal network containing a complete causal chain from deep systemic defects to surface technical failures and ultimately to security incidents.
[0011] Step 3 employs a feedback verification method that combines counterfactual reasoning with logical consistency verification to perform dual verification of the comprehensive causes of the intermediate results and final output of Step 2.
[0012] Furthermore, the method described in step 1 for dynamically generating a query sequence adapted to the identified system hazard information using a hierarchical and progressive retrieval strategy includes: Step 1.1 Using the event case description A and system hazard H as initial inputs, define the set of analysis dimensions for safety constraints. These correspond to the top layer, control layer, and component layer, respectively.
[0013] Based on A and H, in each dimension The corresponding security constraints are generated respectively. For each security constraint aspect Generate the corresponding structured request. All requests constitute a set .
[0014] Step 1.2 For each search request In the domain knowledge base Vector similarity retrieval is performed to obtain K relevant document fragments with a similarity greater than a preset value, forming a set. Search results for the same security constraints To perform knowledge fusion and obtain the relevant knowledge context. .
[0015] Step 1.3 Based on the knowledge context of each security constraint aspect obtained in Step 1.2 In order to address corresponding safety constraints Generate at least one corresponding specific and executable security constraint clause. All initially generated security constraint clauses Constitutes the original set of security constraints .
[0016] Furthermore, regarding the original set of security constraints obtained in step 1.3... Optimizations will be made, specifically including: Step 1.3.1 Calculation The semantic similarity between all pairwise constraints is used to form a similarity matrix M, where .
[0017] Step 1.3.2 Set the similarity threshold traversal All clauses If their semantic similarity If the semantics of the two are highly overlapping, then the action in step 1.3.3 is executed; otherwise, the action in step 1.3.4 is executed.
[0018] Step 1.3.3 Identify semantically highly overlapping clauses. Semantic merging and refinement are performed to generate a new, more generalized constraint clause to replace the original similar clauses.
[0019] Step 1.3.4 Retain the pair of clauses.
[0020] Furthermore, the method for deriving and constructing a safety control structure for the "Causal Reasoner" role in step 2.2 is as follows: map each safety constraint to the corresponding control level and specific component responsible for executing the constraint, and identify the key control loops that transmit control instructions and feedback information between levels.
[0021] Furthermore, the method for constructing the hierarchical causal network described in step 2.5 includes: Step 2.5.1 Instantiate the control defects and systemic defects identified in Steps 2.3 and 2.4 into network nodes. And label the level to which each node belongs.
[0022] Step 2.5.2 Based on the cause-effect logic and system control structure, infer and establish directed connections between nodes to form various cause chains and fault chains, specifically including: First, for any two nodes Construct a directed edge if and only if a direct causal relationship exists. .
[0023] Then, repeat the above process to generate a series of triples in the form of "cause, relation, result". : Formula 1 in, This represents the set of all causal nodes and fault state nodes. This represents the set of causal directed edges between nodes.
[0024] Step 2.5.3 Integrate all cause chains and fault chains to form a complete, multi-level hierarchical cause network.
[0025] Furthermore, the hierarchical causal network described in step 2.5 is expressed by Equation 2: Formula 2 in, Represents a hierarchical causal network. This represents the set of all causal nodes and fault state nodes. This represents the set of directed causal edges between nodes. At this point, a hierarchical causal network... Composed of two interconnected factor networks and faulty subnetwork Composition, in which: Factor network It is used to express how static defects at each level of the system collectively create the conditions for failure to occur.
[0026] Faulty subnetwork It is used to describe how an initial disturbance is amplified step by step through the system's internal connections, eventually leading to an out-of-control event and specific losses.
[0027] Furthermore, the causative factor network Expressed by Equation 3: Formula 3 in, The set of causal nodes representing systemic defects at each level. This represents the set of fault nodes directly caused by the aforementioned defects. It is a set of nodes shared by two sub-networks. A set of directed edges representing a "cause" relationship, used to connect... Edges or connections between internal nodes point to The edge.
[0028] The causative factor network Expressed by Equation 4: Formula 4 in, Refers to the set of faulty nodes that describe the abnormal state of the system. The set of directed edges representing the "initiation" relationship.
[0029] Furthermore, the method described in step 3, which employs a feedback verification method combining counterfactual reasoning and logical consistency verification to perform dual verification of the comprehensive causal factors of the intermediate results and final output of step 2, includes: The design includes a "Counterfactual Reasoner" role and a "Logical Consistency Verifier" role. The "Counterfactual Reasoner" role performs hierarchical verification of counterfactual reasoning, while the "Logical Consistency Verifier" role verifies the logical consistency of the hierarchical causal network based on defined consistency rules.
[0030] The layered verification of the counterfactual reasoning includes: Step 3.1 Let Indicates the cause of the event The set of all necessary defects that occur, in which Let n be a defect numbered 1 to n to be evaluated.
[0031] Step 3.2 Based on Equation 5, determine the defects in the physical and operational layers. Is it an event? Necessary defects: Formula 5 in, Represents the set of all necessary defects Remove defects , Indicates the event under this condition The probability of occurrence; if the probability is 0, it indicates a defect. For the event The necessary defects.
[0032] To address the deficiencies in management and regulation, we use Formula Six to identify these deficiencies. Is it an event? Necessary defects: Formula Six in, It represents the probability of an event occurring when the set of defects is complete in the real world. It is to eliminate defects The probability after, when satisfying Time indicates defect For the event The necessary defects.
[0033] Furthermore, through feedback iterations between the "Causal Reasoner," "Counterfactual Reasoner," and "Logical Consistency Verifier" roles, the output results of multilevel causal analysis and causal networks are optimized, specifically including: When the "Causal Reasoner" role performs step 2.3, it will output a preliminary list of event causes and pass it on to the "Counterfactual Reasoner" role.
[0034] After receiving the initial list of causes of events, the “Counterfactual Reasoner” role reads the flawed factors in the initial list of causes of events one by one and performs counterfactual reasoning.
[0035] When a defective factor fails the counterfactual reasoning check, the "Counterfactual Reasoner" role outputs "Failed" and provides corresponding modification suggestions to the "Causal Reasoner" role for re-identification. This process continues until all defective factors pass the counterfactual check, at which point the "Causal Reasoner" role begins executing step 2.4.
[0036] After the "Causal Reasoner" role outputs the preliminary list of event causation network triples, it passes it to the "Logical Consistency Verifier" role. Upon receiving the preliminary list of event causation network components, the "Logical Consistency Verifier" performs logical consistency verification according to the validation rules. If a verification fails, it returns correction suggestions to the "Causal Reasoner" role until the preliminary list of event causation network components passes the logical consistency verification, at which point it outputs the final list of event causation network components.
[0037] Furthermore, this invention also provides a power system security event cause analysis system, comprising: a retrieval enhancement generation module, an enhanced reasoning module, and a feedback verification module, wherein: The retrieval enhancement generation module is used to perform the relevant steps in step 1 of the above-mentioned power system security event cause analysis method.
[0038] The enhanced reasoning module is used to execute the relevant steps in step 2 of the above-mentioned power system security event cause analysis method.
[0039] The feedback verification module is used to execute the relevant steps in step 3 of the above-mentioned power system security event cause analysis method.
[0040] The advantages of this invention are: 1. This invention systematically improves the accuracy, reliability, and structured output capability of large language models in complex causal mining, especially in the causal analysis of power system security events, where this improvement is particularly significant.
[0041] 2. The hierarchical causal network constructed in this invention is an effective form of risk representation. It not only conforms to the power system security control structure, but its network topology analysis also reveals the hierarchical role pattern of risk elements.
[0042] 3. This invention can identify strategic nodes that possess both high initiation and high transmission capabilities, providing in-depth insights for security decision-making that go beyond traditional experience. Attached Figure Description
[0043] To more clearly illustrate the specific embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the specific embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention. For those skilled in the art, other drawings can be obtained from these drawings without creative effort.
[0044] Figure 1This invention demonstrates the performance of different large models under different similarity thresholds on the task of identifying causes and fault nodes. Figure 2 This invention demonstrates the performance of different large models in simple prompts and node recognition tasks based on the HCN-MA framework. Figure 3 This is the performance of different large models on different levels of node recognition tasks when the threshold of this invention is 0.8; Figure 4 This invention demonstrates the performance of different large models under different similarity thresholds on the hierarchical causal network identification task. Figure 5 This describes the performance of different large models of the present invention in simple prompts and hierarchical causal network identification tasks based on the method of the present invention; Figure 6 This is the performance of different large models on different types of link triplet recognition tasks when the threshold of this invention is 0.8; Figure 7 This is an example of constructing a hierarchical causative network for power grid fault events, as exemplified by the present invention. Figure 8 This is an example of a hierarchical causal network diagram of power grid fault events in this invention; Figure 9 This is an example of the topological centrality of the power grid fault-causing network in this invention; Figure 10 These are the key nodes and paths of the power grid fault causation network based on weighted out-degree centrality, as exemplified in this invention. Figure 11 These are the key nodes and paths of the power grid fault causation network based on betweenness centrality, as exemplified in this invention. Figure 12 This is the topological centrality of the power grid fault network exemplified in this invention; Figure 13 These are the key nodes and paths in the power grid fault network based on weighted out-degree centrality, as exemplified in this invention. Detailed Implementation
[0045] To make the objectives, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present invention, not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.
[0046] This invention provides, by way of example, a method for analyzing the causes of power system security events, comprising: Step 1: Based on the identified system hazard information, a hierarchical and progressive retrieval strategy is adopted to dynamically generate a query sequence that matches the system hazard information, so as to realize the hierarchical derivation of system safety constraints.
[0047] Step 2 guides LLMs to conduct in-depth, systematic causal reasoning on power system security events, thereby systematically identifying comprehensive causes ranging from physical component failures to organizational decision-making deficiencies, specifically including: Step 2.1 Set up the "Causal Reasoner" and "Retrieval Agent" roles. The "Causal Reasoner" role, upon receiving a description of a power system security event, is first guided to identify the system-level "hazards" and their resulting "losses." The acquired system hazards are then passed to the "Retrieval Agent" role, which executes Step 1 for the current power system security event to obtain the security constraints that need to be met at different levels of the current power system.
[0048] Step 2.2 The “Causal Reasoner” role, based on the power system “hazards” identified in Step 2.1 and the safety constraints that need to be met at different levels, derives and constructs a safety control structure. This safety control structure includes five functional layers: regulatory layer, management layer, operational layer, physical layer, and external change layer. This safety control structure is used to express how the power system should enforce these safety constraints through components and control loops at each level, thereby keeping the hazards within acceptable limits.
[0049] Step 2.3 Based on the safety control structure in Step 2.2, guide the "Causal Reasoner" role to start from the lowest level of physical process control loop, and examine each control link layer by layer from the bottom up, in combination with the specific context of the event, in order to identify in which specific link and in what way the safety constraints were violated.
[0050] Step 2.4 The “Causal Reasoner” role summarizes and abstracts the various control defects identified in Step 2.3, thereby obtaining the potential common causes behind these surface defects.
[0051] Step 2.5 Integrate the analysis results from Steps 2.1 to 2.4 to construct a hierarchical causal network containing a complete causal chain from deep systemic defects to surface technical failures and ultimately to security incidents.
[0052] Step 3 employs a feedback verification method that combines counterfactual reasoning with logical consistency verification to perform dual verification of the comprehensive causes of the intermediate results and final output of Step 2.
[0053] Step 2 is the core step in the entire power system security incident cause analysis process. The goal of Step 2 is to guide LLMs to conduct in-depth and systematic causal reasoning on power system security incidents. To this end, the applicant designed a multi-step, top-down reasoning chain and constructed a five-step reasoning process to guide LLMs to gradually complete in-depth cause analysis, build a hierarchical cause network, and thus systematically identify all-round causes, from physical component failures to organizational decision-making deficiencies.
[0054] Specifically: Step 2.1, the first step in the five-step reasoning process, is to identify hazards and safety constraints. This step aims to clarify the boundaries and objectives of the analysis. After receiving a description of a power system safety event, the Causal Reasoner is first guided to identify the system-level “hazards” and the resulting “losses”.
[0055] This step can improve the accuracy of system hazard identification by listing common errors in the process. For example, a system component failure or unsafe behavior is not a system hazard, but rather the cause of the hazard. The acquired system hazard is then passed to the Retrieval Agent, which performs Step 1 on the current power system security event to obtain the security constraints that need to be met at different levels of the system.
[0056] Step 2.2, the second step in the five-step reasoning process, involves modeling the safety control structure. Based on the system hazards and corresponding safety constraints identified in the first step, this step derives and constructs a specialized safety control structure. The core function of this structure is to characterize how the system should execute these safety constraints through components and control loops at each level, thereby keeping the hazards within acceptable limits.
[0057] Step 2.3, the third step in the five-step reasoning process, involves reviewing control deficiencies. Building upon the established safety control structure, this step guides the Causal Reasoner to examine each control link layer by layer from the bottom up, starting with the lowest-level physical process control loop and considering the specific context of the event. The analysis focuses on identifying at which specific link and in what way safety constraints are violated. For example: Did the controller issue an incorrect command? Did the execution component fail to act correctly? Or is there a missing or distorted feedback? This step aims to systematically discover direct errors and deficiencies in control actions.
[0058] Step 2.4, the fourth step in the five-step reasoning process, involves uncovering systemic causes. This step aims to move beyond the analysis of direct operational errors and delve deeper into the underlying systemic roots of the event. The Causal Reasoner needs to summarize and abstract the series of independent control deficiencies identified in Step 3, exploring the potential common causes behind these surface defects. These systemic factors are typically rooted in the organization's decision-making processes, safety culture, management systems, and communication mechanisms. Specific manifestations may include: inadequate risk assessment, insufficient allocation of safety resources, barriers to cross-departmental communication, or inaccurate sharing of risk information. This step ensures that the final cause reaches the fundamental driving factors of the event, rather than merely remaining at the surface-level direct causes.
[0059] Step 2.5, the fifth step in the five-step reasoning process, involves constructing a hierarchical causal network. This step aims to systematically integrate all the analytical results from the preceding steps to build a structured, event-specific hierarchical causal network. This network is designed to clearly reveal the complete causal chain from deep-seated systemic defects to surface-level technical failures, ultimately leading to security incidents.
[0060] The improvements made in this invention systematically enhance the accuracy, reliability, and structured output capabilities of large language models in the complex causal mining of power system security events. The resulting hierarchical causal network is an effective form of risk representation. It not only conforms to the power system security control structure, but its network topology analysis also reveals the hierarchical role patterns of risk elements. Furthermore, it can identify strategic nodes with both high initiation and transmission capabilities, providing profound insights for security decision-making that go beyond traditional experience.
[0061] This invention provides, by way of example, a method for dynamically generating a query sequence adapted to the system hazard information based on the identified system hazard information obtained in step 1, using a hierarchical and progressive retrieval strategy, comprising: Step 1.1 Using the event case description A and system hazard H as initial inputs, define the set of analysis dimensions for safety constraints. These correspond to the top layer, control layer, and component layer, respectively.
[0062] Based on A and H, in each dimension Next, generate the corresponding security constraints. square noodle For each security constraint aspect Generate the corresponding structured request. All requests constitute a set
[0063] Step 1.2 For each search request In the domain knowledge base Vector similarity retrieval is performed to obtain K relevant document fragments with a similarity greater than a preset value, forming a set. Search results for the same security constraints To perform knowledge fusion and obtain the relevant knowledge context. .
[0064] Step 1.3 Based on the knowledge context of each security constraint aspect obtained in Step 1.2 In order to address corresponding safety constraints Generate at least one corresponding specific and executable security constraint clause. Each aspect may generate one or more clauses, all of which are initially generated security constraint clauses. Constitutes the original set of security constraints .
[0065] Power system security incidents are characterized by complex and highly specialized causes. Large language models (RAGs), lacking domain knowledge guidance, struggle to accurately generate security constraints that conform to industry standards. While traditional RAG methods can effectively integrate external knowledge, their application in power system security incident causal analysis faces two key challenges: First, what query strategy should be developed to accurately represent complex, multi-layered analytical needs? Second, what knowledge base should be established to deeply align with the domain knowledge structure and support reliable retrieval? The core of these issues lies in establishing an intelligent matching mechanism that can map complex analytical tasks to structured domain knowledge.
[0066] To effectively address the illusion problem in system security constraint identification within the existing technological framework, this invention proposes an enhanced retrieval and generation method. Step 1.1 generates an adaptive retrieval request; step 1.2 performs hierarchical retrieval and knowledge fusion; and step 1.3 generates hierarchical constraints. This method employs a hierarchical, progressive retrieval strategy, dynamically generating suitable query sequences based on identified system hazards. It aims to achieve more accurate and relevant knowledge retrieval than the standard RAG (Relational Language Acquisition) model, thereby effectively integrating power system security control knowledge into the reasoning process of the large language model. Specifically, this invention proposes an adaptive query planning strategy for the automatic identification of system security constraints.
[0067] This invention provides an exemplary solution for the original set of security constraints obtained in step 1.3. The optimization methods specifically include: Step 1.3.1 Calculation The semantic similarity between all pairwise constraints is used to form a similarity matrix M, where .
[0068] Step 1.3.2 Set the similarity threshold traversal In this case, the preferred option is... If their semantic similarity If the semantics of the two are highly overlapping, then the action in step 1.3.3 is executed; otherwise, the action in step 1.3.4 is executed.
[0069] Step 1.3.3 Identify semantically highly overlapping clauses. Semantic merging and refinement are performed to generate a new, more generalized constraint clause to replace the original similar clauses.
[0070] Step 1.3.4 Retain the pair of clauses.
[0071] This optimization method effectively solves the problem. The potential semantic redundancy issues in the process ensure that the final output core security constraint set is a comprehensive and non-repeating set of core security constraints at the top, control, and component levels, effectively improving the conciseness of the constraint stripes.
[0072] To efficiently support enhanced event causation reasoning retrieval, this invention provides an exemplary knowledge base for power system safety event prevention and control. The knowledge base integrates core regulations and standard documents such as the "Eighteen Major Power Grid Accident Prevention Measures of State Grid Corporation", "Twenty-Five Key Requirements for Preventing Power Production Incidents", "Technical Specifications for Relay Protection and Safety Automatic Devices" (GB / T 14285), "Design Specifications for Power System Dispatch Automation" (DL / T 5003), "Preventive Testing Specifications for Power Equipment" (DL / T 596), and "Condition Maintenance Testing Specifications for Transmission and Transformation Equipment" (Q / GDW). Key technical content is retained through format standardization and removal of redundant information.
[0073] Because the standards and regulations documents in the aforementioned knowledge sources typically use a hierarchical numbering system such as "chapter-section-article" to organize their content, they inherently possess clear logical and semantic boundaries. Using conventional fixed-length or general semantic segmentation methods to segment this type of text would disrupt its inherent structure, leading to semantic fragmentation and thus affecting the accuracy of subsequent retrieval.
[0074] To address this issue, the present invention provides an exemplary two-stage text segmentation method that balances semantic integrity and retrieval accuracy.
[0075] Phase 1: Coarse-grained segmentation based on document structure. First, the document is strictly segmented according to its inherent hierarchical structure (with chapters, sections, and articles as basic units) to ensure that each generated text block is thematically complete and logically consistent.
[0076] The second stage: fine-grained adjustment based on semantic coherence. Subsequently, for clauses that are too long, adaptive adjustments are made through semantic coherence detection, and they are further subdivided at the boundaries of semantic transitions or topic shifts.
[0077] This method avoids the problem of excessively long or semantically mixed single text blocks, thereby further optimizing the retrieval granularity and accuracy.
[0078] The present invention provides an exemplary method for deriving and constructing a security control structure for the "Causal Reasoner" role described in step 2.2, which involves mapping each security constraint to the corresponding control level and specific component responsible for executing the constraint, and identifying the key control loops that transmit control instructions and feedback information between levels.
[0079] For example, the control responsibility for the constraint "maintaining line power flow below the thermal stability limit" may be assigned to: the regulatory layer (setting standards), the management layer (allocating resources), the operational layer (executing scheduling), and the physical layer (sensing and protection devices). This method clarifies the specific control responsibility and corresponding layer for the constraint "maintaining line power flow below the thermal stability limit" within a specific event chain, avoiding logical confusion.
[0080] This invention provides an exemplary method for constructing the hierarchical causal network described in step 2.5, comprising: Step 2.5.1 Instantiate the control defects and systemic defects identified in Steps 2.3 and 2.4 into network nodes. And label the level to which each node belongs.
[0081] Step 2.5.2 Based on the cause-effect logic and system control structure, infer and establish directed connections between nodes to form various cause chains and fault chains, specifically including: First, for any two nodes Construct a directed edge if and only if a direct causal relationship exists. .
[0082] Then, repeat the above process to generate a series of triples in the form of "cause, relation, result". : Formula 1 in, This represents the set of all causal nodes and fault state nodes. This represents the set of causal directed edges between nodes.
[0083] Step 2.5.3 Integrate all cause chains and fault chains to form a complete, multi-level hierarchical cause network.
[0084] Compared to existing hierarchical cause networks built solely through event chain models, the hierarchical cause network construction method provided by this invention not only describes "what happened" by constructing fault chains, but more importantly, explains "why it happened" by constructing cause chains, thereby providing a deeper level of insight for system security analysis.
[0085] This invention provides an exemplary hierarchical causal network as described in step 2.5, expressed by Equation 2: Formula 2 in, Represents a hierarchical causal network. This represents the set of all causal nodes and fault state nodes. This represents the set of directed causal edges between nodes. At this point, a hierarchical causal network... Composed of two interconnected factor networks and faulty subnetwork Composition, in which: Factor network It is used to express how static defects at each level of the system collectively create the conditions for failure to occur.
[0086] Faulty subnetwork It is used to describe how an initial disturbance is amplified step by step through the system's internal connections, eventually leading to an out-of-control event and specific losses.
[0087] The present invention provides an exemplary factor network. This can be expressed by Equation 3: Formula 3 in, The set of causal nodes representing systemic defects at each level. This represents the set of fault nodes directly caused by the aforementioned defects. It is a set of nodes shared by two sub-networks. A set of directed edges representing a "cause" relationship, used to connect... Edges or connections between internal nodes point to The edge.
[0088] The present invention provides an exemplary factor network. This can be expressed by Equation 4: Formula 4 in, Refers to the set of faulty nodes that describe the abnormal state of the system. The set of directed edges representing the "initiation" relationship.
[0089] The aforementioned hierarchical causative network includes causative factor networks. and faulty subnetwork The two sub-networks communicate through a shared set of faulty nodes. This achieves logical coupling, thereby forming a unified analytical view. It reveals the potential root causes and structural weaknesses of the risks, and It depicts the explicit evolution of risk and the chain of consequences. This dual representation allows the analysis to both trace the root causes and infer the consequences.
[0090] This invention provides, by way of example, a method for dual verification of the comprehensive causal factors of the intermediate results and the final output of step 2 using a feedback verification method that combines counterfactual reasoning and logical consistency verification in step 3, comprising: The design includes a "Counterfactual Reasoner" role and a "Logical Consistency Verifier" role. The "Counterfactual Reasoner" role performs hierarchical verification of counterfactual reasoning, while the "Logical Consistency Verifier" role verifies the logical consistency of the hierarchical causal network based on defined consistency rules.
[0091] The layered verification of the counterfactual reasoning includes: Step 3.1 Let Indicates the cause of the event The set of all necessary defects that occur, in which Let n be a defect numbered 1 to n to be evaluated.
[0092] Step 3.2 Based on Equation 5, determine the defects in the physical and operational layers. Is it an event? Necessary defects: Formula 5 in, Represents the set of all necessary defects Remove defects , Indicates the event under this condition The probability of occurrence; if the probability is 0, it indicates a defect. For the event The necessary defects.
[0093] To address the deficiencies in management and regulation, we use Formula Six to identify these deficiencies. Is it an event? Necessary defects: Formula Six in, It represents the probability of an event occurring when the set of defects is complete in the real world. It is to eliminate defects The probability after, when satisfying Time indicates defect For the event The necessary defects.
[0094] Although step 2 of this invention can generate a preliminary causative network, the inherent hallucination phenomena and reasoning bias risks of LLMs still exist. To ensure the accuracy and reliability of the analysis results, this invention proposes an iterative verification method driven by two roles. This method receives intermediate results and final outputs from upstream inference and employs a dual verification mechanism combining counterfactual reasoning and logical consistency verification to form a closed-loop, self-improving analysis system, thereby enhancing the quality of the event causative network.
[0095] This invention provides, by way of example, an optimization method for the output results of multilayer causal analysis and causal networks, comprising: When the "Causal Reasoner" role performs step 2.3, it will output a preliminary list of event causes and pass it on to the "Counterfactual Reasoner" role.
[0096] After receiving the initial list of causes of events, the “Counterfactual Reasoner” role reads the flawed factors in the initial list of causes of events one by one and performs counterfactual reasoning.
[0097] When a defective factor fails the counterfactual reasoning check, the "Counterfactual Reasoner" role outputs "Failed" and provides corresponding modification suggestions to the "Causal Reasoner" role for re-identification. This process continues until all defective factors pass the counterfactual check, at which point the "Causal Reasoner" role begins executing step 2.4.
[0098] After the "Causal Reasoner" role outputs the preliminary list of event causation network triples, it passes it to the "Logical Consistency Verifier" role. Upon receiving the preliminary list of event causation network components, the "Logical Consistency Verifier" performs logical consistency verification according to the validation rules. If a verification fails, it returns correction suggestions to the "Causal Reasoner" role until the preliminary list of event causation network components passes the logical consistency verification, at which point it outputs the final list of event causation network components.
[0099] This method optimizes the output results of multilevel causal analysis and causal network through feedback iteration between the "Causal Reasoner" role, the "Counterfactual Reasoner" role, and the "Logical Consistency Verifier" role.
[0100] This invention provides an exemplary power system security event cause analysis system, comprising: a retrieval enhancement generation module, an enhanced reasoning module, and a feedback verification module, wherein: The retrieval enhancement generation module is used to perform the relevant method steps in step 1 of the power system security event causation analysis method in the example above.
[0101] The enhanced reasoning module is used to execute the relevant method steps in step 2 of the power system security event causation analysis method in the example above.
[0102] The feedback verification module is used to execute the relevant steps in step 3 of the power system security event cause analysis method in the example above.
[0103] To verify the effectiveness of the method of the present invention, verification experiments were conducted, specifically including: I. Dataset Construction The dataset is sourced from the Electricity Safety Supervision Department of the National Energy Administration. This website provides a detailed record of power system safety incidents that occurred in China between 2012 and 2024, including event summaries, descriptions, identified causes, and preventative and improvement measures.
[0104] To ensure annotation quality, this invention employs a three-layer collaborative framework: manual screening → large-scale language model-assisted mining → expert review. First, 100 typical power system safety incident reports from 2012 to 2023, publicly available on the website of the Electricity Safety Supervision Department of the National Energy Administration, were used. Through regular expression matching and rule-based templates, non-text elements such as tables, headers, and footers were removed, retaining core text fields such as event details, cause analysis, and preventative measures to form an initial corpus. Then, professional technicians conducted causal analysis of the events. Finally, electrical safety experts verified the logical consistency of the identified event causes and causal networks. The resulting dataset is labeled the PS-HCN dataset, containing 100 power system safety incident cases covering various scenarios including generation, distribution, transformation, and transmission. It contains 1332 nodes and 1488 edges, including 514 fault-related nodes and 818 cause-related nodes.
[0105] II. Experiment Setup Using HCN-MA as the designation for the method of this invention, a series of experiments were conducted using large language models including DeepSeek-R1 (DeepSeek-V3.1-Terminus version updated on September 22, 2025), Qwen-Plus (Qwen-Plus-2025-09-11); GPT-4o (version released in May 2024), GLM-4-Plus (version released in August 2024), Qwen2.5-72B (qwen2.5-72b-instruct); and Qwen2.5-32B (qwen2.5-32b-instruct). The selected model set helps to systematically examine the impact of model architecture, parameter size, Chinese domain adaptability, and openness on complex knowledge mining tasks, thereby ensuring the rigor and universality of the evaluation results.
[0106] This invention draws upon research findings from WEBNLG and others regarding methods for evaluating the effectiveness of knowledge extraction based on LLMs, and designs an evaluation method based on semantic similarity adapted to the Chinese context. The core of this method lies in utilizing BERTScore to calculate candidate nodes. With reference node semantic similarity between Simultaneously calculate candidate causal triples With reference causal triplet semantic similarity between The specific calculation formula is as follows:
[0107]
[0108] Use a preset threshold S to determine matching pairs. or Does it have a valid match? Only if the match is valid. or The final similarity score exceeds the preset threshold Only then is it considered a true positive result.
[0109] To determine the final matching pairs from the candidate set and the reference set, and to avoid evaluation bias caused by a candidate matching multiple reference items (or vice versa), this invention employs a greedy matching algorithm. The algorithm's flow is as follows: First, calculate the semantic similarity between all candidate options and all reference options.
[0110] Then, the pair with the highest similarity among all possible pairings is iteratively selected. Once a pair is confirmed, its corresponding candidate and reference pairs are removed from their respective sets of pairs to be matched (i.e., a no-replacement strategy is adopted) and no longer participate in the subsequent matching process. This iteration continues until no more valid pairs with scores exceeding the threshold can be formed.
[0111] Ultimately, all confirmed matches were used to calculate the standard precision, recall, and F1 score.
[0112] This strategy ensures the uniqueness of the match and the fairness of the evaluation, effectively reflecting the model's ability to identify and generate accurate causal information.
[0113] III. Experimental Results Based on the PS-HCN dataset, this invention evaluates the performance of the proposed framework HCN-MA on DeepSeek-V3.1, GPT-4o, GLM-4-Plus, Qwen-Plus, Qwen2.5-72B and Qwen2.5-32B through multiple rounds of experiments for the task of hierarchical causal network mining of power system security events.
[0114] (1) Identification of causes and fault nodes For causal and fault node identification, the macro-average F1 and micro-average F1 performances of each model under different similarity thresholds are as follows: Figure 1 As shown in (a) and (b), overall, the performance trends of each model under both evaluation metrics are consistent, showing a downward trend as the threshold increases. When the threshold is between 0.60 and 0.80, the performance decline is relatively gradual; however, when the threshold exceeds 0.80, the F1 scores of all models show a significant drop, indicating that this range is a sensitive inflection point for performance changes. Comparing the models, DeepSeek-V3.1 consistently performs best under different threshold settings, followed by GPT-4o, while Qwen2.5-32B's overall performance is slightly lower than other models, reflecting the stability of model performance differences and their potential correlation with parameter size.
[0115] Table 1 shows the performance comparison of various large language models in the node recognition task based on the HCN-MA framework when the similarity threshold is set to 0.8. From the macro-average and micro-average results, Deepseek-V3.1 achieved the best overall performance (macro-average F1: 0.835; micro-average F1: 0.849). Models such as GPT-4o, GLM-Plus, and Qwen-Plus performed in the middle range, while Qwen2.5-32B had a significantly lower recall rate, resulting in a relatively lower F1 score, further confirming the impact of model capability differences on task performance.
[0116] Table 1. Performance of different large models in node recognition task when the threshold is 0.8.
[0117] To systematically evaluate the effectiveness of this framework, this invention establishes a baseline method for comparison. This baseline is directly based on the core concepts of the STAMP-CAST theory, designing structured cue words to guide and constrain the generation of causal analysis results from large models. Figure 2 The micro-average performance of each model under the baseline method is shown, and the results are significantly lower than the performance of the corresponding models under the full HCN-MA framework. This significant gap indicates that relying solely on theoretical hints is insufficient to stably guide the model to extract accurate and consistent structured information. In contrast, this framework, by introducing hierarchical parsing and dynamic constraints, significantly improves the model's ability to deeply understand the semantics and generate structured information about the causes of power safety events, thus verifying the substantial progress of the HCN-MA framework in terms of knowledge accuracy and reliability.
[0118] This invention further evaluates the fine-grained performance of its nodes at each level (external change layer, physical layer, operational layer, management layer, and supervisory layer) in a hierarchical causal network, and the results are as follows: Figure 3 As shown. This evaluation aims to reveal the differences in the ability of different models to handle causal categories with heterogeneous semantics and structured features.
[0119] Overall, DeepSeek-V3.1 maintained robust and leading performance across all five layers (F1 score range: 0.76–0.88), demonstrating its excellent cross-layer semantic understanding and consistent generation capabilities. In contrast, while GPT-4o performed exceptionally well at the physical layer, its performance at the external change layer, operational layer, management layer, and regulatory layer was poor, indicating an imbalance in its ability to identify different types of causal nodes.
[0120] From a hierarchical perspective, all models generally perform best at the physical layer. This is mainly because nodes at this layer typically contain explicit technical terms and clearly defined fault types (such as "relay malfunction" and "insulation breakdown"), with standardized textual expressions and clear semantic boundaries, which facilitates accurate matching and generation by large models. The recognition performance of management and regulatory layer nodes is second best. It is worth noting that all models perform worst at the external change layer. This is primarily because nodes at this layer often correspond to brief, isolated descriptions of external events (such as "lightning strike" and "strong wind"), resulting in low textual information density and a lack of semantic context. In semantic similarity-based matching, this makes them highly susceptible to matching failures due to brief descriptions or differences in synonyms.
[0121] (3) Hierarchical causal network identification In the hierarchical causative network identification task, the performance variation patterns of each model under different thresholds are basically consistent with those in the causative node identification task, such as... Figure 4 As shown, once the threshold exceeds 0.80, the F1 scores of all models show a significant decline, indicating that this interval is a performance-sensitive inflection point.
[0122] Table 2 shows the performance of each model on the hierarchical causal network identification task when the similarity threshold is 0.8. Considering both macro-average and micro-average results, DeepSeek-V3.1 shows the most balanced and outstanding performance (Macro-F1=0.833; Micro-F1=0.856), maintaining high recall (macro-average 0.924, micro-average 0.897) while also achieving high precision, demonstrating strong deep causal association identification and structured reasoning capabilities. GPT-4o has extremely high precision (macro-average 0.893) but significantly lower recall (macro-average 0.737), reflecting its tendency towards conservative predictions; GLM-plus exhibits high recall and medium precision. The Qwen series models show divergence: Qwen-plus performs steadily overall, while Qwen2.5-32B, despite having the highest precision (macro-average 0.915), has a significantly lower recall (macro-average 0.716) than other models, resulting in a relatively lower F1 score.
[0123] Table 2. Performance of different large models in the hierarchical causal network identification task when the threshold is 0.8.
[0124] Under the baseline method, the macro-average and micro-average F1 scores of all models are significantly lower than their performance under the full HCN-MA framework, such as... Figure 5 As shown, taking DeepSeek-V3.1 as an example, its macro-average F1 score dropped from 0.833 to 0.70, a significant decrease; other models also showed similar trends, with Qwen2.5-32B showing a particularly pronounced decrease in macro-average recall. This systematic performance gap indicates that relying solely on theoretical hints is insufficient to reliably guide models to achieve accurate and consistent extraction of multi-level causal networks. In contrast, the HCN-MA framework, through its hierarchical parsing mechanism and dynamic semantic constraints, significantly enhances the model's deep semantic understanding and structured generation capabilities for event causation, thereby achieving substantial improvements in the accuracy, reliability, and completeness of knowledge extraction. This strongly validates the methodological advancements of this framework in causal analysis of complex systems.
[0125] This invention further analyzes the identification results of different types of link triples in hierarchical causative networks, mainly including fault triples (fault A, cause, fault B) and causative triples (cause A, cause, cause B) or (cause A, cause, fault A), such as Figure 6 As shown.
[0126] Overall, DeepSeek-V3.1 maintains its leading position in both types of tasks, demonstrating strong capabilities in resolving complex relationships and generalizing. The remaining models can be roughly divided into two tiers based on their performance: GPT-4o, GLM-plus, and Qwen-plus are at an above-average level, and their strengths in fault chain identification are relatively consistent; the Qwen2.5 series is relatively weaker, especially Qwen2.5-32B, which ranked lowest in both tasks.
[0127] Looking at different types of link triples, all models significantly outperformed causal chains in identifying fault chains (the average F1 score for fault chains was about 0.07–0.15 higher than that for causal chains). This is largely because fault chains typically correspond to a structured and semantically clear evolutionary path of "initial fault → cascading fault → final loss," which is easy for models to capture and infer; while causal chains involve more diverse causal types and more complex semantic scenarios, thus increasing the difficulty of identification.
[0128] The technical solution of the present invention will be further illustrated below with specific examples.
[0129] First, based on the method of this invention, hierarchical causal network identification is performed on power grid fault events. Figure 7 This is a hierarchical causal network diagram of a typical power grid fault event. It clearly shows that the event was caused by "rare foggy weather" at the external change layer, leading to "condensation and contamination on the surface of insulators, resulting in insufficient insulation performance" at the physical layer, triggering the initial fault "110kV Busbar No. 2 insulator-to-ground flashover"; simultaneously, due to "defects in the principle of the bus differential protection device" at the physical layer, a cascading fault occurred "110kV bus differential protection malfunction, tripping Busbar No. 1"; and due to "weak power grid structure" at the physical layer, "110kV busbar loss of voltage, and loss of voltage at 5 substations" ultimately led to "a large-scale power outage, reducing load by 83MW". Based on the fault chain and causes at the physical layer, the event causes at the operational, management, and regulatory levels can be traced.
[0130] This invention collected 77 power grid fault events. Based on the method of this invention, hierarchical causal network identification was performed, resulting in 882 entities and 950 triples. Among them, there were 329 fault nodes; 127 physical / equipment layer nodes; 60 external change layer nodes; 110 operational layer nodes; 170 management layer nodes; and 86 regulatory layer nodes. Through BERT-based semantic similarity clustering and combined with expert experience, the nodes at each level were abstracted, resulting in 16 fault classes; 15 physical / equipment layer nodes; 10 external change layer nodes; 13 operational layer nodes; 22 management layer nodes; and 9 regulatory layer nodes. Some abstraction results are shown in Tables 3 and 4.
[0131] Table 3. Causative Nodes at Different Levels in the Hierarchical Fault Causation Network of Power Grid
[0132] Table 4. Fault nodes at different levels in the hierarchical fault causation network of the power grid
[0133] Based on the causal relationships between nodes in a hierarchical fault causation network of a power grid, by mapping these relationships to abstract nodes, the causal relationships between the abstract nodes and the frequency of their occurrence can be obtained. This allows for the construction of a network like... Figure 8 The power grid fault causation network shown is a directed weighted network consisting of 106 nodes and 666 edges, comprising 6 types of nodes. Of these, 90 are causative nodes with 565 causative edges, and 16 are fault nodes with 101 fault edges. Because the power grid fault causation network exhibits complex network characteristics, this invention employs topological centrality correlation indices for network analysis, aiming to identify key nodes and paths.
[0134] Based on the constructed causal network of power grid faults, this invention performs topological analysis on both the fault-causing network and the fault network itself. Three topological indices are calculated: weighted out-degree centrality (characterizing the influence of a node as a source of fault propagation), weighted in-degree centrality (characterizing the susceptibility of a node as a vulnerable point), and betweenness centrality (characterizing the importance of a node as a hub in a critical transmission path within the network), to identify key nodes in the network.
[0135] (1) Analysis of key nodes in the power grid fault causation network For a power grid fault-causing network, by calculating the weighted out-degree, in-degree, and betweenness centrality of the fault-causing network, the distribution of topological centrality indices is as follows: Figure 9 As shown, the distribution of key nodes exhibits the following characteristics: Key risk sources: High-degree centrality nodes are concentrated in the regulatory layer (R01, R03) and physical layer (P10, P01), indicating that insufficient design standards, lack of supervision, and inherent equipment defects are the main root causes of cascading failures. Operational layer node O07 (human error) also has significant failure initiation potential.
[0136] Vulnerability clusters: High in-degree central nodes are mainly faulty nodes (F01, F13, F02), indicating their susceptibility to multi-path causes. Among them, O07 and P01 have both high in-degree and out-degree, playing a dual role as "risk sources" and "convergence hubs".
[0137] Key transmission hubs: High betweenness centrality nodes are mostly operational and management layer nodes (O07, O13, M16, O01), indicating that process execution and organizational coordination issues are key transmission hubs for fault propagation. Physical layer node P01 further highlights its core transmission role in the causal chain.
[0138] In summary, the fault-causing network exhibits a hierarchical differentiation: the regulatory and physical layers are the main sources of risk, faulty nodes represent vulnerabilities, and operational and management layers are key amplification links. Nodes with both high initiation and high transmissibility (such as O07, P01, M16, etc.) are strategic intervention points for systemic risks (e.g., Figure 10 and Figure 11 As shown in the figure, controlling it can simultaneously suppress the generation of risks and block their spread.
[0139] (2) Analysis of key nodes in power grid fault network For a power grid fault network, it mainly consists of 16 faulty nodes and edges between faults. Its topological centrality index is as follows: Figure 12 As shown. Figure 13 As shown, we can conclude that: Key sources of diffusion: high degree centrality nodes are F02, F01, F04, etc., among which F02 scores significantly higher, indicating that line tripping is the core driving force of system-level cascading failures.
[0140] Vulnerable nodes: High in-degree centrality nodes include F02, F03, F08, etc., which further highlights that F02 plays a dual role as both "perpetrator" and "victim" in the propagation process.
[0141] Global transmission hub: F02 has extremely high betweenness centrality (0.569), and the vast majority of fault propagation paths pass through this node, constituting a decisive valve for fault spread. Protection system nodes (F04, F05) and communication control faults (F16) also play important roles in the propagation process.
[0142] The results show that F02 possesses three key attributes in faulty networks: a primary source of propagation, a vulnerable target for attacks, and a global propagation hub. Monitoring and blocking its state is the most effective strategy to curb large-scale cascading failures. Meanwhile, the reliability and selectivity of the protection system, as well as the failure risk of information and power electronic equipment, also have a significant impact on fault propagation.
[0143] The above examples demonstrate, on the one hand, that the method of this invention is an effective form of risk characterization. It not only aligns with the safety control structure of power systems, but its network topology analysis also reveals the hierarchical role patterns of risk elements: the regulatory and physical layers are mostly "risk sources," while the operational and management layers are key "transmission hubs." This systemic perspective provides a quantitative basis for implementing precise risk interventions (such as blocking key transmission paths). On the other hand, it shows that the method of this invention can identify strategic nodes with both high initiation and high transmission capabilities, providing profound insights for safety decision-making that transcend traditional experience.
[0144] Based on the above-described preferred embodiments of the present invention, and through the foregoing description, those skilled in the art can make various changes and modifications without departing from the inventive concept. The technical scope of this invention is not limited to the contents of the specification, but must be determined according to the scope of the claims.
Claims
1. A method for analyzing the causes of power system security incidents, characterized in that, include: Step 1: Based on the identified system hazard information, a hierarchical and progressive retrieval strategy is adopted to dynamically generate a query sequence that matches the system hazard information, so as to realize the hierarchical derivation of system safety constraints. Step 2 guides LLMs to conduct in-depth, systematic causal reasoning on power system security events, thereby systematically identifying comprehensive causes ranging from physical component failures to organizational decision-making deficiencies, specifically including: Step 2.1 Set up the "Causal Reasoner" role and the "Retrieval Agent" role. After receiving the description of the power system security event, the "Causal Reasoner" role is first guided to identify the system-level "danger" and its ultimate "loss". Then, the obtained system danger is passed to the "Retrieval Agent" role, which executes Step 1 for the current power system security event to obtain the security constraints that need to be met at different levels of the current power system. Step 2.2 The "Causal Reasoner" role derives and constructs a safety control structure based on the power system "hazards" identified in Step 2.1 and the safety constraints that need to be met at different levels. This safety control structure includes five functional layers: regulatory layer, management layer, operational layer, physical layer, and external change layer. This safety control structure is used to express how the power system should implement these safety constraints through components and control loops at each level, thereby keeping the hazards within an acceptable range. Step 2.3 Based on the safety control structure in Step 2.2, guide the "Causal Reasoner" role to start from the lowest level of physical process control loop, and examine each control link layer by layer from the bottom up in combination with the specific context of the event, in order to identify in which specific link the safety constraints were violated and in what way; Step 2.4 The "Causal Reasoner" role summarizes and abstracts the various control defects identified in Step 2.3, thereby obtaining the potential common causes behind these surface defects; Step 2.5 Integrate the analysis results from Steps 2.1 to 2.4 to construct a hierarchical causal network containing a complete causal chain from deep systemic defects to surface technical failures and ultimately to security incidents; Step 3 employs a feedback verification method that combines counterfactual reasoning with logical consistency verification to perform dual verification of the comprehensive causes of the intermediate results and final output of Step 2.
2. The power system security event causation analysis method according to claim 1, characterized in that, Step 1 describes a method for dynamically generating query sequences that match the identified system hazard information using a hierarchical and progressive retrieval strategy. Step 1.1 Using the event case description A and system hazard H as initial inputs, define the set of analysis dimensions for safety constraints. These correspond to the top layer, the control layer, and the component layer, respectively. Based on A and H, in each dimension Next, generate the corresponding security constraints. square noodle For each security constraint aspect Generate the corresponding structured request. All requests constitute a set Step 1.2 For each search request In the domain knowledge base Vector similarity retrieval is performed to obtain K relevant document fragments with a similarity greater than a preset value, forming a set. Search results under the same security constraints To perform knowledge fusion and obtain the relevant knowledge context. ; Step 1.3 Based on the knowledge context of each security constraint aspect obtained in Step 1.2 In order to address corresponding safety constraints Generate at least one corresponding specific and executable security constraint clause. All initially generated security constraint clauses Constitute the original set of security constraints .
3. The power system security event causation analysis method according to claim 2, characterized in that, For the original set of security constraints obtained in step 1.3 Optimizations will be made, specifically including: Step 1.3.1 Calculation The semantic similarity between all pairwise constraints is used to form a similarity matrix M, where ; Step 1.3.2 Set the similarity threshold traversal All clauses If their semantic similarity If the semantics of the two are highly overlapping, then the action in step 1.3.3 is executed; otherwise, the action in step 1.3.4 is executed. Step 1.3.3 Identify semantically highly overlapping clauses. Semantic merging and refinement are performed to generate a new, more generalized constraint clause to replace the original similar clauses; Step 1.3.4 Retain the clause.
4. The power system security event causation analysis method according to claim 1, characterized in that, The method for deriving and constructing a safety control structure for the "Causal Reasoner" role described in step 2.2 is as follows: map each safety constraint to the corresponding control level and specific component responsible for executing the constraint, and identify the key control loops that transmit control instructions and feedback information between levels.
5. The power system security event causation analysis method according to claim 1, characterized in that, The method for constructing the hierarchical causal network described in step 2.5 includes: Step 2.5.1 Instantiate the control defects and systemic defects identified in Steps 2.3 and 2.4 into network nodes. And label the level to which each node belongs; Step 2.5.2 Based on the cause-effect logic and system control structure, infer and establish directed connections between nodes to form various cause chains and fault chains, specifically including: First, for any two nodes Construct a directed edge if and only if a direct causal relationship exists. ; Then, repeat the above process to generate a series of triples in the form of "cause, relation, result". : Set 1 in, This represents the set of all causal nodes and fault state nodes. This represents the set of causal directed edges between nodes; Step 2.5.3 Integrate all cause chains and fault chains to form a complete, multi-level hierarchical cause network.
6. The power system security event causation analysis method according to claim 1, characterized in that, The hierarchical causal network described in step 2.5 is expressed by Equation 2: Formula 2 in, Represents a hierarchical causal network. This represents the set of all causal nodes and fault state nodes. This represents the set of directed causal edges between nodes; in this case, it's a hierarchical causal network. Composed of two interconnected factor networks and faulty subnetwork Composition, in which: Factor network Used to express how static defects at each level of the system collectively create the conditions for a failure to occur; Faulty subnetwork It is used to describe how an initial disturbance is amplified step by step through the system's internal connections, eventually leading to an out-of-control event and specific losses.
7. The power system security event causation analysis method according to claim 6, characterized in that, The causative factor network Expressed by Equation 3: Formula 3 in, The set of causal nodes representing systemic defects at each level. This represents the set of fault nodes directly caused by the aforementioned defects. It is a set of nodes shared by two sub-networks. This represents the set of directed edges that "cause" a relationship, and these edges are used to connect... Edges or connections between internal nodes point to The edge; The causative factor network Expressed by Equation 4: Formula 4 in, Refers to the set of faulty nodes that describe the abnormal state of the system. The set of directed edges representing the "initiation" relationship.
8. The power system security event causation analysis method according to claim 1, characterized in that, Step 3 describes a feedback verification method that combines counterfactual reasoning with logical consistency verification to perform dual verification of the comprehensive causes of the intermediate results and final output in Step 2. This method includes: The "Counterfactual Reasoner" role and the "Logical Consistency Verifier" role are designed. The "Counterfactual Reasoner" role performs hierarchical verification of counterfactual reasoning, and the "Logical Consistency Verifier" role verifies the logical consistency of the hierarchical causal network based on defined consistency rules. The layered verification of the counterfactual reasoning includes: Step 3.1 Let Indicates the cause of the event The set of all necessary defects that occur, in which For a defect numbered 1 to n to be evaluated; Step 3.2 Based on Equation 5, determine the defects in the physical and operational layers. Is it an event? Necessary defects: Formula 5 in, Represents the set of all necessary defects Remove defects , Indicates the event under this condition The probability of occurrence; if the probability is 0, it indicates a defect. For the event The necessary defect; To address the deficiencies in management and regulation, we use Formula Six to identify these deficiencies. Is it an event? Necessary defects: Formula Six in, It represents the probability of an event occurring when the set of defects is complete in the real world. It is to eliminate defects The probability after, when satisfying Time indicates defect For the event The necessary defects.
9. The power system security event causation analysis method according to claim 8, characterized in that, Through feedback iterations between the "Causal Reasoner," "Counterfactual Reasoner," and "Logical Consistency Verifier" roles, the output results of multilevel causal analysis and causal networks are optimized, specifically including: When the "Causal Reasoner" role performs step 2.3, it will output a preliminary list of event causes and pass it on to the "Counterfactual Reasoner" role. After receiving the initial list of causes of an event, the "Counterfactual Reasoner" role reads the flawed factors in the initial list of causes of an event one by one and performs counterfactual reasoning. When a defective factor fails the counterfactual reasoning check, the "Counterfactual Reasoner" role outputs "Failed" and provides corresponding modification suggestions to the "Causal Reasoner" role for re-identification until all defective factors pass the counterfactual check. Then, the "Causal Reasoner" role begins to execute step 2.
4. After the "Causal Reasoner" role outputs the preliminary list of event causation network triples, it passes it to the "Logical Consistency Verifier" role. Upon receiving the preliminary list of event causation network components, the "Logical Consistency Verifier" performs logical consistency verification according to the verification rules. If the verification fails, it returns correction suggestions to the "Causal Reasoner" role until the preliminary list of event causation network components passes the logical consistency verification, and then outputs the final list of event causation network components.
10. A power system security incident cause analysis system, characterized in that, include: The system includes an enhanced generation module, an enhanced reasoning module, and a feedback verification module, among which: The retrieval enhancement generation module is used to execute the method steps of step 1 in the power system security event cause analysis method according to any one of claims 1-9; The enhanced inference module is used to execute the method steps of step 2 in the power system security event cause analysis method according to any one of claims 1-9; The feedback verification module is used to perform step 3 of the power system security event cause analysis method according to any one of claims 1-9.