
Renewable Energy Focus 42 (2022) 79–96
journal homepage: www.elsevier.com/locate/ref

Energy storage for large scale/utility renewable energy system - An enhanced safety model and risk assessment

Boon Leong Choo, Yun Ii Go *
School of Engineering and Physical Sciences, Heriot-Watt University Malaysia, 1, Jalan Venna P5/2, Precinct 5, 62200 Putrajaya, Wilayah Persekutuan Putrajaya, Malaysia

Article info

Article history:
Received 15 February 2022
Revised 4 May 2022
Accepted 10 May 2022
Available online 27 May 2022

Keywords: Hazard; Renewables; System thinking; Reliability

Abstract

Renewables recorded 26.2% of global electricity generation in 2018 and are expected to rise to 45% by 2040, attributed to nations' commitment to reduce greenhouse gases since the signing of the Paris Agreement in 2015. Policies friendly towards the development of renewable energy sources have been developed, but risk and safety assessment is still based on the traditional analytic and probabilistic risk-based assessment practices such as Event Tree Analysis (ETA), Fault Tree Analysis (FTA), Failure Mode Effect Analysis (FMEA), Hazards Identification (HAZID) and Hazards and Operability (HAZOP). These practices are each viewed as their own envelope of methodology whilst sharing many common parameters and working principles. The analytic approach is becoming ineffective with increasingly complex energy systems integrating renewables. There is ongoing research proposing systemic risk assessment approaches, but without incorporating the advantages of the analytic approach. The aim of this paper is to provide a comprehensive analysis of the risk and safety assessment methodologies for large scale energy storage currently practised in safety engineering today, comparing Causal Analysis based on System-Theoretic Accident Model and Process (STAMP) and Systems-Theoretic Process Analysis (STPA) with fault tree analysis, FMEA, HAZID and HAZOP. This paper demonstrates that systemic risk assessment such as Systems Theoretic Process Analysis (STPA) is suitable for complicated energy storage systems, but argues that elements of probabilistic risk-based assessment need to be incorporated. This ensures that a holistic risk assessment is performed on the energy storage system and provides a new viewpoint for the underlying safety model in an integrated manner based on performance requirements, human factors, environment, management, safety, and legislation. The results describe the improvement of the risk assessment technique via Systems Theoretic Process Analysis-Hybrid (STPA-H) using a case study of a grid connected Photovoltaic (PV) system with Li-ion battery storage. The hazards and mitigation measures identified from STPA-H are presented and compared with the existing approach. The proposed STPA-H technique is applicable to different types of energy storage for large scale and utility safety and risk assessment. This paper is expected to benefit the Malaysian government with the progression of Large-Scale Solar 3 (LSS3) and serve as a reference for future energy system risk assessment.

© 2022 Elsevier Ltd. All rights reserved.

Introduction

Traditional safety engineering risk assessment methods such as Event Tree Analysis (ETA), Fault Tree Analysis (FTA), Failure Mode Effect Analysis (FMEA), Hazards Identification (HAZID) and Hazards and Operability (HAZOP) are the most popular probabilistic risk assessment methods for energy and storage systems. These risk assessment techniques have long histories of successful application in conventional energy systems, where the addition of components to a system traditionally has limited impact on the overall system, and this allowed the components to be assessed independently from each other [1].

Despite traditional safety engineering risk assessment techniques still being the most applied techniques, the increasing integration of renewable energy generation sources introduces additional complexity to the existing energy grid and storage system. This has caused difficulties for designers in considering all abnormal and normal situations so as to build safety into the system design effectively, pushing the limit of traditional safety engineering risk assessment techniques. First, renewable energy sources are introducing large numbers of dispersed microgrids with individual energy storage systems that eventually need to be integrated into the main energy distribution network to reach the consumer. Second,

* Corresponding author.
E-mail address: y.go@hw.ac.uk (Y.I. Go).

https://doi.org/10.1016/j.ref.2022.05.001
1755-0084/© 2022 Elsevier Ltd. All rights reserved.

Nomenclature

ETA      Event Tree Analysis
FTA      Fault Tree Analysis
FMEA     Failure Mode Effect Analysis
HAZID    Hazards Identification
HAZOP    Hazards and Operability
STPA     Systems Theoretic Process Analysis
STPA-H   Systems Theoretic Process Analysis – Hybrid
PV       Photovoltaic
Li-Ion   Lithium ion
LSS3     Large scale solar 3 project in Malaysia
STAMP    System-Theoretic Accident Model and Process
RAW      Risk Achievement Worth
LCC      Lifecycle cost
SEDA     Sustainable Energy Development Authorities of Malaysia

the intermittent nature of solar and wind energy requires more sophisticated microgrid design for operating in both grid connected mode and islanded mode to compensate for the fluctuation in energy supply from renewable energy sources [2,3]. Surplus energy from the microgrid will be stored in the local energy storage system or delivered to the main energy distribution network when there is demand. The Energy Commission of Malaysia requires independent power providers to verify that the Power Park Module and auxiliary system can operate continuously over a frequency range of 52 Hz to 47 Hz as part of the grid frequency variation test. Third, the introduction of new technology such as IoT and new software controls to manage increasingly complex energy systems inadvertently introduces additional unknowns and new hazard paths. Fourth, the shortened innovation cycle of renewable energy components in pursuit of more efficient systems does not provide sufficient time for carefully planning and testing the system design to understand all potential hazards and risks.

There is ongoing research on systemic risk assessment techniques such as STPA. This technique can cope with the complexity in energy systems by applying a systemic perspective in the assessment, but disregards the importance of component-centric risk assessment and failure identification, running the risk of missing component failure factors in the assessment. As such, it is important that existing risk assessment techniques are improved for applicability to the storage and energy systems of the future, especially at large scale and utility level.

This paper evaluates the methodology and consideration parameters in risk assessment by FTA, ETA, FMEA, HAZID, HAZOP and STPA. A comparative study of the strengths and weaknesses of the risk assessment techniques is performed. Using the example of a grid connected PV system with Li-ion battery storage and focusing on inherent risk, this paper supports the perspective that the systemic risk assessment technique is suitable for risk assessment of complex energy systems, but argues that elements of probabilistic risk-based assessment need to be incorporated, and describes the improvement made to the systemic risk assessment technique in the Systems Theoretic Process Analysis – Hybrid (STPA-H) technique. This paper describes STPA-H for performing risk assessment of energy storage for large scale and utilities in the future energy system.

Grid connected PV system with Battery Storage

A grid connected PV system with Li-Ion battery storage has become one of the most popular choices for power generation in regions with abundant sunshine and makes up more than 90 % of the global grid energy battery storage market [1]. The system contributes to energy grid stability with the ability to store the electricity generated from PV and supply it to the grid to fulfil energy demand. A standard grid connected photovoltaic energy system with Li-Ion battery storage can be viewed as consisting of components such as PV modules, inverter units, isolators, fuse unit, transformer (as required), and battery packs in delivery of its function, as illustrated in Figure 1. The component view serves as the basis for analytic and probabilistic risk assessment.

The Energy Commission of Malaysia [4] has clearly specified the boundaries of responsibilities and ownership of large scale solar developers in the "Guidelines On large scale solar photovoltaic plant for connection to electricity networks" under the Electricity Supply Act (Amendment) 2015 (Act A1501), as shown in Figure 2. This will serve as the boundary for the safety analysis discussed in this paper. The same grid connected photovoltaic energy system with Li-Ion battery storage can also be organised into the Battery Management System, Energy Management System, Photovoltaic, controller and contactor that make up the feedback control loops and form part of the hierarchical control structure, as illustrated in Figure 3. Various research on energy storage design and sizing [5–7] has been carried out for both on-grid and off-grid systems at transmission and distribution sides to satisfy peak demand. This serves as the basis for the systemic risk assessment approach.

Traditional safety engineering assessment

Traditional Safety Engineering Assessment techniques such as Event Tree Analysis (ETA), Fault Tree Analysis (FTA), Failure Mode Effect Analysis (FMEA), Hazards Identification (HAZID) and Hazards and Operability (HAZOP) are analytic by nature and component-centric. Risk is described as the effect of deviating system parameters or of components failing to perform their intended function, resulting in uncertainties. Careful management is required to avoid accidents and hazards. In traditional safety engineering, risk is viewed as predictable by analysing historical data and system design. Risk is assumed quantifiable as consequences versus likelihood of occurrence. Risk is expressed in mathematical probabilities for comparison and analysed on a numerical basis to balance risk mitigation and cost. Mitigation measures or design changes will be put in place to reduce the safety risk to as low as reasonably practicable.

Event Tree Analysis (ETA)

Event tree analysis (ETA) is a logical top-down inductive technique evaluating the success and failure responses to a single initiating event, sometimes known as the top event. Boolean logic is applied for charting event paths to assess the probabilities of outcomes, followed by frequency and risk evaluation for each event path to determine whether the event is acceptable. The overall system will be analysed for the identification of mitigating measures to the top event [9]. A design change needs to be implemented if the risk frequency is not acceptable. The risk of the outcome is found by calculating the overall event path probability, followed by risk evaluation for each event path to determine whether the event is acceptable. Take $\lambda$ as the initiating event frequency for "Short circuit in battery" and $\Pr(B_i)$ as the probability of event $B_i$. The probabilities of each occurrence for the fire hazard are then calculated based on $\Pr(\text{Outcome 1} \mid \text{fire}) =$

Figure 1. Simple schematic diagram of photovoltaic system with battery storage.

Figure 2. Asset demarcation of large-scale solar developer [4].

$\Pr(B_1)\,\Pr(B_2 \mid B_1)\,\Pr(B_3 \mid B_1 \cap B_2)$. The frequency of the fire event is therefore calculated as $\lambda \cdot \Pr(B_1 \cap B_2 \cap B_3)$. Extrapolating this information to the event tree diagram, the frequency of the risk is deemed acceptable, and no additional corrective action is proposed. However, if the frequency of the risk is not acceptable, step number 9 is to recommend corrective action such as a change in design. Event Tree Analysis (ETA) applies similar mathematical techniques and logic to Fault Tree Analysis (FTA). The key difference is that Event Tree Analysis is inductive whereas Fault Tree Analysis is deductive. The advantages of Event Tree Analysis are that it can assess multiple co-existing faults and failures, and that single points of failure and ineffective countermeasures can be easily identified. It also supports analysis at various levels of detail [10,11].

Fault Tree Analysis (FTA)

Fault tree analysis (FTA) is a top-down deductive tool identifying the causes of system level failures from the top event, estimating the event rates of failures or safety accidents and proposing the best approach to reduce risk. Both ETA and FTA techniques involve building a tree diagram by applying Boolean logic, but they work on opposite sides of the top event. Fault tree analysis utilises Boolean logic to identify the combinations of lower-level basic events that lead to the top event (system level failure). Safety design elements, faults and subsystems are systematically mapped in the overall system logic diagram. Conventional logic gate symbols, consisting of the key elements "logic gates" and "events", are used for fault tree development [12,13]. The minimal cut sets that are mutually exclusive are then identified for calculation of the probability of failure that leads to the top event. Mitigation measures including changes in design are pursued to reduce the probability of occurrence of failure towards the top event. ETA and FTA are usually applied together and are known as "bow-tie" analysis.

The fault tree dictates how thorough the scope of study is. The fault tree developed is prioritised according to High, Medium,


[Figure 3 (image not reproduced): control structure blocks for Grid, Energy Management System, Inverter, Controller, Photovoltaic modules, Sensors, Battery Module, Battery Management System, Local load, Main load, Critical load, Strings, Cells, and Heat dissipation devices.]

Figure 3. Partial control structure [8] of photovoltaic energy system with lithium-ion battery storage.

and Low based on the safety implication for the renewable energy storage system. An example of a high priority fault is an external short circuit caused by battery internal conductors being forced together in a crush event by mechanical forces on a pack. Based on the minimal cut sets from the thermal branch, in which the minimal cuts are mutually exclusive, we can compute the probability of the top event by

$$P_0(t) = 1 - \prod_{j=1}^{k}\bigl(1 - P_j(t)\bigr)$$

where $P_j$ is the probability of failure of minimal cut set $j$. After identifying the probability of failure that contributes to the top event (hazard), all possible methods are pursued to decrease the probability of occurrence. Response variables such as the orientation of the battery pack, protection against cell displacement and vehicle velocity can be explored in design improvement to reduce the probability of occurrence of failure towards the top event. The advantages of Fault Tree Analysis are that it is suitable for analysing hazards arising from various circumstances and it can identify common causes that are not apparent when considering sub-systems in isolation [14]. Fault Tree Analysis does have its own disadvantages; for instance, it is very dependent on the competency of the analyst. Failure modes may be overlooked, or common cause failures may be missed, unless the analyst has a high level of expertise and input from the operator. One big gap is that fault tree analysis assumes all events are independent; however, with more sophisticated systems in the market, especially in the energy storage industry, computer software may cater for combinations of events that are not mutually exclusive anymore [15,16].

Failure Mode Effect Analysis (FMEA)

FMEA is a structured bottom-up approach to discover potential failures of a product or process design. An FMEA study consists of two parts. The first is to identify the system failure modes. The second is identification of the failure consequence (effect) and classification. Failure classification is performed based on likelihood and severity. They are ranked as high, medium, and low to establish the need for corrective and mitigation action [9]. There is no fixed guidance or rule for the ranking matrix and risk priority number, but there are many examples and guidance described in the oil and gas industry. FMEA establishes severity, probability of occurrence and detection ratings, ranked accordingly as high, medium, and low to establish the need for mitigation or corrective action. The probability of a cell internal short circuit cannot be established without sufficient test data. However, it is estimated that 18650 Li-ion cells produced for computers and other electronics encounter an internal short failure rate of 1 in 5–10 million [17,18]. Investigation revealed that the occurrence of a cell internal short circuit triggering a fire was not acceptable and needed to be prevented. An example mitigation step to prevent fire is making a design change that eliminates the ignition source via encapsulation of the PCBs with a high temperature resistant silicone to prevent carbonisation and electrical sparks [19]. Safety assessment for batteries needs a systematic approach such as FMEA; however, the FMEA bottom-up approach faces limitations in identifying the direct link in combinations of failure modes and effects, and sometimes needs to be supplemented with experiments. FMEA is very dependent on subjective analysis and relies on the experience of the analyst. However, FMEA can indicate the predominant failures that the design should focus on [20].

Hazards Identification (HAZID)

HAZID is a qualitative technique that identifies potential hazards and threats, including causes and consequences, at the earliest practicable stage. HAZID starts with identification of the nodes to dictate the scope of study. The causes and consequences are then identified for each of the nodes. The frequency and severity of each hazardous event in the HAZID node is then evaluated by ranking in a risk matrix based on the combination of consequence and likelihood of the event, which is eventually classified as low, medium, or high risk. Preventive and mitigation measures are identified. If a high risk cannot be justified, a design change is required to manage the risk associated with the hazard to as low as reasonably applicable [21]. Unlike FMEA, HAZID is not a bottom-up approach and takes input from other techniques such as Event tree analysis, Fault tree analysis, "What if" analysis, and Hazard checklists. A Hazards and Effects register will be built as part of the HAZID process to systematically record the hazard, hazard sources, threats, top events, the risk potential and effect of the hazards, and consequences [22].

Risk ranking is typically built in a 5 by 5 matrix with one axis against the likelihood and the other axis against the severity rating. Any high-risk ranked event needs to be evaluated and additional mitigation measures need to be applied to reduce the risk to as low as reasonably possible (ALARP) [23]. In the example of a rechargeable battery storage system for a ship, explosion and toxicity risks need to be mitigated. This requires securing the battery system from mechanical damage and shielding it from external heating. By installing a redundant battery management system and an emergency shutdown system that kicks in mitigation measures such as disconnection of the battery due to overcharging, undercharging, overcurrent or a thermal event, the possibility of multiple modules failing simultaneously is reduced. In addition, ensure that it does

not spread to the rest of the system if a fire occurs in one cell/module. The ventilation in the battery room must be able to handle the off-gassing of one cell or module, assuming that the other safety barriers in place are working. The hazards and effects register is important because it presents the findings from HAZID in a structured way. The advantages of HAZID are that it is suitable as a cross-checking review tool, is relatively quick and avoids repetitive analysis. However, the disadvantages of HAZID are that it is potentially limited to already known hazards and the effects of interactions between hazards are not easily identified; usually HAZID is not able to satisfy regulatory requirements if used alone.

Hazards and Operability (HAZOP)

HAZOP is used to identify abnormalities in the working environment and discover their root causes. HAZOP starts with defining the study boundaries of the analysis for items of equipment or the system. The operation mode to be examined is identified. The remit of the potential problem should be clear. Guidewords and system parameters are used for a stage-by-stage study of the process or operation design to identify deviations from the intended design and explore all possible causes and consequences of the deviations. Evaluation is then done to decide where a design change is required for an identified hazard or operability problem. A HAZOP register in the form of a table is built as the outcome of the study. A HAZOP study should be done only when the full design and detailed process description are frozen. Any design changes triggered by HAZOP study findings shall be made under a strict management of change procedure [24,25].

Example deviations in the Li-Ion battery storage system include uneducated third-party tampering causing a reaction rate beyond the design envelope, causing arc flash and explosion leading to burns or electrocution; or hot surroundings and poor ventilation causing overheating of the battery, leading to fire and explosion, leading to death or loss of property, etc. The safeguards against the deviation are then evaluated to decide whether they are adequate or whether further change or study is needed. The action required is recorded accordingly. A HAZOP register in the form of a table is built as the outcome of the study. This table is important for HAZOP because it summarises all the findings of the HAZOP study process. Table 5 below summarises the partial HAZOP register for the example quoted in this paper. It can be further enhanced with additional columns such as HAZOP sections, comments, action allocation and status to form a complete HAZOP register. Although HAZOP is advantageous in analysing the system design's capability to meet safety standards, user specifications or system weaknesses, and is particularly able to identify hard-to-quantify hazards such as those attributed to human performance and behaviours that are hard to detect, analyse, isolate, count and predict, HAZOP still has its own disadvantages. HAZOP is unable to assess hazards arising from interactions between different parts of the process or system. In addition, there is no risk ranking by default following the HAZOP methodology, although the team may optionally build in prioritisation capability. HAZOP is unable to assess the effectiveness of safeguards unless the HAZOP team opts to apply HAZOP together with other risk management methods [26,27,28].

Systemic risk assessment

The systemic risk assessment technique is built on the System-Theoretic Accident Model and Process (STAMP). Safety is described as an emergent system property attributed to design constraints on a system enforced by control actions. Losses arise from interaction flaws between organisational structures, engineering activities, social factors, operational goals, and physical components [8,29]. These non-electrical and non-mechanical causal factors are identifiable by the Systems Theoretic Accident Model and Process (STAMP) model but are sometimes missed by traditional safety engineering assessment techniques. The STAMP model assumes that accidents result from system component interactions and that there are no specific single causal factors or variables. Systems Theoretic Process Analysis (STPA) is one of the most prominent systemic risk assessment techniques. STPA is applied to identify accidents or hazards caused by nonlinear interactions of the system with its environment. There are 4 main steps in the STPA risk assessment technique. The first is to identify the purpose of the analysis, that is, which hazards and losses the STPA analysis is aimed at preventing, and to decide the system boundaries for the study. Second, the system in the scope of study is modelled into a control structure, which captures the system as multiple sets of feedback control loops. Third, the control actions in the control structure are examined for unsafe control actions and safety constraints. Finally, the reasons for unsafe control actions are identified via causal scenarios to drive mitigations and design change recommendations to mitigate the hazards. STPA bears some similarity to HAZOP. Both techniques are based on system modelling and apply guidewords in performing the analysis. However, the STPA model is based on a functional control diagram whereas HAZOP is based on a physical diagram. The guidewords used in STPA are about lack of control rather than deviation of physical parameters [30,31].

Problem Statement, Research Gap and Novelty

Traditional risk assessment methods have histories rooted a long way back and have found many successful applications in conventional energy such as oil and gas. While the traditional safety engineering risk assessment methods are still applicable to new energy storage systems, the fast pace of technological change is introducing unknowns into systems and creating new paths to hazards and losses (e.g., software control). In addition, the lifecycle of components for new energy is greatly reduced; the innovation cycle of the components has reduced to two or three years, which does not allow enough time for carefully running the system testing and design to understand all potential hazards and risks. The application of new technologies in the way that energy storage systems are managed also increases the complexity, especially when the system needs to operate in both grid connected mode and islanded mode. The complexity has made it difficult for the system designer to consider all normal and abnormal situations and design safety into the system effectively, stretching the limit of traditional safety engineering risk assessment.

Traditional Safety Engineering Assessment methods such as Fault Tree Analysis (FTA), Event Tree Analysis (ETA), Failure Mode Effect Analysis (FMEA), Hazard Identification (HAZID) and Hazard and Operability (HAZOP) are component-centric by nature and often describe risk as the effect of deviations in system parameters or of system components not performing the intended function, which gives rise to uncertainties that need to be managed to avoid hazards and accidents. Risk management in the context of traditional safety engineering often means ensuring that sufficient measures are in place to protect people, assets, and the environment from the risk. Analytic methods are often employed to find a balance between risk mitigation and cost. Traditional safety engineering assumes that risk can be predicted through historical data and system design analysis and quantified as likelihood of occurrence (probability) versus consequences, which are expressed as mathematical probabilities in an attempt to compare alternatives on a numerical basis. Techniques such as Event Tree Analysis and Fault Tree Analysis are regularly adopted to break down the system so that the system components are quantifiable. This is followed by applying a mathematical function to calculate the total risk. Measures are then put in place to reduce the risk to as low as reasonably practical, or a complete design change is required to remove hazards in the higher risk category [32].

Although historically the oil and gas energy sector relies heavily on traditional safety engineering risk assessment methods that are

analytic in nature, there are a few fundamental flaws in the underlying principles of traditional safety engineering risk assessment methods in orchestrating the risk assessment, especially as energy systems are becoming more complex today in the transition towards different sources of renewable energy technology. First, traditional safety engineering risk assessment methods assume that an accident will not occur if the reliability of the system or component is ensured, i.e., safety is an attribute that increases with increasing reliability [33]. However, reliability is the ability of a system or component to perform satisfactorily against designated requirements over a period, whereas safety is the absence of events that result in unacceptable loss. Safety and reliability are different properties which may be supporting or conflicting. A system can be reliable yet unsafe [34]. For example, a bus for transporting passengers that is never put into service may be a system that is relatively safe, but it is not reliable because it never performs the intended function. There will also be scenarios whereby a system needs to retreat to a fail-safe state rather than attempting to continue performing the system function at the risk of an accident. Secondly, the accident model in traditional safety engineering risk assessment assumes that accidents are caused by chains of events and that the risk is assessable by looking at the event chains that lead to loss. The fundamental idea in such a model is that events create a condition that leads to new events that create new conditions, and so on, so that together they form a domino effect that leads to catastrophic loss. However, an event is an occurrence in limited time, whereas a condition persists until an event occurs that results in a new condition. Taking the example of an explosion accident in a Li-Ion Battery Storage System, flammable gas vapour released from the Li-Ion battery system and air may be conditions that exist for a period until a new event, i.e., a spark, creates the ignition source and leads to explosion. The explosion then creates new conditions, namely uncontrolled energy being released to the surroundings. The causal relationship in event chain models is limited to being direct and linear, and is subject to bias in selecting the root cause event. The same event may result in different types of links according to the analyst's mental representation of the event. For example, the source of the spark in the Li-Ion battery is very much subject to the analyst's consideration and perspective. It can be due to carbonisation of the PCB board in a thermal runaway cell and continuous voltage from an adjacent cell triggering the spark, as explained in the FMEA section of this paper, or it can be due to an external source such as electrostatic charges when a technician or operator did not follow the proper guidelines in operating, inspecting, or servicing the system. The reality is that it is hard for the analyst to account for all possible sources by focusing on system factors only; too often non-technical aspects are ignored in the analysis. Thirdly, traditional safety engineering risk assessment methods assume that the initiating events in the chain are mutually exclusive in an attempt to perform probabilistic risk assessment towards it, while

easily misjudged the information and resources available at hand to the people at the time of the incident. Hindsight bias always triggers analysis of what people have done wrong, but nobody comes to work intending to do something wrong. There needs to be a change in the way human roles are viewed in accidents. Fifth, traditional safety engineering gives rise to the viewpoint that reliable software is equivalent to safe software. This holds a challenge in today's complicated energy systems, where more automation via software is involved, along with the introduction of next generation technology such as artificial intelligence that works to crunch the data for improvement in operation. Artificial intelligence enabled operation software may be deployed to a distributed microgrid with a battery storage system; the software may operate reliably and may crunch the power demand data reliably for improvement in operation patterns. However, if there is a flaw in the requirements of the software, this may lead to a catastrophic result. For instance, switching between islanded mode and grid connected mode of the microgrid with wrong software requirements may give rise to interruption in services and put additional strain on the charge-discharge cycle of the batteries, therefore shortening the lifespan of the battery cells, but this may be missed by traditional safety engineering risk assessment methods [8].

In this project, traditional Safety Engineering risk assessment methods such as Fault Tree Analysis (FTA), Event Tree Analysis (ETA), Failure Mode Effect Analysis (FMEA), Hazard Identification (HAZID), Hazard and Operability (HAZOP), and new risk assessment methods such as Causal Analysis based on System Theory (CAST) and System-Theoretic Process Analysis (STPA) are reviewed as individual techniques serving different stages and purposes in safety and risk assessment. Although some of the traditional safety engineering techniques are applied together, often they are described and executed within the envelope of their own remit. The novelty of this project is to improve the safety and risk assessment methods for large scale energy storage and utilities by combining the theory and techniques underlying the risk assessment methods and describing the new "holistic safety and risk assessment (STPA-H)" method, which combines the strengths and addresses the weaknesses of the respective methods.

Methodology

With the challenges and weaknesses of purist traditional safety engineering risk assessment techniques and systemic risk assessment techniques highlighted in the introduction section, it is imminent to explore a new risk assessment technique for energy storage for large scale and utility in the future energy system (e.g., grid connected Solar PV system with battery storage). Research on energy
too often the initiating events may be not as exclusive. In the storage sizing had taken safety requirement into consideration
example of Li-Ion battery storage system, thermal runaway of bat- [35,36]. However, systematic risk assessment schemes had not
tery cells and failure of battery thermal management system to been extensity studied and proposed. This paper proposes STPA –
response due to no power supplied to sensor viewed as two initi- H (Systems Theoretic Process Analysis - Hybrid) technique which
ating events, however there is possibility that both may be attrib- is an improved risk assessment technique that adopts and incorpo-
uted to unexpected mechanical impact battery module causing rates fundamental principle of traditional safety engineering ana-
mechanical deformation of battery cell that result to thermal run- lytic and probabilistic risk assessment techniques into systemic
away and damaged sensor. Probabilistic risk assessment also often risk assessment. STPA-H is not a purist adaptation of systemic
omits design errors and often come into calculation indirectly based risk assessment despite the name of this technique but
through the probabilistic calculation of failure event [34]. In this aimed to combine the strength and addressed the weaknesses in
example, the battery module design and temperature sensors analytic and systemic risk assessment techniques. Figure 4 illus-
placement may need improvement. Fourth, traditional safety engi- trates the risk assessment workflow with STPA-H technique. There
neering risk assessment method are subjected to hindsight bias. are 14 steps in this technique in total. The workflow is branched
Often people tend to oversimplify the causality when start from midway into two routes depending on nature of system interac-
outcome and work out the cause backwards and overestimate tions with hazards. The findings are then combined at the end.
the likelihood of outcome since we already knew it, this effect is Improvement made to the risk assessment workflow are high-
especially prominent in event chain model. In addition, it is very lighted in blue.

Figure 4. Workflow for ''STPA-H (Systems Theoretic Process Analysis-Hybrid)" technique. [Flowchart; the boxes read, in order: Define System Boundary; Define system hazardous properties and parameters; Define system level unacceptable loss; Identify System Hazards; decision "Is system hazards attributed to controllable factors?". Yes (controllable) route: Create hierarchy control structure; Identify system level safety requirements and constraints to prevent hazard from occurring; Identify unsafe control actions. No (uncontrollable) route: Evaluate default system reliability; Scenario based and probabilistic based analysis of hazard; Evaluate component vulnerability to hazard scenario and component importance index; Identify targeted hardening measure; Perform Cost Analysis; decision "Strategy cost effective and necessary in addressing the hazard?"; if Yes, Propose hardening mitigation measures. Both routes end in: Apply mitigation measures and design improvement change. Legend: Improvement to technique; Adaptation of existing technique.]

The first improvement made in the STPA-H technique is ''the hazard branching", that is, the classification of the system interactions with the environment and hazards into controllable and uncontrollable interaction factors. Controllable interaction factors will be evaluated in a similar manner to the STPA technique, but for uncontrollable interaction factors the analytic and probabilistic based analysis of hazard is conducted. Controllable interaction factors are hazard events that can be prevented by implementing control actions/mechanisms, whereas uncontrollable factors are not. The second improvement made is the application of a linear failure model to evaluate the cumulative system fragility of the system and derive the default system reliability. Finally, the concept of life cycle cost analysis is performed for cost effectiveness evaluation of the ''targeted hardening mitigation measures" to decide whether measures need to be applied. The outcome is then combined with the findings from the controllable interaction factors study route to get the overall finding on hazards and mitigation measures.

STPA – H methodology explanation: Safety analysis of grid connected PV energy system with battery storage

Foundational information
Similar to all risk assessment techniques, ''Systems Theoretic Process Analysis - Hybrid (STPA-H)" starts with identification of the system boundaries for study, to provide focus to the risk assessment and analyse the system's interaction with its environment. The boundaries of the risk assessment are illustrated in Figure 5.
This is followed by analysis of the inherent hazard properties of the system. Inherent hazard is associated with the system within its boundaries as a whole and with its components designated to perform the intended function. The inherent hazardous properties parameters of the PV system with Li-Ion battery storage are illustrated in Table 1 below.
For practicality reasons, system unacceptable loss was identified for the grid connected PV system with Li-Ion battery storage performing the function of supplying energy to the grid and storing the excess generation capacity in battery storage. Establishing system level unacceptable loss is crucial in establishing system level safety hazards. System unacceptable losses are illustrated in Table 2 below.

Table 1
Inherent hazard properties of PV systems with Li-Ion battery storage

Inherent hazard properties | Causal factor parameter
Grid fault current | Ground fault, short circuit of component
Voltage fault | Inverter fault
Fire Hazard | Electrical, thermal, mechanical abuse, protection circuitry design or internal cell fault
Arc Flash in Li-ion | Accidental contact, underrated equipment for available short circuit current or deterioration in insulated surfaces and equipment
Combustion from vented gas in Li-ion | Increase of cell internal temperature, increase of cell internal pressure, venting of cell, ignition of vented gases, ejection of cell content
Toxic gas emission in Li-ion | Release of ethyl methyl carbonate, diethyl carbonate, ethylene carbonate, benzene, toluene, styrene, biphenyl, acrolein, carbon monoxide, carbonyl sulphide and hydrogen fluoride

Table 2
Grid connected PV-system with Li-Ion battery storage system unacceptable loss

L-1 Fire/ Explosion/ Poisoning/ Electrical – Loss of life
L-2 Fire/ Explosion/ Poisoning – Loss of asset
L-3 Loss of operator performance
L-4 Loss of producer revenue

Improvement 1: Classification of system hazards into controllable and uncontrollable category
The inherent hazardous properties of the system are analysed by considering the system's interaction with its environment to derive the list of system level safety hazards, which are classified into the ''Controllable interaction category" and the ''Non controllable interaction category". Table 3 illustrates the classification of system hazards associated with the grid connected PV system with Li-Ion battery storage. The analysis branches out into two routes from this step. For controllable interaction factors, the analysis follows the STPA route for risk assessment [30] and mitigation measures identification. However, for uncontrollable interaction factors, the analytic centric probability-based analysis route is applied to analyse the hazard scenario.

Figure 5. Safety risk assessment system boundaries for grid connected PV system with battery storage

Table 3
System hazards associated with PV system with Li-Ion battery storage.
(The first four columns are existing requirements in STPA analysis; the last two columns are the improvement proposed. The controllable and non-controllable interaction factors are given once and apply to all five hazards.)

Hazard | System level safety hazard | System unacceptable loss | Inherent hazardous properties | Controllable interaction factor | Non-Controllable interaction factor
H1 | Thermal runaway or fire hazards developing condition | L1, L2, L3, L4 | Fire Hazard, Grid fault current, Voltage | operational, management, organizational, social and design error | Flood, earthquake, blizzard, intrusion
H2 | Build-up of combustible vented gas between lower and higher ignition limit | L1, L2, L3, L4 | Combustion from vented gas, Fire Hazard | (as H1) | (as H1)
H3 | Human exposure to toxic vented gases | L2, L3, L4 | Toxic gas emission | (as H1) | (as H1)
H4 | Human exposure to lethal voltage potential | L1, L3 | Grid fault current, voltage | (as H1) | (as H1)
H5 | Human exposure to arc-flash / explosion | L1, L2, L3, L4 | Arc-Flash, Grid Fault Current, Voltage, Fire hazard | (as H1) | (as H1)

Analyse Controllable Interactions
Similar to the STPA assessment approach, the analysis for controllable interactions starts with setting up the hierarchy control structures. Hierarchical control structures help visualize the entire socio-technical system and understand the safety constraints needed to avoid unsafe states. The connections in the control structures represent information transmission and interaction of functional components. The control structure [8] shows how constraints and commands are communicated top-down and through feedback channels, and is illustrated in Figure 6 for the grid connected PV system with battery storage under study.
A complete study of the whole system is required for all controllable interaction factors; however, for the purpose of this paper, analysis of a representative loop as illustrated in Figure 6 is sufficient to demonstrate the application of the method. Hierarchy control structures consist of multiple control loops. The key goal is to go through the control loops in a systematic manner for the whole control hierarchy structure and identify the safety control actions needed to enforce the safety constraints. Unsafe system control actions are then derived by analysing the ways in which the control actions can be violated. There are 4 ways of control action violation [34], including a) Control required for safety is not provided, b) Unsafe control action provided, c) Safe control action provided too early or too late and d) Safe control action required stopped too soon or applied too long. A causal scenario is then determined for each of the unsafe control actions and listed. Understanding all unsafe control actions and causal scenarios is vital to ensure a good analysis. A combination of these will cause the system to develop into a hazardous state. This step is crucial to understand what could go wrong in the system under study. Mitigation measures for the unsafe control actions are then applied as design improvements. Each of the known potential causal scenarios can be ''inverted" to produce a list of design requirements.

Figure 6. Control structure [8] for grid connected PV system with Li-Ion Battery Storage.

Validation: Analyse Uncontrollable Interactions
Fundamental principles from analytics-based risk assessment are adopted in the analysis of uncontrollable interactions. This is where the STPA-H technique fundamentally differs from the existing purist systemic risk based STPA assessment, by including a component centric view and applying analytic and probabilistic based underlying principles.

Improvement 2: Evaluate default system reliability. The component-based analytic view is the foundation for the analysis of uncontrollable interaction factors. A grid connected PV-energy system with battery storage, for instance, is viewed as relying on components in generation, energy storage, and transmission to deliver electricity locally or to the grid. Therefore, the risk analysis of the system requires consideration of the interaction among its components, by applying a linear failure model in the analysis to find out the cumulative system fragility for quantification of the default probability of system damage and the default system reliability.
Failure of the system is defined as the inability of PV strings to deliver power from solar energy or the inability of battery strings to store and provide power. In the language of reliability, it is the inability of the system component to perform its intended function. The linear failure model is an adaptation of the failure model by Taras et al. [37]. A string is defined as a switchable section with an isolator/connector at its end. Consider the photovoltaic string line model shown in Figure 7. In this model, the PV string consists of 3 PV cells; in a module there are multiple strings. The failure of PV cell i+1 will result in the failure of the adjacent cells (i and i-1).

Figure 7. Photovoltaic string line model.

Probability of failure for a PV string is defined as $P_{I1}$.
Probability of failure of PV cell $(i+1)$ is defined as $P(F_i) = P_i$.
Probability of failure of PV cells $(i-1, i)$ conditioned on the failure of PV cell $(i+1)$ is defined by $P(F_{i-1} \mid F_{i+1}) = P(F_i \mid F_{i+1}) = P_a$.
Probability of failure of the PV string is therefore:

$$P_{I1} = P(F_i) \times P\left[(F_{i-1} \cup F_i) \mid F_{i+1}\right] \qquad (1)$$

Probability of failure of the whole PV module due to failure of all the PV strings is therefore

$$P_m = P_{I1} \times P_{I2} \times P_{I3} = \left(P(F_i) \times P\left[F_{i-1} \cup F_i \mid F_{i+1}\right]\right)^n \qquad (2)$$

whereby n = number of strings in the PV module.
Similar iterations of the probability calculation can be applied to battery strings, subsystems, and the whole system to obtain the cumulative system fragility $F_R(V)$ based on the number of subassemblies/components of the PV system; the equations are given as

$$P_s = P_{m1} \times P_{m2} \times P_{m3} = \left(P(F_{m1}) \times P\left[F_{m1} \cup F_{m2} \mid F_{m3}\right]\right)^n \qquad (3)$$

whereby $P_s$ = probability of failure of the subassemblies, n = number of modules in the subassemblies

$$F_R(V) = P_{s1} \times P_{s2} \times P_{s3} = \left(P(F_{s1}) \times P\left[F_{s1} \cup F_{s2} \mid F_{s3}\right]\right)^n \qquad (4)$$

whereby $F_R(V)$ = cumulative system fragility = default probability of failure of the system, n = number of subassemblies in the PV system.
The standard numbers of subassemblies by PV system power rating proposed by Ahadi et al. [38] are taken as the baseline for the cumulative system fragility calculation by applying Equation (4) in this paper, and are illustrated in Table 4.

Table 4
Number of subassemblies in PV system by power rating [38]

Number of subassemblies
Power (KW) 100 500 1500 2500
Photovoltaic modules 437 2166 6517 10868
Inverter 1 5 14 24
Isolator/ AC switches 1 1 1 1
Isolator/ DC switches 3 15 42 72
PV Fuses (AC Circuit breaker) 1 5 14 24
Battery Unit Fuses (Differential Circuit breaker) 1 1 1 1
Battery Pack/ Battery system 16 76 224 372

Scenario based and probabilistic based analysis of hazard. Hazards from uncontrollable interactions (e.g., flash flood) are to be calculated from probabilistic analysis, where Monte Carlo simulation is applied to simulate future flash flood occurrence and derive the probability density functions [39]. The annual probability of system failure due to uncontrollable interaction, $P_f$, is given by:

$$P_f = \int_{0}^{\infty} F_R(v)\, f_v(v)\, dv \qquad (5)$$

whereby $F_R(V)$ is the cumulative system fragility derived from Equation (4) and $f_v(V)$ is the probability density function of the hazards from uncontrollable interactions (e.g., flash flood) from the Monte Carlo simulation. Historical records are used as the baseline for a fit-for-purpose Monte Carlo simulation.

Evaluate component importance index and identify targeted hardening measures. Risk achievement worth (RAW) is applied to evaluate the relative importance of components or subassemblies whose reliability needs to be improved to reduce the risk of the whole system, and this is crucial for identifying targeted hardening mitigation measures. RAW is a measure of the worthiness of component i in achieving overall system reliability [40,41]. The equation of RAW is given as:

$$RAW(i) = \frac{\left[1 - R_s(Q_i - 1)\right]}{\left[1 - R_s\right]} \qquad (6)$$

for i = 1, 2, 3, ..., n, where $R_s$ is the default system reliability and $R_s(Q_i - 1)$ is the system reliability when component i has failed.
The equation of $R_s$ is given as

$$R_s = 100 - (P_f \times 100) \qquad (7)$$

where $P_f$ is the annual probability of system failure due to uncontrollable interaction derived from Equation (5). The equation of $R_s(Q_i - 1)$ is given as

$$R_s(Q_i - 1) = 100 - (P_s \times 100) \qquad (8)$$

where $P_s$ is the probability of failure of the subassemblies derived from Equation (3).
Application of additional targeted hardening mitigation measures for the hazard is evaluated based on the RAW; several strategies for hardening mitigation measures can be applied, such as a) Hardening all system components/subassemblies with RAW > 2.5, b) Hardening the PV system and c) Hardening the sub system of the PV. This paper adopts strategy a) in the analysis, whereby targeted hardening mitigation measures are to be applied if RAW > 2.5.

Improvement 3: Applying Lifecycle cost analysis. Life cycle cost (LCC) analysis is applied to evaluate the cost effectiveness of implementing targeted hardening measures [40,41]. Standard assumptions such
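As an added worked example (editor's code, not from the paper), the block below carries Equations (4), (6), (7) and (8) through for the 100 kW and 500 kW systems using the Table 4 subassembly counts, the Table 6 component failure rates and, for RAW, the flood-case R_s from Table 10. Subassembly probabilities are combined by summation, which is the editor's reading of how the Table 7 figures were produced (a first-order series-system approximation), not a restatement of the product form written in Equation (4).

```python
"""STPA-H uncontrollable-interaction arithmetic: subassembly PoF, cumulative
system fragility F_R(V), default reliability R_s and RAW (Eqs 4, 6, 7, 8)."""
from typing import Dict, List

# Table 6 (Nemes et al. [42]): annual failure probability per component,
# in units of 10^-6 failures per year.
COMPONENT_POF_PER_MILLION: Dict[str, float] = {
    "Photovoltaic modules": 0.015,
    "Inverter": 40.0,
    "Isolator/ AC switches": 0.034,
    "Isolator/ DC switches": 0.2,
    "PV Fuses (AC Circuit breaker)": 5.7,
    "Battery Unit Fuses (Differential Circuit breaker)": 5.7,
    "Battery Pack/ Battery system": 13.0,
}

# Table 4 (Ahadi et al. [38]): number of subassemblies by PV power rating (kW).
# Each list follows the key order of COMPONENT_POF_PER_MILLION.
SUBASSEMBLY_COUNT: Dict[int, List[int]] = {
    100: [437, 1, 1, 3, 1, 1, 16],
    500: [2166, 5, 1, 15, 5, 1, 76],
    1500: [6517, 14, 1, 42, 14, 1, 224],
    2500: [10868, 24, 1, 72, 24, 1, 372],
}

RAW_THRESHOLD = 2.5  # hardening strategy a): harden everything with RAW > 2.5


def subassembly_pof(power_kw: int) -> Dict[str, float]:
    """P_s for each subassembly type: count x per-component annual PoF."""
    counts = SUBASSEMBLY_COUNT[power_kw]
    return {name: n * rate * 1e-6
            for (name, rate), n in zip(COMPONENT_POF_PER_MILLION.items(), counts)}


def cumulative_fragility(pof: Dict[str, float]) -> float:
    """F_R(V), the default annual probability of system failure.

    Editor's reading of Table 7: the subassembly probabilities are summed
    (first-order approximation for a series system of rare failures).
    """
    return sum(pof.values())


def reliability_percent(pof: float) -> float:
    """Eqs (7) and (8): R = 100 - (P x 100), i.e. reliability in percent."""
    return 100.0 - pof * 100.0


def risk_achievement_worth(rs_percent: float, rs_qi_percent: float) -> float:
    """Eq (6): RAW(i) = [1 - R_s(Q_i - 1)] / [1 - R_s].

    Both reliabilities enter in percent, exactly as Table 11 evaluates them.
    """
    return (1.0 - rs_qi_percent) / (1.0 - rs_percent)


def raw_table(power_kw: int, rs_percent: float) -> Dict[str, float]:
    """RAW for every subassembly of a rating, given the system R_s (percent)."""
    return {name: risk_achievement_worth(rs_percent, reliability_percent(p))
            for name, p in subassembly_pof(power_kw).items()}


def hardening_candidates(raw: Dict[str, float],
                         threshold: float = RAW_THRESHOLD) -> List[str]:
    """Subassemblies that strategy a) would target; C_Mi = 0 when empty."""
    return sorted(name for name, value in raw.items() if value > threshold)


if __name__ == "__main__":
    # R_s of the 100 kW system in the flood case, taken from Table 10.
    RS_FLOOD_100KW = 99.98485434
    pof = subassembly_pof(100)
    fragility = cumulative_fragility(pof)
    print(f"F_R(V) 100 kW = {fragility:.9f}")
    print(f"default R_s   = {reliability_percent(fragility):.7f} %")
    raw = raw_table(100, RS_FLOOD_100KW)
    for name, value in raw.items():
        print(f"RAW {name:<50} {value:.9f}")
    print("hardening candidates:", hardening_candidates(raw) or "none, C_Mi = 0")
```

With the Table 4 count of one AC switch the 100 kW fragility comes out at 0.000266589 rather than the 0.000266657 printed in Table 7; the difference is exactly two further AC-switch terms (2 x 0.034 x 10^-6), so Table 7 appears to have used the DC-switch count for the AC switches. Because Equation (6) is evaluated with reliabilities in percent, every RAW lies within 0.3% of 1 and the 2.5 threshold is never reached, which is why C_Mi = 0 in the paper's LCC comparison.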


Table 5
(a) & (b) Causes and mitigation measures for Fire hazards risk assessment of grid connected PV system with Li-Ion Battery Storage

(a)
Causes

Fire Hazard Risk Assessment for grid connected PV system with Li-Ion Battery Storage
Photovoltaic Module: Short Circuit - electrical arcing; Insulation failure; Overheating - defective junction box; Defective sensor
Inverter: Faulty inverter; Inverter ventilation failed; Exposure to surrounding heat exceeding design tolerance
PV Fuses: Fuse with higher rating current than specification
Battery Storage: unexpected Immersion; Mechanical Shock; Excessive Vibration; Fire Exposure; Cycle without Thermal Control; Thermal Shock; Humidity Exposure; Short Circuit; High voltage exposure; Separator malfunction; Cell Puncture; Cell Crush; insulation failure; Cell balancing circuit fault; Voltage sensing circuit fault; Conductive fluid reaction; Conductive solid reaction; Battery management system failure; Cell temperature sensor fault; State of charge algorithm fault; Contactor control fault; Signal communication fault; Fuse fault; External heat source exceeded design tolerance; Active heating exceeding design tolerance; Conduction exceeding design tolerance; Inductive heating exceeding design tolerance; Ventilation failure

(b)
Causes | Mitigation measures
Short Circuit - electrical arcing | Install arc detection system, insulation and gap between parallel circuits, install Residual Current Detector (RCD) on positive and negative array wiring and connect to alarm
Insulation failure | Ensure adequate insulation between electricity-conducting components and the module's frame, use suppliers that comply with the IEC 61215 standard
Overheating - defective junction box | Install junction box according to specification, use junction box with proper rating for cooling, volume, IP rating
Defective sensor | Sensor fault detection system
Faulty inverter | Install Residual Current Detector (RCD) on +ve and -ve wire array and connect to inverter emergency stop
Inverter ventilation failed | Install cooling system monitoring system
Exposure to surrounding heat exceeding design tolerance | Install proper ventilation system, properly sized housing and distance between components and wiring
Fuse with higher rating current than specification | Reduce the size of the ground fault fuse, ensure fuses used are rated according to specification
unexpected Immersion | IP68 rated battery cell insulation
Mechanical Shock | Install battery protection housing
Excessive Vibration | Install battery protection housing, vibration damper
Fire Exposure | Adequate distance between adjacent cells, flame retardant ABS insulation materials covering cell block, protection housing, encapsulate battery PCB with temperature resistant silicone
Cycle without Thermal Control | Fault detection algorithm in BMS
Thermal Shock | Install battery protection housing, adequate distance between adjacent cells, insulation materials, protection housing, heat sink enclosure
Humidity Exposure | IP68 rated battery cell insulation
Short Circuit | Insulation materials, protection housing, adequate distance between adjacent cells, separators, operator intervention, battery management system
High voltage exposure | Voltage sensing circuit, voltage sensing fault detection algorithm
Separator malfunction | Install battery protection housing
Cell Puncture | Install battery protection housing, impact insulation materials, adequate distance between adjacent cells
Cell Crush | Install battery protection housing, impact insulation materials, adequate distance between adjacent cells
insulation failure | Periodic maintenance and inspection
Cell balancing circuit fault | Cell balancing fault detection algorithm, BMS fault algorithm
Voltage sensing circuit fault | Voltage sensing fault detection algorithm
Conductive fluid reaction | Protection housing, insulation materials, ventilation
Conductive solid reaction | Protection housing, insulation materials, ventilation
Battery management system failure | BMS fault detection system and algorithm
Cell temperature sensor fault | Sensor fault detection system
State of charge algorithm fault | Periodic validation of SOC algorithm, alarm if SoC below recommended value
Contactor control fault | Contactor control algorithm check
Signal communication fault | BMS fault detection system, EMS fault detection
Fuse fault | Current sensing algorithm and measurement, periodic maintenance, fault detection system
External heat source exceeded design tolerance | Follow manufacturer guideline on location and storage recommendation
Active heating exceeding design tolerance | Cooling and ventilation system, designed immersion cooling, heat sink enclosure
Conduction exceeding design tolerance | Cooling and ventilation system, designed immersion cooling, heat sink enclosure
Inductive heating exceeding design tolerance | Cooling and ventilation system, designed immersion cooling, heat sink enclosure
Ventilation failure | Ventilation monitoring system

as the cost of electricity per unit, maintenance cost, cost of materials/components and energy demand remaining constant are applied. The life cycle cost (LCC) is given as

$$LCC = C_{Mi} + C_M + C_r + C_R + C_c \qquad (9)$$

where
$C_{Mi}$ = cost of implementing targeted hardening measures
$C_M$ = cost of maintenance for the lifespan of the PV system
$C_r$ = repair cost to the PV system arising from hazards by uncontrollable interaction factors
$C_R$ = loss of revenue resulting from hazards by uncontrollable interaction factors
$C_c$ = cost of economic loss due to interruption of power supply to the nearby community
Take $C_{Mi}$ = 0 if there is no component or subassembly with RAW > 2.5.
The LCC calculation is valuable for economic justification, where the values of $C_r$ and $C_M$ vary depending on whether $C_{Mi}$ is included in the calculation. The intent of the LCC calculation is to find out the cost of maintenance and repair with or without targeted hardening measures and compare it with the cost of implementing the targeted hardening measures, to decide the cost effectiveness of the strategy.

Application: Mitigation measures and design improvement change
The targeted hardening mitigation measures from the uncontrollable interaction analysis are compared and combined with the mitigation measures from the controllable interaction analysis. It is normal to find overlaps in the mitigation measures proposed. The value in doing both routes of analysis is to realize the mitigation measures that are not discoverable by analysis of unsafe control actions, effectively addressing the potential gap of the STPA purist view of systemic based risk assessment.

Table 6
Probability of failure for PV System Component [42]

System Component | Probability of failure (10^-6 Failures yr-1)
Photovoltaic modules | 0.015
Inverter | 40
Isolator/ AC switches | 0.034
Isolator/ DC switches | 0.2
PV Fuses (AC Circuit breaker) | 5.7
Battery Unit Fuses (Differential Circuit breaker) | 5.7
Battery Pack/ Battery system | 13

Results and discussion

This result is summarised from a focused assessment of fire hazards in grid connected PV systems with battery storage. The results are used for comparison of the advantages of STPA-H over traditional safety engineering risk assessment techniques and STPA.

Results for controllable interactions

In the analysis of controllable interactions, the assessment is performed similarly to the STPA technique. The hierarchy control structure is constructed for component interactions within the system boundaries as shown in Figure 6, and representative control loops within the hierarchy control structure are studied for unsafe control actions. Causal scenarios for the unsafe control actions are then identified and mitigation measures are proposed. The causes and mitigation measures identified are summarized in Table 5.

Results for uncontrollable interactions

In the analysis of uncontrollable interactions, the calculation starts with referencing the probability of failure for each component of the grid connected PV system with battery storage from Nemes et al. [42], listed in Table 6. By referring to the number of subassemblies in Table 4 by Ahadi et al. [38] together with the probability of component failure in Table 6 and applying Equation (4), the probabilities of failure for the subassemblies, the cumulative system fragility and the default reliability of the PV system are calculated and summarized in Table 7 for different PV system power ratings. The probability of failure excludes the repair rate, and the linear model calculation is then applied to the system.
The uncontrollable interaction studied in this paper is flash flood in Marang, Terengganu. Historical records of flash flood in Marang are studied to fine tune the Monte Carlo simulation so that it is closer to reality. Based on the history from 2017 to 2020 gathered from news articles, it was observed that flash flood only happens in the months of January, November and December due to the monsoon rainy season. This information is used to fine tune the Monte Carlo simulations. The Monte Carlo simulations are presented in Table 8 and the probability density function derived from the simulation is presented in Table 9.
The annual probability of failure of the PV system and the reliability of the system due to flood in Marang are then calculated and listed in Table 10 by applying Equation (5) to the cumulative system fragility from Table 7 and the probability density function from Table 9.
The value for $R_s$ is calculated using Equation (7), whereas the value of $R_s(Q_i - 1)$ is calculated using Equation (8). RAW for PV sys-

Table 7
Probabilities of failure per year for subassemblies and system for different PV system power rating

Power (KW) 100 200 500 1000 1500 2000 2500


Photovoltaic modules 0.000006555 0.00001311 0.00003249 0.000065265 0.000097755 0.00013053 0.00016302
Inverter 0.00004 0.00008 0.0002 0.00036 0.00056 0.00076 0.00096
Isolator/AC switches 0.000000102 0.000000204 0.00000051 0.000000918 0.000001428 0.000001938 0.000002448
Isolator/DC switches 0.0000006 0.0000012 0.000003 0.0000054 0.0000084 0.0000114 0.0000144
PV Fuses (AC Circuit breaker) 0.0000057 0.0000114 0.0000285 0.0000513 0.0000798 0.0001083 0.0001368
Battery Unit Fuses (Differential Circuit breaker) 0.0000057 0.0000057 0.0000057 0.0000057 0.0000057 0.0000057 0.0000057
Battery Pack/ Battery system 0.000208 0.00039 0.000988 0.00195 0.002912 0.003874 0.004836
Probability of failure for PV system 0.000266657 0.000501614 0.0012582 0.002438583 0.003665083 0.004891868 0.006118368
(cumulative system fragility)
Default reliability of PV system 99.9733343 99.9498386 99.87418 99.7561417 99.6334917 99.5108132 99.3881632

Table 8
Monte Carlo Simulation of Flash flood in Marang, Terengganu with probability by months.

Probability of flood based on Monte Carlo Simulation


Year Jan Feb Mar April May Jun July August Sept Oct Nov Dec
2021 0.583525 0 0 0 0 0 0 0 0 0 0.026306 0.23283
2022 0.099732 0 0 0 0 0 0 0 0 0 0.441037 0.794127
2023 0.017177 0 0 0 0 0 0 0 0 0 0.677568 0.260257
2024 0.135958 0 0 0 0 0 0 0 0 0 0.277992 0.605452
2025 0.103878 0 0 0 0 0 0 0 0 0 0.20644 0.732218
2026 0.898982 0 0 0 0 0 0 0 0 0 0.272246 0.168522
2027 0.313283 0 0 0 0 0 0 0 0 0 0.12272 0.542493
2028 0.310851 0 0 0 0 0 0 0 0 0 0.827649 0.695768
2029 0.147876 0 0 0 0 0 0 0 0 0 0.723196 0.156475
2030 0.867037 0 0 0 0 0 0 0 0 0 0.913633 0.194789
2031 0.873713 0 0 0 0 0 0 0 0 0 0.841132 0.060855

Table 9
Probability density function of flash flood in Marang, Terengganu.

Probability Density Function calculation of flood in Marang


Year Mean for Nov, Dec, Jan Standard Deviation for Nov, Dec, Jan Value for evaluation Probability density function
2021 0.280887162 0.281700544 0.5 1.046518275
2022 0.444965437 0.347214139 0.5 1.134637712
2023 0.318334019 0.334003806 0.5 1.030195528
2024 0.339800645 0.240772624 0.5 1.327921386
2025 0.347512253 0.337088512 0.5 1.068390398
2026 0.44658322 0.395206276 0.5 1.000274586
2027 0.326165326 0.21018276 0.5 1.348269023
2028 0.611422655 0.268525145 0.5 1.363129691
2029 0.342515726 0.329707173 0.5 1.079542776
2030 0.658486578 0.402248933 0.5 0.917710887
2031 0.591899843 0.460187058 0.5 0.849798034

Table 10
Annual probability of Failure of PV system due to flood in Marang.

Cumulative System Fragility 0.000266657 0.000501614 0.0012582 0.002438583 0.003665083 0.004891868 0.006118368
Year Power (KW) 100 200 500 1000 1500 2000 2500
2021 0.849798034 1.60043E-05 3.0106E-05 7.5515E-05 0.000146 0.00022 0.000294
2022 0.917710887 2.11134E-05 3.9717E-05 9.9622E-05 0.000193 0.00029 0.000387
2023 1.000274586 8.10018E-06 1.5237E-05 3.822E-05 7.41E-05 0.000111 0.000149 0.00042
2024 1.030195528 4.51953E-06 8.5018E-06 2.1325E-05 4.13E-05 6.21E-05 8.29E-05 0.00052
2025 1.046518275 6.16745E-06 1.1602E-05 2.9101E-05 5.64E-05 8.48E-05 0.000113 0.00019
2026 1.068390398 3.19383E-06 6.008E-06 1.507E-05 2.92E-05 4.39E-05 5.86E-05 0.00011
2027 1.079542776 1.62648E-05 3.0596E-05 7.6744E-05 0.000149 0.000224 0.000298 0.00015
2028 1.134637712 6.34607E-05 0.00011938 0.00029943 0.00058 0.000872 0.001164 8.4E-05
2029 1.327921386 7.26029E-06 1.3657E-05 3.4257E-05 6.64E-05 9.98E-05 0.000133 0.00045
2030 1.348269023 5.37223E-06 1.0106E-05 2.5348E-05 4.91E-05 7.38E-05 9.86E-05 0.0016
2031 1.363129691 8.5E-05
Annual probability of failure of PV system due to flood  0.000151457  0.00028491  0.00071464  0.001385  0.002082  0.002778  0.00362
Reliability of system in flood, Rs (%)                   99.98485434  99.9715092  99.9285364  99.86149  99.79183  99.72215  99.6381

Table 11
RAW calculation for PV system subassemblies with different power rating. PoF: probability of failure of the subassembly; Rs(Q-1): as tabulated, 100(1 − PoF), in percent; Rs: reliability of the system in flood from Table 10, in percent; RAW: risk achievement worth from Equation (6).

Power (kW): 100
Subassembly                                        PoF          Rs(Q-1)     Rs           RAW
Photovoltaic modules                               0.000006555  99.9993445  99.98485434  1.000146388
Inverter                                           0.00004      99.996      99.98485434  1.0001126
Isolator / AC switches                             0.000000102  99.9999898  99.98485434  1.000152907
Isolator / DC switches                             0.0000006    99.99994    99.98485434  1.000152404
PV fuses (AC circuit breaker)                      0.0000057    99.99943    99.98485434  1.000147251
Battery unit fuses (differential circuit breaker)  0.0000057    99.99943    99.98485434  1.000147251
Battery pack / battery system                      0.000208     99.9792     99.98485434  0.999942877

Power (kW): 200
Subassembly                                        PoF          Rs(Q-1)     Rs           RAW
Photovoltaic modules                               0.00001311   99.998689   99.97150918  1.000274623
Inverter                                           0.00008      99.992      99.97150918  1.000207038
Isolator / AC switches                             0.000000204  99.9999796  99.97150918  1.000287663
Isolator / DC switches                             0.0000012    99.99988    99.97150918  1.000286656
PV fuses (AC circuit breaker)                      0.0000114    99.99886    99.97150918  1.00027635
Battery unit fuses (differential circuit breaker)  0.0000057    99.99943    99.97150918  1.00028211
Battery pack / battery system                      0.00039      99.961      99.97150918  0.999893816

Power (kW): 500
Subassembly                                        PoF          Rs(Q-1)     Rs           RAW
Photovoltaic modules                               0.00003249   99.996751   99.9285364   1.00068953
Inverter                                           0.0002       99.98       99.9285364   1.00052021
Isolator / AC switches                             0.00000051   99.999949   99.9285364   1.00072186
Isolator / DC switches                             0.000003     99.9997     99.9285364   1.00071934
PV fuses (AC circuit breaker)                      0.0000285    99.99715    99.9285364   1.00069357
Battery unit fuses (differential circuit breaker)  0.0000057    99.99943    99.9285364   1.00071661
Battery pack / battery system                      0.000988     99.9012     99.9285364   0.99972368

Power (kW): 1000
Subassembly                                        PoF          Rs(Q-1)     Rs           RAW
Photovoltaic modules                               0.000065265  99.9934735  99.86149265  1.001335008
Inverter                                           0.00036      99.964      99.86149265  1.001036878
Isolator / AC switches                             0.000000918  99.9999082  99.86149265  1.001400096
Isolator / DC switches                             0.0000054    99.99946    99.86149265  1.001395562
PV fuses (AC circuit breaker)                      0.0000513    99.99487    99.86149265  1.001349133
Battery unit fuses (differential circuit breaker)  0.0000057    99.99943    99.86149265  1.001395259
Battery pack / battery system                      0.00195      99.805      99.86149265  0.999428568

Power (kW): 1500
Subassembly                                        PoF          Rs(Q-1)     Rs           RAW
Photovoltaic modules                               0.000097755  99.9902245  99.79182954  1.002008212
Inverter                                           0.00056      99.944      99.79182954  1.001540314
Isolator / AC switches                             0.000001428  99.9998572  99.79182954  1.002105717
Isolator / DC switches                             0.0000084    99.99916    99.79182954  1.00209866
PV fuses (AC circuit breaker)                      0.0000798    99.99202    99.79182954  1.002026387
Battery unit fuses (differential circuit breaker)  0.0000057    99.99943    99.79182954  1.002101393
Battery pack / battery system                      0.002912     99.7088     99.79182954  0.999159551

Power (kW): 2000
Subassembly                                        PoF          Rs(Q-1)     Rs           RAW
Photovoltaic modules                               0.00013053   99.986947   99.72215025  1.002682243
Inverter                                           0.00076      99.924      99.72215025  1.002044625
Isolator / AC switches                             0.000001938  99.9998062  99.72215025  1.002812499
Isolator / DC switches                             0.0000114    99.99886    99.72215025  1.002802915
PV fuses (AC circuit breaker)                      0.0001083    99.98917    99.72215025  1.00270476
Battery unit fuses (differential circuit breaker)  0.0000057    99.99943    99.72215025  1.002808688
Battery pack / battery system                      0.003874     99.6126     99.72215025  0.998890317

Power (kW): 2500
Subassembly                                        PoF          Rs(Q-1)     Rs           RAW
Photovoltaic modules                               0.00016302   99.9837     99.63815     1.003503
Inverter                                           0.00096      99.904      99.63815     1.002695
Isolator / AC switches                             0.000002448  99.99976    99.63815     1.003666
Isolator / DC switches                             0.0000144    99.99856    99.63815     1.003654
PV fuses (AC circuit breaker)                      0.0001368    99.98632    99.63815     1.00353
Battery unit fuses (differential circuit breaker)  0.0000057    99.99943    99.63815     1.003663
Battery pack / battery system                      0.004836     99.5164     99.63815     0.998766
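The arithmetic behind Tables 9 to 11 for the 100 kW case, written out as an added worked example; this is not code from the paper. The inputs are copied from the tables above. The formulas are the relationships those columns exhibit and are stated here as assumptions: the PDF column of Table 9 is the normal density at x = 0.5 for the tabulated mean and standard deviation, the annual probability of failure in Table 10 is the sum of the yearly contributions, Rs = 100(1 − PoF) in percent, and RAW is taken as Rs(Q-1)/Rs. Equation (6) itself is not reproduced in this section, and that last ratio reproduces the RAW column only to about four decimal places, so treat it as a check on the table rather than as the paper's definition.

```python
"""Worked check of Tables 9-11 (100 kW case).  Added example; the inputs are
copied from the tables, the formulas are stated assumptions (see lead-in)."""
import math
from typing import Dict, List

# Table 9, row 2021: mean and standard deviation of the Nov/Dec/Jan flood
# probability, with the density evaluated at x = 0.5
TABLE9_2021 = {"x": 0.5, "mean": 0.280887162, "sd": 0.281700544}

# Table 10, 100 kW column, rows 2021-2030 (the 2031 row is empty in the table)
YEARLY_POF_100KW: List[float] = [
    1.60043e-05, 2.11134e-05, 8.10018e-06, 4.51953e-06, 6.16745e-06,
    3.19383e-06, 1.62648e-05, 6.34607e-05, 7.26029e-06, 5.37223e-06,
]

# Table 11, 100 kW block: probability of failure of each subassembly
SUBASSEMBLY_POF_100KW: Dict[str, float] = {
    "Photovoltaic modules": 0.000006555,
    "Inverter": 0.00004,
    "Isolator / AC switches": 0.000000102,
    "Isolator / DC switches": 0.0000006,
    "PV fuses (AC circuit breaker)": 0.0000057,
    "Battery unit fuses (differential circuit breaker)": 0.0000057,
    "Battery pack / battery system": 0.000208,
}

RAW_THRESHOLD = 2.5  # screening threshold used in the text


def normal_pdf(x: float, mean: float, sd: float) -> float:
    """Normal probability density f(x); reproduces the Table 9 PDF column."""
    z = (x - mean) / sd
    return math.exp(-0.5 * z * z) / (sd * math.sqrt(2.0 * math.pi))


def annual_pof(yearly: List[float]) -> float:
    """Annual probability of failure = sum of the yearly contributions (Table 10)."""
    return sum(yearly)


def reliability_pct(pof: float) -> float:
    """Rs in percent, as in the last row of Table 10."""
    return 100.0 * (1.0 - pof)


def raw(pof_sub: float, rs_pct: float) -> float:
    """Rs(Q-1)/Rs: the assumed form of the RAW column (agrees to ~4 decimals)."""
    rs_q1 = 100.0 * (1.0 - pof_sub)  # the Rs(Q-1) column of Table 11
    return rs_q1 / rs_pct


def raw_table(sub_pof: Dict[str, float], rs_pct: float) -> Dict[str, float]:
    """RAW for every subassembly at one power rating."""
    return {name: raw(p, rs_pct) for name, p in sub_pof.items()}


def hardening_candidates(raw_values: Dict[str, float],
                         threshold: float = RAW_THRESHOLD) -> List[str]:
    """Subassemblies whose RAW exceeds the screening threshold."""
    return [name for name, r in raw_values.items() if r > threshold]


def run_100kw() -> Dict[str, object]:
    """Chain Table 9 -> Table 10 -> Table 11 for the 100 kW rating."""
    pof = annual_pof(YEARLY_POF_100KW)
    rs = reliability_pct(pof)
    raws = raw_table(SUBASSEMBLY_POF_100KW, rs)
    return {
        "pdf_2021": normal_pdf(**TABLE9_2021),
        "annual_pof": pof,
        "rs_pct": rs,
        "raw": raws,
        "raw_spread": max(raws.values()) - min(raws.values()),
        "hardening": hardening_candidates(raws),
    }


if __name__ == "__main__":
    for key, value in run_100kw().items():
        print(key, value)
```

Note that every RAW in Table 11 lies within about 0.004 of 1. That is a property of the quantity tabulated: a ratio of two reliabilities expressed in percent, both within 0.5 % of 100, cannot move far from 1 however the failure probabilities are distributed, so it can never approach a threshold of 2.5. The classical risk achievement worth of Rausand and Høyland [40] is a ratio of system unreliabilities, with the component assumed failed versus nominal, which can be large for a component the system depends on. Whichever form Equation (6) adopts, a screening threshold only discriminates if the importance measure can actually exceed it.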

Table 12
Comparison of risk assessment methodology on fire hazard cause identification (fire hazard risk assessment for a grid-connected PV system with Li-ion battery storage).

Methodology:  FTA  ETA  FMEA  HAZID  HAZOP  STPA  STPA-H

Photovoltaic module
  Short circuit - electrical arcing                       Yes Yes Yes Yes Yes Yes Yes
  Insulation failure                                      Yes Yes Yes Yes Yes Yes
  Overheating - defective junction box                    Yes Yes Yes Yes Yes Yes Yes
  Defective sensor                                        Yes Yes Yes Yes Yes Yes
Inverter
  Faulty inverter                                         Yes Yes Yes Yes Yes Yes Yes
  Inverter ventilation failed                             Yes Yes Yes Yes Yes Yes
  Exposure to surrounding heat exceeding design tolerance Yes Yes Yes Yes Yes Yes
PV fuses
  Fuse with higher rated current than specification       Yes Yes Yes Yes Yes Yes
Battery storage
  Immersion                                               Yes Yes Yes Yes Yes
  Mechanical shock                                        Yes Yes Yes Yes Yes Yes
  Excessive vibration                                     Yes Yes Yes Yes Yes
  Fire exposure                                           Yes Yes Yes Yes Yes
  Cycle without thermal control                           Yes Yes Yes
  Thermal shock                                           Yes Yes Yes Yes Yes Yes
  Humidity exposure                                       Yes Yes Yes Yes
  Short circuit                                           Yes Yes Yes Yes Yes Yes Yes
  High voltage exposure                                   Yes Yes Yes Yes Yes Yes Yes
  Separator malfunction                                   Yes Yes Yes Yes Yes
  Cell puncture                                           Yes Yes Yes Yes Yes
  Cell crush                                              Yes Yes Yes Yes Yes
  Insulation failure                                      Yes Yes Yes Yes Yes Yes
  Cell balancing circuit fault                            Yes Yes Yes Yes
  Voltage sensing circuit fault                           Yes Yes Yes Yes
  Conductive fluid reaction                               Yes Yes Yes Yes Yes
  Conductive solid reaction                               Yes Yes Yes Yes Yes
  Battery management system failure                       Yes Yes Yes Yes Yes
  Cell temperature sensor fault                           Yes Yes Yes Yes Yes Yes Yes
  State of charge algorithm fault                         Yes Yes
  Contactor control fault                                 Yes Yes Yes
  Signal communication fault                              Yes Yes
  Fuse fault                                              Yes Yes Yes Yes Yes Yes
  External heat source exceeding design tolerance         Yes Yes Yes Yes
  Active heating exceeding design tolerance               Yes Yes Yes Yes Yes
  Conduction exceeding design tolerance                   Yes Yes Yes Yes Yes
  Inductive heating exceeding design tolerance            Yes Yes Yes Yes Yes
  Ventilation failure                                     Yes Yes Yes Yes Yes Yes

*Yes – root cause assessed/detected with the methodology. Rows with fewer than seven entries have blank cells for the methods that did not identify the cause.

tem subassemblies are then calculated by applying Equation (6) and listed in Table 11.
From the calculation, no subassembly has a RAW greater than 2.5, so no targeted hardening preventive measure is required to mitigate the flood hazard in Marang. The mitigation measures identified in the controllable-interaction analysis are sufficient to reduce the risk to as low as reasonably practicable. In other words, safe control actions such as shutting down the system are expected to be sufficient to mitigate fire hazards from short circuits caused by flood or humidity.

Comparing risk assessment

The outcome of STPA-H is compared with traditional safety engineering assessment (FTA, ETA, FMEA, HAZID, HAZOP) and with systemic risk assessment (STPA), with the focus on the fire hazard identified. The result is summarised in Table 12 and indicates that adapting the underlying principles of both the analytic view and the systemic view in STPA-H gives the most comprehensive coverage.
The comprehensive coverage of STPA-H shows that the most suitable framework for safety and risk assessment of future energy systems with storage must consider both the systemic view and the component-centric analytic view. The STPA-H consideration parameters and workflow proved to be a systematic way of gathering insight from both perspectives for hazard management. Although the techniques compared are fundamentally different in their objectives, their underlying principles are the same and comparable. All techniques need a boundary definition to limit the scope of study, hazard identification [43] to focus the study, a structured approach to relate hazards to causes, a systematic evaluation workflow, and delivery of measures to address the hazards. The consideration parameters of the traditional engineering, STPA and STPA-H risk assessment techniques are summarised in Table 13, which shows that STPA-H uses all the learnings from the existing techniques.

Limitation with traditional safety engineering assessment

Traditional safety engineering assessment assumes that safety increases with increasing reliability. The ability of a system or component to perform its designated function gives some indication that the system is working as intended, and increasing the reliability of a safety function can make the system safer, but it does not guarantee that an accident will not occur. For example, consider an arc fault in a solar PV system. An inverter with built-in arc detection identifies a DC arc fault from the noise the arc produces on the cable and isolates the inverter on detection. The arc detection may reliably extinguish a series arc, but it cannot isolate a parallel arc or a ground-fault arc. Similarly, rapid shutdown devices installed in a solar system may reliably isolate the DC circuit when a DC arc fault is detected, but they cannot isolate faults occurring on the many connections within the solar array, and they offer only limited protection against ground faults.

Table 13
Overview of safety/risk assessment method vs fundamental consideration parameters (x = parameter considered by the method).

                                          Traditional                     Systemic   Hybrid
Fundamental parameter                     FTA  ETA  FMEA  HAZID  HAZOP    STPA       STPA-H
Nodes/system boundaries                   x    x    x     x      -        x          x
Control structure                         -    -    -     -      -        x          x
Design parameters/elements                x    x    x     x      x        -          x
Design intent                             x    x    x     x      -        -          x
Guidewords                                -    -    -     -      x        -          x
Event                                     x    x    x     x      x        x          x
Causes                                    x    -    x     x      x        x          x
Consequences                              -    x    -     x      x        -          x
Probability ranking/risk ranking          x    x    x     x      -        -          x
Preventive measures                       x    -    x     x      x        x          x
Mitigating measures                       -    x    x     x      x        x          x
Action required                           -    -    -     -      x        x          x
Responsibilities                          -    -    -     -      -        x          x
Constraints                               -    -    -     -      -        x          x
Control actions                           -    -    -     -      -        x          x

FTA - Fault Tree Analysis
ETA - Event Tree Analysis
FMEA - Failure Mode Effect Analysis
HAZID - Hazard Identification
HAZOP - Hazard and Operability Study
STPA - Systems-Theoretic Process Analysis
STPA-H - Systems-Theoretic Process Analysis Hybrid
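The contrast drawn above between reliability and safety, and the STPA scenario the paper uses for the fire hazard (untimely or inaccurate safety-related data reaching the controller, for example a disconnected measurement circuit that leaves the battery management system without a valid cell temperature), can be shown in a few lines of Python. This is an added illustration, not code from the paper: the BMS controller, the trip temperature, the freshness limit, the plausibility range and the telemetry trace are all assumptions. Every component in the trace keeps "working"; the sensor merely stops updating, and the naive controller keeps acting on its last reading. The constrained controller enforces the safety constraint the systemic view asks for: the contactor may stay closed only while a fresh, plausible temperature below the limit is available, and missing, stale or implausible feedback is itself a reason to open.

```python
"""Unsafe control action without a failed component: a BMS that acts on stale
feedback.  Added illustration; thresholds, names and the trace are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

TRIP_TEMP_C = 60.0            # assumed cell temperature at which the contactor must open
MAX_AGE_S = 2.0               # assumed maximum age of a sample the BMS may act on
PLAUSIBLE_C = (-20.0, 120.0)  # assumed physically plausible range for a cell sensor


@dataclass(frozen=True)
class Tick:
    now: float                  # controller tick time (s)
    true_temp_c: float          # physical cell temperature (not visible to the BMS)
    fb_temp_c: Optional[float]  # value in the feedback register, None = never written
    fb_time_s: float            # timestamp of the measurement behind that value


@dataclass(frozen=True)
class Decision:
    now: float
    contactor_closed: bool
    reason: str


# Constructed trace: the sensor reports normally until t = 4 s, then the
# measurement circuit disconnects (the register keeps 45 C stamped t = 4) while
# the cell heats up.  Nothing here looks like a failure to the controller.
TRACE: List[Tick] = [
    Tick(0.0, 30.0, 30.0, 0.0),
    Tick(1.0, 32.0, 32.0, 1.0),
    Tick(2.0, 35.0, 35.0, 2.0),
    Tick(3.0, 40.0, 40.0, 3.0),
    Tick(4.0, 45.0, 45.0, 4.0),
    Tick(5.0, 50.0, 45.0, 4.0),  # disconnected: value and timestamp stop advancing
    Tick(6.0, 56.0, 45.0, 4.0),
    Tick(7.0, 62.0, 45.0, 4.0),
    Tick(8.0, 69.0, 45.0, 4.0),
    Tick(9.0, 76.0, 45.0, 4.0),
]


def naive_controller(trace: List[Tick]) -> List[Decision]:
    """Opens the contactor only when the register value reaches the trip point.
    It never asks how old that value is, so the unsafe control action 'open
    contactor not provided while the cell is over temperature' occurs as soon
    as the sensor goes silent."""
    out: List[Decision] = []
    for t in trace:
        hot = t.fb_temp_c is not None and t.fb_temp_c >= TRIP_TEMP_C
        out.append(Decision(t.now, not hot, "trip" if hot else "register below trip"))
    return out


def constrained_controller(trace: List[Tick]) -> List[Decision]:
    """Enforces the safety constraint: contactor closed only while a fresh and
    plausible temperature below the trip point is available (fail-safe)."""
    out: List[Decision] = []
    for t in trace:
        if t.fb_temp_c is None:
            closed, reason = False, "no feedback"
        elif t.now - t.fb_time_s > MAX_AGE_S:
            closed, reason = False, "stale feedback"
        elif not (PLAUSIBLE_C[0] <= t.fb_temp_c <= PLAUSIBLE_C[1]):
            closed, reason = False, "implausible feedback"
        elif t.fb_temp_c >= TRIP_TEMP_C:
            closed, reason = False, "trip"
        else:
            closed, reason = True, "fresh value below trip"
        out.append(Decision(t.now, closed, reason))
    return out


def hazard_times(trace: List[Tick], decisions: List[Decision]) -> List[float]:
    """Ticks at which the hazardous state exists: contactor closed while the
    physical cell temperature is at or above the trip point."""
    return [t.now for t, d in zip(trace, decisions)
            if d.contactor_closed and t.true_temp_c >= TRIP_TEMP_C]


def first_open(decisions: List[Decision]) -> Optional[float]:
    """Time of the first 'open contactor' action, or None if never given."""
    for d in decisions:
        if not d.contactor_closed:
            return d.now
    return None


if __name__ == "__main__":
    for name, ctrl in (("naive", naive_controller), ("constrained", constrained_controller)):
        dec = ctrl(TRACE)
        print(name, "opens at", first_open(dec), "hazard ticks", hazard_times(TRACE, dec))
```

The naive controller never opens the contactor and the hazardous state exists from t = 7 s onwards; the constrained controller opens at t = 7 s on the "stale feedback" branch, before the physical temperature crosses the limit, without any component having been modelled as failed. The same freshness and plausibility checks also cover a sensor that has been tampered with to report a frozen value, which is one of the "uncontrollable system interactions" (unauthorised modification of critical sensing devices) discussed in the text.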

The accident model of traditional safety engineering risk assessment assumes that chains of events lead to accidents and that risk can be assessed by evaluating the event chains that contribute to a loss. The fundamental view in such a model is that an event results in a new condition, which leads to new events that create further conditions; together they produce a domino effect that ends in catastrophic loss. Events are time-bound occurrences, whereas a condition persists until an additional event produces a new condition. For example, flammable vapour released from a Li-ion battery system and mixed with air is a condition that exists for a period before another event, the spark that provides the ignition source, leads to an explosion. The explosion in turn creates a new condition in which uncontrolled energy is released to the surroundings. The causal relationship in the event-chain model is limited to being direct and linear, and it is subject to bias in the selection of the root-cause event.
The same event may be given different causal links depending on the analyst's interpretation of it. For example, the source of a spark in a Li-ion battery can be carbonisation of the PCB in a cell in thermal runaway, with the continuous voltage from adjacent cells triggering the spark, or an external source such as electrostatic discharge when a technician or operator does not follow the proper guidelines for operating, inspecting or servicing the system. It is hard for an analyst to account for all possible sources of accidents, and too often non-technical aspects are left out of the analysis. Traditional safety engineering methods also assume that the initiating events in a chain are mutually exclusive in order to perform probabilistic risk assessment on them, while in practice the initiating events are often not exclusive.

Limitation with purist systemic assessment

A technique such as STPA takes a purist system perspective on safety. STPA assumes that accidents happen because of unsafe control actions, and that the key to safety is controlling the processes so that accidents do not propagate. In the fire hazard example, STPA attributes the fire event to untimely and inaccurate safety-related data supplied to the energy management system. Potential causal scenarios include a disconnection within the measurement circuit, so that the sensor has no power to perform its function, or an incorrectly configured battery management system, either of which leads to an unsafe control action. The disconnection may originate in manufacturing, for example a terminal that was not tightened properly.
The causal scenarios developed by STPA are qualitative, but they treat non-probabilistic components as part of a controlled process, which a traditional safety assessment method may miss. For example, STPA will consider the implication of a state-of-charge algorithm fault in causing a fire hazard, which may be missed with traditional safety engineering techniques. Purist systemic risk assessment therefore has some advantages over traditional techniques for causes that can be mitigated by safe control actions that consistently implement safety constraints. However, a purist systemic technique such as STPA excludes flows and signal exchanges that are not directly connected to the control of the process. STPA is also limited if the control hierarchy is not built properly: an incomplete or improperly built control hierarchy fundamentally affects the coverage of the analysis, and crucial information exchanges or interactions may be missed.
STPA also risks missing "uncontrollable system interactions", where executing process control to implement a safety constraint may mitigate a hazard to a certain extent, but an accident may still occur if component reliability and equipment failure are ignored. Examples are fire hazards arising from uncontrollable system interactions such as earthquake, flash flood, hailstorm, animals crossing the site, or unauthorised modification of critical sensing devices. Ignoring the component-centric view may also leave out indirect causal factors such as cable insulation degrading over time through UV exposure and ageing, insulation cracking with changes in temperature, and damage to components from future building works. Any of these may cause a DC arc and a fire hazard.

Systems Theoretic Process Analysis – Hybrid (STPA-H)

Adopting both the underlying principles of the systemic view and of the component-centric analytic view in the STPA-H technique has advantages

over the purist traditional safety eng

ineering technique and the purist systemic technique. The causal scenarios developed for "controllable system interactions" are similar to those of the purist STPA technique. The fundamental difference is that STPA-H applies a component-centric view to analyse "uncontrollable system interactions", where probability-based analysis is applied to find the many probabilistic factors that contribute to a hazardous event. Accident scenarios are studied to identify where components may fail, and the interactions of the components are analysed. A component importance index is then calculated to evaluate the relative importance of each component to the reliability and safety performance of the complete system, and targeted "hardening preventive and mitigation measures" are identified. A lifecycle cost analysis is then performed to evaluate whether the targeted hardening measures are feasible to implement.
The two branching routes of controllable and uncontrollable system interaction analysis may yield overlapping hazard causes and overlapping preventive or mitigation measures, one route focusing on component failures and the other on design and safety-constraint failures. Fire hazards arising from a DC arc, caused by insulation breakdown or a short circuit from water ingress or flooding, are a good example. Unexpected water retention in the vicinity of a PV system with battery storage leads to water ingress into cables, conduits, DC isolators, the inverter, solar modules or junction boxes; combined with degraded insulation or poor installation, a fire hazard may result. The controllable-interaction route proposes mitigation measures such as rapid system shutdown, improvements in circuit design (e.g. the distance between parallel strings) and improved drainage, to stop the accident from propagating. The uncontrollable-interaction route proposes mitigation measures such as a change of insulation materials and improvements in the circuit safety design.
The comparative study of the risk assessment techniques confirms that the reliance of traditional safety engineering assessment on hazard and component inventories makes it difficult for the assessor to consider all abnormal and normal situations and designs effectively, and hence to perform a comprehensive study of increasingly complex energy systems whose interactions are becoming non-linear. This finding is consistent with Rosewater et al. [8] and Riemersma et al. [32], who state that systemic assessment provides a structured approach to analysing system hazards in complex systems by focusing on the interactions between system components. However, this paper also finds that adopting both the component-centric view and the systemic view in a risk assessment technique gives the best result and the most comprehensive coverage when applied to a PV system with battery storage. The study boundary is based on the weather information around the proposed solar plant of the LSS project in Marang, Terengganu, on the earlier reliability analysis of PV systems by Nemes et al. [42] for probability-of-failure data, and on the study by Ahadi et al. [38] for the subassemblies of a grid-connected PV system with battery storage.

Conclusions

This paper finds that the traditional safety engineering risk assessment techniques (FTA, ETA, FMEA, HAZID, HAZOP) are powerful and sharp in analysing system component failures with linear interactions, whereas the systemic risk assessment technique (STPA) is more suitable for analysing complex system and component interactions. STPA can identify accidents that arise even when components are working according to design, which is very important with increasing automation and the introduction of IoT devices in future energy systems. This paper proposed Systems Theoretic Process Analysis – Hybrid (STPA-H), a hybrid and improved adaptation of the underlying principles of both traditional safety engineering risk assessment and systemic risk assessment, as a risk assessment technique for future energy systems. The paper concludes that STPA-H is an important improvement over the existing techniques in providing comprehensive risk assessment coverage. STPA-H is illustrated with a grid-connected PV system with battery storage as the example, but the technique is applicable to large-scale storage and utilities.
The respective strengths of the two routes become visible when their outcomes are linked to the system attributes under analysis. The uncontrollable-interaction route, which adopts the component-centric view, is powerful in identifying hazards related to components that serve one purpose and focuses the analysis on linear interactions between sub-systems or components. The controllable-interaction route, which adopts the systemic view, is powerful in identifying hazards related to the interactions between components and non-linear interactions between sub-systems. In the uncontrollable-interaction analysis for the grid-connected PV system with battery storage, the probability of failure of the PV system (cumulative system fragility) ranges from 0.000266657 to 0.006118368 for power ratings from 100 kW to 2500 kW. The uncontrollable interaction studied in this paper is flash flooding in Marang, Terengganu. Flash floods were observed to occur only in January, November and December, during the monsoon season. The probability of flood ranges from 0.583525 (2021) to 0.873713 (2031) in January, from 0.026306 (2021) to 0.841132 (2031) in November and from 0.23283 (2021) to 0.060855 (2031) in December. The annual probability of failure and the reliability of the PV system under flood in Marang were estimated, the risk achievement worth (RAW) was computed for the PV system subassemblies at different power ratings, the risk assessment methodologies were compared on fire hazard cause identification, and an overview of the safety/risk assessment methods against the fundamental consideration parameters was presented.
This paper has two significant implications for safety engineering in energy systems. First, safety and reliability are different attributes of a system, but they remain closely related in leading to accident events: sustained use of only a purist systemic view or only an analytic view may lead to underestimation of system hazards. Analysis of the unsafe control actions leading to an accident is important to safety from the systemic view, but component failures remain relevant and need continuous attention. Second, a technique developed from a hybrid of the systemic and the traditional safety engineering analytic principles provides a new perspective on safety and risk assessment in energy systems. This paper serves as encouragement for both academics and practitioners in the energy sector to explore beyond the existing risk assessment methodologies and to challenge the status quo for the energy systems of the future. It is expected to contribute to the Malaysian government's progression of LSS3, and the awarded project vendor and the Sustainable Energy Development Authority (SEDA) will benefit from it. The STPA-H analysis is performed in the context of Malaysia's renewable energy development and can serve as a reference for further adoption as fit.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.


References

[1] Environment and Energy Study Institute, Fact Sheet: Energy Storage, 2019. Available at https://www.eesi.org/papers/view/energy-storage-2019#2
[2] M. Mohanan, Y.I. Go, Optimized power system management scheme for LSS PV grid integration in Malaysia using reactive power compensation technique, Global Challenges 4 (4) (2020) 1900093.
[3] R. Khan, Y.I. Go, Assessment of Malaysia's large-scale solar projects: power system analysis for solar PV grid integration, Global Challenges 4 (2) (2019) 1900060.
[4] Energy Commission of Malaysia, Guidelines on Large Scale Solar Photovoltaic Plant for Connection to Electricity Network [Electricity Supply Act (Amendment) 2015 (Act A1501)], 2019.
[5] M. Laajimi, Y.I. Go, Energy storage system design for large-scale solar PV in Malaysia: technical and environmental assessments, Journal of Energy Storage 26 (2019) 100984, https://doi.org/10.1016/j.est.2019.100984.
[6] M. Laajimi, Y.I. Go, Energy storage system design for large-scale solar PV in Malaysia: techno-economic analysis, Renewables 8 (2021) 3.
[7] Y.L. Teo, Y.I. Go, Techno-economic-environmental analysis of solar/hybrid/storage for vertical farming system: a case study, Malaysia, Renewable Energy Focus 37 (2021) 50–67, https://doi.org/10.1016/j.ref.2021.02.005.
[8] D. Rosewater, A. Williams, Analyzing system safety in lithium-ion grid energy storage, Journal of Power Sources 300 (2015) 460–471, https://doi.org/10.1016/j.jpowsour.2015.09.068.
[9] P.L. Clemens, R.J. Simmons, System Safety and Risk Management, NIOSH Instructional Module, A Guide for Engineering Educators, National Institute for Occupational Safety and Health, Cincinnati, OH, 1998, pp. IX-3–IX-7. Available at https://www.cdc.gov/niosh/docs/96-37768/pdfs/96-37768.pdf
[10] E.-S. Hong, I.-M. Lee, H.-S. Shin, S.-W. Nam, J.-S. Kong, Quantitative risk evaluation based on event tree analysis technique: application to the design of shield TBM, Tunnelling and Underground Space Technology 24 (3) (2009) 269–277, https://doi.org/10.1016/j.tust.2008.09.004.
[11] D. Kim, S. Kim, E. Kim, Y. Park, Risk assessment of energy storage system using event tree analysis, 2016, https://doi.org/10.14346/JKOSOS.2016.31.3.34.
[12] W.E. Vesely, F.F. Goldberg, N.H. Roberts, D.F. Haas, Fault Tree Handbook, Systems and Reliability Research, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, 1981.
[13] A. Volkanovski, M. Čepin, B. Mavko, Application of the fault tree analysis for assessment of power system reliability, Reliability Engineering & System Safety 94 (6) (2009) 1116–1127, https://doi.org/10.1016/j.ress.2009.01.004.
[14] Y.Y. Haimes, Risk Assessment, Modelling and Management, 3rd ed., John Wiley & Sons, 2009. Available at https://onlinelibrary.wiley.com/doi/book/10.1002/9780470422489
[15] A.A. Baig, R. Ruzli, A.B. Buang, Reliability analysis using fault tree analysis: a review, International Journal of Chemical Engineering and Applications 4 (3) (2013). Available at http://www.ijcea.org/papers/287-I20009.pdf
[16] A. Masias, Ford Safety Performance of Rechargeable Energy Storage Systems, Report No. DOT HS 812 756, National Highway Traffic Safety Administration, Washington, DC, 2019. Available at https://trid.trb.org/view/1644416
[17] M. Held, R. Brönnimann, Safe cell, safe battery? Battery fire investigation using FMEA, FTA and practical experiments, Microelectronics Reliability 64 (2016) 705–710, https://doi.org/10.1016/j.microrel.2016.07.051.
[18] A. Pesaran, G.-H. Kim, M. Keyser, Integration Issues of Cells into Battery Packs for Plug-In and Hybrid Electric Vehicles, NREL/CP-540-45779, 2009.
[19] W. Dai, P. Maropoulos, W. Cheung, X. Tang, Decision-making in product quality based on failure knowledge, International Journal of Product Lifecycle Management 5 (2011) 143–163, https://doi.org/10.1504/IJPLM.2011.043185.
[20] M. Braglia, MAFMA: multi-attribute failure mode analysis, International Journal of Quality & Reliability Management 17 (2000) 1017–1033, https://doi.org/10.1108/02656710010353885.
[21] G.P. Haugom, T. Sverud, A.A. Langli, N. Frithiof, Electrical Energy Storage for Ships, Report No. 2019-0217, Rev. 04, European Maritime Safety Agency (EMSA), Portugal, 2020. Available at http://www.emsa.europa.eu/publications/item/3895-study-on-electrical-energy-storage-for-ships.html
[22] S.A. McCoy, S.J. Wakeman, F.D. Larkin, P.W.H. Chung, A.G. Rushton, F.P. Lees, HAZID, a computer aid for hazard identification: 4. Learning set, main study system, output quality and validation trials, Process Safety and Environmental Protection 78 (2) (2000) 91–119, https://doi.org/10.1205/095758200530501.
[23] H.R. Kavanian, J.K. Rao, G.V. Brown, Application of Hazard Evaluation Techniques to the Design of Potentially Hazardous Industrial Chemical Processes, U.S. Department of Health and Human Services, Public Health Service, Centers for Disease Control, National Institute for Occupational Safety and Health, Division of Training and Manpower Development, Cincinnati, OH, 1992.
[24] F. Crawley, Hazard and operability study (HAZOP), in: A Guide to Hazard Identification Methods, 2nd ed., 2020, https://doi.org/10.1016/B978-0-12-819543-7.00004-5.
[25] British Standards Institution, Hazard and Operability Studies (HAZOP Studies), BS EN 61882:2016, 2016. Available at https://shop.bsigroup.com/ProductDetail/?pid=000000000030309555
[26] F. Crawley, B. Tyler, HAZOP: Guide to Best Practice, 3rd ed., Elsevier, 2015, ISBN 978-0-323-39460-4. Available at https://www.elsevier.com/books/hazop-guide-to-best-practice/crawley/978-0-323-39460-4
[27] AIChE Center for Chemical Process Safety, Guidelines for Hazard Evaluation Procedures, 3rd ed., USA, 2008. Available at https://www.aiche.org/resources/publications/books/guidelines-hazard-evaluation-procedures-3rd-edition
[28] D. Jones, Initiation and Installation HAZOPS Report, CONSORT Bruny Island Battery Trial, Tasmanian Networks Pty Limited, 2016. Available at http://brunybatterytrial.org/wp-content/uploads/2016/09/HazOpS-Report.pdf
[29] D. Rosewater, Engineering System Theory Applied to Stationary Energy Storage Safety, Sandia National Laboratories, SAND2014-19648C, 2014. Available at https://www.osti.gov/servlets/purl/1367598
[30] N.G. Leveson, J.P. Thomas, STPA Handbook, Department of Aeronautics and Astronautics and Engineering Systems Division, Massachusetts Institute of Technology, 2018. Available at https://psas.scripts.mit.edu/home/get_file.php?name=STPA_handbook.pdf
[31] C. Schmittner, Z. Ma, P. Puschner, Limitation and improvement of STPA-Sec for safety and security co-analysis, vol. 9923 (2016) 195–209. Available at https://link.springer.com/chapter/10.1007/978-3-319-45480-1_16
[32] B. Riemersma, R. Künneke, G. Reniers, A. Correljé, Upholding safety in future energy systems: the need for systemic risk assessment, Energies 13 (24) (2020) 6523, https://doi.org/10.3390/en13246523.
[33] K.E. Weick, K. Sutcliffe, D. Obstfeld, Organizing for high reliability, Research in Organizational Behavior 21 (1999) 81–123.
[34] N.G. Leveson, Engineering a Safer World, The MIT Press, 2012.
[35] M.A.M. Khan, Y.I. Go, Design, optimization and safety assessment of energy storage: a case study of large-scale solar in Malaysia, Energy Storage 3 (2021) e221, https://doi.org/10.1002/est2.221.
[36] A. Faruhaan, Y.I. Go, Energy storage sizing and enhanced dispatch strategy with temperature and safety considerations: a techno-economic analysis, Energy Storage 3 (6) (2021) e260, https://doi.org/10.1002/est2.260.
[37] A. Taras, G. Ratel, L. Chouinard, A life-cycle cost approach to the maintenance of overhead line supports, in: Reliability and Optimization of Structural Systems: Proceedings of the 11th IFIP WG7.5 Working Conference, Banff, Canada, 2–5 November 2003, 2004.
[38] A. Ahadi, N. Ghadimi, D. Mirabbasi, Reliability assessment for components of large-scale photovoltaic systems, Journal of Power Sources 264 (2014) 211–219.
[39] A. Salman, Risk-Based Assessment and Strengthening of Electric Power Systems Subjected to Natural Hazards, Michigan Technological University, 2016.
[40] M. Rausand, A. Høyland, System Reliability Theory: Models, Statistical Methods, and Applications, John Wiley & Sons, 2004.
[41] J.M. Pinar Pérez, F.P. García Márquez, A. Tobias, M. Papaelias, Wind turbine reliability analysis, Renewable and Sustainable Energy Reviews 23 (2013) 463–472, https://doi.org/10.1016/j.rser.2013.03.018.
[42] C. Nemes, F. Munteanu, M. Rotariu, D. Astanei, Availability assessment for grid-connected photovoltaic systems with energy storage, in: Proceedings of the 2016 International Conference and Exposition on Electrical and Power Engineering (EPE), Iasi, Romania, 20–22 October 2016, pp. 908–911.
[43] C.A. Ericson, Hazard Analysis Techniques for System Safety, 2nd ed., John Wiley & Sons, 2015.
