Risk Assessment of Micro Energy Grid Protection Layers

Abstract: Micro energy grids (MEGs) are used extensively to meet the combined electricity, heating, and cooling energy demands of all types of customers. This paper develops a hazard matrix for a MEG and utilizes two advanced risk modeling approaches, fault tree analysis and layer of protection analysis (LOPA), for MEG risk analysis. A number of independent protection layers (IPLs) are proposed to achieve a resilient MEG and hence to increase its safety integrity level (SIL). The IPLs are realized with co-generators and thermal energy storage (TES) techniques to minimize the hazards of system failure, increase efficiency, and minimize greenhouse gas emissions. The proposed modeling and risk assessment approach aims to design a resilient MEG that can utilize those potentials efficiently. In addition, an energy risk analysis is applied to each of the MEG's physical domains, i.e., electrical, thermal, mechanical and chemical. The concurrent objectives are increased resiliency, reduced emissions, and a sustained economy.


Introduction
A micro energy grid (MEG) can be defined as a local distribution system that comprises energy sources, distribution lines, metering infrastructure, and computing/control systems. MEGs may integrate numerous types of renewable energy sources such as solar photovoltaic (PV), wind turbines (WT), small hydro, geothermal, waste-to-energy, and combined heat and power (CHP) systems [1].
MEGs have promising contributions to the efficient utilization of renewable energy and to improving the resiliency of energy distribution grids. MEGs reduce energy losses and increase self-healing capability by utilizing multiple local sources and an adaptive grid topology [2]. MEGs provide accumulative/integrated multi-energy systems (i.e., electricity, cooling, and heating energy) [3]. MEGs include distributed generators, energy storage devices, and predictive energy management to reduce both electricity costs and emissions, as well as to improve energy reliability and efficiency [4]. From the system's perspective, a MEG is one controllable unit that combines local energy sources and energy storage units and is capable of being self-sufficient in covering the electricity, cooling, and heating demands of its local customers.
A MEG can apply adaptive control/scheduling algorithms to its local energy sources to realize autonomous operation during normal and/or peak demand. Moreover, those adaptive algorithms facilitate self-healing during a main/upstream grid failure, because a MEG can operate independently as an islanded unit by using its generation nodes and energy storage units to cover its local demands.
Energies 2017, 10, 1176 2 of 19

Effective design of a fault-tolerant management system for a MEG realizes the full capability of resiliency and eco-friendly energy production. A MEG is composed of complex subsystems with varied response characteristics at various time scales. Therefore, a hierarchical pattern is recommended for the control topology of such complex systems [5,6]. It includes an overall supervisory control independent protection layer (IPL), which determines the set-points of the significant operating parameters of the MEG based on energy demand: for instance, which distributed energy resources (DERs) should be operating (on/off states) and under what conditions they must operate (energy levels, power levels, temperatures, pressures, mass flow rates, and so on) [7]. Several advantages can be gained by utilizing resilient MEGs, as listed below:

• Enhance the reliability of the system's performance,
• Enhance customers' awareness and choices,
• Encourage efficient decisions to be taken by the utility providers,
• Better match between energy generation and energy use, and hence lower cost and/or losses.
When resilient MEG technology is applied to a city, the city is called a "Smart Green City", such as Canada's Dockside or the UAE's Masdar. On the other hand, incorporating multiple DERs, particularly renewable energy sources (RES), into existing energy grids offers significant challenges due to the intermittent and varying characteristics of the environment, in addition to the uncertainty of dealing with indefinite system behaviors; constructing such large complex systems is therefore associated with high risk levels [8]. Thus, there is an increased demand for MEG designs with higher safety fault tolerance against numerous types of risk, compared with the various discrete systems used earlier [9,10]. Hereby, risk analysis becomes a fundamental part of a practical MEG.

Hazard and Risk Analysis Literature Review
A layered fault tree model was modified in ref. [11] to differentiate between islanded and grid-connected modes of a micro-grid (MG). A hierarchical Monte Carlo simulation method was utilized to examine the system's reliability by combining power sufficiency assessment with system failure insights. The design concept was enhanced based on the assumption that the load priority measures are sufficient to define the weak part of the system.
In [12], a comparison between the Bahill and Haimes risk analysis approaches was presented, together with a case study of the risk of incorporating solar photovoltaic systems into a commercial electric power grid. The study shows the strengths and weaknesses of each approach.
A new design for a process named Diogenes was presented in [13]. Diogenes helps systems engineers identify the unintended, but predictable, consequences of fault propagation in new systems under design.
An efficient multi-player collaboration framework was presented in ref. [14] to characterize sources of system risk from various expert opinions. It can be considered a key solution for unstructured, multidimensional problems.
Reference [15] introduces risk analyses for pinewood derbies, surveys several risk analysis techniques, and presents the problems that accompany them.
The article [16] proposes and implements a real-time distributed measuring-node network to diagnose faults in uninterruptible high-power supply systems and high-power transformers of an MG used for railway interlocking signaling installations. The proposed methodology is based on the analysis of thermal and electrical symptoms and on a mechanical degradation index obtained by measuring vibration.
A failure mode and effect analysis (FMEA) approach was presented in [17] for fault diagnosis of energy storage units, valve-regulated lead-acid batteries, and 3-phase high-power transformers utilized in switching converters and power isolation. The FMEA approach utilizes the distributed measuring-node network described in [16], based on electrical (voltage, current, impedance) and thermal degradation analysis and vibration-based mechanical stress diagnosis. Much safety instrumented function (SIF) hardware has been integrated into energy distribution grids to protect people, premises and equipment from the negative consequences of failure propagation. Hereinafter, some cutting-edge SIF technologies are presented.
Reference [18] presents fault detection, isolation, and service restoration (FDIR) for an outage event in electrical distribution grids. An intelligent power switch with integrated protection and self-diagnostics was proposed in ref. [19], using HV-CMOS technology to safely handle ordinary and extraordinary automotive electrical and environmental conditions. Zero-sequence components were described in [20] for micro-grid protection against single-line-to-ground faults, and [21] utilizes negative-sequence components of the line current for protection against line-to-line faults. A survey of the protection requirements of DC micro-grids is given in [22,23]. Numerous types of intelligent relays have been proposed for micro-grids that consist of various types of energy sources [24,25]. A plug-and-play function was proposed in [26] by creating an IEC 61850 information structure for a micro energy grid; the proposal aims to create standards for the design, operation and protection of micro-grids.

Definition of Risk
Risk is an essential factor in any system's safety design, where risk can be defined as the potential harm or loss correlated with an activity performed under uncertain circumstances. The first use of "risk" was in 1667, by Arnauld and Nicole, who assumed it consisted of at least two components: "Fear of some harm ought to be proportional not only to the magnitude of the harm, but also to the probability of the event" [27].
There are different methods to identify and quantify risks. The existing risk quantification methods are discussed below:
(1) Haimes, in [28], uses the accumulated summation of the probability density function of the severity of consequences and a random variable of the severity of consequences; thus, the frequency of occurrence of the hazard is latent.
(2) Bahill, in [29], quantifies risk by combining a function of the frequency of occurrence with the severity of the failure consequences. Bahill's method is commonly used in North American industries.
(3) In [30], two combining functions are illustrated:
I- Linear combining functions, which accumulate the summation of the products of the weight of importance with the score variable. The weight of importance is a random variable between 0 and 1.
II- Product combining functions, which accumulate the products of the score variable raised to the power of the weight of importance.
(4) Exponential combining functions [31], which take the exponent of the summation of a linear combination of the weight of importance and the score variable; a constant may be used for calibration purposes.
(5) The sum-minus-product combining function [32], which is derived from the probability of the union of independent events (i.e., $S + L - S \cdot L$ for severity $S$ and likelihood $L$). However, this function is deficient when used to quantify risk: if the severity or the likelihood is 0 then the risk should be 0, which is not the case with this equation (a severity of 0 still yields a risk equal to the likelihood).
(6) The compromised combining function [33], which deploys two weight variables with two different score variables.
(7) Reference [34] presents risk as double the severity weight multiplied by the frequency of fault event occurrence.
(8) In [35], the failure modes and effects analysis (FMEA) incorporates the difficulty of detection. It consists of the product of the frequency of occurrence, the severity of the failure consequences and the difficulty of detection.
(9) The hazard level can also be the product of the consequence severity and the fault class [36], where the fault class is a combination of the probability of failure, the fault event frequency and the system's ability to avoid the failure occasion.

Problem Definition
The micro energy grid (MEG) was initiated to overcome the challenges of energy supply and distribution [37]. However, details about the safety design of MEGs, which is essential for obtaining a resilient MEG, are unavailable. Failure in any component, such as a DER, might increase the hazard(s) of demand not served (DNS) and/or blackouts/brownouts. Furthermore, on-site renewable energy sources (RES) have an accompanying intermittency that may affect the integrity of the MEG. Thus, MEGs require highly adaptive performance from the distributed energy systems.
Faults in MEGs, if not controlled properly, might propagate and cause blackouts and/or energy outages. However, fault detection and fault-tolerance actions in MEGs are still open research areas. The existing studies on hazard estimation are on a case-by-case basis [38,39,40,41]. Estimating fault propagation and analysing the consequences are major challenges for safety design verification. To implement a precise safety verification approach, it is vital to analyse and diagnose all hazard and fault events in the MEG and to study fault propagation scenarios. Figure 1 shows the MEG structure [4] that is utilized as the case study for MEG safety design.

Research Methodology
The general objective of this research is to provide a methodology for the safety design and verification of MEGs. The method offers a tool to achieve an accurate safety design of MEGs by using the developed hazard analysis and risk assessment methods, then implementing the required IPLs, which consist of SIF and non-SIF systems, to achieve an acceptable safety tolerance margin. Finally, several hazard scenarios are studied to validate the MEG's self-healing and resiliency performance. The research methodology is presented in Figure 2 and can be summarized as follows:
(1) Study the hazards and estimate the risks of a MEG, such as hazards in the electricity, heating, cooling and transportation sectors and hazards due to natural phenomena.
(2) Rank the hazard events based on the hazard level, then prioritize them from most to least significant.
(3) Estimate MEG risks for all identified scenarios using the developed fault tree analysis, and propose safety performance indicators for safety evaluation.
(4) Study and develop IPLs for MEG safety design and evaluate the SIL using the developed LOPA analysis.
Hence, the proposed safety technique can be projected onto different MEG configurations with minor refinement to fit the new configuration.

Hazard and Risk Analysis Techniques for MEGs
The hazard matrix is an effective methodology used in risk analysis. The first use of the risk matrix was in 1973 [42]. The hazard matrix can visualize and rank hazard events based on their risk level; therefore, it is an effective tool for risk analysis and decision making.
The MEG foundation design in this research does not use inherent safeguard protection layers. Table 1 shows the major hazards that threaten the MEG system in the electrical, cooling, heating, natural gas and transportation grids, and it suggests the corresponding remedy actions to eliminate the negative impacts and subsequently avoid the risks of failure or blackout. Each row in the hazard matrix (Table 1) describes a certain hazard in the MEG and shows its statistical parameters: the consequence severity of the hazard event, the risk occurrence (i.e., frequency, probability and avoidance), the hazard level, which is derived from Equation (1), and the hazard rank, which is assessed by experts. Furthermore, the fault consequences and the suggested remedy actions and solutions are presented.
Generally, the hazard events are extracted from historical maintenance data and expert knowledge. Likewise, the hazard occurrence parameters, i.e., frequency, probability and avoidance, can be evaluated from historical data or judged by experts. The risk quantification method used in this table is the product form described as item (9) in Section 1.2 and shown in Equation (1):

$$\text{Hazard level}_i = S_i \cdot C_i, \qquad C_i = P_i + F_i + A_i \qquad (1)$$

where $S_i$ is the consequence severity of hazard event $i$, $C_i$ is the hazard event likelihood class, $P_i$ is the probability, $F_i$ is the frequency, and $A_i$ is the ability to avoid the failure.

Safety Design, Risk Assessment and Protection Layers of MEG
A MEG is commonly known as a dynamic structured system with numerous operating conditions. Accordingly, it needs improved adaptive protection strategies by means of intelligent control and supervisory units founded on safety measures and criteria.
The safety design of a MEG is intended to improve the rigidity of the energy system in the course of abnormal cases, as well as to avoid fault and damage propagation. The safety design approach can be realized by detecting and isolating faulted or defective components in the MEG structure, in addition to the inherent contribution of safety strategies to the safeguarding of property, the environment and the public [43].
The IEC 61511 (ANSI/ISA-84.00.01-2004) standard describes a safety instrumented system (SIS) as an instrumented system used to implement one or more safety instrumented functions (SIF). An SIS consists of groups of sensor(s), logic solver(s), and final element(s). "Safety-related system" is an alternative expression for SIS given by IEC 61508 [44].
Although an SIS monitors the process parameters, it acts only when needed, whereas a control loop in the basic process control system (BPCS) is utilized to keep the process parameters within the tolerated margins [45]. The proposed hazard analysis algorithm for a MEG consists of the following steps:
(1) Implement the MEG hazard table.
(2) Rank the hazards based on the hazard level.
(3) Filter the hazard events to eliminate hazards with low severity and high class as well as ones with high severity and low class.
(4) Prioritize the filtered hazard events.
(5) Set out the feasible prevention and mitigation solutions to discuss the necessary actions with the stakeholders.
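The five-step algorithm above, driven by the hazard level of Equation (1), as an added worked example (this is not code from the paper). The 1..5 severity scale, the 1..3 scales for probability, frequency and avoidance, the class/severity cut-offs used by the filter in step (3), the catastrophic and marginal thresholds standing in for the "red" and "blue" curves of Figure 3, and the sample rows with their remedy actions are all assumptions made for this example; the paper's Table 1 uses expert-assigned values.

```python
"""Hazard matrix ranking and filtering for a MEG.

Added example, not code from the paper. Implements the hazard level of
Equation (1), hazard level = S_i * C_i with C_i = P_i + F_i + A_i, and the
five-step hazard analysis algorithm. All scales, thresholds and sample
values are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Hazard:
    name: str
    severity: int     # S_i: consequence severity, assumed 1 (negligible) .. 5 (catastrophic)
    probability: int  # P_i: probability of failure, assumed 1 (low) .. 3 (high)
    frequency: int    # F_i: fault event frequency, assumed 1 .. 3
    avoidance: int    # A_i: difficulty of avoiding the failure, assumed 1 (easy) .. 3 (hard)
    remedy: str       # suggested remedy action (assumed)

    @property
    def hazard_class(self) -> int:
        """C_i = P_i + F_i + A_i, the hazard event likelihood class."""
        return self.probability + self.frequency + self.avoidance

    @property
    def hazard_level(self) -> int:
        """Equation (1): hazard level = S_i * C_i."""
        return self.severity * self.hazard_class


# Step (1): the hazard table. Constructed sample rows; the names follow
# Table 1, the numbers and remedies are assumptions.
SAMPLE_HAZARDS: List[Hazard] = [
    Hazard("Overload above the grid capability", 4, 3, 3, 2, "load shedding, co-generator dispatch"),
    Hazard("Solar farm outage", 5, 3, 2, 3, "co-generator and TES reserve"),
    Hazard("Gas leak in the main pipes", 5, 2, 2, 3, "ESD and isolation valves"),
    Hazard("Leak in the cooling pipe branch", 2, 3, 3, 3, "local isolation, redundant pump"),
    Hazard("Chiller fault", 4, 1, 1, 2, "redundant chiller, TES discharge"),
    Hazard("High correlation of cooling and electricity demand", 3, 3, 3, 2, "TES charging at off-peak hours"),
    Hazard("Transportation breakdown", 2, 1, 2, 1, "demand rescheduling"),
]


def rank_hazards(hazards: List[Hazard]) -> List[Hazard]:
    """Step (2): most to least significant by hazard level."""
    return sorted(hazards, key=lambda h: h.hazard_level, reverse=True)


def filter_hazards(hazards: List[Hazard], low_severity: int = 2, high_severity: int = 4,
                   low_class: int = 4, high_class: int = 8) -> List[Hazard]:
    """Step (3): drop low-severity/high-class and high-severity/low-class events
    so that the remaining list is dominated by the major effective hazards."""
    kept = []
    for h in hazards:
        if h.severity <= low_severity and h.hazard_class >= high_class:
            continue
        if h.severity >= high_severity and h.hazard_class <= low_class:
            continue
        kept.append(h)
    return kept


def prioritize(hazards: List[Hazard], catastrophic: int = 30, marginal: int = 15) -> Dict[str, List[Hazard]]:
    """Step (4): tier the ranked events against the catastrophic ("red") and
    marginal ("blue") limits; the thresholds are assumptions."""
    tiers: Dict[str, List[Hazard]] = {"catastrophic": [], "marginal": [], "low": []}
    for h in rank_hazards(hazards):
        if h.hazard_level >= catastrophic:
            tiers["catastrophic"].append(h)
        elif h.hazard_level >= marginal:
            tiers["marginal"].append(h)
        else:
            tiers["low"].append(h)
    return tiers


def remedy_plan(tiers: Dict[str, List[Hazard]]) -> List[str]:
    """Step (5): remedy actions in priority order, for discussion with stakeholders."""
    plan = []
    for tier in ("catastrophic", "marginal"):
        for h in tiers[tier]:
            plan.append(f"[{tier}] level {h.hazard_level:>2}: {h.name} -> {h.remedy}")
    return plan


def hazard_analysis(hazards: List[Hazard] = SAMPLE_HAZARDS) -> Dict[str, List[Hazard]]:
    """Run steps (2) to (4); remedy_plan() gives step (5)."""
    return prioritize(filter_hazards(rank_hazards(hazards)))


if __name__ == "__main__":
    for line in remedy_plan(hazard_analysis()):
        print(line)
```

With the sample values, the cooling branch leak (severity 2, class 9) and the chiller fault (severity 4, class 4) are removed by step (3), and the three remaining events with hazard level 30 or more land above the catastrophic limit in the order solar farm outage, gas leak, overload.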
In general, risk analysis measures the hazardous conditions that appear during operation. The average time period between successive hazardous events is estimated to be over 10 years if safety parameters are considered during the design process [46]. Accordingly, the SIS is passive during normal operation and will probably be activated only once or less during a ten-year interval. Table 2 illustrates the SIS operating conditions [47]. The fail-danger mode is the major hazard in the system: although the system appears to operate normally in this state, the automatic protection of the SIS is not available, and there is no indication of that failure [48]. Hazard analysis alone is clearly not sufficient for the right decision; the hazards should be prioritized and discussed with the decision-making team in light of the affordable level of fault consequences and the budget available for remedy actions. Figure 3 plots the MEG hazards according to the hazard level shown in Table 1. The hazard events shown in Table 3 have the highest hazard ranks, lying above the proposed catastrophic limit ("red curve"); those hazards must have priority in mitigation and prevention actions. The hazard events illustrated in Table 4, which have ranks between the proposed catastrophic limit ("red curve") and the marginal risk limit ("blue curve"), are medium priority for remedy actions.

Gas leak in the main pipes

Safety Instrumented System Engineering Requirements
Although an SIS is similar to a BPCS in numerous ways, the differences lie in its unique design, maintenance, and automated integrity requirements. Thus, in addition to the functional requirements of normal performance that are associated with control system design, the following shall be considered in an SIS design [44]:
• Design diagnostics to detect fail-danger automatically
• Design manual test procedures to detect fail-danger
• Design to meet international and local standards

Safety Integrity Level
The safety integrity level (SIL) is an expression of the relative level of risk reduction offered by a certain SIF; i.e., the SIL is an indication of the system's safety performance. IEC EN 61508 defines the SILs for low-demand operation by their relation to the PFD (probability of failure on demand) and the RRF (risk reduction factor), as shown in Table 5 [44]; in low-demand mode, SIL 1 corresponds to $10^{-2} \le PFD_{avg} < 10^{-1}$, SIL 2 to $10^{-3} \le PFD_{avg} < 10^{-2}$, SIL 3 to $10^{-4} \le PFD_{avg} < 10^{-3}$, and SIL 4 to $10^{-5} \le PFD_{avg} < 10^{-4}$, with $RRF = 1/PFD_{avg}$. A safety instrumented function (SIF) is defined by IEC 61511 as a "safety function with a specified safety integrity level which is necessary to achieve functional safety" [49]. A safety function can be described as a "function to be implemented by a SIS, other technology safety-related system or external risk reduction facilities, which is intended to achieve or maintain a safe state for the process, with respect to a specific hazardous event" [16].

Fault Tree for MEG
Time to failure (T) is one of the most important static parameters in safety engineering. It can be used to derive another important measurement, known as the failure rate. The real-time failure rate $\lambda$ is generally obtained by counting the number of failures per unit of time for a selected quantity of identical components:

$$\lambda = \frac{\text{number of failures}}{\text{number of components} \times t}$$

where $t$ refers to the operation time line. Reliability is then $R(t) = e^{-\lambda t}$, the probability of failure on demand is $F(t) = 1 - e^{-\lambda t} \approx \lambda t$ (the approximation holds only while $\lambda t \ll 1$), and the mean time to failure is $MTTF = 1/\lambda$.
The fault tree technique is widely used to present probability combinations. This technique starts with the definition of an "undesirable event", generally a process failure of some type. Then, the technique determines all the hazard events and the combinations of events that result in the undesirable event. Therefore, the fault tree is useful in modeling the failure roots of a specific failure mode; different failure modes can be presented by means of different undesirable events in different fault trees. Figure 4 illustrates the fault tree analysis developed for the MEG. The top event is the probability of failure on demand (PFD) of a MEG blackout. The developed method offers a clear means to present multiple failure modes. Equation (5) [50] evaluates the PFD of this top event for the selected MEG from the PFDs of its individual systems. The PFD associated with each individual system in the MEG can be derived from a historical operation database and engineering experience; the PFDs for selected individual components are shown in Tables 6 and 7.

Figure 4. Fault tree analysis of MEG blackout top event hazard.

The probability of an energy blackout for the MEG can be obtained by substituting the individual component failure rates into Equation (5). It shows that the top event PFD is reduced by roughly five orders of magnitude by the proposed non-SIF IPLs discussed in Section 3.5, from 0.1992 for the conventional energy grid to $1.6114 \times 10^{-6}$; the SIF IPLs then contribute a further factor of $10^{-4}$.
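The failure-rate arithmetic and the fault tree evaluation described above, as an added example (not the paper's code and not its Equation (5) or its Figure 4 tree). The gate logic is the standard treatment of independent basic events: an AND gate multiplies the input PFDs, an OR gate takes one minus the product of the complements. The tree shape, the field failure counts and every leaf PFD are constructed assumptions, not the values of Tables 6 and 7; the co-generator branch shows how adding IPL-1 turns a single-point loss of local generation into an AND combination.

```python
"""Failure-rate arithmetic and fault tree evaluation for a MEG blackout top event.

Added example, not the paper's code or its Equation (5). The gate logic is
the standard fault tree treatment of independent basic events; the tree
shape and every leaf PFD below are constructed assumptions.
"""
import math
from typing import Tuple, Union

Node = Union[float, Tuple[str, list]]   # a leaf PFD, or (gate, [children])


def failure_rate(failures: int, units: int, hours: float) -> float:
    """lambda = failures / (number of identical components * observation time)."""
    return failures / (units * hours)


def reliability(lam: float, t: float) -> float:
    """R(t) = exp(-lambda t)."""
    return math.exp(-lam * t)


def pfd_exact(lam: float, t: float) -> float:
    """F(t) = 1 - exp(-lambda t)."""
    return 1.0 - math.exp(-lam * t)


def pfd_approx(lam: float, t: float) -> float:
    """F(t) ~ lambda t, valid only while lambda t << 1."""
    return lam * t


def mttf(lam: float) -> float:
    """Mean time to failure = 1 / lambda."""
    return 1.0 / lam


def approximation_error(lam: float, t: float) -> float:
    """Relative error of the lambda*t shortcut; the shortcut always overestimates F(t)."""
    exact = pfd_exact(lam, t)
    return (pfd_approx(lam, t) - exact) / exact


def evaluate(node: Node) -> float:
    """Top-event probability of a fault tree whose basic events are independent.
    AND: every input fails, product of PFDs. OR: any input fails, 1 - prod(1 - PFD)."""
    if isinstance(node, float):
        return node
    gate, children = node
    probs = [evaluate(child) for child in children]
    if gate == "AND":
        return math.prod(probs)
    if gate == "OR":
        return 1.0 - math.prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate {gate!r}")


# Constructed leaf PFDs (assumptions for this example, not Tables 6 and 7).
UTILITY_OUTAGE = 0.05    # upstream grid unavailable
PV_SHORTFALL = 0.30      # solar farm output drop while islanded
COGEN_FAIL = 0.02        # co-generator unavailable (IPL-1)
FEEDER_FAULT = 0.01      # local distribution fault not cleared


def blackout_tree(with_cogen: bool) -> Node:
    """Blackout = (utility lost AND local generation lost) OR feeder fault.
    With IPL-1 present, losing local generation needs PV and co-gen to fail together."""
    local_loss: Node = ("AND", [PV_SHORTFALL, COGEN_FAIL]) if with_cogen else PV_SHORTFALL
    return ("OR", [("AND", [UTILITY_OUTAGE, local_loss]), FEEDER_FAULT])


def blackout_pfd(with_cogen: bool) -> float:
    return evaluate(blackout_tree(with_cogen))


if __name__ == "__main__":
    lam = failure_rate(failures=3, units=50, hours=8760.0)   # constructed field data
    print(f"lambda={lam:.3e}/h  MTTF={mttf(lam):.0f} h  F(1 yr) exact={pfd_exact(lam, 8760.0):.4f}"
          f" approx={pfd_approx(lam, 8760.0):.4f} (error {approximation_error(lam, 8760.0):.1%})")
    print(f"blackout PFD without co-gen {blackout_pfd(False):.5f}, with co-gen {blackout_pfd(True):.5f}")
```

For the constructed field data, $\lambda t = 0.06$ and the $\lambda t$ shortcut overstates $F(t)$ by about 3%, which is why the approximation is only used when $\lambda t \ll 1$. Adding the co-generator under the local-generation AND gate lowers the constructed blackout PFD from 0.02485 to 0.010297; what remains is dominated by the feeder fault, which no generation-side IPL addresses.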

Independent Protection Layers and Layer of Protection Analysis
The independent protection layer (IPL) can be defined as a system, device, or action that can prevent the process from proceeding to an undesired consequence scenario. It must be independent of the initiating event and of the action of any other layer of protection linked with the scenario. The essential characteristics of an IPL can be summarized as follows:
• The ability to suppress the propagation of the fault consequence, if the IPL functions as intended;
• Auditability, where the IPL is assumed effective in terms of statistical validation of risk indices (by documentation, review or testing).
Layer of protection analysis (LOPA) is developed to determine whether the selected IPLs are sufficient to tolerate certain risks and to suppress the hazard of the consequence scenarios [54]. Each IPL has its own PFD:

$$PFD_n = p_n \qquad (4)$$

where $n$ indicates the layer level; the PFD value has a direct impact on system resiliency, as expressed by the LOPA path equation. The IPLs shown in Figure 5 are proposed to mitigate the MEG's most hazardous events listed in Table 3. These IPLs are required to tolerate the hazard of losing energy in the MEG by utilizing co-generators, TES, and supervisory fault-tolerant predictive energy management control. Consequently, utilizing the IPLs realizes the concurrent goals of increasing energy availability, improving production quality/cost, and reducing gas emissions. Details of the proposed IPLs in this study are as follows:
IPL-1: Co-generators, to overcome the lack of power production at peak hours and to cope with the intermittency of renewable resources.
IPL-2: Thermal energy storage, an effective tool for MEG operation due to the following advantages: (A) reshaping the energy profile by reserving off-peak production for use at on-peak demand hours; (B) a centralized infrastructure where large thermal reservoirs provide flexibility to manage cooling dynamics, as well as lower emissions and energy failure risks.
IPL-3: Supervisory fault-tolerant energy management (FTEM) controllers, which play a primary role in MEG reliability, where management of distributed resources near the renewable energy source is the most effective means of handling the penetration of renewable resources.
IPL-4: Safety alarm system, an important SIF layer whose main role is to monitor the health status of the MEG and to provide real-time information about the fault type and location in case of a fault event.
IPL-5: Emergency shutdown system (ESD), a paramount SIF layer due to its ability to mitigate the consequences of the fault event when the above IPLs are unable to prevent fault propagation.
These IPLs can be examined in future studies to explore different techniques and compare their performance with respect to MEG resiliency.

LOPA shows a reduction of the system risk level from 0.199054 (SIL-0, i.e., below SIL 1) for the conventional energy grid to $1.611 \times 10^{-6}$ (beyond the SIL-4 range) with the selected non-SIF IPLs, i.e., co-generation, TES and management control. By adding the selected SIF IPLs, as shown in Figure 5, the LOPA path value is further reduced by a factor of $10^{-4}$, as defined by Equation (7).
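The LOPA path calculation behind these numbers, as an added example (not the paper's code and not its Equation (7)). The mitigated value is the standard LOPA product of the unmitigated value and the PFD of every layer, which is only meaningful if the layers really are independent, so the example refuses to multiply layers that share a sensor, logic solver or final element. The SIL bands are the IEC 61508 low-demand ranges. The unmitigated value 0.199054 is the paper's; every layer PFD and component list is an assumption made for this example, chosen so that the three non-SIF layers together give a $10^{-5}$-order reduction and the two SIF layers a further $10^{-4}$, as reported above.

```python
"""LOPA path calculation, IPL independence check and SIL classification.

Added example, not the paper's code or its Equation (7). Layer PFDs and
component lists are assumptions; 0.199054 is the paper's unmitigated value.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class IPL:
    name: str
    pfd: float                     # p_n of Equation (4)
    sif: bool = False              # True for safety instrumented layers (alarm, ESD)
    components: Set[str] = field(default_factory=set)  # hardware/logic the layer relies on


def independence_conflicts(layers: List[IPL]) -> List[Tuple[str, str, str]]:
    """Two layers that share a sensor, logic solver or final element are not
    independent: one common-cause failure would defeat both. Returns
    (earlier_layer, later_layer, shared_component) triples."""
    owner = {}
    conflicts = []
    for layer in layers:
        for comp in sorted(layer.components):
            if comp in owner and owner[comp] != layer.name:
                conflicts.append((owner[comp], layer.name, comp))
            owner.setdefault(comp, layer.name)
    return conflicts


def lopa_path(unmitigated: float, layers: List[IPL]) -> float:
    """Mitigated value = unmitigated * prod(PFD_n), valid only for independent layers."""
    if independence_conflicts(layers):
        raise ValueError("layers share components and cannot be multiplied as IPLs")
    result = unmitigated
    for layer in layers:
        result *= layer.pfd
    return result


def sil_for_pfd(pfd: float) -> int:
    """IEC 61508 low-demand bands: SIL 1 = [1e-2, 1e-1), SIL 2 = [1e-3, 1e-2),
    SIL 3 = [1e-4, 1e-3), SIL 4 = [1e-5, 1e-4). Returns 0 below SIL 1; values
    under 1e-5 are beyond the table and are reported as 4."""
    if pfd >= 1e-1:
        return 0
    for sil, lower in ((1, 1e-2), (2, 1e-3), (3, 1e-4), (4, 1e-5)):
        if pfd >= lower:
            return sil
    return 4


def risk_reduction_factor(unmitigated: float, mitigated: float) -> float:
    """RRF = 1 / (mitigated / unmitigated)."""
    return unmitigated / mitigated


# Constructed layers; PFDs and components are assumptions.
NON_SIF = [
    IPL("IPL-1 co-generators", 0.04, components={"cogen_unit", "cogen_controller"}),
    IPL("IPL-2 thermal energy storage", 0.02, components={"tes_tank", "tes_pumps"}),
    IPL("IPL-3 FTEM controller", 0.01, components={"ems_server"}),
]
SIF = [
    IPL("IPL-4 safety alarm system", 0.01, sif=True, components={"alarm_plc", "plant_sensors"}),
    IPL("IPL-5 emergency shutdown", 0.01, sif=True, components={"esd_logic_solver", "trip_valves"}),
]
UNMITIGATED = 0.199054   # conventional grid value reported in the paper


def meg_lopa() -> dict:
    """Unmitigated -> after non-SIF layers -> after SIF layers, with SIL and RRF."""
    after_non_sif = lopa_path(UNMITIGATED, NON_SIF)
    after_all = lopa_path(UNMITIGATED, NON_SIF + SIF)
    return {
        "unmitigated": (UNMITIGATED, sil_for_pfd(UNMITIGATED)),
        "non_sif": (after_non_sif, sil_for_pfd(after_non_sif)),
        "all": (after_all, sil_for_pfd(after_all)),
        "rrf_non_sif": risk_reduction_factor(UNMITIGATED, after_non_sif),
        "sif_factor": after_all / after_non_sif,
    }


if __name__ == "__main__":
    for key, value in meg_lopa().items():
        print(key, value)
    # An alarm that runs on the FTEM server is not independent of IPL-3:
    bad = IPL("IPL-4 alarm on EMS", 0.01, sif=True, components={"ems_server"})
    print(independence_conflicts(NON_SIF + [bad]))
```

The independence check is the part a reviewer of a LOPA should insist on: if the safety alarm (IPL-4) were implemented on the same server as the FTEM controller (IPL-3), a single server failure would remove both layers at once and the product of their PFDs would overstate the protection. The check flags the shared component and lopa_path() refuses to credit the layer.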

Summary
In this paper, a study of safety design and risk analysis within the MEG was developed to achieve a resilient MEG design and implementation. A framework for the safety design methodology was presented and discussed. A developed hazard matrix was proposed for the MEG, and a hazard analysis algorithm was contributed to assist the decision maker in prioritizing hazardous events. Afterwards, advanced fault tree analysis and LOPA were utilized to estimate the risk reduction and the SIL obtained by incorporating selected IPLs in the MEG. Selected SIF and non-SIF IPLs were utilized to achieve a resilient MEG by increasing the SIL. Extremely high hazards, which have either high severity with low class or high class with low severity, were eliminated in order to focus on the major effective hazards and to propose suitable IPLs to prevent their consequences. The results show that the proposed non-SIF protection layers reduce the risk of MEG blackout by a factor of $10^{-5}$ and the proposed SIF protection layers add another factor of $10^{-4}$ to the safety performance of the original MEG. In light of the promising results of this research, it can be affirmed that the proposed methodology offers an effective safety tool for MEG design and verification. The proposed tool can be widely utilized in the design and verification of large complex systems.
Author Contributions: The main idea proposed in this paper was conceived and designed by Hossam A. Gabbar

Table 1 (excerpt rows):
(1) Overload (above the grid capability)
(2) Faults in the power systems (generation, transmission or distribution)
(3) Solar farm outage: solar panel output drops by 60 MW in 15 min
(4) Cooling outage: faults in the cooling system (chiller, TES, pumps, pipes and valves)
(5) Leak in the cooling pipe branch
(6) High correlation of cooling demand with electricity demand
(7) Heating outage: faults in the heating system (co-gen, boiler, TES, pumps, pipes and valves)
(8) Transportation breakdown: transportation energy demand

Table 1. Excerpt list of hazards in MEG.

Table 2. Operating conditions of SIS.

Table 3. Hazard events in catastrophic range.

Table 4. Hazard events in marginal risk range.

Table 5. Relationship between average probability of failure on demand and safety integrity level (SIL).
Several combinations of different IPLs can be suggested to augment MEG resiliency. The following are examples of IPLs:
• MEG storage system (E/T/C): energy storage units are classified based on their technology; the most popular are batteries, supercapacitors, flywheels, hydro tanks, thermal energy storage and superconducting magnetic energy storage
• Prime mover: co-generators, fuel cells, micro gas turbines, geothermal resources and hybrid turbine systems
• Intelligent control systems for normal operation to ensure rigid performance
• Smart energy asset management for both sources and loads within the MEG boundary
• Emergency control for resilient systems in abnormal cases
• Risk assessment platform and alarm system
• MEG safety shutdown and restoration systems
• Upper-level centralized/decentralized MEG management with the utility grids