FMEA and Risks Assessment for Thermochemical Energy Storage Systems Based on Carbonates

Abstract: Thermochemical energy storage systems from carbonates, mainly those based on calcium carbonate, have been gaining momentum in the last few years. However, despite the considerable interest in the process, the Technology Readiness Level (TRL) is still low. Therefore, facing the progressive development of the technology at different scales, it is essential to carry out a comprehensive risk assessment and a Failure Mode Effect and Analysis (FMEA) process to guarantee the safety and operation of the technology systems. In this study, the methodology was applied to a first-of-its-kind prototype, and it is a valuable tool for assessing safe design and operation and potential scaling up. The present work describes the methodology for carrying out these analyses to construct a kW-scale prototype of an energy storage system based on calcium carbonate. The main potential risks occur during the testing and operation stages (>50% of identified risks), being derived mainly from potential overheating in the reactors, failures in the control of the solar shape at the receiver, and potential failures of the control system. Through the assessment of Risk Priority Numbers (RPNs), it was identified that the issues requiring more attention are related to the hot fluid path, to avoid loss of heat transfer and potential damage (to personnel and to the facilities), mainly due to their probability of occurrence (>8 on a scale of 10). The results derived from the FMEA analysis show the need for specific control measures in the reactors, especially in the calciner, with high operation temperatures (1000 °C) and potential effects of overheating and corrosion.


Introduction
Large-scale energy storage has become one of the great challenges to achieving the ambitious goals set to increase the penetration of renewables significantly. Concentrating Solar Power (CSP) plants have great potential for energy storage integration, which gives them great dispatchability compared to other renewable technologies, such as PV or wind energy [1]. The market for energy storage in solar thermal plants is clearly led by technology based on the exchange of sensible heat from molten salts [2]. However, molten salts present a series of drawbacks, such as corrosion [3], the need to keep them at temperatures higher than ∼220 °C to avoid their solidification (which involves an important energy consumption) [4], and the maximum temperature limitation to ∼550 °C to avoid salt degradation [5], which limits the power block efficiency.
the energy previously stored to a power cycle by its exothermic nature. Figure 1 shows a conceptual scheme for the CSP-CaL integration. The equipment represented in Figure 1 is included in the SOCRATCES prototype. The calciner is an EF reactor in which a stream composed of CaCO3 particles and CO2 enters through a pneumatic conveying system. A 40 m² solar field provides the required energy to carry out the endothermic calcination. Another EF reactor is constructed for the carbonation reaction, which is coupled with a Stirling engine to produce electricity from the stored materials. The power output constrains the selection of the power block. At an industrial scale, more efficient power cycles would be considered [25]. The reactors include several heaters to guarantee isothermal operation at a prototype scale and emulate different operating conditions. A schematic of the pilot plant configuration of the SOCRATCES project is shown in Figure 2.
The SOCRATCES technological concept and reaction have been proven successful at the laboratory scale [26]. However, the scale-up of the processes at the prototype level and higher scales will show new challenges regarding materials behavior and component performance, including additional issues on operation and efficiency effects. One of the SOCRATCES project objectives is to learn about the performance of solid materials at high temperatures in terms of their transport, storage, and cyclability. It involves a series of kW-prototype scale challenges that must be assessed based on a detailed risk assessment.

CSP-CaL Prototype Risk Assessment
The risk assessment aims to reduce the risks in prototype design, construction, and scaling up, identifying risks early on and planning how to manage them. According to ISO 31010, the risk is a combination of the consequences of an event (hazard) and the associated likelihood/probability of its occurrence. The following factors should be considered:
• Nature and types of risks assessed.
• Definition of likelihood (Table A1 in Appendix A).
• Definition of consequences of the risk. The consequences will be described quantitatively as a function of their impact on the project's objectives (Table A2 in Appendix A).
• Definition of the risk level. It is the magnitude of risk or combination of risks, expressed in terms of the combination of probability and consequence. Depending on the level of the risk, it is classified as low, medium, moderate, high, very high, or extreme risk.
The risks identified within the CSP-CaL prototype construction were consolidated and grouped by the different parts of the project life cycle (Figure 3), with the full description of each of the project's risks and their corresponding mitigation actions. The first group includes those general transversal risks identified as those that affect the entire project life cycle. The second group comprises those that affect specific parts and components. The third group includes all those linked to testing and operation, and finally, the fourth group includes those identified as affecting the scalability and pathway to commercialization.

Risk Assessment Development
This section collects the main risks of the scaling-up process, divided into categories according to Figure 3. The present work focuses mainly on prototype construction and testing, the categories covered in more detail along this section.
Firstly, the main risks affecting the construction of the prototype are assessed (Table 1). They appear as a potential gap between design and on-site installation work. Special attention is required by equipment manufacturing (when the equipment is not commercially available) and by plant integration work: foundations, piping, instrumentation, mechanical supports, and others. An action plan with a clear definition of tasks and responsibilities, as well as a daily evaluation, is fundamental to the success of the construction.
Table 4 classifies the items shown in Table 1 according to the risk level. Note that the classification is based on the combination of likelihood and consequence of each risk (Appendix A). Thus, very high risks are related to issues in module construction, transport, or erection and to issues with licenses or permits on site, a situation that could lead to delays in the tests planned to validate the technology.
The most prominent risks in each part and system of the pilot plant, and their evaluation in relation to the plant's operation and the testing campaign, are described next. This phase of the project is where the most significant risks were identified. Because of this, the pilot plant testing and operation stage is also studied in the Product Failure Mode Analysis (FMEA) developed in the next section. Table 4 summarizes the main risks associated with this stage from a general perspective, whilst specific issues with each main system of the prototype are analysed under the FMEA assessment in Section 4. Table 3 and ?? evaluate the risk level of each item affecting the testing and operation of the prototype. Higher risks are associated with loss of remote control and potential inadequate operation of systems because of issues in the signal tracing, which can cause material failures and compromise the safe operation of the plant.
Table 3. Definition of main risks affecting the testing and operation of the pilot plant.

ID | Risk | Source | Mitigation action
R9 | Delays in laboratory facilities startup. Non-availability of testing equipment. | Planning | Laboratory facilities startup with adequate time before starting main activities.
R10 | Inconsistent measures from different sources. | Measurement equipment and protocols | Setting of templates and standards for data collecting and information presentation at the beginning of the tasks.
R11 | Incorrect records keeping. | Data management | Clear definition in the action plan of the responsibilities for information keeping at each subsequent step.
R12 | Low availability of demonstration cases/modules testing. | Modules construction | Definition in the action plan of strategies for validation of modules.
R13 | Excessive fatigue of materials of construction due to cyclic operation. | Materials failure | The materials of construction must be chosen for their ability to withstand high temperature and still perform mechanically. Regular programmed materials inspection will be performed to avoid catastrophic failures. The reactors should be designed to be extracted and replaced (if needed) for mechanical and material analyses after operation time.
R14 | Disfigurement of units due to differential thermal expansion at high temperatures (calciner and carbonator operation up to 1000 °C). | Magnitudes resizing with operation and heating | Lateral fixations should be included to allow displacements. The system includes monitoring of displacement. Need for control system actuation to avoid disfigurement or structural damage.
R15 | High emissivity losses leading to unexpected results. | Heat losses at solar receiver | The receiver's cavity design should be selected based on its better ability to retain radiation than others (e.g., a bare tube). At the prototype: integration of measures to control surface absorptivity and beam down (low emissivity losses design). Absorptivity losses evaluated and included in calculations.
R16 | Errors in programming the control software cause malfunctions, e.g., an incomplete reaction in the carbonation process. | Incompletely tested control software for the carbonator | Simulating the control software as far as possible; foreseen remote access to fix errors remotely.
R17 | Bad data acquisition and observation. | An incompletely programmed master control unit (MCU) | Remote access to the MCU to fix any errors quickly.
R18 | Loss of remote control and loss of data acquisition. | Control | Duplicate control system in the equipment for automatic stop procedure and position of components.
R19 | Potential inadequate operation of systems. | Control | Commissioning procedure for labeling. Periodic revision of status.

Finally, risks affecting the CSP-CaL prototype scalability and commercialization must be considered. They are related to (i) the appearance of unexpected performance in the testing stage, compromising the technology deployment; (ii) ownership conflicts for novel technology developments; (iii) difficulties in commercializing products and services; and (iv) higher investment costs of the technologies than expected before the testing stage. None of these items should fall into the classification of very high or severe risks. However, they do expose the need to include mitigation actions such as: (i) evaluation of technologies at different levels of integration, in a sequential process, from laboratory to demonstrators, to identify separate effects related to the unexpected performance of the facility; (ii) design of the warning and control systems to detect abnormalities in the performance; (iii) redesign of alternatives as soon as problems appear; (iv) identification of suitable applications and

Product and Process Failure-Mode Effect and Analysis (FMEA)
FMEA is an essential reliability analysis technique that evaluates designs and identifies potential failures and their probability of occurring. Generally, FMEA is a proactive method for evaluating a process to identify the need for and the effects of design changes [27]. It departs from the risk analysis and complements it with additional information for implementing monitoring actions and control actions to reduce potential failures in the system, components, and processes. Due to the nature of the analyses, in this work FMEA is focused on the CSP-CaL prototype operation and testing, as an engineering tool whose objective is to increase the technology reliability. CSP plants, in general, experience different issues resulting from failures of different impacts, reducing efficiency and increasing downtime and maintenance costs. Moreover, in developing novel prototypes, unexpected performances are probable due to the lack of previous experience. Therefore, in order to minimize them and reduce the involved risks, it is essential to identify the critical failure modes in the facilities.
The FMEA aims to eliminate potential failures or reduce their impacts. The tool provides the structure for a cross-functional critique of a design or a process. This analysis is built around three elements: the effect, the cause, and the detection. The effect is the result of what potential failure can cause to the project; the cause will indicate the reasons why this problem has appeared; finally, detection is the selected way of controlling the process to avoid possible failures. For the analysis, the CSP-CaL integration is divided into subsections: solar side (receiver and heliostats field), materials storage, solid-gas reactors (calciner and carbonator), and power block.

Evaluation Method and Risk Criteria
The generic form of an FMEA is designed to be relatively simple and straightforward, allowing worthwhile data acquisition and classification. Figure 4 presents a basic form that identifies all essential information to reduce or eliminate a root cause from either a design and/or a process. The rankings, or criteria as they are commonly known, are not globally standardised: there are no global criteria that everyone uses for all FMEAs and industries. The criteria must be based on logic, knowledge, and experience of the process at hand. In the present work, these criteria are based on the expertise of the authors in the study of the CaL process [26], as well as their experience in prototype construction.
The evaluation includes the Severity (S), Probability (P), and Detection (D) of the risks [28]. Severity is a relative measure of the importance of the effect. When the severity changes depending on the point in time, the worst-case scenario is considered. Reducing the severity requires changes in the design, construction or operation, with a focus on the standards, procedures, and instructions. Probability is the estimated number of failures, based on experience, that may occur for a given cause during the design life. Finally, the detection rate is a numerical rating of the probability that a given set of control measures or examinations will uncover a failure mode.
Risks inevitably exist in any system, design, or manufacturing process. The FMEA process aids in the identification of the main risks and then helps to reduce their impact. It was carried out using Risk Priority Numbers (the RPN index). The RPN for each potential failure detected is calculated by multiplying the three scores: Severity (SEV), Probability (PRO), and Detectability (DET). These RPNs are used to prioritise the risks with a potential failure mode [29]. Criteria for S, P and D are shown in Tables A1-A3 (Appendix A).
The primary focus is on the failures detected with a high RPN. To obtain the RPN of a potential failure mode, the three factors were scored on a 10-point evaluation scale (Tables A1-A3). The higher the RPN of a failure mode, the greater the risk for the CSP-CaL prototype reliability. As a design criterion, RPN values higher than 100 are considered critical and need to be evaluated carefully. The failure modes were assessed according to their RPN scores and, considering the results, the proper actions were taken on the high-risk failure types.

FMEA Analysis for the CSP-CaL Prototype Operation and Testing
In this section, a detailed review of the potential issues derived from the operation of a kW-scale CSP-CaL prototype is carried out. Potential failures are divided into (i) supplies and control system, (ii) solar side and power block, and (iii) reactors. Table 5 shows the potential failures related to supplies and control systems. In the FMEA analysis of the supplies and CO2 compression system, the resulting values are relatively low, and no significant values or actions to be taken are identified beyond those already taken. Table 6 shows the potential failures related to the solar side, control and power block systems. As for the supplies and compression systems, the FMEA analysis of the solar side, control system and power block results in favorable evaluations, and none of them yields a value high enough to be remarkable or to require additional actions. A comprehensive list of potential issues for the power block is difficult to compile unless a particular choice for a thermal-electrical conversion approach is detailed. The relevant failure modes for a Rankine cycle plant, for example, can be of an entirely different class in comparison to those anticipated to be encountered in a Brayton cycle or a Stirling cycle plant. However, literature pertaining to technology-specific treatment of risk analysis of this kind is quite rich, as documented by [30,31], for example. For a Stirling cycle power plant, which was the case in the investigation for the pilot-scale plant built by the SOCRATCES consortium, perhaps the principal potential failure to be feared is the overheating and the consequent over-speeding of the engine, possibly propagating the problem to the electrical side or encountering mechanical issues. In Table 6, only a glimpse of a handful of issues generally considered relevant to power plants is listed. Table 7 shows the potential failures associated with both reactors, namely calciner and carbonator.
Since the calciner and carbonation units are the core reactors of the overall plant, most of the risks faced are similar. Therefore, the most important risks based on severity scores concern the construction parts and the design of both units. In order to reduce the overall failure risk, the use of specific materials is used, and monitoring methods are implemented.

Contingency Measurements
The previous analyses are summarized in Figure 5. It provides a graphical overview of the complete analysis and allows the risks to be grouped into four main groups linked to different required actuation levels. Based on the assessment carried out on each risk, they were placed in one of the risk-map quadrants. Where they are placed determines whether a risk control action will be taken on the identified risk, whether risk monitoring will be applied, whether a particular precaution will be taken or whether no action will be taken at all.
Risks that fall into the "Warning" quadrant have high levels of severity or probability of failure but were classified as having a high probability of being detected and are therefore considered hazardous. Actions are provided to minimize the severity and/or probability of failure. The risks detected in this part of the analysis are linked to the coolant filling hose, the compression system and the heat-transfer structure. For the hose, the proposed action is a daily visual inspection of the hose condition before starting the tests, which increases the probability of detecting bad connections or cracks. For the compression system, the severity of failure is reduced by the availability of sealing rings. Finally, for the heat-transfer structure, daily checks of its condition are introduced before starting the tests, reducing the probability of failure by early detection of deterioration of the structure.
The risks that fall into the "Control and Supervision" quadrant do not have very high severity levels or failure probability. However, they were classified as having a high probability of not being detected, so it is necessary to control them and periodically supervise that they remain under control. Therefore, for the risks framed within "Control and Supervision", periodic reviews of the equipment condition are established to increase the failure detection probability.
Risks that fall into the "Action Control" quadrant have both high levels of severity or probability of failure and a high level of probability of not being detected, so it is necessary both to minimize the severity and/or probability of failure and to control them and periodically monitor that they are under control. By means of the daily check of the condition of the heat-transfer structure, introduced earlier, before starting the tests, the probability of failure is reduced by early detection of deterioration of the structure. In addition, if more than five tests are performed on the same day, the structure must be rechecked, increasing the probability of detection.
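As an added example (not code from the paper or the SOCRATCES project), the following Python encodes the RPN scoring from the evaluation method (S × P × D on a 1..10 scale, RPN > 100 critical) together with the four risk-map quadrants described in this section, and re-scores a few constructed failure modes after the mitigations named above. The numeric quadrant cut-offs and all sample scores are assumptions, since the paper states only the RPN > 100 criterion.

```python
"""FMEA scoring (RPN = S x P x D) and risk-map quadrant placement.

Added example, not part of the paper or the SOCRATCES project. The paper
states only that RPN > 100 is critical; the quadrant cut-offs and every
sample score below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Tuple

RPN_CRITICAL = 100      # design criterion given in the paper
HIGH_SCORE = 7          # assumed: severity or probability >= 7 counts as "high"
HARD_TO_DETECT = 7      # assumed: detection >= 7 = high probability of NOT being detected


@dataclass(frozen=True)
class FailureMode:
    item: str           # subsystem (supplies, solar side, calciner, carbonator, ...)
    mode: str           # potential failure mode
    severity: int       # S on the 1..10 scale of Table A1
    probability: int    # P on the 1..10 scale of Table A2
    detection: int      # D on the 1..10 scale of Table A3 (higher = harder to detect)

    def __post_init__(self) -> None:
        for name in ("severity", "probability", "detection"):
            score = getattr(self, name)
            if not 1 <= score <= 10:
                raise ValueError(f"{name} must be on the 1..10 scale, got {score}")

    @property
    def rpn(self) -> int:
        """Risk Priority Number: the product of the three scores."""
        return self.severity * self.probability * self.detection

    @property
    def critical(self) -> bool:
        return self.rpn > RPN_CRITICAL


def quadrant(fm: FailureMode) -> str:
    """Place a failure mode in one of the four risk-map quadrants of Figure 5."""
    high_sp = fm.severity >= HIGH_SCORE or fm.probability >= HIGH_SCORE
    hard_to_detect = fm.detection >= HARD_TO_DETECT
    if high_sp and hard_to_detect:
        return "Action Control"           # reduce S and/or P, and monitor
    if high_sp:
        return "Warning"                  # reduce S and/or P; detection is already good
    if hard_to_detect:
        return "Control and Supervision"  # periodic reviews to raise detection
    return "No action required"


def prioritise(modes: Iterable[FailureMode]) -> List[FailureMode]:
    """Order failure modes by descending RPN, the paper's prioritisation rule."""
    return sorted(modes, key=lambda m: m.rpn, reverse=True)


def mitigate(fm: FailureMode, **new_scores: int) -> FailureMode:
    """Re-score a failure mode after a mitigation; the 1..10 check runs again."""
    return replace(fm, **new_scores)


def report(modes: Iterable[FailureMode]) -> List[Tuple[str, int, bool, str]]:
    """(mode, RPN, critical?, quadrant) rows, highest RPN first."""
    return [(m.mode, m.rpn, m.critical, quadrant(m)) for m in prioritise(modes)]


# Constructed sample rows echoing the items named in the contingency section.
SAMPLE = [
    FailureMode("reactors", "coolant filling hose crack or bad connection", 5, 8, 3),
    FailureMode("reactors", "compression system seal leak", 7, 4, 4),
    FailureMode("reactors", "heat-transfer structure stress crack", 6, 8, 8),
    FailureMode("calciner", "seal corrosion at 1000 C", 5, 4, 8),
    FailureMode("supplies", "CO2 supply pressure drop", 3, 3, 2),
]

# The paper's mitigations expressed as score changes (new values are assumed).
MITIGATED = [
    mitigate(SAMPLE[0], probability=3, detection=2),  # daily visual hose inspection
    mitigate(SAMPLE[1], severity=4),                  # sealing rings available
    mitigate(SAMPLE[2], probability=3, detection=3),  # daily and per-5-test checks
    mitigate(SAMPLE[3], detection=3),                 # periodic equipment reviews
    SAMPLE[4],                                        # already in the no-action zone
]

if __name__ == "__main__":
    for stage, modes in (("before", SAMPLE), ("after", MITIGATED)):
        print(f"--- {stage} mitigation ---")
        for mode, rpn, crit, quad in report(modes):
            print(f"{rpn:4d} {'CRITICAL' if crit else '        '} {quad:24s} {mode}")
```

With the assumed scores, every sample mode ends in the "No action required" quadrant after re-scoring, which is the outcome the paper reports for its own failure modes once mitigation and monitoring measures are applied.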

Discussion
The results from risk assessment and FMEA are fundamental for a successful and safe prototype design, construction and testing, identified as the riskiest stages in the development of the thermochemical systems from the lab (TRL4) to the relevant environment (TRL5).
The risks affecting the design and construction of the prototype can be extrapolated to other projects related to the energy sector: energy storage, thermal systems, thermal reactors and chemical reaction control. Thus, a risk assessment was carried out for the entire life cycle of the project, from the theoretical development phase through prototype construction and experimental testing to the scale-up and commercialization phase.
The risk assessment shows how special attention and effort should be given to the construction of the individual modules during the construction phase so that problems and/or construction delays do not occur. Clear control and understanding of the legal framework must be available within the project, or external support must be used. In order to avoid delays in the implementation, flexibility in the assembly and integration of the modules should be identified and foreseen.
During the operation and testing phase, the risk assessment identifies as relevant a redundant control system to avoid loss of remote control and data acquisition or malfunctioning of the systems. The duplication of the control system in the equipment for the automatic shutdown procedure and the positioning of the components or a start-up procedure could help in this respect. Finally, it should be noted that the risks affecting the theoretical development or the scalability and commercialization of the CSP-CaL prototype do not fall into the classification of very high or severe risks, according to the risk assessment carried out.
As for the FMEA analysis, it focuses only on the operation and testing phase of the pilot plant. In the "Warning" quadrant, risks were placed with high levels of severity or probability of failure, but they have a high probability of being detected, so actions are foreseen to minimize the severity and/or probability of failure. The risks that fall into the "Control and Supervision" quadrant do not have very high levels of severity or probability of failure, but they were classified as having a low probability of being detected, and therefore periodic reviews of the condition of the equipment are established to increase the probability of detecting failures. The risks that fall into the "Action Control" quadrant have both high levels of severity or probability of failure and a high level of probability of not being detected, so it is necessary both to minimize the severity and/or probability of failure and to control them and periodically supervise that they are under control.
All failure modes detected in the analysis that require severity reduction measures or control and monitoring pertain to the reactors: calciner and carbonator. They correspond to failures in the seals or in the heat-transfer structure. In the heat-transfer structure, very different failure modes are assessed, such as a stress crack due to cooling losses, leakage due to corrosion, perforation or breakage, and plugging. Once severity or probability of failure mitigation and/or control and monitoring measures are applied, all detected failures fall within the "no action required" zone. In addition to being fundamental to avoid accidents in the plant, applying these measures would be key to increase the useful life of the different equipment in the plant.
The methodology of risk assessment and failure mode analysis described and applied in this work is of great interest and can provide clear benefits in the process of prototype design and construction, especially for low TRL prototypes, and also contributes to scaling up. Specifically, it can be directly extrapolated to thermal energy system prototypes, including energy storage systems. The SOCRATCES research project, on which this work is based, develops the first prototype of a new technology, a thermochemical energy storage plant based on Calcium-Looping, on this scale (TRL 5). The methodology applied to its novel components and integration, which are the first of their kind, is of high interest for the successful development and scaling up of low TRL prototypes.

Conclusions
This paper shows the methodology followed for a comprehensive risk assessment and Failure Mode and Effects Analysis (FMEA) in a real case: the construction of the first full-scale prototype (TRL5) to assess CaL-based TCES in solar thermal plants, through the SOCRATCES project, in Seville, with a planned completion date of 2021.
The risk assessment aims to maximize the chances of successful prototype design and construction by identifying risks from the outset and planning how to manage, reduce, and/or control them. The risks identified in the construction of the CSP-CaL prototype were consolidated and grouped by the different parts of the project life cycle.
Focusing on the construction of the prototype, the highest risks are related to problems in the construction, transport, or assembly of the modules and to licensing or permitting issues on site, which could lead to delays in the planned tests to validate the technology. For pilot plant testing, the highest risks are associated with loss of remote control and possible malfunctioning of the systems due to signal routing problems, which can lead to material failures and compromise the safe operation of the plant.
FMEA is an essential reliability analysis technique that evaluates designs and identifies potential failures and their probability of occurrence. The FMEA assessment aims to eliminate potential failures or reduce their impact. The tool provides the structure for a cross-functional critique of a design or process. This analysis is built around three elements: effect, cause, and detection. These three elements allow risks to be classified into four quadrants.
These analyses show that the main potential risks for the case analyzed in this work occur during the test and operation stages, deriving mainly from potential overheating in the reactors, from failures in the control of the solar part in the receiver, and from potential failures in the control system. The results warn of the need to increase control measures in the reactors, especially in the case of the calciner, given the high temperatures (1000 °C) that can be reached, with potential overheating and corrosion effects. The methodology shown is of high value for the design and construction of novel experimental prototypes with high uncertainties. It entirely complements and supports the technical design approaches. The methodology presented and applied here can be directly extrapolated to the analysis of other thermal systems.

Conflicts of Interest:
The authors declare no conflict of interest.

Table A1. Likelihood criteria.

E  Almost certain: The event is expected to occur on a regular basis. The probability of occurring is greater than 90%.
D  Likely: The event is expected to occur from time to time. The probability of occurring is between 60 and 90%.
C  Possible: The event could occur at some time. The probability of occurring is between 40 and 60%.
B  Unlikely: Event not expected, but it is possible that one could occur. The probability of occurring is between 10 and 40%.
A  Rare: The event will only occur in exceptional circumstances. The probability of occurring is less than 10%.

Table A2. Consequence criteria.

Severe: If it occurs, a risk event will have a severe impact on achieving desired results, to the extent that one or more of its critical outcome objectives will not be achieved.
Major: If it occurs, a risk event will have a significant impact on achieving desired results, to the extent that one or more stated outcome objectives would fall below acceptable levels.
Moderate: If it occurs, a risk event will have a major impact on achieving desired results, to the extent that one or more stated outcome objectives would fall below goals but above minimum acceptable levels.
Minor: If it occurs, a risk event will have a minor impact on achieving desired results, to the extent that one or more stated outcome objectives will fall below goals but well above minimum acceptable levels.
Insignificant: If it occurs, a risk event will have little or no impact on achieving outcome objectives.

Effect / Severity / Ranking

10  Hazardous without warning: Very high severity ranking when a potential failure mode affects safe system operation without warning.
9   Hazardous with warning: Very high severity ranking when a potential failure mode affects safe system operation with warning.
8   Very high: The system is inoperable with destructive failure without compromising safety.
7   High: The system is inoperable with equipment damage.
6   Moderate: The system is inoperable with minor damage.
5   Low: The system is inoperable without damage.
4   Very low: The system is operable with significant degradation of performance.
3   Minor: The system is operable with some degradation of performance.
2   Very Minor: The system is operable with minimal interference.
1   None: No effect.

Table A4. Probability criteria.

Likelihood of Detection by Design Control / Ranking

10  Absolute uncertainty: Design control cannot detect potential cause/mechanism and subsequent failure mode.
9   Very remote: Very remote chance the design control will detect potential cause/mechanism and subsequent failure mode.
8   Remote: Remote chance the design control will detect potential cause/mechanism and subsequent failure mode.
7   Very low: Very low chance the design control will detect potential cause/mechanism and subsequent failure mode.
6   Low: Low chance the design control will detect potential cause/mechanism and subsequent failure mode.
5   Moderate: Moderate chance the design control will detect potential cause/mechanism and subsequent failure mode.
4   Moderately high: Moderately high chance the design control will detect potential cause/mechanism and subsequent failure mode.
3   High: High chance the design control will detect potential cause/mechanism and subsequent failure mode.
2   Very high: Very high chance the design control will detect potential cause/mechanism and subsequent failure mode.
1   Almost certain: Design control will detect potential cause/mechanism and subsequent failure mode.
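The quadrant classification described in the discussion (Warning, Control and Supervision, Action Control, no action required) and the appendix rating scales can be exercised on a small failure-mode register. The following Python block is an added worked example; it is not code from the paper or from the SOCRATCES project. It encodes the severity and detection scales from the appendix, computes RPN = severity x occurrence x detection, assigns each failure mode to a quadrant, and re-evaluates the register after mitigation. The failure modes named are those the text lists for the reactors, but their S/O/D ranks, the assumed mitigation measures, and the quadrant thresholds (8 for high severity or occurrence, 7 for poor detection) are constructed for illustration; detection ranks not printed legibly on the page (9, 7, 5, 4, 3) are assumed to follow the monotone 10..1 scale.

```python
"""Added FMEA worked example (not from the paper or the SOCRATCES project):
RPN scoring, quadrant placement, and re-assessment after mitigation."""
from dataclasses import dataclass, replace
from typing import Dict, List

# Severity scale from the appendix: effect label -> ranking (10 = worst).
SEVERITY_RANK: Dict[str, int] = {
    "Hazardous without warning": 10, "Hazardous with warning": 9, "Very high": 8,
    "High": 7, "Moderate": 6, "Low": 5, "Very low": 4, "Minor": 3, "Very Minor": 2, "None": 1,
}

# Detection scale (Table A4): 10 = design control cannot detect the failure,
# 1 = detection almost certain. Ranks 9, 7, 5, 4 and 3 are assumed from the
# monotone 10..1 scale; only 10, 8, 6, 2 and 1 are printed legibly on the page.
DETECTION_RANK: Dict[str, int] = {
    "Absolute uncertainty": 10, "Very remote": 9, "Remote": 8, "Very low": 7, "Low": 6,
    "Moderate": 5, "Moderately high": 4, "High": 3, "Very high": 2, "Almost certain": 1,
}


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str
    severity: int    # 1..10, severity scale above
    occurrence: int  # 1..10, probability of failure
    detection: int   # 1..10, Table A4 (10 = cannot detect)

    def __post_init__(self) -> None:
        for name in ("severity", "occurrence", "detection"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be an integer rank from 1 to 10")

    def rpn(self) -> int:
        """Risk Priority Number: the higher, the sooner the mode needs attention."""
        return self.severity * self.occurrence * self.detection


# Thresholds are assumptions for this example: the paper calls an occurrence
# above 8 on a 1..10 scale high, and a detection rank of 7 or more means at
# best a "very low" chance that the design control catches the failure.
HIGH_S_OR_O = 8
POOR_DETECTION = 7


def quadrant(fm: FailureMode, high: int = HIGH_S_OR_O, poor: int = POOR_DETECTION) -> str:
    """Place a failure mode in one of the four quadrants used in the text."""
    high_risk = fm.severity >= high or fm.occurrence >= high
    hard_to_detect = fm.detection >= poor
    if high_risk and hard_to_detect:
        return "Action Control"           # reduce S/O and supervise periodically
    if high_risk:
        return "Warning"                  # reduce severity and/or probability of failure
    if hard_to_detect:
        return "Control and Supervision"  # periodic equipment reviews to raise detection
    return "No action required"


def assess(register: List[FailureMode]) -> List[dict]:
    """Rank a register by RPN, highest first, together with each entry's quadrant."""
    rows = [{"component": fm.component, "mode": fm.mode, "rpn": fm.rpn(),
             "quadrant": quadrant(fm)} for fm in register]
    return sorted(rows, key=lambda r: r["rpn"], reverse=True)


def mitigate(fm: FailureMode, **new_ranks: int) -> FailureMode:
    """Return a copy with lowered ranks; a mitigation may never raise a rank."""
    for name, value in new_ranks.items():
        if value > getattr(fm, name):
            raise ValueError(f"mitigation must not raise {name}")
    return replace(fm, **new_ranks)


# Constructed register: failure modes named in the text for the reactors, with
# invented S/O/D ranks.
CONSTRUCTED_REGISTER: List[FailureMode] = [
    FailureMode("calciner", "heat-transfer structure: stress crack due to cooling losses",
                SEVERITY_RANK["Hazardous with warning"], 4, DETECTION_RANK["Remote"]),
    FailureMode("carbonator", "seal leakage due to corrosion",
                SEVERITY_RANK["High"], 8, DETECTION_RANK["High"]),
    FailureMode("calciner", "heat-transfer structure: plugging",
                SEVERITY_RANK["Low"], 6, DETECTION_RANK["Very low"]),
    FailureMode("carbonator", "heat-transfer structure: perforation or breakage",
                SEVERITY_RANK["Moderate"], 3, DETECTION_RANK["Very high"]),
]

# Assumed measures: wall temperature monitoring plus relief for the calciner,
# corrosion-resistant seals, and periodic inspection of the calciner for plugging.
MITIGATED_REGISTER: List[FailureMode] = [
    mitigate(CONSTRUCTED_REGISTER[0], severity=SEVERITY_RANK["High"], occurrence=2,
             detection=DETECTION_RANK["High"]),
    mitigate(CONSTRUCTED_REGISTER[1], occurrence=3),
    mitigate(CONSTRUCTED_REGISTER[2], detection=DETECTION_RANK["High"]),
    CONSTRUCTED_REGISTER[3],
]

if __name__ == "__main__":
    for label, register in (("before", CONSTRUCTED_REGISTER), ("after", MITIGATED_REGISTER)):
        print(f"--- {label} mitigation ---")
        for row in assess(register):
            print(f"{row['rpn']:4d}  {row['quadrant']:<24}  {row['component']}: {row['mode']}")
```

Running the block prints the register ranked by RPN before and after the assumed measures; with the constructed ranks, the calciner stress crack starts in "Action Control" (RPN 288), the plugging mode in "Control and Supervision", the seal leakage in "Warning", and every entry lands in "No action required" after mitigation, which is the outcome the text reports for the real register. Whoever adapts this should replace the thresholds with the ones agreed for their own plant.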