“With a purposeful grimace and a terrible sound, he pulls the spitting high tension wires down.”  — Buck Dharma, Blue Öyster Cult

The preferred design of a safety function is one that deenergizes to trip: that is, a function that goes to the safe state when all sources of energy have been removed. The probability of success is much higher when we turn things off than when we turn things on. Sometimes, though, there is no getting around it. In those cases, it's important that we design a system with reliable sources of energy.

The most common source of energy is electricity. And it seems that the loss of electrical supply is becoming more common. Blizzards, tornadoes, hurricanes, extreme temperatures, earthquakes, and cyberattacks are all causes. So far, creatures like Godzilla haven’t made the list of actual causes, but if they did, the effect would be the same. What they all have in common is that the source of energy that we most often rely on, electricity, goes out.

Redundant Electrical Sources

Safety systems often rely on an uninterruptible power supply (UPS) as a redundant source of electricity. Essentially, it is a bank of batteries. Typically, they provide electricity for computing and communication equipment for a relatively short period of time—less than an hour. Most are small, although the Battery Energy Storage System in Fairbanks, Alaska is one of the world’s largest, covering an area bigger than a soccer field and capable of providing 26 MW of power for 15 minutes. Commissioned in 2003, it cost $35 million.

For longer run times or for high power loads, though, we rely on back-up power. When the cause of the outage is the loss of feed, we often turn to redundant feeds. The failure of a transformer doesn’t take the system down because the redundant transformer is also on line. When the outage is further up the line, in the grid, redundant feeds won’t help because the grid failure will take them both out.

That is when we turn to back-up generators. But even back-up generators aren’t perfect.

Back-up Generator Reliability

Generator vendors talk about reliability. One reports that “third-party studies have found the average standby generator system within the market has a reliability of around 99 percent.” Another states that single generators have a reliability of 98%. But what do they mean by “reliability”? These values, depending on what they mean, suggest that back-up generators might provide as much as two orders of magnitude of risk reduction for hazards associated with power outages.

There are two aspects of reliability that matter when considering back-up generators. Most of the time, back-up generators do not run. They don’t start until there is a power outage. So, one aspect of reliability is failure to start. Then, once started, the second aspect of reliability is the probability that they will run for as long as needed. Estimating the run-time reliability depends on knowing the required run-time. The longer a back-up generator needs to run, the greater the probability that it will fail before achieving that “mission time”.

A study at the National Renewable Energy Laboratory (NREL), described in the paper, “Emergency Diesel Generator Reliability and Installation Energy Security,” does a really good job of quantifying these two aspects of reliability.

Looking at data from several sources, the authors distinguished between back-up generators that were well-maintained (about 25% of the installed base that they looked at), poorly maintained (about 17% of the installed base that they looked at), and generators with average maintenance (about 58% of the installed base that they looked at). They found that both the probability of failure to start (FTS), and the mean time to failure (MTTF) after starting, were largely dependent on the maintenance.

Failure to Start

It doesn’t matter what the MTTF is if a back-up generator fails to start. The NREL study found that FTS was

  • Well-maintained FTS = 0.0013 (Startup reliability = 99.87%)
  • Average maintenance FTS = 0.0066 (Startup reliability = 99.34%)
  • Poorly maintained FTS = 0.0165 (Startup reliability = 98.35%)

These values are consistent with those reported by vendors. The study included a sufficiently large population that it included 90% confidence intervals. Importantly, the confidence intervals did not overlap. These values represent a statistically significant difference, based on the quality of maintenance.

Mean Time To Failure

Once running, a back-up generator needs to continue running until the hazard is addressed. The NREL study found that MTTF was

  • Well-maintained MTTF = 1,662 hours (Failure rate, λ = 0.00060/hour)
  • Average maintenance MTTF = 636 hours (Failure rate, λ = 0.00157/hour)
  • Poorly maintained MTTF = 61 hours (Failure rate, λ = 0.01639/hour)

Again, the study included 90% confidence intervals which did not overlap. The probability of failure once running is very dependent on the mission time. While the NREL study was primarily interested in a 2-week mission time, most process applications would be satisfied with a 12-hour mission time, which would be enough to take the process to a safe, deenergized state.

The probability of failure, PFD, is related to failure rate and mission time by this equation:

PFD = 1 – e^(–λT)

For a 12-hour mission time, that calculates to

  • Well-maintained PFD = 1 – e^(–0.00060/hour × 12 hour) = 0.0072
  • Average maintenance PFD = 1 – e^(–0.00157/hour × 12 hour) = 0.0187
  • Poorly maintained PFD = 1 – e^(–0.01639/hour × 12 hour) = 0.1785

Obviously, the PFD gets worse—larger—as the mission time increases.

Overall PFD of a back-up generator with a 12-hour mission time, taking both FTS and MTTF into account, is

  • Well-maintained PFD = 0.0013 + 0.0072 = 0.0085 (Reliability = 99.15%)
  • Average maintenance PFD = 0.0066 + 0.0187 = 0.0253 (Reliability = 97.47%)
  • Poorly maintained PFD = 0.0165 + 0.1785 = 0.1950 (Reliability = 80.5%)

It is important to note that in all cases, failures following startup contribute more to the overall unreliability of a back-up generator than failures to start, but that the better the maintenance, the better the performance in both aspects.
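The calculation above, carried through in Python as an added example (not code from the original post). It uses the page's FTS and λ values and the page's simple sum of the two contributions; the class table, function names and the longer mission times in the demo are my assumptions, added to show how the PFD and the resulting risk reduction factor move with mission time.

```python
import math

# FTS and failure rate (per hour) by maintenance quality, as reported on the page.
# The dictionary layout is an assumption of this example.
GENERATOR_CLASSES = {
    "well-maintained": {"fts": 0.0013, "failure_rate": 0.00060},
    "average": {"fts": 0.0066, "failure_rate": 0.00157},
    "poorly maintained": {"fts": 0.0165, "failure_rate": 0.01639},
}


def run_failure_probability(failure_rate: float, mission_hours: float) -> float:
    """Probability of failing while running: PFD = 1 - exp(-lambda * T)."""
    return 1.0 - math.exp(-failure_rate * mission_hours)


def overall_pfd(fts: float, failure_rate: float, mission_hours: float) -> float:
    """Failure to start plus failure while running, summed as the page does.
    (The exact combination, fts + (1 - fts) * run_pfd, differs only in the
    fourth decimal place for these inputs.)"""
    return fts + run_failure_probability(failure_rate, mission_hours)


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1 / PFD; each power of ten is one order of magnitude of reduction."""
    return 1.0 / pfd


def summarize(mission_hours: float) -> dict:
    """PFD, reliability (%) and RRF for every maintenance class at one mission time."""
    result = {}
    for name, p in GENERATOR_CLASSES.items():
        pfd = overall_pfd(p["fts"], p["failure_rate"], mission_hours)
        result[name] = {
            "pfd": round(pfd, 4),
            "reliability_pct": round(100.0 * (1.0 - pfd), 2),
            "rrf": round(risk_reduction_factor(pfd), 1),
        }
    return result


if __name__ == "__main__":
    # 12 h is the page's process mission time; 24 h and 2 weeks are assumed for comparison.
    for hours in (12.0, 24.0, 14 * 24.0):
        print(f"mission time {hours:g} h")
        for name, r in summarize(hours).items():
            print(f"  {name:18s} PFD={r['pfd']:.4f} "
                  f"reliability={r['reliability_pct']:.2f}% RRF={r['rrf']:.1f}")
```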

What Is Good Maintenance for a Back-Up Generator?

The NREL study defined the three categories of maintenance this way:

Well-maintained:

  • Follows manufacturer's recommended practices and schedules
  • Complies with either NFPA 110, Standard for Emergency and Standby Power Systems, or the DoD Unified Facility Criteria: Operation and Maintenance: Generators (UFC 3-350-07)
  • Uses specialized equipment tests (thermograph, vibration analysis, oil analysis)
  • Has a complete set of spare parts

Average maintenance:

  • Follows manufacturer's recommended schedules
  • No specialized equipment tests
  • Incomplete set of spare parts

Poorly maintained:

  • Fails to follow scheduled maintenance

Back-Up Generators Aren’t Perfect

It should come as no surprise that back-up generators are not perfect. They can fail. But they can reduce the risk of a power outage. Fortunately, there is a lot of data available that allows us to estimate just how reliable they are.

A well-maintained back-up generator can reduce the risk of hazards created by a power outage by two orders of magnitude. It requires a great deal of discipline, though, which may be difficult in an environment where resources are already stretched thin.

A poorly maintained back-up generator is better than no back-up generator at all, but the risk reduction is not even an order of magnitude.

A back-up generator with average maintenance, which describes most back-up generators, can be counted on to provide a solid order of magnitude in risk reduction.

Take the Appropriate Amount of Credit

If Godzilla rises from the ocean’s depths or some other disaster takes out the power grid that supplies your plant, a back-up generator will reduce the risk. It’s not enough to install it, though. It must also be maintained. When you take credit for the back-up generator, make sure that you’ve considered the mission time that you need and the maintenance that you can realistically expect.


  • Mike Schmidt

    With a career in the CPI that began in 1977 with Union Carbide, Mike was profoundly impacted by the 1984 tragedy in Bhopal and has been working on process safety ever since.