Funded by FCH JU (Grant agreement No ) 1 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 1

Funded by FCH JU (Grant agreement No ) 2 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 2  A hazard is a source or situation with a potential of corporal, material or environmental damage, or a combination of them. Examples of hazards are fires, explosions.  Hazards are associated to feared events potentially producing the hazard, i.e. a deviation - such as a hydrogen leak – that may result in a fire or an explosion.  The risk is a quantitative measurement of a hazard in terms of its probability P and severity S. The risk of a hazard (also called criticality) is assessed on the basis of these two parameters.  Safety is freedom from unacceptable risk. This implies some level of risk is tolerable. Hydrogen is mostly found in combination with other elements in form of e.g. water, methane, biomass, etc.

Funded by FCH JU (Grant agreement No ) 3 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 3  Hazard is a chemical or physical condition that has the potential for causing damage to people, property and the environment. Hydrogen accident could have different hazards, e.g. asphyxiation due to release in closed space, frostbite by liquefied hydrogen, thermal hazards from jet fire, pressure effects from deflagrations and detonations, etc. Hazard could lead to no damage, if the proper safety measures are applied, or could lead to costly consequences up to fatalities if the system or infrastructure has been designed and used without professional knowledge in hydrogen safety.

Funded by FCH JU (Grant agreement No ) 4 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 4 Risk areas The risk R of a hazard is assessed on the basis of its probability P and its severity S: R = P x S.  An unacceptable risk area (red): this area indicates an unacceptable severity probability combination. Measures must be taken to mitigate the risk.  A low risk area (green): this area represents a combination of severity and probability for which the risk is considered low and thus tolerable.  The intermediate risk area (yellow): the ALARP zone (As Low as Reasonably Practicable). In this area, additional investigations are required to see whether the risk could be decreased to the low risk area.

Funded by FCH JU (Grant agreement No ) 5 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 5 (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 6 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 6  The criticality matrix considers these three levels of criticality and allows for an assessment of the risk of a hazard.  Hazards are classified according to their probability of occurrence and to their severity. There are several classes of probability: the class with the highest probabilities corresponds to frequent events, while the class with the lowest probabilities corresponds to improbable events. There are also several levels of severity, depending on the severity of the consequences of a hazard (on safety, production, environment...).

Funded by FCH JU (Grant agreement No ) 7 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 7  The criticality matrix displays the values of the probabilities allowing for an assessment of the probability category of a hazard, and it also displays the criteria allowing for an assessment of the severity level of the hazard.  Hazards are classified according to their probability of occurrence and to their severity. (Source: Methodology for Rapid Risk Ranking of H2 Refuelling station Concepts, by Norsk Hydro ASA and DNV, Sept 2002, European Integrated Hydrogen Project 2)

Funded by FCH JU (Grant agreement No ) 8 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 8 (Source: Methodology for Rapid Risk Ranking of H2 Refuelling station Concepts, by Norsk Hydro ASA and DNV, Sept 2002, European Integrated Hydrogen Project 2) (Source: Methodology for Rapid Risk Ranging of H2 Refuelling station Concepts (Sept. 2002). Norsk Hydro ASA and DNV. European Integrated Hyprogen Project 2)

Funded by FCH JU (Grant agreement No ) 9 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 9  The criticality matrix then shows whether the risk of a given hazard is tolerable (low risk), unacceptable (measures must then be taken to reduce the risk) or medium (additional investigations are then required to see whether the risk could be decreased to the low risk area).  A possible risk assessment approach one might take is:  Identify the hazards  Identify who might be harmed and how evaluate the risks and decide on precaution  Can the risk be eliminated?  Can the risk be controlled?  Record the findings and implement them  Review the risk assessment and update if necessary.

Funded by FCH JU (Grant agreement No ) 10 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 10  The individual risk represents the annual frequency of an individual dying due to a hazard. The individual is assumed to be unprotected and to be present 24/7. Individual risk can be further defined in a way that takes into account the location specific probability that an individual may be killed because of an accident linked to the industrial activity. This risk thus depends on the frequency of occurrence of the events (examples: rupture of piping, explosion of liquid oxygen storage tank). This approach takes a “worst case” type of scenario for individual exposure.  In an industrial context, the assessment of an individual risk is made as following :  The feared event is described.  The causes of the feared event are described.  The consequences of the feared event are listed.  The probability of the causes and the severity of the consequences are assessed.  The criticality matrix then shows whether the risk associated to the hazard is tolerable, unacceptable or intermediate and if risk reduction measures should be taken.  If needed, the risk reduction measures are listed.

Funded by FCH JU (Grant agreement No ) 11 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 11 (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 12 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 12  The societal risk represents the frequency of having an accident with N or more people being killed simultaneously. The people involved are assumed to have some means of protection.  Societal risk differs from individual risk in that it takes into account the total number of people who may be harmed at the same time by a single accident. The level of societal risk from an installation is determined by three factors :  The probability of an incident occurring on a major hazard site  The nature of the incident and its severity  The density and location of the population working on or living in and around the site.

Funded by FCH JU (Grant agreement No ) 13 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 13  Therefore, a specific approach has been developed for the assessment of risks run by people in public areas. The societal risk is presented as an FN curve, where N is the number of deaths and F the cumulative frequency of accidents with N or more deaths. This FN curve corresponds to the societal risk criteria.  Once the number of fatalities of a given hazard is known (depending among others on the population density), the societal risk curve indicates the maximum allowed frequency of this hazard. Then, measures to reduce the frequency of the risk below this maximum frequency can be taken. (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 14 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 14  Designing for safety aims at making systems intrinsically safe. This is achieved by ensuring that the all possible deviations ( initial events ) that could potentially generate a feared event (e.g. injury) are either sufficiently unlikely or handled by the system in order to avoid the feared event.  In this approach, once a system concept has been established, all hazardous deviations (also called initial event - e.g. hydrogen release) are reviewed. For each hazardous deviation, a safety objective is set, and the associated means to achieve the safety objective are identified. The design of the system is then made so that safety objectives are met and the system is therefore intrinsically safe. (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 15 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 15  All deviations called initial events potentially generating a hazardous situation can be identified and characterized in terms of associated immediate risk (probability and initial severity) assuming absence of mitigation.  Following a ranking by initial severity, sets of deviations can be defined in terms of frequency: expectable, foreseeable, conceivable or unlikely. (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 16 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 16  For a given feared event, the safety objectives can be expressed as a frequency limit. Safety measures aim at lowering the frequency of the feared event below the frequency limit (safety objective).  To achieve this, several strategies can be combined:  The severity of the initial events can be reduced to the point that having a feared event is unlikely, in order to avoid the need of mitigation.  Mitigation measures can be taken, to lower the frequency of the feared event (which in that case is the frequency of failure of the mitigation measures)  Small (frequent) events with escalation potential require the most reliable mitigation.  The severity of the initial events can be reduced and the Mitigation mea- sures can be taken, to lower the frequency of the feared event.

Funded by FCH JU (Grant agreement No ) 17 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 17 Designing for safety means acting on the severity of the initial events (2) and taking mitigation measures (4), knowing the probability of initial events becoming feared events (3), so as to meet the frequency limits (1) set as safety objectives. (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 18 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 18  An effective form of design for safety is to translate safety objectives (frequency limit for feared event) into practical design objectives that can be implemented by design engineers:  For expectable events, there should be no damage. A typical safety strategy for expectable leaks is a passive ventilation or permanent active ventilation allowing a concentration of 1% hydrogen max.  For foreseeable events, there should be no injury (and loss of property).  For conceivable events, the effects of the feared events should be reduced to harm persons (or damage property).  No design objectives are set for unlikely feared events – which are acceptable as the frequency of these events is very low. There is no specific measure other than prevention (material choice...), only considered for emergency responses.

Funded by FCH JU (Grant agreement No ) 19 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 19 If the probability and severity of the initial event as well as the conditional probability are high, the required performance level ( reliability ) of the safety measure should be high. On the contrary, if the probability and severity of the initial event as well as the conditional probability are low, a lower reliability of the safety measure is tolerable. S: severity of the initial event F: probability of the initial event P: conditional probability PL: performance level (Source: EN ISO )

Funded by FCH JU (Grant agreement No ) 20 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 20  Hydrogen Safety Engineering ( HSE ) is defined as the application of scientific and engineering principles to the protection of life, property and environment from adverse effects of incidents/accidents involving hydrogen.  HSE includes but is not limited to high pressure under-expanded leaks and dispersion, spontaneous ignition of sudden hydrogen releases to air, deflagrations and detonations, etc.

Funded by FCH JU (Grant agreement No ) 21 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 21  The HSE process includes three main steps: 1.A Qualitative Design Review ( QDR ) is undertaken by a team that can incorporate owner, hydrogen safety engineer, architect, representatives of authorities having jurisdiction, e.g. fire services, and other stakeholders. 2.A quantitative safety analysis of selected scenarios and trial designs is carried out by qualified hydrogen safety engineer(s) using the state-of-the-art knowledge in hydrogen safety science and engineering and validated models and tools. 3.Finally, the performance of a HFC system and/or infrastructure is assessed against acceptance criteria predefined by the team. If none of the trial designs developed by the QDR team satisfies the specified acceptance criteria, the QDR and quantification process should be repeated until a hydrogen safety strategy satisfies acceptance criteria and other design requirements. When a satisfactory solution has been identified, the resulting HSE strategy should be fully documented in a “Report on Hydrogen Safety Engineering”.

Funded by FCH JU (Grant agreement No ) 22 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 22 (Source: Molkov and Saffers, 2011)

Funded by FCH JU (Grant agreement No ) 23 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 23  This performance-based methodology offers the flexibility to assess trial safety designs using separately or simultaneously three approaches: deterministic, comparative or probabilistic. 1.The objective of a deterministic study is to analyse the performance of trial safety design(s) selected by QDR team for chosen scenarios with models based on physical, chemical, thermodynamic and human behavioural relationships, derived from scientific theories and empirical correlations. 2.In some projects, recommendations of prescriptive codes and standards when they are available might provide the near optimum solution for a safe design. If the hydrogen system is regulations and codes compliant, a full HSE study may not be necessary. For comparative type of study, the acceptance criteria may simply be defined in terms of compliance with existing code requirements. 3.The objective of a probabilistic study is usually to show that the risk of a given event occurring is acceptable or tolerably small.

Funded by FCH JU (Grant agreement No ) 24 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 24  Safety objectives are defined from the beginning of the product design. This often highlights knowledge gaps and raises new R&D questions. R&D efforts should therefore focus on closing the knowledge gaps for supporting “design for safety”: this is pre-normative research.  Some examples of safety related pre-normative research topics:  Behavior of hydrogen once released (leak rates, dispersion and ventilation, combustion…). Examples of PNR objectives:  Specify ventilation openings that will prevent the development of a flammable atmosphere in case of a leak,  Specify maximum flammable mixture concentration in order to avoid exceeding a specified overpressure.  Resistance of composite cylinders to accidental loads (e.g. fire). Example of PNR objectives:  Specify maximum time to empty cylinder in order to avoid burst,  Specify thermal protection for withstanding fire conditions during a pre-defined amount of time.  Effects of hydrogen on metallic materials (hydrogen embrittlement).  The knowledge base set up by the pre-normative research is then used to support the recognition of the means to achieve safety objectives by standardization: it supports the creation of regulations, codes and standards.

Funded by FCH JU (Grant agreement No ) 25 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 25  Role of regulations, codes and standards Regulations, codes and standards provide performance requirements ( effectiveness, reliability ) with regards to the means ( prevention, mitigation ) used to achieve safety targets. They provide design criteria ensuring fitness for purpose by relating requirements to conditions of use and standard solutions for meeting the performance requirements or safety targets. (Source: Air Liquide)