Funded by FCH JU (Grant agreement No ) 1 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 1

Funded by FCH JU (Grant agreement No ) 2 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 2  A hazard is a source or situation with a potential of corporal, material or environmental damage, or a combination of them. Examples of hazards are fires, explosions.  Hazards are associated to feared events potentially producing the hazard, i.e. a deviation - such as a hydrogen leak – that may result in a fire or an explosion.  The risk is a quantitative measurement of a hazard in terms of its probability P and severity S. The risk of a hazard (also called criticality) is assessed on the basis of these two parameters.  Safety is freedom from unacceptable risk. This implies some level of risk is tolerable. Hydrogen is mostly found in combination with other elements in form of e.g. water, methane, biomass, etc.

Funded by FCH JU (Grant agreement No ) 3 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 3  Hazard is a chemical or physical condition that has the potential for causing damage to people, property and the environment. Hydrogen accident could have different hazards, e.g. asphyxiation due to release in closed space, frostbite by liquefied hydrogen, thermal hazards from jet fire, pressure effects from deflagrations and detonations, etc. Hazard could lead to no damage, if the proper safety measures are applied, or could lead to costly consequences up to fatalities if the system or infrastructure has been designed and used without professional knowledge in hydrogen safety.

Funded by FCH JU (Grant agreement No ) 4 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 4 Risk areas The risk R of a hazard is assessed on the basis of its probability P and its severity S: R = P x S.  An unacceptable risk area (red area): this area indicates an unacceptable severity probability combination. Measures must be taken to mitigate the risk.  A low risk area (green area ): this area represents a combination of severity and probability for which the risk is considered low and thus tolerable.  The intermediate risk area (yellow area): the ALARP zone ( A s L ow a s R easonably P racticable). In this area, additional investigations are required to see whether the risk could be decreased to the low risk area.

Funded by FCH JU (Grant agreement No ) 5 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 5 (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 6 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 6  The criticality matrix considers these three levels of criticality and allows for an assessment of the risk of a hazard.  Hazards are classified according to their probability of occurrence and to their severity. There are several classes of probability: the class with the highest probabilities corresponds to frequent events, while the class with the lowest probabilities corresponds to improbable events. There are also several levels of severity, depending on the severity of the consequences of a hazard (on safety, production, environment...).

Funded by FCH JU (Grant agreement No ) 7 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 7 (Source: Methodology for Rapid Risk Ranking of H2 Refuelling station Concepts, by Norsk Hydro ASA and DNV, Sept 2002, European Integrated Hydrogen Project 2) (Source: Methodology for Rapid Risk Ranging of H2 Refuelling station Concepts (Sept. 2002). Norsk Hydro ASA and DNV. European Integrated Hydrogen Project 2) LevelDescription High (H) High risk, not acceptable. Further analysis should be performed to give a better estimate of risk. If this analysis still shows unacceptable or medium risk redesign or other changes should be introduced to reduce the criticality Medium (M) This risk may be acceptable but redesign or other changes should be considered if reasonably practical. Further analysis should be performed to give a better estimate of the risk. When assessing the need of remedial actions, the number of events of this risk level should be taken into consideration. Low (L)The risk is low and further risk reducing measures are not necessary.

Funded by FCH JU (Grant agreement No ) 8 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 8  The criticality matrix displays the values of the probabilities allowing for an assessment of the probability category of a hazard, and it also displays the criteria allowing for an assessment of the severity level of the hazard.  Hazards are classified according to their probability of occurrence and to their severity. (Source: Methodology for Rapid Risk Ranking of H2 Refuelling station Concepts, by Norsk Hydro ASA and DNV, Sept 2002, European Integrated Hydrogen Project 2)

Funded by FCH JU (Grant agreement No ) 9 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 9  The criticality matrix then shows whether the risk of a given hazard is tolerable (low risk), unacceptable (measures must then be taken to reduce the risk) or medium (additional investigations are then required to see whether the risk could be decreased to the low risk area).  A possible risk assessment approach one might take is:  Identify the hazards  Identify who might be harmed and how evaluate the risks and decide on precaution  Can the risk be eliminated?  Can the risk be controlled?  Record the findings and implement them  Review the risk assessment and update if necessary.

Funded by FCH JU (Grant agreement No ) 10 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 10  The calculation of the Probability Failure on Demand (PFD) is based on databases. Currently there are no specific databases for hydrogen applications. Therefore the calculation is mainly based on databases from the petrochemical and energy industry:  OREDA (Offshore Reliability Data): OREDA is a project organization sponsored by eight oil and gas companies with worldwide operations. OREDA's main purpose is to collect and exchange reliability data. Offshore subsea and topside equipment are primarily covered, but onshore equipment is also included.  EIREDA (European Industry Reliability Database): The EIREDA database was first published in The database concerns critical failures of components important for the safety of nuclear plant, and covers experience from 1978 to 1987, and then updated with data up to EIRDEA contains data on electrical, mechanical and electromechanical equipment of thermal power plants.  TNO Red Book: TNO is an independent research organization. The “colored books” are used as valuable standard reference material in safety studies.

Funded by FCH JU (Grant agreement No ) 11 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 11  The individual risk represents the annual frequency of an individual dying due to a hazard. The individual is assumed to be unprotected and to be present 24/7. Individual risk can be further defined in a way that takes into account the location specific probability that an individual may be killed because of an accident linked to the industrial activity. This risk thus depends on the frequency of occurrence of the events (examples: rupture of piping, explosion of liquid oxygen storage tank). This approach takes a “worst case” type of scenario for individual exposure.  In an industrial context, the assessment of an individual risk is made as following :  The feared event is described.  The causes of the feared event are described.  The consequences of the feared event are listed.  The probability of the causes and the severity of the consequences are assessed.  The criticality matrix then shows whether the risk associated to the hazard is tolerable, unacceptable or intermediate and if risk reduction measures should be taken.  If needed, the risk reduction measures are listed.

Funded by FCH JU (Grant agreement No ) 12 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE per year per year per year Not tolerable; risk can only be accepted under extraordinary circumstances Undesirable; only tolerable if reduction is not practicable or causes exceptionally high costs Tolerable if the costs for reduction exceed the benefit of improvement Widely acceptable Acceptable I II III IV V Risk Categories Level of tolerability / acceptability Typical values for Quantification per year Death rate – all forms of road accident Death rate – being struck by lightning Death rate – gas incidents (private sector) Death rate – „Service industries“  Individual risk   ALARP-risk categories:

Funded by FCH JU (Grant agreement No ) 13 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 13 (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 14 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 14  The societal risk represents the frequency of having an accident with N or more people being killed simultaneously. The people involved are assumed to have some means of protection.  Societal risk differs from individual risk in that it takes into account the total number of people who may be harmed at the same time by a single accident. The level of societal risk from an installation is determined by three factors :  The probability of an incident occurring on a major hazard site  The nature of the incident and its severity  The density and location of the population working on or living in and around the site.

Funded by FCH JU (Grant agreement No ) 15 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 15  Therefore, a specific approach has been developed for the assessment of risks run by people in public areas. The societal risk is presented as an FN curve, where N is the number of deaths and F the cumulative frequency of accidents with N or more deaths. This FN curve corresponds to the societal risk criteria.  Once the number of fatalities of a given hazard is known (depending among others on the population density), the societal risk curve indicates the maximum allowed frequency of this hazard. Then, measures to reduce the frequency of the risk below this maximum frequency can be taken. (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 16 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 16  Designing for safety aims at making systems intrinsically safe. This is achieved by ensuring that the all possible deviations ( initial events ) that could potentially generate a feared event (e.g. injury) are either sufficiently unlikely or handled by the system in order to avoid the feared event.  In this approach, once a system concept has been established, all hazardous deviations (also called initial event - e.g. hydrogen release) are reviewed. For each hazardous deviation, a safety objective is set, and the associated means to achieve the safety objective are identified. The design of the system is then made so that safety objectives are met and the system is therefore intrinsically safe. (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 17 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 17  Hazards may occur by the following conditions:  Human error  Unreliable operation mode  Unreliable loads  Maintenance and repair  Physical properties:  Pressure  Temperature  Filling grade  Chemical properties:  Corrosivity  Toxicity  Flammability  Every single parameter can cause a dangerous situation for a system.  Ambient conditions:  Oscillation  Ambient temperature  Corrosion  Abrasion  External fire

Funded by FCH JU (Grant agreement No ) 18 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 18  An effective form of design for safety is to translate safety objectives (frequency limit for feared event) into practical design objectives that can be implemented by design engineers:  For expectable events, there should be no damage. A typical safety strategy for expectable leaks is a passive ventilation or permanent active ventilation allowing a concentration of 1% hydrogen max.  For foreseeable events, there should be no injury (and loss of property).  For conceivable events, the effects of the feared events should be reduced to harm persons (or damage property).  No design objectives are set for unlikely feared events – which are acceptable as the frequency of these events is very low. There is no specific measure other than prevention (material choice...), only considered for emergency responses.

Funded by FCH JU (Grant agreement No ) 19 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 19  All deviations called initial events potentially generating a hazardous situation can be identified and characterized in terms of associated immediate risk (probability and initial severity) assuming absence of mitigation.  Following a ranking by initial severity, sets of deviations can be defined in terms of frequency: expectable, foreseeable, conceivable or unlikely. (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 20 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 20  For a given feared event, the safety objectives can be expressed as a frequency limit. Safety measures aim at lowering the frequency of the feared event below the frequency limit (safety objective).  To achieve this, several strategies can be combined:  The severity of the initial events can be reduced to the point that having a feared event is unlikely, in order to avoid the need of mitigation.  Mitigation measures can be taken, to lower the frequency of the feared event (which in that case is the frequency of failure of the mitigation measures)  Small ( frequent ) events with escalation potential require the most reliable mitigation.  The severity of the initial events can be reduced and the Mitigation measures can be taken, to lower the frequency of the feared event.

Funded by FCH JU (Grant agreement No ) 21 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 21 Designing for safety means acting on the severity of the initial events (2) and taking mitigation measures (4), knowing the probability of initial events becoming feared events (3), so as to meet the frequency limits (1) set as safety objectives. (Source: Air Liquide)

Funded by FCH JU (Grant agreement No ) 22 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 22 If the probability and severity of the initial event as well as the conditional probability are high, the required performance level ( reliability ) of the safety measure should be high. On the contrary, if the probability and severity of the initial event as well as the conditional probability are low, a lower reliability of the safety measure is tolerable. S: severity of the initial event F: probability of the initial event P: conditional probability PL: performance level (Source: EN ISO 13849)

Funded by FCH JU (Grant agreement No ) 23 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 23  H ydrogen S afety E ngineering ( HSE ) is defined as the application of scientific and engineering principles to the protection of life, property and environment from adverse effects of incidents/accidents involving hydrogen.  HSE includes but is not limited to high pressure under-expanded leaks and dispersion, spontaneous ignition of sudden hydrogen releases to air, deflagrations and detonations, etc.

Funded by FCH JU (Grant agreement No ) 24 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 24  The HSE process includes three main steps: 1.A Qualitative Design Review ( QDR ) is undertaken by a team that can incorporate owner, hydrogen safety engineer, architect, representatives of authorities having jurisdiction, e.g. fire services, and other stakeholders. 2.A quantitative safety analysis of selected scenarios and trial designs is carried out by qualified hydrogen safety engineer(s) using the state-of-the-art knowledge in hydrogen safety science and engineering and validated models and tools. 3.Finally, the performance of a HFC system and/or infrastructure is assessed against acceptance criteria predefined by the team. If none of the trial designs developed by the QDR team satisfies the specified acceptance criteria, the QDR and quantification process should be repeated until a hydrogen safety strategy satisfies acceptance criteria and other design requirements. When a satisfactory solution has been identified, the resulting HSE strategy should be fully documented in a “Report on Hydrogen Safety Engineering”.

Funded by FCH JU (Grant agreement No ) 25 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 25 (Source: Molkov and Saffers, 2011)

Funded by FCH JU (Grant agreement No ) 26 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 26  This performance-based methodology offers the flexibility to assess trial safety designs using separately or simultaneously three approaches: deterministic, comparative or probabilistic. 1.The objective of a deterministic study is to analyse the performance of trial safety design(s) selected by QDR team for chosen scenarios with models based on physical, chemical, thermodynamic and human behavioural relationships, derived from scientific theories and empirical correlations. 2.In some projects, recommendations of prescriptive codes and standards when they are available might provide the near optimum solution for a safe design. If the hydrogen system is regulations and codes compliant, a full HSE study may not be necessary. For comparative type of study, the acceptance criteria may simply be defined in terms of compliance with existing code requirements. 3.The objective of a probabilistic study is usually to show that the risk of a given event occurring is acceptable or tolerably small.

Funded by FCH JU (Grant agreement No ) 27 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 27  Safety objectives are defined from the beginning of the product design. This often highlights knowledge gaps and raises new R&D questions. R&D efforts should therefore focus on closing the knowledge gaps for supporting “design for safety”: this is pre-normative research.  Some examples of safety related pre-normative research topics:  Behavior of hydrogen once released (leak rates, dispersion and ventilation, combustion…). Examples of PNR objectives:  Specify ventilation openings that will prevent the development of a flammable atmosphere in case of a leak,  Specify maximum flammable mixture concentration in order to avoid exceeding a specified overpressure.  Resistance of composite cylinders to accidental loads (e.g. fire). Example of PNR objectives:  Specify maximum time to empty cylinder in order to avoid burst,  Specify thermal protection for withstanding fire conditions during a pre-defined amount of time.  Effects of hydrogen on metallic materials (hydrogen embrittlement).  The knowledge base set up by the pre-normative research is then used to support the recognition of the means to achieve safety objectives by standardization: it supports the creation of regulations, codes and standards.

Funded by FCH JU (Grant agreement No ) 28 © HyFacts Project 2012/13 CONFIDENTIAL – NOT FOR PUBLIC USE 28  Role of regulations, codes and standards Regulations, codes and standards provide performance requirements ( effectiveness, reliability ) with regards to the means ( prevention, mitigation ) used to achieve safety targets. They provide design criteria ensuring fitness for purpose by relating requirements to conditions of use and standard solutions for meeting the performance requirements or safety targets. (Source: Air Liquide)