3-Chapter_H_(slides

© HyFacts Project 2012/13
CONFIDENTIAL – NOT FOR PUBLIC USE
Funded by FCH JU (Grant agreement No. 256823)
• A hazard is a source or situation with a potential for bodily, material or environmental damage, or a combination of them. Examples of hazards are fires and explosions.
• Hazards are associated with feared events potentially producing the hazard, i.e. a deviation, such as a hydrogen leak, that may result in a fire or an explosion.
• The risk is a quantitative measurement of a hazard in terms of its probability P and severity S. The risk of a hazard (also called criticality) is assessed on the basis of these two parameters.
• Safety is freedom from unacceptable risk. This implies some level of risk is tolerable. Hydrogen is mostly found in combination with other elements in form of e.g. water, methane, biomass, etc.
• A hazard is a chemical or physical condition that has the potential for causing damage to people, property and the environment. A hydrogen accident could involve different hazards, e.g. asphyxiation due to release in a closed space, frostbite from liquefied hydrogen, thermal hazards from jet fire, pressure effects from deflagrations and detonations, etc. A hazard could lead to no damage if the proper safety measures are applied, or could lead to costly consequences, up to fatalities, if the system or infrastructure has been designed and used without professional knowledge in hydrogen safety.
Risk areas
The risk R of a hazard is assessed on the basis of its probability P and its severity S: R = P x S.
• An unacceptable risk area (red): this area indicates an unacceptable severity-probability combination. Measures must be taken to mitigate the risk.
• A low risk area (green): this area represents a combination of severity and probability for which the risk is considered low and thus tolerable.
• The intermediate risk area (yellow): the ALARP zone (As Low As Reasonably Practicable). In this area, additional investigations are required to see whether the risk could be decreased to the low risk area.
[Figure: criticality matrix. Axes: Probability (Rare to Frequent) and Severity (Minor to Major). Labelled regions: unacceptable area, low risk area. (Source: Air Liquide)]
• The criticality matrix considers these three levels of criticality and allows for an assessment of the risk of a hazard.
• Hazards are classified according to their probability of occurrence and to their severity. There are several classes of probability: the class with the highest probabilities corresponds to frequent events, while the class with the lowest probabilities corresponds to improbable events. There are also several levels of severity, depending on the severity of the consequences of a hazard (on safety, production, environment...).
• The criticality matrix displays the values of the probabilities allowing for an assessment of the probability category of a hazard, and it also displays the criteria allowing for an assessment of the severity level of the hazard.
• Hazards are classified according to their probability of occurrence and to their severity.
(Source: Methodology for Rapid Risk Ranking of H2 Refuelling Station Concepts, by Norsk Hydro ASA and DNV, Sept 2002, European Integrated Hydrogen Project 2)
[Two figures not reproduced. (Source: Methodology for Rapid Risk Ranking of H2 Refuelling Station Concepts, by Norsk Hydro ASA and DNV, Sept 2002, European Integrated Hydrogen Project 2)]
• The criticality matrix then shows whether the risk of a given hazard is tolerable (low risk), unacceptable (measures must then be taken to reduce the risk) or medium (additional investigations are then required to see whether the risk could be decreased to the low risk area).
• A possible risk assessment approach one might take is:
  - Identify the hazards
  - Identify who might be harmed and how; evaluate the risks and decide on precaution
      • Can the risk be eliminated?
      • Can the risk be controlled?
  - Record the findings and implement them
  - Review the risk assessment and update if necessary.
• The individual risk represents the annual frequency of an individual dying due to a hazard. The individual is assumed to be unprotected and to be present 24/7. Individual risk can be further defined in a way that takes into account the location-specific probability that an individual may be killed because of an accident linked to the industrial activity. This risk thus depends on the frequency of occurrence of the events (examples: rupture of piping, explosion of liquid oxygen storage tank). This approach takes a “worst case” type of scenario for individual exposure.
• In an industrial context, the assessment of an individual risk is made as follows:
  - The feared event is described.
  - The causes of the feared event are described.
  - The consequences of the feared event are listed.
  - The probability of the causes and the severity of the consequences are assessed.
  - The criticality matrix then shows whether the risk associated with the hazard is tolerable, unacceptable or intermediate and if risk reduction measures should be taken.
  - If needed, the risk reduction measures are listed.
[Table: risk assessment worksheet. Columns and their content:
  Feared event: description
  Causes: description of the causes of the feared event
  Consequences: effects of the feared event
  Probability: probability of the causes
  Severity: severity of the consequences
  Criticality: assessment of the risk level according to the criticality matrix
  Risk reduction measures: additional risk reduction measures needed to reach a low risk level
(Source: Air Liquide)]
• The societal risk represents the frequency of having an accident with N or more people being killed simultaneously. The people involved are assumed to have some means of protection.
• Societal risk differs from individual risk in that it takes into account the total number of people who may be harmed at the same time by a single accident. The level of societal risk from an installation is determined by three factors:
  - The probability of an incident occurring on a major hazard site
  - The nature of the incident and its severity
  - The density and location of the population working on or living in and around the site.
• Therefore, a specific approach has been developed for the assessment of risks run by people in public areas. The societal risk is presented as an FN curve, where N is the number of deaths and F the cumulative frequency of accidents with N or more deaths. This FN curve corresponds to the societal risk criteria.
• Once the number of fatalities of a given hazard is known (depending among others on the population density), the societal risk curve indicates the maximum allowed frequency of this hazard. Then, measures to reduce the frequency of the risk below this maximum frequency can be taken.
[Figure: FN curve. Axes: frequency of N or more fatalities per year, and number of fatalities (N). Zones: unacceptable risk zone, ALARP (As Low As Reasonably Practicable), low risk zone. (Source: Air Liquide)]
• Designing for safety aims at making systems intrinsically safe. This is achieved by ensuring that all possible deviations (initial events) that could potentially generate a feared event (e.g. injury) are either sufficiently unlikely or handled by the system in order to avoid the feared event.
• In this approach, once a system concept has been established, all hazardous deviations (also called initial events, e.g. hydrogen release) are reviewed. For each hazardous deviation, a safety objective is set, and the associated means to achieve the safety objective are identified. The design of the system is then made so that safety objectives are met and the system is therefore intrinsically safe.
[Figure: product design flow. Labels: product design; system concept; hazardous deviation; safety objective for each feared event; means to achieve objective; safety strategy; safe design. (Source: Air Liquide)]
• All deviations (called initial events) potentially generating a hazardous situation can be identified and characterized in terms of associated immediate risk (probability and initial severity), assuming absence of mitigation.
• Following a ranking by initial severity, sets of deviations can be defined in terms of frequency: expectable, foreseeable, conceivable or unlikely.
[Figure: frequency vs initial severity. Initial event classes: Expectable, Foreseeable, Conceivable, Unlikely. Initial event class frequency limits: < 10^-2 /yr, < 10^-4 /yr, < 10^-x /yr. (Source: Air Liquide)]
• For a given feared event, the safety objectives can be expressed as a frequency limit. Safety measures aim at lowering the frequency of the feared event below the frequency limit (safety objective).
• To achieve this, several strategies can be combined:
  - The severity of the initial events can be reduced to the point that having a feared event is unlikely, in order to avoid the need for mitigation.
  - Mitigation measures can be taken to lower the frequency of the feared event (which in that case is the frequency of failure of the mitigation measures).
• Small (frequent) events with escalation potential require the most reliable mitigation.
• The severity of the initial events can be reduced and mitigation measures can be taken to lower the frequency of the feared event.
[Figure: frequency vs initial severity, with numbered elements 1 to 4. Labels: frequency of initial event; FE conditional probability without mitigation; frequency* of feared event (FE) without mitigation; FE conditional probability with mitigation; frequency* of feared event with mitigation, i.e. residual risk; frequency limit for feared event. (*Considering potential escalation.) Initial event classes: Expectable, Foreseeable, Conceivable, Unlikely. Initial event class frequency limits: < 10^-2 /yr, < 10^-4 /yr, < 10^-x /yr. (Source: Air Liquide)]
Design for safety: act on 2 and 4, knowing 3, to meet 1
Designing for safety means acting on the severity of the initial events (2) and taking
mitigation measures (4), knowing the probability of initial events becoming feared
events (3), so as to meet the frequency limits (1) set as safety objectives.
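The frequency budget described above, worked through as an added example that is not part of the original slides. The event names, frequencies, conditional probabilities and the 1e-4 /yr limit are constructed values, and modelling mitigation as a single probability of failure is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class InitialEvent:
    name: str
    freq_per_yr: float   # (2) frequency of the initial event
    p_feared: float      # (3) conditional probability of the feared event, no mitigation
    limit_per_yr: float  # (1) frequency limit for the feared event (safety objective)

def unmitigated_freq(ev: InitialEvent) -> float:
    """Frequency of the feared event if nothing mitigates the initial event."""
    return ev.freq_per_yr * ev.p_feared

def required_pfd(ev: InitialEvent) -> float:
    """Largest failure probability the mitigation (4) may have while still
    meeting the limit. 1.0 means the objective is met without mitigation."""
    f = unmitigated_freq(ev)
    return 1.0 if f <= ev.limit_per_yr else ev.limit_per_yr / f

def residual_freq(ev: InitialEvent, pfd: float) -> float:
    """Feared-event frequency with mitigation: it occurs only when mitigation fails."""
    if not 0.0 <= pfd <= 1.0:
        raise ValueError("pfd must be a probability")
    return unmitigated_freq(ev) * pfd

def meets_objective(ev: InitialEvent, pfd: float) -> bool:
    return residual_freq(ev, pfd) <= ev.limit_per_yr

def rank_by_required_reliability(events):
    """Most demanding mitigation first (smallest tolerable failure probability)."""
    return sorted(events, key=required_pfd)

# Constructed sample events, all judged against the same assumed limit.
LIMIT = 1e-4
EVENTS = [
    InitialEvent("small leak, frequent, can escalate", 1e-1, 0.1, LIMIT),
    InitialEvent("medium leak", 1e-3, 0.5, LIMIT),
    InitialEvent("large release, rare", 1e-5, 0.5, LIMIT),
]

if __name__ == "__main__":
    for ev in rank_by_required_reliability(EVENTS):
        print(f"{ev.name:36s} unmitigated {unmitigated_freq(ev):.1e}/yr  "
              f"max mitigation failure prob. {required_pfd(ev):.1e}")
```

With these values the frequent small leak needs the most reliable mitigation, while the rare large release already sits below the limit.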
• An effective form of design for safety is to translate safety objectives (frequency limit for feared event) into practical design objectives that can be implemented by design engineers:
  - For expectable events, there should be no damage. A typical safety strategy for expectable leaks is a passive ventilation or permanent active ventilation allowing a concentration of 1% hydrogen max.
  - For foreseeable events, there should be no injury (and loss of property).
  - For conceivable events, the effects of the feared events should be reduced to harm persons (or damage property).
  - No design objectives are set for unlikely feared events, which are acceptable as the frequency of these events is very low. There is no specific measure other than prevention (material choice...), only considered for emergency responses.
If the probability and severity of the initial event as well as the conditional probability are high, the required performance level (reliability) of the safety measure should be high. On the contrary, if the probability and severity of the initial event as well as the conditional probability are low, a lower reliability of the safety measure is tolerable.
[Figure legend: S: severity of the initial event; F: probability of the initial event; P: conditional probability; PL: performance level. (Source: EN ISO 13-849)]
• Hydrogen Safety Engineering (HSE) is defined as the application of scientific and engineering principles to the protection of life, property and environment from adverse effects of incidents/accidents involving hydrogen.
• HSE includes but is not limited to high pressure under-expanded leaks and dispersion, spontaneous ignition of sudden hydrogen releases to air, deflagrations and detonations, etc.
• The HSE process includes three main steps:
  1. A Qualitative Design Review (QDR) is undertaken by a team that can incorporate owner, hydrogen safety engineer, architect, representatives of authorities having jurisdiction, e.g. fire services, and other stakeholders.
  2. A quantitative safety analysis of selected scenarios and trial designs is carried out by qualified hydrogen safety engineer(s) using the state-of-the-art knowledge in hydrogen safety science and engineering and validated models and tools.
  3. Finally, the performance of a HFC system and/or infrastructure is assessed against acceptance criteria predefined by the team. If none of the trial designs developed by the QDR team satisfies the specified acceptance criteria, the QDR and quantification process should be repeated until a hydrogen safety strategy satisfies acceptance criteria and other design requirements.
When a satisfactory solution has been identified, the resulting HSE strategy should be fully documented in a “Report on Hydrogen Safety Engineering”.
(Source: Molkov and Saffers, 2011)
• This performance-based methodology offers the flexibility to assess trial safety designs using separately or simultaneously three approaches: deterministic, comparative or probabilistic.
  1. The objective of a deterministic study is to analyse the performance of trial safety design(s) selected by the QDR team for chosen scenarios with models based on physical, chemical, thermodynamic and human behavioural relationships, derived from scientific theories and empirical correlations.
  2. In some projects, recommendations of prescriptive codes and standards, when they are available, might provide the near optimum solution for a safe design. If the hydrogen system is regulations and codes compliant, a full HSE study may not be necessary. For a comparative type of study, the acceptance criteria may simply be defined in terms of compliance with existing code requirements.
  3. The objective of a probabilistic study is usually to show that the risk of a given event occurring is acceptable or tolerably small.
Safety objectives are defined from the beginning of the product design. This often highlights knowledge gaps and raises new R&D questions. R&D efforts should therefore focus on closing the knowledge gaps for supporting “design for safety”: this is pre-normative research.
Some examples of safety related pre-normative research topics:
• Behavior of hydrogen once released (leak rates, dispersion and ventilation, combustion…). Examples of PNR objectives:
  - Specify ventilation openings that will prevent the development of a flammable atmosphere in case of a leak,
  - Specify maximum flammable mixture concentration in order to avoid exceeding a specified overpressure.
• Resistance of composite cylinders to accidental loads (e.g. fire). Example of PNR objectives:
  - Specify maximum time to empty cylinder in order to avoid burst,
  - Specify thermal protection for withstanding fire conditions during a pre-defined amount of time.
• Effects of hydrogen on metallic materials (hydrogen embrittlement).
The knowledge base set up by the pre-normative research is then used to support the recognition of the means to achieve safety objectives by standardization: it supports the creation of regulations, codes and standards.
[Figure: product design flow linked to the safety knowledge base. Labels: product design; system concept; feared events; safety objective for each feared event; means to achieve objective; standards; safety strategy; safe design; questions; answers; H2 Safety Knowledge Base; Shared H2 Safety Knowledge Base; Pre Normative Research. (Source: Air Liquide)]
• Role of regulations, codes and standards
Regulations, codes and standards provide performance requirements (effectiveness, reliability) with regards to the means (prevention, mitigation) used to achieve safety targets. They provide design criteria ensuring fitness for purpose by relating requirements to conditions of use and standard solutions for meeting the performance requirements or safety targets.