By Rashi Mor and Álvaro Fernandes, Kiwa
To be able to determine whether a design is safe or not, the associated hazards expected during the lifetime of the system should be identified. This is where risk assessment comes into the picture.
Risk assessment
Risk assessment is a process that helps identify hazards and quantify the risks associated with hazards by taking into consideration factors like likelihood and severity. Several methods exist (HAZOP, FMEA, HAZID, QRA, etc.) that can be used to conduct a risk assessment for a given system. The same is applicable to electrolysers. Electrolysers are peculiar systems due to the presence of flammable gases, oxygen and electricity in the vicinity of each other, high-pressure – and possibly high-temperature – operating conditions, and potential release of toxic gases. All these characteristics can result in fatal events if not properly considered. Therefore, in addition to a risk assessment, explosion and fire safety assessment as well as appropriate certification should also be conducted for electrolyser systems.
HAZOP
A Hazards and operability study (HAZOP) is one of the methods widely used by industry for risk assessment. HAZOP provides a structured manner to review the design of the electrolyser system and identify possible hazards that may have been ignored during the general design phase. HAZOP is performed after the first design freeze, i.e., when the first version of the P&ID (piping and instrumentation diagram) is defined, detailing the complete system layout with all existing components. HAZOP is conducted in several sessions where a core team of people with relevant skills brainstorm together. The sessions should be facilitated by a HAZOP moderator experienced with the HAZOP method as well as by a scribe who documents progress. The HAZOP moderator and the scribe need not be aware of the nitty-gritty of the system. Furthermore, the team should consist of engineers involved with the system design and the operator/user if possible.
During HAZOP, a system is divided into several nodes, depending on the complexity of the system, and hazards are identified for individual nodes with the help of standard guide terms and process parameters. For electrolysers, the most commonly used nodes are:
- Anode loop
- Cathode loop
- Coolant loop, if any
- Nitrogen loop, if any
- Gas separators
- External factors such as air intake and exhaust obstructions, rain, etc.
These nodes are just an example, and the actual nodes selection depends highly on the system design and complexity. The first HAZOP study will result in system design changes to eliminate or mitigate the risks identified. A risk assessment should be performed on this revised system again to assess the emergence of new risks resulting from the design change.
Explosion and fire safety
Combustion requires three elements, commonly shown as the fire triangle: combustible, oxidant and ignition. In an electrolyser, all these three elements exist in close proximity to each other. The first common approach is to avoid ignition sources. This, however, is difficult for hydrogen due to its low ignition energy. A simple static spark is sufficient for ignition of a hydrogen-air mixture. As part of the explosion and fire safety assessment, the system design should be reviewed, also in a team of experienced engineers, to identify potential leak sources (during normal operation as well as failure modes).
Depending on the potential leaks, sufficient ventilation (natural or mechanical) should be sized and installed to dilute the formation of explosive mixture. EN-IEC 60079-10-1: Classification of areas – explosive gas atmosphere provides a guideline on identifying and characterising potential leak sources, assessing the ventilation availability and accordingly defining the hazardous areas in the installation area. It is not always possible to eliminate the risk of explosion, especially in electrolysers.
A few common practices are suggested to be adopted for electrolysers to reduce the risk of explosion:
1. Divide the system into two sections separated by a gas-tight wall – one section contains all the hydrogen-related equipment whereas the other container contains the electrical parts and control system.
2. Install hydrogen-detecting equipment at the highest possible point in the system – at a location where the chances of hydrogen leakage and accumulation are highest. Programme this detection equipment to provide an alarm at 10% LEL and automatically shut down the system at 25% LEL detection.
3. All electrical equipment should be grounded.
4. All metallic parts should be at ground potential.
5. Explosion relief panels can be installed for safe venting of explosion pressure.
6. The outlet from relief valves or purge lines should be at the top-most location and about 4–5 m above ground level. The outlets of hydrogen and oxygen should be as far from each other as possible.
Certification
Any product to be commercialised needs to comply with regulations or directives of the target market. These requirements are, however, limited to generally described fundamental objectives (termed ‘essential requirements‘).
It is the manufacturer’s responsibility to demonstrate that its product complies with these requirements according to the current state of technology (‘state of the art’). The manufacturer retains the freedom to choose how it determines the technical criteria required to demonstrate compliance. It is assumed that the current state of technology is reflected in the relevant European and/or international standards.
By affixing the market symbol (CE for the EU market) to the product and issuing the product certificate, the manufacturer indicates the ‘presumption of conformity’ of its product with relevant regulations and directives.
Electrolysers are not an exception and need to comply with certain regulations and directives, commonly PED (Pressure Equipment Directive), MD (Machinery Directive), EMCD (Electromagnetic Compatibility Directive) and others for the EU market. Although the declaration of compliance with most of the directives can be a self-declaration act by the manufacturer, for some particular directives, such as PED and ATEX, the assessment of the safety and issue of a certificate shall be performed by a legally appointed notified body (so-called NoBo) to the manufacturer. The certificate is then linked to the manufacturer’s certificate.
The process of certification usually follows four steps: the pre-assessment, constructional review, field-test testing and field-test certification (optional), and full compliance testing and certification. Field-test testing and certification is used if the electrolyser is not fully compliant with relevant standards at the end of the second step.
The objective of the first step is to assess the safety of the electrolyser design by identifying the possible hazards present in all stages of the lifetime of the electrolyser, such as operation, transportation, handling, maintenance, and misuse, among others. The main outcome is to propose design changes to eliminate or mitigate the risks presented by the hazards either by implementing good practice design solutions and/or safeguards. This is an interactive step where a number of sessions are conducted between the certification assessors and the manufacturer designers. It ends when the design has adequate safety implementation. At the end of this step, the design of the electrolyser and the HAZOP document are frozen.
Then the second step is followed and the list of components and their documentation/certificates shall be available. The design of the electrolyser is verified if it meets the requirements of the relevant standards and a test program is identified. The test program includes the testing of the product according to the type tests listed in the product, electrical, functional and EMC standards. Additional tests might be required for components that are not compliant with the relevant standards.
The optional step of field-test testing and certification allows the manufacturer to deploy a limited number of electrolyser systems in the field for a defined period. In this period, the manufacturer can then develop and implement the required changes. It requires a limited/partial test program that shall be performed in ISO 17025 accredited labs or, alternatively, at the manufacturer’s premises with ISO 17025 calibrated measuring instrumentation and witnessed by experienced test engineers. Test reports and a certificate are issued and valid for a defined period.
The final step of full-compliance testing and certification aims to conclude the test program defined in the second step. The tests shall be performed as mentioned in the previous paragraph. The passing of the tests will indicate that the electrolyser complies with the relevant directives and regulations. This needs to be documented and can be used to prove that the manufacturer satisfied the essential requirements to show that the product is safe. Only at this stage the product can be commercialised without limitations.
Ensuring confidence through quality and safety
At Kiwa, we have experience with a broad range of electrolyser technologies, and we help our clients with risk assessment – and management – of components, products and systems, their certification, as well as operational and functional evaluations. We also assist our clients in the purchasing, manufacturing, installation and commissioning of electrolysis plants, helping to ensure both their safety and quality.
* Opening image Alexandersikov| Dreamstime.com
