SAFETY-BARRIER DIAGRAMS FOR DOCUMENTING SAFETY OF HYDROGEN APPLICATIONS

SAFETY-BARRIER DIAGRAMS FOR DOCUMENTING SAFETY OF HYDROGEN APPLICATIONS

F. Markert and N.J. Duijm

Systems Analysis Department, Risø National Laboratory,

Technical University of Denmark, P.O. Box 49, DK-4000 Roskilde, Denmark

[email protected],

[email protected]

Paper 4.1.143 - 2nd ICHS, San Sebastian 11th-13th September 20072

Background

Barrier diagrams serve two main purposes:

1) Evaluation of adequateness of safety measures (part of accident prevention)

Are the barrieres reasonable and independent? Are barriers missing?

2) Communication to all stakeholdersIllustrating the possible accident scenarios and safety measures taken to prevent them

- Safety-barrier diagrams have been popular in Denmark as a risk analysis tool.

- Safety-barrier diagrams are also useful for analysisng the new hydrogen technologies


Definition of a safety barrier

• A barrier function is a function planned to prevent, control, or mitigate the propagation of a condition or event into an undesired condition or event;

• A safety barrier is a series of elements that implement a barrier function, each element consisting of a technical system or human action.

L

Levelindicator

Alarm

Operator

Button Poweredvalve

Signal Signal

Detection Diagnosis Action


Graphical presentation of a safety barrier

Fault tree representationSafety barrierCondition on success is optional


BARRIER DIAGRAMS

Barriers can be of different types:

Active versus passive barriers Automatic versus manual barriers

Examples of barriers: An alarm for high level in a tank. A sprinkler system in a building to prevent fires in developing. A dike surrounding a tank, designed to contain accidental spillage

from the tank.


CONSTRUCTION OF BARRIER DIAGRAMS

The construction of barrier diagrams consists of 4 steps:

1. Construction of e.g. the event chains

When constructing barrier diagrams one must start with ignoring all the existing barriers! The main structure of the barrier diagram is the event chains, which may consist of elements from both the event tree and the fault tree method.

Event B

Event D

Event C

Event E

Event A


STEPS IN CONSTRUCTING BARRIER DIAGRAMS

2. Inclusion of the barriers.

Barrier a

Barrier b

Barrier c

Event B

Event D

Event C

Event E

Event A

Event F


STEPS IN CONSTRUCTING BARRIER DIAGRAMS

3.Once the barrier diagram is finished, the level of safety should be evaluated

to determine whether there are sufficient barriers against the undesired events happening

When evaluating the diagram one must consider:• The frequency/probability of the initiating events

• The severity of the end events (consequence assessment)

• The number, coverage and reliability of barriers in each of the event chains in the diagram

4. (optional) Classification of barriers according to type or evaluated reliability of the barrier.

.


Safety-barrier diagrams are simpler than fault trees


Dependency can be included via the ”Common Element”

Common Elementindicated:”Single Operator”


• Barriers may not be bypassed

• Events/conditions and barriers are unique

• Paths through diagrams can converge and diverge; divergence can be exclusive (as in an event tree) or simultaneous (or parallel)

Important properties of safety-barrier diagrams

Exclusive Simultaneous/parallel

DivergenceConvergence


Important properties (continue)

• Diagrams can be split into connected sub-diagrams; Connected diagrams can be put together into a single diagram that fulfils the above conditions

• The probability of conditions in a safety-barrier diagram can be derived from the

• probability of the initial conditions and

• probabilities of failure on demand of the barriers.


Comparison with other (graphical) risk analysis methods

• Barrier diagrams are developed from cause-consequence diagrams

• Cause-consequence diagrams combine fault trees and event trees

• Barrier diagrams simplify the presentation of safety systems (”and” gates in fault trees)

• A ”Bowtie” diagram is a safety-barrier diagram with a single ”Critical Event”


Example safety-barrier diagram

P-5

Delivery truck Dispenser

Liquid storage Evaporator Compressor

Process flow diagram for a hydrogen refuelling facility with cryogenic delivery


Safety-barrier diagram for the unloading of a LH2-truck

Safety-barrier diagram for the unloading of a liquid hydrogen truck at a refuelling station on the basis of the FMEA study by Venkatesh S., et.al.; Failure modes and effects analysis for hydrogen fueling options. California Energy Commission;2004.


Barrier diagram evaluation & type classificationBarrier Name Barrier Type

Description

Unloading Inspection

Activated Barrier - Procedural (Observation of local conditions not using instruments)

On arrival of the truck, the truck is inspected visually for defects by driver or station operator (need to be decided who). The mitigation action what to do in case defects are noted need to be included.

Hydrogen sensors

Activated Barrier - Warned (Human Action based on passive warning)

Hydrogen sensors are located near the unloading facilityThe sensors themselves do not mitigate the presence of an explosive atmosphere, so a follow up has to be found in terms of alarms, evacuation, close down of unloading operation, close down of potential ignition sources

Inspection of hoses


Inspection of hoses before unloading/connection


Barrier diagram evaluation & type classification

Inspection of connections


Connections are inspected before unloading action is started

Supervision during unloading


The unloading action is monitored by personnel.Note that the personnel may become disabled by freeze burn - consider additional remote monitoringDeviations of the unloading lead to aborting the unloading action


Barrier diagram evaluation & type classification

Barrier Name Barrier Type Description

Personal protection

Temporary Passive Barrier - Put in place (and removed) by person

Unloading operator and truck driver have donned protective clothing against cryogenic burn ("Nomex suit")

Limited access Activated Barrier - Warned (Human Action based on passive warning)

A safety distance around the truck and unloading facility where access is prohibited to third parties and personnel not involved in the unloading action.

Venting prior disconnection


Unloading hoses need to be vented prior to disconnection

Collision prevention

Temporary Passive Barrier - Put in place (and removed) by person /Permanent Passive Barrier/Activated Barrier - warned

Temporary Passive BarrierThe unloading facility can be protected against external impacts such as third party traffic by: a) caution cones, b) concrete poles, and c) impact resistant movable fences/barriers


Conclusions

The methodology of safety-barrier diagrams has been introduced and exemplified by the safety analysis of two sections of a hydrogen refueling station.

• Safety-barrier diagrams offer a good overview of the safety precautions that are included in the different sections, and the consequences of the failure of these precautions.

• Safety-barrier diagrams support hazard analysis; they do not support or replace the preceding phase of hazard identification, for which exist a range of more suitable methods, such as FMEA or HAZOP

• The logic framework used for safety-barrier diagrams and the use of a classification for the different safety barriers forces the analysts to consider the completeness of the barriers (in terms of the detect-diagnose-act sequence) and the role of the safety barrier in the system.


Conclusions

• The safety-barrier diagrams allow both quantitative and qualitative assessments to be made.

• The presentation by means of safety-barrier diagrams is simpler, and thereby easier to understand by non-experts than other graphical methods such as fault trees or event trees.

• Therefore safety-barrier diagrams are excellent means for documenting system safety and for communication with authorities and other stakeholders.


Thank you for your attention

Documents

SAFETY-BARRIER DIAGRAMS FOR DOCUMENTING SAFETY OF HYDROGEN APPLICATIONS