Can Traditional Safety Engineering Tools be Applied to the Assessment of Hydrogen Technologies and Facilities?
Abstract
With the global drive towards carbon neutrality, the development of hydrogen technologies and infrastructure has accelerated rapidly. This expansion has brought hydrogen safety engineering into sharper focus, prompting extensive research into the unique hazards posed by hydrogen. Yet a critical question persists: How effectively are these research findings being integrated to ensure that hydrogen system designs are inherently safe?
Are conventional safety engineering methodologies - such as hazard identification, risk assessment, and consequence analysis - adequate for hydrogen applications, or do they require adaptation to address hydrogen’s distinctive physical and chemical properties? Furthermore, do current design codes and standards sufficiently reflect hydrogen’s unique behaviours compared to traditional fuels, thereby ensuring that safety tools remain fit for purpose?
This article explores the applicability and effectiveness of established safety engineering methods and tools within the context of hydrogen technologies. It examines their role in hazard identification, operational risk assessment, fire and explosion modelling, and consequence evaluation for people and assets. The focus is on key hydrogen applications including electrolysers, fuel cells (for vehicles and refuelling stations), and hydrogen-powered generation facilities.
The objective is to determine whether existing methodologies adequately address hydrogen-specific risks or whether recent advances in hydrogen safety research necessitate the development of new approaches for risk management and hazard mitigation.
1.0 Introduction
Safety engineering is a critical discipline in the design of hazardous technologies, processes, and facilities. Its primary objective is to ensure that whatever is being designed is safe - not just during steady-state operations, but throughout all lifecycle phases, including start-up, maintenance, shutdown (both controlled and emergency), and abnormal conditions. This includes ensuring that the plant and site layout are designed to prevent the escalation of accident events.
The safety engineer’s focus is solely on safety - not on production throughput, product quality, or commercial viability. Their responsibility is to determine whether the technology, process, or facility can be safely started, operated, maintained, and shut down. In essence, the safety engineer ensures that what is being developed is inherently safe - where the presence of a hazard and its corresponding control measures cannot be separated or decoupled.
Important Distinction:
The content presented in this article pertains to safety engineering, not process safety management. While both play vital roles in ensuring safe design and operation, they are distinct disciplines. Safety engineering is focused on technical design and hazard mitigation, whereas process safety management encompasses organisational systems, procedures, and governance frameworks to manage risk across operations.
2.0 What is Safe?
From an external perspective, a plant is often incorrectly considered "safe" when its calculated risk falls below a defined threshold. However, risk does not equal safety.
For example, a facility capable of causing multiple fatalities but with a very low probability of occurrence may be classified as a "low to moderate risk." If that same facility is only periodically manned, the calculated risk could be even lower - yet the inherent danger remains. Is that truly safe?
Risk is simply a comparative tool - a benchmark used to contrast one design against another. It is not a measure of inherent safety.
An inherently safe facility is one in which:
· Process upsets are difficult to initiate during start-up, operation, and shutdown;
· The chemical and thermodynamic behaviour of process fluids is controlled and predictable;
· Materials of construction are compatible with the process and environmental conditions;
· The system can be brought to a safe state without escalation during an accident event.
Inherently safe design integrates hazard controls directly into the technology, process, or facility - not as add-ons, but as fundamental design elements.
3.0 Assessment of Safety
While it is the role of discipline engineers (process, mechanical, electrical, instrumentation, materials, etc.) to develop a design that meets safety requirements, the safety engineer is responsible for working across all disciplines to guide and ensure the inherent safety of the integrated system.
Since its formalisation in the 1960s, safety engineering has relied on a set of well-established assessments and analyses tailored to hazardous industries. These methods have been refined over decades and supported by substantial operational data, equipment failure records, and research into material and fluid behaviour.
However, safety engineering is not a "paint-by-numbers" exercise. The application of each analysis varies based on:
· The complexity of the technology or process;
· The nature and magnitude of associated hazards;
· The interdependencies between safety assessments;
· The maturity and structure of the design.
Safety engineering is often highly iterative, with overlapping and interrelated studies influencing one another throughout the design lifecycle.
A high-level representation of how safety engineering is applied during the design of hazardous technologies, processes, and plants is shown in the diagram below.
Note:
Due to graphical limitations, the high degree of interconnectivity between each "puzzle piece" cannot be fully represented. Additionally, the order shown may not reflect the actual sequence in which each activity is undertaken. It is the responsibility of the Lead Safety Engineer to define the scope, boundaries, and sequencing of the safety engineering program based on project-specific considerations.
Figure 1 – Safety Engineering (non-hydrogen) (developed by and property of Alpha Systems)
With the increasing standardisation of equipment, design practices, and plant layouts, along with higher levels of automation and a well-established understanding of hazardous material behaviour across most industries, the application of the standard suite of safety engineering studies - commonly referred to as Formal Safety Assessments (FSAs) - is often sufficient to achieve the required level of inherent safety.
When executed by appropriately trained and experienced safety engineers, these assessments provide a robust framework for evaluating whether a technology, process, or plant meets the necessary safety objectives and whether the associated risks fall within the organisation’s defined risk appetite.
Importantly, FSAs should not be treated as a ‘pick and mix’ menu. No single assessment is designed to fully capture or manage a hazard in isolation. These studies are highly interconnected, and their true value lies in being applied in the correct sequence and at the appropriate stages of the design process. When integrated effectively, FSAs are instrumental in managing hazards and enabling the design of inherently safe facilities.
Table 1 – Formal Safety Assessments
As stated earlier, it is the responsibility of the Lead Safety Engineer to determine which FSAs are required, the sequence in which they should be undertaken, and the appropriate stages of the project lifecycle at which they should be applied.
However, this raises an important question: Are these conventional safety engineering studies equally suitable for industries that are still emerging, where the behaviour of hazardous materials is not yet fully characterised - such as the use of hydrogen as a carbon-neutral fuel?
4.0 Assessment of Hydrogen Technologies and Plants
4.1 Unique Safety Challenges of Hydrogen
Although liquid hydrogen has been used as rocket fuel for decades, the generation and use of hydrogen gas as a fuel for power generation, and as an energy source for military, commercial, and domestic vehicles and aircraft, remains a relatively new and evolving application. Consequently, much of hydrogen’s behaviour - both within process and storage systems and in the external environment - is still being actively studied and understood.
That said, there are several well-established hazardous properties of hydrogen that are already recognised and that clearly distinguish it from other commonly used flammable gases, such as methane and liquefied natural gas (LNG). For clarity, both methane and LNG will be referred to collectively as natural gas in this document.
A comparison of key hazardous behaviours of hydrogen versus natural gas is presented in Table 2.
Table 2 – Key Hydrogen and Natural Gas Properties
*mJ - millijoules
[1] Zanganeh et al. 2016
The key hydrogen properties of particular interest to a safety engineer, as outlined in Table 2, include its wide flammability range, extremely low ignition energy, and its permeability and material compatibility characteristics. These properties present challenges that differentiate hydrogen from natural gas in both behaviour and risk profile.
One notable hazard arises from hydrogen’s wide flammability range (4–75% by volume in air) and low ignition energy (~0.02 mJ), which significantly increase the likelihood of ignition from causes such as adiabatic compression within process equipment - posing a much higher risk than comparable scenarios involving natural gas.
Additionally, because hydrogen is significantly lighter than air, a release within an enclosed or semi-enclosed environment can lead to the Pressure Peaking Phenomenon (PPP) (Brennan and Molkov, 2018). This phenomenon can result in the accumulation of hydrogen in upper enclosure regions, and under specific conditions, cause the rapid generation of significant overpressures - even in the absence of ignition. While PPP is not exclusive to hydrogen, the magnitude of overpressure generated by hydrogen releases is considerably greater than for other gases and can exceed the structural resistance of typical enclosures.
These characteristics underscore the need for specialised safety considerations and design adaptations when working with hydrogen, particularly in multi-energy or retrofit environments.
4.2 Hydrogen Safety Assessments
Due to the distinct flammability, ignition, and permeability characteristics of hydrogen compared to natural gas, the safety engineering approach must be adapted from traditional methodologies used for non-hydrogen systems (as illustrated in Figure 1). A high-level overview of a modified safety engineering approach, tailored to the design of hydrogen technologies, processes, and facilities, is presented in Figure 2.
As with Figure 1, due to graphical constraints, the high degree of interconnectivity between the elements depicted cannot be fully represented. Similarly, the illustration does not reflect the sequence in which activities must be undertaken. The sequencing, scope, and prioritisation of tasks are determined by the Lead Safety Engineer at the outset of the project. These decisions are informed by the facility’s design, its intended operation, and the specific characteristics and risks associated with the hydrogen application.
Figure 2 – Safety Engineering (hydrogen) (developed by and property of Alpha Systems)
A comparison of Figures 1 and 2 reveals three additional safety engineering steps specific to hydrogen technologies, processes, and facilities:
1. Permeability and Material Compatibility Review
2. Ventilation Design Assessment
3. Start-up and Shutdown Hazard Review
The inclusion of these steps reflects the unique properties and risks associated with hydrogen, particularly its high diffusivity, low ignition energy, and material compatibility issues. However, the application and depth of these assessments depend on several project-specific factors, such as whether hydrogen is used or stored in enclosed spaces, the nature of operations (continuous vs batch), and the design life of the facility.
As shown in Table 1, Formal Safety Assessments (FSAs) remain the foundational tools used by safety engineers to understand hazard behaviour and verify that the required control measures are embedded in the design to achieve an acceptable level of inherent safety.
This brings us to the critical question:
Are FSAs equally applicable and effective for hydrogen facilities?
The answer is yes - but with important caveats.
While FSAs are still relevant and valuable, they cannot be directly transferred or applied using a simple "plug-and-play" approach. The chemical, thermodynamic, and reactive properties of hydrogen differ significantly from those of natural gas and other traditional fuels. These differences affect everything from release behaviour and ignition potential to dispersion and explosion risk.
The complexity increases when using consequence modelling software, most of which was not originally developed or validated for hydrogen-specific scenarios. Although many software vendors have implemented workarounds to enable hydrogen modelling, the underlying equations and assumptions are typically still geared toward hydrocarbon gases, and often fall short when applied to hydrogen.
Additionally, hydrogen is far more prone to in-pipe ignition and explosion events than natural gas - a phenomenon that cannot be accurately captured by standard consequence modelling tools. These scenarios require Computational Fluid Dynamics (CFD) software with embedded algorithms specifically developed and validated for hydrogen fire and explosion modelling.
In emerging industries such as hydrogen, where operational experience is limited and failure data is either scarce or protected under commercial confidentiality, the determination of quantitative risk values using traditional methods becomes highly constrained. Inputs typically required for probabilistic risk assessments, such as failure frequencies, consequence modelling parameters, and operational exposure rates, are often unavailable or lack the reliability needed for accurate analysis. Consequently, alternative risk evaluation approaches must be adopted to assess safety performance and inform design decisions. Notably, generic failure data sources such as OREDA or HSE databases are not suitable for hydrogen-related applications due to fundamental differences in fluid behaviour and system response characteristics.
Therefore, a robust assessment of hydrogen fuel hazards demands:
· A deep understanding of hydrogen behaviour both within and external to process equipment;
· Awareness of the limitations of traditional safety engineering tools;
· The ability to identify and apply suitable alternative methods and modelling approaches where necessary.
Only by combining domain-specific hydrogen knowledge with critical engineering judgement can safety engineers effectively manage the risks associated with this emerging fuel.
5.0 Conclusion
While the sequence of safety engineering activities for hydrogen closely mirrors that for traditional fuels, and the same Formal Safety Assessments (FSAs) remain fundamental to achieving inherent safety, traditional FSAs cannot be applied to hydrogen facilities without adaptation. Safety engineers must tailor their approach to address hydrogen’s unique properties and behaviours, which necessitates:
· Deep, domain-specific knowledge of hydrogen characteristics;
· A clear understanding of the limitations inherent in standard safety assessment tools;
· Expertise in selecting and applying appropriate alternative methodologies, including advanced modelling techniques.
In essence, the same safety engineering tools remain applicable, but different techniques must be employed. Failure to implement the necessary adaptations risks creating a false sense of safety within the plant design, potentially undermining operational integrity and compromising public safety.
6.0 References
1. Kundu, S., Zanganeh, J., & Moghtaderi, B. (2016). A Review on Understanding Explosions from Methane-Air Mixture. Journal of Loss Prevention in the Process Industries, 40. https://doi.org/10.1016/j.jlp.2016.02.004
2. Brennan, S., & Molkov, V. (2018). Pressure peaking phenomenon for indoor hydrogen releases. International Journal of Hydrogen Energy, 43(39), 18530-18541. https://doi.org/10.1016/j.ijhydene.2018.08.096