INTRODUCTION

Hydrogen fuel cells have the potential to play a key role in many industries' transition to greener, more sustainable energy. This is particularly true of the industrial and automotive sectors, with applications in machinery, cars, buses and trucks.

However, because of the properties of hydrogen, any loss of containment presents a significant safety hazard, including a high risk of immediate or delayed ignition and a subsequent explosion. Depending on the scale of the hydrogen system, this can have potentially catastrophic consequences.

Thorough risk assessment and management is therefore required, including consideration of the type of fuel cell, its ultimate use and the functional safety implications of that use.

FUEL CELL TYPES

The main function of a hydrogen fuel cell is to produce electrical energy for a system using hydrogen from an external supply and oxygen from filtered air. The resulting redox reaction provides electrical energy, with pure water as the waste product (Figure 1).

Example hydrogen fuel cell vehicles

Although they ultimately perform the same job in the same way, fuel cells can have different configurations and characteristics. For the purposes of functional safety, this is best considered at a high level by the function delivered, for example:

  • A stand-alone fuel cell without machinery directly attached; or
  • A fuel cell with machinery directly attached and housed within one system enclosure.

This distinction is important, as it impacts the relevant functional safety standard to follow, and the associated Safety Integrity Level (SIL) determination process.

INDUSTRIAL APPLICATIONS

For a stand-alone fuel cell without machinery directly attached, IEC 61508 (Ref. 1) applies; where the fuel cell powers directly attached machinery within one system enclosure, IEC 62061 (Ref. 2) and ISO 13849-1 (Ref. 3) apply.

Focusing on stand-alone fuel cells falling under IEC 61508, a checklist-based hazard identification is used. The number of identified hazards is often quite high, so a phased approach to SIL determination can be used.

The first phase uses the risk graph methodology. The risk graph method is assumed to be over-conservative for SIL determination; therefore any hazard rated as having no SIL requirement under this conservative risk graph assessment can be assumed to remain non-SIL under a less conservative approach, and can be screened out at this stage. The example risk graph calibrations in IEC 61508-5 can then be used to obtain first indications of the SIL rating.

The second phase uses a less conservative approach, such as Layers of Protection Analysis (LOPA), to assess the remaining hazards. Based on the risk graph analysis and the follow-on LOPA, SIL ratings can be determined and allocated to specific functions and equipment, leading to the identification of the Electrical/Electronic/Programmable Electronic (E/E/PE) safety-related systems.
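The two phases above, as an added worked example that is not part of the original article. The risk graph calibration is an assumed one, modelled on the shape of the IEC 61508-5 example graph rather than copied from the standard; the hazard register entries, initiating event frequencies, protection layer PFDs and tolerable frequencies are constructed. The low-demand PFD bands used to turn a LOPA gap into a SIL are those of IEC 61508-1.

```python
"""Phased SIL determination for a stand-alone fuel cell: risk-graph screen, then LOPA.

Added illustration; the risk-graph calibration below is an assumed calibration
modelled on the IEC 61508-5 example graph, not a copy of the standard.
"""
from dataclasses import dataclass

# Risk-graph path: consequence C (A..D), exposure F (A/B), avoidance P (A/B) -> row X1..X6.
# C_A always lands on row 1 regardless of F and P (assumed structure).
_ROW = {
    ("B", "A", "A"): 2, ("B", "A", "B"): 3, ("B", "B", "A"): 3, ("B", "B", "B"): 4,
    ("C", "A", "A"): 4, ("C", "A", "B"): 5, ("C", "B", "A"): 5, ("C", "B", "B"): 6,
    ("D", "A", "A"): 5, ("D", "A", "B"): 6, ("D", "B", "A"): 6, ("D", "B", "B"): 6,
}
# Row x demand rate (W3, W2, W1) -> outcome. "-" = no safety requirement,
# "a" = no special safety requirement, "b" = a single E/E/PE system is not sufficient.
_OUTCOME = {1: ("a", "-", "-"), 2: ("1", "a", "-"), 3: ("2", "1", "a"),
            4: ("3", "2", "1"), 5: ("4", "3", "2"), 6: ("b", "4", "3")}


def risk_graph(c, f, p, w):
    """Phase 1: conservative screen. Returns '-', 'a', 'b' or a SIL digit as a string."""
    row = 1 if c == "A" else _ROW[(c, f, p)]
    return _OUTCOME[row][3 - w]          # W3 -> column 0, W2 -> 1, W1 -> 2


# Low-demand PFDavg bands from IEC 61508-1: SIL n covers [10^-(n+1), 10^-n).
def sil_for_pfd(required_pfd):
    """Map the PFD a new safety function must achieve to a SIL (0 = no SIL needed)."""
    if required_pfd >= 1e-1:
        return 0
    for sil, (lo, hi) in enumerate([(1e-2, 1e-1), (1e-3, 1e-2), (1e-4, 1e-3), (1e-5, 1e-4)], start=1):
        if lo <= required_pfd < hi:
            return sil
    raise ValueError("required risk reduction exceeds SIL 4: redesign rather than add a SIF")


def lopa(initiating_freq, ipl_pfds, tolerable_freq):
    """Phase 2: mitigated event frequency after existing IPLs, and the SIL of the gap."""
    mitigated = initiating_freq
    for pfd in ipl_pfds:
        mitigated *= pfd
    required_pfd = tolerable_freq / mitigated     # >= 1 means no further protection is needed
    return mitigated, required_pfd, sil_for_pfd(required_pfd)


@dataclass
class Hazard:
    name: str
    c: str
    f: str
    p: str
    w: int
    initiating_freq: float     # events per year (constructed)
    ipl_pfds: tuple            # PFDavg of existing independent protection layers (constructed)
    tolerable_freq: float      # tolerable event frequency per year (constructed)


def phased_sil(hazards):
    """Screen every hazard with the risk graph; run LOPA only on those it did not clear."""
    results = {}
    for h in hazards:
        screen = risk_graph(h.c, h.f, h.p, h.w)
        if screen in ("-", "a"):
            # The graph is treated as at least as conservative as LOPA, so a
            # non-SIL screening result is final and LOPA is skipped.
            results[h.name] = (screen, 0)
            continue
        _, _, sil = lopa(h.initiating_freq, h.ipl_pfds, h.tolerable_freq)
        results[h.name] = (screen, sil)
    return results


# Constructed hazard register entries for a stand-alone fuel cell (illustrative only).
HAZARDS = [
    Hazard("H2 leak inside enclosure with ignition", "D", "B", "B", 2, 0.5, (0.1, 0.2), 2e-5),
    Hazard("H2 leak to atmosphere, delayed ignition", "C", "B", "A", 2, 0.1, (0.05,), 1e-4),
    Hazard("Supply overpressure, contained", "B", "A", "A", 1, 0.2, (), 1e-3),
    Hazard("Coolant pump trip", "A", "A", "A", 3, 1.0, (), 1e-2),
]

if __name__ == "__main__":
    for name, (screen, sil) in phased_sil(HAZARDS).items():
        print(f"{name}: risk graph {screen} -> {'non-SIL' if sil == 0 else f'SIL {sil}'}")
```

Two of the four constructed hazards are cleared by the risk graph and never reach LOPA; the other two show the point of the second phase, since the graph rates the enclosure leak as SIL 4 while LOPA, crediting the existing protection layers, leaves a SIL 2 gap for a new safety function.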

AUTOMOTIVE APPLICATIONS

Automotive safety uses the ISO 26262 functional safety standard (Ref. 4), which is very prescriptive regarding the risk assessment methodology.

Whereas under IEC 61508 the safety functions are determined as for industrial applications, ISO 26262 identifies hazards based on the vehicle function, with these recorded in the hazard register.

The hazard register is used in conjunction with a situation catalogue, which describes basic driving situations and their parameters for use in hazard analysis and risk assessment (for example VDE 702, Ref. 5), to determine Automotive Safety Integrity Levels (ASIL).

The criticality, and therefore the ASIL rating, of the fuel cell also depends on its application. Typical vehicle applications are:

  • Provision of electrical energy to the powertrain
  • Provision of electrical energy to auxiliary equipment
  • Provision of electrical energy to secondary power storage (e.g. a battery pack)

A fuel cell supplying power to the powertrain as its primary source can have severe consequences on failure, as the powertrain functionality then needs to be fail-operational. For example, there is a need to prevent a sudden, unexpected stop at high speed on a motorway in the event of a dangerous failure of the fuel cell, and this can justify an ASIL D rating.

A fuel cell purely feeding the auxiliary or a secondary power supply, however, might only require an ASIL A or ASIL B rating, which indicates fail-safe behaviour: in the event of a dangerous failure, a safety mechanism can be activated to enter the safe state.
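The ASIL determination described above, as an added example rather than material from the article. The assignment of ASIL from severity, exposure and controllability reproduces the ISO 26262-3 scheme (the standard's table is equivalent to summing the three class indices, with any zero class giving QM); the situation catalogue, its exposure classes and the S and C ratings of each hazardous event are constructed for a fuel cell vehicle and are not taken from any standard.

```python
"""ASIL determination from a hazard register combined with a situation catalogue.

Added illustration. The S/E/C-to-ASIL assignment follows the ISO 26262-3 scheme;
situations, exposure classes and S/C ratings are constructed, not from a standard.
"""

_RANK = ["QM", "A", "B", "C", "D"]


def asil(s, e, c):
    """Severity S0..S3, exposure E0..E4, controllability C0..C3 -> 'QM' or 'A'..'D'."""
    if not (0 <= s <= 3 and 0 <= e <= 4 and 0 <= c <= 3):
        raise ValueError("class index out of range")
    if 0 in (s, e, c):          # S0, E0 or C0 is always QM
        return "QM"
    return {10: "D", 9: "C", 8: "B", 7: "A"}.get(s + e + c, "QM")


# Situation catalogue (constructed): operating situation -> exposure class E.
SITUATION_CATALOGUE = {
    "motorway cruising": 4,
    "urban driving": 4,
    "depot manoeuvring": 2,
}

# Hazard register entries (constructed): each hazardous event is a fuel-cell function,
# the malfunction, the situation it is evaluated in, and the S and C assessed there.
HAZARD_REGISTER = [
    ("powertrain supply", "sudden loss of traction power", "motorway cruising", 3, 3),
    ("powertrain supply", "sudden loss of traction power", "urban driving", 2, 2),
    ("powertrain supply", "sudden loss of traction power", "depot manoeuvring", 1, 1),
    ("auxiliary supply", "loss of auxiliary power", "motorway cruising", 2, 2),
    ("secondary storage charging", "loss of charge to battery pack", "urban driving", 1, 2),
]


def rate_events(register, catalogue):
    """Return each hazardous event with its ASIL, looking E up in the situation catalogue."""
    return [(func, hazard, situation, asil(s, catalogue[situation], c))
            for func, hazard, situation, s, c in register]


def worst_asil_per_function(register, catalogue):
    """The safety goal for a function inherits the highest ASIL over all its situations."""
    worst = {}
    for func, _, _, a in rate_events(register, catalogue):
        if _RANK.index(a) > _RANK.index(worst.get(func, "QM")):
            worst[func] = a
    return worst


if __name__ == "__main__":
    for func, hazard, situation, a in rate_events(HAZARD_REGISTER, SITUATION_CATALOGUE):
        print(f"{func}: {hazard} during {situation} -> ASIL {a}")
    print(worst_asil_per_function(HAZARD_REGISTER, SITUATION_CATALOGUE))
```

With these constructed ratings the powertrain supply function ends at ASIL D because of the motorway situation alone, while the auxiliary and secondary storage functions end at ASIL B and ASIL A, which matches the split the article describes between fail-operational and fail-safe applications.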

IEC 61508 IN THE AUTOMOTIVE ENVIRONMENT

The ISO 26262 standard assumes that some vehicle types represent a quasi-industrial application; this is the case for Truck and Bus (T&B), trailers and semi-trailers, which are large and assumed to be produced in low quantities.

Within ISO 26262-8, Clause 16 describes how equipment developed according to other functional safety standards can be used in these quasi-industrial applications. One requirement is to justify the application of this clause by providing evidence of a development compliant with a functional safety standard.

Assuming an IEC 61508 development, an appropriate mapping of SIL to ASIL for a Hardware Fault Tolerance (HFT) of 0 and Equipment Type B is shown in Figure 2. In this case the Safe Failure Fraction (SFF) and the Single-Point Fault Metric (SPFM) are used to map between the two standards.

ASIL-SIL mapping (HFT 0 and Type B)
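An added example of the two metrics named above, computed from one hardware failure-rate breakdown; it is not a reproduction of the article's Figure 2. The failure rates are constructed. The SFF thresholds for Type B equipment at HFT 0 and the SPFM targets per ASIL are quoted as this example's author recalls them from IEC 61508-2 and ISO 26262-5, so verify them against the editions in use. The correspondence of ISO 26262 single-point and residual faults with IEC 61508 dangerous undetected failures is an assumption of the example.

```python
"""SFF (IEC 61508-2) and SPFM (ISO 26262-5) computed from one failure-rate breakdown.

Added illustration, not a reproduction of the article's Figure 2. Failure rates are
constructed; thresholds are as recalled from IEC 61508-2 (Type B, HFT 0) and ISO 26262-5.
"""
from dataclasses import dataclass


@dataclass
class FailureRates:
    """Hardware failure rates in FIT (failures per 1e9 h), constructed sample values."""
    safe: float                  # lambda_S: failures that leave the safety function intact
    dangerous_detected: float    # lambda_DD: dangerous, but revealed by diagnostics
    dangerous_undetected: float  # lambda_DU: dangerous and unrevealed

    @property
    def total(self):
        return self.safe + self.dangerous_detected + self.dangerous_undetected


def sff(r):
    """Safe failure fraction: (lambda_S + lambda_DD) / (lambda_S + lambda_DD + lambda_DU)."""
    return (r.safe + r.dangerous_detected) / r.total


def spfm(r):
    """Single-point fault metric: 1 - (lambda_SPF + lambda_RF) / lambda_total.
    Assumption: single-point and residual faults (no or insufficient safety mechanism)
    are the dangerous undetected failures of the IEC 61508 breakdown."""
    return 1 - r.dangerous_undetected / r.total


def sil_capability_type_b_hft0(sff_value):
    """Max SIL claimable on architectural constraints for Type B, HFT 0 (as recalled)."""
    if sff_value < 0.60:
        return 0     # not allowed for any SIL
    if sff_value < 0.90:
        return 1
    if sff_value < 0.99:
        return 2
    return 3


def asil_capability_spfm(spfm_value):
    """Highest ASIL whose SPFM target is met; ASIL A carries no SPFM target (as recalled)."""
    if spfm_value >= 0.99:
        return "D"
    if spfm_value >= 0.97:
        return "C"
    if spfm_value >= 0.90:
        return "B"
    return "A"


def compare(r):
    """Side-by-side view: the same hardware assessed under each standard's metric."""
    s, m = sff(r), spfm(r)
    return {"sff": s, "sil": sil_capability_type_b_hft0(s),
            "spfm": m, "asil": asil_capability_spfm(m)}


# Constructed examples for a fuel-cell shutdown path.
DESIGN_A = FailureRates(safe=400.0, dangerous_detected=550.0, dangerous_undetected=50.0)
DESIGN_B = FailureRates(safe=400.0, dangerous_detected=592.0, dangerous_undetected=8.0)

if __name__ == "__main__":
    for name, r in (("design A", DESIGN_A), ("design B", DESIGN_B)):
        print(name, compare(r))
```

Under the stated correspondence the two metrics are numerically identical, so the mapping comes down to where each standard draws its thresholds: design A, at 95 %, has SIL 2 capability but only meets the ASIL B target, since the 97 % step for ASIL C has no counterpart in the SFF table, while design B, at 99.2 %, clears the 99 % line in both standards. This is the kind of step mismatch the mapping in Figure 2 has to resolve.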

The main weakness of this approach is that industrial and automotive applications differ. An industrial environment is a protected environment, whereas in automotive use the fuel cell operates in the public domain, with the associated potential for fatalities in the event of a loss of containment and subsequent explosion. This can lead to differences between the SIL and the expected ASIL rating.

In ISO 26262 the safety functions are defined at vehicle level, and where the hydrogen system includes equipment outside the fuel cell system boundary, additional measures may be required to achieve ASIL D. Such measures at vehicle level may include hydrogen sensors throughout the driver cabin, chassis, passenger or goods compartments, as well as measures around the hydrogen storage tank. Any gaps between the ASIL rating of the equipment design and the safety function requirements therefore need to be addressed at overall vehicle level.

CONCLUSION

Where hydrogen fuel cells are expected to be used in industrial and automotive settings, it is important to recognise the different consequences, the protection measures available and, ultimately, the standards that drive the functional safety needs of the system.

Integration of non-ISO 26262 equipment into T&B applications is possible, but conclusions from a previous functional safety assessment must be used with caution, as the safety functions and SIL/ASIL ratings may differ, even where ISO 26262-8 Clause 16 is applied.

References

  1. Functional safety of electrical/electronic/programmable electronic safety-related systems, IEC 61508:2010
  2. Safety of machinery – Functional safety of safety-related control systems, IEC 62061:2021
  3. Safety of machinery – Safety-related parts of control systems, Part 1: General principles for design, ISO 13849-1:2023
  4. Road vehicles – Functional safety, ISO 26262-6:2018
  5. Low-voltage electrical installations, DIN VDE 0100-702:2012-03