Part 11: What Would Kletz Do?
Part 11: What Would Kletz Do?
Series 1, previously published on LinkedIn January 10, 2023 (minor edits)
To recap, I have been looking at the critique and reaction to the domestic hydrogen QRA report, conducted by ARUP+ on behalf of BEIS. Part 1 was an exploration of the online opposition to the report’s findings and Part 2, further examined some of the mischaracterisation that became popularised in those conversations. Parts 3 to 6 scrutinised various aspects of an online article that is critical of the ARUP+ work, ‘Is it safe to burn hydrogen in the home? Let’s look at the evidence’. This was written by Tom Baxter and published by Hydrogen Insight. I will provide links in the comments later.
This brings us to the final Part 11, which examines the fundamentals behind the position advocated in the Hydrogen Insight article. In his closing paragraphs the author pays tribute to the eminent Trevor Kletz, and into the bargain, borrows some authority by association.
When I worked for ICI Petrochemicals I was fortunate enough to meet Trevor Kletz and attend his training courses. Kletz is one of a small grouping of chemical engineers that the Institution of Chemical Engineers have labelled as having “changed the world”. His contribution to process safety is immense and he is viewed as the father of inherent safety. I use much of his teachings in my own safety lectures.
Is it safe to burn hydrogen in the home? Let’s look at the evidence’ Hydrogen Insight, Tom Baxter
Mr Baxter transcribes these commandments as if hauled off the mountain in tablet form by Trevor Kletz, offering no other commentary besides saying of the stated principles, ‘none of them sit well with domestic hydrogen’.
Well you be the judge of that. I agree these principles are relevant but I'm no fundamentalist so hopefully we can do better than simply recite scripture in lieu of a decent argument. With all due reverence let’s look at what they actually tell us.
Intensification: Use small amounts of hazardous materials so the consequences of accidents arising from the escape of materials are much reduced.
Trevor Kletz, as cited in ‘Is it safe to burn hydrogen in the home? Let’s look at the evidence’ Hydrogen Insight, Tom Baxter
In other words limit the inventory of hazardous materials to what is necessary. We can say that the inventory of gas in a domestic situation is the total volume held in the system downstream of the Emergency Control Valve (ECV) and the combustion isolations/control interfaces. This is a fixed volume of unburnt gas, except in the case of leakage, where the inventory inside the building is increased without corresponding controlled combustion.
The proposed Excess Flow Valves (EFV) are intended to limit the size of leaks, by shutting down the supply, in the event that a leak exceeds 20 M3/hr. I discuss this further in my own review of the ARUP+ report, which will be published over several weeks as paid content.
Substitution: Use a less hazardous material – less flammable or less toxic.
Trevor Kletz, as cited in ‘Is it safe to burn hydrogen in the home? Let’s look at the evidence’ Hydrogen Insight, Tom Baxter
Hydrogen has a wider flammable range than natural gas but as with any fuel, safety depends upon the ability to control combustion and containment, noting that a non-flammable material would not normally be a fuel. Recognising this means that the trade-off between other types of hazards becomes clearer.
As previously shown in Part 3, hydrogen is less toxic than methane, has fewer mechanisms for NOx formation, does not produce N2O or carbon compounds. Carbon in the atmosphere is also generally recognised as a climate hazard, so it seems reasonable to conclude that Mr Kletz would now see decarbonised fuels as a hazard-mitigating substitution. Because it is a combustible fuel by definition it must be flammable.
Attenuation: If a hazardous material must be used, use it a) under less hazardous conditions or b) in the least hazardous form.
Trevor Kletz, as cited in ‘Is it safe to burn hydrogen in the home? Let’s look at the evidence’ Hydrogen Insight, Tom Baxter
So firstly, let’s establish the pre-condition that for gas heating, the gas must be flammable (i.e. a hazardous material). Now we can apply the criteria set out in a) and b) to determine the comparative merits of natural gas and hydrogen:
a) less hazardous conditions are achieved by mitigations in the operational environment including containment, ventilation, control measures and the optimisation of process parameters (air/fuel mix, pressure and combustion residency). This is generally true of any fuel, even though the methodologies to employed to meet those objectives, must be fuel-specific. To minimise hazardous conditions for hydrogen, ARUP+ had to identify additional mitigations to those provided for natural gas, and it would be a greater cause for concern if they hadn’t. No two risk assessments should be the same and if no differential risks were found it would amount to a failure of process.
b) hydrogen is the least hazardous form of gas in terms of not being toxic, producing no carbon monoxide due to having zero carbon content, plus it has several routes to mitigate combustion NOx. Hydrogen is therefore less hazardous from a toxicity standpoint. It should be noted that consideration of poisonous by-products, was deemed to be out of scope for the ARUP+ QRA, which is therefore a boundary decision that favours natural gas in the assessment. The toxicity of carbon monoxide is nevertheless relevant to Trevor Kletz’s ‘attenuation’ principle.
Combustible fuel gives up energy by virtue of its flammability, and to harness that energy, burning must be conducted under controlled conditions. The safety of any fuel is therefore a function of the methods employed in its handling and use, which refers us back to the criterion a) i.e., in instances where the material ‘must be used’.
Trevor Kletz would surely not be an advocate for non-flammable gas-fuel, no more than he would support non-cutting knives or, impact-safe marzipan golf clubs.
Limitation of effects: Limit the effects of failures by changing the design or conditions of use rather than by adding protective equipment that may fail or be neglected.
As cited in ‘Is it safe to burn hydrogen in the home? Let’s look at the evidence’ Hydrogen Insight, Tom Baxter
So adding an Excess Flow Valve (EFV) would be to ‘limit the effects of failures’ (e.g. leaks) by ‘changing the design’ of the system. In the event of gas flow in excess of 20M3/hr (indicative of a large leak), the supply would isolated without human intervention. You may wonder if adding this mechanism would fail the Kletz criterion of ‘not adding protective equipment that may fail or be neglected’. I cover this in my own review of the QRA but I will make a brief diversion here.
Failures: Rates and Modes
There are two things to consider, failure rate and failure modes. The failure rate of an EFV, inspected at 10 year intervals, is given as 0.13/year. With two EFVs (one integral to the meter and one downstream of it) the chance that both will fail is 0.0169/year. I return to this later.
Lets assume there are three failure modes, fails-to-open, fails-to-close and seat-failure.
If either EFV fails-to-open (is jammed closed) there will be no gas supply which means it has failed safe.
If either EFV fails-to-close (is jammed open) in a leakage event the other EFV will close with high probability.
If there EFV has a seat-failure (fails to fully close) in a leakage event the other EFV will close.
In the event that both valves have their seating compromised, the flow will still be significantly restricted, bringing the leakage within the capacity of the ventilation with high probability.
On the benefits redundancy would provide, ARUP+ report modestly states:
The use of two EFVs is considered as it increases the overall reliability. The combination of a conventional physical EFV, in addition to a specifically designed gas meter, containing the instrumented valve, will result in a system with a higher reliability than one relying on a single device.
They go on to say:
The two valves are assumed to not any have common cause failures, as they are different types of valve and would operate independently of each other.
I think it is useful to clearly distinguish between ‘common failures’ and ‘common-cause failures’. The diversification of valve design is good practice from a failure rate point of view because it prevents the stacking of common vulnerabilities in design or, common failures. Using the given empirically-derived reliability figures, I previously mentioned how unlikely two valve failures would be (0.0169/year).
It is important to recognise that this complex-mode failure rate is not predicated on ‘simultaneous’ failure (which is extremely improbable) but simply that the failure of the first valve is not detected before the failure of the second. Of course as soon as the first valve failed the failure rate of EFV functionality at system level would be reduced to 0.13/year.
Simultaneous failure would imply common-cause, but because the EFVs would operate independently and in different locations, their failures could not be causally linked. This means that double-failure would only result from extremely improbable coincidence.
This surely fits in with the intent that Trevor Kletz had in mind by provisions in design that did not involve more protective equipment or human intervention. ‘Limitation of effects’, is obviously intended to remove the need to physically intervene to isolate a system or to don PPE (Personal Protective Equipment), wherever possible.
On my read of the QRA I see no prescription for BA (Breathing Apparatus) sets in the kitchen.
Tom Baxter muses in his article:
I wonder what Trevor would have thought about household hydrogen using excess flow valves to mitigate the risk of fire and explosion?
I imagine Trevor Kletz would have realised that the excess flow valves are not being used to directly mitigate fire and explosion. Their purpose is to reduce the probability of creating a flammable atmosphere by shutting off the supply in the event of a large leak i.e., one that would cause gas accumulation at a rate that overwhelms the passive ventilation. A flammable environment is one that can allow ignition to evolve, through a chain of probabilistic events, including the introduction of an ignition source or temperature elevation by other means.
Tom Baxter’s take is somewhat different, and ventriloquising the answer to his own question, he finishes with:
I think he might have said: “Don’t be silly.”
Yes, quite possibly, but perhaps not for the reasons Mr Baxter thinks.