
Risk Assessment of an Off-Site Hydrogen Refueling Station: A Hybrid IEC 61511-CCPS LOPA Framework

by Yonggyu Kim 1, Shintak Han 2, Heewon Song 3 and Seungho Jung 1,*
1 Department of Environmental Engineering, Ajou University, Suwon 16499, Republic of Korea
2 Department of Safety Engineering, Incheon National University, Incheon 22012, Republic of Korea
3 Department of Chemical Engineering, Chungbuk National University, Cheongju 28644, Republic of Korea
* Author to whom correspondence should be addressed.
Energies 2025, 18(23), 6242; https://doi.org/10.3390/en18236242
Submission received: 10 October 2025 / Revised: 16 November 2025 / Accepted: 24 November 2025 / Published: 27 November 2025
(This article belongs to the Special Issue Safety of Hydrogen Energy: Technologies and Applications)

Abstract

Off-site hydrogen refueling stations (HRS) handle large volumes of high-pressure hydrogen, requiring precise and systematic risk-reduction strategies. In this study, a Hazard and Operability (HAZOP) analysis was performed for an off-site HRS, and Layer of Protection Analysis (LOPA) was conducted for four risk-level-4 events using two different approaches. The Functional Safety only LOPA, based on IEC 61511, and the All Safeguards LOPA, developed according to the Center for Chemical Process Safety (CCPS) guideline, were both applied. The Functional Safety only approach, which considers only automated protection layers, required Safety Integrity Level (SIL) ratings of 1 and 2, whereas the All Safeguards approach, accounting for mechanical and procedural protection layers, achieved the Target Mitigated Event Likelihood (TMEL) in all scenarios without additional SIL requirements. Consequently, it was confirmed that the definition of protection layer scope significantly influences the required SIL, design cost, and system complexity. This study proposes a hybrid approach in which all safeguards are considered during the early design stage, while in the final design stage, protection measures are evaluated from a functional safety perspective in accordance with IEC 61511 to ensure both design efficiency and safety integrity.

1. Introduction

Hydrogen energy has emerged as an important clean energy source worldwide and is recognized as an essential energy carrier for achieving a carbon-neutral society. Ensuring the safety and reliability of hydrogen infrastructure has thus become an urgent prerequisite for sustainable deployment. The global stock of hydrogen fuel cell vehicles has exceeded 90,000 units, with Korea, Japan, and the United States leading deployment. Although the overall growth of passenger FCEVs has recently slowed, global automakers such as Honda have introduced new fuel cell models, while commercial segments including fuel cell trucks and buses continue to expand steadily. In particular, the stock of fuel cell trucks increased by over 50% in 2023, indicating a gradual but continuous diversification of hydrogen mobility. Accordingly, the deployment of hydrogen fuel cell vehicles is progressing worldwide, and the need to install hydrogen refueling stations (HRS), the core infrastructure for their safe and efficient operation, is continuously increasing [1]. As HRS become more widespread, ensuring the safety and reliability of the refueling system, including functional safety, has become a critical requirement [2].
HRS can be categorized into on-site and off-site types [3]. The on-site type produces hydrogen directly at the site for immediate use in refueling, whereas the off-site type receives compressed hydrogen gas from external hydrogen production facilities via tube trailers or pipelines. In an off-site HRS, hydrogen production, storage, and refueling systems are physically separated; the station operates by receiving hydrogen from tube trailers or long-distance pipelines outside the business premises. This configuration inherently introduces unique hazards such as third-party exposure risks during tube trailer transport or long-distance piping installation. In addition, since tube trailers typically store hydrogen at pressures exceeding 200 bar, accidental hydrogen leakage could result in higher fire and explosion risks compared with on-site HRS.
Hydrogen has a low molecular weight, disperses rapidly, and burns quickly over a wide range of flammable mixtures. These characteristics make the behavior of hydrogen different from that of other conventional fuels. When hydrogen is released outdoors, it tends to disperse quickly. However, in confined or congested spaces, hydrogen can ignite easily due to its wide flammability range and low ignition energy. In off-site HRSs, the presence of a large inventory of high-pressure hydrogen further increases the potential consequences of equipment failure. These hydrogen-specific properties highlight the need for a risk-assessment framework that considers both functional safety requirements and practical mechanical safeguards. This supports the relevance of the hybrid LOPA approach presented in this study.
The international standard ISO 19880-1 recommends performing a risk assessment for HRS and specifies that, if the facility’s risk level does not meet the acceptance criteria, the control and safety systems should be assigned a Safety Integrity Level from a functional safety perspective, following the international standards IEC 61508 and IEC 61511 [4,5,6,7]. On the other hand, the Center for Chemical Process Safety (CCPS) guideline for Layer of Protection Analysis (LOPA) provides a more practical framework by recognizing not only functional protection layers but also mechanical and procedural safeguards, such as pressure safety valves, blast walls, and operational measures, as Independent Protection Layers (IPL) [8].
Most previous studies have either focused on quantitative risk assessments analyzing the consequences of hydrogen release incidents at HRS or conducted functional safety centered analyses based solely on IEC standards [9,10,11,12,13,14,15]. However, quantitative comparative studies integrating all types of safeguards including both functional and non-functional layers are still limited. In particular, off-site HRS, which handle large quantities of high pressure hydrogen, possess distinctive risks; thus, comprehensive risk assessment approaches that combine multiple standards are essential to establish practical and effective protection strategies.
In this study, a Hazard and Operability (HAZOP) analysis was conducted for an off-site HRS, followed by two types of LOPA, one considering only functional safety layers, such as the Basic Process Control System (BPCS) and Safety Instrumented System (SIS), and another integrating all safeguard layers. The Safety Integrity Level (SIL) requirements and risk reduction effects obtained from the two approaches were quantitatively compared and analyzed. Furthermore, the influence of protection layer configurations on the design, operation, and maintenance stages was evaluated to propose a more practical and effective risk reduction strategy.

2. System and Applicable Standards

2.1. Overview of the Assessed System

The target system of this study is an off-site HRS that receives hydrogen supplied from an external hydrogen production facility, compresses it, and dispenses it to hydrogen fuel vehicles. The overall configuration of the system can be divided into three main sections: the supply section, the compression and storage section, and the dispenser section. The principal characteristics of each section are summarized in Table 1 [16,17,18].
Hydrogen is supplied to the system from a high-pressure tube trailer; it passes through a filter and a flow/pressure control unit and enters the system via the connecting hose. In the supply section, an air operated valve is installed to isolate the flow under abnormal conditions, while a check valve prevents backflow. A pressure safety valve is also installed to protect the system from overpressure. The Pressure Safety Valve (PSV) is a typical mechanical safeguard, whereas the Air Operated Valve (AOV) and the logic-based control loop that drives it belong to the functional safety domain. The supply line pressure and flow are monitored and controlled by a pressure transmitter and a flow transmitter, respectively, and multiple gas detectors are installed throughout the system to detect hydrogen leakage.
In the compression and storage section, hydrogen is compressed and stored in three stages—low pressure, medium pressure, and high pressure—to achieve the final dispensing pressure of approximately 85 MPa gauge. The system configuration was determined by referencing a typical HRS layout, and each section was designed to include PSVs and related instrumentation. However, the internal components of the compressor were excluded from the analysis because they are within the proprietary design and manufacturing scope of the compressor supplier; therefore, they were considered out of scope for this study.
The dispenser section is designed to refuel hydrogen vehicles using either a cascade or direct filling method [20]. Hydrogen passes through a heat exchanger and various flow, temperature, and pressure control devices before being delivered to the vehicle’s system. The dispenser is assumed to comply with the SAE J2601 [21] refueling protocol and integrates several control elements such as temperature transmitters and pressure transmitters.
Ancillary components, such as isolation valves for maintenance and utility systems that are not directly related to the main process, were excluded from this study. The simplified process flow diagram representing only the primary hydrogen handling sections of the system is shown in Figure 1.

2.2. Applicable Standards

The international standard governing the safety of hydrogen refueling stations, ISO 19880-1, specifies that the results of a HAZOP study must be included as one of the mandatory technical documents for HRS design and operation. The standard also requires that the HAZOP be conducted in accordance with related methodologies. Furthermore, when functional safety is required, ISO 19880-1 recommends consideration of the SIL, which should be determined in accordance with the international standards for functional safety IEC 61508 and IEC 61511 series [4,6,7].
As illustrated in Figure 2, IEC 61508 applies primarily to manufacturers and equipment suppliers responsible for the design and development of safety related systems, whereas IEC 61511 is intended for designers, integrators, and end users of instrumentation and control systems in process industries. Accordingly, IEC 61511 was adopted as the applicable functional safety standard in this study.
Based on the HAZOP analysis results conducted in accordance with IEC 61882 [22], two LOPA approaches were performed in this study, the Functional Safety only approach following IEC 61511, and the All Safeguards approach incorporating the broader scope defined by the CCPS guideline. The Functional Safety only approach considers only the automated protection layers, namely the BPCS and the SIS, excluding mechanical or procedural safeguards. In contrast, the All Safeguards approach adopts a process safety-oriented perspective, integrating all practical means of risk reduction, including mechanical and procedural safeguards, thereby enabling a more realistic and flexible design strategy.
A comparative analysis of the two approaches was conducted to evaluate the differences in required SIL and risk reduction performance for identical accident scenarios.

2.2.1. Functional Safety Only–Based LOPA

IEC 61511 is an international standard established to ensure the functional safety of electrical, electronic, and programmable electronic systems. It defines the SIL of a SIS that enables a process system to perform its required safety functions.
The Functional Safety Only LOPA quantifies scenario-based risks focusing on the BPCS and SIS. The required SIL is determined using the average Probability of Failure on Demand (PFDavg) and the Risk Reduction Factor (RRF) associated with each protection layer. Unlike other semi-quantitative methods, this approach does not consider environmental or conditional factors such as ignition probability or occupancy; it evaluates risk solely on the basis of the failure probabilities of the protection layers. In practice, not every hydrogen release results in a fire or explosion. The Functional Safety Only LOPA, however, conservatively assumes that the consequence occurs and evaluates the integrity of the SIS only in terms of the likelihood of protection layer failure.
This conservative assumption is consistent with the safety assurance philosophy defined by the IEC standards, which aim to guarantee at least the minimum required level of safety integrity.

2.2.2. All Safeguards–Based LOPA

The All Safeguards-based LOPA is a semi-quantitative risk assessment methodology proposed by the CCPS. Unlike the Functional Safety Only–based approach, which focuses primarily on instrumentation and control systems, this method encompasses all IPLs, including mechanical safeguards such as PSVs, detection and ventilation systems, and procedural protection measures. The LOPA methodology presented by CCPS focuses less on functional safety verification and more on risk management and decision-making support. Specifically, the All Safeguards–based LOPA quantifies the effectiveness of the IPLs identified through HAZOP studies and compares the resulting risk with the facility’s tolerable risk level, often defined under the As Low As Reasonably Practicable (ALARP) principle. The objective is to determine whether additional protection measures are required to achieve acceptable risk.
While the Functional Safety Only LOPA based on IEC 61511 focuses on maintaining the integrity of the SIS, the All Safeguards–based LOPA emphasizes risk acceptance and managerial decision making from a practical process safety perspective. To reflect realistic operating and environmental conditions, the All Safeguards approach introduces enabling conditions and conditional modifiers, both formally defined and guided by the CCPS LOPA guideline [8].
According to the CCPS, an enabling condition represents the operational or physical state required for an initiating event (IE) to occur, whereas a conditional modifier denotes a probabilistic adjustment factor that influences the likelihood of the final consequence even after the initiating event has taken place [23,24]. Applying these factors during LOPA allows for more realistic correction of event frequencies by accounting for the actual likelihood of accident progression under specific operating conditions.
Both approaches aim to reduce the overall facility risk to a tolerable level. However, the Functional Safety Only LOPA prioritizes system integrity assurance of the SIS, while the All Safeguards LOPA focuses on comprehensive and practical risk-reduction activities across all protection layers. Therefore, by quantitatively comparing the two approaches, it is possible to develop an effective strategy for optimizing SIL determination and enhancing risk reduction in the design and operation of off-site HRS.

3. Risk Assessment Methodology

This section describes the procedures used to perform the HAZOP and LOPA for the off-site HRS, applying the two approaches defined in Section 2 to the case study, and explains how the implementation of the Functional Safety Only–based LOPA differs from that of the All Safeguards–based LOPA.

3.1. HAZOP Procedure

The HAZOP study is a qualitative risk assessment technique used to identify potential hazards and operability problems within a process. It is particularly effective in identifying previously unrecognized risks and is therefore suitable for new technology development or demonstration projects [25,26].
In a HAZOP, deviations from the intended design conditions are systematically examined for each node to identify their causes and consequences, and to evaluate the adequacy of existing safeguards. A node represents a section of the process that shares the same design intent and is defined to improve the efficiency and consistency of the analysis.
For the HRS, the HAZOP is typically divided into several nodes, such as the hydrogen supply section from tube trailer, the compression and storage sections classified by pressure level, and the dispenser section, where hydrogen is transferred to vehicles. However, in this study, the entire HRS system was treated as a single node, as the primary objective was to compare and analyze the methodologies of Functional Safety Only–based LOPA and All Safeguards–based LOPA. The internal structure and risks associated with the compressor were excluded from the scope of this study because they fall under the manufacturer’s proprietary design and analysis domain. This exclusion also simplified the LOPA process without compromising analytical validity. Nevertheless, although the compressor internals were excluded from the detailed scope due to proprietary design limitations, compressor-related deviations such as underrun, overrun, valve closure during high-pressure operation, and system overpressure were considered in the HAZOP analysis. The potential consequences of pressure buildup or equipment damage were also evaluated, and safeguards such as pressure transmitters within the compressor package were qualitatively taken into account. Therefore, compressor-related hazards were conceptually incorporated into the HAZOP to ensure comprehensive coverage of system-level risks.
Accordingly, the HAZOP in this study was conducted to provide the necessary input data for the LOPA stage, specifically for distinguishing between safeguards related to functional safety and non-functional safety safeguards. The HAZOP aimed to identify potential impact events and their corresponding initiating causes, serving as the foundational step for the subsequent LOPA evaluation.

3.2. LOPA Procedure

The LOPA is a methodology used to evaluate the effectiveness of IPLs that reduce the frequency or severity of undesired incidents [27]. LOPA defines accident risk as a function of event frequency and consequence magnitude and is typically applied to high-risk scenarios for which qualitative judgment alone is insufficient to determine risk acceptability. It provides a structured framework for assessing the quantitative value of each protection layer within a given accident scenario [28].
For a scenario in which an IE develops into a specific consequence, the credited IPLs and their reliability, expressed as PFD, are quantitatively evaluated to estimate the final event frequency [29,30,31]. When this calculated frequency exceeds the tolerable frequency, an appropriate SIL is assigned to the Safety Instrumented Function (SIF). Thus, LOPA serves as a semi-quantitative risk assessment method bridging qualitative hazard identification and fully quantitative risk analysis [32]. An IPL is defined as a safeguard capable of preventing the progression of an initiating event to an undesired consequence, independently of any other protection layer. In this study, IPLs were classified into two categories:
  • Functional safety safeguards, consisting of automated protection layers such as the BPCS and SIS;
  • Non-functional safety safeguards, encompassing mechanical protection devices, detection and ventilation systems, and procedural or operator response measures.
Figure 3 illustrates the hierarchical structure of IPLs. In the Functional Safety Only approach, only the automated layers related to control and instrumentation were considered. In contrast, the All Safeguards approach considered all hierarchical protection layers, forming a more integrated and comprehensive protective system.
Based on the potential accident hazards identified through the HAZOP study, major accident scenarios were selected, and the corresponding IEs and their frequencies were determined. Each identified scenario was then evaluated using both the Functional Safety only–based LOPA and the All Safeguards–based LOPA approaches [33].
For each accident scenario, the relevant IPLs were defined, and PFD values were used to calculate the resulting risk level. In the Functional Safety Only approach, only the automated protection layers composed of the BPCS and SIS were considered. Conversely, in the All Safeguards approach, all available protection layers including mechanical, detection, and procedural safeguards were incorporated to reflect their total risk reduction effect. When the calculated final event frequency exceeded the tolerable frequency, the implementation of a SIF was required, and its target SIL was determined accordingly.
In summary, the Functional Safety Only approach aimed to ensure the integrity of the SIS from a functional safety perspective, whereas the All Safeguards approach accounted for the combined effectiveness of all protection layers, leading to a correspondingly adjusted SIL requirement. Table 2 summarizes the features of the Functional Safety Only and All Safeguards LOPA approaches.

3.3. Hybrid Approach Framework

The results of this study indicate that each LOPA approach, Functional Safety Only and All Safeguards, offers distinct advantages depending on the design maturity and operational objectives. To establish a systematic integration between the two methods, a hybrid LOPA framework is proposed, as illustrated in Figure 4.
(1)
Design Stage Classification
The hybrid framework classifies the design process of HRSs into two primary stages. The early design stage corresponds to the conceptual design and layout definition phases, during which mechanical, detection, and procedural safeguards can be flexibly configured. The final design stage refers to the detailed design phase, in which automation and control systems (BPCS and SIS) are finalized and subject to SIL verification according to IEC 61511.
(2)
Application Flow of LOPA Methods
During the early design stage, the All Safeguards-based LOPA is applied to identify all potential protection layers and to evaluate their combined effectiveness under practical constraints such as space, budget, and maintenance requirements. In the final design stage, the Functional Safety Only LOPA is performed to verify the integrity and reliability of the SIFs and to assign SIL consistent with IEC 61511.
(3)
Transition Criteria
The transition from the All Safeguards-based to the Functional Safety Only approach occurs once the independent protection layers have been clearly defined and the SIS architecture has been specified. The selection criteria for this transition include:
  • completion of the basic engineering design;
  • finalization of safeguard implementation boundaries; and
  • readiness for SIL verification and documentation.
(4)
Quantitative Basis for Hybrid Transition
To strengthen the analytical rigor of the hybrid framework, this study introduces quantitative indicators that support the transition from the All Safeguards-based approach to the Functional Safety Only approach. These indicators include:
  • confirmation of the IPL boundaries based on finalized design documentation;
  • preliminary screening of accident scenarios using the TMEL established during the early design stage; and
  • identification of candidate SIFs together with their preliminary PFD targets.
These quantitative elements provide an objective basis for determining when functional safety verification according to IEC 61511 should begin and ensure that both risk-based design considerations and functional safety requirements are consistently aligned across design stages.
(5)
Advantages of the Hybrid Approach
The proposed hybrid framework combines the practicality of the All Safeguards method during conceptual design with the rigor of the Functional Safety based verification during detailed design. This integration provides several advantages, such as:
  • consistent safety assurance throughout the HRS lifecycle;
  • avoidance of redundant or overly conservative SIL assignments;
  • improved cost-effectiveness and maintainability; and
  • a transparent linkage between risk-based design and functional safety compliance.
In summary, the hybrid approach provides a stepwise methodology that aligns engineering practicality with regulatory compliance, making it particularly suitable for complex hydrogen infrastructures that evolve from flexible early design stages to highly controlled operational environments.

4. Risk Assessment Results

This section presents the results of the HAZOP and LOPA conducted for the off-site HRS, in accordance with the risk assessment methodology defined in the previous sections.

4.1. HAZOP Results

The HAZOP study was conducted to systematically identify the major hazards associated with the off-site HRS and to derive the list of IEs and safeguards required for the subsequent LOPA.
Table 3 and Table 4 present the criteria used to determine the likelihood levels and severity levels, respectively. The severity levels were established by comprehensively considering aspects of safety, economic impact, and operational continuity, based on HRS operating history, historical accident frequency data, and expert judgment from the HAZOP team [7,34,35,36,37,38].
Table 5 shows the risk matrix developed by combining the likelihood and severity classifications, which was used to determine the final risk level for each identified accident scenario. The acceptability of each calculated risk level was evaluated according to the risk acceptance criteria summarized in Table 6 [39].
Safeguards were identified through a series of HAZOP workshops conducted by multiple process safety experts. During these workshops, the team directly derived the safeguard items required for LOPA, referencing the international standards ISO 19880-1 and IEC 61882. The identification was based on the actual piping and instrumentation diagram (P&ID) of the off-site hydrogen refueling station, ensuring that only existing and functionally verifiable protection measures were considered. The derived safeguards include (1) functional-safety-related protection layers, such as the BPCS and SIS, and (2) non-functional protection layers, such as mechanical devices (e.g., PSV), detection systems, and procedural or operator actions. As a result of the HAZOP analysis, a total of 19 IEs and 23 associated consequences were identified. Table 7 summarizes the representative scenarios with a risk level of 4 that were used as the basis for the subsequent LOPA. These include hydrogen release events caused by unintended valve openings or heat exchanger failures, which may subsequently lead to large-scale fire and explosion incidents. The complete HAZOP results are provided in Appendix A for reference.
The recommendations derived during the HAZOP study were omitted from this paper, as they are not directly related to the purpose of this study, namely the identification of the impact events and initiating causes required for the subsequent LOPA.
Scenario No. 1 in Table 7 represents a case in which the pressure control valve (PCV) inside the dispenser malfunctions and becomes excessively open. In this situation, an excessive amount of hydrogen beyond the allowable limit defined in the refueling protocol may flow into the vehicles’ system through the dispenser hose. This could result in an increase in pressure and temperature exceeding the design conditions of the compressed hydrogen storage system (CHSS) inside the vehicles, potentially causing mechanical damage. Consequently, a large quantity of hydrogen could be released into the atmosphere, leading to a large-scale fire and explosion event.
To mitigate this hazard, pressure transmitters and temperature transmitters are installed downstream of the PCV. When the measured pressure or temperature exceeds the design limit, an interlock logic is configured to immediately shut down the refueling system.
Scenario No. 2 corresponds to a “Reverse flow” deviation. During the hydrogen charging process at high pressure, if the isolation valve separating the high pressure (HP) and medium pressure (MP) sides fails and remains open, high-pressure hydrogen may flow backward into the MP side, resulting in system damage. In this case, damage to the MP bank could cause a substantial hydrogen release from the MP vessel, potentially leading to a large-scale fire and explosion. To prevent this, two check valves are installed in series to provide backflow protection.
Scenarios No. 3 and No. 4 are related to “Temperature” deviations. These events may occur if colder or hotter chiller fluid flows into the heat exchanger inside the dispenser, potentially damaging the CHSS of the vehicles. A damaged CHSS could release a large amount of hydrogen into the atmosphere, resulting in a fire or explosion. Therefore, temperature transmitters are used as safeguards, triggering an immediate system shutdown when abnormal temperature conditions are detected.
The IEs and safeguard information derived from this HAZOP study were used as baseline data for the subsequent LOPA. These data served as the foundation for comparing the risk reduction performance and required SIL between the Functional Safety Only and All Safeguards approaches.

4.2. LOPA Results

In this study, the differences in evaluation outcomes between the Functional Safety Only–based LOPA and the All Safeguards–based LOPA were examined. LOPA is not applied to all hazards identified during the HAZOP study but is selectively performed for scenarios with high severity or complex consequence pathways, where qualitative judgment alone is insufficient to determine tolerable risk. Accordingly, in this study, only risk level 4 scenarios were selected for quantitative LOPA assessment, representing realistic high-severity events requiring additional risk reduction evaluation [8,25]. The analysis focused on identifying the differences between the two approaches in terms of the required SIL, the feasibility of design alternatives, and the configuration strategy of protection layers.
Table 8 and Table 9 present the initiating event frequency data and the Target Mitigated Event Likelihood (TMEL) criteria used in this LOPA. Table 10 provides the PFD data for each IPL.
The initiating event frequencies and TMEL values used in this analysis were taken from the CCPS Guidelines for LOPA. The PFD values for the IPLs were derived from the reliability data in IEC 61511-3, which presents representative average failure probabilities for safety instrumented and mechanical protection systems. These sources were selected to ensure consistency with international risk assessment practice and to enhance the repeatability of the analysis results [7,30].
In the case of the evaluated HRS, only the BPCS was implemented, and no SIS was installed. Therefore, under the Functional Safety only approach, the assessment primarily focused on ensuring the integrity of the automated control layer composed of the BPCS.
Based on the required SIL results derived from Table 11, this study proposes implementing a SIS and assigning the corresponding SIL. In contrast, the All Safeguards approach incorporated all available safeguards (mechanical, detection, and procedural), allowing a comprehensive evaluation of the overall risk reduction effect.
As shown in Table 12, the LOPA evaluation results for the first scenario, the High Flow event, are presented. The IEF for this scenario was set to 0.1. Under the All Safeguards–based approach, the BPCS, alarms and operator actions, and the PSV were considered as IPLs. In this case, the intermediate event likelihood was calculated to be 2 × 10−7, which is lower than the TMEL of 1 × 10−4. The PFD of the SIF was calculated as 500. Therefore, when the operator’s procedural response following alarm activation and the conditional modifiers are comprehensively considered, no SIL requirement was identified. However, under the Functional Safety Only approach, in which only the BPCS is considered, the intermediate event likelihood is 1 × 10−2, exceeding the TMEL of 1 × 10−4. In this case, the required SIF PFD is 0.01, indicating that an additional SIS with SIL 1 performance must be implemented to achieve the necessary risk reduction.
Table 13 presents the LOPA evaluation results for the second scenario, the Reverse Flow event. For this scenario, the TMEL was set to 1 × 10−5. Under the All Safeguards–based approach, the intermediate event likelihood was calculated as 1 × 10−8, and the PFD of the SIF was 1000, indicating that no SIL requirement was necessary. However, under the Functional Safety Only approach, the intermediate event likelihood was 1 × 10−2, and the SIF PFD was 0.001, requiring the implementation of a SIS with SIL 2 performance to achieve the required level of risk reduction.
Similarly, the Low Temperature and High Temperature events presented in Table 14 and Table 15 showed consistent trends. Under the All Safeguards–based approach, the SIF exhibited a PFD of 5, indicating that no SIL requirement was necessary. However, under the Functional Safety Only approach, the calculated SIF PFD was 0.01, confirming that a SIS with SIL 1 performance would be required to achieve the target risk reduction.
In summary, the All Safeguards–based approach reflects the combined effects of all protection layers including mechanical and procedural measures resulting in no SIL requirements for the analyzed scenarios. In contrast, the Functional Safety Only approach considers only the automated protection layers which consequently leads to higher SIL requirements. This clearly demonstrates how the scope of protection layer consideration directly influences the outcome of the LOPA.
When LOPA is performed based solely on the Functional Safety Only approach, the resulting SIL 1–2 requirements demand high reliability instrumentation and complex control logic architectures such as 1oo2 configurations, which can significantly increase both design and capital investment costs. Conversely, the All Safeguards–based LOPA allows the inclusion of physically implemented protection layers and manual response measures, enabling more flexible and cost-effective design alternatives for equivalent risk scenarios.
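As an added worked example (not code from the paper), the following Python reproduces the Table 12 and Table 13 arithmetic under both approaches of Table 2 and maps the resulting SIF PFD onto the Table 11 SIL bands. The layer set used for the Low/High Temperature case is an assumption (Table 12 without the PSV credit, i.e. TT-001/TT-002 protection only) chosen because it reproduces the SIF PFD of 5 quoted for Tables 14 and 15.

```python
"""Worked LOPA arithmetic for the risk-level-4 HRS scenarios of Tables 12-15.

Intermediate event likelihood = IEF x PFD of each credited IPL x each
conditional modifier (CM). It is compared with the TMEL; the ratio
TMEL / intermediate is the PFD a new SIF would need (values above 1 mean the
TMEL is already met) and is mapped onto the IEC 61511 SIL bands of Table 11.
Exact fractions are used so band boundaries such as 0.01 compare exactly.
"""
from fractions import Fraction as F
from typing import Dict

# Table 11 (IEC 61511): SIL bands as [lower, upper) intervals of PFDavg.
SIL_BANDS = (
    (4, F(1, 10**5), F(1, 10**4)),
    (3, F(1, 10**4), F(1, 10**3)),
    (2, F(1, 10**3), F(1, 10**2)),
    (1, F(1, 10**2), F(1, 10**1)),
)

# Layer credits as used in Tables 12 and 13 (two check valves in series are
# credited together as 0.01) and the conditional modifiers of Table 12.
PFD = {
    "BPCS": F(1, 10),
    "Alarm and operator action": F(1, 10),
    "PSV": F(1, 100),
    "Check valves in series": F(1, 100),
}
CM = {"Occupancy factor": F(2, 10), "Probability of ignition": F(1, 10)}

# Scenario inputs as tabulated in the paper. The Low/High Temperature layer
# set is an ASSUMPTION: Table 12 without the PSV, which reproduces the
# SIF PFD of 5 quoted for Tables 14 and 15.
SCENARIOS = {
    "High Flow (Table 12)": dict(
        ief=F(1, 10), tmel=F(1, 10**4), cms=CM,
        ipls={k: PFD[k] for k in ("BPCS", "Alarm and operator action", "PSV")}),
    "Reverse Flow (Table 13)": dict(
        ief=F(1, 10), tmel=F(1, 10**5),
        cms={"Probability of ignition": CM["Probability of ignition"]},
        ipls={k: PFD[k] for k in ("BPCS", "Alarm and operator action",
                                  "Check valves in series", "PSV")}),
    "Low/High Temperature (Tables 14/15, assumed layers)": dict(
        ief=F(1, 10), tmel=F(1, 10**4), cms=CM,
        ipls={k: PFD[k] for k in ("BPCS", "Alarm and operator action")}),
}


def sil_for_required_pfd(required_pfd: F) -> str:
    """Map the PFD a new SIF would need onto a Table 11 band."""
    if required_pfd >= 1:
        return "No SIL"  # existing layers already meet the TMEL
    for sil, lower, upper in SIL_BANDS:
        if lower <= required_pfd < upper:
            return f"SIL {sil}"
    if required_pfd >= F(1, 10):
        return "Below SIL 1 (required RRF under 10)"
    return "Beyond SIL 4 (required RRF over 100,000)"


def lopa(ief: F, ipls: Dict[str, F], cms: Dict[str, F], tmel: F) -> dict:
    """One LOPA row: multiply the credited layers, compare with the TMEL."""
    intermediate = ief
    for pfd in ipls.values():
        intermediate *= pfd
    for prob in cms.values():
        intermediate *= prob
    required_sif_pfd = tmel / intermediate  # > 1 means the TMEL is already met
    return {
        "intermediate": float(intermediate),
        "required_sif_pfd": required_sif_pfd,
        "sil": sil_for_required_pfd(required_sif_pfd),
    }


def compare(name: str) -> Dict[str, dict]:
    """Evaluate one scenario under both approaches of Table 2.

    All Safeguards credits every tabulated IPL and CM; Functional Safety
    Only credits the BPCS alone and takes no conditional-modifier credit.
    """
    s = SCENARIOS[name]
    return {
        "all_safeguards": lopa(s["ief"], s["ipls"], s["cms"], s["tmel"]),
        "functional_safety_only": lopa(
            s["ief"], {"BPCS": s["ipls"]["BPCS"]}, {}, s["tmel"]),
    }


if __name__ == "__main__":
    for name in SCENARIOS:
        for approach, r in compare(name).items():
            print(f"{name:52s} {approach:23s} "
                  f"intermediate={r['intermediate']:.1e} "
                  f"SIF PFD={float(r['required_sif_pfd']):g} -> {r['sil']}")
```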

5. Discussion

The Functional Safety Only approach, which relies exclusively on automated protection layers, required a SIL assignment for all analyzed scenarios. In contrast, the All Safeguards–based approach, which incorporates procedural responses and mechanical protection measures, reflected the actual risk reduction effects more comprehensively, showing a consistent trend of no SIL requirement across all scenarios. This difference originates from the structural and methodological distinctions between the two approaches.
The Functional Safety Only approach focuses on the SIF and imposes strict requirements for independence and reliability. As a result, the PFD of a single SIF alone is often insufficient to achieve the target risk reduction, thereby leading to higher SIL requirements.
In contrast, the All Safeguards approach recognizes a wider range of practical protection measures, enabling a more holistic consideration of both system level protection layer architecture and realistic risk reduction performance. Consequently, the overall safety availability of the process improves, while the integrity burden placed on the SIS is significantly alleviated.
The results clearly demonstrate that the scope setting of protection layers has a decisive influence on the final SIL requirements derived from LOPA. Therefore, for complex systems such as off-site HRS that include multiple protection layers, applying an integrated LOPA framework encompassing all independent safeguards rather than limiting the evaluation to the Functional Safety Only approach offers distinct advantages in both design efficiency and safety assurance. Moreover, the All Safeguards–based approach helps prevent excessive SIL allocation and reduces unnecessary expansion of SIS installations, thereby contributing to cost savings and maintenance efficiency.
These findings suggest that, for future HRS designs, adopting a hybrid LOPA framework that combines the functional safety assessment with the extended safeguard evaluation would be highly effective. Such a framework allows the two methodologies to be applied complementarily rather than competitively, depending on the design phase and assessment objectives.
Although this study focuses primarily on safety performance, it is recognized that hydrogen production, storage, and transportation still face technical and economic challenges due to energy inefficiency and the high cost of fuel cells caused by rare-metal dependence. Future research should therefore integrate safety evaluation with techno–economic and life-cycle assessments to support practical and sustainable deployment of hydrogen infrastructure.
The main goal of this study is to compare risk reduction performance; however, the economic implications of the two LOPA approaches also affect design decisions. Previous SIS optimization studies showed that higher SIL requirements increase life-cycle costs. Higher SILs require additional redundancy, more complex logic architectures, more frequent proof-testing, and greater maintenance effort [42,43]. For example, redundant configurations such as 1oo2 or 2oo3 can increase capital cost by two to four times compared with single-channel configurations. Such architectures also raise maintenance needs because of periodic testing and management of false trips [42].
When an off-site HRS is designed using the Functional Safety Only approach, it requires high-integrity transmitters, multiple shutdown valves, and additional logic solvers to achieve SIL 1–2 performance. These requirements add significant cost, consistent with the findings of previous SIS studies. In contrast, the All Safeguards approach uses existing safeguards such as pressure safety valves and procedural layers, reducing the dependence on redundant instrumentation. This approach provides a more cost-effective protection setup during the early design stage.
Thus, even without a full techno-economic analysis, order-of-magnitude comparisons from established SIS studies indicate that expanding SIS requirements under the Functional Safety only approach leads to much higher life-cycle cost. The All Safeguards approach, by contrast, offers a more economical option for achieving similar levels of risk reduction.

6. Conclusions

In this study, the safety of an off-site HRS was evaluated using the HAZOP and LOPA methodologies. The analysis compared the differences and effects between the Functional Safety Only approach, based on IEC 61511, and the All Safeguards approach, which incorporates the broader scope defined by the CCPS guideline.
Through the HAZOP analysis, major hazard scenarios such as hydrogen leakage and storage tank overpressure were identified. For these key scenarios, LOPA was performed under both approaches to quantitatively evaluate the initiating event frequency, the PFD of each IPL, and the required SIL. In the Functional Safety Only approach, protection layers were limited to SIFs, resulting in SIL requirements at levels 1–2 and indicating a need for high-integrity SISs. Conversely, the All Safeguards approach recognized non-instrumented safeguards, such as pressure safety valves and procedural responses, as valid IPLs. This expanded recognition improved design flexibility and economic efficiency. Furthermore, the inclusion of conditional modifiers facilitated achieving the TMEL, thereby reducing the need for additional SIFs. These results quantitatively confirmed that, for identical hazard scenarios, the scope of protection layer consideration significantly affects the required SIL, as well as the design cost, system complexity, and maintenance burden.
The Functional Safety Only approach based on IEC 61511 effectively ensures the consistency and reliability of automated control system design and should be applied in high-risk processes where strict functional safety assurance is essential. In contrast, the All Safeguards approach represents an integrated LOPA framework that acknowledges all protection layers implemented according to prescriptive standards. This approach provides a practical alternative for off-site HRS environments where budgetary, spatial, and operational constraints exist. Therefore, rather than adopting a dichotomous choice between the two standards, a combined strategy is recommended using the All Safeguards approach during the early design stage to establish optimized protection strategies and applying the IEC 61511–based functional safety verification during the final design stage to ensure compliance and documentation integrity.
Future research should integrate LOPA results with quantitative risk assessment to develop a more comprehensive safety evaluation framework for HRS that considers societal risk and multi-victim exposure conditions. Additionally, the establishment of an empirical database on instrument reliability and accident case statistics specific to HRS applications is necessary. Such data will support the development of HRS-specific SIL determination criteria and tolerable risk thresholds, ultimately enhancing both the standardization and reliability of HRS safety assessments.

Author Contributions

Conceptualization, Y.K.; methodology, Y.K.; software, H.S.; validation, S.J.; investigation, H.S.; data curation, S.H.; writing—original draft preparation, Y.K.; writing—review and editing, S.J.; supervision, S.J. All authors have read and agreed to the published version of the manuscript.

Funding

This article was funded by the Korea Agency for Infrastructure Technology Advancement, 21OHTI-C163280-01.

Data Availability Statement

The original contributions presented in the study are included in the article; further inquiries can be directed to the corresponding author.

Acknowledgments

This research is supported by the Korea Agency for Infrastructure Technology Advancement (KAIA) and the Ministry of Land, Infrastructure and Transport (MOLIT) of South Korea (Project name: Development of hydrogen-based public transportation infrastructure technology in foreign countries, Project number: 21OHTI-C163280-01).

Conflicts of Interest

The authors declare that this study received funding from the Korea Agency for Infrastructure Technology Advancement (KAIA). The funder was not involved in the study design, collection, analysis, interpretation of data, the writing of this article or the decision to submit it for publication.

Abbreviations

The following abbreviations are used in this manuscript:
HRS: Hydrogen refueling station
CHSS: Compressed hydrogen storage system
SIL: Safety integrity level
CCPS: Center for Chemical Process Safety
ISO: International standard organization
LOPA: Layer of protection analysis
HAZOP: Hazard and operability
PSV: Pressure safety valve
IPL: Independent protection layer
IEC: International Electrotechnical Commission
BPCS: Basic process control system
SIS: Safety instrumented system
SIF: Safety instrumented function
LP: Low pressure
MP: Medium pressure
HP: High pressure
AOV: Air operated valve
SAE: Society of Automotive Engineers
PFD: Probability of failure on demand
RRF: Risk reduction factor
ALARP: As low as reasonably practicable
IE: Initiating event
IEF: Initiating event frequency
PT: Pressure transmitter
TT: Temperature transmitter
CV: Check valve
PCV: Pressure control valve
GD: Gas detector
TMEL: Target mitigated event likelihood
1oo2: 1 out of 2
2oo3: 2 out of 3

Appendix A

Table A1. HAZOP results of an off-site HRS (L = likelihood, S = severity, R = risk level; see Tables 3–5).
Guideword | Cause | Consequence | Safeguard | L | S | R
No/Less Flow | AOV-001, PRV-001 and MV-001, MV-002 inadvertently closed | Degradation of H2 charging performance | PT-001, FT-001 | 3 | 1 | 2
No/Less Flow | CV-001, CV-002 inadvertently choked | Degradation of H2 charging performance | PT-001, FT-001 | 3 | 1 | 2
No/Less Flow | Line filter blockage caused by foreign particles | Degradation of system integrity due to flow rate reduction | PT-001/PT-007 | 4 | 1 | 2
No/Less Flow | Compressor underrun due to malfunction | Degradation of H2 charging performance due to failure to increase pressure | PT-002/PT-003/PT-004/PT-005 | 3 | 1 | 2
No/Less Flow | AOV-002, AOV-003, AOV-004, AOV-005, AOV-006, AOV-007 and inlet/outlet manual valves of banks inadvertently closed | Degradation of H2 charging performance | PT-002/PT-003/PT-004/PT-005 | 3 | 1 | 2
No/Less Flow | Same cause as above | Pressure increase downstream of the compressor may eventually lead to the rupture of equipment and piping, followed by a H2 leak resulting in flash fire or explosion | PT-002/PT-003/PT-004/PT-005, PSV in/outlet of Comp. PKG | 3 | 3 | 3
No/Less Flow | CV-003, CV-004 inadvertently choked | Degradation of H2 charging performance | PT-005 | 3 | 1 | 2
No/Less Flow | Same cause as above | Pressure increase downstream of the compressor may eventually lead to the rupture of equipment and piping, followed by a H2 leak resulting in flash fire or explosion | PT-005, PSV-004, PSV in/outlet of Comp. PKG | 3 | 3 | 3
No/Less Flow | MV-003 inadvertently closed | Degradation of H2 charging performance | PT-007, FT-002 | 3 | 1 | 2
No/Less Flow | Same cause as above | Pressure increase downstream of the compressor may eventually lead to the rupture of equipment and piping, followed by a H2 leak resulting in flash fire or explosion | PT-006, PSV-006 | 3 | 3 | 3
No/Less Flow | AOV-008, PCV-001 inadvertently closed | Degradation of H2 charging performance | PT-007, FT-002 | 3 | 1 | 2
No/Less Flow | Same cause as above | Pressure increase downstream of the compressor may eventually lead to the rupture of equipment and piping, followed by a H2 leak resulting in flash fire or explosion | PT-006/PT-007, PSV-006 | 3 | 3 | 3
High Flow | Inadvertent opening of PRV-001 (excessive open) | Exceeding the required suction pressure of the compressor may cause damage to the LP compressor | PSV-002 | 3 | 3 | 3
High Flow | Inadvertent opening of PCV-001 (excessive open) | Pressure and temperature increase in the CHSS in vehicles, eventually leading to the rupture of the CHSS, followed by a H2 leak resulting in flash fire or explosion | PSV-007, PT-008/PT-009 | 3 | 4 | 4
High Flow | Compressor overrun due to malfunction | Pressure increase in the banks, eventually leading to the rupture of the banks, followed by a H2 leak resulting in flash fire or explosion | PT-002/PT-003/PT-004, PSV-003/PSV-004/PSV-005 | 2 | 5 | 3
Reverse Flow | AOV-006 inadvertently opened during HP compressor operation | High-pressure flow enters the medium pressure system, eventually leading to the rupture of the medium pressure bank, followed by a H2 leak resulting in flash fire or explosion | CV-003/CV-004, PT-005, PSV-004 | 3 | 5 | 4
Low Pressure | PRV-001 fails to open, resulting in flow at reduced pressure into the compressor | Reduced suction pressure may lead to degradation of compression performance and potential damage to the compressor | FT-001, PT inlet of Comp. PKG | 3 | 2 | 2
Low Pressure | PCV-001 fails to open, resulting in flow at reduced pressure into vehicles | Degradation of H2 charging performance | FT-002, PT-008/PT-009 | 3 | 1 | 2
Low Temperature | Unintended activation of the heat exchanger results in overcooling (e.g., colder chiller into heat exchanger) | Temperature decrease in the CHSS in vehicles, eventually leading to the rupture of the CHSS, followed by a H2 leak resulting in flash fire or explosion | TT-001/TT-002 | 3 | 4 | 4
High Temperature | Unintended activation of the heat exchanger results in insufficient cooling (e.g., hotter chiller into heat exchanger) | Due to the temperature regulation required by the hydrogen filling protocol, the flow rate decreases, degrading H2 charging performance | FT-002, PT-008/PT-009, PT in vehicles | 3 | 1 | 2
High Temperature | Same cause as above | Temperature increase in the CHSS in vehicles, eventually leading to the rupture of the CHSS, followed by a H2 leak resulting in flash fire or explosion | TT-001/TT-002 | 3 | 4 | 4
Safety | H2 leakage from connection hose due to human error | Potential fire and explosion | GD-001/GD-002/GD-003/GD-004; manual leak test during and after hose connection according to SOP | 3 | 3 | 3
Safety | Installation of electrical devices | Potential fire and explosion in a H2 gas leakage scenario | Use of certified explosion-proof electrical devices; GD-001/GD-002/GD-003/GD-004 | 1 | 4 | 2

References

  1. Remme, U. Global Hydrogen Review 2024; IEA: Paris, France, 2024.
  2. Samsun, R.C.; Rex, M.; Antoni, L.; Stolten, D. Deployment of fuel cell vehicles and hydrogen refueling station infrastructure: A global overview and perspectives. Energies 2022, 15, 4975.
  3. Genovese, M.; Fragiacomo, P. Hydrogen refueling station: Overview of the technological status and research enhancement. J. Energy Storage 2023, 61, 106758.
  4. ISO 19880-1; Gaseous Hydrogen-Fuelling Stations—Part 1: General Requirements. International Organization for Standardization: Geneva, Switzerland, 2020.
  5. Baybutt, P. Overcoming challenges in using layers of protection analysis (LOPA) to determine safety integrity levels (SILs). J. Loss Prev. Process Ind. 2017, 48, 32–40.
  6. IEC 61508; Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems, Parts 1–7. International Electrotechnical Commission: Geneva, Switzerland, 2010.
  7. IEC 61511; Functional Safety-Safety Instrumented Systems for the Process Industry Sector, Parts 1–3. International Electrotechnical Commission: Geneva, Switzerland, 2016.
  8. The Center for Chemical Process Safety. Layer of Protection Analysis: Simplified Process Risk Assessment; Center for Chemical Process Safety of the American Institute of Chemical Engineers: New York, NY, USA, 2001.
  9. Park, S.; Hashim, B.; Zahid, U.; Kim, J. Global risk assessment of hydrogen refueling stations: Trends, challenges, and future directions. Int. J. Hydrogen Energy 2025, 106, 1462–1479.
  10. Chitose, K.; Ogushi, H.; Kawai, K.; Mizuno, Y.; Sadanori, A. Risk assessment methodology for hydrogen refueling station. In Proceedings of the WHEC16, Lyon, France, 13–16 June 2006; Volume 6.
  11. Liang, Y.; Pan, X.; Zhang, C.; Xie, B.; Liu, S. The simulation and analysis of leakage and explosion at a renewable hydrogen refuelling station. Int. J. Hydrogen Energy 2019, 44, 22608–22619.
  12. Park, B.; Kim, Y.; Lee, K.; Paik, S.; Kang, C. Risk assessment method combining independent protection layers (IPL) of layer of protection analysis (LOPA) and RISKCURVES software: Case study of hydrogen refueling stations in urban areas. Energies 2021, 14, 4043.
  13. Casamirra, M.; Castiglia, F.; Giardina, M.; Lombardo, C. Safety studies of a hydrogen refuelling station: Determination of the occurrence frequency of the accidental scenarios. Int. J. Hydrogen Energy 2009, 34, 5846–5854.
  14. Gao, X.; Chen, H.; Zhou, C.; Xiong, C.; Pu, W.; Zeng, T.; Men, J.; Lv, H.; Zhao, Y.; Chen, G. A review of safety risk management strategies for hydrogen refueling stations. Renew. Sustain. Energy Rev. 2026, 226, 116297.
  15. Xie, Q.; Zhou, T.; Wang, C.; Zhu, X.; Ma, C.; Zhang, A. An integrated uncertainty analysis method for the risk assessment of hydrogen refueling stations. Reliab. Eng. Syst. Saf. 2024, 248, 110139.
  16. Reddi, K.; Elgowainy, A.; Rustagi, N.; Gupta, E. Impact of hydrogen refueling configurations and market parameters on the refueling cost of hydrogen. Int. J. Hydrogen Energy 2017, 42, 21855–21865.
  17. Perna, A.; Minutillo, M.; Di Micco, S.; Jannelli, E. Design and costs analysis of hydrogen refuelling stations based on different hydrogen sources and plant configurations. Energies 2022, 15, 541.
  18. Genovese, M.; Cigolotti, V.; Jannelli, E.; Fragiacomo, P. Current standards and configurations for the permitting and operation of hydrogen refueling stations. Int. J. Hydrogen Energy 2023, 48, 19357–19371.
  19. Schneider, J.; Meadows, G.; Mathison, S.R.; Veenstra, M.J.; Shim, J.; Immel, R.; Wistoft-Ibsen, M.; Quong, S.; Greisel, M.; McGuire, T. Validation and sensitivity studies for SAE J2601, the light duty vehicle hydrogen fueling standard. SAE Int. J. Altern. Powertrains 2014, 3, 257–309.
  20. Chae, C.K.; Park, B.H.; Kang, S.K.; Choi, J.-O.; Park, J.H.; Won, W.; Kim, Y. Development of real time responding hydrogen fueling protocol and its risk assessment. Korean J. Chem. Eng. 2022, 39, 2916–2924.
  21. J2601_202005; Fueling Protocols for Light Duty Gaseous Hydrogen Surface Vehicles. SAE International: Warrendale, PA, USA, 2020.
  22. Gao, D.; Xiao, Y.; Zhang, B.; Chen, X. Researching on HAZOP Information Standardization Based on Knowledge Ontology. In Proceedings of the 2019 Chinese Control Conference (CCC), Guangzhou, China, 27–30 July 2019; pp. 4956–4960.
  23. Summers, A.E.; Hearn, W.H. Risk criteria, protection layers, and conditional modifiers. Process Saf. Prog. 2012, 31, 139–144.
  24. The Center for Chemical Process Safety. Guidelines for Enabling Conditions and Conditional Modifiers in Layer of Protection Analysis; Center for Chemical Process Safety of the American Institute of Chemical Engineers: New York, NY, USA, 2013.
  25. Cho, S.g.; Oh, S.; Lim, C.H.; Ko, T.K.; Park, S.; Kim, Y.; Cho, K.S.; Lee, K.S.; Kim, H.T.; Kim, K.H. Risk assessment of an offshore green hydrogen production system. Process Saf. Prog. 2025, 44, 368–378.
  26. Chastain, J.W.; Delanoy, P.; Devlin, C.; Mueller, T.; Study, K. Beyond HAZOP and LOPA: Four different company approaches. Process Saf. Prog. 2017, 36, 38–53.
  27. Lee, C.-H.; Rhie, K.-W.; Seo, D.-H.; Lee, D.-M.; Kim, T.-h. Methodology for Applying LOPA Risk Assessment to Liquefied Hydrogen Stations. J. Korean Inst. Gas 2024, 28, 87–94.
  28. Torres-Echeverria, A.C. On the use of LOPA and risk graphs for SIL determination. J. Loss Prev. Process Ind. 2016, 41, 333–343.
  29. Murphy, J.F.; Chastain, W.; Bridges, W. Initiating events and independent protection layers. Process Saf. Prog. 2009, 28, 374–378.
  30. The Center for Chemical Process Safety. Guidelines for Initiating Events and Independent Protection Layers in Layer of Protection Analysis; Center for Chemical Process Safety of the American Institute of Chemical Engineers: New York, NY, USA, 2014.
  31. Dowell III, A.M. Layer of Protection Analysis and Inherently Safer Processes. Process Saf. Prog. 1999, 18, 214.
  32. Baum, D.; Faulk, N.; Perez, P.J. Improved integration of LOPA with HAZOP analyses. Process Saf. Prog. 2009, 28, 308–311.
  33. Harsono, A.; Waters, R.; Tearle, J.; Harkess, G. Applying the layers of protection analysis (LOPA) method to high containment level biological facilities. Sci. Rep. 2025, 15, 4428.
  34. Norsk Hydro ASA and DNV. Risk Acceptance Criteria for Hydrogen Refuelling Stations; Norsk Hydro ASA and DNV: Oslo, Norway, 2003.
  35. IEC 61882; Hazard and Operability Studies (HAZOP Studies)–Application Guide. International Electrotechnical Commission: Geneva, Switzerland, 2016.
  36. McKelvey, T.C. How to improve the effectiveness of hazard and operability analysis. IEEE Trans. Reliab. 1988, 37, 167–170.
  37. The Center for Chemical Process Safety. Guidelines for Hazard Evaluation Procedures, 3rd ed.; Wiley-Interscience: Hoboken, NJ, USA, 2008.
  38. The Center for Chemical Process Safety. Guidelines for Engineering Design for Process Safety, 2nd ed.; Center for Chemical Process Safety of the American Institute of Chemical Engineers: New York, NY, USA, 2012; Volume 108, pp. 72–73.
  39. Baybutt, P. A critique of the Hazard and Operability (HAZOP) study. J. Loss Prev. Process Ind. 2015, 33, 52–58.
  40. IEC 60079-10-1; Explosive Atmospheres—Part 10-1: Classification of Areas—Explosive Gas Atmospheres. International Electrotechnical Commission: Geneva, Switzerland, 2020.
  41. IEC 60079-14; Explosive Atmospheres—Part 14: Electrical Installation Design, Selection and Installation of Equipment, Including Initial Inspection. International Electrotechnical Commission: Geneva, Switzerland, 2024.
  42. Machleidt, K.; Litz, L. An optimization approach for safety instrumented system design. In Proceedings of the 2011 Annual Reliability and Maintainability Symposium, Lake Buena Vista, FL, USA, 24–27 January 2011; pp. 1–6.
  43. Redutskiy, Y. Optimization of safety instrumented system design and maintenance frequency for oil and gas industry processes. Manag. Prod. Eng. Rev. 2017, 8, 46–59.
Figure 1. Process and Instrumentation Diagram for off-site Hydrogen refueling station.
Figure 2. Relationship between IEC 61511 and IEC 61508 [7].
Figure 3. Protection layers in accordance with IEC 61511-3 [7].
Figure 4. Hybrid LOPA framework for HRS design stages.
Table 1. Overview of Off-site HRS configuration.
Category | Description
Hydrogen Supply | Supply of high-pressure hydrogen via tube trailer
Hydrogen Compression and Storage | Hydrogen is compressed by compressors separated by pressure stages and stored in LP/MP/HP vessels
Dispenser | Dispenser compliant with H70/H35 fueling standards [19]
Control system | Emergency shutdown, pressure and temperature sensors, hydrogen detectors, etc.
Table 2. Comparison between Functional Safety only and All Safeguards LOPA approaches for off-site HRS.
Category | Functional Safety Only (IEC 61511-Based Approach) | All Safeguards (CCPS-Based Extended Approach)
Objective | Focused on functional safety; ensuring integrity of SIS | Establishing an integrated risk reduction strategy and enhancing overall safety effectiveness
Recognized IPLs | Only automated layers such as BPCS and SIS are considered | Includes automated, mechanical (e.g., PSV, check valve), detection, and procedural safeguards
Environmental/Conditional Factors | Not considered (ignition and event progression assumed in all cases) | Considers Enabling Conditions and Conditional Modifiers as per CCPS guidelines
Applicable Systems | High-risk automated systems requiring SIS verification | Broader systems including general design and operational protective layers
Typical Outcome Trend | Conservative (tends to result in higher SIL requirements) | Practical (often results in reduced or no SIL requirements)
Design/Operational Implications | Focus on SIS performance | Incorporates diverse safeguards
Table 3. Likelihood level description.
Likelihood Level | Description
5 | Frequent (more than once per year)
4 | Occasional (once every 1 to 3 years)
3 | Rare (once every 3 to 10 years)
2 | Unlikely (once every 10 to 20 years)
1 | Extremely Unlikely (once in more than 20 years)
Table 4. Severity level description.
Severity Level | Description
5 | Catastrophic (fatalities, ≥5 serious injuries, damage ≥ USD 2 million, or operation suspension/equipment repair ≥ 10 days)
4 | Critical (≥1 serious injury or ≥10 minor injuries, damage between USD 0.5 million and USD 2 million, or suspension/repair ≥ 30 days)
3 | Moderate (≥1 minor injury, damage between USD 0.1 million and USD 0.5 million, or suspension/repair ≥ 3 days)
2 | Minor (1 light injury, damage between USD 10,000 and USD 0.1 million, or suspension/repair < 3 days)
1 | Negligible (no injuries, damage < USD 10,000, improvement required for operational enhancement)
Table 5. Risk matrix for risk ranking (cell values are risk levels; rows are severity levels, columns are likelihood levels).
Severity \ Likelihood | 5 | 4 | 3 | 2 | 1
5 | 5 | 5 | 4 | 3 | 3
4 | 5 | 4 | 4 | 3 | 2
3 | 4 | 4 | 3 | 2 | 2
2 | 3 | 3 | 2 | 2 | 1
1 | 3 | 2 | 2 | 1 | 1
Table 6. Classification of risk levels and corresponding acceptance criteria.
Risk Level | Description | Risk Acceptance Criteria
1 | Negligible Risk | Maintain current safety measures; acceptable for current work (current operations can continue)
2 | Minor Risk | Periodic training; acceptable for current work (current operations can continue)
3 | Considerable Risk | Safety measures during maintenance period; conditional acceptance of hazardous work (implement risk reduction activities)
4 | Significant Risk | Emergency temporary safety measures; conditional acceptance of hazardous work (implement risk reduction activities)
5 | Severe Risk | Immediate work suspension; hazardous work not permitted (immediate cessation of work)
Table 7. Representative risk level 4 accident scenarios identified from HAZOP for off-site HRS (L = likelihood, S = severity, R = risk level).
No | Guideword | Cause | Consequence | Safeguard | L | S | R
1 | High Flow | Inadvertent opening of PCV-001 (excessive open) | Pressure and temperature increase in the CHSS in vehicles, eventually leading to the rupture of the CHSS, followed by a H2 leak resulting in flash fire or explosion | PSV-007, PT-008/PT-009 | 3 | 4 | 4
2 | Reverse Flow | AOV-006 inadvertently opened during HP compressor operation | High-pressure flow enters the medium pressure system, eventually leading to the rupture of the medium pressure bank, followed by a H2 leak resulting in flash fire or explosion | CV-003/CV-004, PT-005, PSV-004 | 3 | 5 | 4
3 | Low Temperature | Unintended activation of the heat exchanger results in overcooling (e.g., colder chiller into heat exchanger) | Temperature decrease in the CHSS in vehicles, eventually leading to the rupture of the CHSS, followed by a H2 leak resulting in flash fire or explosion | TT-001/TT-002 | 3 | 4 | 4
4 | High Temperature | Unintended activation of the heat exchanger results in insufficient cooling (e.g., hotter chiller into heat exchanger) | Temperature increase in the CHSS in vehicles, eventually leading to the rupture of the CHSS, followed by a H2 leak resulting in flash fire or explosion | TT-001/TT-002 | 3 | 4 | 4
Table 8. Typical initiating event frequency [30].
Initiating Event Description | IE Frequency (per Year)
BPCS control loop failure | 1 × 10⁻¹
Cooling Water failure | 1 × 10⁻¹
Pressure vessel residual failure | 1 × 10⁻⁶
Gasket/packing blow out | 1 × 10⁻²
Safety valve opens spuriously | 1 × 10⁻²
Pump seal failure | 1 × 10⁻¹
Table 9. Target mitigated event likelihood for LOPA [30].
Severity Level | Effect on Safety | TMEL (per Year)
1 | No injuries | 1 × 10⁻¹
2 | 1 light injury | 1 × 10⁻²
3 | ≥1 minor injury | 1 × 10⁻³
4 | ≥1 serious injury or ≥10 minor injuries | 1 × 10⁻⁴
5 | Fatalities, ≥5 serious injuries | 1 × 10⁻⁵
Table 10. Probability of failure on demand of IPL [30].
IPL Description | Generic PFD (per Year)
Safety control loop | 1 × 10⁻¹
Safety interlock | 1 × 10⁻¹
SIS loop | SIL 1: 1 × 10⁻¹; SIL 2: 1 × 10⁻²; SIL 3: 1 × 10⁻³
Spring-operated pressure relief valve | 1 × 10⁻²
Check valve | 1 × 10⁻¹
Human response to an abnormal condition | 1 × 10⁻¹
Table 11. SIL requirements considering PFDavg and RRF [7].
SIL | PFDavg | RRF
4 | ≥10⁻⁵ to <10⁻⁴ | >10,000 to ≤100,000
3 | ≥10⁻⁴ to <10⁻³ | >1000 to ≤10,000
2 | ≥10⁻³ to <10⁻² | >100 to ≤1000
1 | ≥10⁻² to <10⁻¹ | >10 to ≤100
Table 12. LOPA table for a high flow event.

| Category | Impact Event Description | Severity Level | Initiating Cause | Initiation Likelihood (per Year) | IPL: BPCS ¹ | IPL: Alarms and Operator Action ² | IPL: Additional Mitigation | IPL: Additional Mitigation ³ | CM: Occupancy Factor ⁴ | CM: Probability of Ignition ⁵ | Intermediate Event Likelihood | TMEL | SIF PFD | SIL |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| All Safeguards | Pressure and temperature increase in the CHSS in vehicles, eventually leading to the rupture of the CHSS, followed by a H2 leak resulting in flash fire or explosion | 4 | Inadvertent opening of PCV-001 (excessive opening) | 0.1 | 0.1 | 0.1 | - | 0.01 | 0.2 | 0.1 | 2 × 10⁻⁷ | 1 × 10⁻⁴ | 500 | No SIL |
| Functional Safety Only | (as above) | 4 | (as above) | 0.1 | 0.1 | - | - | - | - | - | 1 × 10⁻² | 1 × 10⁻⁴ | 0.01 | SIL 1 |

¹ Pressure transmitter activated HH trip; ² Operator monitoring and action through pressure transmitter H alarm; ³ Pressure safety valve; ⁴ No operator is present except during refueling; a total exposure of 1 h per day is assumed for daily refueling (1 h/8 h of daily working time = 0.125, rounded up to 0.2 for conservatism); ⁵ The whole HRS area is Zone 2 rated and Ex-proof equipment is installed according to IEC 60079-10-1 [40] and IEC 60079-14 [41].
Table 13. LOPA table for a reverse flow event.

| Category | Impact Event Description | Severity Level | Initiating Cause | Initiation Likelihood (per Year) | IPL: BPCS ¹ | IPL: Alarms and Operator Action ² | IPL: Additional Mitigation ³ | IPL: Additional Mitigation ⁴ | CM: Occupancy Factor | CM: Probability of Ignition ⁵ | Intermediate Event Likelihood | TMEL | SIF PFD | SIL |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| All Safeguards | Flow with high pressure attacking the medium pressure system and eventually leading to the rupture of the medium pressure bank, followed by a H2 leak resulting in flash fire or explosion | 5 | AOV-006 inadvertently open during HP compressor operation | 0.1 | 0.1 | 0.1 | 0.01 | 0.01 | - | 0.1 | 1 × 10⁻⁸ | 1 × 10⁻⁵ | 1000 | No SIL |
| Functional Safety Only | (as above) | 5 | (as above) | 0.1 | 0.1 | - | - | - | - | - | 1 × 10⁻² | 1 × 10⁻⁵ | 0.001 | SIL 2 |

¹ Pressure transmitter activated HH trip; ² Operator monitoring and action through pressure transmitter H alarm; ³ Check valves in series; ⁴ Pressure safety valve; ⁵ The whole HRS area is Zone 2 rated and Ex-proof equipment is installed according to IEC 60079-10-1 and IEC 60079-14.
Table 14. LOPA table for a low temperature event.

| Category | Impact Event Description | Severity Level | Initiating Cause | Initiation Likelihood (per Year) | IPL: BPCS ¹ | IPL: Alarms and Operator Action ² | IPL: Additional Mitigation | IPL: Additional Mitigation | CM: Occupancy Factor ³ | CM: Probability of Ignition ⁴ | Intermediate Event Likelihood | TMEL | SIF PFD | SIL |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| All Safeguards | Temperature decrease in the CHSS in vehicles, eventually leading to the rupture of the CHSS, followed by a H2 leak resulting in flash fire or explosion | 4 | Unintended activation of the heat exchanger results in overcooling | 0.1 | 0.1 | 0.1 | - | - | 0.2 | 0.1 | 2 × 10⁻⁵ | 1 × 10⁻⁴ | 5 | No SIL |
| Functional Safety Only | (as above) | 4 | (as above) | 0.1 | 0.1 | - | - | - | - | - | 1 × 10⁻² | 1 × 10⁻⁴ | 0.01 | SIL 1 |

¹ Temperature transmitter activated LL trip; ² Operator monitoring and action through temperature transmitter L alarm; ³ No operator is present except during refueling; a total exposure of 1 h per day is assumed for daily refueling (1 h/8 h of daily working time = 0.125, rounded up to 0.2 for conservatism); ⁴ The whole HRS area is Zone 2 rated and Ex-proof equipment is installed according to IEC 60079-10-1 and IEC 60079-14.
Table 15. LOPA table for a high temperature event.

| Category | Impact Event Description | Severity Level | Initiating Cause | Initiation Likelihood (per Year) | IPL: BPCS ¹ | IPL: Alarms and Operator Action ² | IPL: Additional Mitigation | IPL: Additional Mitigation | CM: Occupancy Factor ³ | CM: Probability of Ignition ⁴ | Intermediate Event Likelihood | TMEL | SIF PFD | SIL |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| All Safeguards | Temperature increase in the CHSS in vehicles, eventually leading to the rupture of the CHSS, followed by a H2 leak resulting in flash fire or explosion | 4 | Unintended activation of the heat exchanger results in insufficient cooling | 0.1 | 0.1 | 0.1 | - | - | 0.2 | 0.1 | 2 × 10⁻⁵ | 1 × 10⁻⁴ | 5 | No SIL |
| Functional Safety Only | (as above) | 4 | (as above) | 0.1 | 0.1 | - | - | - | - | - | 1 × 10⁻² | 1 × 10⁻⁴ | 0.01 | SIL 1 |

¹ Temperature transmitter activated HH trip; ² Operator monitoring and action through temperature transmitter H alarm; ³ No operator is present except during refueling; a total exposure of 1 h per day is assumed for daily refueling (1 h/8 h of daily working time = 0.125, rounded up to 0.2 for conservatism); ⁴ The whole HRS area is Zone 2 rated and Ex-proof equipment is installed according to IEC 60079-10-1 and IEC 60079-14.