Risk Reduction Evaluation of Prescriptive Technical Codes for Hydrogen Refueling Stations Using LOPA

Abstract

This study evaluates the risk reduction performance of prescriptive technical codes applied to hydrogen refueling stations using a Layer of Protection Analysis (LOPA) approach. A representative accident scenario involving high-pressure hose rupture at the dispenser was selected as the initiating event, and the initiating event frequency was determined based on CCPS guidelines. The target mitigated event likelihood (TMEL) was set to $1.0\times {10}^{-6}$/year, resulting in a required risk reduction factor (RRF) of $1.0\times {10}^4$. Safety devices specified in the Korean Gas Safety (KGS) Codes were identified as independent protection layers (IPLs), and their probability of failure on demand (PFD) values were assigned based on commonly accepted LOPA data. The combined PFD of the identified IPLs was estimated to be $1.0\times {10}^{-5}$, leading to a mitigated event likelihood of $1.0\times {10}^{-7}$/year, which satisfies the predefined TMEL. These results indicate that the prescriptive technical codes can provide a certain level of quantitative risk reduction when all required safeguards operate as assumed. However, the analysis also reveals structural limitations associated with independence assumptions, potential common cause failures, and maintenance conditions. The findings suggest that integrating functional safety concepts and systematic risk assessment with prescriptive codes could enhance the reliability of safety management for hydrogen refueling stations.

1. Introduction

As global policies addressing climate change and carbon neutrality continue to accelerate, the energy system is shifting from a fossil fuel-based structure to low-carbon and carbon-free energy systems [1]. In this energy transition, hydrogen energy has attracted significant attention as a clean energy source and is emerging as a key energy carrier for achieving a carbon-neutral society. In particular, the deployment of hydrogen fuel cell-based mobility has increased as hydrogen is used as a transportation fuel. Consequently, the construction of hydrogen refueling stations (HRSs), which serve as essential infrastructure for the efficient operation of hydrogen mobility, has also expanded. Figure 1 shows the increasing trend of hydrogen refueling stations in the Republic of Korea [2].

In general, a hydrogen refueling station is a complex process system in which hydrogen is compressed to high pressure, stored, and subsequently dispensed to hydrogen mobility. When hydrogen is produced and utilized directly within the site boundary, the facility is classified as an on-site hydrogen refueling station (on-site HRS). In contrast, when compressed hydrogen gas is supplied from external hydrogen production facilities through tube trailers or pipelines and then used for refueling, the facility is classified as an off-site hydrogen refueling station (off-site HRS) [3,4].

Hydrogen possesses physicochemical characteristics such as low ignition energy and a wide flammability range, which create a high potential risk of fire or explosion when leakage occurs. In particular, high-pressure hydrogen may be released as a jet release or may accumulate in confined spaces [5]. If the accumulated hydrogen comes into contact with an ignition source, it can lead to fire or explosion accidents, resulting in severe damage to both personnel and facilities. In practice, numerous fire and explosion accidents have occurred at hydrogen-related facilities worldwide. These incidents suggest that accidents can occur even in facilities that comply with relevant regulations and technical standards. In other words, the possibility of accidents cannot be completely eliminated, even when facilities are designed, constructed, and inspected in full compliance with established standards and technical codes.

Table 1. Annual hydrogen accident statistics and accident types in Korea (2015–2025).

Year	Number of Hydrogen Accidents	Number Related to Refueling Station	Number of Accident Types
			Leak	Fire	Explosions
2015	1	-	1	-	-
2016	-	-	-	-	-
2017	3	-	-	2	1
2018	5	-	-	5	-
2019	1	-	-	1	-
2020	3	1	1	2	-
2021	1	-	-	1	-
2022	4	2	-	4	-
2023	4	-	-	3	1
2024	2	1	-	1	1
2025	4	-	-	2	2

summarizes hydrogen-related accidents that occurred in Korea between 2015 and 2025.

Table 2. Hydrogen refueling station accident cases in Korea.

Date	Accident Type	Description
4 August 2020	Leak	Hydrogen gas leaked from the connection part of the end plug of a hydrogen storage cylinder due to equipment deterioration
28 January 2022	Fire	During the connection of a high-pressure hose to a tube trailer at a hydrogen refueling station, the nut connecting the hose to the outlet was damaged, resulting in hydrogen leakage and a subsequent fire.
28 June 2022	Fire	During charging of a hydrogen cylinder using the self-pressure of a hydrogen tube trailer, the safety valve was activated due to overpressure, releasing hydrogen gas and causing a fire.
27 December 2024	Fire	Fire occurred due to an unknown ignition source during gas release from a safety valve.

provides detailed information on accidents specifically associated with hydrogen refueling stations in Korea [6]. Considering that all hydrogen refueling stations are operated after undergoing mandatory inspections in accordance with relevant regulations, these cases demonstrate that accidents may still occur even when technical standards are fully satisfied.

In Japan, a total of 208 hydrogen refueling stations were installed between 2002 and 2020, and 164 accidents were reported during the same period. In particular, since 2014, when the deployment of hydrogen refueling stations began to accelerate, the number of accidents has also shown an increasing trend alongside the growth in the number of installed stations. This trend may be interpreted as a result of the expansion of hydrogen refueling infrastructure and the increased frequency of station operation, which may also increase the likelihood of accident occurrence. A summary of hydrogen refueling station installations and accident cases in Japan is presented in

Table 3. Number of hydrogen refueling stations and accident cases in Japan (2002–2020).

Category	‘02	‘03	‘04	‘05	‘06	‘07	‘08	‘09	‘10	‘11	‘12	‘13	‘14	‘15	‘16	‘17	‘18	‘19	‘20	Total
Annual Number of Accidents	0	0	0	3	2	3	0	0	2	2	6	7	4	12	32	28	26	18	19	164
Number of Refueling Stations Installed	5	7	11	11	16	19	19	19	23	28	28	33	50	107	134	153	191	187	208	-
Cumulative Number of Hydrogen Refueling Stations	5	12	23	34	50	69	88	107	130	158	186	219	269	376	510	663	854	1041	1249	1249

[6,7,8].

ISO 19880-1, the international standard for hydrogen refueling stations, recommends conducting risk assessment during the design and operation stages of hydrogen refueling stations [9]. If the risk level of the facility does not meet the acceptable criteria of the site, risk reduction measures should be implemented. Furthermore, when necessary, the standard recommends assigning an appropriate Safety Integrity Level (SIL) to the control and safety systems based on the principles of functional safety in order to establish a performance-based safety management framework. In this context, the determination of the SIL should follow the international functional safety standards IEC 61508 and IEC 61511 [10,11,12]. This approach goes beyond a purely prescriptive-based approach, which relies only on regulations and technical codes. Instead, it adopts a risk-based approach, in which the operator determines the required level of safety protection based on the results of risk assessment.

In contrast, the technical codes for hydrogen refueling stations in Korea, KGS FP216 [13] and FP217 [14], follow a prescriptive-based approach. These codes specify the installation of various safety devices, such as emergency shutoff devices, safety valves, gas leak detection and alarm systems, and check valves [13,14]. When the requirements of these technical codes are satisfied, the facility is generally considered to have achieved an acceptable level of safety. Compliance with the technical codes also serves as an important criterion for approval during the legal permitting and inspection process. However, this prescriptive-based approach primarily focuses on the installation and integrity of safety devices. As a result, it has limitations in reflecting detailed factors associated with actual operating conditions, such as the independence of protection layers and the level of maintenance and management.

Previous studies have primarily focused on quantitative risk assessments of accident consequence ranges resulting from hydrogen leakage at hydrogen refueling stations or on functional safety analyses based on IEC standards [15,16,17,18,19]. However, only a limited number of studies have quantitatively evaluated the risk reduction level achieved by prescriptive safety devices alone and examined their relationship with the necessity of applying functional safety [20]. In particular, research that compares and analyzes the differences between technical code-based approaches and international standard-based approaches through risk assessment using Layer of Protection Analysis (LOPA) remains limited [21,22].

Therefore, this study establishes representative accident scenarios that may occur at hydrogen refueling stations. For each scenario, LOPA is performed by applying the safety devices specified in technical codes as Independent Protection Layers (IPLs). The occurrence frequency of the accident is estimated, and the achievement of the Target Mitigated Event Likelihood (TMEL) is quantitatively evaluated. Through this analysis, the structural limitations of the prescriptive-based approach are examined, and the necessity of applying functional safety is discussed. Ultimately, this study aims to suggest a direction for improving the safety management framework of hydrogen refueling stations.

2. Technical Codes and Standards Related to Hydrogen Refueling Stations

2.1. International Standard ISO 19880-1

The international standard “Gaseous hydrogen—Fueling stations—Part 1: General requirements (ISO 19880-1)”, published by the International Organization for Standardization (ISO), is one of the most widely recognized standards for hydrogen fueling facilities. This standard specifies general requirements for the design, construction, operation, and maintenance of hydrogen refueling stations. It addresses both technical requirements for ensuring safety and a risk-based safety management framework. In particular, ISO 19880-1 defines fundamental technical requirements for various design elements of hydrogen refueling stations, including equipment configuration, equipment layout, dispensers, hydrogen quality, electrical systems, and instrumentation and control systems. At the same time, the standard incorporates performance-based elements by allowing operators to conduct risk assessments under specific conditions and adjust safety design criteria based on the assessment results. The safety management framework defined in ISO 19880-1 is illustrated in Figure 2.

One of the key characteristics of ISO 19880-1 is that it explicitly recommends that stakeholders conduct risk assessments for hydrogen refueling stations. The standard specifies that system hazards should be identified and risk factors analyzed according to a structured risk assessment procedure. Based on this analysis, appropriate risk mitigation measures should be derived, and it should be demonstrated that the implemented improvements achieve the target risk level. In particular, the annexes related to risk assessment recommend the application of quantitative or semi-quantitative risk assessment methods. The standard also presents a framework in which risk is evaluated based on accident scenario analysis and subsequently compared with predefined risk acceptance criteria.

Although ISO 19880-1 also mentions semi-quantitative risk assessment methods, the standard primarily focuses on Quantitative Risk Assessment (QRA) and Consequence Analysis (CA). These approaches evaluate the physical effects of hydrogen release accidents, such as thermal radiation from fires and overpressure from explosions. In addition, they estimate individual and societal risks, which are then compared with predefined risk acceptance criteria. However, the standard does not provide detailed guidance on LOPA, which is a representative semi-quantitative risk assessment method used to estimate accident frequency by considering the reliability of safety instrumented functions and protection layers [9].

ISO 19880-1 also refers to the functional safety of instrumentation and control systems and Safety Instrumented Functions (SIFs). However, the standard does not provide detailed procedures or methodologies for implementing these systems. Instead, it specifies that relevant functional safety standards, such as IEC 61508 or IEC 61511, should be referenced. In other words, if the results of the risk assessment indicate that the reliability of the instrumentation and control system is insufficient and that the probability of accident occurrence cannot be adequately reduced, additional protection measures may be required. In such cases, the system should achieve an appropriate SIL in accordance with IEC 61508 or IEC 61511. This approach recognizes the importance of applying functional safety while delegating the detailed SIL determination methods and the configuration of protection systems to separate international standards. The key aspects of ISO 19880-1 related to functional safety and risk assessment are summarized in

Table 4. Structure characteristics of ISO 19880-1 safety approach.

Category	Description in ISO 19880-1	Methodological Specificity
Overall Safety Philosophy	Risk-informed and performance-oriented requirements	General framework provided
Risk Assessment Requirement	Hazard identification, risk analysis, risk evaluation and mitigation	QRA recommended (Annex)
Primary Analytical Tool	Quantitative Risk Assessment (QRA) and consequence modeling	Physical effect modeling (jet fire, explosion, thermal radiation)
Layer of Protection Concept	Mentioned in context of additional safety systems	Not formally structured as LOPA
Functional Safety	Reference to IEC 61508 and IEC 61511	SIL determination delegated to IEC standards
Treatment of Safeguards	Emphasis on control and safety systems	Mechanical/passive safeguards not quantitatively structured
Performance Demonstration	Risk must meet acceptable criteria	Through risk evaluation results

.

In summary, ISO 19880-1 recommends the implementation of risk assessment to ensure the safety of hydrogen refueling stations. However, the framework primarily emphasizes Quantitative Risk Assessment and Consequence Analysis. The application of functional safety is addressed only indirectly through references to related standards such as IEC 61508 and IEC 61511, rather than through detailed guidance within the ISO 19880-1 standard itself. In addition, ISO 19880-1 does not systematically define protection layers for hydrogen refueling stations or provide analytical methodologies to quantitatively evaluate them. This characteristic differs from the prescriptive-based approach used in technical codes. Instead, it allows safety requirements to be applied differently for each hydrogen refueling station based on the safety performance elements designed by the stakeholders.

2.2. Korea Gas Safety (KGS) Code

In Korea, the technical codes KGS FP216 and KGS FP217 are applied to regulate the facilities, technical requirements, and inspection procedures of hydrogen refueling stations. KGS FP216 applies to on-site hydrogen refueling stations, while KGS FP217 applies to off-site hydrogen refueling stations. These codes provide detailed requirements for the structure, equipment, layout, and safety devices of hydrogen refueling stations in accordance with the High-Pressure Gas Safety Control Act in Korea. The KGS Code is directly applied as a technical evaluation criterion during the licensing and approval process for hydrogen refueling stations. Therefore, it represents a prescriptive-based approach that explicitly requires the installation of specific safety devices.

KGS FP216 and FP217 specify the installation of safety devices for major equipment in hydrogen refueling stations. Representative examples include overpressure protection devices such as safety valves, emergency shutoff devices, gas leak detection and alarm systems, breakaway devices, check valves, ventilation systems, and dispenser protection facilities. The detailed requirements for these safety devices are defined according to the type of equipment and installation location. Compliance with these requirements serves as a key criterion for determining approval during the licensing process. The prescriptive-based safety management framework of the KGS Code is illustrated in Figure 3 [13,14].

The KGS Code adopts an approach in which required safety devices for specific hazard scenarios are predefined, and a minimum level of safety is ensured through the installation of these devices. In other words, the framework does not determine protection layers based on the results of a risk assessment. Instead, it follows a prescriptive structure in which safety devices specified in the code are applied uniformly. As a result, operators can demonstrate technical compliance by installing the safety devices required by the code, even without conducting a separate risk assessment for individual equipment.

However, the prescriptive-based approach evaluates safety primarily based on the installation of safety devices and compliance with specified requirements. Therefore, it has limitations in quantitatively reflecting factors such as the independence, reliability, common-cause failure, and maintenance level of each safety device. For example, if a gas leak detection and alarm system and an emergency shutoff device are connected to the same control system or power supply, multiple safety devices may appear to be installed from a numerical perspective. However, the actual risk reduction effect may be lower than expected due to the lack of independence between these devices. Nevertheless, the KGS Code does not explicitly define quantitative criteria for mutual independence between safety devices or the probability of failure on demand (PFD) when their operation is required.

Furthermore, the KGS Code does not directly specify detailed procedures for determining SIL or the safety lifecycle requirements based on IEC 61511. Instead, the code mainly focuses on the installation and performance requirements of safety devices. This approach differs from that of ISO 19880-1, which considers the implementation of additional safety systems based on risk assessment results and recommends referencing international standards related to functional safety. In summary, the KGS Code represents a prescriptive-based technical standard that ensures a minimum level of safety by requiring the installation of various safety devices in hydrogen refueling stations. However, because the code does not require a systematic analysis of risk assessment results or the reliability of protection layers, a quantitative evaluation of the actual risk level may still be necessary, even when all code requirements are satisfied. This characteristic contrasts with ISO 19880-1, which, while including prescriptive elements, simultaneously emphasizes a risk-based approach in the safety management framework.

3. Layer of Protection Analysis

3.1. Selection of Initiating Events

The objective of this study is not to comprehensively identify all potential hazards that may occur during the operation of hydrogen refueling stations. Instead, the study aims to examine whether the protection devices required by the prescriptive-based approach provide a quantitatively sufficient level of risk reduction. Therefore, rather than conducting a full risk assessment for the entire hydrogen refueling station system, a representative accident scenario for an off-site hydrogen refueling station was conservatively selected. The effectiveness of the protection layers in reducing risk was then evaluated.

Initiating events were established by considering representative accident scenarios in an off-site hydrogen refueling station configured as shown in Figure 4. Only situations satisfying the following conditions were selected as initiating events [23,24,25,26]:

• A large-scale release of high-pressure hydrogen gas is possible.
• The event is directly associated with storage facilities such as hydrogen banks or with the dispenser system.
• Hydrogen released to the atmosphere may encounter an ignition source and escalate into fire or explosion accidents.
• The occurrence frequency of the initiating event can be estimated based on reliable frequency data.

In particular, considering condition (4), shown above, accident scenarios for which the frequency data provided by the CCPS guidelines could be directly applied were selected as representative accident scenarios. The results are summarized in

Table 5. Initiating event and related frequency of incident scenarios.

No	Initiating Event	Frequency (per Year)	Applicability to HRS
IE-01	Hose failure—rupture	1.00 × 10−2	High-pressure hose rupture caused by drive-off
IE-02	Hose leak (non-rupture)	1.00 × 10−1	Leakage at connection point
IE-03	Aboveground piping full breach (≤150 mm)	1.00 × 10−6	High-pressure piping rupture
IE-04	Aboveground piping leak (≤150 mm)	1.00 × 10−5	Minor piping leakage
IE-05	Pressure regulator failure	1.00 × 10−1	Overpressure or loss of pressure control
IE-06	BPCS control loop failure	1.00 × 10−1	Abnormal pressure due to loss of control
IE-07	Single circuit loss of power	1.00 × 10−1	Possible loss of control and shutdown functions

.

Among the identified initiating events, IE-01 was selected as the representative scenario because it was considered the most conservative and practically relevant case with the potential to lead to the worst accident consequences. This selection was based on several considerations. First, there are documented accident cases at hydrogen refueling stations caused by damage to the dispenser hose. If the hose ruptures, a large amount of high-pressure hydrogen gas may be released to the atmosphere. Second, the area surrounding the dispenser has the highest level of human exposure within the hydrogen refueling station. In addition, the dispenser system is relatively standardized in accordance with SAE J2601 [27], and its safety devices are also standardized. This characteristic makes the dispenser system suitable for evaluating IPLs in LOPA [27].

Accordingly, the representative initiating event was selected not on the basis of frequency alone, but by considering the potential release severity, relevance to dispenser-area exposure, and suitability for a conservative LOPA scenario. A comparison of the candidate initiating events is provided in

Table 6. Justification for selection of the representative initiating event.

Initiating Event	Frequency (per Year)	Potential for Large High-Pressure Hydrogen Release	Relevance to Public Exposure	Suitability for Representative LOPA Scenario *
IE-01 (Hose failure—rupture)	1.00 × 10−2	High	High	High
IE-02 (Hose leak (non-rupture))	1.00 × 10−1	Medium	High	Medium
IE-03 (Aboveground piping full breach (≤150 mm))	1.00 × 10−6	High	Medium	Medium
IE-04 (Aboveground piping leak (≤150 mm))	1.00 × 10−5	Medium	Medium	Low
IE-05 (Pressure regulator failure)	1.00 × 10−1	Variable	Medium	Medium
IE-06 (BPCS control loop failure)	1.00 × 10−1	Variable	Medium	Low
IE-07 (Single circuit loss of power)	1.00 × 10−1	Indirect	Indirect	Low

* Suitability was qualitatively assessed by considering the relative initiating event frequency together with the potential release severity and relevance to public exposure.

.

LOPA is a methodology that analyzes individual accident scenarios independently, where each scenario is defined by a combination of an initiating event and a consequence. In a single analysis, the level of risk reduction is evaluated for one initiating event leading to a specific consequence [28]. Therefore, the analysis results for IE-01 may also serve as a conservative reference for other independent accident scenarios with similar or lower risk levels. For a conservative assessment, the initiating event frequency of IE-01 caused by hose rupture was assumed to be 1.0 × 10⁻² per year in this study. This value was adopted from the hose rupture frequency provided in the CCPS guidelines [29]. Since hydrogen-refueling-station-specific initiating event frequency data remain limited, the CCPS guideline values were used in this study as conservative reference values for a representative semi-quantitative LOPA evaluation.

3.2. Determination of the Target Mitigated Event Likelihood

To perform LOPA, it is necessary to establish the TMEL, which represents the acceptable accident frequency to be achieved after applying protection layers following the initiating event. TMEL refers to the acceptable final frequency of a specific accident scenario. In general, it is determined by the organization while considering factors such as societal risk acceptance, industry practices, and relevant domestic and international regulations and standards.

3.2.1. Criteria for Determining the Acceptable Accident Frequency

Hydrogen refueling stations are facilities that are accessible to the public, and according to legal requirements, station operators are required to be present at the refueling facility. Therefore, accidents at hydrogen refueling stations may result in multiple casualties. In this study, the TMEL was set to 1.0 × 10⁻⁶ per year by referencing the criteria for individual risk and societal risk interpretation provided in the related Korean regulation. This value can generally be regarded as the acceptable annual accident frequency for a single accident scenario in typical industrial facilities. In addition, this value is broadly consistent with internationally recognized acceptable accident frequency levels discussed in the literature, including risk-informed approaches used in the UK and the Netherlands [30,31,32].

3.2.2. Calculation of the Required Risk Reduction Factor

The required Risk Reduction Factor (RRF) is defined as the ratio between the frequency of the initiating event and the acceptable accident frequency. In other words, it represents the level of risk reduction required for a specific accident scenario. The RRF is calculated by dividing the initiating event frequency by the TMEL, and the resulting value indicates the minimum level of risk reduction that must be achieved by independent protection layers or safety instrumented systems. Therefore, the RRF serves as an important indicator in LOPA for determining the target level of safety risk reduction that must be achieved through independent protection layers. The RRF for IE-01 caused by hose rupture is calculated as follows, according to Equation (1). In this equation, the Initiating Event Frequency refers to the estimated annual frequency at which the selected initiating event is expected to occur before the application of any independent protection layers.

$$RRF={\displaystyle \frac{\mathit{Initiating} \mathit{Event} \mathit{Frequency}}{\mathit{Target} \mathit{Mitigated} \mathit{Event} \mathit{Likelihood}}}={\displaystyle \frac{1.0\times {10}^{-2}}{1.0\times {10}^{-6}}}=1.0\times {10}^4$$

(1)

This result indicates that a minimum risk reduction factor of 10,000 is required to establish effective safety measures for the accident scenario caused by dispenser hose rupture.

3.2.3. Allowable Total Probability of Failure on Demand

The Probability of Failure on Demand (PFD) represents the probability that an IPL fails when it is required to perform its intended function. In other words, it refers to the probability of a safety gap or loss of protection caused by the failure of a protection device to operate when demanded. In LOPA, the PFD of independent protection layers is defined as shown in Equation (2). Since the previously calculated RRF is 1.0 × 10⁴, the allowable total PFD can be determined as follows:

$$\begin{array}{ll}{PFD}_{\mathit{total}}& \le {\displaystyle \frac{1}{RRF}}\\ & \le 1.0 \times {10}^{-4}\end{array}$$

(2)

This means that the product of the PFD values of all independent protection layers must be equal to or less than 1.0 × 10⁻⁴.

3.2.4. Relationship with Functional Safety

If the identified risk is mitigated using a single Safety Instrumented System (SIS), a Safety Integrity Level corresponding to an RRF of 1.0 × 10⁴ is required. According to the IEC 61511 standard, this corresponds to SIL 3, as shown in

Table 7. Safety integrity level in accordance with PFD and RRF.

Safety Integrity Level (SIL)	Probability of Failure on Demand (PFD)	Risk Reduction Factor (RRF)
SIL 4	≥10−5 to <10−4	>104 to ≤105
SIL 3	≥10−4 to <10−3	>103 to ≤104
SIL 2	≥10−3 to <10−2	>102 to ≤103
SIL 1	≥10−2 to <10−1	>101 to ≤102

[12,31]. In general industrial practice, SIL 3 represents a high level of safety integrity. Therefore, achieving this level through a single instrumented protection layer may be challenging. However, if multiple prescriptive-based safety devices are recognized as IPLs, it becomes possible to evaluate whether their combined effect can achieve the same required risk reduction factor. This evaluation constitutes the core analytical objective of this study.

3.3. Identification of Independent Protection Layers Based on the KGS Code and Determination of PFD

The KGS Code specifies the safety devices that must be considered in the design and construction of hydrogen refueling stations. However, it does not provide specific PFD values for individual safety devices. Therefore, in this study, representative PFD values from the CCPS LOPA guidelines, which are widely used internationally, were applied [29].

It should be noted that the PFD values presented in the CCPS guidelines are empirical values based on the assumption that the integrity of safety devices is maintained through regular Inspection, Testing, and Preventive Maintenance (ITPM). Based on the previously selected initiating event involving a large hydrogen release caused by dispenser hose rupture and the TMEL, the safety devices required by the KGS Code were classified as IPLs, and the PFD of each IPL was estimated. Through this analysis, it was quantitatively evaluated whether the required RRF can be satisfied solely by applying the basic IPLs specified in the KGS Code.

3.3.1. Accident Scenario and Boundary for IPL Application

The accident scenario for the initiating event, IE-01, is described as follows:

• Rupture of the dispenser hose caused by abnormal vehicle movement during refueling.
• Occurrence of fire or explosion due to an unknown ignition source.

In general, accident scenario analysis should comprehensively consider factors such as the location of hydrogen release from the dispenser or hose, the duration and quantity of the release, and the probability of ignition. However, the objective of this study is to evaluate whether the TMEL can be achieved solely through the application of safety devices specified in the KGS Code. Therefore, the IPL assessment in this study focuses on protection layers that can rapidly isolate and shut off hydrogen leakage under a large-release condition, thereby preventing escalation to severe accidents.

3.3.2. Identification of IPL Candidates Based on the KGS Code

Among the safety devices specified in the hydrogen refueling station codes KGS FP216 and FP217, only those that can directly contribute to risk reduction for the accident scenario and can be applied as IPLs from a LOPA perspective were selected.

(1)

Breakaway Coupling

A breakaway coupling installed on the fueling hose is a mechanical protection device that automatically shuts off the release of hydrogen to the atmosphere when the hose is separated due to abnormal vehicle movement or external force during refueling. In particular, if a vehicle suddenly departs without disconnecting the nozzle from the hose, significant damage may occur not only to the hose but also to the dispenser unit itself. Such an event may lead to the release of a large amount of hydrogen gas into the atmosphere. Therefore, the breakaway coupling is considered a critical safety device designed to prevent this type of accident.

(2)

Emergency Shutdown System and Shut-off Valve Closure Logic

The KGS Code specifies the installation locations and automatic shutdown functions of the Emergency Shutdown (ESD) system, allowing operators to quickly stop the flow of gas when an emergency occurs during refueling. When the ESD system is activated, major equipment such as compressors and pumps must immediately stop operation. This mechanism can be considered a protection layer in which the operator manually shuts down the system once an abnormal condition is recognized.

(3)

Gas Leak Detection and Alarm System

The gas leak detection and alarm system detects leaked gas, activates an alarm, and automatically shuts off the gas flow. Unlike systems that only provide an alarm to notify operators of an abnormal condition, this system is integrated with an automatic shutdown function following detection. Therefore, it can be applied as an instrumentation and control-based IPL in the LOPA framework.

(4)

Excess Flow Prevention Measures

Hydrogen piping within the dispenser is equipped with control valves for flow regulation and shut-off valves for emergency isolation. These components are essential elements required to implement the refueling protocol defined in SAE J2601. Therefore, the control valve and emergency shut-off valve can be considered as IPLs that function as excess flow prevention measures in response to abnormal increases in flow rate.

The KGS Code also specifies several additional protective measures beyond the IPL candidates identified above. Typical examples include protective walls, vehicle impact protection facilities, and ventilation systems. However, safety devices that are not directly applicable to the selected accident scenario were not considered as IPLs in this study.

3.3.3. Basis and Values for PFD of Each IPL

To verify whether the allowable total PFD criterion of 1.0 × 10⁻⁴ or less is satisfied, representative PFD values were applied to each IPL. Since the KGS Code does not provide specific PFD values for individual safety devices, the representative IPL values suggested in the CCPS LOPA guidelines, which are commonly used in LOPA studies, were adopted [29]. It should be noted that the PFD values adopted in this study, in accordance with the CCPS, are conditional values based on the assumption that each IPL maintains its required performance through regular inspection, testing, and preventive maintenance.

(1)

Breakaway Coupling

According to the CCPS guidelines, a mechanical separation device with an automatic shut-off function can be recognized as an IPL, with a representative PFD value of 1.0 × 10⁻¹. It should be noted that the PFD values suggested by CCPS are applicable only when the integrity and operability of the breakaway device are ensured through regular inspection, testing, and preventive maintenance. Breakaway couplings installed in hydrogen refueling hoses are required by regulation to be certified products and are subject to periodic inspection and maintenance. Therefore, in this study, the PFD value recommended in the CCPS guidelines was applied to this protection layer.

(2)

Emergency Shutdown System and Shut-off Valve Closure Logic

According to the CCPS guidelines, an operator’s appropriate response to abnormal conditions can be recognized as an IPL. Representative PFD values of 1.0 × 10⁻¹ or 1.0 × 10⁻² are suggested. When no specific means are available for operators to detect emergency situations, a PFD of 1.0 × 10⁻¹ is typically applied. In contrast, when abnormal conditions can be recognized through alarms or monitoring systems, a PFD of 1.0 × 10⁻² may be applied. In hydrogen refueling stations, multiple instrumentation and control systems, including alarm systems, are installed, enabling operators to quickly recognize abnormal operating conditions. Therefore, a PFD value of 1.0 × 10⁻² was applied in this study. It should also be noted that this operator response IPL is recognized only when proper operating procedures are documented and operators are adequately trained. In Korea, hydrogen refueling stations are required by regulation to establish safety management procedures, and facility operations must be conducted by authorized personnel who have received appropriate education and training. Therefore, these conditions were considered to be satisfied. Since hydrogen refueling stations are relatively compact facilities and operators are required to be present at the refueling area, prompt recognition of abnormal conditions and emergency response were assumed for this operator response credit in the present study.

(3)

Gas Leak Detection and Alarm System

A safety interlock, consisting of a sensor, logic solver, and final control element, is a representative control and interlock-based IPL described in the CCPS guidelines. The gas leak detection and alarm system corresponds to this type of protection layer. When the reliability of a safety interlock is verified through periodic inspection and functional testing, the CCPS guidelines recommend a representative PFD value of 1.0 × 10⁻¹. Since the performance of gas leak detection and alarm systems is verified as a key inspection item during the facility completion inspection required by relevant regulations, the conditions for applying this IPL are considered to be satisfied. Therefore, a PFD value of 1.0 × 10⁻¹ was applied in this study.

(4)

Excess Flow Prevention Measures

An excess flow prevention device whose integrity is ensured through periodic inspection can be recognized as an IPL according to the CCPS guidelines. In such cases, a representative PFD value of 1.0 × 10⁻¹ can be applied. This PFD value is applicable when the device is installed in piping that carries fluids with low contamination potential and non-corrosive characteristics. Hydrogen supplied to fuel cell vehicles at hydrogen refueling stations is a high-purity, non-corrosive gas, and therefore, the conditions for applying this criterion are considered to be satisfied.

Accordingly, the identified IPLs based on the KGS Code and the applied PFD values are summarized in

Table 8. IPL and assigned PFD values based on CCPS.

No	IPL (Safety Device)	Category Based on CCPS	PFD
IPL-01	Breakaway coupling	Mechanical isolation device	1.00 × 10−1
IPL-02	Emergency shutdown (ESD) and isolation	Human response with sensor	1.00 × 10−2
IPL-03	Hydrogen gas detection and automatic shutoff	Safety interlock (Instrumented/Interlock)	1.00 × 10−1
IPL-04	Excess flow valve (or equivalent flow limiting device)	Excess flow valve	1.00 × 10−1

.

3.3.4. Calculation of Total PFD and Residual Accident Frequency

The total PFD is calculated as the product of the PFD values of the individual IPLs. The calculation can be expressed using Equation (3). In this study, the total PFD was calculated as the product of the individual PFD values under the assumption that the identified IPLs operate independently and that no common cause failure affects them simultaneously.

$$\begin{array}{ll}{PFD}_{\mathit{total}}& =\pi {PFD}_i\\ & =\left(1.0\times {10}^{-1}\right)\times \left(1.0\times {10}^{-2}\right)\times \left(1.0\times {10}^{-1}\right)\times \left(1.0\times {10}^{-1}\right)\\ & =1.0\times {10}^{-5}\end{array}$$

(3)

Therefore, since the allowable total PFD criterion was determined to be 1.0 × 10⁻⁴, the risk reduction capability of the IPL combination based on the KGS Code satisfies the total PFD requirement. The Final Event Likelihood, representing the mitigated accident frequency, can be calculated as follows according to Equation (4).

$$\begin{array}{ll}\mathit{Final} \mathit{Event} \mathit{Likelihood}& =\mathit{IEF}\times {PFD}_{\mathit{total}}\\ & =\left(1.0\times {10}^{-2}/year \right)\times \left(1.0\times {10}^{-5}\right)\\ & =1.0\times {10}^{-7}/year\end{array}$$

(4)

3.3.5. Achievement of the TMEL

The TMEL established in this study was 1.0 × 10⁻⁶ per year. In this study, the Final Event Likelihood refers to the mitigated annual likelihood of the selected accident scenario resulting in fire or explosion following the initiating event. The calculated Final Event Likelihood was 1.0 × 10⁻⁷ per year, which is one order of magnitude lower than the target value. Therefore, the TMEL can be considered quantitatively satisfied. The LOPA results demonstrate that when the safety devices specified in the KGS Code are applied as IPLs, the TMEL can be achieved for the selected accident scenario. This indicates that the prescriptive-based technical standards contribute to ensuring a minimum level of safety.

However, this result is valid only under the assumption that the independence and reliability of each IPL are ensured, and that regular inspection, testing, and proper maintenance activities are performed. In addition, the analysis excludes factors such as simultaneous accident scenarios and common cause failures, which are typically not considered in risk assessments. Therefore, if these conditions are not fully satisfied in actual hydrogen refueling station operations, the assumed PFD values may not be maintained. In particular, instrumentation and control-based protection layers may be vulnerable to common cause failures related to power supply or control systems, and their performance may vary depending on the adequacy of maintenance practices. In other words, safety gaps may still occur even when the KGS Code and relevant regulations are fully complied with. This limitation can be regarded as a structural limitation of prescriptive-based technical standards.

4. Results and Discussion

4.1. Summary of LOPA Results

In this study, an accident scenario involving dispenser hose disconnection and rupture caused by vehicle departure, leading to a large release of hydrogen and subsequent fire or explosion, was selected. The initiating event frequency of 1.0 × 10⁻² per year, corresponding to hose rupture, was adopted based on the CCPS guidelines. The TMEL was set to 1.0 × 10⁻⁶ per year, resulting in a required RRF of 1.0 × 10⁴. The safety devices specified in the KGS Code, representing a prescriptive-based approach, were applied as IPLs. The PFD values recommended by CCPS were assigned to each IPL. As a result, the total PFD was calculated as 1.0 × 10⁻⁵, and the Final Event Likelihood was estimated to be 1.0 × 10⁻⁷ per year, indicating that the initially defined TMEL was satisfied.

These results indicate that, when all safety devices specified by the prescriptive-based technical standards are properly implemented, there is a potential to achieve the target risk level for accident scenarios in hydrogen refueling stations from a quantitative perspective.

4.2. Quantitative Adequacy of the Prescriptive-Based Approach

The results of this study suggest that the prescriptive-based approach can achieve a certain level of risk reduction. In particular, the KGS Code for hydrogen refueling stations specifies not only mechanical safety devices but also instrumentation and control-based safety systems, forming multiple layers of protection. When these are appropriately combined, a significant risk reduction effect can be achieved. This indicates that the installation of safety devices based on a prescriptive approach is not merely a formal requirement, but can effectively contribute to actual risk reduction. In practice, the safety design of hydrogen refueling stations, where multiple safety devices are applied in combination, shows structural similarities to the multi-layered protection concept required in LOPA.

However, these quantitative results are valid only under the assumption that each IPL operates independently and that its integrity is maintained at a level equivalent to the initial design through proper maintenance. While prescriptive-based technical standards clearly specify the required safety devices during the design and construction stages, they do not systematically address the long-term reliability and performance maintenance of these devices during operation.

4.3. Assumption of Independence and the Impact of Common Cause Failures

From a LOPA perspective, an IPL must maintain independence, meaning that it is not affected by the initiating event or by the failure of other protection layers. However, in actual hydrogen refueling stations, systems such as the emergency shutdown system and gas leak detection system may share the same power supply or control panel. In such cases, a failure in the power supply or control system may render multiple IPLs simultaneously ineffective.

In addition, maintenance systems are often managed in an integrated manner. Therefore, inadequate maintenance of one safety device may lead to degraded performance of other safety devices. Under these conditions, even if multiple IPLs are identified in the LOPA, the actual risk reduction effect may be lower than the calculated value. For example, instrumentation and control-based protection layers can be simultaneously disabled by common cause failures such as power loss or control logic faults [33]. Furthermore, if the maintenance system during operation is not properly established, the failure probability of safety devices may increase, leading to a corresponding increase in the PFD of the protection layers. In such cases, the Final Event Likelihood may no longer satisfy the TMEL.

Therefore, the reported risk reduction performance should not be interpreted as an inherent consequence of guideline compliance alone. Rather, it should be interpreted as a conditional outcome that depends on the sustained operational integrity and management of the protection layers. If such maintenance conditions are not adequately achieved, the actual probability of failure on demand may increase. In that case, the mitigated event likelihood may no longer satisfy the target risk criterion.

This interpretation is consistent with recent maintenance-policy studies, which have shown that reliability under on-demand operating conditions is strongly influenced by inspection intervals, maintenance decisions, and system deterioration [34,35,36].

In addition, insufficient operator training, inadequate proof testing, or human error during abnormal situation response may further degrade the actual effectiveness of protection layers and increase the final event likelihood.

4.4. Sensitivity Analysis Considering Common Cause Failure in Instrumented Protection Layers

To examine the sensitivity of the LOPA results to the independence assumption among the identified independent protection layers (IPLs), an additional conservative sensitivity analysis was conducted. In the base-case analysis, four IPLs were credited: the breakaway coupling, the emergency shutdown (ESD) system with shut-off valve closure logic, the hydrogen gas detection and automatic shutoff system, and the excess flow prevention measure. However, among these IPLs, both the ESD-related shutdown function (IPL-02) and the gas detection-based automatic shutoff function (IPL-03) rely on instrumentation and control logic. In practical hydrogen refueling station configurations, these functions may share common elements such as the control panel, logic solver, power supply, signal transmission system, or final control architecture. Under such conditions, a common cause failure affecting the shared control logic system may impair both protection layers simultaneously. Therefore, in this sensitivity analysis case, IPL-02 and IPL-03 were conservatively not credited as independent IPLs.

Based on this assumption, only IPL-01 (breakaway coupling) and IPL-04 (excess flow valve) were credited in the sensitivity case. Using the same PFD values applied in the base-case analysis, the total PFD was recalculated as follows:

$$\mathit{Total} {\mathit{PFD}}_{\mathit{sensitivity}}=\left(1.0 \times {10}^{-1}\right)\times \left(1.0 \times {10}^{-1}\right)= 1.0 \times {10}^{-2}$$

(5)

Accordingly, the Final Event Likelihood for the initiating event was recalculated as:

$$\begin{array}{ll}{\mathit{Final} \mathit{Event} \mathit{Likelihood}}_{\mathit{sensitivity}}& =\left(1.0 \times {10}^{-2}/year\right)\times \left(1.0 \times {10}^{-2}\right)\\ & =1.0\times {10}^{-4}/year\end{array}$$

(6)

This result is two orders of magnitude higher than the TMEL of 1.0 × 10⁻⁶. Therefore, under the common cause failure assumption for the shared control logic system, the target risk criterion is no longer satisfied. The results of the sensitivity analysis are summarized in

Table 9. Comparison of base-case and sensitivity-case LOPA results.

Case	Applicable IPLs	Total PFD	Final Event Likelihood (/Year)	TMEL Satisfaction
Base case	IPL-01, IPL-02, IPL-03, IPL-04	1.0 × 10−5	1.0 × 10−7	Satisfied
Sensitivity case	IPL-01, IPL-04	1.0 × 10−2	1.0 × 10−4	Not satisfied

.

This sensitivity analysis indicates that the quantitative adequacy of the prescriptive-based safety approach is highly dependent on the assumption that instrumented protection layers operate independently. Although the base-case analysis suggests that the required risk reduction can be achieved when all identified IPLs are credited independently, the sensitivity case shows that the risk reduction performance may be substantially overestimated if common cause dependencies exist between protection layers. In other words, the existence of multiple safeguards alone does not necessarily guarantee the expected level of risk reduction unless their independence is functionally ensured.

These results reinforce the practical importance of verifying the independence of control-related protection layers in hydrogen refueling stations. They also support the need for a more systematic safety framework that considers common cause failure, architectural separation, and lifecycle management of instrumented protection functions.

4.5. Consideration of the Need for Functional Safety

The required RRF determined in this study was 1.0 × 10⁴, which requires a high SIL if the risk is to be reduced using a single instrumentation-based protection layer [37]. While the target risk reduction was achieved through a combination of prescriptive-based IPLs, an equivalent SIL corresponding to the RRF would be required if functional safety were solely relied upon. Functional safety differs in that it is not limited to assigning a high SIL, but encompasses a comprehensive safety lifecycle management framework. This includes ensuring the independence of protection layers during the design stage, as well as conducting proof testing and maintaining operational records throughout the lifecycle. Functional safety can only be considered effectively implemented when such systematic management practices are in place. Although the combination of prescriptive-based IPLs may satisfy the TMEL from a quantitative perspective, it is difficult to guarantee that the risk reduction performance will be consistently maintained in real industrial environments. Therefore, functional safety, which provides systematic performance assurance and reliability management, serves as an effective additional safety measure.

In summary, the prescriptive-based approach is effective in ensuring a minimum level of safety, but it has limitations in guaranteeing the long-term performance of risk reduction measures. The results of this study demonstrate not only the quantitative adequacy of the prescriptive-based approach, but also highlight the need for a more integrated safety management framework, including operation, maintenance, and the assurance of independence among protection layers, to adequately address real accident risks.

4.6. Limitations

This study has several limitations that should be considered when interpreting the results. First, the analysis was conducted for a representative and conservative accident scenario rather than a full comparative risk ranking of all possible hydrogen refueling station accident scenarios. Second, the initiating event frequency and IPL/PFD values were adopted from representative reference sources such as CCPS because hydrogen-refueling-station-specific quantitative reliability data remain limited. Third, the reported risk reduction performance is conditional on assumptions regarding the independence of protection layers, proper maintenance, operator presence, and timely emergency response. Therefore, the results should be interpreted as a representative semi-quantitative evaluation of prescriptive safeguards rather than as a fully site-specific demonstration of risk acceptability under all operating conditions.

5. Conclusions

In this study, a representative accident scenario involving a large hydrogen release caused by the rupture of a high-pressure dispenser hose at a hydrogen refueling station was analyzed using the LOPA methodology, with the initiating event frequency adopted from the CCPS guidelines. The TMEL was set to 1.0 × 10⁻⁶ per year, and the corresponding RRF was determined to be 1.0 × 10⁴.

Safety devices specified in the KGS Code were applied as IPLs, and their PFD values were assigned based on the CCPS guidelines. The total PFD was calculated as 1.0 × 10⁻⁵, and the resulting Final Event Likelihood, obtained by multiplying the initiating event frequency by the total PFD, was 1.0 × 10⁻⁷ per year. This result satisfies the defined TMEL, indicating that the target risk level can be achieved for the selected scenario when all safety devices required by the prescriptive-based technical standards are properly implemented. However, these results are derived under assumptions that include the independence of protection layers, regular inspection and testing, proper maintenance, and the exclusion of common cause failures. In actual hydrogen refueling station operations, these conditions may not always be fully satisfied, and the results may vary depending on operational and environmental factors. Therefore, even if a facility is designed and constructed in full compliance with prescriptive-based technical standards, it is difficult to ensure that the risk reduction performance will be consistently maintained over time.

In conclusion, the prescriptive-based approach defined in the KGS Code can contribute to ensuring a minimum level of safety in hydrogen refueling stations. However, to secure the sustainability and reliability of risk reduction performance, it is necessary to integrate periodic risk assessment and functional safety frameworks. Future research should incorporate sensitivity analyses that consider factors such as common cause failures, maintenance deficiencies, and human errors, and should further examine the integrated application of functional safety frameworks based on IEC 61508 and IEC 61511 with prescriptive-based protection systems. Future research should also address the development of hydrogen-refueling-station-specific initiating event frequency data and quantitatively validated IPL/PFD values for more facility-specific risk evaluation.

This study does not conclude that the application of functional safety-based SIS is unnecessary when prescriptive-based technical standards are applied. Rather, it quantitatively demonstrates that a combination of prescriptive-based protection layers can achieve the target risk level only under ideal conditions. In other words, the prescriptive-based approach can ensure a baseline level of safety. However, the additional implementation of functional safety frameworks, including safety lifecycle management, assurance of independence, and systematic performance maintenance, can enable more reliable and safer operation of hydrogen refueling stations. Ultimately, such an integrated approach is expected to facilitate a more stable transition toward a hydrogen-based energy system.

From a regulatory perspective, the results suggest that KGS codes could be further strengthened by supplementing prescriptive installation requirements with more explicit provisions for periodic proof testing and verification of independence for key instrumented protection functions, such as ESD and gas detection systems.