Created by Lauren Reising in the summer of 2020 as a part of a directed studies course.
Introduction to Engineering Safety
Safety systems are crucial in any work environment, including labs like HYPER where we deal with cryogenic hydrogen that can leave you with severe injuries if not handled properly. This webpage was created for HYPER Lab members to:
- Provide easily accessible information about safety systems that will better prepare you to be a part of a safe laboratory.
- Provide resources to guide you through the process of developing and implementing your own safety plan.
The HYPER lab is primarily tasked with developing proof of concept experiments, typical of a university setting. This information is by no means comprehensive for a work place safety plan. More comprehensive information can be found at H2 Tools. We’ve compiled this information after consultation with multiple safety experts including Nick Barilo and the Department of Energy Hydrogen Safety Panel, David Farese from AirProducts, Tom Witte (formerly of AirProducts), NREL (National Renewable Energy Laboratory), and our lab’s founding membership with the International Center for Hydrogen Safety. Thank you to WSU safety professionals Shawn Ringo and Billy Schmuck for providing excellent tips and advice on this page.
If you would like to learn more about the directed studies course, see the ME 466 Introduction to Engineering Safety Syllabus.
Safety Dos and Don’ts
Before beginning any safety work, you need to get yourself in the right mindset. The dos and don’ts below, from Gullo and Dixon, Design for Safety (2018), are helpful to remember throughout the safety system design and implementation process.
Preliminary Hazard Analysis
All activities in the HYPER Lab need to first consider safety. The level of safety varies by project; you may not need a full safety plan for something simple like a quick hammer and drill modification. But it’s difficult to decide when a full safety plan is needed. We’ve created this simple HYPER Initial Project Safety Sheet to help determine the level of safety your activity needs. The following subsections provide additional detail and definitions necessary for completing the safety sheet.
1. Create a Block System Diagram
This is also known as a system definition diagram. Its purpose is to identify all of the types of energy present in your system so that you can then identify the potential hazards in your activity. The first law of thermodynamics requires energy to be conserved, which means the energy is going somewhere and you need to identify where. If you can’t track the energy, it can sneak up and hurt you.
Completing the following table will allow you to compile and expand on the information in your block system diagram drawing.
2. Evaluate the Hazards to Determine Overall Risk
In order to assess the overall risk of a particular system, you must first follow the steps below to assess each hazard within the system. This risk-table-based hazard analysis approach is adapted from the ANSI/AIHA Z10 standard.
Repeat each of the following steps for each hazard within the system:
- Assess the potential severity of the hazard.
- Determine the likely frequency of the hazard.
3. Calculate your Risk
Multiply the severity and frequency of a hazard together to find a risk rating for the particular hazard. Note that if your system has more than one hazard, you will need to add the risk ratings for each hazard together to arrive at your total risk.
Since academia typically performs proof-of-concept experiments with untrained operators, all of our projects need to be in the routine to low risk category. This safety planning process is designed to help people determine whether their risk is low or routine. If not, the full safety plan process is designed to take moderate to high risks and engineer safety systems to make them low or routine. For example, a 208 volt power supply would easily be moderate to high risk if used for the first time in human history. But with careful planning and error proofing, plugging in this type of cable is now low or routine risk.
Is your risk rating below 10?
Your activity is considered routine or low risk and likely doesn’t involve power greater than 1.5 kW or strong chemical or thermal sources. Use this simple, expedited safety system outline and procedure to design and implement your safety system.
Is your risk rating 10-25?
Your activity likely requires a lab specific training before beginning. This is because the amount of energy could send you to the hospital. Refer to the training section below and complete the training before having the sheet signed off by your team lead.
Is your risk rating greater than 25?
Your activity could send multiple people to the hospital and therefore requires a more formal safety plan and lab specific trainings before beginning. Proceed with the more formal safety plan below.
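As an added illustration (not part of the original page or HYPER’s own worksheet tooling), a small Python helper that applies the three steps above: it types each hazard by its energy source, multiplies severity by frequency, adds the ratings for every hazard, and maps the total to the three tiers. The severity and frequency scales are assumed to run 1 to 5, since the page’s tables are not reproduced here.

```python
"""Preliminary hazard analysis helper: risk rating and safety tier.

Constructed example, not HYPER's own worksheet or code. It assumes the
severity and frequency tables use 1..5 scales (those tables are not
reproduced on the page) and uses the page's thresholds: below 10 is
routine/low, 10 to 25 needs lab-specific training, above 25 needs a
formal safety plan.
"""
from dataclasses import dataclass

# Energy types from the block system diagram step, matching the lab's
# general training categories (mechanical, electrical, fluid, thermal, chemical).
ENERGY_TYPES = {"mechanical", "electrical", "fluid", "thermal", "chemical"}
SCALE = range(1, 6)  # assumed 1..5 rating scales


@dataclass(frozen=True)
class Hazard:
    energy_type: str
    description: str
    severity: int   # potential severity (1 = negligible .. 5 = fatal), assumed scale
    frequency: int  # likely frequency (1 = remote .. 5 = frequent), assumed scale

    def __post_init__(self):
        if self.energy_type not in ENERGY_TYPES:
            raise ValueError(f"unknown energy type: {self.energy_type}")
        if self.severity not in SCALE or self.frequency not in SCALE:
            raise ValueError("severity and frequency must be 1..5")

    def risk(self) -> int:
        # Step 3: severity x frequency for a single hazard.
        return self.severity * self.frequency


def total_risk(hazards) -> int:
    # Ratings of all hazards are added to get the system's total risk.
    return sum(h.risk() for h in hazards)


def safety_tier(rating: int) -> str:
    # Thresholds as stated on the page.
    if rating < 10:
        return "routine/low: use the expedited safety system outline"
    if rating <= 25:
        return "lab-specific training required; team lead signs off the sheet"
    return "formal safety plan and lab-specific trainings required"


def assess(hazards):
    """Return (total rating, tier, hazards ranked highest rating first)."""
    rating = total_risk(hazards)
    ranked = sorted(hazards, key=lambda h: h.risk(), reverse=True)
    return rating, safety_tier(rating), ranked


# Constructed sample worksheet for a small cryogenic bench test.
SAMPLE_HAZARDS = [
    Hazard("thermal", "liquid nitrogen splash during fill", 4, 2),
    Hazard("fluid", "compressed gas cylinder regulator failure", 3, 2),
    Hazard("electrical", "120 V heater supply below 1.5 kW", 2, 1),
]

if __name__ == "__main__":
    rating, tier, ranked = assess(SAMPLE_HAZARDS)
    print(f"total risk rating: {rating} -> {tier}")
    for h in ranked:
        print(f"  {h.risk():>2}  {h.energy_type:<10} {h.description}")
```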
Finishing the Initial Safety Worksheet
Once you have completed your preliminary hazard analysis, be sure to communicate your plan to others. At HYPER, we post our Initial Project Safety Sheets on clipboards next to your planned activity. You will need to get your worksheet approved by your team lead and/or Mark or Jake.
The HYPER lab conducts system specific trainings at the start of every trimester for new personnel and uses this opportunity to test all safety systems following the procedures in each system safety plan. In addition to these system specific trainings, the lab has the following general trainings:
- High Mechanical Power (machine shop and rotary machinery)
- High Electrical Power (anything greater than 208 volt power or 10 amps)
- High Fluid Power (vacuum or compressed gas)
- High Thermal Power (cryogenics, liquid nitrogen, etc.)
- High Chemical Power (fuels and oxidizers)
The safety systems in place at HYPER are based on the DOE (Department of Energy) Hydrogen Safety Panel’s Safety Planning for Hydrogen and Fuel Cell Projects – March 2016. The safety plan outline below is based around the safety plan outline in this document. To efficiently develop a full safety plan, you should begin this process when a design has completed a preliminary design review, or when the design is about 33% complete and the key components and how they’re connected are defined.
Safety Plan Outline
- Scope of Work
- Organizational Safety Information
- Project Safety
- Communication Plan
- Other Comments or Concerns
1) Scope of Work
Also known as system definition. Here we define the purpose, goals, and objectives of an activity, then the equipment, tools, parts, and people involved with the activity and how each will be used. A simple picture or sketch of these key things, and how they’re connected, is often the most efficient way to show them. Ultimately we need the same block system diagram as in the preliminary hazard analysis. The important part is to clearly define the boundaries of the system in question and the scope of work.
2) Organizational Safety Information
- Prior HYPER experience with a related system or activity
- Relevant HYPER safety trainings and plans
- Relevant WSU policies and procedures (Safety Policies and Procedures Manual)
- Relevant national standards and codes (National Fire Protection Association, Center for Hydrogen Safety, Compressed Gas Association, etc.)
- Clear delineation of authority and responsibility with contact information (e.g. you (the experimenter), Jake, Shawn Ringo or Jason Sampson (WSU safety officials), the WSU fire marshal, the city of Pullman fire marshal)
3) Project Safety
A step-by-step analysis of how to identify safety vulnerabilities (HAZOP), how to mitigate those safety vulnerabilities through careful operating procedures, how to respond to potential failures (FMEA), and how to analyze and correct if failures do occur (Fault Tree Analysis, Management of Change).
For an example of a safety plan in place at HYPER, see WSU CHEF Safety Plan – 2020.
HAZOP (Hazard and Operability Analysis)
The steps for completing a HAZOP are very similar to the preliminary hazard analysis you completed above, just much more comprehensive.
Step 1: Create Block Flow System Diagrams and Other Supporting Documents
The flow of the blocks should follow the primary energy vector from start to finish (e.g. the hydrogen is delivered, processed, and vented to the atmosphere). Each block is numbered and becomes a topic of the HAZOP. Ideally, the system is as fully designed as possible, with a Block System Diagram (see example below), a Plumbing and Instrumentation Diagram (P&ID) (see examples below), a Bill of Materials (see example: MHGU BILL OF MATERIALS 7-10-2020), and any other system layout drawings (bring these documents and lists with you to the HAZOP meeting). The more detail you can provide up front, the more robust your HAZOP will be.
HYPER Example Block System Diagram (from MHGU project):
HYPER Example P&IDs:
Step 2: Define Guide Words
For each block, the following guide words are applied to identify potential hazards for a system. The guide words are potential unwanted outcomes. Some example guide words we commonly use at HYPER include:
- High flow / Low/no flow
- High level / Low level
- High pressure / Low pressure
- High temperature / Low temperature
- High concentration / Low concentration
- High power / Low power
- Reverse / misdirected flow
- Leak / Rupture
- No movement / Unintended movement
This guide word list is by no means comprehensive. You need to evaluate the potential ways that the energy in your system could deviate from nominal operation. Include passive safety controls in this evaluation: they are less susceptible to guide word deviations, not immune to them.
Step 3: Perform HAZOP
For each block or node, each of the guide words above becomes a row or rows in the following table. Make sure not to skip a guide word.
This can take a while! For a typical block or node in a HYPER system, we estimate about 3 hours, which adds up to a week or two for an entire system. For an example of a HAZOP performed at HYPER, see HAZOP VCS Tank. When performing a HAZOP, assemble a team, assign roles (HAZOP lead, HAZOP veteran, note taker, document visual lead, and time keeper), and meet in a place where you can really focus and sustain the energy. Here are some example HYPER HAZOP guidelines and expectations:
- All team members have an equal say
- Any concern, no matter how inconsequential it appears, is fair to suggest
- All team members are expected to contribute
- Spin off questions derived from a deviation or what-if question will be given a priority before moving on
- Criticism of questions or ideas is not allowed
- The focus is to identify hazards, solutions can be discussed later
- Please refrain from emailing and texting, we will take breaks.
Always remember that your system operates within the bigger system of the university or a campus building. Deviations in these overarching systems can invalidate the assumptions that your HAZOP is predicated upon. Hence, lab members should sign up for WSU myFacilities event notifications. This will alert team members to potential service disruptions such as those affecting power and HVAC. Lab members should also sign up for WSU Alerts.
If you can’t fully mitigate the issue in the HAZOP (if you have deviations with no recommendations), this will become part of the FMEA (Failure Modes & Effects Analysis) in a later section. But first, we need to carefully list all of the operating procedures to ensure they comply and conform with the HAZOP.
If a multi-step process is going to be repeated in the future by anyone, it should be developed as a written procedure. Good procedures are part of our 6S system at HYPER. The six S’s are: sort, systemize, sweep, standardize, sustain, safety. As WSU’s assistant director for environmental health and safety, Shawn Ringo, says, “Poor housekeeping contributes significantly to injury frequencies, and as frequencies increase, so does the potential for more severe injury.” Example procedures could include:
- Make sure the area is sorted, systemized, and swept prior to starting
- Operation Readiness Inspection (ORI) and safety system testing
- Purging the system
- System startup
- Data sampling
- System shutdown
- System passivation for safe storage
See MHGU LH2 Transfer Standard Operating Procedure for an example checklist used in HYPER. These should be simple and easy to understand by someone unfamiliar with the experiment, including freshmen and firefighters/first responders.
After all operating procedures are developed and comply and conform with the HAZOP, the next step is to complete an FMEA based around the issues that could not be fully mitigated in the HAZOP.
FMEA (Failure Modes & Effects Analysis)
The important thing to understand when completing an FMEA is that it works in conjunction with the HAZOP. HAZOPs help you identify and minimize hazards. However, not all hazards can be totally mitigated, and the potential for failure, despite our best engineering, always exists. The Failure Modes & Effects Analysis matrix considers those remaining potential failure modes, how they will affect other systems, and what maintenance and detection processes should be in place. According to Safety Planning for Hydrogen and Fuel Cell Projects – March 2016, the FMEA process is meant to identify top level hazards and events. These are only the most severe, catastrophic events that a system could have. This information can be used for the Site Emergency Response Plan.
See the tables in the How to Begin a Safety Analysis section for severity and frequency. See the table below for how to quantify detectability.
Below is an example of an FMEA done at HYPER. This is a small part of a larger FMEA done by the H2Flo team.
When a safety control failure contributes to unacceptable risk outcomes, the FMEA table should identify the need for redundant safety controls.
The FMEA provides a detailed approach to mitigating potential hazards in a system. Academia most often performs proof-of-concept experiments which require approaches like the HAZOP and FMEA method. In the case of a higher risk experiment or project, a more thorough approach can be taken in which the HAZOP and FMEA are performed in addition to a Fault Tree Analysis (FTA).
Fault Tree Analysis (FTA)
FTA is typically performed in two situations:
- Scenario 1: during the design phase typically for high consequence vehicles, systems, etc.
This is typically part of a system safety assessment and related activities to ensure adequate levels of safety are provided. In regulated industries, there are typically regulations and standards that define the type of analysis required. This type of FTA, while important, is outside the scope of this webpage.
- Scenario 2: after a near miss, incident, or accident has occurred and you want to understand causes of the specific event, or other combination of failures that can result in the unwanted outcome.
In this scenario, FTA is performed when a deviation has occurred from the nominal operation plan (an unwanted outcome (near miss, incident, etc.) has occurred). FTA can be qualitative only or qualitative and quantitative. Most of the research in HYPER is completed on prototype proof-of-concepts, meaning we often do not have enough data for a rigorous fault tree analysis. The following steps on how to construct a fault tree are inspired by and adapted from the course Diagnosing Unwanted Outcomes™. This is a type of Root Cause Analysis (RCA) based on proven methods and tools such as Fault Tree Analysis and Failure Modes & Effects Analysis. Note that the creator of this course periodically offers heavily discounted courses for college engineering students.
The Fault Tree Analysis Process (supporting scenario 2 above):
- Define the system: quick summary of the deviation, block flow system diagram, list knowns, unknowns, and assumptions.
- Develop a fault tree: write the event sentence hierarchy (see the Diagnosing Unwanted Outcomes™ example below), draw the fault tree and apply the sentence hierarchy to the tree, and rank in order the most likely contributors to the fault. (For current FTA experts: Diagnosing Unwanted Outcomes™ and similar RCA methods reveal a single cut set of a larger fault tree, namely the cut set that occurred as part of the deviation.)
- Provide recommendations and a monitoring plan before executing a management of change process.
For an example of how a Fault Tree analysis is performed using Diagnosing Unwanted Outcomes™, see MHGU Unwanted Valve Opening Analysis.
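As an added example (not the MHGU valve analysis, the Diagnosing Unwanted Outcomes™ material, or any HYPER code), the following Python script evaluates a constructed fault tree of AND/OR gates: it derives the minimal cut sets for the top event, orders them so single-point failures come first (the qualitative ranking step above), and, when per-event probabilities are supplied, adds the quantitative rare-event approximation. The event names and probabilities are invented for illustration.

```python
"""Fault tree evaluation: minimal cut sets for an unwanted outcome.

Constructed example, not HYPER's MHGU valve analysis or the Diagnosing
Unwanted Outcomes(TM) material. The tree, event names and probabilities
below are invented for illustration only.
"""
from itertools import product

# Gates map an intermediate event to (gate type, child events).
# Any event not listed as a gate is a basic event (a leaf of the tree).
TREE = {
    "hydrogen released into lab": ("OR", ["transfer line leak", "overpressure vents indoors"]),
    "overpressure vents indoors": ("AND", ["tank overpressure", "outdoor vent line blocked"]),
    "tank overpressure": ("OR", ["heat leak above design", "uncontrolled fill"]),
    "uncontrolled fill": ("AND", ["fill valve stuck open", "fill interlock fails"]),
}


def _minimize(sets):
    """Drop any cut set that is a superset of another, keeping only minimal ones."""
    minimal = []
    for s in sorted(set(sets), key=lambda s: (len(s), sorted(s))):
        if not any(m <= s for m in minimal):
            minimal.append(s)
    return minimal


def minimal_cut_sets(event, tree=TREE):
    """Return the minimal cut sets of `event`, lowest order (fewest failures) first."""
    if event not in tree:
        return [frozenset([event])]  # basic event: it is its own single cut set
    gate, children = tree[event]
    child_sets = [minimal_cut_sets(c, tree) for c in children]
    if gate == "OR":
        # Any child's cut set alone causes the event.
        combined = [cs for sets in child_sets for cs in sets]
    elif gate == "AND":
        # One cut set from every child must occur together.
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate type {gate!r} at {event!r}")
    return _minimize(combined)


def top_event_probability(event, probs, tree=TREE):
    """Rare-event approximation: sum over cut sets of the product of leaf probabilities."""
    total = 0.0
    for cs in minimal_cut_sets(event, tree):
        p = 1.0
        for leaf in cs:
            p *= probs[leaf]
        total += p
    return total


# Constructed per-operation probabilities, used only for the quantitative pass.
PROBS = {
    "transfer line leak": 0.01,
    "outdoor vent line blocked": 0.02,
    "heat leak above design": 0.05,
    "fill valve stuck open": 0.10,
    "fill interlock fails": 0.05,
}

if __name__ == "__main__":
    top = "hydrogen released into lab"
    for cs in minimal_cut_sets(top):
        print(f"order {len(cs)}: " + " AND ".join(sorted(cs)))
    print(f"P(top) ~ {top_event_probability(top, PROBS):.4f}")
```

Order-1 cut sets are the single-point failures that most urgently need a redundant control; a root cause analysis after a deviation identifies which one of these cut sets actually occurred.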
Fault Tree Analysis is an effective way to either thoroughly identify potential hazards or to understand causes of a specific event (near miss, incident, accident). After identifying, analyzing, and mitigating potential hazards, there are often changes that need to be made to the experiment and overall safety plan. This is done through Management of Change.
Management of Change
When managing change to a system or project, it is helpful to have procedures in place to identify and make those changes. The following steps are an example of what we do here at HYPER and can be seen in the CHEF Management of Change Procedures document. We’ll first discuss the process, then tools to help facilitate, and finally communicating management of change.
Management of Change Process:
- A need to change is identified that involves changing a procedure, an operating set point, or a part or component layout.
- The change is discussed with at least two knowledgeable members of the lab to get second opinions on the necessity of the change. Details of what should be changed and how are discussed.
- A proposal for change is created, stating the need for change and details of what the change will include:
a. applicability and compliance with relevant engineering standards,
b. necessary sizing calculations,
c. details of implementation of the change, and
d. how the change affects this document, including HAZOP and FMEA matrix and operating procedures.
- The full proposal is discussed with the PI and experiment operators. If the details of the change are agreed upon, the change is implemented; otherwise the change is discarded or redesigned. The PI has the final decision on approval.
- Implement the changes. Document these changes (i.e. the proposal) for future reference. Communicate the implementation and completion of the changes with others in the lab through the proper lab Microsoft Teams channel.
- If procedures are affected by the change, update this document with new operating procedures. Detail any changes or updates to the document in the changelog at the end of the document.
- If new maintenance / safety concerns arise from the change, note them in the proper areas in this document.
Management of Change Tools:
The plumbing and instrumentation diagram used in the safety plan above is only part of the spectrum of components used by a system. We have these additional tools to manage part numbering and change. See the MHGU BILL OF MATERIALS 7-10-2020 for the system that H2Flo uses. To learn more about the Bill of Materials, see How to Procure Parts Easily and Efficiently – The HYPER Way.
Communicating Management of Change:
The above change tools and procedure automatically update the most current safety plan in the experiment’s Microsoft Teams channel. However, you should still post a note to the channel notifying everyone of the change.
Even seasoned experimentalists can be caught off guard by an assistant making changes and not properly notifying everyone. Management of change procedures are important to take into account when constructing a lab safety plan. If a change slips through the cracks or fails to work as intended, it is important to be prepared with emergency response plans and procedures.
What exactly is an emergency and how do you respond to one? There is no exact definition that can prepare you for an emergency situation. Generally, if you’re concerned about severe damage to people and/or equipment, that is considered an emergency. Proper training and continually improving judgement and discretion can help prepare you for emergencies and how to respond to them.
With cryogenic hydrogen, everything should go as planned. However, with complex systems, it’s impossible to plan for everything. Our near miss in 2016 was a close call but the judgement and discretions applied in the situation prevented an incident. Below are the emergency response steps in place at HYPER.
HYPER Emergency Response Steps:
- Follow the system safety plan shut down procedure (note that all of our systems are designed to safe themselves if left alone, however this is only a last resort).
- Should deviations occur from the system safety plan shut down procedure, call the PI (Jake) and exercise judgement and discretion to manually safe the system (also empower others to use their own judgement and discretion).
- If an emergency or incident is unavoidable, refer to the emergency site response plan and follow the steps to communicate and notify relevant authorities. Call 911 whenever additional assistance could mitigate damage to people or property. It is a free resource.
For an example of an emergency response plan in place at HYPER within the H2Flo team, see HYPER Emergency Plan 001 – Hydrogen Research Station.
Note: any safety plan should include Material Safety Data Sheets (MSDS) for all chemicals in or around the experiment. This should conclude the safety plan.
The purpose of developing a safety plan is to reduce the risk of unwanted outcomes from occurring in your workplace, but it is impossible to completely eliminate risk factors. Part of safety is continual improvement. Learn from everything.
Mistakes happen. Don’t grade them. Fix them. Fix them so that they never happen again.
Here at HYPER we are learning every day to develop the first cryogenic hydrogen lab at a university while training the next leaders in engineering. We have never had an accident in the ten years we’ve existed. This demonstrates the potential safety of this field in the future. However, we must continue to fiercely manage and reduce our risk until the point where we realize our lab’s vision for hydrogen to be safer than conventional fuels for the general public.