International Journal of Hydrogen Energy 51 (2024) 1096–1119

Design and implementation of the safety system of a solar-driven smart micro-grid comprising hydrogen production for electricity & cooling
Franco Ferrucci
GEPASUD Laboratory, University of French Polynesia, BP 6570, 98702 Tahiti, French Polynesia


Keywords: Safety system design; Hydrogen safety; Heat recovery

This article presents a comprehensive description of the safety system of a real installation that comprises PV panels, lithium-ion batteries, an electrolyzer, H2 storage, a fuel cell, and a barium chloride/ammonia thermochemical prototype for heat recovery and cooling production. Such a system allows for the increase of the overall efficiency of the H2 chain by exploiting the waste heat and transforming it into a cooling effect, particularly useful in tropical regions like French Polynesia.

The study provides a great deal of detail regarding practical aspects of the system implementation and a consistent reference to the relevant standards and regulations applicable to the subject matter. More specifically, the study covers the ATEX classification of the site, the safety features of each component, the electrical power distribution, the main safety instrumented system, fire safety and the forced ventilation system. The study also includes a safety assessment and a section on lessons learned that could serve as guidance for future installations. In addition, an extensive amount of technical data is readily available to the reader in a repository (P&ID, electrical diagrams, etc.).

1. Introduction

The energy situation in tropical insular regions, such as French Polynesia, poses several challenges, including heavy reliance on imported fuel, expensive mainland transport, and weak electricity grids. However, these regions boast abundant renewable energy resources, making them well-suited for smart microgrids and energy storage technologies. In terms of electricity demand, the consistently high temperatures in these areas result in a significant portion of energy usage (about 40%) dedicated to space cooling.

French Polynesia encompasses over one hundred islands and atolls, spanning an area roughly equivalent to Western Europe [1]. A significant portion of these islands remains uninhabited, while others have sparse populations. The region’s primary energy imports account for more than 94% of total energy consumption, rendering it vulnerable to fluctuating oil prices [2]. Additionally, the cost of electricity for a small household (3000 kWh/year) stands at around 0.50 USD/kWh [3], surpassing prices in North America [4] and Europe [5] by two to threefold.

On a positive note, French Polynesia boasts abundant renewable resources, particularly solar energy. For instance, the average global solar horizontal irradiation across the most populated islands amounts to 5.8 kWh/m2/day [6]. Such high solar potential makes solar energy exploitation in French Polynesia an enticing prospect, especially for photovoltaic technology due to its maturity, decreasing costs, and suitability for projects of varying scales. Refer, for instance, to the work of Bosetti [7] for insight into the future prospects of photovoltaic technology, and to the article by Zhang [8] for an assessment of PV technologies from the sustainability perspective.

Despite the aforementioned points, the inherent stochastic nature of solar energy poses a challenge as its production cannot be easily regulated to meet electricity demands. However, the integration of smart electricity grids with energy storage systems has emerged as a successful solution to overcome these difficulties [9]. In this context, Lamnatou [10] provides a review of smart-grids state-of-the-art in relation to photovoltaic electricity, storage systems, buildings and the environment.

Concerning electricity storage, Koohi-Fayegh [11] provides a review of energy storage types, applications, and recent developments, including thermochemical and hydrogen technologies, both of which are employed within the context of this study. Among the array of available storage technologies, hydrogen is being increasingly explored as a viable alternative to lithium-ion (Li-ion) batteries for various applications, such as seasonal storage, power systems [12] and

Nomenclature & abbreviations

1oo2 One-out-of-two configuration (in the context of safety systems with redundancy)
316L Marine grade stainless steel
AC Alternating current or Air conditioning
ASHRAE American Society of Heating, Refrigerating and Air-Conditioning Engineers
ATEX Explosive atmosphere (from the French ATmosphere EXplosible)
atm atmosphere
ASTM American Society for Testing and Materials
AVG Average
B10 Bearing life (i.e. the point at which 10% of units in a population will fail)
BaCl2 Barium chloride
barg bar gauge (i.e. pressure referenced to atmospheric pressure)
Buna-N Nitrile butadiene rubber (tubing material)
CCF Common cause failure
coord Coordinates (used in the text to identify elements in the figures)
DC Direct current or Diagnostic coverage
EN European Standard (from the German name Europäische Norm)
ENG Expanded natural graphite
EU European Union
FP French Polynesia
H Height
H2 Hydrogen
HVAC Heating, ventilating and air conditioning
IEC International Electrotechnical Commission
INERIS French National Institute for Industrial Environment and Risks (from the French Institut national de l’environnement industriel et des risques)
ISO International Organization for Standardization
L, l Liter or length
LFL Lower flammability limit
MCB Miniature circuit breaker
MPP Maximum power point
MPPT Maximum power point tracking
MTTF Mean time to failure
MVC Mechanical vapor compression refrigeration cycle
N Normal (see NTP)
N2 Nitrogen gas
NC Normally closed
NE Negligible extent
NF French standard (from the French name Norme Française)
NH3 Ammonia
NIST National Institute of Standards and Technology (United States Department of Commerce)
NO Normally open
NOP Number of operations
NTP Normal temperature and pressure (NIST definition)
P Pressure
PA Polyamide (tubing material)
PEM Proton-exchange membrane
PFH Probability of a dangerous failure per hour
PL Performance level (ISO 13849-1 standard)
PLr Required performance level (ISO 13849-1 standard)
PLC Programmable logic controller
PV Photovoltaic
R-717 Ammonia (ASHRAE refrigerant code)
PRV Pressure relief valve
P&ID Piping & instrumentation diagram
RECIF Micro-RÉseau isolé de Cogénération Intelligente d’électricité/Froid (French for isolated micro-grid for smart cogeneration of electricity/cold)
SCADA Supervisory control and data acquisition
SIL Safety integrity level (IEC 61508 standard series)
SIS Safety instrumented system
SIF Safety instrumented function
T Temperature
TPRD Thermal pressure relief device
TR Thermochemical reactor
UFL Upper flammability limit
v/v Volume fraction
W Width

Greek letters
λ Failure rate

Subscripts
D Dangerous or Detected
U Undetected

transportation [13]. Another benefit is the fact that hydrogen systems can be easily scaled up to meet growing energy demands. Furthermore, hydrogen can be produced from renewable energy using electrolyzers which split water into its constituent elements, hydrogen and oxygen. Subsequently, electricity can be produced from hydrogen in a fuel cell. However, electrolyzers and fuel cells have limited efficiencies (~40–80%), meaning that a non-negligible amount of energy is released as heat into the environment. For a critical review of hydrogen energy systems, including applications, trends, and challenges, see the work by Yue [14].

In this context, the RECIF project [15] was launched in 2018 with the objective of studying and implementing a smart micro-grid that couples a hydrogen chain (electrolyzer + storage + fuel cell) with a thermochemical unit in the tropical insular region of French Polynesia. The thermochemical unit is designed to recover waste heat from the electrolyzer and fuel cell to enable deferred cooling production for air conditioning purposes. This coupling permits an improvement in the overall efficiency of the installation, distinguishing it from other installations that release heat into the environment (refer to, for example, the work of N. Endo [16]).

In broader terms, the RECIF project revolves around the integration of hydrogen in smart buildings and smart grids. In that context, readers can refer to the work by Lin [17], which provides a comprehensive overview of the subject. Moving to a more practical aspect, Valverde [18,19] presents an example of an experimental set-up focusing on the modeling & real-time control of an installation that comprises a hydrogen chain. It’s important to note that the proposed set-up does not include heat recovery.

Thermochemical processes enable the storage of energy in the form of chemical potential with virtually no losses, which can be used to produce cold during the evening hours without the need for running a compressor. These processes are implemented using thermochemical reactors, where a reversible chemical reaction between a solid compound and a gas takes place. This technology has found its footing in solar cooling applications, where it is mainly utilized in conjunction with solar thermal collectors. Detailed reviews of these systems are provided by Kim [20] and Ferreira [21]. A recent application of this technology is seen in the MiniStor project [22] (2019–2024), which
combines photovoltaic thermal systems, solar collectors, thermochemical technology, and phase-change materials for thermal energy storage, heating, and cooling production.

The thermochemical solid/gas pair used in the RECIF installation is barium chloride salt (BaCl2) reacting with ammonia (NH3), which also serves as the coolant fluid in the refrigeration circuit [6]. This pair has the advantage of being able to work with heating sources of relatively low temperature (55 °C), making it compatible with PEM electrolyzers and fuel cells. A comprehensive review of PEM fuel cells and electrolyzers heat recovery methods has been conducted by Wilberforce [23].

The RECIF installation is located on the campus of French Polynesia University and it comprises a hybrid inverter, PV panels, a PEM electrolyzer for H2 production, a H2 storage tank, a PEM fuel cell for electricity production from stored H2, a Li-ion battery pack for power balance and short-term energy storage, a controllable electrical load, and a custom-made air conditioning system with a barium chloride/ammonia thermochemical unit. All these components are installed in a 20-foot container.

The commissioning of such an installation was very challenging, mainly due to the lack of experience in the territory with this type of installation and an unclear regulatory context regarding safety systems and explosive atmospheres. It is worth mentioning that the fuel cell from RECIF project is the only one installed in French Polynesia so far. Based on the author’s experience in safety systems, the project team decided to undertake in-house the development of the safety system, with the valuable support and expertise of an international inspection and certification company.

This article focuses on the technical, practical and regulatory aspects of the safety system of RECIF installation. Readers can also refer to other research works for a more in-depth understanding of ventilation aspects in relation to other hydrogen installations, such as the studies performed by Dixit [24], Lee [25], Cerchiara [26] and Patel [27]. In the former three articles, the ventilation design and sensor placement are analyzed with the aid of computational fluid dynamics (CFD), while the latter takes a more experimental approach. Other researchers focus their attention on the analysis of incidental events databases and the lessons learned from them. Refer, for example, to the work of J. Wen [28] and M. West [29] for more information. In a similar theme to that of this work, Nieto [30] presents a preliminary study regarding the adequacy of a laboratory to accommodate electrolyzers, hydrogen storage, and fuel cells, covering hazardous area classification and ventilation design.

The rest of this work is organized as follows. Section 2 presents the regulatory context of installations involving H2 and NH3, where an explosive atmosphere may be formed. Section 3 provides a description of the RECIF installation and site. Section 4 offers a comprehensive examination of the safety system. Section 5 presents the discussions. Section 6 lays out the conclusions of the work. Finally, the Appendix provides additional information about the installation and the safety system.

2. Regulatory context

2.1. Explosive atmospheres

In the European regulatory context, the use of hydrogen is governed by various regulations and standards aimed at ensuring safety, environmental protection, and harmonized practices. They include European Union (EU) Directives, safety standards and harmonized certification and approval. The regulations for hazardous locations are covered by the ATEX (ATmosphères EXplosibles) directives, which set out the requirements for equipment and protective systems intended for use in potentially explosive atmospheres. The standards that cover explosive atmospheres correspond to the EN 60079 series.

In France, the EU ATEX directives were transposed into law by a number of decrees amending the Labor Code, notably articles 4216-31 and 4227-42 to 4227-54 [31].

French Polynesia has a Labor Code that slightly differs from the French one and some of the articles related to explosive atmospheres have been left out. This unclear regulatory context produced an initial confusion about the legal requirements of the installation regarding explosion prevention & safety. Finally, in consultation with the inspection and certification company that was commissioned to validate the installation, it was decided to follow the French code.

2.2. Use of ammonia in refrigeration systems

Ammonia (NH3) is an efficient refrigerant due to its superior thermodynamic properties. NH3 has the advantages of being readily available and inexpensive; it does not contribute to ozone layer depletion, greenhouse effect or global warming, and it is biodegradable [32]. However, its toxicity is such that it requires taking unique safety measures. Ammonia is a lighter-than-air gas with a unique pungent odor and can be easily detected by smell when the concentration is well below any dangerous level.

In Europe, the use of NH3 as a refrigerant is governed by the EN 378 standard series [33–35], which sets the safety and environmental requirements for refrigeration systems and heat pumps. According to this standard, ammonia is classified in the safety group B2L, which means that it is considered to have mild flammability and high toxicity. Table 11 in the Appendix gives information about the flammability and occupational exposure limits of ammonia.

3. Installation description

3.1. Overview

Fig. 1 shows a block diagram of RECIF installation, comprising the following components: a hybrid inverter, PV panels, a Li-ion battery pack, a PEM electrolyzer for H2 production, a H2 storage tank, a PEM fuel cell for electricity production from stored H2, a controllable electrical load and a custom-made air conditioning system with a thermochemical unit for thermal energy storage and deferred cold production. Table 1 summarizes the technical specifications of the system components.

The inverter is connected to the grid and it can also work off-grid (hence the term hybrid inverter), acting as a 3-phase voltage generator. When connected to the grid, the inverter can either draw power to supply the inverter’s AC output, or it can channel power generated by the PV panels into the grid. The electrical load corresponds to a custom-made single-phase AC load emulator, comprising an array of power resistors controllable by a network link. The thermal load shown in Fig. 1 corresponds to the space inside the container in which the components are installed, which needs air conditioning.

The inverter also features a DC connection, where the Li-ion battery pack and the fuel cell are linked. This input serves to draw power from the battery (with a fast response time) and/or the fuel cell (with a slower response time) when there is insufficient PV power to meet the load demand, and when the grid is inaccessible or deliberately avoided. In this scenario, the fuel cell functions as a controllable current source connected in parallel to the battery pack (refer to Fig. 11 for a detailed illustration of this arrangement), charging the battery while potentially supplying power to the inverter. Conversely, the inverter’s DC connection is also utilized for charging the Li-ion batteries using surplus electricity generated by the PV panels.

The air conditioning system corresponds to an ammonia-refrigerant mechanical vapor compression (MVC) refrigeration unit (i.e. evaporator, compressor, condenser, reservoir and throttling valve) for instantaneous cold production and a thermochemical unit for energy storage and deferred cold production. The thermochemical storage recovers heat from the electrolyzer and fuel cell and transforms it into chemical potential energy that is used later to produce a cooling effect without the need to run the electrical compressor. The unit is a prototype

Fig. 1. General block diagram of RECIF installation.

built by the author of this article during his PhD studies [36].

The power flow between all the components is controlled by a supervisory control and data acquisition (SCADA) system that implements an optimization strategy and it is enhanced by a weather short-term forecasting (sky imaging and a neural network algorithm) and an electrical & thermal load forecasting. The forecasting and optimization work was the subject matter of two PhD theses under RECIF project (see Refs. [37,38]). While not depicted in Fig. 1, the SCADA system receives information from all system components to enable its operation. This includes data such as instantaneous electrical power from all components, battery state of charge, available H2 mass, thermal heat transfers, and more.

In broad terms, the primary goal of the installation is twofold: to provide power to the electrical load and maintain a suitable level of thermal comfort inside the container. All of this must be achieved while minimizing, or even avoiding, power drawn from the grid and optimizing the system performance, thereby extending the lifespan of key components such as the fuel cell, electrolyzer, and Li-ion batteries.

3.2. Site

The RECIF facility is located on the campus of the University of French Polynesia, in Punaauia, Tahiti, French Polynesia. It consists of a conventional 20-foot container (L × H × W: 6 m × 2.60 m × 2.44 m) specially fitted out, installed on a concrete slab inside a fenced enclosure whose access is strictly reserved for operators. Fig. 2 shows some photographs of the installation and Fig. 3 presents an isometric sketch with all the main components. Note that the PV panels do not appear in the photographs since their installation is ongoing. The container is located ~10 m away from a pre-existing machine room that contains the chiller system of one of the buildings of the University.

The container has a side access door and two hinged doors at both ends and it is divided into two by a metallic wall that provides a physical separation against gas leaks. The division creates two isolated spaces, namely closed space and open space. The former (~25 m3) contains most of the equipment (electrolyzer, fuel cell, etc.) and it is where the operators work (2 people). The latter (~8 m3) has two openings of 2 m2 each, protected by a wire mesh, and contains a distilled water tank, an 850L H2 reservoir and a number of maneuver, safety and instrumentation devices. Fig. 4 shows some photographs of the container closed and open spaces.

3.3. Piping & instrumentation

In this section the piping & instrumentation diagram (P&ID) of the installation is described (Figs. 5–9). Note that all the components have a distinct nomenclature which is listed in Appendix, Table 12.

Fig. 5 depicts the P&ID of the container open space, where the H2 tank is located. There are two H2 wall crossings between the open and closed space of the container that connect to the electrolyzer and fuel cell. Since this zone is classified as Zone 2 (see Sec. 4.1), all the instrumentation installed there is ATEX-certified. The pressure and temperature transmitters TT001 and PT001 (D5 coord.) allow for an estimation of the content of gas in the H2 tank while the flow rate meter FT001 (D3 coord.) is used to compute the fuel cell gas consumption (0–30 NL/min, 5 bar max). The pressure regulator PV001 is used to fix the fuel cell inlet pressure to 4 bar. The solenoid valve FV002 is part of the safety system and interrupts the gas supply to the fuel cell. A number of other components shown in Fig. 5 also belong to the safety system of the installation and are further developed in Sec. 4.5.1.

Fig. 6 shows the water circuit that feeds the electrolyzer. It is composed of two demineralized water tanks, a pump and a demineralizer. Water from the first tank (1 m3 reservoir with demineralized water, <50 μS/cm) passes through the pump and demineralizer and it is stored in the second tank (100L reservoir with ASTM type-II demineralized water). An outlet of this second tank is connected to the electrolyzer water inlet. Additionally, the condensed humidity extracted by the H2 dryer is recycled back to the first tank.

Figs. 7 and 8 show the electrolyzer/dryer and the fuel cell, respectively. The electrolyzer and fuel cell are cooled by a common water circuit, as described below.

The path of H2 flow, from production to storage, is as follows: H2 gas exits the electrolyzer (Fig. 7, coord. D7) through a stainless-steel tube and passes through the metallic wall that separates the container’s closed space from the container’s open space (refer to bulkhead union fitting X106 in Fig. 5, coord. C2) to reach the H2 reservoir, shown in Fig. 5, coord. E6.

The H2 flow path from storage to consumption is as follows: H2 from the reservoir crosses the same metallic wall (refer to bulkhead union fitting X004 in Fig. 5, coord. D2) and reaches the fuel cell, as indicated in Fig. 8, coord. B3. Most of this path is comprised of stainless-steel tubing, except for the last meter, which employs a flexible connection (refer to component X111 in Fig. 8, coord. B4) compatible with pressurized H2 gas circuits.
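
The tank-content estimate from the pressure and temperature transmitters, as an added illustration that is not taken from the article or from the RECIF SCADA code. It goes one step beyond the text by comparing the estimated mass drop with the FT001 flow integral, so that a leak or a faulty or falsified transmitter value shows up as a residual; the virial coefficient, the plausibility limits, the tolerance and all sample readings are assumptions constructed for the example.

```python
from dataclasses import dataclass

R = 8.314462618         # J/(mol*K), molar gas constant
M_H2 = 2.01588e-3       # kg/mol, molar mass of H2
P_ATM = 101_325.0       # Pa, 1 atm
T_NTP = 293.15          # K, NIST normal temperature (20 degC)
TANK_VOLUME_M3 = 0.850  # 850 L tank (Table 1)
TANK_P_MAX_BARG = 50.0  # 50 bar max (Table 1)
B_H2 = 14.8e-6          # m3/mol, ASSUMED second virial coefficient of H2 near 300 K
TOLERANCE_KG = 0.02     # ASSUMED allowance for transmitter and flow-meter error


@dataclass(frozen=True)
class Sample:
    t_s: float          # time stamp, s
    p_barg: float       # PT001 reading (pressure), bar gauge
    temp_c: float       # TT001 reading (temperature), degC
    flow_nl_min: float  # FT001 reading, normal litres per minute


def tank_mass_kg(p_barg, temp_c):
    """H2 mass in the tank from one pressure/temperature pair (virial real-gas law)."""
    if not 0.0 <= p_barg <= TANK_P_MAX_BARG:
        raise ValueError(f"PT001 reading out of range: {p_barg} barg")
    if not -40.0 <= temp_c <= 85.0:  # ASSUMED plausible span for the transmitter
        raise ValueError(f"TT001 reading out of range: {temp_c} degC")
    p_abs = p_barg * 1e5 + P_ATM          # gauge -> absolute pressure, Pa
    t_k = temp_c + 273.15
    z = 1.0 + B_H2 * p_abs / (R * t_k)    # compressibility factor
    return p_abs * TANK_VOLUME_M3 / (z * R * t_k) * M_H2


def normal_litres_to_kg(normal_litres):
    """Convert a gas volume at NTP (20 degC, 1 atm) to kilograms of H2."""
    return P_ATM * (normal_litres / 1000.0) / (R * T_NTP) * M_H2


def mass_balance(samples, tolerance_kg=TOLERANCE_KG):
    """Compare the tank mass drop (PT001/TT001) with the FT001 flow integral.

    Only meaningful while the electrolyzer is not filling the tank; the
    article states that electrolyzer and fuel cell never run together.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    metered = 0.0
    for prev, cur in zip(samples, samples[1:]):
        dt_min = (cur.t_s - prev.t_s) / 60.0
        if dt_min <= 0:
            raise ValueError("time stamps must increase")
        # trapezoidal integration of the flow reading over the interval
        metered += normal_litres_to_kg(
            0.5 * (prev.flow_nl_min + cur.flow_nl_min) * dt_min)
    first, last = samples[0], samples[-1]
    drop = (tank_mass_kg(first.p_barg, first.temp_c)
            - tank_mass_kg(last.p_barg, last.temp_c))
    residual = drop - metered  # > 0: gas left the tank without passing FT001
    return {"drop_kg": drop, "metered_kg": metered, "residual_kg": residual,
            "consistent": abs(residual) <= tolerance_kg}


def constructed_run(p_end_barg):
    """Constructed one-hour record: 10-minute samples, 30 degC, 16.7 NL/min draw."""
    return [Sample(600.0 * i, 25.0 + (p_end_barg - 25.0) * i / 6, 30.0, 16.7)
            for i in range(7)]


NORMAL = constructed_run(23.73)  # pressure drop that matches the metered draw
LEAK = constructed_run(22.50)    # larger drop than FT001 accounts for

if __name__ == "__main__":
    for name, run in (("normal", NORMAL), ("leak", LEAK)):
        print(name, mass_balance(run))
```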

Table 1
System components specifications.

Function | Component | Specifications
H2 production | PEM electrolyzer | Nominal: 5.5 kWelec (AC input with internal AC/DC converter), 1Nm3/h H2, 50bar max, 5L/h demineralized water, water-cooled, 1.3kWth, 70 °C max. Operating point: 2.1kWelec, 0.64Nm3/h H2 (53 g/h H2), 25bar max, η = 0.71.
 | H2 dryer | O2 and water removal. 0.4 kWelec nominal, 1.8 kWelec at startup, 1Nm3/h H2, 50bar max.
H2 storage | H2 storage tank | 850L, 50 bar max. Type IV pressure vessel.
H2 utilization | PEM fuel cell | P = 0–1.4kWelec. Stack: 0–80A, 0–18VDC, followed by an internal DC/DC converter to interface with the 48VDC battery bus. ηmax ≈ 53%, 1Nm3/h H2 (80 g/h H2), water-cooled, 70 °C max. Input pressure: 4 bar.
Water storage and demineralization | Water tanks & demineralizer | 1000L untreated water tank, 100L demineralized water tank. Demineralization capacity: 7L/min.
Electrical storage | Li-ion batteries | LiFePO4, 2 × 2.4 kWh (parallel connection), 48V, 25A charge/discharge nominal, <6000 cycles.
Generic electrical load | Electrical load | Custom-made AC load emulator, comprising an array of power resistors. Range: 0–3 kW in steps of ~11W, controllable via Modbus protocol.
Electricity flow management | Inverter | Output: 10 kW (400V ~3AC, 3.3 kW per phase). PV: 2 MPPT inputs, 15kWPV,max. Grid: 10 kW grid input (400V ~3AC). Battery: 48VDC, 200Amax.
Renewable electricity production | PV panels | 4.9kWMPP, 23m2 (12 panels, three different models, bifacial, 17° elevation, north-oriented). PV panels shared with PVCAM program [39].
NH3-based air conditioning | Thermochemical | 3kWe compressor (variable speed); 6kWth cooling capacity; cooling temperature range: 15° .+10°.
Thermochemical storage | Thermochemical reactor | Salt pair: BaCl2/NH3. 13.6 kg BaCl2, 2.21 kg ENG, 9 kg NH3, 100 L, 3 kWhth of cooling production @ 7 °C.

Fig. 9 shows the cooling water system of the installation and the thermochemical prototype. The water system has two main functions: (a) to extract heat from the electrolyzer and fuel cell (which are never turned on at the same time) and transport it either to the thermochemical reactor (TR) for energy storage or, if the TR cannot absorb any more heat, to a water-air heat exchanger installed outside the container (HX101, C1 coord.); (b) to cool down the TR (by connecting it to HX101) when the thermochemical prototype is using the energy previously stored to produce a cooling effect (without the need of the electrical compressor of the MVC cycle). A detailed working principle of the thermochemical prototype can be found in Ref. [6] and its basic operating modes are also described in Appendix A.4.
As indicated in Table 1, the thermochemical prototype has 9 kg of NH3. This charge agrees with the limits imposed by EN 378-1 [33] for a site with access category ‘c’ (reserved access), site classification ‘class IV’, i.e. ventilated enclosure, machine room (see EN 378-1, §C.1). As ‘class IV’, the site respects the requirements for a ventilated enclosure stated in EN 378-2 [34], §6.2.15 (requirements for ventilated enclosures).

Fig. 2. Photographs of RECIF site (installation of PV panels is ongoing). Site geolocation: 17°34′34.2″S 149°36′33.7″W.

4. Safety system

As mentioned in the introduction, the RECIF installation has an automatic safety system that protects the facility and personnel from the following risks: i) fire hazard, ii) explosion risks related to H2 and NH3 gases and iii) poisoning risk associated with NH3.

This section describes the safety system and is organized as follows. Sec. 4.1 gives an overview of the risk analysis performed during the project conception and the resulting ATEX zone classification retained. Sec. 4.2 describes the electrical power distribution. Sec. 4.3 details the container ventilation system and its operating modes. Sec. 4.4 presents the fire safety measures. Sec. 4.5 describes the safety system integrated into the individual equipment. Lastly, Sec. 4.6 discusses the automatic safety instrumented system that protects the overall installation.

4.1. Classification of ATEX areas & risk analysis

The methodology adopted to determine the presence of ATEX zones is divided into three steps:

a. Identify substances that may release flammable gases or vapors implemented at the RECIF site.
b. Locate areas where explosive atmospheres may occur based on the implemented processes.
c. Through the application of standard IEC 60079-10-1 [41], define the nature of ATEX zones (Z0, Z1, Z2, Z2-NE [negligible extent] or non-hazardous zone) and their extent. See example E.3 from that standard. In certain situations, validate the contribution of forced ventilation in conjunction with the safety system operation in diluting potential emissions of NH3 and H2 through a simulation, as it will be shown in Sec. 5.2.

The resulting hazardous area classification is commonly depicted in two-dimensional views of the installation, as shown in Fig. 10 for the RECIF installation. In these views, each hazardous area is displayed using a distinctive hatch pattern.

The application of the aforementioned standard led to the identification of eight hazardous areas (#1 to #8 in Fig. 10). Many of the hazardous areas have a spherical shape (possibly limited by walls, floor, ceiling, etc.), centered around the potential leak origin or gas discharge source. This configuration applies to areas #2, #4, #5, #6 and #8. The radii of the spheres were determined by the aforementioned standard (refer to Figure D.1 of [41]). Area #1 pertains to the container’s open space, where H2 storage and distribution are carried out (refer to the bottom-center photograph in Fig. 4). Area #3 refers to the regions

Fig. 3. Isometric view of RECIF site once the solar panels and the corresponding structure are installed.

Fig. 4. Photographs of container open and closed spaces: (1) Fuel cell (2) Electrolyzer (3) Dryer (4) Thermochemical reactor (5) Extractor #1 (6) H2 transmitter #1 (7) NH3 transmitter (8) H2 transmitter #2 (9) Automatic fire extinguisher (10) Water demineralizer (11) Bottom air vent (12) Top air vent (13) 100L distilled water tank (14) Inverter (15) CAB-3 cabinet(*) (16) Transformer(*) (17) Cooling water system (18) Air conditioner(**) (19) Visual alarm (20) Extractor #2 (21) Thermochemical prototype (22) Network rack (23) PC with SCADA (24) CAB-2 cabinet, exterior (25) 1 m3 water tank (26) H2 tank (27) H2 purges (28) H2 distribution. (*) See electrical diagram in Ref. [46]. (**) Does not correspond to the thermochemical unit; used to acclimatize the room when the thermochemical prototype is not in operation.

immediately outside the two 2 m2 ventilation grids placed on each side of the container’s open space. Lastly, area #7 corresponds to the container’s closed space, where the main components are situated (refer to the three upper photographs in Fig. 4). It’s important to note that this area is classified as a non-hazardous zone due to the combined operation of the forced ventilation and the safety system (see Sec. 5.2).

Regarding the quantitative risk analysis, it followed a procedure suggested by the inspection & certification company specialized in ATEX installations commissioned to validate RECIF installation, using a number of matrices, namely: explosion probability matrix, ignition sources probability matrix, severity matrix and explosion risk matrix. This analysis made it possible to define the measures to be taken (both technical and

Fig. 5. P&ID, hydrogen storage and distribution.

Fig. 6. P&ID, water storage and demineralization to feed the electrolyzer.

organizational) to ensure that the ignition of a possible explosive atmosphere cannot occur within the framework of the normal use of the equipment and the installation.

4.2. Electrical power distribution

Fig. 11 shows a simplified view of the electricity distribution of RECIF installation. The complete electrical diagram of the installation is fully available at [46].

The installation has two distinct power supplies, namely conventional AC power and safety system AC power, which come from the same connection point to the 3-phase AC utility power. This connection is done in ‘CAB-1’ electrical cabinet, installed in a pre-existing machine room that is located 10 m away from the container (see Fig. 3).

The two power supplies are protected against short-circuits and overcurrent by electromagnetic MCB (-Q.1.1 & -Q.1.2), which are mechanically linked to undervoltage release coils. These last devices are commanded by an emergency stop button (-S.1.0, Fig. 11, B2 coord.) which triggers a power trip when pushed. This emergency button is used in case of a maintenance operation or, for instance, in case of a

Fig. 7. P&ID, electrolyzer & dryer.

Fig. 8. P&ID, hydrogen fuel cell.

fire hazard, where the operator can produce an AC power trip while staying away from the installation.

The two power supplies are connected to ‘CAB-2’ electrical cabinet through underground cables. Fig. 12 shows a front view of CAB-2, which is installed on the front outside wall of container (see the isometric view of Fig. 3). This cabinet contains all the safety instrumentation, such as


Fig. 9. P&ID, fuel cell and electrolyzer cooling system & thermochemical prototype for cooling production and storage.

Fig. 10. ATEX zones definition of RECIF installation.

AC/DC power, safety PLC, contactors and relays.

The safety system AC power line enters CAB-2 cabinet and supplies electricity to the extractors, lights and all the 24VDC safety instrumentation (Fig. 11, C3 coord.).

Inside the container the inverter distributes all the power sources/sinks (utility, PV, Li-ion battery, fuel cell, electrolyzer, NH3 prototype and general electrical loads) according to an optimizing algorithm. Fig. 11 shows that these components can be disconnected through a number of contactors which are controlled by the safety PLC (see Sec. 4.6.2). Table 2 gives a description of each of these contactors, which are all installed in CAB-2, outside the container (so the contactors can switch in an environment where an explosive atmosphere is extremely unlikely to happen).

Regarding the operation of the inverter, Fig. 13 illustrates its


Fig. 11. Electricity and hydrogen supply to container.

Table 2
Description of all the contactors used to disconnect the power flow in the

Ⓐ Solenoid valve of fuel cell H2 supply.

24Vdc power interrupted via safety relay -K.2.54 (relay with supervised
internal safety function, category 4/PL e). -K.2.54 is commanded by the
safety PLC.
Ⓑ Power supply to electrolyzer (H2 production).
Single-phase power interrupted via contactors -K.2.50 and -K.2.51
connected in series (230VAC, 25A; with NC mirror contacts). Contactors
commanded by the safety PLC.
Ⓒ Connection between fuel cell, Li-ion batteries and inverter.
These components are isolated from each other via -K.2.06 contactor
(75VDC, 32A; with NC mirror contact). Contactor commanded by the safety
Ⓓ Conventional AC power.
Three-phase power interrupted via contactor -K.2.04 (400VAC, 25A; with
NC mirror contact). Contactor commanded by the safety PLC.
Ⓔ Connection of PV solar panel strings to inverter.
Strings 1 and 2 are interrupted via contactors -K.2.40 and -K.2.41
respectively (900VDC, 50A, commanded by the safety PLC).
These contactors do not have mechanically linked NC auxiliary contacts
(almost non-existent on the market for the application of >800V DC).
Therefore, the verification procedure for non-soldered contacts is done via
periodic tests.
Ⓕ Safety system AC power.
Three-phase power interrupted via contactor -K.2.42 (400VAC, 25A; with
NC mirror contact).
Contactor commanded by a safety relay (see SIF #3 in Sec. 4.6.2 and Fig. 15).
Ⓖ Conventional and Safety System AC power.
Miniature circuit breakers -Q.1.1 (4 × 50A “D”) and -Q.1.2 (4 × 32A “D”)
with under-voltage release coils wired to stop button –S.1.1.

permissible operating modes. It’s worth noting that the power harvested from the PV panels can be fed back into the grid in what is commonly referred to as “grid-tied” mode.

Fig. 12. “CAB-2” electrical cabinet that contains the safety PLC; it is installed on the front outside wall of container. Some of the components coding (e.g. -S.2.40, -PF.2.14) can also be found in Figs. 11, 14 and 15.


Fig. 13. Permissible operating modes of the inverter. The arrows correspond to the direction of power flow.

4.3. Forced ventilation system

The closed space of the container (where the electrolyzer, fuel cell, battery and thermochemical prototype are installed) has a forced ventilation system with two operating modes: continuous air renewal and emergency ventilation. The safety PLC controls these two operating modes, as it will be explained further below (see Fig. 14).

The system is implemented by two identical turret-type extractors (extractor #1 and #2) installed on the roof of the container. Each extractor has a 3-phase AC induction motor and has a nominal flow rate of 1080 m3/h. The container air inflow is through four 20 × 20 cm air vents mounted at the bottom of the side walls (two on each side). There are also four 4 × 4 cm air vents installed at the top of the side walls to allow for natural ventilation (buoyancy-induced ventilation) when the forced ventilation system is not active. The estimated net air volume inside the container is 22 m3.

Both extractors are powered through the safety system AC power (Fig. 11, B4 coord.). Extractor #1 is energized through a variable speed drive unit and extractor #2 is connected to the 3-phase input power.

Continuous air renewal mode is manually controlled by the user (-S.2.04 rotary switch on the front of CAB-2, Fig. 12) and must be activated when the installation is in operation, otherwise the safety system will cut off all the power supplies to the container, including the lights and the H2 solenoid valve that feeds the fuel cell. In this mode, an airflow of 460 m3/h is obtained using extractor #1 (via its variable speed driver unit), while extractor #2 is turned off. This airflow value

Fig. 14. Block diagram of the logic solver of the SIS implemented in the safety PLC. Note that a logic ‘1’ represents a normal condition and ‘0’ a triggered condition
(for the inputs, outputs and internal states).

Fig. 15. Block diagram of the logic solver that implements SIF #3. Note that a logic ‘1’ represents a normal condition and ‘0’ a triggered condition.


was established taking into account three parameters: i) the minimal allowed extractor motor speed (20 Hz), ii) a noise level inside the container compatible with a workplace and iii) the value recommended by the electrolyzer manufacturer (100 m3/h minimum).

To verify that the continuous air renewal mode is operational when activated by the user, a differential pressure transmitter for HVAC applications (±50 Pa) is installed inside ‘CAB-2’ cabinet. This device reads the pressure difference between two inlets (high & low pressure) and sends a 4-20 mA signal to a signal conditioner, which controls a NO contact that closes when the pressure difference is sufficiently high. Each pressure inlet is connected to a Ø8mm PVC tube that enters the container. The low-pressure tube end is positioned close to extractor #1 air intake and the high-pressure tube end is located away from the extractors. This way, the safety system verifies that the aforementioned contact closes when the user activates the continuous air renewal system (thus creating a pressure difference) and that it opens when deactivated by the user (both cases with a 10-s delay), otherwise, a safety action is triggered (see Sec. 4.6.2).

In emergency ventilation mode, the two extractors work at their nominal speed, producing a total airflow of 2160 m3/h. Table 3 summarizes the airflow parameters of the forced ventilation system.

Table 3
Airflow of forced ventilation system specifications.
Airflow of forced ventilation system
Operating mode | Air flow (m3/h) | Renewal rate (air changes per hour)
Continuous air renewal | 460 | 20 (1 air change per 180 s)
Emergency ventilation | 2160 (2 × 1080) | 94 (1 air change per 38 s)

The extractors are ATEX-certified, adapted to work with a variable speed drive unit. Their motors have thermistors in contact with their stator windings to detect any overheating, particularly important when they are not operated at their nominal speed (see IEC 60079-14 [42], §11.3.4). Each motor thermistor is connected to an ATEX-certified thermistor-controlled relay that commands a contactor that disconnects the motor in case of an overheating detection.

Finally, the variable speed unit of extractor #1 has an integrated circuit breaker that protects the extractor motor and extractor #2 has a dedicated motor circuit breaker.

4.4. Fire safety and personnel protection

The fire safety is composed of fire extinguishers (manual & automatic), an ATEX-certified smoke detector inside the container, a manual call point and a sound alarm. All these three last components are connected to the University fire alarm system, whose interaction with RECIF safety system is detailed in Sec. 4.6.2. Table 4 gives the characteristics of the fire extinguishers.

Regarding personnel protection, the staff that operates the installation are equipped with antistatic clothing and footwear and portable H2 and NH3 detectors (ATEX-certified) with integrated sound and visual alarms. Furthermore, they have received ATEX training with an independent and certified organization.

4.5. Safety systems integrated into individual equipment

4.5.1. Hydrogen storage and distribution

The H2 storage is located in the open space of the container, comprising an 850L H2 tank at a maximum pressure of 60 bar, equipped with a set of maneuvering and safety elements and instrumentation devices. Fig. 5 shows the P&ID from which a number of safety devices are identified, namely:

1. FSV 001 (E8 coord.), manual emergency relief valve. The action on this valve allows the release of almost all the H2 contained in the installation (except perhaps for the gas trapped inside the electrolyzer and the fuel cell) through a pipe that leads to the rear top of the installation (area #4 in Fig. 10), where a H2 gas discharge does not present any danger. Possible uses of this valve are: a) before certain maintenance operation, b) in the event of a fire in the facility itself or in its surroundings (so if the fire reaches the tank, it would already be empty), c) an uncontrolled H2 leak in some part of the installation.
2. TSV 001 (D6 coord.), thermal pressure relief device (TPRD) set at 110 °C with irreversible opening. It empties the H2 in case of overheating. The discharge is done in the open space of the container.
3. PSV 001 (E7 coord.), H2 tank pressure relief valve, set to 60 bar. Protection of the tank against overpressure. The discharge is through a pipe that follows the same path as the discharge of FSV 001 valve.
4. PSV 002 (D3 coord.), pressure relief valve set to 15 bar, installed downstream of the pressure regulator PV 001. Protection of the H2 supply to the fuel cell. The release is through the same pipe as FSV 001 valve.
5. X 007 (B4 coord.), nitrogen gas cylinder. Used for nitrogen purging of H2 piping before certain maintenance operations and to inert the H2 piping before a long period without operating the installation.
6. FV 003 (D3 coord.), downstream purge valve. Used to purge the gas trapped between the H2 tank and the fuel cell, where several instrumentation devices are installed, allowing for maintenance operations on them.
7. FV 004 (A3 coord.), upstream purge valve. Used to purge the electrolyzer.

4.5.2. Fuel cell

This device has an internal H2 sensor set to 25% of the LFL. In the event of a gas detection, its internal safety system automatically cuts off its gas supply (solenoid valve, Fig. 8, B5 coord.), a red LED on the front panel lights up and an error flag is raised in the Modbus interface so the SCADA system can read it. The reset of the system after such an event is manual. The device also has an emergency stop push button for manual shutdown.

4.5.3. Electrolyzer

This device also has an internal H2 sensor set to 25% of the LFL which performs the following actions upon a gas detection: i) interruption of H2 production if applicable, ii) activation of the extractor fan installed at the back of the device housing, iii) raise of an error flag in the Modbus interface that communicates to the SCADA, iv) launch of its shutdown procedure that produces a purge of H2 in order to depressurize the

In order to protect the electrolyzer against uncontrolled rise in pressure, the H2 outlet that connects to the dryer has a 55 barg pressure-

Table 4
List of fire extinguishers of RECIF installation.
Fire extinguishers
Number | Class (agent) | Agent quantity (kg/L) | Manual/automatic | Localization
#1 | AB (H2O + AFFF) | 6 L | Manual | Exterior
#2 | B (CO2) | 5 kg | Manual | Exterior
#3 | ABC (ADEX K) | 6 kg | Automatic, passive (68 °C) | Inside container, closed space


relief valve whose discharge is connected to the H2 purge line (Fig. 7, C5 coord.).

4.5.4. Air conditioner with thermochemical storage

This prototype has all the components of a conventional ammonia heat pump (compressor, condenser, ammonia tank, expansion valve, evaporator), with the addition of a thermochemical reactor which is heated by a water circuit at a maximum temperature of 70°.

The prototype is placed in a metal structure which protects all the components of the ammonia circuit against shocks. Additionally, to prevent ammonia spill reaching surface waters and to reduce the evaporating surface in case of a liquid leak, a catchment system was installed (in accordance with EN 378-3 [35], §5.14.3: Additional requirements for R-717).

From a safety point of view, the most critical element when the prototype is in operation corresponds to the compressor. To avoid accidental conditions due to an operation error, a number of transmitters (pressure, temperature and refrigerant level) were installed to implement a safety system that interrupts the power supply to the compressor when a dangerous condition is detected. The reset of the safety system is passive. The prototype also has a dedicated NH3 gas detector that automatically shuts down the prototype (see Table 5) and an emergency stop push button for manual shutdown. Ref. [36] §A4.10.10 contains the description of the prototype safety logic.

4.5.5. SCADA system

The SCADA system is implemented in a desktop computer installed inside the container and it performs real-time data acquisition & control (both in automatic & manual mode) of the following elements: fuel cell, electrolyzer, thermochemical prototype, inverter, water cooling system and hydrogen storage. It also verifies the following safety conditions:

- that the pressure and temperature of the H2 tank do not exceed 55 bar and 60 °C respectively (PT001 and TT001 transducers, Fig. 5, D5
- that the fuel cell and electrolyzer do not indicate a hydrogen leak alarm (via their Modbus links).

If at least one of these conditions is not met, the supervisory system will send Modbus commands to turn off the electrolyzer and fuel cell in a safe manner and it will also energize a relay called the “SCADA interface relay” whose main contact is connected to the safety instrumented system (the corresponding action is explained in Sec. 4.6.2).

4.6. Safety instrumented system (SIS)

A safety instrumented system (SIS) is a specialized control system used to detect hazardous conditions and prevent accidents. It monitors process parameters and initiates safety responses when dangerous or abnormal states are detected. It is composed of sensors (gas detectors, emergency stop buttons, etc.), a logic solver (implemented in a safety PLC), and final elements. As it will be shown shortly, the SIS has a number of safety-related tasks, each one implemented in a separate safety instrumented function (SIF). The rest of this section is organized as follows: first, a description of the installed fixed gas detectors is given, then the SIS structure is described and all the SIF are detailed; the section ends with some notes on the instrumentation used to implement the

Table 6
Description of the blocks in Figs. 14 and 15.
Block Description
AND gate. The output is ‘1’ only if all inputs are ‘1’, otherwise the output is ‘0’.
Memory element. The output is set to ‘0’ at the negative edge of RESET input. The output is set to ‘1’ if RESET input is ‘1’ and there is a positive pulse (positive edge followed by a negative edge) into SET input. The output is initialized to ‘0’ at system startup.
NOT gate followed by an indicator light. The light is ‘on’ if the input is ‘0’, otherwise it is ‘off’.

4.6.1. Fixed gas detectors

Besides the gas detectors installed inside the equipment, there are two H2 detectors and one NH3 detector installed close to the container ceiling (since both gases are lighter than air). These three detectors are part of the SIS and are connected to the safety PLC. The H2 detectors are of different brands (Table 7) and measuring principle, which greatly reduces the common cause failures (CCF) (see Table 8). Table 5 summarizes all the gas detectors installed inside the container.

Regarding the alarm set points of the gas detectors, the French regulation was followed. More specifically, the circular of May 9, 1985 of the French Labor Code states that […] when substances are flammable gases or vapors, their concentration must be kept as low as possible and remain below 25% of the LFL […] and at 10% of the LFL if people work in that atmosphere [40]. Note that the European regulation does not enforce any specific value (see IEC 60079-29-2 [44] regarding the installation, use and maintenance of gas detector for flammable gases, §8.11.3, Adjustment of alarm set points). With all this taken into consideration, a value of 5% and 10% of the LFL was established for the two H2 detectors respectively and a much lower value for the NH3 detector (due to its toxicity danger as previously stated in Table 11). The disparity of the set points of the H2 detectors is due to equipment availability at the moment of the purchases.

4.6.2. Safety instrumented functions (SIF)

The SIS implements a number of safety instrumented functions (SIF),

- SIF #1: disconnection of H2 supply and electricity supply to container, comprising the following sub-functions:
  #1a disconnection of fuel cell H2 solenoid valve power supply (FV002, Fig. 11, D4 coord.);
  #1b disconnection of electrolyzer power supply (-K.2.50 & -K.2.51, Fig. 11, E7 coord.);
  #1c disconnection of all the electricity supplies in or toward the container: AC utility, PV, Li-ion battery, fuel cell;
- SIF #2: activation of the forced ventilation system in emergency mode (i.e. start of extractors #1 & #2), accompanied by a visual

Table 5
Gas transmitters and trigger thresholds.
Gas | Detector name | Location | Measuring principle | Alarm level (% of LFL)
H2 | H2 transmitter #1 (-B1) | Container, closed space | Catalytic combustion (CC) | 10% (4000 ppm)
H2 | H2 transmitter #2 (-B3) | Container, closed space | Electrochemical (EC) | 5% (2000 ppm)
H2 | N/n | Inside fuel cell cabinet | Catalytic combustion (CC) | 25% (10,000 ppm)
H2 | N/n | Inside electrolyzer cabinet | Not available | 25% (10,000 ppm)
NH3 | NH3 detector | Container, closed space | Electrochemical (EC) | 0.015% (25 ppm)
NH3 | N/n | Thermochemical prototype | Semiconductor (SC) | 0.015% (25 ppm)


Table 7
Reliability data of components of the safety functions shown in Fig. 18.
Component | Brand & model | Parameter | Value | Notes | Source
H2 transmitter #1 (-B1) | GfG, CC28 | λD (1/h) | 6.31E-8 | MTTFD = 1809 y | Manufacturer
 | | DC (%) | 81.4 | – | Manufacturer
H2 transmitter controller (-K.2.30) | GfG, GMA 44 | λD (1/h) | 2.59E-8 | MTTFD = 3869 y | Manufacturer
 | | DC (%) | 89.5 | – | Manufacturer
H2 transmitter #2 (-B3) | DEGA, NSH-EL II LCD RE | MTTFD (year) | 3 | No information from manufacturer, so a very low value of MTTFD was considered. | –
 | | DC (%) | 60 | Processing unit: self-test by software. | ISO 13849-1:2015 [51], Table E.1
Safety PLC (-K.2.53) | ABB, Pluto B46 v2 | PFHD (no units) | 2.0E-9 | Manufacturer ensures PL e compliance. | Manufacturer
Safety expansion relay (-K.2.54) | ABB, BT50 | PFHD (no units) | 1.22E-8 | Manufacturer ensures PL e compliance. | Manufacturer
Trip contactor #1 & #2 (-K.2.50 & -K.2.51) | Schneider electric, LC1DT40BL + LAD4TBDL | B10D (cycles) | 1,369,863 | NOP = 12 cycles/year | Manufacturer
 | | DC (%) | 99 | Direct monitoring (monitoring by mechanically linked contact elements). | ISO 13849-1:2015 [51], Table E.1

Table 8
Reliability data of the sub-systems of Fig. 18, computed by SISTEMA. The CCF points were calculated according to ISO 13849-1:2015 [51], Table F.1. See Table 6.2 of [56] for more information about the column ‘category’.
Sub-system | MTTFD (years) | PFHD (1/h) | DCAVG (%) | CCF (points) | Category | PL
H2 transmitters | 66.7 | 1.9E-07 | 60.1 | 90 | 3 | d
Safety PLC | Not relevant | 2.0E-09 | Not relevant | Not relevant | 4 | e
Safety expansion relay | Not relevant | 1.2E-08 | Not relevant | Not relevant | 4 | e
Two-trip contactors | 100 | 2.5E-08 | 99 | 75 | 3 | d
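The MTTFD and DCAVG columns of Table 8 can be recomputed by hand from the Table 7 data with the simplified ISO 13849-1 formulas, as the following added example shows (it is not taken from the article or from its SISTEMA project). Assumptions: transmitter #1 and its controller form one channel and transmitter #2 the other; each channel is capped at 100 years; SIF #1a ends in the safety expansion relay and SIF #1b in the two contactors, as Table 2 suggests; the names `Part`, `h2_transmitter_subsystem`, `contactor_subsystem` and `evaluate_sif` are hypothetical.

```python
"""Recompute two rows of Table 8 from Table 7 (ISO 13849-1 simplified method)."""
from dataclasses import dataclass

CHANNEL_CAP_YEARS = 100.0  # assumed per-channel MTTFD cap for Category 3 subsystems


@dataclass(frozen=True)
class Part:
    name: str
    mttfd_years: float
    dc_percent: float


def mttfd_from_b10d(b10d_cycles, nop_per_year):
    """Wearing component: MTTFD = B10D / (0.1 * nop)."""
    return b10d_cycles / (0.1 * nop_per_year)


def channel_mttfd(parts):
    """Parts-count method: dangerous failure rates of parts in one channel add up."""
    return 1.0 / sum(1.0 / p.mttfd_years for p in parts)


def symmetrised_mttfd(ch1_years, ch2_years, cap=CHANNEL_CAP_YEARS):
    """Single equivalent MTTFD for two redundant channels of different quality."""
    a, b = min(ch1_years, cap), min(ch2_years, cap)
    return (2.0 / 3.0) * (a + b - 1.0 / (1.0 / a + 1.0 / b))


def dc_avg(parts):
    """Average diagnostic coverage, each part weighted by its failure rate."""
    weighted = sum(p.dc_percent / p.mttfd_years for p in parts)
    return weighted / sum(1.0 / p.mttfd_years for p in parts)


def performance_level(pfhd_per_hour):
    """Map a PFHD (1/h) to its ISO 13849-1 performance level band."""
    for pl, upper in (("e", 1e-7), ("d", 1e-6), ("c", 3e-6), ("b", 1e-5), ("a", 1e-4)):
        if pfhd_per_hour < upper:
            return pl
    raise ValueError("PFHD is outside every performance level band")


# PL to SIL correspondence (the article cites IEC 62061, Table 3); PL a has none.
SIL_EQUIVALENT = {"a": None, "b": 1, "c": 1, "d": 2, "e": 3}

# Table 7 values: MTTFD in years (Notes column), DC in percent.
B1 = Part("H2 transmitter #1 (-B1)", 1809.0, 81.4)
K230 = Part("H2 transmitter controller (-K.2.30)", 3869.0, 89.5)
B3 = Part("H2 transmitter #2 (-B3)", 3.0, 60.0)
CONTACTOR = Part("Trip contactor", mttfd_from_b10d(1_369_863, 12), 99.0)

# PFHD per subsystem as reported in Table 8 (computed by SISTEMA in the article).
PFHD = {
    "H2 transmitters": 1.9e-7,
    "Safety PLC": 2.0e-9,
    "Safety expansion relay": 1.2e-8,
    "Two-trip contactors": 2.5e-8,
}

# Assumed composition of each safety function (sensor, logic, final element).
SIF_CHAINS = {
    "SIF #1a": ("H2 transmitters", "Safety PLC", "Safety expansion relay"),
    "SIF #1b": ("H2 transmitters", "Safety PLC", "Two-trip contactors"),
}


def h2_transmitter_subsystem():
    """Return (MTTFD in years, DCavg in %) for the two-channel H2 detection."""
    ch1 = channel_mttfd([B1, K230])  # about 1233 years, capped at 100
    ch2 = channel_mttfd([B3])        # 3 years, the pessimistic assumption of Table 7
    return symmetrised_mttfd(ch1, ch2), dc_avg([B1, K230, B3])


def contactor_subsystem():
    """Return (MTTFD in years, DCavg in %) for the two series contactors."""
    ch = channel_mttfd([CONTACTOR])
    return symmetrised_mttfd(ch, ch), dc_avg([CONTACTOR, CONTACTOR])


def evaluate_sif(name):
    """Sum the PFHD of the subsystems in series; return (PFHD, PL, SIL)."""
    total = sum(PFHD[s] for s in SIF_CHAINS[name])
    pl = performance_level(total)
    return total, pl, SIL_EQUIVALENT[pl]


if __name__ == "__main__":
    print("H2 transmitters:", h2_transmitter_subsystem())
    print("Contactors:", contactor_subsystem())
    for sif in SIF_CHAINS:
        print(sif, evaluate_sif(sif))
```

The low-quality channel dominates the result: the 3-year MTTFD assumed for transmitter #2 pulls DCAVG down to about 60%, just inside the "low" band that Category 3 requires, while the 100-year cap on the other channel keeps the symmetrised MTTFD at 66.7 years.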

- SIF #3: disconnection of all electricity power sources of the installation: conventional AC power and safety system AC power (in case of maintenance or fire hazard).

Fig. 14 shows a block diagram of the logic solver implemented in the safety PLC and Table 6 gives a description of all the blocks used in the figure. Note that, as in all safety logic functions, a ‘1’ state represents a normal condition (e.g. emergency button not pressed, alarm not initiated, etc.), while a ‘0’ means a triggered condition.

The inputs to the SIF are the following (from top to bottom on the left side of Fig. 14):

• H2 and NH3 detectors discussed in Sec. 4.6.1;
• a potential-free contact of the SCADA interface relay previously discussed in Sec. 4.5.5;
• an emergency button installed outside the container, on the front of CAB-2 cabinet (-S.2.02, Fig. 12);
• an emergency button installed inside the container, close to the door;
• an Extractors OK signal that indicates if the extractors are operational;
• a contact of the rotary switch that activates the air renewal mode of the forced ventilation system.

The Extractors OK signal is ‘1’ if and only if all of the following conditions are met: (a) the extractor #1 variable speed unit has no error (overcurrent, loss of phase, software fault, etc.), (b) extractor #2 motor circuit breaker is not tripped, (c) the extractors’ thermistor protections are not tripped (Sec. 4.3), (d) the differential pressure transmitter that verifies the operation of extractor #1 in the air renewal mode indicates the correct output (Sec. 4.3).

Besides the SIF, the logic solver has signaling outputs (i.e. non-safety functions) that activate a sound alarm and an indication to the University general fire system alarm. Fig. 14 also shows that the logic solver implements an interlocking logic that triggers SIF #1 if the operator does not activate the air renewal mode of the forced ventilation system (-S.2.04 rotary switch on the front of CAB-2), thus preventing any useful utilization of the installation.

The re-initialization of all the SIF and alarm & status signaling requires manual intervention (by pressing the corresponding push button on the front of CAB-2 cabinet).

Fig. 15 shows a block diagram of the SIF #3. Note that there are two ways of interrupting AC power to the container. The first one is by pushing the emergency button -S.1.1 in the machine room next to the RECIF installation, which interrupts both AC power supplies as previously shown in Fig. 11, B2 coord. The second way is by de-energizing (via a safety relay) -K.2.42 contactor which interrupts the safety system AC supply and, by cascading effect, opens -K.2.04 contactor, thus disconnecting the conventional AC power (Fig. 11, B3 coord.).

As indicated in Fig. 15, the University fire system alarm disconnects AC power to RECIF installation if one of the following conditions is met: (a) a smoke detection inside container, (b) a trigger signal from the University general fire system alarm (e.g. as a preventive action due to a fire hazard in another building of the University), and (c) a manual activation of the fire alarm by a button press of the call point installed outside the container, next to the door.

As a reminder, the shutdown of the safety system due to a fire hazard is necessary since the extractors are not adapted to work as a smoke extraction system (Sec. 4.4).

More detailed information of how the PLC safety outputs interact with the final safety components (H2 solenoid valve, extractors, etc.) can be found in the electrical diagrams of the installation, available in the GitHub project repository [46].

4.6.3. Notes on instrumentation & electrical components

ATEX-certified equipment. As previously stated in Sec. 3.3, all the electrical components installed in the open space of the container are at least category 3 equipment, suitable for use in ATEX Zone 2.

Additionally, all the components inside the closed space of the container that remain energized after a safety system trigger (e.g. H2 detection) are also at least category 3 equipment. They include the H2 & NH3 gas transmitters, the extractors, the emergency stop button, the lights (normal light & battery-equipped emergency light), the visual alarm and the smoke detector. The rest of the components (electrolyzer


& dryer, fuel cell, inverter, thermochemical prototype) are not ATEX-certified since they are turned off upon a safety system trigger.

Safety PLC. Safety PLC are controllers that have a number of safety features not found in regular PLC and that allow for the implementation of safety functions. They feature failsafe inputs with dynamic signals (as opposed to static 24V input signals) for short-circuit detection and they normally have two separate processors that compute the same logic function and a final voting circuit that commands the safety outputs. Additionally, the manufacturers certify their safety parameters (PL, MTTF, etc.) in accordance with the corresponding standards.

The safety PLC used in RECIF installation corresponds to the ABB Pluto B46 v2 model. The connections of the input sensors to the controller followed the manufacturer recommendations (see Ref. [59], §6).

Contactors and relays. Contactors and relays are considered as well-tried components as switching devices to trip a safety action in accordance with Table D.3 of ISO 13849-2 standard [52] as long as they comply with some additional conditions, such as protection against vibration, overcurrent protection and having contacts that are positively mechanically guided.

Positively mechanically guided contacts are linked with one another in such a way that the normally closed (NC) contacts and normally open (NO) contacts can never be closed at the same time, even in case of contact welding, which represents one of the most dangerous accidental conditions of these devices. See Ref. [57], §3.5.1 for more information.

Relays with positively mechanically guided contacts allow for detection of a welded NO contact during a test procedure by de-energizing the coil and reading back a NC contact. In this way, if the NC contact fails to close, it means that one of the NO contacts is still closed, thus the fault is detected.

The standards that regulate the positively driven operation are IEC 60 947-4-1 [47], appendix H for contactors and IEC 60 947-5-1 [48], amendment 2, annex L for relays. All the contactors and relays used to implement RECIF safety system comply with these standards.

Cabling. IEC 60079-14 standard [42] (§9, Cables and wiring systems) covers general requirements of cable types used in explosive atmosphere, such as sheathed material, flame propagation properties, protective earthing, cable entries, etc. The standard does not specify voltage ratings, except for intrinsically safe circuits, for which only cables with rated insulation between the conductor to earth, conductor to screen and screen to earth of at least 500 V AC or 700 V DC shall be used.

Additional requirements may come from national standards. For instance, French standard NF C15-100 [54] defines in §424 the external influence class BE3 as the locations where an explosive atmosphere may occur. In that section, requirements regarding cable voltage ratings are stated: power cables must have a nominal voltage of 1000V for rigid connections (such as U1000 R2V cables), or 750V when flexible connections are needed (such as 07RN-F cable). The complete list of accepted power cables is found in Table 52D of the standard (“Conditions of use of insulated conductors and cables, BE3 class”). Regarding instrumentation cables, they must comply with NF M 87-202 French code [55], although the standard is somewhat ambiguous in that case (see point 5 of §424.8 of NF C15-100).

All the power cables of ATEX-certified components of RECIF installation comply with the aforementioned French standard and IEC standards and all the instrumentation cables are shielded and with a voltage rating of at least 500V.

Finally, the cables of ATEX components with intrinsically safe mode of protection (marking “ia/ib/ic”) have their inductance and capacitance computed in order to complete the descriptive system document (according to IEC 60079-25 [43]). Fig. 16 shows an extract of such a document (the complete version can be found in Ref. [46], in French).

5. Discussion

5.1. Reliability computation of the gas detection system

The inspection & certification company specialized in ATEX installations that was commissioned to validate RECIF installation, based on the risk analysis of the installation, gave advice on the required

Fig. 16. Extract of the Descriptive System Document (DSD) of all the ATEX components with intrinsically safe mode of protection (see IEC 60079-25 [43], §4 and Annex
E). The complete DSD can be found in Ref. [46] (in French).


integrity of the safety system. More specifically, they recommended to give SIL-2 capability to the safety function that stops the production of H2 from the electrolyzer and shuts down the H2 gas supply to the fuel cell (which corresponds to SIF #1a and #1b) in case of a gas detection triggered by one of the two H2 transducers installed inside the container.

To provide some regulatory context, IEC 60079-29-3 [45] gives recommendations regarding the functional safety of fixed gas detection systems. In that standard, the safety integrity requirements are expressed in a parameter called safety integrity level, SIL, which is based on IEC 61508 standard series [50] and is directly associated with the probability of failure of a safety function. The standard states that it is rare for any risk study to determine a SIL higher than SIL 2 for a fixed gas detection system.

To compute the SIL of the aforementioned SIF, it was decided, in concertation with the inspection & certification company, to follow the method from ISO 13849-1 standard [51] that relates to safety of machinery, and then to trace an equivalency with the SIL method from the IEC 61508 series.

ISO 13849-1 standard provides safety requirements and guidance on the principles for the design and integration of safety-related parts of control systems; it defines a performance level (PL) of a SIF in terms of probability of failure per hour and gives guidance in the determination of the required PL (PLr) based on the severity of injury (S), the frequency and/or exposure time to hazard (F) and the possibility of avoiding hazard or limiting its harm (P).

The analysis of the PL of SIF #1a and #1b was conducted using SISTEMA tool [49], a free piece of software developed by DGUV (German Social Accident Insurance) which provides support in the evaluation of safety in the context of ISO 13849-1 standard. The SISTEMA project is available for the reader from RECIF safety system GitHub repository [46].

The determination of the required performance level was fixed based on a decision tree called “risk graph” from ISO 13849-1. Fig. 17 shows a screen capture of the risk graph of SIF #1a and #1b from SISTEMA tool, which resulted in a PLr of ‘d’.

Table 9 shows the final result of the analysis performed by SISTEMA tool, which indicates that both SIF have obtained the required PL d. The table also shows the equivalency with the SIL method, indicating a SIL-2 value. The equivalency follows IEC 62061 standard [53], Table 3 (also found in Ref. [56], Figure 3.2).

Note that the complete study of performance level is out of the scope of this article. However, a full study was conducted as part of the documentation of the RECIF safety system. The study followed the structure of the examples given in Ref. [56] §8, describing the corresponding functional description, its design features and the calculation of the probability of failure.

5.2. Forced ventilation system simulation

This Section presents the study of an estimate of the evolution of the gas concentration inside the container in the event of a leak. The objective is to have an order of magnitude of the time it takes for the leak to stop and for the ventilation system to reduce the gas concentration. This study takes into account not only the leak process itself but also the safety system response. The results of this section helped the declassification of the interior of the container from a possible Zone 2 to non-hazardous zone by showing that the leak is promptly detected and bounded and the safety system quickly reduces the gas concentration to negligible levels.

Fig. 19 depicts the overall concept. In the event of a H2 leak, there are two possible situations: (a) a leak in the fuel cell supply line, and (b) a leak in the H2 production system (electrolyzer). In the event of an NH3 leak, the entire content of the fluid is, in a worst-case scenario, released inside the container. The figure indicates that, following a gas detection, the safety system will instantly and simultaneously close the H2 supply and turn off the electrolyzer and the remaining trapped gas in the equipment will be progressively released.

The leak release rate model uses the equations from IEC 60079-10-1 [41], §B.7.2.3, “Release rate of gas or vapor” (which are nothing but the compressible flow equations in a converging nozzle) for an ideal gas
Once the PLr has been determined, the next step is to propose a with sonic (chocked) and subsonic (non-chocked) flow, namely:
compatible instrumentation architecture. In the case of the SIF analyzed, √̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅̅
[ ̅
√ ( )ν− 1/ν ]( )
this is fulfilled by a two-channel gas detection system in a one-out-of-two √ M2Y
√ Pa Pa
mg, in = CdSP 1− 1 / ν (non − chocked flow)
configuration (1oo2), followed by a safety PLC and an expansion safety ZRT ν − 1 P P
relay. An additional 1oo2 two-channel contactor array is necessary for
the SIF #1b since in that case the safety function must disconnect a
power circuit (~2 kW). All this is depicted in Fig. 18, which shows the √̅̅̅̅̅̅̅̅̅̅̅̅( )
M Pa
reliability block diagram of SIF #1a and #1b (left) and the corresponding mg, in = CdSP ν ν + 1 / ν − 1 (chocked flow) (2)
tree structure of the project build with SISTEMA (right).
Table 7 shows the reliability parameters of all the components from
where ṁg,in (kg/s) is the gas flow rate toward the container, Cd is a
Fig. 18. This information was entered into SISTEMA project and the tool
dimensionless flow coefficient (0.50–0.75 for sharp-edged orifices and
computed the reliability parameters of each sub-system, as shown in
0.95 to 0.99 for rounded orifices), S is the section of the leak hole (m2), T
Table 8.
and P are the gas temperature and pressure upstream of the leak (K, Pa),
Pa is the pressure downstream of the leak, equal to atmospheric pressure
(Pa), γ is the adiabatic index of the gas upstream of the leak (dimen­
sionless), Z is the gas compressibility factor upstream of the leak
(dimensionless and equals to 1.0 for ideal gases) and R is the Universal
gas constant (8314 J/kmol-K). The critical pressure Pcrit at which the mass
flow changes from sub-sonic to sonic is determined by the following
equation ([41] eq. B.2):
( )γ
γ + 1 /γ− 1
Pcrit = Pa (3)
The trapped gas inside the electrolyzer and fuel cell is treated as an
ideal gas at constant temperature T (K) in a constant volume V (m3). As a
result, the relationship between pressure P (Pa), temperature T and mass
m (kg) is governed by the ideal gas law, which can be solved for the
pressure P, resulting in:

Fig. 17. Risk graph of SIF #1a and #1b (image extracted from SISTEMA
[49] project).


Fig. 18. Reliability block diagram of SIF #1a and #1b. Left: graphical representation. Right: SISTEMA [49] project tree structure.

Table 9
Performance level (PL) computation results of safety functions shown in Fig. 18. (*) SIL equivalency according to IEC 62061 [53], Table 3 (also found in Ref. [56], Figure 3.2).

| Safety function | PL obtained | PFHD (1/h) | SIL equivalency (*) |
|---|---|---|---|
| SIF #1a. Disconnection of fuel cell H2 solenoid valve power supply | d | 2.0E-7 | SIL 2 |
| SIF #1b. Disconnection of electrolyzer power supply | d | 2.3E-7 | SIL 2 |

$$PV = \frac{m}{M}RT \;\Rightarrow\; P = m\left(\frac{RT}{MV}\right) \qquad (4)$$

where M corresponds to the molar mass of H2 (2.016 × 10⁻³ kg/mol). Note that all the variables inside the parenthesis in eq. (4) are considered constant.

The pressure rate of change dP/dt can be obtained by differentiating both sides of eq. (4) with respect to time, yielding:

$$\dot{P} = \frac{RT}{MV}\,\dot{m} \qquad (5)$$

In this last eq., the term ṁ equals the negative of ṁg,in from eqs. (1) and (2), since gas is coming out of the trapped volume and entering the container, that is,

$$\dot{P} = -\frac{RT}{MV}\,\dot{m}_{g,in} \qquad (6)$$

Combining eq. (6) with (1), (2) and (3) yields a first-order ordinary differential equation (ODE) whose solution describes the evolution of P(t) inside the trapped volume and the gas flow rate toward the container ṁg,in(t).

In order to evaluate the instantaneous gas concentration, the container is modeled as a control volume with an input flow of fresh air, another input of leaked gas and an output flow of the mix air/gas through the extractors. The model assumptions are the following: (a) the temperature is constant; (b) the air in the room is incompressible; (c) the air/gas mixture is considered as an ideal gas, therefore, Amagat’s law of

Fig. 19. Model of a leak process inside the container used to simulate the evolution of gas concentration. After detection of a gas leak, the safety system will turn on
the extractors and the quantity of gas trapped inside the equipment will progressively leave the container.


partial volumes applies; (d) an imperfect mixing of air and gas is assumed, expressed in the form of the safety coefficient ‘f’; (e) the extractors are a source of volumetric flow which removes the air/gas mixture from the room. Note that (b) represents a basic assumption in HVAC engineering, which means, for example, that the addition/subtraction of gas does not modify the pressure of the room, considered at atmospheric pressure. Viewed differently, any increase/decrease in pressure will be immediately balanced by airflow through the openings.

Finally, the equations of the model are the following:

$$\dot{V}_{g,in} = \frac{\dot{m}_{g,in}}{\rho_g} \qquad (7)$$

$$\dot{V}_{g,out} = \frac{\dot{V}_{extr}}{f}\,X_g \qquad (8)$$

$$\dot{V}_g = \dot{V}_{g,in} - \dot{V}_{g,out} \qquad (9)$$

$$X_g = \frac{1}{V_{mix}/f}\,V_g \qquad (10)$$

where V̇g,in is the flow rate of the leaked gas (in m3/s, equal to the mass flow rate divided by the gas density ρg at atmospheric pressure), V̇g,out is the flow rate of the gas out of the container (m3/s), Vg is the instantaneous partial volume of gas in the container (m3), V̇extr is the extractors flow rate (m3/s), Vcont is the container volume (m3) and f is the safety coefficient (>1) that accounts for imperfect mixing (see Ref. [41], §C.3.6.2). This last factor is considered twice: it reduces the air/gas mixing volume and it decreases the effective air/gas mix flow rate out of the container (note that Xg = f × V̇g,in / V̇extr, the steady state of eqs. (8) and (9), corresponds to the eq. of the background concentration of IEC 60079-10-1 [41], eq. C.1, where the factor f is defined).

Fig. 20 shows the block diagram of all the equations presented so far, with the addition of the safety system that changes the extractor flow rate when the gas concentration Xg reaches the alarm level Xalarm. This model was implemented in MATLAB/Simulink with the parameters presented in Table 10.

Fig. 21 shows the simulation results for the case of an H2 leak in the fuel cell circuit (left) and electrolyzer (right). The case of an NH3 leak is not presented in this article; however, the complete study which includes the case of NH3 is available in Ref. [46] and shows that the values of Xg remain very low (Xg<2.5% LFL throughout the release of ~9 kg of NH3), so the danger of explosion is negligible in comparison to the toxicity hazard.

Fig. 21 (a) shows the case of the fuel cell leak, which starts at 0:30 and a minute later the concentration reaches 10% of LFL. Before the detection, the leak flow rate remains constant (~33 Nl/min) since gas is supplied by the H2 tank through a pressure regulator (4 bar). After detection, the H2 solenoid valve FV002 is closed so the flow rate starts descending (i.e. the pressure in the trapped volume starts dropping). Simultaneously, the extractor flow rate increases to the emergency set point. The leak stops 1 min after the detection, when the pressure of the trapped volume attains 1 atm. The spike of the H2 flow rate out of the container (orange curve) is explained by the rise of the ventilation flow rate. Finally, 4 min after the start of leak, the concentration attains negligible values (<1%).

Fig. 21 (b) depicts the case of a leak in the electrolyzer, which is initially turned on and producing H2 (~11 Nl/min, 25 bar, yellow curve). The leak at 0:30 produces a spike of H2 flow rate toward the container (blue curve) that rapidly decreases due to the depressurization of the electrolyzer volume that contains the gas, reaching an equilibrium between the gas produced and the gas leaked (blue & yellow curves). Note that during this initial phase the concentration does not attain the alarm level, which finally happens 3:30 after the start of the leak. The rest of the evolution is analogous to the case of a fuel cell leak previously analyzed, attaining a negligible value of Xg 6 min after the leak started.

The simulation results offer a means of observing that smaller leaks cannot be detected with detectors that trigger at 10% or even 5% of the LFL. For those cases, leak search during periodic tests is the appropriate course of action. Additionally, the SCADA system could also implement an algorithm that correlates the pressure change in the H2 tank with the production and utilization of H2 to detect anomalies early.

Finally, the reader can refer to Ref. [46] to find additional study cases, particularly leak events combined with failures in the safety system (one extractor fails to start, H2 valve fails to close, etc.).

5.3. Lessons learned and guidance for future installations

The implementation of RECIF project was very challenging due to the initial lack of experience in H2 installations. In this regard, provided below is a list of recommendations for any laboratory or research center that wants to start implementing a system that integrates a chain of production and use of H2. These recommendations result from the lessons learned during the design and commissioning of RECIF installation.

- In order to comply with the regulations of the corresponding country or region, get in contact with an inspection & certification company specialized in ATEX installations at the earliest stage of the project and budget their services.

Fig. 20. Simplified block diagram of the model of a leak of a reservoir at initial pressure P0 into the container.


Table 10
Simulation parameters of a gas leak.

| Parameter | Value | Unit | Notes |
|---|---|---|---|
| Pressure in the volume of trapped H2 | 25 | bar | Worst-case scenario: maximum working pressure found on the electrolyzer. See Table 1. |
| Pressure in the volume of trapped H2 (fuel cell) | 4 | bar | H2 fuel cell inlet pressure. |
| Total volume of trapped H2 (electrolyzer) | 1 | L | Value deduced from information received from electrolyzer & dryer supplier. |
| Total volume of trapped H2 (fuel cell) | 5 | L | 0.6 g of trapped H2 @ 1.5 bar (manufacturer data) |
| Section of the leak hole | 0.25 | mm2 | Hypothesis of a valve leak. Value according to IEC 60079-10-1 [41], Table B.1 “Suggested hole cross sections for secondary grade of releases”: valve stem packing (release opening will not expand). |
| Flow coefficient Cd | 0.75 | Dimensionless | Hypothesis of a sharp orifice. Value according to IEC 60079-10-1 [41], §B.1. |
| Temperature | 30 | °C | Air and H2 temperature. |
| Extractors flow rate, continuous air renewal | 460 | m3/h | See Table 3. |
| Extractors flow rate, continuous air emergency mode | 2 × 1080 = 2160 | m3/h | See Table 3. |
| H2 detection threshold | 10 | % of LFL | Worst case scenario between detector #1 & #2 (Table 5) |
| Extractor time constant when flow rate set-point change | 2 | s | 0–99% in 5τ, thus startup time = 10 s. |
| Detection chain delay | 1 | s | Electronic detection circuit, relays, contactors, etc. |
| Container volume | 22 | m3 | Net volume. |
| Ventilation inefficiency, safety factor ‘f’ according to IEC 60079-10-1 [41], Annex C. | 3.0 | Dimensionless | Inefficient mixing (note that IEC 60079-10-1 [41], §C.3.6.2 establishes f = 1.5 for a mildly inefficient mixing and 5 for very inefficient mixing.). |
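
The leak model of eqs. (1) to (10) can be integrated with a few lines of code. The following Python sketch is an added example, not the author's MATLAB/Simulink model (which is in the repository [46]); it runs the fuel cell leak case with the Table 10 parameters. The adiabatic index γ = 1.41, the reading of the 4 bar supply pressure as absolute, and the reading of eq. (10) as Xg = f·Vg/Vcont are assumptions.

```python
import math

# Parameters from Table 10 (fuel cell leak case) and Table 11 (LFL of H2).
R = 8314.0                 # universal gas constant, J/(kmol K)
M = 2.016                  # molar mass of H2, kg/kmol (2.016e-3 kg/mol)
Z = 1.0                    # compressibility factor (ideal gas)
T = 303.15                 # 30 degC, K
P_A = 101325.0             # atmospheric pressure, Pa
CD = 0.75                  # flow coefficient, sharp orifice
S = 0.25e-6                # leak hole section, 0.25 mm2 in m2
V_TRAP = 5.0e-3            # trapped H2 volume, 5 L in m3
V_CONT = 22.0              # container net volume, m3
F = 3.0                    # mixing safety factor f
Q_NORMAL = 460.0 / 3600    # continuous air renewal, m3/s
Q_EMERG = 2160.0 / 3600    # emergency extraction, m3/s
TAU_EXTR = 2.0             # extractor time constant, s
DELAY = 1.0                # detection chain delay, s
LFL = 0.04                 # 4 % v/v
X_ALARM = 0.10 * LFL       # detection threshold, 10 % of LFL
# Assumptions not stated on the page:
GAMMA = 1.41               # adiabatic index of H2
P0 = 4.0e5                 # the 4 bar supply pressure read as absolute, Pa

P_CRIT = P_A * ((GAMMA + 1) / 2) ** (GAMMA / (GAMMA - 1))   # eq. (3)
RHO_G = P_A * M / (R * T)  # H2 density at atmospheric pressure, kg/m3


def leak_mass_flow(p):
    """Release rate in kg/s through the hole for upstream pressure p (Pa)."""
    if p <= P_A:
        return 0.0
    k = M / (Z * R * T)
    if p >= P_CRIT:        # eq. (2), choked flow
        return CD * S * p * math.sqrt(
            GAMMA * k * (2 / (GAMMA + 1)) ** ((GAMMA + 1) / (GAMMA - 1)))
    r = P_A / p            # eq. (1), non-choked flow
    bracket = max(0.0, 1.0 - r ** ((GAMMA - 1) / GAMMA))
    return (CD * S * p * math.sqrt(k * 2 * GAMMA / (GAMMA - 1) * bracket)
            * r ** (1 / GAMMA))


def simulate_fuel_cell_leak(t_end=600.0, dt=0.01):
    """Explicit-Euler integration of eqs. (6) to (10); the leak starts at t = 0."""
    p, v_g, q = P0, 0.0, Q_NORMAL
    t_alarm = t_stop = t_clear = None
    peak = 0.0
    for i in range(int(t_end / dt)):
        t = i * dt
        x_g = F * v_g / V_CONT                  # eq. (10), mixing volume V_CONT / f
        peak = max(peak, x_g)
        if t_alarm is None and x_g >= X_ALARM:
            t_alarm = t
        tripped = t_alarm is not None and t >= t_alarm + DELAY
        m_dot = leak_mass_flow(p)
        if tripped:
            # Valve closed: only the trapped volume feeds the leak, eq. (6).
            p = max(P_A, p - R * T / (M * V_TRAP) * m_dot * dt)
            q += (Q_EMERG - q) / TAU_EXTR * dt  # first-order extractor ramp
            if t_stop is None and p <= P_A:
                t_stop = t
            if t_clear is None and x_g < 0.01 * LFL:
                t_clear = t
        # Before the trip the regulator holds p at P0, so the leak is constant.
        v_g = max(0.0, v_g + (m_dot / RHO_G - q / F * x_g) * dt)  # eqs. (7)-(9)
    return {"t_alarm": t_alarm, "t_leak_stop": t_stop, "t_clear": t_clear,
            "peak_pct_lfl": 100.0 * peak / LFL}


if __name__ == "__main__":
    print("leak rate at 4 bar: %.2e kg/s" % leak_mass_flow(P0))
    print(simulate_fuel_cell_leak())
```

Times in the returned dictionary are seconds from the start of the leak; `t_clear` is the instant the concentration falls below 1% of LFL after the trip.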

- Regarding the selection of ATEX-certified components,
  ▪ When possible, avoid “category 3” components (marking “II 3”). Manufacturers of category 3 devices follow a self-certification procedure that does not require any submission of documentation to a notified body. As a consequence, sometimes their ATEX certificates have inconsistencies.
  ▪ Read and comply with the special conditions of utilization section found in the EC-type examination certificates (max ratings, use of special fuse, etc.).
  ▪ The EU defines, in the guide for the application of directive 2014/34/EU, a list of equipment for which the application of the directive could be misinterpreted. This is the “Borderline List”. Check this list when there is a doubt about the need or not to use ATEX-certified material.
- Make sure that all the components used in the gas detection chain in the safety system comply with standards for functional safety, such as EN 61508 standard series [50]. Their corresponding certificates will provide safety parameters such as MTTF, λDU, etc., required to evaluate the safety integrity level of the installation.
- Plan and implement a documentation system with a revision coding for documents, electrical diagrams, P&IDs and program codes. This will allow traceability control. Store all the documentation in a
- Budget and provide ATEX training to the staff that will work in the design or implementation of the installation and to the personnel that will operate and maintain it.

As a concluding note, the subsequent paragraphs describe key design choices and challenges encountered during the installation’s design phase. These discussions encompass not only the safety system’s alternatives but also broader considerations regarding the general installation.

5.3.1. Technology for implementing safety logic
At the outset of the project, a decision was made to employ a hard-wired logic, primarily utilizing relays, to execute the safety instrumented function. While this choice simplified the process by avoiding the need for expertise in PLC programming and manipulation, it presented challenges in conforming to the ISO 13849-1 standard for assessing installation safety levels. Additionally, a hard-wired logic lacked flexibility for post-implementation modifications. Subsequently, the decision was made to transition to a safety PLC to address these concerns.

5.3.2. Design of the water cooling circuit
The design of the water cooling circuit, depicted in Fig. 9, represents a non-negligible aspect of the installation. An alternative option explored involved the incorporation of a water buffer tank (~30 L) between the components responsible for heating water (fuel cell & electrolyzer) and the thermochemical reactor, which relies on hot water for its endothermic reaction. While the buffer tank offers advantages as a decoupling component that simplifies the control strategy, it also introduces complexities such as the requirement for additional pumps and potential extended transients at the beginning of each experimentation. Ultimately, a solution without a buffer tank was adopted.

5.3.3. Electrolyzer operating mode
The electrolyzer acquired for the RECIF installation is designed to operate under nominal conditions and is not adaptable to variable power levels due to the significant risk of generating an explosive atmosphere at its purge outlet during low-power operation. Consequently, the H2 production cannot align with the instantaneous power output of the PV panels. While this design simplifies the electrolyzer operation, it introduces additional constraints to the optimization strategy governing the installation, which were not foreseen at the initial stage of the project.

6. Conclusions

This article provides a thorough description of the safety system of a real installation of a smart microgrid that includes PV panels, Li-ion batteries, an electrolyzer, H2 storage, a fuel cell, and a BaCl2/NH3 thermochemical prototype for heat recovery and cooling production for air conditioning purposes. The installation is part of RECIF project and is located in French Polynesia, where a significant portion of energy usage is dedicated to space cooling.

The study offers comprehensive information on the practical aspects of system implementation and consistently refers to the relevant regulations, particularly the IEC 60079 standard series related to explosive atmospheres. The interconnection of components is carefully detailed through process and piping diagrams (P&ID), which highlight the safety features of each component, as well as the operational, maintenance, and emergency gas purging systems of the installation.

This work is notable for its extensive treatment of safety instrumented logic implementation and detailed electrical power distribution from diverse sources (grid, PV panels, fuel cell, Li-ion battery). Supplementary information, listed in Sec. A1.4, is accessible to readers via a


Fig. 21. Simulation results of a gas leak process inside the container. (a) Fuel cell leak that starts at 0:30 and a minute later the concentration reaches 10% of LFL. (b) Electrolyzer leak that starts at 0:30 and at 04:00 the concentration reaches 10% of LFL. In both cases, once the concentration reaches the alarm level, the safety system turns off the fuel cell and electrolyzer, closes the fuel cell H2 supply and raises the ventilation flow rate.

GitHub repository [46]. Additionally, the study establishes the reliability of the gas detection system, affirming its adherence to safety integrity level SIL-2 based on risk analysis and recommendations from the specialized inspection and certification company overseeing RECIF installation validation.

The operation of the forced ventilation system is presented in detail, along with a thorough description of the instrumentation used for malfunction detection. Furthermore, the simulations conducted demonstrate that the safety system promptly detects and stops any leaks inside the container, effectively reducing the gas concentration to negligible levels.

The study also presents valuable lessons learned from the design and commissioning of the installation, providing guidance for future projects, especially for laboratories or research centers aiming to implement a system that integrates a hydrogen chain.

The next step in this research will involve completing the commissioning of the PV panels and operating the micro-grid under various conditions, while utilizing different optimization algorithms. This will allow for the validation of the theoretical work already performed as part of the RECIF program.

As final remarks, from a techno-economic standpoint, hydrogen technology’s promising future rests on its potential for growth in diverse sectors. Advancements in production, storage, and fuel cell efficiency will drive broad adoption, reinforced by supportive government policies and infrastructure investments that facilitate industry decarbonization and emission reduction. Additionally, ammonia’s adoption as a refrigerant is expected to rise in the small and medium refrigeration systems market [60], enhancing component availability and affordability. This shift also aligns with the focus on environmental impact reduction, a critical aspect of modern energy systems.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgements

This study was funded by the French National Research Agency (ANR) under project identifier ‘ANR-18-CE05-0043’. The author wishes to acknowledge the partners of RECIF project: H2SYS (fuel cell integrator, France), FCLAB (Fuel cell laboratory, CNRS, Franche-Comté University, France) and PROMES laboratory (CNRS, France). Special thanks to Pascal Ortega (GEPASUD laboratory, University of French Polynesia) and Fabien Harel (fuel cell research engineer, H2SYS scientific advisor).

A1 Appendix.

A1.1 H2 and NH3 flammability and occupational exposure limits

Table 11 summarizes the flammability and occupational exposure limits of hydrogen and ammonia. The practical limit of a refrigerant represents
the highest level of concentration in an occupied space that does not result in an acute adverse effect for emergency evacuation and does not create a
risk of refrigerant ignition. The ILV-8h (8-h vapor limit index, EU) and TWA (time-weighted average, USA) are the maximum average exposure on the
basis of 8 h/day, 40 h/week work. The ILV-15min and STEL (short-term exposure limit, USA) are a 15-min exposure that should not be exceeded
during a workday. The SER-1 min. (1-min reversible effects threshold) represents the maximum exposure during 1 min that does not cause any lasting
health effects. Finally, the SP (perception threshold) refers to the lowest concentration that a person can detect through senses; its low value indicates
that ammonia can be detected by smell before it could produce any negative effect on the health.


Table 11
Flammability and occupational exposure limits for hydrogen and ammonia. Note: the unit ‘kg/m3’ refers to mass of gas divided by the volume of air/gas mix. The last six parameters refer to occupational exposure limits.

| Parameter | H2 [61] | NH3 |
|---|---|---|
| CAS number | 1333-74-0 | 7664-41-7 |
| Lower flammability limit (LFL) | 4% v/v; 40,000 ppm; 0.003,560 kg/m3 | 16% v/v [62]; 160,000 ppm; 0.116 kg/m3 |
| Upper flammability limit (UFL) | 77% v/v; 770,000 ppm; 0.068,500 kg/m3 | 25% v/v [62]; 250,000 ppm; 0.187 kg/m3 |
| Auto-ignition temperature | 560 °C | 630 °C ([33], Annex E) |
| Practical limit | n/a | 0.05% v/v; 467 ppm; 0.000,350 kg/m3 ([33], Annex E) |
| ILV 8h (EU) | n/a | 20 ppm |
| TWA (USA) | n/a | 25 ppm |
| ILV 15 min. (EU) | n/a | 50 ppm |
| STEL (EU) | n/a | 35 ppm |
| SER 1 min (France) | n/a | 280 ppm [62] |
| SP (France) | n/a | 5–50 ppm [62] |

A1.2 P&ID components list

Table 12 shows the list of all the elements found in the P&ID of Figs. 5–9.

Table 12
P&ID components list.

Code Description Function

FCV 001 Check valve Prevents flow from fuel cell toward H2 tank
FCV 002 Check valve Prevents flow from H2 tank toward electrolyzer
FSV 001 Ball valve H2 manual emergency relief valve.
FT 001 H2 flow transmitter H2 gas flow measurement
FT 101 Flow transmitter Fuel cell/electrolyzer/thermo-chemical reactor cooling system
FT 102 Flow transmitter Thermo-chemical prototype, chiller circuit
FV 001 Gate valve H2 tank isolation
FV 002 Solenoid valve Enabling of H2 flow to fuel cell
FV 003 Ball valve Downstream purge
FV 004 Ball valve Upstream purge
HX 101 Air-water heat exchanger Heat removal from fuel cell/electrolyzer/thermo-chemical reactor
HX 102 Water-glycol/air heat exchanger Thermo-chemical prototype, chiller
P 101 Water pump Water pumping from 1m3 water tank to demineralizer
P 102 Water pump Fuel cell/electrolyzer/thermo-chemical reactor cooling system
P 103 Water-glycol pump Thermo-chemical prototype, chiller circuit
PG 001 Pressure gauge H2 tank pressure measurement & display
PG 002 Pressure gauge Fuel cell inlet pressure measurement & display
PG 003 Pressure gauge N2 cylinder pressure measurement & display
PG 004 Pressure gauge N2 pressure regulator, pressure measurement & display
PSV 001 Pressure safety valve H2 tank overpressure protection (60 bar)
PSV 002 Pressure safety valve Fuel cell overpressure protection (15 bar)
PT 001 Pressure transmitter (4.20 mA) H2 tank pressure measurement
PV 001 Downstream pressure regulator Fuel cell input pressure regulation
PV 002 Downstream pressure regulator N2 pressure regulation
TE 101 Thermocouple Electrolyzer cooling system, water inlet temperature
TE 102 Thermocouple Electrolyzer cooling system, water outlet temperature
TE 103 Thermocouple Fuel cell cooling system, water inlet temperature
TE 104 Thermocouple Fuel cell cooling system, water outlet temperature
TE 105 Thermocouple HX 101 heat exchanger, fluid temperature
TE 106 Thermocouple HX 101 heat exchanger, fluid temperature
TE 107 Thermocouple Thermo-chemical reactor, water inlet temperature
TE 108 Thermocouple Thermo-chemical reactor, water outlet temperature
TE 109 Thermocouple Thermo-chemical prototype, chiller circuit, “cold” temperature
TE 110 Thermocouple Thermo-chemical prototype, chiller circuit, return temperature
TT 001 Temperature transmitter (4.20 mA) H2 temperature measurement
X 001 H2 tank, 850 L H2 storage
X 002 Micron filter Dirt & debris removal from H2 circuit
X 003 Water tank, 1m3 Electrolyzer feed water
X 004 Bulkhead union fitting Wall crossing for H2 tube toward fuel cell
X 005 Tube gland Wall crossing for water tube toward electrolyzer
X 006 Gas diffuser Fuel cell purge

X 007 Nitrogen cylinder Piping passivation
X 101 Water tank, 100 L Demineralized water storage
X 102 Water demineralizer Water demineralization before storing in X 101 reservoir
X 103 Tube gland Water return from dryer to 1m3 water tank
X 106 Bulkhead union fitting Wall crossing for H2 tube from electrolyzer
X 107 Bulkhead union fitting Wall crossing for fuel cell purge
X 108 Tube gland Wall crossing for electrolyzer & dryer H2 purge
X 109 Tube gland Wall crossing for electrolyzer O2 purge
X 111 Flexible tube Flexible connection of fuel cell H2 gas inlet.

A1.3 Periodic tests

Table 13 shows the list of periodic tests of RECIF installation.

Table 13
Safety system periodic tests. A blank Period cell means the period of the row above applies.

| Element | Period | Notes |
|---|---|---|
| Visual & sound alarm | Beginning of every experimentation | Actuation of selector switch mounted on the door of CAB-2 (-S.2.45). |
| Safety system electrical cabinet lamp test | | Same actuation as “emergency extractors test” (-S.2.03). |
| Emergency extractors test | | Actuation on dedicated selector switch mounted on the door of CAB-2 (-S.2.03). |
| ‘SCADA - safety system’ interface relay | Monthly | Actuation on a test button to energize interface relay. |
| Search for gas leaks | | Use of gas leak detector. |
| Stop buttons: 1. machine room 2. outside container 3. inside container | 6 months | Manual action on corresponding buttons. |
| Gas transmitters | | Bump tests using calibrated sample gas bottles. |
| Power disconnection toward container | | Specific protocol to rule out soldered contacts of relays & |
| Extractors thermistor thermal protection | Annual | Actuation on test buttons on thermistor relays. |
| Extractors motors circuit breakers test | | Actuation on test buttons on motor circuit breakers. |
| Verification of airflow | | Use of anemometer at the container air intake openings. |
| Smoke detector inside container | | Use of smoke detector test equipment. |
| Fire alarm call point | | Manual action on button. |
| Hydrogen supply solenoid valve (FV 002) | | Specific protocol to rule out valve internal leak. |
| Emergency manual H2 discharge valve (FSV 001) | | Specific protocol to rule out valve jamming. |
| Earth resistance verification (piping, instruments, container, fenced enclosure, metallic doors, etc.) | | Use of an earth ground resistance tester. |
| Insect barrier at tube outlets | | Visual inspection. |
| Pressure relief valves (PSV 001 @ 60 bar, PSV 002 @ 15 bar) | 3 years | Use of N2 cylinder X007 (see Fig. 5, coord. B4). |

A1.4 Supplementary material

Listed below is additional information available to the reader in a GitHub repository [46], which includes:

- All the electrical diagrams (power and control), including the brand and model of all the components (bill of material).
- The description of the safety PLC programming code developed in Ladder language, accompanied by the corresponding PLC project file (using ABB
Pluto Manager software [58]).
- The descriptive system document for the intrinsically safe circuits (according to IEC 60079-25 [43]).
- The project file created with SISTEMA tool [49] used to compute the safety system reliability.
- A list of all ATEX equipment, including brand, model and ATEX marking.
- The complete study of the evolution of the gas concentration inside the container due to a gas leak, with the corresponding Matlab/Simulink files.

A1.5 Thermochemical prototype operating modes

Table 14 describes the operating modes of the thermochemical prototype, composed of an MVC unit (i.e. evaporator, compressor, condenser,
reservoir and throttling valve) that uses NH3 as refrigerant and a BaCl2 TR for energy storage and deferred cold production. The TR recovers heat from
the electrolyzer and fuel cell and transforms it into chemical potential energy that is used later to produce a cooling effect without the need to run the
electrical compressor.


Table 14
Thermochemical prototype operating modes.

| Operating mode | Reactor state | NH3 compressor | Chiller (HX102) | V01 | V02 | V03 | V04 | Notes |
|---|---|---|---|---|---|---|---|---|
| Traditional air conditioning | Not in use | ON | ON | Closed | Closed | Open | Open | Traditional MVC cycle: evaporator → compressor → condenser → reservoir → evaporator. |
| Storage (i.e. heat recovery) | Desorbing (NH3 leaving the reactor) | OFF | OFF | Open | Open | Closed | Closed | The salt/NH3 pair inside the TR is heated thus the NH3 gas leaves the TR (endothermic reaction), passes through the condenser and accumulates into the liquid reservoir. |
| Cooling production from storage energy | Synthesis (NH3 entering the reactor) | OFF | ON | Open | Closed | Closed | Open | The accumulated liquid NH3 evaporates and returns to the TR to react with the salt in an exothermic manner (hence the need for cooling using HX101). |



