ABSTRACT

Title of Thesis: IDENTIFYING RISK SCENARIOS OF A SOLID OXIDE ELECTROLYSIS FACILITY FOR HYDROGEN PRODUCTION AT NUCLEAR POWER PLANTS

Victoriia Grabovetska
Master of Science, Reliability Engineering, 2025

Thesis Directed by: Associate Professor Katrina M. Groth
University of Maryland, Reliability Engineering

Solid Oxide Electrolysis (SOE) is a developing technology for the production of clean hydrogen. SOE is a key technology used in a high temperature electrolysis facility, named for the high temperature steam at the inlet of the electrolyzer stack. The required steam temperature of 750 °C can be provided via thermal energy from a Nuclear Power Plant (NPP), which also reduces the electricity required to produce the hydrogen. At present, the U.S. government and industry are researching and testing SOE designs connected to NPPs to enable commercial-scale system hydrogen production at NPPs. Commercial SOE facilities have the potential to produce clean hydrogen at a high efficiency and to enable more flexible operating paradigms for NPPs. The deployment of these systems requires a more robust understanding of the operational hazards of the SOE facility's design. However, to date the published literature has not presented a detailed description of the relevant hazards.

This work adds to the growing body of engineering knowledge about hydrogen production facilities by identifying a comprehensive list of failure modes, mechanisms, and consequences. We describe our approach for conducting this analysis and document the SOE system we analyzed. To understand the hazards, a failure modes and effects analysis (FMEA) was conducted on a high temperature electrolysis test facility with a maximum power input of 25 kW and hydrogen production rate of 0.726 kg/hr developed at INL. All identified risk significant scenarios leading to the consequences of membrane degradation, hydrogen and oxygen mixing, hydrogen release, or nitrogen release are discussed. We identified system components that contribute to the most high-risk scenarios and proposed mitigation strategies to reduce these risks. These results were used to develop fault tree structures at a high level of abstraction to identify significant combinations of failures within the system. We created an enumerated list of risk significant scenarios.

This research will assist hydrogen stakeholders in making informed design choices to ensure safety and reliability in the continued development and deployment of SOE technologies. In the future, these results have the potential to be scaled to commercial SOE facility designs. The research provides a starting point for a comprehensive quantitative risk assessment needed to establish the risk-informed regulatory foundations that will ensure the safe and reliable deployment of solid oxide electrolysis coupled to nuclear power plants.

IDENTIFYING RISK SCENARIOS OF A SOLID OXIDE ELECTROLYZER SYSTEM FOR HYDROGEN PRODUCTION AT NUCLEAR POWER PLANTS

by

Victoriia Grabovetska

Thesis submitted to the Faculty of the Graduate School of the University of Maryland, College Park in partial fulfillment of the requirements for the degree of Master of Science 2025

Advisory Committee:
Associate Professor Katrina M. Groth, Chair/Advisor
Professor Mohammad Modarres
Assistant Professor Yunfei Zhao

© Copyright by Victoriia Grabovetska 2025

Acknowledgments

I owe my gratitude to all the people who have made my graduate experience one that I will cherish forever. Being a student provides an opportunity to be endlessly curious about a variety of topics, and I knew I wasn't ready to end that chapter of my life just yet. With the knowledge that there was still so much I didn't know about the world of engineering, I embarked on my graduate school journey. Now, as I reflect on my time at the University of Maryland, I am confident this was the right decision.

First, I would like to thank my advisor, Dr. Katrina Groth, for recognizing my potential as an undergraduate and introducing me to the field of reliability engineering. Your determination, work ethic, and ambition will always inspire me. I am grateful for the opportunity to work on a project that was both valuable to your lab and incredibly interesting to me.

I would also like to thank my committee members Dr. Mohammad Modarres and Dr. Yunfei Zhao. I have learned a lot from both of you, whether it was from your courses or discussions with you about your own research and career paths. I will carry this knowledge with me into the next chapters of my life.

A special thank you to all of the members of the SyRRA Lab, especially Samantha Wismer, Lauren Reising, Matthew Paul, Ava Gholipour, and Cristian Schaad for providing support and feedback on my work. Samantha, thank you for being an amazing student mentor and helping me learn so much about electrolyzers. Thank you all for the wonderful conversations, lab dinners, and being a fantastic group of people to work with.

Thank you to my friends for being the best support system. A special thank you to Elizabeth for being my best friend and always reminding me that it is okay to take a break when I need one.

Most importantly, I would like to thank my parents, Oleksandr and Iryna. Both of you are some of the most hardworking people I know and I will always be grateful for the opportunities you were able to provide me as a child. Your love, support, and endless faith in me have helped me become the person I am today. I have achieved more than I knew was possible because of your encouragement. And I hope I can continue to make you proud.

Lastly, this research was funded in part by the Department of Defense Science, Mathematics, and Research for Transformation (SMART) Scholarship-for-Service Program and the Department of Energy's Nuclear Energy University Program (NEUP) under grant DE-NE0009406.
Any opinions, findings, and conclusions expressed in this presentation are those of the author and do not necessarily reflect the views of the funding agencies or any other organization.

Table of Contents

Acknowledgments
Table of Contents
List of Tables
List of Figures
List of Abbreviations
Chapter 1: Introduction
  1.1 Motivation and Context
  1.2 Objective
  1.3 Approach
    1.3.1 Task 1: Document the current state of the art of Solid Oxide Electrolysis technology and risk modeling by conducting a literature review
    1.3.2 Task 2: Establish a detailed Solid Oxide Electrolysis facility based on publicly available information gathered in the literature review
    1.3.3 Task 3: Identify component failure modes and risk scenarios for a Solid Oxide Electrolyzer facility by conducting and documenting a comprehensive FMEA
    1.3.4 Task 4: Identify significant areas of failure within the system via high level fault tree analysis
  1.4 Technical Contributions
  1.5 Thesis Structure
Chapter 2: Background
  2.1 Current Challenges of Solid Oxide Electrolysis
  2.2 Current State of SOE Risk Modeling
  2.3 Current State of Nuclear-SOE Integration
  2.4 Knowledge Gaps, Opportunities for Research, and Approach
Chapter 3: System Description
  3.1 Definition of Solid Oxide Electrolysis
  3.2 Design of a Solid Oxide Electrolysis Facility
    3.2.1 System Process Description
    3.2.2 System Operating Conditions
  3.3 Hydrogen Production at a Nuclear Power Plant
Chapter 4: Identify Component Failure Modes and Risk Scenarios for a Solid Oxide Electrolyzer Facility
  4.1 Introduction
  4.2 Approach for conducting the FMEA
    4.2.1 Methodology
    4.2.2 Scope
    4.2.3 Failure Modes, Mechanisms and Consequences
    4.2.4 Risk Ranking
    4.2.5 Analysis Approach
  4.3 Results: Failure Scenarios for a Solid Oxide Electrolyzer test facility by Functional Group
    4.3.1 Functional Group 1: Water supply and Steam Generation Scenarios
    4.3.2 Functional Group 2: High Temperature Electrolysis Scenarios
    4.3.3 Functional Group 3: Oxygen Processing and Production Scenarios
    4.3.4 Functional Group 4: Hydrogen Production and Recycle Scenarios
    4.3.5 Functional Group 5: Nitrogen Supply Scenarios
    4.3.6 Functional Group 6: Chilled Water Supply Scenarios
    4.3.7 Functional Group 7: Safe Gas Supply Scenarios
  4.4 Discussion and Conclusions
    4.4.1 Insights from the Risk Scenarios
    4.4.2 Synthesized List of Critical Risk Scenarios
    4.4.3 Conclusions
Chapter 5: Identify Critical Combinations of Failure Modes for a Solid Oxide Electrolyzer Facility
  5.1 Introduction
  5.2 Methodology and Approach
  5.3 Results: Fault Tree Structures for a Solid Oxide Electrolyzer Test facility
    5.3.1 Leak of 95% Steam, 5% Hydrogen Mixture during Normal Operation
    5.3.2 Minor Release of Hydrogen during Normal Operation
    5.3.3 Major Release of Hydrogen during Normal Operation
    5.3.4 Membrane Degradation during Normal Operation
    5.3.5 Oxygen and Hydrogen Mixing Outside of Normal Operation
    5.3.6 Release of Nitrogen Outside of Normal Operation
  5.4 Discussion and Conclusions
    5.4.1 Insights from the Hydrogen Release Fault Trees and Minimal Cut Sets
    5.4.2 Insights from the Membrane Degradation Fault Tree and Minimal Cut Sets
    5.4.3 Insights from the Hydrogen and Oxygen Mixing Fault Tree and Minimal Cut Sets
    5.4.4 Insights from the Nitrogen Release Fault Tree and Cut Sets
    5.4.5 Conclusions
Chapter 6: Summary, Contributions and Opportunities for Future Work
  6.1 Summary of Research and Contributions
  6.2 Publications and Presentations
    6.2.1 Peer-reviewed Journal Publications
    6.2.2 Reports and Presentations
  6.3 Opportunities for Future Work
  6.4 Broader Research Impact
Appendix
Bibliography

List of Tables

3.1 Component IDs for the SOE Facility
3.2 SOE facility operating conditions
4.1 Sensor control logic for the SOE facility
4.2 Primary failure modes considered in analysis adapted from West et al. [40]
5.1 Minimal cut sets of the 95% Steam 5% Hydrogen Release fault tree
5.2 Minimal cut sets of the Minor Hydrogen Release fault tree
5.3 Minimal cut sets of the Major Hydrogen Release fault tree
5.4 Minimal cut sets of the Membrane Degradation fault tree
5.5 Minimal cut sets of the Oxygen and Hydrogen Mixing fault tree
5.6 Minimal cut sets of the Nitrogen Release fault tree

List of Figures

1.1 Thesis task breakdown
3.1 Example Planar SOE Cell Configuration
3.2 25 kW SOE test facility at INL [16]
3.3 SOE Facility P&ID adapted from O'Brien et al. [16]
3.4 Simplified PFD for SOE Facility
4.1 A summary of the FMEA process
4.2 Risk Matrix used by Wismer et al. [36]
4.3 Identified failure scenarios organized by functional group
4.4 Summary of Functional Group 1 risk ranked scenarios by component type
4.5 Summary of Functional Group 2 risk ranked scenarios by component type
4.6 Summary of Functional Group 3 risk ranked scenarios by component type
4.7 Summary of Functional Group 4 risk ranked scenarios by component type
4.8 Summary of Functional Group 5 risk ranked scenarios by component type
4.9 Summary of Functional Group 6 risk ranked scenarios by component type
4.10 Summary of Functional Group 7 risk ranked scenarios by component type
5.1 Primary event and gate symbols used in the construction of these fault trees adapted from Modarres and Groth [35]
5.2 Overview of the 95% steam 5% hydrogen release fault tree for normal operating conditions
5.3 Overview of the minor hydrogen release fault tree for normal operating conditions
5.4 Overview of the major hydrogen release fault tree for normal operating conditions
5.5 Overview of the membrane degradation fault tree for normal operating conditions
5.6 Overview of the oxygen and hydrogen mixing fault tree for outside of normal operating conditions
5.7 Overview of the nitrogen release fault tree for outside of normal operating conditions

List of Abbreviations

BWR    Boiling Water Reactor
DI     Deionized
FMEA   Failure Modes and Effects Analysis
FG     Functional Group
H2     Hydrogen
HAZOP  Hazard and Operability Analysis
HTGR   High Temperature Gas Reactor
HTEF   High Temperature Electrolysis Facility
HTSE   High Temperature Steam Facility
INL    Idaho National Laboratory
kW     Kilowatt
MMT    Million Metric Ton
NPP    Nuclear Power Plant
O2     Oxygen
P&ID   Piping and Instrumentation Diagram
PEM    Proton Exchange Membrane
PFD    Process Flow Diagram
PRA    Probabilistic Risk Assessment
PWR    Pressurized Water Reactor
QRA    Quantitative Risk Assessment
SLPM   Standard Liter per Minute
SOE    Solid Oxide Electrolysis
SOEC   Solid Oxide Electrolysis Cell

Chapter 1: Introduction

1.1 Motivation and Context

Hydrogen technologies stand to play a crucial role in the transition to renewable energy, reduction of greenhouse gas emissions in high-carbon emitting sectors, and achieving net zero emissions by 2050 [1]. Currently, approximately 95% of hydrogen production in the United States relies on steam methane reforming [2]. However, this production method produces a significant amount of carbon dioxide due to the reliance on fossil fuels. With global demand for hydrogen projected to range between 115 and 130 MMT by 2030, the continued development of electrolyzer technology is essential for meeting these needs [3]. Clean hydrogen is produced from water electrolysis coupled with a clean source of electricity. Three types of electrolysis technologies are in various stages of commercialization for deployment with clean energy sources. Specifically, Solid Oxide Electrolysis (SOE) integrated with nuclear power can efficiently produce clean hydrogen while also supporting numerous sectors' transition away from fossil fuels.

SOE is a key technology for integrating high-temperature steam electrolysis (HTSE) facilities, also known as high-temperature electrolysis facilities (HTEF), with clean energy sources.
The required steam temperature of 750 °C can be provided via thermal energy from a Nuclear Power Plant (NPP), which also reduces the electricity required to produce the hydrogen [4]. Incorporating SOE technology with NPPs is advantageous because the HTEF effectively utilizes excess thermal and electrical energy generated by an NPP to produce high-purity hydrogen. Additionally, during periods of high electricity demand, a reversible solid oxide electrolyzer operated in fuel cell mode can use hydrogen as a fuel to produce electricity for the power grid [5]. SOE technologies offer favorable thermodynamics and reaction kinetics, leading to a higher conversion efficiency and reduced electricity demand for hydrogen production when compared to other electrolyzer technologies [2, 6, 7]. Conversely, Proton Exchange Membrane and Alkaline electrolyzers operate at a lower temperature and require more electrical energy input to split liquid water into hydrogen and oxygen. SOE is a highly efficient technology for meeting projected demands, especially with research efforts driving development towards megawatt and gigawatt capacities.

The U.S. Department of Energy and Idaho National Laboratory (INL) are actively researching and testing SOE systems in anticipation of commercial-scale system developments at NPPs [5, 8–10]. SOE facilities have the potential to produce clean hydrogen at a high efficiency and to enable more flexible operating paradigms for NPPs. However, nuclear-integrated hydrogen plants are complex engineered systems that have not been fully analyzed from a risk assessment perspective. Research on SOE technology has yet to address one of the fundamental questions of risk analysis: what can go wrong? To date, most electrolyzer risk and reliability research has focused narrowly on identifying materials that enhance the performance and durability of the electrolyzer stack, to extend the lifespan and further increase efficiency [11–13]. However, while the electrolyzer stack is a critical component of the electrolyzer system, the full-scale electrolyzer system also includes a balance of plant, comprising all of the auxiliary equipment that supplies process medium to the stack, which is often neglected. The balance of plant is responsible for ensuring the electrolyzer stack's ability to safely and reliably produce high-purity hydrogen [14, 15]. Moreover, the design of the balance of plant introduces unique components and operating conditions that may result in complex failure events, which have not been fully addressed.

This thesis aims to identify and characterize relevant component failure modes, mechanisms, and risk scenarios for SOE. We start by conducting a failure modes and effects analysis (FMEA) following a standardized process on a detailed, publicly available SOE facility design. Furthermore, we accounted for the co-location of an SOE facility with an NPP by including risk scenarios that could arise outside of normal operation. For example, NPPs may provide variable thermal and electrical energy to SOE facilities, resulting in various operational states, including hot standby, startup, and shutdown. The risk scenarios associated with these operational states serve as a basis for understanding the potential interactions between an SOE facility and an NPP. The results of the FMEA are leveraged in developing fault tree structures at a high level of abstraction to identify combinations of critical component failures and discuss the key safety controls within the system. By identifying risk scenarios and constructing high-level fault tree logic models, we have built both critical insights for early deployment decisions and the foundation for a comprehensive quantitative risk assessment (QRA) of an SOE facility. In the future, these results have the potential to be scaled to commercial SOE facility designs and establish the risk-informed regulatory foundations that will ensure the safe and reliable deployment of SOE technologies.

1.2 Objective

The objective of this research is to identify component failure modes and risk scenarios for a solid oxide electrolyzer to inform hydrogen system development and provide the foundations for a future QRA by conducting and documenting a comprehensive FMEA on an SOE facility coupled to an NPP. To achieve this goal, the work was divided into four separate tasks as follows:

1. Document the current state of the art of Solid Oxide Electrolysis technology and risk modeling by conducting a literature review
2. Establish a detailed SOE facility based on publicly available information
3. Identify component failure modes and risk scenarios for an SOE by conducting a comprehensive FMEA
4. Identify significant areas of failure by developing fault trees at a high level of abstraction

The tasks, results, and impact of the work are summarized in Figure 1.1.

Figure 1.1: Thesis task breakdown

1.3 Approach

1.3.1 Task 1: Document the current state of the art of Solid Oxide Electrolysis technology and risk modeling by conducting a literature review

For Task 1, we conducted a literature review on the current state of knowledge related to SOE, risk modeling, and system integration of SOE facilities with NPPs. A thorough review of SOE technology aided in gaining a deeper understanding of the complexity and unique aspects of the system. Reports published by INL provided the basis for understanding how the excess thermal energy can be extracted from an NPP for use in co-located facilities, such as HTEFs [9, 10]. We built upon the literature review conducted by Al-Douri and Groth [15] that identified research opportunities in electrolysis risk and reliability. From the expanded literature review, we learned that there are a limited number of analyses on SOE risk modeling. We also identified that designs for hydrogen-nuclear integration thus far have only proposed heat extraction systems, which reside on the nuclear island, for transferring the necessary thermal energy to the hydrogen facility. We identified current research gaps and established our approach to address the specific gap of a lack of well-documented insights from a comprehensive and rigorous risk scenario identification process to inform QRA.

1.3.2 Task 2: Establish a detailed Solid Oxide Electrolysis facility based on publicly available information gathered in the literature review

In Task 2, we synthesized the knowledge acquired in Task 1 to adapt a publicly available SOE design and conduct our analysis. A diagram of a 25-kW input power test-bed design published by O'Brien et al. [16] was selected because the design provided the level of detail necessary for the analysis. Additionally, O'Brien et al. [16] provided a detailed system description, nominal operating conditions for the 25-kW testing, and photos of the system configuration which aided in our understanding of the system. We modified the original design to include necessary sensors that would be present in the safety and control system of large-scale facilities. We defined a new system boundary in an effort to account for all of the components that would be present in a containerized SOE facility. Next, we decomposed the system into functional groups based on the primary purpose of each component to better visualize the system's process flow. As a result, we established a 25 kW SOE facility design with all of the necessary information to inform QRA and aid in the scalability of key insights to commercial-scale system designs.

1.3.3 Task 3: Identify component failure modes and risk scenarios for a Solid Oxide Electrolyzer facility by conducting and documenting a comprehensive FMEA

Task 3 consists of four sub-tasks: assembling the FMEA team, conducting the analysis, synthesizing and validating the results. We assembled the FMEA team using five experts whose combined knowledge included hydrogen system safety and low temperature water electrolysis system risk and reliability. To assemble the knowledge base, we developed a system reference guide to outline the functional group system description, the risk ranking, and a taxonomy for the failure modes, mechanisms, and consequences. In the analysis, the consequences we considered were hydrogen release, nitrogen release, hydrogen and oxygen mixing, and membrane degradation leading to significant system downtime. We selected these consequences due to the risks they can potentially pose to facility personnel, user, and general population safety. We further refined the risk scenarios by collaborating with the experts from INL who work directly with the test-bed SOE facility, such that we could produce detailed scenarios that reflect normal system operations. We synthesized the results to document the 65 critical risk scenarios that could be utilized by engineers and scientists as they continue to iterate on the design of SOE facilities coupled to NPPs.

1.3.4 Task 4: Identify significant areas of failure within the system via high level fault tree analysis

In Task 4, we establish the high-level failure understanding and logic of the analyzed SOE system by developing fault tree logic models at a high level of abstraction. Each potential consequence of interest, such as hydrogen release, hydrogen and oxygen mixing, membrane degradation, or nitrogen release, became a top event in a fault tree logic model. We leveraged the FMEA results to categorize component failures by consequence type. Then, Boolean logic was employed to model how various component interactions led to a specific top event. Additionally, the fault tree logic models visually displayed combinations of critical component failures and highlighted the significant safety controls that are necessary to mitigate the occurrence of undesired system failures. These results provided a basis for subsequent quantification of the fault tree structures in an effort to prioritize key safety measures and the reliability of specific areas of the system to inform future iterations of SOE facility designs.

1.4 Technical Contributions

Compared to previous work, the key technical contributions of this work are:

• Contribution 1: SOE Facility Failure Modes and Causes. The development of a comprehensive set of relevant failure modes for over 80 components of an SOE facility spanning water supply and steam generation, electrolysis stack, oxygen processing and production, hydrogen production and recycle, and additional critical functional groups. Through the FMEA process, we also qualitatively evaluated the likelihood of occurrence and severity of each component failure mode to classify the risk posed to the overall SOE system. For each component and its failure modes, we provide the number of high- and medium-risk scenarios.

• Contribution 2: Critical Risk Scenarios List for an SOE Facility. We synthesize a list of the 65 most critical risk scenarios from over 650 risk scenarios we identified. These critical risk scenarios apply to an SOE facility both during normal operation and outside of normal operation. We have provided a readily available record of critical scenarios, which are fully discussed and elaborated upon within the FMEA documentation.

• Contribution 3: Basis for QRA for an SOE Facility. We created system failure understanding and logic that provide the foundation for QRAs needed to establish the regulatory foundations to ensure the safe and reliable deployment of solid oxide electrolysis. We developed fault trees to identify combinations of critical component failures and visually display the relevant component failure modes that result in specific undesired system failures which can pose undue risk, as a basis for subsequent quantification in QRA.

In all, we were able to contribute to the overall state of knowledge of SOE system failure in an effort to support the rollout of early stage deployments and lay the foundations for informing future design and siting recommendations with QRA.

1.5 Thesis Structure

The remainder of this document is structured as follows. Chapter 2 contains background information on SOE technology and a literature review on the current efforts in SOE risk modeling and hydrogen-nuclear integration. Then, Chapter 3 provides a piping and instrumentation diagram (P&ID) and complete system description, including operating conditions, for the 25-kW test-bed design used in our analysis. Chapter 4 presents the risk scenarios identified via a comprehensive FMEA. Then, the results of the FMEA are leveraged to develop fault trees at a high level of abstraction. The high-level failure logic for our system is also presented in Chapter 5. Lastly, Chapter 6 concludes with a brief summary of the project, its impact, a list of completed and expected publications, and opportunities to extend the work further.

Chapter 2: Background

2.1 Current Challenges of Solid Oxide Electrolysis

SOE is an emerging technology in the research and development phase, aiming to enable large-scale hydrogen production. High degradation rates due to the intrinsic properties of the electrolyzer stack impact the performance and efficiency over time.
Multiple studies have in- vestigated and summarized the impacts of degradation on electrolyzer stack performance [17– 20]. However, component failures within the balance of plant have the potential to cause or ac- celerate degradation that could lead to irreparable damage to the electrolyzer stack. A limited number of available works briefly discuss how failures in the overall facility negatively impacted the electrolyzer stack. Ghezel-Ayagh [21] noted that steam starvation due to faulty control of the humidifier resulted in severe irreparable damage to the electrolyzer. Aicart et al. [22] also briefly discussed the series of events, including human error, and controlled and uncontrolled facility shutdowns that resulted in irreversible degradation of the electrolyzer stack. Mougin et al. [23] also noted that the system underwent several unplanned events, one of which was caused by failures of the steam supply. However, even though these events impact the behavior and temperature evolution of the stack, they were not considered in the degradation analysis. Lang et al. [24] focused on the long-term behavior of a solid oxide electrolyzer in electrolysis and fuel cell operation modes. They mention that the stack experienced 3 startup and shutdown cycles 11 due to facility issues, however in their analysis they did not consider the impact of these events on stack performance. Although failure events within the facility were the cause of pronounced electrolyzer stack degradation and failure, current research efforts remain focused on improving the stack materials and design. Research efforts are evaluating the electrochemical performance and conducting post-mortem analyses of electrolyzer stacks to improve current designs. Frey et al. [25] conducted a 20,000- hour test on a two-layer solid oxide electrolyzer stack at 800 ◦C and -0.5 A/cm2. Through elec- trochemical characterization, they concluded that increasing ohmic resistance was the leading degradation mechanism. 
Visual inspection after stack dissection revealed signs of burning in the second layer of the stack and partial delamination of the air electrode due to chromium poisoning from the uncoated metal foil at the ends of the cell. In practical applications, the damage and delamination lead to significant decreases in stack efficiency and would ultimately require stack replacement. While there are valuable insights from studying a two-layer SOE stack, practical applications require analysis and testing of larger electrolyzer stacks and the parallel coupling of multiple stacks to achieve gigawatt capacities. An increasing number of cells introduces new challenges for electrolyzer stack reliability, including the homogeneity of cell performance and the durability of the interconnects.

Aicart et al. have published several studies conducting performance and post-mortem analyses of solid oxide electrolyzers with 25 cells, 30 cells, and four-stack modules. In the analysis of the 25-cell stack, they investigated the effect of 6,700 hours of normal operation on the cells, seals, and interconnects to assess durability [26]. The results indicated that the fuel electrode experienced nickel depletion, which resulted in significant performance loss. In their investigation of the 30-cell stack, two different electrolyzer stacks were tested under thermoneutral conditions, with temperatures ranging from 780 °C to 850 °C [22]. The first stack featured multiple cell variants and had a manufacturing defect that caused an internal gas leak early in testing. The subsequent mixing of gases resulted in the combustion of hydrogen and oxygen, which increased individual cell degradation and resulted in a stack lifespan of 6,800 hours. During the post-mortem analysis, the over-temperature caused by the combustion was identified as the likely cause of cell fractures in two other stack layers.
The second stack, which only used the best cell variants, exhibited a decreasing degradation rate, which resulted in a stack lifespan of approximately 11,500 hours. Aicart et al. [27] explored the performance of a reversible large stack solid oxide electrolysis module to determine the feasibility of further scaling up SOE technologies. Throughout the experiment, the reversible module demonstrated low performance dispersion and responded well to a fast current ramp rate. Collectively, this body of research provides valuable insights into the performance and longevity of SOE stacks and modules, reinforcing the feasibility of commercializing this technology for integration with clean sources of electricity. However, despite including process flow diagrams (PFDs) and test setup descriptions, their work falls short of providing a sufficient level of depth on the system necessary to conduct a QRA. Additionally, the decreases in performance identified in these studies are due to inherent features of the electrolyzer stacks, including quality and manufacturing defects. However, they do not consider how component failures within the balance of plant can induce these same or worse effects on the stack performance.

2.2 Current State of SOE Risk Modeling

Al-Douri and Groth [15] conducted a comprehensive literature review on the current state of risk and reliability analysis for electrolysis technologies. To date, existing research has focused on Proton Exchange Membrane (PEM) and Alkaline water electrolysis due to their broader commercial deployment. In their review, Al-Douri and Groth [15] identified only three publications addressing risk and reliability for SOEs. Bao et al. [28] developed a multi-physics model to evaluate the electrochemical performance and structural reliability of SOECs in an effort to optimize SOEC designs for hydrogen production without the need for significant testing.
The structural reliability analysis on a large area planar SOEC revealed a low rupture failure probability with minor localized potential damage under the chosen operating conditions. While it is important to characterize how normal operating conditions impact an SOEC’s structural integrity, they did not consider the impact of balance of plant component failures on operating conditions or the subsequent effects on SOEC operation. In another study, Cipolleta et al. [29] carried out an inherent safety assessment using process flow diagrams (PFDs) of alkaline, PEM, and reversible SOECs, each with a hydrogen production rate of 60.8 kg/hr. They considered three loss of containment scenarios, utilized event trees to identify potential release accident scenarios, and calculated two inherent safety indices. They concluded that SOE technology was the least inherently safe option due to its high operating temperature and increased compression requirements for hydrogen storage. However, they only considered hydrogen release, which highlights the need to study other consequences, including membrane degradation and hydrogen and oxygen mixing. Similarly, Glover et al. [30] performed a consequence analysis using a PFD of a large-scale HTEF. The study investigated the risk posed by an HTEF coupled with an NPP at a separation distance of 1 km. They briefly discussed the methodology of the hazard and operability analysis (HAZOP) used to identify leakage scenarios and provided a list of 15 operational state scenarios for various system sections. The full rupture consequence did not impact the fragility of target areas of the NPP, which led them to conclude that the separation distance can be safely reduced from 1 km. Each of these three studies contributes to the characterization of operational hazards of SOE systems under normal operating conditions.
However, due to limited system detail and lack of in-depth discussion of the identified failure scenarios in these analyses, they cannot support QRA efforts for SOE systems. QRA needs a comprehensive hazard identification of an SOE facility coupled with an NPP as a starting point.

2.3 Current State of Nuclear-SOE Integration

INL has developed designs for integrating SOE with NPPs. Westover et al. [10] developed conceptual designs for the integration with 100 MWe and 500 MWe high-temperature electrolysis plants linked to pressurized water reactors (PWRs). They selected a 4-loop Westinghouse PWR design, representative of the current NPP fleet in the USA, to create the preliminary integration design. Their work includes design details for the steam extraction, reboiler, and electrical systems necessary for the NPP to supply thermal and electrical power to the hydrogen production facility. However, they provide limited detail on the components and safety and control systems required to span the separation distance between the nuclear island and the high-temperature electrolysis facility. Without this design information, characterizing the critical component failure modes and postulating the resulting risk scenarios is a significant challenge.

As the next generation of reactors is being developed by companies like X-Energy and NuScale, Novotny et al. [9] have established preliminary P&IDs of advanced reactors coupled to high-temperature steam electrolysis facilities and oil refineries. These simplified P&IDs outline the heat extraction system and describe how deionized water is preheated using steam from the reactor. They also considered thermodynamic and electrical balance to justify the configurations and proposed the necessary adjustments to the nominal operation control scheme on the nuclear side. Through various projects, INL laid the groundwork for designing heat extraction systems that will assist in the deployment of SOE technologies at NPPs.
Heat extraction is critical to coupling SOE facilities to NPPs because nuclear steam cannot be used directly in electrolysis. Deionized water is required to produce high-purity hydrogen and ensure minimal degradation of the electrolysis facility components. Additionally, Agbaje et al. [31] investigated the design and operation of heat extraction systems for coupling boiling water reactors (BWRs) to high temperature electrolysis facilities. However, the lack of detail on the exact components needed to connect the heat extraction system to the SOE facility poses a challenge to characterizing the risks imposed by either system on the other.

Additionally, Vedros et al. [8] expanded their initial hazard assessment and probabilistic risk assessment (PRA), found in [32], to incorporate a heat extraction system and direct electrical connection to support co-location. Their FMEA was conducted at the system level, focusing exclusively on the hazards presented to the NPP. The subject matter experts identified hydrogen detonation at the HTEF as one of the primary hazards affecting the NPP. The PRA used generic PWR and BWR models, factoring in the thermal and electrical integration with HTEFs. The PRA results for co-location indicated that the core damage frequency increased minimally, with the largest increase being 7.7%. However, their work takes a conservative system-level approach by identifying a limited number of the high-consequence events that would lead to NPP damage. Focusing exclusively on the effects on NPP operation results in an analysis that considers only one direction of scenario evolution and therefore provides insights into only a subset of the overall risks.
By considering only the effect of various hydrogen detonations, steam pipe ruptures, and stacked SOE modules falling over, their analysis excludes both how a transient event in the NPP could negatively impact the SOE facility and how the balance of plant equipment can cause critical SOE system failures that could evolve to pose undue risk on the NPP. Therefore, it becomes crucial to characterize the failure modes of an SOE facility at the component level to help inform design choices and ensure the safe and reliable deployment of SOE technology.

2.4 Knowledge Gaps, Opportunities for Research, and Approach

The literature review examined ongoing efforts in SOE technology development, risk modeling, and integration of SOE facilities with NPPs. Groth et al. [33] highlighted that four of the ten barriers to wider adoption of hydrogen technologies, as identified by a U.S. Department of Energy survey, are closely linked to the concerns regarding the safe and reliable deployment of electrolysis technology. The International Association for Hydrogen Safety identified several opportunities for research to advance the state of hydrogen safety, including the need for electrolyzer risk analysis and the need for QRAs of electrolysis technology coupled to NPPs. The Hydrogen Systems Risk and Reliability Workshop identified electrolysis risk analyses with emphasis on the balance of plant as a key way to ensure reliable up-time of megawatt capacity facilities [14].

Al-Douri and Groth [15] summarized the extent of the knowledge gaps in water electrolysis risk and reliability. The first crucial gap involves the lack of dissemination of detailed SOE system designs. As the literature review highlighted, simplified PFDs including most of the major components are available; however, they lack sufficient detail on the temperature and pressure conditions, flow rates, and other key information required to inform a comprehensive QRA.
Risk analyses are highly design specific; therefore, detailed design information is essential to the scalability of early QRA insights to commercial systems. Additionally, some studies conducted analysis solely on an electrolyzer cell or stack; however, no studies conducted an analysis on the whole SOE system, which includes the balance of plant. This lack of system-level reliability modeling was another critical gap identified by Al-Douri and Groth [15]. Evaluating electrolysis reliability at the system level requires the consideration of the balance of plant to fully understand how an undesired system failure is initiated by a component failure within the balance of plant.

Our approach to address these gaps is described as follows and further elaborated upon in the following chapters. We began by reviewing and synthesizing the literature to select an SOE facility design with a sufficient level of detail in order to conduct our analysis. Using the P&ID provided in [16], we defined a new system boundary and all necessary safety and control systems, and compiled the relevant system operating conditions. We established a 25 kW SOE facility design with all of the necessary information to inform future QRA and aid in the scalability of key insights to commercial system designs. We rigorously documented our approach to conduct the FMEA by following the IEC 60812 (2018) FMEA standard [34] and guidance from Modarres and Groth [35] and Wismer et al. [36]. Lastly, we leveraged the results of the FMEA to create fault tree structures which describe the system failure understanding and logic at a high level of abstraction by following guidelines from Modarres and Groth [35] and the NUREG fault tree handbook [37]. We aim to address the identified gaps by providing a comprehensive set of failure modes and causes, a list of critical risk scenarios and a basis for QRA for an SOE facility.
Chapter 3: System Description

3.1 Definition of Solid Oxide Electrolysis

During high temperature electrolysis, a furnace is used to maintain the proper operating temperature of an SOE stack. The balance of plant supplies a mixture of steam and hydrogen into the cathode compartment of the stack. The steam is split into hydrogen and oxygen ions via the hydrogen evolution reaction at the boundary between the electrolyte and hydrogen electrode [13]. The presence of hydrogen at the inlet is needed to maintain the proper reducing conditions in an effort to minimize the occurrence of oxidation in the cathode compartment of the stack [16]. The produced hydrogen diffuses back into the gas flow and continues into the rest of the electrolyzer system for cooling, drying, compression and storage. Meanwhile, oxygen ions travel across the electrolyte to the anode, where they react to form oxygen gas and electrons via the oxygen evolution reaction [2, 13]. The balance of plant then supplies air to remove the oxygen gas from the anode of the electrolyzer stack. The mixture of air and oxygen gas then travels to the rest of the electrolyzer system either for storage or venting.

An SOE stack is made up of multiple Solid Oxide Electrolysis Cells (SOECs), which are connected in series. SOECs are classified based on their geometry and the type of ions they transport within the electrolyte [12]. SOECs can have either a tubular or planar design and one of three flow field patterns. Norman et al. [19] identify parallel, counter, and cross-flow as the most common patterns. Planar SOECs are more prevalent today due to their simpler geometry, which reduces manufacturing costs. Furthermore, SOECs are categorized according to the type of electrolyte used in the cell. The two main types of electrolytes are those that conduct oxygen ions or hydrogen protons.
Oxygen-ion conducting cells, known as O-SOECs, are the more widely used because the oxygen ions have shown higher migration rates and better performance under higher temperatures [12]. The design introduced in this section uses an oxygen-ion conducting SOE stack with a parallel flow pattern. In contrast, proton-conducting electrolytes, known as H-SOECs, are suitable for lower-temperature operation. However, no demonstration systems or industrial-scale applications have been reported for H-SOECs. Herein, we refer to O-SOECs as SOECs in the discussion.

Planar SOECs have a sandwich structure comprised of a cathode electrode, electrolyte, and anode electrode. A barrier layer is often introduced between the electrolyte and the anode electrode to account for differing thermal expansion coefficients and to prevent unwanted reactions at the interface. The state-of-the-art configuration typically consists of a nickel-based cermet cathode electrode, yttria-stabilized zirconia (YSZ) electrolyte, Ce1−xGdxO2−δ (CGO) barrier layer and an La0.6Sr0.4Co0.2Fe0.8O3−δ (LSCF) anode electrode [13]. While the exact size of each of these layers depends on the support configuration of the cell, the operation of the cell is unchanged. The configuration of a single planar SOEC is shown in Figure 3.1.

A set of SOECs is connected in series to form a solid oxide electrolyzer stack. A set of electrolyzer stacks can then be connected in parallel for large capacity industrial applications. The overall SOE system gains its name from the electrolyzer stack. The electrolyzer stack is responsible for reducing the steam into hydrogen and oxygen ions, but it cannot function without the balance of plant which supplies the process medium and electrical power. All of the components that make up the balance of plant ensure that the electrolyzer is operating within the proper parameters to ensure a long and safe system life.
Herein, we use the term electrolyzer to refer to the stack, while SOE system or facility refers to the balance of plant and the stack.

Figure 3.1: Example Planar SOE Cell Configuration

3.2 Design of a Solid Oxide Electrolysis Facility

The design used in this analysis is an SOE test facility with 25 kW maximum input power and hydrogen production rate of 0.726 kg/hr from O’Brien et al. [16]. INL has developed the facility to evaluate the performance of SOE stacks from various industry partners, including Bloom and OxEon. The facility is located inside one of their laboratory buildings, with the SOE stack and balance of plant components housed within a ventilated enclosure, as shown in Figure 3.2.

The P&ID used in our analysis, which is an adapted version of the original diagram from O’Brien et al. [16], is shown in Figure 3.3. To adapt the original design, we added components that were deemed necessary for safe and reliable system operation. Specifically, we added a flood sensor, a hydrogen-in-air detection sensor, and an air monitoring sensor, which would likely be present in a large-scale SOE system. We defined our system boundary to align more with a containerized SOE facility in an effort to produce risk scenarios that can be translated to larger capacity systems. In our adapted design, there are a total of 116 components, which we categorized into seven functional groups. The definitions of abbreviations and brief descriptions of components are given in Table 3.1.

Figure 3.2: 25 kW SOE test facility at INL [16]. (a) Overview of the facility. (b) Interior of the facility.

3.2.1 System Process Description

The process flow for the system shown in Figure 3.3 is described as follows. A high-purity DI water supply system provides purified water to the steam generator, which produces steam at 400 °C and ambient pressure. For H2 production, a mixture of steam (95%) and hydrogen (5%), by volume, is introduced to the cathode side of the high-temperature electrolyzer cells.
Nitrogen is sometimes included in the cathode inlet gas mixtures to provide independent variation of partial pressures of the other process gases while operating at a total pressure equal to ambient. However, nitrogen is primarily used as a purge gas to purge air and O2 out of the stacks and H2 from the exhaust line. During operation, H2 flow is required at the stack inlet to maintain reducing conditions on the nickel cermet SOEC cathodes and reduce the migration of nickel across the cathode. Upon startup, inlet H2 is supplied from a compressed gas cylinder. For long-term operations, recycled electrolytically-produced H2 is supplied from a recycle system including condensers, compressors, a high-pressure heat exchanger, and H2 storage tank. Produced O2 is mixed with preheated compressed air on the anode side of the stacks and vented from the system. During an alarm condition, a safe gas mixture of nitrogen (96.04%) and hydrogen (3.96%) is supplied to the SOEC cathode to prevent oxidation damage. To better visualize the way in which process mediums travel across the P&ID, we developed Figure 3.4.

Figure 3.3: SOE Facility P&ID adapted from O’Brien et al. [16]

| ID | Name | Description |
|---|---|---|
| AC | Air Cooler | Finned-tube heat exchanger |
| AH | Air Heater | In line heater that heats process air to 400 °C |
| AT | Air Quality Sensor | Detects nitrogen gas inside the facility |
| BPR | Back Pressure Regulator | Valve that maintains set upstream process medium pressure |
| CO | Compressor | Pressurizes process medium |
| CV | Check Valve | Valve that prevents backflow of process medium |
| ES | Electrolyzer Stack | Splits steam into hydrogen and oxygen |
| GH | Guard Heater | In line heater to increase temperature of process medium |
| GV | Gate Valve | Valve that is either fully open or fully closed |
| HS | Hydrogen Sensor | Detects hydrogen gas inside the facility |
| HU | Humidifier | Mixes water vapor with nitrogen |
| HV | Hand Valve | Manually operated valve |
| HX | Heat Exchanger | Counter flow heat exchanger to further cool hydrogen gas |
| LI | Level Indicator | Water level indicator |
| MF | Mass Flow Controller | Control device that automatically regulates the flow of a process medium |
| NV | Needle Valve | Valve that restricts flow of process medium |
| OS | Oxygen Sensor | Detects oxygen gas inside the facility |
| PCW | Chilled Water Pipe | Chilled water Functional Group piping |
| PH | Hydrogen Pipe | Hydrogen Functional Group piping |
| PN | Nitrogen Pipe | Nitrogen Functional Group piping |
| PO | Oxygen Pipe | Air and Oxygen Functional Group piping |
| PT | Pressure Transducer | Detects abnormal pressure in piping or components |
| PRV | Pressure Relief Valve | Valve that prevents overpressure of process medium |
| PS | Power Supply | Provides electrical energy to components |
| PSG | Safe Gas Pipe | Safe Gas Functional Group piping |
| PW | DI Water Pipe | DI Water Supply and Steam Generation Functional Group piping |
| SG | Steam Generator | Induction heating, atmospheric pressure steam generator |
| SV | Solenoid Valve | Electronically controlled valve |
| TT | Temperature Transducer | Detects abnormal temperature in piping or components |
| V | Vessel | Storage vessel for process medium |
| WS | Water Flood Sensor | Detects external leakage of water |
| WT | Water Trap | Collects excess water |
| 3WV | 3 Way Valve | Controls the path of process medium by allowing only two of three paths to open at once |

Table 3.1: Component IDs for the SOE Facility

Figure 3.4: Simplified PFD for SOE Facility

Components were grouped into one of 7 functional groups based on a careful analysis of their function within the system. Functional Group 1 is DI water supply and steam generation, which provides purified water to the steam generator that produces steam at ambient pressure and 400 °C. Functional Group 2 is high temperature electrolysis. The components include the SOE stack, the furnace and DC power supply. Functional Group 3 is oxygen processing and production, which provides preheated air at 400 °C that is used to sweep out oxygen on the anode side of the electrolyzer.
The components include the sweep gas preheat system and ventilation piping directly after the electrolyzer stack. Functional Group 4 is hydrogen production and recycle. Hydrogen production transports produced hydrogen to be vented, while hydrogen recycle transports some produced hydrogen to be cooled, compressed and stored for use in the inlet to the electrolyzer. Functional Group 5 is nitrogen, which is used for maintenance and start up activities to flush the system and also to provide independent variation of partial pressures of other process gases. Functional Group 6 is chilled water, which provides recirculated water used to cool produced hydrogen prior to compression and storage. Lastly, Functional Group 7 is safe gas, which is used during alarm conditions to continue the flow of nitrogen and hydrogen through the cathode of the electrolyzer to prevent oxidation damage.

3.2.2 System Operating Conditions

In order to conduct a comprehensive analysis, the system operating conditions are required. O’Brien et al. [16] published a list of nominal operating conditions for the full 25 kW test setup at INL. Jorgensen [38] published a design review on INL’s proposed SOE test layouts, which included the 25-kW test bed design and operating pressure and temperature information for the system. Table 3.2 presents the compiled operating information from both sources, in addition to information we received directly from our collaboration with INL. The operating conditions that are absent from the table represent values that were not published or able to be given directly by INL.
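The flow rates listed in Table 3.2 can be cross-checked against the stated 0.726 kg/hr hydrogen production rate with a steam-electrolysis mass balance (H2O → H2 + ½ O2). The Python sketch here is an added example, not code from the thesis or INL; it assumes ideal-gas behaviour and that SLPM is referenced to 0 °C and 1 atm (22.414 L/mol), which the page does not state.

```python
"""Mass-balance cross-check of the Table 3.2 flow rates (added example)."""

M_H2 = 2.016    # g/mol
M_H2O = 18.015  # g/mol
# Assumption: SLPM is referenced to 0 degC and 1 atm; the page does not say.
MOLAR_VOLUME_0C = 22.414   # L/mol
MOLAR_VOLUME_25C = 24.465  # L/mol, alternative reference used for comparison

# Values copied from Table 3.2 and Section 3.2 (SLPM unless noted).
STATED = {
    "water_feed_kg_hr": 10.8,      # PW-1 through PW-2
    "inlet_h2": 24.9,              # PH-1
    "inlet_steam": 224.0,          # PH-1
    "sweep_air": 160.0,            # PO-1 through PO-2
    "anode_outlet": 227.0,         # PO-4
    "outlet_h2": 159.0,            # PH-3
    "outlet_steam": 89.6,          # PH-3
    "h2_production_kg_hr": 0.726,  # facility rating from Section 3.2
}


def slpm_to_kg_hr(slpm, molar_mass, molar_volume):
    """Convert a standard volumetric flow to a mass flow."""
    return slpm / molar_volume * 60.0 * molar_mass / 1000.0


def predict(s, molar_volume=MOLAR_VOLUME_0C):
    """Apply H2O -> H2 + 1/2 O2 to the steam consumed across the stack."""
    converted = s["inlet_steam"] - s["outlet_steam"]  # SLPM of steam split
    return {
        "steam_utilization": converted / s["inlet_steam"],
        # One mole of H2 per mole of steam: equal standard volumes.
        "outlet_h2": s["inlet_h2"] + converted,
        # Half a mole of O2 per mole of steam joins the sweep air.
        "anode_outlet": s["sweep_air"] + converted / 2.0,
        "h2_production_kg_hr": slpm_to_kg_hr(converted, M_H2, molar_volume),
        # All inlet steam originates from the DI water feed.
        "water_feed_kg_hr": slpm_to_kg_hr(s["inlet_steam"], M_H2O, molar_volume),
    }


def cross_check(s, molar_volume=MOLAR_VOLUME_0C, rel_tol=0.01):
    """Return {quantity: (predicted, stated, relative_error, within_tol)}."""
    report = {}
    for name, value in predict(s, molar_volume).items():
        if name not in s:
            continue  # derived quantity with no stated counterpart
        err = abs(value - s[name]) / s[name]
        report[name] = (value, s[name], err, err <= rel_tol)
    return report


def inconsistent(s, **kwargs):
    """Names of stated values that disagree with the balance."""
    return sorted(k for k, v in cross_check(s, **kwargs).items() if not v[3])


if __name__ == "__main__":
    for name, (pred, stated, err, ok) in cross_check(STATED).items():
        flag = "ok" if ok else "CHECK"
        print(f"{name:22s} predicted {pred:8.3f}  stated {stated:8.3f}  "
              f"error {err:6.2%}  {flag}")
    print("utilization:", round(predict(STATED)["steam_utilization"], 3))
    print("fails at 25 degC reference:",
          inconsistent(STATED, molar_volume=MOLAR_VOLUME_25C))
```

A quantity that fails the check points to a transcription error or to a different standard-condition reference, either of which should be resolved before the values feed a QRA.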
| System Area | Operating Pressure | Operating Temperature | Flow rate |
|---|---|---|---|
| PW-1 through PW-2 | 40 psig | 20 °C | 10.8 kg/hr |
| PH-1 | < 1 psig | 400 °C | 24.9 SLPM H2 and 224 SLPM Steam |
| PO-1 through PO-2 | < 1 psig | 400 °C | 160 SLPM |
| PO-4 | < 0.5 psig | 800 °C | 227 SLPM |
| PH-3 | < 0.5 psig | 800 °C | 159 SLPM H2 and 89.6 SLPM Steam |
| PH-4 | < 0.5 psig | 150 °C | - |
| PH-5 | < 0.5 psig | 15 °C - 20 °C | - |
| PSG-1 | 40 psig | - | - |
| PN-1 | 40 psig | - | 150 SLPM |
| Water Cooling | - | 5 °C | - |

Table 3.2: SOE facility operating conditions

3.3 Hydrogen Production at a Nuclear Power Plant

SOE technology demonstrates the highest efficiency and the ability to produce high-purity hydrogen. It operates at temperatures above 600 °C, making it an excellent candidate for integration with NPPs, specifically high-temperature gas reactors (HTGRs). Kupecki et al. [39] conducted a study on the qualitative and quantitative assessment of the efficiency of an HTGR coupled to an SOE system. The authors considered two scenarios: one in which the HTGR supplied only high-temperature steam, and one in which the HTGR supplied electricity and high-temperature steam to the SOE facility. The authors concluded that the highest electrical efficiency, 89.11%, is achieved in the second scenario. However, the higher hydrogen production rate is achieved when the HTGR only supplies high-temperature steam. These results substantiate that SOE is a suitable candidate for integration with advanced reactors such as HTGRs.

There are two proposed methods of integrating SOE facilities with NPPs. In the first method, the SOE facility includes a stand-alone electrical energy source, and the NPP supplies only high-temperature steam to the SOE facility. However, an NPP’s high temperature steam cannot be directly fed into a solid oxide electrolyzer stack. The steam in an NPP’s nominal balance of plant has strict chemical control due to the potential for increased levels of radiation from possible steam generator leaks and proximity to primary nuclear coolant [9].
Specifically, to reduce the possibility of tritium migration outside of the nuclear fence, a heat exchanger system is required to extract the necessary thermal energy from the NPP for use in an SOE system. Additionally, a solid oxide electrolyzer requires DI water to achieve the highest possible efficiencies and preserve the integrity of the stack. Water containing minerals and other ions can cause adverse side reactions that could potentially damage the electrolyzer stack and reduce facility uptime. Therefore, the SOE facility will require its own water supply that will be heated to temperature by way of excess nuclear process heat. In addition to requiring steam at the correct operating temperature, an SOE facility also requires an electrical energy input. For the SOE facility to produce clean hydrogen, this electrical energy input also needs to be considered clean.

The second method of integration involves the NPP supplying both thermal and electrical energy to the SOE facility. The heat extraction method remains the same across both methods of integration. However, an electrical tie-in is introduced in the switchyard to provide the needed electrical energy to the SOE facility. Westover et al. [10] proposed the high-voltage side of the NPP’s generator step-up transformer as the tie-in site. The major components to construct this tie-in include a high-voltage circuit breaker, MOD switches, and a high-voltage transmission line. Westover et al. [10] also proposed the generator-isolated phase bus as an alternative tie-in point; however, tapping the bus is expensive, so the authors did not explore the option further.

When considering both methods of integration, the next question becomes which is the more effective option in terms of hydrogen production, efficiency, and safe and reliable deployment. In our analysis, we developed risk scenarios for a stand-alone test-bed SOE system.
In an effort to capture potential risk scenarios that could arise due to the integration of these systems, we considered the effects of thermal cycling when an NPP was supplying high-temperature steam. An SOE facility coupled to an NPP would not be continuously in operation; therefore, the SOE system can be in hot standby mode or be cycled through startup and shutdown. When certain issues, such as gaseous crossover, go unnoticed, the thermal cycling of startup and shutdown procedures has the potential to exacerbate certain undesired consequences. However, we did not consider the second method of integration because the electrical input to the electrolyzer falls outside the system boundary and scope of our analysis.

Chapter 4: Identify Component Failure Modes and Risk Scenarios for a Solid Oxide Electrolyzer Facility

4.1 Introduction

In this chapter, we document our approach for identifying risk scenarios of an SOE facility via a comprehensive FMEA. An FMEA is a comprehensive, bottom-up approach used to identify risks associated with operational hazards of a design and determine which components contribute to the most high-risk scenarios. This method allows a team of engineers to discuss all of the relevant failure modes of a component and postulate the local, next higher level of abstraction and end effects of each failure mode [35]. Local effects are the effects the failure mode has on the function of that specific component. Meanwhile, the next level of abstraction and end effects describe the effect of a failure on downstream components and the overall system, respectively. The engineering team can organize the scenarios by component type, failure mode, and consequence type to generate insights into which areas of the system contribute to the most high-risk scenarios. We summarize all 650 risk scenarios identified and propose mitigation strategies. We synthesize the risk scenarios into a list of the 65 most critical scenarios.
These results can be used by operators in early-stage deployments. The following chapter outlines the processes taken in planning, executing, and evaluating the results of the FMEA.

4.2 Approach for conducting the FMEA

Prior to conducting the FMEA, a system reference guide was developed to define key aspects of the methodology, the system boundary, and the scope of the analysis, determine the risk ranking, and establish relevant failure modes, mechanisms, and consequences. The purpose of this document was to ensure a consistent analysis of all components within the SOE system. The document kept the primary outcomes of the analysis at the forefront of the engineering team’s minds. The two primary outcomes of the FMEA were building the foundation for a comprehensive QRA and providing critical insights for early development decisions. The FMEA was conducted with the knowledge that the resulting failure modes and risk scenarios would be leveraged in developing fault trees at a high level of abstraction. This allowed the engineering team to consider all relevant failure modes and the resulting consequences of each component within the electrolyzer system. The following section summarizes the reference document used in the FMEA.

4.2.1 Methodology

The primary goal of the FMEA was to identify failure scenarios, which serve as the initial step towards a complete QRA of an SOE facility. Secondly, providing a list of failure scenarios on a well-documented system allows for the potential scaling of results to commercial SOE facility designs. Additionally, the insights developed from the FMEA were leveraged to create fault trees at a high level of abstraction. To conduct the FMEA on an SOE facility design, we followed the IEC 60812 (2018) FMEA standard [34] and guidance from Modarres and Groth [35]. The approach to conduct this FMEA is as follows:

1. Plan the FMEA
   1.1 Assemble the necessary information and define the system, function, boundaries and operating conditions.
   1.2 Define the terms of reference, methodology and assemble a diverse team for the FMEA.
2. Perform the FMEA
   2.1 For each component, identify critical failure modes and their effects on the immediate function of the system.
   2.2 Assign a severity class by qualitatively evaluating the consequences of each failure mode.
   2.3 Assess the likelihood of occurrence of each failure mode on a defined scale.
   2.4 Identify current failure detection methods, safeguards and controls.
   2.5 Recommend actions to eliminate or control the risk.
3. Review additional literature surrounding the evaluation of Solid Oxide Electrolyzers and augment identified failure scenarios as necessary.
4. Document the analysis.

Figure 4.1: A summary of the FMEA process

4.2.2 Scope

This bottom-up FMEA reviews a normal operation scenario with active hydrogen recycling and the potential for mal-operation or malfunction of control instruments and safety systems for the system given in Figure 3.3. The black dashed line defines the system boundary. Components outside the system boundary were considered at a high level, either failed or operating, in our analysis. To better incorporate the coupling to a nuclear power plant, we documented the effect of startup and shutdown procedures on identified consequences in the FMEA. This section summarizes the necessary distinctions and assumptions made before conducting the FMEA.

The P&ID, in Figure 3.3, identifies the piping directly downstream of the steam generator to contain approximately 5% hydrogen by volume, which is needed to maintain the proper reducing conditions in the cathode. Due to the presence of hydrogen in this line, the piping and components directly downstream of the steam generator were considered part of the hydrogen functional group because of the potential for an accumulation of hydrogen.
The original design from O’Brien et al. [16] used preheated air to continually sweep oxygen out of the anode side of the electrolyzer. In this analysis, all components associated with the sweeping of oxygen were considered part of the oxygen functional group. All hydrogen-containing components reside in a ventilated enclosure with a gas monitoring system for abnormal hydrogen and oxygen levels. In this analysis, the steam generator and DI water supply are considered. However, in large-scale deployments, steam would likely be produced on the nuclear island and instead require topping heat before reaching the electrolyzer stack.

O’Brien et al. [16] and Jorgensen [38] provided limited information regarding the safety and control system (SCS) and which transmitters trigger which systems. We considered the SCS to the level of depth of the information provided and introduced modifications based on prior knowledge of PEM electrolysis facility designs. The following description of the SCS was given in O’Brien et al. [16]. The gas monitoring system activates an alarm if hydrogen, elevated oxygen, or nitrogen levels are detected. The alarm signals are interlocked to a solenoid valve on the hydrogen gas supply line [16]. An alarm condition cuts off power to the electrolyzer stack and initiates the flow of the safe gas through the cathode to prevent oxidation. Laboratory occupants would be notified of the presence of a potentially hazardous buildup of gases by relay outputs, a display readout, visual and audible alarms, and an autodialer [16].

The SCS description provided a basis for identifying which sensors and transmitters are used in alarm conditions. However, to document which features of the SCS are barriers to each identified scenario, a trigger state is required. For each sensor and transmitter in Figure 3.3, the engineering team leveraged prior knowledge to determine an associated trigger state; these are given in Table 4.1.
Later, the engineering team confirmed the appropriateness of these assigned states with INL system operators.

Sensor | Control Logic
TT-01 | No Associated Trigger
TT-02 | Trigger Low/High
TT-03 | Trigger Low/High
TT-04 | Trigger Low/High
TT-05 | Trigger Low/High
TT-06 | Trigger Low/High
TT-07A/B/C | Trigger Low/High
TT-08A/B/C/D | Trigger Low/High
TT-09 | Trigger Low/High
TT-10 | Trigger Low/High
TT-11 | Trigger Low/High
TT-12 | Trigger Low/High
TT-13 | Trigger Low/High
TT-14 | Trigger Low/High
TT-15 | Trigger Low/High
TT-16 | Trigger Low/High
TT-17 | No Associated Trigger
MF-01 | Trigger Low Flow
MF-02 | Trigger Low Flow
MF-03 | Trigger Low Flow
MF-04 | Trigger Low Flow
MF-05 | Trigger Low Flow
PT-01 | Trigger Low/High
PT-02 | Trigger Low
PT-03 | Trigger Low/High
OS-01 | Trigger High
HS-01 | Trigger High
WS-01 | Trigger High
LI-01 | Trigger Low/High
LI-02 | Trigger Low/High

Table 4.1: Sensor control logic for the SOE facility

4.2.3 Failure Modes, Mechanisms and Consequences

The failure modes, which describe the ways in which components fail, were developed by West [40] and Groth et al. [41]. These failure modes were appended as needed based on prior electrolysis FMEA experience and relevant literature. A summary of failure modes used in this analysis is provided in Table 4.2. A predefined list of failure modes is used as a guide when analyzing to ensure all relevant failure modes were considered for every component within the system.

In addition to the failure modes listed in Table 4.2, the engineering team identified several other relevant failure modes, including full and partial plugging, full and partial freezing, leaks and ruptures of water, air, nitrogen or nitrogen and hydrogen mixtures. We make these distinctions because these failure modes have different local and next-highest level of abstraction effects on surrounding components. A full blockage results in a loss of water, while a partial blockage results in turbulent conditions that can dislodge surrounding components.
The release of various process and utility mediums also poses varying hazards to facility personnel and the general population. These failure modes are detected in various ways, which were important to capture in the analysis as the safety and control system is necessary for developing the fault tree structures in Chapter 5.

Failure Mode | Definition
Abnormal output-high | Above normal output indicates potential failure(s)
Abnormal output-low | Below normal output indicates potential failure(s)
Bent/warped/damaged | Visible mechanical damage
Contamination | Component allows foreign material to contaminate product
Erratic output | Inconsistent output
External leak hydrogen | Hydrogen leak from within system to environment
External leak utility medium | Utility medium leak from the system to the environment
External rupture hydrogen | Complete loss of containment, hydrogen exhausts to the environment
External rupture utility medium | Complete loss of utility medium to the environment
Fail closed | Component stops working in the closed position
Fail open | Component stops working in the open position
Fail to close | Component does not close on demand
Fail to operate | Component does not function on demand
Fail to stop | Component does not stop on demand
Freezing | Component is frozen and becomes inoperable/requires maintenance
Plugging | Buildup of material restricting flow
Insufficient heat transfer | Target parameters for temperature are not met in a heat exchanger
Internal leak hydrogen | Hydrogen leak within system boundary (e.g. across a closed valve)
Internal leak utility medium | Utility medium leak within system boundary (e.g. across a closed valve)
Internal rupture hydrogen | Complete loss of containment, hydrogen stays within the system boundary
Internal rupture utility medium | Complete loss of containment, utility medium stays within the system boundary
Open circuit | Electrical circuit that is not complete
Overheating | Component is exposed to temperatures above design specifications
Restrict flow | Component is restricting flow when not intended to do so
Short circuit | Diversion of current
Spurious operation | Activation without specified demand (components normally idle)
Spurious stop | Stop without specified demand (components normally active)

Table 4.2: Primary failure modes considered in analysis adapted from West et al. [40]

To conduct the FMEA, a terms of reference document for the SOE system was created based on guidance from Wismer et al. [36] to define the system, system boundary and establish relevant failure modes, causes and consequences. Each failure mode was paired with at least one failure mechanism. Wismer et al.
[36] considered the following failure mechanisms and we supplemented as needed:

• Inadequate design, testing, manufacturing, installation, or maintenance
• Impurities in reactants and products
• Foreign debris/objects in water supply
• Abnormal output of the power supply
• Failure in an electrical or activation system
• External impacts
• External fires
• Overpressure
• Material degradation

For each failure mode and mechanism pair, the following consequences were considered:

• Hazardous release potentially leading to:
    – Fire
    – Explosion
    – Asphyxiation
• Dislodging/fracture of components due to an inertial release of process medium
• Membrane degradation that leads to a significant decrease in electrolyzer stack efficiency
• Loss of function

During the analysis, the loss of function of a component was considered; however, only scenarios resulting in potential hazardous hydrogen release, membrane degradation, hydrogen and oxygen mixing, and nitrogen release conditions are presented in the results.

The release of a gas, either hydrogen or nitrogen, can pose a risk to the SOE facility and personnel. Due to hydrogen’s low density, low minimum ignition energy, and wide flammability range of 4-75 vol% in the air [42], various consequences can manifest from a release. An undetected release in the presence of an ignition source can immediately ignite to create a jet fire or fireball. Alternatively, a delayed ignition would result in an explosion and overpressure event. The release of nitrogen into the facility will pose an asphyxiation hazard to facility personnel because nitrogen is colorless, odorless, and denser than air so it settles towards the ground, displacing the air [43].

Next, we considered membrane degradation due to the risk-critical hazards associated with operating a degraded stack.
When a high-temperature electrolyzer stack membrane degrades, the voltage across a cell increases well beyond the thermo-neutral voltage, which elevates the internal temperature of the stack. Operating a degraded membrane can result in a mixture of hydrogen and oxygen in the electrolyzer stack. This flammable mixture can result in the combustion and subsequent burning of the electrolyzer cells during normal operation, as observed in [25]. Alternatively, should membrane degradation remain undetected during normal operation, more significant gaseous crossover can occur during or after the system has been cycled through startup and shutdown. Outside of normal operation, the electrolyzer stack is continuously flushed with a mixture of nitrogen, steam, and hydrogen. Therefore, this can result in an accumulation of hydrogen and oxygen mixture in the downstream hydrogen storage and compression subsystems.

4.2.4 Risk Ranking

The severity and likelihood of each failure scenario were evaluated using the risk matrix from Wismer et al. [36]. The matrix was used to address risks revolving around operator and general population safety. Each combination of likelihood of occurrence and severity results in a risk level ranging from negligible to high, for each scenario.

Figure 4.2: Risk Matrix used by Wismer et al. [36]

The likelihood of occurrence of an event was defined as the occurrence per electrolyzer machine-year. Wismer et al. [36] define an electrolyzer machine-year to be 4,000 operating hours based on an EU Joint Research Commission report [44] that estimated this value to be 3,000-5,000 operating hours per year. The likelihood of occurrence categories were defined as follows:

1. Remote – Failure expected to occur less than once in 1000 machine-years
2. Unlikely – Failure expected to occur less than once per 100 machine-years
3. Likely – Failure expected to occur more than once per 10 machine-years
4. Very Likely – Failure expected to occur more than once per machine-year

Severity categories consider the effect of an incident in a commercial scale SOE facility. This will aid in the future development of a complete QRA and scaling of results to full scale hydrogen facilities. The severity categories used in Wismer et al. [36] are as follows:

1. Insignificant – no injury or illness
2. Minor – requiring first aid
3. Moderate – minor injury or illness requiring offsite medical treatment
4. Serious – serious bodily injury or serious work caused illness
5. Catastrophic – death or permanent disability

4.2.5 Analysis Approach

The engineering team was made up of a diverse group with experience in PEM electrolysis FMEAs, hydrogen safety, and PRA. Additionally, prior knowledge was leveraged in principles of reliability analysis and PRA to conduct a comprehensive analysis. The core group of three engineers conducted the analysis over multiple sessions. To complete the analysis, the core team of engineers gathered together for two-hour team meetings once a week over six months.

The engineering team began the analysis by considering the first component (HV-01) within FG 1 and continuing on to consider each subsequent component individually by following the flow of the process medium through the system. For each component, the team consulted the list of failure modes given in Table 4.2 and identified all applicable modes that would lead to one of the consequences of interest. For each failure mode, we postulated the local, next highest level of abstraction and end effect on the overall system. Then, we assigned a likelihood of occurrence and severity based on the failure mode and resulting consequence. To further refine the developed risk scenarios, the core team consulted two additional engineers with backgrounds in hydrogen system safety to gain further insights into the exact function and purpose of particular components within the system.
Lastly, we consulted system operators at INL to discuss unique features of the system design to capture any unique failure modes for those components.

4.3 Results: Failure Scenarios for a Solid Oxide Electrolyzer test facility by Functional Group

On the modal level, we identified 650 failure scenarios, 495 of which were classified as high risk and 155 of which were medium risk. To display our results, we organized the scenarios by functional group, component type and failure type. The following categories of components were used to organize the results: condenser, electrolyzer, power supply, sensor, steam generator, valve and water trap. The following failure types were used to organize the scenarios: blockage, damage, electrical, leak, mechanical, rupture and thermal. A summary of the results across functional groups is shown in Figure 4.3. The complete FMEA is provided in the Appendix.

Figure 4.3: Identified failure scenarios organized by functional group

4.3.1 Functional Group 1: Water supply and Steam Generation Scenarios

Figure 4.4 presents all of the failure scenarios, organized by component type, for the DI water supply and steam generation functional group. There are 23 components considered in this functional group.

Figure 4.4: Summary of Functional Group 1 risk ranked scenarios by component type

4.3.2 Functional Group 2: High Temperature Electrolysis Scenarios

Figure 4.5 summarizes the risk scenarios of functional group 2. There are 5 components considered in this functional group. The majority of the scenarios are for the electrolyzer stack itself. However, as the technology continues to evolve and mature, the exact ways in which the electrolyzer stack fails may also change.

Figure 4.5: Summary of Functional Group 2 risk ranked scenarios by component type

4.3.3 Functional Group 3: Oxygen Processing and Production Scenarios

Figure 4.6 presents a summary of the risk scenarios for the oxygen processing and production functional group.
There are 11 components considered in this functional group.

Figure 4.6: Summary of Functional Group 3 risk ranked scenarios by component type

4.3.4 Functional Group 4: Hydrogen Production and Recycle Scenarios

Figure 4.7 presents the risk scenarios for the hydrogen production and recycle functional group. There are 29 components considered in this functional group.

Figure 4.7: Summary of Functional Group 4 risk ranked scenarios by component type

4.3.5 Functional Group 5: Nitrogen Supply Scenarios

Figure 4.8 presents the risk scenarios for the nitrogen supply functional group. There are 8 components considered in this functional group.

Figure 4.8: Summary of Functional Group 5 risk ranked scenarios by component type

4.3.6 Functional Group 6: Chilled Water Supply Scenarios

Figure 4.9 summarizes the risk scenarios for the chilled water supply functional group. There are 4 components considered in this functional group.

Figure 4.9: Summary of Functional Group 6 risk ranked scenarios by component type

4.3.7 Functional Group 7: Safe Gas Supply Scenarios

Figure 4.10 presents the risk scenarios for the safe gas supply functional group. There are 6 components considered in this functional group.

Figure 4.10: Summary of Functional Group 7 risk ranked scenarios by component type

4.4 Discussion and Conclusions

4.4.1 Insights from the Risk Scenarios

Functional Group 1, DI water supply and steam generation, contributed to the most high-risk scenarios for this system, with 289 scenarios classified as high risk. Blockage failures of valve components resulted in a total of 128 high-risk scenarios. A blockage is either a full blockage or a partial blockage. The occurrence of a full blockage before the electrolyzer stack will result in steam starvation of the electrolyzer stack. Steam starvation has been shown to lead to membrane degradation [21, 45].
A partial blockage before the electrolyzer stack can cause turbulent conditions, which could dislodge surrounding components and starve the stack of steam. Before the condensers, a full blockage would result in improper cooling and drying of recycled hydrogen. Improper cooling results in recycled hydrogen at elevated temperatures, which causes a higher-than-intended temperature differential between the process medium and the electrolyzer stack. The temperature differential can stress the stack and result in accelerated membrane degradation during normal operation, ultimately decreasing the longevity of the stack. Degradation studies on SOE stacks have shown that increasing temperatures result in higher degradation rates [46]. Improper drying of recycled hydrogen can result in wet hydrogen entering the electrolyzer stack. A high-temperature SOE stack would experience degradation because these components are not designed for a liquid water environment. During normal operation, these conditions would result in membrane degradation, which can significantly reduce the efficiency. Additionally, during startup or shutdown, these conditions would result in a gaseous crossover with the potential for an accumulation of a combustible mixture in the hydrogen storage tank or a release of this mixture into the external environment.

Mitigation strategies for these failure modes will differ based on the blockage type. For full or partial freezing-type blockages, it is recommended that a robust heating and ventilation system be put in place to ensure suitable temperature control of the facility. Due to the acidic nature of DI water, corrosion of the inside of components can cause full or partial plugging and contamination-type failure modes to occur. Ensuring all components that interact with DI water are properly passivated is required to mitigate against these failure modes.
Additionally, regular inspection of the steam generator is recommended to mitigate against undesired consequences because it is critical for the longevity of the electrolyzer stack that sufficient steam and hydrogen, within operating parameters, are present at the inlet.

In Functional Group 4, hydrogen production and recycling, there were 109 risk scenarios, 85 of which were classified as high-risk. Mechanical failures of valve components result in 20 high-risk scenarios, the largest number of scenarios of any component type in this functional group. A mechanical failure of a valve in the recycle portion of this functional group could starve the electrolyzer stack of the necessary hydrogen required at the inlet to maintain the proper reduction conditions and cause membrane degradation. To mitigate against these consequences, we recommend including an inline hydrogen detection sensor before the inlet of the stack to continuously monitor the volume of hydrogen. Outside of normal operation, the consequence of interest is the occurrence of gaseous crossover. During the analysis, we identified that the hydrogen and oxygen flammable gas mixture would accumulate in a downstream hydrogen storage tank (outside the system boundary shown in Figure 3.3) after the system is cycled through operating modes. During startup and shutdown procedures, the continued cycling of a degraded electrolyzer stack would exacerbate membrane degradation further. The occurrence of crossover becomes more likely outside of normal operation due to the potential of a varying pressure differential in the electrolyzer stack. However, crossover into the anode would result in the flammable mixture being vented directly to the hot zone and then swept to the outdoor environment. To detect the occurrence of significant crossover, we recommend an inline hydrogen detection sensor downstream of the anode side outlet to ensure that this flammable mixture does not pose undue harm to facility personnel.

We identified 76 risk scenarios in Functional Group 3, Oxygen processing and production, 38 of which were classified as high risk. The failure mode types of most concern for this functional group include leaks and ruptures of all components, mechanical failures of the air compressor or valves and thermal failures of the inline heaters. The leak and rupture failure modes can result in an accumulation of oxygen on the anode side due to no sweep air flow. The buildup of pressure on the anode side can cause delamination of the oxygen electrode. Additionally, mechanical failures of the air compressor or valves would result in scenarios of excess sweep air flowing across the electrolyzer stack. These scenarios can result in an increased degradation rate [47]. Lastly, thermal failures of the inline heaters result in scenarios where the temperature differential between the sweep air and stack induces thermal stress to the stack. The safety and control system includes an inline mass flow controller (MF-04) that can detect abnormal flow upstream. However, to detect leaks and ruptures downstream of MF-04, we recommend a flow indicator prior to the anode inlet.

In Functional Group 6, the chilled water supply, we identified 52 risk scenarios, 36 of which were classified as high risk. Blockage failures in the valves resulted in the most high-risk scenarios. A blockage in this functional group would result in either insufficient drying or insufficient cooling of recycled hydrogen gas. As described previously, both wet hydrogen and above operating temperature hydrogen would impact the degradation rate of the membrane during normal operation. When the membrane is cycled through other operational modes, more significant gaseous crossover can occur which results in hydrogen and oxygen mixing. To mitigate these consequences, we recommend ensuring adequate control over the chiller and adequate installation and maintenance of the temperature transmitters.
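
The trigger states in Table 4.1 decide whether the SCS can act as a barrier for a given deviation, which is the reasoning behind recommendations such as the additional flow indicator near MF-04. The Python below is an added example, not part of the thesis or the INL system: it transcribes Table 4.1 and reports deviations that no listed trigger would catch. The pairing of each scenario with a sensor and direction in SCENARIOS is a constructed assumption.

```python
import re

# Control logic transcribed from Table 4.1 (grouped tags kept as printed).
TABLE_4_1 = {
    "TT-01": "No Associated Trigger",
    **{f"TT-{n:02d}": "Trigger Low/High"
       for n in (2, 3, 4, 5, 6, 9, 10, 11, 12, 13, 14, 15, 16)},
    "TT-07A/B/C": "Trigger Low/High",
    "TT-08A/B/C/D": "Trigger Low/High",
    "TT-17": "No Associated Trigger",
    **{f"MF-{n:02d}": "Trigger Low Flow" for n in range(1, 6)},
    "PT-01": "Trigger Low/High",
    "PT-02": "Trigger Low",
    "PT-03": "Trigger Low/High",
    "OS-01": "Trigger High",
    "HS-01": "Trigger High",
    "WS-01": "Trigger High",
    "LI-01": "Trigger Low/High",
    "LI-02": "Trigger Low/High",
}

# Deviation directions each control-logic entry responds to.
DIRECTIONS = {
    "No Associated Trigger": frozenset(),
    "Trigger Low": frozenset({"low"}),
    "Trigger Low Flow": frozenset({"low"}),
    "Trigger High": frozenset({"high"}),
    "Trigger Low/High": frozenset({"low", "high"}),
}


def expand_tag(tag):
    """'TT-07A/B/C' -> ['TT-07A', 'TT-07B', 'TT-07C']; plain tags pass through."""
    match = re.fullmatch(r"([A-Z]+-\d+)([A-Z](?:/[A-Z])+)", tag)
    if not match:
        return [tag]
    return [match.group(1) + suffix for suffix in match.group(2).split("/")]


def build_trigger_map(table):
    """Map every individual sensor tag to the directions that trip an alarm."""
    triggers = {}
    for tag, logic in table.items():
        for single in expand_tag(tag):
            triggers[single] = DIRECTIONS[logic]
    return triggers


TRIGGERS = build_trigger_map(TABLE_4_1)


def scs_barriers(observations):
    """Return the (sensor, direction) pairs that would raise an SCS alarm.

    An unknown tag or direction is an error, so a typo is never silently
    counted as 'no barrier'.
    """
    hits = []
    for sensor, direction in observations:
        if direction not in ("low", "high"):
            raise ValueError(f"direction must be 'low' or 'high': {direction!r}")
        if sensor not in TRIGGERS:
            raise KeyError(f"sensor not in Table 4.1: {sensor}")
        if direction in TRIGGERS[sensor]:
            hits.append((sensor, direction))
    return hits


def coverage_gaps(scenarios):
    """Names of scenarios for which none of the observing sensors triggers."""
    return [name for name, obs in scenarios.items() if not scs_barriers(obs)]


# Constructed scenarios: which sensor sees which deviation is assumed here.
SCENARIOS = {
    "loss of sweep air flow": [("MF-04", "low")],
    "excess sweep air flow": [("MF-04", "high")],
    "high pressure seen only at PT-02": [("PT-02", "high")],
    "high reading at TT-08C": [("TT-08C", "high")],
    "high reading seen only at TT-17": [("TT-17", "high")],
    "low level with low flow": [("LI-01", "low"), ("MF-01", "low")],
}

if __name__ == "__main__":
    for name in coverage_gaps(SCENARIOS):
        print("no Table 4.1 trigger for:", name)
```

A gap reported here means only that Table 4.1 lists no trigger in that direction for the assumed sensor; other safeguards are outside what this check models.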

Lastly, we identified 18 risk scenarios in Functional Group 5 and 28 risk scenarios in Functional Group 7. Both functional groups supply the system with primarily nitrogen outside normal operation. For Functional Group 5, the nitrogen supply, all 18 scenarios were high risk due to the potential for asphyxiation of facility personnel if a leak or rupture remains undetected. For Functional Group 7, the 14 high-risk scenarios were also due to the asphyxiation hazard posed by a nitrogen release, while the 14 medium risk scenarios were a result of the small amount of hydrogen, approximately 4%, that is present in the safe gas supply. Ensuring adequate gas detection systems will mitigate the risks posed by these consequences. Another potential barrier we recommend is individual nitrogen detection sensors that can be worn by facility personnel.

4.4.2 Synthesized List of Critical Risk Scenarios

We identified a total of 650 risk scenarios by conducting a comprehensive FMEA. In an effort to provide insights to early deployments, we synthesized the results into a list of critical risk scenarios, organized by consequence, that are relevant to engineers as they continue to iterate on the design of SOE facilities. The list of the 65 critical risk scenarios is as follows:

1. Membrane Degradation which leads to a significant loss of efficiency during normal operation
    1.1 Obstruction to water flow can cause turbulent conditions and dislodging/fracture around components. This results in water starvation of SG-01 and steam starvation in ES-01 which leads to irreversible degradation of the membrane, mechanical damage of the membrane or cathode oxidation of ES-01.
    1.2 Obstruction to water flow can cause turbulent conditions and dislodging/fracture around components. Insufficient water level in the condensers can cause insufficient drying of H2. Wet H2 is fed back into ES-01 leading to accelerated membrane degradation.
    1.3 Obstruction to water flow can cause turbulent conditions and dislodging/fracture around components. Insufficient water level in the condensers can cause insufficient cooling of H2, which is fed back into ES-01 at above optimal temperature leading to accelerated membrane degradation.
    1.4 Total obstruction of water flow causes water starvation of SG-01 and steam starvation in ES-01 which leads to irreversible degradation of the membrane, mechanical damage of the membrane or cathode oxidation of ES-01.
    1.5 Total obstruction to water flow upstream of the condensers can cause insufficient drying of H2. Wet H2 is fed back into ES-01 leading to accelerated membrane degradation.
    1.6 Total obstruction to water flow upstream of the condensers can cause insufficient cooling of H2, which is fed back into ES-01 at above optimal temperature leading to accelerated membrane degradation.
    1.7 Stagnation of water downstream of the condensers can cause insufficient drying of H2. Wet H2 is fed back into ES-01 leading to accelerated membrane degradation.
    1.8 Stagnation of water downstream of the condensers can cause insufficient cooling of H2, which is fed back into ES-01 at above optimal temperature leading to accelerated membrane degradation.
    1.9 Release of water can cause water starvation of SG-01 and steam starvation of ES-01, which leads to irreversible degradation of the membrane, mechanical damage of the membrane or cathode oxidation of ES-01.
    1.10 Release of water causes insufficient drying of H2. Wet H2 is fed back into ES-01 leading to accelerated membrane degradation.
    1.11 Release of water causes insufficient cooling of H2, which is fed back into ES-01 at above optimal temperature leading to accelerated membrane degradation.
    1.12 Insufficient water flow into SG-01 causes steam starvation of ES-01, which leads to irreversible degradation of the membrane, mechanical damage of the membrane or cathode oxidation of ES-01.
    1.13 Insufficient seal with downstream piping causes steam starvation over time, which leads to irreversible degradation of the membrane, mechanical damage of the membrane or cathode oxidation of ES-01.
    1.14 Insufficient seal with upstream piping causes water starvation of SG-01 and steam starvation of ES-01, which leads to irreversible degradation of the membrane, mechanical damage of the membrane or cathode oxidation of ES-01.
    1.15 Loss of steam production in SG-01 causes steam starvation which leads to irreversible degradation of the membrane, mechanical damage of the membrane or cathode oxidation of ES-01.
    1.16 SG-01 produces insufficient quantities of steam, which can cause steam starvation which leads to irreversible degradation of the membrane, mechanical damage of the membrane or cathode oxidation of ES-01.
    1.17 H2 is not present at the inlet of ES-01, which can cause improper reducing conditions and can lead to accelerated membrane degradation.
    1.18 In-line components, in FG 1, prior to ES-01 heat steam and H2 mixture to above optimal temperatures, which can cause accelerated membrane degradation.
    1.19 Insufficient cooling in AC-01A/B/C can cause improper cooling of H2 which results in above optimal temperature H2 at the inlet of ES-01. This can cause accelerated membrane degradation.
    1.20 Insufficient gas removal from ES-01 can cause accelerated membrane degradation and the loss of the H2 recycle system.
    1.21 A blockage of the cathode outlet results in accumulation of H2 in ES-01. This can cause an increase in pressure which leads to irreversible degradation of the membrane, mechanical damage of the membrane or cathode oxidation of ES-01.
    1.22 Internal leak of hydrogen can lead to oxidation of the cathode, nickel depletion or damage to the membrane of ES-01.
    1.23 High output from the power supply for ES-01 can cause thermal damage to the membrane or accelerated degradation of ES-01.
    1.24 A lack of sweep air results in accumulation of oxygen in the anode of ES-01. This leads to a buildup of pressure which can cause irreversible membrane degradation, including delamination.
    1.25 Excess air has the potential to expose the anode electrode to boron, sulfur or silica which can cause irreversible membrane degradation of ES-01 through poisoning.
    1.26 In-line components, in FG 3, prior to ES-01 heat sweep air to above optimal temperatures, which can cause accelerated membrane degradation.
    1.27 Accumulation of H2 in PH-5 results in CO-1 being unable to supply V-01 with the correct amount of H2. Over time, V-01 will drain and cause an insufficient amount of H2 at the inlet of ES-01, which can cause improper reducing conditions and can lead to accelerated membrane degradation.
    1.28 Accumulation of H2 in PH-6 results in the loss of H2 recycle system. Over time, this can cause less than 5% H2 at the inlet of ES-01, which can cause improper reducing conditions and can lead to accelerated membrane degradation.
    1.29 High output from CO-01 can create a vacuum upstream which can cause H2 to flow through the drying and cooling components at a faster than intended rate. This can cause insufficient cooling of H2, which is fed back into ES-01 at above optimal temperature leading to accelerated membrane degradation.
2. Hydrogen Release
    2.1 External release of H2.
    2.2 Release of water from a component causes an insufficient water seal which provides a path for H2 to escape into the atmosphere.
    2.3 Insufficient seal with downstream piping provides a path for H2 to escape into the atmosphere.
    2.4 Accumulation of H2 in V-01 beyond the holding capacity of the vessel which provides a potential path for H2 to escape into the atmosphere.
    2.5 Accumulation of H2 in PH-6, which can cause H2 to back feed into upstream components which provides a potential path for H2 to escape into the atmosphere.
3. Oxygen and Hydrogen Mixing
    3.1 Insufficient gas removal from ES-01 can cause an increase in pressure in ES-01 which can lead to a rupture of the membrane and the occurrence of a flammable mixture of oxygen and hydrogen during normal operation.
    3.2 Accumulation of H2 in PH-5 can result in the back feeding of hydrogen into ES-01. This can cause an increase in pressure in the cathode which could lead to a rupture of the membrane and the occurrence of a flammable mixture of oxygen and hydrogen during normal operation.
    3.3 Obstruction to water flow can cause turbulent conditions and dislodging/fracture around components. This results in water starvation of SG-01 and steam starvation in ES-01 which leads to irreversible degradation of the membrane and the occurrence of significant crossover outside of normal operation.
    3.4 Obstruction to water flow can cause turbulent conditions and dislodging/fracture around components. Insufficient water level in the condensers can cause insufficient drying of H2. Wet H2 is fed back into ES-01 leading to accelerated membrane degradation and the occurrence of significant crossover outside of normal operation.
    3.5 Obstruction to water flow can cause turbulent conditions and dislodging/fracture around components. Insufficient water level in the condensers can cause insufficient cooling of H2, which is fed back into ES-01 at above optimal temperature leading to accelerated membrane degradation and the occurrence of significant crossover outside of normal operation.
    3.6 Total obstruction of water flow causes water starvation of SG-01 and steam starvation in ES-01 which leads to irreversible degradation of the membrane and the occurrence of significant crossover outside of normal operation.
    3.7 Total obstruction to water flow upstream of the condensers can cause insufficient drying of H2. Wet H2 is fed back into ES-01 leading to accelerated membrane degradation and the occurrence of significant crossover outside of normal operation.
    3.8 Total obstruction to water flow upstream of the condensers can cause insufficient cooling of H2, which is fed back into ES-01 at above optimal temperature leading to accelerated membrane degradation and the occurrence of signi