IEC 62282-3-100, Edition 1.0, 2012-02. INTERNATIONAL STANDARD. Fuel cell technologies – Part 3-100: Stationary fuel cell power systems – Safety
General safety strategy
The manufacturer must conduct a written risk analysis to identify all foreseeable hazards and hazardous situations throughout the fuel cell power system's lifetime. This includes estimating the risk associated with each hazard based on its probability of occurrence and severity. Additionally, the manufacturer should eliminate or reduce these risks to a level that does not exceed acceptable limits, as far as practical.
1) inherently safe design of the construction and its methods; or
2) passive control of energy releases without endangering the surrounding environment (for example, burst disks, release valves, thermal cut-off devices) or by safety related control functions; and
For residual risks that cannot be mitigated by previous measures, it is essential to implement labels, warnings, or special training requirements. These measures must be clearly understood by individuals in hazardous areas to ensure their safety.
For functional safety, the required severity level, performance level or the class of control function shall be determined and designed in accordance with:
• IEC 62061 (respectively ISO 13849-1) for applications according to IEC 60204-1;
• IEC 60730-1 for appliances according to IEC 60335-1;
• IEC 61508 (all parts) for other applications.
For failure mode and effects analysis (FMEA) and fault tree analysis methods the following standards can be used as guidance:
Physical environment and operating conditions
General
The design and construction of the fuel cell power system and its protective systems must ensure their ability to function effectively under the specified physical environment and operating conditions outlined in sections 4.2.2 to 4.2.8.
Electrical power input
The fuel cell power system must be engineered to function properly under the electrical power input conditions outlined in the applicable electrical product application standard, as detailed in section 4.7, or as specified by the manufacturer.
Physical environment
The manufacturer shall specify the physical environment conditions for which the fuel cell power system is suitable. Consideration should be given to:
– the altitude above sea-level up to which the fuel cell power system shall be capable of operating correctly;
– the range of air temperatures and humidity within which the fuel cell power system shall be capable of operating correctly;
– the seismic zone where it may be sited.
Fuel input
The fuel cell power system must be engineered to function effectively within the specified composition limits and supply characteristics of its intended fuels, such as pipeline natural gas. The manufacturer's user manual will detail the acceptable composition limits and supply characteristics for the fuels designated for use in the fuel cell power system.
Water input
The quality and supply characteristics of the water to be used in the fuel cell power systems shall be specified by the manufacturer.
Vibration, shock and bump
To mitigate the negative impacts of vibration, shock, and bumps from machinery and the surrounding environment, it is essential to choose appropriate equipment, position it away from the fuel cell power system, or utilize anti-vibration mountings. Seismic shock effects are not covered in this context and should be addressed separately if deemed necessary by the manufacturer.
Handling, transportation, and storage
The fuel cell power system must be engineered to endure transportation and storage temperatures ranging from -25 °C to +55 °C, with the capability to handle short durations of up to 24 hours at temperatures as high as +70 °C. Manufacturers may specify alternative temperature ranges as needed.
The fuel cell power system or each component part thereof shall
– be capable of being handled and transported safely, and when necessary, be provided with suitable means for handling by cranes or similar equipment,
– be packaged or designed so that it can be stored safely and without damage (for example, adequate stability, special supports, etc.).
The manufacturer shall specify special means for handling, transportation and storage if required.
System purging
Fuel cell systems must include a purge mechanism to ensure a passive state for safety after shutdown or before startup, as directed by the manufacturer. This purge system should utilize a medium specified by the manufacturer, such as nitrogen, air, or steam, in non-hazardous conditions appropriate for the intended application.
Selection of materials
4.3.1 All materials shall be suitable for the intended purpose.
Manufacturers must take necessary precautions and provide essential information to mitigate risks associated with hazardous materials used in fuel cell power systems, ensuring the safety and health of individuals.
Asbestos and asbestos-containing materials are prohibited in the construction of fuel cell power systems. Additionally, the use of other hazardous substances, including lead, cadmium, mercury, hexavalent chromium, polybrominated biphenyl, polybrominated diphenyl ether, and polychlorinated biphenyl, must comply with national and regional regulations.
Materials used in fuel cell power systems, both metallic and non-metallic, must be suitable for all physical, chemical, and thermal conditions expected throughout the equipment's lifespan. This includes components exposed to moisture or containing process gas or liquid streams, as well as sealing and interconnection materials like welding consumables.
The materials must maintain their mechanical stability, including strength, fatigue properties, endurance limit, and creep strength, throughout the entire range of service conditions and lifespan as defined by the manufacturer.
– they shall be sufficiently resistant to the chemical and physical action of the fluids that they contain and to environmental degradation;
– the chemical and physical properties necessary for operational safety shall not be significantly affected within the scheduled lifetime of the equipment unless replacement is foreseen;
When choosing materials and manufacturing methods, it is essential to consider factors such as corrosion and wear resistance, electrical conductivity, impact strength, and aging resistance. Additionally, one must account for temperature variations, potential galvanic corrosion when materials are combined, the impact of ultraviolet radiation, and the degradation effects of hydrogen on the material's mechanical performance.
NOTE Guidance to account for the degradation effects of hydrogen on the mechanical performance of a material can be found in ISO/TR 15916, ASME B31.12 and Annex B.
4.3.4 Where conditions of erosion, abrasion, corrosion or other chemical attack may arise, adequate measures shall be taken to
To mitigate the impact, it is essential to implement suitable design strategies, such as increasing thickness, or to employ effective protective measures, including liners, cladding materials, or surface coatings, while considering the intended and reasonably foreseeable applications.
– permit replacement of parts which are most affected;
It is essential to highlight the type and frequency of inspection and maintenance measures required for the safe continued use of equipment, as outlined in section 7.4.5. Additionally, it should be specified which components are prone to wear and the criteria for their replacement.
General requirements
Accessible components of the fuel cell power system must be designed to eliminate sharp edges, angles, and rough surfaces to prevent potential injuries.
The design and construction of the fuel cell power system, or its accessible components, must prioritize safety by preventing slips, trips, and falls.
The design and construction of the fuel cell power system and its components must ensure stability under expected operating conditions, including climatic factors, to prevent risks of overturning, falling, or unexpected movement. If necessary, suitable anchorage methods should be included and clearly outlined in the instructions.
The design, construction, and arrangement of the moving components in the fuel cell power system must prioritize safety by minimizing hazards. In cases where hazards cannot be eliminated, appropriate guards or protective devices should be implemented to prevent any risk of contact that could result in accidents.
The components of the fuel cell power system must be designed to ensure that, under normal operating conditions, there is no risk of instability, distortion, breakage, or wear that could compromise safety.
The design and construction of the fuel cell power system must effectively mitigate risks associated with the release of gases, liquids, dust, or vapors during its operation and maintenance.
4.4.7 All parts shall be securely mounted or attached and rigidly supported. The use of shock-mounts is permitted when suitable for the application.
All components of the safety shutdown system that could lead to a hazardous event, as identified in the risk analysis, must be acknowledged, certified, or individually tested for their specific intended use.
The design and construction of the fuel cell power system must ensure that risks associated with the release of gases, liquids, dust, or vapors during its operation or maintenance are effectively mitigated.
The manufacturer must implement measures to mitigate any potential injury risks associated with contact or close proximity to the high-temperature external surfaces of the fuel cell power system enclosure, handles, grips, or knobs.
If users may come into contact with the external surfaces of the fuel cell power system's enclosure, handles, grips, knobs, or similar components without personal protective equipment, the manufacturer must ensure that the temperature of these surfaces is consistently maintained within the safe limits of Table 1, or the manufacturer shall fix guards or protective devices in such a way as to prevent risk of contact that could lead to accidents.
Table 1 – Allowable surface temperatures rises
External enclosures, except handles held in normal use 60
Surfaces of handles, knobs, grips and similar parts which are held for short periods only in normal use
– of moulded material (plastic), rubber or wood 60
The maximum surface temperature of external surfaces, which may be touched by individuals without personal protective equipment during operation, exceeds the ambient temperature. These values are detailed in Table 3 of IEC 60335-1:2010.
NOTE 2 The values in the table are based on an ambient temperature not normally exceeding 25 °C but occasionally reaching 35 °C. However, the temperature rise values specified are based on 25 °C.
The temperatures on walls, floor and ceiling adjacent to a stationary fuel cell power system shall not exceed 50 °C above ambient temperature under the test conditions of 5.12 b).
The design and construction of the fuel cell power system must minimize airborne noise emissions to meet the requirements of the intended use or location, ensuring compliance with relevant regional or national noise regulations and standards.
Under normal steady-state operating conditions, the exhaust from the fuel cell power system must not exceed a carbon monoxide concentration of 0.03% by volume in an air-free sample. This sample is adjusted mathematically to reflect a scenario with zero percent excess air.
The CO concentration of the dry, air-free combustion products is given by the formula:
$$\mathrm{CO} = (\mathrm{CO})_{\mathrm{avg}} \times \frac{(\mathrm{CO_2})_{\max}}{(\mathrm{CO_2})_{\mathrm{avg}}}$$
where
CO is the carbon monoxide concentration of air-free combustion products in percent;
$(\mathrm{CO_2})_{\max}$ is the maximum carbon dioxide concentration of the dry, air-free combustion products for test fuel in percent;
$(\mathrm{CO})_{\mathrm{avg}}$ and $(\mathrm{CO_2})_{\mathrm{avg}}$ are the average values of measured concentrations in the sample taken at least 3 times during the test, both expressed in percent.
$$\mathrm{CO} = (\mathrm{CO})_{\mathrm{avg}} \times \frac{21}{21 - (\mathrm{O_2})_{\mathrm{avg}}}$$
where
$(\mathrm{CO})_{\mathrm{avg}}$ and $(\mathrm{O_2})_{\mathrm{avg}}$ are the average values of measured concentrations in the sample taken at least 3 times during the test, both expressed in percent.
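The two air-free formulas above applied to analyser readings, as an added example that is not part of the standard: it averages at least three readings, computes the air-free CO both ways, and compares the result with the 0.03 % limit. The cross-check between the two results (both correct for the same air dilution, so they should agree), its 10 % tolerance, the (CO2)max of 11.7 % and all readings are assumptions constructed for illustration.

```python
from math import isclose
from statistics import mean

CO_LIMIT_PCT = 0.03    # exhaust limit from the text, % by volume, air-free
O2_IN_AIR_PCT = 21.0   # constant in the oxygen-based formula
MIN_SAMPLES = 3        # readings are "taken at least 3 times during the test"


def _average(samples, name):
    """Average a series of analyser readings (percent by volume)."""
    if len(samples) < MIN_SAMPLES:
        raise ValueError(f"{name}: need at least {MIN_SAMPLES} readings")
    if any(s < 0 for s in samples):
        raise ValueError(f"{name}: negative concentration")
    return mean(samples)


def co_air_free_from_co2(co, co2, co2_max):
    """CO = (CO)avg x (CO2)max / (CO2)avg."""
    co2_avg = _average(co2, "CO2")
    if not 0 < co2_avg <= co2_max:
        raise ValueError("(CO2)avg must be above 0 and not above (CO2)max")
    return _average(co, "CO") * co2_max / co2_avg


def co_air_free_from_o2(co, o2):
    """CO = (CO)avg x 21 / (21 - (O2)avg)."""
    o2_avg = _average(o2, "O2")
    if not o2_avg < O2_IN_AIR_PCT:
        raise ValueError("(O2)avg must be below 21 %")
    return _average(co, "CO") * O2_IN_AIR_PCT / (O2_IN_AIR_PCT - o2_avg)


def evaluate(co, co2, o2, co2_max, rel_tol=0.10):
    """Compute air-free CO by both formulas and judge it against the limit.

    The agreement check is an added plausibility test (assumption, not from
    the standard): a large gap points at a drifting analyser or a leak in the
    sample line, so the run is not accepted as a pass.
    """
    by_co2 = co_air_free_from_co2(co, co2, co2_max)
    by_o2 = co_air_free_from_o2(co, o2)
    consistent = isclose(by_co2, by_o2, rel_tol=rel_tol)
    return {
        "by_co2": by_co2,
        "by_o2": by_o2,
        "consistent": consistent,
        "passes": consistent and max(by_co2, by_o2) <= CO_LIMIT_PCT,
    }


# Constructed readings (percent by volume, dry gas); 11.7 % is an assumed (CO2)max.
CO2_MAX = 11.7
# Measured CO 0.011 %, diluted 1:1 with air: air-free CO is 0.022 %.
CLEAN = evaluate([0.010, 0.012, 0.011], [5.8, 5.9, 5.85], [10.4, 10.6, 10.5], CO2_MAX)
# Measured CO 0.020 % looks under the limit, but air-free it is 0.040 %.
MASKED = evaluate([0.020, 0.021, 0.019], [5.8, 5.9, 5.85], [10.4, 10.6, 10.5], CO2_MAX)
# O2 readings that do not match the CO2 readings: the two formulas disagree.
SUSPECT = evaluate([0.010, 0.012, 0.011], [5.8, 5.9, 5.85], [5.0, 5.1, 4.9], CO2_MAX)
```

The MASKED case shows why the limit is stated on an air-free basis: excess air in the sample halves the measured CO without changing what the burner produces.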
4.4.14 Where explosive, flammable, or toxic fluids are contained in the piping, appropriate precautions shall be taken in the design and marking of sampling and take-off points.
4.4.15 The maximum temperatures of components and materials, as installed in the fuel cell power system, shall not exceed their temperature ratings.
The manufacturer must assess the fuel cell power system's ability to function effectively in environments where contaminants such as dust, salt, smoke, and corrosive gases are present.
The design of the fuel cell power system enclosure must ensure safe containment of any potential hazardous liquid leaks, as outlined in section 4.5.2 f regarding liquid fuel. Additionally, the containment system should have a capacity that is 110% of the maximum expected fluid volume that could leak.
4.4.18 The manufacturer shall take measures to ensure against condensate accumulation.
The manufacturer shall take measures to ensure that vent gas does not escape through condensate drain lines.
Pressure equipment and piping
Pressure equipment
Pressurized vessels, including reactors, heat exchangers, gas-fired tube heaters, electric boilers, coolers, and accumulators, along with their pressure relief mechanisms like relief valves, must be built and labeled according to relevant regional or national pressure equipment codes and standards.
Vessels like tanks and similar containers not covered by national pressure equipment standards must be made from appropriate materials as specified in section 4.3 and must comply with the requirements outlined in section 4.4. These vessels, along with their joints and fittings, should be designed and built to ensure sufficient strength for operational efficiency and leakage prevention, thereby avoiding unintended releases.
Hydrogen stored in metal hydrides assemblies shall comply with ISO 16111.
Piping systems
Piping and its associated joints and fittings shall conform to the applicable clauses of
Piping systems intended for internal gauge pressures between zero and 105 kPa, which transport non-flammable, non-toxic fluids that do not harm human tissue, and operate within a temperature range of −29 °C to 186 °C, are excluded from the scope of this regulation.
ISO 15649 mandates that piping systems must be made from appropriate materials as specified in section 4.3 and must comply with the requirements outlined in section 4.4. The design and construction of these pipes, along with their joints and fittings, must ensure sufficient strength to maintain functionality and prevent leaks, thereby avoiding unintended releases.
The design and construction of rigid and flexible pipes and fittings must adhere to specific requirements, including the use of compliant materials and thorough cleaning of internal surfaces to eliminate loose particles. To prevent damage from fluid condensate or sediment in gaseous fluid piping, manufacturers must implement drainage solutions and ensure access for maintenance, particularly in fuel gas controls where sediment traps or filters are essential. Similarly, measures must be taken to prevent sediment accumulation in liquid fuel controls, with appropriate guidelines provided in technical documentation. Non-metallic piping for combustible gases should be safeguarded against overheating and mechanical damage, following risk analysis protocols. Additionally, liquid fuel cell power systems must incorporate mechanisms for capturing, recycling, or safely disposing of released liquid fuel, utilizing drip pans, spill guards, or double-walled pipes to avert uncontrolled releases.
Flue gas venting
The fuel cell power system must include a vent system to safely expel combustion products outdoors. The manufacturer is responsible for either supplying a compliant vent pipe system or providing detailed instructions for selecting one. Key requirements include using corrosion-resistant materials, ensuring durability to prevent unsafe operation, and properly supporting the vent pipe with features like a rain cap to maintain gas flow. Additionally, drainage must be implemented to avoid blockages from water or debris, and the system must be leak-tight. The exhaust outlet collar should accommodate standard vent connectors, and any pressure switches must be factory set or adjusted by authorized personnel, with clear markings for identification. Components in contact with exhaust gas condensate must resist corrosion, and the system should operate effectively under specified pressure conditions while maintaining acceptable carbon monoxide levels. Finally, the venting system must not exceed temperature limits for the materials used, and its length should adhere to established testing parameters.
Gas-conveying parts
The gas-conveying parts shall comply with the following condition:
– the gas passage shall be gas-tight such that the tightness shall not be undermined under ordinary transportation, installation and use.
Protection against fire or explosion hazards
Prevention against fire and explosion hazards in fuel cell power
The fuel cell power system must be designed to mitigate hazards related to flammable atmospheres. To ensure safety, the dilution boundary for normal internal releases should be established to remain below 25% of the lower flammable limit (LFL), utilizing methods such as computational fluid dynamics or tracer gas analysis, as outlined in IEC 60079-10. All devices within these dilution boundaries must comply with specified requirements, and the volume within these boundaries should be classified according to IEC 60079-10, which also provides LFL values for common gases.
IEC 60079-20
c) Cabinet compartments with internal sources of flammable gas/vapour release are defined as fuel compartments. Fuel compartments shall be designed to
– maintain gas mixtures below 25 % (LFL), except in dilution boundaries; and
– limit the extent of dilution boundaries to within the fuel compartment.
d) Methods to maintain normal internal releases below 25 % (LFL), except in dilution boundaries, include
1) Controlled oxidation of normal internal releases
To achieve effective combustion of released gases, it is essential to provide continuous and reliable sources of ignition and oxidants, or to utilize catalytic oxidation units.
The manufacturer must guarantee that the maximum credible release generates pressures and temperatures that can be safely contained within the fuel compartment and withstood by the components exposed to these conditions.
2) Air dilution of normal internal releases
Mechanical ventilation can effectively reduce the concentration of normal releases to below 25% of the lower flammable limit (LFL), provided it remains within specified dilution boundaries. Additionally, the minimum ventilation rate must align with the allowable leakage rate test outlined in section 5.4.
Ventilated fuel compartments in fuel cell power systems must maintain a negative pressure compared to other compartments and the surrounding environment, achieved through methods like induced or exhaust ventilation. It is essential to verify the proper functioning of the ventilation system by measuring flow or pressure, as any ventilation failure will necessitate a shutdown of the process equipment. Control functions for this ventilation must comply with the functional safety standards outlined in section 4.1. However, if effective measures are in place to keep flammable gas concentrations below 25%, fuel compartments may operate without negative pressure ventilation.
LFL under all conditions of use except within dilution boundaries or as described in
Fuel compartments that rely on ventilation for protection against accumulation of flammable atmospheres shall be purged in such a way that the atmosphere will be brought below 25 % of the LFL.
NOTE 1 One method of accomplishing this is with at least four air exchanges within an appropriate time interval to ensure this result.
Purging must occur before energizing any devices that do not meet the area classification requirements outlined in 4.6.1 b). If the atmosphere in the compartment and associated ducts is proven to be non-hazardous by design, purging is unnecessary. All devices that need to be energized before or during purging must comply with the specifications in 4.6.1 e). In hazardous areas classified under 4.6.1 b), manufacturers must eliminate ignition sources, except for units utilizing the protection method described in 4.6.1 d) 1).
– installed electrical equipment is suitable for the area classification according to IEC 60079-0 and other applicable parts of the IEC 60079 series;
– installed electrical resistance trace heating, if available, complies with IEC 60079-30-1;
Surface temperatures must remain below 80% of the auto-ignition temperature, measured in degrees Celsius, for any flammable gas or vapor. For detailed information on the auto-ignition temperatures of different flammable fluids, refer to IEC 60079-20.
Equipment designed with materials that can catalyze the reaction of flammable fluids with air must effectively prevent the spread of this reaction to the surrounding flammable environment.
Proper bonding and grounding, along with appropriate material selection, have effectively eliminated the potential for static discharge. According to IEC 60079-2, compartments housing electrical or mechanical equipment must maintain positive pressure compared to adjacent areas with flammable gas or vapor, unless specific equipment requirements are met. Additionally, the fuel cell power system must incorporate both passive and active measures, or a combination of both, to ensure that abnormal internal releases remain below 25% of the lower flammable limit (LFL), except within dilution boundaries.
In this analysis, sudden and catastrophic failures are not regarded as a release scenario if the design of pressure equipment and piping has already accounted for protection against such failures.
"Passive" refers to methods that restrict the release of flammable gases or vapors to a predetermined maximum value. This includes mechanical limitations such as pipe orifices and flow restriction techniques, as well as permanently secured joints designed to control the release rate effectively.
Active safety measures for fuel cell power systems include flow measurements, controls, and safety devices like combustible gas sensors, which must comply with specified requirements. These systems are designed to shut down if flammable gas concentrations in the ventilation exhaust exceed 25% of the lower flammable limit (LFL). For indoor installations, proper design ensures safe dispersal of ventilation and process exhaust through a flue or venting system. Additionally, static discharge risks are mitigated by bonding and grounding metallic components and using materials that do not generate ignitable charges. A control function is also implemented to prevent exceeding 25% LFL by diluting with air and measuring gas concentrations, with automatic shut-off if limits are breached.
NOTE 2 Non-metallic tubing carrying hydrogen gas may accumulate electrostatic charge along its surface. Discharges from the surface of a tube can ignite flammable gas or vapor mixtures in the surrounding area. To mitigate electrostatic discharges in Zones 1 and 2, IEC 60079-10 recommends using tube materials with adequate conductivity or controlling gas flow velocity to prevent the accumulation of electrostatic charge.
NOTE 3 Metal braid coverings, or conductive wires within the non-metallic tubing wall may increase the chance of electrostatic discharge if those conductors become disconnected from their bonding conductor.
Prevention of fire and explosion hazards in burners
Fuel cell power systems must be designed to prevent the unsafe accumulation of flammable or explosive gases in burners, including start, main, and auxiliary burners in the reformer section. The main burner should include a pilot or direct ignition device that is automatically controlled to avoid damaging the burner. This ignition device must be securely positioned relative to the main burner ports, with safeguards to prevent incorrect assembly. Pilots must also be automatically controlled and capable of igniting any pilot fuel, ensuring proper placement in relation to the burners they serve. If a pilot is part of the start burner, it will be evaluated according to the construction and performance specifications outlined in the standard. Additionally, the automatic electrical burner control system must meet specified requirements.
4.9.2 and shall be fitted to the burner to ensure safe start-up, operation and shutdown including lock-out if required. Flame or oxidation monitoring is an integral function of this control.
f) The main burner or pilot flame, or both, shall be supervised by a flame detector or other adequate means. If a main burner is ignited by a pilot, the presence of flame at the pilot shall be detected before gas is released to the main burner. A system having an interrupted pilot shall provide supervision of the main burner flame following the main burner flame-establishing period.
g) The supervised pilot flame shall be capable of effectively igniting the fuel at the main burner even when the fuel supply to the pilot is reduced to the point where the pilot flame is just sufficient to actuate the flame supervision according to IEC 60730-2-5.
h) If the heat input of a pilot does not exceed 0,250 kW, there is no requirement for the flame establishing period.
i) If the heat input of a pilot exceeds 0,250 kW, or in case of direct ignition of the main burner, the start-up lock-out time is determined by the manufacturer so that, in accordance with the delayed ignition test (5.10.2), no health or safety hazard for the user or damage to the fuel cell power system occurs.
j) Each pilot or direct main burner ignition attempt begins with the opening of the fuel valves and ends with the closing of the fuel valves. The spark shall continue at least until ignition occurs or until the end of the flame-establishing period.
k) Pilot or direct main burner ignition shall be attempted a maximum of 3 times, each time followed by recycling of the burner control system. A higher number of attempts shall be determined by the manufacturer on the basis of a safety analysis.
If there is no flame detected after three attempts, a lock-out will occur. In the event of a flame failure, the system must initiate re-ignition, recycling, or lock-out. The lock-out time for pilot or main burner flame failure should not exceed 3 seconds, although a longer duration may be permitted based on the manufacturer's safety analysis.
The primary safety control is not required to de-energize all fuel safety valves if the burner cavity temperature exceeds the fuel's auto-ignition temperature. If re-ignition occurs, the direct ignition device must be re-energized within 1 second after the flame signal disappears, with the flame-establishing period starting upon energization. A lack of flame at the end of this period will result in a lock-out. In the case of recycling, it must be preceded by a gas supply interruption and purging, with the ignition sequence restarting from the beginning. Recycling attempts are limited to three, each followed by purging, and a failure to establish a flame after the third attempt will also lead to a lock-out. An automatic electrical burner control system must prevent feedback from energizing a fuel valve or ignition device after the main burner is shut off. Additionally, for safety, a means must be provided to automatically purge the burner housing of any flammable gas mixture before ignition trials, ensuring a minimum of four air changes in the combustion chamber.
The air purging process must be monitored by a safety-related control function, with safety levels determined by risk analysis. Automatic burner control system components should be installed to ensure that their operation and main burner ignition remain unaffected by falling particles or condensation. Effective measures must be in place to prevent backflow of air into the fuel line or fuel into the air supply when primary air is mixed with fuel. The fuel and air supply must be controlled to ensure airflow before ignition and to prevent fuel from entering the reformer burner until air is available, with provisions to shut off the fuel supply in case of air fan failure. Mechanical linkages for fuel and air controls should be designed to maintain the correct fuel/air ratio and resist accidental breakage. Upon shutdown, hazardous gases must be safely contained, purged, or reacted. The manufacturer must ensure that the fuel cell power system prevents air from crossing into fuel lines or vice versa. Additionally, under blocked outlet conditions, the fuel cell power system must not produce carbon monoxide concentrations exceeding 0.03% in an air-free sample of the effluents, in compliance with national regulations.
The fuel cell power system must maintain a carbon monoxide concentration below 0.03% in air-free effluents when the air supply inlet is blocked, as per test 5.15.2.3. If the combustion compartment's temperature exceeds the auto-ignition temperature, flame supervision can be replaced with temperature monitoring. Should the temperature fall below this threshold, the safety shut-off valves will be de-energized, and gas flow will only be released once the self-ignition temperature is confirmed. The control function must adhere to the safety standards outlined in IEC 60730-2-5.
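The burner start-up rules in this section (a purge of at least four air changes before each ignition trial, pilot flame detected before gas is released to the main burner, at most three attempts, then lock-out), as an added example that is not part of the standard: a Python simulation of the sequence and a checker that audits a controller event trace against those rules. The event names, purge figures and flame-detector readings are hypothetical and constructed for illustration.

```python
MAX_ATTEMPTS = 3       # ignition "shall be attempted a maximum of 3 times"
MIN_AIR_CHANGES = 4    # pre-ignition purge: "a minimum of four air changes"


def purge_air_changes(fan_m3_per_s, seconds, chamber_m3):
    """Air changes delivered by a purge: swept air volume / chamber volume."""
    return fan_m3_per_s * seconds / chamber_m3


def run_start_sequence(pilot_flame_readings, purge=(0.125, 16.0, 0.25)):
    """Simulate a pilot-ignited start-up and return (final_state, events).

    pilot_flame_readings: constructed flame-detector results, one per attempt.
    purge: (fan flow m3/s, duration s, chamber volume m3), hypothetical values.
    """
    events = []
    for attempt in range(1, MAX_ATTEMPTS + 1):
        # Every attempt, including a recycle, starts from closed valves and a purge.
        changes = purge_air_changes(*purge)
        events.append(("PURGE", changes))
        if changes < MIN_AIR_CHANGES:
            events.append(("LOCKOUT", "purge not proven"))
            return "LOCKOUT", events
        events.append(("PILOT_VALVE_OPEN", attempt))    # attempt begins
        events.append(("IGNITER_ON", attempt))
        reading = pilot_flame_readings[attempt - 1:attempt]  # empty = no flame
        if reading and reading[0]:
            events.append(("PILOT_FLAME_PROVEN", attempt))
            events.append(("MAIN_VALVE_OPEN", attempt))
            return "RUNNING", events
        events.append(("FUEL_VALVES_CLOSED", attempt))  # attempt ends
    events.append(("LOCKOUT", "no flame after 3 attempts"))
    return "LOCKOUT", events


def check_trace(events):
    """Audit an event trace; return the list of rule violations (empty = clean)."""
    violations = []
    purged = False        # a sufficient purge has run since fuel was last admitted
    pilot_proven = False  # pilot flame detected in the current attempt
    attempts = 0
    for name, value in events:
        if name == "PURGE":
            purged = value >= MIN_AIR_CHANGES
        elif name == "PILOT_VALVE_OPEN":
            attempts += 1
            pilot_proven = False
            if not purged:
                violations.append("fuel admitted without a proven purge")
            if attempts > MAX_ATTEMPTS:
                violations.append("more than 3 ignition attempts")
            purged = False  # gas may be present again; the next attempt needs a new purge
        elif name == "PILOT_FLAME_PROVEN":
            pilot_proven = True
        elif name == "FUEL_VALVES_CLOSED":
            pilot_proven = False
        elif name == "MAIN_VALVE_OPEN" and not pilot_proven:
            violations.append("main gas released before pilot flame was detected")
    return violations


# Constructed trace from a faulty controller: main gas opened with no flame signal.
FAULTY_TRACE = [
    ("PURGE", 8.0),
    ("PILOT_VALVE_OPEN", 1),
    ("IGNITER_ON", 1),
    ("MAIN_VALVE_OPEN", 1),
]
```

Running `check_trace` over logged controller events gives an independent check that the sequencer honoured its interlocks, separate from the sequencer's own logic.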
Prevention of fire and explosion hazards in catalytic fuel oxidation
In fuel cell power systems that involve catalytic burners, it is crucial to prevent the unsafe accumulation of flammable or explosive gases during controlled catalytic fuel oxidation reactions. To ensure safety during start-up or after shutdown, a purging system must be implemented, utilizing mediums such as nitrogen, air, or steam as specified by the manufacturer. The purging process should be tailored to the system's flow characteristics, dynamics, and geometry, with the purge gas monitored by a safety-related control function based on a thorough risk analysis. Additionally, when air is mixed with fuel, manufacturers must implement effective measures to prevent backflow of air into the fuel line or fuel into the air supply.
To ensure optimal reactor performance, it is essential to regulate the fuel and air supply effectively. This involves providing air before the initiation of the reaction and preventing fuel from entering the reactor until the air supply is ready.
The fuel and air supply must be precisely controlled to ensure fuel availability before reaction initiation and to prevent air from entering the reactor prematurely. Mechanical linkages for fuel and air controls should be designed to maintain the correct fuel-air ratio and resist accidental breakage. The reaction initiation time must account for the response time of control devices and the buildup of a safe flammable mixture based on flow rates and system dynamics. If the catalytic reaction does not establish within this time, the system must automatically shut off the fuel supply. Catalyst temperature must be monitored, and if it falls outside the manufacturer's specified range, the system should also shut off the fuel supply. The reaction failure lock-out time should not exceed 3 seconds, although longer times may be acceptable based on safety analysis. Manufacturers must ensure that any potential buildup of fuel and air mixtures does not exceed safe pressure and temperature limits. Upon shutdown, hazardous gases must be safely contained or disposed of, and adequate measures should be in place to prevent health or safety risks from air and fuel stream cross-contamination in the thermal management system.
NOTE Subclause 4.6.3 is also applicable to anode exhaust catalytic reactor.
Electrical safety
The design and construction of electric systems, along with the use of electrical and electronic equipment such as electric motors and enclosures, must comply with applicable electrical product application standards.
• IEC 60335-1 (e.g. residential/commercial and light industrial);
The selection of the appropriate application will be provided in the technical specification.
The fuel cell designer shall also consider the following fuel cell specific issues:
• residual charge on the fuel cell stack;
Electromagnetic compatibility (EMC)
The fuel cell power system must not produce electromagnetic disturbances that exceed acceptable levels for its designated usage areas. Additionally, it should possess sufficient immunity to electromagnetic disturbances to ensure proper operation in its intended environment. Compliance with relevant standards, including IEC 61000-3-2, IEC 61000-3-3, IEC 61000-3-4, IEC 61000-3-5, IEC 61000-3-11, IEC 61000-6-1, IEC 61000-6-2, IEC 61000-6-3, and IEC 61000-6-4, is required for the fuel cell power system.
Control systems and protective components
General requirements
4.9.1.1 The risk analysis as specified in 4.1 shall provide the basis to set the protection parameters of the safety circuit.
4.9.1.2 The fuel cell power system shall be designed in such a way that the single failure of a component does not cascade into a hazardous condition. Means to prevent cascade failures include, but are not limited to:
– protective devices in the fuel cell power system (for example, interlocking guards, trip devices),
– protective interlocking of the electrical circuit,
– use of proven techniques and components,
– provision of partial or complete redundancy or diversity, and
The evaluation of the required measures to avoid and/or control failures if they occur is given in the application relevant control standards as shown in 4.1.
Control systems
Automatic controls for fuel cell power systems must be designed for safety and reliability. Fuel cell systems used in residential, commercial, and light industrial applications should comply with IEC 60730-1 standards.
Automatic electrical burner control systems shall comply with IEC 60730-2-5.
Automatic electrical control systems for catalytic oxidation reactors shall comply as applicable with IEC 60730-2-5. Specific requirements are provided in 4.6.3.
Manual controls shall be clearly marked and designed to prevent inadvertent adjustment and activation.
In particular, the following requirements apply.
The start of an operation shall be possible only when all the safeguards are in place and are functional.
Suitable interlocks shall be provided to secure correct sequential starting.
Automated plant operations can only be resumed in automatic mode after ensuring all safety conditions are met. Additionally, the fuel cell power system can be restarted through a designated control mechanism, as long as this action is confirmed to be safe.
This requirement does not apply to the restarting of the fuel cell power system resulting from the normal sequence of an automatic cycle.
As determined by the risk analysis indicated in 4.1, the functional requirements of the fuel cell power system shall be provided with the following shutdowns:
An emergency shutdown occurs when the main fuel flow is de-energized during air-rich operations, or when both the process air flow and main fuel flow are de-energized in fuel-rich operations. This action is triggered by a limiter, a cut-out, or the detection of an internal system fault.
A normal shutdown in air-rich operation involves de-energizing the main fuel flow, while in fuel-rich operation, it requires de-energizing both the process air flow and the main fuel flow. This shutdown occurs when a control device, like a thermostat, opens a control loop, leading the system to revert to its initial state.
Emergency shutdowns are essential components of fuel cell power systems, designed to prevent actual or imminent hazards that cannot be resolved through standard controls.
– stop the dangerous condition without creating additional hazards,
– trigger or permit the triggering of certain safeguard actions where necessary,
– override all other functions and operations in all modes,
– prevent reset from initiating a restart,
Restart lock-outs must be implemented to ensure that a new start command can only be activated during normal operation after the restart lock-outs have been intentionally reset. Additionally, an emergency stop feature is essential for safety.
Manual emergency shutdowns (i.e. emergency stops), if required by the risk analysis in 4.1, shall have clearly identifiable, clearly visible and quickly accessible controls in accordance with ISO 13850.
c) Control functions in the event of control systems failure
In case of fault in the control system logic or failure of, or damage to, the control system hardware:
– the fuel cell power system shall not be prevented from stopping once the stop command has been given,
– automatic or manual stopping of the moving parts shall be unimpeded,
– the protection devices shall remain fully effective,
– the fuel cell power system shall not restart unexpectedly
In the event of a safety shutdown triggered by a protective device or interlock in the fuel cell power system, the control system's logic must be notified of this condition. It is crucial that resetting the shutdown function does not lead to any hazardous situations. Additionally, control and monitoring systems capable of functioning safely during hazardous conditions may remain powered to ensure the availability of system information.
Upset conditions that are manageable and not immediately hazardous can be addressed through a normal shutdown, which may either cut off all power to the equipment or maintain power to the fuel cell power system actuators.
Permissives shall be implemented consistent with requirements established from the risk analysis described in 4.1.
When designing a fuel cell power system to operate alongside other equipment, it is essential to incorporate a shutdown function, including an emergency stop. This function should include signal interfaces that facilitate a coordinated shutdown with upstream and/or downstream equipment when continued operation poses a safety risk.
4.9.2.6 Operating modes
a) Fuel cell power systems operating modes include:
• an operational state (substantial electrical output power); and
• a standby state (zero net power output).
Non-operating modes can include:
• storage state
b) There shall be two primary transitions: start-up and shutdown:
• start-up is the transition from NON-OPERATING to OPERATING MODE and shall be initiated from an external signal;
A shutdown refers to the automatic shift from OPERATING to NON-OPERATING MODE, which can be triggered by either an external signal or an internal signal due to out-of-limits conditions detected by the fuel cell power system controller. Additionally, secondary operating modes and transitions may be implemented to accommodate varying power output rates or to facilitate adjustment, maintenance, or inspection activities. Mode selection is an essential aspect of this process.
The fuel cell power system must be designed for multiple control or operating modes, each with distinct safety levels, allowing for adjustments, maintenance, and inspections. It should feature a secure mode selection mechanism, where each position corresponds to a specific operating mode and includes restart lock-outs. A new start command can only be executed in normal operation after these lock-outs are intentionally reset. Mode selection should utilize securable methods, such as knobs, key locks, or software commands, to prevent accidental changes that could create hazardous conditions. Additionally, the design may restrict user access to certain operating modes through access codes for specific functions. The selected mode will take precedence over all other control systems, except for safety shutdowns.
4.9.2.7 Remote monitoring and control systems
Fuel cell power systems designed for remote operation must include a clearly labeled local switch or alternative method to disconnect from remote signals during inspections or maintenance. Remote monitoring and control systems are permitted only if they do not create unsafe conditions and must not override locally established safety controls.
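The start, shutdown, lock-out and remote-control rules of 4.9.2 expressed as one small state machine, as an added example that is not part of the standard. All class and method names are hypothetical, and two policy choices are assumptions: the lock-out reset is treated as a local-only safety control, and a reset is refused while a safeguard is still faulty.

```python
from enum import Enum, auto


class Mode(Enum):
    NON_OPERATING = auto()
    OPERATING = auto()
    LOCKED_OUT = auto()      # after an emergency shutdown, until intentionally reset


class Source(Enum):
    LOCAL = auto()
    REMOTE = auto()
    INTERNAL = auto()        # protective device, interlock or emergency stop


class Controller:
    """Hypothetical controller; names and policy choices are assumptions."""

    def __init__(self, safeguards):
        self.safeguards = dict(safeguards)   # safeguard name -> functional?
        self.mode = Mode.NON_OPERATING
        self.remote_connected = True         # position of the local disconnect switch
        self.audit = []                      # (command, source, accepted, reason)

    def _record(self, command, source, accepted, reason):
        self.audit.append((command, source.name, accepted, reason))
        return accepted

    def _faulty(self):
        return sorted(n for n, ok in self.safeguards.items() if not ok)

    def _remote_blocked(self, source):
        return source is Source.REMOTE and not self.remote_connected

    def start(self, source):
        if self._remote_blocked(source):
            return self._record("start", source, False, "remote disconnected locally")
        if self.mode is Mode.LOCKED_OUT:
            return self._record("start", source, False, "restart lock-out not reset")
        if self.mode is Mode.OPERATING:
            return self._record("start", source, False, "already operating")
        if self._faulty():
            reason = "safeguards not functional: " + ", ".join(self._faulty())
            return self._record("start", source, False, reason)
        self.mode = Mode.OPERATING
        return self._record("start", source, True, "ok")

    def normal_shutdown(self, source):
        if self._remote_blocked(source):
            return self._record("stop", source, False, "remote disconnected locally")
        if self.mode is Mode.OPERATING:
            self.mode = Mode.NON_OPERATING
        return self._record("stop", source, True, "ok")

    def emergency_shutdown(self, cause):
        # Overrides every mode and always latches the restart lock-out.
        self.mode = Mode.LOCKED_OUT
        return self._record("emergency_shutdown", Source.INTERNAL, True, cause)

    def safeguard_changed(self, name, functional):
        self.safeguards[name] = functional
        if not functional:
            self.emergency_shutdown("safeguard fault: " + name)

    def reset_lockout(self, source):
        if source is not Source.LOCAL:
            return self._record("reset", source, False, "reset is a local safety control")
        if self.mode is not Mode.LOCKED_OUT:
            return self._record("reset", source, False, "no lock-out active")
        if self._faulty():
            return self._record("reset", source, False, "fault still present")
        self.mode = Mode.NON_OPERATING       # a reset never restarts the system
        return self._record("reset", source, True, "ok")
```

The audit list keeps every refused command with its source, which is the record to review when a remote start or reset attempt arrives while the local switch is set for maintenance.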
Protective components
Suitable protective devices, and combinations thereof, comprise
Effective monitoring devices, including indicators and alarms, are essential for ensuring that fuel cell power systems operate within permissible limits. These devices facilitate timely actions, whether automated or manual, to maintain optimal performance and safety.
The design and construction of devices must ensure reliability and suitability for their intended purpose, while also considering the necessary maintenance and testing requirements.
– have their protective functions independent of other possible functions;
– comply with appropriate design principles in order to obtain suitable and reliable protection. These principles include, in particular, fail-safe modes, redundancy, diversity and self-diagnosis.
To prevent dangerous overloading of equipment, it is essential to incorporate integrated measurement, regulation, and control devices during the design phase. These devices include over-current cut-off switches, temperature limiters, differential pressure switches, flow-meters, time-lag relays, and over-speed monitors, among others.
Protective devices equipped with measuring functions must be designed to handle expected operational demands and specific usage conditions. Additionally, it should be possible to verify the accuracy of readings and the functionality of these devices when necessary.
Devices must include a safety factor to ensure that the alarm threshold is set well beyond the limits that could be detected, especially considering the installation's operating conditions and potential measurement system anomalies. If the protective control involves electronic components, it should be designed in accordance with the requirements outlined in section 4.1.
4.9.3.2 Type of components
a) Pressure limiting devices, such as pressure switches, shall comply with IEC 60730-2-6.
b) Temperature monitoring devices shall have an adequately safe response time, consistent with the measurement function, according to IEC 60730-2-9.
c) A fuel cell power system may elect to use a gas detector as a protective component to mitigate against possible gas leakage. A gas detector, if used in the fuel cell power system, shall comply with ISO 26142 or IEC 60079-29-1, as appropriate.
d) A gas sensor control loop (sensing element, electronic circuit, shut-off of the fuel supply) shall be fail safe and designed according to the requirements in 4.1.
e) All parts of fuel cell power systems which are set or adjusted at the stage of manufacture, and which should not be manipulated by the user or the installer, shall be appropriately protected.
f) Levers and other controlling and setting devices shall be clearly marked and given appropriate instructions so as to prevent any error in handling. Their design shall be such as to preclude accidental manipulation.
Pneumatic and hydraulic powered equipment
Pneumatic and hydraulic equipment of fuel cell power systems shall be designed according to
Valves
Shut-off valves
Shut-off valves are essential for all equipment and systems requiring the containment or blockage of process fluid flow during shutdowns, testing, maintenance, or emergencies. These valves must be rated for the specific service pressure, temperature, and fluid characteristics. Additionally, actuators on shut-off valves should be designed to endure local ambient temperatures and any extra heat from the valve body. Furthermore, electrically, hydraulically, or pneumatically operated shut-off valves must be of a type that automatically moves to a failsafe position if actuation energy is lost.
Fuel valves
Supply fuel valves must adhere to specific criteria:
a) All fuel directed to the fuel cell power system must pass through a minimum of two automatic valves in series, functioning as both safety shut-off and operating control valves.
b) Fuel supplied directly to equipment like start-up boilers or reformer start burners must also go through at least two automatic valves in series, serving as operating and safety shut-off valves, which may be housed in a single control body.
c) Electrically operated supply fuel valves are required to comply with ISO 23551-1 standards.
According to ISO 23553-1, when recycling fuel gases from appliances utilizing the fuel cell power system output gas, the connection may not require shut-off valves if safety is confirmed through a risk analysis as outlined in section 4.1. Additionally, manual shut-off valves for flammable gases must be appropriate for their specific application in compliance with ISO 23550.
Rotating equipment
General requirements
Rotating equipment must be engineered to withstand the specific pressures, temperatures, and fluids encountered during normal operations. It is essential to ensure that fluid inlet and outlet lines are protected from vibration-related damage. Additionally, shaft seals should be compatible with the fluids being pumped and the anticipated operating conditions, including both normal and emergency shutdowns, to prevent hazardous fluid leakage. In cases where leakage occurs, manufacturers are required to implement containment or dilution measures to mitigate health and safety risks. Furthermore, motors, bearings, and seals must be appropriate for the expected duty cycles.
Compressors
4.12.2.1 Where appropriate, packaged compressors shall conform to one of the following standards: ISO 5388; ISO 10439; ISO 10442; ISO 13707; ISO 10440-1; ISO 10440-2 or
4.12.2.2 Unless considered unnecessary by the risk analysis in 4.1, compressors, or compressor systems, shall be provided with the following:
a) Pressure-relief devices that limit each stage pressure for the compression cylinder and piping associated with that stage of compression.
The requirement applies when compression equipment can generate pressure beyond its design limits. It includes an automatic shutdown control for high discharge and low suction pressure, an unloading device for capturing and recycling blow-down gas or safe venting upon restart, and a pressure-limiting device to prevent over-pressurization at the inlet.
4.12.2.3 Compressors excluded from the scope of the standards referenced in 4.12.2.1 due to small capacity or low discharge pressure need only comply with the requirements specified in 4.12.2.2
Packaged low-discharge pressure compressors (fans and blowers) shall be guarded according to ISO 12499 (see also 4.4.4).
Pumps
4.12.3.1 Packaged electric pumps for process liquids shall conform to ISO 13709 or
Packaged electric pumps for water shall conform to IEC 60335-2-51, if applicable.
4.12.3.2 Electric pumps, or electric pump systems, shall be provided with the following:
a) Pressure-relief devices that limit both inlet and outlet pressure to less than the design pressure of the piping. If the shut-off head of the electric pump is less than the pressure rating of the piping, relief valves are not required.
b) An automatic shutdown control for high discharge pressure.
4.12.3.3 Pumps excluded from the scope of the standards referenced in 4.12.3.1 due to small capacity or low discharge pressure shall comply with the requirements specified in
Cabinets
Fuel cell power system cabinets must possess adequate strength, rigidity, and durability, along with resistance to corrosion and other physical properties These features are essential to support and safeguard all components and piping of the fuel cell power system, while also ensuring compliance with the requirements for storage, transport, installation, and final placement conditions.
4.13.2 Fuel cell power system cabinets intended for use indoors or under conditions of weather-protected outdoor locations shall be designed and tested so as to meet a minimum IP20 rating according to IEC 60529.
4.13.3 The fuel cell power system intended for use outdoors shall be designed and tested so as to meet a minimum IP23 rating.
4.13.4 Ventilation openings shall be so designed that they will not become obstructed during normal operation either by dust, snow or vegetation in accordance with the expected application.
All materials utilized in cabinet construction, including joints, vents, and door gaskets, must endure the expected physical, chemical, and thermal conditions throughout the lifespan of the fuel cell power system.
Access panels, covers, or insulation intended for regular servicing and accessibility must be designed to withstand repeated removal and replacement without causing damage or reducing their insulating effectiveness.
4.13.7 Access panels, covers or insulation that need to be removed for normal servicing and accessibility shall not be interchangeable if that interchange may lead to an unsafe condition.
Access panels, covers, or doors designed to safeguard equipment from unauthorized entry must be securely retained and require a tool, key, or similar mechanical means for opening. This requirement applies to all residential units.
4.13.9 Means shall be provided to drain collected liquids and to pipe them to the exterior for disposal or redirect them to processes associated with the fuel cell power system.
4.13.10 Where personnel can fully enter the cabinet, access procedures shall be provided in the product’s technical documentation.
Thermal insulating materials
Insulation systems employed in the fuel cell power system shall be designed to attain:
– chemical compatibility with the metals being insulated, the atmosphere and temperatures to which the systems will be exposed, and the various components of the insulation system itself;
– protection of insulation systems from expected thermal and mechanical abuse (including damage by atmospheric conditions);
– fire safety, by limiting surface temperatures of heat-producing objects to prevent the ignition of materials in proximity to them;
– future accessibility of piping, fittings, etc for maintenance purposes
In particular, thermal insulating materials and their internal bonding or adhesive attachment means mounted on components of the fuel cell power system shall
– be mechanically or adhesively retained in place and shall be protected against displacement or damage from anticipated loads and service operation;
– withstand all air velocities, temperatures and fluids to which they may be subjected in normal operation
If necessary, to avoid hazards to health and safety, the manufacturer shall specify in the maintenance manual the thermal insulation system inspection and safety requirements.
Utilities
General requirements
The fuel cell power system must be engineered to ensure that, in the event of a utility supply failure, it does not create any health, safety, or environmental risks, nor does it result in permanent damage to the system.
Water supply
Fuel cell power systems require a reliable water supply, which can be sourced from an on-site connection or a self-contained system, ensuring compliance with local regulations. It is essential to prevent process water from contaminating potable water sources, adhering to local guidelines. Additionally, measures must be implemented to prevent backflow of steam into the water treatment system, with a check valve or equivalent device serving this purpose effectively.
Fuel gas supply
If applicable, means shall be provided to prevent backflow of processed fuel gas and/or purge gasses into the fuel source.
Electrical connections
A service receptacle outlet, or lighting circuit, not under control of a disconnecting means may be part of the fuel cell power system, provided:
1) the voltage does not exceed nominal domestic mains voltage;
3) the receptacle is so located as not to constitute a hazard when servicing the fuel cell power system; and
4) a suitable marking indicating the voltage and current limitation of the receptacle is located adjacent to the receptacle
4.15.4.2 Disconnection from the mains supply
Electrical disconnection devices must include a locking mechanism to ensure they cannot be inadvertently reconnected before service personnel complete their work, thereby enhancing safety during maintenance.
NOTE Instructions can be provided to allow servicing parts of the equipment with or without opening the disconnection device
Disconnection devices shall be provided to disconnect the fuel cell generator from the AC or
Qualified personnel should service DC supplies, ensuring that isolation means are located in the service access area or externally. The disconnection device must be suitable for the overvoltage category of the application and, if integrated into the equipment, should be as close as possible to the incoming supply. Functional switches can serve as disconnection devices if they meet all necessary requirements. For stationary fuel cell systems, the disconnection device should be part of the equipment unless installation instructions specify that an external device is required.
To minimize the risk of accidental contact by service personnel, all components of a disconnection device that remain energized when the device is turned off must be properly guarded and clearly labeled.
If the operating means of the disconnection device is operated vertically rather than rotationally, or horizontally, the “UP” position of the operating means shall be in the “ON” position.
For three-phase equipment, it is essential that the disconnection device simultaneously disconnects all line conductors of the AC mains supply. In cases where a neutral connection is required, a four-pole disconnection device must be used to disconnect all line and neutral conductors. If the equipment does not include this four-pole device, the installation instructions must clearly indicate the necessity for an external device. Additionally, if the disconnection device interrupts the neutral conductor, it must also ensure the simultaneous interruption of all line conductors.
4.15.4.2.6 Single-phase and DC equipment
A disconnection device must simultaneously disconnect both poles of the equipment, unless specific conditions are met. If the earthed conductor in a DC mains supply or an earthed neutral in an AC mains supply can be reliably identified, a single-pole disconnection device may be used to disconnect the unearthed (line) conductor. Conversely, if identification is not possible and the equipment lacks a two-pole disconnection device, the installation instructions must mandate the provision of an external two-pole disconnection device.
Manual safety shutdowns, or emergency stops, must feature easily identifiable, visible, and accessible controls, as specified by ISO 13850, if indicated by the risk analysis. Fuel cell generators equipped with a built-in emergency stop device or terminals for a remote emergency stop must ensure that power supply export is halted in all operational modes. If the system relies on additional disconnection of power supplies through building wiring, this must be clearly stated in the installation instructions. Additionally, plug-connected fuel cell generators are exempt from requiring an emergency switching device if the plug itself can fulfill that role.
Installation and maintenance
Installation
The manufacturer shall provide instructions for the proper installation, adjustment, operation, and maintenance of the fuel cell power systems.
To minimize risks associated with fitting or refitting certain parts, their design should incorporate safety features, or alternatively, clear information should be provided on the parts and their housings. This includes guidance on moving parts and their housings to ensure the direction of movement is understood, thereby reducing potential hazards. Additionally, any further necessary information should be included in the accompanying instructions.
To mitigate risks associated with faulty connections, it is essential to minimize incorrect connections through thoughtful design. If design adjustments are not feasible, providing clear information on pipes, cables, and connector blocks is crucial.
Maintenance
Adjustment, lubrication, and maintenance points must be positioned outside areas where individuals may face injury or health risks, or detailed maintenance instructions should be included in the product's manual to mitigate such risks. All maintenance activities, including adjustment, repair, cleaning, and servicing, should be feasible while the fuel cell power system is not in operation. If these tasks need to be performed while the system is running, it must be designed to ensure safety during such operations. Additionally, components of the automated fuel cell power system that require frequent replacement should be easily removable and replaceable without posing any injury risk, with access designed to facilitate these procedures using the appropriate technical means.
When utilizing tools and measuring instruments, it is essential to follow the product's technical documentation. Additionally, health and safety instructions or diagrams related to the fuel cell power system must be displayed in a permanent manner, ensuring they are resistant to or protected from the environmental conditions in which they are used.
General requirements
Operating parameters for tests
5.1.1.1 Unless there are specific test conditions called for elsewhere in the standard, test conditions shall be formulated from the most unfavourable combination of the manufacturer’s operating specifications and the parameters set out below:
a) supply voltage;
b) supply frequency;
c) physical location of equipment and position of movable parts;
d) operating mode;
e) adjustment of thermostats, regulating devices or similar controls in end user access areas, which are
1) adjustable without the use of a tool, or
2) adjustable using a means, such as a key or a tool, deliberately provided for the end user
5.1.1.2 Except where otherwise stated in the particular clauses, measurements shall be carried out with the maximum uncertainties indicated below:
a) atmospheric pressure (Pa) (0,5 kPa);
b) combustion chamber and test flue pressure ± 5 % full scale or (50 Pa);
c) gas pressure (Pa) ± 2 % full scale;
d) water-side pressure loss (Pa) ± 5 %;
e) water rate (l/h, m³/h) ± 2 %;
f) gas rate (m³/h) ± 2 %;
g) air rate (m³/h) ± 2 %;
h) time (h)
– for all other timings ± 0,1 %;
i) auxiliary electrical energy/performance kWh or kW ± 2 %;
j) temperatures: °C or K
– fuel gas ± 1 K at T < 100 °C; ± 1 % of reading in °C:
The measurements for various parameters are as follows: surface temperature is accurate to ± 5 K; the concentrations of CO, CO2, and O2 used for calculating flue losses have a precision of ± 6 %; the gas calorific value is measured in kWh/m³ with an accuracy of ± 1 %; gas density is recorded in kg/m³ with a tolerance of ± 1%; mass is measured in kg with a precision of ± 1%; torque is expressed in Nm with an accuracy of ± 10 %; force is measured in N with a tolerance of ± 10 %; current is recorded in A with an accuracy of ± 1 %; voltage is measured in V with a precision of ± 1 %; and electrical power is expressed in W or kW with an accuracy of ± 2 %.
The full range of the measuring apparatus is chosen to be suitable for maximum anticipated value.
For the determination of the leakage rate, a method is used which gives such accuracy that the error in its determination does not exceed 2 % of related volume per hour.
Measurement uncertainties pertain to individual measurements. When combining these measurements for calculations such as efficiency, it is crucial to consider the lower uncertainties of the individual measurements to minimize the overall uncertainty.
Operating voltages are determined by the manufacturer’s specifications.