One person died and three were taken to hospital after a carbon dioxide leak at the Ascó nuclear power plant in Catalonia, Spain, on Nov. 24. Emergency services said the incident was not related to radiological activity, but was likely caused by a failure of the plant's fire prevention system.
Catalonia’s fire brigade said it was called to the nuclear power plant near Ascó around 6:55 p.m. local time. A total of seven firefighting teams helped secure the site and checked the extractors before making sure the fire prevention system was safe and working again. Four crews stayed overnight as a precaution, but left after the site was confirmed to be safe, the fire department said.
The operator of the Ascó nuclear power plant, Association Nuclear Ascó-Vandellòs (ANAV), said in a statement that the incident had occurred in Unit 1. The deceased and the three injured were all technicians from the plant and were performing maintenance tasks on the fire prevention system when the leak occurred. The injured were treated at a local hospital for minor injuries from CO₂ inhalation.
ANAV said it joins the grief of the family of the deceased worker and expressed its condolences. It added that it has opened an investigation into the accident, which has not compromised the safety of the facility or the environment.
Functional Safety Measures That Could Have Helped
- Redundant Gas Detection Systems: Install multiple, SIL-rated CO₂ detectors in critical zones to ensure early leak detection, even if one sensor fails.
- Automatic Ventilation and Purge Systems: Triggered by gas detection, these systems can rapidly dilute and evacuate CO₂ from enclosed areas to prevent asphyxiation.
- Fail-Safe Fire Suppression Design: Ensure that fire suppression systems using CO₂ are interlocked with occupancy sensors and alarms to prevent discharge when personnel are present.
- Access Control with Safety Interlocks: Prevent entry into high-risk zones during maintenance or system testing unless safety conditions are verified (e.g., gas levels, ventilation status).
- Emergency Shutdown and Isolation Logic: Functional safety PLCs (programmable logic controllers) can isolate affected zones and shut down non-essential systems to contain the hazard.
- Integrated Alarm and Evacuation Systems: Audible and visual alarms, combined with automated evacuation guidance, can reduce response time and save lives.
- Lifecycle Safety Management (IEC 61508/61511): Apply the full safety lifecycle, from hazard and risk analysis to validation and periodic testing, to ensure systems remain effective over time.
Sample Functional Safety Architecture for CO₂ Leak Mitigation
| Functional Layer | Safety Function | SIL Target | Standard Reference |
|---|---|---|---|
| Gas Detection System | Continuous monitoring of CO₂ levels with redundant sensors | SIL 2 or 3 | IEC 61508 / IEC 61511 |
| Fire Suppression Interlock | Inhibit CO₂ discharge if human presence is detected (e.g., via occupancy sensors) | SIL 2 | IEC 61508 |
| Automatic Ventilation Control | Trigger forced ventilation to evacuate CO₂ when thresholds are exceeded | SIL 2 | IEC 61511 |
| Zone Access Control (Safety Lockout) | Prevent entry if CO₂ levels are unsafe or if maintenance mode is active | SIL 1–2 | ISO 13849 / IEC 61508 |
| Safety PLC with Safety Instrumented Functions (SIFs) | Coordinate alarms, shutdowns, and isolation commands | SIL 2–3 | IEC 61508 |
| Audible & Visual Alarm System | Alert personnel with escalating urgency and distinct failure tones | SIL 1 | IEC 61511 / ISO 13849 |
| Emergency Shutdown (ESD) Logic | Isolate affected section and activate emergency procedures | SIL 3 | IEC 61511 |
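To make the measures in the list above and the safety functions in the table concrete, here is a simulated scan of the safety-PLC logic they describe: redundant detectors voted 2-out-of-3, a suppression interlock that inhibits CO₂ discharge while anyone is inside, ventilation and access lockout driven by the voted gas level, and an ESD trip at the evacuation threshold. This is an added illustration, not ANAV's or any vendor's logic; the voting scheme, the ppm setpoints and the I/O names are assumptions. Real safety logic would run on a certified PLC in IEC 61131-3 languages; the point here is the fail-safe structure, in particular that losing detection is itself treated as a hazard rather than as "normal".

```python
"""Simulated safety-PLC scan for CO2 leak mitigation (added example).

Not ANAV's or any vendor's code. The 2oo3 voting scheme, the ppm
thresholds and the input/output names below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed alarm setpoints in ppm (illustrative, not a site's actual values)
WARN_PPM = 5_000
EVACUATE_PPM = 30_000


@dataclass
class Inputs:
    co2_ppm: List[Optional[float]]  # redundant detectors; None = sensor fault
    occupancy: bool                 # an occupancy sensor sees personnel
    maintenance_mode: bool          # lockout active on the suppression system
    fire_detected: bool             # fire panel is requesting CO2 discharge


@dataclass
class Outputs:
    alarm_level: str = "none"            # none / warning / evacuate / fault
    co2_discharge_permitted: bool = False
    ventilation_on: bool = False
    access_locked: bool = False
    esd_isolate: bool = False
    detection_degraded: bool = False


def voted_level(readings: List[Optional[float]]) -> Tuple[Optional[float], bool]:
    """Vote over redundant detectors and return (level_ppm, degraded).

    With three or more healthy sensors this is 2oo3: the second-highest
    reading is used, so a single sensor drifting high (or low) can neither
    trip nor mask an alarm on its own. With exactly two healthy sensors it
    degrades to 1oo2 (the higher reading decides, erring towards tripping).
    With fewer than two it returns None and the caller must fail safe.
    """
    healthy = sorted(r for r in readings if r is not None)
    if len(healthy) >= 3:
        return healthy[-2], False
    if len(healthy) == 2:
        return healthy[-1], True
    return None, True


def evaluate(inp: Inputs) -> Outputs:
    """One scan of the safety logic; every output starts in its safe state."""
    out = Outputs()
    level, out.detection_degraded = voted_level(inp.co2_ppm)

    if level is None:
        # Loss of detection is a hazard in itself: ventilate, lock the zone,
        # keep discharge inhibited and raise a fault alarm for maintenance.
        out.alarm_level = "fault"
        out.ventilation_on = True
        out.access_locked = True
        return out

    if level >= EVACUATE_PPM:
        out.alarm_level = "evacuate"
        out.esd_isolate = True          # isolate the section (ESD layer)
    elif level >= WARN_PPM:
        out.alarm_level = "warning"

    gas_unsafe = level >= WARN_PPM
    # Forced ventilation purges the zone whenever the voted level is elevated
    out.ventilation_on = gas_unsafe
    # Nobody enters while gas is elevated, detection is degraded or lockout is active
    out.access_locked = gas_unsafe or out.detection_degraded or inp.maintenance_mode
    # Suppression interlock: discharge only on fire, with nobody inside and no lockout
    out.co2_discharge_permitted = (
        inp.fire_detected and not inp.occupancy and not inp.maintenance_mode
    )
    if inp.fire_detected and not out.co2_discharge_permitted and out.alarm_level == "none":
        out.alarm_level = "warning"     # pre-discharge warning: personnel must leave first
    return out


if __name__ == "__main__":
    # Constructed scenarios, one scan each
    scenarios = {
        "nominal": Inputs([800, 820, 790], False, False, False),
        "one detector faulted high": Inputs([800, 45_000, 790], False, False, False),
        "leak confirmed by two detectors": Inputs([35_000, 33_000, 900], True, False, False),
        "fire with personnel present": Inputs([800, 820, 790], True, False, True),
        "two detectors dead": Inputs([None, None, 800], False, False, False),
    }
    for name, inp in scenarios.items():
        print(f"{name:32s} -> {evaluate(inp)}")
```

Note the asymmetry in the voting: a single detector reading 45,000 ppm does not trip (it may be a faulted sensor), but two faulted detectors do force the safe state, because the logic can no longer prove the zone is clear. That is the behaviour the "Redundant Gas Detection" and "Fail-Safe Fire Suppression Design" items ask for.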
Integration with ISA/IEC-62443 (Cybersecurity Lifecycle)
Functional safety measures must be cybersecure to remain reliable:
- Secure Sensor Networks: Ensure gas detectors and PLCs are protected from spoofing or denial-of-service attacks.
- Access Management: Only authorized personnel should configure or override safety logic.
- Network Segmentation: Safety-critical systems should be isolated via DMZs or unidirectional gateways.
- Secure Configuration Backup & Recovery: In case of failure or breach, configurations can be restored safely.
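The "Secure Sensor Networks" item above is easiest to see in code. The following added example (not from the article or any vendor) shows one way a safety PLC's receiver can authenticate detector frames with an HMAC tag, reject replayed or tampered frames by sequence counter, and, if authentic frames stop arriving (link jammed, flooded, or sensor spoofed with bad tags), report the reading as unavailable so that the safety logic fails towards ventilation and lockout instead of trusting a stale "normal" value. The frame layout, the demo key, the 128-bit truncated tag and the 2-second staleness window are assumptions; in a deployment the per-sensor key would live in a key store or secure element, not in source.

```python
"""Authenticated, replay-resistant detector frames for a safety PLC (added example).

Not the article's or any vendor's protocol. Frame layout, key handling and
timing window are assumptions made for illustration.
"""
import hashlib
import hmac
import struct

DEMO_KEY = b"constructed-demo-key-not-for-production"  # assumption: per-sensor key from a key store
STALE_AFTER_S = 2.0       # assumption: detectors report once per second
PAYLOAD = ">HII"          # sensor id (16-bit), sequence counter (32-bit), ppm (32-bit)
PAYLOAD_LEN = struct.calcsize(PAYLOAD)   # 10 bytes
TAG_LEN = 16              # assumption: HMAC-SHA256 truncated to 128 bits


def build_frame(sensor_id: int, seq: int, ppm: int, key: bytes = DEMO_KEY) -> bytes:
    """What the detector transmits: payload followed by its authentication tag."""
    payload = struct.pack(PAYLOAD, sensor_id, seq, ppm)
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + tag


class SensorReceiver:
    """PLC-side receiver for one detector.

    Accepts a frame only if the tag verifies and the sequence counter is
    strictly increasing; exposes None as the reading once no authentic frame
    has arrived within the staleness window.
    """

    def __init__(self, sensor_id: int, key: bytes = DEMO_KEY, stale_after: float = STALE_AFTER_S):
        self.sensor_id = sensor_id
        self.key = key
        self.stale_after = stale_after
        self.last_seq = -1
        self.last_ok_time = None
        self.last_ppm = None
        self.rejected = 0

    def receive(self, frame: bytes, now: float) -> bool:
        """Validate one frame; returns True if it was accepted."""
        if len(frame) != PAYLOAD_LEN + TAG_LEN:
            self.rejected += 1
            return False
        payload, tag = frame[:PAYLOAD_LEN], frame[PAYLOAD_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            self.rejected += 1
            return False
        sid, seq, ppm = struct.unpack(PAYLOAD, payload)
        if sid != self.sensor_id or seq <= self.last_seq:  # wrong sensor or replay
            self.rejected += 1
            return False
        self.last_seq, self.last_ok_time, self.last_ppm = seq, now, ppm
        return True

    def reading(self, now: float):
        """Current ppm, or None when no authentic frame arrived within the window.

        None maps onto the 'sensor fault' input of the safety logic, so a jammed
        or flooded link drives the zone towards its safe state.
        """
        if self.last_ok_time is None or now - self.last_ok_time > self.stale_after:
            return None
        return self.last_ppm


if __name__ == "__main__":
    rx = SensorReceiver(sensor_id=7)
    genuine = build_frame(7, 1, 800)
    print("genuine accepted:", rx.receive(genuine, now=0.0), "reading:", rx.reading(0.5))

    tampered = bytearray(build_frame(7, 2, 40_000))
    tampered[PAYLOAD_LEN - 1] ^= 0xFF          # flip a ppm byte without re-signing
    print("tampered accepted:", rx.receive(bytes(tampered), now=1.0))
    print("replayed accepted:", rx.receive(genuine, now=1.0))

    # Silence (or a flood of unauthenticated frames) for longer than the window
    print("reading after 4 s of silence:", rx.reading(4.0), "rejected so far:", rx.rejected)
```

Authentication alone does not stop a denial-of-service: an attacker who can flood the link can still starve the receiver of genuine frames. The staleness timer is what turns that into a detectable fault the safety layer can act on, which is why "secure sensor network" and "fail-safe detection" have to be designed together.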
Key Takeaway
Functional safety saves lives — but without cybersecurity, even the most reliable system is vulnerable to manipulation or failure. An integrated approach, where SIL integrity is preserved by secure infrastructure, is crucial in today’s industrial environments.
Source: Link