On July 28, 1998, a carbon dioxide (CO2 ) fire extinguishing system unexpectedly discharged as workers were performing maintenance activities in an electrical support facility at the Idaho National Engineering and Environmental Laboratory (INEEL) Test Reactor Area. Fifteen employees subsequently were exposed to high concentrations of CO2, resulting in one fatality and several serious injuries. An August 1998 Safety and Health Bulletin (Issue 98-1) addressing this incident called for evaluating CO2 system site policies and procedures to ensure workers are protected from the acute effects of agent discharge into the protected space.

The Department of Energy (DOE) has approximately 130 CO2 extinguishing systems throughout the complex protecting gloveboxes, computer rooms, electronics, and other process areas. Provisions for evaluating personnel safety in areas protected by these systems can be found in Section A-1-5 of National Fire Protection Association (NFPA) Standard 12, “Carbon Dioxide Extinguishing Systems,” as well as the OSHA Standards concerned with fixed extinguishing systems (29 CFR 1910.160 and 29 CFR 1910.162). This bulletin provides additional guidance on critical design and operational considerations relating to CO2 systems based on the lessons learned from the September 1998 INEEL Accident Investigation report.

Background
Carbon dioxide under normal conditions is a colorless, odorless, electrically nonconductive gas that is approximately 1.5 times heavier than air. It is well suited for fire extinguishment in that it can easily penetrate the fire plume, will not disturb live electrical components, is noncorrosive, and leaves no agent residue to clean up. CO2 is readily available and imposes minimal environmental impact when compared to other gaseous extinguishing agents such as Halon 1301.

The mechanism for CO2 extinguishment is by either oxygen displacement or vapor phase reduction to the point where combustion stops. Extinguishing systems consist of liquefied gas at either a high (850 psi) or low (300 psi) pressure, distribution piping, nozzles, and system actuators engineered to provide between 30 to 60 percent concentration to the protected area. Such concentration also will suppress the oxidation reaction in the human body, causing occupants to lose consciousness in a matter of seconds. An actuating CO2 system also will produce low temperatures (about -110oF) at discharge nozzles, causing the formation of very fine dry ice particles and ice crystals that completely will obstruct vision. For these reasons, it is extremely important that personnel protection be considered in their design and operation.

System Design Considerations
NFPA 12 provides minimum requirements for designing, installing, testing, inspecting, operating and maintaining carbon dioxide fire extinguishing systems. These systems are arranged in four categories: total flooding, local application, hand hose line, and standpipe/mobile supply systems. Due to the asphyxiation hazard associated with total flooding systems, and to a lesser degree with local application systems, NFPA 12 prescribes a series of safeguards for such systems including predischarge alarm warnings, system lockout requirements, alarm signal transmission upon system operation, and supervision of automatic system components. It also references NFPA 72, “The National Fire Alarm Code” as a means to impose requirements upon alarm systems when they are used as the actuation means for CO2 systems. The most significant among these requirements are discussed in detail below.

Predischarge Warning
Section 5-1.4 of NFPA 12 requires a predischarge warning of sufficient duration to allow for evacuation under a “worse case” condition, except under certain circumstances involved with manual actuation. The specifics for achieving a predischarge warning are not clear in the standard, and such warnings may be initiated in several ways. At the time of the accident, a software-based predischarge warning was in place but failed to operate. Additionally, a supplemental mechanical (pneumatic) discharge delay device was available that functioned properly when tested; but, because a releasing cylinder pressure switch was not installed, the notification of system operation was not processed at the control panel prior to agent discharge.

The INEEL Accident Investigation Board determined that an electrical power transient caused sufficient disturbance to the releasing solenoids, tripping the CO2 system without first initiating the software-based predischarge warning. The control panel’s manufacturer confirmed that any microprocessor, if sufficiently disturbed by power transients or nearby electromagnetic fields, can possibly change its program execution, making it possible to send erroneous instructions to directly actuate output or releasing circuits. Because of this, it is not recommended that sites consider software-based predischarge warning as a viable warning method in microprocessor fire alarm panels. Instead, a mechanical predischarge device is recommended along with the installation of a releasing cylinder operational pressure switch and pneumatically operated horns to actuate alarms and signal response organizations. This equipment should be attached directly to the CO2 piping manifold, between releasing and support cylinders.

Alarm Signal Transmission
Both NFPA 12 and NFPA 72 (in Sections 1-7.5.2 and 3-8.8.1, respectively) require alarm signal transmission upon the operation of the automatic fire suppression system. These requirements are primarily intended to ensure timely emergency response, but serve as well to ensure, in the case of a CO2 system, that a discharged system is appropriately serviced (e.g., reset, tested, or recharged). At the time of the accident, no alarms were actuated at the control unit or within the protected space to indicate that the system had been or was in the process of discharging. The INEEL Accident Investigation Board determined that, had a operational indicator (pressure switch) been installed in a specific location on the releasing system manifold, alarm notification would have occurred with the operation of a supplemental discharge delay device.

It should be noted that these provisions apply equally to other systems actuated by a releasing service panel, such as Halon 1301. These systems are usually not considered hazardous to workers since the concentration of the released extinguishing agent is not high enough to present an acute health risk. However, system operability should be assured through the use of an appropriate operational indicator such as a flow or pressure switch.

Operational Considerations
The application of Integrated Safety Management (ISM) principles is essential to ensure worker safety when it becomes necessary to have employees within CO2 protected areas. A thorough review of the hazards associated with all credible scenarios must be performed. After identification of these hazards, appropriate safeguards must be established and maintained. Lastly, the established safety practices and procedures should be reviewed periodically, and revised if necessary, to assure their completeness, relevancy, and effectiveness. Some considerations specific to the application of ISM principles to work within CO2 protected areas are discussed below.

Employee Awareness
NFPA 12, Section 1-5.1.2, requires appropriate warning signs to be posted in CO2 protected areas. Additionally, employees who are likely to enter such areas should receive a basic level of instruction into the operating principles of the system to include alarms and related hazards, as well as evacuation procedures. Consideration should also be given to 5-minute “escape packs” to personnel entering areas protected by total flooding systems.

System Maintenance and Testing Requirements
CO2 systems containing electronic detection, actuation and control features should have these features tested and maintained according to the test methods prescribed in Table 7-2.2 of NFPA 72. Although the documented test results for this system indicated that all NFPA required testing was satisfactorily performed, the testing failed to isolate the electronic malfunction causing the actuation of the CO2 releasing circuit. This accident reveals that successful testing of completed systems does not by itself ensure adequate safety for exposed workers.

System Lockout Requirements
Section 1-5.1.7 of NFPA 12 requires a lock-out of CO2 systems when persons not familiar with the systems and their operation are present in a protected space. This section also requires that while the system is locked out, a fire watch with appropriate knowledge and equipment must be assigned to the area. The term, “lock-out”, is not defined within the standard, but is generally understood to mean the physical disconnection of system actuators, both manual and automatic, such that agent cannot flow into the protected space. As evidenced by the accident, software based system lock-outs cannot be relied upon to replace a physical lockout of system components. It is therefore recommended that sites not use a computer-based software disconnect to disengage CO2 system releasing circuits under any circumstances where a lockout or circuit disconnect is required.

Physically locking out a system can be achieved one of two ways, by either providing a supervised control valve downstream of the piping manifold, or by removing all sources that may cause the system to actuate and supervising the releasing circuits by either electronic or administrative means. Sites may choose either method based on existing configurations and/or lockout frequency. At a minimum, it is recommended that CO2 releasing cylinders be disconnected from the discharge heads provided that manual release features are not available at support cylinders.

Administrative procedures used to perform the lockout should be verified for either method used. Procedures for removing system actuators should include preinspection, tagging, notification, and postinspection activities. Extreme care should also be taken when using this method since improper handling could result in either an inadvertent actuation or elimination of the suppression system capabilities. If a supervised control valve is used, its listing and pressure limitations, as well as the system’s overpressure and venting capabilities should be verified. Administrative procedures for this lockout method should also address tagging and notification, service restoration, and response activities to an inadvertent discharge when the valve is engaged.

In addition to locking out the system at times specifically prescribed by the standard, lockout should be considered during system maintenance and testing purposes, or in conjunction with other activities that may adversely impact system operation, such as electrical system maintenance or alteration of the boundaries of the protected area. For example, simply removing a computer room raised floor tile, which is protected underneath by a CO2 system, could cause inadvertent system actuation due to airflow changes or dust infiltration. It is important to note that the inadvertent system actuation in the INEEL incident occurred during maintenance of the building’s electrical system, not during maintenance of the of CO2 system itself.

Emergency Response Planning
Fire department pre-plan should, at a minimum, identify specific site locations that are protected by total flooding systems. Planning should address the possibility that occupants could be overcome and need medical attention. Additionally, any unusual conditions that could adversely affect emergency response, such as complex room geometries, should be considered. Walkthroughs of CO2 protected areas should be a feature of fire department familiarization tours. Where no site fire department exists, offsite emergency service organizations should be encouraged to visit the facilities on a routine basis in order to be better prepared in the event of need.

Conclusion
Although CO2 systems are widely and effectively used for fire suppression, the design and operation of such systems, particularly those of the total flooding and local application variety, must be intensely managed to ensure that worker safety and continued system effectiveness are guaranteed. Minimal compliance with code requirements in this area, however, is not enough to ensure success. Only an enhanced awareness of the hazards inherent to these systems, coupled with management attention to detail in their design, operation, maintenance and testing will help to ensure the safety and effectiveness of these systems. In many instances, this may necessitate upgrades to address identified system or operational deficiencies. In other cases, the cost of these upgrades may lead to the removal and replacement of these systems with equivalent, yet safer fire suppression alternatives.

Contact
For additional information or clarification on the contents of this Bulletin, contact:

Jim Bisker, P.E.
US Department of Energy
Office of Occupational Safety and Health Policy
270CC Building
19901 Germantown Road
Germantown, MD 20874-1290

Phone: 301-903-6542
Fax: 301-903-2239
E-Mail: jim.bisker@hq.doe.gov

This Safety & Health Bulletin is one in a series of publications issued by EH to share worker health and safety information throughout the DOE complex. To be added to the Distribution List or to obtain copies of the publication, call 1-800-473-4375 or (301) 903-0449.