The definition of functional reads, “to contribute to the development or maintenance of a larger whole,” while the definition of safety states, “the condition of being safe from undergoing or causing hurt, injury, or loss.” Taken together, these words present functional safety as the development and preservation of a safe product.

With respect to boiler assemblies, functional safety relates to all functions, including control, protection, and monitoring, intended to reduce the risk of fire, electric shock, or injury to persons.

Boiler safety evaluation

Functional safety evaluations cover the system of control for a boiler, including programmable electronics (e.g., hardware and embedded software) and components with hardware-implemented functions only.

Note: Software may be the embedded instructions that reside in a programmable component and perform some of the functions of the boiler assembly. Software can be application-specific, e.g., the software is limited to a specific, dedicated, designated use, or the software may include operating systems, support tools, firmware, and/or application systems.

Functional safety investigations often include the following elements:

• A review of the engineering documentation produced during the development, operation, and maintenance of the product or system;

• Risk analysis, including hazard-based safety engineering (HBSE) analysis; and

• Safety life cycle management.

Boiler control system evaluation

In general, there are two overall approaches for evaluating the functional safety of a control system:

Deterministic — In this approach, a single component fault must not render the system “out of control,” i.e., the control must still perform its safety function with that fault present. This approach is found in the IEC/UL 60730 series of automatic electric controls standards, and this methodology of component/control certification is specified in codes and standards such as ASME CSD-1.

Historically, the intent has been to cover faults by requiring two levels of protection wherever an explosion risk is present, as in gas-fired and steam-generating systems. The typical “push and turn” requirement for household gas range ignition is a mechanical expression of this concept. In the UL 60730 series of standards, this is accomplished by considering two independent faults, and such a function is defined as a Class C control function. For safety functions whose failure presents a less significant direct hazard, e.g., motor over-temperature, the hazard can be adequately addressed by considering a single fault, which is defined as a Class B control function.

Where the control function is not relied upon to prevent a hazard arising from an abnormal situation within the appliance, the standard does not require protection against its failure; without such fault tolerance, these operating controls are defined as having a Class A control function. This approach provides a straightforward path for investigating specific known faults, using the bounds of explicit failure modes defined by decades of experience from the residential, commercial, and industrial controls technical committees.

Probabilistic — In this approach, a safety function is permitted a specified target probability of dangerous failure, e.g., no more than a given number of failures per million hours of operation. This approach is associated with the safety integrity levels (SIL) found in the IEC 61508 series of electrical/electronic/programmable electronic safety-related system standards. This methodology of component/control certification is specified in codes and standards such as National Fire Protection Association (NFPA) 85.

With respect to IEC 61508, SIL is a discrete level from one to four, each corresponding to a range of safety integrity values; in the typical residential/commercial/industrial space, the practical upper bound is SIL 3. The maximum SIL that can be claimed for a system design in safety-related applications is limited by its architectural constraints and its systematic safety integrity, and corresponds to one of these values. Accordingly, SIL capability 3 is the highest level of safety integrity for the target equipment and SIL capability 1 the lowest. Certification of a safety function to a given SIL capability will, in addition to systematic safety integrity and architectural constraints, include its target failure measure: the average probability of dangerous failure on demand (PFD) for low-demand functions, or the average frequency of dangerous failure per hour (PFH) for high-demand or continuous functions.

This approach is less contingent on specific technologies and is more readily adaptable to new and unique solutions. Techniques such as hazard and operability (HAZOP) and layer of protection analysis (LOPA) can be applied to innovative technologies, offering a level of safety that is independent of field history and particular designs.
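As an added worked example (not part of the original article or of UL's own tooling), the following Python shows how the probabilistic approach is actually applied: a layer of protection analysis (LOPA) derives the risk reduction an added safety instrumented function must provide for a boiler overpressure scenario, that required PFD is mapped to the IEC 61508-1 SIL bands, and two candidate trip architectures (1oo1 and 1oo2) are checked against it using the simplified PFDavg expressions from IEC 61508-6 (diagnostics and repair time neglected). Every event frequency, IPL credit, failure rate, and the 8760 h proof-test interval is a constructed illustrative value, not data from any standard or real installation.

```python
"""
Worked SIL determination by LOPA and check of candidate SIF architectures.
All frequencies, PFD credits and failure rates are constructed illustrative values.
"""
from dataclasses import dataclass
from typing import List, Optional

# IEC 61508-1 target failure measures per SIL: (SIL, lower bound inclusive, upper bound exclusive).
# Low-demand mode uses average probability of dangerous failure on demand (PFDavg);
# high-demand/continuous mode uses average frequency of dangerous failure per hour (PFH).
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


def sil_for(value: float, bands) -> Optional[int]:
    """Map a PFDavg or PFH value to its SIL band; None if outside SIL 1 to 4."""
    for sil, lo, hi in bands:
        if lo <= value < hi:
            return sil
    return None


@dataclass
class Layer:
    """An independent protection layer (IPL) with its LOPA credit."""
    name: str
    pfd: float  # probability the layer fails to stop the event on demand


@dataclass
class Scenario:
    description: str
    initiating_frequency: float  # initiating events per year
    tolerable_frequency: float   # tolerable hazardous-outcome frequency per year
    layers: List[Layer]

    def mitigated_frequency(self) -> float:
        """Event frequency remaining after every existing IPL has had its chance to act."""
        f = self.initiating_frequency
        for layer in self.layers:
            f *= layer.pfd
        return f

    def required_pfd(self) -> float:
        """PFDavg the added SIF must achieve to bring the scenario down to the target."""
        return self.tolerable_frequency / self.mitigated_frequency()

    def required_sil(self) -> int:
        """SIL the added SIF must be certified to; 0 if the existing layers already suffice."""
        pfd = self.required_pfd()
        if pfd >= 1e-1:
            return 0
        sil = sil_for(pfd, PFD_BANDS)
        if sil is None:
            raise ValueError("required risk reduction exceeds SIL 4; redesign the process instead")
        return sil


def pfd_1oo1(lambda_du: float, t_proof: float) -> float:
    """Single channel: lambda_du dangerous undetected failures/h, proof-test interval in hours."""
    return lambda_du * t_proof / 2


def pfd_1oo2(lambda_du: float, t_proof: float, beta: float) -> float:
    """Two redundant channels; beta is the common-cause (beta-factor) fraction of lambda_du."""
    lt = lambda_du * t_proof
    return lt ** 2 / 3 + beta * lt / 2


def meets_target(architecture_pfd: float, scenario: Scenario) -> bool:
    """A candidate SIF is acceptable only if its PFDavg is at or below the LOPA requirement."""
    return architecture_pfd <= scenario.required_pfd()


# Constructed boiler scenario: fuel control valve fails open, leading to drum overpressure.
BOILER_SCENARIO = Scenario(
    description="fuel control valve fails open; overpressure of the steam drum",
    initiating_frequency=0.5,   # per year (constructed)
    tolerable_frequency=1e-6,   # per year (constructed corporate risk target)
    layers=[
        Layer("operator response to high-pressure alarm", 0.1),   # typical LOPA credit (constructed)
        Layer("pressure relief valve", 0.01),                     # constructed credit
    ],
)


def evaluate_candidates(lambda_du: float = 1e-6, t_proof: float = 8760.0, beta: float = 0.05) -> dict:
    """Compare a single-channel and a redundant high-pressure trip against the scenario."""
    results = {"required_sil": BOILER_SCENARIO.required_sil(),
               "required_pfd": BOILER_SCENARIO.required_pfd()}
    for name, pfd in (("1oo1", pfd_1oo1(lambda_du, t_proof)),
                      ("1oo2", pfd_1oo2(lambda_du, t_proof, beta))):
        results[name] = {"pfd": pfd,
                         "achieved_sil": sil_for(pfd, PFD_BANDS),
                         "acceptable": meets_target(pfd, BOILER_SCENARIO)}
    return results


if __name__ == "__main__":
    for key, value in evaluate_candidates().items():
        print(key, value)
```

With these constructed numbers the existing layers leave 5e-4 events per year, so the added trip must reach a PFDavg of about 2e-3, which lies in the SIL 2 band. The single-channel trip with an annual proof test sits at 4.38e-3 (SIL 2 band, but short of the required value), while the 1oo2 arrangement reaches about 2.4e-4 and passes; note that the common-cause term dominates the redundant result, which is why beta-factor justification, not just duplicated hardware, decides the claim. Architectural constraints (hardware fault tolerance) and systematic capability would still have to be demonstrated separately before the SIL could be certified.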

Functional Safety for Boilers

Functional safety addresses these concerns by using the well-defined methodologies of both approaches. The deterministic approach builds on known experience and careful analysis of new technologies to develop updated requirements and solutions. Probabilistic analyses offer a unique ability to quantify the results of such analyses against industry-accepted targets that can be applied across many applications.

The probabilistic and deterministic evaluation processes are not directly interchangeable; however, each has its benefits and its place in the market in terms of how hazards can be addressed, and in the coming years it will be critical to ensure that these diverse but related approaches are both addressed in clear and consistent ways. Both approaches have been used for many decades across the globe. The origin of boiler codes and standards is generally reactive: when incidents occurred, it was deemed necessary to establish a basic, minimum level of safety to ensure those failures would not be repeated.

Boiler Testing Services

Historically, boilers were intentionally engineered well beyond any expected usage to prevent failures; over time, this became impractical, and methods to streamline designs for large-scale applications were necessary. This led to a race to achieve the most efficient and cost-effective solutions.

UL offers expertise in both deterministic and probabilistic methods and can provide advisory and certification services for deterministic, class-based functional safety and/or for SIL or SIF/PL evaluations as a single-source solution.