Technical Information

Hazard and risk assessment of the boiler by the manufacturer in accordance with EN 50156-1

TI049
Version 6 (12/22)

1 General
During the planning stage, a system must be designed in such a way that risks are kept to a minimum from the start. The EN 50156 standard, which builds on the EN 61508 series of standards, is used as the basis for measures to prevent accidents at a boiler system (including optional flue gas heat exchangers, superheaters etc.). This standard sets specifications for the entire life cycle of the boiler. The methodology contained within the standard also analyses situations during the operation of a boiler and evaluates the resulting risks. This analysis results in a definition of the safety measures that are required to minimise risks within the affected system.
When operating the system, the operator must observe the requirements arising from the national and regional guidelines (in Germany: TRB 1115, which fleshes out the requirements of the Ordinance on Industrial Safety and Health). The aim is to permanently ensure the functionality of safety-relevant instrumentation and control (I&C) systems used as a technical safety measure to ensure that an installation, which also includes a system that requires supervision, is used safely. The operator must observe the operating instructions of the installations and maintain the functionality of the safety-relevant I&C systems by arranging for maintenance, inspections and checks to be carried out, taking the relevant manufacturer’s specifications into account.

2 Safety life cycle


To minimise risk systematically, the EN 50156-1 standard uses the model of a safety life cycle as its technical reference framework. This means that all the necessary phases of the safety life cycle must be analysed, so that systemic faults in the design of these phases can be excluded. This ensures that all aspects are taken into consideration and fully documented for assessment. This sets the preconditions for fulfilling all the requirements of the safety-related equipment. The EN 50156-1 standard includes all aspects of a system's safety life cycle, including the concept, design, implementation (construction), installation, commissioning, validation, operation and maintenance, modification/retrofitting and decommissioning.
The safety life cycle therefore involves the responsibility and concern of operating companies, system builders and manufacturers of components.
All companies involved in the process associated with the protective devices (planning, installation, operation, tests and maintenance) must designate a suitably qualified person. This can be done, for example, through a management team for functional safety with documentation of the internal processes and persons in charge.
Note: the hazard and risk assessment in accordance with EN 50156-1 is not to be confused with the assessments stated in the European Directives (e.g. Pressure Equipment Directive: "Analysis of hazards and risks") - see following table:

Hazard and risk assessment

| In accordance with EN 50156-1 | In accordance with European EU regulations and directives |
| --- | --- |
| Coverage provided by the safety life cycle | Coverage only in certain circumstances, i.e. up to the time of bringing into circulation |
| Coverage of all hazards | Coverage only of special hazards (Pressure Equipment Directive: coverage of "pressure-related" hazards) |
| Is the responsibility of the operating company, system builder and manufacturer | Is the responsibility of the manufacturer |

3 Hazard and risk assessment


One phase of the safety life cycle is concerned with the assessment of the hazards and risks that arise from the operation of the system. These assessment methods have the initial aim of detecting possible hazards from accidents within the system. The consequences of an accident are then explicitly described in a risk assessment.
The use of risk graphs is described in the EN 50156-1 standard as a method of hazard and risk assessment. A risk graph captures and evaluates those risk factors that are associated with the function of a system without protective measures. Several risk parameters have an influence on the necessary degree of risk reduction. A distinction has to be made between the following risk parameters:
• Effect of the dangerous incident (C):
– C1 Slight injuries
– C2 Serious lasting injuries for more than one person or death of a person
– C3 Several fatalities
– C4 Many fatalities

• Frequency and duration of exposure to danger (F) (duration of stay in the danger zone):
– F1 Seldom to often
– F2 Frequent to permanent
• Possibility of preventing the dangerous incident (P):
– P1 Possible under certain conditions
– P2 Almost impossible
• Probability of an undesirable occurrence (W):
– W1 Very low probability
– W2 Low probability
– W3 Relatively high probability
Depending on how the risk parameters have been assessed in the graph, the necessary risk reduction emerges as described in the following figure.

[Figure: risk graph for determining the necessary risk reduction]
Legend: a = No special safety requirements; 1, 2, 3, 4 = Safety integrity level (SIL)
Fig. 3-1 Source: DIN EN 50156-1:2016-03

4 Hazard and risk assessment for the customer's specific system


Acting in accordance with the procedure described in EN 50156-1, the operating company determines the required safety integrity level (SIL) for its system (for example by means of a risk graph as above), based on the given outline conditions (installation site, operating method etc.). The required SIL for each safety or protective function should be determined with the assistance of various persons, e.g. process technicians, engineers, work safety experts, system operators, electrical engineers and production management.
The boiler manufacturer must fulfil the required safety integrity level by means of the safety equipment design (protection systems).

4.1 Hazard and risk assessment by the boiler manufacturer


Every boiler manufacturer must have carried out an internal hazard and risk assessment for all of its products.
In addition to the applicable standards (e.g. EN 12953 etc.), this hazard and risk assessment forms the basis for the design of the boiler's safety equipment and for the test intervals that are specified in the operating instructions for testing the safety functions.
This Technical Information offers the system planner / system operator the opportunity to reconcile the general hazard and risk assessment carried out by the boiler manufacturer with the specific system-related hazard and risk assessment carried out by the operating company. If the system-related hazard and risk assessment carried out by the operating company produces a higher safety integrity level than that foreseen in the boiler manufacturer's hazard and risk assessment (see following sections), agreement must be reached with the boiler manufacturer, since the design of the safety equipment has to be brought into line.

4.2 General outline conditions for the hazard and risk assessment by the boiler manufacturer
• Installation site for the boiler: The boiler must only be installed in a room that complies with the local regulations for boiler installation. The outline conditions in Technical Information TI024 apply - "Requirements for the boiler installation room. Notes for the installation of boilers and boiler house components".
• Access to the boiler house is not permitted to unauthorised persons (see TI024). Operation of the boiler and maintenance work on it may only be carried out by qualified personnel (see Operating instructions A002 - "Basic safety information").
• Signals or equipment provided by the builder, which are incorporated into the safety chain, are not taken into consideration.
• Risk parameter C (consequences of a dangerous incident): the consequence of a dangerous incident is assumed to be the death of one person (C2), since the assumption is that it is a locally limited occurrence. If mentioned on the particular protection system, it is possible that persons in the wider vicinity of the boiler may also be adversely affected in certain dangerous incidents (risk of several fatal casualties (C3)).
• Risk parameter F (frequency and duration of the time spent in the danger zone): the boiler is operated for 24 / 72 hours without constant supervision. Staying in the boiler house is only necessary for maintenance purposes. A low level of frequency and duration of exposure to danger (F1) is therefore assumed.
• Risk parameter P: it is assumed that preventing the dangerous incident is almost impossible (P2).
• If further safety equipment is necessary due to special applications, the following lists must be expanded on a specific order basis.
• All equipment that is not listed in the following overviews is classified as operating equipment. It may nevertheless be necessary, due to system-related requirements, for operating equipment to be classified as safety equipment:
  – Example 1: Possible entrainment of water causes a dangerous incident in the system, and consequently a protection system in the form of a high-water monitoring device is required.
  – Example 2: As the boiler system is installed in a water protection area, the oil leak monitoring device must be designed as a protection system.
• The various subchapters must be taken into account, depending on the equipment / boiler heating system. This especially applies to boilers with several heating modes (e.g. a hybrid boiler which is heated with gas and/or liquid fuels, and is also electrically heated).

4.3 Hazard and risk assessment of a steam boiler


Steam boiler

| Function | Protection aim | Protection system classified as |
| --- | --- | --- |
| Pressure limitation (maximum) | Prevention of excessive pressure at the components | SIL 1 (on basis of C3) |
| Water level limitation 1) | Prevention of water shortage in the boiler, accompanied by danger of metal annealing and explosion of pressurised components | SIL 2 (on basis of C3) |
| Ensuring effectiveness of the limiting devices on the manostat tube (safeguarding the opened shut-off valve on the manostat tube) | Prevention of the manostat tube being shut off inadvertently and thereby deactivating the pressure limit (maximum) | SIL 1 (on basis of C3) |

1) In combination with a boiler that is only heated using electricity, the protection aim is to prevent a water shortage in the boiler leading to an uncontrolled escape of steam caused by destruction of a tubular heating element. The protection system is classified as SIL 1 (on basis of C2).

Firing

| Function | Protection aim | Protection system classified as |
| --- | --- | --- |
| Ensuring that flue gases are discharged unimpeded from the firing process to the chimney (by ensuring that the flue gas flap is open) | Prevention of substoichiometric combustion accompanied by formation of explosive and poisonous gases in the combustion chamber or flue gas system. Prevention of flash fires due to ignition of flammable constituents in the flue gas system. | SIL 2 |
| Ensuring there is sufficient supply of combustion air for firing | Prevention of substoichiometric combustion accompanied by formation of explosive and poisonous gases in the combustion chamber or flue gas system. Prevention of flash fires due to ignition of flammable constituents in the flue gas system. | SIL 2 |
| Safe combustion | Covers all the protection aims stated in the EN 267 (oil burner) and EN 676 (gas burner) standards for burners, for example: removal of any ignitable mixture in the combustion chamber and flue gas system prior to firing; prevention of flash fires due to ignition of flammable constituents; prevention of substoichiometric combustion accompanied by formation of explosive and poisonous gases in the combustion chamber or flue gas system; prevention of heated pressure equipment overload. | SIL 2 |

Heating of the boiler via waste heat gas

| Function | Protection aim | Protection system classified as |
| --- | --- | --- |
| Fail-safe shutdown of heating (due to heat recovery gases) after the boiler safety chain has responded. | Preventing the smoke tube pass from emerging above the surface of the water and risk of damage to the smoke tube (caused by evaporation of the water content accompanied by risk of damage to built-on accessories and escape of steam to the surroundings). | SIL 1 |
| Removal of any combustible mixture in the combustion chamber and flue gas system prior to heating. | Prevention of flash fires due to ignition of flammable constituents in the combustion chamber and flue gas system prior to heating. | SIL 1 |
| Ensuring that flue gases are discharged unimpeded from the firing process to the chimney (by ensuring that the flue gas flap is open). | Prevention of flash fires due to ignition of flammable constituents in the flue gas system. Prevention of excessive flue gas pressure in the built-on accessories used for routing the flue gas. | SIL 1 |

Heating the boiler with electrical energy

| Function | Protection aim | Protection system classified as |
| --- | --- | --- |
| Temperature limiting | Prevention of overheating of the heating bundle due to deposits or water shortage leading to destruction of the heating bundle: avoidance of uncontrolled escape of steam from tubular heating elements that have been damaged beyond repair. | SIL 1 |
| Failsafe shutdown of heating (electric heating bundle) after boiler safety chain and/or safety chain in the power cabinet responds | Preventing hot fire-tube passes and electric auxiliary heating in the boiler from emerging above the surface of the water due to evaporation: avoidance of uncontrolled escape of steam via tubular heating elements that have been damaged beyond repair. | SIL 1 |

Boiler components (e.g. flue gas heat exchanger, superheater, etc.)

| Function | Protection aim | Protection system classified as |
| --- | --- | --- |
| Temperature limiting 2) | Prevention of overheating of components and downstream units. | SIL 1 |
| Pressure limitation | Prevention of excessive pressure at the components. | SIL 1 |

2) Only in the case of superheaters and flue gas heat exchangers with flue gas condensation
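
The comparison described in sections 4.1 and 4.2, as an added example that is not part of the manufacturer's document: the operator's required SIL per function is checked against the SIL foreseen in the steam boiler tables of section 4.3, including footnote 1 and the rule for equipment missing from the overviews. The short function labels, the heating-mode keys, the finding texts and the sample operator assessment are assumptions constructed here.

```python
# Added example. SIL values are transcribed from the steam boiler tables in
# section 4.3; the short labels and mode keys are names chosen for this sketch.
BASELINE = {
    "boiler": {"pressure limitation (maximum)": 1,
               "water level limitation": 2,
               "manostat shut-off valve safeguard": 1},
    "firing": {"firing: flue gas discharge": 2,
               "firing: combustion air supply": 2,
               "firing: safe combustion": 2},
    "waste_heat": {"waste heat: fail-safe shutdown": 1,
                   "waste heat: purge before heating": 1,
                   "waste heat: flue gas discharge": 1},
    "electric": {"electric: temperature limiting": 1,
                 "electric: fail-safe shutdown": 1},
}

def manufacturer_baseline(heating_modes):
    """Merge the 'boiler' table with the table of every heating mode in use."""
    modes = set(heating_modes)
    unknown = modes - (BASELINE.keys() - {"boiler"})
    if not modes or unknown:
        raise ValueError(f"missing or unknown heating modes: {sorted(unknown)}")
    merged = dict(BASELINE["boiler"])
    for mode in modes:
        merged.update(BASELINE[mode])
    if modes == {"electric"}:
        merged["water level limitation"] = 1  # footnote 1: SIL 1 on basis of C2
    return merged

def parse_sil(value):
    """Risk graph result: 'a' (no special safety requirements) or SIL 1 to 4."""
    if value == "a":
        return 0
    if isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 4:
        return value
    raise ValueError(f"not a risk graph result: {value!r}")

def review(operator_assessment, heating_modes):
    """Compare the operator's required SIL per function with the baseline."""
    baseline, findings = manufacturer_baseline(heating_modes), {}
    for function, required in operator_assessment.items():
        required_sil = parse_sil(required)
        foreseen = baseline.get(function)
        if foreseen is None:  # not in the manufacturer's overviews (section 4.2)
            findings[function] = ("extend list on order basis" if required_sil
                                  else "operating equipment")
        elif required_sil > foreseen:  # section 4.1: higher SIL than foreseen
            findings[function] = "agreement with manufacturer required"
        else:
            findings[function] = "covered by manufacturer assessment"
    return findings

# Constructed operator assessment for a fuel-fired steam boiler (sample data).
SAMPLE = {"water level limitation": 3, "pressure limitation (maximum)": 1,
          "firing: safe combustion": 2, "high-water monitoring": 1,
          "oil leak monitoring": "a"}

if __name__ == "__main__":
    for function, finding in review(SAMPLE, ["firing"]).items():
        print(f"{function:32} {finding}")
```

For a hybrid boiler, pass every heating mode in use (for example `["firing", "electric"]`); footnote 1 is applied only when electricity is the sole heating mode.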

4.4 Hazard and risk assessment of a hot water boiler


Hot water boilers

| Function | Protection aim | Protection system classified as |
| --- | --- | --- |
| Pressure limiting (maximum) | Prevention of excessive pressure on the components. | SIL 1 (on basis of C3) |
| Pressure limiting (minimum) | Prevention of vapour deposition at the highest point of the system with the consequent danger of explosion of components and an escape of steam. | SIL 1 |
| Water level limiting | Prevention of water shortage in the boiler with the consequent danger of metal annealing and explosion of pressurised components. | SIL 1 (on basis of C3) |
| Temperature limiting | Prevention of overheating of components and downstream units | SIL 1 |
| Flow rate monitoring | Prevention of unintentional steam generation or evaporation in the boiler, as well as preventing the permitted wall temperature being exceeded. | SIL 1 (on basis of C3) |
| Ensuring that the limiting devices on the manostat tube are effective (safeguarding the opened shut-off valve on the manostat tube) | Prevention of the manostat tube being shut off inadvertently and thereby deactivating the pressure limits (maximum and minimum). | SIL 1 (on basis of C3) |

Firing

| Function | Protection aim | Protection system classified as |
| --- | --- | --- |
| Ensuring that flue gases are discharged unimpeded from the firing process to the chimney (by ensuring that the flue gas flap is open) | Prevention of substoichiometric combustion accompanied by formation of explosive and poisonous gases in the combustion chamber or flue gas system. Prevention of flash fires due to ignition of flammable constituents in the flue gas system. | SIL 2 |
| Ensuring there is sufficient supply of combustion air for firing | Prevention of substoichiometric combustion accompanied by formation of explosive and poisonous gases in the combustion chamber or flue gas system. Prevention of flash fires due to ignition of flammable constituents in the flue gas system. | SIL 2 |
| Safe combustion | Covers all the protection aims stated in the EN 267 (oil burner) and EN 676 (gas burner) standards for burners, for example: removal of any ignitable mixture in the combustion chamber and flue gas system prior to firing; prevention of flash fires due to ignition of flammable constituents; prevention of substoichiometric combustion accompanied by formation of explosive and poisonous gases in the combustion chamber or flue gas system; prevention of heated pressure equipment overload. | SIL 2 |

Heating of the boiler via waste heat gas

| Function | Protection aim | Protection system classified as |
| --- | --- | --- |
| Fail-safe shutdown of heating (due to heat recovery gases) after the boiler safety chain has responded. | Preventing the smoke tube pass from emerging above the surface of the water and risk of damage to the smoke tube (caused by evaporation of the water content accompanied by risk of damage to built-on accessories and escape of steam to the surroundings). | SIL 1 |
| Removal of any combustible mixture in the combustion chamber and flue gas system prior to heating. | Prevention of flash fires due to ignition of flammable constituents in the combustion chamber and flue gas system prior to heating. | SIL 1 |
| Ensuring that flue gases are discharged unimpeded from the firing process to the chimney (by ensuring that the flue gas flap is open). | Prevention of flash fires due to ignition of flammable constituents in the flue gas system. Prevention of excessive flue gas pressure in the built-on accessories used for routing the flue gas. | SIL 1 |

Heating the boiler with electrical energy

| Function | Protection aim | Protection system classified as |
| --- | --- | --- |
| Temperature limiting | Prevention of overheating of the heating bundle due to deposits or water shortage leading to destruction of the heating bundle: avoidance of uncontrolled escape of steam from tubular heating elements that have been damaged beyond repair. | SIL 1 |
| Failsafe shutdown of heating (electric heating bundle) after boiler safety chain and/or safety chain in the power cabinet responds | Preventing hot fire-tube passes and electric auxiliary heating in the boiler from emerging above the surface of the water due to evaporation: avoidance of uncontrolled escape of steam via tubular heating elements that have been damaged beyond repair. | SIL 1 |

Boiler components (e.g. flue gas heat exchanger)

| Function | Protection aim | Protection system classified as |
| --- | --- | --- |
| Temperature limiting | Prevention of overheating of components and downstream units. | SIL 1 |
| Pressure limitation | Prevention of excessive pressure at the components. | SIL 1 |
