PLC Failure Analysis of a Marine Boiler (Sample Assignment)



A traditional marine boiler uses a relay-contactor control system. The control process needs many mechanical contacts, the wiring is complex, faults are hard to diagnose and clear, and reliability is low. Once a fault occurs it affects the marine power plant and delays the voyage, causing economic losses. Even after a series of optimizations by manufacturers, the low-reliability problem remains difficult to solve.

A PLC offers many advantages that relays lack: fast response, convenient communication, reliability, redundancy, security, and easy editing of the control logic. This design uses a PLC to control boiler water level, steam pressure, combustion, water quality, excess-steam release and the alarm system, which improves the reliability of the boiler control system and keeps the marine power plant in normal operation.

This case study covers the root causes of a PLC-related boiler failure, followed by the hazard analysis techniques that would prevent such an incident in future.


The core of the boiler automatic control system is the PLC. All sensor data enter through the PLC input channels. The PLC controls boiler water level, steam pressure, water quality, combustion and alarms according to predetermined procedures, automatically starting, stopping and switching the feed-water and oil pumps to keep the boiler in normal operation. When a boiler parameter exceeds its set value the system raises an audible and visual alarm. If the steam pressure is high but the boiler has not shut down automatically, the steam-pressure-high alarm sounds first; then the steam-pressure-extra-high alarm forces a shutdown, the excess-steam release device opens automatically to release steam to the condenser, and the alarm sounds continuously. For safety the system also includes an emergency stop button, so that a one-key stop works at any time.
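The steam-pressure alarm and trip cascade just described, modelled as a latched state machine. This is an added example for this write-up, not code from the boiler system or from the cited references; the setpoints (in bar), the hysteresis band and the field names are assumptions chosen for illustration. Two points matter for safety: a trip latches until an operator reset, and the high alarm has hysteresis so it cannot chatter around the setpoint.

```python
"""Steam-pressure alarm and trip cascade, modelled as a latched state machine.
Added example for this write-up; setpoints, hysteresis and names are assumed."""
from dataclasses import dataclass

# Assumed setpoints in bar (gauge); a real installation takes these from design data.
P_HIGH = 7.0          # steam pressure high: audible and visual alarm only
P_EXTRA_HIGH = 7.5    # steam pressure extra high: forced shutdown plus steam release
HYSTERESIS = 0.2      # the high alarm clears only this far below P_HIGH, so it cannot chatter


@dataclass
class BoilerState:
    burner_permitted: bool = True     # False once tripped, until an operator reset
    release_valve_open: bool = False  # excess-steam release to the condenser
    alarm_high: bool = False          # steam pressure high (warning)
    alarm_continuous: bool = False    # continuous alarm that accompanies a trip
    tripped: bool = False             # latched: cleared only by reset()
    trip_reason: str = ""


class SteamPressureGuard:
    """One scan of the PLC alarm/trip logic per call to update()."""

    def __init__(self) -> None:
        self.state = BoilerState()

    def update(self, pressure_bar: float, emergency_stop: bool = False) -> BoilerState:
        s = self.state
        # 1. The emergency stop button overrides everything, at any time.
        if emergency_stop:
            self._trip("emergency stop pressed")
        # 2. Extra-high pressure forces a shutdown and opens the release device.
        elif pressure_bar >= P_EXTRA_HIGH:
            self._trip(f"steam pressure extra high ({pressure_bar:.2f} bar)")
            s.release_valve_open = True
        # 3. High pressure is a warning; hysteresis stops the alarm from chattering.
        if pressure_bar >= P_HIGH:
            s.alarm_high = True
        elif pressure_bar < P_HIGH - HYSTERESIS:
            s.alarm_high = False
        # 4. The release device closes only once pressure is clearly below the high setpoint.
        if s.release_valve_open and pressure_bar < P_HIGH - HYSTERESIS:
            s.release_valve_open = False
        return s

    def _trip(self, reason: str) -> None:
        s = self.state
        if not s.tripped:              # keep the first cause, not the latest
            s.tripped = True
            s.trip_reason = reason
        s.burner_permitted = False
        s.alarm_continuous = True

    def reset(self, pressure_bar: float) -> bool:
        """Operator reset: refused while the initiating condition still exists."""
        s = self.state
        if pressure_bar >= P_HIGH:
            return False
        s.tripped = False
        s.alarm_continuous = False
        s.trip_reason = ""
        s.burner_permitted = True       # permission to restart, not an automatic restart
        return True


def run_scenario(pressures, estop_at=None):
    """Feed a pressure trace through the guard; returns the guard and a per-scan log
    of (pressure, alarm_high, tripped, release_valve_open, burner_permitted)."""
    guard = SteamPressureGuard()
    log = []
    for i, p in enumerate(pressures):
        s = guard.update(p, emergency_stop=(i == estop_at))
        log.append((p, s.alarm_high, s.tripped, s.release_valve_open, s.burner_permitted))
    return guard, log


if __name__ == "__main__":
    # constructed pressure trace: normal, high, extra high, then recovering
    guard, log = run_scenario([6.5, 7.1, 7.6, 7.0, 6.5])
    for row in log:
        print(row)
    print("reset accepted:", guard.reset(6.5), "| state:", guard.state)
```

In the constructed trace the high alarm clears once pressure falls back to 6.5 bar, but the trip, the continuous alarm and the burner inhibit remain latched until `reset()` is called with the pressure below the high setpoint; a reset attempted at 7.2 bar is refused.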


The boiler automatic control system comprises the PLC control module, the boiler water level control module, the steam pressure control module, the combustion control module, the water quality monitoring module, the excess-steam monitoring and release module, the centralized alarm module and the visual operation module.


Figure 1 Automatic control system diagram


The boiler supplied steam as one of the primary utilities for the plant. The low-NOx burner system consisted of primary burners coupled with natural-gas-fired igniter burners. The primary air stream to the burners was substoichiometric, so a secondary air feed was required for stable combustion.

A natural-gas-fired igniter was mounted adjacent to each burner. Each igniter had a natural gas feed and an igniter primary air feed. The igniter gas/air stream was itself substoichiometric and relied on the additional air from the wind box to reach stoichiometric combustion.

A constant-speed forced draft (FD) fan supplied the additional air stream. Exhaust gases left the furnace through the boiler penthouse before entering the pollution control equipment, drawn through it by a constant-speed induced draft (ID) fan. The FD and ID dampers controlled the rate of airflow through each fan, and the ID fan discharge exited through the stack.


The control system consisted of several interacting components and subsystems coordinated to control the boiler. The devices communicated through hard-wired signals and network communications, and the operator interacted with them through a human-machine interface (HMI).

Four systems worked together: the burner management system (BMS), the combustion control system (CCS), the HMI and the plant information (PI) system. The BMS and CCS were programmable logic controller (PLC) systems with physical connections to the sensors and actuators, known as field elements. The PI system was an electronic data recording system with a historian function.

Through sensors, actuators and interlocks, the BMS PLCs drove the field actuators (e.g., valve positions, feeders and mills) according to the permissives defined by the logic in the PLC program. The BMS provided the standard safety functions typically applied to boiler systems.

The CCS was a typical PLC consisting of several subsystems: a main processor, flexible I/O modules, power supplies and networking cards. As with the BMS, the I/O modules let the PLC ascertain the state of the boiler by reading sensor values, and let it drive the actuators by changing its outputs. As is typical with PLCs, a key switch on the main processor in the CCS cabinet selected one of three states: run (the PLC executes the programmed logic), remote (the state is selected remotely by the programming device) and program (execution stops in preparation for downloading new instructions).


The investigation was detailed and included fault tree analysis, calculations and other analytical tools, together with a review of the control hardware, the PLC programs and the programming procedures. From it a set of causal factors was identified for further consideration and then reduced to a more succinct set of root causes (conditions whose removal may have prevented the incident sequence of events). Several of the more substantial root causes are discussed below as lessons learned; they have been generalized to protect confidential details.

ROOT CAUSE 1. PLC State Not Monitored

This condition refers to the lack of any external indication to the BMS that the CCS had stopped or otherwise failed. The gap might have been revealed had a functional specification called for a PLC state monitor, or had an independent review of the system taken place, including a comparison with current standards and recommendations such as those of the ABMA.

If the BMS can detect that the CCS is no longer able to control an essential field device, it can act on that information. Loss of the CCS can be detected by the BMS before any safety sensor trips on the resulting abnormal operating conditions, and that loss alone should trip the boiler. Incorporating functional specifications, procedures, functional testing and inspection requirements in the management-of-change system could reasonably have prevented this accident or similar ones.
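One way the BMS can monitor the CCS state, as an added example for this write-up rather than code from the investigated plant: the CCS writes a free-running heartbeat counter to the BMS every scan (over the existing network link or as a hard-wired pulse), and the BMS treats a counter that stops changing as "CCS stopped" and trips the boiler. The counter width, the timeout, the start-up grace period and the scan periods are assumptions. A frozen counter covers the processor being stopped by the key switch, a fault or a power loss; a missing frame is deliberately treated as a failure rather than as good news.

```python
"""BMS-side liveness monitor for the CCS. Added example for this write-up,
not code from the investigated plant; all constants are assumptions."""
from dataclasses import dataclass
from typing import Optional

COUNTER_MODULUS = 1 << 16       # 16-bit word on the link; the counter wraps
HEARTBEAT_TIMEOUT_S = 2.0       # assumed: several CCS scan periods
STARTUP_GRACE_S = 5.0           # assumed: lets the CCS boot after a power cycle


@dataclass
class CcsHeartbeatMonitor:
    last_counter: Optional[int] = None
    last_change_time: float = 0.0
    armed_time: float = 0.0
    ccs_lost: bool = False          # latched until arm() is called again
    trip_reason: str = ""

    def arm(self, now: float) -> None:
        """Start (or restart after an operator reset) the watchdog at time `now`."""
        self.armed_time = now
        self.last_change_time = now
        self.last_counter = None
        self.ccs_lost = False
        self.trip_reason = ""

    def observe(self, now: float, counter: Optional[int]) -> bool:
        """Called every BMS scan with the latest counter value (None = no valid
        frame received). Returns True while the boiler may keep running."""
        if self.ccs_lost:
            return False                # latched: a trip is not cleared by a late heartbeat
        if counter is not None:
            counter %= COUNTER_MODULUS
            if self.last_counter is None or counter != self.last_counter:
                # any change proves the CCS processor executed another scan;
                # a wrapped or restarted counter still counts as a change
                self.last_counter = counter
                self.last_change_time = now
        # a missing frame (None) is deliberately NOT treated as "no news is good news"
        stale_s = now - self.last_change_time
        if now - self.armed_time > STARTUP_GRACE_S and stale_s > HEARTBEAT_TIMEOUT_S:
            self.ccs_lost = True
            self.trip_reason = f"CCS heartbeat stale for {stale_s:.1f} s: trip boiler"
            return False
        return True


def simulate(ccs_scan_ms: int = 100, bms_scan_ms: int = 500,
             ccs_stops_at_ms: int = 10_000, end_ms: int = 14_000):
    """Constructed scenario: the CCS increments its counter each scan until its
    processor stops (key switch to PROGRAM, fault, power loss); the BMS scans
    more slowly. Returns the monitor and the time the BMS tripped (or None)."""
    mon = CcsHeartbeatMonitor()
    mon.arm(0.0)
    counter = 0
    trip_time = None
    for t_ms in range(0, end_ms + 1, bms_scan_ms):
        if t_ms < ccs_stops_at_ms:
            counter = (t_ms // ccs_scan_ms) % COUNTER_MODULUS
        # after the stop the BMS keeps reading the same frozen value
        if not mon.observe(t_ms / 1000.0, counter) and trip_time is None:
            trip_time = t_ms / 1000.0
    return mon, trip_time


if __name__ == "__main__":
    mon, tripped_at = simulate()
    print("CCS stopped at 10.0 s; BMS tripped at", tripped_at, "->", mon.trip_reason)
```

With the assumed values the CCS stops at 10.0 s and the BMS trips at 12.0 s, the first scan at which the counter has been stale for longer than the timeout; no process variable has to go out of range first. The grace period only suppresses the trip immediately after arming, which is why a CCS that never starts counting is still caught at 5.5 s.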


ROOT CAUSE 2. Damper Outputs Defaulted to Fail Closed

The default configuration of the I/O modules drove an output that closed the ID and FD dampers when the PLC stopped. This undesired fail-closed behaviour might have been caught if a functional specification had been written for the CCS, or if a procedure had required an independent review of the system design, including a comparison with industry standards and recommendations such as maintaining a minimum airflow regardless of the operating state of the control system. The default (fault-state) setting of the output modules must not close the dampers when the processor stops.


ROOT CAUSE 3. Minimum Airflow Not Enforced Mechanically

Because the dampers were allowed to close fully, the existing requirements of NFPA 85 were not met; an independent review of the airflow arrangement would likely have caught this. Administrative controls that limit the minimum damper setting in the control system are insufficient during a control system outage such as the one in this case. NFPA 85 specifically requires that airflow not fall below 25% while fuel is flowing to the burners or igniters, and this is typically ensured by mechanical stops that limit the minimum damper position.


ROOT CAUSE 4. Air Flow Sensor Not Operational

The terminal connections for the air flow sensor were not operational, so the BMS could not detect a low air flow condition using this sensor; under NFPA 85 such a condition must lead to a master fuel trip. The root cause analysis focused on how this condition arose in the legacy system and remained hidden through the burner upgrade project. From the history of the minimum air flow monitoring strategy for the boiler, it was inferred that the condition was created during a previous system upgrade. That change in strategy should reasonably have included verification of the final control elements, but apparently did not.
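The three airflow-side defences that the preceding root causes defeated, as an added example for this write-up (not code from the investigated plant): the output module fault state, the mechanical minimum stop, and validation of the airflow transmitter signal before it feeds the master fuel trip (MFT). The 25% minimum airflow is the NFPA 85 figure quoted above; the 4-20 mA scaling, the NAMUR NE 43 style fault bands (below 3.6 mA or above 21 mA) and all default values are assumptions. The practitioner's point is the last function: a disconnected 4-20 mA loop reads 0 mA, and a BMS that treats that as "no low-airflow alarm" rather than as an invalid measurement runs blind, which is exactly what the dead terminals produced.

```python
"""Airflow-side interlocks: output fault state, mechanical stop, and signal
validation ahead of the master fuel trip. Added example; values are assumed
except the NFPA 85 25% minimum quoted in the text."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class FaultMode(Enum):
    """What an output module drives when the processor stops."""
    OFF = "off"                 # typical module default: outputs de-energize, damper drives closed
    HOLD_LAST = "hold_last"     # keep the last commanded value
    SAFE_VALUE = "safe_value"   # drive a configured position


@dataclass
class DamperOutput:
    fault_mode: FaultMode
    safe_value_pct: float = 0.0
    mechanical_stop_pct: float = 0.0    # hard minimum the actuator physically cannot pass
    last_command_pct: float = 60.0

    def position(self, processor_running: bool, command_pct: Optional[float] = None) -> float:
        """Resulting damper position (% open) for one scan."""
        if processor_running and command_pct is not None:
            self.last_command_pct = command_pct
            wanted = command_pct
        elif self.fault_mode is FaultMode.OFF:
            wanted = 0.0
        elif self.fault_mode is FaultMode.HOLD_LAST:
            wanted = self.last_command_pct
        else:
            wanted = self.safe_value_pct
        # the mechanical stop applies whatever the control system (or its failure) asks for
        return max(self.mechanical_stop_pct, min(100.0, wanted))


MIN_AIRFLOW_PCT = 25.0      # NFPA 85 minimum while fuel flows to burners or igniters
LOOP_FAULT_LOW_MA = 3.6     # assumed NE 43 bands: an open loop reads 0 mA and lands here
LOOP_FAULT_HIGH_MA = 21.0


def read_airflow_pct(loop_ma: float) -> Tuple[Optional[float], str]:
    """Convert a 4-20 mA airflow loop to % of span, or None with a reason if the
    signal itself is not trustworthy (open terminals, short, failed transmitter)."""
    if loop_ma < LOOP_FAULT_LOW_MA or loop_ma > LOOP_FAULT_HIGH_MA:
        return None, f"loop fault ({loop_ma:.2f} mA)"
    pct = (loop_ma - 4.0) / 16.0 * 100.0
    return max(0.0, min(100.0, pct)), "ok"


def master_fuel_trip(fuel_flowing: bool, loop_ma: float) -> Tuple[bool, str]:
    """BMS decision for one scan. An invalid measurement trips exactly like a low
    measurement: the BMS must never run blind on its airflow permissive."""
    if not fuel_flowing:
        return False, "no fuel flow; airflow permissive not required"
    airflow, status = read_airflow_pct(loop_ma)
    if airflow is None:
        return True, "MFT: airflow measurement invalid, " + status
    if airflow < MIN_AIRFLOW_PCT:
        return True, f"MFT: airflow {airflow:.1f}% below {MIN_AIRFLOW_PCT:.0f}%"
    return False, f"airflow {airflow:.1f}% ok"


if __name__ == "__main__":
    # constructed comparison: the as-found configuration versus a reviewed one
    as_found = DamperOutput(FaultMode.OFF)
    reviewed = DamperOutput(FaultMode.HOLD_LAST, mechanical_stop_pct=MIN_AIRFLOW_PCT)
    print("CCS stopped, as found:  damper", as_found.position(False), "% open")
    print("CCS stopped, reviewed:  damper", reviewed.position(False), "% open")
    print("open sensor terminals:", master_fuel_trip(True, 0.0))
    print("healthy 50% airflow:  ", master_fuel_trip(True, 12.0))
```

Note that the mechanical stop also overrides a running processor: a command of 10% with a 25% stop still yields 25% open, which is why the text prefers a hardware stop to an administrative minimum in the control logic.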


A common definition of a hazard in an industrial setting is "a physical or chemical condition that has the potential for causing harm to people, property or the environment." A steam boiler plant is a specialized type of process unit that may operate within a larger chemical process plant or as the source of municipal power generation. Steam boilers present process hazards from combustion, high temperature, high pressure and steam, along with the usual machinery and occupational hazards (e.g., rotating machinery, electricity, slips and falls). NFPA 85 recommends reviewing both the initial design and subsequent changes to a boiler system for safety, and provides many prescriptive guidelines for designing, commissioning, operating and maintaining boiler systems, but it does not prescribe specific hazard evaluation techniques for meeting those safety objectives.

Several types of process hazard evaluation technique can be applied to identify potential hazards in steam boiler systems at the various stages of the process unit's life cycle: design, commissioning and operation. At various points after initial commissioning, changes may be made to mechanical, electrical or control systems that alter their functional characteristics, and such changes may fall under a company's management-of-change procedures. A process hazard analysis (PHA) should be performed for any such change, with the complexity of the change determining what type of PHA is conducted. Qualitative scenario-driven techniques such as preliminary hazard analysis (PrHA), hazard identification studies (HAZID) and hazard and operability studies (HAZOP) are ubiquitous in the process industries, but they are better suited to unique processes and initial designs. The boiler system discussed here had been safely in service for over two decades before the incident, so most hazard scenarios those techniques would identify had probably already been mitigated in the existing design. The incident, however, occurred during a design modification, which could have been used to trigger a limited PHA addressing the new changes.

For the boiler system, an effective form of PHA is a checklist analysis; detailed guidance can be found in Reference. A checklist is a written list or table of items used to verify the status of a system. Individual checklists may be highly specific to a process or company, but they are frequently used to measure compliance with standards and guidelines, and a checklist provides criteria against which a given system is evaluated. The authors have had good success developing boiler safety checklists for management-of-change activities in boiler system upgrades and commissioning. Excerpts from such a generic checklist, and an explanation of how it would have identified the specific root causes, are provided below.

A checklist-based analysis against NFPA 85, used by experienced and knowledgeable personnel as part of the facility's management of change, would likely have detected the root causes identified in the previous section.


  1. Root Cause Analysis of an Industrial Boiler Explosion.
  2. Design and Application of Marine Control System Based on PLC and Touch Screen.
  3. NFPA 85: Boiler and Combustion System Hazards Code. National Fire Protection Association, Quincy, MA.