It’s a familiar tale in the boiler industry: something goes wrong with the feedwater supply to a boiler, the boiler runs out of water, and it does not trip offline. The steam pressure goes to zero (because no water is in the boiler), so the boiler ramps up to high fire to make up for the lost steam pressure. Without water-side cooling, the metal in the boiler glows as it heats up. In minutes, the boiler is irreparably damaged due to high-temperature metal creep.
Ironically, that’s the best outcome to this situation. The worst outcome occurs when a boiler operator sees that the boiler is out of water and then energizes another feedwater pump to restore water to the boiler. The water hits the glowing hot metal, flashes, and then expands 2,000 times its original volume, ripping apart the boiler tube sheet. The boiler turns into a torpedo and launches itself into the parking lot.
With all of the redundant safety interlocks required on a steam boiler, this scenario should never happen, but one dry-firing boiler occurs almost every year in the U.S. The progression toward unmanned boiler rooms—and away from trained boiler operators—places an increasing emphasis on the proper selection, installation and periodic inspection of boiler drum level controls and other safety limits.
For a dry-firing incident to occur with a modern firetube or watertube boiler, five separate failures have to occur:
1. The feedwater supply to the boiler must be interrupted. This could occur if a feedwater pump trips off, the feedwater isolation valve is left closed when a boiler is brought online, or the drum level control malfunctions and the feedwater control valve shuts off tight.
2. The low-water cutout alarm does not work or is not noticed by plant personnel. High-end boiler controllers that use a drum level transmitter usually have a programmable low-water alarm that works off the transmitter’s analog signal. Many boilers have an additional hardwired low-water alarm, which is either a float switch or a level relay activated off a water level probe that communicates to the boiler flame safeguard system via a 120 VAC hardwired contact.
3. NFPA 85: Boiler and Combustion Systems Hazards Code requires boilers to have a hardwired low-water cutout. This can be either a float switch or a level relay. It is typically a 120 VAC switch that is wired directly to the flame safeguard system. It can be wired as either a recycle limit switch or a non-recycle limit switch. A recycle limit switch is one that, when opened, causes the flame safeguard system to shut down the boiler, but does not generate an alarm. The boiler will light off automatically when the recycle limit switch is made again. This can occur, for instance, when the water level rises above the reset point of the low-water cutout switch.
4. The boiler code requires a second auxiliary low-water cutout that is wired into the non-recycle limit circuit of the flame safeguard system. When the auxiliary low-water cutout switch opens, the flame safeguard system executes a safety shutdown of the boiler and sounds the alarm. A safety shutdown of the boiler requires an operator to manually reset the flame safeguard controller to relight the burner. Typically, if the low-water cutout is a float switch, the auxiliary low-water cutout is a level probe or vice versa. (Note: the terminology for low-water cutout and auxiliary low-water cutout is not universal throughout the boiler industry. Sometimes the term auxiliary low-water cutout refers to the first [recycle] low-water switch.)
5. The fifth and final cause of dry-fire boiler failure is human error. Boilers are required to have gauge glasses so the boiler operator can see the water level in the boiler regardless of what the drum level transmitter is telling them. One of the primary responsibilities of boiler operators is to detect abnormal operating conditions before dangerous situations occur. If the plant’s management decides to operate the boiler without trained operators, they have decided to rely solely on the boiler controls and have lost one level of redundancy that contributes to safe boiler operation.
Enhanced boiler safety through advanced controls
As plant owners have moved toward eliminating the position of boiler operator and running more unattended boiler rooms, they have increased their reliance on boiler controls for the safe operation of boilers. Consequently, suppliers of modern boiler control systems have added features to their control systems to make the possibility of dry-firing even less likely. A few of these features follow.
Headered feedwater pumps with lead/lag control
It is common now to header up to three redundant feedwater pumps to a single feedwater header. Auxiliary contacts in the feedwater pump’s motor starters wire into the feedwater controls. If a pump fails, a lag pump is energized automatically and an alarm is sounded to notify plant personnel.
Feedwater header-pressure transmitters
Typically used when feedwater pumps are run by variable-speed drives, a feedwater header-pressure transmitter alerts the feedwater control system when feedwater header pressure is too high or too low. If feedwater header pressure is too low, the controls will energize another feedwater pump and sound an alarm.
Automated low-water cutout testing
Boilers have been equipped with low-water cutout (LWCO) bypass pushbuttons for decades. Once a day or once per shift, the operator depresses the LWCO bypass pushbutton and opens a valve to blow down the water column housing the LWCO probe or float switch. The operator verifies that the switch opened, closes the valve, and takes his finger off the pushbutton. This is an essential test. However, in this age of maintenance workers performing the tasks previously done by trained boiler operators, how does plant management know that the low-water cutout tests are really being performed—or that they are being performed correctly?
New control systems automate this task using an actuated ball valve in the blowdown line and software to initiate a daily LWCO test. If the LWCO switch opens and the test is successful, it is logged in the alarm history. If the test is unsuccessful (the LWCO switch didn’t open when it should have), the flame safeguard can sound the alarm and keep running the boiler, or it can be set up to trip the boiler.
Stack temperature monitoring
New controllers monitor stack temperature as part of calculating boiler efficiency, but this input can also be used to trip the boiler if the stack temperature goes too high. Typically, the stack temperature doesn’t exceed 100°F above the saturated steam temperature of the boiler—450 to 550°F depending on operating pressure and boiler efficiency. A high stack temperature cutoff set at 750°F will not produce nuisance trips, but will quickly indicate if a boiler runs out of water in time to shut down the burner and notify plant personnel. A stack temperature thermocouple is inexpensive, reliable and included in many boiler control packages already designed for efficiency monitoring.
Enhanced boiler safety through testing
The U.S. Department of Veterans Affairs (VA) deserves credit for requiring additional testing of boiler limits and standardizing these testing procedures throughout its network of hospitals. According to Doug Ryan, Consulting Support Service for the Veteran’s Administration, the VA requires all boiler plant safety devices to be tested every six months in the mode that they would see a failure.
Operators at VA steam plants are required to test the low-water cutouts on each boiler by shutting off the feedwater supply and letting the boiler steam off to gradually lower the water level. The “balls” in a float switch can get corroded or deformed and hang up in the normal water level condition. The daily LWCO blowdown test won’t detect a stuck float—the high-pressure differential caused by opening the blowdown valve will likely unstick the float and mask the real problem.
In contrast, gradually lowering the water level in a boiler will likely detect a stuck ball float and alert operators to the problem. For this test, the operators temporarily install a highly visible wire jumper across the first low-water cutout and slowly steam the boiler water level down to test the second low-water cutout. Then they remove the jumper and repeat the procedure to test the first low-water cutout. At the conclusion of the test, two people are required to sign off on the procedure, indicating that the wire jumpers have been removed. A similar test is required for the high steam pressure cutout switches.
For suppliers, engineers, and technicians working in the boiler industry, boiler safety must be the first consideration. Unstaffed boiler rooms can benefit from boiler controls that incorporate enhanced safety features like those described above. A smarter approach to periodic boiler inspections will ensure that boiler safety systems will work as planned in the event of an equipment failure, thus preventing a dangerous boiler meltdown or explosion.
NFPA 85 dictates the absolute minimum in boiler safety. The steering committee that writes the code is made up of approximately one-third owners’ representatives, one-third design engineers, and one-third boiler industry suppliers. Technological advances in boiler safety are not adopted by the NFPA code unless these three groups reach a consensus. Code revisions take time to work their way through the revision process and get incorporated into the next code update. As a result, specifying a control system to be NFPA 85 compliant is insufficient. Plant owners and engineers need to take an active role in researching and specifying the latest advancements in boiler safety.
Care needs to be taken in the execution portion of the specification to require all boiler safeties to be commissioned correctly and demonstrated to plant personnel. A large watertube boiler in Texas with a new burner exploded several years ago. The root cause of the explosion was found to be that the separate flame safeguard and combustion control systems were not integrated correctly. The low-fire proving switch on the boiler’s gas-flow control valve should have detected the problem and prevented the explosion, but it was never checked by the burner’s startup engineer. Regardless of any mistakes made upstream, it is the responsibility of the commissioning engineer to correctly start up, test and demonstrate the safety devices on a boiler.
It is tempting for boiler inspectors to give cursory examinations when they see that the boilers, burners, and controls are all brand new and under warranty. However, just because equipment is new does not mean it was started up and tested correctly. Owners and their engineers should require thorough testing of new boilers and demonstration of all safety limit devices. Involving the plant personnel in this testing is a good way to familiarize the operators with the new equipment and get them ready to operate and inspect the equipment on their own.
David Eoff is a mechanical engineer with a background in boiler, burner and generator controls. He is the manager of National Sales at Preferred Utilities in Danbury, Conn.