See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/267592647

Root Cause Analysis of an Industrial Boiler Explosion (and How Hazard Analysis
Could Have Prevented It)

Conference Paper · January 2010

DOI: 10.1115/IMECE2010-37944

CITATIONS READS
0 1,479

4 authors, including:

Juan C Ramirez Mark Fecke

Rimkus Consulting Group Exponent
43 PUBLICATIONS   503 CITATIONS    6 PUBLICATIONS   14 CITATIONS   

SEE PROFILE SEE PROFILE

Delmar R. Morrison
Exponent
29 PUBLICATIONS   58 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Juan C Ramirez on 23 March 2015.

The user has requested enhancement of the downloaded file.

 Proceedings of the ASME 2010 International Mechanical Engineering Congress & Exposition
November
November 12-18,
12-18, 2010,
ROOT CAUSE ANALYSIS OF AN INDUSTRIAL BOILER EXPLOSION
(AND HOW HAZARD ANALYSIS COULD HAVE PREVENTED IT)
Juan C. Ramirez
Exponent
Lisle, IL, USA
Delmar “Trey” Morrison
Exponent
Lisle, IL, USA
ABSTRACT
An explosion occurred in the firebox of an industrial boiler
with a nominal fuel input rate of 100 MW (340 million Btu/hr),
in a processing plant during final commissioning of the burner
systems. This paper describes the investigation of the incident,
root cause analysis, and lessons learned from the incident. The
original burners in the boiler had recently been replaced with
low NOx burners, and the facility was in the process of
commissioning the new burner system. The boiler was running
only on natural gas igniters at the time of the incident. While
firing on igniters, an undetected stoppage of the control
equipment occurred, which led to a restriction of airflow
through the secondary air dampers. The boiler controls
included programmable logic controllers (PLCs) for both the
combustion control system (CCS) for regulation and the burner
management system (BMS) for safety functions. The BMS was
intended to detect a loss of control such as this and immediately
stop fuel to the boiler; however, it did not. The BMS PLC was
not configured to detect the dangerous states and allowed the
igniters to continue to fire. An explosion subsequently
occurred within the boiler firebox that caused extensive
damages to the facility and equipment. This paper will describe
the incident investigation and determination of multiple root
causes for failure of the BMS to prevent the explosion. The
inadequate configuration of the control systems was likely
present for some time prior to the incident, and the explosion
was eventually caused when the right conditions occurred
during this commissioning. We found through the investigation
that the BMS deficiencies could have been detected and
prevented (and almost were) through standard hazard analysis
techniques common in the chemical processing industries. This
paper will also discuss how hazard analysis can be applied to
detect and prevent similar system failures.
1 Copyright © 2010 by ASME
IMECE2010
2010, Vancouver,
Vancouver, British Columbia, Canada
IMECE2010-37
IMECE2010-37944
Mark Fecke
Exponent
Lisle, IL, USA
John D. Martens
Exponent
Lisle, IL, USA
INTRODUCTION
This paper is divided into several sections. The
Background section provides information on the equipment
involved in the explosion; this includes the boiler and a
description of the controls system. The Incident Summary and
Analysis section discusses some important facts and witness
observations preceding the accident. This section is a brief
summary of the accident sequence of events but has been
generalized to protect confidential details. This is followed by
the Root Causes section in which we identify the root causes
for the failure. We finish the paper with a Hazard Analysis
section, which provides an introduction to this field and
describes how we are currently applying the techniques of
hazard analysis to assists plant personnel avoiding events like
this one in the future.
BACKGROUND
As part of the investigation we used several codes,
standards, and guidelines [1,2,3,4] as authoritative references.
The boiler in question is a two drum design with superheat
yielding superheated steam at a design pressure of 7 kPa (1000
psig), at 450°C (842°F). The boiler produces steam at a rate of
25 kg/s (200,000 lbs/hr) that can be used for either process heat
or a power turbine.
Boiler System and Equipment
The boiler provided steam as one of the primary utilities
for the plant. A block flow diagram is provided in Annex A to
illustrate the fuel and air flow to the boiler. The Low-NOx
burner system for the boiler consisted of primary burners
coupled with natural-gas-fired igniter burners. The air stream
was substoichiometric to the burners requiring a secondary air
feed for stable combustion.
 A natural gas fired igniter was mounted adjacent to each
burner. Each igniter had a natural gas feed and an igniter
primary air feed. The igniter gas/air stream was
substoichiometric and relied upon the additional air feed from
the windbox to achieve stoichiometric combustion.
The constant-speed forced draft (FD) fan supplied the
additional air stream. Exhaust gases from the boiler exited the
furnace through the boiler penthouse before entering the
pollution control equipment. Exhaust gases were drawn from
the furnace and through the air pollution control equipment via
the constant speed induced draft (ID) fan. The FD and ID
dampers controlled the rate of airflow through each fan. The
discharge of the ID fan exited through the stack.
Control System
The control system consisted of several interacting
components and subsystems that were coordinated to control
the operation of the boiler. The various devices communicated
through hard-wired signals and network communications, and
the operator interacted with the systems using a human-
machine interface (HMI).
The boiler had four systems that worked together: Burner
Management System, Combustion Control System, HMI, and
Plant Information (PI) system. The BMS and CCS were
Programmable Logic Controller systems that had physical
connections to the sensors and actuators, known as field
elements. The PI data system was an electronic data recording
system with a historian function.
Through actuators, sensors, and interlocks, the BMS PLCs
controlled various actuators (e.g., valve positions, feeders, and
mills) according to permissives defined by the logic running in
the PLC program. The BMS represented the standard safety
functions typical to boiler systems.
The CCS was a typical PLC that consisted of several sub-
systems: a main processor, flexible I/O modules, power
supplies, and networking cards. Much like the BMS, the I/O
modules allowed the PLC to ascertain the state of the boiler by
reading the value of sensors. The I/O modules also allowed the
PLC to control the various actuators by changing the outputs.
As is typical with PLCs, a key switch was located on the main
PLC in the cabinet for the CCS. Such key switches control the
state of the PLC using three settings: run (causes the PLC to
immediately execute the programmed logic), remote (the state
is remotely controlled by a programmer, which is typically a
personal computer), and program (ceases program execution in
preparation for the downloading of new instructions).
INCIDENT SUMMARY AND ANALYSIS
The explosion occurred in an industrial boiler. The burners
on this boiler had recently been replaced, and the plant was in
the process of commissioning the new burner system. The
boiler was running on natural gas igniters only during the day
of the accident, the boiler operator realized that he had lost
control over the boiler system. The explosion occurred within
minutes of this upset. No personnel were injured in the incident
and facility damages were limited to the boiler, boiler house,
and nearby equipment.
The underlying cause of the explosion in the boiler and the
events leading up to the incident are discussed below. The focus
of the investigation was on the industrial boiler and the control
system (BMS, CCS, and operator interface).
A few minutes before the explosion, a series of
observations were noted regarding the control system and final
control elements in the field. Unbeknownst to the operator, the
CCS had stopped execution. The boiler operator reported a loss
of control of the boiler and was working with a field operator to
troubleshoot the issue. Multiple control elements were observed
to be only intermittently responding to control signals from the
boiler operator. The field operator reported that these control
elements not only did not respond but operated in contradiction
with the boiler operator’s commands. The boiler operator was
unable to control the boiler due to a loss of control system
response.
An examination of the PI data after the incident revealed
that the data from some sensors was not recorded for a period
of several minutes surrounding the explosion. The data also
showed that the control of various process variables resumed
after the outage. Furthermore, the PI data for pressures
upstream and downstream of the pollution control equipment
were recorded during the outage (i.e., non-CCS process data
was not lost during the outage). The recorded PI data indicated
that there was a loss of airflow through the boiler firebox
during the control outage.
Based on fault tree analyses (which we omit for the sake of
brevity) and incorporating all information from witness
statements, physical evidence and calculations, we concluded
that the igniters approached a near flamed-out condition and the
conditions in the boiler reached the LEL (Lower Explosive
Limit) of gas/air. In order to reach this condition, it is
hypothesized that the airflow was reduced and that this was
caused by the FD and ID dampers closing due to a loss of
control.
ROOT CAUSE ANALYSIS
The investigation was very detailed and included the fault
tree analyses, calculations, and other analytical tools as
mentioned above. Additionally, a detailed analysis of the
controls hardware, PLC programs, and programming
procedures were required. Based upon the detailed
investigation, a set of causal factors were identified for further
consideration. This set of causal factors was reduced to a more
succinct set of root causes (e.g., conditions whose removal
may have prevented the incident sequence of events). Several
of the more substantial root causes are discussed below to
provide lessons learned from the investigation. These root
causes have been generalized to protect any confidential details.
Root Cause 1. PLC State Not Monitored
This condition refers to lack of an external indication to the
BMS that the CCS had stopped or otherwise failed. The fact
that the PLC state was not being monitored may have been
2 Copyright © 2010 by ASME
revealed if a functional specification had called for a PLC state
monitor or if an independent review of the system had
occurred. Such a review could have included a comparison to
current standards and recommendations, including for example,
ABMA. [3]
If the BMS is able to detect that the CCS is no longer able
to control an essential field device, then the BMS may act on
this information. The condition of the loss of the CCS may be
detected by the BMS in advance of any safety sensors
triggering as a result of improper operating conditions. This
information, i.e. the loss of the CCS, would trip the boiler.
Incorporating functional specifications, procedures, functional
testing, and inspection requirements in the management-of-
change system may have reasonably prevented this accident or
similar accidents.
Root Cause 2. I/O Module Configuration
The default configuration for the I/O modules was to
output a signal that would close the ID and FD dampers upon a
PLC stoppage. This undesired fail-closed configuration may
have been caught if a functional specification had been written
for the CCS or if a review procedure requiring independent
review of the system design had taken place. Such a review
could have included a comparison to industry standards and
recommendations, including for example, maintaining a
minimum airflow regardless of the operating state of the control
system by not closing the dampers. It is important that the
default setting does not cause the dampers to close in the event
of a stopped processor.
Root Cause 3. Minimum Damper Position
Since the damper was allowed to fully close, the existing
requirements from the NFPA 85 standard were not met. An
independent review of the airflow arrangement for the system
would likely have caught this issue. Administrative controls to
limit the minimum setting for the damper positions are
insufficient in the case of a control system outage such as that
experienced in this case. NFPA 85 specifically requires that the
airflow not be below the 25% level while there is fuel flow to
the burners or igniters. Typically, this function is ensured
through mechanical stops in the damper system to limit its
minimum position.
Root Cause 4. Non-Operational Minimum Airflow
Sensor.
The terminal connections for the airflow sensor were non-
operational, therefore, the BMS could not detect a low airflow
condition using this sensor. Such a condition must lead to a
master fuel trip based on the NFPA 85 code. The root cause
analysis was focused on how this condition was created through
the legacy system and remained hidden through the current
burner upgrade project. Based upon the history of the minimum
airflow monitoring strategy for the boiler, it was inferred that
this condition was created during a previous system upgrade.
The change in this strategy should have reasonably included
verification of the final control elements but apparently did not.
HAZARD ANALYSIS
A common definition for a hazard in an industrial setting is
“a physical or chemical condition that has the potential for
causing harm to people, property, or the environment.” [7] A
steam boiler plant is a specialized type of process unit that may
operate within a larger chemical process plant or as the source
of municipal power generation. Steam boilers may present
process hazards from combustion, high temperature, high
pressure, and steam along with typical machinery and
occupational hazards (e.g., rotating machinery, electricity, slip
and fall). NFPA 85 recommends reviewing both initial design
and changes to a boiler system for safety. NFPA 85 provides
many prescriptive guidelines for designing, commissioning,
operating, and maintaining boiler systems. NFPA 85 does not
prescribe specific hazard evaluation techniques to accomplish
these safety objectives.
Several types of process hazard evaluation techniques can
be applied to identifying potential hazards in steam boiler
systems at the various stages in the life cycle of the process
unit. The process unit lifecycle includes the stages of design,
commissioning, and operation. At various points of the process
life after initial commissioning, changes may be undertaken to
mechanical, electrical, or control systems that alter the
functional characteristics. These types of changes may fall
under the definition of a company’s management of change
procedures. A process hazard analysis (PHA) should be
recommended for any such changes; however, the complexity
of the changes should be considered when determining what
type of PHA is to be conducted. Qualitative scenario-driven
hazard analysis techniques such as Preliminary Hazard
Analyses (PrHA), Hazard Identification Studies (HAZID), and
Hazard and Operability studies (HAZOP) are ubiquitous in the
process industries, but these are better suited to unique
processes and initial system designs. The boiler system
discussed in this paper had been safely in service for over two
decades prior to the incident; thus, most hazard scenarios that
could be identified by the earlier techniques were likely already
mitigated for the existing design. However, the incident
occurred during a design modification, which could be used to
trigger a limited PHA to address the new changes.
For boiler systems, an effective form of PHA is a Checklist
Analysis and detailed guidance can be found in Reference. [6]
A checklist is a written list or table of items that is used to
verify the status of a system. Individual checklists may be
highly specific to a certain process or company, but they are
frequently used to measure compliance with standards and
guidelines. [7] A checklist will provide criteria against which a
given system is evaluated. The authors have found good
success in developing boiler safety checklists for use in
management of change activities for boiler systems upgrades
and commissioning. Excerpts from such a generic checklist
and explanation of how this checklist would have identified the
specific root causes are provided below.
A checklist-based analysis on the provisions of NFPA 85
would likely have detected the root causes identified in the
previous section when used by experienced and knowledgeable
3 Copyright © 2010 by ASME
personnel as part of the facility’s management of change. For
instance, careful consideration of section 4.6.3.2.3 of NFPA 85
may have addressed the conditions creating root causes 1, 2 and
3 as it explicitly requires evaluating specific failure modes such
as processor faults.
The lack of state-of-health monitor between BMS and CCS
(Root Cause #1) may have been detected by implementing a
checklist including ABMA - Combustion control guidelines
2001, Section 3.3. This section states: The control system is to
send a signal to the BMS anytime there is an internal fault that
jeopardizes the ability of the control system to maintain safe
operation.
The non-operational minimum airflow sensor (Root Cause
#4) may have been detected had section 6.6.5.2.1.1 - (14) of
NFPA 85 been followed carefully. This section reads: A
complete functional check of the interlocks has been made after
an overhaul or modification of the interlock system. If a
thorough functional check had been performed during many of
the system upgrades over the years, the absence of the sensor
functionality may have been detected before the special
requirements leading to the incident were met. Similar language
requiring functional checks can be found in sections
4.6.2.3.2.4* - (J), 6.4.2.2.2, 6.4.2.2.3, and 6.6.5.2.1.1 - (14).

REFERENCES
1. NFPA 85: Boiler and Combustion System Hazards
Code. Natioanl Fire Protection Association, Quincy,
MA.
2. ASME Pressure Vessel Code, Section VII
3. American Boiler Manufacturers Association (ABMA)
– Multiple Burner Boilers Combustion Control
Guidelines, Forward. 2001
4. American National Standard Institute (ANSI) and
Instrumentation Systems and Automation Society
(ISA) –77.41.01-2005, Forward. 2005
5. Guidelines for Investigating Chemical Process
Incidents, 2nd edition, AIChE Center for Chemical
Process Safety, p. 179 (2003).
6. Fecke M, Morrison DR, Martens J, Cowells J. “A
guide to developing and implementing safety
checklists: Plant steam utilities.” American Institute
of Chemical Engineers, 2010 Spring National
Meeting, 25th Center for Chemical Process Safety
International Conference, San Antonio, TX, March
22–24, 2010.
7. Guidelines for Hazard Evaluation Procedures, 3rd
Edition, Center for Chemical Process Safety, New
York (2008)

4 Copyright © 2010 by ASME

View publication stats

ANNEX A

BOILER FUEL / AIR FLOW DIAGRAM

5 Copyright © 2010 by ASME