Safety with marine boilers

Marine boiler plants require adequate control systems to raise steam, maintain design
conditions for steady steaming, secure the boiler units and promptly detect malfunctions and
failures. The automatic control arrangement on a shipboard boiler is divided into two parts:

1. A safety system that monitors that all values are within the predetermined limits, gives an
automatic alarm if any of them is not, and initiates an automatic burner trip in a
dangerous situation.
2. Continuous control of the different parameters: water level control, steam
pressure control, fuel oil pressure control, fuel oil temperature control, blowdown
control, superheat temperature control etc.

The combustion control system maintains constant steam pressure by controlling the flow of
air and oil to the burner. The more advanced combustion controls transmit the air and oil
loading simultaneously but with a slight lag between air and oil, so that with an increased
boiler load, the air will lead the oil, and on a decrease in the boiler load the oil will lead the
air. Such an arrangement makes it possible to minimize the emission of smoke during
maneuvering. All the classification societies have special requirements for marine applications
due to the environment and the fact that one can neither escape from an accident nor get service
when the ship is sailing at sea. Things just have to work.

Is an automatically controlled boiler an explosion risk?

An easy way to find out is to check whether your boiler control system lights up the first burner safely.
Shut off the fuel supply to the burner safely before the test.

1. Power up the boiler control system.
2. Start the burner. Start a stopwatch when the combustion air damper has reached its maximum position.
3. Stop the stopwatch when the combustion air damper begins to close again, and note
the purge time. The air in the furnace should be changed at least five times during the
prepurge period.
4. Find the furnace volume and the fan capacity from the documentation and calculate
the purge time needed. The time must never be less than fifteen seconds even if your
calculation says so.
5. Start the stopwatch again when the automatic fuel oil shutoff valves open.
6. Stop the stopwatch when the fuel oil shutoff valves close and you get a flame failure
or misfiring alarm, and note the trial-for-ignition time. If the time you get is more than
fifteen seconds, you must not ignite the burner until the time has been
adjusted. Five seconds is a reasonable trial-for-ignition time, but different classification
societies specify different maximum times. Get the correct maximum time from the
rules of the relevant classification society.

N.B. This shut-off delay is only allowed during trial-for-ignition. On a
flame failure during normal firing the fuel oil valves must shut off instantly.
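The timed light-up test above can be written down as a check, so that the stopwatch readings are compared against the five-air-change purge requirement, the fifteen-second floor and the trial-for-ignition limits in one place. The following is an added example, not code from the original article; it assumes furnace volume in m3, fan capacity in m3/h, times in seconds, and that the reader supplies the maximum trial-for-ignition time taken from the classification society's rules.

```python
"""Worked check for the light-up test: added example, not part of the
original article. Assumed units: furnace volume in m3, fan capacity in m3/h,
all times in seconds; the maximum trial-for-ignition time is a value the
reader takes from the classification society's rules and passes in."""
from __future__ import annotations

from dataclasses import dataclass

MIN_AIR_CHANGES = 5        # furnace air changed at least five times during prepurge
MIN_PURGE_TIME_S = 15.0    # never less than fifteen seconds, whatever the calculation says
HARD_TFI_LIMIT_S = 15.0    # above this, do not ignite the burner until the time is adjusted


def required_purge_time_s(furnace_volume_m3: float, fan_capacity_m3_per_h: float) -> float:
    """Seconds for MIN_AIR_CHANGES furnace volumes at rated fan flow, floored at 15 s."""
    if furnace_volume_m3 <= 0 or fan_capacity_m3_per_h <= 0:
        raise ValueError("furnace volume and fan capacity must be positive")
    fan_m3_per_s = fan_capacity_m3_per_h / 3600.0
    return max(MIN_PURGE_TIME_S, MIN_AIR_CHANGES * furnace_volume_m3 / fan_m3_per_s)


@dataclass
class LightUpTest:
    furnace_volume_m3: float
    fan_capacity_m3_per_h: float
    measured_purge_s: float   # stopwatch: damper fully open -> damper starts to close
    measured_tfi_s: float     # stopwatch: fuel valves open -> valves close / flame-failure alarm
    class_max_tfi_s: float    # maximum trial-for-ignition time from the class rules


def evaluate_light_up_test(t: LightUpTest) -> list[str]:
    """Return findings for the timed sequence; an empty list means it passed."""
    findings = []
    needed = required_purge_time_s(t.furnace_volume_m3, t.fan_capacity_m3_per_h)
    if t.measured_purge_s < needed:
        findings.append(
            f"prepurge too short: {t.measured_purge_s:.1f} s measured, {needed:.1f} s needed"
        )
    if t.measured_tfi_s > HARD_TFI_LIMIT_S:
        findings.append(
            f"trial-for-ignition {t.measured_tfi_s:.1f} s exceeds {HARD_TFI_LIMIT_S:.0f} s: "
            "do not ignite until adjusted"
        )
    elif t.measured_tfi_s > t.class_max_tfi_s:
        findings.append(
            f"trial-for-ignition {t.measured_tfi_s:.1f} s exceeds class rule maximum "
            f"{t.class_max_tfi_s:.1f} s"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: 12 m3 furnace, 3600 m3/h fan, readings taken off the stopwatch.
    sample = LightUpTest(12.0, 3600.0, measured_purge_s=50.0, measured_tfi_s=8.0, class_max_tfi_s=5.0)
    for finding in evaluate_light_up_test(sample) or ["sequence passed"]:
        print(finding)
```

Note that the fifteen-second floor is applied inside `required_purge_time_s`, not left to the caller, and that a trial-for-ignition time above fifteen seconds produces the stronger "do not ignite" finding regardless of what class maximum was passed in.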
Some further checks to improve safety
1. The fuel oil flow during light-up must not exceed 20% of the full load flow, but in
burners with limited turndown ratio the burners minimum load has to be accepted.
2. A corrupt flow transmitter signal may cause severe problems; therefore:
   - When purging the furnace with air prior to light-up, the position of the
   combustion air damper should be confirmed by means of a limit switch rather
   than relying only on the air flow transmitter's signal.
   - At burner light-up the position of the fuel oil control valve and the combustion
   air damper should be confirmed by means of limit switches rather than relying
   only on the flow transmitters' signals. You should of course use the
   transmitters' signals, but they ought to be confirmed as reasonable by means
   of limit switches.
3. Direct the light from a flashlight onto the flame scanner sensors, when the burner is
off, to confirm that the auto-check-function works correctly and you get an alarm. If
you get any other action, such as opening of the fuel valves, then your system needs a
thorough improvement.
4. Using the igniter during the post-purge of the last burner's lance (or a single burner's
lance) has some disadvantages. Upon reset of the system after a flame failure, the
igniter will start firing before the furnace has been properly purged with air, which
creates an impending risk of furnace explosion. Consider the following:
   - A well-tried method is to purge the fuel line and the burner lance slowly to let
   the fuel continue to burn, without igniter support, until the lance is empty.
   - Not purging the burner lance at all is another method, but it requires standby heating of the tubing and the lance to keep the fuel sufficiently heated to be
   - Whatever you do, make sure that the igniter under no circumstances starts
   before the furnace has been properly purged with air.
Back to the question in the headline: is an automatically controlled boiler an explosion risk?
In automatic mode and properly adjusted:
In manual mode, skillfully operated:
In automatic mode and not properly
In manual mode, not skillfully operated:


Fail-safe systems
Any predictable failure must result in a safe situation.
How to make a control loop fail-safe
Example: A simple control loop for pressure control of a steam boiler with one oil fired

Control Valve: an electro-pneumatic control valve for the fuel oil to the burner
should close upon control air failure as well as on a missing current signal.
Pressure Transmitter: the pressure transmitter normally has a direct output signal,
that is, the signal increases with rising pressure. Normally the current signal will never
be lower than 4 mA, but if it does drop below 4 mA, the controller should immediately close the burner's
fuel oil control valve.
Controller: any internal fault in the controller must initiate closing of the fuel oil
control valve.
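The three fail-safe properties above (valve closes on lost air or lost signal, a transmitter current below the 4 mA live zero is treated as a fault, any controller fault closes the valve) can be modelled together in a short control-loop simulation. The following is an added example and not the article's own design; it assumes a 4-20 mA transmitter and valve signal, a plain proportional controller, and a 0.5 mA over-range margin above 20 mA that is my own choice rather than something the text specifies.

```python
"""Fail-safe pressure control loop: added example, not from the article.
Assumed: a 4-20 mA transmitter with live zero, a de-energize-to-close valve
driven by a 4-20 mA signal, a proportional controller, and a 0.5 mA
over-range margin (my choice, not from the text)."""
from __future__ import annotations

from dataclasses import dataclass

LIVE_ZERO_MA = 4.0
FULL_SCALE_MA = 20.0
SPAN_MA = FULL_SCALE_MA - LIVE_ZERO_MA
OVER_RANGE_MARGIN_MA = 0.5   # assumed tolerance above 20 mA before declaring a fault


class SignalFault(Exception):
    """Transmitter current outside the live 4-20 mA range."""


@dataclass
class PressureTransmitter:
    range_bar: float   # pressure represented by 20 mA

    def pressure_from_ma(self, current_ma: float) -> float:
        # Direct output: current rises with pressure. Anything below 4 mA means a
        # broken loop or a dead transmitter, so the value must not be used.
        if current_ma < LIVE_ZERO_MA:
            raise SignalFault(f"{current_ma:.2f} mA is below live zero")
        if current_ma > FULL_SCALE_MA + OVER_RANGE_MARGIN_MA:
            raise SignalFault(f"{current_ma:.2f} mA is over range")
        return (current_ma - LIVE_ZERO_MA) / SPAN_MA * self.range_bar


@dataclass
class FuelOilValve:
    control_air_ok: bool = True
    demand_ma: float = 0.0     # no current signal until the controller drives it

    @property
    def opening(self) -> float:
        """0.0 = closed, 1.0 = fully open. Lost control air or lost current => closed."""
        if not self.control_air_ok or self.demand_ma < LIVE_ZERO_MA:
            return 0.0
        return min(1.0, (self.demand_ma - LIVE_ZERO_MA) / SPAN_MA)

    def close(self) -> None:
        self.demand_ma = 0.0   # drop the current signal; the valve springs shut


@dataclass
class PressureController:
    setpoint_bar: float
    gain_per_bar: float        # proportional gain: valve fraction per bar of error
    pt: PressureTransmitter
    valve: FuelOilValve
    tripped: bool = False

    def step(self, pt_current_ma: float) -> float:
        """One control cycle; returns the resulting valve opening.
        A bad signal or any internal fault closes the valve and latches a trip."""
        if self.tripped:
            self.valve.close()
            return self.valve.opening
        try:
            pressure = self.pt.pressure_from_ma(pt_current_ma)
            demand = max(0.0, min(1.0, self.gain_per_bar * (self.setpoint_bar - pressure)))
            self.valve.demand_ma = LIVE_ZERO_MA + demand * SPAN_MA
        except Exception:      # SignalFault, or an unexpected internal controller error
            self.tripped = True
            self.valve.close()
        return self.valve.opening
```

The trip is latched: once the loop has seen a signal below live zero it keeps the valve closed even if the current later returns, so the cause has to be found and the controller reset deliberately rather than the burner relighting by itself.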
How to make a relay fail-safe

A relay is almost fail-safe, since it is very likely to break the circuit
when it is malfunctioning. However, using two relays will increase
the reliability considerably. This can be done in different ways. One
method is to wire the relays, A and B, as shown in the picture.
The system cannot be reset unless the pressure switch (PS) makes and
both relays work correctly, but the circuit between terminal 1 and 2
will break when PS breaks even if only one relay works correctly.
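Since the picture is not reproduced here, the following added example models the behaviour the text describes rather than the article's actual drawing. The wiring it assumes is my own: both coils are fed through PS, each relay seals itself in through one of its own contacts, and a second contact of each relay is wired in series between terminals 1 and 2. Two failure modes are modelled: a coil that cannot pick up, and a contact welded closed.

```python
"""Behavioural model of a two-relay interlock: added example, not the
article's drawing. Assumed wiring: both coils fed through the pressure
switch PS, each relay sealed in through its own contact, and a second
contact of each relay in series between terminals 1 and 2."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Relay:
    coil_ok: bool = True            # False: coil open, the relay can never pick up
    contact_welded: bool = False    # True: contact stays closed even when de-energised
    energized: bool = False

    def drive(self, coil_powered: bool) -> None:
        self.energized = coil_powered and self.coil_ok

    @property
    def contact_closed(self) -> bool:
        return self.energized or self.contact_welded


class TwoRelayInterlock:
    def __init__(self, a: Relay, b: Relay) -> None:
        self.a, self.b = a, b
        self.ps_made = False

    def output_1_2_closed(self) -> bool:
        """Series contacts: either relay dropping out breaks terminal 1 to 2."""
        return self.a.contact_closed and self.b.contact_closed

    def reset(self, ps_made: bool) -> bool:
        """Momentary reset push: both coils are powered directly through PS.
        Returns True only if PS is made and both relays actually pick up."""
        self.ps_made = ps_made
        for relay in (self.a, self.b):
            relay.drive(ps_made)
        return self.output_1_2_closed()

    def update(self, ps_made: bool) -> bool:
        """Steady state after the reset push is released: each coil is held
        only through PS and its own seal-in contact."""
        self.ps_made = ps_made
        for relay in (self.a, self.b):
            relay.drive(ps_made and relay.contact_closed)
        return self.output_1_2_closed()
```

Running the model shows the two properties from the text: a relay with a dead coil prevents the reset, and a relay with a welded contact is covered by the other one opening when PS breaks. It also shows the scheme's limit: a welded contact is invisible until PS actually breaks, and two welded contacts would defeat it, which is why such relays are checked periodically rather than trusted indefinitely.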

How to make a computerized control system fail-safe

An output from a computer will become either high or low when it fails. There are some
methods of using the computer to check its own outputs. Feeding an output signal back to an
input enables the computer to check whether the output is what it is supposed to be, but the
system as a whole will not be fail-safe: the CPU or any other vital part might break down, and
then the checking of the outputs is out of order too.
The only way to make a computer system fail-safe is to use another computer to check all the
functions. It is, of course, possible to check all the functions by means of hard wiring and
relays, but who wants to do that?
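The two ideas above, output read-back and an independent checking computer, fit in one small simulation. This is an added example, not code from the article; it assumes a single digital output (fuel permitted) wired back to an input of the primary controller and, on a second wire, to an input of the supervisor, a heartbeat counter in the primary's status message, and a separate trip output owned by the supervisor. The message field names are my own.

```python
"""Output read-back plus an independent checking computer: added example,
not from the article. Assumed: one digital output wired back to the primary
and to the supervisor, a heartbeat counter in the status message, and a
supervisor-owned trip output. Field names are my own."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class IoModule:
    fuel_cmd: bool = False              # what the primary commanded
    fuel_fb: bool = False               # what the feedback input actually reads
    stuck_at: Optional[bool] = None     # simulated hardware fault: output stuck high/low

    def write(self, cmd: bool) -> None:
        self.fuel_cmd = cmd
        self.fuel_fb = cmd if self.stuck_at is None else self.stuck_at


class PrimaryController:
    """Controls fuel and checks its own output through the read-back input."""

    def __init__(self, io: IoModule) -> None:
        self.io = io
        self.heartbeat = 0
        self.alive = True               # False simulates a dead CPU

    def cycle(self, want_fuel: bool) -> Optional[dict]:
        if not self.alive:
            return None                 # nothing published: no status, no heartbeat
        self.io.write(want_fuel)
        self.heartbeat += 1
        return {
            "heartbeat": self.heartbeat,
            "fuel_cmd": self.io.fuel_cmd,
            "readback_ok": self.io.fuel_fb == self.io.fuel_cmd,
        }


class Supervisor:
    """Second computer. Trips fuel when the primary stops sending a fresh
    heartbeat, reports a read-back mismatch, or its commanded state disagrees
    with the valve state the supervisor reads on its own input."""

    def __init__(self, max_missed: int = 2) -> None:
        self.max_missed = max_missed
        self.last_heartbeat: Optional[int] = None
        self.missed = 0
        self.tripped = False

    def check(self, status: Optional[dict], fuel_fb_seen: bool) -> bool:
        """Returns True while fuel remains permitted, False once tripped (latched)."""
        if self.tripped:
            return False
        stale = status is None or status.get("heartbeat") is None or (
            self.last_heartbeat is not None and status["heartbeat"] <= self.last_heartbeat
        )
        if stale:
            self.missed += 1            # missing or repeated heartbeat: primary may be dead
            if self.missed >= self.max_missed:
                self.tripped = True
            return not self.tripped
        self.missed = 0
        self.last_heartbeat = status["heartbeat"]
        if not status.get("readback_ok", False) or status.get("fuel_cmd") != fuel_fb_seen:
            self.tripped = True         # primary's own check failed, or its view is wrong
        return not self.tripped
```

The point the text makes is visible in the structure: the primary's read-back catches a stuck output only while the primary itself is running, whereas the supervisor's heartbeat check catches the case where the primary has stopped altogether, and its own feedback input means it does not have to take the primary's word for the valve state.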