AN9003 - A Users Guide
to Intrinsic Safety
Reasons for selecting
the Intrinsically
Safe Concept
1.1 Introduction
Intrinsic safety (IS) is a low-energy signalling technique that
prevents explosions from occurring by ensuring that the energy
transferred to a hazardous area is well below the energy required
to initiate an explosion.
The energy levels made available for signalling are small
but useable and more than adequate for the majority of
instrumentation systems.
The two mechanisms being considered that could initiate an
explosion are:
	
	 • A spark
	 • A hot surface
1.2 The advantages of intrinsic safety
The major advantage of intrinsic safety is that it provides a solution
to all the problems of hazardous areas (for equipment requiring
limited power) and is the only technique which meets this criterion.
The significant factors are as follows:
a) The IS technique is accepted throughout the world. There is
an increasing acceptance of international certificates issued
under the IEC Ex scheme but this has some way to go. Intrinsic
safety is an acceptable technique in all local legislation such
as the ATEX Directives and OSHA. The relevant standards and
code of practice give detailed guidance on the design and use
of intrinsically safe equipment to a level which is not achieved
by any of the other methods of protection.
b) The same IS equipment usually satisfies the requirements for
both dust and gas hazards.
c) Appropriate intrinsically safe apparatus can be used in all
zones. In particular, it is the only solution that has a satisfactory
history of safety for Zone 0 instrumentation. The use of levels of
protection (‘ia’, ‘ib’ and ‘ic’) ensures that equipment suitable for
each level of risk is available (normally ‘ia’ is used in Zone 0, ‘ib’
in Zone 1 and ‘ic’ in Zone 2).
d) Intrinsically safe apparatus and systems are usually allocated
a group IIC gas classification which ensures that the equipment
is compatible with all gas/air mixtures. Occasionally, IIB
systems are used, as this permits a higher power level to be
used. (However, IIB systems are not compatible with acetylene,
hydrogen and carbon disulfide.)
e) A temperature classification of T4 (135°C) is normally
achieved, which satisfies the requirement for all industrial gases
except carbon disulfide (CS2) which, fortunately, is rarely used.
f) Frequently, apparatus, and the system in which it is used, can
be made ‘ia IIC T4’ at an acceptable cost. This removes concerns
about area classification, gas grouping and temperature
classification in almost all circumstances and becomes the
universal safe solution.
Why choose intrinsic safety?
g) The ‘simple apparatus’ concept allows many simple pieces of
apparatus, such as switches, thermocouples, RTDs and junction
boxes, to be used in intrinsically safe systems without the need
for certification. This gives a significant amount of flexibility in
the choice of these ancillaries.
h) The intrinsic safety technique is the only technique that
permits live maintenance within the hazardous area without the
need to obtain ‘gas clearance’ certificates. This is particularly
important for instrumentation, since fault-finding on de-
energised equipment is difficult.
i) The installation and maintenance requirements for intrinsically
safe apparatus are well documented, and consistent regardless
of level of protection. This reduces the amount of training
required and decreases the possibility of dangerous mistakes.
j) Intrinsic safety permits the use of conventional instrumentation
cables, thus reducing costs. Cable capacitance and inductance
are often perceived as a problem but, in fact, they are only a problem
on cables longer than 400 metres, in systems installed in Zones
0 and 1, where IIC gases (hydrogen) are the source of risk.
This is comparatively rare and, in most circumstances, cable
parameters are not a problem.
Figure 1.1 - Available power curves
1.3 Available power
Intrinsic safety is fundamentally a low energy technique and
consequently the voltage, current and power available are
restricted. Figure 1.1 is a simplified illustration of the available
power in intrinsically safe circuits and attempts to demonstrate
the type of electrical installation in which the intrinsically safe
technique is applicable.
The blue and green curves are the accepted design curves used
to avoid spark ignition by resistive limited circuits in Group IIC and
IIB gases. The ‘ic’ curves are less sensitive because they do not
require the application of a safety factor in the same way as for
‘ia’ and ‘ib’ equipment. In general the maximum voltage available
is set by cable capacitance (400 metres corresponds to 80nF
which has a permissible voltage of 29V in ‘IIC ia’ circuits) and the
maximum current by cable inductance (400 metres corresponds
to 400µH which has a permissible current of 300 mA in IIC ia
circuits). A frequently used limitation on power is 1.3W, which
easily permits a T4 (135°C) temperature classification. These
limits are all shown in Figure 1.1.
A simple approach is to say that if the apparatus can be operated
from a source of power whose output parameters are within the
(blue) hatched area then it can readily be made intrinsically safe
to ‘IIC ia T4’ standards. If the parameters exceed these limits to
a limited degree then it can probably be made intrinsically safe to
IIB or ‘ic’ requirements.
The first choice, however, is always to choose ‘IIC ia T4’ equipment,
if it provides adequate power and is an economic choice, as this
equipment can be used in all circumstances (except if carbon
disulfide (CS2) is the hazardous gas, in which case there are
other problems).
In practice almost all low voltage instrumentation can be made
‘IIB ic T4’ as the limits are set by the least sensitive of the
ignition curves in Figure 1.1 (typically 24V 500 mA). The ‘IIB ic’
specification does restrict application to Zone 2 and where the
hazardous gas is not hydrogen, acetylene or carbon disulfide but
is still applicable to a large range of installations.
1.4 Conclusion
Intrinsic safety is the natural choice for all low voltage
instrumentation problems. Adequate solutions exist which are
compatible with all gases and area classifications. The technique
prevents explosions rather than containing them, which must be
preferable, and the ‘live maintenance’ facility enables conventional
instrument practice to be used.
2.1 Definition of Intrinsic Safety
The definition of intrinsic safety used in the relevant IEC
apparatus standard IEC 60079-11 is a ‘type of protection based
on the restriction of electrical energy within apparatus and of
interconnecting wiring exposed to the potentially explosive
atmosphere to a level below that which can cause ignition by
either sparking or heating effects’. This is a concise statement of
intent to introduce a multi-faceted subject.
2.2 Typical intrinsically safe system
Figure 2.1 illustrates a typical intrinsically safe (IS) system where
the safe performance of each piece of apparatus is dependent
on the integrity of all the equipment in the system. For example,
the safety of the Temperature Transmitter (Tx) depends upon the
amount of energy supplied by the IS Interface.
In most process control applications, each piece of apparatus in
a system is individually certified. A document that confirms the safety
of the whole system is then produced using the information from
the individual apparatus certificates, in accordance with the system
standard IEC 60079-25. This system document also includes details
of cable types and simple apparatus used in the system.
It is important to recognise that where pieces of intrinsically
safe apparatus are interconnected, it is the safety of the system
that must be established. There are however some examples of
apparatus which stand alone, such as mobile radios and portable
gas detectors, where the system approach is not relevant.
2.3 Levels of protection
Intrinsic safety utilises three levels of protection, ‘ia’, ‘ib’ and
‘ic’ which attempt to balance the probability of an explosive
atmosphere being present against the probability of an ignition
capable situation occurring.
An Introduction to Intrinsic Safety
‘ia’
This offers the highest level of protection and is generally considered
as being adequately safe for use in the most hazardous locations
(Zone 0) because the possibility of two ‘faults’ (see opposite) and a
factor of safety of 1.5 is considered in the assessment of safety.
‘ib’
‘ib’ apparatus, which is adequately safe with one fault and a
factor of safety of 1.5 is considered safe for use in less frequently
hazardous areas (Zone 1).
‘ic’
‘ic’ apparatus which is assessed in ‘normal operation’ with a unity
factor of safety is generally acceptable in infrequently hazardous
areas (Zone 2). The ‘ic’ concept is relatively new (2005) and will
replace the ‘energy-limited’ (nL) of the type ‘n’ standard IEC
60079-15 and possibly the ‘non-incendive’ concept of North
American standards.
It is usual for a system to be allocated a level of protection as a
whole, depending on the level of protection of the apparatus in
the system. However it is possible for different parts of a system
to have different levels of protection where suitable segregation
exists. This must be made clear in the system documentation.
Figure 2.1 - Typical IS system
Table 2.1 shows a representative gas for each group and the minimum
energy required to ignite it. IIC is clearly the most sensitive. Apparatus
can be designed to be acceptably safe in any of these groups.
Usually apparatus is designed to be safe in IIC, because it can then
be used in any gas atmosphere. Sometimes a IIB classification is
used as this permits slightly higher powers to be available. Only
very rarely however is apparatus designed for the IIA classification
because this restricts its use to this group alone.
Apparatus is usually assessed using the curves and tables included
in the apparatus standard which lists acceptable levels of current
and voltage. More complex circuits are checked with ‘spark test’
apparatus; normally the preserve of certifying authorities.
2.8 Temperature classification
The second method of causing an explosion is normally considered
to be ignition by a hot surface. When a gas is heated above its
ignition temperature it may spontaneously ignite. The ignition
temperature varies with the gas and is not correlated to ignition
energy. Consequently, when selecting apparatus, both properties
of the explosive gas have to be considered.
Apparatus is classified into temperature (‘T’) classes depending on
its maximum permitted surface temperature.
Table 2.2 The ‘T’ classes
The standard enables almost all apparatus, dissipating not more than
1.3W, to be allocated a temperature classification of T4 (135°C). Almost
all intrinsically safe field mounted apparatus meets the requirements
of T4 temperature classification, which permits its use in all industrial
gas atmospheres except in those comprising carbon disulfide (CS2)
and air. These require a T6 classification, which is difficult to achieve
at high ambient temperatures. There are also toxicity problems
associated with carbon disulfide.
The other temperature that needs to be considered for each piece of
apparatus is its ambient temperature rating, which does directly affect
the safety of the apparatus in several ways.
Apparatus normally mounted in the safe area but which affects
the safety of the intrinsically safe system (such as the intrinsically
safe interface in Figure 2.1) is called ‘associated apparatus’. Such
apparatus does not need to be temperature classified but must be
used within its specified ambient temperature range.
2.4 Faults
If a fault can adversely affect the safety of the equipment it is
called a ‘countable’ fault. The situation is further complicated
because the apparatus standard permits some specially designed
components to be regarded as infallible and some inadequately
designed features to be failed in normal operation. Consequently
there are faults that are not considered to happen, faults which
are counted, and faults which are imposed but not counted.
One of the major advantages of intrinsic safety is that ‘live
maintenance’ on equipment is permitted without the necessity of
obtaining ‘gas clearance’ certificates. A consequence of this is that
during the safety analysis the possibility of open circuiting and
short-circuiting any field wiring is regarded as normal operation.
Fortunately understanding the apparatus standard and faults is
only necessary for apparatus designers and certifying authorities.
The apparatus certificates remove the necessity to consider faults,
except for field wiring faults, in system design.
2.5 Simple apparatus
In general, intrinsically safe apparatus is certified; usually by an
independent body such as an Accredited Certification Body (ACB)
under the IEC Ex scheme. Self-certification by the manufacturer of
‘ic’ equipment is also quite commonly accepted.
The exception to the rule is ‘simple apparatus’, which is considered
not to appreciably affect the intrinsic safety of the system. This
apparatus is exempted from the requirement for certification. The
simple requirements are clearly specified in the apparatus standard.
‘Simple apparatus’ should always be readily demonstrable to be
adequately safe. The usual examples are switches, thermocouples,
RTDs and junction boxes.
2.6 Cables
Because cables have inductance and capacitance, and hence
energy storage capabilities, they can affect system safety.
Consequently the system design imposes restrictions on the
amount of each of these parameters. A great deal has been written
on this subject but only rarely is there a serious limitation placed
on the available cable.
As cable faults are taken into account during the system analysis,
the type of cable in individual installations is not closely specified
in the system standard. The choice is therefore determined by the
need for reliable system operation.
Where intrinsically safe systems are combined in a multi-core,
then there are special requirements. These determine which
additional faults have to be considered.
2.7 Gas classification
The amount of energy required to ignite a particular gas/air mixture
varies for each gas. Industrial gases capable of being ignited are
divided, in the UK, into three classes, IIA, IIB and IIC.
Typical Gas 	 Gas Group 	 Ignition energy
Methane	 IIA 	 160µJ
Ethylene 	 IIB 	 80µJ
Hydrogen 	 IIC 	 20µJ
Table 2.1: Typical gases, their classification & ignition energies
T1 	 T2 	 T3 	 T4 	 T5 	 T6
450°C 	 300°C 	 200°C 	 135°C 	 100°C 	 80°C
2.9 Categories and equipment safety levels
When the European Directive (ATEX) for apparatus for use in
hazardous areas (94/9/EC) was created, it introduced the concept
of categories, which was intended to clarify the Zone(s) in which
apparatus could safely be used. Unfortunately, and for nothing more
than pedantic reasons, it was decided that a category 0 would not
be used and the result was the confusing situation illustrated in
Table 2.3, where the category and Zone numbers differ.
More recently (2004) the IEC took up the concept of identifying the
level of protection offered by a piece of apparatus and also paid
a little more attention to risk analysis as a method of determining
the acceptable use of equipment. The result was the creation of
equipment protection levels (EPLs), which are similar to ATEX
categories but have numbers that align with their normal Zones
of use.
In practice both categories and EPLs align with the levels of
protection ‘ia’, ‘ib’ and ‘ic’ as indicated in Table 2.3 and, as far
as intrinsic safety is concerned, they can largely be ignored, as
the level of protection is already defined as ‘ia’, ‘ib’ or ‘ic’. They
do however appear on apparatus marking and certificates and
consequently need to be explained.
2.10 Summary
Intrinsic safety offers an acceptable level of safety in all hazardous
locations. Arguably it is safer and less prone to accidental errors
than other methods of protection. This combined with its flexible
use of available apparatus and the ability to do ‘live working’
means that it is the natural choice for instrumentation systems
in hazardous areas. For example it is the only technique which is
readily applicable to Zone 0 locations.
The introduction of the ‘ic’ concept completes the picture. The
essential requirements of an intrinsically safe system are:
• The system must work.
• The apparatus in the system must be ‘certified’ or ‘simple’.
• The compatibility of the apparatus must be established.
• The level of protection of the system established.
• The temperature classification and ambient temperature
rating of each piece of apparatus established.
• The requirements of the cable established.
Level of Protection 	 Countable Faults 	 ATEX Category 	 IEC EPL 	 Normal Zone of Use
ia 	 2	 1 	 0 	 0
ib 	 1 	 2 	 1 	 1
ic 	 0 	 3 	 2 	 2
Table 2.3 Relationships between different methods of assessing safety levels
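The following Python sketch is an added example, not part of the original application note or of any MTL tool. It combines Tables 2.1, 2.2 and 2.3 into a check of an apparatus marking against a location's zone, gas group and required T class. The function names, the free-order marking format and the weakest-link rule in `system_marking` are assumptions of this example.

```python
from dataclasses import dataclass

# Table 2.3: level of protection -> countable faults, ATEX category,
# IEC EPL and normal zone of use.
LEVELS = {
    "ia": {"faults": 2, "atex_category": 1, "epl": 0, "zone": 0},
    "ib": {"faults": 1, "atex_category": 2, "epl": 1, "zone": 1},
    "ic": {"faults": 0, "atex_category": 3, "epl": 2, "zone": 2},
}
# Table 2.1 gas groups, ordered from highest to lowest ignition energy,
# so apparatus for a later group also covers every earlier group.
GAS_GROUPS = ("IIA", "IIB", "IIC")
# Table 2.2: maximum permitted surface temperature per T class (deg C).
T_CLASS_MAX_C = {"T1": 450, "T2": 300, "T3": 200,
                 "T4": 135, "T5": 100, "T6": 80}


@dataclass(frozen=True)
class Marking:
    level: str
    gas_group: str
    t_class: str


def parse_marking(text):
    """Parse 'ia IIC T4' or 'IIC ia T4'; the note writes both orders."""
    found = {}
    for token in text.split():
        if token.lower() in LEVELS:
            field, value = "level", token.lower()
        elif token.upper() in GAS_GROUPS:
            field, value = "gas_group", token.upper()
        elif token.upper() in T_CLASS_MAX_C:
            field, value = "t_class", token.upper()
        else:
            raise ValueError(f"unrecognised token {token!r} in {text!r}")
        if field in found:
            raise ValueError(f"{field} given twice in {text!r}")
        found[field] = value
    missing = {"level", "gas_group", "t_class"} - found.keys()
    if missing:
        raise ValueError(f"{text!r} lacks {sorted(missing)}")
    return Marking(**found)


def check_location(marking, zone, gas_group, t_class):
    """Return the reasons the apparatus is unsuitable; empty means suitable."""
    problems = []
    normal_zone = LEVELS[marking.level]["zone"]
    if normal_zone > zone:
        problems.append(f"level '{marking.level}' is for Zone {normal_zone}, "
                        f"location is Zone {zone}")
    if GAS_GROUPS.index(marking.gas_group) < GAS_GROUPS.index(gas_group):
        problems.append(f"group {marking.gas_group} apparatus does not "
                        f"cover {gas_group} gases")
    if T_CLASS_MAX_C[marking.t_class] > T_CLASS_MAX_C[t_class]:
        problems.append(f"{marking.t_class} allows "
                        f"{T_CLASS_MAX_C[marking.t_class]} deg C, location "
                        f"needs {t_class} ({T_CLASS_MAX_C[t_class]} deg C)")
    return problems


def system_marking(markings):
    """Level and gas group of a system of interconnected apparatus.

    Assumption of this example: without segregation, the system takes the
    least protective level and the least capable gas group found in it.
    Temperature class stays a property of each piece of apparatus.
    """
    parsed = [parse_marking(m) for m in markings]
    level = max((p.level for p in parsed), key=lambda lv: LEVELS[lv]["zone"])
    gas = min((p.gas_group for p in parsed), key=GAS_GROUPS.index)
    return level, gas


if __name__ == "__main__":
    # Constructed cases: hydrogen in Zone 0, then a Zone 1 location needing T6.
    print(check_location(parse_marking("ia IIC T4"), 0, "IIC", "T4"))
    for reason in check_location(parse_marking("IIB ic T4"), 1, "IIC", "T6"):
        print("unsuitable:", reason)
    print(system_marking(["ia IIC T4", "ib IIB T4"]))
```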
3.1 General
The long term continued safety of an intrinsically safe system
depends on adequate inspection and maintenance. The relevant
IEC standard is IEC 60079-17, which deals comprehensively
with all methods of protection. Where installations are required
to comply with the European ‘user’ Directive 1999/92/EC a
documented inspection procedure becomes a part of the required
risk analysis.
Any work on a hazardous plant needs to take into account overall
plant safety. Consequently it is necessary to comply with the safety
practices of the particular installation (for example work permits),
even though the risk of ignition from the intrinsically safe circuits is
minimal, and gas clearance certificates are not necessary. In some
ways this is even more important in the pre-commissioning stage.
If there are significant changes in the plant operation, which for
example modify the area classification then the safety analysis
must be reviewed, the documentation modified, and possibly the
inspection procedure changed and/or repeated.
The procedure places the onus for ensuring that the equipment used
is suitable for its location on the creator of the installation drawing.
The nature of an inspection depends on how well the installation
drawing, which changes the system design drawing into a drawing
specific to a particular installation, has been carried out.
If the documentation is inadequate then any inspection can only be
carried out by someone with detailed knowledge of the plant and
exceptional expertise in hazardous area practice. Because such a
person rarely exists, this analysis assumes that the documentation
is adequate, and uses Figure 3.1 to illustrate the process.
If the person doing an inspection does not understand some aspect
of the drawing, or believes it could be wrong, then they should be
encouraged to question the document. IEC 60079-17 requires the
identification of ‘a technical person with executive function’ to be
responsible for inspection related matters in each installation. This
person should be known to the technician doing the inspection,
and should be available and able to answer questions.
Installation & Inspection of IS apparatus - An introduction
The installation drawing should take into account what can be
checked on the installation. For example, quoting permissible
capacitance and inductance for a cable is not useful, because
although it is possible to check these parameters, it is not easy to do
so. Stating an acceptable type and length is much more useful.
The use of information available from ‘intelligent’ instruments can
considerably reduce the routine inspection considered necessary
on an intrinsically safe system. The use of this intelligence to
reduce the inspection requirement is recognised in IEC 60079-17
clause 5.3.1 but not discussed in detail.
The ability to identify a specific field instrument from the safe
area, without having to go and read the label on the instrument,
is a significant advantage. Almost all of the digital, “intelligent”
instruments (HART, Foundation Fieldbus, etc.) enable the serial number
of an instrument to be read remotely. The computer record can then
be used to confirm that it is the specified instrument, thus ensuring it
satisfies all the requirements of the particular installation.
This type of check can be done at frequent intervals without
interfering with operational requirements. The inspection of an
instrument is then reduced to looking for mechanical damage or
excessive corrosion which is comparatively easy and significantly
less tedious.
Figure 3.1 - Typical installation drawing for IS system
A remote check that the instrument is functioning correctly does
not necessarily ensure that it is still safe but it does confirm that it
has not been significantly damaged and is probably still safe.
This does imply that any malfunction should be quickly corrected
or the defective equipment removed or at least made safe. A
frequent check on functionality is a significant factor in further
reducing the risk associated with any hazardous area apparatus.
How far this type of automatic inspection can simplify the inspection
procedure is a decision for the end-user. But it is arguably a more
reliable technique than manual inspection and simplifies the
recording of the process. A relatively simple computer system
can give ready access to the relevant installation and system
drawings, which may be required if further investigation is thought
to be necessary.
Some users may consider it desirable to do an occasional
thorough spot check as reassurance that the system is functioning
but this is a counsel of perfection. These techniques, combined
with the availability of certificates and manuals on manufacturers’
web sites, can lead to safer installations and a reduction in the
bureaucratic load created by safety legislation.
3.2 Initial inspection
An initial inspection to ensure that the installation complies with
the installation drawing is critical. Where an adequate drawing
such as Figure 3.1 exists, the initial inspection should ensure that
the actual installation conforms to the drawing.
Usually this involves checking each individual loop stage by stage,
which involves a good deal of opening enclosures and clambering
over structures. Where the technician involved is suitably qualified
this inspection can be combined with the operational checks.
However some organisations separate the two requirements,
preferring ‘independent’ safety inspections.
This separation of functions is not conducive to shortening start
up times. Frequently the initial inspection demonstrates the
inadequacy of plant labelling, and the opportunity to improve this
feature should not be missed.
3.3 Periodic inspections
The objective of periodic inspections is to ensure the system has
not appreciably deteriorated and has not been modified in an
unauthorised way. The required frequency of periodic inspections
is influenced by many factors, such as the immediate environment,
the presence of corrosive atmospheres and the susceptibility to
mechanical damage. A usual starting point is to consider a three-
year cycle, inspecting a third of the apparatus every year. If the
inspection shows widespread deterioration then the inspection
period should be shortened and remedial action taken.
Establishing that the intended apparatus is still in place is relatively
easy providing that the apparatus has a unique identity.
Usually the manufacturer’s type number is adequate. Much has
been written about checking the marking on the labels but, except
as an intellectual exercise, there is little point. Providing that the
inspector is convinced that the apparatus is the intended apparatus
then he has fulfilled his function. He should be encouraged
to ask questions if he is unhappy about the apparatus or if the
circumstances of use have changed but fundamentally it is not
reasonable to expect a detailed analysis of every loop.
It is usually worth creating separate drawings of such things as
interface cabinets and junction boxes so that they can be readily
checked for any sign of unauthorised modification. Similarly, preparing
short lists of field equipment grouped in a particular area with their
essential points of inspection can shorten the time required.
Most modern (smart) instruments can be identified from the safe
area computer. It is relatively simple for the computer to check that
the field instrument is unchanged and raise a flag if it is changed.
This can be done frequently. The periodic inspection for that
apparatus is then reduced to checking for deterioration.
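The remote identity check described here and in section 3.1 can be sketched as follows. This is an added Python example, not code from the application note or from any instrument vendor. The tag names, type numbers and serial numbers are constructed, the readings are supplied as plain data rather than fetched over HART or Fieldbus, and the finding labels and the rule that flagged instruments are investigated first are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    type_number: str   # manufacturer's type number
    serial: str        # serial number read remotely from the instrument


def verify_instruments(drawing, readings):
    """Compare remotely read identities with the installation record.

    drawing:  tag -> Identity expected from the installation drawing
    readings: tag -> Identity read from the safe area, or None if no reply
    Returns tag -> finding.
    """
    findings = {}
    for tag, expected in drawing.items():
        seen = readings.get(tag)
        if seen is None:
            findings[tag] = "no-response"
        elif seen.type_number != expected.type_number:
            # A different type of apparatus: the safety documentation
            # no longer describes what is installed.
            findings[tag] = "type-changed"
        elif seen.serial != expected.serial:
            # Same type, different unit: a replacement that was not recorded.
            findings[tag] = "serial-changed"
        else:
            findings[tag] = "unchanged"
    for tag in readings.keys() - drawing.keys():
        findings[tag] = "not-on-drawing"
    return findings


def inspection_plan(findings, cycle_years=3):
    """Split instruments into flagged ones and a rolling inspection cycle.

    Unchanged instruments only need the check for deterioration, spread so
    that a third is visited each year of a three-year cycle.
    """
    flagged = sorted(t for t, f in findings.items() if f != "unchanged")
    routine = sorted(t for t, f in findings.items() if f == "unchanged")
    years = [routine[i::cycle_years] for i in range(cycle_years)]
    return flagged, years


# Constructed installation record and constructed remote readings.
DRAWING = {
    "TT-101": Identity("TYPE-A", "SN0001"),
    "PT-102": Identity("TYPE-B", "SN0002"),
    "FT-103": Identity("TYPE-C", "SN0003"),
    "LT-104": Identity("TYPE-D", "SN0004"),
    "TT-105": Identity("TYPE-A", "SN0005"),
    "PT-106": Identity("TYPE-B", "SN0006"),
    "FT-107": Identity("TYPE-C", "SN0007"),
}
READINGS = dict(DRAWING)
READINGS["PT-102"] = Identity("TYPE-B", "SN9999")   # swapped like for like
READINGS["FT-103"] = Identity("TYPE-X", "SN0003")   # different apparatus
READINGS["LT-104"] = None                           # did not answer
READINGS["XX-999"] = Identity("TYPE-A", "SN0100")   # not on any drawing

if __name__ == "__main__":
    result = verify_instruments(DRAWING, READINGS)
    flagged, years = inspection_plan(result)
    for tag in flagged:
        print(f"FLAG {tag}: {result[tag]}")
    for n, tags in enumerate(years, start=1):
        print(f"year {n} deterioration check: {', '.join(tags)}")
```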
There is a strong link between the need for periodic inspections
for operational and safety reasons and it is usual to combine the
requirements. For example, the short piece of field wiring used for
the final connection to the instrument is often prone to mechanical
damage and consequently is usually included in the inspection
procedure even though its open or short-circuit failure would not
create an incendive spark.
The check for mechanical deterioration is usually a quick check
for corrosion, impact damage, efficiency of seals, security of
mounting and adequacy of cable glands. Some judgement on
the need for repair or replacement is required, and the need for
operational reliability usually determines the necessary action.
There is however no substitute for a well-trained technician with
the right attitude.
3.4 Testing of apparatus
Sometimes it is suggested that apparatus should be removed
for periodic testing. In practice, if an intrinsically safe loop is
functional then it is very unlikely to have failed in a dangerous
mode. Components critical to safety are derated, so the probability
of external circumstances causing them to fail without causing a
malfunction is small.
There is a bigger risk that a mistake could be made during the
removal and replacement of the apparatus being tested. The
argument for not interfering with a system, which has survived the
initial inspection and is still functional, is very powerful.
A particular case sometimes cited is regarding shunt-diode safety
barriers. Failure rate statistics can always be questioned, but the
undetected failure rate to danger of a barrier (i.e. the shunt diodes
not failing to an open circuit condition) can be readily demonstrated
to be better than 10⁻¹⁰/annum. With this probability of failure
they should remain untouched forever. If they are removed for any
other reason a simple continuity check has some merit.
If a malfunction does occur, there is a risk that safety components
could also have been damaged and power to the system should be
removed as a precaution.
A repair should be carried out as quickly as possible. Apparatus or
wiring which remains damaged or is not in use for a considerable
time, should be removed from the hazardous area as it represents
an unnecessary risk.
3.5 Testing of earth connections
It is always difficult to balance the traditional methods of testing
earth connections with the need to ensure that an unacceptable
risk to the plant is not introduced. Injecting significant voltages and
currents into ill-defined circuits is not compatible with avoiding
unnecessary risks.
In almost all intrinsically safe installations cable screens contribute
to system safety and need to be earthed. In some apparatus such
as shunt diode safety barriers and apparatus using a particular
type of transformer, the earth connection is an important part of
the method of protection.
Where surge protection against induced voltages (usually from
lightning) is introduced then this introduces a further complication.
The design of the earthing system needs to be done with some
care and provision made to enable the system to be tested safely.
This is frequently done by providing duplicate leads. The subject is
considered in detail in the section on earthing and it is not possible
to adequately summarise the process.
If you believe in testing earths by injecting a significant current
then think very hard about the possible paths that the current will
use to come back to its point of origin. If you are confident that the
path is well defined and safe - then there is no point in testing it!
3.6 Testing insulation
Insulation testing is usually carried out using a high voltage (500V
or more), which is not compatible with the intrinsic safety concept.
(The ignition capable capacitance corresponding to 500V rms in IIC
is 160pF. This is the capacitance of approximately 1m of cable).
Where insulation testing is considered essential, it should be
carried out using a suitably certified instrument. This instrument
will apply a low voltage only (less than 6V) and have a low current
capability (less than 10mA). However, bear in mind that it is difficult
to ensure that there is no flammable gas at all points along an
instrument circuit during the period of test.
If high voltages are applied, care should be taken to ensure that
the connected equipment can not be damaged by the testing. For
example, it may be necessary to disconnect any surge suppression
devices that are connected in the circuit. It will also be necessary
to take care to discharge any charge that may have accumulated
in the equipment during testing.
Intrinsically safe circuits are usually fully floating or earthed at one
point. The reason for this is that if a circuit is earthed at more than
one point, the differential potential between the two points will cause
an undefined current to flow through an unknown inductance.
On a well-bonded plant the voltages are low and the resultant
current may not be incendive, but it is still unknown, could possibly
be incendive and is therefore not desirable. Many intrinsically safe
circuits that use shunt-diode safety barriers are designed to ‘fail-
safe’ in the presence of an earth fault, and consequently there is
no need to test the insulation.
Some circuits, but not many, are provided with earth leakage
detection systems and these do not need testing. Fully isolated
circuits would require two separate faults to earth points some
distance apart before the circuit could possibly be dangerous.
The probability is that two such faults would also create an
operational failure and consequently routine insulation testing of
these circuits is not considered necessary.
There are a few remaining circuits that are not covered by the
above, but the level of voltage and current necessary to cause an
earth fault to be incendive (arguably greater than 9V and 100mA)
would almost always cause an operational failure. Consequently,
routine insulation testing of a functioning circuit on a well-bonded
plant is not necessary or desirable.
The overall conclusion is that routine insulation testing of
intrinsically safe circuits, which are functional, is not necessary.
The emphasis on ‘functioning circuits’ does however reinforce
the argument for rapid repair of non-functional circuits
discussed elsewhere.
Theoretically, just removing the power from a circuit with multiple
earth connections does not make it safe if significant differences in
plant potential exist. If insulation testing is thought to be desirable
for other reasons it should be carried out with care using a suitably
approved tester. Where apparatus has to be disconnected during
the testing process then special care is required to ensure that the
reconnection is correct, since this is an obvious risk. This usually
involves at least a functional check.
3.7 Reference to apparatus certificates
Occasionally it will be thought desirable to refer to the certificate
of a piece of apparatus. Sometimes a copy is available but the
preferred technique is to check on the web for the latest version.
Most manufacturers and some certification authorities make their
certificates available by this means. For example, MTL certificates
are available on the web-site http://www.mtl-inst.com/support
and IEC Ex certificates are available on the web-site
http://www.iecex.com. The use of the web ensures that
the most recent version of the certificate is available
and that the certificate is complete.
MTL7700 Series DIN-rail mounted safety barriers.
Design of intrinsically safe systems
4.1 General
Where intrinsically safe apparatus is interconnected by wiring, the
safety of each piece of apparatus is affected by the performance
of the other pieces of apparatus in the circuit. The safety technique
relies on the system being correctly designed and intrinsic safety
becomes a system concept. Other methods of protection are
also dependent on the system concept to some extent, but it is a
fundamental requirement of intrinsic safety.
For example flameproof equipment is only adequately safe when
provided with the correct electrical protection and a means of
isolation, but this is not generally regarded as being as significant
as ensuring that the apparatus within an intrinsically safe system is
compatible. There are some pieces of intrinsically safe apparatus,
usually portable equipment, that are used in isolation, for example
torches and radios. The following analysis of intrinsically safe
systems does not apply to these types of apparatus.
In addition, some Fieldbus systems are constructed to the
FISCO/FNICO standard IEC 60079-27, which introduces some
simplification of the system rules. These requirements are
discussed in MTL application note AN9026 but not in this
document. This document concentrates on point-to-point wired
systems, which are the predominant form of instrumentation.
The relevant IEC system standard is IEC 60079-25, which
interacts with the IEC code of practice IEC 60079-14 to provide
comprehensive coverage of the subject.
The system designer must accept responsibility for the adequacy
of the design and the safety implications of the use of the system
in association with hazardous areas. The designer must have
an appropriate level of knowledge and training and the analysis
should not be done without recognising the importance of getting
it right. The analysis of simple systems is relatively easy and can
be done by any competent professional engineer.
However some of the more complex systems such as those
using a combination of non-linear and linear sources of power
require a greater degree of experience and it may be desirable
to approach an ‘approved certification body’ to provide an
analysis for such a system.
4.2 Compliance with ATEX Directives and DSEAR
Unless they are considered to be ‘simple apparatus’ (see section
4.4), individual pieces of equipment are required to comply with
the ATEX equipment directive (94/9/EC). However, the majority
of intrinsically safe systems combine equipment from one or
more suppliers and these systems become an ‘installation’ and
do not need to be certified to the equipment directive. There
might, however, be rare occasions when a manufacturer places
a complete system on the market, in which case the system will
have to comply with the equipment directive.
The installations directive (1999/92/EC), and the DSEAR
regulations, require a risk analysis (within their jurisdiction) of any
installation that contains one or more hazardous areas and the
system documentation becomes an essential part of that analysis.
In almost all other parts of the world similar requirements exist
either for legal or insurance reasons. Where no such requirements
exist there is still the fundamental requirement to operate safely
and to be able to demonstrate that all reasonable precautions have
been taken. For these reasons the preparation of adequate system
documentation is an essential part of the design of an intrinsically
safe installation.
The preparation of documentation for a new installation, to satisfy
the installations directive and DSEAR, is usually relatively simple
as all the equipment will comply with the apparatus directive or be
simple apparatus and the necessary data will be readily available.
A slightly more complex situation arises when it is thought
desirable to incorporate existing equipment, which is not certified
to the apparatus directive.
For example, such a situation arises if it becomes necessary to
replace a central processor and its related interfaces but not to
replace the field devices. In these circumstances, provided the
field devices are considered to have an adequate level of safety
and their documentation contains the necessary information to
enable a system document to be prepared, an acceptable system
document can be created.
To be considered as “adequately safe”, older equipment must
achieve a level of safety of the same order as equipment that has
recently acquired documents of conformity to the ATEX apparatus
directive. In the particular case of intrinsically safe equipment
there has been no fundamental change in the standards that
has thrown into doubt the safety of equipment conforming to
any of the CENELEC based standards. Arguably, even equipment
conforming to the older SFA 3012 and SFA 3004 standards that
were used in the UK is probably adequately safe.
NOTE: There is a problem regarding equipment spares that do not
have documents of conformity to the ATEX apparatus directive, as
they can no longer be supplied by the original manufacturer for use
in association with hazardous areas. Only apparatus already in the
possession of the end-user or ‘in the supply chain’ can be utilised.
It seems prudent therefore to take this potential difficulty into
account when considering the continued use of older equipment.
4.3 Simple systems
The majority of intrinsically safe systems are simple systems
that contain a single source of power in associated apparatus
connected to a single piece of intrinsically safe apparatus out in
the field. Such a system is discussed in detail in an appendix of
IEC 60079-11.
Here, we use the combination of a temperature transmitter and
an intrinsically safe interface, shown in Figure 4.1, to illustrate
the technique.
The first step is to obtain the safety data of the two pieces of
apparatus in the circuit. This data is best derived from a copy of
the certificate, which should be available to the system designer.
In particular, any special conditions of use should be taken into
account in the system design. The information placed on the
system drawing should be the result of a clearly justifiable analysis
making it relatively simple to create the installation drawing from
this reference drawing.
NOTE:
Copies of MTL Certificates are available from web site:
http://www.mtl-inst.com/support
Copies of IEC Ex Certificates are available from web site:
http://www.iecex.com
The compatibility of two pieces of apparatus should be established
by comparing the data of each apparatus. The sequence is usually
as follows.
a) Compare the levels of protection. If they differ then the
system takes the least sensitive level. For example if one device
is ‘ia’ and the other ‘ib’ then the system becomes ‘ib’.
A source of power that is certified ‘ib’ will have permitted output
parameters for use in ‘ic’ circuits. If these higher values are
used in the system design then the system becomes ‘ic’.
b) Compare gas classifications. If they differ then the system
takes the least sensitive classification. For example if one device
is IIC and the other IIB then the system becomes IIB.
It is usual for a source of power certified as IIC to have
permissible output parameters (Lo, Co and Lo/Ro) for IIB and IIA
gas groups. If these larger values are used then the parameters
used determine the system gas group.
c) Determine the temperature classification of the field mounted
equipment. Apparatus may have different temperature
classifications for different conditions of use (usually ambient
temperature) and the relevant one should be selected and recorded.
It should be noted that it is the apparatus that gets temperature
classified not the system.
d) The permissible ambient temperature range of each piece of
apparatus should be recorded.
e) The voltage (Uo), current (Io) and power (Po) output
parameters of the source of power should be compared with the
input parameters (Ui, Ii and Pi) of the field device and the output
parameters should not exceed the relevant input parameters.
Occasionally the safety of the field device is completely
specified by only one of these parameters (usually Ui). In these
circumstances the unspecified parameters are not relevant.
f) Determine the permitted cable parameters.
The permitted cable capacitance (Cc) is derived by subtracting
the input capacitance of the field device (Ci) from the permitted
output capacitance of the source of power (Co), that is Cc =
Co – Ci. The permitted cable inductance (Lc) is derived by
subtracting the input inductance of the field device (Li) from the
permitted output inductance of the source of power (Lo), that is
Lc = Lo – Li.
Determining the permitted L/R ratio of the cable (Lc/Rc) is very
easy if the input inductance of the field device is negligible, i.e.
if Li is less than 1% of Lo. In this case, Lc/Rc is considered equal
to Lo/Ro. However, if the inductance of the field device is more
significant then the equation included in IEC 60072-26 can be
used to calculate the permitted Lc /Rc. Fortunately this is not a
frequently occurring requirement.
Recently there has been increasing concern about the interaction
of system inductance and capacitance increasing the risk of
ignition capable sparks.
Figure 4.1 - Simple system of interface and transmitter
- Classification ia IIC
- Cable parameters 80 nF, 3.0 mH, 55 µH/Ω isolated
Temperature Transmitter
Type: 365S (example)
Pan Inc., Boston, USA
Ex ia IIC T4 by FUML No. 983065
Tamb = –40°C to +80°C
‘B’ Terminals
Ui: 30 V
Ii: 120 mA
Pi: 1 W
Ci: 3 nF
Li: 10 mH
Notes:
a) If cable ‘y’ becomes part of a multicore, then this multicore cable must be a
Type ‘A’ or ‘B’, as specified in IEC 60079-14.
b) Cable ‘y’ has capacitive limitation 80 nF in IIC; 647 nF in IIB
Type MTL5541 - data
MTL Ltd, Luton, UK
[EEx ia] IIC by EECS
No. BASeefa07ATEX010123
Tamb = –20°C to +60°C
Safety Parameters
Um: 250 V
Uo: 28 V
Io: 93 mA
Po: 651 mW
IIC Parameters
Co: 83 nF
Lo: 4.2 mH
Lo/Ro: 56 µH/Ω
This concern is confined to fixed inductance and capacitance
and not to the distributed parameters of a cable. Consequently
on those rare occasions when BOTH the lumped inductance
(the sum of Li of the source of power and the field device) and
the lumped capacitance (the sum of Ci of the source of power
and the field device) are greater than 1% of the respective
output parameters of the source of power Lo and Co then the
permissible output parameters are both to be divided by two.
It should be stressed that this reduction in output parameters
is only applicable on very rare occasions since it is unusual
for field devices to have BOTH inductive and capacitive input
parameters which are significantly large.
Frequently the Li and Ci of a source of power are not quoted
in the documentation and in these circumstances it can be
assumed that they are negligible. There is no suggestion that
it is considered necessary to go back and check the safety
documentation on existing installations for this most recent
requirement. However new analyses should take this remote
possibility into account.
To summarise, check that either the lumped capacitance or
inductance is less than 1% of the respective output parameters.
If it is, then the original calculation is valid. If BOTH parameters
are greater than 1% of the output parameters then Co and
Lo of the system should be reduced by a factor of two. If this
reduction seems to be necessary then go back and check the
information used, as this is an unusual situation.
Where a source of power is certified ‘ia’ or ‘ib’, the permitted
output parameters Lo, Co and Lo/Ro are derived using a
factor of safety of 1,5. When such a source of power is used
in an ‘ic’ circuit then the permitted output parameters may be
derived using a unity safety factor. This results in a significant
change, which usually removes the necessity to consider cable
parameters in detail. Accurate values can be ascertained using
the methods and tables in the apparatus standard. An acceptable
conservative technique is to multiply the Lo and Lo/Ro by two
and the Co by three, which normally removes any concern about
cable parameters.
g) Check that the level of insulation from earth is acceptable, or
that the system earthing requirements are satisfied.
If these criteria are all satisfied the compatibility of the two
pieces of apparatus will have been established. A convenient
way of recording the analysis is to create a table. Table 4.1 is an
example that uses values from the typical system drawing (see
Figure 4.1) and compares the intrinsically safe interface and the
temperature transmitter.
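The comparison in steps a), b), e) and f) can be carried out mechanically. The following Python sketch is an added example, not part of the MTL application note; the class, field and function names are hypothetical, and the sample values are those of Table 4.1. Steps c), d) and g) are recording steps and are not calculated here.

```python
from dataclasses import dataclass
from typing import Optional

# Orderings run from most to least sensitive; the system takes the least sensitive.
LEVELS = ["ia", "ib", "ic"]
GAS_GROUPS = ["IIC", "IIB", "IIA"]


@dataclass
class Source:
    """Associated apparatus (source of power); values come from its certificate."""
    level: str
    gas_group: str
    uo_v: float
    io_ma: float
    po_mw: float
    co_nf: float
    lo_uh: float
    lo_ro: float           # Lo/Ro in uH/ohm
    ci_nf: float = 0.0     # taken as negligible when not quoted
    li_uh: float = 0.0


@dataclass
class FieldDevice:
    """Intrinsically safe apparatus in the field; None means 'not specified'."""
    level: str
    gas_group: str
    temp_class: str
    ui_v: Optional[float]
    ii_ma: Optional[float]
    pi_mw: Optional[float]
    ci_nf: float
    li_uh: float


def least_sensitive(order, a, b):
    """Return whichever of a, b sits later in an ordered sensitivity list."""
    return order[max(order.index(a), order.index(b))]


def analyse(src: Source, dev: FieldDevice) -> dict:
    failures, notes = [], []

    # e) Each output parameter must not exceed the matching input parameter.
    #    Input parameters the certificate does not specify are not relevant.
    for name, out, limit in (("U", src.uo_v, dev.ui_v),
                             ("I", src.io_ma, dev.ii_ma),
                             ("P", src.po_mw, dev.pi_mw)):
        if limit is not None and out > limit:
            failures.append(f"{name}o {out} exceeds {name}i {limit}")

    # f) If BOTH lumped capacitance and lumped inductance exceed 1% of the
    #    output parameters, Co and Lo are divided by two.
    co, lo = src.co_nf, src.lo_uh
    lumped_c = src.ci_nf + dev.ci_nf
    lumped_l = src.li_uh + dev.li_uh
    halved = lumped_c > 0.01 * co and lumped_l > 0.01 * lo
    if halved:
        co, lo = co / 2, lo / 2
        notes.append("both lumped C and L exceed 1%: Co and Lo halved; recheck data")

    cc = co - dev.ci_nf    # Cc = Co - Ci
    lc = lo - dev.li_uh    # Lc = Lo - Li
    if cc < 0 or lc < 0:
        failures.append("field device Ci or Li exceeds the permitted Co or Lo")

    # Lc/Rc equals Lo/Ro only while Li is below 1% of Lo.
    if dev.li_uh < 0.01 * src.lo_uh:
        lc_rc = src.lo_ro
    else:
        lc_rc = None
        notes.append("Li not negligible: calculate Lc/Rc from the standard")

    return {
        "level": least_sensitive(LEVELS, src.level, dev.level),               # a)
        "gas_group": least_sensitive(GAS_GROUPS, src.gas_group, dev.gas_group),  # b)
        "temp_class": dev.temp_class,   # c) belongs to the apparatus, not the system
        "compatible": not failures,
        "halved": halved,
        "cc_nf": cc,
        "lc_uh": lc,
        "lc_rc": lc_rc,
        "failures": failures,
        "notes": notes,
    }


# Values as listed in Table 4.1 (interface and temperature transmitter).
INTERFACE = Source("ia", "IIC", uo_v=28, io_ma=93, po_mw=650,
                   co_nf=83, lo_uh=3050, lo_ro=55)
TRANSMITTER = FieldDevice("ia", "IIC", "T4", ui_v=30, ii_ma=120, pi_mw=1000,
                          ci_nf=3, li_uh=10)

if __name__ == "__main__":
    for key, value in analyse(INTERFACE, TRANSMITTER).items():
        print(f"{key}: {value}")
```

With the Table 4.1 values only the capacitance exceeds 1% of the output parameter, so no halving applies and the cable allowance is 80 nF and 3.04 mH (recorded as 3 mH in the table).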
4.4 The use of simple apparatus in systems
The apparatus standard (IEC 60079-11) distinguishes between
complex apparatus, which normally requires some form of
certification and ‘simple apparatus’ which is not required to be
certified. This distinction is intended to permit the use of apparatus
that does not significantly affect the intrinsic safety of a system,
without the need for ‘third party’ certification.
There is an implication that it is possible to demonstrate that
simple apparatus is obviously safe without recourse to the detailed
application of the remainder of the standard. For example, if any
current or voltage limiting components are necessary then the
apparatus is not considered to be simple. In practice it is relatively
easy to decide which components are simple apparatus at the
system design stage. If the decision is not easy then the apparatus
is not simple.
NOTE: Although it is not considered essential that simple apparatus
is certified by a third party, it is not unusual for simple apparatus
that is used in significant quantities to be certified.
This is reassuring to the end user and is a significant marketing
advantage. In these circumstances the apparatus is marked as
required by the apparatus standard, but can be used in the same
way as other simple apparatus.
The apparatus standard imposes limits of 1.5V, 100mA and 25mW
on the values generated by simple apparatus, and it is accepted
that simple apparatus can be added to an intrinsically safe system
without the need to recalculate the safety of the system. It must
be understood however, that any limitations on simple apparatus
apply to the combination of all the pieces of simple apparatus in
a system. For example, the use of one or two thermocouples in a
system is permitted but a combination of a large number used in
a single, average temperature circuit might not meet this criterion.
	 	
Table 4.1 Simple system analysis
Sequence step  Parameter                   Interface         Temperature transmitter  System
a)             Level of protection         ia                ia                       ia
b)             Gas group                   IIC               IIC                      IIC
c)             Temperature classification                    T4
d)             Ambient temperature         -20°C to +60°C    -40°C to +80°C
e)             Parameter comparison
               Voltage                     Uo: 28V           Ui: 30V
               Current                     Io: 93mA          Ii: 120mA
               Power                       Po: 650mW         Pi: 1W
f)             Cable parameters
               Capacitance                 Co: 83nF          Ci: 3nF                  Cc: 80nF
               Inductance                  Lo: 3.05mH        Li: 10µH                 Lc: 3mH
               L/R ratio                   Lo/Ro: 55µH/Ω                              Lc/Rc: 55µH/Ω
g)             Isolation                   isolated          isolated                 isolated
The standard also allows capacitive and inductive components
to be used in simple apparatus, provided that these components
are included in the system evaluation. It is not usual to include
inductors or capacitors of significant size, but the simple apparatus
concept does permit the use of small radio-frequency (r.f.)
decoupling components without undertaking a further analysis
of the system. A useful rule-of-thumb is to ensure that the total
capacitance and inductance added to the system is less than 1% of
the respective output parameters of the source of power, in which
case, their effect can be ignored. If BOTH the added capacitance
and inductance, together with any other ‘lumped’ capacitance in
the circuit are greater than 1% of the specified output parameters
of the source of power then the permitted output parameters must
be halved, as explained in Section 4.3. This is another very good
reason for ensuring that the ‘energy storing’ components in simple
apparatus are kept small.
It is also necessary to temperature classify simple apparatus
when it is intended for use in a hazardous area. The apparatus standard
allows a T6 temperature classification for switches, plugs, sockets
and terminals used within their normal rating at an ambient
temperature of not greater than 40°C.
In practice, it is not easy to design a system that can be used
with gases requiring a T6 (85°C) temperature classification and a
T4 (135°C) classification is normally the level achieved. In reality,
the only gas listed in the available documentation requiring a T6
temperature classification is carbon disulfide (CS₂). Fortunately,
the use of this gas in industry is becoming rare because of its
toxicity. A T4 temperature classification is therefore adequate
normally and a claim of T6 is predominantly a marketing ploy
rather than a requirement.
The temperature classification of other pieces of apparatus (with
a surface area not less than 20mm²) normally relies on the input
power being no greater than 1,3W when the maximum ambient
temperature required is 40°C. The corresponding powers for higher
ambient temperatures are 1,2W at 60°C and 1W at 80°C. If this rule
is not applicable then the possible maximum surface temperature
has to be measured or assessed. If for any reason it is not obvious
that the maximum surface temperature is considerably lower than
135°C (say 100°C) then the apparatus is probably not simple.
Simple apparatus is usually isolated from earth. However, the
apparatus standard requires a 500V insulation test and if the
simple apparatus cannot meet this then it introduces an earth on
to the system and the system design must take this into account.
A typical example of simple apparatus is the resistance thermometer
(RTD) shown as the sensor in the typical system drawing.
The RTD is a temperature sensitive resistor. It has negligible
inductance (less than 4µH) because it is bifilar wound and
negligible capacitance (less than 10pF). The matched power from
the transmitter terminals is 2,5mW, which is considerably less
than the 25mW considered negligible for simple apparatus.
This low level of power ensures that the temperature classification
of the RTD is determined by the temperature being measured. (A
T6 temperature sensor measuring 450°C is a common advertising
phenomenon.) The RTD does not meet the required 500V insulation
test and consequently this sub-circuit is considered to be earthed
at this point. The installation is satisfactory because of the isolation
in the temperature transmitter.
The ignition energy of a gas decreases at elevated temperatures
and consequently the very low fault voltage and power available
to the RTD is a beneficial factor in ensuring the safety of any
measurement of high temperatures.
Figure 4.2 - RTD and transmitter sub-system
- Classification ia IIC
- Cable parameters 1000µF, 350mH
- Earthed at RTD
Note: ‘T’ class determined by maximum measured temperature.
RTD Type: 350L (example)
Peter Pty, Sydney, Australia
Simple Apparatus to IEC 60079-11
Passive component to subclause 5.4a)
Type: PS061
Maximum operating temperature 450°C
Temperature classification determined by maximum measured temperature.
Temperature Transmitter
Type: 365S (example)
Pan Inc., Boston, USA
Ex ia IIC T4 by FUML No. 983065
Ambient temperature –40°C to +80°C
Terminals ‘A’
Uo: 1.0 V
Io: 10 mA
Po: 2.5 mW
Co: 1000µF
Lo: 350 mH
Note: If cable ‘x’ becomes part of a multicore, then this multicore cable
must be a Type ‘A’ or ‘B’, as specified in IEC 60079-14.
4.5 The use of apparatus with ‘simple apparatus’ input description
The other common use for the simple apparatus clause is to permit
the use of certified apparatus with input parameters equivalent
to simple apparatus, to be added to an existing intrinsically safe
circuit with only a minor change in the documentation. The most
frequent uses of this technique are for test equipment, indicators
and trip amplifiers.
A typical example of this type of application is the MTL 5314
trip amplifier which is frequently used to monitor the 4-20 mA
signals from a transmitter as illustrated in Figure 4.3. The input
terminals satisfy the requirements of simple apparatus and hence
the insertion of this apparatus does not require that the safety
analysis of the existing system is modified. The presence of the
trip amplifier and the fact that it is regarded as simple apparatus
is all that needs to be recorded.
Where more than one piece of apparatus with simple apparatus
output characteristics is included in a circuit then care should be
taken to ensure that the permitted simple apparatus parameters
are not exceeded. Advantage can sometimes be taken of the fact
that the output voltage only appears under fault conditions and
that it is permitted to apply the fault count to the system as a
whole. For example if more than one piece of simple apparatus is
connected in the circuit, then it can be argued that only one piece
of apparatus is considered to fail at any one time, and hence only
the most adverse set of output parameters needs to be considered.
This type of argument is acceptable in ‘ib’ systems but needs to
be carefully documented. For such an argument to be valid for
‘ia’ systems detailed knowledge of the derivation of the output
parameters is required. This information is not usually readily
available and hence the technique is not normally applicable to
‘ia’ systems. If it is known that the apparatus terminals are purely
resistive in normal operation (as is frequently the case) then any
number of these devices can be incorporated in an ‘ic’ system.
Figure 4.3 MTL5314 used as monitor
Simple Apparatus, Intrinsically Safe interface,
Trip Amplifier MTL5314.
The Trip Amplifier connects in series with the 4/20
mA transmitter circuit, giving alarm signals to the
safe area via changeover relays.
Using the Simple Apparatus (Non-energy Storing)
rule the device may be connected in series with
the hazardous side of the MTL5541.
Certification & Safety Parameters
Terminals 1 and 3 meet the Simple Apparatus rules
having output parameters:
Uo: 1.0V, Io: 88mA, Po: 22mW
Certified [EEx ia] IIC by EECS
No. BAS 98 ATEX 7136
Tamb –20°C to +60°C
Um: 250 V
5.1 General
The ability to do live maintenance on an intrinsically safe system
is a major benefit of the technique. It is difficult to test an
instrument system with the power removed, and difficult to obtain
a meaningful ‘gas clearance certificate’ that covers the whole of
the area affected by a system. Consequently live working is very
desirable. There are however factors, other than gas ignition, that
have to be considered whenever an instrument system is taken
out of commission and consequently local safety practices such
as ‘permits to work’ have still to be observed.
5.2 Permitted practices on the plant
The design of intrinsically safe apparatus and systems ensures
that the short circuit and open circuit of field wiring cannot cause
ignition of a gas atmosphere. The concept of live maintenance uses
this feature but does not extend to carrying out detailed repairs;
for example, repairing printed circuit boards within the hazardous
areas. In practice, the permissible actions are restricted by the
available tools; hence deciding what is permissible is not difficult.
IEC 60079-17 restricts live ‘working’ to:
i) disconnection of, and removal or replacement of electrical
apparatus and cabling
ii) adjustment of any controls which is necessary for the
calibration of the electrical apparatus or system
iii) removal and replacement of any plug in components or
assemblies
iv) use of any test instruments specified in the relevant
documentation. Where test instruments are not specified in the
relevant documentation, only those instruments, which do not
affect the intrinsic safety of the circuit, may be used
v) any other maintenance activity specifically permitted by the
“relevant documentation”
These requirements are in line with the normal practice of
maintenance on field mounted equipment and hence create no
problem. Work on associated safe area apparatus, such as the
intrinsically safe interface is restricted in the same way, except that
there is greater freedom to operate on the safe area terminals.
Recently developed interfaces tend to operate from 24V supplies
and there is no risk of electrocution. However it is not unusual
for interfaces with relay outputs to be switching higher voltages,
which may create a significant shock risk. Where this risk occurs,
adequate warning labels are required and the relevant precautions
should be taken during the maintenance process.
There is no risk of a significant electric shock being received
by a technician working on an intrinsically safe circuit. There
is a hypothetical possibility but in practice this is not a real
problem actions are permitted, they are frequently embodied in
the apparatus certificate and manufacturer’s instruction. This
information should be made available to the relevant technician
on the work sheet, as he is not likely to have ready access to the
certificate and/or instructions. The apparatus marking would carry
the ubiquitous ‘X’ marking but this is almost universally applied
and consequently largely ignored.
Maintenance and Repair of
Intrinsically Safe equipment
5.3 Permitted practice in the workshop
The repair and testing of intrinsically safe and associated
apparatus should only be carried out in favourable conditions and
by adequately trained technicians. The IEC standard IEC 60079-19
provides some guidance on the approach to repair of intrinsically
safe equipment.
There are always practical and economic limitations on what is
practicable. For example, shunt diode safety barriers are invariably
encapsulated and not repairable. Isolating interfaces are usually in
boxes that are difficult to open, coated in varnish and impossible to
test in detail without specialist test equipment and knowledge of
the circuit. In general replacement by an identical unit is preferred
for both economic and safety reasons.
Some repairs can be carried out without affecting the safety of
equipment and, usually, it is obvious what limitations apply. For
example, damage to enclosures does not usually directly affect
the intrinsic safety of apparatus and consequently a repair which
restores the enclosure to its original level of integrity (IP rating)
is acceptable. The repair of printed circuit boards is sometimes
considered but is usually impracticable. Removing components
without damaging the board is difficult, repairing the coating
on reassembly is messy and maintaining the original creepage
and clearance distances may not be possible. A recent further
complication is that if lead free solder has been used, the use of
solder containing lead usually results in unsatisfactory joints.
A record of any repairs should be maintained. The use of before and
after photographs (stored digitally) frequently simplifies the process.
5.4 Testing of IS apparatus using non-certified test apparatus
There are two circumstances under which non-certified test
apparatus is used to test intrinsically safe and associated apparatus
and systems. One is where apparatus is tested in the safe area,
usually disconnected from the IS system; the other, less frequent,
is where apparatus and the system are tested in the hazardous area
using a gas clearance certificate.
It is sometimes questioned whether connecting non-certified
apparatus during such procedures can result in the intrinsic
safety of the apparatus or system being impaired by damage
to the safety components. In the past, testing has not required
any special precautions to be taken to avoid this possibility. The
current standard on inspection and maintenance IEC 60079-17
does not address this question, consequently the following is only
a considered opinion and should be regarded as such.
A relevant point is that during the manufacturing of intrinsically
safe products, the equipment used for both operational and
safety testing relies on good engineering practice and regular
inspection to achieve adequate safety. It is not subject to third
party certification or any similar constraints. The apparatus design
standards address some of the more obvious risks, such as the
charging of batteries, but do not make any other recommendations
to cover less frequently used facilities.
The factors that justify the use of conventional test equipment
when working on intrinsically safe apparatus are:
a) Repair and maintenance should only be carried out by ‘skilled
personnel’. Such personnel should be adequately trained
to recognise whether a mistake could have caused damage,
which might lead to a dangerous situation, and be capable of
taking any necessary corrective action.
b) Test equipment should be checked to ensure that it is
operational before connecting it to the apparatus. Particular
care should be taken to ensure that any variable controls, such
as output voltage and current limits on power supplies, are set
to the correct values before making the interconnection. The test
equipment should be checked at the end of the test. Since the
test equipment is only connected for a short time the probability
of it failing in a way that can cause a potentially hazardous fault
in that time is acceptably low.
c) The apparatus should be functioning correctly and be free of
mechanical damage at the end of the test or re-calibration. It is
possible that a safety component failure will not affect operational
capability but usually an operational failure will also occur.
d) The more complex operations such as re-programming
and downloading of apparatus memories are normally done
using test rigs with specific plugs and sockets and hence the
probability of incorrect connection is reduced.
e) Test equipment that satisfies the personnel safety
requirements of IEC 61010 is not likely to produce currents or
voltages that will damage safety components. For example
a functioning oscilloscope with high impedance probes is
extremely unlikely to cause a problem.
There are some operations which do require special care, of which
the most obvious is high voltage insulation testing. This should
only be done when a special work instruction is available.
In practice such tests are best avoided and if an insulation test is
thought to be necessary it should be done at a low voltage. It is
generally accepted that the testing, calibration and programming
of intrinsically safe apparatus in a safe area, or under gas clearance
conditions by a competent person using conventional high quality
test equipment does not invalidate its intrinsic safety certification.
5.5 Re-use of intrinsically safe field devices
The question is sometimes raised as to whether intrinsically
safe apparatus which has been used in circuits which are not
intrinsically safe, such as non-incendive or safe area circuits can
subsequently be used in intrinsically safe circuits. The perceived
problem is that use in the non-intrinsically safe circuits could
cause damage, which is not self-revealing but would reduce the
level of protection offered by the original certification. The relevant
IEC standards do not give any guidance on this topic and hence
the following text is only a considered opinion, which may not be
universally accepted.
The question normally arises because it is common practice
on most petrochemical installations to purchase a single type
of instrument, for example a pressure transmitter, for use in all
locations on a plant. An intrinsically safe transmitter can then be
used on a temporary installation in a safe area in a conventional
safe area loop, and after some time be returned to the store as
a spare instrument. From the store it could be used to replace a
defective instrument in an intrinsically safe loop.
It can be assumed that the replacing instrument is functional, and
not mechanically damaged (the majority of instrument technicians
would check this in the workshop before putting the instrument
in the stores as a spare) and therefore the concern is that there
is some fault which reduces the safety integrity but does not
affect the operation of the instrument. Almost all faults from an
external source would cause sufficient damage to the apparatus
for it to malfunction, rather than cause the conservatively rated
safety components to fail to danger without damaging any other
components. This type of undetected failure is just possible but is
sufficiently improbable to be ignored. In the particular case of a
non-incendive installation, the selection of apparatus and the
installation code followed further reduce the probability of the IS
apparatus being stressed.
There are a number of circumstances where a very similar
risk occurs, and the risk is considered acceptable. A very clear
example is that the IEC standard on inspection and maintenance
(IEC 60079-17) permits the use of non-certified test equipment
under ‘gas clearance certificate’ conditions. Similar risks are
accepted during fault-finding procedures in instrument workshops.
There are also significant risks of such faults occurring during the
repair procedures permitted by the same standard on repairing this
type of apparatus. The test equipment used in the final stages of
manufacturing of IS equipment is not designed to be fault tolerant
and could produce undetected faults. These risks illustrate the
point that where a risk is small it can be, and is, accepted.
With the recent introduction of the ‘ic’ concept, this question
becomes more relevant to intrinsically safe circuits; for example,
the use of an ‘ia’ certified transmitter in an ‘ia’ system after it has
been used in an ‘ic’ system may be questioned. The question of
the transfer of apparatus from an ‘ib’ system to an ‘ia’ system has
never been raised as far as is known.
The conclusion is therefore that the safety status of a field device is
not changed provided that the device is both functioning correctly
and not mechanically damaged after being used in any type of
circuit. If these two requirements are met, the field device can be
used in an intrinsically safe circuit without further consideration.
MTL4850 HART®
Multiplexer.
6.1 General
A number of finely divided materials can be ignited to create an
explosion when they form a cloud in air. Almost all organic and
food product dusts together with metallic dust can readily be
ignited. Dust explosions are generally more difficult to initiate than
gas/air explosions but can be devastating. The initial explosion
frequently disturbs and entrains layered dust to create one or
more secondary explosions, thus creating a rolling explosion and
extensive damage.
Dust explosions can be initiated by electrical sparks or by hot
surfaces. Numerous factors influence the ignition energy and
temperature of a particular material, for example the
air to particle ratio, the particle size, humidity, and the melting
temperature of the material.
Note: For those requiring a comprehensive reference, ‘Dust
explosions in the process industries’ by Rolf K. Eckhoff, published by
Butterworth Heinemann (ISBN 0 7506 3270 4), is recommended.
The ignition energy of a dust/air mixture is high compared with that
of a gas/air mixture. For example, some sensitive materials such
as rubber, sulfur and fine wood dust require 1 to 10 mJ while less
sensitive materials, such as coffee, require more than 500 mJ.
There is some concern that some very finely divided particles, for
example those associated with nano-technology, may have even
lower ignition energies. Consequently, the decision has been made
to use the IIB gas as the test mixture (ignition energy 80 µJ) for
intrinsically safe apparatus for use in dust atmospheres. This is a very
conservative decision but presents very little operational difficulty.
The current state of knowledge on the spark ignition characteristics
of dusts and the difficulty of creating a satisfactory test apparatus
for dust atmospheres justifies a cautious prudent decision.
The major problem in dust atmospheres is the possibility of
thermal ignition. There are two common mechanisms: one is the
ignition of a dust cloud by a hot body and the other is the creation
of smouldering in a layer of dust on a hot surface.
The minimum ignition temperature of the majority of dusts
lies between 300°C and 600°C. Some dusts do ignite at lower
temperatures, for example finely divided sulfur has a minimum
ignition temperature of 240°C. It is quite difficult to generate these
temperatures in a dust cloud with the power levels permitted by
a IIB gas classification and hence the probability of ignition of a
dust cloud by intrinsically safe apparatus is quite low and not the
major problem.
Intrinsic Safety and Dust
The principal difficulty is the possibility of causing smouldering
within a dust layer, which when disturbed bursts into flames and
initiates an explosion. The mechanism of causing smouldering is
complex but can be simplified into keeping the dust below its ‘glow
temperature’. The majority of materials have a glow temperature,
ranging from 250°C to 500°C, that is lower than the minimum
ignition temperature of the corresponding dust cloud.
There are also some flammable dust layers that have the fortunate
characteristic of melting before attaining their theoretical glow
temperature and consequently they do not create this ignition risk
(for example polystyrene).
6.2 Intrinsically safe apparatus and dusts
Intrinsically safe apparatus certified for use in hazardous gas
atmospheres has been used to ensure safety in dust atmospheres
for many years. Currently a great deal of activity is taking place
to formalise the requirements for apparatus specifically for use in
dusts. An apparatus standard IEC 61241-11 is now published. The
ultimate intention is to amalgamate the dust and gas requirements
within the relevant IEC standards but this will take a number of
years (five?). Eventually there will be three levels of protection
‘iaD’, ‘ibD’, and ‘icD’ corresponding to the equivalent gas levels of
protection (see Table 6.1). The intention is that ‘iaD’ equipment will
achieve the ‘very high’ level of protection required by equipment
designated as ‘EPL Da’ (where EPL means ‘Equipment Protection
Level’ as defined in IEC 60079-0). ‘ibD’ with a ‘high’ level of
protection will achieve an ‘EPL Db’ and ‘icD’ with an ‘enhanced’
level of protection will be ‘EPL Dc’.
Table 6.1 - Comparison of different levels of risk
Level of protection | Countable faults | Level of risk | Equipment Protection Level (EPL) | ATEX category | Normal zone of use
iaD | 2 | very high | Da | 1 | 20
ibD | 1 | high | Db | 2 | 21
icD | 0 | considerable | Dc | 3 | 22
The risk of spark ignition is avoided by satisfying the requirements for
apparatus intended for use in IIB gases. To avoid the risk of thermal
ignition, the preferred technique for apparatus which is intended to
be located in the hazardous area is to exclude the dust by using
an IP 6X enclosure or by encapsulation. This involves determining
a maximum temperature rise of the exposed surface, which in the
case of most intrinsically safe apparatus will be very small.
The preference for a dust tight enclosure is because the ‘dust
fraternity’ has implicit faith in this technique. It can be argued that
the restriction of the available power is a more reliable technique
as it is less prone to maintenance errors.
There is an exemption to the enclosure rule for apparatus that is
difficult to operate inside an enclosure, such as some sensors.
In these circumstances the power level is restricted to avoid the
possibility of temperature ignition (750 mW at 400°C). In practice
all intrinsically safe associated apparatus, such as barriers
and isolated interfaces, which are IIC or IIB certified for gases
are suitable for use in intrinsically safe systems. It has been
common practice for several years for interfaces to be certified
for both gas and dust applications. For example, the current MTL
range of barriers (MTL7700) and isolators (MTL4500/5500) are
certified for both gas and dust applications in accordance with the
requirements of the ATEX Directive and FM standards. The design
of intrinsically safe apparatus for use in dusts is the subject matter
of Part 11 of IEC 61241.
6.3 Risk analysis
Analysing the risk associated with a flammable dust differs from
the analysis of a gas risk largely because dust does not disperse
in the same way as a gas; it has to be removed.
A decision was made some years ago to only area classify dust clouds
and to treat the possibility of a smouldering dust layer as a source of
ignition (a decision largely influenced by the ATEX Directives).
The area classification of dust clouds follows the pattern of gas
clouds. Zone 20 corresponds to Zone 0 (where the hazard is
present continuously or for long periods), Zone 21 to Zone 1 and
Zone 22 to Zone 2, as the probability of the dust cloud being
present reduces.
Area classification of dusts is the subject matter of Part 10 of IEC
61241. If the combination of area classification and sources of
ignition is pursued too diligently this can create some tortuous
thinking. Fortunately, the application of a little pragmatic common
sense solves most instrumentation problems.
For example, if a temperature sensor is buried in a mound of grain
for a considerable length of time, then it is reasonable to use a level
of protection ‘iaD’, since deciding the area classification is difficult
and if the grain is smouldering it will probably burst into flame
when disturbed and could possibly explode. As it is not expensive
to make the system ‘iaD’, this becomes the obvious solution.
However, if a temperature monitor is measuring temperature in
a location where it is infrequently covered by dust and can be
readily and frequently cleaned, then a level of protection ‘icD’ is
adequate. It might still be expedient to use ‘iaD’ equipment but it
is not essential to do so.
6.4 Why use intrinsic safety?
The principal reason for using intrinsic safety is that it is
essentially a low power technique. Consequently, the risk of ignition
is minimised, and adequate safety can be achieved with a level of
confidence that is not always achieved by other techniques.
It is difficult to assess the temperature rise which can occur if
equipment is immersed in a dust, because of the many (frequently
unpredictable) factors which determine the temperature rise
within the dust layer. The safest technique is therefore to restrict
the available power to the lowest practical level. A major factor
in favour of intrinsic safety is that the power level under fault
conditions is controlled by the system design and does not rely on
the less well-specified limitation of fault power.
Intrinsic safety also has the advantage that the possibility of ignition
from immersed or damaged wiring is minimised. It is desirable to
be able to do ‘live maintenance’ on an instrument system, and
the use of the intrinsically safe technique permits this without the
necessity of special ‘dust free’ certificates. There is a need to clear
layers of dust carefully and to avoid contamination of the interior of
apparatus during maintenance but this is apparent to any trained
technician. (There is no significant possibility of a person, in a dust
cloud that can be ignited, surviving without breathing apparatus).
To summarise, intrinsic safety is the preferred technique for
instrumentation where dust is the hazard because:
• the inherent safety of intrinsic safety gives the greatest
  assurance of safety and removes concern over overheating
  of equipment and cables
• the installation rules are clearly specified and the system
  design ensures that all safety aspects are covered
• live maintenance is permitted
• equipment is available to solve the majority of problems
www.mtl-inst.com enquiry@mtl-inst.com
ZL-B-AN9003-EN-0809
I-S_AN9003_MTL.indd 20 5/10/09 12:01:31 pm

More Related Content

PPT
Intrinsic Safety
PPT
Intrinsic Safety in a Nutshell by Pepperl+Fuchs
PDF
Intrinsic safety
PPTX
Intrinsic safety and flameproof apparatus in mines
PPT
Lunch And Learn Presentation
PPT
Exloc is hj
PPT
Hazardous location protection methods e book by pepperl+ fuchs
PDF
Straightpoint ATEX & IECEx load monitoring products for hazardous areas
Intrinsic Safety
Intrinsic Safety in a Nutshell by Pepperl+Fuchs
Intrinsic safety
Intrinsic safety and flameproof apparatus in mines
Lunch And Learn Presentation
Exloc is hj
Hazardous location protection methods e book by pepperl+ fuchs
Straightpoint ATEX & IECEx load monitoring products for hazardous areas

What's hot (20)

PDF
Hazardous Area Location Guide - IEC NEC CEC & ATEX By Emerson Industrial
PPT
Electrical Safety
PDF
Lightning kills we save human with perfect design
PDF
Erico Eritech Lightning Protection - IEC62305 Earthing Design Guide
PDF
Why Test Series - Arc Flash Evaluations CS-00158
PDF
Explosion Proof Solenoid Valves & Hazardous Areas
PDF
New Field Data on Lightning Protection Systems: What Engineers Need to Know
PDF
Hazardous Area Zones & Explosion Protection - An Overview of Potentially Expl...
PDF
Mitigating Arc Flash Hazards - A Simple Graphic Helps Visualize Five Distinct...
PPTX
Intrinsic Safety Training - 3 Day Course by Tonex
PDF
ORBITAL ESE ACTIVE LIGHTNING ARRESTER
PDF
Catalogue Aiditec Systems (EN)
PPT
Key Elements of Australian Wiring Standards
PDF
Presentation lightning protection system by jmv lps
PDF
Asco Solenoid Valves Explosionproof Solenoid Valves - Technical Information
PDF
Early warning –disasater management presentation by jmv lps (1)
PDF
Arc Flash Training
PDF
Wolf LinkEx LL-440 Portable Fluorescent Leadlamp ATEX - Spec Sheet
PPT
Practical Electrical Wiring Standards - National Rules for Electrical Install...
PDF
Understanding the Role of Thermography in Energy Auditing: Current Practices...
Hazardous Area Location Guide - IEC NEC CEC & ATEX By Emerson Industrial
Electrical Safety
Lightning kills we save human with perfect design
Erico Eritech Lightning Protection - IEC62305 Earthing Design Guide
Why Test Series - Arc Flash Evaluations CS-00158
Explosion Proof Solenoid Valves & Hazardous Areas
New Field Data on Lightning Protection Systems: What Engineers Need to Know
Hazardous Area Zones & Explosion Protection - An Overview of Potentially Expl...
Mitigating Arc Flash Hazards - A Simple Graphic Helps Visualize Five Distinct...
Intrinsic Safety Training - 3 Day Course by Tonex
ORBITAL ESE ACTIVE LIGHTNING ARRESTER
Catalogue Aiditec Systems (EN)
Key Elements of Australian Wiring Standards
Presentation lightning protection system by jmv lps
Asco Solenoid Valves Explosionproof Solenoid Valves - Technical Information
Early warning –disasater management presentation by jmv lps (1)
Arc Flash Training
Wolf LinkEx LL-440 Portable Fluorescent Leadlamp ATEX - Spec Sheet
Practical Electrical Wiring Standards - National Rules for Electrical Install...
Understanding the Role of Thermography in Energy Auditing: Current Practices...
Ad

Similar to A users guide to intrinsic safety (20)

PDF
Ex ic Intrinsic Safety New Protection Level
PDF
hazardous_areas issued for construction new
PDF
A Guide to Safe Electronic Weighing in Hazardous Locations
PDF
An Overview of Products Certfication Webinar
PPT
Pepperl fuchs 2011 Emerson Global Users Exchange Intrinsically Safe CHARMS S...
PDF
Safety for operators and machinery 2011
PDF
How to Select an Intrinsically Safe Pressure Transducer
PPTX
Concept of hazardous area classification.
PDF
E2S warning signals - intrinsically safe solutions
PPT
B2B_03_Monitoring_Special_Apps_R2.ppt
PDF
Ex plakat ext-en_v06_web_neu
PDF
Signalling in hazardous areas
PDF
Signalling in Hazardous Areas
PPTX
Weighing in a hazardous area (ATEX, IECEx, EAC Ex TR CU 012)
PDF
Hazardous Area Equipment Certification - ATEX (Zone 1 Zone 2), IEC Ex, NEMA (...
PDF
Hazloc overview
PPTX
Intrinsic Safety Training Crash Course : Tonex Training
PDF
Hazardous Area Classification
PDF
Ansi isa rp12.6 (95)
PPT
Electrical maintenance in Hazardous area
Ex ic Intrinsic Safety New Protection Level
hazardous_areas issued for construction new
A Guide to Safe Electronic Weighing in Hazardous Locations
An Overview of Products Certfication Webinar
Pepperl fuchs 2011 Emerson Global Users Exchange Intrinsically Safe CHARMS S...
Safety for operators and machinery 2011
How to Select an Intrinsically Safe Pressure Transducer
Concept of hazardous area classification.
E2S warning signals - intrinsically safe solutions
B2B_03_Monitoring_Special_Apps_R2.ppt
Ex plakat ext-en_v06_web_neu
Signalling in hazardous areas
Signalling in Hazardous Areas
Weighing in a hazardous area (ATEX, IECEx, EAC Ex TR CU 012)
Hazardous Area Equipment Certification - ATEX (Zone 1 Zone 2), IEC Ex, NEMA (...
Hazloc overview
Intrinsic Safety Training Crash Course : Tonex Training
Hazardous Area Classification
Ansi isa rp12.6 (95)
Electrical maintenance in Hazardous area
Ad

More from David Pires (20)

PDF
Apresentacao-PwC-Expectativas-dos-gestores-para-2024.pdf
PDF
ALMA - Certificate of Training
PDF
IPS - Workshop Segurança Funcional - Certificado de Apresentação
PPSX
Carros Classicos
PPS
Best of Smithsonian Magazine 2014
PPS
Metro de lisboa
PPS
A velha frota colonial
PPS
Aeroporto de Lisboa - Anos 50
PPS
World diary 2014
PPS
Carros em Portugal - 1970
PPS
Pawla Kuczynskiego
PPS
Alentejo revisitado
PPS
Pictures from the 20th century
PPS
As melhores fotos da Pixdaus
PPS
Photo Reporter
PPS
Art monuments
PDF
Curso de Capacitacao Lorentz
PPSX
World diary 2017
PDF
Seminario E+H Industria Quimica e Petroquimica - Competitividade e Seguranca
PDF
Certificado Workshop STAHL EX Industry 4.0
Apresentacao-PwC-Expectativas-dos-gestores-para-2024.pdf
ALMA - Certificate of Training
IPS - Workshop Segurança Funcional - Certificado de Apresentação
Carros Classicos
Best of Smithsonian Magazine 2014
Metro de lisboa
A velha frota colonial
Aeroporto de Lisboa - Anos 50
World diary 2014
Carros em Portugal - 1970
Pawla Kuczynskiego
Alentejo revisitado
Pictures from the 20th century
As melhores fotos da Pixdaus
Photo Reporter
Art monuments
Curso de Capacitacao Lorentz
World diary 2017
Seminario E+H Industria Quimica e Petroquimica - Competitividade e Seguranca
Certificado Workshop STAHL EX Industry 4.0

Recently uploaded (20)

PDF
DP Operators-handbook-extract for the Mautical Institute
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
PDF
WOOl fibre morphology and structure.pdf for textiles
PPTX
Final SEM Unit 1 for mit wpu at pune .pptx
PDF
A novel scalable deep ensemble learning framework for big data classification...
PPTX
OMC Textile Division Presentation 2021.pptx
PPTX
Programs and apps: productivity, graphics, security and other tools
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
PPTX
1. Introduction to Computer Programming.pptx
PDF
Developing a website for English-speaking practice to English as a foreign la...
PDF
Zenith AI: Advanced Artificial Intelligence
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
PPTX
Chapter 5: Probability Theory and Statistics
PPTX
Tartificialntelligence_presentation.pptx
PDF
A comparative study of natural language inference in Swahili using monolingua...
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
PPTX
cloud_computing_Infrastucture_as_cloud_p
DP Operators-handbook-extract for the Mautical Institute
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
A contest of sentiment analysis: k-nearest neighbor versus neural network
WOOl fibre morphology and structure.pdf for textiles
Final SEM Unit 1 for mit wpu at pune .pptx
A novel scalable deep ensemble learning framework for big data classification...
OMC Textile Division Presentation 2021.pptx
Programs and apps: productivity, graphics, security and other tools
Group 1 Presentation -Planning and Decision Making .pptx
Assigned Numbers - 2025 - Bluetooth® Document
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
1. Introduction to Computer Programming.pptx
Developing a website for English-speaking practice to English as a foreign la...
Zenith AI: Advanced Artificial Intelligence
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
Chapter 5: Probability Theory and Statistics
Tartificialntelligence_presentation.pptx
A comparative study of natural language inference in Swahili using monolingua...
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
cloud_computing_Infrastucture_as_cloud_p

A users guide to intrinsic safety

  • 1. AN9003 - A Users Guide to Intrinsic Safety Reasons for selecting the Intrinsically Safe Concept I-S_AN9003_MTL.indd 1 5/10/09 11:56:04 am
  • 2. 1.1 Introduction Intrinsic safety (IS) is a low-energy signalling technique that prevents explosions from occurring by ensuring that the energy transferred to a hazardous area is well below the energy required to initiate an explosion. The energy levels made available for signalling are small but useable and more than adequate for the majority of instrumentation systems. The two mechanisms being considered that could initiate an explosion are: • A spark • A hot surface 1.2 The advantages of intrinsic safety The major advantage of intrinsic safety is that it provides a solution to all the problems of hazardous areas (for equipment requiring limited power) and is the only technique which meets this criterion. The significant factors are as follows: a) The IS technique is accepted throughout the world. There is an increasing acceptance of international certificates issued under the IEC Ex scheme but this has some way to go. Intrinsic safety is an acceptable technique in all local legislation such as the ATEX Directives and OSHA. The relevant standards and code of practice give detailed guidance on the design and use of intrinsically safe equipment to a level which is not achieved by any of the other methods of protection. b) The same IS equipment usually satisfies the requirements for both dust and gas hazards. c) Appropriate intrinsically safe apparatus can be used in all zones. In particular, it is the only solution that has a satisfactory history of safety for Zone 0 instrumentation.The use of levels of protection (‘ia’, ‘ib’ and ‘ic’) ensures that equipment suitable for each level of risk is available (normally ‘ia’ is used in Zone 0,‘ib’ in Zone 1 and ‘ic’ in Zone 2). d) Intrinsically safe apparatus and systems are usually allocated a group IIC gas classification which ensures that the equipment is compatible with all gas/air mixtures. Occasionally, IIB systems are used, as this permits a higher power level to be used. 
(However, IIB systems are not compatible with acetylene, hydrogen and carbon disulfide.) e) A temperature classification of T4 (135°C) is normally achieved,which satisfies the requirement for all industrial gases except carbon disulfide (CS2 ) which, fortunately, is rarely used. f) Frequently, apparatus, and the system in which it is used, can be made‘ia IICT4’ at an acceptable cost.This removes concerns Why choose intrinsic safety ? about area classification, gas grouping and temperature classification in almost all circumstances and becomes the universal safe solution. g) The ‘simple apparatus’ concept allows many simple pieces of apparatus,such as switches,thermocouples,RTD’s and junction boxes to be used in intrinsically safe systems without the need for certification. This gives a significant amount of flexibility in the choice of these ancillaries. h) The intrinsic safety technique is the only technique that permits live maintenance within the hazardous area without the need to obtain ‘gas clearance’ certificates. This is particularly important for instrumentation, since fault-finding on de- energised equipment is difficult. i)The installation and maintenance requirements for intrinsically safe apparatus are well documented, and consistent regardless of level of protection. This reduces the amount of training required and decreases the possibility of dangerous mistakes. j) Intrinsic safety permits the use of conventional instrumentation cables, thus reducing costs. Cable capacitance and inductance is often perceived as a problem but, in fact, it is only a problem on cables longer than 400 metres, in systems installed in Zones 0 and 1, where IIC gases (hydrogen) are the source of risk. This is comparatively rare and, in most circumstances, cable parameters are not a problem. Figure 1.1 - Available power curves 1.
  • 3. 1.3 Available power Intrinsic safety is fundamentally a low energy technique and consequently the voltage, current and power available is restricted. Figure 1.1 is a simplified illustration of the available power in intrinsically safe circuits and attempts to demonstrate the type of electrical installation in which the intrinsically safe technique is applicable. The blue and green curves are the accepted design curves used to avoid spark ignition by resistive limited circuits in Group IIC and IIB gases. The ‘ic’ curves are less sensitive because they do not require the application of a safety factor in the same way as for ‘ia’ and ‘ib’ equipment. In general the maximum voltage available is set by cable capacitance (400 metres corresponds to 80nF which has a permissible voltage of 29V in ‘IIC ia’ circuits) and the maximum current by cable inductance (400 metres corresponds to 400µH which has a permissible current of 300 mA in IIC ia circuits). A frequently used limitation on power is the 1.3W, which easily permits a T4 (135°C) temperature classification. These limits are all shown in Figure 1.1. A simple approach is to say that if the apparatus can be operated from a source of power whose output parameters are within the (blue) hatched area then it can readily be made intrinsically safe to ‘ IIC ia T4’ standards. If the parameters exceed these limits to a limited degree then it can probably be made intrinsically safe to IIB or ‘ic’ requirements. The first choice,however,is always to choose‘IIC iaT4’ equipment, if it provides adequate power and is an economic choice, as this equipment can be used in all circumstances (except if carbon disulfide (CS2 ) is the hazardous gas, in which case there are other problems). In practice almost all low voltage instrumentation can be made ‘IIB ic T4’ as the limits are set by the least sensitive of the ignition curves in Figure 1.1 (typically 24V 500 mA). 
The ‘IIB ic’ specification does restrict application to Zone 2 and where the hazardous gas is not hydrogen, acetylene or carbon disulfide but is still applicable to a large range of installations. 1.4 Conclusion Intrinsic safety is the natural choice for all low voltage instrumentation problems. Adequate solutions exist which are compatible with all gases and area classifications. The technique prevents explosions rather than retains them which must be preferable, and the ‘live maintenance’ facility enables conventional instrument practice to be used. 2 3 “Appropriate intrinsically safe apparatus can be used in all zones” MTL4500 Installation.
An Introduction to Intrinsic Safety

2.1 Definition of Intrinsic Safety
The definition of intrinsic safety used in the relevant IEC apparatus standard IEC 60079-11 is a ‘type of protection based on the restriction of electrical energy within apparatus and of interconnecting wiring exposed to the potentially explosive atmosphere to a level below that which can cause ignition by either sparking or heating effects’. This is a concise statement of intent to introduce a multi-faceted subject.

2.2 Typical intrinsically safe system
Figure 2.1 illustrates a typical intrinsically safe (IS) system where the safe performance of each piece of apparatus is dependent on the integrity of all the equipment in the system. For example, the safety of the Temperature Transmitter (Tx) depends upon the amount of energy supplied by the IS Interface.

In most process control applications, each piece of apparatus in a system is individually certified. A document that confirms the safety of the whole system is then produced using the information from the individual apparatus certificates, in accordance with the system standard IEC 60079-25. This system document also includes details of cable types and simple apparatus used in the system.

It is important to recognise that where pieces of intrinsically safe apparatus are interconnected, it is the safety of the system that must be established. There are however some examples of apparatus which stand alone, such as mobile radios and portable gas detectors, where the system approach is not relevant.

2.3 Levels of protection
Intrinsic safety utilises three levels of protection, ‘ia’, ‘ib’ and ‘ic’ which attempt to balance the probability of an explosive atmosphere being present against the probability of an ignition capable situation occurring.

‘ia’
This offers the highest level of protection and is generally considered as being adequately safe for use in the most hazardous locations (Zone 0) because the possibility of two ‘faults’ (see section 2.4) and a factor of safety of 1.5 is considered in the assessment of safety.

‘ib’
‘ib’ apparatus, which is adequately safe with one fault and a factor of safety of 1.5, is considered safe for use in less frequently hazardous areas (Zone 1).

‘ic’
‘ic’ apparatus, which is assessed in ‘normal operation’ with a unity factor of safety, is generally acceptable in infrequently hazardous areas (Zone 2). The ‘ic’ concept is relatively new (2005) and will replace the ‘energy-limited’ (nL) of the type ‘n’ standard IEC 60079-15 and possibly the ‘non-incendive’ concept of North American standards.

It is usual for a system to be allocated a level of protection as a whole, depending on the level of protection of the apparatus in the system. However it is possible for different parts of a system to have different levels of protection where suitable segregation exists. This must be made clear in the system documentation.

Figure 2.1 - Typical IS system
2.4 Faults
If a fault can adversely affect the safety of the equipment it is called a ‘countable’ fault. The situation is further complicated because the apparatus standard permits some specially designed components to be regarded as infallible and some inadequately designed features to be failed in normal operation. Consequently there are faults that are not considered to happen, faults which are counted, and faults which are imposed but not counted.

One of the major advantages of intrinsic safety is that ‘live maintenance’ on equipment is permitted without the necessity of obtaining ‘gas clearance’ certificates. A consequence of this is that during the safety analysis the possibility of open circuiting and short-circuiting any field wiring is regarded as normal operation.

Fortunately, understanding the apparatus standard and faults is only necessary for apparatus designers and certifying authorities. The apparatus certificates remove the necessity to consider faults, except for field wiring faults, in system design.

2.5 Simple apparatus
In general, intrinsically safe apparatus is certified, usually by an independent body such as an Accredited Certification Body (ACB) under the IEC Ex scheme. Self-certification by the manufacturer of ‘ic’ equipment is also quite commonly accepted.

The exception to the rule is ‘simple apparatus’, which is considered not to appreciably affect the intrinsic safety of the system. This apparatus is exempted from the requirement for certification. The simple requirements are clearly specified in the apparatus standard.

‘Simple apparatus’ should always be readily demonstrable to be adequately safe. The usual examples are switches, thermocouples, RTDs and junction boxes.

2.6 Cables
Because cables have inductance and capacitance, and hence energy storage capabilities, they can affect system safety. Consequently the system design imposes restrictions on the amount of each of these parameters. A great deal has been written on this subject but only rarely is there a serious limitation placed on the available cable.

As cable faults are taken into account during the system analysis, the type of cable in individual installations is not closely specified in the system standard. The choice is therefore determined by the need for reliable system operation.

Where intrinsically safe systems are combined in a multi-core, then there are special requirements. These determine which additional faults have to be considered.

2.7 Gas classification
The amount of energy required to ignite a particular gas/air mixture varies for each gas. Industrial gases capable of being ignited are divided, in the UK, into three classes, IIA, IIB and IIC.

Table 2.1: Typical gases, their classification & ignition energies
Typical Gas    Gas Group    Ignition energy
Methane        IIA          160µJ
Ethylene       IIB          80µJ
Hydrogen       IIC          20µJ

Table 2.1 shows a representative gas for each group and the minimum energy required to ignite it. IIC is clearly the most sensitive. Apparatus can be designed to be acceptably safe in any of these groups. Usually apparatus is designed to be safe in IIC, because it can then be used in any gas atmosphere. Sometimes a IIB classification is used as this permits slightly higher powers to be available. Only very rarely however is apparatus designed for the IIA classification because this restricts its use to this group alone.

Apparatus is usually assessed using the curves and tables included in the apparatus standard which lists acceptable levels of current and voltage. More complex circuits are checked with ‘spark test’ apparatus, normally the preserve of certifying authorities.

2.8 Temperature classification
The second method of causing an explosion is normally considered to be ignition by a hot surface. When a gas is heated above its ignition temperature it may spontaneously ignite. The ignition temperature varies with the gas and is not correlated to ignition energy. Consequently, when selecting apparatus, both properties of the explosive gas have to be considered.

Apparatus is classified into temperature (‘T’) classes depending on its maximum permitted surface temperature.

Table 2.2 The ‘T’ classes
T1       T2       T3       T4       T5       T6
450°C    300°C    200°C    135°C    100°C    80°C

The standard enables almost all apparatus, dissipating not more than 1.3 W, to be allocated a temperature classification of T4 (135°C). Almost all intrinsically safe field mounted apparatus meets the requirements of T4 temperature classification, which permits its use in all industrial gas atmospheres except in those comprising carbon disulfide (CS2) and air. These require a T6 classification, which is difficult to achieve at high ambient temperatures. There are also toxicity problems associated with carbon disulfide.

The other temperature that needs to be considered for each piece of apparatus is its ambient temperature rating, which does directly affect the safety of the apparatus in several ways.

Apparatus normally mounted in the safe area but which affects the safety of the intrinsically safe system (such as the intrinsically safe interface in Figure 2.1) is called ‘associated apparatus’. Such apparatus does not need to be temperature classified but must be used within its specified ambient temperature range.
2.9 Categories and equipment safety levels
When the European Directive (ATEX) for apparatus for use in hazardous areas (94/9/EC) was created, it introduced the concept of categories, which was intended to clarify the Zone(s) in which apparatus could safely be used. Unfortunately, and for nothing more than pedantic reasons, it was decided that a category 0 would not be used and the result was the confusing situation illustrated in Table 2.3, where the category and Zone numbers differ.

More recently (2004) the IEC took up the concept of identifying the level of protection offered by a piece of apparatus and also paid a little more attention to risk analysis as a method of determining the acceptable use of equipment. The result was the creation of equipment protection levels (EPLs), which are similar to ATEX categories but have numbers that align with their normal Zones of use.

In practice both categories and EPLs align with the levels of protection ‘ia’, ‘ib’ and ‘ic’ as indicated in Table 2.3 and, as far as intrinsic safety is concerned, they can largely be ignored, as the level of protection is already defined as ‘ia’, ‘ib’ or ‘ic’. They do however appear on apparatus marking and certificates and consequently need to be explained.

Table 2.3 Relationships between different methods of assessing safety levels
Level of Protection    Countable Faults    ATEX Category    IEC EPL    Normal Zone of Use
ia                     2                   1                0          0
ib                     1                   2                1          1
ic                     0                   3                2          2

2.10 Summary
Intrinsic safety offers an acceptable level of safety in all hazardous locations. Arguably it is safer and less prone to accidental errors than other methods of protection. This combined with its flexible use of available apparatus and the ability to do ‘live working’ means that it is the natural choice for instrumentation systems in hazardous areas. For example it is the only technique which is readily applicable to Zone 0 locations. The introduction of the ‘ic’ concept completes the picture.

The essential requirements of an intrinsically safe system are:
• The system must work.
• The apparatus in the system must be ‘certified’ or ‘simple’.
• The compatibility of the apparatus must be established.
• The level of protection of the system established.
• The temperature classification and ambient temperature rating of each piece of apparatus established.
• The requirements of the cable established.
Installation & Inspection of IS apparatus - An introduction

3.1 General
The long term continued safety of an intrinsically safe system depends on adequate inspection and maintenance. The relevant IEC standard is IEC 60079-17, which deals comprehensively with all methods of protection. Where installations are required to comply with the European ‘user’ Directive 1999/92/EC a documented inspection procedure becomes a part of the required risk analysis.

Any work on a hazardous plant needs to take into account overall plant safety. Consequently it is necessary to comply with the safety practices of the particular installation (for example work permits), even though the risk of ignition from the intrinsically safe circuits is minimal, and gas clearance certificates are not necessary. In some ways this is even more important in the pre-commissioning stage.

If there are significant changes in the plant operation, which for example modify the area classification then the safety analysis must be reviewed, the documentation modified, and possibly the inspection procedure changed and/or repeated.

The procedure places the onus for ensuring that the equipment used is suitable for its location on the creator of the installation drawing. The nature of an inspection depends on how well the installation drawing, which changes the system design drawing into a drawing specific to a particular installation, has been carried out. If the documentation is inadequate then any inspection can only be carried out by someone with detailed knowledge of the plant and exceptional expertise in hazardous area practice. Because such a person rarely exists, this analysis assumes that the documentation is adequate, and uses Figure 3.1 to illustrate the process.

If the person doing an inspection does not understand some aspect of the drawing, or believes it could be wrong, then they should be encouraged to question the document. IEC 60079-17 requires the identification of ‘a technical person with executive function’ to be responsible for inspection related matters in each installation. This person should be known to the technician doing the inspection, and should be available and able to answer questions.

The installation drawing should take into account what can be checked on the installation. For example, quoting permissible capacitance and inductance for a cable is not useful, because although it is possible to check these parameters, it is not easy to do so. Stating an acceptable type and length is much more useful.

The use of information available from ‘intelligent’ instruments can considerably reduce the routine inspection considered necessary on an intrinsically safe system. The use of this intelligence to reduce the inspection requirement is recognised in IEC 60079-17 clause 5.3.1 but not discussed in detail.

The ability to identify a specific field instrument from the safe area, without having to go and read the label on the instrument, is a significant advantage. Almost all of the digital, “intelligent” instruments (HART, Foundation Fieldbus, etc) enable the serial number of an instrument to be read remotely. The computer record can then be used to confirm that it is the specified instrument, thus ensuring it satisfies all the requirements of the particular installation. This type of check can be done at frequent intervals without interfering with operational requirements. The inspection of an instrument is then reduced to looking for mechanical damage or excessive corrosion which is comparatively easy and significantly less tedious.

Figure 3.1 - Typical installation drawing for IS system
A remote check that the instrument is functioning correctly does not necessarily ensure that it is still safe but it does confirm that it has not been significantly damaged and is probably still safe. This does imply that any malfunction should be quickly corrected or the defective equipment removed or at least made safe. A frequent check on functionality is a significant factor in further reducing the risk associated with any hazardous area apparatus.

How far this type of automatic inspection can simplify the inspection procedure is a decision for the end-user. But it is arguably a more reliable technique than manual inspection and simplifies the recording of the process. A relatively simple computer system can give ready access to the relevant installation and system drawings, which may be required if further investigation is thought to be necessary.

Some users may consider it desirable to do an occasional thorough spot check as reassurance that the system is functioning but this is a counsel of perfection. These techniques, combined with the availability of certificates and manuals on manufacturers’ web sites, can lead to safer installations and a reduction in the bureaucratic load created by safety legislation.

3.2 Initial inspection
An initial inspection to ensure that the installation complies with the installation drawing is critical. Where an adequate drawing such as Figure 3.1 exists, the initial inspection should ensure that the actual installation conforms to the drawing. Usually this involves checking each individual loop stage by stage, which involves a good deal of opening enclosures and clambering over structures.

Where the technician involved is suitably qualified this inspection can be combined with the operational checks. However some organisations separate the two requirements, preferring ‘independent’ safety inspections. This separation of functions is not conducive to shortening start up times.

Frequently the initial inspection demonstrates the inadequacy of plant labelling, and the opportunity to improve this feature should not be missed.

3.3 Periodic inspections
The objective of periodic inspections is to ensure the system has not appreciably deteriorated and has not been modified in an unauthorised way. The required frequency of periodic inspections is influenced by many factors, such as the immediate environment, the presence of corrosive atmospheres and the susceptibility to mechanical damage. A usual starting point is to consider a three-year cycle, inspecting a third of the apparatus every year. If the inspection shows widespread deterioration then the inspection period should be shortened and remedial action taken.

Establishing that the intended apparatus is still in place is relatively easy providing that the apparatus has a unique identity. Usually the manufacturer’s type number is adequate. Much has been written about checking the marking on the labels but, except as an intellectual exercise, there is little point. Providing that the inspector is convinced that the apparatus is the intended apparatus then he has fulfilled his function. He should be encouraged to ask questions if he is unhappy about the apparatus or if the circumstances of use have changed but fundamentally it is not reasonable to expect a detailed analysis of every loop.

It is usually worth creating separate drawings of such things as interface cabinets and junction boxes so that they can be readily checked for any sign of unauthorised modification. Similarly, preparing short lists of field equipment grouped in a particular area with their essential points of inspection can shorten the time required.

Most modern (smart) instruments can be identified from the safe area computer. It is relatively simple for the computer to check that the field instrument is unchanged and raise a flag if it is changed. This can be done frequently. The periodic inspection for that apparatus is then reduced to checking for deterioration.

There is a strong link between the need for periodic inspections for operational and safety reasons and it is usual to combine the requirements. For example, the short piece of field wiring used for the final connection to the instrument is often prone to mechanical damage and consequently is usually included in the inspection procedure even though its open or short-circuit failure would not create an incendive spark.

The check for mechanical deterioration is usually a quick check for corrosion, impact damage, efficiency of seals, security of mounting and adequacy of cable glands. Some judgement on the need for repair or replacement is required, and the need for operational reliability usually determines the necessary action. There is however no substitute for a well-trained technician with the right attitude.

3.4 Testing of apparatus
Sometimes it is suggested that apparatus should be removed for periodic testing. In practice, if an intrinsically safe loop is functional then it is very unlikely to have failed in a dangerous mode. Components critical to safety are derated, so the probability of external circumstances causing them to fail without causing a malfunction is small. There is a bigger risk that a mistake could be made during the removal and replacement of the apparatus being tested. The argument for not interfering with a system, which has survived the initial inspection and is still functional, is very powerful.

A particular case sometimes cited is regarding shunt-diode safety barriers. Failure rate statistics can always be questioned, but the undetected failure rate to danger of a barrier (i.e. the shunt diodes not failing to an open circuit condition) can be readily demonstrated to be better than 10⁻¹⁰/annum. With this probability of failure they should remain untouched forever. If they are removed for any other reason a simple continuity check has some merit.
If a malfunction does occur, there is a risk that safety components could also have been damaged and power to the system should be removed as a precaution. A repair should be carried out as quickly as possible. Apparatus or wiring which remains damaged or is not in use for a considerable time should be removed from the hazardous area as it represents an unnecessary risk.

3.5 Testing of earth connections
It is always difficult to balance the traditional methods of testing earth connections with the need to ensure that an unacceptable risk to the plant is not introduced. Injecting significant voltages and currents into ill-defined circuits is not compatible with avoiding unnecessary risks.

In almost all intrinsically safe installations cable screens contribute to system safety and need to be earthed. In some apparatus such as shunt diode safety barriers and apparatus using a particular type of transformer, the earth connection is an important part of the method of protection. Where surge protection against induced voltages (usually from lightning) is introduced then this introduces a further complication.

The design of the earthing system needs to be done with some care and provision made to enable the system to be tested safely. This is frequently done by providing duplicate leads. The subject is considered in detail in the section on earthing and it is not possible to adequately summarise the process.

If you believe in testing earths by injecting a significant current then think very hard about the possible paths that the current will use to come back to its point of origin. If you are confident that the path is well defined and safe - then there is no point in testing it!

3.6 Testing insulation
Insulation testing is usually carried out using a high voltage (500V or more), which is not compatible with the intrinsic safety concept. (The ignition capable capacitance corresponding to 500V rms in IIC is 160pF. This is the capacitance of approximately 1m of cable).

Where insulation testing is considered essential, it should be carried out using a suitably certified instrument. This instrument will apply a low voltage only (less than 6V) and have a low current capability (less than 10mA). However, bear in mind that it is difficult to ensure that there is no flammable gas at all points along an instrument circuit during the period of test.

If high voltages are applied, care should be taken to ensure that the connected equipment cannot be damaged by the testing. For example, it may be necessary to disconnect any surge suppression devices that are connected in the circuit. It will also be necessary to take care to discharge any charge that may have accumulated in the equipment during testing.

Intrinsically safe circuits are usually fully floating or earthed at one point. The reason for this is that if a circuit is earthed at more than one point, the differential potential between the two points will cause an undefined current to flow through an unknown inductance. On a well-bonded plant the voltages are low and the resultant current may not be incendive, but it is still unknown, could possibly be incendive and is therefore not desirable.

Many intrinsically safe circuits that use shunt-diode safety barriers are designed to ‘fail-safe’ in the presence of an earth fault, and consequently there is no need to test the insulation. Some circuits, but not many, are provided with earth leakage detection systems and these do not need testing.

Fully isolated circuits would require two separate faults to earth points some distance apart before the circuit could possibly be dangerous. The probability is that two such faults would also create an operational failure and consequently routine insulation testing of these circuits is not considered necessary.

There are a few remaining circuits that are not covered by the above, but the level of voltage and current necessary to cause an earth fault to be incendive (arguably greater than 9V and 100mA) would almost always cause an operational failure. Consequently, routine insulation testing of a functioning circuit on a well-bonded plant is not necessary or desirable.

The overall conclusion is that routine insulation testing of intrinsically safe circuits, which are functional, is not necessary. The emphasis on ‘functioning circuits’ does however reinforce the argument for rapid repair of non-functional circuits discussed elsewhere. Theoretically, just removing the power from a circuit with multiple earth connections does not make it safe if significant differences in plant potential exist.

If insulation testing is thought to be desirable for other reasons it should be carried out with care using a suitably approved tester. Where apparatus has to be disconnected during the testing process then special care is required to ensure that the reconnection is correct, since this is an obvious risk. This usually involves at least a functional check.

3.7 Reference to apparatus certificates
Occasionally it will be thought desirable to refer to the certificate of a piece of apparatus. Sometimes a copy is available but the preferred technique is to check on the web for the latest version. Most manufacturers and some certification authorities make their certificates available by this means. For example, MTL certificates are available on the web-site http://www.mtl-inst.com/support and IEC Ex certificates are available on the web-site http://www.iecex.com

The use of the web ensures that the most recent version of the certificate is available and that the certificate is complete.
Design of intrinsically safe systems

4.1 General
Where intrinsically safe apparatus is interconnected by wiring, the safety of each piece of apparatus is affected by the performance of the other pieces of apparatus in the circuit. The safety technique relies on the system being correctly designed and intrinsic safety becomes a system concept. Other methods of protection are also dependent on the system concept to some extent, but it is a fundamental requirement of intrinsic safety. For example flameproof equipment is only adequately safe when provided with the correct electrical protection and a means of isolation, but this is not generally regarded as being as significant as ensuring that the apparatus within an intrinsically safe system is compatible.

There are some pieces of intrinsically safe apparatus, usually portable equipment, that are used in isolation, for example torches and radios. The following analysis of intrinsically safe systems does not apply to these types of apparatus.

In addition, some Fieldbus systems are constructed to the FISCO/FNICO standard IEC 60079-27, which introduces some simplification of the system rules. These requirements are discussed in MTL application note AN9026 but not in this document. This document concentrates on point-to-point wired systems, which are the predominant form of instrumentation.

The relevant IEC system standard is IEC 60079-25, which interacts with the IEC code of practice IEC 60079-14 to provide comprehensive coverage of the subject.

The system designer must accept responsibility for the adequacy of the design and the safety implications of the use of the system in association with hazardous areas. The designer must have an appropriate level of knowledge and training and the analysis should not be done without recognising the importance of getting it right. The analysis of simple systems is relatively easy and can be done by any competent professional engineer. However some of the more complex systems such as those using a combination of non-linear and linear sources of power require a greater degree of experience and it may be desirable to approach an ‘approved certification body’ to provide an analysis for such a system.

4.2 Compliance with ATEX Directives and DSEAR
Unless they are considered to be ‘simple apparatus’ (see section 4.4), individual pieces of equipment are required to comply with the ATEX equipment directive (94/9/EC). However, the majority of intrinsically safe systems combine equipment from one or more suppliers and these systems become an ‘installation’ and do not need to be certified to the equipment directive. There might, however, be rare occasions when a manufacturer places a complete system on the market, in which case the system will have to comply with the equipment directive.

The installations directive (1999/92/EC), and the DSEAR regulations, require a risk analysis (within their jurisdiction) of any installation that contains one or more hazardous areas and the system documentation becomes an essential part of that analysis. In almost all other parts of the world similar requirements exist either for legal or insurance reasons. Where no such requirements exist there is still the fundamental requirement to operate safely and to be able to demonstrate that all reasonable precautions have been taken. For these reasons the preparation of adequate system documentation is an essential part of the design of an intrinsically safe installation.

The preparation of documentation for a new installation, to satisfy the installations directive and DSEAR, is usually relatively simple as all the equipment will comply with the apparatus directive or be simple apparatus and the necessary data will be readily available. A slightly more complex situation arises when it is thought desirable to incorporate existing equipment, which is not certified to the apparatus directive.
For example, such a situation arises if it becomes necessary to replace a central processor and its related interfaces but not to replace the field devices. In these circumstances, provided the field devices are considered to have an adequate level of safety and their documentation contains the necessary information to enable a system document to be prepared, an acceptable system document can be created.

To be considered as “adequately safe”, older equipment must achieve a level of safety of the same order as equipment that has recently acquired documents of conformity to the ATEX apparatus directive. In the particular case of intrinsically safe equipment there has been no fundamental change in the standards which has thrown into doubt the safety of equipment conforming to any of the CENELEC based standards. Arguably, even equipment conforming to the older SFA 3012 and SFA 3004 standards that were used in the UK is probably adequately safe.

NOTE: There is a problem regarding equipment spares that do not have documents of conformity to the ATEX apparatus directive, as they can no longer be supplied by the original manufacturer for use in association with hazardous areas. Only apparatus already in the possession of the end-user or ‘in the supply chain’ can be utilised. It seems prudent therefore to take this potential difficulty into account when considering the continued use of older equipment.

4.3 Simple systems
The majority of intrinsically safe systems are simple systems that contain a single source of power in associated apparatus connected to a single piece of intrinsically safe apparatus out in the field. Such a system is discussed in detail in an appendix of IEC 60079-11.

Here, we use the combination of a temperature transmitter and an intrinsically safe interface, shown in Figure 4.1, to illustrate the technique.

The first step is to obtain the safety data of the two pieces of apparatus in the circuit. This data is best derived from a copy of the certificate, which should be available to the system designer. In particular, any special conditions of use should be taken into account in the system design. The information placed on the system drawing should be the result of a clearly justifiable analysis making it relatively simple to create the installation drawing from this reference drawing.

NOTE: Copies of MTL Certificates are available from web site: http://www.mtl-inst.com/support
Copies of IEC Ex Certificates are available from web site: http://www.iecex.com
  • 11. The compatibility of two pieces of apparatus should be established by comparing the data of each apparatus.The sequence is usually as follows. a) Compare the levels of protection. If they differ then the system takes the least sensitive level. For example if one device is ‘ia’ and the other ‘ib’ then the system becomes ‘ib’. A source of power that is certified ‘ib’ will have permitted output parameters for use in ‘ic’ circuits. If these higher values are used in the system design then the system becomes ‘ic’. b) Compare gas classifications. If they differ then the system takes the least sensitive classification.For example if one device is IIC and the other IIB then the system becomes IIB. It is usual for a source of power certified as IIC to have permissible output parameters (Lo, Co and Lo/Ro) for IIB and IIA gas groups. If these larger values are used then the parameters used determine the system gas group. c) Determine the temperature classification of the field mounted equipment. Apparatus may have different temperature classifications for different conditions of use (usually ambient temperature)andtherelevantoneshouldbeselectedandrecorded. It should be noted that it is the apparatus that gets temperature classified not the system. d) The permissible ambient temperature range of each piece of apparatus should be recorded. e) The voltage (Uo), current (Io) and power (Po) output parameters of the source of power should be compared with the input parameters (Ui, Ii and Pi) of the field device and the output parameters should not exceed the relevant input parameters. Occasionally the safety of the field device is completely specified by only one of these parameters (usually Ui). In these circumstances the unspecified parameters are not relevant. f) Determine the permitted cable parameters. 
The permitted cable capacitance (Cc) is derived by subtracting the input capacitance of the field device (Ci) from the permitted output capacitance of the source of power (Co), that is Cc = Co – Ci.

The permitted cable inductance (Lc) is derived by subtracting the input inductance of the field device (Li) from the permitted output inductance of the source of power (Lo), that is Lc = Lo – Li.

Determining the permitted L/R ratio of the cable (Lc/Rc) is very easy if the input inductance of the field device is negligible, i.e. if Li is less than 1% of Lo. In this case, Lc/Rc is considered equal to Lo/Ro. However, if the inductance of the field device is more significant then the equation included in IEC 60072-26 can be used to calculate the permitted Lc/Rc. Fortunately this is not a frequently occurring requirement.

Recently there has been increasing concern about the interaction of system inductance and capacitance increasing the risk of ignition capable sparks.

Figure 4.1 - Simple system of interface and transmitter
Classification ia IIC
Cable parameters 80 nF, 3.0 mH, 55 µH/Ω
isolated

Temperature Transmitter
Type: 365S (example)
Pan Inc., Boston, USA
Ex ia IIC T4 by FUML No. 983065
T amb = –40°C to +80°C
‘B’ Terminals
Ui: 30 V
Ii: 120 mA
Pi: 1 W
Ci: 3 nF
Li: 10 mH

Notes:
a) If cable ‘y’ becomes part of a multicore, then this multicore cable must be a Type ‘A’ or ‘B’, as specified in IEC 60079-14.
b) Cable ‘y’ has capacitive limitation 80 nF in IIC; 647 nF in IIB

Type MTL5541 - data
MTL Ltd, Luton, UK
[EEx ia] IIC by EECS No. BASeefa07ATEX010123
T amb = –20°C to +60°C
Safety Parameters
Um: 250 V
Uo: 28 V
Io: 93 mA
Po: 651 mW
IIC Parameters
Co: 83 nF
Lo: 4.2 mH
Lo/Ro: 56 µH/Ω

“The safety technique relies on the system being correctly designed and intrinsic safety becomes a system concept”
This concern is confined to fixed inductance and capacitance and not to the distributed parameters of a cable. Consequently on those rare occasions when BOTH the lumped inductance (the sum of Li of the source of power and the field device) and the lumped capacitance (the sum of Ci of the source of power and the field device) are greater than 1% of the respective output parameters of the source of power Lo and Co then the permissible output parameters are both to be divided by two. It should be stressed that this reduction in output parameters is only applicable on very rare occasions since it is unusual for field devices to have BOTH inductive and capacitive input parameters which are significantly large.

Frequently the Li and Ci of a source of power are not quoted in the documentation and in these circumstances it can be assumed that they are negligible. There is no suggestion that it is considered necessary to go back and check the safety documentation on existing installations for this most recent requirement. However new analyses should take this remote possibility into account.

To summarise, check that either the lumped capacitance or inductance is less than 1% of the respective output parameters. If it is, then the original calculation is valid. If BOTH parameters are greater than 1% of the output parameters then Co and Lo of the system should be reduced by a factor of two. If this reduction seems to be necessary then go back and check the information used, as this is an unusual situation.

Where a source of power is certified ‘ia’ or ‘ib’, the permitted output parameters Lo, Co and Lo/Ro are derived using a factor of safety of 1,5. When such a source of power is used in an ‘ic’ circuit then the permitted output parameters may be derived using a unity safety factor. This results in a significant change, which usually removes the necessity to consider cable parameters in detail.
Accurate values can be ascertained using the methods and tables in the apparatus standard. An acceptable conservative technique is to multiply the Lo and Lo/Ro by two and the Co by three, which normally removes any concern about cable parameters.

g) Check that the level of insulation from earth is acceptable, or that the system earthing requirements are satisfied.

If these criteria are all satisfied the compatibility of the two pieces of apparatus will have been established. A convenient way of recording the analysis is to create a table. Table 4.1 is an example that uses values from the typical system drawing (see Figure 4.1) and compares the intrinsically safe interface and the temperature transmitter.

4.4 The use of simple apparatus in systems
The apparatus standard (IEC 60079-11) distinguishes between complex apparatus, which normally requires some form of certification and ‘simple apparatus’ which is not required to be certified. This distinction is intended to permit the use of apparatus that does not significantly affect the intrinsic safety of a system, without the need for ‘third party’ certification.

There is an implication that it is possible to demonstrate that simple apparatus is obviously safe without recourse to the detail application of the remainder of the standard. For example, if any current or voltage limiting components are necessary then the apparatus is not considered to be simple. In practice it is relatively easy to decide which components are simple apparatus at the system design stage. If the decision is not easy then the apparatus is not simple.

NOTE: Although it is not considered essential that simple apparatus is certified by a third party, it is not unusual for simple apparatus that is used in significant quantities to be certified. This is reassuring to the end user and is a significant marketing advantage.
In these circumstances the apparatus is marked as required by the apparatus standard, but can be used in the same way as other simple apparatus.

The apparatus standard imposes limits of 1.5V, 100mA and 25mW on the values generated by simple apparatus, and it is accepted that simple apparatus can be added to an intrinsically safe system without the need to recalculate the safety of the system. It must be understood however, that any limitations on simple apparatus apply to the combination of all the pieces of simple apparatus in a system. For example, the use of one or two thermocouples in a system is permitted but a combination of a large number used in a single, average temperature circuit might not meet this criterion.

Table 4.1 Simple system analysis

| Sequence step | Parameter | Interface | Temperature transmitter | System |
|---|---|---|---|---|
| a) | Level of protection | ia | ia | ia |
| b) | Gas group | IIC | IIC | IIC |
| c) | Temperature classification | | T4 | |
| d) | Ambient temperature | –20°C to +60°C | –40°C to +80°C | |
| e) | Parameter comparison | | | |
| | Voltage | Uo: 28V | Ui: 30V | |
| | Current | Io: 93mA | Ii: 120mA | |
| | Power | Po: 650mW | Pi: 1W | |
| f) | Cable parameters | | | |
| | Capacitance | Co: 83nF | Ci: 3nF | Cc: 80nF |
| | Inductance | Lo: 3.05mH | Li: 10µH | Lc: 3mH |
| | L/R ratio | Lo/Ro: 55µH/Ω | | Lc/Rc: 55µH/Ω |
| g) | Isolation | isolated | isolated | isolated |
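The compatibility sequence of Section 4.3 (steps a, b, e and f, together with the 1% rule for lumped capacitance and inductance) can be written as a short Python routine. This is an added example, not part of the original application note: the class and function names are assumptions, and the sample values are those recorded in Table 4.1.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative helper: all names here are assumptions, not from a standard or tool.
# Units throughout: V, mA, mW, nF, uH, uH/ohm.
LEVELS = ("ia", "ib", "ic")      # ordered so that the later entry decides a mixed system
GROUPS = ("IIC", "IIB", "IIA")   # same ordering for gas groups


@dataclass
class Source:
    """Source of power (the intrinsically safe interface)."""
    level: str
    group: str
    Uo: float
    Io: float
    Po: float
    Co: float
    Lo: float
    Lo_Ro: float
    Ci: float = 0.0   # taken as negligible when not quoted in the documentation
    Li: float = 0.0


@dataclass
class FieldDevice:
    level: str
    group: str
    Ui: Optional[float] = None   # None = parameter not specified, so not relevant
    Ii: Optional[float] = None
    Pi: Optional[float] = None
    Ci: float = 0.0
    Li: float = 0.0


def analyse(src: Source, dev: FieldDevice) -> dict:
    """Return system classification, failed comparisons and permitted cable parameters."""
    result = {
        # Steps a) and b): the system takes the less sensitive of the two markings.
        "level": max(src.level, dev.level, key=LEVELS.index),
        "group": max(src.group, dev.group, key=GROUPS.index),
        "failures": [],
    }

    # Step e): output parameters must not exceed the specified input parameters.
    for name, out, inp in (("U", src.Uo, dev.Ui),
                           ("I", src.Io, dev.Ii),
                           ("P", src.Po, dev.Pi)):
        if inp is not None and out > inp:
            result["failures"].append(f"{name}o {out} exceeds {name}i {inp}")

    # Lumped values are the sums for source and field device. Only when BOTH
    # exceed 1% of Co and Lo are the permitted outputs divided by two.
    lumped_c = src.Ci + dev.Ci
    lumped_l = src.Li + dev.Li
    halved = lumped_c > 0.01 * src.Co and lumped_l > 0.01 * src.Lo
    co = src.Co / 2 if halved else src.Co
    lo = src.Lo / 2 if halved else src.Lo
    result["halved"] = halved

    # Step f): Cc = Co - Ci and Lc = Lo - Li.
    result["Cc"] = co - dev.Ci
    result["Lc"] = lo - dev.Li
    if result["Cc"] < 0 or result["Lc"] < 0:
        result["failures"].append("field device Ci or Li exceeds the permitted Co or Lo")

    # Lc/Rc equals Lo/Ro only when Li is below 1% of Lo; otherwise the value has
    # to be calculated from the equation in the standard, so None is returned.
    result["Lc_Rc"] = src.Lo_Ro if dev.Li < 0.01 * src.Lo else None
    return result


def table_4_1_example() -> dict:
    """Interface and temperature transmitter with the values recorded in Table 4.1."""
    interface = Source("ia", "IIC", Uo=28, Io=93, Po=650, Co=83, Lo=3050, Lo_Ro=55)
    transmitter = FieldDevice("ia", "IIC", Ui=30, Ii=120, Pi=1000, Ci=3, Li=10)
    return analyse(interface, transmitter)


if __name__ == "__main__":
    for key, value in table_4_1_example().items():
        print(f"{key}: {value}")
```

Steps c), d) and g) (temperature class, ambient range and earthing) are recorded per apparatus rather than calculated, so they are left to the analysis table.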
The standard also allows capacitive and inductive components to be used in simple apparatus, provided that these components are included in the system evaluation. It is not usual to include inductors or capacitors of significant size, but the simple apparatus concept does permit the use of small radio-frequency (r.f.) decoupling components without undertaking a further analysis of the system. A useful rule-of-thumb is to ensure that the total capacitance and inductance added to the system is less than 1% of the respective output parameters of the source of power, in which case, their effect can be ignored. If BOTH the added capacitance and inductance, together with any other ‘lumped’ capacitance in the circuit are greater than 1% of the specified output parameters of the source of power then the permitted output parameters must be halved, as explained in Section 4.3. This is another very good reason for ensuring that the ‘energy storing’ components in simple apparatus are kept small.

It is also necessary to temperature classify simple apparatus when it is intended for hazardous area. The apparatus standard allows a T6 temperature classification for switches, plugs, sockets and terminals used within their normal rating at an ambient temperature of not greater than 40°C.

In practice, it is not easy to design a system that can be used with gases requiring a T6 (85°C) temperature classification and a T4 (135°C) classification is normally the level achieved. In reality, the only gas listed in the available documentation requiring a T6 temperature classification is carbon disulfide (CS2). Fortunately, the use of this gas in industry is becoming rare because of its toxicity. A T4 temperature classification is therefore adequate normally and a claim of T6 is predominantly a marketing ploy rather than a requirement.
The temperature classification of other pieces of apparatus (with a surface area not less than 20mm²) normally relies on the input power being no greater than 1,3W when the maximum ambient temperature required is 40°C. The corresponding powers for higher ambient temperatures are 1,2W at 60°C and 1W at 80°C. If this rule is not applicable then the possible maximum surface temperature has to be measured or assessed. If for any reason it is not obvious that the maximum surface temperature is considerably lower than 135°C (say 100°C) then the apparatus is probably not simple.

Simple apparatus is usually isolated from earth. However, the apparatus standard requires a 500V insulation test and if the simple apparatus cannot meet this then it introduces an earth on to the system and the system design must take this into account.

A typical example of simple apparatus is the resistance thermometer (RTD) shown as the sensor in the typical system drawing. The RTD is a temperature sensitive resistor. It has negligible inductance (less than 4µH) because it is bifilar wound and negligible capacitance (less than 10pF). The matched power from the transmitter terminals is 2,5mW, which is considerably less than the 25mW considered negligible for simple apparatus. This low level of power ensures that the temperature classification of the RTD is determined by the temperature being measured. (A T6 temperature sensor measuring 450°C is a common advertising phenomenon.) The RTD does not meet the required 500V insulation test and consequently this sub-circuit is considered to be earthed at this point. The installation is satisfactory because of the isolation in the temperature transmitter.

The ignition energy of a gas decreases at elevated temperatures and consequently the very low fault voltage and power available to the RTD is a beneficial factor in ensuring the safety of any measurement of high temperatures.
Figure 4.2 - RTD and transmitter sub-system
Classification ia IIC
Cable parameters 1000µF, 350mH
Earthed at RTD
Note: ‘T’ class determined by maximum measured temperature.

RTD
Type: 350L (example)
Peter Pty, Sydney, Australia
Simple Apparatus to IEC 60079-11
Passive component to subclause 5.4a)
Type: PS061
Maximum operating temperature 450°C
Temperature classification determined by maximum measured temperature.

Temperature Transmitter
Type: 365S (example)
Pan Inc., Boston, USA
Ex ia IIC T4 by FUML No. 983065
Ambient temperature –40°C to +80°C
Terminals ‘A’
Uo: 1.0 V
Io: 10 mA
Po: 2.5 mW
Co: 1000µF
Lo: 350 mH

Note: If cable ‘x’ becomes part of a multicore, then this multicore cable must be a Type ‘A’ or ‘B’, as specified in IEC 60079-14.
4.5 The use of apparatus with ‘simple apparatus’ input description
The other common use for the simple apparatus clause is to permit the use of certified apparatus with input parameters equivalent to simple apparatus, to be added to an existing intrinsically safe circuit with only a minor change in the documentation. The most frequent uses of this technique are for test equipment, indicators and trip amplifiers.

A typical example of this type of application is the MTL 5314 trip amplifier which is frequently used to monitor the 4-20 mA signals from a transmitter as illustrated in Figure 4.3. The input terminals satisfy the requirements of simple apparatus and hence the insertion of this apparatus does not require that the safety analysis of the existing system is modified. The presence of the trip amplifier and the fact that it is regarded as simple apparatus is all that needs to be recorded.

Where more than one piece of apparatus with simple apparatus output characteristics is included in a circuit then care should be taken to ensure that the permitted simple apparatus parameters are not exceeded. Advantage can sometimes be taken of the fact that the output voltage only appears under fault conditions and that it is permitted to apply the fault count to the system as a whole. For example if more than one piece of simple apparatus is connected in the circuit, then it can be argued that only one piece of apparatus is considered to fail at any one time, and hence only the most adverse set of output parameters needs to be considered. This type of argument is acceptable in ‘ib’ systems but needs to be carefully documented. For such an argument to be valid for ‘ia’ systems detailed knowledge of the derivation of the output parameters is required. This information is not usually readily available and hence the technique is not normally applicable to ‘ia’ systems.
If it is known that the apparatus terminals are purely resistive in normal operation (as is frequently the case) then any number of these devices can be incorporated in an ‘ic’ system.

Figure 4.3 MTL5314 used as monitor
Simple Apparatus, Intrinsically Safe interface, Trip Amplifier MTL5314.
The Trip Amplifier connects in series with the 4/20 mA transmitter circuit, giving alarm signals to the safe area via changeover relays. Using the Simple Apparatus (Non-energy Storing) rule the device may be connected in series with the hazardous side of the MTL5541.

Certification & Safety Parameters
Terminals 1 and 3 meet the Simple Apparatus rules having output parameters: Uo: 1.0V, Io: 88mA, Po: 22mW
Certified [EEx ia] IIC by EECS No. BAS 98 ATEX 7136
Tamb –20°C to +60°C
Um: 250 V
5.1 General
The ability to do live maintenance on an intrinsically safe system is a major benefit of the technique. It is difficult to test an instrument system with the power removed, and difficult to obtain a meaningful ‘gas clearance certificate’ that covers the whole of the area affected by a system. Consequently live working is very desirable. There are however factors, other than gas ignition, that have to be considered whenever an instrument system is taken out of commission and consequently local safety practices such as ‘permits to work’ have still to be observed.

5.2 Permitted practices on the plant
The design of intrinsically safe apparatus and systems ensures that the short circuit and open circuit of field wiring cannot cause ignition of a gas atmosphere. The concept of live maintenance uses this feature but does not extend to carrying out detailed repairs; for example, repairing printed circuit boards within the hazardous areas. In practice, the permissible actions are restricted by the available tools hence deciding what is permissible is not difficult. IEC 60079-17 restricts live ‘working’ to:

i) disconnection of, and removal or replacement of electrical apparatus and cabling
ii) adjustment of any controls which is necessary for the calibration of the electrical apparatus or system
iii) removal and replacement of any plug in components or assemblies
iv) use of any test instruments specified in the relevant documentation. Where test instruments are not specified in the relevant documentation, only those instruments, which do not affect the intrinsic safety of the circuit, may be used
v) any other maintenance activity specifically permitted by the “relevant documentation”

These requirements are in line with the normal practice of maintenance on field mounted equipment and hence create no problem.
Work on associated safe area apparatus, such as the intrinsically safe interface is restricted in the same way, except that there is greater freedom to operate on the safe area terminals. Recently developed interfaces tend to operate from 24V supplies and there is no risk of electrocution. However it is not unusual for interfaces with relay outputs to be switching higher voltages, which may create a significant shock risk. Where this risk occurs, adequate warning labels are required and the relevant precautions should be taken during the maintenance process.

There is no risk of a significant electric shock being received by a technician working on an intrinsically safe circuit. There is a hypothetical possibility but in practice this is not a real problem actions are permitted, they are frequently embodied in the apparatus certificate and manufacturer’s instruction. This information should be made available to the relevant technician on the work sheet, as he is not likely to have ready access to the certificate and/or instructions. The apparatus marking would carry the ubiquitous ‘X’ marking but this is almost universally applied and consequently largely ignored.

Maintenance and Repair of Intrinsically Safe equipment

5.3 Permitted practice in the workshop
The repair and testing of intrinsically safe and associated apparatus should only be carried out in favourable conditions and by adequately trained technicians. The IEC standard IEC 60079-19 provides some guidance on the approach to repair of intrinsically safe equipment.

There are always practical and economic limitations on what is practicable. For example, shunt diode safety barriers are invariably encapsulated and not repairable. Isolating interfaces are usually in boxes that are difficult to open, coated in varnish and impossible to test in detail without specialist test equipment and knowledge of the circuit. In general replacement by an identical unit is preferred for both economic and safety reasons.
Some repairs can be carried out without affecting the safety of equipment and, usually, it is obvious what limitations apply. For example, damage to enclosures does not usually directly affect the intrinsic safety of apparatus and consequently a repair which restores the enclosure to its original level of integrity (IP rating) is acceptable. The repair of printed circuit boards is sometimes considered but is usually impracticable. Removing components without damaging the board is difficult, repairing the coating on reassembly is messy and maintaining the original creepage and clearance distances may not be possible. A recent further complication is that if lead free solder has been used, the use of solder containing lead usually results in unsatisfactory joints.

A record of any repairs should be maintained. The use of before and after photographs (stored digitally) frequently simplifies the process.

5.4 Testing of IS apparatus using non-certified test apparatus
There are two circumstances under which non-certified test apparatus is used to test intrinsically safe and associated apparatus and systems. One is where apparatus is tested in the safe area, usually disconnected from the IS system, and, less frequently, when apparatus and the system is tested in the hazardous area using a gas clearance certificate.

It is sometimes questioned whether connecting non-certified apparatus during such procedures can result in the intrinsic safety of the apparatus or system being impaired by damage to the safety components. In the past, testing has not required any special precautions to be taken to avoid this possibility. The current standard on inspection and maintenance IEC 60079-17 does not address this question, consequently the following is only a considered opinion and should be regarded as such.
A relevant point is that during the manufacturing of intrinsically safe products, the equipment used for both operational and safety testing relies on good engineering practice and regular inspection to achieve adequate safety. It is not subject to third party certification or any similar constraints. The apparatus design standards address some of the more obvious risks, such as the charging of batteries, but do not make any other recommendations to cover less frequently used facilities.

The factors, which justify the use of conventional test equipment when working on intrinsically safe apparatus, are:

a) Repair and maintenance should only be carried out by ‘skilled personnel’. Such personnel should be adequately trained to recognise whether a mistake could have caused damage, which might lead to a dangerous situation, and be capable of taking any necessary corrective action.
b) Test equipment should be checked to ensure that it is operational before connecting it to the apparatus. Particular care should be taken to ensure that any variable controls, such as output voltage and current limits on power supplies, are set to the correct values before making the interconnection. The test equipment should be checked at the end of the test. Since the test equipment is only connected for a short time the probability of it failing in a way that can cause a potentially hazardous fault in that time is acceptably low.
c) The apparatus should be functioning correctly and be free of mechanical damage at the end of the test or re-calibration. It is possible that a safety component failure will not affect operational capability but usually an operational failure will also occur.
d) The more complex operations such as re-programming and downloading of apparatus memories are normally done using test rigs with specific plugs and sockets and hence the probability of incorrect connection is reduced.
e) Test equipment that satisfies the personnel safety requirements of IEC 61010, is not likely to produce currents or voltages, which will damage safety components. For example a functioning oscilloscope with high impedance probes is extremely unlikely to cause a problem.

There are some operations which do require special care, of which the most obvious is high voltage insulation testing. This should only be done when a special work instruction is available. In practice such tests are best avoided and if an insulation test is thought to be necessary it should be done at a low voltage.

It is generally accepted that the testing, calibration and programming of intrinsically safe apparatus in a safe area, or under gas clearance conditions by a competent person using conventional high quality test equipment does not invalidate its intrinsic safety certification.

5.5 Re-use of intrinsically safe field devices
The question is sometimes raised as to whether intrinsically safe apparatus which has been used in circuits which are not intrinsically safe, such as non-incendive or safe area circuits can subsequently be used in intrinsically safe circuits. The perceived problem is that use in the non-intrinsically safe circuits could cause damage, which is not self-revealing but would reduce the level of protection offered by the original certification. The relevant IEC standards do not give any guidance on this topic and hence the following text is only a considered opinion, which may not be universally accepted.

The question normally arises because it is common practice on most petrochemical installations to purchase a single type of instrument, for example a pressure transmitter, for use in all locations on a plant. An intrinsically safe transmitter can then be used on a temporary installation in a safe area in a conventional safe area loop, and after some time be returned to the store as a spare instrument.
From the store it could be used to replace a defective instrument in an intrinsically safe loop.

It can be assumed that the replacing instrument is functional, and not mechanically damaged (the majority of instrument technicians would check this in the workshop before putting the instrument in the stores as a spare) and therefore the concern is that there is some fault which reduces the safety integrity but does not affect the operation of the instrument. Almost all faults from an external source would cause sufficient damage to the apparatus for it to malfunction, rather than cause the conservatively rated safety components to fail to danger without damaging any other components. This type of undetected failure is just possible but is sufficiently improbable to be ignored. In the particular case of a non-incendive installation then the selection of apparatus, and the installation code followed further reduce the probability of the IS apparatus being stressed.

There are a number of circumstances where a very similar risk occurs, and the risk is considered acceptable. A very clear example is that the IEC standard on inspection and maintenance (IEC 60079-17), permits the use of non-certified test equipment under ‘gas clearance certificate’ conditions. Similar risks are accepted during fault-finding procedures in instrument workshops. There are also significant risks of such faults occurring during the repair procedures permitted by the same standard on repairing this type of apparatus. The test equipment used in the final stages of manufacturing of IS equipment is not designed to be fault tolerant and could produce undetected faults. These risks illustrate the point that where a risk is small it can be, and is, accepted.

With the recent introduction of the ‘ic’ concept, this question becomes more relevant to intrinsically safe circuits; for example, the use of an ‘ia’ certified transmitter in an ‘ia’ system after it has been used in an ‘ic’ system may be questioned.
The question of the transfer of apparatus from an ‘ib’ system to an ‘ia’ system has never been raised as far as is known.

The conclusion is therefore that the safety status of a field device is not changed provided that the device is both functioning correctly and not mechanically damaged after being used in any type of circuit. If these two requirements are met, the field device can be used in an intrinsically safe circuit without further consideration.

MTL4850 HART® Multiplexer.
6.1 General
A number of finely divided materials can be ignited to create an explosion when they form a cloud in air. Almost all organic and food product dusts together with metallic dust can readily be ignited. Dust explosions are generally more difficult to initiate than gas/air explosions but can be devastating. The initial explosion frequently disturbs and entrains layered dust to create one or more secondary explosions, thus creating a rolling explosion and extensive damage.

Dust explosions can be initiated by electrical sparks or by hot surfaces. There are numerous factors, which influence ignition energy and temperature of a particular material. For example the air to particle ratio, the particle size, humidity, and the melting temperature of the material.

Note: For those requiring a comprehensive reference ‘Dust explosions in the process industries’ by Rolf K. Eckhoff published by Butterworth Heinemann. ISBN 0 7506 3270 4 is recommended.

The ignition energy of a dust/air mixture is high compared with that of a gas/air mixture. For example, some sensitive materials such as rubber, sulfur and fine wood dust require 1 to 10 mJ while less sensitive materials, such as coffee, require more than 500 mJ. There is some concern that some very finely divided particles, for example those associated with nano-technology, may have even lower ignition energies. Consequently, the decision has been made to use the IIB gas as the test mixture (ignition energy 80µJ) for intrinsically safe apparatus for use in dust atmospheres. This is a very conservative decision but presents very little operational difficulty. The current state of knowledge on the spark ignition characteristics of dusts and the difficulty of creating a satisfactory test apparatus for dust atmospheres justifies a cautious prudent decision.

The major problem in dust atmospheres is the possibility of thermal ignition.
There are two common mechanisms, one is the ignition of a dust cloud by a hot body and the other is the creation of smouldering in a layer of dust on a hot surface. The minimum ignition temperature of the majority of dusts lies between 300°C and 600°C. Some dusts do ignite at lower temperatures, for example finely divided sulfur has a minimum ignition temperature of 240°C. It is quite difficult to generate these temperatures in a dust cloud with the power levels permitted by a IIB gas classification and hence the probability of ignition of a dust cloud by intrinsically safe apparatus is quite low and not the major problem.

Intrinsic Safety and Dust

The principal difficulty is the possibility of causing smouldering within a dust layer, which when disturbed bursts into flames and initiates an explosion. The mechanism of causing smouldering is complex but can be simplified into keeping the dust below its ‘glow temperature’. The majority of materials have a glow temperature, ranging from 250°C to 500°C, that is lower than the minimum ignition temperature of the corresponding dust cloud. There are also some flammable dust layers that have the fortunate characteristic of melting before attaining their theoretical glow temperature and consequently they do not create this ignition risk (for example polystyrene).

6.2 Intrinsically safe apparatus and dusts
Intrinsically safe apparatus certified for use in hazardous gas atmospheres has been used to ensure safety in dust atmospheres for many years. Currently a great deal of activity is taking place to formalise the requirements for apparatus specifically for use in dusts. An apparatus standard IEC 61241-11 is now published. The ultimate intention is to amalgamate the dust and gas requirements within the relevant IEC standards but this will take a number of years (five?).
Eventually there will be three levels of protection ‘iaD’, ‘ibD’, and ‘icD’ corresponding to the equivalent gas levels of protection (see Table 6.1). The intention is that ‘iaD’ equipment will achieve the ‘very high’ level of protection required by equipment designated as ‘EPL Da’ (where EPL means ‘Equipment Protection Level’ as defined in IEC 60079-0). ‘ibD’ with a ‘high’ level of protection will achieve an ‘EPL Db’ and ‘icD’ with an ‘enhanced’ level of protection will be ‘EPL Dc’.

Table 6.1 - Comparison of different levels of risk

| Level of protection | Countable faults | Level of risk | Equipment Protection Level - EPL | ATEX category | Normal zone of use |
|---|---|---|---|---|---|
| iaD | 2 | very high | Da | 1 | 20 |
| ibD | 1 | high | Db | 2 | 21 |
| icD | 0 | considerable | Dc | 3 | 22 |
The risk of spark ignition is avoided by satisfying the requirements for apparatus intended for use in IIB gases.

To avoid the risk of thermal ignition the preferred technique for apparatus, which is intended to be located in the hazardous area, is to exclude the dust by using an IP 6X enclosure or by encapsulation. This involves determining a maximum temperature rise of the exposed surface, which in the case of most intrinsically safe apparatus will be very small. The preference for a dust tight enclosure is because the ‘dust fraternity’ has implicit faith in this technique. It can be argued that the restriction of the available power is a more reliable technique as it is less prone to maintenance errors.

There is an exemption to the enclosure rule for apparatus that is difficult to operate inside an enclosure, such as some sensors. In these circumstances the power level is restricted to avoid the possibility of temperature ignition (750mW at 400°C).

In practice all intrinsically safe associated apparatus such as barriers and isolated interfaces, which are IIC or IIB certified for gases are suitable for use in intrinsically safe systems. It has been common practice for several years for interfaces to be certified for both gas and dust applications. For example, the current MTL range of barriers (MTL7700) and isolators (MTL4500/5500) are certified for both gas and dust applications in accordance with the requirements of the ATEX Directive and FM standards. The design of intrinsically safe apparatus for use in dusts is the subject matter of Part 11 of IEC 61241.

6.3 Risk analysis
Analysing the risk associated with a flammable dust differs from the analysis of a gas risk largely because dust does not disperse in the same way as a gas, it has to be removed. A decision was made some years ago to only area classify dust clouds and to treat the possibility of a smouldering dust layer as a source of ignition.
(a decision largely influenced by the ATEX Directives). The area classification of dust clouds follows the pattern of gas clouds. Zone 20 corresponds to Zone 0 (where the hazard is present continuously or for long periods) Zone 21 to Zone1 and Zone 22 to Zone 2 as the probability of the dust cloud being present reduces. Area classification of dusts is the subject matter of Part 10 of IEC 61241. If the combination of area classification and sources of ignition is pursued too diligently this can create some tortuous thinking. Fortunately, the application of a little pragmatic common sense solves most instrumentation problems. For example, if a temperature sensor is buried in a mound of grain for a considerable length of time,then it is reasonable to use a level of protection ‘iaD’ since deciding the area classification is difficult and if the grain is smouldering it will probably burst into flame when disturbed and could possibly explode. As it is not expensive to make the system ‘iaD’, this becomes the obvious solution. However if a temperature monitor is measuring temperature in a location where it is infrequently covered by dust and can be readily and frequently cleaned then a level of protection ‘icD’ is adequate. It might still be expedient to use ‘iaD’ equipment but it is not essential to do so. 6.4 Why use intrinsic safety? The principal reason for using intrinsic safety is because it is essentially a low power technique.Consequently,the risk of ignition is minimised, and adequate safety can be achieved with a level of confidence that is not always achieved by other techniques. It is difficult to assess the temperature rise, which can occur if equipment is immersed in a dust because of the many (frequently unpredictable) factors, which determine the temperature rise within the dust layer. The safest technique is therefore to restrict the available power to the lowest practical level. 
A major factor in favour of intrinsic safety is that the power level under fault conditions is controlled by the system design and does not rely on the less well-specified limitation of fault power. Intrinsic safety also has the advantage that the possibility of ignition from immersed or damaged wiring is minimised. It is desirable to be able to do ‘live maintenance’ on an instrument system, and the use of the intrinsically safe technique permits this without the necessity of special ‘dust free’ certificates.There is a need to clear layers of dust carefully and to avoid contamination of the interior of apparatus during maintenance but this is apparent to any trained technician. (There is no significant possibility of a person, in a dust cloud that can be ignited, surviving without breathing apparatus). To summarise, intrinsic safety is the preferred technique for instrumentation where dust is the hazard because: • the inherent safety of intrinsic safety gives the greatest assurance of safety and removes concern over overheating of equipment and cables • the installation rules are clearly specified and the system design ensures that all safety aspects are covered • live maintenance is permitted • equipment is available to solve the majority of problems
www.mtl-inst.com enquiry@mtl-inst.com ZL-B-AN9003-EN-0809