Device Protection in the Danger Zone

March 12, 2013
Intrinsic Safety Systems Are Emerging Slowly as an Alternative to Explosion-Proof Solutions in North America. It's Time to Be Clear About How It Works
About the Author
Ian Verhappen is a contributor and blogger for Control and Control Design. He has 25+ years experience in instrumentation, controls and automation. You can email him at [email protected] or check out his Google+ profile.

We celebrated our 15th anniversary last year by republishing some of the more timeless content we'd produced over the years. They were really well received, so we'll do it again this year from time to time. Here's an article from September 2005 that explains intrinsic safety (IS) as it was beginning to receive more consideration in North America. In an accompanying sidebar, the author updates us on a few noteworthy events that have developed since then.

Intrinsic safety still is not widely understood in North America. Until recently, explosion-proof practices were commonly used in areas classified as requiring protection.

The need for that protection is based on the likelihood of a potentially flammable atmosphere being present, which, in turn, determines the class in the North American area classification system.

The experience of North American industrial machine builders that sell into hazardous environment markets overwhelmingly has been based on explosion-proof methods.

(Safety Is Intrinsic)

Instrument manufacturers for industries with these environments, typically hydrocarbon processing-related industries such as refining and chemicals, design their instruments to be both explosion-proof and intrinsically safe (IS). This allows manufacturers to sell the same device anywhere in the world, regardless of the area classification and protection system used by the facility.

Regardless of the method used to prevent fires or explosions in a facility, all methods are designed to remove one of the sides of the "fire triangle" shown in Figure 1.

Break Up the Team
Figure 1: At least one side of the well-known "fire triangle" must be removed to prevent fires or explosions.Explosion-proof and intrinsic safety systems remove (more correctly, manage) or limit the energy level released to the environment. Encapsulation and potting, on the other hand, keep oxygen away from the energy source.

Each gas has its own range of concentrations over which its stoichiometric ratio allows it to burn. Outside this range, combustion, and hence an explosion, will not occur. The extreme example of this: If a device is placed in a 100% methane environment, it will not burn or explode because there is no oxygen present to complete the reaction.

Similarly, every gas has a different temperature at which it ignites. The concept of divisions is based on the type of gas present, while the "T" or temperature rating is based on gas ignition temperatures.

All these chemical factors must be kept in mind when selecting equipment to be used to prevent explosions.

Prevent or Disperse Explosions?
As indicated, both explosion-proof enclosures and intrinsic safety prevent explosions by limiting the amount of energy in the explosive environment. An explosion-proof enclosure uses its mass and design to disperse the energy to a low level before it escapes the enclosure. Intrinsic safety systems are designed to prevent the energy level in the hazardous area from being above the explosive-limit conditions.

It is important to realize that intrinsic safety is a system. All the components of the system need to be considered in the design, including not only the IS device used to limit the energy available to the hazardous area, but cable and remote devices as well. Passive devices that do not store energy, such as terminal blocks, normally are not an issue and need not be considered. The capacitance of a cable, which is used when calculating the energy stored in a cable, is considerably affected by the presence of a screen or shield. It is important to use the correct capacitance value for the cable type installed.

IS devices, the key components in intrinsic safety systems, are available in two distinct formats: safety barriers and galvanic isolators.

Simplified Safety Barriers
Figure 2: In this simplified schematic of a safety barrier, resistors limit the current and zener diodes restrict voltage available at terminals in the hazardous area.Safety barriers use zener diodes and current-limiting resistors to limit the current and voltage available at the hazardous area terminals. A fuse, if used in the barrier, restricts the fault power; the zeners restrict the voltage; and the resistor restricts the current. Figure 2 is a simplified schematic of a safety barrier. The excess energy from a barrier is routed to ground, normally through a low-impedance bus bar.

On the other hand, a galvanic isolator (Figure 3), as the name implies, breaks any direct connection between the safe and hazardous area circuits by interposing a layer of insulation between the two areas. The power transfer to the field — important to maintain loop-powered devices  — normally is via some form of transformer, while the return signal from the device in the hazardous area is transmitted across the hazardous area/safe boundary via an optocoupler, transformer or relay.

The final power limitation to the hazardous area is accomplished with a diode and resistor network similar to that of the safety barrier. Because galvanic isolators have different methods of forwarding the return signal to the safe area, they must be matched to the application.

Positively Galvanic
Figure 3: Galvanic isolators break any direct connection between the safe and hazardous area circuits by interposing a layer of insulation between the two areas.Because a galvanic isolator removes any direct connection between the hazardous and safe areas, safety barriers require a good path to ground. That makes the factory ground system the predominant potential source for signal noise, with the result that proper grounding or earthing techniques must be followed. The two main reasons for grounding instrument systems are to minimize interference while providing a signal reference, and to segregate and define the fault path requirements for safe dispersion of excess energy. Rapid energy dissipation is required to prevent a fire or explosion.

The standard industry practice of grounding instrument circuits at only one point is critical to the success of intrinsically safe circuits. In addition, the IS circuits should be isolated to withstand a 500 V insulation test. However, the use of galvanic isolators as an interface reduces the criticality of a well-designed and functioning ground grid with minimal potentials across the plant. Therefore, if some remote apparatus requires a separate power supply — i.e., they are not loop-powered, four-wire devices — then the preferred solution to maintain an IS circuit is galvanic isolators at either end of the cable.

It is worth noting the isolators form the boundaries between the two safe areas and the single hazardous area. The safe area at the control system end often is a rack room or unclassified area, while the safe area at the remote device end may have to be created through the use of either explosion-proof or purged housings.

Most industrial instrumentation cables include a ground wire as part of the wires within the overall insulated product. Many cables also include a screen or shield to limit the effects of nearby cables. It is especially important to use individually shielded conductors for any type of fieldbus installation.

Screens or shields normally are terminated in junction boxes without bonding them to the structure. The shields then are connected through the terminal to the home-run cable and the host system and its associated ground point. For the same reason, unused conductors in a cable should be terminated in a terminal so that, if used in the future, they already are connected, and to ensure they are not an inadvertent source of a spark, short circuit or ground loop.

When screens/shields are used to guard against pickup of high frequencies, they usually are earthed at a number of points to prevent the screen from presenting a tuned aerial to the high frequency. For IS circuits with this problem, the acceptable solution is to include 1,000 pF capacitors to ground at convenient points such as junction boxes. This effectively detunes the screen, but does not provide a path for the low-frequency currents, which can cause interference problems to flow off the screen or shield.

(The Intrinsic Safety Alternative)

Ground the Buses
Most new installations and many existing transmitters use smart devices capable of some form of digital communication. This can be as simple as the HART protocol that is superimposed on the 4–20 mA signal, or a full fieldbus solution such as Foundation fieldbus or Profibus. Any circuit that has a fieldbus signal must use galvanic isolation. This is because the grounding required by safety barriers will route the signal itself to ground as well. Those isolators have to be designed to operate at the specific frequency transmitted. That follows from the discussion above about each isolator type being matched to its service and the frequency "tuning."

The ISA-50, IEC 61158 standard-based fieldbuses also must adhere to the energy limitations as dictated above. That is why intrinsically safe Foundation fieldbus networks normally are restricted to approximately four devices per network. Since the original justification, at least to project managers and others focused on the upfront or construction costs of a project, invariably included easily identified ways to at least break even, the reduction in wiring was an obvious target. Fieldbus devices typically consume about 20 mA. So if a segment can support 80 mA, the result is that IS circuits significantly reduce the benefits of networking by reducing the number of devices on a network from 8–12 devices down to 4–6 devices.

True to form, industrial connector suppliers found several innovative ways around this problem. The most common, and the one incorporated into existing standards, is the Fieldbus Intrinsically Safe Concept (FISCO), based on work by Physikalisch-Technischen Bundesanstalt. It demonstrates that if the inductance and capacitance per unit length of field cables are within defined limits, then the risk of spark ignition does not increase with total length. The safe operating levels of the power supplies with electronic current limiting also were established, which allowed the use of higher currents on the network, typically 130 mA.

The result is that 6–8 devices now can be installed on a FISCO network. Other benefits of FISCO systems:

• The system can be created by any combination of apparatus that are certified as FISCO apparatus.

• No analysis of the input capacitance and input inductance parameters is necessary.

• The documentation requirement is reduced to a list of apparatus used.

The key is the devices must be FISCO-approved and, at present, there are few of those, although many manufacturers now are obtaining this certification.

A number of manufacturers also are making field-based barriers. These allow running a higher current level to the field on the home-run cables to an active field-mounted box. This box contains the circuitry to reduce the energy on each individual spur from the field barrier/junction box connecting the device to the balance of the network.

Another more recent innovation that is proceeding toward a vote by the IEC 60079-27 committee is the Fieldbus Nonincendive Concept (FNICO). FNICO is applicable only in Zone 2 (Div. 2) areas, and takes advantage of the fact that since the potential for a hazard to exist is reduced by being present only in abnormal circumstances, the use of Type 'n' protection can be applied.

Because FNICO requires only a safety factor of 1.1, vs. the 1.5 safety factor for IS and FISCO systems, it can provide more energy to the network, typically 180 mA. Figure 4 shows the power supply design limits for various area classifications. This additional energy works out to allow a FNICO system to more than double the number of devices on an IS network, yet it provides the same flexibility to work on a live system.

Figure 4: Permitted Output of Power Supplies
Because FNICO only requires a safety factor of 1.1, vs. the 1.5 safety factor for IS and FISCO systems, it can provide more energy to the network, typically 180 mA. This additional energy allows a FNICO system to more than double the number of devices on an IS network.

FNICO networks also have the benefits of FISCO, relative to documentation and calculation requirements, while not requiring any special certification beyond the IS approvals already required by most instruments.

IEC standards suggest that live working is permitted in Zone 2 installations if it can be demonstrated that an incendive spark or hot spot cannot be caused by the activity. This implies that working on a live instrument or circuit is possible with a gas clearance/hot work permit.

Instrument circuits, however, run the risk that a fault injected at one point might create a hazard at another interconnected piece of equipment. For example, in a temperature-sensing loop, a signal injected at the thermocouple head could manifest as an unsafe energy level at the transmitter, local indicator or computer interface. So the gas test associated with the hot work permit is required at all three locations.

The majority of new installations are at least considering the use of digital communications protocols in the design. Despite being around for almost 10 years, fieldbus systems still are relatively new, and manufacturers continue to develop innovative ways to provide the maximum flexibility and return on a facility investment.

IS Update 2013
There have been a number of changes in the intrinsic safety (IS) arena since this article was published in 2005, and most of those changes are involved with IEC 61158 networks and IS equivalent offerings.

The most significant change to the IEC 60079-11 standards is replacement of the FNICO standard with the FISCO ic rating. FNICO installations are "grandfathered" and the new rating is effectively equivalent, but is incorporated in a single document.

One of the "knocks" against FISCO was that it wasn't possible to purchase redundant power supplies, which could result in a single point of failure and hence restricted its adoption. With advances in electronics that enable rapid switching of circuits within the time period of a single message packet, MTL developed and released a Redundant FISCO product.

Also relying on fast circuitry, Pepperl+Fuchs and PTB developed dynamic arc recognition and termination (DART) as an IS equivalent circuit able to provide benefits of IS without the energy restrictions with which it is commonly associated.
Another technology that supports the IS Entity concept while allowing higher levels of energy in the complete system is the MooreHawke RouteMaster split architecture model that effectively splits the resistive network managing the energy levels in the system between both ends of the cable.   

—Ian Verhappen