One of the most important design criteria, if not the most important, is the safe operation of your machine or process.
Safety can be broken down into two focal points:
- safe for the humans that interact with the equipment
- safe for the components of the machine or process.
The primary focus must always be the safety of the individuals who interact with the equipment. Effective physical guarding combined with a reasonable and efficient way of interrupting the function of the equipment and restoring use thereafter are very important considerations in the design of a control system.
Traditionally, a control system would start with a master control relay to, as the name suggests, control the voltage that is supplied to the motive parts of the control system. The basic circuit would involve a normally open start button, a normally closed stop button and a tie-in contact to keep the master control relay engaged unless the stop button is pressed. To make the circuit safer, the stop button would be a maintained-contact mushroom button that must be pulled back out to re-engage the contacts.
Control systems became safer with the addition of an e-stop button, mushroom-shaped and with maintained contacts. These buttons could also be shrouded so that a padlock could be applied to the shroud, preventing the e-stop button from being reset, or pulled out. Separate from the cycle stop button, an e-stop button could be strategically located around the machine or process area to provide a quick, easy means of immediately stopping the controls in case of emergency.
Safety circuits and hardware have evolved greatly since the early control systems. Terms such as “dual-channel” and “dual-redundancy” are commonplace today. These terms present the logical progression that, if one circuit or device is safe, then two circuits or devices are safer.
Safety systems have advanced dramatically over the past few years, in particular, to the point where the driven devices—variable-frequency and servo drives, for example—have safety circuits embedded in the design to prevent power on the input side from getting to the output side of the device.
Protection of the devices in a control circuit is the secondary focus of safety circuits. Early control-system designs incorporated devices such as thermal overloads or thermistors in the master control relay circuit so that a product jam or shorting motor winding would immediately drop the control circuit.
As technology has advanced, many control devices have built-in protection circuits that immediately stop the device and provide a relay contact to the main control system to notify of a device failure. Motor controllers are a good example of devices that incorporate this method of protection.
By protecting the controlled devices, the human element is also protected by reducing the possibility of a broken component challenging the integrity of the physical guarding. Fractions of a second can make all the difference between a bent part and a broken one, so protection in a variable-frequency drive or servo drive instead of a PLC or PAC—milliseconds later—can literally save a life.
Everything we have talked about so far deals with safety of the control circuit or controlled devices, but what if the environment itself is the unsafe part?
In petrochemical and processing, the product or by-product of the process can contain solids, liquids or gases that have low flashpoints. In the food-packaging industry, some of the most common of household baking items, such as corn starch or baking soda, are highly explosive if exposed to a spark.
This might seem like an obvious statement, but control systems use electricity. Even if it is 24 Vdc, it is still enough to create a spark sufficient to ignite a combustible material. Intrinsic safety (IS) is the approach of designing control devices for a hazardous environment so that the available energy, electrical and thermal, is too low to cause ignition.
The National Electrical Code, Section 500, defines classes of hazardous locations as Class I (gases and vapors), Class II (dust) and Class III (fiber). Each class is further defined as Div. 1 (under normal operating conditions, including maintenance) and Div. 2 (accidental release or exposure due to unexpected rupture or breakdown).
In the industry, one might commonly see Class I, Div. 2, to describe an unexpected exposure of electrical energy to dust, for example.
Let’s talk about a few common control devices that would introduce risk in a hazardous environment. Many machines use limit switches or cam switches; a cam switch is a limit switch with a roller on the end that follows a lobed cam.
The construction of these mechanical switches requires a physical lever to pass through the body of the switch. No matter how well made, there is the possibility of a gas or fine powder getting into the inner workings of the switch and providing a catalyst to a source of ignition.
While not as common any more, many electric motors came with exposed windings to aid with cooling. This provided a path for the combustive material to get into the terminal block area of the motor.
Newer motors tend to be totally enclosed and fan-cooled to reduce this risk, but unless the body is completely dust-, liquid- and gas-tight, the combustive material can still get through to the motor.
For these reasons, devices used in a hazardous environment must be intrinsically safe. However, the use of intrinsically safe field devices does not make a control system intrinsically safe.
For this reason, the Occupational Health and Safety Association (OSHA) requires that the whole control system be designed to be intrinsically safe. It is not enough to use IS-rated devices.
The exception to this general rule is devices that use low power or are passive in nature. A good example of this would be thermocouples or resistance temperature detectors (RTDs).
Generally, the design of an IS system requires the use of low voltages and low temperatures, so as to not provide an environment that is conducive to the ignition of combustible materials.
While the common focus is on the field devices, the control cabinet itself might contribute the biggest risk of combustion. Inside that enclosure, one will find lots of miniature switches turning off and on, as well as plenty of devices that release energy—heat—as a result of normal function.
While not as obvious as combustible gases or liquids, dust is likely the most common source of combustible material. We are talking of particles as small as 500 microns in size.
OSHA 1910.399 states, “Combustible dusts that are electrically nonconductive include dusts produced in the handling and processing of grain and grain products, pulverized sugar and cocoa, dried egg and milk powders, pulverized spices, starch and pastes, potato and wood flour, oil meal from beans and seed, dried hay, and other organic materials which may produce combustible dusts when processed or handled. Dusts containing magnesium or aluminum are particularly hazardous.”
To avoid ignition, we generally talk about voltages under 29 V and current consumption under 300 mA. While PLCs and associated I/O modules can be selected to operate at 24 V or less, the presence of a VFD, for example, would imply voltages well above the 29 V target.
As one can imagine, it would be pretty much impossible to make all of the components inside a control cabinet intrinsically safe, so what can we do to protect our control system from the risk of ignition? Well, the somewhat obvious answer would be to keep the microscopic dust particles out of the enclosure in the first place.
The conventional design methodology involves introducing elements to reduce the normal operating temperature inside a control cabinet or enclosure.
The easiest way to do this would be to provide a filtered inlet to draw in outside air and a fan to circulate that air throughout the enclosure before exhausting it back out of the enclosure.
This approach doesn’t work for a hazardous location because we would be drawing all those microscopic particles into the enclosure and exposing them to an environment that is highly conducive to the ignition of combustible particles. An air exchanger would have the same issue, and an air conditioner would be the best choice if it weren’t for the fact that we are talking about particles that are 500 microns or less.
No matter how tight we make the seal on an enclosure, particles that small are bound to get into the enclosure. Just air convection alone would cause this to happen, as we would have cooler air outside the enclosure and warmer air inside.
The ultimate solution is to create an environment where there is greater air pressure inside the enclosure than outside. The introduction of clean, dry air to the inside and a means to exhaust air from inside the enclosure to outside ensures that airflow will always favor leaving the enclosure. This addresses the normal conditions of Div. 1, but what about if/when we have to open the enclosure to perform maintenance or troubleshooting? For this purpose, most positive-pressure cooling systems also include a purge system so that all the air can be exhausted from the enclosure before restoring operation.
A pressure sensor monitors the pressure differential between the inside and outside of the enclosure and will not permit operation of the control system until the air has been sufficiently purged. A temperature sensor ensures that the temperature inside the enclosure is also kept to a minimum.
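The purge-and-pressurize permissive described above can be modeled as a small state machine. This is an added example, not code from the article or from any purge-controller vendor: the class and function names, the thresholds, and the choice to discard purge credit on any pressure loss are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# All thresholds are hypothetical placeholders, not values from the article
# or from any standard; real values come from the purge system's certification.
MIN_DP_PA = 25.0        # minimum inside-minus-outside pressure differential
PURGE_SECONDS = 120.0   # continuous purge time required before energizing
MAX_TEMP_C = 50.0       # enclosure temperature limit

class State(Enum):
    LOCKED_OUT = "locked_out"   # door open or pressure lost: no power permitted
    PURGING = "purging"         # sealed and pressurized, flushing the enclosure
    RUN = "run"                 # purge complete, power permitted

@dataclass
class PurgeInterlock:
    state: State = State.LOCKED_OUT
    purged_s: float = 0.0

    def scan(self, door_closed: bool, dp_pa: float, temp_c: float, dt_s: float) -> bool:
        """Evaluate one scan; return True only when power may be applied."""
        pressurized = door_closed and dp_pa >= MIN_DP_PA
        if not pressurized:
            # Assumption: any loss of positive pressure discards purge credit.
            self.state, self.purged_s = State.LOCKED_OUT, 0.0
        elif self.state is State.LOCKED_OUT:
            self.state, self.purged_s = State.PURGING, 0.0
        elif self.state is State.PURGING:
            self.purged_s += dt_s
            if self.purged_s >= PURGE_SECONDS:
                self.state = State.RUN
        # Over-temperature removes the permissive without discarding the purge.
        return self.state is State.RUN and temp_c <= MAX_TEMP_C

def run_trace(samples, dt_s=10.0):
    """Feed (door_closed, dp_pa, temp_c) samples; return the permit per scan."""
    ilk = PurgeInterlock()
    return [ilk.scan(door, dp, temp, dt_s) for door, dp, temp in samples]

# Constructed scenario: purge, run, door opened for maintenance, full re-purge.
SAMPLE = ([(True, 40.0, 30.0)] * 14 + [(False, 0.0, 30.0)]
          + [(True, 40.0, 30.0)] * 14)

if __name__ == "__main__":
    for i, permit in enumerate(run_trace(SAMPLE)):
        print(f"t={i * 10:4d}s permit={permit}")
```

The default state is locked out, so a restart of the logic always forces a fresh purge before power is permitted.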
One last subject, the difference between explosion-proof and intrinsically safe, should be mentioned. A device that is explosion-proof is contained, so that it is capable of withstanding a gas or vapor explosion. An intrinsically safe device is designed so that it is not capable of causing an explosion in the first place.
It can be easy to overlook the presence of minute particles or vapors in the ambient conditions where our machine or process is intended to operate, but the consequences can be deadly. Please take precautions and ask the right questions to make sure that, where necessary, we are not only safe, but intrinsically safe.