Intrinsic Safety – separating fact from fiction
06 August 2020
How well do we understand Intrinsic Safety and how to achieve it? Roger Highton, Product Line Manager for MTL Process Connectivity Products at Eaton, separates the facts from the fiction.
(Click here to view article in digital edition)
Achieving intrinsic safety (IS) in industrial applications is an essential part of protecting people, plant and product from risk. Despite this, common misunderstandings about IS persist. The aim of this article is to summarise the basic principles that underly IS design and to debunk some of the most common areas of misunderstanding.
The presence of potentially flammable substances is a common occurrence in virtually any industry. Whether the environment is an offshore oil rig, a chemical plant, a flour mill, a water treatment works or a vehicle paint-shop, if flammable gases, dusts or vapours accumulate in sufficient concentration there is a risk of fire or explosion. Intrinsic safety is an electrical design approach that prevents explosions from occurring by ensuring that the energy transferred to a hazardous area is well below the energy required to initiate an explosion. This energy can take the form of an electrical spark, or a hot surface.
The major advantage of intrinsic safety is that it provides a solution to all the problems of hazardous areas (for equipment requiring limited power) and is the only technique which meets this criterion. In addition, the IS technique is universally accepted and is incorporated under all local legislation: including ATEX and OSHA.
Based on our experience, here are the five key assumptions that are made about IS – and why they are true or false.
Assumption #1 – Adding an IS interface will make my equipment intrinsically safe
This is a common myth, but a potentially dangerous one. Adding an IS interface (isolator or barrier) does not make any equipment intrinsically safe. Mitigation of explosion risk can only be achieved by installing equipment that has been specifically designed to meet IS requirements along with a suitable IS interface. Where intrinsically safe equipment is interconnected by wiring, the safety of each piece of equipment is affected by the performance of the other pieces of apparatus in the circuit. The IS technique relies on the system being correctly designed and intrinsic safety becomes a system concept. Other methods of explosion protection are also dependent on the system concept to some extent, but it is a fundamental requirement of intrinsic safety.
Assumption #2 – The safety description of the IS interface is compatible with the IS device, design complete!
On its own, assessing the safety description compatibility by checking that the voltage, current and power outputs (Uo, Io and Po) of the IS interface is less than the voltage, current and power inputs (Ui, Ii and Pi) of the IS device does not guarantee that components selected for IS environments will function effectively. The first step is to ensure that the device is fully compliant and meets the relevant safety requirements. The second step is all about the practicalities. Will the device function properly? For interfaces, this requires careful checking of operational parameters such as voltage and current.
To illustrate this point, let us consider an application for an analogue input with a 2-wire loop powered transmitter (see Figure 1). This will have a minimum operational voltage, typically 10.5V. The IS interface must be able to supply this voltage after subtracting the voltage drop in the cabling.
Let’s consider a passive barrier for this application, assessing the voltage drop across both channels of the barrier plus the voltage drop across the typical 250 ohms safe area load using Ohm’s Law. The calculation is as seen below:
As a result, we can see that the cable resistance could be 26 ohms, which – with a cable resistance of 50 ohms/km – could support 520m of cable. However, just a small drop (0.6V) in the power supply voltage would cause failure of the loop.
Isolating barriers and active barriers provide a guaranteed minimum voltage which, for a typical isolator used in this application, is a minimum of 16.5V at 20mA. So, with an available voltage drop for cabling of 16.5-10.5 = 6V, this solution provides a much greater operational margin.
Assumption #3 – Zener barriers and isolators are interchangeable
There are two types of IS interfaces widely adopted by users of intrinsic safety: IS Zener barriers and IS isolating barriers. An end user site will usually have elected to use one or the other, so it is recommended that they continue to use the same interface type. These interfaces have very different installation and maintenance requirements, so it is important to understand them.
Most IS Zener barriers are simple, versatile, loop powered interfaces that require a tightly controlled power source, with limited voltage available in both hazardous and safe area connections. They require a safety earth that is regularly tested as it is a fundamental requirement of the safety of this technique. IS isolators are more complex with a shorter Mean Time To Failure (MTTF). They are application specific, can be used with a wide range of power supplies, can provide higher voltage in both hazardous and safe area connections, and simplify regular inspection requirements.
Assumption #4 – It doesn’t matter what cabling you use if the equipment is certified IS
Figure 1 – This illustration shows an analogue input with a 2-wire loop powered transmitter.
Because cables have inductance and capacitance, and hence energy storage capabilities, they can affect system safety. Consequently, the system design imposes restrictions on the value for each of these parameters: but only rarely is there a serious limitation placed on the available cable.
As cable faults are taken into account during the system analysis, the type of cable in individual installations is not closely specified in the system standard. The choice is therefore determined by the need for reliable system operation. Where intrinsically safe systems are combined in a multi-core, then there are special requirements. These determine which additional faults have to be considered.
Intrinsic safety does not require mechanical protection of the cable with armour or conduit, permitting the use of conventional instrumentation cables and thus reducing costs. The cable parameter checks are straightforward, simply requiring that the capacitance and inductance of the cable and field devices is less than the capacitance and inductance allowed for the IS interface for the Gas Group in which the equipment is installed. Usual practice is to calculate the maximum cable length allowed for a particular installation, ensuring this is not exceeded when designing the cable runs.
Assumption #5 – Under Ex ic, the IS system rules are not as strict in Zone 2 as they are for Zone 1
This erroneous assumption arises from a misinterpretation of the Ex designations. Intrinsic safety utilises three levels of protection, ‘ia’, ‘ib’ and ‘ic’ which balance the probability of an explosive atmosphere being present against the probability of an ignition-capable situation occurring. The use of these levels of protection ensures that equipment suitable for each level of risk is available (normally ‘ia’ is used in Zone 0, ‘ib’ in Zone 1 and ‘ic’ in Zone 2). The Zone 2 designation indicates that the risk of an explosive is infrequent.
Until Ex ic was incorporated in the intrinsically safe standards, the designer had to assess the risk of different wiring options with minimal guidelines on installation. There are now clear guidelines on how intrinsically safe equipment should be installed and maintained in Zone 2 designated areas. One example is a requirement for segregation of an exposed IS conductor of at least 50mm from a non-IS circuit, which makes the requirements for layout of a marshalling panel clear.
Roger Highton, Eaton MTL
Misunderstandings about the nature and application of intrinsic safety continue in our industry, and we should take every opportunity to challenge and correct them.
The IS system designer must accept responsibility for the adequacy of the design and the safety implications of the use of the system in association with hazardous areas. The designer must therefore have an appropriate level of knowledge and training and should recognise the importance of getting the analysis right.
The analysis of simple systems is relatively easy and can be done by any competent professional engineer. Sourcing IS equipment from reputable manufacturers may provide further reassurance and expertise. For more complex systems – such as those using a combination of non-linear and linear sources of power where a greater degree of experience is required – it may be desirable to approach an ‘approved certification body’ to provide an analysis for such a system.
About the author:
Roger Highton is Product Line Manager for MTL Process Connectivity Products for Eaton. Roger has worked in the automation industry for more than 25 years, with a special interest in working with end users on the development and adoption of new connectivity and digitisation technology.
Contact Details and Archive...