14 June 2011
HazardEx readers will be familiar with the developments in standards and certification regimes for electrical equipment, which Ron Sinclair writes about regularly. Much less has been written about mechanical standards for Ex equipment in recent times but some fairly fundamental differences in view were evident at the recent meetings in Stockholm of the project teams producing what will become in time ISO 80079-36 and -37.
As chair of the BSI mirror committee FSH/23, I would welcome views on these issues, from a wider range of interests than are represented at FSH/23 meetings. As you will know, the ATEX equipment directive applies to both mechanical equipment and electrical equipment, where the mechanical equipment is intended for use in a potentially explosive atmosphere, and has the potential to act as an ignition source. The different parts of EN 13463 form a set of harmonised standards, which set out how mechanical equipment can reach the requirements for ATEX category 2 and 3 equipment.
ISO 80079-37, will set out requirements for equipment that meets ATEX category 2 requirements, (protection level Gb) using one of the types of protection b,c or k.
Under ATEX, mechanical equipment for either category 3 or 2 does not require any assessment of the equipment by an independent test house. The manufacturer is free to apply the standard in the way using his own interpretation. That will result in some variation, for example, in the rigour with which the analysis of the hazards is completed, but the ATEX directive allows this, and there has been no suggestion that this self- certification procedure should change. These EN Standards written with self- certification in mind contain some goal setting requirements, rather than detailed tests or measurements, and this makes it more likely that the standard can be applied sensibly to a very broad range of mechanical equipment.
At IEC level, there is an increasing use of the IECEx scheme, whereby test houses from around the world issue certificates, and self- police the quality of the work between different laboratories by peer view. At the recent PT team meeting, the view was pressed from the USA representative, that the standards should be written to allow, or even encourage the issue of IECEx certificates for mechanical equipment. Such certificates would not be recognised for ATEX category 3 and 2 mechanical equipment, and European notified bodies should not issue them, using their European NB status. So the question arises, whether either users or manufacturers would welcome the availability of third party certified mechanical Ex equipment, possibly backed up by an IEC Ex certificate? Clearly there would be a cost involved, but this may be balanced by increased ability to sell equipment around the world. Would it be likely that expensive modification would be needed, perhaps with little gain in safety, for many manufacturers? Is there any demand from users? Your views would be welcome on this question.
Separately from this, some sharp divergence of view was evident in respect of the equipment that could be constructed using the type b protection concept, ‘control of ignition sources’.
As I originally understood this, it allowed the manufacturer of some item of mechanical equipment to fit a device/means of detecting that the equipment was developing a fault that could create an ignition source, and either warn the user, or automatically take action would which control the risk. At a simple level, this could be a belt speed monitor on a conveyor belt, if the belt speed dropped, it would indicate slippage in the drive, and the risk of overheating at the drive drum. The conveyor might trip automatically in this case. A simple electrical relay would be provided, to be incorporated into the power supply to the drive motor. Alternatively, a pressure sensor might monitor the oil pressure in coolant system of a reactor with a stirrer and mechanical seal. Low oil pressure indicates a fault, and after a period of time overheating leading to an ignition risk is possible. In this case, the reactor may have no more than a warning light on the control panel, as an automatic stop might not be safe. In these basic cases, there is no need for the protection system to pass through or form any part of some more complex control system. No programmable electronic system need be involved, and the sensor is linked directly to the actuator. Where this is the case, there seems general agreement that we do not need any sophisticated analysis of the system, as would be needed for a SIL rated control loop. The existing EN standard quite deliberately avoids linking this type of protection to a stated SIL level.
However, within the IEC PT there was pressure to extend this simple concept. It was argued that almost all equipment that had condition monitoring sensors was now linked into a plant wide control system, with an output that was not simply safe/unsafe. Moreover, the expectation was that the equipment user should be allowed to adjust any set point (perhaps within limits). There could be a need to balance the risk of unwanted shut downs caused by the condition sensor, with the risk of increasing temperature, where there is often no sharp dividing line between what is safe and what is unsafe. The temperature limit might depend on the chemicals in the process, and the equipment manufacturer has no control over this.
If this extension of the protection concept is adopted, it becomes more difficult to specify the extent of the responsibility of the equipment manufacturer, and hence more difficult for anyone to claim compliance with the standard, whether or not this is supported by an IECEx certificate. Can the equipment manufacturer simply supply equipment with some sensor, and nothing else as hardware, leave the user to incorporate it into the existing plant controls according to instructions provided, and claim compliance with the standard? Has the manufactuer any liability if the set points are adjusted in a way contrary to instructions?
The next level of complexity arises when the basic equipment with a space for a sensor is placed on the market by one manufacturer, and another manufacturer provides for it the control system, including the sensors and actuators. This is the normal situation with plant protected against a dust explosion by a suppression system. The whole suppression system with its PLC is supplied as a single package. The suppression system in this case is not ATEX equipment, but it in Europe it needs certification as a ‘protective system’
If a packaged sensor/actuator/control system was supplied designed to prevent an ignition source becoming active, should the standard allow this to claim compliance, when fitted to some identified item of equipment? Effectively this is what Pyroban do with lift trucks, they sell the conversion, but do not make the original truck. Leaving aside the issue of whether gas detection is acceptable as a protection concept, should the 80079-37 standard be written to allow either the truck maker or converter to claim compliance? If so, who should do the ignition hazard assessment, and who should specify the set points defining the safety limits, or determine what action is required in response to a signal from the actuator that an unsafe condition is developing?
Is this sort of divided responsibility compatible with a 3rd party certification scheme?
Before we go much further, we need views about what the market actually wants. Assessing this for new work areas is not one of IECs strong points.
Comments and views should be sent to firstname.lastname@example.org