An intrinsically safe (IS) control system is designed to reduce the possibility of ignition from components and circuits when used in an explosive or flammable atmosphere. IEC 60079, NEC articles 500-506 and ATEX Directive 2014/34/EU are but a few of the national and international standards that define intrinsically safe components, circuits and systems. The required result of an intrinsically safe electrical control system is to remove any possible source of ignition within the atmosphere.
Before starting an intrinsically safe design, the engineer must identify and classify the specific nature of the area being considered hazardous. In North America, NFPA defines the areas using classes, divisions and zones. European classifications use a zone and group classification as defined by IEC 60079. In addition to national standards, local standards, industry practices, company policies and insurance requirements may also need to be considered and observed.
After the operational environment is understood, system design can proceed. Intrinsic safety can only be achieved using a whole system approach. It is not enough to simply pick devices rated to be intrinsically safe for the environment where they are employed. Each circuit must be analyzed to determine the amount of available energy released during the occurrence of a fault.
Most intrinsically safe control systems have a safe area and a hazardous area. The safe area is a separate room or a specially constructed enclosure that is not exposed to the hazardous atmosphere. The safe area contains the logic control devices, power supplies, incoming power and interfaces with other equipment. The hazardous area contains the sensors, actuators and devices used in the manufacturing process. The two areas are separated by an intrinsically safe barrier designed to limit the voltage and current supplied from the safe area to the hazardous area equipment. Between the safe area barrier and the hazardous area, a sealing method is employed to separate the two atmospheres.
Circuit design begins with the equipment selection. Devices used in the hazardous area must be approved for use in the class or zone where they are installed. In addition to operating the device within the manufacturer’s specifications, the equipment must also withstand the chemicals present in the environment. Purchasing the devices from well-known companies and distributors minimizes the risk of getting counterfeit products and provides access to technical assistance when needed.
The goal in an intrinsically safe design is to limit electrical power to levels below those required to produce a spark and to prevent surface temperatures that can cause combustion. Traditionally, each device is connected to the barrier with an individual set of power and signal wires or cable. Multi-conductor cables are acceptable, but cable length and capacitance are factors in circuit design. Most cable manufacturers offer wire and cable products that meet international safety standards and document the products as such.
Conventional fieldbus systems such as DeviceNet, Ethernet/IP and Modbus can’t be used in an intrinsically safe system because the amount of power required to drive the communication system alone exceeds the allowable energy per IS circuit. However, Rockwell Automation's ControlNet Ex is a fieldbus option for use in a variety of hazardous areas. Standard fieldbus systems can still be used, but the remote I/O modules must be placed in a safe-zone area such as a purged enclosure or explosion-proof enclosure. IS barriers would then be placed in the circuit before the signals enter and exit the enclosure. Foundation Fieldbus describes three bus models that may be used in some hazardous areas. Several manufacturers offer products adhering to these models, which may reduce total installation costs.
Intrinsically safe barriers are designed to not only limit the energy supplied to an external field device but also to fail in a safe mode if a fault occurs. The barrier is constructed with three basic functions:
- a fusing component that opens the circuit in the event of a fault condition
- a resistive component that limits the amount of current under normal operational conditions
- a voltage clamping component—Zener diode—that limits the voltage supplied to the connected device.
The barrier devices may have one or more channels incorporated into a single module, but the actual I/O points are separated on the hazardous-area side. Optional functions may include automatic or manual resetting features and status monitoring (safe area) features.
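The loop analysis implied by the barrier description and the cable-length remark above can be sketched as a parameter comparison. This is an added example, not part of the original article: the symbols (Uo, Io, Po, Ui, Ii, Pi, Co, Lo, Ci, Li) follow common entity-parameter notation, every value is constructed, the fuse is not modelled, and the simple summation is a simplification that does not replace the governing standard or the apparatus certificates.

```python
from dataclasses import dataclass

@dataclass
class Barrier:               # safe-area side (associated apparatus)
    uz: float                # Zener clamp voltage, V
    r: float                 # series current-limiting resistance, ohm
    co: float                # max external capacitance allowed, F
    lo: float                # max external inductance allowed, H

    def uo(self): return self.uz                      # open-circuit voltage
    def io(self): return self.uz / self.r             # short-circuit current
    def po(self): return self.uz ** 2 / (4 * self.r)  # matched-load power

@dataclass
class FieldDevice:           # hazardous-area side
    ui: float                # max input voltage, V
    ii: float                # max input current, A
    pi: float                # max input power, W
    ci: float                # internal capacitance, F
    li: float                # internal inductance, H

@dataclass
class Cable:
    length_m: float
    c_per_m: float           # F/m
    l_per_m: float           # H/m

def check_loop(b, d, cable):
    """Return pass/fail per criterion for one barrier-cable-device loop."""
    cc = cable.length_m * cable.c_per_m
    lc = cable.length_m * cable.l_per_m
    return {
        "voltage": b.uo() <= d.ui,
        "current": b.io() <= d.ii,
        "power": b.po() <= d.pi,
        "capacitance": d.ci + cc <= b.co,
        "inductance": d.li + lc <= b.lo,
    }

def max_cable_length(b, d, cable):
    """Longest run (m) before stored energy in the cable breaks the limits."""
    by_c = (b.co - d.ci) / cable.c_per_m
    by_l = (b.lo - d.li) / cable.l_per_m
    return max(0.0, min(by_c, by_l))

# Constructed sample values, not taken from any certificate.
BARRIER = Barrier(uz=28.0, r=300.0, co=83e-9, lo=4.2e-3)
DEVICE = FieldDevice(ui=30.0, ii=0.100, pi=0.75, ci=5e-9, li=10e-6)
CABLE = Cable(length_m=300.0, c_per_m=200e-12, l_per_m=1e-6)

if __name__ == "__main__":
    print(check_loop(BARRIER, DEVICE, CABLE), max_cable_length(BARRIER, DEVICE, CABLE))
```

With these constructed values the 300 m run passes every criterion, while a 500 m run of the same cable fails on capacitance alone.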
Programmable logic controllers are the most commonly used control method in a modern system. However, pneumatic logic is a solution that is entirely intrinsically safe and may offer a degree of safety that cannot be achieved using electrical devices. The advantage of pneumatic logic is that the energy used and stored is a nonflammable and non-explosive gas. If no amount of oxygen is allowed in the operating atmosphere, pneumatic logic can use nitrogen or some other inert gas. Pneumatic logic components are typically miniaturized three- and four-way air valves. The interconnections between the valves create all the standard logic gates, timers and counters used in a control scheme.
The disadvantages of pneumatic logic are many:
- Proper design requires a different expertise than many controls engineers possess.
- Reading and understanding pneumatic logic diagrams can be challenging.
- A pneumatic system requires more maintenance than electronic systems.
- A pneumatic system exhibits a decline in performance over time.
- Malfunctions can be hard to troubleshoot.
Safety should always be a major consideration in any control design, especially if the field devices are to be operated in a hazardous atmosphere. Safety and electrical design standards are constantly evolving. Use the latest applicable regulations in any design.