Part I of this article defined intrinsic safety and hazardous areas. Review it before continuing.
For programmable logic controllers (PLCs), the rack may have to be duplicated so that the logic is fail-safe. If duplicity is not used, then, as a minimum, safety hardware is used. However, most flammable areas of operations require two processors, which is not covered by safety hardware. Why? A safety PLC processor could fault, and devices in a hazardous area cannot withstand an unsafe failure. Thus, having a dual rack with automatic take-over keeps the area in compliance if and only if the processor was to fault and a secondary processor had to take over. Software and the rack must be exact duplicates for such systems to work.
Also, alarms need to be sorted in a hierarchy that will delegate shutdown in a way that protects people and equipment. Such alarms would be tested on commissioning and routinely to maintain hazardous location safety status.
Get your subscription to Control Design’s daily newsletter.
Human-machine interfaces (HMI) are critical for controlling a hazardous environment, though the HMI may be better off remote and shared indications in the area. HMI standards may be found with the Industrial Society of Automation (ISA), International Electrical Commission (IEC) and Engineering Equipment and Materials Users Association (EEMUA). ISA 18.2 and IEC 62682:2023 are aligned with EEMUA 191, which was recently updated for management of alarms in process industries.
For instance, if the HMI is in the physical area, it needs to be intrinsically safe, or ATEX-certified, free from being able to spark or ignite the environment it is in, and its ease-of-use is critical.
The whole idea should be based on simple control and alarm management. Some companies would still prefer a button shutdown, unless a shutdown procedure is preprogrammed for a manual shutdown emergency.
What should be kept in mind for alarming and shutdown procedures of intrinsic systems is simple cause and effect. Determining the effects of a cause will allow alarm management and determine how the system should respond. For instance, if a fuel-cell test unit indicates overheating or has a gas leak, then, straight away, it is indicated by a high temperature for overheating and by lower-than-normal pressure over time for a leak. Both responses would constitute turning on air flow at regulated cubic feet per meter (CFM) to evacuate the test area of gases and then shutting down fuel-cell test units until the activity is resolved, if the alarms cannot be reset.
Such indications can be set into flows based on monitoring and response. If these are documented in cause-and-effect tables, then writing the responses in the code or setting up test criteria on startup is easier. Manual call points should be installed, as well, so that manual shutdowns can be instigated if operators notice the condition beforehand.
The eye into the alarms is the HMI, and it is critical to program alarming in such a way that it can relate to a flow and instruct the operator on proper shutdowns. This includes showing the last step, current step and next step of the process, so that operations are clear and communications of process is direct.
The HMI is less dangerous than code changes; thus it should be intuitive and easy to navigate and use state indications agreed upon by the organization. If the system can be troubleshot from the HMI without exposing wiring or potential sparks in a hazardous environment, then the design could be considered successful. Otherwise, the same standards apply to the HMI as the PLC—intrinsically safe, enclosed and protected, certified to standards, coded with a thermal management for the environment being used and coordinated alarm deployment between the PLC and HMI.
As a secondary, there should be manual buttons that can instigate shutdown if the HMI hardware fails. Wireless HMIs could be an option, but wireless HMIs are small and may not present the screen options needed, and then also a secondary option is still needed for redundancy.
Remember, the idea of intrinsic safety is to prevent explosion or spark, or threat of contamination, explosion or spark. Think of intrinsic safety like being a lifeguard: it is easier to prevent a drowning than to rescue a life. If we design like lifeguards, to prevent, then we have a higher chance of avoidance of incident.
To review, hazardous areas include low-energy signaling, safety barriers, isolation of hazardous areas, certified equipment, redundant hardware systems, alarm management, shutdown procedures and testing, as well as documented engineering change processes for the implementation of machine upgrades or modifications. In nuclear facilities, it could take months to get something as simple as a button change. Safety first.
