3) Installation & Inspection of IS apparatus - An introduction
3.1 General
The long-term continued safety of an intrinsically
safe system depends on adequate inspection and maintenance.
The relevant IEC standard is IEC 60079-17, which
deals comprehensively with all methods of protection. Where installations
are required to comply with the European 'user' Directive 1999/92/EC,
a documented inspection procedure becomes a part of the required
risk analysis.
Any work on
a hazardous plant needs to take into account overall plant
safety. Consequently it is necessary to comply with the safety
practices of the particular installation (for example work
permits), even though the risk of ignition from the intrinsically
safe circuits is minimal, and gas clearance certificates are
not necessary. In some ways this is even more important in
the pre-commissioning stage.
If there are
significant changes in the plant operation which, for example,
modify the area classification, then the safety analysis must
be reviewed, the documentation modified, and possibly the
inspection procedure changed and/or repeated.
The procedure places the onus for ensuring that
the equipment used is suitable for its location on the creator of
the installation drawing. The nature of an inspection depends on
how well the installation drawing, which changes the system design
drawing into a drawing specific to a particular installation, has
been carried out.
If the documentation is inadequate then any inspection
can only be carried out by someone with detailed knowledge of the
plant and exceptional expertise in hazardous area practice. Because
such a person rarely exists, this analysis assumes that the documentation
is adequate, and uses Figure 3.1 to illustrate the process.
If the person doing an inspection does not understand
some aspect of the drawing, or believes it could be wrong, then
they should be encouraged to question the document. IEC 60079-17
requires the identification of 'a technical person with executive
function' to be responsible for inspection related matters in each
installation. This person should be known to the technician doing
the inspection, and should be available and able to answer questions.
The installation drawing should take into account
what can be checked on the installation. For example, quoting permissible
capacitance and inductance for a cable is not useful, because although
it is possible to check these parameters, it is not easy to do so.
Stating an acceptable type and length is much more useful.
The use of information available from ‘intelligent’
instruments can considerably reduce the routine inspection considered
necessary on an intrinsically safe system. The use of this intelligence
to reduce the inspection requirement is recognised in IEC 60079-17
clause 5.3.1 but not discussed in detail.
The ability to identify a specific field instrument
from the safe area, without having to go and read the label on the
instrument, is a significant advantage. Almost all of the digital,
“intelligent” instruments (HART, Foundation Fieldbus,
etc.) enable the serial number of an instrument to be read remotely.
The computer record can then be used to confirm that it is the specified
instrument, thus ensuring it satisfies all the requirements of the
particular installation.
This type of check can be done at frequent intervals
without interfering with operational requirements. The inspection
of an instrument is then reduced to looking for mechanical damage
or excessive corrosion which is comparatively easy and significantly
less tedious.
A remote check that the instrument is functioning
correctly does not necessarily ensure that it is still safe but
it does confirm that it has not been significantly damaged and is
probably still safe. This does imply that any malfunction should
be quickly corrected or the defective equipment removed or at least
made safe. A frequent check on functionality is a significant factor
in further reducing the risk associated with any hazardous area
apparatus.
How far this type of automatic inspection can
simplify the inspection procedure is a decision for the end-user.
But it is arguably a more reliable technique than manual inspection
and simplifies the recording of the process. A relatively simple
computer system can give ready access to the relevant installation
and system drawings, which may be required if further investigation
is thought to be necessary.
Some users may consider it desirable to do an
occasional thorough spot check as reassurance that the system is
functioning but this is a counsel of perfection. These techniques,
combined with the availability of certificates and manuals on manufacturers’
websites, can lead to safer installations and a reduction in the
bureaucratic load created by safety legislation.
3.2 Initial inspection
An initial inspection to ensure that the installation
complies with the installation drawing is critical.
Figure 3.1 - Typical installation
drawing for IS system
Where an adequate drawing such as Figure 3.1
exists, the initial inspection should ensure that the actual installation
conforms to the drawing.
Usually this
involves checking each individual loop stage by stage, which
involves a good deal of opening enclosures and clambering
over structures. Where the technician involved is suitably
qualified this inspection can be combined with the operational
checks. However some organisations separate the two requirements,
preferring 'independent' safety inspections. This separation
of functions is not conducive to shortening start up times.
Frequently the initial inspection demonstrates
the inadequacy of plant labelling, and the opportunity to improve
this feature should not be missed.
3.3 Periodic inspections
The objective of periodic inspections is to ensure
the system has not appreciably deteriorated and has not been modified
in an unauthorised way.
The required
frequency of periodic inspections is influenced by many factors,
such as the immediate environment, the presence of corrosive
atmospheres and the susceptibility to mechanical damage. A
usual starting point is to consider a three-year cycle, inspecting
a third of the apparatus every year. If the inspection shows
widespread deterioration then the inspection period should
be shortened and remedial action taken.
Establishing
that the intended apparatus is still in place is relatively
easy providing that the apparatus has a unique identity. Usually
the manufacturer's type number is adequate. Much has been written
about checking the marking on the labels but, except as an
intellectual exercise, there is little point. Providing that
the inspector is convinced that the apparatus is the intended
apparatus then he has fulfilled his function. He should be
encouraged to ask questions if he is unhappy about the apparatus
or if the circumstances of use have changed but fundamentally
it is not reasonable to expect a detailed analysis of every
loop.
It is usually
worth creating separate drawings of such things as interface
cabinets and junction boxes so that they can be readily checked
for any sign of unauthorised modification. Similarly preparing
short lists of field equipment grouped in a particular area
with their essential points of inspection can shorten the
time required.
Most modern
(smart) instruments can be identified from the safe area computer.
It is relatively simple for the computer to check that the
field instrument is unchanged and raise a flag if it is changed.
This can be done frequently. The periodic inspection for that
apparatus is then reduced to checking for deterioration.
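
The remote identity check described here and in section 3.1 can be sketched as follows. This is an added example, not code from the original page: the loop tags, manufacturer, type numbers and serial numbers are constructed sample data, and the poll results are supplied as a dictionary because how the identity is read (HART, Foundation Fieldbus, etc.) is outside its scope.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    manufacturer: str
    type_number: str
    serial: str

# Constructed sample data: identities recorded at the initial inspection,
# keyed by loop tag (hypothetical tags, type numbers and serial numbers).
RECORDED = {
    "PT-101": Identity("ExampleCo", "PX-200", "SN0001"),
    "TT-102": Identity("ExampleCo", "TX-310", "SN0002"),
    "FT-103": Identity("ExampleCo", "FX-120", "SN0003"),
}

# Constructed sample poll results read from the safe area; None means no reply.
POLLED = {
    "PT-101": Identity("ExampleCo", "PX-200", "SN0001"),
    "TT-102": Identity("ExampleCo", "TX-310", "SN0999"),  # unit was swapped
    "FT-103": None,
    "LT-104": Identity("ExampleCo", "LX-050", "SN0004"),  # not on any drawing
}

def check_identities(recorded, polled):
    """Return {tag: (status, detail)} comparing polled identities to the record."""
    findings = {}
    for tag, exp in recorded.items():
        act = polled.get(tag)
        if act is None:
            findings[tag] = ("NO_RESPONSE", "malfunction: repair or make safe")
        elif (act.manufacturer, act.type_number) != (exp.manufacturer, exp.type_number):
            findings[tag] = ("WRONG_TYPE", f"found {act.type_number}, drawing says {exp.type_number}")
        elif act.serial != exp.serial:
            findings[tag] = ("SERIAL_CHANGED", f"found {act.serial}, record says {exp.serial}")
        else:
            findings[tag] = ("UNCHANGED", "inspect for deterioration only")
    # Devices that answer but have no entry in the installation record.
    for tag in polled.keys() - recorded.keys():
        findings[tag] = ("UNDOCUMENTED", "no entry in the installation record")
    return findings

def flagged(findings):
    """Tags that need follow-up beyond the mechanical deterioration check."""
    return sorted(t for t, (status, _) in findings.items() if status != "UNCHANGED")

if __name__ == "__main__":
    for tag, (status, detail) in sorted(check_identities(RECORDED, POLLED).items()):
        print(f"{tag}: {status} - {detail}")
```
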
There is a strong link between the need for periodic
inspections for operational and safety reasons and it is usual to
combine the requirements. For example, the short piece of field
wiring used for the final connection to the instrument is often
prone to mechanical damage and consequently is usually included
in the inspection procedure even though its open or short-circuit
failure would not create an incendive spark.
The check for mechanical deterioration is usually
a quick check for corrosion, impact damage, efficiency of seals,
security of mounting and adequacy of cable glands. Some judgement
on the need for repair or replacement is required, and the need
for operational reliability usually determines the necessary action.
There is however no substitute for a well-trained
technician with the right attitude.
3.4 Testing of apparatus
Sometimes it is suggested that apparatus should
be removed for periodic testing.
In practice, if an intrinsically safe loop is
functional then it is very unlikely to have failed in a dangerous
mode. Components critical to safety are derated, so the probability
of external circumstances causing them to fail without causing a
malfunction is small.
There is a bigger risk that a mistake could be
made during the removal and replacement of the apparatus being tested.
The argument for not interfering with a system, which has survived
the initial inspection and is still functional, is very powerful.
A particular case sometimes cited is regarding
shunt-diode safety barriers. Failure rate statistics can always
be questioned, but the undetected failure rate to danger of a barrier
(i.e. the shunt diodes not failing to an open circuit condition),
can be readily demonstrated to be better than 10^-10/annum.
With this probability of failure they should remain untouched forever.
If they are removed for any other reason a simple continuity check
has some merit.
If a malfunction does occur, there is a risk
that safety components could also have been damaged and power to
the system should be removed as a precaution. A repair should be
carried out as quickly as possible. Apparatus or wiring, which remains
damaged or is not in use for a considerable time, should be removed
from the hazardous area as it represents an unnecessary risk.
3.5 Testing of earth connections
It is always difficult to balance the traditional
methods of testing earth connections with the need to ensure that
an unacceptable risk to the plant is not introduced. Injecting significant
voltages and currents into ill-defined circuits is not compatible
with avoiding unnecessary risks.
In almost all intrinsically safe installations
cable screens contribute to system safety and need to be earthed.
In some apparatus such as shunt diode safety barriers and apparatus
using a particular type of transformer, the earth connection is
an important part of the method of protection.
Where surge protection against induced voltages
(usually from lightning) is introduced then this introduces a further
complication.
The design of the earthing system needs to be
done with some care and provision made to enable the system to be
tested safely. This is frequently done by providing duplicate leads.
The subject is considered in detail in the section
on earthing and it is not possible to adequately summarise the process.
If you believe in testing earths by injecting
a significant current then think very hard about the possible paths
that the current will use to come back to its point of origin.
If you are confident that the path is well defined
and safe - then there is no point in testing it!
3.6 Testing insulation
Insulation testing is usually carried
out using a high voltage (500V or more), which is not compatible
with the intrinsic safety concept. (The ignition capable capacitance
corresponding to 500Vrms in IIC is 160pF, which is the capacitance
of approximately 1m of cable).
Where insulation testing is considered essential,
it should be carried out using a suitably certified instrument.
This instrument will apply a low voltage only (less than 6V) and
have a low current capability (less than 10mA). However, bear in
mind that it is difficult to ensure that there is no flammable gas
at all points along an instrument circuit during the period of test.
If high voltages are applied, care should be
taken to ensure that the connected equipment cannot be damaged
by the testing. For example, it may be necessary to disconnect any
surge suppression devices that are connected in the circuit. It
will also be necessary to take care to discharge any charge that
may have accumulated in the equipment during testing.
Intrinsically safe circuits are usually fully
floating or earthed at one point. The reason for this is that if
a circuit is earthed at more than one point, the differential potential
between the two points will cause an undefined current to flow through
an unknown inductance. On a well-bonded plant the voltages are low
and the resultant current may not be incendive, but it is still
unknown, could possibly be incendive and is therefore not desirable.
Many intrinsically safe circuits that use shunt-diode
safety barriers are designed to 'fail-safe' in the presence of an
earth fault, and consequently there is no need to test the insulation.
Some circuits, but not many, are provided with earth leakage detection
systems and these do not need testing. Fully isolated circuits would
require two separate faults to earth points some distance apart
before the circuit could possibly be dangerous. The probability
is that two such faults would also create an operational failure
and consequently routine insulation testing of these circuits is
not considered necessary.
There are a few remaining circuits that are not
covered by the above, but the level of voltage and current necessary
to cause an earth fault to be incendive (arguably greater than 9V
and 100mA) would almost always cause an operational failure. Consequently,
routine insulation testing of a functioning circuit on a well-bonded
plant is not necessary or desirable.
The overall conclusion is that routine insulation
testing of intrinsically safe circuits, which are functional, is
not necessary. The emphasis on 'functioning circuits' does however
reinforce the argument for rapid repair of non-functional circuits
discussed elsewhere.
Theoretically, just removing the power from a
circuit with multiple earth connections does not make it safe if
significant differences in plant potential exist. If insulation
testing is thought to be desirable for other reasons it should be
carried out with care using a suitably approved tester. Where apparatus
has to be disconnected during the testing process then special care
is required to ensure that the reconnection is correct, since this
is an obvious risk. This usually involves at least a functional
check.
3.7 Reference to apparatus certificates
Occasionally it will be thought desirable to
refer to the certificate of a piece of apparatus. Sometimes a copy
is available but the preferred technique is to check on the web
for the latest version. Most manufacturers and some certification
authorities make their certificates available by this means. For
example, MTL certificates are available on the web-site http://www.mtl-inst.com/
and IEC Ex certificates are available on the web-site http://www.iec.ch/.
The use of the web ensures that the most recent version of the certificate
is available and that the certificate is complete.
Historical note:
Here is a little cartoon, created about 25 years ago, giving
a tongue-in-cheek impression of how a service engineer in
the year 2000 was likely to be equipped, based on all the
rules and regulations that were being discussed at that time.