| 2) An Introduction
to Intrinsic Safety
The topics on this page include:
2.1 Definition
of Intrinsic Safety
The definition of intrinsic safety used in the
relevant IEC apparatus standard IEC 60079-11 is a 'type of protection
based on the restriction of electrical energy within apparatus and
of interconnecting wiring exposed to the potentially explosive atmosphere
to a level below that which can cause ignition by either sparking
or heating effects'. This is a concise statement of intent to introduce
a multi-faceted subject.
Return
to top
2.2 Typical
intrinsically safe system
Click on the circuits
or uncertified apparatus in the diagram for more information
Figure 2.1
Figure 2.1 illustrates a typical intrinsically
safe (IS) system where the safe performance of each piece of
apparatus is dependent on the integrity of all the equipment in
the system. For example, the safety of the Temperature Transmitter
[Tx] depends upon the amount of energy supplied by the IS Interface.
In most process control applications, each piece
of apparatus in a system is individually certified. A document that
confirms the safety of the whole system is then produced using the
information from the individual apparatus certificates, in accordance
with the system standard IEC 60079-25. This system document
also includes details of cable types and simple apparatus used in
the system.
It is important to recognise that where pieces
of intrinsically safe apparatus are interconnected, it is the safety
of the system that must be established. There are however
some examples of apparatus which stand alone, such as mobile radios
and portable gas detectors, where the system approach is not relevant.
Return
to top
2.3 Levels
of protection
Intrinsic safety utilises three levels of protection,
'ia', 'ib' and 'ic' which attempt to balance the probability of
an explosive atmosphere being present against the probability of
an ignition capable situation occurring.
'ia'
This offers the highest level of protection and
is generally considered as being adequately safe for use in the
most hazardous locations [Zone 0] because the possibility of two
'faults' (see below) and a factor of safety of 1.5 is considered
in the assessment of safety.
'ib'
'ib' apparatus, which is adequately safe with
one fault and a factor of safety of 1.5 is considered safe for use
in less frequently hazardous areas [Zone 1].
'ic'
'ic' apparatus which is assessed in 'normal operation'
with a unity factor of safety is generally acceptable in infrequently
hazardous areas [Zone 2]. The 'ic' concept is relatively new (2005)
and will replace the 'energy-limited' [nL] of the type 'n' standard
IEC 60079-15 and possibly the 'non-incendive' concept of North American
standards.
It is usual for a system to be allocated a level
of protection as a whole, depending on the level of protection of
the apparatus in the system. However it is possible for different
parts of a system to have different levels of protection where suitable
segregation exists. This must be made clear in the system documentation.
Return
to top
2.4 Faults
If a fault can adversely affect the safety of
the equipment it is called a 'countable' fault.
The situation is further complicated because
the apparatus standard permits some specially designed components
to be regarded as infallible and some inadequately designed features
to be failed in normal operation. Consequently there are faults
that are not considered to happen, faults, which are counted, and
faults, which are imposed but not counted.
One of the major advantages of intrinsic safety
is that 'live maintenance' on equipment is permitted without the
necessity of obtaining 'gas clearance' certificates. A consequence
of this is that during the safety analysis the possibility of open
circuiting and short-circuiting any field wiring is regarded as
normal operation.
Fortunately understanding the apparatus standard
and faults is only necessary for apparatus designers and certifying
authorities. The apparatus certificates remove the necessity to
consider faults, except for field wiring faults, in system design.
Return
to top
2.5 Simple
apparatus
In general, intrinsically safe apparatus is
certified; usually by an independent body such as an Accredited
Certification Body [ACB] under the IEC Ex scheme. Self-certification
by the manufacturer of 'ic' equipment is also quite commonly accepted.
The exception to the rule is 'simple apparatus',
which is considered not to appreciably affect the intrinsic safety
of the system. This apparatus is exempted from the requirement for
certification. The simple requirements are clearly specified in
the apparatus standard.
'Simple apparatus' should always be readily demonstrable
to be adequately safe. The usual examples are switches, thermocouples,
RTDs and junction boxes.
Return
to top
2.6 Cables
Because cables have inductance and capacitance,
and hence energy storage capabilities, they can affect system safety.
Consequently the system design imposes restrictions on the amount
of each of these parameters. A great deal has been written on this
subject but only rarely is there a serious limitation placed on
the available cable.
As cable faults are taken into account during
the system analysis, the type of cable in individual installations
is not closely specified in the system standard. The choice is therefore
determined by the need for reliable system operation.
Where intrinsically safe systems are combined
in a multi-core, then there are special requirements. These determine
which additional faults have to be considered.
Return
to top
2.7 Gas classification
The amount of energy required to ignite a particular
gas/air mixture varies for each gas.
Industrial gases capable of being ignited are
divided, in the UK, into three classes, IIA, IIB and IIC
Table 2.1 Typical gases, their classification
and ignition energies
| Typical Gas |
Gas Group |
Ignition energy |
| Methane |
IIA |
160µJ |
| Ethylene |
IIB |
80µJ |
| Hydrogen |
IIC |
20µJ |
The table shows a representative gas for each
group and the minimum energy required to ignite it. IIC is clearly
the most sensitive.
Apparatus can be designed to be acceptably safe
in any of these groups. Usually apparatus is designed to be safe
in IIC, because it can then be used in any gas atmosphere. Sometimes
a IIB classification is used as this permits slightly higher powers
to be available. Only very rarely however is apparatus designed
for the IIA classification because this restricts its use to this
group alone.
Apparatus is usually assessed using the curves
and tables included in the apparatus standard which lists acceptable
levels of current and voltage. More complex circuits are checked
with 'spark test' apparatus; normally the preserve of certifying
authorities.
Return
to top
2.8 Temperature
classification
The second method of causing an explosion is
normally considered to be ignition by a hot surface. When a gas
is heated above its ignition temperature it may spontaneously ignite.
The ignition temperature varies with the gas and is not correlated
to ignition energy. Consequently, when selecting apparatus, both
properties of the explosive gas have to be considered.
Apparatus is classified into temperature ('T')
classes depending on its maximum permitted surface temperature.
Table 2.2 The 'T' classes
| T1 |
T2 |
T3 |
T4 |
T5 |
T6 |
| 450°C |
300°C |
200°C |
135°C |
100°C |
80°C |
The standard enables almost all apparatus dissipating
not more than 1.3W to be allocated a temperature classification
of T4 [135°C]. Almost all intrinsically safe field mounted apparatus
meets the requirements of T4 temperature classification, which permits
its use in all industrial gas atmospheres except in those comprising
carbon disulfide [CS2] and air. These require a T6 classification,
which is difficult to achieve at high ambient temperatures. There
are also toxicity problems associated with carbon disulfide.
The other temperature that needs to be considered
for each piece of apparatus is its ambient temperature rating, which
does directly affect the safety of the apparatus in several ways.
Apparatus normally mounted in the safe area but
which affects the safety of the intrinsically safe system (such
as the intrinsically safe interface in Figure 2.1) is called 'associated
apparatus'. Such apparatus does not need to be temperature classified
but must be used within its specified ambient temperature range.
Return
to top
2.9 Categories
and equipment safety levels
When the European Directive [ATEX] for apparatus
for use in hazardous areas [94/9/EC] was created, it introduced
the concept of categories, which was intended to clarify the Zone(s)
in which apparatus could safely be used. Unfortunately, and for
nothing more than pedantic reasons, it was decided that a category
0 would not be used and the result was the confusing situation illustrated
in Table 2.3, where the category and Zone numbers differ.
More recently [2004] the IEC took up the concept
of identifying the level of protection offered by a piece of apparatus
and also paid a little more attention to risk analysis as a method
of determining the acceptable use of equipment. The result was the
creation of equipment protection levels [EPLs], which are similar
to ATEX categories but have numbers that align with their normal
Zones of use.
In practice both categories and EPLs align with
the levels of protection 'ia', 'ib' and 'ic' as indicated in Table
2.1 and, as far as intrinsic safety is concerned, they can largely
be ignored, as the level of protection is already defined as 'ia',
'ib' or 'ic'. They do however appear on apparatus marking and certificates
and consequently need to be explained.
Table 2.3 Relationships between different
methods of assessing safety levels
| Level of Protection |
Countable Faults |
ATEX Category |
IEC EPL |
Normal Zone of Use |
| ia |
2 |
1 |
0 |
0 |
| ib |
1 |
2 |
1 |
1 |
| ic |
0 |
3 |
2 |
2 |
Return
to top
2.10 Summary
Intrinsic safety offers an acceptable level of
safety in all hazardous locations. Arguably it is safer and less
prone to accidental errors than other methods of protection. This
combined with its flexible use of available apparatus and the ability
to do 'live working' means that it is the natural choice for instrumentation
systems in hazardous areas. For example it is the only technique
which is readily applicable to Zone 0 locations. The introduction
of the 'ic' concept completes the picture.
The essential requirements of an intrinsically
safe system are:
- The system must work.
- The apparatus in the system must be 'certified'
or 'simple'
- The compatibility of the apparatus must be
established.
- The level of protection of the system established.
- The temperature classification and ambient
temperature rating of each piece of apparatus established.
- The requirements of the cable established.
Return
to top
Historical note:
|
Early work on intrinsic
safety was initiated following an explosion in a Welsh coalmine
in 1913. A possible cause was the bell-signalling system they
used, shown here with its modern technology parallels.
Click on the cartoon image for a larger, and more readable
version. |
|
