5) Maintenance and Repair of Intrinsically Safe equipment
5.1 General
The ability to do live maintenance on an intrinsically
safe system is a major benefit of the technique. It is difficult
to test an instrument system with the power removed, and difficult
to obtain a meaningful 'gas clearance certificate' that covers the
whole of the area affected by a system. Consequently live working
is very desirable. There are however factors, other than gas ignition,
that have to be considered whenever an instrument system is taken
out of commission and consequently local safety practices such as
'permits to work' have still to be observed.
5.2 Permitted practices on the plant
The design of intrinsically safe apparatus and
systems ensures that the short circuit and open circuit of field
wiring cannot cause ignition of a gas atmosphere. The concept of
live maintenance uses this feature but does not extend to carrying out
detailed repairs; for example, repairing printed circuit boards
within the hazardous areas. In practice the permissible actions
are restricted by the available tools, hence deciding what is permissible
is not difficult.
IEC 60079-17 restricts live 'working' to:
i) disconnection of, and removal or replacement of electrical apparatus
and cabling;
ii) adjustment of any controls which is necessary for the calibration
of the electrical apparatus or system;
iii) removal and replacement of any plug in components or assemblies;
iv) use of any test instruments specified in the relevant documentation.
Where test instruments are not specified in the relevant documentation,
only those instruments which do not affect the intrinsic safety
of the circuit may be used;
v) any other maintenance activity specifically permitted by the
relevant documentation.
These requirements are in line with the normal practice of maintenance
on field mounted equipment and hence create no problem. Work on
associated safe area apparatus, such as the intrinsically safe interface
is restricted in the same way, except that there is greater freedom
to operate on the safe area terminals. Recently developed interfaces
tend to operate from 24V supplies and there is no risk of electrocution.
However it is not unusual for interfaces with relay outputs to be
switching higher voltages which may create a significant shock risk.
Where this risk occurs, adequate warning labels are required and
the relevant precautions should be taken during the maintenance
process. There is no risk of a significant electric shock being
received by a technician working on an intrinsically safe circuit.
There is a hypothetical possibility but in practice this is not
a real problem.
Where special precautions have to be taken, or
specific unusual actions are permitted, they are frequently embodied
in the apparatus certificate and manufacturer's instruction. This
information should be made available to the relevant technician
on the work sheet, as he is not likely to have ready access to the
certificate and/or instructions. The apparatus marking would carry
the ubiquitous 'X' marking but this is almost universally applied
and consequently largely ignored.
5.3 Permitted practice in the workshop
The repair and testing of intrinsically
safe and associated apparatus should only be carried out in
favourable conditions and by adequately trained technicians.
The IEC standard IEC 60079-19 provides some guidance on the
approach to repair of intrinsically safe equipment.
There are always practical and economic limitations
on what is practicable. For example, shunt diode safety barriers
are invariably encapsulated and not repairable. Isolating interfaces
are usually in boxes that are difficult to open, coated in varnish
and impossible to test in detail without specialist test equipment
and knowledge of the circuit. In general replacement by an identical
unit is preferred for both economic and safety reasons.
Some repairs can be carried out without affecting
the safety of equipment and, usually, it is obvious what limitations
apply. For example, damage to enclosures does not usually directly
affect the intrinsic safety of apparatus and consequently a repair
which restores the enclosure to its original level of integrity
(IP rating) is acceptable. The repair of printed circuit boards
is sometimes considered but is usually impracticable. Removing components
without damaging the board is difficult, repairing the coating on
reassembly is messy and maintaining the original creepage and clearance
distances may not be possible. A recent further complication is
that if lead free solder has been used, the use of solder containing
lead usually results in unsatisfactory joints.
A record of any repairs should be maintained.
The use of before and after photographs (stored digitally) frequently
simplifies the process.
5.4 Testing of IS apparatus using non-certified test apparatus
There are two circumstances under which non-certified
test apparatus is used to test intrinsically safe and associated
apparatus and systems. One is where apparatus is tested in the safe
area, usually disconnected from the IS system. The other, less
frequent, is where apparatus and the system are tested in the
hazardous area under a gas clearance certificate.
It is sometimes questioned whether connecting
non-certified apparatus during such procedures can result
in the intrinsic safety of the apparatus or system being impaired
by damage to the safety components. In the past, testing has
not required any special precautions to be taken to avoid
this possibility. The current standard on inspection and maintenance,
IEC 60079-17, does not address this question; consequently
the following is only a considered opinion and should be regarded
as such.
A relevant point is that during the manufacturing
of intrinsically safe products the equipment used for both
operational and safety testing relies on good engineering
practice and regular inspection to achieve adequate safety.
It is not subject to third party certification or any similar
constraints. The apparatus design standards address some of
the more obvious risks such as the charging of batteries,
but do not make any other recommendations to cover less frequently
used facilities.
The factors which justify the use of conventional
test equipment when working on intrinsically safe apparatus are:
a) Repair and maintenance should only be carried out by 'skilled
personnel'. Such personnel should be adequately trained to recognise
whether a mistake could have caused damage, which might lead to
a dangerous situation, and be capable of taking any necessary corrective
action.
b) Test equipment should be checked to ensure that it is operational
before connecting it to the apparatus. Particular care should be
taken to ensure that any variable controls, such as output voltage
and current limits on power supplies, are set to the correct values
before making the interconnection. The test equipment should be
checked at the end of the test. Since the test equipment is only
connected for a short time the probability of it failing in a way
that can cause a potentially hazardous fault in that time is acceptably
low.
c) The apparatus should be functioning correctly and be free of
mechanical damage at the end of the test or re-calibration. It is
possible that a safety component failure will not affect operational
capability but usually an operational failure will also occur.
d) The more complex operations such as re-programming and downloading
of apparatus memories are normally done using test rigs with specific
plugs and sockets and hence the probability of incorrect connection
is reduced.
e) Test equipment that satisfies the personnel safety requirements
of IEC 61010 is unlikely to produce currents or voltages that will
damage safety components. For example, a functioning oscilloscope
with high impedance probes is extremely unlikely to cause a problem.
There are some operations which do require special
care, of which the most obvious is high voltage insulation testing.
This should only be done when a special work instruction is available.
In practice such tests are best avoided and if an insulation test
is thought to be necessary it should be done at a low voltage.
It is generally accepted that the testing, calibration
and programming of intrinsically safe apparatus in a safe area,
or under gas clearance conditions by a competent person using conventional
high quality test equipment does not invalidate its intrinsic safety
certification.
5.5 Re-use of intrinsically safe field devices
The question is sometimes raised as to whether
intrinsically safe apparatus which has been used in circuits which
are not intrinsically safe, such as non-incendive or safe area circuits
can subsequently be used in intrinsically safe circuits. The perceived
problem is that use in the non-intrinsically safe circuits could
cause damage, which is not self-revealing but would reduce the level
of protection offered by the original certification. The relevant
IEC standards do not give any guidance on this topic and hence the
following text is only a considered opinion, which may not be universally
accepted.
The question normally arises because it
is common practice on most petrochemical installations to
purchase a single type of instrument, for example a pressure
transmitter, for use in all locations on a plant. An intrinsically
safe transmitter can then be used on a temporary installation
in a safe area in a conventional safe area loop, and after
some time be returned to the store as a spare instrument.
From the store it could be used to replace a defective instrument
in an intrinsically safe loop.
It can be assumed that the replacing instrument
is functional, and not mechanically damaged [the majority
of instrument technicians would check this in the workshop
before putting the instrument in the stores as a spare] and
therefore the concern is that there is some fault which reduces
the safety integrity but does not affect the operation of
the instrument. Almost all faults from an external source
would cause sufficient damage to the apparatus for it to malfunction,
rather than cause the conservatively rated safety components
to fail to danger without damaging any other components. This
type of undetected failure is just possible but is sufficiently
improbable to be ignored. In the particular case of a non-incendive
installation, the selection of apparatus and the installation
code followed further reduce the probability of the IS apparatus
being stressed.
There are a number of circumstances where a very
similar risk occurs, and the risk is considered acceptable. A very
clear example is that the IEC standard on inspection and maintenance
(IEC 60079-17), permits the use of non-certified test equipment
under 'gas clearance certificate' conditions. Similar risks are
accepted during fault-finding procedures in instrument workshops.
There are also significant risks of such faults occurring during
the repair procedures permitted by the same standard on repairing
this type of apparatus. The test equipment used in the final stages
of manufacturing of IS equipment is not designed to be fault tolerant
and could produce undetected faults. These risks illustrate the
point that where a risk is small it can be, and is, accepted.
With the recent introduction of the 'ic' concept, this question becomes
more relevant to intrinsically safe circuits; for example, the use
of an 'ia' certified transmitter in an 'ia' system after it has
been used in an 'ic' system may be questioned. The question of the
transfer of apparatus from an 'ib' system to an 'ia' system has
never been raised as far as is known.
The conclusion is therefore that the safety status
of a field device is not changed provided that the device is both
functioning correctly and not mechanically damaged after being used
in any type of circuit. If these two requirements are met, the field
device can be used in an intrinsically safe circuit without further
consideration.
Historical note:
1970's instrument engineer
This cartoon illustrates the way instrument engineers were
viewed by many of the people who were trying to create the
early standards.