4) Design of intrinsically safe systems

The topics on this page include:

4.1 General  4.2 Compliance with ATEX Directives and DSEAR  4.3 Simple systems  4.4 The use of simple apparatus in systems  4.5 The use of apparatus with ‘simple apparatus’ input description

return to index page PDF of this page

4.1) General

Where intrinsically safe apparatus is interconnected by wiring, the safety of each piece of apparatus is affected by the performance of the other pieces of apparatus in the circuit. The safety technique relies on the system being correctly designed and intrinsic safety becomes a system concept. Other methods of protection are also dependent on the system concept to some extent, but it is a fundamental requirement of intrinsic safety.

For example flameproof equipment is only adequately safe when provided with the correct electrical protection and a means of isolation, but this is not generally regarded as being as significant as ensuring that the apparatus within an intrinsically safe system is compatible. There are some pieces of intrinsically safe apparatus, usually portable equipment, that are used in isolation, for example torches and radios. The following analysis of intrinsically safe systems does not apply to these types of apparatus.

In addition, some Fieldbus systems are constructed to the FISCO/FNICO standard IEC 60079-27, which introduces some simplification of the system rules. These requirements are discussed in MTL application note AN 9026 but not in this document. This document concentrates on point-to-point wired systems, which are the predominant form of instrumentation.

The relevant IEC system standard is IEC 60079-25, which interacts with the IEC code of practice IEC 60079-14 to provide comprehensive coverage of the subject.

The system designer must accept responsibility for the adequacy of the design and the safety implications of the use of the system in association with hazardous areas. The designer must have an appropriate level of knowledge and training and the analysis should not be done without recognising the importance of getting it right. The analysis of simple systems is relatively easy and can be done by any competent professional engineer. However some of the more complex systems such as those using a combination of non-linear and linear sources of power require a greater degree of experience and it may be desirable to approach an ‘approved certification body’ to provide an analysis for such a system.

Return to top

4.2) Compliance with ATEX Directives and DSEAR

Unless they are considered to be ‘simple apparatus’ (see section 4.4), individual pieces of equipment are required to comply with the ATEX equipment directive (94/9/EC). However, the majority of intrinsically safe systems combine equipment from one or more suppliers and these systems become an 'installation' and do not need to be certified to the equipment directive. There might, however, be rare occasions when a manufacturer places a complete system on the market, in which case the system will have to comply with the equipment directive.

The installations directive (1999/92/EC), and the DSEAR regulations, require a risk analysis (within their jurisdiction) of any installation that contains one or more hazardous areas and the system documentation becomes an essential part of that analysis. In almost all other parts of the world similar requirements exist either for legal or insurance reasons. Where no such requirements exist there is still the fundamental requirement to operate safely and to be able to demonstrate that all reasonable precautions have been taken. For these reasons the preparation of adequate system documentation is an essential part of the design of an intrinsically safe installation.

The preparation of documentation for a new installation, to satisfy the installations directive and DSEAR, is usually relatively simple as all the equipment will comply with the apparatus directive or be simple apparatus and the necessary data will be readily available. A slightly more complex situation arises when it is thought desirable to incorporate existing equipment, which is not certified to the apparatus directive.
For example, such a situation arises if it becomes necessary to replace a central processor and its related interfaces but not to replace the field devices. In these circumstances, provided the field devices are considered to have an adequate level of safety and their documentation contains the necessary information to enable a system document to be prepared, an acceptable system document can be created.

To be considered as “adequately safe”, older equipment must achieve a level of safety of the same order as equipment that has recently acquired documents of conformity to the ATEX apparatus directive. In the particular case of intrinsically safe equipment there has been no fundamental change in the standards, which has thrown into doubt the safety of equipment conforming to any of the CENELEC based standards. Arguably, even equipment conforming to the older SFA 3012 and SFA 3004 standards that were used in the UK is probably adequately safe.

NOTE: There is a problem regarding equipment spares that do not have documents of conformity to the ATEX apparatus directive, as they can no longer be supplied by the original manufacturer for use in association with hazardous areas. Only apparatus already in the possession of the end-user or ‘in the supply chain’ can be utilised. It seems prudent therefore to take this potential difficulty into account when considering the continued use of older equipment.

Return to top

4.3) Simple systems

The majority of intrinsically safe systems are simple systems that contain a single source of power in associated apparatus connected to a single piece of intrinsically safe apparatus out in the field. Such a system is discussed in detail in an appendix of IEC 60079-11.

Below, we use the combination of a temperature transmitter and an intrinsically safe interface shown in Figure 4.1 to illustrate the technique.

The first step is to obtain the safety data of the two pieces of apparatus in the circuit. This data is best derived from a copy of the certificate, which should be available to the system designer. In particular, any special conditions of use should be taken into account in the system design.

The information placed on the system drawing should be the result of a clearly justifiable analysis making it relatively simple to create the installation drawing from this reference drawing.

NOTE:
Copies of MTL Certificates are available from web site: http://194.203.250.243/mtlsupport.nsf
Copies of IEC Ex Certificates are available from web site: http://www.iecex.com

The compatibility of two pieces of apparatus should be established by comparing the data of each apparatus. The sequence is usually as follows.

• Compare the levels o f protection. If they differ then the system takes the least sensitive level. For example if one device is ‘ia’ and the other ‘ib’ then the system becomes ‘ib’. A source of power that is certified ‘ib’ will have permitted output parameters for use in ‘ic’ circuits. If these higher values are used in the system design then the system becomes ‘ic’.
• Compare gas classifications. If they differ then the system takes the least sensitive classification. For example if one device is IIC and the other IIB then the system becomes IIB. It is usual for a source of power certified as IIC to have permissible output parameters (Lo, Co and Lo/Ro) for IIB and IIA gas groups. If these larger values are used then the parameters used determine the system gas group.
• Determine the temperature classification of the field-mounted equipment. Apparatus may have different temperature classifications for different conditions of use (usually ambient temperature) and the relevant one should be selected and recorded. It should be noted that it is the apparatus that gets temperature classified not the system.
• The permissible ambient temperature range of each piece of apparatus should be recorded.
• The voltage (Uo), current (Io) and power (Po) output parameters of the source of power should be compared with the input parameters (Ui, Ii and Pi) of the field device and the output parameters should not exceed the relevant input parameters. Occasionally the safety of the field device is completely specified by only one of these parameters (usually Ui). In these circumstances the unspecified parameters are not relevant
• Determine the permitted cable parameters.
  The permitted cable capacitance (Cc) is derived by subtracting the input capacitance of the field device (Ci) from the permitted output capacitance of the source of power (Co), that is Cc = Co – Ci.
  
  The permitted cable inductance (Lc) is derived by subtracting the input inductance of the field device (Li) from the permitted output inductance of the source of power (Lo), that is Lc = Lo – Li.
  
  Determining the permitted L/R ratio of the cable (Lc/Rc) is very easy if the input inductance of the field device is negligible, i.e. if Li less than 1% of Lo. In this case, Lc/Rc is considered equal to Lo/Ro. However, if the inductance of the field device is more significant then the equation included in IEC 60072-26 can be used to calculate the permitted Lc /Rc. Fortunately this is not a frequently occurring requirement.
  
  Recently there has been increasing concern about the interaction of system inductance and capacitance increasing the risk of ignition capable sparks. This concern is confined to fixed inductance and capacitance and not to the distributed parameters of a cable. Consequently on those rare occasions when BOTH the lumped inductance (the sum of Li of the source of power and the field device) and the lumped capacitance (the sum of Ci of the source of power and the field device) are greater than 1% of the respective output parameters of the source of power Lo and Co then the permissible output parameters are both to be divided by two. It should be stressed that this reduction in output parameters is only applicable on very rare occasions since it is unusual for field devices to have BOTH inductive and capacitive input parameters which are significantly large.
  
  Frequently the Li and Ci of a source of power are not quoted in the documentation and in these circumstances it can be assumed that they are negligible. There is no suggestion that it is considered necessary to go back and check the safety documentation on existing installations for this most recent requirement. However new analyses should take this remote possibility into account.
  
  To summarise, check that either the lumped capacitance or inductance is less than 1% of the respective output parameters. If it is, then the original calculation is valid. If BOTH parameters are greater than 1% of the output parameters then Co and Lo of the system should be reduced by a factor of two. If this reduction seems to be necessary then go back and check the information used, as this is an unusual situation.
  
  Where a source of power is certified ‘ia’ or ’ib’, the permitted output parameters Lo, Co and Lo/Ro are derived using a factor of safety of 1,5. When such a source of power is used in an ‘ic’ circuit then the permitted output parameters may be derived using a unity safety factor. This results in a significant change, which usually removes the necessity to consider cable parameters in detail. Accurate values can be ascertained using the methods and tables in the apparatus standard. An acceptable conservative technique is to multiply the Lo and Lo/Ro by two and the Co by three, which normally removes any concern about cable parameters.
• Check that the level of insulation from earth is acceptable, or that the system earthing requirements are satisfied

If these criteria are all satisfied the compatibility of the two pieces of apparatus will have been established. A convenient way of recording the analysis is to create a table. The following is an example that uses values from the typical system drawing (see Figure 4.1) and compares the intrinsically safe interface and the temperature transmitter.

Table 4.1 Simple system analysis

Return to top

4.4 The use of simple apparatus in systems

The apparatus standard (IEC 60079-11) distinguishes between complex apparatus, which normally requires some form of certification and ‘simple apparatus’ which is not required to be certified. This distinction is intended to permit the use of apparatus that does not significantly affect the intrinsic safety of a system, without the need for ‘third party’ certification.

There is an implication that it is possible to demonstrate that simple apparatus is obviously safe without recourse to the detail application of the remainder of the standard. For example, if any current or voltage limiting components are necessary then the apparatus is not considered to be simple. In practice it is relatively easy to decide which components are simple apparatus at the system design stage. If the decision is not easy then the apparatus is not simple.

NOTE: Although it is not considered essential that simple apparatus is certified by a third party, it is not unusual for simple apparatus that is used in significant quantities to be certified. This is reassuring to the end user and is a significant marketing advantage. In these circumstances the apparatus is marked as required by the apparatus standard, but can be used in the same way as other simple apparatus.

The apparatus standard imposes limits of 1,5V, 100mA and 25mW on the values generated by simple apparatus; and it is accepted that simple apparatus can be added to an intrinsically safe system without the need to recalculate the safety of the system. It must be understood however, that any limitations on simple apparatus apply to the combination of all the pieces of simple apparatus in a system. For example, the use of one or two thermocouples in a system is permitted but a combination of a large number used in a single, average temperature circuit might not meet this criterion.

The standard also allows capacitive and inductive components to be used in simple apparatus, provided that these components are included in the system evaluation. It is not usual to include inductors or capacitors of significant size, but the simple apparatus concept does permit the use of small radio-frequency (r.f.) decoupling components without undertaking a further analysis of the system. A useful rule-of-thumb is to ensure that the total capacitance and inductance added to the system is less than 1% of the respective output parameters of the source of power, in which case, their effect can be ignored. If BOTH the added capacitance and inductance, together with any other ‘lumped’ capacitance in the circuit are greater than 1% of the specified output parameters of the source of power then the permitted output parameters must be halved as explained in section 4.2. This is another very good reason for ensuring that the ‘energy storing’ components in simple apparatus are kept small.

It is also necessary to temperature classify simple apparatus when it is intended for hazardous area. The apparatus standard allows a T6 temperature classification for switches, plugs, sockets and terminals used within their normal rating at an ambient temperature of not greater than 40°C.

In practice, it is not easy to design a system that can be used with gases requiring a T6 (85°C) temperature classification and a T4 (135°C) classification is normally the level achieved. In reality, the only gas listed in the available documentation requiring a T6 temperature classification is carbon disulfide (CS₂). Fortunately, the use of this gas in industry is becoming rare because of its toxicity. A T4 temperature classification is therefore adequate normally and a claim of T6 is predominantly a marketing ploy rather than a requirement.

The temperature classification of other pieces of apparatus (with a surface area not less than 20mm²) normally relies on the input power being no greater than 1,3W when the maximum ambient temperature required is 40°C. The corresponding powers for higher ambient temperatures are 1,2W at 60°C and 1W at 80°C. If this rule is not applicable then the possible maximum surface temperature has to be measured or assessed. If for any reason it is not obvious that the maximum surface temperature is considerably lower than 135°C (say 100°C) then the apparatus is probably not simple.

Simple apparatus is usually isolated from earth. However, the apparatus standard requires a 500V insulation test and if the simple apparatus cannot meet this then it introduces an earth on to the system and the system design must take this into account.

A typical example of simple apparatus is the resistance thermometer (RTD) shown as the sensor in the typical system drawing.

Figure 4.2 RTD and transmitter sub-system

- Classification ia IIC - Cable parameters 1000µF, 350mH - Earthed at RTD Note: 'T' class determined by maximum measured temperature. RTD  Type: 350L (example) Peter Pty, Sydney, Australia Simple Apparatus to IEC 60079-11 Passive component to subclause 5.4a) Type: PS061 Maximum operating temperature 450°C Temperature classification determined by maximum measured temperature. Insulation test 150V therefore, effectively grounded.

Temperature Transmitter Type: 365S (example) Pan Inc., Boston, USA Ex ia IIC T4 by FUML No. 983065 Ambient temperature –40°C to +80°C Terminals 'A' Uo: 1.0 V Io: 10 mA Po: 2.5 mW Co: 1000µF Lo: 350 mH Note: If cable 'x' becomes part of a multicore, then this multicore cable must be a Type 'A' or 'B', as specified in IEC 60079-14.

The RTD is a temperature sensitive resistor. It has negligible inductance (less than 4µH) because it is bifilar wound and negligible capacitance (less than 10pF). The matched power from the transmitter terminals is 2,5mW, which is considerably less than the 25mW considered negligible for simple apparatus. This low level of power ensures that the temperature classification of the RTD is determined by the temperature being measured. (A T6 temperature sensor measuring 450°C is a common advertising phenomenon.) The RTD does not meet the required 500V insulation test and consequently this sub-cicuit is considered to be earthed at this point. The installation is satisfactory because of the isolation in the temperature transmitter.

The ignition energy of a gas decreases at elevated temperatures and consequently the very low fault voltage and power available to the RTD is a beneficial factor in ensuring the safety of any measurement of high temperatures.

Return to top

4.5 The use of apparatus with ‘simple apparatus’ input description

The other common use for the simple apparatus clause is to permit the use of certified apparatus with input parameters equivalent to simple apparatus, to be added to an existing intrinsically safe circuit with only a minor change in the documentation. The most frequent uses of this technique are for test equipment, indicators and trip amplifiers.

A typical example of this type of application is the MTL 5314 trip amplifier which is frequently used to monitor the 4-20 mA signals from a transmitter as illustrated in Figure 4.3. The input terminals satisfy the requirements of simple apparatus and hence the insertion of this apparatus does not require that the safety analysis of the existing system is modified. The presence of the trip amplifier and the fact that it is regarded as simple apparatus is all that needs to be recorded.

Figure 4.3 MTL 5314 used as monitor

Simple Apparatus, Intrinsically Safe interface, Trip Amplifier MTL5314. The Trip Amplifier connects in series with the 4/20 mA transmitter circuit, giving alarm signals to the safe area via changeover relays. Using the Simple Apparatus (Non-energy Storing) rule the device may be connected in series with the hazardous side of the MTL5042. Certification & Safety Parameters Terminals 1 and 3 meet the Simple Apparatus rules having output parameters : Uo: 1.0V, Io: 88mA, Po: 22mW Certified [EEx ia] IIC by EECS No. BAS 98 ATEX 7136 Tamb -20°C to +60°C Um: 250 V

Where more than one piece of apparatus with simple apparatus output characteristics is included in a circuit then care should be taken to ensure that the permitted simple apparatus parameters are not exceeded. Advantage can sometimes be taken of the fact that the output voltage only appears under fault conditions and that it is permitted to apply the fault count to the system as a whole. For example if more than one piece of simple apparatus is connected in the circuit then it can be argued that only piece of apparatus is considered to fail at any one time, and hence only the most adverse set of output parameters needs to be considered. This type of argument is acceptable in ‘ib’ systems but needs to be carefully documented. For such an argument to be valid for ‘ia’ systems detailed knowledge of the derivation of the output parameters is required. This information is not usually readily available and hence the technique is not normally applicable to ‘ia’ systems. If it is known that the apparatus terminals are purely resistive in normal operation (as is frequently the case) then any number of these devices can be incorporated in an ‘ic’ system.

Return to top