DESIGN FEATURES L
IGNITION SOURCE
THERMAL OR
ELECTRIC
OXIDIZER
AIR OR
OXYGEN
FUEL
GAS, VAPOR
OR POWDER
COMBUSTION
Surge Stopper IC Simplifies Design of
Intrinsic Safety Barrier for Electronics
Destined for Hazardous Environments
by Murphy Pickard, Hach Co.
Introduction
As applications for electronic instrumentation proliferate, an increasing
number of applications require equipment safe enough to operate in
hazardous environments. Chemical
plants, refineries, oil/gas wells, coal,
and textile operations are all examples
of potentially explosive environments
that use electronic instrumentation.
In order to operate safely in such environments, instrumentation must be
made explosion proof.
Companies that supply apparatus to these markets must integrate
protection into the design. It falls to
the electronic designer to consider
available safety measures and implement them with minimum cost and
impact on proper circuit operation.
This is a daunting task from a design
standpoint, made even more difficult
by the number of hazardous environment standards that must be met to
satisfy global or domestic markets.
Although the various standards are
moving slowly to harmonization, in
some cases they still contradict themselves and each other.
This article discusses the essential
requirements of safety standards, and
methodologies for meeting these re-
Table 1. Established protection techniques
‘Ex’ Designation Technique Description Application
‘p’ Separation: Gas Pressurization Equipment Rooms
‘o’ Separation: Liquid Oil Fill Transformers
‘q’ Separation: Semi-Solid Sand Fill Instrumentation
‘m’ Separation: Solid Encapsulation Instrumentation
‘n’ Construction Nonincendive Switchgear
‘e’ Construction Increased Safety Lighting, Motors
‘d’ Containment Flameproof Pumps
‘i’ Electrical Design Intrinsic Safety Instrumentation
Figure 1. The ignition triangle
LT4356 series surge stopper
IC can be used to design
an active barrier with
parameters that can be
easily altered to quickly
produce custom barriers.
Since the fundamental
circuit topology won’t
be changing much, once
such an active design is
approved, it will be more
readily approved when only
component value changes
are made.
About the Author
Murphy Pickard is an Electronic
Engineer in the Flow & Sampling
Business Unit of Hach Company
(www.hach.com) of Loveland, CO.
If you have questions about this
article or intrinsic safety barrier design, feel free to contact
the author at 800-227-4224 or
mpickard@hach.com.
quirements. In particular, the LT4356
series of overvoltage/overcurrent protection devices offers an efficient and
elegant means of creating protection
barriers in electronic apparatus. To
fully understand the requirements
and solutions, one must become moderately acquainted with the standards
themselves, and the agencies that
enforce them.
Intrinsic Safety and the
Classification of Hazardous
Environments
Simply put, in a hazardous environment, the designer’s task is to prevent
an ignition source from meeting an
explosive atmosphere. There are several techniques for achieving this end,
and this article focuses on a design
discipline referred to as intrinsically
safe (IS) design. Figure 1 depicts the
ignition triangle, illustrating that a
fuel, an oxidizer and an ignition source
must all be present for an explosion to
occur. Several techniques simply prevent an existing ignition source from
contacting an explosive atmosphere,
while Intrinsically Safe design actually
eliminates the ignition source. The
principal protection techniques are
listed in Table 1.
Separation techniques are well
suited for many applications but
require special sealing methods and
Linear Technology Magazine • September 2009
9
L DESIGN FEATURES
substances, often creating a permanent barrier, making repair or service
impossible. Construction techniques
are mechanical approaches, and again
require special materials.
Only the Intrinsic Safety technique
allows normal instrument fabrication
methods and materials and requires
no exotic construction or packaging. Additionally, IS circuits may be
serviced with power present, and are
generally the lowest cost approach
to gaining certification. Further, only
IS certified equipment is allowed in
ATEX Zone 0 areas (Directive 94/9/
EC ATEX “Atmosphères Explosibles”).
This is true because the instrument
design ensures that there is not
enough electrical (spark) or thermal
energy present to serve as an ignition
source. Specifically, an Intrinsically
Safe circuit is one in which any spark
or any thermal effect produced in the
conditions specified in the principal
Standard (IEC 60079-2006), which
includes normal operation and specified fault conditions, is not capable of
causing ignition of a given explosive
gas atmosphere.
Several bodies oversee compliance
to standards and issue certifications
to manufacturers. In North America
FM, UL and CSA govern IEC-79 series
standard certification, while ATEX
standard compliance in the European
Union is certified principally by DEMKO. The level of protection required
depends on the environment in which
the instrument will operate. International Standards and Codes of Practice
classify environments according to
the risk of explosion. The type and
the volatility of the gas/vapor/dust
present and the likelihood of its presence determine such risk. Depending
on the jurisdiction, the classification
system is by Class/Division (North
America) or Zone (EU). These systems
are generally compatible, and for the
purposes of this article, we concentrate
on the Class/Division system as many
countries have adopted IEC79 series
Standards, the most fully utilized and
harmonized of all standards extant.
When electrical equipment and
flammable materials are present simultaneously, both the equipment and
Table 2. Hazardous environment classification systems
Class Hazard
I Gas/Vapor
II Dust
III Particles/Fibers/Filings
Division
(North America)
1 Likely
2 Unlikely 2 Unlikely
Gas Group Industry
I Underground
II Surface
Apparatus Group Representative Gas
IIA Propane
IIB Ethylene
IIC Hydrogen
Temperature Code Maximum Surface Temperature °C (40°C Ambient)
T1 450
T2 300
T3 200
T4 135
T5 100
T6 85
Presence
explosive atmospheres must be classified. The level of protection provided
must be the same or better than that
required by the standards for use in
such environment. The environment,
or “plant,” is classified according to the
type (Class and Group) and probability
of presence (Division) of the explosive
atmosphere. The equipment is classified according to the maximum surface
temperature (Temperature Code) of
any component of the equipment exposed to the hazardous atmosphere,
and by the maximum amount of energy
(Apparatus Group) it can produce or
release in a spark event. It is important
to understand that there is no relationship between the surface temperature
and the spark ignition energy necessary to ignite a given gas. These limits
Zone
(Europe)
0 Continually
1 Likely
Presence
The Role of Electronic Design
in Intrinsic Safety
An IS circuit is defined in Standard
IEC79-11 as:
“A circuit in which any spark or
thermal effect produced in the condition specified in this International
Standard, which include normal operation and specified fault conditions,
is not capable of causing ignition in a
given explosive gas atmosphere.”
Thus, a circuit must contain safety
components that prevent spark or heat
energy of a sufficient level to cause an
explosion under fault conditions. It
is the responsibility of the circuit designer to incorporate these protective
components into the design while still
maintaining proper circuit operation.
This is seldom an easy task.
are summarized in Table 2.
10
Linear Technology Magazine • September 2009
Any device designed for use in
R
V
OC
I
SC
INTRINSICALLY
SAFE
EQUIPMENT
HAZARDOUS AREA NON-HAZARDOUS AREA
APPROVED APPROVED
INTRINSIC
SAFETY
BARRIER
CONTROL
EQUIPMENT
ROOM
hazardous environments may be
categorized as either a simple or nonsimple apparatus. Without going into
detail, a simple apparatus requires no
agency certification if it contains passive components, does not generate or
store significant energy greater than
1.5V, 100mA, and 25mW. Examples of
simple apparatus are resistors, diodes,
LEDs, photocells, thermocouples,
switches, terminal blocks and the like.
For obvious reasons we will not dwell
on this class of equipment.
A non-simple IS apparatus, with
which electronic instrument designers are concerned, are categorized as
either “Ex ib,” which may have one
countable fault, and “Ex ia,” which may
have two countable faults. Countable
faults refer to arbitrary faults imposed
by the examiner to analyze efficacy of
protection against thermal and spark
ignition faults. A non-countable fault
occurs not from component failures,
but from circuit spacing issues such
as creepage/clearance, improper
component voltage/current/power
rating or component construction. It
is the designer’s job to ensure that
his component selection and circuit
layout do not contain any non-countable faults or he may fail certification
from these alone.
During the compliance examination
the assessor is allowed to fail one (Ex
ib) or two (Ex ia) protective components and explore the implications for
safety of these failures. If these failures
do not degrade the circuit’s safety
features, the apparatus is awarded
a hazardous location certification.
Referring to Table 2, a certification
to Class I, Division 1, Group IIC, T6
allows operation in any hazardous
environment, including ATEX Zone 0
Linear Technology Magazine • September 2009
Figure 2. Isolation/protective barrier location
areas. Clearly, Ex ia is the most difficult certification to obtain, and the
manufacturer should determine that
he must have this level of protection
before incurring the cost of doing so.
Most applications require only Class
I/Div 1 or 2 (Zone 1) certification.
The Barrier Concept
A barrier that limits power/voltage/
current to safe levels for the particular environment must moderate
any power or signaling flow between
a hazardous location and a nonhazardous location. Such a barrier
is termed an Associated Apparatus
in the Standards. It is important to
realize that an IS barrier, containing
protective components, resides in the
non-hazardous area and supplies
power to the IS certified apparatus in
the hazardous area, including Simple
Apparatus. Both pieces of equipment
must comply with IS rules. That is
to say that for an Ex ia certification,
both units must be approved to suffer
double faults while maintaining safety
from ignition as Figure 2 illustrates.
Proper or merchantable operation
of the apparatus is irrelevant to the
examiner, as long as it is safe.
The concept of a barrier is a powerful
tool in gaining compliance. It is clear
that the non-hazardous area barrier
in Figure 2 must limit the total power
available to the IS apparatus in the
hazardous area. However, multiple
barriers may also exist within the
Figure 3. Simple passive component barrier
DESIGN FEATURES L
hazardous area apparatus. Internal
barriers may be used to further limit
power to sub-circuits within the equipment to prevent application of multiple
countable faults.
In the broadest terms, protective
components are either series type or
shunt type. A current-limiting resistor
is the most common series protective
device, while a voltage-limiting Zener
diode is the most common shunt
protective device. When used in combinations to limit power, protective
devices are referred to as barriers.
Barriers in which true galvanic isolation is maintained are referred to as
“isolators.” Examples of isolators are
transformers, capacitive couplers and
optical couplers. Isolators however will
not provide DC power or transfer DC
signals and are not germane to this
discussion. We will not delve into the
use of resistors or diodes to isolate
energy-storing components to provide
spark ignition protection, but this is
provided for in the Standards and
is a different concept from galvanic
isolators.
Safety Components
and Barrier Design
Barriers can be categorized as either
passive or active according to the
components used to design them.
Passive barriers have the advantage
of conceptual simplicity, ease of
design and ready availability in the
market. However, the protected field
apparatus must suffer the voltage
burden imposed by the barrier and
still function properly. Passive barriers
are energy inefficient and bulky. If any
significant power must be transferred
to the field device beyond a few milliwatts, the safety components become
very large.
Active barriers have a tremendous
advantage in efficiency and component
size, but are generally more difficult to
design and may be more expensive to
produce. Additionally, these are typically custom designs that are not easily
reused. The most serious disadvantage
of active barriers is not conceptual,
but bureaucratic. The examiners
who analyze the barrier design are
completely familiar with common pas-
11
Loading...