Intrisic Safety in the Digital Age

In Which We Sort Through the Complexities of Building Intrinsically Safe Fieldbus and Ethernet Networks in Hazardous Plant Areas

Share Print Related RSS

By Paul Miller

As old timers say, “new” is not always “better.” Consider for a moment, the transition from pneumatics to analog electronic to digital technology. Sure, we’ve realized important benefits from digital automation technology, which – among other things – provides the basis for today’s plant asset management strategies. However, when it comes to preventing explosions in hazardous classified plant areas, analog electronics represented a step backwards from pneumatics and digital technology introduces further cost and complexity.

Pneumatic instrumentation used compressed air to transmit the process variable measurements from field devices and then translate them into the appropriate control action. No electricity means no sparks or arcs. This eliminates one of the legs of the fuel/oxygen/ignition triangle, all three of which are required to initiate a dangerous explosive situation. That’s one of the reasons why, even in the “digital age,” if you look hard enough, you’ll still see pneumatic instrumentation puffing away in plants around the world.

Intrinsic Safety (IS) is one of the concepts developed to enable electronic instrumentation to be safely used in plant areas classified as “hazardous” due either to actual or potential presence of explosive gases or dust.

While pneumatics avoided the issue of electricity altogether, IS concepts limit the amount of electrical and other energy allowed to enter hazardous plant areas, thus eliminating the possibility of igniting explosions. This is typically done by using either zener diode or galvanic isolated barriers. Zener barriers are passive devices that require appropriate IS grounding. Isolated barriers do not require additional grounding.

With the straightforward, point-to-point wiring used with conventional 4-20 mA analog field communications, this doesn’t present any huge problems (although it does add cost and complexity, and the barriers themselves tend to take up a lot of valuable plant real estate). However, one of the major benefits of digital field instrumentation and communications is the ability to drop multiple instruments on the same wire. By limiting the amount of electrical current you can deliver to a fieldbus segment for intrinsic safety reasons, you also restrict the number of devices you can install on that segment. In many cases, this has made fieldbus cost-prohibitive.

“Intrinsic safety is an excellent technique for protecting electronic instrumentation in hazardous locations, and intrinsic safety provides the highest level of explosion protection for electronics,” says Mike O’Neil, director of the Moore-Hawke Division of Moore Industries. “As the uptake of fieldbus becomes the norm rather than the exception, there are many users who are demanding similar protection for their fieldbus networks. However, there are significant conflicts between the technique of intrinsic safety and multiple-device, multi-drop networks.”

Confusion Reigns

One of the reasons for the slower than anticipated acceptance of fieldbus is general confusion over how hazardous plant areas are classified and specific confusion over how you implement and verify digital devices and communications networks in these types of environments.

According to Chuck Carter, director of the fieldbus training center at Lee College in Baytown, Texas, “The whole topic of what is happening in the IS world vis-à-vis fieldbus appears to be in a state of flux, with confusion reigning supreme. On top of that, everyone seems to have a unique set of circumstances regarding their facilities’ IS requirements and applications. Clearly, the industry must settle on one method for classifying and using IS, or this issue will remain in a state of flux for the foreseeable future, and that serves no one’s interest in the long run.”

The Entity approach for fieldbus in hazardous plant areas was used successfully for the ethylene dichloride cracking furnace process at the Shin-Etsu manufacturing facility in Rotterdam, The Netherlands.
(Courtesy of MTL)
While there is a gradual trend toward global standardization (or at least harmonization) of both the actual hazardous area classifications and how devices and systems are tested and certified to ensure safe operation in hazardous environments, regional differences still exist.

In North America, hazardous areas are identified by “classes,” “divisions” and “groups.” These indicate the type of flammable material (gases, dust or fibers), whether the presence of the flammable material is normal or abnormal, and the specific type of gas or dust, respectively.

In Europe and most other countries outside of North America, hazardous plant areas are classified using “zones,” “groups” and “protection types.” Zones define the probability that the flammable material will be present; groups classify the flammable nature of the material; and protection types indicate the level of safety required for the device.

For a variety of reasons – some logical, some not so logical – the major approaches used to help ensure safe operation in hazardous environments also evolved differently in North America and Europe.

In North America, the “explosion proof” approach initially gained wide acceptance in refineries, petrochemical plants and other industrial facilities with hazardous environments. This approach uses specially designed and constructed, NEMA-rated electrical conduit and equipment enclosures to isolate electronics from the hazardous gases or dust and physically contain any initial explosions that might inadvertently occur. This prevents secondary explosions from occurring outside of the enclosures. Not only are these heavy duty, explosion proof enclosures very expensive to purchase and install, but also they preclude the possibility of doing any “live work” on the equipment contained within.

As Ian Pinkney, technical authority for BP Southern North Sea, Aberdeen, Scotland, says, “BP investigated explosion-proof enclosures as an alternative to IS and rejected that option because the enclosures are expensive, heavy and difficult to work on. We also found that maintenance of equipment under power is much more difficult with explosion-proof enclosures. When maintenance is required, our procedures require us to get a permit issued and to declassify the area to assure it is not hazardous before work can begin. When this is not possible, the equipment and possibly the entire process has to be shut down before maintenance can be performed, and shut downs are obviously something we really want to avoid.” (See www.controlglobal.com/articles/2007/367.html for more on the BP North Sea operation.)

According to MooreHawke’s, O’Neill, “Explosion-proof enclosures typically have multiple bolts around their periphery, all of which must be removed when opening the cabinet. When servicing anything inside the cabinet, power must be cut to the enclosure, thus powering down all equipment inside. This may mean shutting down an entire process unit just to replace a fuse.”

In Europe, the Intrinsic Safety approach gained widespread acceptance in above-ground refineries and chemical plants as a less-expensive-to-implement-and-maintain solution than the explosion-proof approach. This followed initial applications in underground coalmines, where several fatal and highly publicized coal-dust explosions emphasized the need for specialized procedures in hazardous environments. In recent years,  IS concepts have also become more popular in North America, due largely to generally lower installation and maintenance costs and the freedom perform “live work,” as needed, without having to obtain work permits to do so.

The general idea behind IS is to use special barriers (known as “associated apparatus” in IS-speak) to limit the amount of energy available within hazardous plant areas to a level that is insufficient to generate arcs, sparks, heat or other conditions that could cause flammable gases or dust to ignite. On the surface, this sounds very simple. But things get complicated pretty quickly when you consider all the different permeations of and interactions between the various field devices (“apparatus”), associated apparatus, wiring and terminations typically involved and all the things that could potentially go wrong.

Closely related to IS, is the “nonincendive” approach. Both approaches limit the amount of energy present in hazardous environments to minimize the risk of explosion. The main difference is that, with IS, you have to consider the possibility of faults and thus be even more conservative about the amount of energy allowed into the hazardous area. The more restrictive IS approach is used for environments where the presence of potentially explosive gases or dust is the norm (Division I in North America), while the nonincendive approach is restricted for use in environments where the presence of potentially explosive gases or dust is the exception (Division II). 

Pepperl+Fuchs fieldbus segment protectors and valve couplers installed in a nonincendive (extra safety) classified area in a European chemical plant.
(Courtesty of Pepperl+Fuchs)
In the past, leaky valves and piping flanges meant that “Div I” areas requiring intrinsically safe standards were not uncommon. Today, however, more stringent environmental regulations mean that, in actual practice, true Div I areas are uncommon in modern process plants. Thus, unless a plant has decided to standardize on Div I to simplify things, Div II nonincendive approaches are typically used.

Enter Entity

Initially, each and every possible combination of field devices and barriers needed to be evaluated and approved together as an intrinsically safe system and documented with formal control drawings before it could be used in hazardous plant areas―an extremely limiting approach. Over time, the Entity parameter concept was developed. With Entity, field devices and barriers (“apparatus” and “associated apparatus”) are approved separately by an official approval organization, uch as Factory Mutual, CSA or CENELEC. Users then can combine intrinsically safe and associated apparatus as long as specific parameters for voltage, current and capacitance are correctly matched and the equipment is installed in an approved manner. The good news is that this approach provides users with much greater flexibility. The bad news is that it typically requires engineers to perform complicated, time-consuming calculations.

According to Robert Schosker, intrinsic safety product manager at Pepperl+Fuchs in Twinsburg, Ohio, “Entity isn’t really all that hard to handle. The challenge is to be able to match Entity parameters so that you have a truly intrinsically safe system that works properly.”

The Shin-Etsu manufacturing facility in Rotterdam, The Netherlands, successfully used the Entity approach for its ethylene dichloride cracking furnace process. Here, 35 segments and 275 fieldbus instruments were installed and integrated with a Honeywell Experion DCS using MTL-Relcom power supplies. For the field wiring, Shin-Etsu chose nonincendive-certified MTL wiring hubs to connect individual spur wiring to the trunk cables. The wiring hubs and field devices were matched for safety using Entity parameters for nonincendive plant environments.

If not ideal, the Entity approach works well enough for conventional, analog instrumentation using point-to-point wiring techniques. However, due to the very conservative power restrictions built into the Entity parameter approach, it is far from an ideal solution for fieldbus, where many of the initial cost savings come from the ability to drop multiple instruments off the same wire.

According to O’Neill, “It quickly became apparent to most prospective end users that intrinsic safety barriers were a very expensive solution for fieldbus. Because of the current-limiting resistor, most barriers could only provide 80mA to the fieldbus segment, meaning that a conventional IS segment could only support four fieldbus instruments, each taking a nominal 20mA. Foundation fieldbus protocol supports up to 32 devices on a segment, and most end users want segments capable of driving at least 12 to 16 instruments. With a barrier system only able to support four devices, choosing intrinsic safety as the site protection concept looked like a horrendous expense, requiring four times as many interface devices, four times as much wiring, plus extra cabinet space, etc., just to put fieldbus instruments in hazardous areas.”

According to Bernd Schuessler, business development manager at Pepperl+Fuchs, “Over the past several years, fieldbus technology has been rapidly adopted in many process industries. However, end users have been unsatisfied with the traditional solutions for fieldbus applications in hazardous locations applications because they could not enjoy the same benefits in terms of power, cable length and number of devices per segment in hazardous location applications compared to general-purpose applications due to energy limitations on the trunk.”

These limitations have led MTL, Pepperl+Fuchs, Moore-Hawke and other major European and North American vendors in this space to come up with new IS approaches for fieldbus, each which overcomes the Entity limitations to a greater or lesser extent.

These include the fieldbus intrinsically safe concept (FISCO), the hybrid (or high-powered trunk) concept, a split-architecture approach and a new (and as of yet, unproven) dynamic arc recognition technology (DART) barrier approach.

Make a Big FISCO

The fieldbus intrinsically safe concept (FISCO) was developed by the Physikalisch-Technische (PTB) in Germany in the 1990s as a solution to providing more power over a fieldbus into a hazardous locations. The initial objective was to help to encourage the acceptance of Profibus in European refineries and chemical plants. The technology was also subsequently adopted for Foundation fieldbus. This was not difficult, since both share a common physical layer.

FISCO power supplies located in safe areas incorporate active current-limiting circuitry that allows more power to be delivered to fieldbus segments located in hazardous environments. Since the fieldbus segment is made intrinsically safe by placing the barrier at the boundary between safe and hazardous area, the trunk is “live-workable.” 

Check out Moore's I.S. Segment Comparison

This diagram illustrates the different fieldbus segments that can be created using the ENTITY, FISCO, Split-Architecture, and Hybrid (High-Power Trunk) approaches to Intrinsic Safety. (Diagram courtesy of Moore-Hawke)

A new set of FISCO IS parameters based on established boundary values was also developed. These allow any FISCO-certified instruments to be combined freely with a FISCO power supply without having to perform the full set of Entity calculations as long as special FISCO cables and terminations are also used. With FISCO, up to five Foundation fieldbus devices (or up to eight Profibus devices) can be installed on a single fieldbus segment, although with significantly reduced trunk and spur lengths. 

A less restrictive FISCO approach―FNICO (Fieldbus Nonincendive Concept)―was also developed for use in nonincendive hazardous plant areas in which flammable gases or dust are not normally present. Here, less stringent, “increased safety” (as opposed to “intrinsically safe”) power restrictions increase both the number of fieldbus devices per segment and the allowable spur lengths.

While FISCO (both IS and nonincendive flavors) offers some clear advantages over the more conventional Entity approach, it also has its drawbacks.

According to Pepperl+Fuch’s, Schosker, “FISCO power supplies have more active circuitry than conventional IS barriers to allow more power to be put out into the hazardous area without impacting safety. However, FISCO increases the technical requirements in the field devices and reduces the flexibility on the network.”

According to MooreHawke’s O’Neill, “FISCO products are less reliable than conventional safety barriers simply because the FISCO power supply is such a complex design.”

Pepperl+Fuch’s Schuessler summarizes the limitations as follows, “Although FISCO offers some additional power compared to the Entity approach, users still cannot enjoy the same benefits they get when using fieldbus in a general-purpose configuration. The overall cable length is theoretically limited to 1,000 meters, spurs are limited to 50 meters, and the current and voltage levels are still very low, which results in significantly shorter cable runs than the theoretical maximums…FISCO power conditioners also do not offer redundancy, nor they offer any online physical layer diagnostics.”

Nevertheless, FISCO has been gaining a degree of acceptance in fieldbus applications around the world.

At the Shell Petroleum Development Corporation’s Bonny Island Terminal Project in Nigeria, a new development comprising 24 oil storage tanks, MTL’s FISCO power supplies integrate the fieldbus segments with a Yokogawa CENTUM DCS. MTL short-circuit-protected wiring hubs are used to create IS trunk and spurs that can be “live-worked” without gas clearance procedures. Non-FISCO, ENTITY-certified IS devices are also connected to the FISCO segments.

Carbowill Spoika has employed the FNICO approach in the Zone 2 hazardous area at the company’s CO2 production plant in Wloclawek, Poland. Here, FNICO power supplies from MTL provide power to all 21 fieldbus segments. Since the entire network―both trunk and spurs―is energy-limited, technicians at the Carbowill CO2 plant can work on any part of the fieldbus segment in the hazardous area while energized, without having to obtain a gas clearance work permit. The fieldbus segments connect to fieldbus interface cards on Carbowill’s Emerson DeltaV DCS.

Who Are You Calling a Hybrid?

Pepperl+Fuchs has developed a hybrid approach that combines nonincendive techniques for the fieldbus trunk with intrinsically safe techniques for the fieldbus spurs. Pepperl+Fuchs calls this hybrid approach the “high-power trunk” concept. The hybrid approach uses nonincendive energy limits for the fieldbus trunk (where allowed) to enable more power to be available for fieldbus devices. Only the spur connections to fieldbus instruments located in IS locations are limited to IS levels. This is accomplished using short circuit-protected junction boxes with built-in barriers. Pepperl+Fuchs calls these “segment protectors” for nonincendive applications and “field barriers” for intrinsically safe applications.

According to Schuessler, the high-power trunk concept, “…allows end users to get the maximum number of devices on a segment, while also being able to achieve maximum cable length. Depending on the applications, the protection (energy limitation) is done in the field, inside the junction box. By not limiting the energy on the trunk, the high power trunk concept offers the same advantages seen in general-purpose applications in hazardous location applications.”  Of course, this also means that the hybrid approach cannot be used in applications requiring an intrinsically safe trunk.

While this approach allows the fieldbus spurs to be worked on while energized without a hot work permit, this is not the case for the trunk. However, according to Schuessler, “Fieldbus users do not normally perform live maintenance on a fieldbus trunk cable because of the high risk of losing an entire segment due to a single short on the trunk cable.”

With this hybrid approach, users are free to select between instruments with either Entity or FISCO hazardous area certifications. Options are also available for users to implement power redundancy and online physical layer diagnostics not available with the FISCO approach.

Moore-Hawke’s O’Neill sees a problem with the hybrid approach, “The high power trunk looks like a great idea; unlimited segment current delivered by mechanically protected cable to field barriers which generate IS power for devices. However, the design is constrained between the maximum practical fieldbus conditioner voltage (28V) and the need to deliver 16V or so to the field barrier. It doesn't matter if the HPT can supply 1A since that 12V differential will disappear in just 12 Ohms of fieldbus cable (240 m). Nothing escapes Ohm's law!”

Let’s split the difference

Moore-Hawke has developed its own alternative approach, which the company calls, “split-architecture.”

With this design approach, the current-limiting resistor is split into two parts; one in the barrier, which is located in the non-hazardous, “safe” area, and the other in the field device coupler. This configuration enables a large current to flow in the trunk, which is then further reduced by in the resistor in the device coupler (one per spur) to allow connection to conventionally approved devices. According to Moore-Hawke, commercially available systems can demonstrate segment capabilities of at least 350mA and full compatibility with common IS device approvals. This would appear to eliminate the major issue associated with implementing fieldbus networks in hazardous locations: the number of instruments you can install per segment. 

Furthermore, according to O’Neil, “Since these systems are conventionally designed using diodes for voltage limiting and resistors for current limiting, there are no limitations on segment length or spur cables.

At the recent Fieldbus Foundation General Assembly in Antwerp, Miodrag Pramenko from Serbia Gas explained why his company selected a split-architecture system for the re-instrumentation of the Banatski Dvor underground gas storage facility, “We wanted to use intrinsic safety to maximize our security, but we needed a cost-effective and efficient way of achieving this. Our systems integrator (WIG, Belgrade) were experienced in systems design with a split-architecture solution which met all these needs.”

Boehringer Ingelheim Chemicals, a bulk active pharmaceutical ingredient manufacturing facility located in Petersburg, Va., also implemented the Moore-Hawke split-architecture  IS approach for a recently installed automated solvent distribution system.  Here, in addition to maximizing the number of devices allowed per segment, it was important to be able support long segment lengths. This would allow primary and final control elements physically located on different floors of the facility to be connected on the same fieldbus segment. Boehringer Ingelheim also wanted an intrinsically safe system that would allow technicians to troubleshoot and work on the system without requiring a hot work permit or having to shut down the process.

As with FISCO, the split-architecture approach uses worst case Entity parameters to significantly reduce the time and effort required to determine the intrinsic safety of a fieldbus system. According to O’Neill, “Having current-limiting resistors per individual spur in the split-architecture system means that each spur is a separate circuit for the purposes of intrinsic safety, and since the worst-case length of that spur is also known, it is very easy to demonstrate the worst-case spur cable plus fieldbus device is safe, and that no segment can be worse. A single page of calculation will suffice for the whole plant.”

And Now for Something Really Dynamic…

In April 2008 at the Interkama industry trade show in Hannover, Germany, Pepperl+Fuchs announced a new technology now in development in Europe that shows great promise for eliminating many of the previous power limitations relative to installing fieldbus devices in hazardous plant locations. In fact, Pepperl+Fuchs is claiming that the new technology, called “dynamic arc recognition and termination,” or “DART,” will even allow higher-powered devices to be used in the hazardous areas. Examples include industrial PCs, LED lighting systems, high-power sensors, analyzers and solenoid valves.

According to Pepperl+Fuchs, DART detects the characteristic voltage change caused by a spark and quickly turns off the circuit before the spark’s temperature is sufficient for ignition. For fieldbus instrumentation, DART should be able to provide up to eight watts of power per segment, even inside explosion hazardous plant areas. According to a Pepperl+Fuchs news release issued at Interkama, “DART concepts are proven and patented. And the market will start to see products in 2010. Leading experts consider this technology as the beginning of a totally new era in process automation.”  To this end, the company is looking for suitable partners to develop new products and applications. “We are interested in a constructive dialog with product managers all over the world,” stated Michael Kessler, director of the Pepperl+Fuchs Components and Technologies business unit.

User Interest is Growing

According to Lee College’s Chuck Carter, end-user interest in FISCO and other approaches for implementing fieldbus in hazardous environments is growing. “In regard to fieldbus, I have to admit I was one who was somewhat dubious about whether or not FISCO and the other IS approaches would survive, much less flourish. This was largely because of the cool reception I would get whenever I brought up the topic in our industrial fieldbus courses. This has changed over the last year, and I find more and more of the attendees are paying great attention to that portion of the course and anxious to get more information that might apply to their own unique situations.”

According to Bruce Bradley, PE, a project engineer for Boehringer Ingelheim Chemicals, “Implementing Foundation fieldbus coupled with hazardous area classifications may approach information overload. But believe it or not, with today’s technology and product offerings, fieldbus is simpler than any time before to implement.”

Share Print Reprints Permissions

What are your comments?

You cannot post comments until you have logged in. Login Here.

Comments

No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments