HMI / I/O Systems / Industrial Computers / Industrial Ethernet / Intrinsic Safety

HMIs on tablets, smart phones need to comply with intrinsic safety standards

How to keep devices safe in hazardous areas

By Jim Montague

Going out in bad weather? You may need a sweater or coat. Working in a harsh or hazardous environment? You and your co-workers will need the right protective and safety gear.

The same goes for tools and accessories, especially all the human-machine interfaces (HMI) on tablet PCs and smart phones that are flooding onto plant floors and field applications—sometimes authorized, but often unauthorized due to their sheer prevalence on the consumer side. Despite their numbers, they too must comply with the same intrinsic safety (IS) and other standards as earlier electronic handhelds, limit operating voltages, and get sheathed in just as much rubber and plastic.

Of course, today's increasingly chip-based, Ethernet-aided and wireless systems mean users don't need to go into hazardous areas as often as in the past, and can monitor and manage applications from safer distances. However, there are still many times when technicians and operators must routinely journey out to pipelines and tanks, up to columns, or out in the field to other equipment—even of they can interact with many process applications and equipment via a tablet PC and wireless link when they get there.

"It depends on each facility's policies and specific level of the hazardous area whether tablet PCs, smart phones and other devices can be brought in," says Jeff Morton, sales manager at Cross Co.'s Process Control Integration Group in Knoxville, Tenn. The group is a certified member of the Control System Integrators Association (CSIA). "We see a lot of interest in remote, wireless operator panels implemented as thin clients or virtual clients in food and beverage and chemical applications, as we don't work in oil and gas. Usually, iPads are employed in non-hazardous areas, but we did have one client that needed a tablet PC in a Class I, Div. 2, non-explosive area, so its operators could walk in and start a pump for its chemical extrusion process. This is a volatile environment and the user previously had a pushbutton in an appropriate panel. Instead of yelling back and forth, we brought in an industrially hardened tablet PC with Class I, Div 2 certification."

Armor up interfaces

Because the most obvious way to protect interfaces that must go into hazardous areas is shielding them, many suppliers have been putting them in purpose-built cases or manufacturing them with built-in protections that comply with IS and other standrds.

For instance, RAG Deutsche Steinkohle AG in Herne, Germany, operates six anthracite coal mines, and recently replaced its hardwired, non-portable voice, data and video communications with a wireless, computer-based system that includes Bluetooth headsets, wireless LAN access points (AP) and cameras, and i.roc Ci70-Ex handheld PCs with barcode modules from ecom instruments GmbH, a division of Pepperl+Fuchs. The i.rocs run RAG's proprietary software, so the mines' above-ground staff can send requested data such as technical documents to below-ground APs that relay them to the IP65-rated handhelds, which are certified for use in potentially explosive mining environments (Figure 1).

RAG reports that immediately available data and advice via the i-rocs and its computer-based communications greatly enhance mine operations and maintenance, which make its products more competitive internationally. Also, the company is saving on downtime and damage because its engineering experts no longer need to be onsite to instruct miners, but can instead save time by guiding them through inspection and repair tasks remotely from above ground.

"Handhelds have been used in IS areas for a long time, but now they're making a logical progression into more hazardous settings, and developers like Imtech are embedding Android apps in them, while suppliers like Pepperl+Fuchs' ecom are adding location-aware capabilities and Bluetooth," says Grant LeSueur, senior director for control and safety software at Schneider Electric. "These GPS-based technologies can also help with cybersecurity because they can be set to only allow data access with a location-based prerequisite."

Device-level and I/O shielding

Beyond armoring interfaces brought into IS and hazardous areas, several end users and system integrators are taking a closer look at better protecting I/O and device-level components in IS and hazardous areas, especially as they gain new networking connections.

For example, to maximize capacity at its 3-million-cubic-meter Kalmaz underground natural gas storage facility in Hajigabul, the State Oil Co. of the Azerbaijan Republic recently updated the core instrumentation and controls of its surface applications with help from Inkoel, an automation engineering contractor in Baku, Azerbaijan. These above-ground processes include two-stage separation of solids and condensate, gas flow measurement at wells, gas compression, pre-heating and pressure control and drying and treatment (Figure 2).

SOCAR and Inkoel implemented PlantPAx process automation system (PAS) from Rockwell Automation for about 1,000 I/O points handling monitoring, control and gas-flow calculations. This client-server architecture includes Operator Work System (OWS); Process Automation Supervisory Server (PASS); EtherNet/IP networking; Prosoft Technology's in-rack MVI56-AFC gas and liquid flow computer for running dedicated gas flow and calculation algorithms following ISO-5167 measurement standards; and 522 Endress+Hauser overload-resistant pressure and differential pressure/temperature smart transmitters.

MVI56-AFC calculates flow rates, accumulated volumes, accumulated mass and accumulated energy for up to 16-meter runs, provides data directly to PlantPAx, and transfers results back to processor memory for control, or sends them to servers or the OWS supervisory layer. To make the gas storage application's I/O consistent and intrinsically safe, SOCAR and Inkoel implemented Ex Interface relay modules, enabling IS signals circuits that are electrically isolated from the overall system, while its process values are accurately transmitted to the process control system.

Likewise, Manoel Feliciano da Silva, technical advisor at Petrobras, reports it's developed a mud-gas separator for its under-balanced drilling (UBD) method, which uses hydrodynamic pressure of the drilling mud and fluids in the well bore that's lower than the well formation. Because surface pressure is lower than well pressure, UBD applications can bring hydrocarbons to the surface at controlled rates, and eliminate or reduce the need for fracturing after a well is completed, which allows it to reach full production sooner.

However, UBD requires specialized surface equipment for continuous separation of the mud and hydrocarbons, so Petrobras also developed its Aleph HMI/SCADA application based on LabVIEW software from National Instruments. "A microcomputer runs the LabVIEW application, drivers for integration with other PLCs, and screens for operator control of the UBD operation," explains da Silva. "Aleph and LabVIEW provide process diagram visualization, separator measurements, and real-time control loops for the continuous separation. The data acquisition system measures: drill bit position through an electromagnetic measurement while drilling (EM MWD) function; gas and liquid flow rates; liquid height and pressure in the separator; downhole pressure measurements; and control valve positions through IS sensors and 4-20 mA transmitters."

LabVIEW also provides connectivity to the drilling control PLC through an RS-232 serial drive and connectivity to a remote system through a DataSocket server. This system meets all design requirements including: safety with IS sensors and a separate UBD control PLC; flexible software and modular hardware for additional I/O; integration via open protocols and LabVIEW software with a range of connectivity; and ease-of-use with LabVIEW graphical development environment

"By deploying UBD technology based on NI LabVIEW, we save between $500,000 and $2 million, depending on the size of the well and the cost of a fracturing job," adds da Silva.

Hazards shift; so does safety

Just as advancing technologies and capabilities are pushing HMIs into more challenging settings, similar forces are altering many hazardous environments, and impacting choices about the right safety levels for solutions that should be deployed in them.

"Many manufacturers support bring your own device (BYOD) for maintenance and other tasks, and some hazardous areas could support BYOD. However, we're not seeing it because our customer’s approach is to limit access to hazardous areas altogether. Recently, customers have limited access even further by leveraging technology to access hazardous areas remotely from safe areas." says John Tertin, sales and marketing director at ESE Inc., a CISA-certified system integrator in Marshfield, Wis. "We deploy rugged HMIs, but not usually due to class requirements."

Nonetheless, Tertin reports there's more attention to overall process safety in the past two years, and ESE's approach and available technical responses have shifted, too. "Previously, we'd use several safety monitoring relays going back to a central controller, but as more attention has been given to process safety and both the number and complexity of safety circuits have grown, we've transitioned to safety PLCs and distributed safety I/O, such as Rockwell Automation's Point Guard I/O, which let the safety circuits signal via Ethernet and allow visibility down to individual points. Even in complex safety circuits, engineers can determine the exact device that caused a safety trip and where it is located. Safety I/O is also very economical and cost-effective to design and implement compared to the complexity of using safety control relays for larger systems."

Tertin adds that users want visibility into their processes, but they also want to see into them without having to go into hazardous areas. "We're not trying to replace clipboards with iPads. We're trying to skip that step entirely, and not go into hazardous locations and stand in front of equipment unless we have to," he explains. "Not only do our customers want to limit people in class/div areas, but they also want to limit the number of components in them, too. While we do use IS power supplies, I/O and field devices, we still prefer to install them outside of rated areas and wire them in via sealed conduits to further reduce risk.

"Field components must be in hazardous areas, but using sealed rigid conduit and terminating them in a safe area allows us add another layer of safety and security by keeping their controls and support devices outside of the rated area. For example, a flowmeter in a hazardous setting needs to be IS, but the IS I/O and power supply that it is terminated to can be outside and removed from a hazardous setting. The devices are then wired through sealed conduit, further limiting exposure."

Protection with virtualization

Once the prejudice begins to dissipate that only hardware can offer protection, developers and users report that software, servers, networks and other forms of digitalization and virtualization can also improve safety, too—though their simpler, combined solutions are often in a box as well.

"We see plenty of manufacturers making thin clients that are hazardous-rated, mini-PCs with Ethernet, power, screens and keyboards. However, virtual components make IS panels even easier to design and build," says Will Aja, customer operations VP at Panacea Technologies Inc., a CSIA-member system integrator in Montgomeryville, Pa. "We recently did a pharma industry project for a chemical system with panels in a hazardous area, which needed to modernize its HMIs from physical touchscreens to panels with hazardous-rated touchscreens on the front. So, we went virtual with ACP Thin Manager software on a couple of Class I, Div. 2 screens in the hazardous area."

Aja explains that protection in a situation like this traditionally requires costly IS barriers or nitrogen purging/ventilation. However, "virtualizing" is far less expensive because it distributes some formerly non-distributed HMI components, and uses standard display libraries and a common server architecture to serve screens to thin clients.

"With virtualization, we can pull out everything that was causing problems—in this case, terminal blocks, controls and a nitrogen purge panel—so all that's left in the hazardous area is a Class I. Div. 2 box housing the HMI, touchscreen and thin client, running software, such as Rockwell Automation's FactoryTalk (FT) View SE," explains Aja. "Also, instead of dealing with HMIs that are islands and patchworks of visualization with all kinds of different programming, we're taking anywhere from 11 to 50 separate screens, finding commonalities, and pushing them into one project with a uniform HMI library. This can mean huge gains as a result of stocking fewer displays; eliminating parts by using one type of thin client and touchscreen; and decoupling the hardware and software layers.

"As a result, instead of being stuck in the usual two- and three-year obsolescence cycles for hardware and traditional software, we just replace the commodity tablet PCs, smart phones or other interfaces serving our screens as needed. These devices can be intrinsically safe if required, but future plants aren't going to have as many HMIs in the field. Instead, they'll have engineering stations that will interact with IS tablets, and use geo-fencing that will only allow users to securely control the boiler or other equipment when they're close to it."