ISA Transactions 32 (1993) 381-386 Elsevier
Intrinsic safety revisited in the chemical process industries of the 90's
E.A. Comello
Exxon Chemical Company, Baytown, TX, USA
In the early '70s, with the advent of electronic instrumentation, the chemical process industries (CPI) were forced to look at methods of compliance with hazardous area classification for the new electrical control loops. There was an obvious economic desire to move away from classic explosion-proof enclosures, rigid conduit and poured gas-tight seals. Non-incendiary, energy-limited and intrinsically safe were three methods championed as providing safety, economy in construction and on-line hot work without the need for gas testing. These new safety technologies were challenging concepts for certifying authorities such as FM, UL, CSA, BASEEFA, etc., who had historically looked at devices alone and not at entire control loops. Many CPI production sites and their control system suppliers extensively espoused the new safety and economy these technologies promised. This paper will explore field experience, discuss an energy-limiting device (ELTM) and a case study of a barrier-related incident. Finally, it will explore the question, "If we were to build a plant today, how would we build it so as to best achieve a safe, economic and workable instrumentation and control system installation?"
Electrical spark ignition of hazardous gasses became intensely studied following a 1913 explosion in a Welsh coal mine resulting in 439 miners being lost. It was found that break-flash, largely due to energy stored in the inductive solenoid of the mine signaling bell, could, in fact, ignite flammable mixtures of methane and air. Energy restricting techniques were soon developed and, by 1917, standards, tests and certification were in place in British mines. With the advent of zener diodes and resistors that could not fail to short-circuit, passive safety barriers became available and intrinsic safety became practical. However, only the Europeans espoused the principle in the 1960s as alternates to explosion-proof designs. In the U.S. and Canada we saw our first intrinsically safe systems in 1965, using a common, well-regulated 24 V DC power supply for all field-mounted equipment, coupled with wire-wound resistors in each field circuit to limit fault currents; these were certified by FM and CSA. This technique converted the 4-20 mA signals into voltage signals on a common ground, making it practical to provide common DC backup supplies. From this beginning, intrinsically safe techniques and intrinsic safety became practical and widespread in Europe and North America with promises of reduced cost, greater safety and eliminating the need for cumbersome, explosion-proof housings, or other hazard compliance techniques. Centralized control rooms, computers, and the new electronics in the instrumentation converged with a wide range of passive zener diode intrinsic safety barriers making the concept of intrinsically safe petrochemical plant instrumentation practical.
Correspondence to: Mr. E. AI Comello, The Bahrain Petroleum Co., Reliability Engineering Department, Bahrain Refinery, Bahrain.
0019-0578/93/$06.00 © 1993 - Elsevier Science Publishers B.V. All rights reserved
E.A. Comello / Intrinsic safety revisited
Hazardous area classification
According to the National Electrical Code (NEC), articles 500-503 are the basic references for installation of electrical equipment in hazardous areas in accordance with the nature and degree of hazard. These NEC articles are used as the basis for other NFPA, ISA, and API recommended practices. The nature and degree of hazard in a particular location is specified by designation of Class, Group, and Division. Class and Group involve laws of physics (physical properties and characteristics) while Division is based on environmental and physical plant conditions and probabilities. Some common techniques for complying with the electrical area classification are:
- explosion-proof housings (contain and quench the explosion);
- purging/pressurization/ventilation (displace hazard with clean air);
- encapsulation/immersion (impede contact between source of ignition and explosive mixtures);
- non-incendiary systems (normal operation will not ignite hazardous atmosphere);
- intrinsically safe systems (incapable of releasing sufficient electrical energy under normal or abnormal conditions to cause ignition of a specified hazardous atmosphere);
- alternate technologies (pneumatics, hydraulics, approved fiber optics, etc.).
NEC definition of approved intrinsically safe
NEC paragraph 500-1 states: "Equipment and associated wiring approved as intrinsically safe shall be permitted in any hazardous (classified) location for which it is approved, the provisions of articles 500 through 517 shall not be considered applicable to such installations. Means shall be provided to prevent passage of gasses and vapors. Intrinsically safe equipment and wiring shall not be capable of releasing sufficient electrical or thermal energy under normal or abnormal conditions to cause ignition of a specific hazardous atmospheric mixture in its most easily ignited concentration. Abnormal conditions shall include accidental damage to any field-installed wiring, failure of electrical components, applications of overvoltage, adjustment and maintenance operations and other similar conditions".
Consideration of division is not necessary in the application of intrinsic safety (it is important to define only the actual class and group) since this technique (intrinsically safe) is for worst-case hazardous locations. This is very significant, since it gives latitude to the designer to treat area classification of Division 1 and Division 2 the same. That is, it is not necessary to treat locations which are always, intermittently or frequently hazardous (Division 1) differently from locations that are hazardous only if equipment fails or there is some other unexpected occurrence to cause a hazardous condition (Division 2).
The promises of intrinsic safety
Intrinsic safety (IS) offers numerous advantages over other methods of hazardous area classification compliance and with the proliferation of electronic signals, it seems like a natural in the chemical process industries. The advantages of IS systems include:
(1) Calibration and maintenance can be performed without removing power to the apparatus in the hazardous location.
(2) Safety permits ("Hot" work permits) are not required.
(3) Sealing of IS apparatus and field wiring equipment in the hazardous location is not necessary.
(4) Ordinary wiring practices may be used.
(5) Only general-purpose housings are required for measurement and control instrumentation.
(6) Shutdown time is reduced during repair or replacement (hot work).
(7) Improper re-installation of field enclosures does not degrade protection.
(8) Energy is limited by reliable passive devices consisting of fuses, non-shorting resistors and zener diodes (maintenance free, reliable).
In the early '70s, instrument engineers in the chemical process industry were considering these advantages. Implementation of an intrinsically safe circuit simply required the insertion of a passive barrier in the wiring between high-energy sources and the load installed in a potentially hazardous environment. Often engineers saw the passive barrier as just another terminal block, only that it had input and output terminals. The barrier clearly provided a demarcation between the "safe" area and the "hazardous" area. Hundreds upon hundreds of these new safety devices appeared, row upon row, in the terminal rooms of North America and Europe. These were the days when overclassification was common and large, outdoor, well-ventilated tracts of land designated for process facilities were often classified whether they needed to be or not. A petrochemical plant often would have an entire process plot plan assigned with the designated hazardous area classification, often very conservatively. There were three prime reasons for this broad-brush approach to area classification: firstly, the plant or project team did not want the hassle of getting the specialists back in the event of an expansion (so they pre-invested in area classification extent); secondly, they had little history of the conditions that would be encountered during operation, i.e., frequency, concentration, upsets, etc., and since the market was waiting for the products, cost was simply transferred to the product; and thirdly, the economics of hazardous area compliance with passive barriers was considered to be neutral in grass root plants for the initial installation. The advantages were seen as greater safety and on-line maintenance in the longer term. We should note that in the early '70s many instrument engineers had little experience with electronics. They were either new in the job or had spent a great deal of their careers with pneumatic instrumentation hardware (orifice meters, thermocouples and control valves). So this simple robust approach promised greater safety and other advantages in the first wave of growth-driven electronification and computerization of the process instrumentation and control elements in our industry.
But with the introduction of intrinsic safety in instrumentation, almost no change took place in electrical power systems, since they were required to supply large electrical energies. Enclosures with many bolts, conduits, seals, and pressurization were not eliminated, and hot work practices were and still are commonplace for electrical installations.
The
After 10 years of experience with the design and maintenance of intrinsically safe instrument systems, the instrument engineers in our industry had gained lots of practical field experience. The following is a summary:
- Barriers are not generic (many, many types).
- Barriers add significant loop resistance and, at times, limit the available voltage at the field device.
- Certain instruments are adversely affected by the barrier's I/O characteristics, i.e., RTDs, TCs (leakage currents/temperature effects).
- Barrier selection and application is a complex subject.
- The economies associated with general-purpose wiring could not be realized since it involved cable trays and wireways with appropriate supports which tended to be as expensive as conduit, or more in the smaller sizes. (Open Class II wiring was not suitable because of the lack of mechanical protection.)
- Cheaper enclosures for field devices (NEMA 4) never materialized, hence the IS certified field devices cost more.
- Some barriers became collector's items. Cost of barriers in small quantities was significant and did not drop along with the drop in cost of electronics.
- The entity approach which allowed intrinsically safe designs to be based on electrical parameters (inductance and capacitance) helped but it still involved parameters that were hard to quantify.
- Small ground faults could be "mirrored" to the control systems. (See, for example, Fig. 1.)
- It became harder and harder to maintain the systems' intrinsic safety integrity.
- With the advent of smart transmitters, conventional barriers no longer were adequate and sophisticated repeater barriers were required; these barriers approached the cost of the smart transmitter and required highly regulated power supplies.
- With the upcoming emergence of Fieldbus and its new digital communications protocol, it is likely that the passive barriers may not be compatible.
- Because of the numerous types of barriers in a given plant and their similarity, installing the wrong barrier, potentially impacting safety, has occurred. (Difficult to test for IS. Instrument works fine.)
- Maintenance and inspection of barrier systems has been forgotten at times (corrosion, ground resistance).
- Substitution (replacement) of non-IS compatible field equipment has been known to happen.
- Most contractors' instrument engineers are inexperienced in IS installation design.
- Non-IS wiring practices and signals can corrupt the integrity of the system (spares used for non-IS purposes).
- Repairs/substitutions, especially in-house, to modules etc. can impact on the IS system integrity.
- Accidental short circuits or power supply surges can blow the fuse and render the barrier inoperable (discard).
- Zener barriers increase the terminal room foot print and installation costs.
- An absolute equipotential ground system is required at all times and hazardous location devices must be isolated from field ground or they cannot be used (some exemptions for thermocouples).
- Because of IS power limitations and reluctance to use "specials" (low-power, specially designed devices) in the severe environments of the chemical process industry, alarm and shutdown circuits still tend to be designed using conventional techniques, i.e., 120 V AC alarm and shutdown systems.
- The typical low-level signals (T/Cs) in the chemical process industry are typically non-IS.
- Other general concerns about adequate separation of wiring, lightning effects, limitation of 250 V AC RMS in the safe location associated equipment, four-wire field devices, etc.
Fig. 1. Loop ground fault "mirrored" into control system. (Diagram labels: +24 VDC; 0.5mA "mirroring"; barrier; control system input.)
In light of these findings, it would be fair to revisit the current situation in the chemical process industry reflecting the writer's experiences in the refining/petrochemical/plastics manufacturing industries. One would find that active and galvanic barriers have been employed since they have advantages over the typical passive barrier, for example:
- no need of isopotential ground system because of galvanic separation;
- use of DIN mounting, plug-in cards that can be removed without depowering and without disturbing field wiring;
- improved/direct interfacing to simple and low-level sensors;
- compatible with non-isolated field elements;
- smaller foot print.
As mentioned before, plants exposed to intrinsic safety in the '70s and '80s did so primarily for the 4-20 mA I/O signal regimen. Critical alarm shutdowns and thermocouple installations were designed in accordance with the requirements of the electrical area classification. These plants continue to follow IS design practices in order to maintain the system integrity.
The use of portable IS equipment has grown enormously and many test devices and other electrical equipment are commonly found in the hazardous area. It is curious to note in Ernest C. Magison's book, Electrical Instruments in Hazardous Locations, while speaking about portable IS test equipment, "As a general rule, this author feels that no test equipment should be used anywhere on the Division 1 side of a barrier unless a 'Hot' permit has been obtained to ensure that the Division 1 location is not hazardous" [2, p. 253].
In major petrochemical installations, extensive modernization (of instrumentation) took place in the early '80s. Instrument engineers reassessed the whole aspect of electrical safety in electrically hazardous areas. They reasoned that, by its very nature, intrinsic safety was designed for utilization in Division 1 and therefore implicitly acceptable for Division 2. However, when one carefully investigated the almost exclusively outdoor well-ventilated areas where processing equipment was found, one would find that an overwhelming majority of the hazardous area classification was in fact Division 2. There was a strong desire to achieve both electrical safety and the ability to conduct work without need for a "Hot" work permit. It was reasoned that in order for an energy-limited circuit in Division 2 to be unsafe and constitute an ignition hazard, two faults must occur simultaneously (Division 2 areas are defined such that the presence of a hazardous condition in the area in and of itself constitutes a fault).
One large petrochemical organization began work on an "Energy Limiting Termination Module" (ELTM). This device was based on a strategically placed resistor incapable of failing in short circuits. In addition, a surge protection device to mitigate lightning-induced transients was employed (Fig. 2). The design concept was submitted to Factory Mutual who supported the conclusion that circuits utilizing this device were acceptable for Division 2 service with note of the following:
(1) Under normal conditions the source of energy conveyed to the field emanates from the DC power bus with the maximum voltage limited to 29 V DC.
(2) Abnormal electronic circuit conditions will quickly manifest themselves in the form of input/output problems or in operation.
(3) All equipment connected to the system, both control house as well as the field, shall have been previously approved for use (by a recognized approval agency) in intrinsically safe or non-incendiary systems.
(4) The user considers effects of inductance and capacitance in field wiring.
Fig. 2. Energy limiting termination module (ELTM). (Diagram labels: power supply 22.5-28 VDC; 180 ohm; energy limiting element, 25 ohm; control system input; termination strip (typical); to equipotential ground bus; "I MAX WORST CASE = EMAX R MAX".)
Since the ELTM provides code conformance for energy-limiting circuits, wiring for ordinary locations is permitted in Division 2 Hazardous Areas as specified by the exception to NEC Article 501-4(b); "Exception: wiring which under normal conditions cannot release sufficient energy to ignite a specific ignitable atmospheric mixture by opening, shorting or grounding, shall be permitted using any of the methods suitable for wiring in ordinary locations."
Writer's note. The reader is cautioned that the foregoing discussion is simplistic to respect proprietary considerations, but is based on actual successful, approved working installations. The reader is advised to seek expert advice and appropriate certification by recognized entities if he should employ similar concepts in his/her plant, in hazardous (classified) locations.
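The entity approach and the barrier loop-resistance limit noted in the field-experience summary, and the Factory Mutual note that the user considers inductance and capacitance in field wiring, can be checked loop by loop as in the following added example, which is not part of the original paper. All names and numeric values are constructed for illustration; the comparisons are the standard entity-concept rules, and real values must come from the certification documents of the barrier and the field device.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Barrier:            # associated apparatus on the safe-area side
    voc: float            # maximum open-circuit voltage, V
    isc: float            # maximum short-circuit current, A
    ca: float             # maximum connectable capacitance, F
    la: float             # maximum connectable inductance, H
    r_series: float       # end-to-end series resistance, ohm

@dataclass(frozen=True)
class FieldDevice:        # IS apparatus in the hazardous location
    vmax: float           # maximum permitted input voltage, V
    imax: float           # maximum permitted input current, A
    ci: float             # unprotected internal capacitance, F
    li: float             # unprotected internal inductance, H
    v_liftoff: float      # minimum terminal voltage needed to operate, V

@dataclass(frozen=True)
class Cable:
    length_m: float
    c_per_m: float        # F per metre
    l_per_m: float        # H per metre
    r_loop_per_m: float   # ohm per metre, out and back

def audit_loop(b, d, cable, supply_v, sense_r, i_loop=0.020):
    """Return the list of failed checks; an empty list means the loop passes."""
    findings = []
    if b.voc > d.vmax:                                   # barrier can overvolt device
        findings.append("VOLTAGE")
    if b.isc > d.imax:                                   # barrier can overdrive device
        findings.append("CURRENT")
    if d.ci + cable.length_m * cable.c_per_m > b.ca:     # stored energy in C
        findings.append("CAPACITANCE")
    if d.li + cable.length_m * cable.l_per_m > b.la:     # stored energy in L
        findings.append("INDUCTANCE")
    # Functional check: barrier, cable and sense resistor all drop voltage
    # at full-scale loop current before it reaches the field device.
    r_total = b.r_series + cable.length_m * cable.r_loop_per_m + sense_r
    if supply_v - i_loop * r_total < d.v_liftoff:
        findings.append("LIFT_OFF")
    return findings

# Constructed sample data (not taken from any certificate).
BARRIER = Barrier(voc=28.0, isc=0.093, ca=83e-9, la=4.2e-3, r_series=300.0)
WRONG_BARRIER = Barrier(voc=31.0, isc=0.120, ca=83e-9, la=4.2e-3, r_series=300.0)
TRANSMITTER = FieldDevice(vmax=30.0, imax=0.100, ci=5e-9, li=20e-6, v_liftoff=12.0)

def cable(length_m):
    """Constructed cable type: 200 pF/m, 1 uH/m, 0.05 ohm/m loop resistance."""
    return Cable(length_m, 200e-12, 1e-6, 0.05)

if __name__ == "__main__":
    cases = {
        "300 m, 24 V supply": (BARRIER, cable(300), 24.0),
        "500 m, 24 V supply": (BARRIER, cable(500), 24.0),
        "wrong barrier, 300 m": (WRONG_BARRIER, cable(300), 24.0),
        "300 m, 22.5 V supply": (BARRIER, cable(300), 22.5),
    }
    for name, (b, c, v) in cases.items():
        print(name, audit_loop(b, TRANSMITTER, c, v, sense_r=250.0) or "pass")
```

The wrong-barrier case passes the functional lift-off check while failing the voltage and current comparisons, which is the situation the summary describes as "Instrument works fine."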
of the 90s
It is the author's opinion that design considerations for major expansions or grass roots facilities of the '90s in our industry would likely address instrument installations in hazardous locations as follows:
- more rigorous/precise definition of location and extent of hazardous areas (less overkill) in outdoor, well-ventilated areas;
- utilize intrinsic safety for all instrumentation in Division 1 areas;
- utilize non-incendiary techniques for instrumentation in Division 2 areas;
- increasingly employ active IS barriers to take advantage of their galvanic separation characteristics;
- watch closely and try to anticipate the impact of the new Fieldbus standard (ISA SP50) and its impact on existing and new chemical processing plants and their instrumentation systems.
In closing, it is hoped this paper will foster discussion in the area of safety and the long-term preservation of that safety integrity. One does not walk away from an engineered safety concept. Even in the '90s we require discipline to properly design and inspect installations and to do preventive maintenance. (Check the safety grounds.)
[1] National Electrical Code (NEC), ANSI/NFPA 70, National Fire Protection Association, Boston, MA, USA.
[2] Ernest C. Magison, Electrical Instruments in Hazardous Locations, Instrument Society of America, Research Triangle Park, NC, USA, 3rd edn., 1980.
[3] A User's Guide to Safety Barriers, Application Note AN9007, Measurement Technology Ltd., Luton, England, November 1988.
[4] Introduction to Intrinsic Safety, Elcon Instruments, Inc., Maryland, USA, May 1990.
[5] The Intrinsic Safety Primer, R. Stahl, Inc., Massachusetts, USA, October 1991.