As applications for electronic instrumentation proliferate, an increasing number of applications require equipment safe enough to operate in hazardous environments. Chemical plants, refineries, oil/gas wells, coal, and textile operations are all examples of potentially explosive environments that use electronic instrumentation. In order to operate safely in such environments, instrumentation must be made explosion proof.
Companies that supply apparatus to these markets must integrate protection into the design. It falls to the electronic designer to consider available safety measures and implement them with minimum cost and impact on proper circuit operation. This is a daunting task from a design standpoint, made even more difficult by the number of hazardous environment standards that must be met to satisfy global or domestic markets. Although the various standards are moving slowly to harmonization, in some cases they still contradict themselves and each other.
This article discusses the essential requirements of safety standards, and methodologies for meeting these requirements. In particular, the LT4356 series of overvoltage/overcurrent protection devices offers an efficient and elegant means of creating protection barriers in electronic apparatus. To fully understand the requirements and solutions, one must become moderately acquainted with the standards themselves, and the agencies that enforce them.
Intrinsic Safety and the Classification of Hazardous Environments
Simply put, in a hazardous environment, the designer’s task is to prevent an ignition source from meeting an explosive atmosphere. There are several techniques for achieving this end, and this article focuses on a design discipline referred to as intrinsically safe (IS) design. Figure 1 depicts the ignition triangle, illustrating that a fuel, an oxidizer and an ignition source must all be present for an explosion to occur. Several techniques simply prevent an existing ignition source from contacting an explosive atmosphere, while Intrinsically Safe design actually eliminates the ignition source. The principal protection techniques are listed in Table 1.
Table 1. Principal protection techniques

| Code | Principle | Technique | Typical apparatus |
|---|---|---|---|
| ‘p’ | Separation: Gas | Pressurization | Equipment Rooms |
| ‘o’ | Separation: Liquid | Oil Fill | Transformers |
| ‘q’ | Separation: Semi-Solid | Sand Fill | Instrumentation |
| ‘e’ | Construction | Increased Safety | Lighting, Motors |
| ‘i’ | Electrical Design | Intrinsic Safety | Instrumentation |
Separation techniques are well suited for many applications but require special sealing methods and substances, often creating a permanent barrier, making repair or service impossible. Construction techniques are mechanical approaches, and again require special materials.
Only the Intrinsic Safety technique allows normal instrument fabrication methods and materials and requires no exotic construction or packaging. Additionally, IS circuits may be serviced with power present, and are generally the lowest cost approach to gaining certification. Further, only IS certified equipment is allowed in ATEX Zone 0 areas (Directive 94/9/EC ATEX “Atmosphères Explosibles”). This is true because the instrument design ensures that there is not enough electrical (spark) or thermal energy present to serve as an ignition source. Specifically, an Intrinsically Safe circuit is one in which any spark or any thermal effect produced in the conditions specified in the principal Standard (IEC 60079-2006), which includes normal operation and specified fault conditions, is not capable of causing ignition of a given explosive gas atmosphere.
Several bodies oversee compliance with the standards and issue certifications to manufacturers. In North America FM, UL and CSA govern IEC-79 series standard certification, while ATEX standard compliance in the European Union is certified principally by DEMKO. The level of protection required depends on the environment in which the instrument will operate. International Standards and Codes of Practice classify environments according to the risk of explosion. The type and volatility of the gas/vapor/dust present, and the likelihood of its presence, determine that risk. Depending on the jurisdiction, the classification system is by Class/Division (North America) or Zone (EU). These systems are generally compatible, and for the purposes of this article we concentrate on the Class/Division system, as many countries have adopted the IEC79 series Standards, the most fully utilized and harmonized of all standards extant.
When electrical equipment and flammable materials are present simultaneously, both the equipment and explosive atmospheres must be classified. The level of protection provided must be the same or better than that required by the standards for use in such environment. The environment, or “plant,” is classified according to the type (Class and Group) and probability of presence (Division) of the explosive atmosphere. The equipment is classified according to the maximum surface temperature (Temperature Code) of any component of the equipment exposed to the hazardous atmosphere, and by the maximum amount of energy (Apparatus Group) it can produce or release in a spark event. It is important to understand that there is no relationship between the surface temperature and the spark ignition energy necessary to ignite a given gas. These limits are summarized in Table 2.
Table 2. Apparatus Group vs. Representative Gas, and Temperature Code vs. Maximum Surface Temperature °C (40°C Ambient) [column headings only; the table rows were not recovered]
The Role of Electronic Design in Intrinsic Safety
An IS circuit is defined in Standard IEC79-11 as:
“A circuit in which any spark or thermal effect produced in the condition specified in this International Standard, which include normal operation and specified fault conditions, is not capable of causing ignition in a given explosive gas atmosphere.”
Thus, a circuit must contain safety components that prevent spark or heat energy of a sufficient level to cause an explosion under fault conditions. It is the responsibility of the circuit designer to incorporate these protective components into the design while still maintaining proper circuit operation. This is seldom an easy task.
Any device designed for use in hazardous environments may be categorized as either a simple or non-simple apparatus. Without going into detail, a simple apparatus requires no agency certification if it contains passive components, does not generate or store significant energy greater than 1.5V, 100mA, and 25mW. Examples of simple apparatus are resistors, diodes, LEDs, photocells, thermocouples, switches, terminal blocks and the like. For obvious reasons we will not dwell on this class of equipment.
A non-simple IS apparatus, the kind with which electronic instrument designers are concerned, is categorized as either “Ex ib,” which may have one countable fault, or “Ex ia,” which may have two countable faults. Countable faults are arbitrary faults imposed by the examiner to analyze the efficacy of protection against thermal and spark ignition. A non-countable fault arises not from component failure but from circuit spacing issues such as creepage/clearance, improper component voltage/current/power rating or component construction. It is the designer’s job to ensure that component selection and circuit layout do not contain any non-countable faults; certification may be failed on these alone.
During the compliance examination the assessor is allowed to fail one (Ex ib) or two (Ex ia) protective components and explore the implications for safety of these failures. If these failures do not degrade the circuit’s safety features, the apparatus is awarded a hazardous location certification. Referring to Table 2, a certification to Class I, Division 1, Group IIC, T6 allows operation in any hazardous environment, including ATEX Zone 0 areas. Clearly, Ex ia is the most difficult certification to obtain, and the manufacturer should determine that he must have this level of protection before incurring the cost of doing so. Most applications require only Class I/Div 1 or 2 (Zone 1) certification.
The Barrier Concept
A barrier that limits power/voltage/current to safe levels for the particular environment must moderate any power or signaling flow between a hazardous location and a non-hazardous location. Such a barrier is termed an Associated Apparatus in the Standards. It is important to realize that an IS barrier, containing protective components, resides in the non-hazardous area and supplies power to the IS certified apparatus in the hazardous area, including Simple Apparatus. Both pieces of equipment must comply with IS rules. That is to say that for an Ex ia certification, both units must be approved to suffer double faults while maintaining safety from ignition as Figure 2 illustrates. Proper or merchantable operation of the apparatus is irrelevant to the examiner, as long as it is safe.
The concept of a barrier is a powerful tool in gaining compliance. It is clear that the non-hazardous area barrier in Figure 2 must limit the total power available to the IS apparatus in the hazardous area. However, multiple barriers may also exist within the hazardous area apparatus. Internal barriers may be used to further limit power to sub-circuits within the equipment to prevent application of multiple countable faults.
In the broadest terms, protective components are either series type or shunt type. A current-limiting resistor is the most common series protective device, while a voltage-limiting Zener diode is the most common shunt protective device. When used in combinations to limit power, protective devices are referred to as barriers. Barriers in which true galvanic isolation is maintained are referred to as “isolators.” Examples of isolators are transformers, capacitive couplers and optical couplers. Isolators however will not provide DC power or transfer DC signals and are not germane to this discussion. We will not delve into the use of resistors or diodes to isolate energy-storing components to provide spark ignition protection, but this is provided for in the Standards and is a different concept from galvanic isolators.
Safety Components and Barrier Design
Barriers can be categorized as either passive or active according to the components used to design them. Passive barriers have the advantage of conceptual simplicity, ease of design and ready availability in the market. However, the protected field apparatus must suffer the voltage burden imposed by the barrier and still function properly. Passive barriers are energy inefficient and bulky. If any significant power must be transferred to the field device beyond a few milliwatts, the safety components become very large.
Active barriers have a tremendous advantage in efficiency and component size, but are generally more difficult to design and may be more expensive to produce. Additionally, these are typically custom designs that are not easily reused. The most serious disadvantage of active barriers is not conceptual, but bureaucratic. The examiners who analyze the barrier design are completely familiar with common passive designs, and may require actual spark testing (at your expense) before approving active designs. However, as we will see, the LT4356 series surge stopper IC can be used to design an active barrier whose parameters can be easily altered to quickly provide custom barriers. Since the fundamental circuit topology won’t be changing much, once such an active design is approved, it will be more readily approved when only component value changes are made. If the IS instrument supplier is performing even a few IS barrier designs, significant savings are realized in energy efficiency, barrier size and cost.
A passive design for associated apparatus, the barrier, that supplies DC power to the field apparatus utilizes three venerable passive devices to implement protection: fuses, resistors and Zener diodes. Safety factors of 1.5 or 1.7 are applied to these device parameters. Furthermore, for double-fault protection at ‘ia’ protection level, multiply redundant components are necessary. Figure 3 shows the most common type of passive barrier design as an example.
Only the Zener diodes can limit open circuit voltage, and only the resistor and fuse can limit current. Fuses are not considered spark-ignition energy limiting devices because of their slow reaction time. In each case, the devices dissipate power and must be properly rated. The Zeners actually sink some reverse leakage current even when they are not fully on.
The examiner assumes the Zener voltage knee to occur at the high end of its tolerance, usually 5%. The Zener must be rated at 1.5 times the maximum power of the barrier, the resistors must be rated at 1.5 times the maximum power and the fuse is presumed to pass 1.7 times its rated current. The resistor is presumed to be at the low end of its tolerance range. All active and passive devices must also have an absolute maximum breakdown voltage specification that is 1.5 times the maximum operating voltage they will encounter in normal or fault conditions. These presumptions are imposed not to frustrate the electronic designer, but to arrive at a worst-case barrier performance, always erring on the side of safety.
The barrier is assumed to pass a maximum power of VOC • ISC = PMAX/2 when the field apparatus impedance is equal to the barrier source impedance, the point of maximum power transfer. For this analysis the resistor value is assumed to be (R – %tolerance) and VOC at (Vz + %tolerance). Any component in the field apparatus must be able to tolerate PMAX/2 unless protected at lower values by secondary means. If we assume that the field apparatus is nothing more than an LED, the LED must be able to dissipate PMAX/2 without exceeding the apparatus Surface Temperature code, such as 85°C for a T6 rated product.
In practical barrier designs, protective component redundancy is necessary for compliance, especially for Zener diodes. Two Zeners in parallel are required for Ex ib rated equipment, and three parallel Zeners for Ex ia protection level. Note that the Zener power dissipation rating depends on the fuse clearing. If the fuse were not present, proof must be supplied that the Zener can dissipate the full barrier power indefinitely without failing or exceeding the temperature rating of the apparatus. In addition, the IEC79 Standard requires that all fuses not contained in approved holders must be encapsulated. Further requirements exist for the protective resistor: it must be “infallible.” If two resistors are used in series, each resistor must be of a high enough value as to limit current if one of them fails short. If two resistors are used in parallel, each must be specified to dissipate the maximum fault power if one resistor fails open. An infallible resistor is one of metal film, ceramic glazed wire-wound, or thick film SMD type with a conformal coating, all with suitable creepage/clearance spacing to avoid a non-countable fault. The infallible resistor is considered to fail only to an open circuit. The examiner may take this as one countable fault, but unless it reveals failures downstream of the resistor, it does not inform the analysis.
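The countable-fault rules above (one examiner-imposed fault for Ex ib, two for Ex ia; Zeners presumed at the high end of their tolerance; an infallible resistor failing only open) can be checked mechanically by enumerating every fault combination. The following is an added example written for this edit, not code from the article or from Linear Technology. The barrier model (a supply, parallel Zeners and series resistors), the part names and the 24V/20V/50Ω values are constructed, and the voltage and current limits passed in are illustrative placeholders rather than values read from an ignition curve.

```python
# Added example (not from the article): enumerate countable faults on a passive
# barrier model and report every fault set that defeats the voltage or current limit.
# Zeners are taken at the top of their tolerance and fail open; an infallible
# resistor fails only open, any other resistor may fail open or short (per the text).
import math
from dataclasses import dataclass
from itertools import combinations, product


@dataclass(frozen=True)
class Zener:
    name: str
    vz: float           # nominal knee voltage, V
    tol: float = 0.05   # knee presumed at the high end of tolerance (5 % assumed)


@dataclass(frozen=True)
class Resistor:
    name: str
    ohms: float
    tol: float = 0.01         # value presumed at the low end of tolerance (1 % assumed)
    infallible: bool = False  # infallible parts fail open only


def fault_modes(part):
    """Fault modes the examiner may impose on a given part."""
    if isinstance(part, Zener) or part.infallible:
        return ("open",)
    return ("open", "short")


def evaluate(supply_v, zeners, series_resistors, faults):
    """Open-circuit voltage and short-circuit current at the barrier output
    with the given faults applied (faults: {part: mode})."""
    knees = [z.vz * (1 + z.tol) for z in zeners if faults.get(z) != "open"]
    voc = min([supply_v] + knees)        # parallel Zeners clamp at the lowest knee
    total = 0.0
    for r in series_resistors:
        mode = faults.get(r)
        if mode == "open":
            return voc, 0.0              # open series path: no current at all
        if mode != "short":
            total += r.ohms * (1 - r.tol)
    isc = math.inf if total == 0 else voc / total
    return voc, isc


def countable_fault_analysis(supply_v, zeners, series_resistors,
                             max_faults, voc_limit, isc_limit):
    """Apply every combination of up to max_faults countable faults and return
    the list of (faults, voc, isc) that exceed either limit; empty means pass."""
    parts = list(zeners) + list(series_resistors)
    violations = []
    for k in range(max_faults + 1):
        for combo in combinations(parts, k):
            for modes in product(*(fault_modes(p) for p in combo)):
                faults = dict(zip(combo, modes))
                voc, isc = evaluate(supply_v, zeners, series_resistors, faults)
                if voc > voc_limit or isc > isc_limit:
                    violations.append(({p.name: m for p, m in faults.items()}, voc, isc))
    return violations


EX_IB_FAULTS, EX_IA_FAULTS = 1, 2   # countable faults per protection level


if __name__ == "__main__":
    # Constructed design: 24 V supply, 20 V Zeners, two 50 ohm series resistors.
    z2 = [Zener("D1", 20.0), Zener("D2", 20.0)]
    z3 = z2 + [Zener("D3", 20.0)]
    r_plain = [Resistor("R1", 50.0), Resistor("R2", 50.0)]
    r_inf = [Resistor("R1", 50.0, infallible=True), Resistor("R2", 50.0, infallible=True)]
    cases = [("Ex ib, 2 Zeners", z2, r_plain, EX_IB_FAULTS),
             ("Ex ia, 2 Zeners", z2, r_plain, EX_IA_FAULTS),
             ("Ex ia, 3 Zeners, infallible R", z3, r_inf, EX_IA_FAULTS)]
    for label, zs, rs, k in cases:
        v = countable_fault_analysis(24.0, zs, rs, k, voc_limit=22.0, isc_limit=0.45)
        print(f"{label}: {'PASS' if not v else 'FAIL, e.g. ' + str(v[0])}")
```

With two Zeners the design survives the single Ex ib fault, but under the Ex ia double fault both Zeners open and the supply voltage appears at the output, and two ordinary series resistors can both be shorted; three Zeners plus infallible resistors clear every two-fault combination, which is the redundancy rule the text gives.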
Despite their simplicity, passive barriers exact a high price in power loss and size. Maximum power is transferred to field apparatus only when its input impedance is equal to the resistance of the current limiting resistor in the barrier, and this is only half of the power supplied to the barrier. If more than a few milliwatts are required in the field apparatus, the barrier resistor may become physically large. Such resistors are understandably expensive, have a limited value range and are difficult to source and mount. If a fuse is not included in the design, the Zener diodes likewise become bulky and expensive. The fact that the fuse must be encapsulated (Paragraph 7.3) usually dictates that the entire barrier is encapsulated, making it impossible to service as well as messy and more expensive to manufacture.
Determining Maximum Safe Field Apparatus Power Limits
The actual power that may be transferred to a field apparatus through the associated apparatus barrier is determined entirely by the level of certification the instrument supplier is seeking. This in turn is determined entirely by the environment it will encounter.
The Class and Division rating desired is easily determined. However, the flammable gas/dust type is what determines the Apparatus Group and T code. The fact that hydrogen has a relatively high ignition temperature (560°C) and a very low spark ignition energy (20μJ) demonstrates that careful thought must be given to these parameters before seeking certification testing. Here we confine our discussion to Class I locations, gases and vapors in surface operations, Group II. To determine how much power can be available at the output of a barrier, and still be safely faulted open or shorted, we utilize the empirically determined gas ignition curves published in the standards. These curves indicate the maximum voltage and current allowable for a given gas group.
There are three charts published in the standards, one each for resistive, inductive and capacitive circuits. Figure 4 shows the curve for a simple resistive circuit. For the sake of discussion, we assume that we are dealing with the worst environment for spark ignition, acetylene, Group IIA. Referring to Figure 4, at 20VOC it appears that up to 400mA ISC is allowed without danger of ignition. Additionally, this power must not permit a corresponding surface temperature rise high enough to thermally ignite the gas in normal or fault conditions.
Some authorities recommend derating the voltage VOC by 10% and the current ISC by 33%. This is stated in the standards (IEC 60079-11, 10.1.4.2) under safety factors. The calculated value of the current limiting series resistor is simply VOC/ISC = 20/0.4 = 50Ω. The power the resistor must dissipate is VOC • ISC, (ISC)²/R or (VOC)²/R, whichever is highest during circuit operation or fault. Simple calculations show that even small amounts of power may require rather physically large current-limiting resistors. A final note: the Standards state that, from empirical and analytical data, a T4 (135°C) temperature code is automatically awarded to any circuit using 1.3 watts or less.
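To make the arithmetic of this section and the preceding one concrete, here is an added worked example, not code from the article or from Linear Technology. It applies the examiner's presumptions described earlier (Zener knee at the high end of tolerance, resistor at the low end, fuse passing 1.7 times its rating, 1.5 times power and breakdown factors, the automatic T4 award at or below 1.3W) and sizes the series resistor from a resistive-curve point with and without the 10%/33% derating. The function names are assumptions; the 20V/400mA pair is the one quoted above, while the 5% Zener, 1% resistor and fuse values are constructed for illustration.

```python
# Added example (not from the article): examiner's worst-case presumptions applied
# to a passive barrier, plus series-resistor sizing from a resistive ignition-curve point.
import math

# Factors quoted in the text
COMPONENT_POWER_FACTOR = 1.5   # Zener and resistor power ratings >= 1.5 x max barrier power
FUSE_CURRENT_FACTOR = 1.7      # fuse presumed to pass 1.7 x its rated current
BREAKDOWN_FACTOR = 1.5         # breakdown spec >= 1.5 x the maximum voltage encountered
AUTO_T4_WATTS = 1.3            # <= 1.3 W automatically earns a T4 (135 C) code
VOC_DERATE, ISC_DERATE = 0.10, 0.33   # optional curve derating recommended by some authorities


def size_series_resistor(voc_curve, isc_curve, derate=False):
    """Size the current-limiting resistor from a curve point (Voc, Isc).
    Returns (R_ohms, P_watts); P is the largest of Voc*Isc, Isc^2*R, Voc^2/R."""
    voc = voc_curve * (1 - VOC_DERATE if derate else 1.0)
    isc = isc_curve * (1 - ISC_DERATE if derate else 1.0)
    r = voc / isc
    p = max(voc * isc, isc ** 2 * r, voc ** 2 / r)
    return r, p


def worst_case_barrier(vz_nom, vz_tol, r_nom, r_tol, fuse_rating, max_v_seen=None):
    """Worst-case figures the examiner derives for a fuse/resistor/Zener barrier."""
    voc = vz_nom * (1 + vz_tol)            # Zener knee at the high end of tolerance
    r_min = r_nom * (1 - r_tol)            # resistor at the low end of tolerance
    isc = voc / r_min
    pmax = voc * isc
    v_seen = voc if max_v_seen is None else max_v_seen
    return {
        "voc": voc, "isc": isc, "r_min": r_min, "pmax": pmax,
        "matched_load_w": pmax / 2,        # figure passed to the field apparatus, as the text states it
        "fuse_worst_a": FUSE_CURRENT_FACTOR * fuse_rating,
        "zener_rating_w": COMPONENT_POWER_FACTOR * pmax,
        "resistor_rating_w": COMPONENT_POWER_FACTOR * pmax,
        "min_breakdown_v": BREAKDOWN_FACTOR * v_seen,
        "auto_t4": pmax <= AUTO_T4_WATTS,
    }


def rating_shortfalls(wc, zener_w, resistor_w, breakdown_v):
    """List which chosen component ratings fall short of the worst-case requirements."""
    checks = [("zener_rating_w", zener_w), ("resistor_rating_w", resistor_w),
              ("min_breakdown_v", breakdown_v)]
    return [key for key, have in checks if have < wc[key]]


if __name__ == "__main__":
    r, p = size_series_resistor(20.0, 0.4)
    print(f"20 V / 400 mA curve point: R = {r:.1f} ohm, P = {p:.2f} W")
    r_d, p_d = size_series_resistor(20.0, 0.4, derate=True)
    print(f"with 10 % / 33 % derating:  R = {r_d:.1f} ohm, P = {p_d:.2f} W")
    wc = worst_case_barrier(20.0, 0.05, 50.0, 0.01, fuse_rating=0.25)   # constructed values
    print(f"worst case: Voc = {wc['voc']:.2f} V, Isc = {wc['isc']:.3f} A, "
          f"Pmax = {wc['pmax']:.2f} W, auto T4 = {wc['auto_t4']}")
    print("shortfalls:", rating_shortfalls(wc, zener_w=10.0, resistor_w=15.0, breakdown_v=40.0))
```

The output shows why the text warns about resistor size: the undeated 20V/400mA point already calls for an 8W rating before the 1.5 factor, far above the 1.3W automatic T4 threshold, and the examiner's tolerance presumptions push Pmax higher still.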
Using the LT4356 Surge Stopper as an Intrinsic Safety Barrier
The LT4356 series of overvoltage/overcurrent limiters are excellent choices for designing active protective barriers with minimum parts count and wasted power. Recognizing this fact, Linear Technology offers the IC in a 16-lead SO package with pin spacing sufficient to avoid penalizing the design with a non-countable fault when encapsulated. For voltages up to 10V, some Standards require a 1.5mm (59.1mil) creepage spacing, and 2.0mm (78.7mil) for up to 30V. Before the 2006 edition of the 79 series Standard, the IC had to be encapsulated to meet these requirements because of the 50mil (1.2mm) lead spacing of the 16-lead SO package, but encapsulation has the added advantage of raising the thermal limits on any associated components in the circuit.
However, the latest version of the harmonized Standard, IEC60079-11 (5th edition 2006-07) dramatically reduces these creepage requirements on printed circuit boards when the apparatus is enclosed in such a way as to meet ingress protection standards. These standards, known as IP levels, prevent ingress of dust or moisture, thereby guaranteeing a pollution degree of 2 or less. The idea is that the cleaner and drier the circuit board stays, the lower the board’s CTI (Comparative Tracking Index) and the less likely leakage current will occur. Annex F of 79-11 therefore allows only 0.2mm creepage all the way up to 50V for Class I environments. Since most instrumentation is enclosed anyway, it behooves the designer to use an enclosure with a high IP rating, such as IP67 or IP68 to avoid encapsulation requirements. Unless encapsulation is necessary to meet thermal limits, its cost and associated problems are best avoided.
Figure 5 is a simplified block diagram of the LT4356 IC. The LT4356 monitors both current and voltage continually and turns off the series pass MOSFET quickly if a fault occurs. Both current and voltage limits are set by external components, so limits may be changed easily. The current shunt resistor and the voltage feedback resistors should be made infallible to achieve certification. Usually the feedback resistors can be made arbitrarily large so that a MOSFET fault that shorts input power directly to the feedback resistors cannot cause significant power dissipation.
Nevertheless, two cautionary notes are in order. The first is that active devices (controllable semiconductors) can be used in Ex ib situations for power limitation (thermal ignition) but not for spark ignition protection. See paragraphs 7.5.2 and 7.5.3 in the Standards. Some interpretations may allow active barrier use in Zone 0, but only in triplicate form. The second caution is that, as with any IS barrier, even for Ex ib (single fault) applications, barrier failure usually results in non-countable thermal fault failure downstream of the barrier. Therefore, redundancy is required in case one of the barriers fails.
The LT4356 provides for two series pass transistors, typically for reverse polarity protection. Protection against polarity reversal is required “where this could occur.” A single diode is deemed acceptable to satisfy this requirement, but two pass transistors offer better protection from countable faults without a significant voltage drop.
For Ex ib environments, the examiner can use his single countable fault to internally short all the pins on the IC to analyze resultant failures. While properly rated redundant Zeners could be positioned at the output of the LT4356 to provide a voltage limit, at any appreciable power level the cost and difficulty of specifying these Zeners makes it more cost effective to simply duplicate the entire barrier. Note that for Ex ia applications, either triplicate barriers, or two barriers with a series infallible resistor are required to meet the double-fault analysis rule.
From here on, we assume that spacing and thermal rise, component ratings, PCB track width and redundancy rules are followed and the circuit cannot be failed with either countable or non-countable faults. The remaining question is that of spark ignition energy. For this purpose, the LT4356 may not prove useful, depending on the application.
The LT4356 reacts to both current and voltage faults by turning off the pass transistor(s). However, since it does not shut down instantaneously, some amount of energy squirts through the barrier. In the standards this is termed the let-through energy, and is usually assessed using oscilloscope measurements and/or an actual spark ignition test in a chamber. If this energy is enough to ignite the subject gas, the barrier has failed certification. Acceptable let-through energy is summarized in Table 3.
Table 3. Acceptable let-through energy

| Apparatus Group Classification | Let-Through Energy |
|---|---|
| Class I Group IIC = Ethylene | 20μJ |
| Class I Group IIB = Hydrogen | 80μJ |
| Class I Group IIA = Acetylene | 160μJ |
| Class I Group I = Methane | 226μJ |
Bench tests reveal that the LT4356 is much more than adequate for even Ex ia thermal ignition applications. Bench testing was done using a modified LT4356 evaluation board DC1018A. The schematic for the setup appears in Figure 7. The feedback resistors were selected for an IS-specific 9.9V voltage limit and the current sense resistor value was changed to allow a 300mA current limit. Both overvoltage and overcurrent limit performance were tested. The voltage limit was evaluated by a step change in input from zero to 15V. The current limit was evaluated by applying a direct short to the output ground through a low RDS(ON) MOSFET driven by a 5V square wave.
The IC series offers a number of fault recovery options using fault timers that may be exploited by the designer of IS apparatus, depending on the application, but these are not discussed here. The automatic fault reset enabled on the evaluation board is left enabled for testing.
Figure 8 shows a scope trace of the voltage clamping action when the evaluation board is powered up with a 15V supply and a 9.9V clamp limit. The action of the fault reset timer is obvious.
More importantly, Figure 9 shows the current fault action. It shows that when the short circuit is applied, by turning on the load MOSFET, voltage is clamped to ground in less than 6μs. Channel 1 is the trigger pulse and Channel 2 is the barrier output voltage. Although not shown, the current is also declining, though not as rapidly as voltage. The slew rate of the current is dependent on the power supply source impedance, the circuit inductance and the MOSFET gate capacitance, among other variables. In general, as small a MOSFET die size as possible should be used, and it may be necessary to use a low value resistor in series with the barrier output to stay below the spark ignition thresholds.
To properly calculate the let-through energy, the power profile must be derived from both current and voltage curves and then integrated over time. Spark ignition testing is only done on connections that may be broken without opening the instrument enclosure. That is, cables or connectors to devices outside and beyond the barrier itself. The examiner may cut the cable or disconnect connectors to measure spark ignition potential. Within the enclosure, only thermal ignition potential must be assessed.
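The let-through calculation described above (derive the power profile from both the voltage and the current traces, then integrate it over the shutdown interval) is shown here as an added example that is not code from the article or from Linear Technology. The scope traces are constructed, not measured: the output voltage is made to collapse linearly to zero over 6μs and the current to decay more slowly, mirroring the qualitative description of Figure 9, and the Table 3 limits are used exactly as printed above. The function names and the decay constant are assumptions.

```python
# Added example (not from the article): integrate p(t) = v(t) * i(t) over the clamp
# interval to obtain let-through energy, and compare it with the printed Table 3 limits.
import math

LET_THROUGH_LIMITS_UJ = {    # Table 3 as printed in the article
    "Class I Group IIC": 20.0,
    "Class I Group IIB": 80.0,
    "Class I Group IIA": 160.0,
    "Class I Group I": 226.0,
}


def let_through_energy_j(t_s, v_volts, i_amps):
    """Trapezoidal integral of v(t)*i(t) over aligned sample vectors; returns joules."""
    n = len(t_s)
    if not (n == len(v_volts) == len(i_amps)) or n < 2:
        raise ValueError("need three equal-length vectors with at least two samples")
    energy = 0.0
    for k in range(1, n):
        dt = t_s[k] - t_s[k - 1]
        if dt <= 0:
            raise ValueError("time samples must be strictly increasing")
        p0 = v_volts[k - 1] * i_amps[k - 1]
        p1 = v_volts[k] * i_amps[k]
        energy += 0.5 * (p0 + p1) * dt
    return energy


def assess(energy_j, group):
    """Return (passes, margin_uJ) against the printed limit for the given group."""
    limit = LET_THROUGH_LIMITS_UJ[group]
    e_uj = energy_j * 1e6
    return e_uj <= limit, limit - e_uj


def naive_energy_j(v0, i0, t_clamp):
    """Pessimistic bound that assumes full voltage and current persist until the clamp acts."""
    return v0 * i0 * t_clamp


def constructed_short_trace(v0=9.9, i0=0.30, t_clamp=6e-6, tau_i=10e-6, dt=0.25e-6):
    """Constructed stand-in for a scope capture (not a measurement): voltage falls
    linearly to zero over t_clamp; current decays exponentially with time constant tau_i."""
    n = int(round(t_clamp / dt)) + 1
    t = [k * dt for k in range(n)]
    v = [v0 * (1 - tk / t_clamp) for tk in t]
    i = [i0 * math.exp(-tk / tau_i) for tk in t]
    return t, v, i


if __name__ == "__main__":
    t, v, i = constructed_short_trace()
    e = let_through_energy_j(t, v, i)
    print(f"integrated let-through energy: {e * 1e6:.2f} uJ "
          f"(naive V0*I0*t bound: {naive_energy_j(9.9, 0.30, 6e-6) * 1e6:.2f} uJ)")
    for group in LET_THROUGH_LIMITS_UJ:
        ok, margin = assess(e, group)
        print(f"  {group}: {'within' if ok else 'exceeds'} limit, margin {margin:.1f} uJ")
```

The naive product V0 · I0 · t overstates the energy by more than a factor of two for this trace, which is why the text insists on integrating the actual power profile; a derated design margin or a chamber test, as the standards require, is still the examiner's call.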
Any supplier wishing to sell equipment into markets and environments that may be explosive must follow design rules that make its operation in such environments nonincendive. That is, the equipment must not be capable of providing either thermal or spark ignition sources. Several standard methods exist for providing such protection, but for electronic instrumentation the preferred and least costly approach is usually Intrinsic Safety. The International Standards that govern electrical devices in explosive atmospheres are convoluted and in many cases vague as to the design methods necessary to achieve compliance. In today’s safety conscious world, both governments and markets demand that the apparatus be certified as compliant with the standards. Certification is done by a number of regulatory bodies known as Nationally Recognized Test Laboratories, and a thorough and detailed analysis process is performed before certification is awarded.
Obtaining certification of instrumentation for IS environments is greatly eased by proper protective barrier design. While passive barriers are simple to design, they exact heavy penalties in size and cost when more than a few milliwatts are needed for proper operation. Active barriers can achieve safe operation while delivering several watts of energy, but the design rules are more complex.
Integrated circuits such as the LT4356 make active barrier designs considerably easier to certify if basic rules are followed. The superb response times of the LT4356 series voltage/current clamps are key to meeting regulatory requirements for limiting power that could cause thermal ignition. Careful design, and possibly additional fast clamps may be needed if the LT4356 is to be used to limit spark ignition also.
This article does not cover all of the details necessary for a compliant barrier design and thorough study of the applicable standards is still required of an IS designer. Nevertheless, certification-ready active barriers are now very accessible, giving designers and their companies an unprecedented opportunity to expand into heretofore, relatively closed markets.