Brief Guide to the Intrinsic Safety Design & Certification Process

Introduction

The aim of this article is to give a brief overview of what to expect when designing and certifying a product using the principle of Intrinsic Safety.

There are three main parts to the process:

  • Design
  • Type Examination
  • Quality System

Design

Unlike other hazardous area protection concepts, the intrinsic safety protection concept works by ensuring that the design is not capable of producing high temperatures or high energy sparks that can cause an ignition. Because of this, such equipment does not normally need any extra external protection, such as an explosion-proof enclosure, as it is, in and of itself, “intrinsically” safe.

The standards used are the IEC 60079-11 and IEC 60079-0 standards.

Intrinsically safe designs are primarily assessed via calculation, relying on the information published in component datasheets. Assessments are carried out at the component level. This means that complex sub-assemblies, such as LCD and radio modules, either need to be implemented directly into the equipment by the designer, or extra information about their internals needs to be sought, either from the manufacturer or via testing/examination.

Assessments are carried out assuming that worst case faults are present in the device. The 60079-11 standard outlines how different components should be assumed to fail, depending on whether it is a safety or non-safety component. Typical scenarios that are assessed include:

  • Non-safety components would fail in such a way that the available power is dissipated in one component with the highest thermal resistance. The worst case surface temperature would then be calculated and compared to the limit.
  • Non-safety components would fail in such a way that all of the capacitance present in the circuit is connected in parallel. Therefore the total capacitance present would be determined and compared to the limit.

The design process consists of the following main stages:

  • Power limitation
  • Safe power usage
  • Separation/isolation
  • PCB + Assembly assessment

Power Limitation

The voltage, current and power coming from the equipment power source need to be limited. This is done using what are referred to as “barrier circuits”. These are typically simple circuits that use passive components and discrete semiconductors in order to limit the power supply voltage (e.g. using parallel zeners) and current (e.g. using resistors and fuses).

Safe Power Usage

Based on the voltage, current and power, the safe limits can be determined. The downstream circuit can then be assessed to see whether it remains within those limits during a fault.
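As an added worked example (not code from the original article or from HelmPCB), the script below carries the two preceding stages through for a simple resistive barrier: it derives the worst-case output parameters Uo, Io and Po from the zener and series resistor tolerances, then applies the two fault scenarios described earlier (all available power dissipated in the component with the highest thermal resistance; all capacitance connected in parallel) to the downstream circuit. Every component value, tolerance, ambient temperature and limit in it is constructed for illustration; the real limits come from IEC 60079-11 and the datasheets of the parts actually used, and the standard's safety factors are not applied here.

```python
"""Worst-case intrinsic-safety assessment of a resistive barrier and the
circuit it feeds. Added example; all values below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Barrier:
    """Simple barrier: parallel zener clamp followed by a series resistor."""
    zener_v_nom: float     # nominal zener clamp voltage (V)
    zener_tol: float       # zener voltage tolerance as a fraction (0.05 = 5 %)
    series_r_nom: float    # nominal series resistance (ohm)
    series_r_tol: float    # resistor tolerance as a fraction (0.01 = 1 %)

    @property
    def uo(self) -> float:
        # Worst case is the highest clamp voltage the zener can sit at.
        return self.zener_v_nom * (1 + self.zener_tol)

    @property
    def ro(self) -> float:
        # Worst case is the lowest resistance the series resistor can have.
        return self.series_r_nom * (1 - self.series_r_tol)

    @property
    def io(self) -> float:
        # Short-circuit output current: full clamp voltage across the resistor.
        return self.uo / self.ro

    @property
    def po(self) -> float:
        # Maximum power a linear (resistive) source can deliver to a load is
        # reached at the matched load: Po = Uo * Io / 4.
        return self.uo * self.io / 4


@dataclass(frozen=True)
class Component:
    """A downstream, non-safety component as seen by the assessment."""
    ref: str
    capacitance_f: float = 0.0     # capacitance counted towards the total (F)
    r_theta_k_per_w: float = 0.0   # thermal resistance to ambient (K/W)


def worst_case_surface_temp(po_w, components, ambient_c):
    """Fault scenario 1: the whole available power Po ends up in the single
    component with the highest thermal resistance. Returns (ref, temp_c)."""
    hottest = max(components, key=lambda c: c.r_theta_k_per_w)
    return hottest.ref, ambient_c + po_w * hottest.r_theta_k_per_w


def worst_case_capacitance(components):
    """Fault scenario 2: every capacitor in the circuit ends up in parallel,
    so the total is simply the sum."""
    return sum(c.capacitance_f for c in components)


def assess(barrier, components, ambient_c, temp_limit_c, co_limit_f):
    """Compare the worst-case values against the (assumed) limits."""
    ref, t_surface = worst_case_surface_temp(barrier.po, components, ambient_c)
    c_total = worst_case_capacitance(components)
    return {
        "uo_v": barrier.uo,
        "io_a": barrier.io,
        "po_w": barrier.po,
        "hottest_component": ref,
        "t_surface_c": t_surface,
        "temp_ok": t_surface <= temp_limit_c,
        "c_total_f": c_total,
        "capacitance_ok": c_total <= co_limit_f,
    }


if __name__ == "__main__":
    # Constructed example: 5.6 V +/-5 % zener, 100 ohm +/-1 % series resistor.
    barrier = Barrier(zener_v_nom=5.6, zener_tol=0.05,
                      series_r_nom=100.0, series_r_tol=0.01)
    # Constructed downstream parts; thermal resistances are placeholders.
    circuit = [
        Component("R1", r_theta_k_per_w=250.0),
        Component("C1", capacitance_f=10e-9, r_theta_k_per_w=120.0),
        Component("C2", capacitance_f=100e-9, r_theta_k_per_w=90.0),
        Component("U1", r_theta_k_per_w=40.0),
    ]
    # Assumed limits for illustration only (not taken from the standard).
    result = assess(barrier, circuit, ambient_c=40.0,
                    temp_limit_c=135.0, co_limit_f=1e-6)
    for key, value in result.items():
        print(f"{key:>18}: {value}")
```

Adding a single extra bulk capacitor (say 2.2 µF) to the circuit list flips `capacitance_ok` to false without changing anything else, which is exactly the situation that pushes a designer towards the separation and isolation stage described next: the circuit has to be split so that each sub-circuit sits within its own barrier's limits.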

Separation and Isolation

Where a downstream circuit cannot operate within the safety limits, it can be necessary to split the circuit into multiple sub-circuits, each powered by its own, lower power barrier, with its own independent safety limits. This makes it easier to fit the design within the limits. Because the sub-circuits often need to communicate with each other, those signals need to either pass through their own barriers or be isolated from one another in order to prevent the main sub-circuit barriers from being bypassed.

PCB and Assembly Assessment

As well as assessing the circuit, the actual physical implementation on the PCB and the full equipment assembly need to be checked. This is mainly about making sure that there is enough separation between different sub-circuits, e.g. via PCB track spacing, wire insulation thickness and mechanical fixing of parts. In addition, tracks, wiring and connectors need to be sufficiently rated so as to handle fault currents without heating up above the limits.

Type Examination

Once the design is finalised, it is submitted, along with the documentation, to the notified body for evaluation. The notified body will study the design and determine whether or not it is compliant. Because most designs can be assessed by calculation, the notified body often never needs to see a physical prototype and the certification can be completed via assessment of the equipment documentation alone.

In cases where assessment is not enough to determine compliance, physical testing may be required on parts of the design.

Once the evaluation is completed, the notified body will issue a type certificate, indicating that the design is compliant.

Quality System

The type certification only proves that the design is safe, not the individual manufactured units. In order for the manufactured units to also be safe, they need to be manufactured according to the certified design. This is the job of the quality system. This essentially boils down to traceability and verification:

  • Traceability of documentation: the ATEX related aspects of the design need to be documented as part of the type certification process. This includes the schematic, BOM and any ATEX related manufacturing instructions. You will need to have a document management system in place such that all documents are traceable (document number, version, date etc).
  • Traceability and verification during manufacture: safety critical components need to be traced from purchase all the way up to the serial-numbered board they are populated on. 100% of all safety critical parts need to be verified (correct part, installed correctly, separation distances checked etc).
  • Traceability during product lifetime: every finished product needs to have a serial number. From that serial number you should be able to trace which customer the product was sent to, returns, repairs etc.

The quality system is built on the following components:

  • ISO 9001: well known quality standard. The ATEX quality requirements build on this, so the company needs to be ISO 9001 certified.
  • 80079-34: This is the standard that deals with the quality system. There are several aspects that are common to all protection concepts, as well as the intrinsic safety-specific aspects in section A.4.
  • QAN/QAR: Quality assurance notification/Quality assurance review. These are basically time-limited quality certificates (for IECEx and ATEX respectively) that confirm that you comply with the standard. The quality system is audited by the notified body regularly (every 12-18 months) and the certificate is renewed subject to a successful review.

In order to simplify the manufacturing process, it is possible to subcontract the manufacturing to a company that already complies with 80079-34 and has an active QAN/QAR in place. As the certificate owner, you still need to implement the quality system requirements and have an active QAN/QAR, but by using a certified manufacturer, the manufacturing requirements can be handled by them.

Timescales

For the design phase, timescales will vary from customer to customer, but in our experience it takes customers an average of 4 months to go from a completed non-ATEX product/prototype to a compliant design that is ready for submission for certification. Most of this duration is determined by the customers themselves, as their engineering teams work to balance the ATEX requirements against the functional requirements of their product.

HelmPCB Intrinsic Safety Pre-assessment and Consultancy Service

At HelmPCB, we can assist you with the design and type certification phases of the process, drawing on more than a decade and a half of experience both designing intrinsically safe products and assisting customers with theirs.

For more information, please take a look at our ATEX/IECEx Intrinsic Safety Pre-assessment service.