Countable vs Non-countable Faults

If you are a functional safety person and you have never heard of countable and non-countable faults, don’t panic. These are terms from intrinsic safety; hopefully, as a functional safety professional, you will still find this blog engaging and perhaps thought-provoking.

Firstly, what is intrinsic safety? Intrinsic safety is part of explosion proofing and is covered by the standard IEC 60079-11:2023. Circuits designed to this standard prevent an explosion by limiting the power available in the circuit so that it is below the level necessary to ignite the worst-case mixture of whatever gas may be present at a location. In contrast to functional safety, the goal is elimination rather than reducing the probability to an acceptable level.

IEC 60079-11 uses a very different approach to faults compared to IEC 61508 and mandates a very specific fault model. As shown below, an analysis according to IEC 61508 is not sufficient.

Figure 1: An extract from IEC 60079-11:2023

One of the first things about intrinsic safety is that circuits don’t depend on complex technology. It specifically excludes reliance on software and any kind of complicated integrated circuit that reads from memory. Unfortunately, as clarified in a recent interpretation sheet, this excludes ADI’s family of digital potentiometers, which, although very simple chips, read their set values from memory potentially programmed by an end-user, which is not allowed.

Instead, intrinsic safety depends on components such as:

  • Resistors to limit current
  • Clamping diodes to limit voltages
  • Diodes to prevent reverse current flow
  • Fuses to prevent current from flowing for long enough to damage clamp diodes

Other components, such as semiconductors to limit current, are allowed, provided they meet specific conditions, for instance, see the very cute LT3092.

Components on which intrinsic safety depends are said to have two fault types, countable and non-countable, with the definitions shown below:

Figure 2: Definitions for two fault types from IEC 60079-0:2017

When I first saw these definitions, they were not very useful. I will now attempt to explain them using resistors to illustrate the issues.

But first, a detour to show why countable and non-countable are so important. Functional safety according to IEC 61508 has SIL (safety integrity level) to indicate the level of safety achieved with HFT (hardware fault tolerance) as one means to increase that SIL. Intrinsic safety indicates the level of protection achieved against the explosion risk using 3 levels:

  • Ex ia – tolerant with up to 2 countable faults and an infinity of non-countable faults
  • Ex ib – tolerant with 1 countable fault and an infinity of non-countable faults
  • Ex ic – tolerant under normal operation

In effect, the level of safety achieved depends on the intrinsic safety interpretation of HFT.

This is expressed more formally in the standard as:

Figure 3: Conditions of spark ignition assessment from IEC 60079-11:2023

Now, returning to resistors, the failure modes to be considered are listed below:

Figure 4: Failure modes of resistors from IEC 60079-11:2023

Now let’s apply the above failure modes to a resistor used in a barrier. The main focus of intrinsic safety as a protection method is limiting voltage, current, power, and surface temperatures. A barrier limits the voltage and current that can flow into a circuit. It would typically be placed in the safe area (where no gas is present) to limit the energy flow into zones where gas may be present. Below, the parallel diodes limit the voltage, the fuse protects the diodes from long-lasting high currents, and the resistor limits the current.

Figure 5: A diode safety barrier showing open circuit voltage and short circuit current

The first obvious question is why, for protection level Ex ia, you don’t need to consider a short circuit of the resistor. This is because of the construction requirements mentioned in the standard, including the use of derating, that the resistors can only be film-type, wire-wound, or printed (but for printed, must be covered in encapsulation). They are then deemed not to fail shorted (like a fault exclusion from functional safety standards).

The next obvious question is why you don’t need to consider variation within the specified resistor tolerance. If you are using the resistor to limit current, you will already have accounted for the worst-case tolerance in your calculations, i.e., you limit the current based on the minimum resistance value rather than the nominal, which is 99 ohms for a 100 ohm nominal +/-1% resistor. The construction requirements then mean that this tolerance should never be exceeded.

Even though you still need to consider open circuit as a countable fault, in this case, failing open circuit is a safe failure, and the output current will go to zero. For other uses of a resistor where failing open is not a safe failure, you may need two or more resistors in parallel.

If the resistor doesn’t meet the required construction requirements, then all failure modes of the resistor become non-countable faults, and you need to analyze your circuit with the worst-case combination of those faults and up to two countable faults.

Figure 6: Warning from IEC 60079-11:2023 7.4.1 for if you don't meet the resistor construction requirements.

Note - I have omitted some of the finer details of the standard in this overview. Sometimes, for instance, two diodes in parallel are considered infallible, and you don’t need three diodes even for Ex ia.

While you must analyze the circuit for an infinity of non-countable faults, it is worth remembering that for a given scenario, the fault is fixed, i.e., if the resistor is failing open, it stays failing open for that fault scenario. Faults cannot be variable over time, going from short to open and back to short.
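The barrier analysis described above (worst-case tolerance, open circuit as the only countable fault of a compliant resistor, every failure mode non-countable for a non-compliant one, a fixed fault state per scenario, and up to 2/1/0 countable faults for Ex ia/ib/ic) can be mechanised as a scenario enumeration. The following is an added example written for this post; it is not code from the post, from ADI, or from IEC 60079-11, and its fault model is a deliberate simplification: clamp diodes are assumed to have open and short as countable faults, the "two diodes are infallible" rule is not modelled, power is not calculated, and the component values (28 V clamps, 300 ohm +/-1% resistor, an assumed 250 V worst-case safe-area voltage Um) are constructed.

```python
"""Added example: enumerate fault scenarios for a simplified diode safety
barrier and report the worst-case open-circuit voltage Uo and short-circuit
current Io for each intrinsic safety protection level. The fault model is a
simplification for illustration, not the full rule set of IEC 60079-11."""
from dataclasses import dataclass
from itertools import product
from math import inf

# Countable faults tolerated per protection level, as described in the post
LEVEL_COUNTABLE_FAULTS = {"ia": 2, "ib": 1, "ic": 0}


@dataclass(frozen=True)
class Resistor:
    name: str
    nominal_ohm: float
    tolerance: float      # 0.01 means +/-1 %
    compliant: bool       # meets the construction requirements of the standard

    def states(self):
        """(state, countable-fault cost) pairs. A compliant resistor cannot fail
        short; open circuit is its one countable fault. For a non-compliant
        resistor every failure mode is non-countable, i.e. free (cost 0)."""
        if self.compliant:
            return (("ok", 0), ("open", 1))
        return (("ok", 0), ("open", 0), ("short", 0))

    def min_ohm(self):
        # Current limiting is assessed at the bottom of the tolerance band
        return self.nominal_ohm * (1.0 - self.tolerance)


@dataclass(frozen=True)
class Diode:
    name: str
    clamp_v: float        # maximum clamping voltage of this diode

    def states(self):
        # Assumption of this model: open or short of a clamp diode is one countable fault
        return (("ok", 0), ("open", 1), ("short", 1))


@dataclass(frozen=True)
class Barrier:
    um_v: float           # assumed worst-case voltage the safe-area side can present
    diodes: tuple         # parallel clamp diodes
    resistors: tuple      # series current-limiting resistors

    def evaluate(self, scenario):
        """Return (Uo, Io) for one fixed fault scenario {component name: state}."""
        if any(scenario[d.name] == "short" for d in self.diodes):
            uo = 0.0      # a shorted clamp pulls the line to 0 V (safe direction)
        else:
            intact = [d.clamp_v for d in self.diodes if scenario[d.name] == "ok"]
            uo = min(intact) if intact else self.um_v   # all clamps open: no voltage limit
        r_total = 0.0
        for r in self.resistors:
            state = scenario[r.name]
            if state == "open":
                return uo, 0.0    # series path broken: no output current (safe direction)
            r_total += 0.0 if state == "short" else r.min_ohm()
        io = uo / r_total if r_total > 0 else (inf if uo > 0 else 0.0)
        return uo, io

    def worst_case(self, level):
        """Worst-case Uo and Io over every scenario with at most the number of
        countable faults the level tolerates; non-countable faults are unlimited.
        Each scenario fixes one state per component, as the post explains."""
        allowed = LEVEL_COUNTABLE_FAULTS[level]
        parts = list(self.diodes) + list(self.resistors)
        worst_uo, worst_io = 0.0, 0.0
        for combo in product(*(p.states() for p in parts)):
            if sum(cost for _, cost in combo) > allowed:
                continue
            scenario = {p.name: state for p, (state, _) in zip(parts, combo)}
            uo, io = self.evaluate(scenario)
            worst_uo, worst_io = max(worst_uo, uo), max(worst_io, io)
        return worst_uo, worst_io


def classic_barrier(n_diodes=3, compliant_resistor=True):
    """Constructed example: 28 V clamps, 300 ohm +/-1 % series resistor, Um = 250 V."""
    return Barrier(
        um_v=250.0,
        diodes=tuple(Diode(f"D{i + 1}", 28.0) for i in range(n_diodes)),
        resistors=(Resistor("R1", 300.0, 0.01, compliant_resistor),),
    )


if __name__ == "__main__":
    for level in ("ia", "ib", "ic"):
        print(level, classic_barrier().worst_case(level))
    print("two diodes, ia:", classic_barrier(n_diodes=2).worst_case("ia"))
    print("non-compliant R, ic:", classic_barrier(compliant_resistor=False).worst_case("ic"))
```

With three clamp diodes and a compliant resistor the worst case at every level is 28 V and 28/297 A, i.e. normal operation, because two open diodes still leave one clamping and an open resistor only removes the output current. With only two diodes, Ex ia lets both fail open and Uo rises to the assumed Um. With a non-compliant resistor its short circuit costs nothing, so even Ex ic sees an unlimited output current; that is the situation the warning in the standard refers to.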

Hopefully, you have enjoyed this trip, which has taken me outside my normal functional safety comfort zone. Given that intrinsic safety is crucial for process industries, including oil and gas, it is not surprising that many instruments, such as pressure transmitters and temperature transmitters, need to be certified for both intrinsic safety and functional safety. One standard that links the two types of safety is IEC 60079-42, but that will be discussed in a future blog.

Check back next month on the second Tuesday of the month for the next blog in this series. Until then, I hope to post “mini blogs” on the other Tuesdays in the month directly from my LinkedIn account. Please follow me on LinkedIn if interested.
