Last month, I published on creepage and clearance, which is well described in the IEC 60079 series of standards; see here. Over the last month, I have continued to read about explosion proofing and intrinsic safety in particular (relevant standard IEC 60079-11:2023).
The blog title says that there are things that functional safety people can learn from our intrinsic safety cousins, so let's start with fault exclusions.
IEC 61508-2:2010 talks about fault exclusions and excluding faults but gives little detail.
Figure 1 An example from IEC 61508-2:2010 on where fault exclusions are used
IEC 60079-11 discusses infallibility and gives some great examples with specific values and properties. Infallible means to me that it can never fail, so it can be depended upon: the specific fault covered by the infallibility claim can be excluded. In other words, it's a fault exclusion by another name.
Figure 2 Definition of an infallible connection from IEC 60079-11:2023
Let’s start with digital isolators. The main purpose of using a digital isolator is to separate one circuit from another electrically. Therefore, a key concern is a failure across the isolation barrier.
Note - Digital isolators are close to my heart because they are produced by Analog Devices as faster, smaller and in some cases more integrated opto-coupler replacements, see here.
The 2023 revision of IEC 60079-11 gives full recognition to digital isolators to reliably separate one intrinsically safe circuit from another or an intrinsically safe circuit from a non-intrinsically safe circuit. If your infallible separation claim is met, you no longer need to worry about that failure mode.
Figure 3 Infallible separation from IEC 60079-11:2023
To claim the fault exclusion, the digital isolator would need to meet the requirements of the standards that apply to digital isolators, which are IEC 60747-17 or its predecessor, DIN VDE 0884-11. Anyone familiar with the functional safety of variable speed drives standard IEC 61800-5-2:2016 will see a similar fault exclusion is available for what that standard calls galvanic isolators. I believe it has been agreed to add the same text to the new ISO 13849-2 version.
Connectors, whether on the input of a module or between PCBs in a module, always seem to be a weak point for functional safety. We see the fault exclusion from intrinsic safety shown below. Depending on how likely an explosive gas mixture is present, you need two or three connectors, any one of which, on its own, can carry the entire current. If so, you don't have to worry about the connection going open circuit (this is a big problem for intrinsic safety, where you might get a spark as the connection is broken).
Figure 4 An excerpt from the text covering a fault exclusion for connectors from IEC 60079-11:2023
For PCB tracks, the guidance in the figure below is very clear. You need redundant PCB tracks or one track of sufficient depth and width, and similarly for the vias in a multi-layer PCB.
Wouldn’t it be interesting to get the same thing for an integrated circuit metal connection and the vias? The design rules and design rule checkers enforce this for integrated circuit designs, but can you claim infallibility?
Figure 5 Guidance on the use of redundant PCB tracks and vias
I covered creepage and clearance in my last blog; see here. But for your convenience, here is an extract from IEC 60079-11:2023. If you meet the requirements from the table, you don’t have to consider shorts between circuits, integrated circuit pins or traces on your PCB. Suitable coatings or casting compounds reduce the required separation but still allow the infallibility claim.
Figure 6 An extract from IEC 60079-11:2023
All of the above are related to fault exclusions, but IEC 60079-11:2023 contains a lot of other material. For instance, the below specifies the derating required for a semiconductor device and its temperature rating. I think it's what IEC 61508 would like to say, but it doesn’t.
Figure 7 a note from IEC 60079-11:2023 7.1
To make this calculation, you need the component's datasheet to specify the maximum junction temperature, the theta JA of the package, and the maximum ambient temperature of the integrated circuit's micro-environment in its application.
Allowed power < (2/3) × (max allowed junction temperature − max ambient temperature) / θJA
This also shows the value of having components specified to 125 °C even if your application only needs 60 °C ambient. For a previous blog in my safety matters series on de-rating, see here.
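To make the calculation concrete, here is an added example (my own illustration, not code from the blog or from Analog Devices) that applies the 2/3 derating rule quoted above and also solves it backwards for the maximum ambient a given dissipation can tolerate. The junction temperatures and θJA values used are constructed sample numbers, not a real part's datasheet.

```python
# Added example: the 2/3 power derating rule for a semiconductor, as quoted in the post:
#   Allowed power < (2/3) * (Tj_max - Ta_max) / theta_JA
# All part parameters below are constructed sample values, not a real datasheet.

DERATING_FACTOR = 2.0 / 3.0


def allowed_power_w(tj_max_c: float, theta_ja_c_per_w: float, ta_max_c: float) -> float:
    """Maximum dissipation (W) permitted by the 2/3 rule for a part with junction limit
    tj_max_c, package thermal resistance theta_ja_c_per_w and worst-case ambient ta_max_c."""
    if theta_ja_c_per_w <= 0:
        raise ValueError("theta_JA must be a positive thermal resistance")
    headroom_c = tj_max_c - ta_max_c
    if headroom_c <= 0:
        return 0.0  # ambient already at or above the junction limit: no dissipation allowed
    return DERATING_FACTOR * headroom_c / theta_ja_c_per_w


def dissipation_ok(p_diss_w: float, tj_max_c: float, theta_ja_c_per_w: float, ta_max_c: float) -> bool:
    """True when the application's dissipation stays below the derated limit."""
    return p_diss_w < allowed_power_w(tj_max_c, theta_ja_c_per_w, ta_max_c)


def max_ambient_c(p_diss_w: float, tj_max_c: float, theta_ja_c_per_w: float) -> float:
    """Inverse of the rule: the highest ambient at which p_diss_w still meets the 2/3 derating.
    Rearranging Allowed power = (2/3) * (Tj_max - Ta) / theta_JA for Ta gives
    Ta = Tj_max - 1.5 * P * theta_JA."""
    return tj_max_c - p_diss_w * theta_ja_c_per_w / DERATING_FACTOR


if __name__ == "__main__":
    # Constructed comparison: two hypothetical parts in the same package (theta_JA = 100 C/W),
    # one with Tj_max = 150 C and one with Tj_max = 85 C, both at a 60 C ambient.
    theta_ja = 100.0
    ambient = 60.0
    for tj_max in (150.0, 85.0):
        print(f"Tj_max {tj_max:5.1f} C: allowed dissipation "
              f"{allowed_power_w(tj_max, theta_ja, ambient) * 1000:.0f} mW at {ambient:.0f} C ambient")
    print(f"0.3 W in the 150 C part is allowed up to "
          f"{max_ambient_c(0.3, 150.0, theta_ja):.0f} C ambient")
```

The same dissipation that a part with a 150 °C junction limit accepts comfortably can be over the limit for a part with an 85 °C limit, which is the point made above about specifying components beyond the application's ambient.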
Figure 8 Thermal resistance and max junction temperature from an ADI datasheet
Some things from IEC 60079-11 that we functional safety people might want to ignore are intrinsic safety's rejection of software and, indeed, of programmable components, including, for instance, the humble DigiPOT, which is considered a programmable component in IEC 60079-11, as clarified by a recent interpretation sheet.
Figure 9 Dislike of programmable components and by implication software from IEC 60079-11:2023
So be it, if they can achieve their aims without this complexity. Explosion proofing perhaps does not require the capabilities that these components would bring. Perhaps it's just more conservative than functional safety. Given that the intrinsic safety standards are conservative, and given that a lot of process control facilities need both functional safety and intrinsic safety, acceptance of the intrinsic safety infallibility claims as fault exclusion claims should not be controversial.
So, in summary, even if you don’t do any intrinsic safety work, I would advise you to read IEC 60079-11:2023 if you can. It contains some useful material and insights that are applicable outside of its intended domain.
Check back next month on the second Tuesday of the month for the next blog in this series. Until then, I hope to post “mini-blogs” on the other Tuesdays in the month directly from my LinkedIn. Please follow me on LinkedIn if interested.
For previous blogs in this series, see here.
For the full suite of ADI blogs on the EngineerZone platform, see here.
For the full range of ADI products, see here.