Automated industrial systems have field devices that monitor, control, and operate an industrial process. The field devices communicate with a control processor through a trunk circuit that transmits DC voltage through a power conditioner to power the field devices and transmits AC voltage data signals (which can include operating commands) superimposed on the DC voltage bi-directionally between the control processor and the field devices.
The field devices can be distributed throughout the industrial plant, and the data transmittal rates allow essentially real-time control of the process. Field devices each attach to the trunk circuit via a spur or drop circuit. The trunk circuit transmits DC voltage to the spur circuit, and carries the AC data signals to and from the spur circuit.
Standardized power and communication protocols have been developed for distributed control systems. For example, the Foundation Fieldbus protocol is an all-digital, serial, two-way communication system that sends DC power and AC signals over a twisted two-wire trunk circuit and enables the control processor to communicate with and control a number of field devices. Other known distributed control systems include the Profibus PA and Ethernet-based control systems.
Field devices may be located in hazardous areas of the plant that present the risk of fire. Hazardous areas are identified by class as to the nature of the risk. Flammable gases are in Class 1 areas, combustible dusts are in Class 2 areas, and ignitable fibers and flyings are in Class 3 areas. Class 0 is a safe area without fire risk.
Hazardous areas are further identified by division and zone as to the level of fire risk. Division 1 identifies areas in which the fire risk is a continuous presence (Zone 0) or in which the fire risk is present only during normal operations (Zone 1). Division 2 identifies hazardous areas in which the fire risk is not expected (Zone 2), but if the risk does occur it is present for only a short period of time.
Distributed control systems having field devices located in hazardous areas may be intrinsically safe. Intrinsically safe control systems are designed so that the energy released during an electrical fault is insufficient to cause ignition within the hazardous area. Conventionally the voltages and currents in the entire control system are reduced to limit the energy release to below the ignition point.
A problem with an intrinsically safe control system is that the limited power available in the system may be insufficient to operate all the field devices in the system, including those in safe areas.
Other control system approaches have been developed that provide sufficient power to operate all field devices, while still providing intrinsic safety for field devices in hazardous areas.
In the entity approach, safety barriers are provided when transitioning from a safe area to an intrinsically safe area. The barrier provides a limited number of spurs that extend into the hazardous area, and limits the amount of energy available to the spurs.
To achieve energy limitation for the hazardous area, both voltage and current must be limited in accordance with intrinsic safety standards. The level to which the voltage and current must be limited is dependent upon which hazardous area the spur is to be connected into. Further, for Division 1 (Zone 0, Zone 1) intrinsic safety, barriers commonly provide galvanic isolation; for Division 2 (Zone 2) intrinsic safety, barriers are not isolated.
For Division 2 (Zone 2) entity systems, the conventional approach is to achieve the voltage limitation at the power conditioner that is supplying energy to the trunk circuit, and the current limitation is provided for in a device coupler. A device coupler enables a device segment consisting of one or more spurs to be attached to the trunk circuit in a modular manner.
Several problems, however, have been identified with this conventional approach:
(a) because the intrinsic safety concept begins at the power conditioner, all equipment connected to the trunk circuit must be limited in accordance with intrinsic safety standards;
(b) intrinsically safe terminals must be physically separated from all non-intrinsically safe terminals. This requirement typically must be observed for all trunk connections, including the power conditioner and any other equipment attached to the trunk circuit;
(c) intrinsically safe signals are not to be carried in the same cable as non-intrinsically safe signals. Trunk circuits are often included as part of multi-core cabling, limiting the use of the other cabling lines; and
(d) the lower the output voltage of a power conditioner, the shorter the maximum length of the trunk circuit. Device loading on the segment and cable resistance per unit length limit the maximum trunk circuit length. For example, the maximum voltage of a Fieldbus intrinsically safe power conditioner is typically set to 24 volts because the majority of intrinsically safe field devices are limited to a maximum input voltage of 24 volts. The maximum length of a trunk circuit is significantly shortened as compared to a trunk circuit operating at a higher maximum voltage under normal segment loading conditions.
Thus there is a need for an improved intrinsic safety approach for Division 2 (Zone 2) entity systems that enables the control system to provide sufficient power to operate all field devices while still providing intrinsic safety for those field devices in hazardous areas.