Flyback transformer with Intrinsic Safety
I have no experience designing for Intrinsic Safety (IS), but need to do that now. I have read thru IEC 60079-11, which seems to be the relevant standard for my purposes.
The board I need to design will be an "associated apparatus" in IS terms. That means the board won't be in a hazardous location, but it will connect to things that will be. In this case, it connects to sensors that are essentially variable resistances, from about 75 Ω to 35 kΩ. The job of the board I need to design is to measure those resistances.
I am looking for feedback whether my strategy of addressing IS is valid, and anything else I should consider.
Here is a block diagram of what I'm planning:
This whole section is isolated by the flyback converter, although in the end this isolated ground will be tied to the chassis in one specific location. A sensors will be connected to P1 and P2, and will be in a hazardous location, although what is shown here will not be in a hazardous location.
As I understand it, as long as R1 and R2 are of the right type, properly derated, and some minimum spacing is maintained, they can be assumed to only fail open, not shorted. I believe I can do pretty much anything I want in the black box, other than include any circuit that could make a higher voltage. For example, I don't have to care about maximum capacitance or inductance for the particular voltage. For purposes of evaluating IS compliance, the left ends of R1 and R2 will be assumed to be connected to the maximum voltage anywhere in the black box, which will be the clamped power voltage fed to it. Please let me know if there is anything wrong with this logic.
The real question is whether my approach to guaranteeing (for IS purposes) the clamped voltage will not exceed some maximum is valid.
Here is a basic schematic of what I'm considering for the flyback converter and voltage clamp:
The transformer is a Coilcraft POE30P-12L, intended for flyback converters from power over ethernet. The primary is rated for 300 mA, and has inductance of 279 µH.
I'm trying to prove the maximum output current of the transformer, regardless of what might go wrong on the primary side. Power can only be transferred by switching the input, so a shorted or open switch just results in no power.
It seems the theoretical maximum output current is at infinite switching frequency. As infinite input voltage is approached, the duty cycle approaches 0. The worst case should therefore be the input current reflected by the turns ratio, coming out of the secondary continuously.
Let's say F1 is rated for 300 mA, so for IS purposes is assumed to allow 1.7x of that, or 510 mA. The transformer has a turns ratio of 1:0.7 for each of the two secondaries. The same magnetic field caused by 510 mA of input current would therefore require (510 ma)/0.7 = 729 mA of secondary current. It doesn't really matter that both secondaries are in parallel. 729 mA output, no matter how distributed between the two secondaries, results in the same ampere-turns as 510 mA thru the primary.
Let's say that D2-D4 are 6.0 V zeners. For IS purposes, these must be derated by 50%, so we assume they conduct at 9.0 V. (9.0 V)(729 mA) = 6.56 W. Therefore each zener needs to be rated for 6.6 W or more. The 6.56 W doesn't need to be derated again, because it already incorporates the 50% extra rating due to assuming 50% higher voltage.
I can then claim that the output of the clamp is limited to 9.0 V for IS purposes, and that this is therefore the worst case voltage that can be assumed on the left ends of R1 and R2.
Did I get all that right? In particular, is the logic of the maximum output current from the flyback transformer convincing for IS purposes? Is it valid to ignore the input voltage to the transformer, since the current is assumed to not exceed the fuse rating x 1.7? IEC 60079-11 doesn't seem to consider transformers in switching power supplies at all. Is there anything I am missing?
Response to comments
Having seen optocouplers with ATEX certification, not 100% sure you could use POE as an isolation. Is there a reliability calculation requirement?
The only thing I saw in the standard was a requirement for 1.5 kVAC isolation, which this particular POE transformer meets.
Likelihood of F1 not tripping when it should?
This is covered in the standard by derating the fuse to 1.7x its stated trip current. If I use a fuse the manufacturer rates at 300 mA, for example, then it is only considered to interrupt for IS purposes at (300 mA)⋅1.7 = 510 mA.