Adding a 24V safety relay for the heaters, any thoughts?
-
http://www.ia.omron.com/product/cautions/18/safety_precautions.html
"OMRON constantly strives to improve quality and reliability. SSRs, however, use semiconductors, and semiconductors may commonly malfunction or fail. Short-circuit failures represent the main failure mode and can result in an inability to shut OFF the load. Therefore, for fail-safe operation of control circuits that use SSRs, do not use circuits that shut OFF the load power supply only with an SSR, but rather also use circuits with a contactor or breaker that shuts off the load when the SSR fails. In particular, it may not be possible to ensure safety if the SSRs are used outside the rated ranges. Therefore, always use the SSRs within the ratings."
-
@zapta said in Adding a 24V safety relay for the heaters, any thoughts?:
I will need to find a high current thermal fuse for the bed.
Depending on the characteristics of the upstream fuse you might not need a lot of current capacity for the crowbar, as long as a potentially short-lived dead short will trip it; alternatively you could use a FET/triac/SCR or a relay to beef up the ampacity of the crowbar circuit.
-
@bearer I like the idea of the crowbar circuits and have thought of using them before. I need to read up a little more. You could always use one of the fan switches to drive the gate on a very chunky MOSFET for that purpose.
-
@zapta said in Adding a 24V safety relay for the heaters, any thoughts?:
… but my goal is to add protection against mosfet short.
What is the effect of a shorted mosfet? It’s like a PWM of 100% - which is just perfect to drive a heater to higher temperatures. Well, the firmware controls the mosfet and, due to the tuning procedure, „knows“ what readings it should get from the associated thermistor. If these readings don’t match the expectations, the firmware throws an error and switches the mosfet off. If the chip happens to be dysfunctional, you are out of luck: the mosfet has no backup device on board.
The sub-system has multiple components, for instance, it relies on the thermistor to work. I, at least, won’t bet my life on this. With the mosfet, high currents are involved: what damage can be induced to other components of the board? That’s why I state that you can’t rely on the system any more if a single error is detected - it can proliferate.
As a safeguard, we need a second, independent system which will not be affected by a potential failure of the controller or parts thereof. Sure, a thermal fuse won’t protect your mosfet, but it helps to prevent a thermal disaster - even in case that the mosfet survives, but the thermistor fails instead.
-
@DocTrucker said in Adding a 24V safety relay for the heaters, any thoughts?:
You could always use one of the fan switches to drive the gate on a very chucky mosfet for that purpose.
Sure, but you're still depending on logic then. If you use a thermal fuse, rated a little higher than the previous failsafe, to drive a gate or similar, you've got an autonomous solution.
(edit: but to simplify this I switched to a mains powered heater and as such the readily available 10A thermal fuses are sufficient to directly cut the power if needed)
-
I do love this subject. It is one of those areas where a great design is never noticed, but a bad design is, especially so if it is intrusive to the user.
The down side of this subject is that it can very easily become very shouty and argumentative. For the sake of all of us making our machines better when reading this thread assume no comments are personal digs!
It can often be hard to share differing opinions without upsetting people.
-
It can often be hard to share differing opinions without upsetting people.
Hope I didn't do that. Finally, it's a good thing to push the safety of our devices further, and I surely appreciate that @zapta shares his thoughts with us.
-
@bearer an oddity being switching to mains voltage to make something safer, but yes in that case it makes sense.
I have a little less confidence in thermal fuses than in current fuses and thermal switches that can be tested. With a resetting thermal switch I can test its trigger point. Once triggered, the inline fuse and PSU can detect the short. With a thermal fuse I am relying on the manufacturer's spec sheet. That said, it is probably just a case of studying the specified tolerances better.
-
@infiniteloop No, you didn't; no one has so far as I can see. It was mainly to cover my posts, as I seem to have a habit of winding people up on forums when I don't mean to!
Edit: especially when discussing safety stuff.
-
@DocTrucker said in Adding a 24V safety relay for the heaters, any thoughts?:
I have a little less confidence in thermal fuses than current fuses and thermal switches that can be tested.
Most thermal switches are backed by a thermal fuse of a higher rating in case the switch fails; they have a limited number of cycles. The thermal fuse is backed by physics and the manufacturer's specifications, and even the name-brand ones aren't prohibitively expensive.
(That being said, a bimetallic switch should not be worn out in a fail-safe application on a printer, but they're more bulky, especially the manually resettable ones.)
-
For the record, on my system I'm on an 'intermediate solution' consisting of driving a 4-way Arduino relay board from PS_ON. Convenient because flyback diodes are in place and it is all mounted, but the flyback diode isn't a complicated thing and I have driven bare relays with a general-purpose diode across the coil before now. Despite my preference for AC-side switching this is on the DC side, but each relay is man enough to kill my bed or hotend. I have two in series for the hot end and the other two in series for the heatbed.
It's not ideal, but that in combination with a surge protector and plug in earth leakage circuit breaker is a good start.
Moving forward I'd rather use guided contact relays but they are pricey. Likewise I do want a suitable thermal fuse &/or crowbar setup. I did want to take a closer look at the PS_ON trigger circuit as that appears a weakness, or simply move to discount it as a safety device. It too is a MOSFET and I think if it failed short it would permanently be saying "all's well" to the safety relay.
-
Here is a thought - probably a crazy one, as are many of my ramblings these days. How about fitting a second thermistor if you are able, then wiring the heater through two outputs in series? Define the second heater/thermistor as something else, say a chamber heater, and set its control temperature to be, say, 10 °C higher than the normal hot end temperature. Then if one MOSFET failed in the permanently-on state, the second would take over control. You'd need to disable fault detection on the second heater because in normal operation it will never reach the set temperature. Of course it's not completely fail-safe - nothing is - but it would give double the protection of a single MOSFET failure. I haven't thought this through, so feel free to dismiss this post as the deranged ramblings of an old man.
-
@deckingman second thermistors have been supported by Marlin for some time, and I believe have been recently supported by RRF. If there is a discrepancy of more than a set amount I believe that triggers a fault.
-
@DocTrucker That's interesting. But not quite what I meant. I was thinking more of using two MOSFET outputs in series. So rather than triggering a fault the second one would take over control. Like I said, I haven't thought it through and maybe some conditional gcode would be needed.
-
@deckingman OK, on second read I see that. That's moving more toward a nuclear style of safety system where there are three detection channels and you need faults reported on two channels before an action is taken, which may then be replacing a section of the control system in a manner potentially similar to what you say. The issues are how you would switch reliably and how to ensure that both MOSFETs aren't vulnerable to the same external failure. I did toy with the idea of running a 12V heater at 24V with limited duty to aid detecting 100% duty, but the margins are tighter than you'd expect.
Regarding my comment on redundant thermistors, I believe they aren't supported directly in RRF, but you set up a second virtual heater which still raises faults if it goes over temperature. Similar end result, but it takes longer to detect the fault.
-
...currently I'd say a stock setup would end in a dangerous state with one failure.
I want to setup a robust system that would take at least three failures to be in a dangerous state.
I would say a triple safety system is overkill for my printers and recovery from a safety fault state shouldn't be needed. I don't do builds longer than 12hrs at the moment, but even with longer builds I'd probably only go so far as UPS to keep the printer running, and try to ensure it fails to a safe state wherever possible.
Trouble with going much further than that is you very quickly head into needing error-checking memory and such like, which becomes very complex. Sort of systems you tend to only see on satellites and long-term service systems.
-
@DocTrucker Maybe the second safety system should be completely independent of the Duet? Say something like an Arduino with its own sensors?
I guess the dual thermistor idea would only catch the scenario of one thermistor failing or falling out. If a MOSFET failed and the heater was fully on, both thermistors would still read the same, albeit higher, temperature.
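-
Added example (Python), not code from this thread, from RepRapFirmware or from any Duet product: a small simulation of the model-based checks @infiniteloop describes above (the firmware "knows" from tuning what the thermistor should read, and raises a fault when it doesn't) and of @deckingman's point that a second thermistor on the same block reads the same as the first when the MOSFET fails on. The thermal model, the controller, the detector thresholds and the injected faults are all assumptions chosen to make the behaviour visible, not measurements from a real printer.

```python
"""Simulated hot-end heater with injected faults and a model-based fault detector.

Added example, not code from the forum thread or from RepRapFirmware. The thermal
model, controller, detector thresholds and fault scenarios are assumptions
chosen to illustrate the discussion, not measurements from a real printer.
"""
from dataclasses import dataclass, field
from typing import Optional

AMBIENT = 25.0   # degC, assumed
DT = 1.0         # simulation step in seconds, assumed


@dataclass
class HeaterBlock:
    """First-order thermal model: at constant PWM the block settles at
    AMBIENT + gain * pwm, approaching it with time constant tau."""
    gain: float = 300.0            # degC above ambient at 100 % PWM (assumed)
    tau: float = 60.0              # seconds (assumed)
    temp: float = AMBIENT
    mosfet_stuck_on: bool = False  # injected fault: MOSFET failed short = 100 % PWM

    def step(self, pwm: float) -> None:
        if self.mosfet_stuck_on:
            pwm = 1.0
        self.temp += (AMBIENT + self.gain * pwm - self.temp) * DT / self.tau


def read_thermistor(block: HeaterBlock, fault: Optional[str]) -> float:
    """Thermistor readout with an optional injected fault."""
    if fault == "open":
        return -273.0    # open circuit: ADC pinned at the rail, reported as an impossible value
    if fault == "fell_out":
        return AMBIENT   # probe no longer touches the block, so it reads room temperature
    return block.temp


@dataclass
class FaultDetector:
    """Checks in the style of a firmware that 'knows' from tuning how fast the
    block should heat and how far above the setpoint it may legitimately go."""
    setpoint: float
    max_rate: float                  # predicted degC/s at 100 % PWM from ambient
    overtemp_margin: float = 15.0
    slow_heat_fraction: float = 0.2  # fault if we see < 20 % of the predicted rise
    window: int = 20                 # seconds of history used by the rate check
    history: list = field(default_factory=list)

    def check(self, reading: float, pwm: float) -> Optional[str]:
        if reading < -50.0 or reading > 400.0:
            return "sensor_out_of_range"
        if reading > self.setpoint + self.overtemp_margin:
            return "overtemperature"
        self.history.append(reading)
        if len(self.history) > self.window:
            self.history.pop(0)
            # Only judge the heating rate while the heater is driven hard and is
            # still well below the setpoint, where the model predicts a fast rise.
            if pwm >= 0.9 and reading < self.setpoint - 30.0:
                rise = self.history[-1] - self.history[0]
                expected = self.max_rate * self.window * pwm
                if rise < self.slow_heat_fraction * expected:
                    return "heating_too_slowly"
        return None


def simulate(setpoint: float = 210.0, mosfet_stuck_on: bool = False,
             sensor_fault: Optional[str] = None, duration: int = 600) -> dict:
    """Run one scenario. Returns the fault raised (if any), the tick it was raised
    at, the hottest the block actually got, and the largest disagreement between
    the monitored thermistor and a healthy second one on the same block."""
    block = HeaterBlock(mosfet_stuck_on=mosfet_stuck_on)
    detector = FaultDetector(setpoint=setpoint, max_rate=block.gain / block.tau)
    pwm, peak, max_discrepancy = 0.0, block.temp, 0.0
    for t in range(duration):
        reading = read_thermistor(block, sensor_fault)
        second = read_thermistor(block, None)   # healthy second probe on the same block
        max_discrepancy = max(max_discrepancy, abs(reading - second))
        fault = detector.check(reading, pwm)
        if fault:
            return {"fault": fault, "at": t, "peak_block_temp": round(peak, 1),
                    "max_discrepancy": round(max_discrepancy, 1)}
        pwm = 1.0 if reading < setpoint else 0.0   # simple bang-bang controller
        block.step(pwm)
        peak = max(peak, block.temp)
    return {"fault": None, "at": None, "peak_block_temp": round(peak, 1),
            "max_discrepancy": round(max_discrepancy, 1)}


if __name__ == "__main__":
    for name, kwargs in [("nominal", {}),
                         ("mosfet failed short", {"mosfet_stuck_on": True}),
                         ("thermistor fell out", {"sensor_fault": "fell_out"}),
                         ("thermistor open circuit", {"sensor_fault": "open"})]:
        print(f"{name:24s} {simulate(**kwargs)}")
```

Running it prints one line per scenario. The shorted MOSFET is caught by the over-temperature check, not by the two thermistors disagreeing (max_discrepancy stays at 0, which is exactly the limitation raised above); a thermistor that has fallen out of the block is caught by the heating-rate check, by which time the real block is already far above room temperature; an open-circuit thermistor is caught on the first reading. Detecting the fault is all the firmware can do in the shorted-MOSFET case, since "switching the MOSFET off" has no effect on a shorted part, which is the gap the relay, thermal fuse and crowbar proposals in this thread are meant to close.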
-
For now I settled on the following:
- Duet2 powered by a separate 5V supply.
- 230VAC to the 24V main supply and heated bed switched by a brand-name mechanical relay from Duet's PS_ON pin.
If one of the MOSFETs or the heated bed SSR fails during printing, the Duet will notice and act. The same is true for the thermistors; if these produce unexpected values the Duet will notice and react.
The main weak point is the software. AFAIK the Duet RRF software won't deactivate PS_ON when it is not printing and a sensor/heater anomaly is detected, and it lacks a charge-pump signal to indicate its internal health status. If those two issues are addressed, I think the system is safe enough without additional thermal fuses. Much safer than your TV set or vacuum cleaner anyway.
My issue with thermal fuses: for the bed they are fairly easy to add, but for the heaters (the main source of danger...) I have not yet found a clean solution. A 'micro' fuse already has a body some 15 mm long by 4 mm in diameter, they are hard to get above a 250 °C trip temperature, and mounting them to a regular E3D v6 block without losing the possibility to use standard silicone socks is not easy either.
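-
Added example (Python), not code from this thread or from any Duet/RRF firmware: a simulation of the weakness @DocTrucker raises about the PS_ON driver (a MOSFET that fails short keeps saying "all's well" to the safety relay) and of the charge-pump style health signal @DaBit would like instead. Two interlock designs watch the same controller: one energises the relay while a static level is asserted, the other only while edges keep arriving. Signal polarity (asserted = 1), the heartbeat period, the interlock timeout and the fault models are assumptions; the comparison does not depend on them.

```python
"""Level-sensed vs edge-sensed ('charge pump') safety-relay interlock, simulated.

Added example, not code from the forum thread or from any Duet/RRF firmware.
Signal polarity (asserted = 1), the heartbeat period and the interlock timeout
are assumptions; the argument does not depend on them.
"""
from enum import Enum
from typing import Dict, Optional, Tuple


class Controller(Enum):
    HEALTHY = "healthy"              # firmware running, everything fine
    SHUTDOWN = "shutdown"            # firmware detected a heater fault and deasserts
    HUNG = "hung"                    # firmware stopped; output pins frozen at last level
    DRIVER_SHORT = "driver_short"    # output MOSFET failed short: pin stuck asserted


def controller_outputs(state: Controller, t: int, last_heartbeat: int,
                       period: int = 2) -> Tuple[int, int]:
    """Return (ps_on_level, heartbeat_level) the controller presents at tick t.

    ps_on is the conventional static 'all's well' level; heartbeat is the
    alternative health output that must keep toggling to mean 'all's well'.
    """
    if state is Controller.HEALTHY:
        return 1, (t // period) % 2
    if state is Controller.SHUTDOWN:
        return 0, 0
    if state is Controller.HUNG:
        return 1, last_heartbeat      # whatever was on the pins when the code stopped
    return 1, 1                       # DRIVER_SHORT: shorted driver pins the line asserted


class LevelInterlock:
    """Relay energised whenever the line sits at its asserted level."""
    def update(self, level: int) -> bool:
        return level == 1


class ChargePumpInterlock:
    """Relay energised only while edges keep arriving.

    Modelled like a retriggerable monostable or diode charge pump: each edge
    refills the reservoir, which drains one unit per tick; the relay drops
    out when it is empty. A stuck line, high or low, drains it.
    """
    def __init__(self, timeout: int) -> None:
        self.timeout = timeout
        self.charge = 0
        self.last: Optional[int] = None

    def update(self, level: int) -> bool:
        if self.last is not None and level != self.last:
            self.charge = self.timeout
        else:
            self.charge = max(0, self.charge - 1)
        self.last = level
        return self.charge > 0


def run(fault: Controller, fault_at: int = 20, duration: int = 60,
        period: int = 2, timeout: int = 6) -> Dict[str, Optional[int]]:
    """Run healthy until `fault_at`, then apply `fault`. Return, per interlock,
    the tick at which its relay dropped out, or None if it never did."""
    level_ilk, pump_ilk = LevelInterlock(), ChargePumpInterlock(timeout)
    state, last_hb = Controller.HEALTHY, 0
    dropped: Dict[str, Optional[int]] = {"level": None, "charge_pump": None}
    for t in range(duration):
        if t == fault_at:
            state = fault
        ps_on, hb = controller_outputs(state, t, last_hb, period)
        last_hb = hb
        relay_level = level_ilk.update(ps_on)
        relay_pump = pump_ilk.update(hb)
        if t >= fault_at:
            if not relay_level and dropped["level"] is None:
                dropped["level"] = t
            if not relay_pump and dropped["charge_pump"] is None:
                dropped["charge_pump"] = t
    return dropped


if __name__ == "__main__":
    for fault in (Controller.SHUTDOWN, Controller.HUNG, Controller.DRIVER_SHORT):
        print(f"{fault.value:13s} relay dropped at: {run(fault)}")
```

The level interlock cannot tell a shorted driver or a hung firmware from a healthy one, because all three present the same level; only the deliberate shutdown drops its relay. The edge-sensed interlock drops out in all three cases once its reservoir drains, which also delays the deliberate shutdown by the same timeout, so the timeout is a trade-off between nuisance trips and reaction time. One caveat a practitioner should keep in mind: the heartbeat must be toggled from the code path that actually performs the heater checks, not from a free-running hardware timer or PWM peripheral, otherwise a hung main loop keeps the line toggling and the check is defeated. Either way this is still logic watching logic; it does not replace the contactor or thermal fuse the Omron note and the rest of this thread call for.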
-
@deckingman I'm part way to that way of thinking based on my previous comments on not trusting PS_ON as a safety device. That said, I see no harm in allowing it to trigger a safety stop. We did a similar thing with the metal AM machine I worked on: we didn't let the computer or PLC control the safeties, but allowed them to contribute and trigger an e-stop if they saw conditions that warranted a safety stop.
-
@DaBit said in Adding a 24V safety relay for the heaters, any thoughts?:
Much safer than your TV set or vacuum cleaner anyway.
Printers tend to run for longer, so that's in favour of the TV and vacuum.
My issue with thermal fuses: For the bed they are fairly easy to add, but for the heaters (main source of danger...) I have not yet found a clean solution.
You don't have to use 250°C on the heater block. 50-100°C or whatever the normal ambient would suggest on the heatsink mount should also work?