Adding a 24V safety relay for the heaters, any thoughts?
-
Do not use SSRs as safety devices.
Go read Omron's data sheets - who supply to industry - and they will say the same thing. ...or at least they did last time I checked.
By using an SSR you are effectively trying to protect against damaging effects from a failure in a MOSFET controlled heater, with another MOSFET. Both of which are vulnerable to transient voltages which can come from various sources such as a dodgy microwave oven, lightning strike within a mile, static discharge, failing power supply, spike on the mains. It is highly likely that the event that gooses your Duet MOSFET will also kill the SSR. Net result being no improvement in safety.
Mechanical relays are more tolerant to brief spikes and noise issues, but don't like switching under load on a regular basis as it wears the contacts out. So a mechanical relay linked to PS_ON can be thought of as your enabler, and the SSR/MOSFET as your downstream modulator.
Make sure your system needs to fail in at least two places (that are unlikely to be caused by the same event) before a dangerous situation can occur. So the Duet signalling the PS_ON relay on detection of fault is good and could detect a fault before a thermal fuse tripped. A thermal fuse in series with the heater is hard to beat but not always practical or reliable as maybe the case for the hotend, especially on a highly dynamic machine that uses a wide range of materials.
Regarding where the relay sits, it depends a little on your competence with mains. Where possible I'd put the relay on the AC side of the PSU, but that necessitates multiple PSUs to cover fans/duet and heaters. Being realistic a false trip is more likely than a real one and if it caused a blocked hotend it would be very frustrating.
Be wary of the default Duet setting for when the PS_ON is triggered. Last time I looked it did not offer protection while the system was idle. This has been a feature request for a long time. Likewise I think some timers defaulted to a default fault time before PS_ON is triggered that may be longer than you are comfortable with.
Edit: AC side because AC is far kinder to relays than DC, but if needed you can get relays that will work on DC side. Make sure you have current fuses in place to blow comfortably before the load/current spec of the relay is exceeded.
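The "must fail in at least two places that are unlikely to share a cause" rule above can be checked rather than argued. The following is an added example, not code from the thread or from Duet3D: it models each protective element as a set of fault events that leave it stuck ON, treats one shared mains transient as a common cause for the semiconductor parts (the assumption the post makes), and enumerates the minimal cut sets, i.e. the smallest combinations of events that end in a runaway heater. All event names and the two chains are illustrative constructions, not a real failure database.

```python
"""Minimal-cut-set check for a heater protection chain (added example, not from the thread)."""
from itertools import combinations

# One external event shared by several semiconductor parts. Assumed, following the post
# above: a mains transient that kills the Duet MOSFET will most likely kill an SSR too.
TRANSIENT = "mains_transient"

# Each protective element maps to the fault events that leave it stuck ON
# (unable to cut heater power). Event names are illustrative constructions.
CHAIN_MOSFET_PLUS_SSR = {
    "duet_mosfet": {"mosfet_short", TRANSIENT},
    "ssr": {"ssr_short", TRANSIENT},
}

CHAIN_RELAY_PLUS_FUSE = {
    "duet_mosfet": {"mosfet_short", TRANSIENT},
    # The PS_ON relay only opens if the firmware sees the fault, so a thermistor that
    # reads wrong, a welded contact, or a shorted PS_ON driver all defeat it (assumed model).
    "ps_on_relay": {"relay_contacts_welded", "ps_on_driver_short", "thermistor_fault"},
    "thermal_fuse": {"thermal_fuse_out_of_spec"},
}


def dangerous(events, chain):
    """True when every element in series has failed stuck-on: the heater runs away."""
    return all(causes & events for causes in chain.values())


def minimal_cut_sets(chain):
    """Smallest combinations of fault events that each lead to a runaway heater."""
    events = sorted(set().union(*chain.values()))
    cuts = []
    # Enumerate by increasing size, so any superset of an earlier hit is not minimal.
    for size in range(1, len(events) + 1):
        for combo in combinations(events, size):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue
            if dangerous(candidate, chain):
                cuts.append(candidate)
    return cuts


def min_failures_to_danger(chain):
    """Order of the smallest cut set: how many separate events must coincide."""
    return min(len(cut) for cut in minimal_cut_sets(chain))


if __name__ == "__main__":
    for name, chain in [("MOSFET + SSR", CHAIN_MOSFET_PLUS_SSR),
                        ("MOSFET + PS_ON relay + thermal fuse", CHAIN_RELAY_PLUS_FUSE)]:
        print(f"{name}: needs {min_failures_to_danger(chain)} coincident event(s)")
        for cut in minimal_cut_sets(chain):
            print("   ", sorted(cut))
```

With the shared transient in the model, the MOSFET-plus-SSR chain has a cut set of order one (the transient alone), which is the "no improvement in safety" result; the relay-plus-thermal-fuse chain needs three separate events, because none of its elements share a cause in the model. Swapping in your own element/cause sets is the useful part: the order of the smallest cut set is what you are actually buying with each added device.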
-
http://www.ia.omron.com/product/cautions/18/safety_precautions.html
"OMRON constantly strives to improve quality and reliability. SSRs, however, use semiconductors, and semiconductors may commonly malfunction or fail. Short-circuit failures represent the main failure mode and can result in an inability to shut OFF the load. Therefore, for fail-safe operation of control circuits that use SSRs, do not use circuits that shut OFF the load power supply only with an SSR, but rather also use circuits with a contactor or breaker that shuts off the load when the SSR fails. In particular, it may not be possible to ensure safety if the SSRs are used outside the rated ranges. Therefore, always use the SSRs within the ratings."
-
@zapta said in Adding a 24V safety relay for the heaters, any thoughts?:
I will need to find a high current thermal fuse for the bed.
Depending on the characteristics of the upstream fuse you might not need a lot of current capacity for the crowbar, as long as a potentially short lived dead short will trip it; alternatively you could use a fet/triac/scr or a relay to beef up the ampacity of the crowbar circuit.
-
@bearer I like the idea of the crowbar circuits and have thought of using them before. I need to read up a little more. You could always use one of the fan switches to drive the gate on a very chunky mosfet for that purpose.
-
@zapta said in Adding a 24V safety relay for the heaters, any thoughts?:
… but my goal is to add protection against mosfet short.
What is the effect of a shorted mosfet? It's like a PWM of 100% - which is just perfect to drive a heater to higher temperatures. Well, the firmware controls the mosfet and, due to the tuning procedure, "knows" what readings it should get from the associated thermistor. If these readings don't match the expectations, the firmware throws an error and switches the mosfet off. If the chip happens to be dysfunctional, you are out of luck: the mosfet has no backup device on board.
The sub-system has multiple components, for instance, it relies on the thermistor to work. I, at least, won’t bet my life on this. With the mosfet, high currents are involved: what damage can be induced to other components of the board? That’s why I state that you can’t rely on the system any more if a single error is detected - it can proliferate.
As a safeguard, we need a second, independent system which will not be affected by a potential failure of the controller or parts thereof. Sure, a thermal fuse won’t protect your mosfet, but it helps to prevent a thermal disaster - even in case that the mosfet survives, but the thermistor fails instead.
-
@DocTrucker said in Adding a 24V safety relay for the heaters, any thoughts?:
You could always use one of the fan switches to drive the gate on a very chunky mosfet for that purpose.
Sure, but you're still depending on logic then. If you use a thermal fuse, rated a little higher than the previous failsafe, to drive a gate or similar, you've got an autonomous solution.
(edit: but to simplify this I switched to a mains powered heater and as such the readily available 10A thermal fuses are sufficient to directly cut the power if needed)
-
I do love this subject. It is one of those areas where a great design is never noticed, but a bad design is, especially so if it is intrusive to the user.
The down side of this subject is that it can very easily become very shouty and argumentative. For the sake of all of us making our machines better when reading this thread assume no comments are personal digs!
It can often be hard to share differing opinions without upsetting people.
-
It can often be hard to share differing opinions without upsetting people.
Hope I didn't do that. Finally, it's a good thing to push safety of our devices further, and I surely appreciate that @zapta shares his thoughts with us.
-
@bearer an oddity being switching to mains voltage to make something safer, but yes in that case it makes sense.
I have a little less confidence in thermal fuses than current fuses and thermal switches that can be tested. With a resetting thermal switch I can test its trigger point. Once triggered the inline fuse and PSU can detect the short. With a thermal fuse I am relying on the manufacturer's spec sheet. That said it is probably just a case of studying the specified tolerances better.
-
@infiniteloop no you didn't, no one has so far as I can see. It was mainly to cover my posts as I seem to have a habit of winding people up when I don't mean to do so on forums!
Edit: especially when discussing safety stuff.
-
@DocTrucker said in Adding a 24V safety relay for the heaters, any thoughts?:
I have a little less confidence in thermal fuses than current fuses and thermal switches that can be tested.
Most thermal switches are backed by a thermal fuse of higher rating in case the switch fails, as they have a limited number of cycles. The thermal fuse is backed by physics and the manufacturer's specifications, and even the name brand ones aren't prohibitively expensive.
(That being said, a bi metallic switch should not be worn out in a fail safe application on a printer, but they're more bulky, especially the manually resettable ones)
-
For the record on my system I'm on an 'intermediate solution' comprising a 4 way arduino relay board driven from PS_ON. Convenient because flyback diodes are in place and it is all mounted, but the flyback diode isn't a complicated thing and I have driven bare relays with a general purpose diode across the coil before now. Despite my preference for AC side switching this is on the DC side, but each relay is man enough to kill my bed or hotend. I have two in series for the hot end and the other two in series for the heatbed.
It's not ideal, but that in combination with a surge protector and plug in earth leakage circuit breaker is a good start.
Moving forward I'd rather use guided contact relays but they are pricey. Likewise I do want a suitable thermal fuse &/or crowbar setup. I did want to take a closer look at the PS_ON trigger circuit as that appears a weakness, or simply move to discount it as a safety device. It too is a MOSFET and I think if it failed short it would permanently be saying "all's well" to the safety relay.
-
Here is a thought - probably a crazy one as are many of my ramblings these days. How about fitting a second thermistor if you are able, then wiring the heater through two outputs in series. Define the second heater/thermistor as something else, say a chamber heater, and set its control temperature to be say 10 Deg C higher than the normal hot end temperature. Then if one MOSFET failed in the permanently on state, the second would take over control. You'd need to disable fault detection on the second heater because in normal operation, it will never reach the set temperature. Of course it's not completely fail safe - nothing is, but it would give double the protection of a single MOSFET failure. I haven't thought this through so feel free to dismiss this post as the deranged ramblings of an old man.
-
@deckingman second thermistors have been supported by Marlin for some time, and I believe have been recently supported by RRF. If there is a discrepancy of more than a set amount I believe that triggers a fault.
-
@DocTrucker That's interesting. But not quite what I meant. I was thinking more of using two MOSFET outputs in series. So rather than triggering a fault the second one would take over control. Like I said, I haven't thought it through and maybe some conditional gcode would be needed.
-
@deckingman ok, on second read I see that. That's moving more toward a nuclear style of safety system where there are three detection channels and you need faults reported on two channels before an action is taken, which may then be replacing a section of the control system in a manner potentially similar to what you say. The issue is how would you switch reliably and how to ensure that both MOSFETs aren't vulnerable to the same external failure. I did toy with the idea of running a 12V heater at 24V with limited duty to aid detecting 100% duty, but the margins are tighter than you'd expect.
Regarding my comment on redundant thermistors, I believe they aren't supported directly in RRF, but you set up a second virtual heater which still raises faults if it goes over temperature. Similar end result but it takes longer to detect the fault.
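The two-outputs-in-series idea from a few posts up, and the common-cause worry raised against it, can both be seen in a small thermal model. This is an added example, not code from the thread or from RepRapFirmware: a lumped hotend (all constants are assumed round values, chosen so that 100% duty overshoots badly) driven by two bang-bang controlled switches in series, where the backup switch targets the primary setpoint plus a margin and a switch can be marked as failed short. Heater power only flows while every switch in the chain is closed.

```python
"""Lumped thermal model of a hotend driven through two MOSFET outputs in series.

Added example, not from the thread. All numbers are assumed round values for a small
hotend: at full power the block would settle 400 K above ambient, far past any setpoint.
"""

T_AMB = 20.0             # ambient, deg C
HEATER_W = 40.0          # heater power while both series switches are closed
LOSS_W_PER_K = 0.1       # convective loss to ambient
HEAT_CAP_J_PER_K = 10.0  # thermal mass of the block


def simulate(setpoints, stuck_on, seconds=3000, dt=1.0):
    """Bang-bang control per switch; returns (final_temp, peak_temp).

    setpoints[i] is switch i's target; stuck_on[i] = True models that MOSFET failed short.
    Power flows only while *every* switch in the series chain is closed.
    """
    temp = peak = T_AMB
    for _ in range(int(seconds / dt)):
        closed = [stuck or temp < sp for sp, stuck in zip(setpoints, stuck_on)]
        power = HEATER_W if all(closed) else 0.0
        # Forward-Euler step of C dT/dt = P - k (T - T_amb)
        temp += dt * (power - LOSS_W_PER_K * (temp - T_AMB)) / HEAT_CAP_J_PER_K
        peak = max(peak, temp)
    return temp, peak


# Scenario name -> (primary stuck on?, backup stuck on?). Constructed cases.
SCENARIOS = {
    "both healthy": (False, False),
    "primary MOSFET shorted": (True, False),
    "both shorted (common-cause event)": (True, True),
}


def peak_temps(primary=210.0, margin=10.0):
    """Peak temperature reached in each scenario; the backup controls at primary + margin."""
    setpoints = (primary, primary + margin)
    return {name: simulate(setpoints, stuck)[1] for name, stuck in SCENARIOS.items()}


if __name__ == "__main__":
    for name, peak in peak_temps().items():
        print(f"{name:36s} peak {peak:6.1f} C")
```

With only the primary shorted, the backup holds the block near its own 220 C setpoint, which is the takeover behaviour described; the backup never reaches that setpoint in normal operation, so its own fault detection would indeed have to be relaxed. With both switches shorted, the model climbs toward the full-power equilibrium, which is the reason the common-cause question (are both MOSFETs vulnerable to the same event?) decides whether the scheme buys anything.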
-
...currently I'd say a stock setup would end in a dangerous state with one failure.
I want to set up a robust system that would take at least three failures to be in a dangerous state.
I would say a triple safety system is overkill for my printers and recovery from a safety fault state shouldn't be needed. I don't do builds longer than 12hrs at the moment, but even with longer builds I'd probably only go so far as UPS to keep the printer running, and try to ensure it fails to a safe state wherever possible.
Trouble with going much further than that is you very quickly head into needing error checking memory and such like which becomes very complex. Sort of systems you tend to only see on satellites and long term service systems.
-
@DocTrucker Maybe the second safety system should be completely independent of the Duet? Say something like an arduino with its own sensors?
I guess the dual thermistor idea would only catch the scenario of one thermistor failing or falling out. If a mosfet failed and the heater was fully on, both thermistors would still read the same, albeit higher, temperature.
-
For now I settled on the following:
- Duet2 powered by a separate 5V supply.
- 230VAC to the 24V main supply and heated bed switched by a brand-name mechanical relay from Duet's PS_ON pin.
If one of the MOSFETs or the heated bed SSR fails during printing, the Duet will notice and act. The same is true for the thermistors; if these produce unexpected values Duet will notice and react.
The main weak point is the software. AFAIK the Duet RRF software won't deactivate PS_ON when it is not printing and a sensor/heater anomaly is detected, and it lacks a chargepump signal to indicate its internal health status. If those two issues are addressed, I think the system is safe enough without additional thermal fuses. Much safer than your TV set or vacuum cleaner anyway.
My issue with thermal fuses: For the bed they are fairly easy to add, but for the heaters (main source of danger...) I have not yet found a clean solution. A 'micro' fuse already possesses a 15mm long/4mm diameter body or so, they are hard to get above 250C trip temperature, and mounting them to a regular E3D v6 block and not losing the possibility to use standard silicone socks is not easy either.
-
@deckingman I'm part way to that way of thinking based on my previous comments on not trusting PS_ON as a safety device. That said I see no harm in allowing it to trigger a safety stop. We did a similar thing with the Metal AM machine I worked on: didn't let the computer or PLC control the safeties, but allowed them to contribute and trigger an e-stop if they saw conditions that warranted a safety stop.