Adding a 24V safety relay for the heaters, any thoughts?
-
For the record, on my system I'm on an 'intermediate solution' consisting of driving a 4-way Arduino relay board from PS_ON. Convenient because flyback diodes are in place and it is all mounted, but the flyback diode isn't a complicated thing and I have driven bare relays with a general-purpose diode across the coil before now. Despite my preference for AC-side switching this is on the DC side, but each relay is man enough to kill my bed or hotend. I have two in series for the hot end and the other two in series for the heatbed.
It's not ideal, but that in combination with a surge protector and plug-in earth leakage circuit breaker is a good start.
Moving forward I'd rather use guided-contact relays but they are pricey. Likewise I do want a suitable thermal fuse and/or crowbar setup. I did want to take a closer look at the PS_ON trigger circuit as that appears a weakness, or simply move to discount it as a safety device. It too is a MOSFET and I think if it failed short it would permanently be saying "all's well" to the safety relay.
-
Here is a thought - probably a crazy one as are many of my ramblings these days. How about fitting a second thermistor if you are able, then wiring the heater through two outputs in series. Define the second heater/thermistor as something else, say a chamber heater, and set its control temperature to be say 10°C higher than the normal hot end temperature. Then if one MOSFET failed in the permanently on state, the second would take over control. You'd need to disable fault detection on the second heater because in normal operation, it will never reach the set temperature. Of course it's not completely fail safe - nothing is, but it would give double the protection of a single MOSFET failure. I haven't thought this through so feel free to dismiss this post as the deranged ramblings of an old man.
-
@deckingman second thermistors have been supported by Marlin for some time, and I believe have been recently supported by RRF. If there is a discrepancy of more than a set amount I believe that triggers a fault.
-
@DocTrucker That's interesting. But not quite what I meant. I was thinking more of using two MOSFET outputs in series. So rather than triggering a fault the second one would take over control. Like I said, I haven't thought it through and maybe some conditional gcode would be needed.
-
@deckingman ok, on second read I see that. That's moving more toward a nuclear style of safety system where there are three detection channels and you need faults reported on two channels before an action is taken, which may then be replacing a section of the control system in a manner potentially similar to what you say. The issue is how would you switch reliably and how to ensure that both MOSFETs aren't vulnerable to the same external failure. I did toy with the idea of running a 12V heater at 24V with limited duty to aid detecting 100% duty, but the margins are tighter than you'd expect.
Regarding my comment on redundant thermistors, I believe they aren't supported directly in RRF, but you set up a second virtual heater which still raises faults if it goes over temperature. Similar end result but it takes longer to detect the fault.
-
...currently I'd say a stock setup would end in a dangerous state with one failure.
I want to setup a robust system that would take at least three failures to be in a dangerous state.
I would say a triple safety system is overkill for my printers and recovery from a safety fault state shouldn't be needed. I don't do builds longer than 12hrs at the moment, but even with longer builds I'd probably only go so far as UPS to keep the printer running, and try to ensure it fails to a safe state wherever possible.
Trouble with going much further than that is you very quickly head into needing error-checking memory and such like, which becomes very complex. Sort of systems you tend to only see on satellites and long-term service systems.
-
@DocTrucker Maybe the second safety system should be completely independent of the Duet? Say something like an Arduino with its own sensors?
I guess the dual thermistor idea would only catch the scenario of one thermistor failing or falling out. If a MOSFET failed and the heater was fully on, both thermistors would still read the same, albeit higher, temperature.
-
For now I settled on the following:
- Duet2 powered by a separate 5V supply.
- 230VAC to the 24V main supply and heated bed switched by a brand-name mechanical relay from Duet's PS_ON pin.
If one of the MOSFETs or the heated bed SSR fails during printing, the Duet will notice and act. The same is true for the thermistors; if these produce unexpected values the Duet will notice and react.
The main weak point is the software. AFAIK the Duet RRF software won't deactivate PS_ON when it is not printing and a sensor/heater anomaly is detected, and it lacks a charge pump signal to indicate its internal health status. If those two issues are addressed, I think the system is safe enough without additional thermal fuses. Much safer than your TV set or vacuum cleaner anyway.
My issue with thermal fuses: for the bed they are fairly easy to add, but for the heaters (main source of danger...) I have not yet found a clean solution. A 'micro' fuse already possesses a 15mm long/4mm diameter body or so, they are hard to get above 250°C trip temperature, and mounting them to a regular E3D v6 block without losing the possibility to use standard silicone socks is not easy either.
-
@deckingman I'm part way to that way of thinking based on my previous comments on not trusting PS_ON as a safety device. That said, I see no harm in allowing it to trigger a safety stop. We did a similar thing with the Metal AM machine I worked on: we didn't let the computer or PLC control the safeties, but allowed them to contribute and trigger an e-stop if they saw conditions that warranted a safety stop.
-
@DaBit said in Adding a 24V safety relay for the heaters, any thoughts?:
Much safer than your TV set or vacuum cleaner anyway.
Printers tend to run for longer, so that's in favour of the TV and vacuum.
My issue with thermal fuses: For the bed they are fairly easy to add, but for the heaters (main source of danger...) I have not yet found a clean solution.
You don't have to use 250°C on the heater block. 50-100°C or whatever the normal ambient would suggest on the heatsink mount should also work?
-
@DaBit said in Adding a 24V safety relay for the heaters, any thoughts?:
AFAIK the Duet RRF software won't deactivate PS_ON when it is not printing and a sensor/heater anomaly is detected
This seems to be a safety concern. Any reason why duet3d doesn't have this feature?
for the heaters (main source of danger...) I have not yet found a clean solution. A 'micro' fuse already posesses a 15mm long/4mm diameter body or so, they are hard to get above 250C trip temperature, and mounting them to a regular E3D v6 block and not losing the possibility to use standard silicone socks is not easy either.
I think what we need are nozzle heaters with built-in protection. Leading companies such as E3D and Prusa could pave the way and China will follow. This will be a drop-in replacement that can fit in any existing printer and will sell like hot cakes.
-
@zapta said in Adding a 24V safety relay for the heaters, any thoughts?:
Leading companies such as E3D and Prusa
I was indeed genuinely surprised to see the Hemera didn't have this either in the heater cartridge or part of the heatsink.
-
I do wonder if the lack of obvious protective measures is down a little to trying to maintain the CE certification as IT equipment rather than under the Machinery Directive.
-
@zapta said in Adding a 24V safety relay for the heaters, any thoughts?:
@DaBit said in Adding a 24V safety relay for the heaters, any thoughts?:
AFAIK the Duet RRF software won't deactivate PS_ON when it is not printing and a sensor/heater anomaly is detected
This seems to be a safety concern. Any reason why duet3d doesn't have this feature?
It will deactivate it, but after 600s (default value) if the fault isn't cleared.
-
@dragonn are you sure it will drop PS_ON while the printer is idle? I was under the impression it was still only while printing.
Workaround is to ensure your warmup and cool down script is in the build gcode itself and the M80/M81 is in there. Personally I prefer to let my machine sit for a while warming up, but once my Z-probe and probe offset is nailed down a bit better I think it will be the way to go.
-
Isn't it fun to have strong opinions on the internet? Here are mine:
(1) Trusting firmware for safety, if not designed from the very beginning around total shutdown driven by a hardware watchdog (charge pump, etc), is not safe.
(2) Physical/physics based systems, such as temperature based fuses, can be safe when inserted at the right points in a larger system.
And if you have (2), what was the point of (1) again? Oh, yeah, to protect any one-shot devices in (2). That's how you should think of (1)... not safety, just a convenience. Only (2) can yield safety.
To be clear: relays are useless, and possibly worse than useless, by giving a false sense that they accomplish something.
-
@Danal Just to play Devil's advocate, one could make a case to say that the more components there are and the more complex the wiring, the less safe the piece of equipment becomes. For example, fitting a thermal fuse to a mains heated bed could in itself be construed as a safety hazard. If it carries mains voltage then potentially, if it fails or if a wire to it gets chafed, some part of the printer which might not be properly grounded could then become "live". But at least you would pass through the pearly gates comfortable in the knowledge that your house didn't burn down.
(To be clear, if you miss the smiley this wasn't intended as a serious post - just feeling a bit mischievous).
-
@Danal said in Adding a 24V safety relay for the heaters, any thoughts?:
Isn't it fun to have strong opinions on the internet? Here are mine:
And here is mine "Perfect is the enemy of good".
Take heat block thermal fuses for example, they are difficult to install so instead we can gain some protection with software based runaway logic.
Perfection and an 'all or nothing' approach in engineering often lead to paralysis or sub-optimal designs compared to a more practical approach that is driven by cost/benefit analysis.
YMMV.
-
Valid points.
On complexity: Agreed. At the same time, that is a large part of my resistance to relays and dual SSRs and... often the proposed solutions are layer after layer of complexity. Which peaks reliability and then goes downhill.
On Perfect v Good: Agreed. Very much agreed. I just don't see firmware (that's not backed by silicon) as good (enough). Which is why I have "fireballs" on top of my printers. (Common in Europe, seem uncommon in the US... they are 2 kilos of the same powder that's in a small fire extinguisher, with a tiny bit of black powder to blow it around if the ball itself burns. Physics.) Of course, I'm not going to turn off any of the firmware monitors...
-
@deckingman said in Adding a 24V safety relay for the heaters, any thoughts?:
fitting a thermal fuse to a mains heated bed could in itself be construed as a safety hazard.
If you do not ground all metal parts in the neighbourhood of a mains powered device, you get all the risks on a silver tablet, even without the fuse.
However, complexity is a concern, that's right. While a thermal fuse adds little to it, other safety measures may increase it considerably. Nevertheless, they can help... as long as they follow @Danal's law #2. In other words: if you monitor a system, don't rely on data or functionality of the system you want to observe.
@zapta True, you can over-engineer a system, which is then less than perfect. But to rely on the values from the thermistor in your hot end is not "good", to stay with your terms. As it is already part of the internal safety management of the Duet, you don't add security at all - you just duplicate the efforts the firmware already takes to prevent a thermal disaster.
So, my "strong opinion": employ a second thermistor for circuitry which is completely independent from the Duet. Still not perfect, but better than not-good.