Posted: May 23, 2012 - 08:33 AM
Joined: May 23, 2012
Posts: 6
My application requirements are as under:
• This circuit is going to integrate with a Boiler Control System.
• In a Boiler Control System safety is the main concern, and this product must satisfy the UL 1998 standard.
• In my current design we are operating the relay with the help of 2 microcontrollers, meaning if something goes wrong with either microcontroller, or both microcontrollers, or the system, at that time the relay should not connect.
• Now I am planning to develop a new low cost design to operate the relay by using only one microcontroller.
• This new design must be redundant in every aspect of UL 1998; for that I am looking for a product which can fit our requirement.
• From my background research I came to know that the Charge Pump Relay Drive concept might help in our design, but I am not a hundred percent sure whether this charge pump concept helps or not, and if you have any new idea or concept it is most welcome.
• If you have any other suggestion or question related to this, please do not hesitate to ask me.
• One more thing: I am not stuck with any specific operating voltage relay; I can use any type and operating voltage of relay as far as the solution is concerned.
Posted: May 23, 2012 - 09:17 AM
Joined: Dec 30, 2004
Posts: 8774
Location: Melbourne,Australia
I do not know of UL1998, but for safety critical systems the usual requirement is to tolerate one failure but be able to detect it.
The charge pump relay drive is a common technique for redundancy but you still need to be able to test if this is working. This usually consists of a couple of diodes and a capacitor feeding a transistor or mosfet. The microcontroller has to toggle the port pin in order to have the relay stay activated. If the microcontroller fails with the port pin either high, low or open, the relay will not stay energised. What happens if the transistor fails in this circuit? So you need to be able to check to see this circuit is operating. I would have that operate one relay and another relay driven via a transistor or mosfet from the microcontroller. The contacts for the relays would be in series for the boiler control - thus both the charge pump drive must be working and the direct drive must be working in order to run the boiler.
Then you need to be able to test the temperature sensor or whatever the input is. For a thermistor you could have an analog circuit to detect for short or open circuit and this couples into one of the relay circuits. Then the microcontroller needs to be able to test this circuit by applying known voltages/currents or whatever to ensure the protection circuit actually works. In one design I did, I sensed current in a motor circuit using an ACS712 sensor. To test the sensor, I used a mosfet and a resistor to apply a known test current. The microcontroller checked to see the reading was within a certain tolerance, released the load, tested to see the reading was no current, then progressed on with other testing.
What you should end up with is the microcontroller being able to test the basic operation of the circuit and report any errors. The microcontroller software should also be rigorously checked for design, implementation and operation. Techniques like state machines can be formally proved, so that can make the testing and documentation much easier. Minimise the use of interrupts and adopt a coding standard like MISRA where you can get tools to do further automated code checks.
Here's a good article:
https://engineering.purdue.edu/ece477/H ... ty_ref.pdf
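As an added illustration of the charge-pump drive and the "you still need to test it" point in the post above (this is a constructed behavioural model, not the poster's circuit or a SPICE netlist), the following C simulates a pin-driven diode/capacitor pump feeding the relay transistor. It shows that only continuous toggling holds the relay, that a pin stuck high, low or open lets it drop, and that a shorted transistor is only caught by a self-test that pauses the drive and reads the relay back; the voltage quanta, thresholds and the existence of a relay feedback input are assumptions.

```c
#include <stdbool.h>
/* Constructed behavioural model (not a SPICE netlist) of the charge-pump
 * relay drive described above: each rising edge on the port pin pumps a fixed
 * quantum of charge into a reservoir capacitor that bleeds continuously; the
 * relay is energised only while the reservoir stays above the transistor's
 * turn-on threshold. All numbers are illustrative assumptions. */
#define V_PUMP_STEP 0.8   /* volts added per rising edge */
#define V_MAX       4.5   /* reservoir clamp */
#define V_THRESH    2.5   /* relay holds above this */
#define V_BLEED     0.05  /* volts lost per tick through the bleed path */
typedef struct {
    double v_res;       /* reservoir capacitor voltage */
    int    last_pin;    /* 1 = high, 0 = low, -1 = open / tri-stated */
    bool   q_shorted;   /* fault: drive transistor failed short-circuit */
} pump_t;
/* One tick: only a 0->1 transition transfers charge; a static level or an
 * open pin transfers nothing, so a crashed micro lets the reservoir decay. */
static void pump_tick(pump_t *p, int pin)
{
    if (pin == 1 && p->last_pin == 0) {
        p->v_res += V_PUMP_STEP;
        if (p->v_res > V_MAX) p->v_res = V_MAX;
    }
    p->v_res -= V_BLEED;
    if (p->v_res < 0.0) p->v_res = 0.0;
    p->last_pin = pin;
}
static bool relay_on(const pump_t *p) { return p->q_shorted || p->v_res > V_THRESH; }

typedef int (*pin_fn_t)(int tick);
static int pin_toggle(int t)     { return t & 1; }       /* healthy firmware */
static int pin_stuck_high(int t) { (void)t; return 1; }  /* crashed, pin high */
static int pin_stuck_low(int t)  { (void)t; return 0; }  /* crashed, pin low */
static int pin_open(int t)       { (void)t; return -1; } /* pin tri-stated */

/* Toggle healthily for `warm` ticks, then drive with `fault` for `hold`
 * ticks; returns whether the relay is still energised at the end. */
static bool relay_after(pin_fn_t fault, int warm, int hold, bool q_shorted)
{
    pump_t p = { 0.0, 0, q_shorted };
    for (int t = 0; t < warm; t++) pump_tick(&p, pin_toggle(t));
    for (int t = 0; t < hold; t++) pump_tick(&p, fault(warm + t));
    return relay_on(&p);
}

/* Self-test the micro can run (assumes a relay feedback input): stop toggling
 * long enough for the pump to decay and confirm the relay really released;
 * a shorted transistor is caught because the relay stays on without drive. */
static bool pump_selftest(bool q_shorted) { return !relay_after(pin_stuck_low, 20, 50, q_shorted); }
```

With these constants the reservoir reaches about 4.45 V after 20 toggling ticks and needs roughly 40 idle ticks to fall through the 2.5 V threshold, so the self-test hold time must exceed the pump's decay time or it will report a false fault.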
|
Posted: May 23, 2012 - 09:31 AM |
|

Joined: Dec 30, 2004
Posts: 8774
Location: Melbourne,Australia
I just did a Google for UL1998. Seems it's similar to EN61508.
Found this powerpoint presentation as well:
www.ewh.ieee.org/soc/pes/switchgear/... ... safety.ppt
I'm always suspicious of using two microcontrollers for redundancy - you really want different means of detecting faults. If you can have simple analog circuits to provide failsafe coupled with a microcontroller, then it can make the formal proofs a lot easier.
Posted: May 23, 2012 - 09:39 AM
Joined: May 23, 2012
Posts: 6
Thanks for the prompt response. I have gone through the document which you shared, and I have the following questions; please have a look at them:
1) For this safety, which one is the best suitable option: using discrete components or using an integrated circuit?
2) As of now my main focus is to design a relay drive circuit which can be utilized in a boiler control system.
3) Can you please share a reference design or application note?
4) I found a few ICs from ATMEL but I am confused whether they serve my application or not: U6808B, U6813B, ATA6842. Can you guide me on whether those ICs help in my application or not?
Posted: May 23, 2012 - 09:45 AM
Joined: May 23, 2012
Posts: 6
Actually that two-microcontroller design is the old design; now I would like to perform that task by using one microcontroller.
Can you share a reference analog circuit like the one you are talking about?
Which one is the best concept to achieve UL 1998 certification for this application?
Posted: May 23, 2012 - 02:47 PM
Joined: Dec 30, 2004
Posts: 8774
Location: Melbourne,Australia
You assume that I know what your boiler controller does. Whilst I have experience in safety critical systems, I've not done a boiler controller. I assumed it has some sort of temperature sensor, so one could most likely use an analog circuit to detect failure. If you want me to guess, then I'll use my crystal ball to divine a solution. If you want some advice, then you'll have to give me some information to work from. If you want me to design a solution for you, then you'll have to pay me - I assume you're getting paid for this as getting a compliant device is going to involve a significant amount of effort and money.
As to which concept is best for your solution, that is up to you to decide. As I said above, I've got no idea of what your boiler controller does apart from turn a boiler on and off and it must fail safe. You haven't told us what sort of boiler you're wanting to control - it could range from a kettle to a haggard old woman or somewhere in between these two extremes.
Posted: May 24, 2012 - 07:56 AM
Joined: May 23, 2012
Posts: 6
I appreciate your thoughts, but I am looking only for a concept; I am confused between discrete components or ICs for my application.
Posted: May 24, 2012 - 08:55 AM
Joined: Dec 30, 2004
Posts: 8774
Location: Melbourne,Australia
Discrete components will usually have known failure modes, whereas with an IC, how do you know how it will fail?
I had a batch of boards where the relay driver IC was slowly failing. Not only did the driver mosfet go leaky and eventually would hold the relay on, it leached 24VDC back into the 5V rail. Luckily the diagnostic would detect the failed relay driver. I designed the circuit so that critical relays were on different driver ICs as well as the fallback to the charge pump drive.
The things you need to consider:
1. the likelihood of failure
2. the failure mode
3. detection of the failure
For example, a resistor. What is the likelihood of failure? You can demonstrate mathematically the load on the resistor, so make the resistor rating much larger than it needs to be. UL has some rules regarding this. E.g., if the resistor dissipates 1W in normal operation, make it a 10W device so it is unlikely to fail by overload.
How does a resistor fail? Normally open circuit if grossly overloaded.
How to detect this failure? That depends on the circuit!
Posted: May 25, 2012 - 12:27 PM
Joined: May 23, 2012
Posts: 6
You mean to say that for optimum safety it is better to go with a Charge Pump Circuit Design instead of a fail safe relay drive IC?
Actually I tried to identify a Charge Pump Relay Drive circuit on the internet, but it shows only Charge Pump ICs. Those ICs are simply voltage doubler, inverter or voltage tripler types. They have no connection with what exactly I am looking for.
Posted: May 25, 2012 - 01:44 PM
Joined: Dec 11, 2007
Posts: 6849
Location: Cleveland, OH
Quote:
Boiler Control System safety is main concern
Quote:
current design we are operating the relay with the help of 2 microcontroller
Quote:
I am planning to develop new lost cost design to operate the relay by using only one microcontroller
Quote:
If you have any other suggestion or question related with this, please do not hesitate to ask me
OK, I'll ask.
Kartman has done a nice job discussing some of the concepts in fail safe redundancy design.
I think, however, you need to look at the "Big Picture", the overall operation of the system. Arguably the order of failure from most likely to fail to least likely to fail in this system is: Sensor, Relay, Power Supply, micro.
With a TWO micro system the setup is likely something as shown below. A failure of either Sensor/Micro/Relay/Power supply system will not prevent the other Sensor/Micro/Relay/Power supply system from independently shutting down the boiler.
In this (albeit simplistic) system, a single component failure won't let the boiler explode. If one of the Sensors or one of the Relays fails, for example, the other 1/2 of the system is still able to shut down the boiler, if need be.
Your new, low cost, one micro system may lose the simplicity and reliability of the dual redundancy system currently in place.
Note that self test, autodetection, and reporting of system failure, etc., aren't shown in the simple block diagram, but constitute the next tier in the overall design of such a system. The system complexity increases significantly, also, if one needs to keep running the system in spite of conflicting input and system status reporting from any one sub-system.
The bottom line, of course, is that if SAFETY is truly one's first concern, then shaving a few dollars off the cost is frequently foolish. The old saying "Pay now, or pay later" certainly applies.
JC
Posted: May 25, 2012 - 01:56 PM
Joined: Jul 02, 2005
Posts: 5945
Location: Melbourne, Australia
Hi Jay,
Are you assuming that in your diagram, each of the relays must be energised to close ... so if either micro's drive fails the relay opens and shuts everything down?
Cheers,
Ross
_________________
Ross McKenzie
ValuSoft
Melbourne Australia
Posted: May 25, 2012 - 02:40 PM
Joined: Dec 11, 2007
Posts: 6849
Location: Cleveland, OH
Hi Ross,
The above is the 50,000 foot view of the system, without going into details. I provided it to highlight the concept of two independent, serial systems to safeguard the system.
In this case the assumption is that boiler over temp or over pressure, resulting in explosion, is what is being protected against.
It also assumes a single component failure model for the failure mode.
If the goal is to keep the system functioning in spite of a single component failure then the system complexity increases (significantly). Then the question becomes: is there a human monitoring the system, time to human intervention, is there a "manual bypass (manual control)" capability, can one have the system operate solely on the functional subsystem while swapping out the failed subsystem, etc.?
The ability to autodetect and work in spite of an error makes for a very complex system. Often the "solution" is to simply disable the system, e.g. anti-lock brakes become standard brakes, the artificial horizon is flagged inoperative and the pilot uses the "back-up" instrument, an internal defibrillator that has fired > X times in < Y minutes goes into standby mode until one of a half dozen reset criteria occur, etc.
The bottom line is that fail safe systems are complex. When the OP states "I'm going to take this system, where safety is the number one concern, and remove half of its brain to make it cheaper", one has to look closely at why the redundancy was built into the system to begin with.
JC
Posted: May 25, 2012 - 02:57 PM
Joined: Dec 30, 2004
Posts: 8774
Location: Melbourne,Australia
Something else to toss into the mix - in terms of reliability, we want the unit to fail safe. As well, we want the unit to not fail! Consider the average home hot water service - if it is electric, it has a simple bimetal thermostat with a blow off valve if things go wrong. There might even be a thermal fuse as well. The safety is based on reliability - these two devices can be shown to have an extremely low failure rate, thus the likelihood of both items failing and a dangerous situation occurring is extremely remote.
Posted: May 29, 2012 - 09:53 AM
Joined: May 23, 2012
Posts: 6
Thanks everyone,
Actually I appreciate your suggestions, but I think we are going in the wrong direction. Actually I do have a boiler control system product right now. In my current boiler control system I am operating the relay with the help of 2 microcontrollers to achieve the UL 1998 standard, and now I would like to develop a relay control circuit with the help of only one microcontroller (other passive components or integrated circuits are acceptable) to achieve the UL 1998 standard. In short, I am interested in designing a new relay control part and for that I am looking for a solution.
Thanks
Posted: May 29, 2012 - 02:44 PM
Joined: Dec 30, 2004
Posts: 8774
Location: Melbourne,Australia
I understand what you're saying but you're assuming we know what your boiler controller does. I've outlined the basics, so where do you want us to go? You have to define the criteria. Note that even if we showed you a compliant circuit, it would still be up to you to do all the documentation. The challenge isn't in the circuit itself but making sure you tick all the boxes necessary for compliance. The first step is to read all the required standards - no simple task, and standards cost money. The next step is to extract the required parts of the standards that apply to your project. Formulate the requirements and reliability numbers. Propose a design that meets these requirements. Do a FMEA to verify the design. Perform testing to validate the design. For CE you make a declaration; for UL you probably have to use a test house. All a lot of paperwork and money. So whilst I could suggest a compliant circuit, it isn't going to be a shortcut for your task.
Posted: May 29, 2012 - 06:49 PM
Joined: Sep 12, 2009
Posts: 2403
Location: Sacramento, CA
Kartman wrote:
I just did a Google for UL1998. Seems its similar to EN61508.
Found this powerpoint presentation as well:
www.ewh.ieee.org/soc/pes/switchgear/... ... safety.ppt
FWIW, for others trying to access this link: the link would not work for me directly, but by googling "ulsoftwaresafety.ppt" I was able to follow the hit and open the ppt.