Maker Pro

How to do fail safe power switch?

Carlo

I'm working on a traffic control device where lives could be at stake
when our device fails. I have to switch 230Vac for a 20W lamp such
that I can ensure the current flow will be broken when the logic says
so. How to accomplish this?

I have studied the following options, but no definite solution found.
1) Relay. Not fail safe because of possible contact welding.

2) Fail Safe Relay. How to use these? As far as I can tell they are
not really fail safe, but you get a control signal which tells you the
contact is working correctly. Using additional circuitry this control
signal can be used to control another power switch (which might fail
for the same reason).

3) Solid state relay. Most designs are not fail safe and create a
closed circuit on failure. The only fail safe device I found is the
Omron G3MC. According to my supplier this device is out of production.
My national Omron office is doing a system upgrade and can't access
their computers....

Are there other options for a fail safe power switch that I am
overlooking? Other fail safe Solid State relays?
 
Guy Macon

Carlo said:
I'm working on a traffic control device where lives could be at stake
when our device fails. I have to switch 230Vac for a 20W lamp such
that I can ensure the current flow will be broken when the logic says
so. How to accomplish this?


     ----- RELAY ----- RELAY -----
     |                           |
     |                           |
-----|                           |-------LAMP-------
     |                           |
     |                           |
     ----- RELAY ----- RELAY -----


Drive all four relays from the same control signal.
If any relay fails open or closed, it still works.

What are you going to do about the problem of the
20W lamp being several orders of magnitude less
reliable than even a single relay?
 
Frithiof Andreas Jensen

Carlo said:
How to accomplish this?

You cannot accomplish this! There is a probability of failure, you can lower
it at greater and greater expense, but it will never go away (or planes
would not crash!)
Are there other options for a fail safe power switch that I am
overlooking? Other fail safe Solid State relays?

Specify "Fail Safe" - When I did railway equipment way back "Fail Safe"
meant that:

1: When equipment fails, the design ensures that it fails into a safe state.
2: No Single Failure would lead to an unsafe state.
3: No Single Failure would go undetected.

In your case, you would assume that the relay may fail open or weld close.
Connecting two relays in series and driving them from two independent*
control channels will ensure that you meet requirement "2". To meet "1" and
"3" you need to measure the voltage on the output of each relay - and
possibly the current through the bulb too - so that the correct operation
can be verified at all times.

THEN you need PROCEDURES that describe what action needs to be taken by
people on different scenarios. F.ex. if the RED & GREEN are on at the same
time, the train driver will obey the RED, that sort of thing, volumes &
volumes of it

*what "independent" means is also a good question, does that include power
supplies and design of controller equipment?
 
Ken Smith

I'm working on a traffic control device where lives could be at stake
when our device fails. I have to switch 230Vac for a 20W lamp such
that I can ensure the current flow will be broken when the logic says
so. How to accomplish this?

Add a second relay that has its contacts close just after the other
opens. Connect its contacts across the lamp. If the first relay fails to
open, the second creates a dead short and blows the fuse on the system
shutting it down.

It may also burn down the building in the process if someone puts a penny
in the fuse box because it keeps blowing.
 
John Fields

I'm working on a traffic control device where lives could be at stake
when our device fails. I have to switch 230Vac for a 20W lamp such
that I can ensure the current flow will be broken when the logic says
so. How to accomplish this?

I have studied the following options, but no definite solution found.
1) Relay. Not fail safe because of possible contact welding.

2) Fail Safe Relay. How to use these? As far as I can tell they are
not really fail safe, but you get a control signal which tells you the
contact is working correctly. Using additional circuitry this control
signal can be used to control another power switch (which might fail
for the same reason).

3) Solid state relay. Most designs are not fail safe and create a
closed circuit on failure. The only fail safe device I found is the
Omron G3MC. According to my supplier this device is out of production.
My national Omron office is doing a system upgrade and can't access
their computers....

Are there other options for a fail safe power switch that I am
overlooking? Other fail safe Solid State relays?

---
NOTHING is failsafe.

The best you can do is to come up with a design which is most likely
to fail in the way you'd like for it to, then to determine the
probability of the likelihood of _that_ failure mode occurring.

I would think that an even more fundamental problem is that, as Guy
Macon noted, you're planning on using an incandescent lamp.

Why not blow that off and use LEDs?
 
John Popelish

John said:
NOTHING is failsafe.
(snip)

Nothing is failure proof. Failsafe means that if it fails, it fails
in a safe mode. If there is no possible safe mode for failure, then
failsafe is not applicable to the problem.
 
Carlo

I realise I should have specified better what I meant with the term
'fail safe'. What I meant is that in case of a failure to the switch
we want the system to go to a state where there is no current flowing
through the lamp.

The system already has a detection circuit for lamp failures so a lamp
brown out has been covered. An actuator (switch) failure in open state
would be detected by the same detection circuit. The only other
(theoretical) failure would be a lamp staying active because of an
actuator failure in closed circuit state. General public will know
that a failing lamp is an abnormal situation, a green light means
'shut down brain and ride as fast as possible'. This is the situation
that I was trying to solve.

Easiest would be to find some switch that on failure would be
guaranteed to stay in the open circuit state. Any ideas here?

I'm not enthusiastic about setups involving multiple relays in series
and/or parallel because of the additional costs and the more
(mechanical) parts there are included, the larger the chance of a
failure occurring. Although this is a commercial product, we don't want
to have to sell a yearly maintenance contract. :)
 
Tim Shoppa

Guy Macon said:
What are you going to do about the problem of the
20W lamp being several orders of magnitude less
reliable than even a single relay?

In my many years in electronics, I've never seen a lamp fail "on"
even after power was removed :).

Tim.
 
John Fields

(snip)

Nothing is failure proof. Failsafe means that if it fails, it fails
in a safe mode. If there is no possible safe mode for failure, then
failsafe is not applicable to the problem.

---
Agreed, but... The assumption is that if something fails, the ways in
which it can fail can be predicted with absolute certainty and then
appropriate actions taken by other things whose failure modes can also
be predicted with absolute certainty to guarantee that a predicted end
will occur. Tricky...
 
Paul Hovnanian P.E.

Frithiof said:
You cannot accomplish this! There is a probability of failure, you can lower
it at greater and greater expense, but it will never go away (or planes
would not crash!)


Specify "Fail Safe" - When I did railway equipment way back "Fail Safe"
meant that:

1: When equipment fails, the design ensures that it fails into a safe state.
2: No Single Failure would lead to an unsafe state.
3: No Single Failure would go undetected.

In your case, you would assume that the relay may fail open or weld close.
Connecting two relays in series and driving them from two independent*
control channels will ensure that you meet requirement "2". To meet "1" and
"3" you need to measure the voltage on the output of each relay - and
possibly the current through the bulb too - so that the correct operation
can be verified at all times.

This assumes that someone will be around to monitor the system for
alarms or abnormal conditions.
THEN you need PROCEDURES that describe what action needs to be taken by
people on different scenarios. F.ex. if the RED & GREEN are on at the same
time, the train driver will obey the RED, that sort of thing, volumes &
volumes of it

It depends on whether you need error detection or recovery as well. Many
systems can get by with two independent channels if it is acceptable to
stop and scratch one's head in the event of a discrepancy. Autopilots are
one example where it is not sufficient to just detect the single
failure. A third channel is required so that two good ones can overrule
one bad one and keep flying.
 
Ben Bradley

I realise I should have specified better what I meant with the term
'fail safe'.

I recall a movie of that name...
What I meant is that in case of a failure to the switch
we want the system to go to a state where there is no current flowing
through the lamp.

The system already has a detection circuit for lamp failures so a lamp
brown out has been covered. An actuator (switch) failure in open state
would be detected by the same detection circuit. The only other
(theoretical) failure would be a lamp staying active because of an
actuator failure in closed circuit state. General public will know
that a failing lamp is an abnormal situation, a green light means
'shut down brain and ride as fast as possible'. This is the situation
that I was trying to solve.

Easiest would be to find some switch that on failure would be
guaranteed to stay in the open circuit state. Any ideas here?

I'm not enthusiastic about setups involving multiple relays in series
and/or parallel because of the additional costs and the more
(mechanical) parts there are included, the larger the chance of a
failure occurring. Although this is a commercial product, we don't want
to have to sell a yearly maintenance contract. :)

If I had any involvement with this design I'd get an Engineer
involved - the kind that has Engineer on his business card and who has
a PE license, and whatever design is decided, have the Engineer sign
off on it, if not do the whole design.

I hesitate to comment on any design suggested in this thread, or on
the very idea of asking this question on Usenet.
 
Guy Macon

The system already has a detection circuit for lamp failures so a lamp
brown out has been covered. An actuator (switch) failure in open state
would be detected by the same detection circuit. The only other
(theoretical) failure would be a lamp staying active because of an
actuator failure in closed circuit state. General public will know
that a failing lamp is an abnormal situation, a green light means
'shut down brain and ride as fast as possible'. This is the situation
that I was trying to solve.

Three separate control signals driving three relays in series.
 
John Popelish

John Fields said:
---
Agreed, but... The assumption is that if something fails, the ways in
which it can fail can be predicted with absolute certainty and then
appropriate actions taken by other things whose failure modes can also
be predicted with absolute certainty to guarantee that a predicted end
will occur. Tricky...

And thus, design engineers get higher salaries than advertising executives.
No. Wait a minute.
Oh, never mind!
 
Tim Shoppa

The system already has a detection circuit for lamp failures so a lamp
brown out has been covered.

Lamps do fail both "open" and "shorted". Usually shorted blows a fuse
or trips a breaker somewhere...

Tim.
 
Paul Hovnanian P.E.

Guy said:
Three separate control signals driving three relays in series.


The problem here is that eventually, all three relay contacts may get
welded shut (or a relay spring breaks or something). Since, without
error detection, any one contact getting stuck shut is a passive failure
and it's reasonable to assume all three units are exposed to the same
conditions leading to this failure, eventually they could all fail this
way.

Probabilities might be such that a fail open is much more likely than a
fail shut. But one can step through the fault tree and calculate the
eventual probability that the light will fail 'on'. Of course, even with
a supervisory system, there's a probability that the combination of
failures leading to this state can occur before the dispatcher can send
the repair guy out to fix the thing.
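Guy Macon's two drawings above (two series pairs in parallel, then three relays in series) and the fault-tree calculation Paul describes here, as an added example written for this page, not code from any poster: it enumerates every relay fault combination for both networks, classifies what the lamp does, and sums the probability of the unsafe stuck-on state under assumed, independent per-relay failure probabilities.

```python
import itertools, math

# Added example (not from the thread): exhaustively evaluates the relay
# networks suggested above.  A relay is "ok" (follows the command), "open"
# (contacts never close) or "welded" (contacts never open); every relay is
# driven by the same lamp-on/lamp-off command.
STATES = ("ok", "open", "welded")

# A network is a relay index or (kind, [sub-networks]), kind series/parallel.
THREE_SERIES = ("series", [0, 1, 2])            # three relays in series
TWO_BY_TWO = ("parallel", [("series", [0, 1]),  # two series pairs in
                           ("series", [2, 3])])  # parallel, as drawn above

def conducts(net, cmd_on, faults):
    """True if current can flow through net when the command is cmd_on."""
    if isinstance(net, int):
        return {"open": False, "welded": True}.get(faults[net], cmd_on)
    kind, parts = net
    results = [conducts(p, cmd_on, faults) for p in parts]
    return all(results) if kind == "series" else any(results)

def classify(net, faults):
    """stuck_on = lit when commanded off (the unsafe state); stuck_off =
    dark when commanded on (safe, and detectable); ok = follows command."""
    if conducts(net, False, faults):
        return "stuck_on"
    return "stuck_off" if not conducts(net, True, faults) else "ok"

def fault_survey(net, n_relays, max_faults):
    """Tally outcomes over every combination of 1..max_faults faulty relays."""
    tally = {}
    for faults in itertools.product(STATES, repeat=n_relays):
        k = sum(f != "ok" for f in faults)
        if 0 < k <= max_faults:
            row = tally.setdefault(k, {"ok": 0, "stuck_on": 0, "stuck_off": 0})
            row[classify(net, faults)] += 1
    return tally

def p_stuck_on(net, n_relays, p_open, p_weld):
    """Fault-tree sum: probability of the unsafe state, assuming each relay
    fails independently.  That assumption is exactly the common-cause caveat
    raised above, so the figure is optimistic."""
    prob = {"ok": 1 - p_open - p_weld, "open": p_open, "welded": p_weld}
    return sum(math.prod(prob[f] for f in faults)
               for faults in itertools.product(STATES, repeat=n_relays)
               if classify(net, faults) == "stuck_on")
```

`fault_survey(TWO_BY_TWO, 4, 2)` shows all eight single faults leaving the lamp under control, while two of the 24 double faults (both relays of one branch welded) leave it stuck on and four leave it stuck off; `fault_survey(THREE_SERIES, 3, 1)` shows the series string trading three detectable stuck-off single faults for zero stuck-on ones.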
 
Carlo

Lamps do fail both "open" and "shorted".

Thanks, but I've realised that and it's covered.

My real concern, and why I started this topic, is possible failure of
the switch in a closed state. I do know how to protect this with
another detection circuit, but I have the feeling there must be an
easier way to accomplish this.

So, here again my original question: Is there a switch that will fail
open?
 
DaveC

So, here again my original question: Is there a switch that will fail
open?

Immutable facts:
If a device can open, it will fail a percentage of the time in the open
position.

If a device can close, it will fail a percentage of the time in the closed
position.

Therefore:
You cannot have a device that provides a mode without the possibility that it
will fail in that mode.

The only choices I see are (as already suggested by others):
1) provide redundant devices (ie, relays) that will allow the circuit to
continue to function safely when a component fails. (Not foolproof: multiple
devices could fail simultaneously.)

and/or:

2) provide oversight logic that will detect/report the failure and shut down
the circuit or put it into a safe mode (ie, 4-way red flash). (Not foolproof:
logic could fail simultaneously.)

I don't see any other options (not that they don't exist...)

Good luck,
 
John Fields

Thanks, but I've realised that and it's covered.

My real concern, and why I started this topic, is possible failure of
the switch in a closed state. I do know how to protect this with
another detection circuit, but I have the feeling there must be an
easier way to accomplish this.

So, here again my original question: Is there a switch that will fail
open?
 
Fred Bloggs

Carlo said:
Thanks, but I've realised that and it's covered.

My real concern, and why I started this topic, is possible failure of
the switch in a closed state. I do know how to protect this with
another detection circuit, but I have the feeling there must be an
easier way to accomplish this.

So, here again my original question: Is there a switch that will fail
open?


It is possible to create a "macro"-relay with arbitrarily low
probability of failure in the stuck closed state by using core ordinary
relay logic like so- but you would still want a failsafe master relay,
that is only operated when failure is detected, to switch off prime
power to the lamps through faulty control logic paths:

View in a fixed-width font such as Courier.




              RLY#1         RLY#2
            +------+      +------+
            |   a  |      |  a   |
            |   o--|------|-o    |
            |c /   |      |  \ c |
LINE>-------|-o    |      |   o--|-----> LOAD
            |      |      |      |
            |   o--|------|-o    |
            |   b  |      |  b   |
            |      |      |      |
            |      |      |      |
            |      |      |      |
            | /\/\ |      | /\/\ |
            +------+      +------+
              |  |          |  |
              |  |          |  |
              |  |          |  |

             coil 1        coil 2



If LOAD off, toggle coil #1 state to turn on LOAD

If LOAD on, toggle coil #2 state to turn off LOAD
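The two-changeover-relay "macro relay" above, as an added example written for this page (not the poster's code): it models each relay as an SPDT changeover with the a-contacts and b-contacts cross-wired, applies the post's toggle rule to every jammed-arm fault combination, and adds one assumption of its own, a verify-and-fall-back step that toggles the other coil and reports the fault.

```python
import itertools

# Added example (not the poster's code): a model of the two-changeover-relay
# "macro relay" drawn above.  Each relay is an SPDT changeover: the arm on
# common contact c rests on "b" while the coil is released and moves to "a"
# when the coil is energised.  a1 is wired to a2 and b1 to b2, so LINE
# reaches LOAD only when both arms touch the same letter, and toggling
# either coil flips the LOAD state.
FAULTS = (None, "stuck_a", "stuck_b")   # None = healthy contact

def arm_position(energised, fault):
    """Contact letter the arm actually touches, honouring a jammed arm."""
    if fault == "stuck_a":
        return "a"
    if fault == "stuck_b":
        return "b"
    return "a" if energised else "b"

def load_on(coils, faults):
    """LOAD is powered iff both arms touch the same contact letter."""
    return arm_position(coils[0], faults[0]) == arm_position(coils[1], faults[1])

def turn_off(coils, faults):
    """Apply the post's rule (LOAD on -> toggle coil #2), then verify.
    The verify-and-fall-back step is an assumption added here: if LOAD is
    still on, toggle coil #1 as well and report the detected fault, which
    is the cue for the master relay the post says you would still want."""
    coils = list(coils)
    coils[1] = not coils[1]
    if not load_on(coils, faults):
        return coils, "direct"
    coils[0] = not coils[0]
    return coils, "fallback" if not load_on(coils, faults) else "failed"

def survey():
    """For every fault combination and every coil state in which LOAD is
    on, try to switch it off; tally outcomes by number of jammed relays."""
    tally = {k: {"direct": 0, "fallback": 0, "failed": 0} for k in range(3)}
    for faults in itertools.product(FAULTS, repeat=2):
        k = sum(f is not None for f in faults)
        for coils in itertools.product((False, True), repeat=2):
            if load_on(coils, faults):
                tally[k][turn_off(coils, faults)[1]] += 1
    return tally

if __name__ == "__main__":
    for k, counts in survey().items():
        print(f"{k} jammed relay(s): {counts}")
```

Every single jammed arm is overcome (half of them only by the fall-back toggle, which is the detection event); LOAD stays on after both toggles only when both arms are jammed on the same letter.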
 
Andrew VK3BFA

Well, my "bottom of the barrel" suggestion is - monitor the "green"
lamp current, if on for more than a pre-determined time, then fail to
all lights flashing amber - this seems to confuse most drivers in a
satisfactory manner.. Or don't worry about it and let Darwinian natural
selection weed out the gene pool a bit......

73 de VK3BFA Andrew
 