Author Topic: Design for a "watchdog" circuit (review request)


Offline sparkydogTopic starter

  • Regular Contributor
  • Posts: 234
  • Country: us
Design for a "watchdog" circuit (review request)
« on: April 03, 2023, 06:21:20 pm »
So, I have this automation project that amounts to a glorified "smart switch". Basically, there's an MCU and some other stuff in a box with a bunch of relays sitting along a mains conduit that needs to control the downstream power. Where it gets a little interesting is that I need this to be as reliable as possible, particularly when it comes to ensuring that it turns off.

I'm feeling pretty okay in terms of signalling that it should turn off, and probably the several series relays won't all decide to weld at the same time... but I'd like to be really sure.

As the main relays are 1NC/5NO force-guided, it's fairly straight-forward to detect if they should be open but aren't. Acting on this, when I also want the whole shebang to be able to handle 20A (@120VAC), is a little trickier. I'd rather not pay $100+ for a shunt trip breaker, nor for the sort of braking resistor (also well into three-figure territory) I'd need to ensure reliable tripping of a normal breaker or fuse. However, I will have a dedicated GFCI upstream.

As earlier noted, there's an easily detected steady-state that occurs if a relay welds. However, since this same state is a transition state when the relay opens under normal operation, I couldn't just pass it straight into a STB anyway. (In fact, I'd probably want opto-isolation and a separate power supply if I went that route, which is even more argument against a STB.) Since I need to build a board for this anyway, for about $15 I can grab a more modest resistor (and heat sink, and etc.) and use that to create a deliberate ground fault, tripping the breaker that way. For signal filtering, an RC delay is reliable and sufficient. (This particular application isn't especially time-critical; a few seconds delay is unlikely to matter.)

Before getting into the specific design, is this approach at all reasonable?

Anyway, my current iteration of the schematic and PCB is attached. Some more specific questions:
  • Is the fuse on the AC side (F1) overkill? (Alternatively, is there a way to replace it with a PTC that will allow the necessary current to flow long enough to trip the GFCI, but interrupt the circuit if the GFCI doesn't trip?)
  • Is this a reasonable RC configuration, or should I be using more capacitance with less resistance? (Or vice versa?)
  • Is this approach using copper pours reasonable, or should I be using only traces on the back? (Should I be using traces instead of a ground plane? It would be trivial to run a short ground trace for Q1, C1, R2, T2)
  • Is the SA18CA (VR = 24V, VBR < 30V, VC ≈ 39V) a reasonable choice given 0.55mm clearance? Do I need more clearance (hard) and/or a TVS that will limit the reverse voltage to something lower? Can I go with something that has a higher breakdown voltage and will kill the coil's magnetic field faster?
  • On the outside chance this would activate and the breaker doesn't trip, is this going to turn into a fire-starter? (Is there an easy way to mitigate that, that isn't expensive and ideally takes very little board space?)
  • Am I doing anything else that's stupid? :)

The AC traces are 2mm and are duplicated on both the front and back. The front/back pours connecting the HS and mounting hole are for thermal conductivity, as this is intended to be mounted in a metal case. They probably won't do much, but I figure they won't hurt. If I've done the math right, R1 should see ~120mA RMS (~15W), which should be more than enough to trip a GFCI. The "sense" lines all run through SSR "logic" back to a single +12V; any or all possible paths can be interrupted or continuous.
 

Offline m k

  • Super Contributor
  • Posts: 2438
  • Country: fi
Re: Design for a "watchdog" circuit (review request)
« Reply #1 on: April 06, 2023, 10:34:16 am »
Messaging through a message board has two limits, too little and too much, and you went over the latter.
It's not the amount of text, it's the content: you packed in too many things.
It's also understandable, but at some point you just must accept that messaging through a message board is slow.

What is the most important in your case?
As reliable as possible seems to be close.

First bullet point includes fuse and GFCI, by design neither is for the circuit.

There are also laws and regulations how things must be done.
Like an emergency stop, it's still just a switch.
Many will also reject an MCU as a final safety decision maker.
 

Online Ian.M

  • Super Contributor
  • Posts: 13076
Re: Design for a "watchdog" circuit (review request)
« Reply #2 on: April 06, 2023, 11:23:07 am »
You can't stay within code and trip a GFCI by diverting current to ground.  (Use of the grounding conductor for circuit purposes was permitted for NEMA-10 outlet circuits until 1996, but is not permitted for new or refitted installations. Also, NEMA-10 is deprecated.)

*IF* the GFCI was in the same enclosure, you could trip it by applying a load 'diagonally' from Line on its Output side to Neutral on its Input side or vice versa.   You can get ceramic fusible power resistors with thermal trip times long enough for this application.

Is there any way to cut coil power to the 'bunch of relays'? 
 

Offline sparkydogTopic starter

  • Regular Contributor
  • Posts: 234
  • Country: us
Re: Design for a "watchdog" circuit (review request)
« Reply #3 on: April 06, 2023, 05:55:10 pm »
m k, your message is nearly unreadable. Are you saying I should re-post as several threads, each focusing on only one of the bullet-point questions? "first bullet point includes fuse and GFCI, by design neither is for the circuit" is particularly opaque.

No, the MCU is not "a final safety decision maker" (where did that idea even come from?). Yes, the MCU controls an SSR that controls coil power for some of the relays. There are also multiple and independent backup components (one of which is purely mechanical) that will also interrupt coil power, each of which have completely separate means of power interruption. That's all what I am calling the "signal the thing to turn off" side. As I stated, I'm about as comfortable as I can be in that working (short of human monitoring, which unfortunately is not practical).

None of that is directly relevant to anything I'm asking here.

Is there any way to cut coil power to the 'bunch of relays'?

Yes; that's what the MCU and primary backups do. I'm unclear how what you're asking differs from the normal function of the device? This watchdog circuit only comes into play (i.e. sees voltage on SENSE) when I have cut power to the primary relay coils. If the relays are either open or energized, the SENSE signal from that board will be open-circuit.

You can't stay within code, and trip a GFCI by diverting current to ground.

*IF* the GFCI was in the same enclosure, you could trip it by applying a load 'diagonally' from Line on its Output side to Neutral on its Input side or visa-versa.

If just having this is a code violation, that's certainly not ideal, but if it only becomes a violation if it's actually used... well, this isn't the "off switch", it's the backup's backup. If the relay in this ever closes, the sky is falling, and at that point, adhering to code is notably lower on my list of priorities than "I need the power off".

If I'm understanding the second sentence correctly, though... you're saying if I had a second neutral that wasn't on the same GFCI, I could use that instead of earth? Can I just run that second wire from the panel? (For a couple reasons, I'd rather keep the breaker in the panel, but running another wire should be doable. Any thoughts how to label that on the PCB?)

Alternatively, I'm open to other ideas, but I'd really like to keep the cost under $50.
 

Offline redkitedesign

  • Regular Contributor
  • Posts: 111
  • Country: nl
    • Red Kite Design
Re: Design for a "watchdog" circuit (review request)
« Reply #4 on: April 07, 2023, 08:05:42 am »
So if I understand you correctly, you'd like to make a thingie that shuts off mains-power when some arbitrary "SENSE" signal carries power (presumably 12V 100mA-ish), and you'd like to do it under $50.

I would just put a decently oversized relay in the power line. Preferably wired for normally off, so you'd also need additional power to actually turn (keep) it on.

Trickery with the GFCI like you are proposing is wrong for several reasons:
- It's unintuitive for others who come into contact with your circuit
- It's as reliable as the GFCI + the circuit, whereas my proposal is as reliable as the single relay. Fewer parts can be more reliable for the same cost
- It poses an additional danger if the GFCI fails: not only does the watched circuit not turn off, but also your PE might become energized.
- It's also illegal.

If a GFCI is much cheaper than a relay with the same reliability, then use a separate GFCI INSIDE your project. And leak the current from the protected side LIVE to the unprotected side NEUTRAL. Same effect, without f**cking with ground.
 

Offline m k

  • Super Contributor
  • Posts: 2438
  • Country: fi
Re: Design for a "watchdog" circuit (review request)
« Reply #5 on: April 07, 2023, 09:37:55 am »
None of that is directly relevant to anything I'm asking here.

No, and you post as you like.
My reply was my take on why your question went to page 2 without answers.
Emergency switch and MCU were examples your text brought up in my head.

People who read don't know what you know; they also read what they like and answer accordingly, when they like.
Your job is to make a question they like so much that they answer how you like, at least once.

A simple and straightforward question is often quite a well-liked route.
With a more complex thing, people start guessing more about what can go wrong, and drop off if the possibility is too high that they get unwanted recoil.

Your case seems to be something where safety is second, so to speak, and cost is the primary thing; "backup's backup" is not changing that.
People are not very happy commenting on these types of things.
 

Offline sparkydogTopic starter

  • Regular Contributor
  • Posts: 234
  • Country: us
Re: Design for a "watchdog" circuit (review request)
« Reply #6 on: April 07, 2023, 07:40:31 pm »
redkitedesign, a GFCI is $65, plus redesigning (enlarging) my housing to accommodate it. What "decently oversized relay" do you have in mind? (If I'm going to trust anything rated for less than 30A @ 120VAC, I might as well ditch the watchdog entirely and just hope the primary relays never weld. Which really isn't my first choice; the whole point is that my understanding is that breakers are designed to, you know, break the current path even in seriously adverse conditions.)

You didn't exactly address my follow-up to Ian; can I, instead of having an additional GFCI, run an additional (upstream of the panel GFCI) neutral to the watchdog?

m k, safety is always a trade-off against cost. If it wasn't, someone prioritizing safety would hire someone else to do anything dangerous; e.g., I could hire someone — no, make that several someones — to stand around all day and monitor this system. That would provide a very high degree of safety, but it's clearly cost prohibitive. For the same reason, any electronics product uses components that are "good enough", with a level of redundancy (if any) that is "good enough".
« Last Edit: April 07, 2023, 08:53:29 pm by sparkydog »
 

Offline sparkydogTopic starter

  • Regular Contributor
  • Posts: 234
  • Country: us
Re: Design for a "watchdog" circuit (review request)
« Reply #7 on: April 07, 2023, 10:05:11 pm »
Uh... one totally silly thing I just realized. As far as creating a continuous open circuit if the GFCI fails... GFCIs are supposed to trip fast, right? (Ahem. UL 943 specifies maximum trip time as (20 / IF)^1.43 in seconds for IF in milliamps, or ~77ms for the 120mA fault the watchdog is designed to create.)

That being the case, am I being totally silly not just slapping a 50mA fuse in F1? A slow-blow should survive ~1s (according to the data sheet, at least 400 ms and ~1s typical), which is about 5x as long as the GFCI should take to trip.

The loss of a $1.50 fuse seems quite acceptable given that, if F1 blows, I probably have ~$200 or more worth of other equipment that needs to be replaced.
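As an added worked example (not part of sparkydog's post or design files), the numbers behind the fault-resistor, GFCI trip-time and fuse-margin reasoning above, in Python. Three things are assumptions here rather than facts from the thread: R1 is taken as 1 kΩ (inferred from the ~120 mA / ~15 W figures), the UL 943 Class A curve is used exactly as quoted in the post, and the 400 ms figure is the minimum survival time the poster read off the slow-blow fuse datasheet.

```python
"""Worked numbers for a deliberate-ground-fault 'watchdog' trip path.

Added example, not from the thread. Assumptions:
  - R1 ~= 1 kOhm (inferred from the poster's ~120 mA / ~15 W figures; not stated)
  - UL 943 Class A limit T = (20 / I_mA) ** 1.43 seconds, as quoted in the thread
  - the 50 mA slow-blow fuse survives >= 400 ms at the fault current (poster's datasheet figure)
"""
import math

V_RMS = 120.0                 # line voltage in the thread
GFCI_THRESHOLD_MA = 6.0       # Class A nominal trip threshold (assumed; below it, no trip is required)


def fault_current_ma(r_ohms, v_rms=V_RMS):
    """RMS current forced through the fault resistor from Line to the return path."""
    return 1000.0 * v_rms / r_ohms


def resistor_power_w(r_ohms, v_rms=V_RMS):
    """Continuous dissipation in the fault resistor while the watchdog relay is closed."""
    return v_rms ** 2 / r_ohms


def ul943_max_trip_s(i_ma):
    """Worst-case Class A GFCI trip time for a fault current in mA.

    Returns math.inf below the nominal threshold, where the device need not trip at all.
    """
    if i_ma <= GFCI_THRESHOLD_MA:
        return math.inf
    return (20.0 / i_ma) ** 1.43


def fuse_margin(i_ma, fuse_min_survive_s):
    """Ratio of the fuse's minimum survival time to the GFCI's worst-case trip time.

    > 1 means the fuse should still be intact when the GFCI must already have tripped,
    so the fuse only acts as the backstop if the GFCI does not do its job.
    """
    return fuse_min_survive_s / ul943_max_trip_s(i_ma)


def watchdog_design(r_ohms=1000.0, fuse_rating_ma=50.0, fuse_min_survive_s=0.4):
    """Collect the design figures for one resistor / fuse pairing."""
    i = fault_current_ma(r_ohms)
    return {
        "fault_current_ma": i,
        "resistor_power_w": resistor_power_w(r_ohms),
        "gfci_max_trip_s": ul943_max_trip_s(i),
        "fuse_overload_ratio": i / fuse_rating_ma,   # must exceed 1 or the fuse never opens
        "fuse_margin": fuse_margin(i, fuse_min_survive_s),
    }


if __name__ == "__main__":
    for key, value in watchdog_design().items():
        print(f"{key:>20}: {value:.4g}")
```

With the assumed 1 kΩ resistor the script reproduces the thread's figures: 120 mA, 14.4 W, a 77 ms worst-case trip, and a fuse that should hold roughly five times longer than the GFCI is allowed to take.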
 

Online Ian.M

  • Super Contributor
  • Posts: 13076
Re: Design for a "watchdog" circuit (review request)
« Reply #8 on: April 07, 2023, 10:40:56 pm »
Get a friend* to contact your local electrical code enforcement officer for an opinion on whether or not it is permissible to run an auxiliary non-GFCI protected Neutral to allow you to trip an upstream GFCI on demand without dumping current into the Ground.  If they don't like the idea, you are S.O.L.

One thing you *could* do is use the same principle as Microwave oven door interlock switches, i.e. have your control gear  hard short switched Line to Neutral (both after the GFCI), downstream of a suitable fuse feeding your load, a short time delay after de-energising the circuit, and remove the short a short time delay before energising the circuit. If that fuse ever blows, both it and the 'crowbar' relay *MUST* be replaced.

* So the enquiry isn't linked to your name/address.  ;)
« Last Edit: April 08, 2023, 06:35:40 am by Ian.M »
 

Offline redkitedesign

  • Regular Contributor
  • Posts: 111
  • Country: nl
    • Red Kite Design
Re: Design for a "watchdog" circuit (review request)
« Reply #9 on: April 08, 2023, 06:22:59 am »
redkitedesign, a GFCI is $65, plus redesigning (enlarging) my housing to accommodate it. What "decently oversized relay" do you have in mind? (If I'm going to trust anything rated for less than 30A @ 120VAC, I might as well ditch the watchdog entirely and just hope the primary relays never weld. Which really isn't my first choice; the whole point is that my understanding is that breakers are designed to, you know, break the current path even in seriously adverse conditions.)

You didn't exactly address my follow-up to Ian; can I, instead of having an additional GFCI, run an additional (upstream of the panel GFCI) neutral to the watchdog?

The breakers in your house panel are intended to break when a reasonably unforeseeable, or not-reasonably-mitigable, situation arises. Never should you design something with the INTENTION to trigger a breaker in the house panel.

Safety is also predictability: you shouldn't use a breaker in the house panel as a switch, and you shouldn't run a neutral without a live (or vice versa!). Those are situations a buyer, electrician or fireman doesn't expect and cannot anticipate, and are therefore dangerous.

Whether your relays will weld (or otherwise fail dangerously) I cannot tell. You, as designer, have to estimate the risk and decide whether that risk is acceptable or not. And if it isn't, you'll have to decide whether a second relay (that might also weld, but not necessarily at the same time) adds enough safety, or whether you'll need to change the housing.

And if your thingie can work off a 100mA fuse, a simple crowbar (think thyristor!) that shorts behind that fuse is a perfect solution.
 

Offline m k

  • Super Contributor
  • Posts: 2438
  • Country: fi
Re: Design for a "watchdog" circuit (review request)
« Reply #10 on: April 08, 2023, 01:44:09 pm »
safety is always a trade-off against cost.

Of course, but talking about it is problematic, since communication is pretty much always incomplete and then people start assuming.
Like here: human safety vs. machine safety.
If it's human safety then comments are in "don't do it" style, but for machine safety they can be in "try this one" style.

Nowadays a good example of predictability and human safety is a grid-tied solar inverter.
There the harm can be even over the hill and far away.
 

Offline sparkydogTopic starter

  • Regular Contributor
  • Posts: 234
  • Country: us
Re: Design for a "watchdog" circuit (review request)
« Reply #11 on: April 08, 2023, 09:18:52 pm »
One thing you *could* do is use the same principle as Microwave oven door interlock switches, i.e. have your control gear hard short switched Line to Neutral (both after the GFCI), downstream of a suitable fuse feeding your load, a short time delay after de-energising the circuit, and remove the short a short time delay before energising the circuit. If that fuse ever blows, both it and the 'crowbar' relay *MUST* be replaced.

That was sort of my original idea, but "suitable fuse" is 20A, and it should go without saying that having a very-low-resistance short on mains designed in makes me twitchy. How does one pick a relay for something like that? I mean, I guess it's a given you're going to melt the contacts, but this feels uncomfortably like a recipe for "how to start a fire". How, more generally, does one design a circuit to safely handle a dead short?

The breakers in your house panel are intended to break when a [...] not-reasonably mitigable situation arises.

I am confused, because I think you are describing exactly my situation. This thing is not meant to close the watchdog relay, ever. I repeat what I said earlier; if K1 needs to close, the sky is falling, a catastrophic failure of the systems that are supposed to shut things off has already happened, and I am in full-on panic mode looking for something, anything to cut the power. One of the alternatives I considered is pyrotechnics. The point at which this thing gets used is the point at which I'm willing to cut the power by (almost) any means necessary.

And if your thingie can work of a 100mA fuse, a simple crowbar (think thyristor!) that shorts behing that fuse is a perfect solution.

You definitely misunderstood. The 50mA fuse is on ground fault, the intent being it will survive long enough that the GFCI should trip, but that it will break "soon" (hopefully after a no more than several seconds) if the GFCI doesn't trip. That comment was in reply to my original question, "is there a way to replace [F1] that will allow the necessary current to flow long enough to trip the GFCI, but interrupt the circuit if the GFCI doesn't trip?". I was originally thinking of a PTC, but I don't trust being able to select one with the proper characteristics, and reusability is not a high priority. I'm not sure why it didn't occur to me that a regular, slow-blow fuse ought to be able to do that just fine.

The device as a whole is designed for up to 20A downstream. A 100mA fuse is certainly not going to suffice.
 

Offline redkitedesign

  • Regular Contributor
  • Posts: 111
  • Country: nl
    • Red Kite Design
Re: Design for a "watchdog" circuit (review request)
« Reply #12 on: April 09, 2023, 12:16:59 pm »
Designing something that depends in any way on there being a GFCI or fuse upstream is dangerous and should not be done. Period.
If you put in a mechanism to create a 50mA leakage to Earth, that's intended. That relay and resistor did not evolve there organically.

A crowbar that shorts a 20A fuse is just as good as a crowbar that shorts a 50mA fuse. Just use a fuse that blows fast and your house breaker will be fine.

You'll need to accept however that you can either make something properly, which includes the proper safety measures in the design, and for which I'm happy to think along and share my thoughts with you, or you make some ugly kludge (for which I will remind myself never to come close by).

(On the other hand, serious relay manufacturers specify how long a relay will last without welding in certain applications. Choose appropriately, and your relay will not weld realistically, and the whole discussion is moot...)
 

Offline sparkydogTopic starter

  • Regular Contributor
  • Posts: 234
  • Country: us
Re: Design for a "watchdog" circuit (review request)
« Reply #13 on: April 10, 2023, 01:58:22 pm »
redkitedesign, I'll ask again; so how does one design a circuit to safely carry... I don't even know how many amps (at least 40)? There's no practical way to current-limit that as far as I can tell (you'd need a braking resistor, and those are humongous and bonkers expensive).
 

Offline rstofer

  • Super Contributor
  • Posts: 9933
  • Country: us
Re: Design for a "watchdog" circuit (review request)
« Reply #14 on: April 10, 2023, 04:10:38 pm »
I posted a link in your other thread to a shunt trip circuit breaker, which is intended to be opened by the application of a voltage to the coil mechanism.  Yes, the source can be downstream of the breaker.  These are usually very fast.

https://www.homedepot.com/p/Siemens-20-Amp-1-Pole-10-kA-Type-QP-with-Shunt-Trip-Circuit-Breaker-Q12000S01/301895907
« Last Edit: April 10, 2023, 04:18:12 pm by rstofer »
 

Offline rstofer

  • Super Contributor
  • Posts: 9933
  • Country: us
Re: Design for a "watchdog" circuit (review request)
« Reply #15 on: April 10, 2023, 04:17:29 pm »
redkitedesign, I'll ask again; so how does one design a circuit to safely carry... I don't even know how many amps (at least 40)? There's no practical way to current-limit that as far as I can tell (you'd need a braking resistor, and those are humongous and bonkers expensive).

If you are talking about the phase to ground fault current, it can be on the order of 5,000 to 10,000 amps at the service entrance  depending on utility transformer size, length/gauge of utility cable to the service panel.  It will be reduced by wiring between the service panel and end device.
 

Offline redkitedesign

  • Regular Contributor
  • Posts: 111
  • Country: nl
    • Red Kite Design
Re: Design for a "watchdog" circuit (review request)
« Reply #16 on: April 10, 2023, 07:26:35 pm »
redkitedesign, I'll ask again; so how does one design a circuit to safely carry... I don't even know how many amps (at least 40)? There's no practical way to current-limit that as far as I can tell (you'd need a braking resistor, and those are humongous and bonkers expensive).

You put in a fuse. Say 20A. That works pretty well as a current limiter. You connect it to a 40A(?) circuit. That's also a current limit.
The current might be higher for a very short amount of time, but that's no problem. The fuse will reach its I²t value long before the wiring starts warming up. Just use a device for the crowbar that is suitable for more than 20A. Say a 100A triac.
 

Offline sparkydogTopic starter

  • Regular Contributor
  • Posts: 234
  • Country: us
Re: Design for a "watchdog" circuit (review request)
« Reply #17 on: April 10, 2023, 07:42:17 pm »
You connect [the crowbar] to a 40A(?) circuit.

Ah, you make it sound so easy! What does "a 40A circuit" look like that is a) safe, b) of a not-unreasonable physical size, and c) less expensive than a STB? The only answer I know to (a) is a braking resistor rated for ~5 kW, which gratuitously fails (b) and (c). (And is an almost-guaranteed fire-starter if the fuse doesn't open! Granted, that is unlikely, but...)

I suppose a 5kW resistive heater is another option that is at least less likely to start a fire. About the same price, though, and even worse in size...

In this case, I feel no qualms setting a hard price cap, as I see little reason to prefer a crowbar over a STB.
 

Offline redkitedesign

  • Regular Contributor
  • Posts: 111
  • Country: nl
    • Red Kite Design
Re: Design for a "watchdog" circuit (review request)
« Reply #18 on: April 11, 2023, 06:41:22 am »
You're worrying too much. There is no need for a braking resistor, just short the 20A fuse between live and neutral. The fuse will open. In the theoretical situation where the fuse won't blow, the breaker will blow.

Your crowbar circuit should be designed with some overkill for 20A. Your wiring upstream of the fuse should be designed for the upstream breaker.

There won't be 10kA currents, even though the mains transformer is specced to a 10kA short-circuit current.
Physical reality ensures that the current will take time to rise, and the 20A fuse will reach its I²t value long before the current will be much more.

Wiring, connectors, PCB traces etc. all can take huge currents for short times without issues. The only potentially tricky part is the crowbar switch, but there are plenty of semiconductor switches that can handle short peaks.

In practice, there might be a 100A peak, and you might develop 10V over the wiring. Yes, that translates to 1kW. But for less than 1ms, so it's only 1J. Won't start a fire, not even in an Australian summer bush.
 

