Redundant relays for failsafe operation (controls)

[iroc86]

This is kind of a simple question, but I thought there might some tricks and tips for the application. I am building a controls system for hobby/home use and would like to disable a "Signal B" when a "Signal A" is present. The voltages are 24 VAC. I figure the easiest way to do this is with a relay, per Figure 1 below. Nothing really that special.

However, it's critical that Signals A and B are never both enabled at the same time. Is it appropriate to wire another relay in series with the first relay to provide redundancy as shown in Figure 2? Switch timing and make/break sequencing is not important for this application; it's the steady-state situation that matters.

I've seen multiple-contact relays before, but those are internally wired in parallel to ensure a circuit is closed if a relay fails, not open as in my case. I've also read about safety relays, but those seem to be for hazard monitoring and maintaining controlled operation, not necessarily for providing redundancy.

Are relays in series suitable for my application? Is there a better way to do this?

[rstofer]

You could also route 'A' through the normally open contact such that the output is 'A' or 'B' depending on the state of 'A'.  'A' goes to the normally open contact, 'B' goes to the normally closed contact and the output is from the center.

[iroc86]

Thanks for the reply, rstofer. Your approach would definitely be more "explicit" in terms of which signal is being output, but unfortunately I don't think it'd work in my configuration. The signal lines from the controller to the device are 1-to-1, so I can't use a shared output. The layout is like this:

[rstofer]

Wouldn't it work with a double pole relay?

[wraper]

Is it appropriate to wire another relay in series with the first relay to provide redundancy as shown in Figure 2?

No. Because it does nothing to prevent a failure if problem happens in control electronics.

[Gyro]

Safety relays (force guided or force disconnect relays?) that won't allow one pair of contacts to close unless another pair have opened. It's probably the only way to guarantee no simultaneous contact that isn't susceptible to drive electronics failure.

[iroc86]

Wouldn't it work with a double pole relay?

I think that would work better. Is this what you were envisioning? If the relay failed either open or closed, A and B would be isolated one way or the other.

No. Because it does nothing to prevent a failure if problem happens in control electronics.

Yeah, that's true. I'd say that control electronics failure is probably outside the scope of my question; I was primarily concerned with mechanical failure of the relay. I think the DPDT arrangement above might be a reasonable compromise, though.

Safety relays (force guided or force disconnect relays?) that won't allow one pair of contacts to close unless another pair have opened. It's probably the only way to guarantee no simultaneous contact that isn't susceptible to drive electronics failure.

I'll have to look into that; thanks for the tip. In my application, it's not catastrophic if A or B are enabled independently of one another, either switching from "B to A" or "A to B." They just can't be active at the same time. With the DPDT relay, I think this would be okay: if A failed on either the control or relay side, B would still be connected, but that's no problem regardless of what the controller thinks is happening (it has a mode where it'll happily run A and B simultaneously, so it probably wouldn't even know/care--but the downstream equipment would be saved).

[Gyro]

I can't quite work the full truth table from your OP, but it sounds as if it's more symmetrical than your diagrams indicate (coil always driven by A). As I understand it, B can't be present when A is... and therefore A can't be present when B is? Is the default situation neither A nor B?

In that case, why not have two relays, one driven by A, gating B, and one driven by B, gating A? That would require a double fault situation to fail.

The only limitation I can think of is both A and B becoming active simultaneously, or at least within the relay maximum switching time spec. when there would be a brief pass-through of both signals. The only other variant I can think of is the second relay being switched by A after the first relay's contact (the first relay being DP, switching both A and B).

[Zero999]

I can't quite work the full truth table from your OP, but it sounds as if it's more symmetrical than your diagrams indicate (coil always driven by A). As I understand it, B can't be present when A is... and therefore A can't be present when B is? Is the default situation neither A nor B?

In that case, why not have two relays, one driven by A, gating B, and one driven by B, gating A? That would require a double fault situation to fail.

The only limitation I can think of is both A and B becoming active simultaneously, or at least within the relay maximum switching time spec. when there would be a brief pass-through of both signals. The only other variant I can think of is the second relay being switched by A after the first relay's contact (the first relay being DP, switching both A and B).

That's what I did in a similar situation. I used a pair of contactors to reverse the phases of a 400VAC mains motor. If both contactors were energised simultaneously, it would short circuit the mains, probably taking out several breakers and damaging the contactors. Each contactor had a normally closed auxiliary contact, which I connected in series with the opposite coil, so operating one contactor, would prevent the other from activating. It's true that it's possible for both contactors to momentarily turn on, if both coils were powered simultaneously, but the control circuitry was designed so this should never happen. The lock-out was purely an extra layer of safety.

[rstofer]

Wouldn't it work with a double pole relay?

I think that would work better. Is this what you were envisioning? If the relay failed either open or closed, A and B would be isolated one way or the other.

Yes, as you sketched it.  'A' either exists or it doesn't.  If it does exist, it is the source.  If it doesn't exist 'B" is the source whether it exists or not.

[Neomys Sapiens]

As you have noted, safety relays (also known as Emergency Stop relays or -blocks) are not merely for providing redundancy. But in your title, you also use the term 'failsafe operation'. Herein lies a contradiction, as redundancy does not provide failsafe operation.
To make a relay combination failsafe, it is necessary to monitor both the pull-in and the drop-out of the relay. This is done by a special circuit of relays, in which the constituting relays (3) are also assumed to have forcibly guided contacts.
So do you need failsafe operation?

[iroc86]

Here's a little more detail on the circuit and application. This should better explain how the logic works.

This is for an HVAC thermostat. I have a "dual-fuel" package furnace, which has three stages of heating: 1) heat pump (Output Y1), 2) low-fire gas (Output W1), 3) high-fire gas (Output W2). The system is designed so that additional stages kick in if the heating load exceeds the capacity of the current mode of operation. The thermostat has an algorithm to determine when to move to a higher stage, but it can be roughly simplified as a timer:

Y1 on
(wait 10 minutes)
Y1 + W1 on
(wait 10 minutes)
Y1 + W1 + W2 on

When the thermostat is calling for the highest heating capacity, outputs Y1, W1, and W2 are all turned on. The issue is that the heat pump (Y1) and furnace (W1/W2) should not operate at the same time, or else the evaporator coil will be damaged (there is an exception here--during defrost--but that's a special mode of operation and is handled by the controller inside the furnace, not the thermostat). The thermostat works this way because most "auxiliary heat" applications rely on electrical heating elements, which can operate simultaneously with the heat pump. Special dual fuel thermostats do exist, but I am not using one here because this is a commercial-grade thermostat and has other features that I want. (I won't rant about how it's supposed to have dual fuel functionality, but the manual apparently has a misprint in its parameter tables... )

There are some slight complications to the logic, as the thermostat doesn't always follow the progression shown above. If the outside temperature is too cold, Y1 will never operate (furnace defaults to gas only). If the outside temperature is too warm, W1 and/or W2 will never operate (furnace defaults to heat pump only). The only rule is that W2 always follows W1; it's never operated on its own. So, the issue becomes turning off Y1 when W1 is present.

As for redundancy vs. failsafe, I would say that I probably need fail-safing before redundancy. If I used the single relay approach from Figure 1 in my first post, and the relay failed closed, then both Y1 (B) and W1 (A) would be enabled at the same time and the furnace would probably burn up. I figured that by adding a second relay (redundancy), I'd have a statistical advantage in terms of failure. Of course, there'd be no way to know that there was a problem unless both relays failed closed, causing the same catastrophic failure, and that's not exactly failsafe... just odds.

EDIT: I forgot to mention why the make/break sequencing isn't important here. The controller inside the furnace has built-in delays after it receives a heating or cooling call from the thermostat. This is usually on the order of a few seconds, and there are other prerequisites that need to happen before the furnace reaches steady-state operation (draft inducer motor, gas valve, ignitor, etc.). Having a few milliseconds of overlap between state changes isn't an issue.

[Neomys Sapiens]

IF you come to the conclusion that you need failsafe operation, this is the circuit to implement it.
Just replace SN1/SN2 with your control condition. It needs 3 sets of contacts internally, so if you have relays with 4 form C, you get one usable set of contacts, whereas 6 form C give you three. There is a circuit that makes do with two relays, but they need advanced and delayed contacts, which are rare.

[iroc86]

Thanks for the schematic, Neomys. Just to be sure I'm understanding it correctly, K2 is the grouping of three relays A, B, and C? Looking at the numbering scheme, it seems like the relays are as follows:

K2A: 3 Form A, 1 Form B
K2B: 2 Form A, 2 Form B
K2C: 2 Form A, 2 Form B

Of course, one could also use the 4 Form C as you mentioned. This looks like maybe an excerpt from an industrial controls schematic. Could you share the application/equipment it was used on? Was this a discrete circuit or the functional diagram of an off-the-shelf safety relay?

I have been thinking about my situation a little more and I'm beginning to wonder if a single force guided relay would be the simplest approach. If the relay failed, or a contact got welded shut, the relay would fail in one of two states (either "heat pump" or "furnace" mode). I could also use an extra set of contacts with a little bit of boolean logic to send a signal back to the thermostat that the relay has failed. The thermostat has a configurable fault input, so this error would show up on the display panel.

[Neomys Sapiens]

It is a standard circuit to implement an emergency stop function for industrial equipment.
It is the discrete equivalent of a 'PNOZ' or other integrated safety relay and fully permissible for the same function. Some user companies prefer this solution as it can be build with standard contactors. As there is no 'PNOZ' build to military/aerospace standards, I have used the same circuit built with 6 form C hermetic relays for the emergency stop of a ground robotic platform.
K2a checks that K2b/K2c had been off before they can be on again, so if one of them 'hangs', the circuit will not reactivate. The switches shown as SN1/SN2 are typically the emergency stop buttons, which have their NO contacts brought seperately to the PLC for indication of the point where it was actuated.
The combination of contacts as shown on the right side is then wired, for example, into the output supply line of a PLC.

I do share your assessment regarding your application. A single relay with force guided contacts and the signal into the thermostat is probably the right solution as long as the condition which you named 'catastrophical' does not endanger life and/or health directly or cause major damage.

[Zero999]

I must point out that PNOZ is a trademark of Pilz, a popular German manufacturer of safety relays, PLCs and other safety critical hardware from guard switches to light curtains. Other brands are available. Those in the US will probably be more familiar with Allen Bradley.

[iroc86]

Thanks for the explanation and clarification, Neomys and Zero. I think the full-blown safety circuit is probably a bit overkill for this application, so I'll try the force guided relay instead. "Catastrophic failure" here is mostly an equipment issue, not safety. The furnace has temperature sensors and other monitoring systems to detect an over-temp condition and shut everything down. The unit is also located outside, so that's a side benefit.

FWIW, I took apart the thermostat to see how the other outputs are wired. It's nothing special at all: a bunch of 3 V latching relays (TX2-LT-3V-TH) to switch the 24 VAC outputs on and off. There doesn't appear to be any sort of hardware failsafe solution. (There seem to be capacitors across the relay contacts, though. The reference designator is "B," so I'm not sure what that's all about. Arc suppression?)

Here's a schematic of what I've come up with. I haven't worked out all of the component values yet, so it's just representative. It was difficult to find a relatively inexpensive 4-circuit force guided relay with a 24 VAC coil, so I went with a DC coil. The AC inputs are optocoupled to keep the AC and DC circuits isolated. The fault detector compares the "coil request" signal to the "relay latch" state through W1 and W1', respectively. If either of these two conditions are not identical (0/0 or 1/1), then a second relay is activated to connect digital input DI at the thermostat and trigger a fault on the indicator panel. The force guided relay will ensure that Y1+G and W1+W2 are the only pairs of inputs that are permitted at any given time.

[Neomys Sapiens]

This does indeed provide an adequate levelof protection. Although you might need to introduce a delay to the detecting action in order to avoid it triggering every time K1 is in transition.

Are you sure that the components with reference designator 'B' are capacitors? Could be integrated R-Cs or varistors (VDRs).

[iroc86]

That's a good point about the timing. I did some testing with the thermostat, and it appears to wait 1-2 seconds before triggering the fault indicator, so it might have some delay built in. (This digital input is intended for things like window switches and occupancy sensors, so a slower trigger would be reasonable.) To be safe, I can add some empty R and C pads on my PCB and populate them if a delay is necessary.

I'm actually not sure about the "B"-designated components being capacitors. I just assumed based on appearance and location--ceramic package, large 1812 footprint, and placement across the relay contacts. An RC snubber would make more sense than a cap, though...