
"Proving" safe voltage (detecting a very small % of a high voltage)


tooki:

--- Quote from: PCB.Wiz on February 24, 2024, 09:18:20 pm ---
--- Quote from: tooki on February 24, 2024, 10:55:37 am ---.... already ordered a high voltage power supply with a maximum voltage far higher than they need: 40kV DC.
... so a safe-to-touch output voltage of 50V DC, for example, would mean an analog output of just 20mV -- and I can't be sure if that output would even operate if the power supply's mains input is turned
*I did lash together a quick comparator circuit as a test, but all I had laying around was an LM339, whose input offset is too big for comparing 20mV to 0V. Even with hysteresis it flutters around.

--- End quote ---
What voltage do they actually expect to use?

--- End quote ---
That's actually a bit of a big question mark -- the reaction apparently needs a particular electric field strength, not a particular voltage. Early tests with a totally different reactor design used plates just a mm or two apart, and of course that arced over with just a few hundreds of volts. The current design has the electrodes around 5mm apart IIRC, with the ability to add a spacer of nearly arbitrary size to increase the spacing if needed. I expect a working voltage of 1 to a few kilovolts.


--- Quote from: PCB.Wiz on February 24, 2024, 09:18:20 pm ---If you already have voltmeters, you must already have dividers down to sane levels.
You can sense directly across your analog meter driver, or add your own HV divider if you want fully isolated safety check.

--- End quote ---
Sorta. The PSU has its own digital voltmeter, using an internal divider. The analog one I am adding is using an ammeter (a 100μA one, specifically) with a 400Mohm resistor (4x 100Mohm in series) to limit the current. So I'm not actually actively creating a voltage divider as such.

tooki:

--- Quote from: Someone on February 25, 2024, 12:12:14 am ---
--- Quote from: tooki on February 24, 2024, 10:55:37 am ---So how would one go about detecting that the voltage is 0-50V when the maximum is 40kV?

Or is there some entirely different way of sensing this, especially something entirely passive?
--- End quote ---
A super low current sense that is snappy with a 1:500 range.... well that solves half the problem. 50V - 25kV working range just needs a series stack of them. For the other side I'd like to see a shorting relay across the user accessible parts but that's probably too expensive.

--- End quote ---
I'll check this out when I have a chance! Thanks!

Nominal Animal:
There are electrostatic field detectors ('electrostatic sensor', see e.g. SMC IZD10-510), and high-voltage DC detectors, sold commercially; dunno if any are suitable here.

I too want to emphasize using all available information for a safe/unsafe indicator.  That is, I'd like the safe light to only be lit when both the supply says it is off, and the high-voltage dc detector says there is no high voltage present.  Don't leave it to the humans to check them separately.

tooki:

--- Quote from: max_torque on February 26, 2024, 05:06:02 pm ----1) The "Problem" you have here is nothing to do with sorting out a suitable circuit and EVERYTHING to do with ensuring your working practices meet all necessary HSE requirements (depending on where you are working, country wise)

0) Having set up several test facilities that use hazardous voltages, the most difficult bit is to ensure your risk assessment and mitigation are fully documented and a suitable work instruction / procedure is created, ratified and signed off (by the CEO if necessary as the buck ultimately stops with them these days)


What I can suggest is however:


1) a mechanical disconnect or crow bar for the HV circuit.  Ie opening the door of the test chamber will actually mechanically short the HV Supply to zero within a length of time deemed to be sensible depending on the access level to live conductors within the chamber

2) if your safety circuit requires external power, say a separate 24v supply to operate, make the presence of this power MANDATORY for the HV to exist. For example a N/C relay that should the 24v power be lost, shorts the DC link to zero volts as per 1) above

3) NEVER indicate a "safe" state unless you can 100% ensure this state.  Normally I would use an orange and red beacon.  When the test chamber is unpowered, neither will be lit. Applying power to the chamber which could therefore allow the HV supply to start (under fault conditions) lights the orange beacon to say "this chamber is potentially live". When you enable the HV supply, just light the RED beacon, which should have a suitable delay period for turning off, ie it lights as soon as the HV supply goes live, but takes say 5min to go out when the HV supply is disabled.

4) you may be able to validate the probability of the HV being present by simply measuring the input power to the HV supply itself, especially in the case of having passive discharge resistance that is NOT decoupled from the HV bus, ie the supply is expected to always drive this load

5) the most dangerous case is stored charge, either during normal operation or from unexpected failure states.  When working with HV, all capacitances (inc parasitic ones) should have robust methods to ensure that should they become charged they will self discharge.  Knowing what the time period for this discharge could be allows you to proceduralise the way you terminate and remove DUTs from the test chamber.

6) for all my test chambers, I put all instrumentation in the chamber, and use, where possible, a single cross boundary isolation point to move data out and power in. For example, use a suitably rated ethernet isolator (probably have to be optical fibre type @40kV)  to 'remote desktop' in to a PC based DAQ system in the chamber. Here, in the case of gross fault or miswire, you may well damage equipment, but operators should be always protected.  At these voltages, suitable fused and crow bar voltage limitation to PE is going to be required. ie your primary instrumentation should be specified to deal with the maximum WORKING voltage of the DUT, but should that voltage get through your functional isolation / insulation, a second layer of voltage limitation is in place to either clamp the voltage to below a safe value or to blow a fuse and achieve the same effect on any external interface. Here, because the power you are working with is very low, this really shouldn't be very hard ie some redundant 30v TVS diodes should easily be able to hard short the HV to ground without themselves going bang first.

7) I highly recommend you use a suitable commercial PROVING UNIT (ie Martindale tester etc) to ensure that you have a final line of defense for all operatives that is commercially proven and established.  Before ANY conductor is touched, this unit is required (by a written and witnessed procedure) to be used to "PROVE DEAD".  There are legal ramifications of this step in most countries set by the relevant HSE.


8) if your power supply can be set to 40kV then you need to design your safety case for this rating, unless you can absolutely and robustly limit the output voltage, note a software limit would not be considered suitable on its own for this limitation

--- End quote ---
Thanks for this, quite helpful.

Regarding specific points (numbers <1 added in quoted text above):
-1) As a research/development device at a research institution (public research university), we don't have to meet quite the same requirements as a device that would be offered for sale, according to the safety officer.

0) Luckily, I am not responsible for that document -- that will ultimately be the responsibility of the research group lead. But I will certainly contribute, and I'll have my old boss (electronics tech at another department, who has done HV stuff and HV/high-ish energy stuff, including for external transfer that required documentation/self-certification) look at it too, since he's been advising us on this project.

1) I proposed a mechanical crowbar, but the consensus was that this is overkill, given the other safety provisions. Between the PSU's internal discharge circuit and the secondary one I'll be installing myself, by the time one has opened the fume hood door (which will open the interlock) and then opened the device cabinet door (which also opens the interlock), the charge should be discharged to ~0V. Actually exposing the HV electrode is a matter of minutes of disassembly. So it should be inherently safe insofar as reaching the HV electrode breaches the interlock twice, and the discharge circuits have ample time to do their job before one actually exposes the electrode.

2) I'll be using a safety relay (probably Phoenix Contact) with monitored contacts, and indeed, without power it won't close.

3) This is exactly why I was reluctant to provide a "dummy light". After discussing this issue, and the technical difficulty of actually providing anything approaching 100% certainty, we are not going to provide one.

The power supply manufacturer could add a "HV out ON" output as a custom modification, but at exorbitant cost, and it would only mirror the state of the output button on the PSU itself, which is within sight of the device itself. So not especially useful. Anything else would require actively monitoring the voltage inside the device, which seems fraught with opportunities to fail to actually "prove dead".

4) Eh, not likely. Since it will likely end up running at far below the maximum voltage, and because the steady-state output current should never exceed the 100uA of the discharge/analog meter circuit, the change in input power is likely small.

5) The parasitic capacitance of the 3m cable is around 150pF/m, so according to my math, at 40kV through 400Mohm, this should discharge to under 300mV in 2 seconds.

40kV×(e^−(2s/(400Mohm×(3×141pF)))) = 294mV

The PSU's built-in discharge circuit is specified to discharge to <1% Vout within 1 second. The manufacturer has verified that this circuit will also discharge external loads. Since 1% of 40kV is still 400V, 1 second isn't enough, but since reaching the electrode is a matter of minutes, not seconds, this should be ample to discharge the internal capacitance.

So my thinking (and my old boss, who reviewed this, agrees) is that between these two circuits, a) there's always a discharge circuit present, even if the cable should be disconnected or severed, and b) in normal operation the two discharge circuits provide generous ability to discharge.

6) In this case, the output of the system is a gas, which flows through plastic tubing to some type of analyzer (probably a gas chromatograph, but don't hold me to this). (The inputs are also gases, created by a setup adjacent to the device, within the same fume hood).  There is no DUT as such, but rather just two reagents in vapor form, with the hope that under the influence of the electric field, they react into the desired reaction product. (I wish I could tell you more but that's literally all I know about the chemistry.)

In essence, we are using the fume hood as the test chamber, and within that, the device itself is a Faraday cage (all aluminum exterior, except for the polycarbonate door), and within the Faraday cage, the HV electrode is housed within the reactor, which is made of PEEK plastic with generous clearance and creepage distances. Opening the reactor (which shouldn't be needed in normal operation) requires unscrewing the lower half, which is basically a screw press (the pressure being needed to maintain tight dimensional tolerances).

7) I will look into this.

8) That's exactly why I have said from the beginning of this project that even though it's exceedingly unlikely that it will ever operate at or near 40kV, the entire safety design has to be designed around it because there's no way to actually prevent someone from setting the voltage that high. The PSU lets you select between the front panel knob or an analog control input, but the switch to select this is... on the front panel. Restricting access to the front panel is not an option because the only way to turn on the HV output is via the front panel button, there is no remote input for that. The PSU was not ordered with the serial port option, so I haven't investigated what possibilities it would have provided, but I would never rely on software configuration alone anyway, just as you say.
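Added example, not part of the original post: the RC discharge arithmetic from point 5 above, extended to solve for the time needed to fall to the 50 V "safe-to-touch" figure used in the thread and to compare the 141 pF/m value in the formula with the "around 150pF/m" estimate. It assumes the cable is the only capacitance and the 400 Mohm string is the only discharge path; the function and constant names are chosen here.

```python
import math

# Values quoted in the thread; only the external 400 Mohm path is modelled.
V0 = 40e3          # PSU maximum output, volts
R_BLEED = 400e6    # 4 x 100 Mohm meter string, ohms
CABLE_M = 3.0      # HV cable length, metres
V_SAFE = 50.0      # "safe-to-touch" example voltage from the thread, volts


def residual_voltage(v0, r_ohm, c_farad, t_s):
    """Voltage left on C after t_s seconds of discharge through R."""
    return v0 * math.exp(-t_s / (r_ohm * c_farad))


def time_to_reach(v0, v_target, r_ohm, c_farad):
    """Seconds for an RC discharge to fall from v0 to v_target."""
    if v_target <= 0:
        raise ValueError("an exponential decay never reaches 0 V")
    if v_target >= v0:
        return 0.0  # already at or below the target
    return r_ohm * c_farad * math.log(v0 / v_target)


def bleed_summary(pf_per_m):
    """Figures for the external discharge path alone (PSU discharge ignored)."""
    c = CABLE_M * pf_per_m * 1e-12  # total cable capacitance, farads
    return {
        "tau_s": R_BLEED * c,
        "v_after_2s": residual_voltage(V0, R_BLEED, c, 2.0),
        "t_to_safe_s": time_to_reach(V0, V_SAFE, R_BLEED, c),
    }


if __name__ == "__main__":
    # 141 pF/m is the value in the formula; 150 pF/m is the rounded estimate.
    for pf in (141, 150):
        s = bleed_summary(pf)
        print(f"{pf} pF/m: tau={s['tau_s']:.3f} s, "
              f"V(2 s)={s['v_after_2s'] * 1e3:.0f} mV, "
              f"t(50 V)={s['t_to_safe_s']:.2f} s")
```

With 141 pF/m this reproduces the 294 mV figure; at 150 pF/m the 2-second residual is roughly 0.6 V, and in both cases the 50 V level is reached in a little over one second on this path alone.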

tooki:

--- Quote from: Nominal Animal on March 06, 2024, 08:58:14 pm ---There are electrostatic field detectors ('electrostatic sensor', see e.g. SMC IZD10-510), and high-voltage DC detectors, sold commercially; dunno if any are suitable here.

--- End quote ---
I'll check that out!


--- Quote from: Nominal Animal on March 06, 2024, 08:58:14 pm ---I too want to emphasize using all available information for a safe/unsafe indicator.  That is, I'd like the safe light to only be lit when both the supply says it is off, and the high-voltage dc detector says there is no high voltage present.  Don't leave it to the humans to check them separately.

--- End quote ---
As mentioned above, after discussion with the safety officer and project lead, we will not implement the indicator after all -- a half-assed "safe" indicator is worse than none at all.

But if we do revisit the idea, that is definitely how I'd want it to behave.



So, folks, for the moment, the issue is resolved. I really appreciate the replies, however. Thank you!!
