Safety Critical MOSFET driving

[Cassus]

Hello,

I am working on a home alarm system project, more precisely the smoke generator (FUMICUBE 100) triggering system.
it is basically pyrotechnic device to which you apply around of 1A during a short amount of time (around 5ms) to trigger it. Once triggered it produces a dense smoke that will make your place pitch black and impossible to navigate.

This is safety critical because it is annoying to clean up, expensive to replace and can also lead to dangerous accidents if it is triggered while any of my family member is in the house.

I have a basic schematic in mind, just a high side N channel MOSFET driven by a high side switch controller as followed:



but I would like to add something to prevent the mosfet to be triggered in case of a glitch. I would like to ad for example another mosfet to drive the gate to the ground by default so I would need to
put a pin high before even being able to command the main mosfet.

I'm more of a coding guy so I am aware that my solution might sound ridiculous or unfeasible but that's why I am here

Bye

Cassus

[EtaPhi]

I would use /SHDN input of LTC1981 to prevent false triggering and nothing else.
In my humble opinion, LTC1981 should be enabled only to fire smoke generator, so as to keep current consumption as low as possible.
If LTC1981 is in low consumption mode, Q2 gate can't be driven high enough to allow current to flow, even if there is a glitch, because Q2 gate must be higher than VBATT + Vgsth to start conducting.

[David Hess]

One method is to control the MOSFET with a charge pump so that an AC output from the output pin is required to turn it on.  This way a stuck at 0 or stuck at 1 condition cannot turn the MOSFET on.  The step up from this is to use two MOSFETs in series and two separate AC outputs so that a MOSFET shorting does not activate the load either.

[Doctorandus_P]

It seems your gadget will trigger immediately if the battery is connected in reverse.

I would add a TVS here and there. MOSfet's are quite robust and reliable as long as they are safe-guarded form over voltages. Especially the gate is sensitive. It may get damaged by ESD with you not even noticing and that puts a lot of responsibility in the production process. Simple old fashioned BJT's are still more robust then MOSfet's I think.

The next subject is probably the software that controls your gadget.
I/O ports do get flipped by things like cosmic rays. It's infrequent enough to not care much for consumer stuff, but for safety critical stuff it's a different matter.
Designing in real safety is a quite involved and complicated process.

[T3sl4co1l]

I can think of at least three, strong, reasons why not to do this.

Is this truly non negotiable?

Tim

[NiHaoMike]

Add a mechanical relay as an interlock.

[james_s]

Add a mechanical relay as an interlock.

This is how x-ray machines work, at least the type that uses an iron transformer controls exposures by the number of mains cycles. They have a triac based switch on one line to the HV transformer that controls the actual exposure and a mechanical relay on the other line. Both must activate simultaneously to power up the xray generator and the timer has a safety circuit that first confirms that the mechanical relay is open and that the triac is also open before closing the relay and allowing an exposure to take place by turning on the triac for the desired number of cycles.

[jonpaul]

The pyrotechnic smoke gen (or chemical alarm) is an old idea, many versions existed back to 1970s.


Besides danger of false trigger, the smoke is toxic and can cause long or short term lung and other health damage.

In most states in USA such a "set trap" is illégal, thus IF it works and IF it deploys, expect the commie lawyers to sue you, and expect police investigation.

Finally the very broad US laws can define such a device as under the rubric of ver severe BATF law, as a pyrotechnic, or explosive.

The OP should get very good legal advice and explore a several M$ liability insurance policy.

As always, it the risk worth the benefit?

Bon Chance! \

Jon

[james_s]

The OP is apparently in Belgium and thus I think the USA laws are irrelevant. Personally I think it sounds like a rather interesting idea, if I didn't have pets I would consider something similar, laws be damned. If a person enters my home illegally I should not be responsible for whatever happens to them, and I find it rather ridiculous that people can and do get in trouble for the consequences of a criminal breaking into their house and finding a way of hurting themselves.

[mindcrime]

The OP is apparently in Belgium and thus I think the USA laws are irrelevant. Personally I think it sounds like a rather interesting idea, if I didn't have pets I would consider something similar, laws be damned. If a person enters my home illegally I should not be responsible for whatever happens to them, and I find it rather ridiculous that people can and do get in trouble for the consequences of a criminal breaking into their house and finding a way of hurting themselves.

FWIW, I mostly agree with you in general, but I think those laws are based on the premise that there are legitimate reasons why someone might enter your home while you're away, trigger the "trap", and be killed or injured needlessly. As a former firefighter, the first one that comes to mind for me would be, well, firefighters. If your house catches on fire, and the first firefighter through the front door catches a shotgun blast to the face... well... pretty much nobody (outside of your radical Timothy McVeigh types, I suppose) wants that.

[james_s]

FWIW, I mostly agree with you in general, but I think those laws are based on the premise that there are legitimate reasons why someone might enter your home while you're away, trigger the "trap", and be killed or injured needlessly. As a former firefighter, the first one that comes to mind for me would be, well, firefighters. If your house catches on fire, and the first firefighter through the front door catches a shotgun blast to the face... well... pretty much nobody (outside of your radical Timothy McVeigh types, I suppose) wants that.

That is a good point about first responders. I'm not suggesting that it ought to be perfectly acceptable to set up lethal boobytraps, but there have been cases that have gone way too far in the other direction, like people breaking in to steal something, hurting themselves without there being any kind of deliberate boobytrap and then suing the homeowner. In the case of a device that produces copious amounts of stinky smoke that seems like a reasonable compromise, a nasty surprise but unlikely to be lethal.

[sigma_xi]

One method is to control the MOSFET with a charge pump so that an AC output from the output pin is required to turn it on.  This way a stuck at 0 or stuck at 1 condition cannot turn the MOSFET on.  The step up from this is to use two MOSFETs in series and two separate AC outputs so that a MOSFET shorting does not activate the load either.

Good idea. I once saw the charge pump solution (as one part of the safety concept) in a safety-critical ECU design. In addition one might add safety switches to the supply rails of the main switch (i.e. do not connect VBATT directly to the high side switch). This and proper software that measures critical signals at all time to confirm that there is no error should provide a decent amount of safety.

However, I do agree with the others that the whole project is questionable and probably illegal.

[mindcrime]

FWIW, I mostly agree with you in general, but I think those laws are based on the premise that there are legitimate reasons why someone might enter your home while you're away, trigger the "trap", and be killed or injured needlessly. As a former firefighter, the first one that comes to mind for me would be, well, firefighters. If your house catches on fire, and the first firefighter through the front door catches a shotgun blast to the face... well... pretty much nobody (outside of your radical Timothy McVeigh types, I suppose) wants that.

That is a good point about first responders. I'm not suggesting that it ought to be perfectly acceptable to set up lethal boobytraps, but there have been cases that have gone way too far in the other direction, like people breaking in to steal something, hurting themselves without there being any kind of deliberate boobytrap and then suing the homeowner. In the case of a device that produces copious amounts of stinky smoke that seems like a reasonable compromise, a nasty surprise but unlikely to be lethal.

No disagreement from me on that point!

[Cassus]

thanks for your replies

First, don't worry it is perfectly legal where I live. The smoke generators are intended for that use ( domestic use) and are implemented as standard in many home alarms systems. They are certified non toxic and they are in not tear gases, they are just here to make the room pitch black . That's the same smoke they uses in clubs.


T3sl4co1l : what are the reasons you are thinking about ? I am curious.
this was a quick schematic, I'm still in the process of gathering infos so your ideas are very welcome.


Doctorandus_P: The direct connection to Vbatt was just to simplify but thanks for the ideas. the firmware part won't be an issue, I'm just struggling with the hardware.

[Cassus]

what do you mean by that ?

are you talking about the use of a smoke generator or my schematic specifically ?

What are those reasons by the way ?

[Terry Bites]

The single fault that will stop the MOSFET turning off is a short circuit failure of the MOSFET its self.
So you need downstream protection. Perhaps a contactor that trips if the drive and the expected output voltage or current are not in agreement?

[MadScientist]

One method is to control the MOSFET with a charge pump so that an AC output from the output pin is required to turn it on.  This way a stuck at 0 or stuck at 1 condition cannot turn the MOSFET on.  The step up from this is to use two MOSFETs in series and two separate AC outputs so that a MOSFET shorting does not activate the load either.

Good idea. I once saw the charge pump solution (as one part of the safety concept) in a safety-critical ECU design. In addition one might add safety switches to the supply rails of the main switch (i.e. do not connect VBATT directly to the high side switch). This and proper software that measures critical signals at all time to confirm that there is no error should provide a decent amount of safety.

However, I do agree with the others that the whole project is questionable and probably illegal.

Legal in many EU countries and the uk.

[james_s]

The single fault that will stop the MOSFET turning off is a short circuit failure of the MOSFET its self.
So you need downstream protection. Perhaps a contactor that trips if the drive and the expected output voltage or current are not in agreement?

You don't really need to worry about it not turning off, you need to make sure that it does not turn on uncommanded. Having a mechanical relay in series solves both problems though, check that the mosfet is switched off (by monitoring voltage at that node) then close the relay, then switch the mosfet on, then switch the mosfet off, then open the relay. The mosfet does the switching, the relay is the safety backup.

[nctnico]

The OP is apparently in Belgium and thus I think the USA laws are irrelevant. Personally I think it sounds like a rather interesting idea, if I didn't have pets I would consider something similar, laws be damned. If a person enters my home illegally I should not be responsible for whatever happens to them, and I find it rather ridiculous that people can and do get in trouble for the consequences of a criminal breaking into their house and finding a way of hurting themselves.

You can buy these machines off-the-shelve. The ones I know use a non-toxic variant of glycol (which is also used in theatre / disco smoke machines). The energy required to vaporise the liquid comes from a puddle of molten metal so the device still works if the perbs cut the power before entering. There are regulations though for placing these machines so the smoke fills the room towards the exit.

https://bandit.be/en/

[james_s]

Reminds me of playing with a fog machine my friend got when we were teenagers. Being the smartass I was, I set an object on the button while my friends were out on the porch smoking and then I wandered out there to watch. Pretty soon there was fog pouring out the partially open bedroom window and then by the time they finished and turned around to go back inside the whole place was filled with fog so dense you couldn't see your hand in front of your face. The fluorescent light in the hallway was on but all that was visible was a dim glow from somewhere up above.

[T3sl4co1l]

The circuit is a half-wave voltage doubler.  Often you see this for generating doubled or negative voltages (just add a 555), or a bootstrap supply (a supply slightly above or below another voltage that may be high or varying, so that it's not practical or even possible to just attach a regulator to it, you'd need a whole SMPS).
https://electronics.stackexchange.com/questions/473411/charge-pump-based-gate-drive-supply

Tim

[sigma_xi]

The one I mentioned was just a simple boost converter
https://commons.wikimedia.org/wiki/File:Boost_converter.svg
with a load resistor and a Zener diode at the output to limit the gate voltage of the MOSFET. The gate is connected to UA+.

[ejeffrey]

That is a good point about first responders. I'm not suggesting that it ought to be perfectly acceptable to set up lethal boobytraps, but there have been cases that have gone way too far in the other direction, like people breaking in to steal something, hurting themselves without there being any kind of deliberate boobytrap and then suing the homeowner.

At least in the US this is basically an urban legend that people keep repeating so they can feel smug and/or self righteous.  Anyone can sue anyone for anything at any time, but that doesn't mean there is merit to the case.  It turns out that your supposition of how it should be is actually the law in the US.  You can't set up lethal booby traps, but you are not generally liable for accidental injuries to a trespasser on your property. There is some nuance, especially if the danger is outside where someone (especially children) might accidentally or unknowingly enter your property, but the idea of a burglar _successfully_ suing someone because they tripped down the stairs is a complete myth.