I am in Britain and we will be out of the EU in less than two years. Then
we will be able to ignore all these annoying rules. Or so the proponents
of leaving would have us believe. :-(

__________________________________________
David C Brown
43 Bings Road
Whaley Bridge
High Peak          Phone: 01663 733236
Derbyshire         eMail: dcb.home@gmail.com
SK23 7ND           web: www.bings-knowle.co.uk/dcb

*Sent from my etch-a-sketch*

On 3 June 2017 at 13:06, wrote:
> Yes, I am in Sweden.
>
> /Ruben
>
> On Sat, 3 Jun 2017 13:02:43 +0100, David C Brown wrote:
> > Ruben
> >
> > By Europe do you mean European Union?
> >
> > On 3 June 2017 at 12:27, wrote:
> >
> >> As far as I know, every country or region has safety requirements for
> >> potentially dangerous products. You should look into that for every
> >> country/region where your product is going to be sold/used. Usually
> >> harmonized standards are used to demonstrate compliance with the
> >> requirement.
> >>
> >> I am in Europe and I need to do what the law says regarding product
> >> safety and that is to have the product CE marked. This means that I have
> >> to follow the applicable EU directives for the product in question.
> >> Every directive has a set of essential requirements which I have to show
> >> that my product complies with. The easiest way to do that (but not the
> >> only way) is to build the product so that it fulfills all requirements
> >> in one or several harmonized standards for that directive, suitable for
> >> that product.
> >>
> >> Right now I am working on medical electrical devices which have to be
> >> compliant with the MDD directive (soon to become the MDR directive). The
> >> base standard for this is the (IEC) EN 60601-1 Ed. 3.1. It sets up
> >> requirements for basic safety and essential performance for electrical
> >> medical devices. It is accompanied with collateral standards regarding
> >> EMC, software, usability, alarms, home healthcare environment and more,
> >> which may or may not be applicable to the device in question. On top of
> >> that there are particular standards with specific requirements for
> >> certain types of medical devices.
> >>
> >> These standards state rules for technical requirements regarding
> >> electric safety (isolation, creepage, clearance, pollution degree,
> >> overvoltage category, dielectric withstand, accessible parts, test
> >> finger, leakage currents...), fault modes, mechanical strength,
> >> environmental (temperature, humidity, ingress protection, atmospheric
> >> pressure), transportation and packaging, usability, marking, accessories
> >> and a hundred or so more.
> >>
> >> The base standard also requires me to do a thorough risk evaluation for
> >> the device, including software and accompanying documents (manuals,
> >> installation instructions, electronic documents, training material,
> >> technical documents...). This risk evaluation must show that all risks
> >> from identified hazards are at an acceptable level, reduced as far as
> >> possible. Unacceptable risks could also be ok if I can show that the
> >> risk is balanced against the benefit of the device. Since I am in Europe
> >> and doing medical devices, the risk management process must be done in
> >> accordance with EN ISO 14971:2012.
> >>
> >> When I have designed the device and have had it tested and inspected at
> >> a third party testhouse (notified body) who have passed it in their test
> >> report I have shown that I can design the medical device according to
> >> the MDD directive and its essential requirements. This states that the
> >> medical device is considered safe enough to be used in the European
> >> market.
> >>
> >> In order to be able to build and sell the device (making it available
> >> to the European market) I also have to have an approved and certified
> >> quality management system set up for my company. This shows that I can
> >> build the product to be exactly like the tested and certified specimen.
> >> The quality management system must have procedures for design and
> >> development (including software development and changes), documentation,
> >> manufacturing, personnel, building and environment, complaints,
> >> servicing and more. The quality system will be periodically
> >> audited/inspected by a notified body.
> >>
> >> Now, this was an example for medical electrical devices which is one of
> >> the product types that has the most stringent requirements regarding
> >> safety for a designer and manufacturer.
> >>
> >> Another directive with high requirements is the ATEX directive which
> >> regulates products used in environments with explosive atmosphere (gas or
> >> dust).
> >>
> >> Then there are other directives, such as the LVD (low voltage
> >> directive), which may not require a quality management system or even
> >> certification of the product by a third party (you can do it yourself).
> >> The LVD directive has a basic standard for household appliances (IEC
> >> 60335-1) which covers general requirements for electric safety,
> >> mechanical strength, endurance and more for household and similar
> >> appliances. It has a particular standard for battery chargers which I
> >> think would apply for your product on the European market: IEC
> >> 60335-2-29 Household and similar electrical appliances - Safety - Part
> >> 2-29: Particular requirements for battery chargers. Note that even
> >> though the standard says "household appliances" it also says that
> >> products which may be a source of danger to the public, such as battery
> >> chargers intended for use in garages, shops, light industry and on
> >> farms, are within the scope of this standard.
> >>
> >> I don't mean to scare you away but you should really work against the
> >> safety requirements that are already laid out for many types of
> >> products. Note also that the standards do not say exactly how you
> >> should build your product (what methods exactly to use), they rather say
> >> what you must do in more general terms.
> >>
> >> /Ruben
> >>
> >> On Sat, 03 Jun 2017 19:50:23 +1200, Brent Brown wrote:
> >> > Thanks Byron, I think I have a better picture of things now. Agreed,
> >> > it could well be made sufficiently safe as you describe it.
> >> >
> >> > I forget exactly if you've stated already that there will be a 2 pole
> >> > isolating contactor/relay between charger terminals and charging
> >> > circuit, but seems likely.
> >> >
> >> > If so, I like the idea of a discrete window comparator on the battery
> >> > side. This enables the relay (say via transistor optocoupler, logical
> >> > AND with micro relay engage signal) when in correct range & polarity,
> >> > say 30-60VDC. The battery remains disconnected from the charger until
> >> > the conditions are correct. It perhaps handles full charge disconnect
> >> > too, or at least does so at a threshold slightly above where the micro
> >> > would stop it... in case the micro fails to do so. Need to make this
> >> > circuit tolerant to full AC mains voltage on either terminal, to cover
> >> > any conceivable fault scenario.
> >> >
> >> > Expanding on that... the battery side circuitry may also have a micro
> >> > and communicate with the charger side micro to establish when it is
> >> > safe to close the contacts. Could be a safety improvement.
> >> >
> >> > Additionally current monitoring could be added, perhaps forcing a
> >> > drop out of the relay and requiring a battery disconnect to reset.
> >> >
> >> > Key though would be keeping the micro out of the basic safety
> >> > functions, ie. micro failure could cause a failure to connect, but
> >> > never a failure to disconnect.
> >> >
> >> > Perhaps add a hardware timer to drop out charging if the micro fails to
> >> > terminate charge within a certain timeframe.
> >> >
> >> > On a different note, one catch with using a series cap to lower the
> >> > voltage is high freq transients... which now have a low impedance path
> >> > through to the load. Not impossible to work through, just something
> >> > that needs considering.
> >> >
> >> > -------- Original message --------
> >> > From: Byron Jeff
> >> > Date: 6/3/17 4:49 PM (GMT+12:00)
> >> > To: "Microcontroller discussion list - Public."
> >> > Subject: Re: [EE] Fail-safe Safety-Critical Systems Design
> >> >
> >> > Brent,
> >> >
> >> > I am not turning a blind eye to the inherent dangers of non-isolated
> >> > equipment. Similarly I also understand both the terrible power factor and
> >> > inefficiencies of such a setup. I have my reasons and I'll take on your
> >> > points one by one below.
> >> >
> >> > On Sat, Jun 03, 2017 at 11:43:36AM +1200, Brent Brown wrote:
> >> >> On 2 Jun 2017 at 15:51, Byron Jeff wrote:
> >> >>
> >> >> > One example of what the developer describes as a "relatively safe"
> >> >> > circuit is described here:
> >> >> >
> >> >> > https://www.youtube.com/watch?v=phK_nC4E_jA
> >> >> >
> >> >> > with a schematic here:
> >> >> >
> >> >> > http://i1063.photobucket.com/albums/t507/lookingfordbn/SNV32249_zps217163f0.jpg
> >> >>
> >> >> I take his "relatively safe" or "fairly safe" comments tongue in cheek,
> >> >> and suggest that's what he means by the use of quote marks. That charger
> >> >> circuit I'd consider one of the least desirable topologies to choose in
> >> >> terms of safety. There is no isolation between input and output. There
> >> >> are no active measures to control voltage or current. It is prone to one
> >> >> single point of failure causing a significant hazard (the series cap
> >> >> failing short circuit - which I'd expect to be a common failure method).
> >> >
> >> > No isolation is a clear issue. In the given circuit, he addresses the
> >> > safety of the issue by preventing the connector from being energized if
> >> > it's above a certain voltage. That's the "relatively safe" part that the
> >> > designer is referring to. In addition my plan is to double insulate the
> >> > device just as double insulated tools do. So even though there is live
> >> > wire circuitry, it'll be encased so that it's completely inaccessible.
> >> >
> >> > Active measures for voltage control are in my functional specification.
> >> > Monitoring the terminal voltage and cutting off the charger at complete
> >> > charge are my goals. For safety I'm trying to figure out the absolute
> >> > failsafe to force de-energization of the charger when the terminal
> >> > voltage exceeds a certain value.
> >> >
> >> > As for the single point of failure, both the cap itself (a motor run
> >> > capacitor) and the fuse serve as failsafes. Run capacitors bulge out
> >> > when they short and overheat. This separates the connection creating an
> >> > open. In addition the fuse will overheat and blow, de-energizing the
> >> > charger.
> >> >
> >> >> > Another example that uses a coil as a reactive element is the Bonn
> >> >> > charger:
> >> >> >
> >> >> > http://www.evalbum.com/tech/bonn_charger.html
> >> >>
> >> >> Likewise, that one relies on a single passive component (this time an
> >> >> inductor not a capacitor) to somewhat reduce voltage and current when
> >> >> everything is working as expected. Dangerous.
> >> >
> >> > I wasn't planning on using this circuit. As to why, I'll discuss below.
> >> > The point of the circuit is that it has both fusing and GFCI circuitry to
> >> > lessen the possibility of overload or shock hazard.
> >> >
> >> >> > These two are the best examples that I can find with at least some
> >> >> > minimal safety features added. But in both cases I still do not feel
> >> >> > that it's enough for my application. The two requirements I'd like to
> >> >> > design into my circuit are now:
> >> >>
> >> >> I'd say they have less than minimal safety features... choosing a better
> >> >> topology in the first place gains you a large improvement in safety.
> >> >> Safer examples would likely be more conventional designs: transformer
> >> >> based, or switchmode isolated DC/DC converter.
> >> >
> >> > And here is the brick wall for me. Magnetics of all types to me are a
> >> > toxic combination of incomprehensibility, extraordinary weight, and
> >> > exorbitant cost. Since the last two are fairly obvious in nature, I'll
> >> > focus on the first.
> >> >
> >> > Magnetics of all types are vastly different than any other type of
> >> > electronic component because the concept of common off the shelf doesn't
> >> > really exist. Unlike other passive and active devices such as resistors,
> >> > capacitors, diodes, and transistors, with magnetics the expectation is
> >> > that you must roll your own in order to develop a part. How many folks
> >> > would dip their own resistors or wrap their own capacitors? The
> >> > consequence of this is that there is virtually no information on how to
> >> > use obtainable magnetics in repurposed designs such as this one.
> >> >
> >> > It isn't the fact that I don't understand the concepts. Essentially I
> >> > need to develop a 350ish watt supply in the mid 50V range to supply the
> >> > 7A or so I would get from using 2x80uF run capacitors. I also understand
> >> > the basic formulation of rectifying the AC to a high voltage DC bus for
> >> > power factor correction, then chopping that DC through a full bridge
> >> > DC/DC converter circuit at a higher frequency to shrink the transformer.
> >> >
> >> > All the magnetics would be the same as a PC power supply. We all have
> >> > junk PC power supplies. But I've searched endlessly on how to pull the
> >> > magnetics out of one and repurpose it for something like this. I never
> >> > found anything of value because all such discussions do forward
> >> > engineering from the specifications as opposed to backwards engineering
> >> > from the available parts. In defining a buck converter, there are three
> >> > parameters: switching frequency, current ripple, and inductance. Every
> >> > design document out there takes the first two and computes the third.
> >> > Nothing I've ever found takes a fixed inductance and required current
> >> > and figures out what frequencies will possibly work. Then of course even
> >> > if you do that, there's no guarantee that the magnetics will stay cool
> >> > enough at the frequency to operate properly.
> >> >
> >> > In a lot of ways magnetics are black magic that requires juggling and
> >> > tuning an exact mix of inductance, core material, wiring, and frequency
> >> > to get anything to operate properly.
> >> >
> >> > So while the non isolated designs I put forth have their inherent safety
> >> > risks, their function is easily characterized: the run capacitor
> >> > functions as a reactive element with an equivalent resistance of
> >> > 1/(2*pi*f*c) when AC is put across it. So for my 80 uF run caps it acts
> >> > as a 33 ohm series resistor at 60 Hz AC giving about 3.6 amps of
> >> > available current with a 120V RMS AC input. So back to the magnetics
> >> > tests:
> >> >
> >> > Incomprehensible? No.
> >> > Heavy? No.
> >> > Expensive? My run caps were $5 each.
> >> >
> >> > The only downside is the fact that the circuit is not isolated so live
> >> > AC potential could exist at the battery terminals. This is the risk that
> >> > I'm attempting to mitigate.
> >> >
> >> >> > Same with the EVSE, which is designed to only engage power when a
> >> >> > proper connection has been established. The J1772 pilot signal is a
> >> >> > study in simplicity and elegance. With a single pilot line and little
> >> >> > more than a handful of diodes, resistors, and switches, it is possible
> >> >> > to virtually guarantee that the EVSE is properly connected to the
> >> >> > target before power is applied. And with the live mains circuit I'm
> >> >> > planning to use, this connection is essential for safety critical
> >> >> > operation.
> >> >>
> >> >> Yes, agreed, simple and elegant. I have one in my garage ;-) Mitsubishi
> >> >> Outlander PHEV. You know all this, but, the fancy charger box with J1772
> >> >> talks to the car and tells it "I am an EVSE box connected to an AC power
> >> >> outlet and, if you accept my terms and conditions, you can draw up to
> >> >> xxA through me". It has a GFCI in there too, but essentially the whole
> >> >> box is just a relay that switches the AC mains on or off to the car. The
> >> >> battery charging circuitry is within the car.
> >> >
> >> > I'm well aware. My project for this battery is an electric riding mower.
> >> > There's no need to have the charger on the vehicle. So I'm going to box
> >> > the EVSE circuitry and the charger circuitry together with just a
> >> > charging cable from there to the battery for the mower.
> >> >
> >> >> > So I'm just looking for some thoughts on reasonably reliable design
> >> >> > techniques to back up a microcontroller based system so that even if
> >> >> > the primary circuit goes south, the safety requirements are still met.
> >> >>
> >> >> Sorry, I've only given thoughts so far on two designs I think are not
> >> >> safe. I guess I'm saying that if the primary circuit in itself remains
> >> >> sufficiently "safe" under typical failure conditions, then it will be of
> >> >> lesser importance what happens if/when your micro fails.
> >> >
> >> > The micro will be controlling some of the issues of the original
> >> > circuits. So if it fails, then issues such as overcharging will be back
> >> > on the table.
> >> >
> >> > I'm still looking for suggestions for absolute failsafes in the instance
> >> > that the primary control systems fail to do their jobs.
> >> >
> >> > BAJ
> >> >
> >> >>
> >> >> Brent
> >> >>
> >> >> --
> >> >> http://www.piclist.com/techref/piclist PIC/SX FAQ & list archive
> >> >> View/change your membership options at
> >> >> http://mailman.mit.edu/mailman/listinfo/piclist
> >> >
> >> > --
> >> > Byron A. Jeff
> >> > Associate Professor: Department of Computer Science and Information
> >> > Technology
> >> > College of Information and Mathematical Sciences
> >> > Clayton State University
> >> > http://faculty.clayton.edu/bjeff
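The interlock Brent sketches above (window comparator on the battery side, ANDed with the micro's enable to drive the relay, an overcurrent latch that only a battery disconnect resets, and a hardware charge timer) has one property worth checking before any hardware is built: no single micro failure may ever cause a failure to disconnect. The discrete-time model below is an added example written for this page, not code from the thread or from any poster; the 30-60 VDC window is Brent's figure, while the 10 A trip, the 4 h timer and the sample voltage traces are constructed assumptions. Each scenario function returns the relay state after every step so the fail-safe claim can be asserted rather than argued.

```python
# Added example: discrete-time model of the battery-side interlock proposed
# in the thread. Thresholds other than the 30-60 VDC window are assumptions.
from dataclasses import dataclass

V_MIN, V_MAX = 30.0, 60.0   # window comparator limits (Brent's "say 30-60VDC")
I_MAX = 10.0                # overcurrent trip in amps (assumption)
T_MAX = 4 * 3600            # hardware charge timer in seconds (assumption)


@dataclass
class Interlock:
    """Hardware-only permissives; the micro contributes a single input."""
    overcurrent_latched: bool = False
    elapsed: int = 0            # seconds the relay has been closed this session
    relay_closed: bool = False

    @staticmethod
    def window_ok(v_batt: float) -> bool:
        # Reverse polarity reads negative and mains on a terminal reads far
        # above V_MAX, so both fail the same comparator check.
        return V_MIN <= v_batt <= V_MAX

    def step(self, v_batt: float, i_batt: float, micro_enable: bool,
             battery_present: bool, dt: int = 1) -> bool:
        if not battery_present:
            # Only physically removing the battery clears the latch and timer.
            self.overcurrent_latched = False
            self.elapsed = 0
        if i_batt > I_MAX:
            self.overcurrent_latched = True
        if self.relay_closed:
            self.elapsed += dt
        # Every term is a permissive that must be true; the micro can withhold
        # permission (fail to connect) but can never override a hardware term
        # (fail to disconnect).
        self.relay_closed = (
            battery_present
            and self.window_ok(v_batt)
            and not self.overcurrent_latched
            and self.elapsed < T_MAX
            and micro_enable
        )
        return self.relay_closed


def run(steps):
    """steps: iterable of (v_batt, i_batt, micro_enable, battery_present, dt).
    Returns the relay state after each step."""
    il = Interlock()
    return [il.step(*s) for s in steps]


def scenario_micro_stuck_on_overvoltage():
    # Micro fails with enable asserted while the pack climbs past the window:
    # the comparator opens the relay without any help from firmware.
    volts = [48.0, 52.0, 56.0, 59.0, 61.0, 64.0]
    return run([(v, 5.0, True, True, 60) for v in volts])


def scenario_micro_stuck_on_timer():
    # Micro never terminates charge; the hardware timer does after T_MAX.
    return run([(50.0, 5.0, True, True, 3600)] * 6)


def scenario_micro_stuck_off():
    # Micro fails with enable deasserted: the only consequence is no charging.
    return run([(50.0, 0.0, False, True, 60)] * 3)


def scenario_bad_voltage():
    # Reverse polarity, mains on a terminal, and no pack at all never close.
    return run([(-50.0, 0.0, True, True, 60),
                (170.0, 0.0, True, True, 60),
                (0.0, 0.0, True, True, 60)])


def scenario_overcurrent_latch():
    return run([
        (50.0, 5.0, True, True, 60),    # normal charge: closed
        (50.0, 15.0, True, True, 60),   # overcurrent: trips and opens
        (50.0, 0.0, True, True, 60),    # current gone, still latched open
        (0.0, 0.0, True, False, 60),    # battery removed: latch clears
        (50.0, 5.0, True, True, 60),    # reconnected: closes again
    ])


if __name__ == "__main__":
    for name, fn in sorted(globals().items()):
        if name.startswith("scenario_"):
            print(f"{name}: {fn()}")
```

The model says nothing about whether the comparator itself can fail dangerous, which is why Brent also asks for the battery-side circuit to survive full mains on either terminal; the value of writing the logic down this way is that the micro appears exactly once, as an AND term, so any reviewer can see it has no path to closing the relay on its own.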