I think if you intend to sell into the Euro market that may not be the case...

On 6/3/17, rubenjonsson@bredband.net wrote:
> They can try to tell that to their European authorized representative when they ask for the CE mark and DOC.
>
> I actually don't think leaving makes much difference for manufacturers developing and producing in Britain. You still need rules for product safety and using something that is not compliant to the rest of Europe would not make sense. However, you will no longer be able to influence those rules.
>
> /Ruben
>
> On Sat, 3 Jun 2017 13:23:26 +0100, David C Brown wrote:
>> I am in Britain and we will be out of the EU in less than two years. Then we will be able to ignore all these annoying rules. Or so the proponents of leaving would have us believe. :-(
>>
>> __________________________________________
>> David C Brown
>> 43 Bings Road
>> Whaley Bridge
>> High Peak Phone: 01663 733236
>> Derbyshire eMail: dcb.home@gmail.com
>> SK23 7ND web: www.bings-knowle.co.uk/dcb
>>
>> *Sent from my etch-a-sketch*
>>
>> On 3 June 2017 at 13:06, wrote:
>>
>>> Yes, I am in Sweden.
>>>
>>> /Ruben
>>>
>>> On Sat, 3 Jun 2017 13:02:43 +0100, David C Brown wrote:
>>> > Ruben
>>> >
>>> > By Europe do you mean European Union?
>>> >
>>> > On 3 June 2017 at 12:27, wrote:
>>> >
>>> >> As far as I know, every country or region has safety requirements for potentially dangerous products. You should look into that for every country/region where your product is going to be sold/used. Usually harmonized standards are used to demonstrate compliance with the requirement.
>>> >>
>>> >> I am in Europe and I need to do what the law says regarding product safety and that is to have the product CE marked. This means that I have to follow the applicable EU directives for the product in question. Every directive has a set of essential requirements which I have to show that my product complies with. The easiest way to do that (but not the only way) is to build the product so that it fulfills all requirements in one or several harmonized standards for that directive, suitable for that product.
>>> >>
>>> >> Right now I am working on medical electrical devices which have to be compliant to the MDD directive (soon to become the MDR directive). The base standard for this is the (IEC) EN 60601-1 Ed. 3.1. It sets up requirements for basic safety and essential performance for electrical medical devices. It is accompanied with collateral standards regarding EMC, software, usability, alarms, home healthcare environment and more, which may or may not be applicable to the device in question. On top of that there are particular standards with specific requirements for certain types of medical devices.
>>> >>
>>> >> These standards state rules for technical requirements regarding electric safety (isolation, creepage, clearance, pollution degree, overvoltage category, dielectric withstand, accessible parts, test finger, leakage currents...), fault modes, mechanical strength, environmental (temperature, humidity, ingress protection, atmospheric pressure), transportation and packaging, usability, marking, accessories and a hundred or so more.
>>> >>
>>> >> The base standard also requires me to do a thorough risk evaluation for the device, including software and accompanying documents (manuals, installation instructions, electronic documents, training material, technical documents...). This risk evaluation must show that all risks from identified hazards are at an acceptable level, reduced as far as possible. Unacceptable risks could also be ok if I can show that the risk is balanced against the benefit of the device. Since I am in Europe and doing medical devices, the risk management process must be done in accordance with EN ISO 14971:2012.
>>> >>
>>> >> When I have designed the device and have had it tested and inspected at a third party testhouse (notified body) who have passed it in their test report I have shown that I can design the medical device according to the MDD directive and its essential requirements. This states that the medical device is considered safe enough to be used in the European market.
>>> >>
>>> >> In order to be able to build and sell the device (making it available to the European market) I also have to have an approved and certified quality management system set up for my company. This shows that I can build the product to be exactly like the tested and certified specimen. The quality management system must have procedures for design and development (including software development and changes), documentation, manufacturing, personnel, building and environment, complaints, servicing and more. The quality system will be periodically audited/inspected by a notified body.
>>> >>
>>> >> Now, this was an example for medical electrical devices which is one of the product types that has the most stringent requirements regarding safety for a designer and manufacturer.
>>> >>
>>> >> Another directive with high requirements is the ATEX directive which regulates products used in environments with explosive atmospheres (gas or dust).
>>> >>
>>> >> Then there are other directives, such as the LVD (low voltage directive), which may not require a quality management system or even certification of the product by a third party (you can do it yourself). The LVD directive has a basic standard for household appliances (IEC 60335-1) which covers general requirements for electric safety, mechanical strength, endurance and more for household and similar appliances. It has a particular standard for battery chargers which I think would apply for your product on the European market: IEC 60335-2-29 Household and similar electrical appliances - Safety - Part 2-29: Particular requirements for battery chargers. Note that even though the standard says "household appliances" it also says that products which may be a source of danger to the public, such as battery chargers intended for use in garages, shops, light industry and on farms, are within the scope of this standard.
>>> >>
>>> >> I don't mean to scare you away but you should really work against the safety requirements that already are laid out for many types of products already. Note also that the standards do not say exactly how you should build your product (what methods exactly to use), they rather say what you must do in more general terms.
>>> >>
>>> >> /Ruben
>>> >>
>>> >> On Sat, 03 Jun 2017 19:50:23 +1200, Brent Brown wrote:
>>> >> > Thanks Byron, I think I have a better picture of things now. Agreed, it could well be made sufficiently safe as you describe it.
>>> >> > I forget exactly if you've stated already that there will be a 2 pole isolating contactor/relay between charger terminals and charging circuit, but seems likely.
>>> >> > If so, I like the idea of a discrete window comparator on the battery side. This enables the relay (say via transistor optocoupler, logical AND with micro relay engage signal) when in correct range & polarity, say 30-60VDC. The battery remains disconnected from the charger until the conditions are correct. It perhaps handles full charge disconnect too, or at least does so at a threshold slightly above where the micro would stop it... in case the micro fails to do so. Need to make this circuit tolerant to full AC mains voltage on either terminal, to cover any conceivable fault scenario.
>>> >> > Expanding on that... the battery side circuitry may also have a micro and communicate with the charger side micro to establish when it is safe to close the contacts. Could be a safety improvement.
>>> >> > Additionally current monitoring could be added, perhaps forcing a drop out of the relay and requiring a battery disconnect to reset.
>>> >> > Key though would be keeping the micro out of the basic safety functions, i.e. micro failure could cause a failure to connect, but never a failure to disconnect.
>>> >> > Perhaps add a hardware timer to dropout charging if micro fails to terminate charge within a certain timeframe.
>>> >> > On a different note, one catch with using a series cap to lower the voltage is high freq transients... which now have a low impedance path through to the load. Not impossible to work through, just something that needs considering.
>>> >> >
>>> >> > -------- Original message --------
>>> >> > From: Byron Jeff
>>> >> > Date: 6/3/17 4:49 PM (GMT+12:00)
>>> >> > To: "Microcontroller discussion list - Public."
>>> >> > Subject: Re: [EE] Fail-safe Safety-Critical Systems Design
>>> >> >
>>> >> > Brent,
>>> >> >
>>> >> > I am not turning a blind eye to the inherent dangers of non-isolated equipment. Similarly I also understand both the terrible power factor and inefficiencies of such a setup. I have my reasons and I'll take on your points one by one below.
>>> >> >
>>> >> > On Sat, Jun 03, 2017 at 11:43:36AM +1200, Brent Brown wrote:
>>> >> >> On 2 Jun 2017 at 15:51, Byron Jeff wrote:
>>> >> >>
>>> >> >> > One example of what the developer describes as a "relatively safe" circuit is described here:
>>> >> >> >
>>> >> >> > https://www.youtube.com/watch?v=phK_nC4E_jA
>>> >> >> >
>>> >> >> > with a schematic here:
>>> >> >> >
>>> >> >> > http://i1063.photobucket.com/albums/t507/lookingfordbn/SNV32249_zps217163f0.jpg
>>> >> >>
>>> >> >> I take his "relatively safe" or "fairly safe" comments tongue in cheek, and suggest that's what he means by the use of quote marks. That charger circuit I'd consider one of the least desirable topologies to choose in terms of safety. There is no isolation between input and output. There are no active measures to control voltage or current. It is prone to one single point of failure causing a significant hazard (the series cap failing short circuit - which I'd expect to be a common failure method).
>>> >> >
>>> >> > No isolation is a clear issue. In the given circuit, he addresses the safety of the issue by preventing the connector from being energized if it's above a certain voltage. That's the "relatively safe" part that the designer is referring to. In addition my plan is to double insulate the device just as double insulated tools do. So even though there is live wire circuitry, it'll be encased so that it's completely inaccessible.
>>> >> >
>>> >> > Active measures for voltage control are in my functional specification. Monitoring the terminal voltage and cutting off the charger at complete charge are my goals. For safety I'm trying to figure out the absolute failsafe to force de-energization of the charger when the terminal voltage exceeds a certain value.
>>> >> >
>>> >> > As for the single point of failure, both the cap itself (a motor run capacitor) and the fuse both serve as failsafes. Run capacitors bulge out when they short and overheat. This separates the connection creating an open. In addition the fuse will overheat and blow de-energizing the charger.
>>> >> >
>>> >> >> > Another example that uses a coil as a reactive element is the Bonn charger:
>>> >> >> >
>>> >> >> > http://www.evalbum.com/tech/bonn_charger.html
>>> >> >>
>>> >> >> Likewise, that one relies on a single passive component (this time an inductor not a capacitor) to somewhat reduce voltage and current when everything is working as expected. Dangerous.
>>> >> >
>>> >> > I wasn't planning on using this circuit. As to why, I'll discuss below. The point of the circuit is that it has both fusing and GFCI circuitry to lessen the possibility of overload or shocking hazard.
>>> >> >
>>> >> >> > These two are the best examples that I can find with at least some minimal safety features added. But in both cases I still do not feel that it's enough for my application. The two requirements I'd like to design into my circuit are now:
>>> >> >>
>>> >> >> I'd say they have less than minimal safety features... choosing a better topology in the first place gains you a large improvement in safety. Safer examples would likely be more conventional designs: transformer based, or switchmode isolated DC/DC converter.
>>> >> >
>>> >> > And here is the brick wall for me. Magnetics of all types to me are a toxic combination of incomprehensibility, extraordinary weight, and exorbitant cost. Since the last two are fairly obvious in nature, I'll focus on the first.
>>> >> >
>>> >> > Magnetics of all types are vastly different than any other type of electronic component because the concept of common off the shelf doesn't really exist. Unlike other passive and active devices such as resistors, capacitors, diodes, and transistors, with magnetics the expectation is that you must roll your own in order to develop a part. How many folks would dip their own resistors or wrap their own capacitors? The consequence of this is that there is virtually no information on how to use obtainable magnetics in repurposed designs such as this one.
>>> >> >
>>> >> > It isn't the fact that I don't understand the concepts. Essentially I need to develop a 350ish watt supply in the mid 50V range to supply the 7A or so I would get from using 2x80uF run capacitors. I also understand the basic formulation of rectifying the AC to a high voltage DC bus for power factor correction, then chopping that DC through a full bridge DC/DC converter circuit at a higher frequency to shrink the transformer.
>>> >> >
>>> >> > All the magnetics would be the same as a PC power supply. We all have junk PC power supplies. But I've searched endlessly on how to pull the magnetics out of one and repurpose it for something like this. I never found anything of value because all such discussions do forward engineering from the specifications as opposed to backwards engineering from the available parts. In defining a buck converter, there are three parameters: switching frequency, current ripple, and inductance. Every design document out there takes the first two and computes the third. Nothing I've ever found takes a fixed inductance and required current and figures out what frequencies will possibly work. Then of course even if you do that, there's no guarantee that the magnetics will stay cool enough at the frequency to operate properly.
>>> >> >
>>> >> > In a lot of ways magnetics are black magic that requires juggling and tuning an exact mix of inductance, core material, wiring, and frequency to get anything to operate properly.
>>> >> >
>>> >> > So while the non isolated designs I put forth have their inherent safety risks, their function is easily characterized: the run capacitor functions as a reactive element with an equivalent resistance of 1/(2*pi*f*c) when AC is put across it. So for my 80 uF run caps it acts as a 33 ohm series resistor at 60 Hz AC giving about 3.6 amps of available current with a 120V RMS AC input. So back to the magnetics tests:
>>> >> >
>>> >> > Incomprehensible? No.
>>> >> > Heavy? No.
>>> >> > Expensive? My run caps were $5 each.
>>> >> >
>>> >> > The only downside is the fact that the circuit is not isolated so live AC potential could exist at the battery terminals. This is the risk that I'm attempting to mitigate.
>>> >> >
>>> >> >> > Same with the EVSE, which is designed to only engage power when a proper connection has been established. The J1772 pilot signal is a study in simplicity and elegance. With a single pilot line and little more than a handful of diodes, resistors, and switches, it is possible to virtually guarantee that the EVSE is properly connected to the target before power is applied. And with the live mains circuit I'm planning to use, this connection is essential for safety critical operation.
>>> >> >>
>>> >> >> Yes, agreed, simple and elegant. I have one in my garage ;-) Mitsubishi Outlander PHEV. You know all this, but, the fancy charger box with J1772 talks to the car and tells it "I am an EVSE box connected to an AC power outlet and, if you accept my terms and conditions, you can draw up to xxA through me". It has a GFCI in there too, but essentially the whole box is just a relay that switches the AC mains on or off to the car. The battery charging circuitry is within the car.
>>> >> >
>>> >> > I'm well aware. My project for this battery is an electric riding mower. There's no need to have the charger on the vehicle. So I'm going to box the EVSE circuitry and the charger circuitry together with just a charging cable from there to the battery for the mower.
>>> >> >
>>> >> >> > So I'm just looking for some thoughts on reasonably reliable design techniques to back up a microcontroller based system so that even if the primary circuit goes south, the safety requirements are still met.
>>> >> >>
>>> >> >> Sorry, I've only given thoughts so far on two designs I think are not safe. I guess I'm saying that if the primary circuit in itself remains sufficiently "safe" under typical failure conditions, then it will be of lesser importance what happens if/when your micro fails.
>>> >> >
>>> >> > The micro will be controlling some of the issues of the original circuits. So if it fails, then issues such as overcharging will be back on the table.
>>> >> >
>>> >> > I'm still looking for suggestions for absolute failsafes in the instance that the primary control systems fail to do their jobs.
>>> >> >
>>> >> > BAJ
>>> >> >
>>> >> >> Brent
>>> >> >>
>>> >> >> --
>>> >> >> http://www.piclist.com/techref/piclist PIC/SX FAQ & list archive
>>> >> >> View/change your membership options at
>>> >> >> http://mailman.mit.edu/mailman/listinfo/piclist
>>> >> >
>>> >> > --
>>> >> > Byron A. Jeff
>>> >> > Associate Professor: Department of Computer Science and Information Technology
>>> >> > College of Information and Mathematical Sciences
>>> >> > Clayton State University
>>> >> > http://faculty.clayton.edu/bjeff
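Brent's suggested interlock (window comparator on the battery side, hardware charge timer, latching overcurrent trip, all ANDed with the micro's enable so that a micro fault can only fail to connect, never fail to disconnect) can be checked as a behavioural model. This Python model is an added example written for this page, not code from anyone in the thread; the 30-60 VDC window is from Brent's message, while the 10 A trip level, the 6 hour timer limit and the 48 V / 5 A operating point are constructed placeholders.

```python
# Behavioural model of the interlock sketched in the thread: a window
# comparator on the battery side, a hardware charge timer and a latching
# overcurrent trip are ANDed with the micro's enable bit, so a failed micro
# can only fail to connect, never fail to disconnect. Added example, not
# from the thread; values other than the 30-60 VDC window are constructed.

V_MIN, V_MAX = 30.0, 60.0       # comparator window quoted in the thread (VDC)
I_TRIP = 10.0                   # assumed overcurrent trip level (A)
MAX_CHARGE_S = 6 * 3600         # assumed hardware charge-timer limit (s)


def window_ok(v_batt: float) -> bool:
    """Discrete comparator output: correct polarity and range only.
    A negative reading models reversed polarity; a mains-level reading on a
    faulted terminal lies outside the window and is rejected the same way."""
    return V_MIN <= v_batt <= V_MAX


class Interlock:
    """Hardware-side logic; the micro contributes only a single enable bit."""

    def __init__(self) -> None:
        self.tripped = False        # overcurrent latch
        self.charge_s = 0           # hardware timer, counts while relay closed

    def step(self, v_batt: float, i_charge: float, micro_enable: bool,
             dt: int = 1) -> bool:
        """One sample period; returns True if the isolating relay is closed."""
        # Latch and timer clear only when the battery is physically removed
        # (terminal reads 0 V), never by anything the micro does.
        if v_batt == 0.0:
            self.tripped = False
            self.charge_s = 0
        if i_charge > I_TRIP:
            self.tripped = True
        closed = (window_ok(v_batt) and micro_enable
                  and not self.tripped and self.charge_s < MAX_CHARGE_S)
        if closed:
            self.charge_s += dt
        return closed


def run_scenarios() -> dict:
    """Relay state after each failure sequence discussed in the thread."""
    out = {}
    out["normal"] = Interlock().step(48.0, 5.0, True)
    out["micro_dead"] = Interlock().step(48.0, 5.0, False)   # fails to connect
    out["micro_stuck_overvoltage"] = Interlock().step(61.0, 5.0, True)
    out["reverse_polarity"] = Interlock().step(-48.0, 0.0, True)
    out["mains_on_terminal"] = Interlock().step(170.0, 0.0, True)

    ilk = Interlock()               # micro never terminates the charge
    for _ in range(MAX_CHARGE_S):
        ilk.step(48.0, 5.0, True)
    out["timer_expired"] = ilk.step(48.0, 5.0, True)

    ilk = Interlock()               # overcurrent latches until disconnect
    ilk.step(48.0, 12.0, True)
    out["overcurrent_latched"] = ilk.step(48.0, 5.0, True)
    ilk.step(0.0, 0.0, False)       # battery removed clears the latch
    out["after_reconnect"] = ilk.step(48.0, 5.0, True)
    return out
```

Only the "normal" and "after_reconnect" sequences leave the relay closed; every micro or wiring fault in the list ends with the battery disconnected, which is the property Brent asks for.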