Is there such a thing as a fail-safe, low-power relay?

Question

Background

Let's say I have a device. I can't give details, but, like many heat-producing devices, it's intended to be used for a limited period of time, but if left on indefinitely can be very dangerous. Let's also assume that:

• The device needs mains power.
• The device needs to be safe (at least so far as turning itself off) for unattended use.
• Using a mechanical timer is not an option. (Maybe as a backup, but not as the primary timer.)

I really want some sort of fail-safe timing mechanism. That rules out most traditional digital timers, and even some mechanical timers. What I'm thinking I'd like to do is use a capacitor to power some sort of NO-relay in a way that makes it as close to impossible as I can manage for the power to stay connected for longer than some period of time. (Basically, using an RC circuit as the timer; the idea being to charge the cap(s), physically disconnect the power supply from the RC circuit, and then drive the relays off the stored charge.)

Question

I'm somewhat familiar with solenoid relays, which would be good due to physically interrupting the circuit; however, IIUC there is some possibility these can weld shut. I'm less familiar with the failure modes of solid-state relays.

Is there a device that can run off of very low current that can switch at least 100 W that could be suitable for such an application? Am I being overly paranoid about using a solenoid relay?

Notes

• By "low current"... generally, the lower the better, but let's say ~1 W or less. ~10-100 mW would be better, but 1 mW is probably overkill.
• Hazard level: one or a few very angry (or deceased) people, but well short or Fukushima.
• I don't have specific regulatory requirements, but I'm also not inclined to cut corners.
• This is for a personal/DIY project (or I probably wouldn't need to ask here); I don't have a huge budget to be contracting support agencies or purchasing very expensive components. (Note: $1k is "very expensive", $10 isn't.)
• I don't need precise timing. ±50% would be a bit excessive, but ±25% would be very acceptable, and ±1% would be bordering on overkill. Initial operation time is "a few minutes", though eventually I may want to be able to go up to ~8-12 hours.
• I don't expect to be dealing with anything higher than US mains (~120V), and probably everything will be running DC.

Answer 1

Fail safes usually include redundant devices configured properly. For instance if you absolutely have to shut off something, this would be two switches in series, so that if one failed to open, the other could have a chance.

Welding shut can happen if a relay is used outside its specification. For AC applications there are some circuits that only open the relays when the current goes through zero, to reduce the chance of arcs. (zero crossing switching). 100 W really is low power though, so the chances of things like this happening with properly made circuits is really low. There is also the practice of arc-suppression circuits, which is a RC circuit connected to the relay contacts.

If you want very low current, then I would not use a mechanical relay. triac circuits come to mind. Or MOSFETs for lowest current requirement of the controlling circuit. I don't really get why you want to save on the milli-amps when you're using several amps on the heater though... 100W can for example be 8.33 A @ 12 V .. Not too much for a big mosfet with a heat-sink.

Simplest route is a relay. Use two in series if you're concerned about reliability. look up the proper way to shunt back-emf and how to have low 'keep-on' currents. NOW most relays are rated at a certain number of operations. from a few thousand to hundreds of thousands. So this might be an issue if you will be switching at a high rate, or over many years.

Use a zero-crossing detector to gate the switching signal (just the simple rectifier based circuit) if on AC.

Most reliable timing circuit that will always 'go low' is of course just a RC timing constant. It will not be accurate, but it will never fail to reach a value that is logical 0. Just to stay super safe, there should be a logical OR between TWO RC timing circuits ;) or a majority voter between three RC timing circuits ;) ;) ;) There is quite many things you can do to get theoretically better 'safety'.

Of course it is all up to you how big safety factor you need. But if lives are at stake, you really should be looking for people who did this before, and talk to them.

Answer 2

Your question is definitely missing some details. Like what you consider to be "very low current".

When it comes to designing safety circuitry, then the failure modes are important. But this is the failure modes of all components and not just the final effector.

So you've hypothesised that you will have a capacitor which will charge up over time and result in the turn off of the device. Consider your 'computation' elements... a resistor, and a capacitor. What are the common failure modes of these devices. Hint: resistors typically fail to 'open', and capacitors typically fail to a 0 capacitance state, but if exposed to over-voltage can fail to a 'short'. We've just looked at two of your proposed timer devices, and both fail in a manner that you could consider to be 'dangerous'. Hence you may want to consider alternatives.

There are organisations (like Exida etc) that specialise in performing such Failure Mode and Effects Analysis (FMEA). They also have available some documentation which can be useful in performing your own FMEAs.

A solid-state relay will typically just be a combination of an Opto-Triac, and a Triac (if using a low enough output current it may just be an Opto-Triac). Triacs have a bit of a propensity to self trigger. So they would generally not be recommended as a safe control device. The means to reduce the self-triggering are appropriate snubber designs (which are impacted by common failure modes of resistors and capacitors), and Triac design. Most SSRs will not advertise what Triacs they use, hence you will not be able to perform a sufficiently low level FMEA to determine if you can use these or not.

My suggestion is to use several layers of protection.

1. Have some basic means of turning the device off after perhaps a user configurable time (I assume this is part of normal functionality).
2. Have some additional means of turning the device off after some upper limit (the safety time)
3. Have some means of turning the device off if it gets too hot.

The third one is particularly important.

It would also be worth investigating other similar devices for what kind of safety features they provide. If your device can be oriented in ways that might increase the risk of heating, then perhaps you could detect them and shut the system down. This is what portable heaters etc generally have (a tip sensor, so if they fall over they turn off).

To get back around to your end control device. If you are switching AC voltages, then relays that are rated to switch the highest expected (fault) current plus some margin is the general 'rule'. So if you have a 5A fuse, then your relay should be rated at something like 7.5A.. this ensures that even if the fuse is still somewhat within its thermal curve, your relay can safely open. If you are switching DC voltage only, then it becomes easier to consider MOSFETs and less mechanical devices (sure you can do this for AC also.. but it's typically not worth the pain).