
I am designing a charge pump that will enable a relay when the charge pump is energized (inspired from this answer). The relay is part of an emergency stop system and the charge pump is used to check that a MCU is running ok.

I am having trouble calculating the values of the components needed for the circuit to work. How can I calculate the values for the resistors and capacitors? What is the design process to follow?

Here is my circuit:

[Schematic image: Safety charge pump]

Sam

  • A "safety" charge pump? What exactly are your safety considerations here? That will change the answer. Also, you should have an antiparallel diode for your relay coil. – Hearth Jun 09 '23 at 15:46
  • And why not find a FET that's rated for 3.3 V drive? The Diodes DMG1012 seems perfectly adequate for this task, as does the cheaper Rohm RE1C002. Both are cheaper than onsemi's BSS138. – Hearth Jun 09 '23 at 15:57
  • Thanks for the comments! I do have a flyback diode for the relay on the actual circuit. I will look into the 2 components you suggested, thank you. – Sam Jun 09 '23 at 16:20
  • The two key specifications for calculating the Rs and Cs are 1) What delay do you want from starting the squarewave drive to the relay pulling in and 2) What delay do you want from stopping the drive to the relay dropping out? Do bear in mind that both specs can only be realised approximately with such a crude circuit. – Neil_UK Jun 09 '23 at 16:24
  • You might want to look at commercial solutions. Silicon vendors are happy to sell you various supervisory circuits, some with watchdog timers incorporated. Be careful how you drive the WDT (do not use an interrupt, at least not in a naïve manner). – Spehro Pefhany Jun 09 '23 at 16:49
  • R2 is most likely superfluous, and you might want two or more capacitors in series for C1 in case it fails short circuit (which is likely for a std hi-k ceramic cap), or choose a film cap. The other two devices that may fail causing an unsafe situation are the relay and M1. Have a spare set of contacts on the relay fed back to the microcontroller so it can test and detect a failure. Remember: tolerate one failure but detect all failures. – Kartman Jun 10 '23 at 11:17

1 Answer


R1C2 is the time constant for the relay dropping out, so make this long compared to the drive cycle time. 3.3V * ((C1/C2)-1.4)V is approximately the voltage increment on C2 for each pulse from the micro, assuming the micro can supply enough current. So make C2 maybe 10 times C1, so that the micro has to work for it a bit to get the relay to pull in; you don't want a single pulse to do it.

Maximum gate voltage will occur when R1 is averaging the same current as C1 is producing in D2, and figure that as dQ/dt = (3.3V - 1.4V) * C1 * Frequency providing the micro pin is stiff enough to supply the charge at the operating frequency.

Or just Spice the thing; I'm not above doing that after doing the hand calc to make sure I have it right!

Fault detection is important, so feed back from the relay to the micro, and have the software start up and not continue unless that relay indicates open, then start the charge pump and not continue unless the relay closes. Basically you stop everything if the relay is not in the expected state after 100ms. This tests the charge pump and confirms that the relay contacts are not welded. I would then stop the charge pump with the drive pin high and confirm the relay opens again (testing R1, C1, M1), but I am paranoid.

Panasonic do a relay intended for grid tie inverters that has an aux contact designed to be mechanically guaranteed to only close if the main contacts are open; that is good for this sort of thing. Normal relays can weld one contact and sometimes still have another one switch. The keyword is 'force guided contacts'.

Safety is very much a system level thing, and while this sort of stuff can help, ensuring you ALWAYS fail safe is tricky. That is why explicitly 'SAFETY RATED' controllers and dual channel safety relays (and appropriate switch gear) exist from manufacturers like Pilz; they are worth the money because they are what inspectors expect to see, and they have the insurance and reputation.

Do not be shy about deliberately making the system eat a fuse to ensure shutdown if a problem is detected. I did that on a traffic signal design once years ago: I had a relay across each green channel hard wired such that if there were ever conflicting greens it would blow the lamp supply fuse. I only ever heard about it activating twice, both times because of a damaged cable to one of the signals shorting two lamps together, which I consider to be working as intended.

Dan Mills