Topic: Safety Critical Circuit

TQ18

Jun 24, 2015, 01:31 pm Last Edit: Jun 24, 2015, 01:35 pm by TQ18 Reason: Added attachment
Hi!

I am in the process of replacing the control circuitry on a piece of test equipment which releases a large weight (over 500 kg) down a slope and collides it with a solid object. Obviously this is a potentially dangerous situation and as such there are a number of safety measures in place which need to remain once the system is run by an Arduino. I have put together the attached schematic and would like feedback on it.

The safety switch is attached to a gate which must be closed in order for the rig to "fire" (i.e. release the load); a red and green LED display the state of this gate. In addition to this, the Arduino must have "armed" the rig by pulling one of its pins high (shown as "Arduino Out" on the schematic); an additional red and green LED shows whether the rig is ready to be fired. Assuming it is, the fire button will then release the load down the slope. The load is released by pneumatic rams controlled by a 12V solenoid (shown on the schematic as "LOAD").

If anyone could point out any obvious errors and provide general feedback on the design of the circuit it would be much appreciated; in addition, any pointers on working out the specs required for the components would help (I need to work out the resistance of R1, R2, R3, R4, R5 and R6, the transistor spec for Q1, Q2 and Q3, what diodes to use for D1 and D2 and what sort of MOSFET would be appropriate to drive the solenoid).

Thanks in advance.

weedpharma

#1
Jun 24, 2015, 01:52 pm Last Edit: Jun 24, 2015, 02:01 pm by weedpharma
The circuit is not fail safe. It is possible to fire the MOSFET if the Arduino pin is open.

The circuit should not be able to do anything unless all conditions of safety are met and all connections are made.

The safety switch should prevent the MOSFET from turning on under all circumstances. Preferably in series with the gate, and have a 1k R from the gate to gnd.

Base R should be around 10k so LED would not light.

Review the circuit and look at any way the MOSFET can turn on if any wire is broken or component damaged. The current circuit is not something I would rely on.

Weedpharma

Archibald

Surely it's advisable to also have a purely mechanical interlock so the weight cannot go down the slope unless the gate is fully closed and locked.

syntaxterror

I think this may be one of the times the conditions of use need mentioning, in case you are unaware.

They state:
"Officine Arduino Srl products are not authorized for use in safety-critical applications where a failure of the Officine Arduino Srl product would reasonably be expected to cause severe personal injury or death."

TQ18

The ultimate safety feature is the fire button; it is essential that the only way the rig will fire is with this depressed. Everything else is an additional, nice-to-have safety feature. There is only one operator and they are a well trained test engineer who knows how the equipment works and why. The worst thing any failure should be able to do is to enable the fire button when it shouldn't be enabled; there should be no way for the rig to fire without the button depressed.

dlloyd

Something to consider for improved safety (fire circuit not shown):

raschemmel

#6
Jun 24, 2015, 04:27 pm Last Edit: Jun 24, 2015, 11:04 pm by raschemmel
If the safety switch is supposed to function as a DISABLE switch, it should connect the gate of the MOSFET to GND when it is closed, not the other way around as you have it.
The only SAFE (N-CHANNEL) MOSFET is a MOSFET with its gate SHORTED to GND (since that guarantees that it cannot be turned on). That's how the "SAFETY" switch should be wired (a simple jumper to GND when closed).

LOGIC LEVEL MOSFET

ARMING SWITCH

TQ18

Latest effort attached.

I've tried to make things simpler by putting all the indicator LEDs etc... on 12V instead of 5V with just the Arduino now running at 5V.

Just so I am clear the circuit is shown in the position it would be in when the safety gate is closed and the rig is ready to fire (assuming the arduino has "armed" its pin).

The safety LED is red when the rig will not fire due to the safety switch, and green when the safety switch is not preventing firing. The ready LED is green to indicate the rig is ready to fire (i.e. the safety switch and Arduino pin are in the correct state), and red if either the safety switch or the Arduino pin is in the wrong state.

raschemmel

#8
Jun 25, 2015, 04:27 pm Last Edit: Jun 25, 2015, 06:02 pm by raschemmel
Quote
Just so I am clear the circuit is shown in the position it would be in when the safety gate is closed and the rig is ready to fire (assuming the arduino has "armed" its pin).
What you are trying to say may be correct, but the way you are saying it is not.

Just to be clear, the term "Safety" on control panels implies the hardware is DISABLED, NOT READY TO FIRE (i.e. Safety switch OPEN, not closed). When you put a handgun (or rifle) "Safety" in the ON position, the weapon will not fire.

If your switch is an SPST, you can use the term CLOSED. If the switch is an SPDT, you cannot use the term "closed" because the switch has two positions. You must therefore identify the switch position using the label of the functions for the two positions. Unfortunately, your schematic has no labels for the contacts of the safety switch. The only way we can identify it is that the current path for the Q1 base through the GREEN safety LED would be "Safety OFF", because the unit is ready to fire. The other position would be "Safety ON" because the unit will not fire. Your understanding of the terminology is backwards.

The above statement should read:

Quote
Just so I am clear the circuit is shown in the position it would be in when the safety gate SWITCH is closed OFF and the rig is ready to fire (assuming the arduino has "armed" its pin)
FYI,
Your use of the term "gate" with respect to this circuit is inappropriate. In electronics, a "gate" is a signal that is used as an Enable signal for some other signal.


TQ18

Understood, the switch in question is attached to a physical "gate" which you would walk through to get close to the rig in question. I hope what I was trying to say is now clear.

raschemmel

#10
Jun 25, 2015, 05:25 pm Last Edit: Jun 25, 2015, 05:43 pm by raschemmel
In that case, the correct electronics term for that circuit is "Gate INTERLOCK".

Quote
Safety Interlock Switches
Our Safety Interlock Switches are a means of safeguarding that monitors the position of a guard or gate. You can use them to shut off power, control personnel access and prevent a machine from starting when the guard is open.
SAFETY INTERLOCK SWITCH

INTERLOCK

Quote
An interlock is a device used to prevent undesired states in a state machine, which in a general sense can include any electrical, electronic, or mechanical device or system. In most applications an interlock is used to help prevent a machine from harming its operator or damaging itself by stopping the machine when tripped. Household microwave ovens are equipped with interlock switches which disable the magnetron if the door is opened. Similarly household washing machines will interrupt the spin cycle when the lid is open. Interlocks also serve as important safety devices in industrial settings, where they protect employees from devices such as robots, presses, and hammers. While interlocks can be something as sophisticated as curtains of infrared beams and photodetectors, they are often just switches.
Quote
Just so I am clear the circuit is shown in the position it would be in when the safety gate Guard is closed and the rig is ready to fire (assuming the arduino has "armed" its pin)

DVDdoug

I'm thinking something mechanical like an elevator safety mechanism. At least philosophically similar to an elevator mechanism. Something "rests" in the safe position and has to be enabled to allow movement. Something like a spring that has to be held back in order for the thing to move... If you lose power or anything isn't just right, it locks up.

arduinoaleman

Huge machines in factories (like presses) use two switches that have to be pressed at the same time. They are physically at two different sites, so you cannot press the two switches with one hand at the same time. This makes sure that none of your hands can be within the press.

What if your Arduino is faulty? Just use a second switch behind the Arduino that passes on your Arduino's signal.

In your case you would have 3 switches then (green/red LED control in your circuit - and the 2 switches that control your device).
If your questions are not precise, nobody can help you.

raschemmel

#13
Jun 25, 2015, 11:11 pm Last Edit: Jun 26, 2015, 12:33 am by raschemmel
Quote
Huge machines in factories (like presses) use two switches that have to be pressed at the same time. They are physically at two different sites, so you cannot press the two switches with one hand at the same time. This makes sure that none of your hands can be within the press.
Nuclear missile launchers use two keys, but so what? Where do you draw the line? If the gate is closed and his thumb is on the Fire button, is it really possible for him to be in the path of the falling object released when he presses the fire button?

TQ18

Quote
Nuclear missile launchers use two keys, but so what? Where do you draw the line? If the gate is closed and his thumb is on the Fire button, is it really possible for him to be in the path of the falling object released when he presses the fire button?
Exactly.

The safety interlock and physical position of the fire button are enough to allow the safe use of the machine, the arduino adds an additional layer of safety by performing a countdown and then only arming the rig for a small amount of time to allow it to be fired once.

I would love any feedback on my second draft circuit having taken into account the points mentioned on this thread; I think it is now much safer.
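As an added example (not code from the original thread or from TQ18), here is a plain-C model of the arming logic described above: a countdown, then a short arming window that permits a single shot, written so that a stalled loop, a stuck arm input or a lost interlock can never leave the ARM pin high. The phase names, the gate read-back input and the timing values are assumptions; the hardware fire button and interlock remain in series with the solenoid regardless of what this code does.

```c
#include <stdbool.h>
#include <stdint.h>

/* The hardware fire button and gate interlock stay in series with the
 * solenoid whatever this code does; the Arduino only opens a bounded
 * arming window. Phase names and timings below are assumptions. */
enum arm_phase { ARM_IDLE, ARM_COUNTDOWN, ARM_ARMED, ARM_LOCKOUT };

struct arm_fsm {
    enum arm_phase phase;
    uint32_t phase_start_ms;  /* millis() value when the phase began */
    uint32_t countdown_ms;    /* warning delay before arming */
    uint32_t arm_window_ms;   /* how long ARM is held HIGH */
    uint32_t lockout_ms;      /* minimum gap before re-arming */
};

void arm_fsm_init(struct arm_fsm *f, uint32_t countdown_ms,
                  uint32_t arm_window_ms, uint32_t lockout_ms)
{
    *f = (struct arm_fsm){ ARM_IDLE, 0, countdown_ms, arm_window_ms, lockout_ms };
}

/* One loop() iteration. arm_request is the operator's arm input to the
 * Arduino; gate_closed is the interlock state read back on a spare pin
 * (assumed wiring). Returns the level to drive on the ARM pin: true =
 * HIGH = armed. Unsigned subtraction stays correct across millis() wrap. */
bool arm_fsm_step(struct arm_fsm *f, uint32_t now_ms,
                  bool arm_request, bool gate_closed)
{
    uint32_t elapsed = now_ms - f->phase_start_ms;
    if (!gate_closed) { f->phase = ARM_IDLE; return false; }  /* interlock lost: abort */
    switch (f->phase) {
    case ARM_IDLE:
        if (arm_request) { f->phase = ARM_COUNTDOWN; f->phase_start_ms = now_ms; }
        return false;
    case ARM_COUNTDOWN:  /* releasing the request during the countdown aborts */
        if (!arm_request) { f->phase = ARM_IDLE; return false; }
        if (elapsed < f->countdown_ms) return false;
        f->phase = ARM_ARMED; f->phase_start_ms = now_ms; return true;
    case ARM_ARMED:      /* the window ends on time, whatever the inputs do */
        if (elapsed < f->arm_window_ms) return true;
        f->phase = ARM_LOCKOUT; f->phase_start_ms = now_ms; return false;
    case ARM_LOCKOUT:    /* a held or stuck request can never re-arm by itself */
        if (elapsed >= f->lockout_ms && !arm_request) f->phase = ARM_IDLE;
        return false;
    }
    return false;
}
```

In a sketch, loop() would call arm_fsm_step(&fsm, millis(), digitalRead(ARM_IN), digitalRead(GATE_IN)) and write the returned level to the ARM output pin every pass, so the pin is only ever asserted by a fresh decision.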
