Hot Tub Temperature Control

rogertee:
The pressure switch also has a high limit and thermostat in series to disable the heater. These three components can be replaced using two temperature sensors in a comparison configuration using software, i.e. if one sensor is hotter it is a pressure problem; if both are hot then it is an overheat. When both are equal they are compared to the setpoint and the water is heated up. A 4-channel relay shield is needed for high/low speed of pump, heater and overheat. If more than one pump is used it will require additional relays.

Although the logic of the two temperature sensors is good in theory, it is not suitable at all for a safety system!

Let's look at the most fundamental safety aspects of hot tub safety, i.e. what can go wrong....

  1. Heater element rupture

When heating elements fail, they will either go open circuit or rupture. Obviously rupture is the main problem, as the live circuit would then become exposed to the water.

The three main design features of the hot tub heating system are: first, the stainless steel tube in which the element is mounted, which is solidly tied to ground, so if a rupture occurs the current flows the shortest path to earth, which is the small space between the heater and the side wall of the tube. If this happens, the second major safety feature cuts in: the RCD or GFI breaker, which detects the current imbalance and shuts off the power.

The third feature of this type of heater design is to stop the heating element from rupturing in the first place. Rupture normally happens when a hot spot forms on the element, so the design disperses the heat away as quickly as possible via the flow of water, hence the pressure switch.

  2. Software failure

If your Arduino were to crash, or there was an error in your code, or even if the output of the micro failed and the signal to the relay was not turned off, the tub would just get hotter and hotter. This is why the thermal cut-out and flow switch are normally on a separate, pure hardware circuit.

  3. Heater control failure

Let's look at the two types here. Relays: well, these can fail. The coil can go open circuit and they will not trigger; in this application that is probably not a problem, as the heater will not come on. The failure we have to look out for is the contacts welding together and the relay not releasing. In real life this happens: the coating of the contacts wears away and, with a nice heavy load, they arc and weld, so your relay and heater are not going to turn off no matter what your Arduino does. Again we are in a boiling hot tub situation.

Solid state relays: when these fail they normally fail short. This is what Omron say in their documentation....

"Safety Concept

The SSR is an optimum relay for high-frequency switching and
highspeed switching, but misuse or mishandling of the SSR may
damage the elements and cause other problems. The SSR
consists of semiconductor elements, and will break down if these
elements are damaged by surge voltage or overcurrent. Most
faults associated with the elements are short-circuit
malfunctions, whereby the load cannot be turned OFF."

Again, one very hot tub...

So to keep safe, the best solution is to keep the hardware and software safety systems separate, and it's not hard to do....

Two relays: a pressure switch in series with an over-temp cut-out, which enables the first double-pole relay, will protect against low flow and over-temp on a hardware level. The second relay, taking power from the first, can be used to control the tub temperature. Obviously your little CPU will have software over-temp protection, but if this fails or the relay jams then the second hardware circuit will take over.

And please don't take this post the wrong way. I don't mean to pull your idea down; in actual fact it's an innovative way to detect the flow, but I don't think it should be used as any part of a safety system.
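To make the argument concrete, here is a small C model of the two-relay arrangement described in the post, run against the failure modes it lists (welded contacts, a crashed CPU with the output stuck on, and a software-only design with no hardware interlock). This is an added example, not code from the post or from rogertee; the thresholds, heating and cooling rates, and the assumption that the thermal cut-out latches open once tripped (a manual-reset cut-out) are all constructed for the illustration. The software layer uses rogertee's two-sensor comparison only as a control input, with the pressure switch and cut-out on their own circuit feeding the first relay.

```c
/* Model of a hot tub heater with a separate hardware interlock.
 * Added example, not code from the forum post. Temperatures are integer
 * tenths of a degree C so the simulation is exact; all thresholds and the
 * latching cut-out behaviour are assumptions made for this illustration. */
#include <stdbool.h>
#include <stdio.h>

/* --- Hardware interlock: pressure switch in series with thermal cut-out,
 * driving the first (double-pole) relay. The CPU has no say here. */
typedef struct {
    int high_limit;  /* cut-out trip point, tenths of a degree */
    bool tripped;    /* assumption: manual-reset cut-out, stays open once tripped */
} hw_interlock_t;

bool hw_first_relay_closed(hw_interlock_t *hw, bool flow_ok, int water_temp)
{
    if (water_temp >= hw->high_limit)
        hw->tripped = true;
    return flow_ok && !hw->tripped;
}

/* --- Software controller (the Arduino). Two sensors that disagree are
 * treated as a flow problem, a software over-temp limit sits below the
 * hardware one, and the setpoint is applied with hysteresis. */
typedef struct {
    int setpoint, hysteresis, sw_overtemp, max_mismatch;
    bool heater_request;
} sw_controller_t;

bool sw_heater_request(sw_controller_t *c, int sensor1, int sensor2)
{
    int hot  = sensor1 > sensor2 ? sensor1 : sensor2;
    int diff = sensor1 > sensor2 ? sensor1 - sensor2 : sensor2 - sensor1;

    if (diff > c->max_mismatch || hot >= c->sw_overtemp)
        c->heater_request = false;          /* flow problem or overheat */
    else if (hot >= c->setpoint)
        c->heater_request = false;          /* reached setpoint */
    else if (hot <= c->setpoint - c->hysteresis)
        c->heater_request = true;           /* cooled enough, heat again */
    /* in between: keep the previous state */
    return c->heater_request;
}

/* --- Second relay, powered through the first. Welded contacts stay closed
 * regardless of what the CPU asks for. */
bool heater_powered(bool first_relay_closed, bool second_relay_welded, bool sw_request)
{
    bool second_closed = second_relay_welded || sw_request;
    return first_relay_closed && second_closed;
}

/* --- Fault injection for the scenarios in the post. */
typedef struct {
    bool second_relay_welded;   /* contacts arced and welded */
    bool cpu_output_stuck_on;   /* Arduino crashed with the pin still high */
    bool hw_interlock_fitted;   /* false = software-only design */
} fault_t;

/* Runs the tub for `steps` cycles and returns the peak water temperature
 * reached (tenths of a degree). Heater on: +0.5 C per step; off: -0.1 C. */
int simulate_peak_temp(fault_t f, int steps)
{
    hw_interlock_t hw = { .high_limit = 450, .tripped = false };
    sw_controller_t sw = { .setpoint = 380, .hysteresis = 10,
                           .sw_overtemp = 410, .max_mismatch = 20,
                           .heater_request = false };
    int temp = 350, peak = temp;

    for (int i = 0; i < steps; i++) {
        bool request = sw_heater_request(&sw, temp, temp); /* good flow: sensors agree */
        if (f.cpu_output_stuck_on)
            request = true;
        bool first_closed = f.hw_interlock_fitted
                          ? hw_first_relay_closed(&hw, true, temp)
                          : true;
        bool on = heater_powered(first_closed, f.second_relay_welded, request);
        temp += on ? 5 : -1;
        if (temp > peak)
            peak = temp;
    }
    return peak;
}

static void report(const char *name, fault_t f, int steps)
{
    int p = simulate_peak_temp(f, steps);
    printf("%-28s peak %d.%d C\n", name, p / 10, p % 10);
}

int main(void)
{
    report("healthy",                 (fault_t){ false, false, true  }, 200);
    report("welded relay + interlock",(fault_t){ true,  false, true  }, 200);
    report("crashed CPU + interlock", (fault_t){ false, true,  true  }, 200);
    report("welded relay, sw only",   (fault_t){ true,  false, false }, 100);
    return 0;
}
```

In the healthy run the software holds the water at the setpoint. With welded contacts or a crashed CPU, the software layer is irrelevant and only the hardware cut-out stops the rise, at its own (higher) limit. Remove the hardware interlock and the same welded relay heats the water without bound, which is the point the post makes.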