Fire safety question

Derek Potter
I need some information about the current approach to safety of new
equipment with regard to fire hazards created by a fault. I appreciate
there are generic standards covering the ejection of molten metal and
so on, but I am wondering about the application of the "single
component failure" concept in situations where a failure could
overload a semiconductor with the possible, though unlikely, result
that it ignites or ignites an adjacent part. I'm not asking about
*techniques* to avoid hazard, I'm asking about what is legally
required. Trick question - I'm not asking for legal advice, just
information concerning best current practice. I'm posting from the UK
but I suspect the regs will be substantially the same in all of Europe
and the US.

My particular concern is a small transistor driving an external alarm.
The power supply has a fuse but as it feeds several circuits, it
doesn't provide much protection for the external alarm circuit. I am
considering an active current limit in the supply but I still have
some reservations as to whether this meets the letter of the law. For
example, one scenario involves two events as follows:

1. The current limit fails spontaneously, but as this is not
monitored, the defect remains undetected, waiting for the second event
to happen...
2. Someone fiddles with the external wiring and causes a short.

The result is that the driver overheats, catches fire and there is
hell to pay. Now, it is perfectly true that this involves two
independent "failures" so at first sight would meet the "single
component failure" criterion. However, I suspect that a fault that is
never detected (and just lies there waiting for a chance to create a
hazard) may not count. Likewise, a fault that could be caused by Uncle
Fred with his screwdriver is hardly a spontaneous component failure.
So overall, would such a system meet the "due care" criterion?

I have severe doubts as to whether much equipment is designed with
this degree of concern but it would be good to be ahead of the field -
without incurring too much cost.

Also, if this isn't the best newsgroup could someone point me in the
right direction? Most electronics groups seem to be full of people
selling stuff.

TIA.
 
"Derek Potter" <dpatspothyphenonhyphensolutionsdotcodotuk@thats.all> wrote
in message news:3ques15r859309d1ea5b856dnrrk9bmn8s@4ax.com...
...

If you are in the UK, you are under EU requirements and you should be
studying the appropriate IEC specs for the type of equipment you are
designing. Just as a personal opinion - if there is an output that when
shorted will cause a fire, then there should be some type of protection for
the output.


 
"Derek Potter" <dpatspothyphenonhyphensolutionsdotcodotuk@thats.all> wrote
in message news:dr0ls1dentin9a1edgcfabs9kl0i19eaog@4ax.com...
On Sat, 14 Jan 2006 15:44:06 GMT, "Dan Hollands"
<dhollan3@rochester.rr.com> wrote:

"Derek Potter" <dpatspothyphenonhyphensolutionsdotcodotuk@thats.all> wrote
in message news:mrrhs1heq0vhnar2g5cgibqj8fffppg0ok@4ax.com...
On Fri, 13 Jan 2006 13:47:07 GMT, "Dan Hollands"
<dhollan3@rochester.rr.com> wrote:

"Derek Potter" <dpatspothyphenonhyphensolutionsdotcodotuk@thats.all> wrote
in message news:3ques15r859309d1ea5b856dnrrk9bmn8s@4ax.com...
...

Indeed so, but my question goes a bit further as I already have
protection in the shape of a foldback regulator. It's failure of this
protection that I'm asking about. This is unlikely to cause an
immediately hazardous condition, but, obviously, if the protection
fails, the circuit is then left susceptible to any other fault. In
this case it could be a fairly rare external event. The failure of the
protection device may not be detected without yet more circuitry to
monitor the foldback operation of the regulator! Am I being too fussy?
Do most commercial and consumer devices go this far?

Generally equipment design for general use is only concerned with a single
failure criterion. In my experience adding more circuitry increases the
complexity to the point that failures and problems are more likely. The
problem with all redundant circuits is the need to test them to ensure that
all of the redundant circuits are working. Statistical methods may be used
to determine how often the redundant circuits must be checked to achieve a
certain confidence level that the system will operate properly when required.
In your case I would see no need for extra circuitry.

Exceptions are things like Safety Shutdown systems, Intrinsically Safe
Equipment to ensure that sparks or hot spots don't trigger an explosion in
explosive atmospheres, and control systems in nuclear power plants.

Agreed completely and I tend to think, like you, that having a little
foldback regulator to guard against the occasional shorted load is
probably enough. The question hinges on what comprises a "single
component failure" since an external short in unprotected wiring
accessible to "Uncle Fred" is not exactly a component failure.
Likewise failure of the current limit doesn't create a fault in itself
but, as it's not going to be monitored, this doesn't quite settle the
matter - it leaves the system in a vulnerable state to an external
short.

I suppose, in a nutshell, the question comes down to whether
protection circuits are relevant to "due care" if an undetectable
failure in the protection leaves the system just as vulnerable as if
the protection were not there.

On another tack, I may work around this by fitting a fire-resistant
sleeve over the transistor. It can burn as much as it likes then, but
I was hoping to avoid the trouble.
Derek

It is almost impossible to make a product completely fail-proof. All you can
do by adding more components is decrease the likelihood of a problem. If
the accidental shorting of external connections can cause a fire then it is
prudent to add protection such as your current limit circuit. That is all
you need to do. A problem will only occur if 2 unlikely events occur. If you
added another current limit circuit a problem would only occur if 3 unlikely
events occurred. That is above and beyond what is required for normal use
products.

Dan
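Dan's remark that statistical methods decide how often a redundant circuit must be checked can be put into numbers. The script below is an added example written for this page, not code from anyone in the thread; it models Derek's two-event scenario (a latent, unmonitored failure of the current limit, followed later by an external short) with constant failure and demand rates and compares it with a monitored limiter and with Dan's "three unlikely events" second limiter. The limiter failure rate, the rate of external shorts, the repair time and the ten-year unchecked life are constructed assumptions chosen for illustration, not measured values.

```python
"""Hazard exposure from a latent failure of a protection circuit.

Model (standard constant-rate reliability arithmetic, assumptions labelled):
  * each protection layer fails at a constant rate (per hour);
  * an unmonitored layer stays failed until a periodic check, held
    check_interval hours apart, finds it (Derek's "lies there waiting" case);
  * a monitored layer is found at once and repaired within repair_hours;
  * the external short ("Uncle Fred") arrives at a constant demand rate;
  * a hazard is a demand arriving while every layer is already failed.
"""
import math

HOURS_PER_YEAR = 8760.0


def latent_unavailability(failure_rate, check_interval):
    """Mean fraction of time an unmonitored layer is secretly failed.

    Exact value for a fault found only at the next check: 1 - (1 - e^-x)/x
    with x = failure_rate * check_interval; for small x this is x/2, the
    usual 'lambda T over two' rule of thumb.
    """
    x = failure_rate * check_interval
    if x <= 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def monitored_unavailability(failure_rate, repair_hours):
    """Mean fraction of time a monitored layer is failed: only the repair
    window counts, so roughly failure_rate * repair_hours."""
    x = failure_rate * repair_hours
    return x / (1.0 + x)


def hazard_rate(layer_unavailabilities, demand_rate):
    """Rate of demands that find every independent layer failed."""
    all_failed = 1.0
    for u in layer_unavailabilities:
        all_failed *= u
    return demand_rate * all_failed


def hazard_probability(rate, life_hours):
    """Probability of at least one hazard event over the product life."""
    return 1.0 - math.exp(-rate * life_hours)


# Constructed assumptions for the comparison (not figures from the thread):
LIMITER_FAILURE_RATE = 1e-6                      # per hour
SHORT_DEMAND_RATE = 1.0 / (5 * HOURS_PER_YEAR)   # one external short per 5 years
LIFE_HOURS = 10 * HOURS_PER_YEAR                 # ten-year life, never checked
REPAIR_HOURS = 24.0                              # time to fix a detected fault


def compare_designs():
    """Probability of a hazard event over the life for three designs."""
    u_latent = latent_unavailability(LIMITER_FAILURE_RATE, LIFE_HOURS)
    u_monitored = monitored_unavailability(LIMITER_FAILURE_RATE, REPAIR_HOURS)
    designs = {
        # Derek's design: one foldback limiter that nobody watches.
        "one unmonitored limiter": [u_latent],
        # Same limiter, plus circuitry that reports its failure.
        "one monitored limiter": [u_monitored],
        # Dan's "three unlikely events": a second, independent unmonitored limiter.
        "two unmonitored limiters": [u_latent, u_latent],
    }
    return {
        name: hazard_probability(hazard_rate(layers, SHORT_DEMAND_RATE), LIFE_HOURS)
        for name, layers in designs.items()
    }


if __name__ == "__main__":
    for name, p in compare_designs().items():
        print(f"{name:26s} P(hazard over life) = {p:.2e}")
```

With these figures the unmonitored limiter is secretly failed about 4% of the time on average, which is what turns a rare external short into a few-percent chance of the hazard over the life; monitoring the limiter, or adding a second one, brings that down by orders of magnitude. The same arithmetic with real component failure data and a realistic check interval gives the confidence level Dan refers to.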
 
On Sun, 15 Jan 2006 20:00:31 GMT, "Dan Hollands"
<dhollan3@rochester.rr.com> wrote:

"Derek Potter" <dpatspothyphenonhyphensolutionsdotcodotuk@thats.all> wrote
in message news:dr0ls1dentin9a1edgcfabs9kl0i19eaog@4ax.com...
...
It is almost impossible to make a product completely fail-proof. All you can
do by adding more components is decrease the likelihood of a problem. If
the accidental shorting of external connections can cause a fire then it is
prudent to add protection such as your current limit circuit. That is all
you need to do. A problem will only occur if 2 unlikely events occur. If you
added another current limit circuit a problem would only occur if 3 unlikely
events occurred. That is above and beyond what is required for normal use
products.
That's good. I shall drag you into court if we get prosecuted :)

Seriously, I felt I was being unduly fussy but it's good to get some
comments from other designers - especially if they support the
common-sense view.

Next topic - EMC and the need for compliant testing...
 
After a long response, some useful numbers. 12 volts at 120 mA is a
significant difference from, for example, a telephone wire. Telephone
wire can have 100 volts. If just a consumer product operating at 12
volts, then a regulator or current limited transistor switch may be
more than sufficient - depending on maximum source current and how much
PC board damage is acceptable. Some use Polyswitch from Raychem (now
Tyco) in series for backup protection, as noted earlier.

Polyswitch, for example, is often unacceptable for phone line (low
power) applications because of 60+ volts. Phone lines meet the
criteria in an earlier post that did not provide numbers - which is why
hedging on a Polyswitch recommendation was necessary.

What are failure criteria? If 12 volts rises to say 16, will that
cause a component to short circuit, then resulting in a short circuit
and (maybe) fire? Some 12 volt loads can withstand 30+ volts for short
periods. Others cannot. If used in automotive functions, then most
regulators will not meet the load dump criteria - criteria typically
not found in computer 12 volt applications.

120 mA normal load implies a single point failure could consume
significant power (amperes?). In which case a second device (i.e.
Polyswitch) would provide good backup protection. This same protection
is used on computer keyboard and mouse ports. At low voltages and
currents, fuses have not been a preferred solution for maybe 20 years
now.

Nothing above could be recommended with an earlier post that provided
no numbers. Even 12 volts versus 60 volts would change the
recommendation. Again, replies will only be as good as the numbers
provided.

Derek Potter wrote:
...
FWIW, the small transistor circuit in question is a BS160 FET driving
a 12V load at 120mA but subject to possible short circuits as said.
The system fuse is 1A but fuses do not blow instantly so, with the
fairly high "on" resistance of the FET (rising as it heats up), there
is the distinct possibility of the TO92 device dissipating many watts
before failing. The electronic protection comprises a foldback
regulator and is perfectly adequate unless, of course, it fails first,
leaving the circuit unprotected without any indication of the latent
problem.
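The numbers Derek quotes (12 V, 120 mA, a 1 A fuse, a TO-92 FET whose on-resistance rises as it heats) are enough to show why the fuse is no protection for the transistor and why the unmonitored foldback limiter is the only thing between a shorted load and a very hot TO-92. The script below is an added example for this page, not code from the thread or from any manufacturer: the supply voltage, load current and fuse rating come from the post, while the on-resistance, its temperature coefficient, the thermal resistance, the temperature and power limits and the 150 mA limiter setting are constructed placeholders, not BS160 datasheet values.

```python
"""Steady-state junction temperature of a small FET switch under a shorted load.

Figures from the thread: 12 V supply, 120 mA normal load, 1 A system fuse.
Everything else is a constructed assumption standing in for datasheet data.
"""

V_SUPPLY = 12.0      # V, from the thread
I_LOAD = 0.120       # A, normal alarm load, from the thread
I_FUSE = 1.0         # A, system fuse rating, from the thread

# Constructed placeholders (NOT BS160 datasheet values):
R_ON_25 = 5.0        # ohms, on-resistance at 25 C
ALPHA = 0.01         # fractional rise of on-resistance per kelvin
R_TH_JA = 200.0      # K/W, junction-to-ambient thermal resistance of a TO-92
T_AMBIENT = 25.0     # C
T_J_MAX = 150.0      # C, junction temperature ceiling
P_MAX = 0.6          # W, rated continuous dissipation
I_LIMIT = 0.150      # A, setting of the foldback limiter while it works


def r_on(t_junction):
    """On-resistance rising linearly with junction temperature."""
    return R_ON_25 * (1.0 + ALPHA * (t_junction - 25.0))


def steady_state(r_load, i_limit, v_supply=V_SUPPLY, max_iter=500):
    """Iterate T_j = T_a + P * R_th until it settles or passes T_J_MAX.

    r_load:  external load resistance in ohms (0.0 is a dead short)
    i_limit: current the upstream limiter clamps to, or None when the
             limiter has failed or is absent (fuse only)
    """
    t = T_AMBIENT
    for _ in range(max_iter):
        r = r_on(t)
        i = v_supply / (r + r_load)              # what the supply can push
        if i_limit is not None:
            i = min(i, i_limit)                  # limiter clamps it lower
        p = i * i * r                            # dissipated in the FET
        t_new = T_AMBIENT + p * R_TH_JA
        result = {
            "current_A": i,
            "power_W": p,
            "t_j_C": t_new,
            "exceeds_fuse": i > I_FUSE,
            "survives": t_new <= T_J_MAX and p <= P_MAX,
        }
        if t_new > T_J_MAX or abs(t_new - t) < 0.01:
            return result
        t = t_new
    result["survives"] = False                   # never settled: runaway
    return result


def scenarios():
    """The three cases argued over in the thread."""
    r_normal = V_SUPPLY / I_LOAD - R_ON_25       # load that draws 120 mA cold
    return {
        "normal load, limiter working": steady_state(r_normal, I_LIMIT),
        "short, limiter working": steady_state(0.0, I_LIMIT),
        "short, limiter failed (fuse only)": steady_state(0.0, None),
    }


if __name__ == "__main__":
    for name, s in scenarios().items():
        print(f"{name:34s} I={s['current_A']:.2f} A  P={s['power_W']:.2f} W  "
              f"Tj={s['t_j_C']:.0f} C  fuse exceeded={s['exceeds_fuse']}  "
              f"FET survives={s['survives']}")
```

The useful reading is the second and third rows side by side: the same dead short is a 0.15 W non-event while the limiter works and a tens-of-watts event the moment the limiter has quietly failed, with the FET current only about two and a half times the fuse rating, where, as Derek notes, a fuse does not clear instantly. That is the latent-failure exposure he describes, stated in watts rather than in words; a series PTC or a different limiter setting can be assessed the same way by changing r_load or i_limit.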
 
On 15 Jan 2006 23:39:48 -0800, "w_tom" <w_tom1@usa.net> wrote:

...
The long response was an attempt to clarify the fact that I was asking
about best practice and the interpretation of the "single component
failure" concept, not asking for circuit recommendations.

Incidentally, Polyswitches may be rated at 60V but other readily
available PTCs go to 265V. However, when you say "In which case a
second device (ie Polyswitch) would provide good backup protection"
you are not making it clear whether your recommendation is to use an
active current limit *and* a Polyswitch, or just have a Polyswitch in
series with the load in case there's a short. The former sounds like
overkill but is the only possible design approach given a Draconian
interpretation of "single component failure" as the external load and
the unmonitored current limit don't count. The other is merely
substituting a Polyswitch for the regulator and is subject to the same
failure scenario that I was asking about.
 
The keyboard and mouse are connected to a 'tens of amp' power supply
with only a Polyswitch for protection. In that application, a burned
PC trace is acceptable. In a machine that handled dangerous materials,
we used a small regulator AND a Polyswitch, in series, because
consequences of failure there were catastrophic. Only two layers of
protection because voltage could never exceed a regulator's maximum
input voltage.

Note the difference between both solutions. Details of upstream
power source and downstream consequences of failure must be considered.

In one appliance, a manufacturer used a circuit breaker in series
with Polyswitch. But the designer did not quite understand how
failures occur. He put two 60 volt Polyswitches in series thinking
that was equivalent to one 120 volt Polyswitch. When the circuit
breaker failed to trip, those Polyswitch devices also failed causing a
house fire. An example provided as background insight.

Never used (therefore studied) those higher voltage Polyswitches; so
I am hesitant to recommend them. Numbers for incoming voltages and
currents that can damage the regulator/transistor/Polyswitch and the
downstream consequences of a failure are necessary to better answer
your question. Again, a Polyswitch alone is sufficient for keyboard
power because consequences of a Polyswitch failure are not
catastrophic.

Derek Potter wrote:
...
 
