Fail Safe backup heat and computer controls

Status
Not open for further replies.

Nofossil

Moderator Emeritus
Since I don't trust computers, I've spent a fair amount of time designing my system to 'fail safe' - that is, to be able to provide heat even if the controller fails. My current solution is WAY too complicated, and I've looked at this problem in light of my gradual progress towards a salable version of the NoFossil Control System (NFCS).

Here's what I'm thinking: Any system that has a computer involved should be designed so that backup heat works properly even if the computer fails or isn't connected. This could be accomplished via a passive relay box that connects thermostats to zone valves (or circulators) but allows the controller to override the box. I'll call this a 'Failsafe Control Box'.

In this scheme, the NFCS would have temperature sensors for each zone that it uses to decide when and where to send hot water. Thermostats would be simple / cheap units that would be set for very low temps and used ONLY for controlling the backup heat source.

The failsafe box would have 'force' relays controlled by the NFCS that could force heat to zones as desired independent of the thermostats. It would also have a relay to disable the demand signal that would normally go to the backup heat source. All relays would allow normal backup heat operation in their unpowered state.

Here's a schematic for a simple two zone plus indirect hot water example. This would require a box with six relays and connections for three zone valves, two thermostats, an aquastat, 24 VAC, and a connection to the demand contacts on the fossil boiler.

Anything in blue is controlled by the NFCS. Relay contacts are shown in their unpowered positions. There is an extra relay for the DHW so that the NFCS can tell when it's calling for heat.

Any thoughts?
 

Attachments

  • nfcs-failsafebox.gif (25.9 KB)
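As an added illustration (this is not code from the thread or from the NFCS project), the following Python models the relay logic the post describes: a thermostat contact in parallel with an NFCS-driven 'force' contact for each zone valve, a 'disable' relay in series with the boiler demand, and an extra relay that reports the DHW aquastat call back to the controller. The zone names, the assumption that boiler demand follows the zone valves (end-switch style), and the rule that every controller-owned coil drops out when the controller is unpowered are all modelling choices made here, not details taken from the schematic. The exhaustive check is the point: for every combination of thermostat inputs and whatever stale force/disable settings a dead controller last asked for, the box must behave exactly like plain thermostat-to-valve wiring.

```python
from dataclasses import dataclass, field
from itertools import product

# Zones for the two-zone-plus-indirect example in the post (names are ours).
ZONES = ("zone1", "zone2", "dhw")


@dataclass
class ControllerState:
    """What the NFCS (the computer) is driving into the box.

    powered=False models a failed, unplugged or crashed controller: every
    relay coil it owns drops out, so the box falls back to plain wiring.
    """
    powered: bool = False
    force: dict = field(default_factory=dict)   # zone -> True to force heat to it
    disable_backup: bool = False                 # cut demand to the fossil boiler


@dataclass
class BoxOutputs:
    valves: dict          # zone -> True when that zone valve is opened
    backup_demand: bool   # demand contacts to the fossil boiler closed?
    dhw_sensed: bool      # extra relay: tells the NFCS the aquastat is calling


def failsafe_box(calls: dict, ctl: ControllerState) -> BoxOutputs:
    """Evaluate the relay logic for one set of inputs.

    calls: zone -> True when that zone's thermostat (or the aquastat) is calling.
    Contacts sit in their unpowered position unless the controller is powered
    AND energises that particular coil.
    """
    valves = {}
    for z in ZONES:
        forced = ctl.powered and ctl.force.get(z, False)
        # Thermostat contact in parallel with the force contact: either opens the valve.
        valves[z] = bool(calls.get(z, False)) or forced
    # Boiler demand follows the valves (modelled like end switches) unless the NFCS
    # is alive and holding the disable relay, which opens the demand path.
    disabled = ctl.powered and ctl.disable_backup
    backup_demand = any(valves.values()) and not disabled
    return BoxOutputs(valves=valves, backup_demand=backup_demand,
                      dhw_sensed=bool(calls.get("dhw", False)))


def plain_wiring(calls: dict) -> BoxOutputs:
    """Reference behaviour: thermostats wired straight to zone valves, no box at all."""
    valves = {z: bool(calls.get(z, False)) for z in ZONES}
    return BoxOutputs(valves=valves, backup_demand=any(valves.values()),
                      dhw_sensed=bool(calls.get("dhw", False)))


def controller_dead_is_transparent() -> bool:
    """Exhaustive check of the fail-safe property: with the controller unpowered,
    the box matches plain wiring for every thermostat combination, regardless of
    the force/disable settings the controller last requested."""
    for bits in product((False, True), repeat=len(ZONES)):
        calls = dict(zip(ZONES, bits))
        for force_bits in product((False, True), repeat=len(ZONES)):
            for disable in (False, True):
                dead = ControllerState(powered=False,
                                       force=dict(zip(ZONES, force_bits)),
                                       disable_backup=disable)
                if failsafe_box(calls, dead) != plain_wiring(calls):
                    return False
    return True


def controller_can_override() -> bool:
    """When alive, the NFCS can open a zone with no thermostat call and keep the
    fossil boiler from firing while it supplies that zone itself."""
    alive = ControllerState(powered=True, force={"zone1": True}, disable_backup=True)
    out = failsafe_box({z: False for z in ZONES}, alive)
    return out.valves["zone1"] and not out.backup_demand


if __name__ == "__main__":
    print("controller dead -> behaves as plain wiring:", controller_dead_is_transparent())
    print("controller alive -> can force a zone and hold off the boiler:",
          controller_can_override())
```

The useful habit here is the exhaustive walk in `controller_dead_is_transparent`: a relay box only earns the name 'fail-safe' if the unpowered state is correct for every input, not just the ones you happened to test on the bench, and a small truth-table check like this is cheap to re-run whenever a relay is added to the box.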
I have read all the posts about various complicated control schemes others have written and actually started to write up responses but held back and bit my tongue. Since you asked for thoughts I decided to join in. First, my background includes installs of combustion control and burner management systems for large marine plants. Everything is regulated by various agencies as far as safety and operation. That said, any control scheme has safety as its core. (I am not preaching at you nofossil - just thinking out loud.) Generally, any control system should not be integrated so tightly that everything works or it all goes down. Ideally, if one section has a problem, it should not cascade and create problems for everything else. Anything that does fail should go to a fail safe mode. Every possible scenario has to be looked at and studied - and you will probably never get them all. I totally agree with the idea that you should not depend on a computer. Using it for programming is ok. Important safety functions should be totally independent of the control systems, i.e. such as a basic relief valve wherever pressure could build. Redundancy for safety is never a bad idea. Reliability is another issue to think about.

I don't have time to study in detail your idea as I am just lighting off a plant right now. However, I think it is great to have everyone's ideas out for constructive criticism. I just think we are in a gray area as far as meeting codes and insurance issues for safety.

Mike
 
steam man said:
I don't have time to study in detail your idea as I am just lighting off a plant right now. However, I think it is great to have everyone's ideas out for constructive criticism. I just think we are in a gray area as far as meeting codes and insurance issues for safety.

Mike

Thanks for your input. Part of my reason for posting is to hopefully get a few other sets of eyes (and brains) to look at it and think about implications that I might have missed.

As far as I can decipher, this approach adds reliability without any safety related downside. I'll feel better after a few more people look at it.
 