Fail-Safe Circuit Using Discrete Logic Chips

When controlling a device that can present a danger to people or property, it is important to include adequate safeguards, in both software and hardware.  I now have a Raspberry Pi controlling the heater and circulation pump on my hot tub because the existing controller failed.  If the heater is left turned on indefinitely or if it is turned on without the circulation pump running, then bad things can happen.  It could produce scalding hot water or even a possible steam explosion.  Therefore, I have built in multiple safeguards in both software and in hardware.

The system has two temperature probes:  one in the water and one directly on the outlet pipe from the heater.  If the software detects the heater temperature above a certain point it will enter a failure mode and turn the heater off.  The software also assures that the circulation pump runs whenever the heater is on.  The hardware interface uses discrete logic chips to add an additional layer of protection.  An “and gate” is used to prevent the heater relay from being enabled if the pump is not also enabled.

Another more complex circuit solves another problem.  The software or the computer hardware could fail, leaving the heater turned on indefinitely.  A “clock failure detection” circuit is used to handle this issue.  For the heater relay to remain turned on, a GPIO pin must be pulsed regularly.  If this “heartbeat” is not detected, then the failsafe circuit shown below will turn the relay off. 

555 in astable mode which produces a pulse every 2.079 seconds.

Here are the components used:

• A clock source, provided by a 555 chip configured in astable mode, produces a pulse approximately once every two seconds.  Many sources on-line describe how to use this very common chip.  My configuration is shown here.

• An AND Gate, which does exactly what its name implies.

• An inverter, which changes a hi signal to low and a low signal to high.

• Four D-flops, which can be thought of as a single bit memory device.  A D-flop will store the value on its data input line when the clock line is pulsed.  It can also be set to one or cleared to zero using the PRESET and CLEAR inputs.  These are active low, which means they should normally be kept high and briefly set to low to activate the preset or clear function.  The Q pin is the output.  An inverse of this is also provided but is not used in this circuit.

Here is the complete block diagram of the fail-safe circuit.

Fail-safe circuit

I used TTL (5V) chips because I have a stock of these from long ago. 

• 555 – Monostable/Astable timer
• 7404 – Inverter (six on one chip)
• 7408 – two input AND Gate (four on one chip)
• 7474 – D-Flop (two on one chip)

Today it may be more appropriate to use CMOS (3V) chips and equivalents to the TTL chips I used can easily be found.