Switch ELECTRICALLY SAFE between 3 resistive loads (16 A each) on a 16 A line

Question

How to switch 3 resistive consumers (heaters), each having a current consumption of nearly 16 A alternate & ELECTRICALLY SAFELY (German standards)?
So that only one of them heats at a time and the 16 A of the supply line will not exceed.

Suggestion No. 1 (parallel with circuit breaker):

3 electrical contactors (25 A) connected in parallel, are switched on and off by a microprocessor using a relay. The program (which will not be discussed in detail here) ensures that only one contactor activates a consumer and switches the others off.

Problem: A bug or a crash could result in the circuit not working properly and thus possibly switching on 2 or 3 contactors, increasing the load to 32 A or even 36 A.
In this case, in order to have an electrically safe system, is it sufficient to put a 16 A circuit breaker in the supply line of the contactors to ensure a separation? What cross-section should the wiring have for this?

Suggestion No. 2 (changeover switch in stages): 1 changeover contactor, switches between consumer 1 and another 25 A changeover contactor. Consumer 2 is connected to this and another 25 A changeover contactor. Consumer 3 is connected to this. The microprocessor switches the contactors so that either consumer 1, 2, or 3 is active. A big click concert begins.

Advantage: Because they are all changeover contactors, even if there is a bug or the microprocessor/program crashes, it is guaranteed that the current only ever flows to one consumer and can therefore never rise above 16 A.

Is it necessary to design an electrically safe system according to suggestion 2, or is a circuit breaker in the upstream according to suggestion 1 sufficient to make it safe?

Answer 1

Suggestion #3 - hardware logic drives the contactors so that only a maximum of one switch is driven, regardless of the code sent to it by the MCU. For instance, use a 74HC138 or 139 to decode 2 binary bits into the four states of drive none, drive A, drive B, and drive C.

The 138/139 decoders offer a further benefit which can improve the safety of the whole thing, drive the enable pin with the output of a monostable, whose default state is off. Have the mono continuously re-triggered by a watchdog in the MCU program. If the program crashes, the retrigger stops, and all contactors open.

Note that this only addresses the electronics aspects of the problem. All the 'power' aspects, so adherence to local electrical regulations, proper fusing of conductors, handling the possibility of contact welding, has to be dealt with as well.

Answer 2

Let’s consider parallel contactors as in suggestion 1, but prevent them from being activated concurrently. This can be easily done using auxiliary contacts to implement a priority encoder: the first contractor in the priority chain removes coil power from the contactors downstream.

I would also add a secondary auxiliary contact on each contactor so that the microprocessor can do a self-test and verify that the priority encoder works properly and prevents concurrent activation.

If the self-test fails, the firmware indicates an error to the user and halts.

This scheme would protect from any single failure: as long as the microprocessor and the relays are OK, the priority encoder can fail and this will be detected, and the power will be removed from all the coils. Conversely, if the microprocessor, relay drivers, or relays fail during normal operation, the priority encoder will prevent parallel activation of the heaters.

You can also consider using safety (mechanically linked) auxiliary contacts for the contactors. That way the firmware could detect if any of the main contacts have welded shut.

It all really depends on what the acceptable risk level is.

When using a breaker to break the circuit as in suggestion #1, the breaker should be coordinated with the smallest possible breaker for the circuit in the breaker panel. This coordination may prove to be impossible. I would consider it an unacceptable failure mode to have the upstream breaker tripped, just due to the hassle and potential dangers of a customer “rectifying” the problem by resetting the breaker. Thus coordination is needed, and if not possible then the built-in breaker “protection” won’t work.

In well-designed firmware, the possibility of a failure should be low enough that a single-use fuse would be better than a breaker. The opening of that fuse would be due to contacts having welded on one of the contactors.

Hopefully you can now appreciate the benefits of the changeover contactors in suggestion 2. A safety normally-closed auxiliary contact chain on those contactors could be used to disable the system if any power contacts have welded shut.

This brings another issue: what are the risks of running the wrong heater? This would affect how much you need to protect against activation of the wrong heater.

Answer 3

Interlocking electromagnetic contactors in electrical systems is a technique used to prevent two or more of them from being energized at the same time.

Three 2-pole 16 A contactors, with (2 NO + 2 NC) auxiliary contacts, would be required for this application.

Here's the control circuit, showing the interlocks and the NO contacts of the processor output relays.

The heater power circuit is as shown below.

The 2 - pole contactors facilitate dual-redundancy in the case of contact malfunction.

Notwithstanding the interlocks, should two or three heaters get energised at the same time, the wiring would be protected by the fuses or circuit breakers.