Global Supplier Directory
Supplier Solutions
Whitepaper Library
Calendar of Events
Association Locator
Contents Pages
Market Research
Subscription Center

issue: October 2004 APPLIANCE Magazine

Ignition Systems
Electronic Safety Systems for Gas Cooking

 Printable format
 Email this Article

by Derek Laynes, senior design engineer, TytronicsPty Ltd, Australia

Designing gas cooktops according to European standards raises the level of difficulty for designers, but raises the bar for safety as well.

For many years, there have been gas safety systems in gas ovens. These safety systems act to stop the flow of gas if for any reason a flame is not present, also known as flame safeguarding. In several, but not all, European and Asian countries, these safety systems also extend to gas cooktops. In the U.S., Australia, and other countries, however, such safety systems are not mandatory on cooktops, and in the event of flame failure, gas continues to flow. The main reason for what seems to be a lack of safety is that a cooktop is considered to be an attended appliance, not an automatic appliance like an oven. However, as consumers demand more and more features and flexibility in their products, this assumption is becoming less and less true.

With an increased interest in safety, it is almost inevitable that standards authorities and approvals agencies will start to follow the lead of European counterparts and mandate similar requirements.

Igniters and Flame Safeguards

The most common flame safeguard for cooktops and ovens uses a thermocouple placed in the flame of each individual burner. The burner flame heats the thermocouple, which then produces a voltage/current that is sufficient to hold open a small gas valve. These two parts are sometimes incorporated into a single part referred to as a thermovalve. If for any reason the flame is lost, for example, due to failure of the gas supply or blow out, the thermocouple cools and the valve is closed. There are many variants of this type of product, and they are generally called flame failure devices (FFDs).

FFDs are considered safety shutdown devices and require user intervention to relight the gas unless some form of automatic re-ignition is fitted. The most common manual ignition method is piezo ignition, in which the user presses an igniter button while holding down a second button, which overrides the safety interlock and permits gas flow. This method is safe because the user must be present to light the gas and presumably will detect a hazard such as unburnt gas before attempting ignition.

Electronic flame safeguards operate similarly; they must sense flame failure and shutdown the gas usually via a gas solenoid. Just as there is a minimum reaction time for the thermocouple when unburnt gas flow is permitted, the electronic safeguard must shutdown within a minimum time known as the safety time. The safety time can be

easily tailored to suit the flow rate of the burner and is sized to release a volume of unburnt gas that will not lead to an explosion hazard. The advantage of electronic safeguards is that the igniter circuit (usually a spark coil) is controlled by the safeguard and operates for the duration of the safety time. To keep the cost down, the igniter can be built into the safeguard.

Gas cooktops, however, do not traditionally use flame safeguards. They use electronic igniters or re-igniters, as shown in Figure 1. The circuit monitors the flame and the burner switch input, and its function is to ignite the gas when the burner is turned on or if the flame is extinguished for any reason. In this case, there is no safety time because there is no means of directly controlling the gas, and trial for ignition may proceed indefinitely. The safety system relies on the monitoring presence of an operator, who presumably will switch off the burner switch if anything goes wrong. Figure 1 shows a typical low-cost cooktop igniter, which uses the flame rectification effect to detect flame by sensing the d.c. flame current. The burner electrode sparks across to the burner top to ignite the gas and acts as a flame sense point for the flame amplifier. If a burner switch is on and no flame is detected at the corresponding burner, the ignition control energizes the igniter coil. The only form of flame safety is that there is an immediate ignition source if the flame fails. The functional requirements for the circuit are simple—the ignition control requires little intelligence and can be a few transistors and passive components.

Next, let’s examine how a flame safeguard could be implemented on a gas cooktop. Figure 2 shows the essential elements of a flame safeguard for a cooker, and, as was the case with the simple igniter circuit, there are multiple burner switch inputs and flame detection. However, there are more complex tasks to perform than in the simple igniter circuit, so a microprocessor has been introduced to control ignition and gas valve timing. In this case, the system does not rely on operator intervention to shut down the gas; therefore, an increased level of intrinsic safety is required. The microprocessor does more than just monitor the flame signal and shut down the gas if the safety time is exceeded. For example, it must verify the integrity of the flame amplifiers by checking for false flame output at start up.

The microprocessor must also verify other safety critical functions and components and lockout from further operation if there is ignition failure or some other safety critical failure. (While the lockout indication is not mandatory, it’s a good method for warning the operator.) Clearing the lockout requires manual intervention like resetting the burner switch. In this way, the safety system includes the operator under failure conditions, and the watchdog is part of the system safety monitoring. The watchdog is a redundant circuit that independently shuts down the gas in the event that the microprocessor fails. There may also be software watchdogs and self-checks resident in the processor code that shut down the gas in the event of a failure.

Designing with European Gas Standards

The European standard for gas-burning appliances, EN298, sets specific requirements for flame safeguard systems and provides a reasonable basis for design. The standard mandates specific safety checks, i.e., the flame check, in which a false flame check verifies that the flame signal is off prior to energizing the gas valve and, thus, verifies that the flame amplifier can detect a flame out. Checks can also be at shutdown or conducted as background checks. One of the virtues of EN298 is that it is intended for approval of microprocessor-based flame safeguards. Earlier gas standards were based on use of discrete components or purely electromechanical systems.

Clause 10 of EN298 sets specific design requirements for “complex electronics,” i.e., microprocessors. This clause discusses fault tolerance and avoidance and provides a basis for design. The fault tolerance requirements are different from U.S. regulations for gas controls in that there is a requirement for an independent secondary safeguard rather than reliance on the microprocessor and its safety software. This may add cost, but it increases the level of safety.

In addition, similar to the latest ANSI gas standards, a second order Failure Mode Effects Analysis (FMEA) must be conducted, which makes the design more complex. Most FMEA is first order, meaning that only one fault needs to be considered. Second order means a second fault must be considered in combination with the first.

Figure 3 shows the principle of second order FMEA. A fault must be detected within one heat cycle, i.e., one on/off cycle of the burner. The FMEA is a daunting task for the designer; however, from the customer’s point of view, it means a safer system. The second order of faults leads to better self-checks and a higher level of redundancy and fault tolerance. If the design is done properly, it will not reduce reliability or availability. One way to design gas controls is using a modular approach, where trusted blocks of circuitry and code are reused from previous designs where possible. Design time and risk are reduced and meet requirement criteria. The modular approach also reduces the amount of time spent on FMEA. If modules have appropriate schematic boundaries, they can be analyzed as stand-alone entities so the module FMEA can be reused and speed the analysis.

EN298 also specifies qualification criteria, including immunity tests. The cooktop control must be immune to interference, or fail to a safe state in which the gas valve de-energizes when subjected to a range of interference sources. The standard sets severity levels for Electromagnetic Compatibility (EMC) immunity compliance. (Compliance will depend on the destination country for the appliance.) The immunity tests are applied to the mains supply input and any external wiring. The tests are IEC 61000-4 series; these consist of a Voltage Surge test of 0.5 to 2KV, an Electrical Fast Transient (EFT) of up to 1KV at 5KHz repetition rate, Supply Brown Out Dips and Interruptions, Conducted interference up to 10 Vrms at 150K–80MHz, Conducted Radiated, and Induced Radiated disturbances.

There is also an Electrostatic Discharge (ESD) test, which would be applied to the electronic control and its interfaces to prove immunity to ESD damage during installation and handling, for example. The tests give the user a high level of confidence that the system will either continue working or fail safe under high levels of electrical interference. This is an important safety factor, as the potential for Electromagnetic Interference (EMI) is ever increasing with the number of mobile phones and RF-based equipment appearing in the environment. The effects of EMI on a microprocessor can be unpredictable, and the possibility of a safety hazard cannot be ruled out.

It is also worth noting that one of the worst sources of electrical noise may lie within the control itself. As previously mentioned, spark ignition is popular because of its low cost. In cooktops, there are always a number of long HV leads supplying spark voltage to the burner top electrodes. The ignition noise consists of low duty cycle, high-energy fast transients that radiate into the cooktop wiring and controls (any wiring or controls in the immediate vicinity will suffer high levels of EMI). Noise will also be coupled directly into electronic controls and indirectly via wiring, i.e., radiated conducted. The usual effect of noise on the microprocessor is a processor restart. If the amplitude is big enough, this should lead to safety shutdown and gas valve closure. In practice, this would be a real nuisance for a cooktop. Spark immunity and immunity problems, in general, are usually resolved by good PCB layout and grounding practice.

The standard requires a cycle test of 250,000 start up cycles, and 25,000 of these are at temperature extremes. This is a more demanding test than other standards and gives a mandatory level of life test qualification for the product. Long-term temperature cycling tests are a valuable tool for proving design and component selection, along with upper and lower supply extremes at environmental extremes. It is worth mentioning that this can apply to FMEA as well—a failure mode that cannot be resolved by theory or inspection will inevitably be discovered.

Software design requirements are also specified in Clause 10. Although the requirement for secondary safeguarding reduces the critical safety aspects of the software, it should not reduce the care taken in writing the code. It should still incorporate the memory self tests, software watchdogs, and fault avoidance techniques that apply to safety critical code. It must be structured and readable and should be developed with formal reviews and documentation.

In addition, as with any software project, the requirements must be correct and defined as early as possible. The FMEA will drive some of the safety software requirements because the software detects some of the faults, which means that FMEA must be considered prior to writing the code. It should also be kept in mind that because code is complex, it must be easily understood in order to be reliably verified; otherwise, correct operation cannot be assured.

Derek Laynes is senior design engineer, Tytronics Pty Ltd, Australia.


Daily News


Oct 22, 2014: Middleby to add U-Line to residential appliance business

Oct 22, 2014: iRobot's 3Q exceeds expectations, driven by Home Robots growth

Oct 22, 2014: Whirlpool Canada named 2014 Energy Star Manufacturer of the Year

Oct 22, 2014: ACCA wants the HVAC manufacturers to develop open, universal communication protocols

Oct 22, 2014: IHA launches website to connect OEMs with consumers

More Daily News>>

RSS Feeds
Appliance Industry
Market Research


September 2014: Appliance Industry Focus: HVAC
June 2014: Appliance Magazine Market Insight: April 2014
May 2014: Appliance Magazine Market Insight: March 2014
April 2014: Appliance Magazine Market Insight: February 2014

Contact Us | About Us | Subscriptions | Advertising | Home
UBM Canon © 2014  

Please visit these other UBM Canon sites

UBM Canon Corporate | Design News | Test & Measurement World | Packaging Digest | EDN | Qmed | Plastics Today | Powder Bulk Solids | Canon Trade Shows