For many years, there have been
gas safety systems in gas ovens. These safety systems act to stop the
flow of gas if for any reason a flame is not present, also known as flame
safeguarding. In several, but not all, European and Asian countries,
these safety systems also extend to gas cooktops. In the U.S., Australia,
and other countries, however, such safety systems are not mandatory on
cooktops, and in the event of flame failure, gas continues to flow. The
main reason for what seems to be a lack of safety is that a cooktop is
considered to be an attended appliance, not an automatic appliance like
an oven. However, as consumers demand more and more features and flexibility
in their products, this assumption is becoming less and less true.
With an increased interest in safety, it is almost inevitable that
standards authorities and approvals agencies will start to follow the
lead of European counterparts and mandate similar requirements.
and Flame Safeguards
The most common flame safeguard for cooktops and ovens uses a thermocouple
placed in the flame of each individual burner. The burner flame heats
the thermocouple, which then produces a voltage/current that is sufficient
to hold open a small gas valve. These two parts are sometimes incorporated
into a single part referred to as a thermovalve. If for any reason
the flame is lost, for example, due to failure of the gas supply or
blow out, the thermocouple cools and the valve is closed. There are
many variants of this type of product, and they are generally called
flame failure devices (FFDs).
are considered safety shutdown devices and require user intervention
to relight the gas unless some form of automatic re-ignition is fitted.
The most common manual ignition method is piezo ignition, in which
the user presses an igniter button while holding down a second button,
which overrides the safety interlock and permits gas flow. This method
is safe because the user must be present to light the gas and presumably
will detect a hazard such as unburnt gas before attempting ignition.
Electronic flame safeguards operate similarly; they must sense flame
failure and shutdown the gas usually via a gas solenoid. Just as there
is a minimum reaction time for the thermocouple when unburnt gas flow
is permitted, the electronic safeguard must shutdown within a minimum
time known as the safety time. The safety time can be
easily tailored to suit the flow rate of the burner and is sized
to release a volume of unburnt gas that will not lead to an explosion
hazard. The advantage of electronic safeguards is that the igniter
circuit (usually a spark coil) is controlled by the safeguard and operates
for the duration of the safety time. To keep the cost down, the igniter
can be built into the safeguard.
Gas cooktops, however, do not traditionally use flame safeguards.
They use electronic igniters or re-igniters, as shown in Figure 1.
The circuit monitors the flame and the burner switch input, and its
function is to ignite the gas when the burner is turned on or if the
flame is extinguished for any reason. In this case, there is no safety
time because there is no means of directly controlling the gas, and
trial for ignition may proceed indefinitely. The safety system relies
on the monitoring presence of an operator, who presumably will switch
off the burner switch if anything goes wrong. Figure 1 shows a typical
low-cost cooktop igniter, which uses the flame rectification effect
to detect flame by sensing the d.c. flame current. The burner electrode
sparks across to the burner top to ignite the gas and acts as a flame
sense point for the flame amplifier. If a burner switch is on and no
flame is detected at the corresponding burner, the ignition control
energizes the igniter coil. The only form of flame safety is that there
is an immediate ignition source if the flame fails. The functional
requirements for the circuit are simple—the ignition control requires
little intelligence and can be a few transistors and passive components.
Next, let’s examine how a flame safeguard could be implemented on
a gas cooktop. Figure 2 shows the essential elements of a flame safeguard
for a cooker, and, as was the case with the simple igniter circuit,
there are multiple burner switch inputs and flame detection. However,
there are more complex tasks to perform than in the simple igniter
circuit, so a microprocessor has been introduced to control ignition
and gas valve timing. In this case, the system does not rely on operator
intervention to shut down the gas; therefore, an increased level of
intrinsic safety is required. The microprocessor does more than just
monitor the flame signal and shut down the gas if the safety time is
exceeded. For example, it must verify the integrity of the flame amplifiers
by checking for false flame output at start up.
The microprocessor must also verify other safety critical functions
and components and lockout from further operation if there is ignition
failure or some other safety critical failure. (While the lockout indication
is not mandatory, it’s a good method for warning the operator.) Clearing
the lockout requires manual intervention like resetting the burner
switch. In this way, the safety system includes the operator under
failure conditions, and the watchdog is part of the system safety monitoring.
The watchdog is a redundant circuit that independently shuts down the
gas in the event that the microprocessor fails. There may also be software
watchdogs and self-checks resident in the processor code that shut
down the gas in the event of a failure.
with European Gas Standards
The European standard for gas-burning appliances, EN298, sets specific
requirements for flame safeguard systems and provides a reasonable
basis for design. The standard mandates specific safety checks, i.e.,
the flame check, in which a false flame check verifies that the flame
signal is off prior to energizing the gas valve and, thus, verifies
that the flame amplifier can detect a flame out. Checks can also be
at shutdown or conducted as background checks. One of the virtues of
EN298 is that it is intended for approval of microprocessor-based flame
safeguards. Earlier gas standards were based on use of discrete components
or purely electromechanical systems.
Clause 10 of EN298 sets specific design requirements for “complex
electronics,” i.e., microprocessors. This clause discusses fault tolerance
and avoidance and provides a basis for design. The fault tolerance
requirements are different from U.S. regulations for gas controls in
that there is a requirement for an independent secondary safeguard
rather than reliance on the microprocessor and its safety software.
This may add cost, but it increases the level of safety.
In addition, similar to the latest ANSI gas standards, a second order
Failure Mode Effects Analysis (FMEA) must be conducted, which makes
the design more complex. Most FMEA is first order, meaning that only
one fault needs to be considered. Second order means a second fault
must be considered in combination with the first.
3 shows the principle of second order FMEA. A fault must be detected
within one heat cycle, i.e., one on/off cycle of the burner. The FMEA
is a daunting task for the designer; however, from the customer’s point
of view, it means a safer system. The second order of faults leads
to better self-checks and a higher level of redundancy and fault tolerance.
If the design is done properly, it will not reduce reliability or availability.
One way to design gas controls is using a modular approach, where trusted
blocks of circuitry and code are reused from previous designs where
possible. Design time and risk are reduced and meet requirement criteria.
The modular approach also reduces the amount of time spent on FMEA.
If modules have appropriate schematic boundaries, they can be analyzed
as stand-alone entities so the module FMEA can be reused and speed
EN298 also specifies qualification criteria, including immunity tests.
The cooktop control must be immune to interference, or fail to a safe
state in which the gas valve de-energizes when subjected to a range
of interference sources. The standard sets severity levels for Electromagnetic
Compatibility (EMC) immunity compliance. (Compliance will depend on
the destination country for the appliance.) The immunity tests are
applied to the mains supply input and any external wiring. The tests
are IEC 61000-4 series; these consist of a Voltage Surge test of 0.5
to 2KV, an Electrical Fast Transient (EFT) of up to 1KV at 5KHz repetition
rate, Supply Brown Out Dips and Interruptions, Conducted interference
up to 10 Vrms at 150K–80MHz, Conducted Radiated, and Induced Radiated
There is also an Electrostatic Discharge (ESD) test, which would
be applied to the electronic control and its interfaces to prove immunity
to ESD damage during installation and handling, for example. The tests
give the user a high level of confidence that the system will either
continue working or fail safe under high levels of electrical interference.
This is an important safety factor, as the potential for Electromagnetic
Interference (EMI) is ever increasing with the number of mobile phones
and RF-based equipment appearing in the environment. The effects of
EMI on a microprocessor can be unpredictable, and the possibility of
a safety hazard cannot be ruled out.
It is also worth noting that one of the worst sources of electrical
noise may lie within the control itself. As previously mentioned, spark
ignition is popular because of its low cost. In cooktops, there are
always a number of long HV leads supplying spark voltage to the burner
top electrodes. The ignition noise consists of low duty cycle, high-energy
fast transients that radiate into the cooktop wiring and controls (any
wiring or controls in the immediate vicinity will suffer high levels
of EMI). Noise will also be coupled directly into electronic controls
and indirectly via wiring, i.e., radiated conducted. The usual effect
of noise on the microprocessor is a processor restart. If the amplitude
is big enough, this should lead to safety shutdown and gas valve closure.
In practice, this would be a real nuisance for a cooktop. Spark immunity
and immunity problems, in general, are usually resolved by good PCB
layout and grounding practice.
The standard requires a cycle test of 250,000 start up cycles, and
25,000 of these are at temperature extremes. This is a more demanding
test than other standards and gives a mandatory level of life test
qualification for the product. Long-term temperature cycling tests
are a valuable tool for proving design and component selection, along
with upper and lower supply extremes at environmental extremes. It
is worth mentioning that this can apply to FMEA as well—a failure mode
that cannot be resolved by theory or inspection will inevitably be
Software design requirements are also specified in Clause 10. Although
the requirement for secondary safeguarding reduces the critical safety
aspects of the software, it should not reduce the care taken in writing
the code. It should still incorporate the memory self tests, software
watchdogs, and fault avoidance techniques that apply to safety critical
code. It must be structured and readable and should be developed with
formal reviews and documentation.
In addition, as with any software project, the requirements must
be correct and defined as early as possible. The FMEA will drive some
of the safety software requirements because the software detects some
of the faults, which means that FMEA must be considered prior to writing
the code. It should also be kept in mind that because code is complex,
it must be easily understood in order to be reliably verified; otherwise,
correct operation cannot be assured.
Laynes is senior design engineer, Tytronics
Pty Ltd, Australia.