UCSC Hotplate Study
Hotplate Failure Incident
On March 27, 2007 a Corning PC-420 hotplate was brought into the Biology instrument repair shop. The user’s note taped to the top read: “HEAT REMAINS ON WHEN TURNED OFF”.
From talks with the lab members it seems that the user walked into his lab bay and felt unusually warm, as if the building heat was cranked up. He rapidly located the heat source as the hotplate, which was turned off. We haven’t established how long it had been turned off or when the heating actually started.
In the shop the unit behaves consistently, without exception:
When turned on, the unit performs normally, regulating temperature and stir speed as set by the user. When the heat is turned off by rotating the heat control to the detent at 0 (called “off” in the manual), the hotplate begins to heat, and continues indefinitely without temperature regulation. The hot-top indicator does work and shows that the plate is too hot to touch. It should be noted here that the maximum temperature physically achievable by this unit is over 1000 degrees F.
Plugging the unit in cold with the heat and stir switches in the off position produces the same runaway heating behavior described above.
Inspection of the unit inside and out revealed no spill residues or damage. In fact it was a remarkably clean instrument. The circuit boards were in excellent shape on both sides, with no dirt, residue, heat damage, or discolored foil.
Heater control in laboratory hotplates has evolved with changes in electronics technology.
In older units, the heater control is a simple self-heating bimetal switch in series with the plate heater. Rotating the control knob adjusts tension on the switch contacts, which in turn sets the duty cycle (closed contact time). There is no temperature feedback from the plate, so temperature regulation is dependent on the duty cycle of the switch. When the unit is switched off a contact is opened, directly disconnecting the heater from the mains.
The next generation has power delivered to the plate heater via a triac, with an analog electronic control circuit utilizing feedback from a plate temperature sensor. A new failure mode introduced by triac control of the heater was the possibility of the triac failing as a short circuit while the unit was on. This is a well-known failure mode for triacs, although they can also fail open. This type of failure results in loss of temperature regulation: the plate temperature rises to whatever its physical limit is. However, as in the older units, switching the unit off does directly disconnect the heater from the mains.
The current generation also has power delivered to the plate heater via a triac, but the control system is microcontroller based: the instrument's behavior is determined by a program stored in the processor chip. The new failure modes introduced by this control strategy depend on how much control is handed off to the processor chip. In all units of this class that have been found in Sinsheimer labs, the processor has complete control of all functions, including removing power from the heater when the unit is switched off. The "power switch" does not disconnect the heater from the mains; it merely asserts a logic level (0V or 5V) at a pin on the processor chip. The processors in these units are running and capable of controlling hardware as long as the power cord is plugged in. This means that in the event of a firmware glitch, it is possible for the unit to heat the plate with the "power switch" turned off. We have now seen this occur (see Hotplate Failure Incident above).
Safety Analysis of Microprocessor-Controlled Units
The controller is a Motorola MC68H705PCA, socketed 28-pin DIP package.
Safety relay: Coil driven by NPN transistor, base current supplied by PA3 (controller pin 7).
Triac trigger: Optoisolated triac driver triggered by pulses from PA1 (controller pin 9).
Motor speed control: Optoisolated triac driver triggered by pulses from PA2 (controller pin 8).
Heat ON/Off switch: Logic state at PC2 (controller pin 20).
Optical tach pickup: Pulses to IRQ (controller pin 2).
60Hz sync for triac triggering: square wave derived from the line to PD7/TCAP (controller pin 25).
Plate temperature (thermocouple): Analog voltage to PC6/AD0 (controller pin 16).
Temperature setpoint (pot): Analog voltage to PC5/AD1 (controller pin 17).
Motor speed setpoint (pot): Analog voltage to PC4/AD2 (controller pin 18).
(+) There is a pilot light indicating when the unit is plugged in.
(+ -) A hot-top indicator light on the front panel warns the user that the plate is still hot after the unit has been switched off. This is the reason for keeping the control circuits powered up at all times. Ironically, implementing this safety feature led the designers to eliminate a much more crucial safety feature – a foolproof method of removing power from the heater circuit when the switch is off.
(+ -) A normally-open relay is wired in series with the triac and heater, so no power can be delivered unless the relay driver is energized. This was designed in to eliminate the shorted-triac danger, however the relay driver (a transistor switch) is under firmware control. There is no hard switch cutting relay coil power when the front panel “power switch” is off (HEAT pot in the detent position).
(-) If there is a glitch in program execution, the controller can close the safety relay and trigger the triac with the unit apparently switched off.
(-) The fact that the controller is mounted in a socket which hangs upside-down when the instrument is standing upright should make this unit prone to intermittent pin contact problems, especially with units used in coolers or cold rooms.
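The following simulation is an added example, not firmware from Corning, Fisher or any other manufacturer and not code taken from this study. It models the control arrangement described above (safety relay and triac trigger both driven from microcontroller output pins, the front-panel "power switch" read as a logic level on an input pin) and contrasts two ways the firmware might derive its outputs. The pin names are taken from the list above; the state layout, thresholds and the single-byte-corruption fault are assumptions made for illustration.

```c
/* Added example (constructed, not any vendor's firmware): two control-loop
 * designs for a hotplate whose relay (PA3) and triac trigger (PA1) are
 * under processor control and whose "power switch" is only a logic level
 * on PC2. Shows why a latched "heat enabled" flag in RAM can leave the
 * heater energized with the switch off after a single glitch. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Inputs the controller samples each cycle (units are assumed). */
typedef struct {
    bool heat_switch_on;   /* PC2 logic level: HEAT pot out of the detent */
    uint16_t plate_temp;   /* AD0 thermocouple reading, arbitrary units */
    uint16_t setpoint;     /* AD1 setpoint pot, same units */
} inputs_t;

/* Outputs driven to the power section. */
typedef struct {
    bool relay_closed;     /* PA3 high: safety relay coil energized */
    bool triac_fire;       /* PA1 pulsing: opto triac driver triggered */
} outputs_t;

/* Design A (latched): the "on" state lives in RAM and is only updated on a
 * switch transition (edge-triggered). One corrupted byte, from a brown-out,
 * EMI or an intermittent socket pin, leaves the latch set while the switch
 * reads off, and nothing downstream re-checks the switch. */
typedef struct {
    bool heat_enabled;     /* latched copy of the switch */
    bool last_switch;
} latched_state_t;

void latched_init(latched_state_t *s) { s->heat_enabled = false; s->last_switch = false; }

outputs_t latched_step(latched_state_t *s, const inputs_t *in)
{
    if (in->heat_switch_on != s->last_switch) {      /* only on a transition */
        s->heat_enabled = in->heat_switch_on;
        s->last_switch = in->heat_switch_on;
    }
    outputs_t out;
    out.relay_closed = s->heat_enabled;
    out.triac_fire = s->heat_enabled && in->plate_temp < in->setpoint;
    return out;
}

/* Design B (level-derived, fail-safe default): every cycle recomputes both
 * outputs from the freshly sampled switch level. Nothing about "on" is
 * remembered between cycles, and both outputs default to off, so a stale
 * or corrupted flag cannot by itself energize the heater. */
outputs_t levelderived_step(const inputs_t *in)
{
    outputs_t out = { false, false };               /* default: heater isolated */
    if (!in->heat_switch_on)
        return out;
    bool demand = in->plate_temp < in->setpoint;    /* simple bang-bang regulation */
    out.relay_closed = demand;
    out.triac_fire = demand;
    return out;
}

/* Fault model (assumed): the latch byte flips after the user has switched
 * the heat off. Returns true if the heater ends up energized with the
 * switch still reading off. */
bool latched_heats_when_off_after_glitch(void)
{
    latched_state_t s;
    latched_init(&s);
    inputs_t on  = { true,  100, 300 };
    inputs_t off = { false, 100, 300 };
    latched_step(&s, &on);            /* user heats normally */
    latched_step(&s, &off);           /* user turns HEAT to the detent */
    s.heat_enabled = true;            /* glitch: RAM latch corrupted */
    outputs_t o = latched_step(&s, &off);   /* switch still reads off */
    return o.relay_closed && o.triac_fire;
}

bool levelderived_heats_when_off(void)
{
    inputs_t off = { false, 100, 300 };
    outputs_t o = levelderived_step(&off);
    return o.relay_closed || o.triac_fire;
}

int main(void)
{
    printf("latched design heats with switch off after glitch: %s\n",
           latched_heats_when_off_after_glitch() ? "yes" : "no");
    printf("level-derived design heats with switch off:        %s\n",
           levelderived_heats_when_off() ? "yes" : "no");
    return 0;
}
```

The level-derived design only removes one class of fault (corrupted state between cycles). It does not remove the hazard this study identifies: a crashed processor that leaves PA3 and PA1 asserted, or a program counter wandering into code that drives them, still energizes the heater with the switch off, because the switch is an input to the firmware rather than a break in the relay coil or heater circuit. Only a hardware cutoff independent of the processor, backed by a watchdog that forces the output pins to their reset state, addresses that.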
Corning PC-200 & PC-220
The PC-220 is electrically identical to the PC-420 described above. It is physically smaller and the circuit board dimensions and layout are different.
The PC-200 does not have a stirrer but is otherwise identical to the PC-220.
The safety analysis of the PC-420 applies to these units in every detail.
This unit is the upgraded version of the PC-420 with a digital readout. It has all of the safety pitfalls of the PC-420 except that the new processor is a surface-mounted part (and component side of board faces up) making it less prone to intermittent contact problems.
Fisher Isotemp (cat # 11-600-49H, cat # 11-700-49H)
These units have the same safety pitfalls of the PC-420 with two additional problems:
- There is no pilot light to indicate whether or not the unit is plugged in.
- There is no safety relay in series with the triac and heater. If the triac shorts the temperature will
The case and packaging design of these units seems excellent, but they duplicate the control strategies of those listed above with the same potential for dangerous failure modes. As with the Fisher Isotemp, these units do not have the pilot light or safety relay. The controller is a surface mount part, possibly more robust than the socketed or through-hole soldered parts.
The current industry standard for hotplate design seems to put all functions under firmware control, and to exclude any type of hard power cutoff that would be independent of the processor. The units listed above all have the "power-off" hot-top indicator feature that requires the control circuitry to be powered up at all times. Every one of them is capable of a processor failure leading to thermal runaway. It should be noted that the manuals are currently worded to suggest that the units remain plugged in so the user can benefit from the hot-top indicator feature. Corning is currently working on modifying their manual.
It has not yet been determined for all units to what extent processor watchdogs are being utilized, and whether they would be hardware, software, internal, or external in these various units. It is safe to say that none of the Corning units have adequate watchdog protection.
UC Santa Cruz