-1) The "Problem" you have here is nothing to do with sorting out a suitable circuit and EVERYTHING to do with ensuring your working practices meet all necessary HSE requirements (depending on where you are working, country-wise).
0) Having set up several test facilities that use hazardous voltages, the most difficult bit is to ensure your risk assessment and mitigation are fully documented and a suitable work instruction / procedure is created, ratified and signed off (by the CEO if necessary, as the buck ultimately stops with them these days).
What I can suggest, however, is:
1) A mechanical disconnect or crowbar for the HV circuit, i.e. opening the door of the test chamber will actually mechanically short the HV supply to zero within a length of time deemed to be sensible depending on the access level to live conductors within the chamber.
2) If your safety circuit requires external power, say a separate 24 V supply to operate, make the presence of this power MANDATORY for the HV to exist. For example, an N/C relay that, should the 24 V power be lost, shorts the DC link to zero volts as per 1) above.
3) NEVER indicate a "safe" state unless you can 100% ensure this state. Normally I would use an orange and a red beacon. When the test chamber is unpowered, neither will be lit. Applying power to the chamber, which could therefore allow the HV supply to start (under fault conditions), lights the orange beacon to say "this chamber is potentially live". When you enable the HV supply, just light the RED beacon, which should have a suitable delay period for turning off, i.e. it lights as soon as the HV supply goes live, but takes say 5 min to go out when the HV supply is disabled.
4) You may be able to validate the probability of the HV being present by simply measuring the input power to the HV supply itself, especially in the case of having passive discharge resistance that is NOT decoupled from the HV bus, i.e. the supply is expected to always drive this load.
5) The most dangerous case is stored charge, either during normal operation or from unexpected failure states. When working with HV, all capacitances (incl. parasitic ones) should have robust methods to ensure that should they become charged they will self-discharge. Knowing what the time period for this discharge could be allows you to proceduralise the way you terminate and remove DUTs from the test chamber.
6) For all my test chambers, I put all instrumentation in the chamber and use, where possible, a single cross-boundary isolation point to move data out and power in. For example, use a suitably rated Ethernet isolator (probably has to be optical fibre type at 40 kV) to 'remote desktop' in to a PC-based DAQ system in the chamber. Here, in the case of gross fault or miswire, you may well damage equipment, but operators should always be protected. At these voltages, suitable fused and crowbar voltage limitation to PE is going to be required, i.e. your primary instrumentation should be specified to deal with the maximum WORKING voltage of the DUT, but should that voltage get through your functional isolation / insulation, a second layer of voltage limitation is in place to either clamp the voltage to below a safe value or to blow a fuse and achieve the same effect on any external interface. Here, because the power you are working with is very low, this really shouldn't be very hard, i.e. some redundant 30 V TVS diodes should easily be able to hard short the HV to ground without themselves going bang first.
7) I highly recommend you use a suitable commercial PROVING UNIT (i.e. Martindale tester etc.) to ensure that you have a final line of defense for all operatives that is commercially proven and established. Before ANY conductor is touched, this unit is required (by a written and witnessed procedure) to be used to "PROVE DEAD". There are legal ramifications of this step in most countries, set by the relevant HSE.
If your power supply can be set to 40 kV then you need to design your safety case for this rating, unless you can absolutely and robustly limit the output voltage; note a software limit would not be considered suitable on its own for this limitation.
Thanks for this, quite helpful.
Regarding specific points (numbers <1 added in quoted text above):
-1) As a research/development device at a research institution (public research university), we don't have to meet quite the same requirements as a device that would be offered for sale, according to the safety officer.
0) Luckily, I am not responsible for that document -- that will ultimately be the responsibility of the research group lead. But I will certainly contribute, and I'll have my old boss (electronics tech at another department, who has done HV stuff and HV/high-ish energy stuff, including for external transfer that required documentation/self-certification) look at it too, since he's been advising us on this project.
1) I proposed a mechanical crowbar, but the consensus was that this is overkill, given the other safety provisions. Between the PSU's internal discharge circuit and the secondary one I'll be installing myself, by the time one has opened the fume hood door (which will open the interlock) and then opened the device cabinet door (which also opens the interlock), the charge should be discharged to ~0V. Actually exposing the HV electrode is a matter of minutes of disassembly. So it should be inherently safe insofar as reaching the HV electrode breaches the interlock twice, and the discharge circuits have ample time to do their job before one actually exposes the electrode.
2) I'll be using a safety relay (probably Phoenix Contact) with monitored contacts, and indeed, without power it won't close.
3) This is exactly why I was reluctant to provide a "dummy light". After discussing this issue, and the technical difficulty of actually providing anything approaching 100% certainty, we are not going to provide one.
The power supply manufacturer could add a "HV out ON" output as a custom modification, but at exorbitant cost, and it would only mirror the state of the output button on the PSU itself, which is within sight of the device itself. So not especially useful. Anything else would require actively monitoring the voltage inside the device, which seems fraught with opportunities to fail to actually "prove dead".
4) Eh, not likely. Since it will likely end up running at far below the maximum voltage, and because the steady-state output current should never exceed the 100uA of the discharge/analog meter circuit, the change in input power is likely small.
5) The parasitic capacitance of the 3 m cable is around 150 pF/m, so according to my math, at 40 kV through 400 MΩ, this should discharge to under 300 mV in 2 seconds.
40 kV × e^(−2 s / (400 MΩ × 3 × 141 pF)) = 294 mV
The PSU's built-in discharge circuit is specified to discharge to <1% Vout within 1 second. The manufacturer has verified that this circuit will also discharge external loads. Since 1% of 40kV is still 400V, 1 second isn't enough, but since reaching the electrode is a matter of minutes, not seconds, this should be ample to discharge the internal capacitance.
So my thinking (and my old boss, who reviewed this, agrees) is that between these two circuits, a) there's always a discharge circuit present, even if the cable should be disconnected or severed, and b) in normal operation the two discharge circuits provide generous ability to discharge.
6) In this case, the output of the system is a gas, which flows through plastic tubing to some type of analyzer (probably a gas chromatograph, but don't hold me to this). (The inputs are also gases, created by a setup adjacent to the device, within the same fume hood). There is no DUT as such, but rather just two reagents in vapor form, with the hope that under the influence of the electric field, they react into the desired reaction product. (I wish I could tell you more but that's literally all I know about the chemistry.)
In essence, we are using the fume hood as the test chamber, and within that, the device itself is a Faraday cage (all aluminum exterior, except for the polycarbonate door), and within the Faraday cage, the HV electrode is housed within the reactor, which is made of PEEK plastic with generous clearance and creepage distances. Opening the reactor (which shouldn't be needed in normal operation) requires unscrewing the lower half, which is basically a screw press (the pressure being needed to maintain tight dimensional tolerances).
7) I will look into this.
8) That's exactly why I have said from the beginning of this project that even though it's exceedingly unlikely that it will ever operate at or near 40kV, the entire safety design has to be designed around it because there's no way to actually prevent someone from setting the voltage that high. The PSU lets you select between the front panel knob or an analog control input, but the switch to select this is... on the front panel. Restricting access to the front panel is not an option because the only way to turn on the HV output is via the front panel button, there is no remote input for that. The PSU was not ordered with the serial port option, so I haven't investigated what possibilities it would have provided, but I would never rely on software configuration alone anyway, just as you say.