[HH] CO detectors self-destruct

Tom Metro tmetro+hhacking at gmail.com
Mon Apr 17 13:33:29 EDT 2017


Federico Lucifredi wrote:
> This excess life span I detected in use leads me to think the sensor
> chemistry decays even when warehoused and not in powered use.

Sure, that makes perfect sense given what we know about the sensors. The
author of the teardown you referenced speculated that the limited
lifespan was due to evaporation of the liquid and accumulation of
contaminants in the activated carbon filter.


> I think the lifespan runs from the date of manufacturing, and exceeds
> the warranty by an unknown amount...

Yes, I assumed as much. As with any engineering parameter, the system
should be designed with sufficient margin in excess of what is needed.
And with a life safety device, even greater margins.

But the issue at hand - with respect to having all your alarms die at
once - is not the actual life of the sensor, but the duration of the EOL
timer.


> ...it is at least an extra year...

We're talking an analog device whose lifespan is going to be partly
dependent on environmental conditions (higher temperature causing more
rapid evaporation; higher concentration of contaminants clogging the
carbon faster), so it is going to be a statistical curve. The
manufacturer might be aiming for 99.9% sensor survival at rated lifespan
+ N years. N probably varies by manufacturer and the risk level they're
willing to take.

Quite possible a CO sensor might work adequately for another 5 to 10
years after the programmed EOL, if the manufacturer's engineering margins
were high and environmental conditions favorable.


> This leads to unit warehousing, and the sensor must still deliver its
> full warranty life to the customer once deployed.

Agreed. You'd think then that they'd have "best sold/used by" dates on
the product packaging, otherwise a unit kept in storage for 5 years runs
a high risk of sensor failure, and if the micro can't detect that, the
detector could fail to alarm in a life-threatening condition and be a
liability for the manufacturer.

Maybe alarm manufacturers have special contracts with their distributors
and retailers that prevent the sale of old units?


> For example, the first set I had in my home were warranted 7 years,
> but lasted 8 before the annoy-a-tron triggered and forced me to
> replace all units.

This part I don't really understand. The EOL alarm should be purely time
based, so either the EOL alarm is not set to 7 years, or the unit wasn't
powered that entire time, or the unit suffers from significant clock drift.

Given these devices use cheap microcontrollers without a real time
clock, and possibly don't even use a crystal oscillator for the MCU
clock, clock drift is a real possibility. An RC oscillator could easily
be off by 10%, which is getting in the neighborhood of adding a year to
a 7 year timer.

That could explain why my Kidde alarms haven't EOLed.


>> I suppose I could always delay activating subsequent units by a month.
> 
> I do not believe this will work.

The First Alert unit with the built-in battery comes powered off. It has
a switch on the back to "activate it." The switch has a mechanical
interlock, such that you have to snap off a bit of plastic to deactivate
it, and once done, it can't be activated again.

Presumably they do this to start the EOL clock running and to minimize
cutting into the 10-year battery life. Given the mechanical interlock,
they've clearly gone to some expense to accommodate this, so it must be
advantageous.

I'm guessing the mechanical interlock exists so 1. a user can't
intentionally or inadvertently silence an alarm by turning the unit off,
and 2. you don't end up running across a product that might have been
powered for a few years, shelved for several, and then deployed again,
such that the EOL timer trips years later than it should. But you could
argue #2 is no worse than having a product sitting in a warehouse for years.

Might it have been cheaper for the manufacturer to skip the switch and
interlock, sell the unit already activated, add a "use by" date, and
just derate the lifespan by a few years?

I'm kind of surprised they didn't use the technique of wedging a bit of
plastic film between a set of spring contacts, which the user pulls out
on activation, as commonly used by products sold with batteries. Much
cheaper. Can't be "unactivated." That they didn't suggests they had a
strong requirement to be able to deactivate units.

Not clear to me why you would ever want to deactivate one of these.
Perhaps to silence a defective unit, given you can't remove the battery
without disassembly.

 -Tom


