This application claims priority under 35 U.S.C. §119 to European Patent Application No. 14164178.7 filed in Europe on Apr. 10, 2014, the entire content of which is hereby incorporated by reference in its entirety.
The present disclosure relates to electrical motor drives, for example, to procedures in electrical motor drives in connection with machine safety.
Certain safety regulations and standards govern electrical motor drives in various applications. An example of such a standard is IEC 61800-5-2, which defines the Safe Torque Off (STO) function. STO brings the motor of the electrical drive to a no-torque state each time the function activates. STO can be used as an actuating procedure both in stopping of the motor (for example, overheat protection, overspeed protection or emergency stop of the motor) and in preventing undesired starting of the motor.
The STO function can be implemented as a single channel or as a redundant architecture of two or more channels. The redundancy should be implemented in such a way that a single fault in the system does not disable the STO procedure from removing the torque from the motor. The redundancy helps in obtaining a higher-level safety approval for the STO.
A more advanced STO procedure is shown in
In the example of
Further, in the example of
Both of the systems of
A method is disclosed of producing a safe torque off procedure of an electrical drive including a control unit and one or more power units having controllable semiconductor switches, the method comprising: detecting a signal in the control unit indicating a requirement to stop the drive; generating, based on the detected signal, at least one safety-approved signal which when received in a power unit initiates shutting-down of the power unit; feeding the generated at least one safety-approved signal to one or more power units; and initiating the shutting down of the one or more power units upon receipt of the at least one safety-approved signal, the at least one safety-approved signal initiating at least two different shut-down procedures of the one or more power units at different time instants.
An arrangement for producing a safe torque off procedure of an electrical drive including a control unit and one or more power units having controllable semiconductor switches, wherein the arrangement comprises: means for detecting a signal in a control unit indicating a requirement to stop an electrical drive; means for generating, based on the detected signal, at least one safety-approved signal which when received in a power unit will initiate shutting-down of the power unit; means for feeding the at least one safety-approved signal to one or more power units; and means for initiating the shutting down of the one or more power units upon receipt of the at least one safety-approved signal, wherein the at least one safety-approved signal will initiate at least two different shut-down procedures of the one or more power units at different time instants.
In the following the disclosure will be described in greater detail by exemplary embodiments with reference to the accompanying drawings, in which:
Exemplary embodiments of the disclosure are based on producing one or more safety-approved signals in the control unit of a motor drive. The one or more safety-approved signals are fed to the power unit, and upon receipt of the signals, the power unit initiates shut-down of the power unit in such a manner, that two different shut-down procedures are used. Further, these procedures are used at different time instants.
According to exemplary embodiments of the disclosure, the shut-down procedure applied first is a normal stop-procedure in which the power unit is shut down in a controlled manner. The second shut-down procedure is then a procedure leading to removing torque from the motor and ensuring that torque is not produced. Thus the procedure fulfils the requirements for an STO function.
In an exemplary embodiment of the disclosure, a signal commanding a normal stop procedure is produced in the control unit and fed as non-safety-approved signal to the power unit(s), while in another exemplary embodiment of the disclosure, a stop-signal is produced in the power unit(s) from the safety-approved signal(s) fed from the control unit.
An advantage of the exemplary embodiment of the disclosure is that the STO-procedure does not lead to a situation in which the power module is shut-down abruptly. This can ensure that the components of the power module are not damaged due to sudden removal of control. Further, as the one or more signals from the control unit are safety-approved, the same STO-functionality can be applied to different drive topologies without the need of re-design and approval procedures.
According to a method of an exemplary embodiment of the disclosure, a safe torque off (STO) procedure can be produced. The procedure is implemented in an electrical drive including a control unit and one or more power units. The disclosure can also be implemented in a drive with combined control and power units. In normal use of the electrical drive the control unit sends control information to the one or more power units. The control information can include reference values for current to be outputted from the power unit or torque to be produced by the electrical motor of the drive, for example. The control unit can further process different calculations relating to the control, such as different calculations relating to control of the motor.
The power unit includes controllable semiconductor switches which can be controlled according to the control information sent by the control unit. The power unit can be, for example, an inverter which powers a motor connected to the output of the power unit in a desired manner. The electrical drive can also include multiple power units which can all be controlled by a control unit. The outputs of the multiple power units can be connected in parallel for driving a common load. The multiple power units can also be separate systems each having their own load. As the STO procedure relates to setting a motor to a no-torque state, the power unit with semiconductor switches can be a device that is able to control a motor.
The control unit and the power unit can be connected to each other with any suitable communications connection that enable communication between the units. Such communications connections include, but are not limited to, galvanic connections, fibre links, communications buses and wireless communication.
According to an exemplary embodiment of the method according to the disclosure, a signal requiring the drive to enter a no-torque state is detected in the control unit. Multiple signal paths from safety related sensors or the like can be led to the control unit depending on the application. Each of these paths or signals is monitored, and once any one of the signals activates, the motor should be made torqueless.
The detected signal originates, for example, from a safety related logic device that monitors a sensor. Such a sensor can be a presence sensor indicating that a person is present in a dangerous area or a sensor indicating that a safety related mechanical door or hatch is opened, for example. Another possible source of the signal is an emergency stop button. Any of the signals indicates that the motor of the system should be brought to a state in which the motor is not able to produce torque.
Further, according to an exemplary embodiment of the method according to the disclosure, on the basis of the detected signal at least one safety-approved signal is generated in the control unit. This signal initiates the shutting-down of the power unit once received in the power unit.
The safety approved signal referred to above is a signal that fulfils the requirements set for the STO-procedure. Such a signal can be led via any connection that has been safety-approved or fulfils the requirements for such approval. The signal can be a signal in any communications link, for example, galvanic, fibre optic, wireless, etc., that is established between safety-approved devices.
According to an exemplary embodiment, the safety approved signal is a signal between safety-approved elements. Such elements can be, for example, partly safety-approved field-programmable gate arrays (FPGA). Thus the control unit and the power units include a safety-approved device where a safety-approved link can be established between the control unit and the power units.
Safety-approved FPGAs can be programmed using safety approved tools and measures, including safety-approved software for implementing safety-related functions and operations. A safety device utilizing such FPGAs can obtain safety-approval and the safe block in the FPGA can be frozen once approved such that the non-safe block of the FPGA can be programmed without requiring re-approval for the safe side.
When the standard communication between the control unit and the power unit(s) is between the communication interfaces of FPGAs, for example, the STO-command does not require any other communication connection. The STO-command can be, for example, encrypted in the safe-side of the FPGA and sent via standard communications channel in a so called “black channel.” Black channel refers to communication in which regardless of the communications protocol used in standard communication, the critical communication is coded in a specific way and a set communication protocol is used. The communication in black channel is also safety-approved in the sense of the STO-functionality. When using black channel with encrypted signalling, the receiving power module decrypts the signal in the safety approved block of the unit, such as in FPGA.
The generated at least one safety-approved signal is fed to the one or more power units. As the power unit receives the at least one safety-approved signal, the shutting down of the power unit is started. According to exemplary embodiments of the method according to the disclosure, the signal initiates at least two different shut-down procedures of the power unit that received the signal. Further, the at least two procedures for shutting-down the power unit can be performed at different time instants.
The first of the shut-down procedures that is applied at each of the power units can be a controlled shut-down procedure. The controlled shut-down procedure turns the power semiconductors of the power unit to an OFF-state and stops the modulation according to a set procedure. In a two-level inverter the procedure can be quite simple to implement by cutting the gate pulses to the power semiconductors at different time instants. In parallel-connected two-level inverters feeding a common load or in multilevel inverters the procedure can be more complicated and individual power components can be required to be shut-down in certain order. As power units can contain a Stop-procedure that is followed in normal stopping of the device, this Stop procedure is used as a first procedure for shutting down the power unit when the safety-approved signal indicating transition to no-torque state is received.
The second of the shut-down procedures initiated by the signal indicating the no-torque state is a procedure with which the power unit is made incapable of producing torque in the sense of STO-requirements. Once this second procedure is started, the power unit is already stopped with the normal stop procedure.
The second procedure, for example, cuts the supply voltages of the gate drivers of the power semiconductors of the power unit or cuts the modulation pulses from the power semiconductors. This second procedure is any known procedure that fulfils the STO-requirement.
In the sequence of shut-down procedures, the normal Stop-procedure can be carried out in less than 50 microseconds, and several milliseconds can be used to implement the torque-free state. As the time required for the normal stop-procedure can be known, it is desirable to set a time delay for the second procedure such that the second procedure is started only after the first procedure has ended. However, the delay should not be so long that the no-torque state is achieved later than required.
As the normal shut-down procedure has ended prior to disabling the power unit, the power components of the power unit, such as an inverter, are not damaged due to the STO-command. This can further improve the safety aspect as there is no danger of sudden break or even explosion of components due to high currents and voltages that are not controlled.
According to an exemplary embodiment of the disclosure, the two shut-down procedures that can be implemented in the power unit are both such procedures that lead to a safety-approved no-torque state. In such an embodiment the torque-free state is obtained by any two known procedures that lead to the STO-state. These procedures can be, for example, removing the gate pulses or auxiliary voltages. As mentioned above, in two-level inverters the risk of component failure is small, and therefore the Stop-signal is not necessarily required.
In the following the disclosure is described in connection with embodiments of the
In the embodiment of
The signal lines STO1, STO2 can be fed to an FPGA circuit 32, and more specifically to a safety approved block 33 of the FPGA circuit. In the FPGA circuit the signals can be fed to a logic AND function such that the signals from signal lines STO1, STO2 are combined into a single signal STO12 as the output of the AND circuit. Signal STO12 changes its state as soon as one or both of the signals STO1 or STO2 change their states.
In
Once the STO12 and stop (or disable) signals are received in power unit 34, the power unit is shut down. The shut-down is performed by sending a Stop signal from the safety block 35 of the FPGA 36 and implementing a controlled stop of the device. Further, the safety block 35 produces signals STO1′ and STO2′ from the STO12 signal. These produced signals can be used for producing the torque-free state as required by the STO procedure. In an exemplary embodiment of the disclosure, the generation of the STO1′ and STO2′ signals can be delayed such that before implementing the required operations, the power unit, such as an inverter, is already stopped in a controlled manner.
As with the Stop signal, the change of Enable signal to disable state performs a controlled stop of the power unit. The enable signal is used in a motor drive for allowing the operation of the drive. Thus the enable signal allows the drive to be started and to continue the operation of the drive, for example, producing torque to the motor.
It should be noted that Stop or Enable can be used to bring the power unit to a no-torque state. However, such a no-torque state is not safety-approved in the sense of machine safety.
The exemplary embodiment of
The embodiment of
In the above examples two STO signals are fed to the FPGA of the control unit. The two signals are given as examples; the number of STO-signals is not limited and depends on the use of the device.
Further, as a part of the requirement of the STO-functionality, the one or more power units communicate diagnostic data on the state of the torque-free operation back to the control unit in a similar manner as the control unit communicates to the power units. A pre-determined check message is also sent between the units as a part of the secure communication. If this message is not received by the units, then the operation of the power units can be stopped and STO-functionality is applied automatically.
STO12 and Stop signals can be fed to the safety blocks 54 of the power units. Upon receipt of the signals the power units can be switched off first by the normal controlled stop procedure and after that with a procedure that leads to a torque-free state.
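As an added illustration, not part of the original disclosure, the following C model sketches the power unit's safety block as described above: the controlled Stop is started first, the STO1′/STO2′ torque-off step follows after a set delay, and a missing check message triggers the same sequence. The function and type names, the 100 µs delay, the 1000 µs check-message deadline, the latching of a request and the convention that a high input line means "run permitted" are all assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Timing values are assumptions for this sketch, except the 50 us stop bound. */
#define STOP_DURATION_US     50u  /* text: normal Stop takes less than 50 us */
#define TORQUE_OFF_DELAY_US 100u  /* assumed delay before the second procedure */
#define CHECK_TIMEOUT_US   1000u  /* assumed deadline for the check message */
#if TORQUE_OFF_DELAY_US <= STOP_DURATION_US
#error "second procedure must start only after the controlled stop has ended"
#endif

typedef enum { PU_RUN, PU_STOPPING, PU_TORQUE_OFF } pu_state_t;
typedef struct {
    pu_state_t state;
    uint32_t t_request_us;    /* when the stop request was latched */
    uint32_t t_last_check_us; /* when the last check message arrived */
    bool stop_cmd;            /* first procedure: controlled Stop */
    bool sto1_p, sto2_p;      /* second procedure: STO1', STO2' asserted */
} power_unit_t;

/* Control unit: AND of the input lines, assuming high means "run permitted",
 * so STO12 drops as soon as either line drops. */
bool sto12(bool sto1, bool sto2) { return sto1 && sto2; }

void pu_init(power_unit_t *pu, uint32_t now_us) {
    *pu = (power_unit_t){ .state = PU_RUN, .t_last_check_us = now_us };
}

void pu_check_message(power_unit_t *pu, uint32_t now_us) { pu->t_last_check_us = now_us; }

/* One pass of the power unit's safety block. A request is latched (assumed):
 * STO12 returning high does not cancel a shutdown already in progress.
 * Unsigned subtraction keeps the time comparisons correct across timer wrap. */
pu_state_t pu_step(power_unit_t *pu, bool sto12_in, uint32_t now_us) {
    bool link_lost = (uint32_t)(now_us - pu->t_last_check_us) > CHECK_TIMEOUT_US;
    if (pu->state == PU_RUN && (!sto12_in || link_lost)) {
        pu->state = PU_STOPPING;
        pu->t_request_us = now_us;
        pu->stop_cmd = true;              /* start the controlled stop now */
    }
    if (pu->state == PU_STOPPING &&
        (uint32_t)(now_us - pu->t_request_us) >= TORQUE_OFF_DELAY_US) {
        pu->state = PU_TORQUE_OFF;
        pu->sto1_p = pu->sto2_p = true;   /* remove torque after the delay */
    }
    return pu->state;
}

int main(void) {
    power_unit_t pu;
    pu_init(&pu, 0);
    printf("%d ", pu_step(&pu, sto12(true, false), 20));  /* request latched */
    printf("%d\n", pu_step(&pu, sto12(true, true), 120)); /* delay elapsed */
    return 0;
}
```

The compile-time check rejects a configuration in which the torque-off delay is not longer than the stated stop duration; the upper bound on the delay depends on the required reaction time and is not modelled here.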
The arrangement of the disclosure implements the method of the disclosure in such a manner that a simple structure is obtained. The method can be implemented in various types of drive systems requiring the use of safe torque off functionality. The implementation of the method in an arrangement leads to a structure in which the type of the power unit can be any known power unit suitable to be used in a drive system. The safety approved signal is led in a safety approved signal path to a safety approved part of the power unit. In the power unit the signal initiates a pre-determined and controlled stop operation and furthermore produces a second means for ensuring a no-torque state in the sense of the safety related regulations.
In the above, specific examples are described in connection with the drawings. The disclosure is not limited to the examples and the different specific structures presented therein. For example, FPGA circuits are presented as implementing the safety blocks. However, other suitable circuits or circuit structures can also be used.
Thus, it will be appreciated by those skilled in the art that the present invention can be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The presently disclosed embodiments are therefore considered in all respects to be illustrative and not restricted. The scope of the invention is indicated by the appended claims rather than the foregoing description and all changes that come within the meaning and range and equivalence thereof are intended to be embraced therein.
Number | Date | Country | Kind |
---|---|---|---|
14164178.7 | Apr 2014 | EP | regional |