A machine can be automated using electronic motor drives and other actuators connected together via a communication network. Control and monitoring signals pass across the network, which simplifies the machine's wiring. The electronic motor drives include motors, such as servo motors, control electronics and related electronic and electro-mechanical components, such as feedback devices, mechanical brakes, network interfaces, diagnostic devices, and the like. Overall co-ordination of the machine is typically achieved by running a control program on a master controller, which sends commands to the electronic motor drives and other actuators and similarly receives position and status information from said drives and actuators. For ease of explanation, the electronic motor drives and other actuators will be referred to herein as slave devices.
In addition to wiring conveying commands and status information between the master controller and all slave devices, it is desirable to have a separate hard-wired connection that reliably ensures no power flows to the motors, a state known as the Safe Torque Off (STO) state. A so-called hybrid cable, with separate signal wires for the command and status information and the STO signaling, is typically employed so that a single cable bundle is provided from the master controller to the slave device. Of course, the hybrid cable can include power wires for powering the slave devices, as well as other signal wires to support other functions.
The use of hybrid cables implies that there must be an access point in the machine to combine the network, STO signal, and other signals into the hybrid cable. The term STO access point will be used herein to refer to this access point. Since the network must pass through the STO access point, the access point includes any necessary network functions, such as a network repeater, network hub or network switch.
FIG. 1 illustrates a typical decentralized drive arrangement in which an STO access point 110 is coupled to a plurality of slave devices 150A-150C. STO access point 110 also incorporates at least one network interface 115, which allows connection to the master controller 100 and other network devices. STO access point 110 has at least one hybrid port 130A, which is directly coupled via hybrid cable 105A to slave device 150A. Slave device 150A is coupled via hybrid cable 105B to slave device 150B, which in turn is coupled via hybrid cable 105C to slave device 150C. This connection arrangement of slave devices 150A-150C is commonly referred to as a daisy-chain. STO access point 110 also includes an STO input port 190A for receiving an STO command 160A and an STO diagnostic port 180A for outputting an STO diagnostic signal 170A based on information received from the slave devices 150A-150C. In conformance with modern automation practice, command signals are sent downstream from the master controller 100 to the STO access point 110, which combines them on separate signal wires of the hybrid cable 105A for transmission to slave devices 150A-150C. Similarly, feedback signals are returned from each slave device and received by STO access point 110. STO access point 110 removes the STO diagnostic information from the dedicated STO wires and passes the other feedback signals to master controller 100.
Although FIG. 1 shows a single Safe Torque Off command signal 160A being presented to the STO port 190A of the STO access point 110 and a single diagnostic signal 170A being transmitted from STO diagnostic port 180A, it will be recognized that to achieve the very highest levels of safety integrity a second, independent, Safe Torque Off command signal and associated diagnostic signal may be implemented.
FIG. 2 is a block diagram of the control signal communication in a conventional decentralized drive arrangement. The network physical layer is of the type where signals are relayed from one slave device to the next adjacent slave device by first receiving the signals from the wires attached to one network port and then re-transmitting the signals to the other network port; an example of such a network physical layer is 100BASE-TX (IEEE 802.3u 1995). Thus, although FIG. 2 and subsequent Figures separately illustrate the upstream and downstream twisted pairs, these twisted pairs will be part of the same wiring set that terminates at a common connector at a common network port. The structure of the network link between any two slave devices is the same, regardless of the function of the slave devices. Each link has a downstream half and an upstream half. In FIG. 2, the downstream half comprises a transmitter circuit 202A, a transmitting isolating transformer 204A, a twisted pair of conductors 206A inside the hybrid cable (any of 105A-105C), a receiving isolating transformer 222A and a receiver circuit 224A. Similarly, in FIG. 2 the upstream half comprises a transmitter circuit 202B, a transmitting isolating transformer 204B, a twisted pair of conductors 206B inside the cable (any of 105A-105C), a receiving isolating transformer 222B and a receiver circuit 224B.
Each link of the network carries the control signal information only as far as the adjacent slave device. In order to allow the information to reach further slave devices, each slave device contains a digital repeater circuit that forwards the network message to the next link. Thus, as illustrated in FIG. 2, slave device 150A includes digital circuit 226B, which forwards the network message from the receiver circuit 224A to transmitter circuit 202C. Similarly, digital circuit 226B forwards network messages received from downstream slave devices by receiver circuit 224D, to transmitter circuit 202B for transmission to STO access point 110.
There may be times when it is necessary to service the machine while it is powered up, and in a machine where any of the slave devices are capable of causing injury, the servicing personnel will require assurance that the motor drive portion of the slave device cannot operate. This assurance is typically provided using a technique referred to as Safe Torque Off (STO, see IEC 61800-5-2). As will be recognized by those skilled in the art, Safe Torque Off represents a demonstrable safety integrity level that the slave motor drive cannot operate, and this safety integrity level is typically certified by governmental authorities or certification entities.
As illustrated in FIG. 2, Safe Torque Off signaling is typically achieved using a separate pair of wires dedicated for this purpose. Specifically, based on STO command 160A, dedicated wires 290 and 291 carry a voltage from Safe Torque Off port 190A in STO access point 110 to the slave devices 150A-150C in the daisy chain. It will be recognized that STO command 160A is typically a DC voltage provided by an external power supply. When no voltage is carried over the dedicated wires, each slave device places itself into the Safe Torque Off state, in which the motors are disabled. To enable the motor drives in the daisy chain of slave devices 150A to 150C, a potential must be applied between wires 290 and 291; usual industry practice is to use 24V DC for this purpose.
To reach the highest levels of safety integrity it is necessary to monitor the STO circuit at each slave device and thereby verify that no slave device is enabled. In the language of functional safety this is known as providing Diagnostic Coverage. The usual implementation is to provide a dedicated pair of wires for the STO diagnostic signal (e.g. 272 and 273 in FIG. 2). Where slave devices are connected together so as to share a single STO control line (for example 150A, 150B and 150C in FIG. 1), they can also share a single STO diagnostic signal, because if the STO signal issuing from the STO access point 110 is unenergized then all of the slave devices should be disabled (i.e., be in the Safe Torque Off state), and if any of the slaves remains enabled a dangerous condition exists. Thus the STO diagnostic signal can be wire-ORed, i.e., logically ORed.
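An added example, not part of the original text: a small C model of the shared STO command and wire-ORed diagnostic described above, including the dangerous case in which one slave stays enabled after the command is de-energized. The type and function names, the injected `sto_input_stuck` fault, and the simplification that a healthy slave reports enabled whenever the STO wires are energized are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one daisy chain sharing a single STO line.
 * All names and the fault flag are assumptions, not from the text. */
typedef struct {
    bool sto_input_stuck; /* injected fault: slave ignores loss of STO voltage */
} slave_t;

typedef enum { STO_SAFE, STO_ENABLED, STO_DANGEROUS } sto_verdict_t;

/* A healthy slave is enabled only while a potential is present on the
 * dedicated STO wires; a faulty one stays enabled regardless. */
static bool slave_enabled(const slave_t *s, bool sto_energized)
{
    return sto_energized || s->sto_input_stuck;
}

/* Wire-OR: the shared diagnostic pair is asserted if ANY slave is enabled. */
bool sto_diagnostic(const slave_t *chain, size_t n, bool sto_energized)
{
    bool any_enabled = false;
    for (size_t i = 0; i < n; i++)
        any_enabled = any_enabled || slave_enabled(&chain[i], sto_energized);
    return any_enabled;
}

/* Check at the access point: command unenergized but diagnostic still
 * asserted means at least one slave is not in the Safe Torque Off state. */
sto_verdict_t sto_evaluate(bool sto_energized, bool diagnostic)
{
    if (sto_energized)
        return STO_ENABLED;
    return diagnostic ? STO_DANGEROUS : STO_SAFE;
}

sto_verdict_t sto_check_chain(const slave_t *chain, size_t n, bool sto_energized)
{
    return sto_evaluate(sto_energized, sto_diagnostic(chain, n, sto_energized));
}

int main(void)
{
    slave_t healthy[3] = { {false}, {false}, {false} };
    slave_t faulty[3]  = { {false}, {true},  {false} }; /* middle slave stuck */
    printf("healthy, STO off: %d\n", (int)sto_check_chain(healthy, 3, false));
    printf("faulty,  STO off: %d\n", (int)sto_check_chain(faulty, 3, false));
    return 0;
}
```

Because the diagnostic is a logical OR, the verdict in this model says only that some slave on the chain remains enabled, not which one.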