1. Field of the Invention
This invention is directed toward braking systems for an electric motor, and in particular, to embodiments of a controller for an electro-mechanical brake that provides fail-safe control and reduced power consumption when compared to prior art systems.
2. Description of the Related Art
Rotating shafts in general and, in particular, the output shaft of a servo motor, may be fitted with an electromechanically operated brake. The optional brake permits the motor shaft to be held stationary when the motor coil is de-energized. Such a brake may also be used to bring a rotating shaft to a standstill. Electromechanically operated brakes may also be used in linear motion machines. Electromechanical brakes can greatly enhance operator safety. Thus, standards for such equipment have been adopted and include design criteria that call for high levels of performance.
Examples of industrial standards for safety of machinery include International Standard IEC 62061, entitled “Safety of machinery—Functional safety of safety-related electrical, electronic and programmable electronic control systems,” Edition 1.1 2012 November, published by the International Electrotechnical Commission (IEC) of Geneva Switzerland; as well as International Standard ISO 13849-1, entitled “Safety of machinery—Safety-related parts of control systems—Part 1: General principles for design,” Second edition, 2006 Nov. 1, published by the ISO (the International Organization for Standardization); and also International Standard ISO 13849-2, entitled “Safety of machinery—Safety-related parts of control systems—Part 2: Validation,” Second edition, 2012 Oct. 15, published by the ISO (the International Organization for Standardization). These standards are incorporated by reference herein in their entirety.
In summary, “functional safety,” as described therein, generally refers to overall safety of a system or piece of equipment that depends on the system or equipment operating correctly in response to its inputs, including the safe management of likely operator errors, hardware failures and environmental changes. The objective of functional safety is to provide freedom from unacceptable risk of physical injury or of damage to the health of people either directly or indirectly (through damage to property or to the environment). The standards for functional safety related to electrical, electronic and programmable electronic control systems have been widely adopted. Among other things, requirements are included to demonstrate safety against injury through control of the brake in a fail-safe manner, generally referred to as “Safe Brake Control.”
In order to provide some context, the practice and terminology of functional safety will be briefly reviewed. The term “process sub-system” generally refers to that part of a drive not related to functional safety. “Safe Torque Off”, or simply “STO,” generally refers to a safety control function that prevents the generation of torque in a motor-drive sub-system. “Risk” generally refers to a combination of the probability of occurrence of harm and the severity of that harm. For a variable designation of N, “Hardware Fault Tolerance,” or simply “HFT,” generally means that N+1 faults could cause a loss of the safety-related control function. “Safe Failure Fraction,” or simply “SFF,” generally refers to a fraction of the overall failure rate of a sub-system that does not result in a dangerous failure. “Probability of dangerous Failure per Hour,” or simply “PFHD,” generally refers to the average probability of a dangerous failure per hour of a safety related system or sub-system to perform the specified safety function. “Safety Integrity Level,” or simply “SIL,” generally refers to the probability of a safety control system or sub-system satisfactorily performing the required safety-related control functions under all stated conditions. IEC62061 defines three levels of SIL: SIL1 which has a PFHD in the range ≥10⁻⁶ to <10⁻⁵; SIL2 which has a PFHD in the range ≥10⁻⁷ to <10⁻⁶; and SIL3 which has a PFHD in the range ≥10⁻⁸ to <10⁻⁷ and is also the most stringent level of SIL. Note that in addition to these PFHD requirements, each SIL also has “architectural requirements” as set out in Table 5 of IEC62061. SIL3 can be achieved with an SFF in the range 90%-<99% and HFT=1 or alternatively with a less demanding SFF in the range 60%-<90% but a more demanding HFT=2.
A first step in designing a safety system is to evaluate the risks. A second step is to determine what Safety-Related Control Function is required to mitigate each respective risk. A third step is to determine what the required SIL is for each respective Safety-Related Control Function. As an example, consider a factory using six-axis robots. The robots can cause serious injury and the production area (generally in front of the robots) must be guarded with a light curtain. When a person intrudes into the protected area, the light curtain sends a signal to a safety PLC which in turn sends a signal to the six drives in the robot, which place themselves in the STO state and apply the brake safely to each respective motor. The light curtain, safety PLC and six drives form what is termed a “safety chain.” That is, the overall safety function is dependent on each sub-system in the safety chain. Following the procedures described in IEC62061, it may be determined that SIL3 is required for this function. What this implies is that every sub-system in the safety chain must perform to the SIL3 criteria and that the overall safety chain itself must have a net PFHD in the SIL3 range of ≥10⁻⁸ to <10⁻⁷. The net PFHD of the safety chain is the sum of the PFHD for each sub-system in the safety chain. For example, if the light curtain, safety PLC and all six drives each have a PFHD of 1.25×10⁻⁸ then the net PFHD of the safety chain is 8×1.25×10⁻⁸=10⁻⁷ which is just at the edge of the PFHD range for SIL3. From this illustration, it can be seen that there is significant benefit to the user in buying safety-related sub-systems that offer PFHD values that are much smaller than the upper limit mandated by the SIL.
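The safety-chain arithmetic above, worked through as an added example that is not part of the original text: it sums the sub-system PFHD values, classifies the result against the SIL bands quoted from IEC 62061, derives the per-link budget for a chain of a given length, and checks the two SIL3 architectural rows the text cites from Table 5. Function names and the constructed eight-link chain are my own, and treating a higher SFF in the same HFT column as still satisfying the row is an assumption.

```python
from fractions import Fraction

# PFHD bands per SIL as quoted in the text from IEC 62061: lower bound
# inclusive, upper bound exclusive. Fractions keep boundary comparisons exact,
# which matters because the text's example lands exactly on a band edge.
SIL_BANDS = {
    3: (Fraction("1e-8"), Fraction("1e-7")),
    2: (Fraction("1e-7"), Fraction("1e-6")),
    1: (Fraction("1e-6"), Fraction("1e-5")),
}


def sil_for_pfhd(pfhd):
    """SIL whose PFHD band contains pfhd; None if it lies outside every band."""
    for sil, (lo, hi) in SIL_BANDS.items():
        if lo <= pfhd < hi:
            return sil
    return None


def net_pfhd(chain):
    """Net PFHD of a safety chain: the sum over all of its sub-systems."""
    return sum((Fraction(p) for p in chain), Fraction(0))


def per_subsystem_budget(n_subsystems, sil):
    """Equal PFHD share per link that puts an n-link chain exactly on the
    (exclusive) upper limit of the band for `sil`; links must stay below it."""
    return SIL_BANDS[sil][1] / n_subsystems


def meets_sil3_architecture(sff, hft):
    """SIL3 architectural check using the Table 5 rows the text quotes:
    HFT=1 with SFF 90%-<99%, or HFT=2 with SFF 60%-<90%. Assumption: a higher
    SFF in the same HFT column also satisfies the row. HFT values the text
    does not cover return None rather than a verdict."""
    sff = Fraction(sff)
    if hft == 1:
        return sff >= Fraction(90, 100)
    if hft == 2:
        return sff >= Fraction(60, 100)
    return None


# Constructed chain from the text: light curtain, safety PLC and six drives,
# each with PFHD = 1.25e-8 per hour.
EXAMPLE_CHAIN = ["1.25e-8"] * 8

if __name__ == "__main__":
    net = net_pfhd(EXAMPLE_CHAIN)
    print("net PFHD:", float(net), "-> SIL", sil_for_pfhd(net))
    print("SIL3 budget per link for 8 links:", float(per_subsystem_budget(8, 3)))
```

With exact arithmetic the eight-link chain sums to exactly 10⁻⁷, which the stated bands place at the first value outside SIL3, so each link must be strictly below 1.25×10⁻⁸ to keep the chain inside SIL3.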
When the coil of an electromechanical brake is energized, that is to say when the brake is released and the motor is permitted to move freely, power is dissipated in the coil as resistive loss. For example, if the brake coil is driven from 24V DC and the coil current is 2 A, it follows that there is a power loss of 48 W. Recent improvements in the construction of servo motors have allowed the mechanical dimensions to be reduced for a given power rating, and this has the side-effect that losses from the brake reduce the motor force rating proportionately more than before. There is also, in general, a desire to be energy efficient and save power where possible. Therefore, there is now a requirement to provide a Safe Brake Control circuit that is also power-saving.
The prior art of brake control will be briefly reviewed. A prior art control circuit (100) for a brake is shown in FIG. 1. Generally, the brake includes an electro-mechanical assembly fitted to the motor, the mechanical construction of which is not illustrated herein. Generally, the brake includes a shoe held against a braking surface by a spring and an electric solenoid that pushes back against the spring and thus releases the brake. A brake coil (101) is a part of the brake. A switch (102) and a diode (103) are included in drive electronics. Two wires connect the brake coil (101) to the drive. In operation, the brake coil (101) is energized through switch (102) which is connected to voltage supply (104), in this case a supply of +24V DC. The switch (102) can be a normally open contact pair in a relay or alternatively a high-side semiconductor switch may be used. The diode (103) may be referred to as a “free-wheeling diode” and is provided in order to protect the switch (102) against excessive voltages when the switch (102) is opened. Under this condition, the current freewheels as indicated by the arrow. The prior art control circuit (100) of FIG. 1 can form part of a safe brake control, provided that additional measures are taken. For example, the switch (102) must be of a particularly reliable construction and a means must be provided to monitor that the contact has been opened. If these measures are in place, then Safe Brake Control meeting SIL2 criteria set forth in IEC62061 can be achieved. Note that in these figures, the brake is shown as being energized from 24V because this is the standard control voltage used in industrial control systems but other control voltages may be used.
The inductance of the brake coil (101), which is the wound portion of the electric solenoid of the brake, may be several millihenries, and therefore the time taken for the current to decay when circulating through diode (103) may be hundreds of milliseconds, thereby delaying the application of the brake. This delay may reduce the effectiveness of the brake in fulfilling a safety function. Attempts to reduce this delay have been made with other prior art designs.
Another prior art control circuit (100) designed for reducing this delay is illustrated in FIG. 2. The application of the brake in the circuit of FIG. 2 is faster than that of FIG. 1 because when switch (102) opens the current free-wheels as shown through diode (103) and Zener diode (201) which is used to absorb a portion of the energy stored as current in the inductance of the brake coil (101), thereby causing the current in the brake (101) to decay faster.
If the highest safety level of SIL3 according to IEC62061 is required, then the brake control must work despite a single fault being present. The typical prior art solution achieves this by use of two switches connected in series. An example of prior art control circuit (100) designed in this manner for SIL3 performance is depicted in FIG. 3. Even if switch (102) fails closed, the safety-related control sub-system in the drive will also open switch (301) and thereby apply the brake. Similarly, if switch (301) fails closed then switch (102) can still be opened and thus apply the brake. This embodiment of prior art control circuit (100) also offers protection from the wire of the positive pole (106) of the brake coil (101) being shorted to +24V or the wire to the negative pole (107) of the brake coil (101) being shorted to ground.
Achieving SIL3 will also require the safety sub-system to detect and report faults, for example by monitoring the voltage at each end of the brake coil (101) and comparing this voltage against the expected value when operating switches (102) and (301). In the terminology of functional safety, this is known as having “diagnostic coverage.” It is feasible to add diagnostic coverage to the circuit of FIG. 3 by, for example, monitoring the voltage across each switch (102) and (301) or by monitoring the voltages at each end of the brake coil (101).
One drawback with the prior art control circuit (100) of FIG. 3 is that energy is returned to the 24V rail when the brake coil is de-energized. The removal of energy from the brake coil (101) will be rapid but other apparatus connected to 24V may malfunction when the 24V supply rail is driven higher during de-energization. In particular, some 24V power supplies feature an over-voltage crowbar which can be triggered during such an event thereby inadvertently shutting down the control system. Therefore, prior art control circuit (100) of FIG. 3 is not generally suitable for industrial control systems.
A further inadequacy in the prior art designs is that of the lack of brake coil power saving. A brake coil rated for 24V DC operation will release the brake and allow motion if the applied voltage is 24V within some margin stated by the manufacturer, such as ±10%. The minimum voltage to release the brake is commonly referred to as the “pick” voltage. However, having first been released, the brake can be held in that state by applying a lower voltage to the brake coil (101) (referred to as the “hold-off voltage”), for example 17V. Since power loss in the brake coil (101) is proportional to the square of the applied voltage, the reduction in power loss compared with using the 24V is 1−(17/24)²≈50%.
One technique for achieving this power saving is with an embodiment of a prior art control circuit (100) such as that of FIG. 4. In order to open the brake, switch (401) initially connects switch (102) to 24V (104). After a delay, on the order of seconds, switch (401) changes over to the pole connected to the 17V rail (402). Note that in the embodiment of FIG. 4, the prior art control circuit (100) retains Zener diode (201) (as used in the embodiment of FIG. 2). Therefore, this embodiment also features rapid demagnetization of the brake coil (101). 17V is a conservative estimate for the hold-off voltage that will work with almost any brake. If a better hold-off voltage for the particular brake is known, then further savings can be made by using that hold-off voltage. In some embodiments, this may be as low as 12V. Generally, it is desirable to make the voltage used in the power saving state be adjustable.
As yet another technique, rather than switching between two voltages as shown in FIG. 4, an alternative means for reducing the voltage applied to the brake in the hold-off phase would be to pulse-width modulate switch (102) in FIG. 1 or switch (102) and/or switch (301) in FIG. 3. Specifically, if switch (102) in FIG. 1 were pulse-width modulated with a duty cycle of 70% then an average of 17V would appear across the brake coil (101). However, direct pulse-width modulation (PWM) of the voltage across the brake coil (101) has two serious disadvantages. The first disadvantage is the difficulty and expense of suppressing the consequent switching noise to the level required by regulations on electromagnetic compatibility (EMC). A second disadvantage is that PWM cannot practically be applied to switch (102) in the fast demagnetization circuit of FIG. 2 because of the substantial steady-state losses that would arise in Zener diode (201).
A further requirement or complication to consider is that a drive that includes Safe Brake Control must have two input ports for applying the brake. The process sub-system portion of the drive must be able to apply the brake in order to hold the shaft of the motor stationary when the servo amplifier is not holding the shaft by closed loop control and additionally the safety sub-system must be able to apply the brake whenever an unsafe condition has been detected—over-riding the process system when necessary. The requirement for two control ports has not been considered in FIGS. 1-4.
As one can surmise, an ideal brake control circuit must perform to a number of criteria. The ideal brake control circuit must provide an input port through which the process system in the drive can release the brake using 24V. The circuit must subsequently hold the brake off with an adjustable hold-off voltage, and be capable of applying the brake rapidly by demagnetizing the brake coil quickly. The ideal brake control circuit must also provide at least one further control port through which the safety sub-system in the drive can independently apply the brake, over-riding the process sub-system if necessary, and must be able to detect faults in the safety-related parts of the brake control circuit. Further, there is also the ever-present need to accomplish these goals at the minimum cost and using the minimum board area.