Drive circuits are used to drive motors in many different applications. In such applications there is a need to provide a means for disabling the motor in the case of an emergency or similar event. For example, if a motor connected to a piece of machinery could cause harm to its operator if it continued to operate, then there is a need to ensure that it stops when instructed to do so. In particular, it is important that the control system includes fail-safe functionality, so that the machine stops operation in response to the initial instruction to stop.
Two key safety standards exist that need to be complied with:
BS EN 61800-5-2:2007 Adjustable speed electrical power drive systems—Safety requirements; and
BS EN ISO 13849-1:2008 Safety of machinery—Safety related parts of control systems.
BS EN 61800-5-2 names the function for disabling motor-driven machinery Safe Torque Off, and defines it as follows:
Power, that can cause rotation (or motion in the case of a linear motor), is not applied to the motor. The PDS(SR) will not provide energy to the motor which can generate torque (or force in the case of a linear motor). Here PDS(SR) = adjustable speed electrical power drive system suitable for use in safety related applications.
A common way in which these standards are complied with is by providing a safe torque off (STO) function arranged to prevent control signals from reaching the switching devices that generate the torque-producing current in the motor. In order to comply with these standards, the STO function must achieve a high degree of safety integrity. Hence the STO function itself must have fail-safe means built into its own functionality.
All modern alternating current motor drive systems use an inverter to generate the controlled alternating voltage to be applied to the motor.
In order to maintain torque in the motor, continual, active and co-ordinated switching of the corresponding power semiconductors in the required sequence is needed. Should erroneous conduction of one or more of the power semiconductor devices of the inverter occur, this does not result in sustained torque in the motor. For a motor with a smooth (non-salient) rotor, no torque is produced by any failure of a power semiconductor device of the inverter. For a motor with permanent magnets and/or saliency, a pair of short-circuited power semiconductor devices in the inverter could cause a brief alignment torque whereby the motor partially rotates. However, the current would then increase rapidly until interrupted by a protection device (for example a fuse) or by destructive failure of at least one of the power semiconductor devices.
As a further example, in grid-connected power-generating inverter applications, the same principles apply when the inverter drives a transformer rather than a motor. Erroneous conduction of power semiconductor devices of the inverter cannot produce an alternating flux in the transformer, and therefore cannot produce a sustained output from the transformer secondary coil. In other words, a fault in an inverter power device results in direct current, which cannot be transferred through the transformer because the transformer relies upon alternating current for its operation.
For safe and reliable control of such an inverter, an interface is required between the inverter control input terminals (which typically use logic signals such as 24 V d.c.) and the power semiconductors of the inverter, and this interface must maintain the required low probability of dangerous failure of the inverter.
Electromechanical relays have been used to provide the necessary electrical isolation and electrical level conversion for such an interface. However, relays possess relatively high probabilities of failure in the dangerous direction and have a relatively short time before mechanical wear-out. Pairs of relays are therefore used, accompanied by monitoring to detect fault conditions.
In recent drives, generation of the power semiconductor control signals for operating the inverter is typically carried out by complex digital electronic circuits and programmable digital processors. Such an arrangement does not by itself provide the required low probability of dangerous failure, as most digital circuits can fail with equal probability into either of the available logic states. Further, the complexity of the digital circuits and functions is such that it is difficult to reliably and confidently demonstrate a sufficiently low probability of dangerous failure under all combinations and sequences of conditions that the circuit may be subjected to during operation. For example, it may be difficult to predict how the circuit reacts under changing temperature conditions together with each and every possible sequence of combinations of logic levels on each and every pin of the various devices of the circuit.
If complex digital electronic circuits and programmable circuits are to be employed in safety critical functions, typically at least two independent channels are used, together with diagnostic and cross-checking functions to detect faults or errors. Such systems allow the inverter to be disabled by way of a channel that is not affected by a particular fault that has been detected. Even in such systems, however, a means for disabling the inverter which does not rely on the complex circuits needs to be provided in order to achieve the required low probability of dangerous failure.
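The two-channel arrangement with cross-checking diagnostics described above can be illustrated with a small behavioural model. The following Python is an added example written for this page; it is not from the patent and not any drive product's firmware. It assumes a hypothetical pair of channels named A and B, a constructed discrepancy tolerance of two cycles, and a constructed run/stop command sequence. The model shows three things: torque is permitted only when both channels enable the gate drivers (the AND of the channels), a persistent disagreement between channels latches a safe state, and a common-cause fault that drives both channels into the enabled state is not detectable by cross-checking at all, which is the limitation that motivates an additional simple disabling means independent of the complex circuits.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed value: consecutive cycles the two channels may disagree before
# the discrepancy is treated as a fault (allows for input timing skew).
DISCREPANCY_TOLERANCE = 2


@dataclass
class StoChannel:
    """One of two independent STO channels (hypothetical model)."""
    name: str
    # None = healthy; True/False = channel output stuck at that level.
    stuck_at: Optional[bool] = None

    def evaluate(self, run_request: bool) -> bool:
        """Return True when this channel would enable its gate-driver supply."""
        if self.stuck_at is not None:
            return self.stuck_at          # a stuck fault overrides the command
        return run_request                # healthy: follows the 24 V run input


@dataclass
class DualChannelSto:
    """Two channels, cross-checked every cycle; a detected fault latches the safe state."""
    a: StoChannel
    b: StoChannel
    discrepancy_cycles: int = 0
    latched_fault: bool = False
    log: List[str] = field(default_factory=list)

    def step(self, run_a: bool, run_b: bool) -> bool:
        """One control cycle. Returns True only if torque may be produced."""
        if self.latched_fault:
            return False                  # stays safe until an explicit reset
        en_a = self.a.evaluate(run_a)
        en_b = self.b.evaluate(run_b)
        if en_a != en_b:
            self.discrepancy_cycles += 1
            if self.discrepancy_cycles > DISCREPANCY_TOLERANCE:
                self.latched_fault = True
                self.log.append(
                    f"cross-check fault: {self.a.name}={en_a}, {self.b.name}={en_b}; "
                    "safe state latched")
                return False
        else:
            self.discrepancy_cycles = 0
        # Torque is possible only when BOTH channels enable the gate drivers, so a
        # single channel stuck in the dangerous (enabled) state cannot on its own
        # keep the motor running once the other channel removes its enable.
        return en_a and en_b

    def reset(self) -> None:
        """Operator reset after the latched fault has been investigated."""
        self.latched_fault = False
        self.discrepancy_cycles = 0


def run_scenario(fault_a: Optional[bool] = None,
                 fault_b: Optional[bool] = None) -> Tuple[List[bool], bool, List[str]]:
    """Drive the model through run -> stop -> run and record torque permission per cycle."""
    sto = DualChannelSto(StoChannel("A", fault_a), StoChannel("B", fault_b))
    commands = [True] * 3 + [False] * 5 + [True] * 3   # constructed command sequence
    torque_allowed = [sto.step(cmd, cmd) for cmd in commands]
    return torque_allowed, sto.latched_fault, sto.log


if __name__ == "__main__":
    cases = [("healthy", None, None),
             ("A stuck enabled", True, None),
             ("A stuck disabled", False, None),
             ("both stuck enabled (common cause)", True, True)]
    for label, fa, fb in cases:
        torque, latched, log = run_scenario(fa, fb)
        bits = "".join("1" if t else "0" for t in torque)
        print(f"{label:36s} torque={bits} latched={latched}")
        for line in log:
            print("    ", line)
```

Running the model, the healthy case follows the command exactly; a single channel stuck enabled is held off by the other channel at the stop command and then latched out by the cross-check; a single channel stuck disabled never allows torque (a safe failure); and the common-cause case permits torque throughout with no fault recorded, because two channels that agree with each other give the cross-check nothing to detect.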
It is therefore desirable to have a fail-safe interface, in particular to an inverter, which employs simple electronic components with well-defined failure modes. In such an interface, it is desired that a very high fraction of component faults, and combinations of component faults, result in a safe failure: that is, a failure in which the inverter is not supplied with the required waveform, so that a motor connected to the inverter is not driven.