An electrical drive system has an electronic control device, a number of electric motors (at least one) and an electronic control unit for each electric motor. The electronic control device is clocked with a sequence of setpoint values by a higher-order control device (e.g. a programmable logic controller or a numerical control). The setpoint values are generally setpoint position, speed or torque values.
The setpoint values are received within the electronic control device by a central processing unit of the electronic control device. On the basis of the setpoint values, the central processing unit of the electronic control device determines setpoint current values and transmits the setpoint current values to a central processing unit of the drive unit via an output interface of the electronic control device and an input interface of the electronic drive unit.
In the drive unit, its central processing unit receives the setpoint current values and determines, on the basis of the setpoint current values, control signals for a number of circuit breakers (at least one) and outputs the control signals to the circuit breakers. The circuit breakers are generally integral parts of the drive unit. In this case the circuit breakers are controlled directly by the central processing unit. It is conceivable for the circuit breakers not to be integral parts of the drive unit, in which case the central processing unit outputs the control signals to the circuit breakers via an output interface.
Although monitoring of the electric motor by the electronic control device of the drive system is possible in principle, the procedure described above only guarantees de-energization of the electric motor if all the relevant components (control device, drive unit, circuit breakers) are operating properly. If, on the other hand, one of said components fails, de-energization of the electric motor is no longer guaranteed.
In order to be able to ensure safe de-energization, safety regulations (IEC 61508, for example) require that each individual fault is reliably detected and the power supply of the electric motor is safely disconnected upon detection of an individual fault. For this purpose two mutually independent disconnection devices are required which are controlled by two mutually independent units.
Reliable detection of individual faults can be ensured, for example, by all the signal paths and all the signal processing components being of redundant (i.e. at least two-channel) design. Drive systems of this kind are generally known. With these drive systems, monitoring is realized by central processing units which are embodied as relatively powerful processors.
It is possible for the central processing unit of the electronic control device to be one of the central processing units which implement monitoring.
It is also already known that consecutive components viewed in the signal flow direction can monitor one another. For example, a higher-order and a lower-order controller can monitor one another. In this case, central processing units implemented as relatively powerful processors are required in the higher-order controller and in the lower-order controller for mutual monitoring.
The central processing unit of the electronic drive unit is relatively low-power. During normal operation it only needs to be able to determine and output the control signals for the circuit breakers on the basis of the setpoint current values. The central processing unit of the electronic drive unit is generally unable to undertake the necessary monitoring of its superordinate electronic control device.
Although it is of course conceivable to provide the electronic drive unit with a sufficiently powerful central processing unit, this would increase the costs of the electronic drive unit. This path is not therefore taken in the prior art.
In the field of programmable logic controllers, reliable program processing with a single processor is already known. This method generally employs what is termed coded programming. Coded programming as such is well known.
With coded programming, a user program is created in plain text in the usual way. On the basis of the user program, a translation program generates a control program which has a payload part and a supplementary part. The payload part has the functionality assigned thereto by the user program. The supplementary part is designed such that it contains the same input variables as the payload part, but its outputs (or at least one of the outputs) being the nth multiple of the corresponding output of the payload part, where n is a suitably determined prime number.
The output signal of the supplementary part corresponds to checking information which, in itself or in conjunction with at least one other signal transmitted to the at least one drive unit in monitoring mode, is indicative of whether the programmable logic controller is operating properly, because the output signal generated by means of the supplementary part can only assume quite specific values. If these values are not assumed, this indicates a programmable logic controller malfunction.
In the prior art, the programmable logic controller transmits the checking information to another module. This other module checks whether it is receiving the checking information and whether the checking information is correct. If it does not receive the checking information or the checking information is incorrect, a fault response is initiated; in particular an installation controlled by the programmable logic controller is placed in a safe state.
DE 103 21 465 A1 discloses an electronic control device of an electrical drive system, which device has a central processing unit. The central processing unit is designed such that in normal mode it receives a sequence of setpoint position or speed values from a control device of a higher order than the electronic control device, determines setpoint current values on the basis of the received setpoint values and corresponding actual values and transmits the setpoint current values to a drive unit subordinate to the electronic control device. The electronic control device additionally monitors itself, the higher-order control device and a position sensor for correct operation. In the event of a malfunction being detected, the electronic control device transmits a disconnection signal to the electronic drive unit so that the electronic drive unit interrupts an electrical power supply of the electric motor. The electronic control device finally generates checking information which in itself or in conjunction with other information transmitted to the higher-order control device is indicative as to whether the electronic control device is operating properly. It transmits the checking information to the higher-order control device.
DE 103 21 465 A1 also discloses the corresponding electronic drive unit and its operation. The electronic drive unit receives the sequence of setpoint current values and determines, on the basis of the setpoint current values, control signals for a number of circuit breakers by means of which the electric motor is to be connected to the power supply according to the setpoint current values. The electronic drive unit outputs the control signals to the circuit breakers. The electronic drive unit also checks whether a disconnection signal is being transmitted thereto by the electronic control device or the higher-order control device. In the event of a disconnection signal being transmitted, the electronic drive unit interrupts the power supply of the electric motor.
EP 0 658 832 A2 discloses an electrical drive system comprising a higher-order electronic control device, a lower-order electronic drive unit and an electric motor. Present inside the higher-order electronic control device is a setpoint value generator which determines a sequence of setpoint position values and prescribes them as the setpoint values for a position controller within the electronic control device. The position controller determines setpoint speed values on the basis of the setpoint position values and corresponding actual position values and transmits the setpoint speed values to the drive unit. The electronic control device checks whether the electric motor is being moved within a permissible travel range. If it leaves the permissible travel range, the electronic control device triggers a first disconnection device so that electric motor is disconnected from its power supply. The same response is initiated if a position determined by the electronic control device and a position determined by the electronic drive unit deviate significantly from one another or the electronic control device detects a malfunction in itself or a drive unit malfunction.
In the case of EP 0 658 832 A2, the drive unit executes the corresponding functions. In particular, it receives the setpoint speed values from the electronic control device, also receives actual speed values and determines setpoint current values which it specifies for a current controller disposed inside the drive unit. On the basis of the setpoint current values, the current controller determines control signals for a number of circuit breakers by means of which an electric motor is to be connected to a power supply according to the setpoint current values. The control signals are specified for the circuit breakers. In addition, the electronic drive unit—viewed in mirror image—initiates the same checks and check responses as the electronic control device.