Method and apparatus for the safe limitation of motor torque in a three-phase drive

11387767 · 2022-07-12

Abstract

A torque-limiting safety circuit servo drive for AC permanent magnet motors including a three-phase inverter bridge, a first current sensor in series with a first motor phase, a second current sensor in series with a second motor phase, a third current sensor in series with the DC bus, and a drive control circuit that controls the six pulse-width modulated gate drive signals for the three-phase inverter bridge. The drive circuit has first and second safety channel STO inputs whereby either channel can shut down the three-phase inverter bridge, emits a signal set to represent the switching state of the three-phase inverter bridge, and modifies the switching pattern of the PWM to ensure the dwell times of the PWM are sufficiently long to allow a valid measurement of phase current using the bus current sensor. First and second safety processors control the first and second safety channel STO inputs, respectively.

Claims

1. A torque-limiting safety circuit servo drive for an AC permanent magnet motor, comprising: a three-phase inverter bridge fed from a DC bus; a drive control circuit for providing pulse-width modulated gate drive signals to the three-phase inverter bridge, the drive control circuit having a first safety channel safe-torque-off input and a second safety channel safe-torque-off input; a first safety processor controlling the first safety channel safe-torque-off input of the drive control circuit based upon a first estimate of a motor current vector; a second safety processor controlling the second safety channel safe-torque-off input of the drive control circuit based upon a second estimate of the motor current vector; a first current sensor detecting current in a first motor phase; a second current sensor detecting current in a second motor phase; and a third current sensor detecting current in a DC bus; wherein the drive control circuit is configured to emit a signal set representing a switching state of the three-phase inverter bridge; wherein the drive control circuit is configured to shut down the three-phase inverter bridge responsive to input from either of the first safety processor or the second safety processor; and wherein the drive control circuit is configured to modify the switching pattern of the pulse-width modulation, providing lengthy pulse-width modulation dwell time to conduct accurate measurement of phase current using the third current sensor.

2. The torque-limiting safety circuit servo drive according to claim 1, further comprising a current vector re-constructor circuit configured to construct an estimated current vector based on the signal set representing the switching state of the three-phase inverter bridge and a signal set representing a DC link current from the third current sensor.

3. The torque-limiting safety circuit servo drive according to claim 2, wherein the current vector re-constructor circuit is configured to emit a signal set representing the estimated current vector and an error indication, wherein the error indication confirms the accuracy of the current vector estimate.

4. The torque-limiting safety circuit servo drive according to claim 2, wherein current vector distortion is reduced using the two most recent phase current measurements to reconstruct current from the third current sensor using an identity i_u + i_v + i_w = 0.

5. The torque-limiting safety circuit servo drive according to claim 1, further comprising a rotor position sensor sub-system configured to supply a first rotor position measurement to the first safety processor and a second rotor position measurement to the second safety processor, wherein the first rotor position measurement is independent of the second rotor position measurement.

6. The torque-limiting safety circuit servo drive according to claim 2, wherein the current vector re-constructor and the second safety processor are combined in a single physical device.

7. The torque-limiting safety circuit servo drive according to claim 2, wherein the first safety processor and the drive circuit are combined in a field programmable gate array.

8. A torque-limiting safety circuit servo drive for an AC permanent magnet motor comprising: a three-phase inverter bridge; a first current sensor detecting current in a first motor phase; a second current sensor detecting current in a second motor phase; a third current sensor detecting current in a DC bus; a drive control circuit providing pulse-width-modulated gate drive signals to the three-phase inverter bridge, the drive control circuit having a first safety channel safe-torque-off input and a second safety channel safe-torque-off input, the drive control circuit adapted to emit a signal set representing a switching state of the three-phase inverter bridge to modify a pulse-width-modulated switching pattern; a first safety processor controlling the first safety channel safe-torque-off input of the drive control circuit; a second safety processor controlling the second safety channel safe-torque-off input of the drive control circuit; a first current vector calculator and error detector configured to detect a discrepancy based on a signal from the third current sensor and the signal set representing a switching state of the three-phase inverter bridge, said signals compared against the first and second current sensor signals and provide a fault signal to the first safety processor based on the discrepancy; and a second current vector calculator and error detector configured to detect a discrepancy based on a signal from the third current sensor and the signal set representing a switching state of the three-phase inverter bridge, said signals compared against the first and second current sensor signals and provide a fault signal to the second safety processor based on said discrepancy; wherein the drive control circuit is adapted to shut down the three-phase inverter bridge responsive to input from either of the first safety processor or the second safety processor.

9. The torque-limiting safety circuit servo drive according to claim 8, wherein the drive circuit and the safety processor are a single device.

10. The torque-limiting safety circuit servo drive according to claim 8, wherein the drive control circuit is configured to modify the switching pattern of the pulse-width modulation, thereby providing lengthy pulse-width modulation dwell time to conduct accurate measurement of phase current using the third current sensor.

11. The torque-limiting safety circuit servo drive according to claim 8, further comprising a rotor position sensor sub-system configured to supply a first rotor position measurement to the first safety processor and a second rotor position measurement to the second safety processor, wherein the first rotor position measurement is independent of the second rotor position measurement.

12. A torque-limiting safety circuit servo drive for an AC permanent magnet motor, comprising: a three-phase inverter bridge fed from a DC bus; a drive control circuit for providing pulse-width modulated gate drive signals to the three-phase inverter bridge, the drive control circuit having a first safety channel safe-torque-off input and a second safety channel safe-torque-off input; a first safety processor controlling the first safety channel safe-torque-off input of the drive control circuit based upon a first estimate of a motor current vector; a second safety processor controlling the second safety channel safe-torque-off input of the drive control circuit based upon a second estimate of the motor current vector; a first current sensor detecting current in a first motor phase; a second current sensor detecting current in a second motor phase; a third current sensor detecting current in a DC bus; a rotor position sensor sub-system configured to supply a first rotor position measurement to the first safety processor; and a second rotor position measurement to the second safety processor; wherein the drive control circuit is configured to emit a signal set representing a switching state of the three-phase inverter bridge; wherein the drive control circuit is configured to shut down the three-phase inverter bridge responsive to input from either of the first safety processor or the second safety processor, and wherein the first rotor position measurement is independent of the second rotor position measurement.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The features and advantages of the invention are apparent from the following description taken in conjunction with the accompanying drawings in which:

(2) FIG. 1 is a schematic illustration of an AC servo motor power stage and motor showing a current sensor placed in series with the emitter of each of the low side IGBTs in accordance with the prior art.

(3) FIG. 2 is a schematic illustration of an AC servo motor power stage and motor showing a first typical set of possible positions for sensing current; all three motor phases are explicitly sensed in accordance with the prior art.

(4) FIG. 3 is a schematic illustration of an AC servo motor power stage and motor showing a second typical set of possible positions for sensing current; two motor phases are explicitly sensed and there is a low-side DC link current sensor in accordance with the prior art.

(5) FIG. 4 is a schematic illustration of an AC servo motor power stage and motor showing a possible set of positions for sensing current with duplication to implement safely limited torque in accordance with the prior art.

(6) FIG. 5 shows a formula for calculating the current vector from two phase current measurements in accordance with the prior art.

(7) FIG. 6 is a table showing the relationship between the state of the inverter bridge and current flowing in the DC link in accordance with the prior art.

(8) FIG. 7 shows a formula for calculating the current vector from three phase current measurements in accordance with the prior art.

(9) FIG. 8 is a schematic illustration of a first and a third embodiment in accordance with the invention.

(10) FIG. 9 is a schematic illustration of a second and a fourth embodiment in accordance with the invention.

(11) FIG. 10 shows a map of preferred embodiments of the invention against features.

DETAILED DESCRIPTION OF THE INVENTION

(12) This invention makes a two-channel measurement of the current vector using the arrangement of current sensors in FIG. 3. The first safety channel will be termed safety channel A and the second safety channel will be termed safety channel B. The safety sub-system uses the phase current measurements from sensors 307 and 308 to form the current vector for safety channel A using the well-known Clarke transformation from LEONHARD equation (10.4 a) in combination with the Kirchhoff's current law identity i_u + i_v + i_w ≡ 0 as shown in FIG. 5.

(13) The current vector for safety channel B is derived from the bus current sensor 306 but here the measurements of the phase currents are discontinuous and are multiplexed through sensor 306 by the inverter bridge 301. This uses the technique of BOYS. For example, when IGBTs 321, 332 and 333 are all ON and the remaining IGBTs 322, 323 and 331 are all OFF then the current in sensor 306 is the U phase current with positive polarity. The eight possible states of inverter bridge 301 are shown in FIG. 6 and it will be seen that states 000₂ and 111₂, namely all low side IGBTs are ON and all high-side IGBTs are ON respectively, apply no net voltage between the motor phases; these two states are therefore termed zero states and the remaining six states are termed active states.

(14) The most common scheme of pulse width modulation in servo drives is for the switching frequency to be fixed and for one phase to switch at a time, therefore the inverter bridge 301 will dwell twice at each of the states shown in FIG. 6 during a PWM cycle. The states are represented as binary numbers. For example, inverter bridge 301 will start at zero state 000₂ and then switch to either 001₂ or 010₂ or 100₂ and then to 011₂ or 110₂ or 101₂ and then to zero state 111₂; in the second half of the cycle inverter bridge 301 switches to 011₂ or 110₂ or 101₂ and then 001₂ or 010₂ or 100₂ before returning to the initial zero state 000₂. Regardless of the exact sequence of states it will be seen that the inverter bridge 301 will dwell at each of the eight states during a PWM cycle and therefore that a measurement of each of the three phase currents is available twice per switching cycle.

(15) In the first preferred embodiment of this invention, the safety sub-system creates the current vector measurement for safety channel B using the phase current measurements according to the table of FIG. 6 using the formula of FIG. 7 as derived from LEONHARD page 151.

(16) The current vector measurement for safety channel B according to FIG. 7 requires sampling and storing in a respective memory or logic register to be performed for each phase current measurement as they become available through the states of FIG. 6 so that the second measurement of the current vector can be re-constructed from these sequential measurements of the phase currents.

(17) The elements of the safety sub-system that are required to implement SLT according to the first embodiment are depicted in FIG. 8. 806-X corresponds to the input section of the current sensor 806 and 806-Y corresponds to the output section of the same sensor. The same input-output nomenclature is applied to current sensors 807 and 808.

(18) The current vector re-constructor circuit 849 is supplied with two input signals; the bus current signal from sensor 806 and a set of signals 846 that represent the state of the inverter bridge 801. The set of signals 851 that controls the IGBT bridge 801 can also serve as set of signals 846 that represent the state of the inverter bridge 801. The current vector re-constructor circuit 849 uses the formula of FIG. 7 and the relationships of FIG. 6 to create a pair of signals 850 that represents the current vector measurement for safety channel B and a signal 858 that indicates that the re-constructed current vector is valid. The current vector re-constructor circuit 849 uses sampling and storing, i.e. sample and hold action but implemented using digital circuitry, for each phase current measurement as they become available through the states of FIG. 6.

(19) Element 844 implements the drive control circuit, this includes commutation, current loop closure, PWM generation and a switching power supply for the control circuit however FIG. 8 does not further illustrate these elements in order to present a clear view of the distinctive aspects of the invention.

(20) There is a safety processor 842 and 843 for each of the two safety channels A and B. This fulfils the architectural requirements of ‘Basic subsystem architecture D’ in IEC 62061 or ‘Category 3 or 4’ in ISO 13849; the torque is evaluated independently on each safety channel and compared against limit values to implement SLT. The calculation of the motor torque requires each safety processor 842, 843 to rotate the current vector measurement into the frame of reference of the rotor as per LEONHARD equation (14.4) and for this reason each safety processor 842, 843 is also supplied with an independent measurement 840 and 841 of the rotor position. Signals 840 and 841 are equivalently provided either from two, independent position sensors or alternatively from a safe position sensor having two independent outputs; in both cases the position sensor is aligned with the rotor flux vector during manufacture. There is also cross-checking between the safety processors 842 and 843 using intercommunication signal set 848.

(21) The cross-checking compares the position measurements 840 and 841 for the two channels and also compares the computed torque values for the two channels; a discrepancy beyond a prescribed limit is considered to be a fault and the STO signals 845 and 847 will be de-energized thereby shutting down the drive 844.

(22) The cross-checking also compares the computed torque values for the two channels and again a discrepancy beyond a prescribed limit is considered to be a fault and the STO signals 845 and 847 will be de-energized thereby shutting down the drive 844.

(23) The channel A safety processor 842 receives data from the current sensors 807 and 808 and the channel A rotor position measurement 840. It can optionally, in order to achieve greater diagnostic coverage, also receive data from the B channel's re-constructed current vector 850 and valid signal 858. The channel A safety processor 842 has an output 845, labelled STO_A, that can shut-down the PWM via the drive control circuit 844.

(24) The channel B safety processor 843 receives the channel B re-constructed current vector and the channel B rotor position measurement 841. It can optionally, for greater diagnostic coverage, also receive data from the channel A current sensors 807 and 808. The channel B safety processor 843 has an output 847, labelled STO_B, that can shut-down the PWM via the drive control circuit 844.

(25) One practical realization of the current vector re-constructor circuit 849 would be as a microcontroller; an example of a suitable microcontroller is the STM32F031K6T7, which has 16 kB of flash memory, 4 kB of SRAM, a built-in 48 MHz clock generator, serial ports and a 12-bit ADC: such a device can implement the re-constructor 849 as a single chip for only $1. An FPGA realization of the current vector re-constructor circuit 849 is alternatively possible and might be preferred—especially where it can be combined with an FPGA implementation of the drive control circuit 844.

(26) Safety standards such as IEC 62061 require that the two safety channels and drive control circuit 844 are separated by protective barriers so that the failure of one of these three sub-circuits will not compromise functional safety, that is at least one of the safety channels will remain operational. For the sake of clarity, the protective barriers are not illustrated in FIG. 8 but the protective barriers will be present in the pathway of signals 845, 847, 848, 849 and also 850 and 858 where these signals reach the channel A safety processor 842. The protective barriers can be implemented as impedances, opto-isolators, digital isolators and even as a moat of unused gates within a logic device. Therefore the implementation of FIG. 8 can be varied to combine say the current re-constructor 849 with the channel B safety processor 843, and/or to combine the channel A safety processor 842 with the drive circuit in an FPGA.

(27) The current measurements derived from sensor 806-X using the relationships of FIG. 6 are not simultaneous, thus when a measurement of say the U phase current is made it will be stale by the time that the measurement of the V phase current is made. This combination of fresh and stale current measurements in the current vector re-constructor circuit 849 will distort the estimate 850 of the current vector used by safety channel B and consequently when the safety sub-system monitors the difference between the current vectors of the A and B channels it will be necessary to accommodate this distortion as an expected discrepancy, thereby limiting the smallest torque threshold that can be reliably detected. A reduction in the distortion can be obtained by using the two most recent phase current measurements to reconstruct the third current by making use of the identity i_u + i_v + i_w ≡ 0 but some distortion of safety channel B current vector remains.

(28) The requirement for a two-channel measurement in a 1oo2 safety system is fulfilled in the first preferred embodiment using a duplicate set of independent measurements. However it is possible, in a safety system that fails to an inoperative, safe state, to interpret the requirement for two channels not as two, duplicate sets of measurements but rather as a first set of measurements in combination with a second set of measurements that, although not usable in their own right, independently indicate the validity of the first measurements. This latter approach is used in the second preferred embodiment of this invention as shown in FIG. 9. The second preferred embodiment eliminates the problem of distortion in the reconstructed current vector 850 of FIG. 8. Rather than assemble a second current vector to compare with the first current vector, the second preferred embodiment instead compares the phase currents from the two sources whenever the data from sensor 906-Y is fresh and therefore accurate.

(29) The measurement from the U phase current sensor at 907-Y can be compared with the measurement from bus current sensor at 906-Y in states 100₂ and 011₂. In the latter state the sensed current from 906-Y must be inverted.

(30) The measurement from the V phase current sensor at 908-Y can be compared with the measurement from bus current sensor at 906-Y in states 010₂ and 101₂. In the latter state the sensed current from 906-Y must be inverted.

(31) The measurements from the U phase current sensor at 907-Y and from the V phase current sensor at 908-Y are added together (−i_w = i_u + i_v) before comparing with the measurement from bus current sensor at 906-Y in states 110₂ and 001₂. In the latter state the sensed current from 906-Y must be inverted.

(32) The above three actions eliminate the problem of the distortion of safety channel B current vector found in the first embodiment by dispensing with safety channel B current vector altogether.

(33) The implementation of SLT in FIG. 9 retains the same general structure and many of the elements of FIG. 8. The reference numerals of FIG. 9 are consistent with those of FIG. 8, thus for example the drive control circuit in 944 in FIG. 9 is the same as the control circuit in 844 in FIG. 8. The description of FIG. 9 will therefore concentrate only on those elements that are different from FIG. 8.

(34) Safety channel A is equipped with a current vector calculator 952 whose inputs are the inverter bridge state 946, a measurement of the DC link current 906-Y, a measurement of the U phase current 907-Y and a measurement of the V phase current 908-Y. The current vector calculator 952 uses input signals 907-Y and 908-Y to compute the stator current vector output 954. Shortly after each change of inverter bridge state 946, the current vector calculator 952 digitizes and measures the bus current signal from sensor 906-Y and the U and V phase currents from sensors 907-Y and 908-Y; the W phase current is also computed from i_w = −i_u − i_v. In the case of inverter bridge states 000₂ and 111₂—namely the zero states—no further action is taken but for all other states the instantaneous value of the bus current signal from sensor 906-Y is checked by the current vector calculator 952 against the corresponding instantaneous value of phase current according to FIG. 6. The current vector calculator 952 declares a fault at output 956 when the two estimates of phase currents diverge by more than a prescribed limit.
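The bus-current multiplexing used by both approaches, as an added example in C that is not code from the patent: one state-to-phase mapping drives the sample-and-hold re-constructor of paragraphs (16) to (18) and (27) and the per-state comparison of paragraphs (29) to (34). The function names, the `max_age_us` freshness window, the ampere limit and the amplitude-invariant Clarke scaling are assumptions, since FIG. 6 and FIG. 7 are not reproduced on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_DWELL_US 5u          /* practical minimum dwell time from the text */
enum { PH_U = 0, PH_V = 1, PH_W = 2 };

static float absf(float x) { return x < 0.0f ? -x : x; }

/* Which phase the DC-link sensor carries in a bridge state, and with what sign.
 * State bits are U,V,W from MSB to LSB (0x4 = 100 = U high, V and W low).
 * Returns false for the zero states 000 and 111. */
static bool bus_mapping(uint8_t state, int *phase, float *sign)
{
    switch (state & 0x7u) {
    case 0x4: *phase = PH_U; *sign =  1.0f; return true;   /* 100 */
    case 0x3: *phase = PH_U; *sign = -1.0f; return true;   /* 011 */
    case 0x2: *phase = PH_V; *sign =  1.0f; return true;   /* 010 */
    case 0x5: *phase = PH_V; *sign = -1.0f; return true;   /* 101 */
    case 0x1: *phase = PH_W; *sign =  1.0f; return true;   /* 001 */
    case 0x6: *phase = PH_W; *sign = -1.0f; return true;   /* 110 */
    default:  return false;
    }
}

/* Second and fourth embodiments: compare one fresh bus sample with the phase
 * sensors. Returns true (fault) when they differ by more than limit_a amperes.
 * Zero states and dwells that are too short give no comparison; raising an
 * error when no comparison has succeeded for too long is left to the caller. */
bool bus_disagrees(uint8_t state, uint32_t dwell_us, float i_bus,
                   float i_u, float i_v, float limit_a)
{
    int phase; float sign;
    if (dwell_us < MIN_DWELL_US || !bus_mapping(state, &phase, &sign))
        return false;
    float i_ph[3] = { i_u, i_v, -i_u - i_v };   /* i_w from i_u + i_v + i_w = 0 */
    return absf(sign * i_bus - i_ph[phase]) > limit_a;
}

/* First and third embodiments: digital sample-and-hold of each phase current. */
typedef struct { float i[3]; uint32_t t_us[3]; bool seen[3]; } recon_t;

void recon_sample(recon_t *r, uint8_t state, uint32_t dwell_us,
                  uint32_t now_us, float i_bus)
{
    int phase; float sign;
    if (dwell_us < MIN_DWELL_US || !bus_mapping(state, &phase, &sign))
        return;
    r->i[phase] = sign * i_bus;
    r->t_us[phase] = now_us;
    r->seen[phase] = true;
}

/* Build (alpha, beta) from the two most recent samples; the stalest phase is
 * replaced via the identity. The return value plays the role of the "valid"
 * signal: false if either sample used is missing or older than max_age_us. */
bool recon_vector(const recon_t *r, uint32_t now_us, uint32_t max_age_us,
                  float *alpha, float *beta)
{
    int oldest = 0;
    for (int k = 0; k < 3; k++) {
        if (!r->seen[k]) { oldest = k; break; }
        if (now_us - r->t_us[k] > now_us - r->t_us[oldest]) oldest = k;
    }
    float i[3] = { 0.0f, 0.0f, 0.0f };
    for (int k = 0; k < 3; k++) {
        if (k == oldest) continue;
        if (!r->seen[k] || now_us - r->t_us[k] > max_age_us) return false;
        i[k] = r->i[k];
    }
    i[oldest] = -(i[(oldest + 1) % 3] + i[(oldest + 2) % 3]);
    *alpha = i[PH_U];                             /* holds because the sum is zero */
    *beta  = (i[PH_V] - i[PH_W]) * 0.57735027f;   /* 1/sqrt(3), assumed scaling */
    return true;
}

int main(void)
{
    recon_t r = { {0}, {0}, {false} };
    float a, b;
    /* Constructed samples: (state, dwell us, time us, bus amperes). */
    recon_sample(&r, 0x4, 10, 10, 2.0f);
    recon_sample(&r, 0x2, 10, 20, -0.5f);
    recon_sample(&r, 0x6, 10, 30, 1.4f);
    if (recon_vector(&r, 40, 100, &a, &b))
        printf("alpha=%.3f beta=%.3f\n", a, b);
    printf("stuck U sensor flagged: %d\n",
           bus_disagrees(0x4, 10, 2.0f, 0.0f, -0.5f, 0.5f));
    return 0;
}
```

In the constructed run the three bus samples do not sum to zero because the U sample is stale, so the re-constructor discards it and derives i_u from the two newer samples.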

(35) Safety channel B is likewise equipped with a current vector calculator 953 whose inputs, outputs and operation are the same as the channel A current vector calculator 952.

(36) Each safety processor 942 and 943 computes the motor torque from the phase current measurements 954 and 955 in combination with the respective position measurement 940 and 941 for the respective safety channel. Note that this calculation can take place at any time, it will be valid regardless of switching state of the inverter bridge 901.

(37) Each safety processor 942 and 943 is also notified of errors in the current measurement via signals 956 and 957. If either safety processor 942 and 943 detects a discrepancy from the other processor or that the torque has exceeded the prescribed threshold of the SLT safety function, or that there has been an error in the current measurement, then either safety processor 942 and 943 can shut-down the output drive control circuit 944 using their respective STO control signals 945 and 947.

(38) Both the first and second embodiments combine a two-channel measurement of rotor position with a two-channel measurement of the current vector to obtain a two-channel measurement of torque. The torque measurement can be a positive torque or a negative torque and this has the advantage that the computed torque can be compared against independent positive and negative limit values in order to implement SLT. This is of practical value; consider a machine where a gravity loaded axis is monitored using SLT to avoid crushing an operator's limb, in this machine the downward direction torque threshold would be low whereas the upward torque threshold must be higher to allow the machine to retract in the vertical direction.

(39) However there is also a class of applications where the polarity of the torque is unimportant, an example would be the turntable axis of a robot; here a crushing hazard can be protected against using symmetrical torque thresholds because there is no need to retract against a gravitational load. If the polarity of the applied torque is unimportant then the first and second preferred embodiments can be simplified and this leads to the third and fourth preferred embodiments.

(40) The third preferred embodiment is the same as the first preferred embodiment as illustrated in FIG. 8 but with the removal of safety channel A rotor position measurement 840 and safety channel B rotor position measurement 841; it is so similar to FIG. 8 that no further diagram is given. Each safety processor 842 and 843, rather than computing torque, instead computes the magnitude of the channel A current vector and the magnitude of the channel B current vector and compares the two magnitudes against the SLT limit values. The motor torque is proportional to the sine of the angle between the rotor flux vector and the current vector, the worst case is that the angle is ninety degrees and that the sine is unity thereby yielding the maximum torque. For all other angles the resultant torque will be a lesser value and therefore simply using the magnitude of the current vector will over-estimate the motor current; an over-estimate will trigger SLT at too low a torque value but note that this is a safe condition.
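The safety-processor decision of paragraphs (20), (21), (38) and (40), as an added example in C that is not code from the patent: signed torque against independent positive and negative limits, the unsigned magnitude bound used when no rotor position is available, and the 1oo2 cross-check. The torque constant `kt`, the limit values, the amplitude-invariant Clarke scaling and the rotor angle being supplied as a (cos, sin) pair are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

typedef struct { float alpha, beta; } vec2_t;

typedef struct {
    float kt;         /* torque constant, N*m per ampere (assumed motor parameter) */
    float t_max_pos;  /* allowed torque in the positive direction, N*m */
    float t_max_neg;  /* allowed torque magnitude in the negative direction, N*m */
    float t_xcheck;   /* largest tolerated channel A/B torque discrepancy, N*m */
} slt_cfg_t;

static float absf(float x) { return x < 0.0f ? -x : x; }

/* Channel A current vector from two phase sensors, with i_w = -i_u - i_v. */
vec2_t clarke_uv(float i_u, float i_v)
{
    vec2_t s = { i_u, (i_u + 2.0f * i_v) * 0.57735027f };   /* 1/sqrt(3) */
    return s;
}

/* Signed torque: rotate into the rotor frame and keep the component in
 * quadrature with the rotor flux. cos_th/sin_th describe the rotor flux angle. */
float torque_signed(const slt_cfg_t *c, vec2_t i, float cos_th, float sin_th)
{
    return c->kt * (i.beta * cos_th - i.alpha * sin_th);
}

/* First and second embodiments: independent limits for each direction. */
bool slt_trip_signed(const slt_cfg_t *c, float torque)
{
    return torque > c->t_max_pos || torque < -c->t_max_neg;
}

/* Third and fourth embodiments: no rotor position, so assume the worst case of
 * ninety degrees. Squared values are compared to avoid a square root. */
bool slt_trip_unsigned(const slt_cfg_t *c, vec2_t i, float t_max)
{
    float bound_sq = c->kt * c->kt * (i.alpha * i.alpha + i.beta * i.beta);
    return bound_sq > t_max * t_max;
}

/* 1oo2: each channel de-energizes its own STO output on a limit violation or
 * on disagreement with the other channel; either one stops the drive.
 * Returns true while the drive may keep running. */
bool slt_1oo2_enable(const slt_cfg_t *c, float torque_a, float torque_b)
{
    bool mismatch = absf(torque_a - torque_b) > c->t_xcheck;
    bool sto_a = slt_trip_signed(c, torque_a) || mismatch;
    bool sto_b = slt_trip_signed(c, torque_b) || mismatch;
    return !(sto_a || sto_b);
}

int main(void)
{
    /* Constructed gravity-axis settings: generous upward (positive) limit,
     * tight downward (negative) limit. */
    slt_cfg_t cfg = { 1.0f, 5.0f, 1.0f, 0.3f };
    vec2_t i = clarke_uv(2.0f, -1.0f);
    float up   = torque_signed(&cfg, i, 0.0f, -1.0f);
    float down = torque_signed(&cfg, i, 0.0f,  1.0f);
    printf("up %.1f trip=%d, down %.1f trip=%d\n",
           up, slt_trip_signed(&cfg, up), down, slt_trip_signed(&cfg, down));
    printf("unsigned check at 1 N*m trips: %d\n", slt_trip_unsigned(&cfg, i, 1.0f));
    return 0;
}
```

With the current vector aligned to the rotor flux the signed torque is zero, yet the unsigned check still trips at the 1 N·m limit, which is the safe over-estimate paragraph (40) describes.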

(41) It is advantageous to create a product that implements both the first and third preferred embodiments in a unified design; this would allow the user the option of connecting to a safety rated encoder if he requires signed limitation of the torque according to the first embodiment or alternatively of connection to a standard encoder if unsigned limitation of the torque according to the third embodiment is sufficient. The hardware of FIG. 8 can implement either the first or the third preferred embodiments, it requires configuration to select the appropriate algorithm.

(42) Similarly, the fourth preferred embodiment is the same as the second preferred embodiment as illustrated in FIG. 9 but with the removal of safety channel A rotor position measurement 940 and safety channel B rotor position measurement 941; it is so similar to FIG. 9 that no further diagram is given. Each safety processor 942 and 943, rather than computing torque, instead computes the magnitude of the channel A current vector and the magnitude of the channel B current vector and compares the two magnitudes against the SLT limit values.

(43) It is advantageous to create a product that implements both the second and fourth preferred embodiments in a unified design; this would allow the user the option of connecting to a safety rated encoder if he requires signed limitation of the torque according to the first embodiment or alternatively of connection to a standard encoder if unsigned limitation of the torque according to the third embodiment is sufficient. The hardware of FIG. 9 can implement either the second or the fourth preferred embodiments, it requires configuration to select the appropriate algorithm.

(44) To summarize, all four preferred embodiments use the measurement of the bus current in the various inverter bridge states either to create a measurement of the current vector for the channel B or else to confirm that the measurement of the current vector from two sensors in series with the motor phases are correct. There are numerous possible variations on the hardware implementation and it would indeed be possible to implement all four embodiments in a single design; this would allow SLT to be implemented with or without safe position feedback. All four preferred embodiments use a set of current sensors that is already present in many servo drive designs. A map of preferred embodiment against feature is provided in FIG. 10.

(45) All four preferred embodiments require deducing the phase current from the bus current and the inverter bridge state. There are two abnormal conditions wherein a timely measurement of each phase current will not be available at a rate of twice per PWM switching cycle from the bus current sensor 306 or 806 or 906.

(46) The first abnormal condition is when the servo drive is on but is applying no net voltage, the inverter bridge 301 will cycle between the zero states 000₂ and 111₂ wherein it can be seen from FIG. 6 that no current measurements are available from sensor 306. A variant of this first abnormal condition is when the net output voltage is so low that, although the inverter sequences through all states, the dwell time in the states other than 000₂ and 111₂ is too short to allow a useful measurement of the respective phase current.

(47) The dwell time must be long enough to allow transient effects, such as the impulse current flowing into stray capacitances and diode recovery currents, to decay. Therefore a practical minimum dwell time is on the order of 5 μs and in the first abnormal condition this may not be fulfilled. To overcome this problem, the drive circuit 844 or 944 is algorithmically altered to artificially prolong the dwell times that are present or to insert current measuring states of adequate dwell times that would otherwise be absent when the required dwell times have not occurred naturally through closed-loop control. The term ‘prolongation’ will cover both cases. This prolongation can be performed entirely in logic gates or by using software. These artificial dwell times will cause little disturbance to the torque loop and their impact can optionally be reduced by adding them as complementary state pairs one shortly after the other; for example inverter state 100₂ followed shortly afterwards by inverter state 011₂ will balance the net applied voltage of the disturbance and therefore lessen the resulting torque perturbation. In the case of the second and fourth embodiments the rate of the comparison between the two sources of current measurement, i.e. the rate of diagnosis, is not required to be very frequent, let us say every 120 ms, and therefore the artificial dwell times are only required at intervals of 40 ms, one phase at a time, to confirm the correct operation of both phase current sensors 807/907 and 808/908.

(48) The second abnormal condition occurs at high rotary speeds when the servo drive has insufficient bus voltage to fully control the phase currents; under these circumstances the PWM saturates and the drive is in what is called quasi-squarewave operation, the inverter bridge 301 will progress through a sequence such as 101₂ → 100₂ → 110₂ → 010₂ → 011₂ → 001₂ and then repeat but at the fundamental frequency of the current rather than at the PWM switching frequency, e.g. 100 Hz rather than 16 kHz. In this second abnormal condition a measurement of current is available for all three currents but at a rate much less than twice the PWM switching frequency. However this rate of 100 Hz is frequent enough to check the two current measurements in the case of the second and fourth embodiments, whereas the first and third embodiments will require artificial dwell times to be inserted. In summary all four embodiments can operate despite this second abnormal condition.

(49) In the first and third preferred embodiments the drive circuit 844 is responsible for ensuring that the dwell times of the IGBT inverter state 846 are long enough to allow valid current measurements to be made. The current vector re-constructor circuit 849 will indicate 858 when the re-constructed current vector 850 is invalid as a result of insufficiently long dwell times 846 and thereby cause safety processor 842 and optionally safety processor 843 to put the drive in STO using signals STO_B 847 and optionally STO_A 845. This division of responsibilities allows the drive control circuit 844 to be wholly non-safe, that is designed and maintained without the constraints of safe processes, whereas the current re-constructor circuit 949 is part of the safety system.

(50) Similarly, in the second and fourth preferred embodiments the drive circuit 944 is responsible for ensuring that the dwell times of the IGBT inverter state 946 are long enough to allow valid current measurements to be made. The current vector calculator and fault detector circuits 952 and 953 will respectively indicate 956 and 957 when either re-constructed current vector 954 or 955 is invalid as a result of insufficiently long dwell times 946 and thereby cause either or both safety processors 942 and 943 to put the drive in STO using signals STO_A 945 and/or STO_B 947. This division of responsibilities allows the drive control circuit 944 to be wholly non-safe, that is designed and maintained without the constraints of safe processes, whereas the current vector calculator circuits 952 and 953 are part of the safety system.

(51) The two safety processors 842/942 and 843/943 are typically implemented as micro-controllers. However the term ‘safety processor’ is technologically neutral and could alternatively be implemented using FPGA gates or as FPGA soft processors. The two safety processors 842/942 and 843/943 could be combined into a dual lock-step safety processor or into a triple mode redundant safety processor without changing the essential concept of the invention. The current re-constructor 849 and B channel safety processor 843 could be combined into a single device. Similarly the drive control circuit 844 could be combined into a single device with either safety processor for safety channel A 842 or the safety processor for safety channel B 843. Implementations of FIG. 8 using one or more FPGAs are also possible.

(52) This specification has avoided excessive generalizations in order to aid understanding but this should not be interpreted restrictively. There are many minor variations that do not change the essentials of the invention, including but not limited to sensing the high side bus current rather than the low side bus current 106, sensing the V 108 and W 108 phase currents rather than the U 107 and V 108 phase currents. The exact partitioning of functionality between the channel B current vector calculator 952/849 and the channel B safety processor 843/943 can be varied to suit the availability of components and the location of isolation barriers. Similar remarks apply to A channel elements; moreover, there is no normative requirement for the two safety channels A and B to be symmetrical. Signal paths 954, 955, 956, 957 can be transmitted via black channels and with or without isolation. Further redundant measurements of the current vector are possible using an additional bus current sensor and/or phase current sensors. It will be understood by those of ordinary skill in the art that various changes may be made and equivalents may be substituted for elements without departing from the scope of the invention. In addition, many modifications may be made to adapt a particular feature of material to the teachings of the invention without departing from the scope thereof. Therefore, it is intended that the invention not be limited to the particular embodiments disclosed, but that the invention will include all embodiments falling within the scope of the claims.

LIST OF REFERENCE NUMERALS

(53) The last two digits of the reference numerals are consistent between the figures and therefore a condensed list is shown.

101, 201, 301, 401, 801, 901: Three-phase Inverter bridge.
102, 202, 302, 402, 802, 902: Main power rail, positive.
103, 203, 303, 403, 803, 903: Main power rail, negative.
104, 204, 304, 404, 804, 904: Permanent magnet AC servomotor.
160: Current sensor in series with source of the low-side IGBT of the U phase.
161: Current sensor in series with source of the low-side IGBT of the V phase.
162: Current sensor in series with source of the low-side IGBT of the W phase.
306, 406, 806, 906: Low-side DC link current sensor, between negative power rail and the Inverter bridge. In FIG. 8 and FIG. 9 the −X portion shows input section and the −Y section shows output section.
207, 307, 407, 807, 907: Current sensor in series with the U phase of the motor. In FIG. 8 and FIG. 9 the −X portion shows input section and the −Y section shows output section.
208, 308, 408, 808, 908: Current sensor in series with the V phase of the motor. In FIG. 8 and FIG. 9 the −X portion shows input section and the −Y section shows output section.
209: Current sensor in series with the W phase of the motor.
121, 221, 321, 421, 821, 921: High-side IGBT and diode, U phase.
122, 222, 322, 422, 822, 922: High-side IGBT and diode, V phase.
123, 223, 323, 423, 823, 923: High-side IGBT and diode, W phase.
131, 231, 331, 431, 831, 931: Low-side IGBT and diode, U phase.
132, 232, 332, 432, 832, 932: Low-side IGBT and diode, V phase.
133, 233, 333, 433, 833, 933: Low-side IGBT and diode, W phase.
410: Duplicate current sensor in series with the V phase of the motor for second channel of torque measurement.
411: Current sensor in series with the W phase of the motor for second channel of torque measurement.
840, 940: Rotor position signal for safety channel A.
841, 941: Rotor position signal for safety channel B.
842, 942: Safety processor for safety channel A.
843, 943: Safety processor for safety channel B.
844, 944: Servo drive control circuit: servo drive functions not related to safety, closes torque and optionally velocity and position loops, commutates motors and other functions.
845, 945: Safe torque-off signal from safety channel A safety processor. De-energization causes the drive circuit to disable the inverter bridge.
846, 946: Signal set from the drive control circuit that represents the state of the inverter bridge.
847, 947: Safe torque-off signal from safety channel B safety processor. De-energization causes the drive circuit to disable the inverter bridge.
848, 948: Signal set for communication between the A and B channel safety processors.
849: Sub-circuit that reconstructs the motor current vector from the DC link current.
850: Signal set of the re-constructed current vector.
851, 951: Set of signals to control the Inverter bridge.
858: Signal indicating that the re-constructed current vector is valid.
952: Safety channel A current vector calculator and measurement fault detector circuit.
953: Safety channel B current vector calculator and measurement fault detector circuit.
954: Safety channel A current vector signal set.
955: Safety channel B current vector signal set.
956: Safety channel A current measurement fault signal.
957: Safety channel B current measurement fault signal.