Arrangement and method for a safe turn off

Abstract

A safety circuit coupled between a first direct current (DC) circuit and a second DC circuit, wherein the first DC circuit supplies power to the second DC circuit. The safety circuit comprises a first series connection between positive poles of the first and second DC circuits (the first series connection comprising a first diode, a second diode and a first controllable switch), a second series connection between negative poles of the first and second DC circuits (the second series connection comprising a third diode, a fourth diode and a second controllable switch), a first energy storage device (coupled between the positive pole of the second DC circuit and the first terminal of the second controllable switch), and a second energy storage device (coupled between the negative pole of the second DC circuit and the first terminal of the first controllable switch). The safety circuit further comprises a first feedback circuit for indicating an active state of the first controllable switch and a second feedback circuit for indicating an active state of the second controllable switch.

Claims

1. A safety circuit coupled between a first direct current (DC) circuit and a second DC circuit, wherein the first DC circuit supplies power to the second DC circuit, the safety circuit comprising: a first series connection between positive poles of the first and second DC circuits, the first series connection comprising a first diode with an anode coupled to the first DC circuit and a cathode coupled to a first terminal of a first controllable switch, and a second diode with an anode coupled to a second terminal of the first controllable switch and a cathode coupled to the second DC circuit, a second series connection between negative poles of the first and second DC circuits, the second series connection comprising a third diode with an anode coupled to the second DC circuit and a cathode coupled to a second terminal of a second controllable switch, and a fourth diode with an anode coupled to a first terminal of the second controllable switch and a cathode coupled to the first DC circuit, a first energy storage device, coupled between the positive pole of the second DC circuit and the first terminal of the second controllable switch, a second energy storage device, coupled between the negative pole of the second DC circuit and the first terminal of the first controllable switch, a first feedback circuit providing a first feedback signal for indicating an active state of the first controllable switch, and a second feedback circuit providing a second feedback signal for indicating an active state of the second controllable switch.

2. The safety circuit as claimed in claim 1, wherein the first energy storage device is dimensioned to maintain the voltage level of the second DC circuit above a predefined safety limit during opening of the first switch for a predefined test pulse period.

3. The safety circuit as claimed in claim 1, wherein the second energy storage device is dimensioned to maintain the voltage level of the second DC circuit above a predefined safety limit during opening of the second controllable switch for a predefined test pulse period.

4. The safety circuit according to claim 1, wherein said first and second energy storage devices are capacitors.

5. The safety circuit according to claim 1, wherein: the first feedback circuit is connected between the second terminal of the first switch and the first terminal of the second switch, and the second feedback circuit is connected between the first terminal of the first switch and the second terminal of the second switch.

6. The safety circuit according to claim 5, wherein: the first feedback circuit comprises a series connection of a first resistor and a sender of a first signal transmitter, and the second feedback circuit comprises a series connection of a second resistor and a sender of a second signal transmitter.

7. The safety circuit according to claim 6, wherein first and second optocouplers are used as the first and second signal transmitters respectively, wherein each optocoupler includes a photodiode working as a sender and is coupled such that the forward direction of the photodiode is towards the second switch.

8. A safe turn off arrangement, comprising a safety circuit according to claim 1, and a control device supervising the functional safety of a power electronics device, wherein the control device is arranged to control the operation of the controllable switches in the safety circuit, to receive the feedback signals from the safety circuit, to compare control signals of the controllable switches and the feedback signals and to use the comparison results as indicators of the functionality of safety-critical components.

9. A power electronics device comprising a safety circuit according to claim 1, wherein the second DC circuit supplies power to gate driver units, which gate driver units control the operation of controllable power electronic switches used to form an output voltage of the power electronics device.

10. A method of operating a safety circuit as claimed claim 1, the method comprising: operating in a normal mode in which both the first and second controllable switches are closed, opening one of the first and second controllable switches and, if the corresponding feedback signal remains in an active state, determining that the safety circuit is faulty.

11. The method as claimed in claim 10, further comprising: opening the other of the first and second controllable switches and, if the corresponding feedback signal remains in an active state, determining that the safety circuit is faulty.

12. The method as claimed in claim 10, wherein the relevant controllable switch is opened for a predefined period during which the voltage of the second DC circuit does not fall below a predefined minimum operation level.

13. The method as claimed in claim 10, further comprising opening both the first and second controllable switches in a safe turn off mode.

14. The safety circuit as claimed in claim 2, wherein the second energy storage device is dimensioned to maintain the voltage level of the second DC circuit above a predefined safety limit during opening of the second controllable switch for a predefined test pulse period.

15. The safety circuit according to claim 2, wherein said first and second energy storage devices are capacitors.

16. The safety circuit according to claim 3, wherein said first and second energy storage devices are capacitors.

17. The safety circuit according to claim 2, wherein: the first feedback circuit is connected between the second terminal of the first switch and the first terminal of the second switch, and the second feedback circuit is connected between the first terminal of the first switch and the second terminal of the second switch.

18. The safety circuit according to claim 3, wherein: the first feedback circuit is connected between the second terminal of the first switch and the first terminal of the second switch, and the second feedback circuit is connected between the first terminal of the first switch and the second terminal of the second switch.

19. The safety circuit according to claim 4, wherein: the first feedback circuit is connected between the second terminal of the first switch and the first terminal of the second switch, and the second feedback circuit is connected between the first terminal of the first switch and the second terminal of the second switch.

20. The safe turn off arrangement, comprising a safety circuit according to claim 2, and a control device supervising the functional safety of a power electronics device, wherein the control device is arranged to control the operation of the controllable switches in the safety circuit, to receive the feedback signals from the safety circuit, to compare control signals of the controllable switches and the feedback signals and to use the comparison results as indicators of the functionality of safety-critical components.

21. The power electronics device of claim 9, wherein the power electronics device is a frequency converter.

Description

BRIEF DESCRIPTION OF DRAWINGS

(1) Below the invention is explained more detailed by using examples with references to the enclosed figures, wherein

(2) FIG. 1 presents a main circuit of a frequency converter drive,

(3) FIG. 2 presents an auxiliary voltage arrangement,

(4) FIG. 3 presents a safety circuit,

(5) FIG. 4 illustrates operation of the safety circuit,

(6) FIG. 5 presents a flow chart showing an exemplary testing algorithm for the safety circuit, and

(7) FIG. 6 presents an auxiliary voltage arrangement including a safety circuit.

DETAILED DESCRIPTION

(8) FIG. 1 presents a simplified main circuit diagram of a variable speed motor drive as an example of a power electronic device wherein a functional safety circuitry according to the present invention is applicable. In the figure, a frequency converter FC is used to control the shaft rotating speed of an AC motor M. The frequency converter FC in this example comprises a rectifier REC, rectifying the three-phase supply voltage U.sub.L into a constant DC-link voltage filtered by a capacitor C.sub.DC, and a three-phase inverter unit INU, creating a three-phase adjustable output voltage U.sub.M for supplying the motor M. INU consists of controllable power semiconductor switches, normally IGBTs (not presented), and free-wheeling diodes (not presented). The frequency converter FC comprises also a control unit CU and an auxiliary voltage power supply POW, which converts an input voltage from the DC-link into several lower level output DC-voltages for e.g. the control unit CU and the gate driver unit of INU (not presented).

(9) In a STO situation the rotation of a motor shaft, induced by the output voltage of the frequency converter, should be prevented. This target can be met by ensuring that all controllable power semiconductor switches of INU stay in an off-state.

(10) FIG. 2 presents a simplified example of a control and auxiliary voltage supply system in a frequency converter. The first auxiliary power supply POW.sub.1 converts the DC-link voltage U.sub.DC into a first lower voltage U.sub.CU for the control unit CU and into a second lower voltage U.sub.GD for the gate driver unit GD. Inside the gate driver unit GD a second auxiliary voltage power supply POW.sub.2 converts the U.sub.GD voltage into isolated auxiliary voltages for each gate driver GD.sub.1, GD.sub.2, . . . which form the control signals of the inverter controllable power semiconductor switches (only V.sub.1 presented) according to the control signals V_.sub.G received from the control unit CU.

(11) FIG. 3 presents an example of a safety circuit SC according to the present invention. The circuit SC is located between a first auxiliary voltage power supply POW.sub.1, having an output DC voltage U.sub.GD1 with a positive pole U.sub.GD1+ and a negative pole U.sub.GD1−, and a second auxiliary power supply POW.sub.2, having input DC voltage U.sub.GD2 with a positive pole U.sub.GD2+ and a negative pole U.sub.GD2−. The safety circuit comprises the following: A series connection of a first diode D.sub.1, a first switch S.sub.1 and a second diode D.sub.2 between U.sub.GD1+ and U.sub.GD2+ such that the forward direction of both diodes are connected towards U.sub.GD2+, A series connection of a third diode D.sub.3, a second switch S.sub.2 and a fourth diode D.sub.4 between U.sub.GD1− and U.sub.GD2− such that the forward direction of both diodes are connected towards U.sub.GD1−, A first energy storage device, advantageously a capacitor C.sub.1, connected between U.sub.GD2+ and the anode terminal of D.sub.4, A second energy storage device, advantageously a capacitor C.sub.2, connected between the cathode terminal of D.sub.1 and U.sub.GD2−, A first feedback circuit comprising a series connection of a resistor R.sub.1 and a light emitting photodiode of an optocoupler H.sub.1, connected between the anode terminals of D.sub.2 and D.sub.4 such that the forward direction of the optocoupler light emitting diode is connected towards S.sub.2, and A second feedback circuit comprising a series connection of a resistor R.sub.2 and a light emitting photodiode of an optocoupler H.sub.2, connected between the cathode terminals of D.sub.1 and D.sub.3 such that the forward direction of the optocoupler light emitting diode is connected towards S.sub.2.

(12) FIG. 4 illustrates operation of the safety circuit presented in FIG. 3. The purpose of the curves is just to illustrate operating principles, they are not drawn to scale relative to each other. Signals S and H indicate the operation of switches S.sub.1, S.sub.2 and operating states of the feedback signals H.sub.1, H.sub.2, such that a high state means a close-state of a switch and an active state of the feedback signal.

(13) In normal operating situation, before time instant t.sub.1, both switches S1, S2 are in close-state which means that U.sub.GD1+ is connected to U.sub.GD2+ via diodes D.sub.1, D.sub.2, and U.sub.GD1− is connected to U.sub.GD2− via diodes D.sub.3, D.sub.4. Thus the input voltage U.sub.GD2 of POW.sub.2 is close to the output voltage U.sub.GD1 of POW.sub.1. Further, with both switches S1, S2 in the close-state, current flows through both the optocouplers H.sub.1, H.sub.2, thereby indicating the normal functionality of the safety circuit SC.

(14) At time instant t.sub.1 the switch S.sub.1 turns to open-state. Since current cannot flow to the optocoupler H1 from either the first auxiliary power supply POW1 (due to the open switch S1) or the second auxiliary power supply POW2 (due to the blocking diode D2), the feedback signal of H.sub.1, indicating the operating state of S.sub.1, turns into a non-active state. In S.sub.1 open state, U.sub.GD1+ is not any more connected to U.sub.GD2+, but due to the energy charged in C.sub.1 before t.sub.1 its voltage u.sub.C1 and also the voltage U.sub.GD2 decreases at a limited rate. S.sub.1 is turned back to close-state at time instant t.sub.2 before U.sub.GD2 has reached the minimum operating voltage limit U.sub.LIM of POW.sub.2. Thus POW.sub.2 can continue its normal operation also during time period t.sub.1-t.sub.2, and at the same time the feedback signal H.sub.1 indicates that the switch S.sub.1 is operative.

(15) A similar operating condition test described above with respect to S.sub.1 is made for S.sub.2 during the time period t.sub.3-t.sub.4. Similar to C.sub.1 above, during the test the energy of capacitor C.sub.2 prevents the voltage U.sub.GD2 from falling below the limit U.sub.LIM. As shown in FIG. 4, at time instant t.sub.3 the switch S.sub.2 turns to open-state. Since current cannot flow from the optocoupler H2 to either the first auxiliary power supply POW1 (due to the open switch S2) or the second auxiliary power supply POW2 (due to the blocking diode D3), the feedback signal of H.sub.2, indicating the operating state of S.sub.2, turns into a non-active state. In S.sub.2 open state U.sub.GD1+ is not any more connected to U.sub.GD2+, but due to the energy charged in C.sub.2 before t.sub.3, its voltage u.sub.C2 and also the voltage U.sub.GD2 decreases at a limited rate. S.sub.2 is turned back to close-state at time instant t.sub.4 before u.sub.GD2 has reached the minimum operating voltage limit U.sub.LIM of POW.sub.2. Thus POW.sub.2 can continue its normal operation also during time period t.sub.3-t.sub.4, and at the same time the feedback signal H.sub.2 indicates that the switch S.sub.1 is operative.

(16) At time instant t.sub.5 both switches S.sub.1, S.sub.2 are turned to open-state, as a consequence of a STO command. Now the open switches prevent direct connections between U.sub.GD1 and U.sub.GD2 via diodes D.sub.1-D.sub.4, and the open switches prevent also the full charged capacitors C.sub.1, C.sub.2 to supply energy to POW.sub.2. Thus the voltage u.sub.GD2 falls immediately to 0, which means that if POW.sub.2 is not any more capable to supply auxiliary voltages for the gate drivers in an arrangement like presented in FIG. 2. Missing auxiliary voltage prevents the gate drivers to generate turn-on pulses for the main circuit controllable power semiconductor switches, which is the target in a safe turn-off situation. Noteworthy is also that in case of a switch component failure, i.e. S.sub.1 or S.sub.2 stuck in close-state, the condition of a safe turn-off will be met, but with a delay due to the stored energy of C.sub.1 or C.sub.2.

(17) FIG. 5 is a flow chart showing an exemplary testing algorithm for the safety circuit. The flow chart starts in a normal operation mode of the safety circuit (in which the switches S.sub.1, S.sub.2 are closed and the optocouplers H.sub.1, H.sub.2 are in an active state. Next, the first switch S.sub.1 is opened and it is determined whether the optocoupler H.sub.1 changes to an inactive state. If so, the algorithm proceeds to the next step, otherwise the algorithm terminates with a fault being reported. At the next step, the first switch S.sub.1 is closed and the second switch S.sub.2 is opened and it is determined whether the optocoupler H.sub.2 changes state. If so, the algorithm terminates with an indicates that the circuit is working normally; if not, the algorithm terminates with a fault being reported.

(18) FIG. 6 presents an otherwise similar simplified example of a control and auxiliary voltage supply system in a frequency converter as presented in FIG. 2, but with an added safety circuit SC. In this example the first auxiliary voltage U.sub.GD1 is wired via a safety circuit SC, corresponding to the circuit of FIG. 3, in order to form the final auxiliary voltage U.sub.GD2 for the gate driver unit GD. The control unit CU forms the control signals S_.sub.C for the switches (S.sub.1, S.sub.2 in FIG. 3), receives the feedback signals S_.sub.F, indicating the operating states of the switches, and performs the logical operations needed to meet the functional safety requirements. The feedback signals S_.sub.F may include the output of optocoupler phototransistors.

(19) The phototransistor parts of the above-mentioned optocouplers H.sub.1 and H.sub.2 are shown only in highly schematic form in FIG. 6. Advantageously the phototransistors are connected to a safety logic (which may form part of the control unit CU and may be separate to the control unit CU) belonging to a safety arrangement according to the present invention, in which arrangement the functionality of the safety-critical components are monitored continuously by comparing the operating instructions of switches S.sub.1, S.sub.2, and corresponding feedback signals from optocouplers H.sub.1, H.sub.2. Note that above an optocoupler is used just as an example of an advantageous component, also other commercial signal transmitting devices with isolation between the sender (corresponding a photodiode above) and the receiver (corresponding a phototransistor above) exist.

(20) The specific examples provided in the description above are not exhaustive unless otherwise explicitly stated, nor should they be construed as limiting the scope and/or the applicability of the accompanied claims. The features recited in the accompanied dependent claims are mutually freely combinable unless otherwise explicitly stated. The verbs “to comprise” and “to include” are used in this document as open limitations that neither exclude nor require the existence of also un-recited features. Furthermore, it is to be understood that the use of “a” or “an”, i.e. a singular form, throughout this document does not exclude a plurality.