STO for elevator drives

Removing the motor power contactors using the KEB F5 STO

Download this document in PDF format

Introduction

Purpose of this guide

The goal of this document is to help KEB customers and users understand how a KEB F5 drive with STO hardware can replace the motor contactor(s) traditionally required by the ASME A17.1 and EN81-1 standards.

 

Scope of this guide

The scope of this document relates to the KEB F5 series of drive only. The 3rd party safety review was based on the implementation of the KEB F5 STO product only. Other series of KEB drives or those manufactured by other vendors would require a separate analysis in order to guarantee compliance. The independent 3rd party safety review was based on the most current code revisions available at the time of analysis, ASME A17.1 2010 and EN81-1:1998+A3:2009. The implementation of the KEB STO may satisfy previous versions of the code but it is the responsibility of the controller manufacture to investigate.

 

Validity and liability

The control scheme suggestions contained within this document are by no means the only valid solution. They are provided as one possible method of meeting current regulations and standards while using well known controller schemes. The ultimate system liability falls on the machine or controller manufacturer. Safety-critical elements must be handled only by authorized and trained employees. This includes system safety analysis, implementation and testing.

 

Background

The product family COMBIVERT F5 with safety function Safe Torque Off (STO) has been developed for the use in safety-oriented applications. With the recent changes in both the ASME A17 and EN81-1 lift standards, it is now possible to utilize STO rated drives and eliminate large, previously mandatory, motor power contactors. When correctly applied, the F5 with STO meets ASME A17.1-2010 and EN81-1:1998+A3:2009 standards. This document has been reviewed and certified to meet these standards by an independent certification organization.

Induction motors (asynchronous) require a three phase rotating field generated by the inverter before any shaft-rotating torque is possible. Field generation can only occur if the inverter’s insulated-gate-bipolar-transistors (IGBTs) are controlled in a pulse-width-modulated (PWM) switching pattern. The STO circuitry prevents PWM generation when the inverter is disabled. If one or more IGBT fails, a DC field is applied to the motor; no rotational field is generated and the motor shaft will not rotate.

Permanent magnet motors (synchronous) also require a three phase rotating field generated by the inverter. If one or more IGBT fails, a DC field is applied to the motor; however, due to the permanent magnets, the rotor will align to the DC field. The motor shaft rotation is up to one half of a pole-pair rotation. Example: a four pole motor has two pole-pairs, meaning the motor shaft may rotate up to ¼ of a revolution. Another example: a twelve pole motor has six pole-pairs and therefore, could rotate up to 1/12 of a revolution. Once the rotor has aligned to the field, no further rotation can occur. Whether or not the motor actually aligns to the field is dependent on several factors such as the physical brake state, overall brake sizing, and counter balancing.

 

Safe Torque Off Methodology

The COMBIVERT with integrated safety function meets the following function according to IEC 61800-5-2: “Safe torque off” (Safe Torque Off – STO)

The safety-related disconnection according to STO, is created by a two-channel opto-coupler barrier. The supply of the opto-couplers, which are responsible for the commutation of the connected motor, occurs via transformation coupling of the input voltage. This ensures that during input voltage loss, no supply of the opto-couplers is possible. If the opto-couplers are no longer supplied, no IGBT can be controlled and thus, no rotational energy can be supplied to the motor. The two channels are designed such that input STO1 prevents the voltage supply (VTRO) of the upper opto-couplers of the inverter bridge and input STO2 prevents the voltage supply (VTRU) of the lower opto-couplers of the inverter bridge. Therefore, loss of either STO1 or STO2 will cause the loss of rotational energy. Additionally, a traditional drive enable (ST) input controls the application specific integrated circuit (ASIC) enable channel.

 

Figure 1 – STO functionality

 

Installation Requirements

Safety-related products can and must only be installed by authorized and trained personnel. Incorrect wiring could defeat certain functionality. Check the safety functions and error responses and generate an acceptance report after installation. Periodic functionality testing should also be performed and documented. Refer to the KEB F5 STO documentation (part number 00F5NESK000) for additional information.

Safety Proving / Functionality Testing

After installation, several functional safety tests must be performed. Each test should be performed with the car running in inspection. Refer to Figure 2 for terminal strip locations.

Test 1

While the car is running in inspection, remove the STO1+ signal from the F5 X2B terminal strip. This should cause the drive to cut rotational energy to the motor and drop both DRIVE READY and RELEASE BRAKE signals. The brake should engage and the lift control should report an error.

Test 2

While the car is running in inspection, remove the STO2- signal from the F5 X2B terminal strip. This should cause the drive to cut rotational energy to the motor and drop both DRIVE READY and RELEASE BRAKE signals. The brake should engage and the lift control should report an error.

Test 3 (For ASME Installations)

While the car is running in inspection, remove the ST signal from the F5 X2A terminal strip. This should cause the drive to cut rotational energy to the motor and drop both DRIVE READY and RELEASE BRAKE signals. The brake should engage and the lift control should report an error.

 

Figure 2 – F5K STO terminal strip locations

 

ASME A17.1-2010

Example Control Scheme to Meet ASME A17.1-2010

Figure 3 demonstrates a possible control scheme that meets ASME A17.1-2010 standards. It addresses sections: 2.26.8.2, 2.26.9.6.1, 2.26.9.6.2 and 2.26.9.6.4, which cover a static inverter and AC motors driven through a DC power source.

 

Figure 3 – Example control scheme to meet ASME A17.1-2010

 

Enable Circuit

Section 2.26.9.6.1 requires two separate methods to inhibit flow of alternating current to the AC motor. Under section 2.26.9.6.1.b, the SIL3 rated KEB inverter can be used instead of a motor contactor.

Relay STO1 completes the source path of the +24 VDC, supplying the upper DC opto-coupler (VTRO), which supplies the gate drive power for the upper IGBTs. Relay STO2 completes the return path of the +24 VDC, supplying the lower DC opto-coupler (VTRU), which supplies the gate drive power for the lower IGBTs. Loss of either STO1 or STO2 renders the inverter’s output non-sinusoidal and the AC motor without rotational shaft torque.

The second means of removing the alternating current is through the inverter’s ST terminal, which controls the application specific integrated circuit (ASIC) enable. This input is typically tied to a DRIVE_RUN command (24 VDC) by the elevator control. It is not to be connected directly to the elevator control’s safety chain directly.

The inverter output DRIVE READY is true only when STO1, STO2 and ST are all true and can be used in controller schemes that wait for drive ready before giving a speed command.

Brake Circuit

Section 2.26.9.6.2 requires that relays STO1 and STO2, which are used to meet section 2.26.9.6.1.b, also cause power to be removed from the brake circuit. Normally open (NO) contacts from both STO1 and STO2 are wired in series with the BRK_PICK signal. Section 2.26.8.2 requires two independent methods of removing power to the brake circuit; one device being a contactor or SIL 3 rated. BRK_PICK, therefore, must be a contactor. On loss of STO1, STO2 or BRK_PICK, the brake supply voltage will be removed and the spring actuated brake will engage.

Contactor Proving

Section 2.26.9.6.4 requires that all contactors used to control the brake must be verified released before another floor call can begin. Normally closed (NC) contacts from STO1, STO2 and BRK_PICK must be verified by the lift control before another sequence can begin. Section 2.26.3 requires these monitoring contacts be force-guided.

 

EN81-1:1998+A3:2009

Example Control Scheme to Meet EN81-1:1998+A3:2009

Figure 4 demonstrates a possible control scheme that meets EN81-1:1998+A3:2009 standards. It addresses sections: 12.4.2.3.1, 12.7.3, 14.1.1 and Annex H, which cover AC motors supplied by static elements. The scheme meets the intent of 12.7.3.a, which requires two independent contactors interrupting the current to the motor; the intent being to have two independent methods of removing rotational energy to the motor.

 

Figure 4 – Example control scheme to meet EN81-1:1998+A3:2009

 

Enable Circuit

Section 12.7.3.a requires two independent contactors to remove current from the motor. Under the intent of 12.7.3.a and examination under 14.1.1/Annex H, the SIL3 rated KEB inverter can be used instead of two motor contactors.

Relay STO1 completes the source path of the +24 VDC, supplying the upper DC opto-coupler (VTRO), which supplies the gate drive power for the upper IGBTs. Relay STO2 completes the return path of the +24 VDC, supplying the lower DC opto-coupler (VTRU), which supplies the gate drive power for the lower IGBTs. Loss of either STO1 or STO2 renders the inverter’s output non-sinusoidal and the AC motor without rotational shaft torque.

The inverter’s ST terminal, which controls the application specific integrated circuit (ASIC) enable, is also required by the inverter as part of the enable sequence. This input is typically tied to a DRIVE_RUN command (24 VDC) by the lift control. It is not to be connected directly to the lift control’s safety chain.

The inverter output DRIVE READY is true only when STO1, STO2 and ST are all true and can be used in controller schemes that wait for drive ready before giving a speed command.

Brake Circuit

Section 12.4.2.3.1 requires the interruption of the brake current by two independent devices. Normally open (NO) contacts from both STO1 and STO2 are wired in series with the BRK_RELEASE signal. On loss of STO1, STO2 or BRK_RELEASE, the brake supply voltage will be removed and the spring actuated brake will engage. For hydraulic brake systems, BRK_RELEASE is replaced by VALVE_RELEASE.

Contactor Proving

Section 12.4.2.3.1 requires that all contactors used to control the brake must be verified released before another floor call can begin. Normally closed (NC) contacts from STO1, STO2 and BRK_RELEASE must be verified by the lift control before another sequence can begin.

 

Declaration of Compliance – ASME A17.1-2010 / EN81-1:1998+A3:2009

Declaration of Conformity – STO Circuit

Contact
  • This field is for validation purposes and should be left unchanged.