Functional Safety and STO in Elevator Drives

Figure 1: STO functionality

Latest codes allow SIL 3-rated devices to replace motor contactors.

What is safety? Merriam-Webster puts it this way: “Safety is the condition of being safe from undergoing or causing hurt, injury or loss.” In the elevator industry, safety concerns everyone. It is the driving force behind the code that defines how elevators are built and maintained in the modern world. Functional safety requires equipment to operate properly in response to inputs and relies both on inputs signaling the equipment correctly and the equipment responding in a safe manner. For the variable-frequency drives (VFDs) used in elevator controllers, this entails the VFD seeing the inputs coming from the controller system and then responding appropriately and safely. Functional safety means that when random, systematic or common-cause failures occur, the safety system does its job without malfunction, preventing injury, contamination or loss. When a system is functionally safe, the devices that make up the system should be able to shut down in a predetermined safe state.

As VFDs have become increasingly complex and capable, more safety functions have been incorporated directly into them. Breakthroughs in microprocessor and other technologies have allowed for much more advanced safety functionality in the drive. Depending on the configuration, this can allow the elevator controller to offload some of the safety responsibility of the system to the drive. Some VFDs have a Safety Integrity Level (SIL) rating, such as a version of KEB America’s F5 drive that can be a SIL 3-rated device.

The codes that municipalities use to evaluate the safety of elevators under their jurisdictions change frequently to keep up with current technology and the state of the industry. With the change to the elevator safety code ASME A17.1-2010 (or EN 81-2014, depending on jurisdiction), two separate methods must be used to inhibit the flow of alternating current (AC) to an AC motor. Under these new codes, a SIL 3-rated device, such as the KEB F5 drive, can be used as one of the means, instead of a motor contactor, which was the traditional method. KEB recommends contacting the appropriate authorities having jurisdiction (AHJs), as well as the OEM of the elevator controller, before making any changes. Safety-critical elements must only be handled by authorized and trained personnel.

In the elevator industry, KEB manufactures VFDs running AC motors, either induction motors (asynchronous) or permanent-magnet motors (synchronous). Asynchronous motors require a three-phase rotating field generated by an inverter to produce torque. Synchronous motors also require a three-phase rotating field to run. The inverter uses insulated-gate bipolar transistors (IGBTs) to output pulse-width modulation (PWM) to create this rotating field. In the event that an IGBT in the drive fails, a DC field is applied to the motor. This means that, for an asynchronous motor, no rotational field is generated, and the motor shaft will not rotate.

For a synchronous motor, a DC field will also be applied, and the motor will align to the DC field, if able. This alignment may cause rotation up to one-half of a pole-pair rotation. For example, a 20-pole motor has 10 pole pairs, meaning that the motor aligning to a DC field could rotate up to 1/20th of a revolution. Whether the motor actually rotates after application of the DC field depends on external factors, such as the brake and mechanical loading.

The safety function Safe Torque Off (STO) is a common drive-integrated safety function used in many industrial drive applications. In elevators, STO ensures that the motor cannot be unintentionally started. STO also stops torque generation if the function is activated while the motor is running. On the KEB drive, the STO function prevents the inverter from outputting PWM when the unit is disabled, keeping the motor from moving. If the STO function is activated, the drive immediately stops PWM, preventing torque from being generated on the motor. In Europe, EN 81-2014 has direct language relating to STO as an alternative to the motor contactor.

The North American code, A17.1-2010, is not as specific but does allow the use of a SIL-rated device. KEB has worked with third-party organization Liftinstituut to certify implementation of the STO function in the place of a motor contactor, in compliance with the relevant elevator standards.

The KEB F5 with STO functionality relies on the controller using force-guided relays to control the inputs STO1 and STO2. The enable input, ST, also relies on force-guided relays. This configuration allows the system to meet the intent of A17. Figure 1 shows an example of how the STO function uses opto-couplers to control the PWM output of the drive. Each STO input controls one of the opto-couplers. If any of these inputs is not active at any point, the drive will have no torque at the output. This provides the separate means of shutting off power to the motor, as required by the code.

As technology continues to advance, elevator systems will continue to become more complex, with increasing dependence on microprocessors and devices designed to handle safety functions. Using a drive with functional safety features like STO will become common as the industry evolves and the code is updated to keep up with innovation. The KEB F5 with STO allows a controller to take advantage of this rising wave of technology.

Elevator World | November 2018 Cover