Safe Drive Control including Safe Torque Off (STO)


Variable Frequency Drive for conveyor speed control [1]

Motor drives are everywhere, some with Safe Torque Off (STO) capabilities and many without. From DC variable speed drives and indexing drives, through AC Variable Frequency drives, servo drives and stepper motor drives, the capabilities and the flexibility of these electronic systems have given machine designers unprecedented capabilities when compared to basic relay or contactor-based motor starters. We now have the capability to control mechanisms using motors in ways that would have been hard to imagine at the beginning of the industrial revolution. Along with these control capabilities come safety-related functions like STO.

Safety is always a concern with industrial machinery. In the 1990s, when I started designing machinery with motor drives, dealing with safety concerns usually meant adding a suitably rated contactor upstream of the drive so that you could interrupt power to the drive if something went wrong. With early servo drives, interrupting the supply power often meant losing position data. Placing contactors between the drive and the motor solved that problem, but switching off with the motor running under high load would sometimes destroy the output stage of the servo controller. Motor drive manufacturers responded by building the switch-off function into the drive itself, blocking the gate pulses to the output stage through redundant, monitored channels rather than relying on external contactors. This feature became known as Safe Torque Off (STO).

STO describes a state where “the drive is reliably torque-free” [2]. The functions discussed in this article are described in detail in IEC 61800-5-2 [3]. The functions are also listed in [10, Table 5.2]. Only Safe Torque Off and Safe Stop 1 can be used for emergency stop functions. Safe Torque Off, Safe Stop 1 and Safe Stop 2 can be used for safety-related stop functions initiated by a safeguarding device. This distinction between emergency stop functions and safeguarding functions is an important one.

If you have been a reader of this blog for a while, you may recall that I have discussed stop categories before. This article expands on those concepts with a focus on motor drives and their stopping functions specifically. I’ve also talked about Emergency Stop extensively. You might be interested in reading more about the e-stop function, starting with the post “Emergency Stop — What’s so confusing about that?”

Safe Torque Off (STO)

According to Siemens, “The STO function is the most common and basic drive-integrated safety function. It ensures that no torque-generating energy can continue to act upon a motor and prevents unintentional starting.” Risk assessment of the machinery can identify the need for an STO function. The devices used for this application are described in IEC 60204-1 in clause 5.4 [4]. The design features for preventing unexpected starting are covered in more detail in EN 1037 [5] or ISO 14118 [6]. If you are interested in these standards, ISO 14118 is in the process of being revised. A new version should be available within 12-18 months.

The STO function operates as shown in Fig.1. The blue line represents the drive speed/velocity, V, on the y-axis, with time, t, on the x-axis. The orange arrow and the dotted line show the initiation of the stopping function.

Graph showing motor drive output over time when the STO function is activated.
Figure 1 – Safe Torque Off function [1]

At the beginning of the stopping process (orange arrow and dotted line), the drive's gate pulses are shut off immediately, removing all torque from the motor. The speed of the driven equipment then falls at a rate set by the system's friction and inertia until standstill is reached. The zero-torque condition is maintained until the safety function permits restarting (area outlined with the yellow/black zebra stripe). Note that STO does not guarantee standstill: the driven equipment may coast for some time if inertia is high and friction is low, and it may still be moved by hand or by gravity while the drive is in STO. STO also does not provide electrical isolation; the drive's input and DC bus remain energized, so STO is not a substitute for a disconnecting device when work on the electrical equipment is required.

STO is an uncontrolled stopping mode [4, 3.56]:

uncontrolled stop
stopping of machine motion by removing electrical power to the machine actuators
NOTE This definition does not imply any other state of other (for example, non-electrical) stopping devices, for example, mechanical or hydraulic brakes that are outside the scope of this standard.
IEC 60204-1

The definition above is important. Uncontrolled stops are the most common form of stopping used in machines of all types, and every machine must provide at least one. There are various ways of achieving an uncontrolled stop, including a disconnecting device, an emergency stop system, or a guard interlocking system that removes power from the machine actuators. STO is the drive-integrated way of doing the same thing.

The embodiment of the uncontrolled stop concept is Stop Category 0 [4, 9.2.2]:

stop category 0 — stopping by immediate removal of power to the machine actuators (i.e., an uncontrolled stop, see 3.56)

IEC 60204-1

Stop category 0 is appropriate for safety-related stopping only where the machinery has little inertia, or where mechanical friction is high enough that the coasting time is short. Where the machinery has very high inertia, a category 0 stop may still be used for normal stopping when the coasting time does not matter, but not for safety stopping functions where the time to reach a no-motion state is critical.

There are a few other stopping modes that are often confused with STO:

  • Safe Stop 1
  • Safe Stop 2
  • Safe Operating Stop
  • Safe Standstill

Let’s explore the differences.

Safe Stop 1 (SS1)

Where the risk assessment calls for a defined stopping time, a controlled stop is required, followed by entry into STO once motion has stopped. This stopping function is called “Safe Stop 1” (SS1). IEC 61800-5-2 [3] distinguishes the variants by how the stop is supervised: by time alone (SS1-t, where the drive ramps down and STO is forced after a set delay), by monitoring the deceleration ramp (SS1-r), or by controlling the deceleration directly (SS1-d).

SS1 is directly related to Stop Category 1 [4, 9.2.2]. As described in [4], Stop Category 1 functions as follows:

stop category 1 — a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;

IEC 60204-1

A “controlled stop” is defined in [4, 3.11]:

controlled stop
stopping of machine motion with electrical power to the machine actuator maintained during the stopping process
IEC 60204-1

Once the controlled stop is completed, i.e., machine motion has stopped, the drive may then be placed into STO (or category 0 stop). The stopping process is shown in Fig. 2 [7].

Graph showing the reduction of drive speed over time following the beginning of a controlled stopping process.
Figure 2 – Safe Stop 1

The stopping process starts at the orange arrow and dotted line. Compared with Fig. 1, where the deceleration curve is a gentle exponential decay, the active stopping period in Fig. 2 is a linear ramp from operating speed to zero. At the blue dotted line, the drive enters STO and stays there. The yellow and black zebra-striped area shows the safety function. This stopping method is typical of many types of machinery, particularly those with servo-driven mechanisms.
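To make the difference between the coast of Fig. 1 and the ramp of Fig. 2 concrete, here is an added example (my own illustration, not part of the original post and not any drive manufacturer's firmware): a small discrete-time model in Python. It treats friction as viscous, which produces the exponential decay of Fig. 1, and implements the ramp-monitored variant of SS1 (SS1-r), in which the monitor forces STO as soon as the actual speed leaves the commanded deceleration envelope. Inertia, friction, speeds, the standstill threshold and the tolerance are constructed values, not taken from any real machine.

```python
"""Added example, not from the original post: a discrete-time model of the
STO coast (Stop Category 0) and of a ramp-monitored SS1 (Stop Category 1).
All parameter values are constructed for illustration."""

import math

# Speed below which the axis is treated as stopped (rad/s).  An STO coast never
# reaches exactly zero, so "standstill" is always a threshold judgement.
V_STANDSTILL = 0.05


def sto_coast(v0, inertia, viscous_friction, dt=0.001, t_max=60.0):
    """Stop Category 0: torque is removed at t = 0 and the axis coasts.

    With viscous friction only, J * dv/dt = -b * v, so the speed decays
    exponentially (the gentle curve of Fig. 1).  Returns
    (time_to_standstill_s, coast_angle_rad); the time is None when the
    axis is still above V_STANDSTILL at t_max.
    """
    decay = math.exp(-viscous_friction / inertia * dt)  # exact per-step decay
    v, angle, t = v0, 0.0, 0.0
    while v > V_STANDSTILL:
        if t >= t_max:
            return None, angle
        angle += v * dt        # distance covered while still coasting
        v *= decay             # no motor torque is available to help
        t += dt
    return round(t, 3), angle


def ss1_ramp_monitored(v0, commanded_decel, actual_decel,
                       tolerance=2.5, dt=0.001):
    """Stop Category 1 with ramp monitoring (SS1-r).

    The drive commands the linear ramp of Fig. 2.  A monitor compares the
    actual speed against the expected ramp; if the axis lags the ramp by more
    than `tolerance` (the drive has lost control of the load), STO is
    requested at once instead of waiting for the ramp to end.  When the ramp
    completes normally the drive enters STO at standstill.
    """
    t, v_actual = 0.0, v0
    while v_actual > V_STANDSTILL:
        t += dt
        v_expected = max(v0 - commanded_decel * t, 0.0)
        v_actual = max(v_actual - actual_decel * dt, 0.0)  # plant response
        if v_actual > v_expected + tolerance:
            return {"outcome": "sto_fallback",
                    "t_fallback": round(t, 3),
                    "v_at_fallback": round(v_actual, 3)}
    return {"outcome": "ramp_completed_then_sto", "t_standstill": round(t, 3)}


if __name__ == "__main__":
    # Low-inertia axis: coasting stops it within a few seconds.
    print("STO, J=0.05:", sto_coast(v0=100.0, inertia=0.05, viscous_friction=0.1))
    # High-inertia axis: still moving after a minute, so STO alone is not a
    # safety stop here; a controlled ramp (SS1) or a brake is needed.
    print("STO, J=2.0: ", sto_coast(v0=100.0, inertia=2.0, viscous_friction=0.1))
    # SS1: a healthy ramp, then a ramp the load cannot follow.
    print("SS1 ok:     ", ss1_ramp_monitored(100.0, commanded_decel=50.0, actual_decel=50.0))
    print("SS1 fault:  ", ss1_ramp_monitored(100.0, commanded_decel=50.0, actual_decel=10.0))
```

The two STO cases show why Stop Category 0 is only a safety stop on low-inertia or high-friction machinery: with the same friction, the heavier axis is still turning at 5 rad/s when the one-minute budget runs out. The SS1 fault case shows the point of ramp monitoring: the monitor does not wait for the ramp to finish before deciding the drive has lost control, it drops to STO within tens of milliseconds.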

Safe Stop 2 (SS2)

In some cases, the risk assessment may show that removing power completely from a mechanism will increase the risk. An example might be a vertical axis where the motor drive is used to maintain the position of the tooling. Removing power from the drive with the tool raised would result in the tooling crashing to the bottom of the axis in an uncontrolled way. Not the desired way to achieve any type of stop!

There are various ways to prevent this kind of occurrence, but I’m going to limit the discussion here to the Safe Stop 2 function.

Let’s start with the definition [4, 3.11]:

controlled stop
stopping of machine motion with electrical power to the machine actuator maintained during the stopping process
IEC 60204-1

Wait! The definition of a controlled stop is the same one used for stop category 1, so what is the difference? For that, we need to look at [4, 9.2.2]:

stop category 2 — a controlled stop with power left available to the machine actuators.

IEC 60204-1

Emergency Stop functions cannot use Stop Category 2 [4, 9.2.5.4.2]. Suppose you have tooling where Stop Category 2 is the most appropriate stopping function under normal conditions. In that case, you will have to add another means to prevent the axis from falling during an emergency stop. The additional means could be a spring-set brake that is held released while power is available and applied automatically when the e-stop system removes power from the tooling and the brake. There are many ways to achieve automatic load-holding besides brakes, but whatever you choose must be effective under power-loss conditions. Catastrophic loss of control when power is lost is one failure mode that is easy to overlook. I recommend using an FMEA to examine what happens when power is lost to the drive so that the effects on a system relying on Stop Category 2 can be evaluated.

As shown in Fig. 3, Safe Stop 2 differs from Safe Stop 1 because the system enters Safe Operating Stop (SOS) [8], not STO, when the motion stops. SOS is a Stop Category 2 function. Full torque remains available from the motor to hold the tooling in position. Safe standstill is monitored by the drive or other means.

Graph showing speed reduction to zero, followed by entry into stop category 2.
Figure 3 — Safe Stop 2

Depending on the PLr under ISO 13849-1, or the SILr under IEC 62061, needed for the application, the drive’s own standstill monitoring may not be reliable enough on its own. In that case, a second channel may be required so that standstill monitoring achieves the required performance. This can be done by adding another means of standstill detection, such as a second encoder or a separate standstill monitoring device. An example circuit showing this type of monitoring is Fig. 4 [10, Fig. 8.37], which uses a safety PLC and a drive to provide an “inching” or “jog” function.

Circuit diagram for a safe inching mode using a motor drive. Taken from Fig 8.37 in BGIA Report 2/2008e
Figure 4 — Safely limited speed for inching mode – PLd, Cat. 3 [10]

In Fig. 4, the encoders are labelled G1 and G2. Both encoders are connected to the safety PLC to provide the two-channel feedback required for a Category 3 architecture. G1 is also connected to the motor drive for the position and velocity feedback needed by the application. Note that this drive also has an upstream contactor, Q1, which provides one of the two channels required for Category 3; the second channel is provided by the pulse-blocking input on the drive. For more on how this circuit functions and how the functional safety analysis is completed, see [10] and the 2019 version of the report [13].

Safe Operating Stop (SOS)

During a safe operating stop (SOS), the motor is brought to a specific position and held there by the drive. Full torque is available to keep the tooling in position. The stop is monitored safely by the drive. The function is shown in Fig. 5 [9].

A graph showing a drive maintaining position following a stop
Figure 5 — Safe Operating Stop

In Fig. 5, the y-axis, s, represents the position of the tooling, NOT the velocity, while the x-axis represents time, t. The start of the position holding function is shown by the orange arrow and dashed line. The period following the green dashed line is the SOS period.

SOS cannot be used for the emergency stop function. Under certain conditions, it may be used when guard interlocks are opened, i.e., the guard door on a CNC lathe is opened so the operator can place a new workpiece.

There are quite a few additional “safe” drive functions. See [2] and application data from your favourite drive manufacturer for more on these functions and how to implement them. A summary is also provided in [10, Table 5.2].

Safe Standstill

A safe standstill is a condition where motion has stopped and is being monitored by a safety-rated device whose output signals control the release of the guard locking devices. A safe standstill is not the same as zero speed: zero speed can be detected with ordinary control components, whereas a safe standstill requires both safety-rated components and a safety-rated design.

There are various ways to achieve a safe standstill. Here are three approaches [12]:

  1. Rotation sensors
    Sensors such as proximity switches, resolvers, and encoders can monitor the motion of the drive components. A safety-rated standstill monitoring device evaluates their signals and determines when standstill has been reached. When a machine has an unstable rest position, a proximity sensor should be used to confirm that the machine is in a safe position before the guard locking devices are released.
  2. Back EMF monitoring
    Back electromotive force, or back-EMF, is the voltage generated in an electric motor by the rotation of the armature in the motor’s magnetic field. This voltage opposes the applied voltage and is approximately proportional to the motor’s rotational speed. Because it is produced by the rotation itself, back-EMF persists after the supply voltage has been removed for as long as the motor keeps turning, allowing a monitoring device to measure motor speed and detect standstill indirectly.
  3. Failsafe timer
    Failsafe timers are time delay relays designed for use in safety functions. Failsafe timers can be used when the stopping performance of the machinery is consistent and known.
    The time delay starts following the removal of power from the drive motor. The relay releases the guard locking devices at the end of the time delay.
    Regular time delay relays cannot be used for this purpose; only fail-safe relays designed for safety functions can be used, along with suitable safety systems design techniques like ISO 13849 or IEC 62061.
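The following is an added example, not from the original post or from any safety PLC vendor's library. It shows, in Python, the evaluation logic a safety PLC could apply to the two-channel standstill monitoring of Fig. 4 (encoders G1 and G2 cross-compared, so that a single stuck or disconnected sensor can never release the guard lock), together with one function each for the back-EMF estimate, the failsafe timer and the SOS position window described above. The speed samples, thresholds, motor constant and hold times are constructed for illustration; a real implementation would live in a certified safety controller, not in general-purpose Python.

```python
"""Added example, not from the original post: the evaluation logic a safety
PLC could apply to two-channel standstill monitoring (G1/G2 in Fig. 4), plus
the three Safe Standstill approaches and an SOS position window.  Sensor
values and thresholds are constructed for illustration."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class StandstillMonitor:
    """Two-channel standstill evaluation with cross-comparison and time
    qualification.  A discrepancy between the channels latches a fault, so
    the guard lock can never be released on the evidence of one channel."""
    v_standstill: float = 0.05     # speed below which a channel reports "stopped"
    max_discrepancy: float = 0.5   # allowed |ch1 - ch2| before declaring a fault
    hold_time: float = 0.5         # both channels must stay stopped this long
    fault: bool = field(default=False, init=False)
    _stopped_since: Optional[float] = field(default=None, init=False, repr=False)

    def update(self, t: float, speed_ch1: float, speed_ch2: float) -> str:
        """Classify one sample as 'fault', 'moving', 'settling' or 'standstill'."""
        if self.fault:
            return "fault"                       # latched: needs a reset/repair
        if abs(speed_ch1 - speed_ch2) > self.max_discrepancy:
            # Channels disagree: a sensor or its wiring can no longer be trusted.
            self.fault = True
            self._stopped_since = None
            return "fault"
        both_stopped = (abs(speed_ch1) < self.v_standstill
                        and abs(speed_ch2) < self.v_standstill)
        if not both_stopped:
            self._stopped_since = None           # any motion restarts qualification
            return "moving"
        if self._stopped_since is None:
            self._stopped_since = t
        if t - self._stopped_since >= self.hold_time:
            return "standstill"
        return "settling"


def speed_from_back_emf(back_emf_volts: float, ke_volts_per_rad_s: float) -> float:
    """Approach 2: back-EMF is roughly proportional to speed, so a voltage
    measured at the motor terminals after the supply is removed estimates the
    residual speed.  ke is the motor's (constructed) voltage constant."""
    return back_emf_volts / ke_volts_per_rad_s


def failsafe_timer_release(t_power_removed: float, t_now: float,
                           worst_case_stop_time: float, margin: float = 1.2) -> bool:
    """Approach 3: with a known, consistent stopping performance, release the
    guard lock only after the worst-case stopping time plus a safety margin."""
    return t_now - t_power_removed >= worst_case_stop_time * margin


def sos_within_window(position: float, hold_position: float, window: float) -> bool:
    """Safe Operating Stop: the drive holds position under full torque; the
    caller drops to STO when the axis drifts outside the monitored window."""
    return abs(position - hold_position) <= window


def release_time(samples: List[Tuple[float, float, float]],
                 monitor: Optional[StandstillMonitor] = None) -> Optional[float]:
    """Approach 1: feed (t, v_ch1, v_ch2) samples through the monitor and
    return the time at which the guard lock may be released, or None if it
    never may (still moving, or a channel fault was latched)."""
    monitor = monitor or StandstillMonitor()
    for t, v1, v2 in samples:
        state = monitor.update(t, v1, v2)
        if state == "standstill":
            return t
        if state == "fault":
            return None
    return None


# Constructed data: an axis ramping down and reaching standstill at t = 2.0 s.
HEALTHY = [(0.0, 10.0, 10.0), (0.5, 7.5, 7.4), (1.0, 5.0, 5.0),
           (1.5, 2.5, 2.6), (2.0, 0.0, 0.01), (2.3, 0.0, 0.0), (2.6, 0.0, 0.0)]
# Constructed: channel 2 freezes at zero while channel 1 still reports motion.
STUCK_CH2 = [(0.0, 10.0, 10.0), (0.5, 7.5, 0.0), (1.0, 5.0, 0.0), (2.6, 0.0, 0.0)]

if __name__ == "__main__":
    print("healthy axis, lock release at t =", release_time(HEALTHY))
    print("stuck encoder, lock release at t =", release_time(STUCK_CH2))
    print("back-EMF 2.0 V at ke=0.4 V/(rad/s) ->", speed_from_back_emf(2.0, 0.4), "rad/s")
    print("failsafe timer at 1.1 s of a 1.0 s stop:", failsafe_timer_release(0.0, 1.1, 1.0))
    print("SOS 20 mm drift in 50 mm window:", sos_within_window(100.02, 100.0, 0.05))
```

Two design points are worth noting. The monitor qualifies standstill over a hold time rather than on the first zero sample, so a brief zero-crossing during an oscillation about rest does not unlock the guard. And the fault is latched: once the channels have disagreed, no later agreement (for example both reading zero because the machine really did stop) is allowed to release the lock, because there is no longer a way to tell a genuine standstill from a failed sensor.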

Conclusions

As you can see, there are significant differences between STO, SS1, SS2, SOS and Safe Standstill. These functions may be used together to achieve a particular safety function, but they are not realized in the same place: STO, SS1, SS2 and SOS are functions designed into the motor drive itself, while safe standstill monitoring is a function of the controls external to the drive. The similarities between these safety functions make them easy to confuse. Care must be taken to ensure that the correct technical approach is used when realizing the safety function required by the risk assessment.

Ed. Notes:

Reference to IFA Report 2/2017e [13] added 2022-02-24.

Information on safe standstill added 2017-07-25.


References

[1] “Variable Frequency Drives – Industrial Wiki – odesie by Tech Transfer”, Myodesie.com, 2017. [Online]. Available: https://www.myodesie.com/wiki/index/returnEntry/id/3040. [Accessed: 19-Jun-2017].

[2] “Safe Torque Off (STO) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/pages/safe-torque-off.aspx. [Accessed: 19-Jun-2017].

[3] Adjustable speed electrical power drive systems – Part 5-2: Safety requirements – Functional, IEC 61800-5-2, 2nd Ed. International Electrotechnical Commission (IEC), 2016.

[4] Safety of machinery — Electrical equipment of machines — Part 1: General requirements, IEC 60204-1. International Electrotechnical Commission (IEC), 2006.

[5] Safety of machinery — Prevention of unexpected start-up, EN 1037+A1. European Committee for Standardization (CEN), 2008.

[6] Safety of machinery — Prevention of unexpected start-up, ISO 14118. International Organization for Standardization (ISO), 2000.

[7] “Safe Stop 1 (SS1) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-stop1.aspx. [Accessed: 19-Jun-2017].

[8] “Safe Stop 2 (SS2) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-stop2.aspx. [Accessed: 19-Jun-2017].

[9] “Safe Operating Stop (SOS) – Safety Integrated – Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-operating-stop.aspx. [Accessed: 19-Jun-2017].

[10] M. Hauke, et al., “Functional safety of machine controls — Application of EN ISO 13849 — IFA Report 2/2008e”, German Social Accident Insurance (DGUV), Sankt Augustin, 2009.

[11] “Glossary”, Schmersalusa.com, 2017. [Online]. Available: http://www.schmersalusa.com/service/glossary/. [Accessed: 10-Jan-2018].

[12] Schmersal Tech Briefs: Safe Speed & Standstill Monitoring. Schmersal USA, 2017.

[13] M. Hauke, et al., “Functional safety of machine controls — Application of EN ISO 13849 — IFA Report 2/2017e”, German Social Accident Insurance (DGUV), Sankt Augustin, 2019.

Acknowledgements

Special thanks go out to two of my regular readers for suggesting this post: Matt Ernst and controlsgirl, who comment frequently. Thanks for the ideas and the questions that sparked this post!

© 2017 – 2022, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

6 thoughts on “Safe Drive Control including Safe Torque Off (STO)”

  1. Hi Doug,
    Your articles are extremely helpful and informative, thank you for doing this. I have a question about emergency stops that I hope you can answer. You say under the SS2 section that “Emergency Stop functions cannot use Stop Category 2 [4, 9.2.5.4.2].”

    IEC 60204-1:2016 no longer contains a section 9.2.5.4.2, but section 9.2.3.4.2 Emergency stop states an exception: “Exception: In some cases, to avoid creating additional risks, it can be necessary to perform a controlled stop and maintain the power to machine actuators even after stopping is achieved. The stopped condition shall be monitored and upon detection of failure of the stopped condition, power shall be removed without creating a hazardous situation.”

    I am slightly unsure of the implications of this exception. It seems that IEC 60204-1 opens for using category 2 as an emergency stop, but ISO 13850:2015 and ISO 10218-1:2011 still limit emergency stop to category 0 or 1.

    The reason for asking is that my company is developing a robot with wheels, and have not added a mechanical braking system. I.e., we need power to the motor drive to keep the robot at a standstill if it is positioned in an incline.

    1. Hi Lars,
      Remember that the emergency stop “state” is NOT a normal condition. It is a response to unexpected, unforeseen hazardous conditions.

      Exceptions, like the one you correctly point out in EN/IEC 60204-1:2018, come with an unspoken requirement for deeper analysis. The first question must be: Why? Specifically, why is maintaining power on the drive the only way to prevent hazardous motion? What happens when the drive fails? Understanding the risks related to these failure modes is very important. If you don’t know the answers, that is the starting point. With devices like the wheel.me robot, a spring-set brake on the motor will likely provide a more reliable holding function under emergency stop or power loss conditions. Robots that rely upon batteries as the primary power source are a particular use case where the use of Category 2 stop for an emergency stop is very risky. The constant power draw on the battery while the device is stopped will drain the batteries and lead to a catastrophic loss of control when they eventually completely discharge.

      Using Category 2 stop for normal stopping is fine. Separating normal stopping from emergency stopping is very important.

  2. Really very happy to say, your post is very interesting to read. I never stop myself from saying something about it. You’re doing a great job. Keep it up.

    1. Thanks, Arrow Speed, I’m glad you found this useful. Unfortunately, I had to delete the link to your website – we don’t accept advertising in the comment flow. 🙂
