Ed. Note: This arti­cle was revised 25-Jul-17 to include infor­ma­tion on safe stand­still.

Safe Drive Control including STO

Motor dri­ves are every­where. From DC vari­able speed dri­ves and index­ing dri­ves, through AC Vari­able Fre­quen­cy dri­ves, ser­vo dri­ves and step­per motor dri­ves, the capa­bil­i­ties and the flex­i­bil­i­ty of these elec­tron­ic sys­tems has giv­en machine design­ers unprece­dent­ed capa­bil­i­ties when com­pared to basic relay or con­tac­tor-based motor starters. We now have the capa­bil­i­ty to con­trol mech­a­nisms using motors in ways that would have been hard to imag­ine at the begin­ning of the indus­tri­al rev­o­lu­tion. Along with these con­trol capa­bil­i­ties come safe­ty-relat­ed func­tions like Safe Torque Off (STO).

Since we are con­trol­ling machin­ery, safe­ty is always a con­cern. In the 1990’s when I start­ed design­ing machin­ery with motor dri­ves, deal­ing with safe­ty con­cerns usu­al­ly meant adding a suit­ably rat­ed con­tac­tor upstream of the dri­ve so that you could inter­rupt pow­er to the dri­ve in case some­thing went wrong. With ear­ly ser­vo dri­ves, inter­rupt­ing the sup­ply pow­er often meant los­ing posi­tion data or worse. Plac­ing con­tac­tors between the dri­ve and the motor solved this prob­lem, but inter­rupt­ing the sup­ply pow­er would some­times cause the dri­ve stage of the ser­vo con­troller to blow up if the switch-off hap­pened with the motor run­ning and under high load. Motor dri­ve man­u­fac­tur­ers respond­ed by pro­vid­ing con­tac­tors and oth­er com­po­nents built into their dri­ves, cre­at­ing a fea­ture called Safe Torque Off (STO).

STO describes a state where “The dri­ve is reli­ably torque-free” [2]. The func­tions dis­cussed in this arti­cle are described in detail in IEC 61800–5-2 [3]. The func­tions are also list­ed in [10, Table 5.2]. Note that only Safe Torque Off and Safe Stop 1 can be used for emer­gency stop func­tions. Safe Torque Off, Safe Stop 1 and Safe Stop 2 can be used for safe­ty-relat­ed stop func­tions ini­ti­at­ed by a safe­guard­ing device. This dis­tinc­tion, between emer­gency stop func­tions and safe­guard­ing func­tions, is an impor­tant one.

If you have been a read­er of this blog for a while, you may recall that I have dis­cussed stop cat­e­gories before. This arti­cle expands on those con­cepts with the focus on motor dri­ves and their stop­ping func­tions specif­i­cal­ly. I’ve also talked about Emer­gency Stop exten­sive­ly. You might be inter­est­ed in read­ing more about the e-stop func­tion, start­ing with the post “Emer­gency Stop – What’s so con­fus­ing about that?”

Safe Torque Off (STO)

Accord­ing to Siemens, “The STO func­tion is the most com­mon and basic dri­ve-inte­grat­ed safe­ty func­tion. It ensures that no torque-gen­er­at­ing ener­gy can con­tin­ue to act upon a motor and pre­vents unin­ten­tion­al start­ing.” Risk assess­ment of the machin­ery can iden­ti­fy the need for an STO func­tion. The devices used for this appli­ca­tion are described in IEC 60204–1 in clause 5.4 [4]. The design fea­tures for pre­ven­tion of unex­pect­ed start­ing are cov­ered in more detail in EN 1037 [5] or ISO 14118 [6]. If you are inter­est­ed in these stan­dards, ISO 14118 is in the process of being revised. A new ver­sion should be avail­able with­in 12–18 months.

The STO func­tion oper­ates as shown in Fig.1. The blue line rep­re­sents the dri­ve speed/velocity, V, on the y-axis, with time, t, on the x-axis. The orange arrow and the dot­ted line show the ini­ti­a­tion of the stop­ping func­tion.

At the begin­ning of the stop­ping process (orange arrow and dot­ted line), the dri­ve gate puls­es are imme­di­ate­ly shut off, remov­ing torque from the motor (i.e., zero torque). The speed of the dri­ven equip­ment will drop at a rate deter­mined by the sys­tem fric­tion and iner­tia until stand­still is achieved. The zero torque con­di­tion is main­tained until the safe­ty func­tion per­mits restart­ing (area out­lined with yellow/black zebra stripe). Note that dri­ve stand­still may occur if the fric­tion and iner­tia of the sys­tem per­mit, but it is pos­si­ble that the dri­ven equip­ment may coast for some time. You may be able to move the dri­ven equip­ment by hand or grav­i­ty with the dri­ve in the STO mode.

STO is an uncon­trolled stop­ping mode [4, 3.56]:

uncon­trolled stop

stop­ping of machine motion by remov­ing elec­tri­cal pow­er to the machine actu­a­tors

NOTE This def­i­n­i­tion does not imply any oth­er state of oth­er (for exam­ple, non-elec­tri­cal) stop­ping devices, for exam­ple, mechan­i­cal or hydraulic brakes that are out­side the scope of this stan­dard.

The def­i­n­i­tion above is impor­tant. Uncon­trolled stops are the most com­mon form of stop­ping used in machines of all types and is required as a basic func­tion for all machines. There are var­i­ous ways of achiev­ing STO, includ­ing the use of a dis­con­nect­ing device, emer­gency stop sys­tems, and gate inter­lock­ing sys­tems that remove pow­er from machine actu­a­tors.

The embod­i­ment of the uncon­trolled stop con­cept is Stop Cat­e­go­ry 0 [4, 9.2.2]:

stop cat­e­go­ry 0 — stop­ping by imme­di­ate removal of pow­er to the machine actu­a­tors (i.e., and uncon­trolled stop, see 3.56)

Stop cat­e­go­ry 0 is only appro­pri­ate where the machin­ery has lit­tle iner­tia, or where mechan­i­cal fric­tion is high enough that the stop­ping time is short. It may also be used in cas­es where the machin­ery has very high iner­tia, but only for nor­mal stop­ping when coast­ing time is not a fac­tor, not for safe­ty stop­ping func­tions where the time to a no-motion state is crit­i­cal.

There are a few oth­er stop­ping modes that are often con­fused with STO:

• Safe Stop 1
• Safe Stop 2
• Safe Oper­at­ing Stop
• Safe Stand­still

Let’s explore the dif­fer­ences.

Safe Stop 1 (SS1)

If a defined stop­ping time is need­ed, a con­trolled stop­ping func­tion will be required fol­lowed by entry into STO. This stop­ping func­tion is called “Safe Stop 1” (SS1).

SS1 is direct­ly relat­ed to Stop Cat­e­go­ry 1 [4, 9.2.2]. As described in [4], Stop Cat­e­go­ry 1 func­tions as fol­lows:

stop cat­e­go­ry 1 — a con­trolled stop (see 3.11) with pow­er avail­able to the machine actu­a­tors to achieve the stop and then removal of pow­er when the stop is achieved;

A “con­trolled stop” is defined in [4, 3.11]:

con­trolled stop

stop­ping of machine motion with elec­tri­cal pow­er to the machine actu­a­tor main­tained dur­ing the stop­ping process

Once the con­trolled stop is com­plet­ed, i.e., machine motion has stopped, the dri­ve may then be placed into STO (or cat­e­go­ry 0 stop). The stop­ping process is shown in Fig. 2 [7].

The stop­ping process starts where the orange arrow and dot­ted line are shown. As com­pared to Fig. 1 where the decel­er­a­tion curve is gen­tle and expo­nen­tial, the active stop­ping peri­od in Fig. 2 is a lin­ear curve from oper­at­ing speed to zero speed. At the blue dot­ted line, the dri­ve enters and stays in STO. The yellow/black zebra striped area of the curve out­lines the com­plete stop­ping func­tion. This stop­ping method is typ­i­cal of many types of machin­ery, par­tic­u­lar­ly those with ser­vo-dri­ven mech­a­nisms.

Safe Stop 2 (SS2)

In some cas­es, the risk assess­ment may show that remov­ing pow­er com­plete­ly from a mech­a­nism will increase the risk. An exam­ple might be a ver­ti­cal axis where the motor dri­ve is used to main­tain the posi­tion of the tool­ing. Remov­ing pow­er from the dri­ve with the tool raised would result in the tool­ing crash­ing to the bot­tom of the axis in an uncon­trolled way. Not the desired way to achieve any type of stop!

There are var­i­ous to pre­vent this kind of occur­rence, but I’m going to lim­it the dis­cus­sion here to the Safe Stop 2 func­tion.

Let’s start with the def­i­n­i­tion [4, 3.11]:

con­trolled stop

stop­ping of machine motion with elec­tri­cal pow­er to the machine actu­a­tor main­tained dur­ing the stop­ping process

Wait! The def­i­n­i­tion of a con­trolled stop is exact­ly the same as a stop cat­e­go­ry 1, so what is the dif­fer­ence? For that we need to look to [4, 9.2.2]:

stop cat­e­go­ry 2 — a con­trolled stop with pow­er left avail­able to the machine actu­a­tors.

Emer­gency Stop func­tions can­not use Stop Cat­e­go­ry 2 [4, 9.2.5.4.2]. If you have tool­ing where Stop Cat­e­go­ry 2 is the most appro­pri­ate stop­ping func­tion under nor­mal con­di­tions, you will have to add an anoth­er means to pre­vent the axis from falling dur­ing the emer­gency stop. The addi­tion­al means could be a spring-set brake that is held released by the emer­gency stop sys­tem and is applied when the e-stop sys­tem removes pow­er from the tool­ing. There are many ways to achieve auto­mat­ic load-hold­ing besides brakes, but remem­ber, what­ev­er you choose it must be effec­tive in pow­er loss con­di­tions.

As shown in Fig. 3, the oper­a­tion of Safe Stop 2 dif­fers from Safe Stop 1 in that, instead of enter­ing into STO when motion stops, the sys­tem enters Safe Oper­at­ing Stop (SOS) [8], not STO. SOS is a Stop Cat­e­go­ry 2 func­tion. Full torque remains avail­able from the motor to hold the tool­ing in posi­tion. Safe stand­still is mon­i­tored by the dri­ve or oth­er means.

Depend­ing on the ISO 13849–1 PL_r, or the IEC 62061 SIL_r need­ed for the appli­ca­tion, the dri­ve may not have high enough reli­a­bil­i­ty on its own. In this case, a sec­ond chan­nel may be required to ensure that safe stand­still mon­i­tor­ing is ade­quate­ly reli­able. This can be achieved by adding anoth­er means of stand­still detec­tion, like a sec­ond encoder, or a stand­still mon­i­tor­ing device. An exam­ple cir­cuit dia­gram show­ing this type of mon­i­tor­ing can be found in Fig. 4 [10, Fig. 8.37], show­ing a safe­ty PLC and dri­ve used to pro­vide an “inch­ing” or “jog” func­tion.

In Fig. 4, the encoders are labelled G1 and G2. Both encoders are con­nect­ed to the safe­ty PLC to pro­vide two-chan­nel feed­back required for Cat­e­go­ry 3 archi­tec­ture. G1 is also con­nect­ed to the motor dri­ve for posi­tion and veloc­i­ty feed­back as need­ed for the appli­ca­tion. Note that this par­tic­u­lar dri­ve also has a con­tac­tor upstream, Q1, to pro­vide one chan­nel of the two required for Cat­e­go­ry 3. The sec­ond chan­nel would be pro­vid­ed by the pulse block­ing input on the dri­ve. For more on how this cir­cuit func­tions and how the func­tion­al safe­ty analy­sis is com­plet­ed, see [10].

Safe Operating Stop (SOS)

Dur­ing a safe oper­at­ing stop (SOS), the motor is brought to a spe­cif­ic posi­tion and held there by the dri­ve. Full torque is avail­able to keep the tool­ing in posi­tion. The stop is mon­i­tored safe­ly by the dri­ve. The func­tion is shown in Fig­ure 4 [9].

In Fig. 5, the y-axis, s, rep­re­sents the posi­tion of the tool­ing, NOT the veloc­i­ty, while the x-axis rep­re­sents time, t. The start of the posi­tion hold­ing func­tion is shown by the orange arrow and dashed line. The peri­od fol­low­ing the green dashed line is the SOS peri­od.

SOS can­not be used for the emer­gency stop func­tion. Under cer­tain con­di­tions it may be used when guard inter­locks are opened, i.e., the guard door on a CNC lathe is opened so that the oper­a­tor can place a new work­piece.

There a quite a few addi­tion­al “safe” dri­ve func­tions. For more on these func­tions and how to imple­ment them, see [2] and appli­ca­tion data from your favourite dri­ve man­u­fac­tur­er. Ref­er­ence is also pro­vid­ed in [9, Table 5.2].

Safe Standstill

Safe stand­still is a con­di­tion where motion has stopped and is being mon­i­tored by a safe­ty-rat­ed device whose out­put sig­nals are used to con­trol the release of guard lock­ing devices. Safe stand­still is not the same as zero-speed because zero-speed can be achieved with­out the use of safe­ty-rat­ed con­trol com­po­nents and design, while safe stand­still requires both suit­able com­po­nents and design.

There are var­i­ous ways to achieve safe stand­still. Here are three approach­es [12]:

1. Rota­tion sen­sors
   Sen­sors includ­ing prox­im­i­ty sen­sors, resolvers, and encoders can be used to mon­i­tor the motion of the dri­ve com­po­nents. A safe stand­still mon­i­tor­ing device is used to when stand­still has occurred.  When a machine has an unsta­ble rest posi­tion, a prox­im­i­ty sen­sor should be used to ensure the machine is in a safe con­di­tion before the guard lock­ing devices are released.
2. Back EMF mon­i­tor­ing
   Back elec­tro­mo­tive force or Back EMF is the volt­age cre­at­ed in an elec­tric motor due to the rota­tion of the arma­ture in the mag­net­ic field in the motor. This volt­age oppos­es the applied volt­age and is approx­i­mate­ly pro­por­tion­al to the rota­tion­al speed of the motor. Back EMF remains after the sup­ply volt­age has been removed, allow­ing mon­i­tor­ing devices to indi­rect­ly mea­sure motor speed and stand­still.
3. Fail­safe timer
   Fail­safe timers are time delay relays designed for use in safe­ty func­tions. Fail­safe timers can be used when the stop­ping per­for­mance of the machin­ery is con­sis­tent and known.
   Fol­low­ing removal of pow­er from the dri­ve motor, the time delay starts. At the end of the time delay, the relay releas­es the guard lock­ing devices.
   Reg­u­lar time delay relays can­not be used for this pur­pose, only fail-safe relays designed to be used in safe­ty func­tions can be used, along with suit­able safe­ty sys­tems design tech­niques like ISO 13849 or IEC 62061.

Conclusions

As you can see, there are sig­nif­i­cant dif­fer­ences between STO, SS1, SS2, SOS and Safe Stand­still. While these func­tions may be used togeth­er to achieve a par­tic­u­lar safe­ty func­tion, some are func­tions of the imple­men­ta­tion of the motor dri­ve, e.g., STO. Some are a func­tion of the design of the motor dri­ve itself, e.g., STO, SS1, SS2, and SOS, or the design of con­trols exter­nal to the motor dri­ve, e.g., safe stand­still. The sim­i­lar­i­ties between these var­i­ous func­tions can make it easy to con­fuse them. Care needs to be tak­en to ensure that the cor­rect tech­ni­cal approach is used when real­is­ing the safe­ty func­tion required by the risk assess­ment.

Ref­er­ences

[1]    “Vari­able Fre­quen­cy Dri­ves — Indus­tri­al Wiki — ode­sie by Tech Trans­fer”, Myodesie.com, 2017. [Online]. Avail­able: https://www.myodesie.com/wiki/index/returnEntry/id/3040. [Accessed: 19- Jun- 2017].

[2] “Safe Torque Off (STO) — Safe­ty Inte­grat­ed — Siemens”, Industry.siemens.com, 2017. [Online]. Avail­able: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/pages/safe-torque-off.aspx. [Accessed: 19- Jun- 2017].

[3]      Adjustable speed elec­tri­cal pow­er dri­ve sys­tems — Part 5–2: Safe­ty require­ments — Func­tion­al. IEC Stan­dard 61800–5-2. 2nd Ed. 2016.

[4]     Safe­ty of machin­ery — Elec­tri­cal equip­ment of machines — Part 1: Gen­er­al require­ments. IEC Stan­dard 60204–1. 2006.

[5]     Safe­ty of machin­ery — Pre­ven­tion of unex­pect­ed start-up. EN Stan­dard 1037+A1. 2008.

[6]     Safe­ty of machin­ery — Pre­ven­tion of unex­pect­ed start-up. ISO Stan­dard 14118. 2000.

[7]     “Safe Stop 1 (SS1) — Safe­ty Inte­grat­ed — Siemens”, Industry.siemens.com, 2017. [Online]. Avail­able: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-stop1.aspx. [Accessed: 19- Jun- 2017].

[8]     “Safe Stop 2 (SS2) — Safe­ty Inte­grat­ed — Siemens”, Industry.siemens.com, 2017. [Online]. Avail­able: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-stop2.aspx. [Accessed: 19- Jun- 2017].

[9]     “Safe Oper­at­ing Stop (SOS) — Safe­ty Inte­grat­ed — Siemens”, Industry.siemens.com, 2017. [Online]. Avail­able: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-operating-stop.aspx. [Accessed: 19- Jun- 2017].

[10]     M. Hauke, M. Schae­fer, R. Apfeld, T. Boe­mer, M. Huelke, T. Borows­ki, K. Bülles­bach, M. Dor­ra, H. Foer­mer-Schae­fer, W. Grigule­witsch, K. Heimann, B. Köh­ler, M. Krauß, W. Küh­lem, O. Lohmaier, K. Mef­fert, J. Pil­ger, G. Reuß, U. Schus­ter, T. Seifen and H. Zil­li­gen, “Func­tion­al safe­ty of machine controls–Application of EN ISO 13849–Report 2/2008e”, BGIA – Insti­tute for Occu­pa­tion­al Safe­ty and Health of the Ger­man Social Acci­dent Insur­ance, Sankt Augustin, 2017.

[11]     “Glos­sary”, Schmersalusa.com, 2017. [Online]. Avail­able: http://www.schmersalusa.com/service/glossary/#c3616. [Accessed: 10- Jan-2018].

[12]     Schm­er­sal Tech Briefs: Safe Speed & Stand­still Mon­i­tor­ing. Schm­er­sal USA, 2017.

Acknowledgements

Spe­cial thanks go out to two of my reg­u­lar read­ers for sug­gest­ing this post: Matt Ernst and con­trols­girl, who com­ments fre­quent­ly. Thanks for the ideas and the ques­tions that sparked this post!