Ed. Note: This article was revised 25-Jul-17 to include information on safe standstill.
Safe Drive Control including STO
Since we are controlling machinery, safety is always a concern. In the 1990’s when I started designing machinery with motor drives, dealing with safety concerns usually meant adding a suitably rated contactor upstream of the drive so that you could interrupt power to the drive in case something went wrong. With early servo drives, interrupting the supply power often meant losing position data or worse. Placing contactors between the drive and the motor solved this problem, but interrupting the supply power would sometimes cause the drive stage of the servo controller to blow up if the switch-off happened with the motor running and under high load. Motor drive manufacturers responded by providing contactors and other components built into their drives, creating a feature called Safe Torque Off (STO).
STO describes a state where “The drive is reliably torque-free” [2]. The functions discussed in this article are described in detail in IEC 61800–5-2 [3]. The functions are also listed in [10, Table 5.2]. Note that only Safe Torque Off and Safe Stop 1 can be used for emergency stop functions. Safe Torque Off, Safe Stop 1 and Safe Stop 2 can be used for safety-related stop functions initiated by a safeguarding device. This distinction, between emergency stop functions and safeguarding functions, is an important one.
If you have been a reader of this blog for a while, you may recall that I have discussed stop categories before. This article expands on those concepts with the focus on motor drives and their stopping functions specifically. I’ve also talked about Emergency Stop extensively. You might be interested in reading more about the e-stop function, starting with the post “Emergency Stop – What’s so confusing about that?”
Safe Torque Off (STO)
According to Siemens, “The STO function is the most common and basic drive-integrated safety function. It ensures that no torque-generating energy can continue to act upon a motor and prevents unintentional starting.” Risk assessment of the machinery can identify the need for an STO function. The devices used for this application are described in IEC 60204–1 in clause 5.4 [4]. The design features for prevention of unexpected starting are covered in more detail in EN 1037 [5] or ISO 14118 [6]. If you are interested in these standards, ISO 14118 is in the process of being revised. A new version should be available within 12–18 months.
The STO function operates as shown in Fig.1. The blue line represents the drive speed/velocity, V, on the y-axis, with time, t, on the x-axis. The orange arrow and the dotted line show the initiation of the stopping function.
STO is an uncontrolled stopping mode [4, 3.56]:
- uncontrolled stop
- stopping of machine motion by removing electrical power to the machine actuators
- NOTE This definition does not imply any other state of other (for example, non-electrical) stopping devices, for example, mechanical or hydraulic brakes that are outside the scope of this standard.
The definition above is important. Uncontrolled stops are the most common form of stopping used in machines of all types and is required as a basic function for all machines. There are various ways of achieving STO, including the use of a disconnecting device, emergency stop systems, and gate interlocking systems that remove power from machine actuators.
The embodiment of the uncontrolled stop concept is Stop Category 0 [4, 9.2.2]:
stop category 0 — stopping by immediate removal of power to the machine actuators (i.e., and uncontrolled stop, see 3.56)
Stop category 0 is only appropriate where the machinery has little inertia, or where mechanical friction is high enough that the stopping time is short. It may also be used in cases where the machinery has very high inertia, but only for normal stopping when coasting time is not a factor, not for safety stopping functions where the time to a no-motion state is critical.
There are a few other stopping modes that are often confused with STO:
- Safe Stop 1
- Safe Stop 2
- Safe Operating Stop
- Safe Standstill
Let’s explore the differences.
Safe Stop 1 (SS1)
If a defined stopping time is needed, a controlled stopping function will be required followed by entry into STO. This stopping function is called “Safe Stop 1” (SS1).
SS1 is directly related to Stop Category 1 [4, 9.2.2]. As described in [4], Stop Category 1 functions as follows:
stop category 1 — a controlled stop (see 3.11) with power available to the machine actuators to achieve the stop and then removal of power when the stop is achieved;
A “controlled stop” is defined in [4, 3.11]:
- controlled stop
- stopping of machine motion with electrical power to the machine actuator maintained during the stopping process
Once the controlled stop is completed, i.e., machine motion has stopped, the drive may then be placed into STO (or category 0 stop). The stopping process is shown in Fig. 2 [7].
The stopping process starts where the orange arrow and dotted line are shown. As compared to Fig. 1 where the deceleration curve is gentle and exponential, the active stopping period in Fig. 2 is a linear curve from operating speed to zero speed. At the blue dotted line, the drive enters and stays in STO. The yellow/black zebra striped area of the curve outlines the complete stopping function. This stopping method is typical of many types of machinery, particularly those with servo-driven mechanisms.
Safe Stop 2 (SS2)
In some cases, the risk assessment may show that removing power completely from a mechanism will increase the risk. An example might be a vertical axis where the motor drive is used to maintain the position of the tooling. Removing power from the drive with the tool raised would result in the tooling crashing to the bottom of the axis in an uncontrolled way. Not the desired way to achieve any type of stop!
There are various to prevent this kind of occurrence, but I’m going to limit the discussion here to the Safe Stop 2 function.
Let’s start with the definition [4, 3.11]:
- controlled stop
- stopping of machine motion with electrical power to the machine actuator maintained during the stopping process
Wait! The definition of a controlled stop is exactly the same as a stop category 1, so what is the difference? For that we need to look to [4, 9.2.2]:
stop category 2 — a controlled stop with power left available to the machine actuators.
Emergency Stop functions cannot use Stop Category 2 [4, 9.2.5.4.2]. If you have tooling where Stop Category 2 is the most appropriate stopping function under normal conditions, you will have to add an another means to prevent the axis from falling during the emergency stop. The additional means could be a spring-set brake that is held released by the emergency stop system and is applied when the e-stop system removes power from the tooling. There are many ways to achieve automatic load-holding besides brakes, but remember, whatever you choose it must be effective in power loss conditions.
As shown in Fig. 3, the operation of Safe Stop 2 differs from Safe Stop 1 in that, instead of entering into STO when motion stops, the system enters Safe Operating Stop (SOS) [8], not STO. SOS is a Stop Category 2 function. Full torque remains available from the motor to hold the tooling in position. Safe standstill is monitored by the drive or other means.
Depending on the ISO 13849–1 PLr, or the IEC 62061 SILr needed for the application, the drive may not have high enough reliability on its own. In this case, a second channel may be required to ensure that safe standstill monitoring is adequately reliable. This can be achieved by adding another means of standstill detection, like a second encoder, or a standstill monitoring device. An example circuit diagram showing this type of monitoring can be found in Fig. 4 [10, Fig. 8.37], showing a safety PLC and drive used to provide an “inching” or “jog” function.
Safe Operating Stop (SOS)
During a safe operating stop (SOS), the motor is brought to a specific position and held there by the drive. Full torque is available to keep the tooling in position. The stop is monitored safely by the drive. The function is shown in Figure 4 [9].
In Fig. 5, the y-axis, s, represents the position of the tooling, NOT the velocity, while the x-axis represents time, t. The start of the position holding function is shown by the orange arrow and dashed line. The period following the green dashed line is the SOS period.
SOS cannot be used for the emergency stop function. Under certain conditions it may be used when guard interlocks are opened, i.e., the guard door on a CNC lathe is opened so that the operator can place a new workpiece.
There a quite a few additional “safe” drive functions. For more on these functions and how to implement them, see [2] and application data from your favourite drive manufacturer. Reference is also provided in [9, Table 5.2].
Safe Standstill
Safe standstill is a condition where motion has stopped and is being monitored by a safety-rated device whose output signals are used to control the release of guard locking devices. Safe standstill is not the same as zero-speed because zero-speed can be achieved without the use of safety-rated control components and design, while safe standstill requires both suitable components and design.
There are various ways to achieve safe standstill. Here are three approaches [12]:
- Rotation sensors
Sensors including proximity sensors, resolvers, and encoders can be used to monitor the motion of the drive components. A safe standstill monitoring device is used to when standstill has occurred. When a machine has an unstable rest position, a proximity sensor should be used to ensure the machine is in a safe condition before the guard locking devices are released. - Back EMF monitoring
Back electromotive force or Back EMF is the voltage created in an electric motor due to the rotation of the armature in the magnetic field in the motor. This voltage opposes the applied voltage and is approximately proportional to the rotational speed of the motor. Back EMF remains after the supply voltage has been removed, allowing monitoring devices to indirectly measure motor speed and standstill. - Failsafe timer
Failsafe timers are time delay relays designed for use in safety functions. Failsafe timers can be used when the stopping performance of the machinery is consistent and known.
Following removal of power from the drive motor, the time delay starts. At the end of the time delay, the relay releases the guard locking devices.
Regular time delay relays cannot be used for this purpose, only fail-safe relays designed to be used in safety functions can be used, along with suitable safety systems design techniques like ISO 13849 or IEC 62061.
Conclusions
As you can see, there are significant differences between STO, SS1, SS2, SOS and Safe Standstill. While these functions may be used together to achieve a particular safety function, some are functions of the implementation of the motor drive, e.g., STO. Some are a function of the design of the motor drive itself, e.g., STO, SS1, SS2, and SOS, or the design of controls external to the motor drive, e.g., safe standstill. The similarities between these various functions can make it easy to confuse them. Care needs to be taken to ensure that the correct technical approach is used when realising the safety function required by the risk assessment.
References
[1] “Variable Frequency Drives — Industrial Wiki — odesie by Tech Transfer”, Myodesie.com, 2017. [Online]. Available: https://www.myodesie.com/wiki/index/returnEntry/id/3040. [Accessed: 19- Jun- 2017].
[2] “Safe Torque Off (STO) — Safety Integrated — Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/pages/safe-torque-off.aspx. [Accessed: 19- Jun- 2017].
[5] Safety of machinery — Prevention of unexpected start-up. EN Standard 1037+A1. 2008.
[6] Safety of machinery — Prevention of unexpected start-up. ISO Standard 14118. 2000.
[7] “Safe Stop 1 (SS1) — Safety Integrated — Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-stop1.aspx. [Accessed: 19- Jun- 2017].
[8] “Safe Stop 2 (SS2) — Safety Integrated — Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-stop2.aspx. [Accessed: 19- Jun- 2017].
[9] “Safe Operating Stop (SOS) — Safety Integrated — Siemens”, Industry.siemens.com, 2017. [Online]. Available: http://www.industry.siemens.com/topics/global/en/safety-integrated/machine-safety/product-portfolio/drive-technology/safety-functions/Pages/safe-operating-stop.aspx. [Accessed: 19- Jun- 2017].
[10] M. Hauke, M. Schaefer, R. Apfeld, T. Boemer, M. Huelke, T. Borowski, K. Büllesbach, M. Dorra, H. Foermer-Schaefer, W. Grigulewitsch, K. Heimann, B. Köhler, M. Krauß, W. Kühlem, O. Lohmaier, K. Meffert, J. Pilger, G. Reuß, U. Schuster, T. Seifen and H. Zilligen, “Functional safety of machine controls–Application of EN ISO 13849–Report 2/2008e”, BGIA – Institute for Occupational Safety and Health of the German Social Accident Insurance, Sankt Augustin, 2017.
[11] “Glossary”, Schmersalusa.com, 2017. [Online]. Available: http://www.schmersalusa.com/service/glossary/#c3616. [Accessed: 10- Jan-2018].
[12] Schmersal Tech Briefs: Safe Speed & Standstill Monitoring. Schmersal USA, 2017.
Acknowledgements
Special thanks go out to two of my regular readers for suggesting this post: Matt Ernst and controlsgirl, who comments frequently. Thanks for the ideas and the questions that sparked this post!
