Safe Torque Off
Safe Torque Off will be referred to as “STO” throughout the remainder of this section.
Responsibilities
The overall system designer is responsible for defining the requirements of the overall “Safety Control System” within which the drive will be incorporated. The system designer is also responsible for ensuring that the complete system is risk assessed, that the “Safety Control System” requirements have been entirely met, and that the function is fully verified. This must include confirmation testing of the “STO” function before drive commissioning.
The system designer shall determine the possible risks and hazards within the system by carrying out a thorough risk and hazard analysis. The outcome of the analysis should provide an estimate of the possible hazards, determine the risk levels and identify any needs for risk reduction. The “STO” function should be evaluated to ensure it can sufficiently meet the risk level required.
What STO Provides
The purpose of the “STO” function is to provide a method of preventing the drive from creating torque in the motor in the absence of the “STO” input signals (STO1 & STO2). This allows the drive to be incorporated into a complete safety control system where “STO” requirements need to be fulfilled. [Note 1]
The “STO” function can typically eliminate the need for the electro-mechanical contactors with cross-checking auxiliary contacts that are normally required to provide safety functions. [Note 2]
The drive has the “STO” function built in as standard and complies with the definition of “Safe torque off” as defined by IEC 61800-5-2:2007.
The “STO” function also corresponds to an uncontrolled stop in accordance with category 0 (Emergency Off) of IEC 60204-1. This means that the motor will coast to a stop when the “STO” function is activated. This method of stopping should be confirmed as being acceptable to the system the motor is driving.
The “STO” function is recognised as a fail-safe method even in the case where the “STO” signal is absent and a single fault within the drive has occurred. The drive has been proven in this respect by meeting the following safety standards:
Function | Standard | Classification |
---|---|---|
Safe Torque Off (STO) | IEC 61800-5-2:2016 | SIL 3 |
 | EN ISO 13849-1:2015 | PL “e” |
 | EN 61508 (Part 1 to 7): 2010 | SIL 3 |
 | EN 60204-1: 2006 & A1: 2009 | Cat 0 |
 | EN 62061: 2005 & A2: 2015 | SIL CL 3 |
Independent Approval | TBC | |
Note: The values achieved above may be jeopardised if the drive is installed outside of the environmental limits detailed in section 18.1 “Environmental”.
What STO does not provide
Disconnect and ISOLATE the drive before attempting any work on it. The “STO” function does not prevent high voltages from being present at the drive power terminals.
Note 1: The “STO” function does not prevent the drive from an unexpected re-start. As soon as the “STO” inputs receive the relevant signal it is possible (subject to parameter settings) for the drive to restart automatically. For this reason, the function should not be used for carrying out short-term non-electrical machinery operations (such as cleaning or maintenance work).
Note 2: In some applications additional measures may be required to fulfil the system's safety function needs: the “STO” function does not provide motor braking. Where motor braking is required, a time delay safety relay and/or a mechanical brake arrangement or similar method should be adopted. Consideration should be given to the required safety function when braking, as the drive braking circuit alone cannot be relied upon as a fail-safe method.
When using gearless (permanent magnet) motors, in the unlikely event of multiple output power devices failing, the motor could effectively rotate the motor shaft by 180/p degrees (where p denotes the number of motor pole pairs).
“STO” Operation
When the “STO” inputs are energised, the “STO” function is in a standby state. If the drive is then given a “Start signal/command” (as per the start source method selected in P1-02), the drive will start and operate normally.
When the “STO” inputs are de-energised, the “STO” function is activated and stops the drive (the motor will coast). The drive is now in “Safe Torque Off” mode.
To get the drive out of “Safe Torque Off” mode, any “Fault messages” need to be reset and the drive “STO” input needs to be re-energised.
The STO inputs are positive logic inputs only and are therefore not affected by the setting of parameter P1-43 (Positive/negative logic select).
“STO” Status and Monitoring
There are several methods for monitoring the status of the “STO” input. These are detailed below:
Drive Display
In normal drive operation (mains AC power, UPS power or battery power), when the drive's “STO” input is de-energised (“STO” function activated) the drive will highlight this by displaying “InHibit”.
Note: If the drive is in a tripped condition then the relevant trip will be displayed and not “InHibit”.
Drive Status parameter
Parameter P0-04 can be viewed to see the STO input status as illustrated below:
Display value | 0 | 0 |
---|---|---|
Function | STO Channel 1 | STO Channel 2 |
1 = Input Active
0 = Input Inactive
Drive Output Relay and Digital Outputs
Relay 1 or the digital outputs can be used to monitor the status of the STO inputs by setting the function to 8.
For Relay 1 set P1-30 to 8.
For Digital Output 1 (DA1) set P1-15 to 8 and P1-14 to 0
For Digital Output 2 (DA2) set P1-22 to 8 and P1-21 to 0
For Digital Output 3 (DO3) set P1-28 to 8.
“STO” Fault Codes
Fault Code | Code Number | Description | Corrective Action |
---|---|---|---|
Sto-F | 29 | A fault has been detected within either of the internal channels of the “STO” circuit. | Refer to your Invertek Sales Partner |
Sto-L | 101 | STO1/STO2 signals removed whilst drive running | - |
“STO” Function response time
The total response time is the time from a safety-related event occurring to the components within the system (sum of) responding and the system becoming safe (Stop Category 0 in accordance with IEC 60204-1).
The response time from the “STO” inputs being de-energised to the output of the drive being in a state that will not produce torque in the motor (“STO” active) is less than 20ms.
The response time from the “STO” inputs being de-energised to the “STO” monitoring status changing state is less than 20ms.
The response time from the drive sensing a fault in the STO circuit to the drive displaying the fault on the display/Digital output showing drive not healthy is less than 20ms.
“STO” Electrical Installation
The “STO” wiring shall be protected from inadvertent short circuits or tampering which could lead to failure of the “STO” input signal. Further guidance is given in the diagrams below.
In addition to the wiring guidelines for the “STO” circuit below, section 9.6 “EMC compliant installation” should also be followed.
The drive should be wired as illustrated below. The 24Vdc signal source applied to the “STO 1” and “STO 2” inputs can be either from the 24Vdc on the drive or from an external 24Vdc power supply (as per the diagram below).
Recommended “STO” wiring
[Wiring diagram: using external 24Vdc power supply]
[Wiring diagram: using drive on-board 24Vdc power supply]
Note: The Maximum cable length from Voltage source to the drive terminals should not exceed 25 metres.
External Power supply Specification.
Voltage Rating (Nominal) | 24Vdc |
---|---|
STO Logic High | 18-30Vdc (Safe torque off in standby) |
Current Consumption (Maximum) | 100mA |
Safety Relay Specification.
The safety relay should be chosen so that, at minimum, it meets the safety standards that the drive meets.
Standard Requirements | SIL3 or PLe or better (With Forcibly guided Contacts) |
---|---|
Number of Output Contacts | 2 independent |
Switching Voltage Rating | 30Vdc |
Switching Current | 100mA |
Enabling the “STO” Function
The “STO” function is always enabled in the drive regardless of operating mode or parameter changes made by the user.
Testing the “STO” Function
Before commissioning the system, the “STO” function should always be tested for correct operation. This should include the following tests:
With the motor at standstill, and a stop command given to the drive (as per the primary command source selected in P1-01):
De-energise the “STO” inputs (the drive will display “InHibit”).
Give a start command (as per the primary command source selected in P1-01) and check that the drive still displays “InHibit” and that the operation is in line with section 16.1.5 “STO” Status and Monitoring.
With the motor running normally (from the drive):
De-energise the “STO” inputs.
Check that the drive displays “InHibit”, that the motor stops, and that the operation is in line with section 16.1.4 “STO” Operation and section 16.1.5 “STO” Status and Monitoring.
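The two commissioning tests above, together with the 20ms limits from the response time section, can be checked against a trace recorded during the test. The Python below is an added example, not part of the original manual or the manufacturer's software; the trace format (`t_ms signal value`) and the signal names `sto_inputs`, `output_enabled`, `sto_monitor`, `display` and `cmd` are assumptions standing in for whatever a data logger on the test bench records.

```python
# Added example, not vendor code; trace format and signal names are assumptions.
LIMIT_MS = 20.0  # the page gives "less than 20ms" for both response times

def parse(trace):
    """Return time-ordered (t_ms, signal, value) tuples from 't_ms signal value' lines."""
    rows = (line.split() for line in trace.strip().splitlines())
    return sorted(((float(t), s, v) for t, s, v in rows), key=lambda e: e[0])

def check_sto_trace(trace, limit_ms=LIMIT_MS):
    """Return a list of findings; an empty list means the trace passes."""
    findings, t0, sto_low, out_on = [], None, False, False
    need_off, off_at, mon_at, display = False, None, None, None
    for t, sig, val in parse(trace):
        if sig == "sto_inputs":
            sto_low = val == "0"
            if sto_low and t0 is None:
                t0, need_off = t, out_on  # first de-energise starts the clock
        elif sig == "output_enabled":
            out_on = val == "1"
            if out_on and sto_low:
                findings.append(f"output enabled at {t:g} ms with STO inputs de-energised")
            elif sto_low and off_at is None:
                off_at = t
        elif sig == "sto_monitor" and sto_low and mon_at is None:
            mon_at = t  # first change of the monitoring output
        elif sig == "display" and sto_low:
            display = val  # last display text while STO is active
    if t0 is None:
        return ["STO inputs never de-energised; the function was not tested"]
    for name, at, req in (("sto_monitor", mon_at, True), ("output_enabled", off_at, need_off)):
        if req and at is None:
            findings.append(f"{name} never reacted")
        elif req and at - t0 >= limit_ms:
            findings.append(f"{name} reacted after {at - t0:g} ms, limit is <{limit_ms:g} ms")
    if display != "InHibit":
        findings.append(f"display shows {display!r}, expected 'InHibit'")
    return findings

# Constructed traces: standstill test with a start command, then a slow running test.
STANDSTILL = """0 output_enabled 0
100 sto_inputs 0
104 sto_monitor 0
110 display InHibit
500 cmd start
600 display InHibit"""
RUNNING_SLOW = """0 output_enabled 1
500 sto_inputs 0
512.5 sto_monitor 0
527 output_enabled 0
530 display InHibit"""
```

A reaction at exactly 20 ms is reported as a finding, because the limit stated on this page is less than 20ms.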
“STO” Function Maintenance.
Periodic testing of the entire safety circuit within which the drive STO is integrated is a mandatory requirement. The testing should be repeated every three months or less to ensure the integrity level of the safety circuit is maintained. Furthermore, the function should be integrity tested following any safety system modifications or maintenance work.
If drive fault messages are observed, refer to section 22.1 “Fault messages” for further guidance.