Safe Torque Off (STO)

The Safe Torque Off (STO) is a functional safety system that prevents motor torque in an emergency event while Denali NET remains connected to the power supply. When STO is activated, the power stage is disabled by hardware and the drive power transistors are disconnected, no matter what control or firmware does. The motor shaft will slow down until it stops under inertia and frictional forces. Although not common, in the event of a failure of the power stage during an STO situation, the maximum expected motor movement with torque can be up to 180º electrical degrees. The system must be designed to avoid any hazard in this situation.

If the STO inputs are not energized, the transistors of the power stage are turned off and an STO fault is notified. In order to activate the power stage, and therefore allow the motor operation, the two STO inputs must be energized (high level, typically 5V). STO inputs should not be confused with a digital input configured as enable input, because enable input is firmware controlled and does not guarantee intrinsic safety as it can be reconfigured by a user.

In order to ensure redundancy and safety, the Denali NET includes 2 separate STO inputs that must be activated or deactivated simultaneously (maximum 1.4 s mismatch). A difference of state between \STOA and \STOB inputs will be interpreted as an abnormal situation after 1.4 s the drive will be latched in a fault state. A power supply reset is necessary to remove this STO abnormal error.

Since Denali NET is a pluggable module intended for being integrated on an electronic interface board, it requires some external electronic components to fulfill the safety requirements:

External overvoltage protection (or equivalent) is required to limit STO input voltage.
Input current limiter to avoid system destruction in case of internal fault. The current limit can be implemented with a resistor in series.
Input low-state must be guaranteed by means of a pull-down resistor or equivalent (active output). Otherwise, safety function fault tolerance and reaction times, won't be fulfilled.

Safety Function Specifications

Safety Function Specification	Value
Standards compliance	Targeted standards (certification pending): EN 61800-5-2:2017 EN 61508:2010 EN ISO 13849-1:2015
Safety function	Safe Torque Off (STO)
Safety relevant parameters according to IEC 61508:2010 (certification pending)	Safety integrity level	SIL3
	PFH	< 10^-7 1/h
	SFF	> 99 % (High)
Safety relevant parameters according to EN ISO 13849-1:2015 (certification pending)	PL	e
	Category	3
	DC	99% High
	MTTFd	≥ 100 years (High)
Safety Function Reaction Time	t < 5.1 ms The Safety Function Reaction time is measured as the time since one of the STO inputs (STOA or STOB) goes below 0.8 V and the STO function actuates (power transistors deactivated).
Fault Reaction Time	t < 5.2 ms The worst-case fault reaction time is on the event of an Abnormal STO.
High-demand mode	The EUC (Equipment Under Control) is considered as a high-demand or continuous demand mode system.
Mission Time	The mission time of the EUC is of 20 years.
Diagnostic Time Interval	In order to guarantee the correct operation of the safety functions, the user has to check the STO function regularly, performing an STO External Diagnostic Test (see further information below). The diagnostic test interval is defined as a minimum of 1 activation per 3 months.

Integration Requirements

Integration Requirement	Value
STO Interface electrical characteristics	Input pins	\STOA and \STOB
	Number of independent channels	2
	Type of Inputs	Digital inputs with ESD protection. Maximum nominal Voltage 7V. Maximum voltage in case of an external overvoltage fault 26.4 V.
	Mandatory External Requirements	Input current limit (in case of internal short-circuit) = 50 mA Resistive pull-down of maximum 7.5 kΩ or equivalent (active output with 660 µA min current sink capability). Overvoltage protection on \STO signals, limiting to 26.4V in case of external fault.
	Maximum input LOW level (VIL)	0.8 V (below this value the STO is ACTIVE, no torque can be applied to the motor)
	Minimum Input HIGH level (VIH)	2.8 V (above this value the STO input is inactive, torque can be applied to the motor)
	Maximum absolute ratings	7 V max nominal voltage; 26.4 V maximum failure voltage
	Input current (externally limited)	50 mA
	ESD capability	IEC 61000-4-2 (ESD) ± 15 kV (air), ± 8 kV (contact)
STO Interface timing characteristics	STO activation time (Safety function Reaction Time)	t < 5.1 ms
	STO deactivation time	t < 2 ms
	Minimum, non-detected STO short pulse	t < 400 µs The Safety controller can transmit short pulses to STOx inputs for diagnostics purposes. These pulses will be ignored by the safety circuit and will not stop the power stage but can be read from firmware for system diagnostics, see: Drive protections Register 0x51A.
	Abnormal STO diagnostic time	≤ 5.2 ms (Activation STO)
	Abnormal STO latching time	1.4 s ~ 3.4 s (Latching state, permanent activation of STO until power reset)
	Power supply diagnostic time	3.3 V over-voltage 200 ns
Logic Supply Voltage Range	5 V ± 2% (range from 4.9 V to 5.1 V; maximum failure voltage 26.4 V). During the overvoltage fault system becomes unoperational, but safety function is maintained.
Power Supply Voltage Range ¹	48 V SELV (range from 8 V to 60 V; maximum failure voltage 60 V)
Motor Type	STO safety function is only considered when the drive is controlling three-phase permanent magnet synchronous rotating motors. STO does not apply to DC brush motors.
Uncontrolled Motor Movement	Uncontrolled Motor Movement In the event of a failure in the power stage, the motor shaft may rotate up to 180º electrical degrees. It is responsibility of the customer to prevent any hazards related to this unexpected motor movement.
Environmental Conditions for STO	Pollution degree	Pollution degree 2 with an IP54 enclosure installation.
	Over-voltage category	II
	Altitude	< 2000 m above sea level.
Temperature range for STO ²	Operating Temperature	-20 ºC to 85 ºC
Temperature range for STO ²	Storage Temperature	-40 ºC to 100 ºC
Diagnostics	Internal power supply voltage monitors. Differences between STOA and STOB cause abnormal fault. After 1.4 s a hardware latching condition disables the drive until power cycling. Status of STOA, STOB, STO_REPORT, ABNORMAL_FAULT, and SUPPLY_FAULT can be read from the communications. STO firmware notification A STO stop is notified to the motion controller and creates a fault that can be read externally from any communication interface, however, STO operation is totally independent and decoupled from control or firmware.
EMC	The interface board must meet the following EMC standards: IEC 61800-3:2017 IEC 61000-6-2:2016 To fulfill the EMC requirements the use of the following elements is required: Input EMI filter. Recommended: Cosel NBC-10-472 or equivalent. Motor phases ferrite cable core. Recommended : 28B0773-050 or equivalent. Properly grounded aluminum enclosure. See grounding recommendations for further information.
Environmental	The interface board must meet the following environmental standards: IEC 60068-2-1:2007 IEC 60068-2-2:2007 IEC 60068-2-38:2009 IEC 60068-2-78:2012 IEC 60068-2-6:2007 IEC 60068-2-27:2008

1: Although the drive can operate in a wider range of voltages as can be seen in Product Description, the system cannot be considered safe outside this range.

2: The drive can operate outside this temperature range as indicated in the Product Description, however, the system cannot be considered safe as the system reliability and safety margins would not meet the standards.

STO External Diagnostic Test

The operation of the STO diagnostic circuits must be verified at least once per 3 months. The following procedure details a method to verify the correct operation of the STO diagnostic circuits. Note that it is responsibility of the customer to prevent any hazards related to motor movement during this proof test.

The procedure requires the Denali NET to be connected to a brushless motor.

Procedure Step	Action
1	Power on the Denali NET with STOA = low, STOB = low.
2	Try to perform a "Motor Enable" (using Motionlab 3 or network commands).
3	Verify that the power stage is not enabled by software (a fault should appear) or by hardware (checking the Motor phases voltage with a multimeter).
4	Provide STOA = high, STOB = low. Remain in this state more than 3.4 seconds.
5	Try to perform a "Motor Enable" (using Motionlab 3 or network commands).
6	Verify that the power stage is not enabled by software (a fault should appear) or by hardware (checking the Motor phases voltage with a multimeter).
7	Provide STOA = high, STOB = high.
9	Try to perform a "Motor Enable" (using Motionlab 3 or network commands).
10	Verify that the power stage is not enabled by software (a fault should appear) or by hardware (checking the Motor phases voltage with a multimeter).
11	Shut-down Denali NET supply and remain in this state for more than 10 seconds.
12	Power on the Denali NET with STOA= low, STOB = high. Remain in this state more than 3.4 seconds.
13	Try to perform a "Motor Enable" (using Motionlab 3 or network commands).
14	Verify that the power stage is not enabled by software (a fault should appear) or by hardware (checking the Motor phases voltage with a multimeter).
15	Provide STOA = high, STOB = high.
17	Try to perform a "Motor Enable" (using Motionlab 3 or network commands).
18	Verify that the power stage is not enabled by software (a fault should appear) or by hardware (checking the Motor phases voltage with a multimeter).
19	Shut-down Denali NET supply and remain in this state for more than 10 seconds.
20	Power on the Denali NET with STOA= high, STOB = high.
21	Try to perform a "Motor Enable" (using Motionlab 3 or network commands).
22	Verify that the power stage can be enabled, allowing motor rotation. Do it by software (system should enter in motor enable state) or by hardware (checking the Motor phases voltage with a multimeter).

STO Operation States

The truth table of the STO inputs is shown next indicating the different states of the system:

Mode	State	STOA status / level		STOB status / level		Power stage status	STO report bit status	STO abnormal fault	State description
Normal operation	STO Enabled (No torque to the motor)	0	< 0.8 V	0	< 0.8 V	OFF	0	0	The system logic is powered, but the STO function is activated. Therefore, no torque can be applied to the motor. STO trip is reported to the MCU and to the safety circuitry. This is intended safe torque off with dual-channel operation.
Normal operation	Torque enabled (STO inactive)	1	> 2.8 V	1	> 2.8 V	Can be enabled	1	0	The STO function is deactivated, and torque can be provided to the motor. The motor can run under firmware control. This is the normal operation state.
Abnormal operation	Abnormal STO	0	< 0.8 V	1	> 2.8 V	OFF	0	1	If any issue is detected on the dual-channel STO function (their state is different for a long period of time), an abnormal fault is active can be reported. This state avoids the application of torque to the motor. If this persists for > 1.4 s ~ 3.4 s the STO will lock in FAULT state. To reset this fault a power cycle is needed.
	Abnormal STO	1	> 2.8 V	0	< 0.8 V	OFF	0	1
	Abnormal STO Latched	x	-	x	-	OFF	NOR (STOA, STOB)	1	After >1.4 s ~ 3.4 s of abnormal STO active, the driver will stay in this state until the power supply cycle.
	Abnormal Supply	x	x	x	x	OFF	x	x	If a voltage out of the limits is detected on the internal logic voltages, the system is conducted to a safe state, similar to power-off. Only if the safe logic voltages are recovered (usually after reparation or restart), the system can return to any other state.

STO Inputs External Requirements

The following diagram summarizes the external requirements for the STO inputs.

Typical Interface Circuit

The following diagram shows a suggested circuit interface for the STO inputs.

STOA and STOB signals should always change at the same time with a maximum of 1.4 s mismatch. This is necessary to have 2 channel redundancy and allow diagnostics, as a mismatch will cause an abnormal fault.