Safe Torque Off, or STO, is a drive-based safety function that stops the drive from providing power to the motor, without interrupting power to the drive. Activating the STO function produces an uncontrolled stop, meaning the motor coasts to a stop based on the system’s inertia and friction. The STO function also prevents an unexpected start of the motor – useful during maintenance or troubleshooting activities – by preventing the drive from sending power to the motor.
There are two standards that govern machine safety: EN/IEC 62061 and EN/ISO 13849-1. The EN/IEC 62061 standard uses the Safety Integrity Level (SIL) rating system, with a numeric score from 1 to 4, to indicate the Probability of Dangerous Failure per Hour (PFHD) and the Risk Reduction Factor (RRF). Under EN/IEC 62061, SIL3 is the highest rating that applies to machine systems.
The EN/ISO 13849-1 standard uses the Performance Level (PL) rating system, with an alphabetic score from a to e, to indicate the level of functional safety. PL ratings take into account the system’s architecture, its Mean Time to Dangerous Failure (MTTFd), Diagnostic Coverage (DC), and Common Cause Failures (CCF).
For a more in-depth explanation of functional safety standards EN/IEC 62061 and EN/ISO 13849-1, see this article.
The safe torque off function is implemented via hardware and overrides all software functions or activities. In order to meet SIL3/PLe conformity, the STO function must be controlled by two STO inputs (typically denoted STOA and STOB, or STO1 and STO2) on different channels. A fault in one channel must not affect the other channel’s ability to prevent the drive from sending power to the motor. The status of the two STO inputs, and the resulting behavior from the drive, is commonly shown in a “truth table,” such as the one below.
In short, if both STO inputs are powered, the STO function is on standby and the drive will operate normally. If one or both of the STO inputs loses power, the STO function is activated and no power is delivered to the motor. In order to enable the drive again, the fault must be cleared and both STO inputs must be powered.
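The input logic and re-enable condition described above, written as a small behavioral model that can be replayed over recorded input samples. This is an added example, not code from any drive or vendor: the actual STO function is implemented in hardware, and the explicit `clear` signal, the state names and the sample trace are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class StoModel:
    """Behavioral model of a dual-channel STO function (not drive firmware)."""
    latched: bool = False   # STO has tripped and has not been cleared yet
    cause: str = ""         # channel(s) that were unpowered at the last trip

    def step(self, sto_a: bool, sto_b: bool, clear: bool = False) -> str:
        """Apply one sample of the two inputs and return the drive state."""
        if not (sto_a and sto_b):
            # One or both channels lost power: STO activates no matter what
            # software requests, and the trip is remembered.
            lost = [n for n, v in (("STOA", sto_a), ("STOB", sto_b)) if not v]
            self.latched, self.cause = True, "+".join(lost)
            return "STO_ACTIVE"
        if self.latched and not clear:
            # Both inputs are powered again, but the fault was never cleared.
            return "STO_ACTIVE"
        self.latched, self.cause = False, ""
        return "STANDBY"    # STO on standby, drive operates normally


def truth_table():
    """Drive state for each input combination, starting from a cleared model."""
    return {(a, b): StoModel().step(a, b)
            for a in (True, False) for b in (True, False)}


def replay(trace):
    """Run a list of (sto_a, sto_b, clear) samples through one model."""
    model = StoModel()
    return [model.step(a, b, clear) for a, b, clear in trace]


# Constructed sample trace (assumed input recording, not real drive data).
SAMPLE_TRACE = [
    (True, True, False),    # normal operation
    (True, False, False),   # channel B loses power
    (True, True, False),    # power restored, fault not cleared
    (False, False, True),   # clear attempted while inputs are unpowered
    (True, True, True),     # clear with both inputs powered
    (True, True, False),    # drive keeps running
]

if __name__ == "__main__":
    print(truth_table(), replay(SAMPLE_TRACE))
```

The third and fourth samples show the two ways a re-enable attempt is rejected: power restored without a clear, and a clear issued while an input is still unpowered.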