STO (Safe Torque Off)
Safe Torque Off description for drive option Functional Safety 1.
STO is suited for SIL 2 according to IEC 62061 and PLd / Cat.3 according to ISO 13849-1. STO is a type A subsystem according to IEC 61508.
STO turns off the drive output stage that powers the motor. STO function corresponds to an uncontrolled stop according to IEC 60204-1, category 0.
Important Notes
|
The safety properties given in this documentation refers to the device AKD2G with functional safety option 1. The user has to determine the safety properties of the safety chain. |
Serious injury could result when a suspended load is not properly blocked. The drive cannot hold a vertical load when STO is active.
|
Activation
The digital STO inputs (channel A and B) must be connected to the output of a safety device, which at least meets the requirements of PLd, Cat. 3 according to ISO 13849. Technical data of the safe inputs (see "Technical Data").
If one of the STO inputs goes open-circuit or 0 V, then power supply to the motor stops within 3.5 ms. The motor will lose all torque and coast to a stop.
If the drive detects that the two STO inputs are in a different state for longer than 100 ms, then a simultaneity fault F9005 occurs (see "Fault Reaction / Failure Messages").
Review the enclosure and wiring instructions (see "Enclosure, wiring"). |
Wiring example STO single axis, SIL2/PLd, Emergency Stop
Note: AXIS#.SAFE.STO.REPORTFAULT should be set to 1 if STO is activated by a switch.
Wiring example STO dual axis, SIL2/PLd, Safety Control
Restart
Example for Axis 1.
AXIS1.SAFE.STO. |
AXIS1.SAFE.STO. |
|
---|---|---|
Example 1: |
Message W9000 Restart:
|
Restart:
|
Example 2: |
Messages W9000 and F9000 Restart:
|
Restart:
|
Example 3: |
Message F9005 Restart:
|
Message F9005 Restart:
|
Timing
Example for axis 1.
Timing |
max |
Remarks |
---|---|---|
t1 |
STO channel A enabled (0 V) |
|
t1 to t2 |
2 ms |
STO enable delay (response time) |
t2 |
STO active |
|
t3 |
STO channel B enabled (0 V) |
|
t1 to t3 |
100 ms |
accepted delay between dual channel edges |
t4 |
STO channel B disabled (+24 V) |
|
t5 |
STO channel A disabled (+24 V) |
|
t4 to t5 |
100 ms |
accepted delay between dual channel edges |
t5 to t6 |
2 ms |
STO release delay |
t6 |
STO release |
|
t6 to t7 |
Zero if AXIS#.SAFE.STO.REPORTFAULT=0 |
|
t7 |
Power section released. |
Safety Diagnostic view in WorkBench
The WorkBench view "Safety Diagnostic" shows the current status on the safe inputs (AXIS#.SAFE.STO.A / AXIS#.SAFE.STO.B) and the logical status of the STO function for every axis.
Fault Reaction / Failure Messages
With the dual-channel control of the STO (SIL2/PLd Cat.3) safety function, the switch-off paths STO-A-A# and STO-B-A# are switched separately by two outputs of a safety controller.
W9000 and F9000 are conditioned by the value of AXIS#.SAFE.STO.REPORTFAULT.
AXIS#.SAFE.STO.REPORTFAULT set to 1 (default)
STO-A-A# |
STO-B-A# |
ENABLE |
Drive |
Motor |
Safe State |
---|---|---|---|---|---|
0 V |
0 V |
0 V |
W9000 |
No |
Yes |
0 V |
0 V |
+24 V |
F9000 |
No |
Yes |
+24 V |
+24 V |
0 V |
- |
No |
No |
+24 V |
+24 V |
+24 V |
- |
Yes |
No |
+24 V |
0 V |
0 V |
F9005* |
No |
Yes |
+24 V |
0 V |
+24 V |
F9005* |
No |
Yes |
0 V |
+24 V |
0 V |
F9005* |
No |
Yes |
0 V |
+24 V |
+24 V |
F9005* |
No |
Yes |
* different status of STO-A/B for more than 100 ms
A#: A1 for axis 1 or A2 for axis 2.
AXIS#.SAFE.STO.REPORTFAULT set to 0
STO-A-A# |
STO-B-A# |
ENABLE |
Drive |
Motor |
Safe State |
---|---|---|---|---|---|
0 V |
0 V |
0 V |
W9000 |
No |
Yes |
0 V |
0 V |
+24 V |
W9000 |
No |
Yes |
+24 V |
+24 V |
0 V |
- |
No |
No |
+24 V |
+24 V |
+24 V |
- |
Yes |
No |
+24 V |
0 V |
0 V |
F9005* |
No |
Yes |
+24 V |
0 V |
+24 V |
F9005* |
No |
Yes |
0 V |
+24 V |
0 V |
F9005* |
No |
Yes |
0 V |
+24 V |
+24 V |
F9005* |
No |
Yes |
* different status of STO-A/B for more than 100 ms
A#: A1 for axis 1 or A2 for axis 2.