TIDUDS9B December 2017 – November 2022
Motor drives are used in a wide range of applications, such as computer numerical control (CNC), robotics, grinders, process control, and so forth. These applications often require drive-based safety functions to reduce the risk from unexpected and hazardous movement. The integrated safety functions within a drive can replace the time-consuming and expensive installation of external safety components like mains contactors or motor contacts. In addition, electronic switching times are significantly shorter than those of electromechanical devices, such as contactors or relays. The integrated safety functions reduce the risk of personal injury in hazard areas and reduce installation requirements.
The safe torque off (STO) function is one such functional safety provision. The STO can be requested or triggered in case of a system fault. IEC 61800-5-2 defines STO as a function that prevents torque-producing power from supplying the motor. This safety sub-function corresponds to an uncontrolled stop according to stop category 0 of IEC 60204-1. The STO safety function is also useful where power removal is required to prevent an unexpected start-up.
This STO reference design implements a dual-channel architecture (1oo2) with a hardware fault tolerance of 1 (HFT = 1) according to IEC|EN 61800-5-2. As long as a logic 1 (+24-V DC) is present at both STO inputs, the motor is operational. If there is a logic 0 (0-V DC) at one or both of the STO inputs, the corresponding power supplies to the primary and the secondary side of the six isolated IGBT gate drivers are cut by load switches. Removing the supply voltage from the gate driver IC disables the insulated-gate bipolar transistors (IGBTs) and thus the torque-producing energy.
This reference design deals with the circuit-level implementation of the two isolated STO signals to turn off the VCC1 and VCC2 supply of the isolated gate drivers with CMOS input. Monitoring has been provided at various points for diagnostics and fault detection. A microcontroller (SIL 1 MCU) is assumed to run the diagnostics of the STO hardware by monitoring the STO input signals as well as the diagnostic feedback signals. The MCU and the related diagnostics software are not part of this reference design. The drive state is fed back through the STO_FB signal.
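The 1oo2 voting rule described above, together with the kind of plausibility checks the diagnostics MCU would run over the STO inputs and the STO_FB feedback, modelled as an added example. This is not code from the reference design or from TI: the STO_FB polarity (1 = torque-producing power removed), the 10 ms polling period, the discrepancy and feedback settling limits, and the fault names are all assumptions chosen for illustration, and the signal traces are constructed.

```python
"""Model of the 1oo2 STO voting logic and MCU-side STO diagnostics.

Constructed example. The STO_FB polarity, the timing limits and the fault
names are assumptions for illustration, not values from the reference design.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    """One poll of the three signals by the diagnostics MCU (constructed)."""
    t_ms: int     # poll time in ms; a 10 ms polling period is assumed
    sto1: int     # STO channel 1: 1 = +24 V DC present, 0 = 0 V DC
    sto2: int     # STO channel 2, same encoding
    sto_fb: int   # STO_FB, assumed: 1 = gate-driver supplies cut (torque off), 0 = drive enabled


def torque_permitted(sto1: int, sto2: int) -> bool:
    """1oo2 voting: torque-producing power is allowed only while both channels read logic 1.
    A logic 0 on either channel alone is enough to remove it (HFT = 1)."""
    return sto1 == 1 and sto2 == 1


def run_diagnostics(samples: List[Sample],
                    discrepancy_ms: int = 100,
                    fb_settle_ms: int = 30) -> List[Tuple[int, str]]:
    """Replay polled samples and return (time_ms, fault) events.

    CHANNEL_DISCREPANCY: the two channels disagree for at least discrepancy_ms.
        A deliberate STO request pulls both channels low together, so a sustained
        mismatch points to a stuck input, broken wire or failed load switch on one channel.
    FEEDBACK_MISMATCH: STO_FB does not show the state the inputs demand once
        fb_settle_ms has elapsed since the inputs last changed.
    Each fault is reported once per occurrence.
    """
    faults: List[Tuple[int, str]] = []
    mismatch_since: Optional[int] = None   # time the channels first disagreed
    inputs_changed_at = samples[0].t_ms if samples else 0
    prev_inputs = None
    discrepancy_reported = False
    fb_reported = False

    for s in samples:
        inputs = (s.sto1, s.sto2)
        if inputs != prev_inputs:            # restart the feedback settling window
            inputs_changed_at = s.t_ms
            prev_inputs = inputs
            fb_reported = False

        # Check 1: the two channels must agree (after a short tolerance window)
        if s.sto1 != s.sto2:
            if mismatch_since is None:
                mismatch_since = s.t_ms
            if not discrepancy_reported and s.t_ms - mismatch_since >= discrepancy_ms:
                faults.append((s.t_ms, "CHANNEL_DISCREPANCY"))
                discrepancy_reported = True
        else:
            mismatch_since = None
            discrepancy_reported = False

        # Check 2: STO_FB must reflect the voted state once the hardware has settled
        expected_fb = 0 if torque_permitted(s.sto1, s.sto2) else 1
        if s.t_ms - inputs_changed_at >= fb_settle_ms and s.sto_fb != expected_fb:
            if not fb_reported:
                faults.append((s.t_ms, "FEEDBACK_MISMATCH"))
                fb_reported = True
    return faults


# Constructed traces, 10 ms polling, 0..190 ms.
def scenario_normal_stop() -> List[Sample]:
    """Both channels go low at 50 ms; STO_FB reports torque off 20 ms later."""
    return [Sample(t, int(t < 50), int(t < 50), int(t >= 70)) for t in range(0, 200, 10)]


def scenario_stuck_channel() -> List[Sample]:
    """Channel 1 goes low at 50 ms, channel 2 stays high (stuck); feedback still follows."""
    return [Sample(t, int(t < 50), 1, int(t >= 70)) for t in range(0, 200, 10)]


def scenario_feedback_fault() -> List[Sample]:
    """Both channels go low at 50 ms but STO_FB never reports torque off."""
    return [Sample(t, int(t < 50), int(t < 50), 0) for t in range(0, 200, 10)]


if __name__ == "__main__":
    for name, trace in (("normal stop", scenario_normal_stop()),
                        ("stuck channel", scenario_stuck_channel()),
                        ("feedback fault", scenario_feedback_fault())):
        print(f"{name}: {run_diagnostics(trace)}")
```

The discrepancy window exists because the two channels are switched by separate wiring and separate load switches, so a few milliseconds of skew on a genuine STO request is normal; only a mismatch that outlasts the window is treated as a fault. The feedback check exercises the STO_FB path in both directions, so a feedback line stuck in either state is caught the next time the inputs change.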
This design guide validates the functionality of the design specifications through data extracted from various test results.
This STO reference design hardware architecture (1oo2) was assessed by TUEV SUED to be generally suitable for SIL 3 and PL e | Cat. 3. A TUEV report(6), a qualitative system FMEA, and a system description(7) are available to further help designers implement the STO subsystem.