Safe Torque Off (STO): IEC 61800-5-2 Compliance and Integration

Introduction

A packaging machine operator opens a safety guard to clear a jam. The servo motor should immediately stop producing torque—but what if a software fault prevents the stop command from executing? This is why hardware-based safety functions like Safe Torque Off (STO) exist. STO is not just a feature; it’s a functional safety requirement mandated by international standards for machinery that poses injury risk.

This post is for safety engineers, automation engineers, and controls integrators implementing STO in motor drive systems for industrial machinery. We’ll cover IEC 61800-5-2 compliance, SIL (Safety Integrity Level) and PLr (Performance Level required) ratings, dual-channel monitoring architecture, and integration with safety PLCs.

By the end, you’ll understand how to specify, wire, and validate STO circuits for compliance with machinery safety standards.

Theory

What is Safe Torque Off (STO)?

Safe Torque Off (STO) is a safety function defined in IEC 61800-5-2 that prevents a drive from supplying energy capable of generating torque. It achieves this by:

• Disabling the power stage (IGBTs or MOSFETs)
• Blocking gate drive signals
• Removing DC bus power (in some architectures)

STO does not provide braking—it simply removes torque. The motor coasts to a stop under inertia and friction.

STO vs. Other Safety Functions

Function	Description	Typical Use
STO (Safe Torque Off)	Removes torque immediately	Emergency stop, guard interlocks
SS1 (Safe Stop 1)	Controlled deceleration, then STO	Graceful shutdown
SS2 (Safe Stop 2)	Monitors standstill, can restart	Temporary stop with restart
SBC (Safe Brake Control)	Monitors external brake	Vertical axis holding

STO is the most fundamental and is required for nearly all safety-rated drives.

IEC 61800-5-2 Requirements

Key requirements for STO (per IEC 61800-5-2):

1. Dual-channel architecture: Two independent signal paths
2. Fault detection: Each channel monitors the other for discrepancies
3. Safety integrity level (SIL): Typically SIL 2 or SIL 3
4. Diagnostic coverage (DC): Percentage of dangerous faults detected
5. Proof test interval (PTI): Regular testing frequency

Performance Level (PLr) and SIL

Machinery safety uses two parallel standards:

• ISO 13849-1: Defines Performance Level (PL) from PL a to PL e
• IEC 61508: Defines Safety Integrity Level (SIL) from SIL 1 to SIL 4

Typical correspondence:

• PL d ≈ SIL 2: Most common for industrial machinery
• PL e ≈ SIL 3: High-risk applications (presses, robots)

Math

Probability of Dangerous Failure per Hour (PFHd)

SIL rating is determined by the average probability of dangerous failure per hour:

$$PF_{H_d} = \frac{\lambda_d}{2} \times T_1$$

where:

• $\lambda_d$ = dangerous failure rate (failures per hour)
• $T_1$ = proof test interval (hours)

SIL 2 requirement: $PF_{H_d} < 10^{-6} \text{ per hour}$

SIL 3 requirement: $PF_{H_d} < 10^{-7} \text{ per hour}$

Mean Time to Dangerous Failure (MTTFd)

For a single channel:

$$MTTF_d = \frac{1}{\lambda_d}$$

For dual-channel architecture with common cause failure rate $\beta$:

$$MTTF_{d, sys} = \frac{MTTF_{d1} \times MTTF_{d2}}{2(1 - \beta)(\lambda_{d1} + \lambda_{d2})}$$

Example: Two channels, each with $MTTF_d = 100$ years, $\beta = 5\%$ (good design):

$$MTTF_{d, sys} = \frac{100 \times 100}{2(1 - 0.05)(100 + 100)} = \frac{10000}{380} \approx 263 \text{ years}$$

This high MTTFd contributes to achieving SIL 2 or SIL 3.

Diagnostic Coverage (DC)

Diagnostic coverage quantifies fault detection effectiveness:

$$DC = \frac{\lambda_{dd}}{\lambda_{d}}$$

where:

• $\lambda_{dd}$ = detected dangerous failures
• $\lambda_d$ = total dangerous failures

Requirements:

• SIL 2: DC ≥ 60% (“medium” per IEC 61508)
• SIL 3: DC ≥ 90% (“high”)

Flow Diagrams

graph LR
    A[Safety PLC / Relay] --> B[STO Channel 1]
    A --> C[STO Channel 2]
    B --> D{Drive Logic}
    C --> D
    D --> E{Fault Check}
    E -->|Both Active?| F[Enable Gate Drives]
    E -->|Mismatch?| G[Safety Fault - Disable Outputs]
    F --> H[IGBT Power Stage]
    H --> I[Motor]
    G --> J[Fault LED / Alarm]
    
    style A fill:#ffe1e1
    style D fill:#e1f5ff
    style G fill:#ffe1e1
    style I fill:#e1ffe1

This diagram shows dual-channel STO architecture with cross-monitoring. If Channel 1 and Channel 2 signals don’t match, the drive enters a safe state.

Real Scenario Use

Integrating STO with a Safety PLC for a CNC Machine

System Components:

• Motor drive: Siemens SINAMICS S120 (STO SIL 3 certified)
• Safety PLC: Pilz PNOZ m1p (PL e)
• E-stop button: Dual-channel, monitored
• Safety door interlock: Schmersal AZM 300 (PL e)

Step 1: Wiring STO Inputs

The SINAMICS S120 has two STO inputs (STO A and STO B):

• STO A: Connected to Safety PLC Output 1
• STO B: Connected to Safety PLC Output 2

Both inputs must be 24V to enable the drive. If either drops to 0V, STO activates.

Step 2: Safety PLC Logic

Configure safety PLC program:

IF (E-stop_OK AND Safety_Door_Closed) THEN
    STO_Output_1 := TRUE
    STO_Output_2 := TRUE
ELSE
    STO_Output_1 := FALSE
    STO_Output_2 := FALSE
END_IF

Step 3: Drive Configuration

In SINAMICS STARTER software:

1. Enable safety functions (parameter p10010 = 1)
2. Set STO inputs to dual-channel mode (parameter p10001 = 1)
3. Set discrepancy time: 500 ms (p10004 = 500)
   • If channels disagree for >500ms → safety fault
4. Enable diagnostic messages (p10050 = 1)

Step 4: Validation Testing

Per ISO 13849-1, perform the following tests:

1. E-stop test: Press E-stop → Measure time to torque removal (< 50ms)
2. Single-channel test: Force one STO input low while other is high → Drive should fault within 500ms
3. Door interlock test: Open safety door → STO activates → Motor coasts to stop
4. Restart test: Close door, reset E-stop → STO releases → Motor can be re-enabled

Step 5: Documentation

Create a safety validation report including:

• P&ID with STO wiring diagram
• SIL/PL calculation worksheet
• Test results (date, pass/fail, signature)
• Maintenance schedule (annual proof test)

Common Pitfall: Using a single-channel relay to activate both STO inputs. This defeats dual-channel redundancy. Always use a safety-rated output module with cross-monitoring.

Related Reading

• VFD Commissioning: A Practical Checklist for Induction Motors — Covers drive parameter setup (including safety params)
• Encoder Noise Diagnosis: Grounding and Shielding Best Practices — Safety grounding is related to EMI grounding but functionally separate
• Coming soon: “Safe Limited Speed (SLS): Implementing Speed Monitoring per IEC 61800-5-2”

References

1. IEC 61800-5-2:2016 — Adjustable speed electrical power drive systems - Part 5-2: Safety requirements - Functional safety
2. IEC 61508:2010 — Functional safety of electrical/electronic/programmable electronic safety-related systems (Parts 1-7)
3. ISO 13849-1:2015 — Safety of machinery - Safety-related parts of control systems - Part 1: General principles for design
4. Pilz Application Note — “Safe Torque Off (STO) for Servo Drives: Implementation and Testing” (Document ID: EN_BA_0031)
5. VDMA 66413 — Functional Safety on Drive Systems (German Machinery Association standard)

Videos

• Pilz - Introduction to Safe Torque Off — Visual explanation of STO operation
• Siemens - Configuring Safety Functions in SINAMICS — Practical drive setup

Summary + Key Takeaways

• STO (Safe Torque Off) removes motor torque by disabling the drive’s power stage
• STO is hardware-based and independent of software control—critical for safety
• Dual-channel architecture with cross-monitoring is required for SIL 2 and SIL 3
• IEC 61800-5-2 defines safety functions for adjustable speed drives
• Performance Level (PLr) and SIL are parallel rating systems: PL d ≈ SIL 2, PL e ≈ SIL 3
• Always integrate STO with a safety PLC or safety-rated relay, not a standard PLC output
• Validation testing is mandatory: Test E-stop, single-channel faults, and restart sequences
• Document everything: SIL calculations, wiring diagrams, test results, maintenance schedule

Glossary

• STO (Safe Torque Off): Safety function that disables drive torque-producing capability
• SIL (Safety Integrity Level): Defined by IEC 61508, ranges from SIL 1 (lowest) to SIL 4 (highest)
• PLr (Performance Level required): Defined by ISO 13849-1, ranges from PL a to PL e
• Dual-channel: Two independent signal paths with cross-monitoring for fault detection
• PFHd: Probability of dangerous Failure per Hour—key metric for SIL rating
• MTTFd: Mean Time To dangerous Failure—reliability metric for safety components
• Diagnostic coverage (DC): Percentage of dangerous faults detected by diagnostic measures
• Common cause failure (β): Faults that affect both channels simultaneously (e.g., overvoltage)

FAQ

Q: Does STO apply the motor brake?
A: No—STO (Safe Torque Off) only removes electrical power to the motor’s power stage, preventing the drive from generating torque, but it does not engage any mechanical holding brake. The motor will coast to a stop based on load friction and inertia. For vertical axes (like hoists, lifts, or Z-axes on CNC machines) where gravity could cause dangerous motion during coast-down, you must use SBC (Safe Brake Control) in conjunction with STO to monitor and control an external electromechanical holding brake. SBC ensures the brake is properly engaged before releasing torque and monitors the brake’s feedback signals for faults. The brake itself must be spring-applied, electrically-released (fail-safe design) and sized to hold the maximum static load.

Q: Can I use a standard PLC output for STO inputs?
A: No—you must use a safety-rated output module from a certified safety PLC, safety relay module, or emergency stop circuit that meets the required SIL/PLr rating for your application. Standard PLC outputs lack the necessary dual-channel redundancy, cross-monitoring, and diagnostic capabilities required by IEC 61800-5-2 and ISO 13849-1. Each STO input on the drive is part of a two-channel architecture (STO A and STO B) that continuously monitors for channel discrepancies, stuck contacts, and wire faults. Using non-safety-rated outputs can result in undetected dangerous failures, voiding your safety certification and exposing workers to serious injury or death.

Q: What’s the difference between STO and SS1?
A: STO (Safe Torque Off) removes torque immediately without any controlled deceleration—the motor simply coasts to a stop. This is the fastest response but can be abrupt for high-inertia loads and doesn’t prevent coasting. SS1 (Safe Stop 1) performs a controlled, monitored deceleration ramp first, bringing the motor to zero speed using the drive’s normal braking function, and then activates STO once zero speed is confirmed. SS1 is safer and more controlled for loads with high inertia (like large rotating drums, centrifuges, or conveyor systems) where sudden torque removal could cause mechanical shock, product damage, or overrun. However, SS1 requires the drive’s control logic to remain functional during the stop, so it’s typically a lower safety category (SIL 1) compared to STO (SIL 2/3).

Q: How often must I test STO?
A: Per ISO 13849-1 and IEC 61508, proof test intervals depend on the calculated Mean Time To Dangerous Failure (MTTFd) and Diagnostic Coverage (DC) of your safety function, as well as your target SIL/PLr. Typical proof test intervals are 1-3 years for SIL 2 / PLr d applications and 6-12 months for SIL 3 / PLr e applications. The proof test should verify both channels operate correctly, discrepancy detection works, and response time meets specification. Some industries (e.g., automotive, aerospace) may have more stringent requirements. Always follow the machinery OEM’s recommended test procedures and intervals documented in the safety validation report. Modern drives often include self-test diagnostics that can extend proof test intervals by increasing diagnostic coverage.

Q: What happens if the drive detects an STO channel discrepancy?
A: The drive immediately enters a safe state by removing power to the motor (activating torque-off) and triggering a safety fault alarm, typically displayed as “STO Channel Fault,” “STO Discrepancy,” or similar on the HMI. The fault is latched and logged in the drive’s safety event history with a timestamp. The drive cannot be restarted until the fault is acknowledged, the root cause is diagnosed and corrected, and a deliberate reset sequence is performed (typically requiring both safety circuit reset and drive power cycling). Common causes include wiring faults (broken wire, loose terminal, ground fault), stuck safety relay contacts, noise-induced glitches, or actual component failures in the safety circuit. The discrepancy detection is a critical self-diagnostic feature required by IEC 61800-5-2 to achieve SIL 2/3 ratings.