Safety is a critical concern in Mobile Robots. Serious injury to persons and/or expensive material damage can occur if the robot and its load run out of control. Laser range finders, remote controls and other systems can be used to tell the robot to stop. The challenge is to make the robot always respond to the stop command. This is where Safe Torque Off, or STO, comes in.
STO is a safety mechanism for motor drives that reliably brings the motor to a no-torque state. STO is typically used for the prevention of an unexpected startup (EN 1037) of machinery or for an emergency stop, fulfilling stop category 0 (EN 60204-1).
STO has the immediate effect that the drive cannot supply any torque-generating energy. STO can be used wherever the drive will be brought to a standstill in a sufficiently short time by the load torque or friction or where coasting down of the drive is not relevant to safety. In a Mobile Robot application, STO will stop motion in case of emergency, and prevent restart until it is safe to do so.
From this simple description, one may assume that STO is as simple as disconnecting power to the drive and motors. And indeed, STO can be achieved using a contactor that cuts the power to the motor controller, for example. However, a contactor adds cost and one more component that can eventually fail.
STO must meet the requirements of Safety Category 3 as defined in EN ISO 13849-1. To achieve Category 3, the controller must meet a list of several requirements. Of this list, the most challenging is that the STO function must still be performed even in the case of a single fault in any part of the system.
So, in the case of our earlier example, a single contactor cannot be used. At a minimum, two contactors are needed in series, so that energy can still be cut from the motor if one of the two contactors gets stuck closed.
Embedding STO in a Controller
All drive manufacturers are free to invent any method they wish, provided it meets the safety requirements. The most common implementation, and the one used by Roboteq, is to add a circuit that cuts off the power supply to the MOSFET gate drivers. Without that supply, the drivers cannot turn on any of the MOSFET gates, so no torque-generating current can reach the motor.
Two switches in series are necessary to ensure that the power is cut even if one of the switches is permanently ON because of a failure.
Each of the switches is driven by a separate input, commonly labeled STO1 and STO2. In this manner, too, if one external or internal circuit is damaged and the respective STO command is stuck at the “ON” level, the other can still safely disconnect the power to the drivers.
The MCU monitors the STO input lines and the voltage to the MOSFET drivers. It is important to note, however, that the STO circuit works independently of the controller's MCU: the switches are not in the MCU's control path, so a hardware or firmware malfunction of the MCU cannot keep the drivers powered.
The Safety Standard also requires that the drive be able to detect a failure in the STO circuit, and this can be quite challenging. Consider the example below.
STO1 and STO2 are active and both switches are ON, but switch 1 is damaged and will remain ON even when the STO1 command is removed. The drive appears to operate normally, and it will still stop when both STO1 and STO2 are deactivated, because switch 2 opens. However, the circuit has silently lost its redundancy: it would no longer stop if STO1 alone were deactivated. Should a second fault then occur, for example the STO2 command wire stuck at a high voltage, the controller will not stop at all.
To guard against this sort of problem, the controller incorporates additional circuitry for detecting and reporting whether the STO circuit is fully functional.
The controller is designed so that the MCU can force either or both STO inputs to the OFF state. The MCU uses this capability to briefly turn off the MOSFET driver supply and verify that the driver supply voltage does in fact drop; if the supply stays up while one channel is forced OFF, that channel's switch is stuck and the fault is reported. This check is performed every time the controller is powered ON, as well as at periodic intervals.
Note that the MCU is not physically capable of forcing the STO inputs to the ON state. If it were, the STO circuit could cease to protect should the MCU accidentally set those outputs to 1 because of a software or hardware malfunction.
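As an added illustration of the fault-masking scenario above and of the MCU self-test, here is a small C model of the two-channel STO power path. This is constructed example code, not Roboteq firmware and not code from the original page; the type and function names (sto_circuit_t, sto_self_test, and so on) and the fault-injection flags are assumptions made for the model. It shows why a stuck switch is invisible during normal operation, how pulsing each channel OFF individually exposes it, and why the MCU only gets a "force OFF" line and no "force ON" line.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of a dual-channel STO power path: the MOSFET gate-driver supply is
 * present only when BOTH series switches are closed. Each switch closes when
 * its STO input is high, unless the switch has failed stuck ON. The MCU has
 * "force OFF" lines only; there is deliberately no "force ON" field, which
 * mirrors the hardware restriction described in the text. */
typedef struct {
    bool sto1_in;         /* external STO1 input (true = torque permitted) */
    bool sto2_in;         /* external STO2 input */
    bool sw1_stuck_on;    /* injected fault: switch 1 welded/shorted closed */
    bool sw2_stuck_on;    /* injected fault: switch 2 welded/shorted closed */
    bool mcu_force_off1;  /* MCU test line: pulls channel 1 OFF */
    bool mcu_force_off2;  /* MCU test line: pulls channel 2 OFF */
} sto_circuit_t;

static bool switch_closed(bool input, bool force_off, bool stuck_on)
{
    if (stuck_on)
        return true;               /* a stuck switch ignores both input and MCU */
    return input && !force_off;    /* the MCU can only open the switch, never close it */
}

/* True when the gate drivers are powered, i.e. torque can be produced. */
bool sto_driver_supply_present(const sto_circuit_t *c)
{
    return switch_closed(c->sto1_in, c->mcu_force_off1, c->sw1_stuck_on) &&
           switch_closed(c->sto2_in, c->mcu_force_off2, c->sw2_stuck_on);
}

/* Self-test run at power-up and periodically: pulse each channel OFF on its
 * own and check that the driver supply actually drops. Returns a bitmask of
 * channels whose switch failed to open (bit 0 = channel 1, bit 1 = channel 2),
 * 0 when healthy, or -1 when the test cannot run because the supply is already
 * absent (a stuck switch is masked while the other switch is open). */
int sto_self_test(sto_circuit_t *c)
{
    int failed = 0;

    if (!sto_driver_supply_present(c))
        return -1;

    c->mcu_force_off1 = true;
    if (sto_driver_supply_present(c))
        failed |= 1;               /* channel 1 did not cut the supply */
    c->mcu_force_off1 = false;

    c->mcu_force_off2 = true;
    if (sto_driver_supply_present(c))
        failed |= 2;               /* channel 2 did not cut the supply */
    c->mcu_force_off2 = false;

    return failed;
}

/* Constructed scenarios (assumed for the model, not measurements from hardware). */

int sto_selftest_healthy(void)
{
    sto_circuit_t c = { .sto1_in = true, .sto2_in = true };
    return sto_self_test(&c);                 /* 0: both channels open on command */
}

int sto_selftest_sw1_stuck(void)
{
    sto_circuit_t c = { .sto1_in = true, .sto2_in = true, .sw1_stuck_on = true };
    return sto_self_test(&c);                 /* 1: channel 1 stuck ON is caught */
}

/* Single fault (switch 1 stuck) with both inputs released: switch 2 still opens. */
bool sto_single_fault_still_stops(void)
{
    sto_circuit_t c = { .sw1_stuck_on = true };
    return !sto_driver_supply_present(&c);
}

/* Second fault on top: the STO2 wire is shorted high, so releasing STO1 has
 * no effect and the drivers stay powered. */
bool sto_double_fault_still_stops(void)
{
    sto_circuit_t c = { .sto1_in = false, .sto2_in = true, .sw1_stuck_on = true };
    return !sto_driver_supply_present(&c);
}

int main(void)
{
    printf("healthy self-test:        %d\n", sto_selftest_healthy());
    printf("sw1 stuck self-test:      %d\n", sto_selftest_sw1_stuck());
    printf("single fault still stops: %s\n", sto_single_fault_still_stops() ? "yes" : "NO");
    printf("double fault still stops: %s\n", sto_double_fault_still_stops() ? "yes" : "NO");
    return 0;
}
```

The self-test deliberately refuses to run while the supply is already off: with one switch open, a stuck second switch cannot be observed, which is why the check is scheduled at power-up and periodically during normal operation, when both channels are enabled.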
Being a safety-critical function that absolutely has to work in all situations, STO must be certified by an independent certification body such as TÜV. There, the examiner simulates the failure of every critical component to verify that the drive can still be safely stopped.
STO is gradually being introduced in all Roboteq controllers, starting with the KBL1660. STO is scheduled to be available in all our products in 2019.