AC Drive China Forum
Forum » General Discussion » Safe-Torque-Off Usage
Topics: Safe-Torque-Off Usage on General Discussion
#1
Start by
Brian
09-03-2013 10:38 PM

Safe-Torque-Off Usage

I have seen resistance to integrators using the STO feature that is now available on many drives. I believe it is just because it is something new, and they don't want to try something new. Personally, I encourage people to use it, and don't see why they wouldn't. Any other thoughts on this?
09-03-2013 10:39 PM
Top #2
Barry
09-03-2013 10:39 PM
Changing prints, training and testing costs money.

In my experience STO use is driven by customer and OSHA requirements. If it is not specified it won't be done.

It is also a liability risk when you use a safety scheme that is not yet an industry standard.

Calculating what is the best method to bring a motor to a stop is very application specific. The math is often hard for integrators who don't have the inertial data or required rate of deceleration available.
09-03-2013 10:39 PM
Top #3
Bob
09-03-2013 10:39 PM
Brian, as is common in North America we are slower to adopt "EN" European Norms. There may be confusion or conflicts with "Lock out, Tag out" procedures and OSHA regulations as well as company standards that will make it difficult to use in our industries.
09-04-2013 10:47 PM
Top #4
John
09-04-2013 10:47 PM
Correct me if I'm wrong, and I'm sure there are plenty who will, but the whole ideology behind STO was to allow a drive to form part of a category III safety installation without the need for dual isolation.

So if you don't have such an installation then you don't need STO.

Now I have seen only a handful of installations where STO is being used - none of which involve category III safety requirements.

I'm sure it must have been developed with the OEM market in mind??
09-04-2013 10:48 PM
Top #5
Chris
09-04-2013 10:48 PM
STO does not remove all power from the motor side; all it does is "scramble" the signal so that no torque is produced. Therefore STO does NOT eliminate the need for additional safety-related relays in the motion system.

STO requires absolutely clean power to the STO contacts. Any disturbance on the line will effectively disable the relay: this is unreliable at best, unusable at worst.

A large number of applications - particularly for 250+ HP operations - simply cannot be safe with an unpowered coastdown approach. With STO, there's no chance for a powered deceleration.

Also - the general consensus is that drives with STO are more costly (i.e. additional "features") than drives without ... and the cost for external safety relays, etc is still lower than the delta on the drives cost.
09-04-2013 10:48 PM
Top #6
Brian
09-04-2013 10:48 PM
STO by itself is almost never a solution. As I understand it, STO should be able to eliminate some contactors. It most situations, the drive will need to ramp to a stop before the STO is activated. This is no different than traditional methods of using contactors. If anyone thinks that opening up the line power to a drive is a better solution than using the STO function, then they have never seen how much energy is still in the DC bus when line power is removed.
09-04-2013 10:49 PM
Top #7
Barry
09-04-2013 10:49 PM
Hitachi turns off switching of the IGBTs removing power to the motor.

If the power going to either of the STO inputs is removed the inverter will power off, IEC 60204-1 Cat 0, "power off, coast to stop". So dirty power or cut wire will disable drive. If power to both inputs is removed it disables drive and sends a confirming output.

The application determines the e-stop. Coast to stop, ramp then power off, ramp then DC injection, coast and mechanical brake, redundant contacts, run away screaming....

The cost of VFD's have been going down while the functions and software are getting better. This is mainly due to more efficient IGBTs that reduce heat sink size. The Hitachi with safe stop costs slightly less than the VFD it replaced.

If you need Cat 0 safe stop you will probably have a safety relay monitor and the VFD will be one of the devices.

Any system can be bypassed by a sufficiently motivated person, of which there are many.
09-04-2013 10:49 PM
Top #8
Bob
09-04-2013 10:49 PM
Safe torque-off (STO)
With the safe torque-off function the drive will not provide a rotational field within, thereby preventing the motor from generating a torque on the shaft. This function is used for prevention of an unexpected start-up and other stopping related functions. This function corresponds to an uncontrolled stop in accordance with stop category 0 of IEC 60204-1.
09-09-2013 09:45 PM
Top #9
Robert
09-09-2013 09:45 PM
We're in the process of implementing STO in our PWM amps due to a customer request. The basic principle is to remove power to the output stage using 2 separate sources, one for the high side and one for the low side drivers into the h-bridge. The theory is that in the event of a single failure in the STO circuit, the motor will not be capable of producing torque. That's much different than not being powered. The motor can still receive power, since one side of the bridge could still be on (in the event of that single failure, ie shorted output), but there will be no "torque" producing current flowing. That's the key. STO still requires external safety interlocks to remove power from the motor, AND the motor will COAST to a stop when the STO is activated. Picture an air bearing spindle at 20krpm. It takes a long time to coast to a stop.
09-09-2013 09:45 PM
Top #10
Bob
09-09-2013 09:45 PM
There are additional standards that control those functions to be considered, see link previously provided.
Safe stop 1 (SS1)
Safe brake control (SBC)
Safely limited speed (SLS)

Again all IEC standards and different ways to control stopping, safety than we have considered or implemented previously.

Safety functions for variable speed drives are described in the IEC 61800-5-2 standard.
09-09-2013 09:46 PM
Top #11
John
09-09-2013 09:46 PM
Going by the comments above it seems that there is STO and then there is STO.

My understanding is that STO was brought about to allow conformance with category III safety installations without requiring dual isolation. To achieve this it must be a direct connection from the input to the inverter stage. It cannot be a software controlled input. This was the design specification behind Danfoss' STO - to allow the drive to be part of a category III safety installation.

So if other manufactures do something different and just 'scramble' the signal, then I doubt this would comply with category III safety. Presumably their STO means something else.
09-09-2013 09:46 PM
Top #12
Brian
09-09-2013 09:46 PM
Each drive model will state what standards their STO complies with. I don't see any reason why the STO feature offered on drives can't be used to comply with a category 3 system. STO off means that the motor cannot start or run. It doesn't always mean there is no voltage at the motor leads.
09-09-2013 09:47 PM
Top #13
James
09-09-2013 09:47 PM
I love STO or hardwired base-block. The beauty of it, from a maintenance standpoint, is it allows a technician to "lock out" a motor and leave the drive powered. This allows work to be performed in the are of the motor while parameters are modified or faults checked, and can save unnecessary homing routines.
Nothing annoys me like a drive fault causing an E-stop which removes power from the drive. I see equipment like that constantly, and immediately modify it. (After jumping the appropriate hurdles, of course.)
09-09-2013 09:47 PM
Top #14
Bob
09-09-2013 09:47 PM
I believe we have come up with a solution that answers all the above we offer a Drive fully features and also the same drive with SI card so this fits all requirements and if the unit is not needed to be in a SIL 3 area or integrated into this circuit you can get a fully feature Gefran ADV200 with full integrated PLC no SI. Problem sorted, the feedback you get from engineers on site is that they still prefer an isolator locked off before they start work.Personal I love to have SI fitted it means that the Drive can be left live while you work on the motor and transmission.
09-09-2013 09:47 PM
Top #15
Jan
09-09-2013 09:47 PM
STO boils down to using the driver of the output stage as the relay that removes power to the motor. Whether this can be used for powering down a system depends on the application. The kinetic energy in the system has to go somewhere. In a low loss system, dissipation can be too slow. As this is a safety feature, I wonder about:
1. Is it OK to rely on programmable logic to perform this?
2. What if the driver or output power switch is faulty (short in H-bridge)?
3. Does this scheme have any inherent redundancy?
09-11-2013 09:34 PM
Top #16
Adam
09-11-2013 09:34 PM
We love STO here in Australia, and it has become an industry accepted solution very quickly. The STO itself (as others have said) only reduces the need for safety contactors, not a safety monitoring device, like a safety relay. And if we are to keep the standards in mind, the VFD should be in the same panel as the safety monitoring device. The next step for drive manufacturers is really to integrate the monitoring function into the VFD, and improve safe fieldbus connectivity. Some manufacturers are already there with this technology and I think we are now seeing real market demand for the next phase of integrated safety functions for VFDs.
09-11-2013 09:35 PM
Top #17
Jan
09-11-2013 09:35 PM
I hate to say this, but I do not see a strong benefit of STO. The problem with turning off rotating motors is that there are 2 sources of residual energy (assuming main power is cut): the kinetic energy and the energy stored in bus capacitors. Now I understand that STO is not going to magically make those dissapear. But having STO just disable the output H-bridge, well that does not really solve much from a system level perpsective. I do not see any strict redunancy here and it is a self-claimed uncontrolled stop. How does this differ from the enable/disable input from all commercial drives? How is hardcoded firmware that disables PWM signals upon disable any different from an STO? I apologize in advance to the STO advocates and would like to better understand the actual rational.
09-11-2013 09:36 PM
Top #18
Mark
09-11-2013 09:36 PM
Jan, we need to make a clear differentiation between a safe stop relay and the STO. The STO does not monitor if the motor has stopped turning, only that it is no longer being driven by the drive. The safe stop relay does this and will be required as well if this poses a safety threat also e.g. PSWZ from Pilz. The DC bus voltage will still need to discharge through the "charging" circuit. With the H-bridge contact removed this no longer poses a threat downstream of the inverter. Many inverters now have separate logic supplies so the DC bus does not need charging and the logic circuit can be interrogated. The STO means that the mains power can stay on whilst you do maintenance downstream of the inverter and that it won't be started remotely via software as it will be locked out on a safety circuit (the STO card)
09-11-2013 09:37 PM
Top #19
Robert
09-11-2013 09:37 PM
The requirement for STO is that it prevents a torque producing current in the motor (in other words, disables commutation). This does NOT mean the bus is disconnected or that there's no power to the motor. In fact, there can be power to the motor if one of the output shorts to B+. In this case the motor will move and lock to a pole position. The way STO is implemented in most drives is input opto power (low voltage) to the opto isolators driving the high and low side H-bridge stages is removed, disabling the output transistors from switching (even if the DSP is outputting PWM signals) since there's no longer any gate drive. Bus power is still on the H-bridge inputs.
Reply to Thread