STO — Safe Torque Off for Servo, Robot and Pump Drives
This page brings together the complete Safe Torque Off chain in a motion drive — from dual-channel wiring, isolation and voting logic through self-test and hardware cut-off to certification targets and IC selection — so the drive can remove torque reliably, diagnose faults and support functional safety assessments.
What this page solves
Safe Torque Off (STO) is often listed as a feature on servo drives and power modules, but the implementation details are usually left to the motion-control designer. This page focuses on how to turn the STO pins, dual channels and comparators into a verifiable safety chain that truly removes torque in dangerous conditions instead of acting like a generic power-off signal.
The content concentrates on the electrical and IC-level partitioning between safety inputs, dual-channel voting, isolation barriers, gate-drive enable paths and the power stage. It clarifies which blocks should be implemented inside the drive, which belong to safety relays or a Safety PLC, and how STO interacts with other functions such as SS1, SS2, SLS or mechanical brakes without duplicating system-level safety guides.
The goal is to provide a practical reference for specifying, reviewing and sourcing STO-capable ICs and modules: where dual-channel comparators or safety gate drivers are required, what isolation and diagnostic hooks are needed, and how to check that the resulting STO chain is testable, monitorable and ready for integration into a certified motion-safety architecture.
- Clarifies the exact role of STO versus general stop modes and system-level safety functions.
- Maps the signal path from safety outputs to STO inputs, voters, gate drivers and the motor.
- Highlights IC roles for comparators, isolation components and gate-drive cut-off elements.
Role of STO in the motion control safety chain
In a complete motion-safety architecture, Safe Torque Off is the function that drives the power stage into a defined torque-free state whenever hazardous motion must be prevented. System-level safety functions such as SS1, SS2, SOS or SLS may perform controlled deceleration, monitoring or limitation, but their final protective action usually relies on STO to guarantee that the motor cannot generate additional torque.
The STO chain sits between the safety logic layer and the gate-drive or power module. Safety inputs such as emergency stops, guard switches and light curtains are processed by safety relays or a Safety PLC, which produce dual, independent safety outputs. These outputs feed isolated STO inputs on the drive, where dedicated comparators, voters and monitoring circuits decide whether gate drivers and power stages are allowed to energize the motor or must remain in a safe state.
STO therefore acts as the hardware boundary where functional control gives way to enforced safety. It must tolerate single faults, detect discrepancies between channels, survive EMC disturbances and expose self-test hooks so that the safety logic can periodically confirm that torque-inhibition is still effective. Correct partitioning between external safety devices and internal STO circuitry determines whether the overall chain can meet the required PL or SIL targets without redesign.
- Connects safety outputs from relays or a Safety PLC to the drive’s power stage.
- Implements dual-channel voting and monitoring around the STO inputs and comparators.
- Defines how gate-driver enable, DC-link paths or precharge circuits are forced into a safe state.
Dual-channel voting architecture
Dual-channel STO architectures rely on two independent safety paths that must both agree before torque is allowed. Safety outputs from a Safety PLC or safety relay are presented as two channels, typically STO_A and STO_B, which are processed in separate signal chains inside the drive. The voting logic then combines the channel states, usually in a two-out-of-two (2oo2) scheme, to decide whether the gate drivers and power stage are permitted to energize the motor.
In a robust STO design, each channel is equipped with its own input conditioning, isolation and comparator chain. The voter does not simply wire both channels together; it monitors each path, checks for agreement within a defined timing window and latches any discrepancy as a fault. This fault then drives the torque path into a safe state and is reported back to the safety logic so that the overall safety function can react and require a controlled reset before re-enabling STO.
The choice of 2oo2 voting inside the drive ensures that loss of one channel, a stuck-on output or a single comparator fault cannot silently keep torque enabled. At the same time, the architecture must balance diagnostic coverage, response time and availability: the drive should enter STO whenever the voter sees inconsistent or undefined states, and only leave the safe state after a validated reset sequence confirms that both channels are healthy again.
- Two fully separated STO channels feed independent comparator chains before entering the voter.
- The voter implements 2oo2 logic, discrepancy detection and fault latching for the STO function.
- Voter outputs drive gate-driver enables or equivalent torque paths and expose STO feedback signals.
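The voter behaviour described in this section, written as a behavioural reference model for design review. This is an added example, not code from the original page or from any drive vendor. The 10 ms discrepancy window, the reset rule (accepted only while both channels demand STO) and all identifiers are assumptions, and the model assumes it is stepped more often than the window length.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed discrepancy window; the real value comes from the safety concept. */
#define DISCREPANCY_WINDOW_MS 10u

typedef struct {
    bool     fault_latched;   /* set on discrepancy, cleared only by reset */
    bool     mismatch_active; /* channels currently disagree */
    uint32_t mismatch_since;  /* time the disagreement started */
} sto_voter_t;

/* One evaluation step. Channels are active-high "torque permitted", so a
   broken wire reads low and removes torque. Returns STO_OK. */
bool sto_voter_step(sto_voter_t *v, bool sto_a, bool sto_b, uint32_t now_ms)
{
    if (sto_a != sto_b) {
        if (!v->mismatch_active) {
            v->mismatch_active = true;
            v->mismatch_since = now_ms;
        } else if ((uint32_t)(now_ms - v->mismatch_since) > DISCREPANCY_WINDOW_MS) {
            v->fault_latched = true;   /* disagreement outlasted the window */
        }
    } else {
        v->mismatch_active = false;
    }
    /* 2oo2: both channels must permit torque and no fault may be latched. */
    return sto_a && sto_b && !v->fault_latched;
}

/* Assumed reset rule: accepted only while both channels demand STO, so the
   reset itself can never re-enable torque. Returns true if the latch cleared. */
bool sto_voter_reset(sto_voter_t *v, bool sto_a, bool sto_b)
{
    if (sto_a || sto_b) return false;
    v->fault_latched = false;
    v->mismatch_active = false;
    return true;
}

int main(void)
{
    sto_voter_t v = {0};
    sto_voter_step(&v, true, false, 0);    /* STO_B drops alone */
    sto_voter_step(&v, true, false, 20);   /* exceeds window: fault latched */
    printf("STO_OK after channels agree again: %d\n",
           sto_voter_step(&v, true, true, 30));
    return 0;
}
```

Torque stays inhibited in the last step even though both channels read high again, because the latch is only cleared by the reset path.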
Isolation & comparator IC options
The STO channels must bridge two very different domains: the 24 V safety outputs on the logic side and the noisy, high dv/dt environment inside the drive. Isolation and comparator ICs form the backbone of this interface. Isolation components protect against hazardous voltages and common-mode transients, while comparators translate the isolated signals into clean logic levels with defined thresholds, diagnostic behaviour and fail-safe defaults.
Several implementation approaches are used in practice. Traditional optocouplers provide a simple path from 24 V safety outputs into the drive, but require careful attention to CTR drift, dv/dt immunity and lifetime. Modern digital isolators offer faster, more repeatable timing and higher CMTI, and some safety-oriented gate drivers integrate isolation, comparators and fault latching in a single device. Window comparators or comparator ICs with built-in diagnostics help detect open circuits, shorts and mid-level faults that simple threshold circuits would miss.
Regardless of technology choice, the comparator stage should enforce clear high and low thresholds, bias any undefined input conditions toward a torque-off state and provide status outputs that the STO voter or higher-level safety logic can monitor. The resulting chain lets the drive recognise valid STO commands, flag wiring or component faults and maintain torque inhibition even if parts of the signal path degrade over time.
- Maps 24 V safety outputs through isolation into clean logic-level STO channel signals.
- Uses comparators or window comparators with defined thresholds and diagnostic behaviours.
- Supports fail-safe defaults so that loss of signal or undefined levels force torque off.
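A behavioural model of the window-comparator stage for one STO channel, added here as an example and not taken from the original page or from any device datasheet. The voltage thresholds, the 2 ms allowance for crossing the mid band and all identifiers are assumptions chosen for illustration; every state other than a valid high level leaves the channel in the torque-off condition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed thresholds for a 24 V input, in millivolts (not from the page). */
#define V_LOW_MAX_MV   5000   /* at or below: valid torque-off demand */
#define V_HIGH_MIN_MV 15000   /* at or above: valid torque-permitted level */
#define V_OVER_MV     30000   /* above: over-range, treated as a fault */
#define MID_HOLD_MS       2u  /* assumed time allowed to cross the mid band */

typedef enum { CH_OFF, CH_ON, CH_FAULT_MID, CH_FAULT_OVER } ch_status_t;

typedef struct { bool in_mid; uint32_t mid_since; } ch_window_t;

/* Classify one voltage sample. *enable is true only for a valid high level;
   mid-level, over-range and low inputs all leave the channel torque-off. */
ch_status_t ch_window_step(ch_window_t *w, int32_t mv, uint32_t now_ms, bool *enable)
{
    ch_status_t st;
    if (mv > V_OVER_MV)            { st = CH_FAULT_OVER; w->in_mid = false; }
    else if (mv >= V_HIGH_MIN_MV)  { st = CH_ON;         w->in_mid = false; }
    else if (mv <= V_LOW_MAX_MV)   { st = CH_OFF;        w->in_mid = false; }
    else {
        /* Mid band: normal while an edge passes through, a fault if it persists. */
        if (!w->in_mid) { w->in_mid = true; w->mid_since = now_ms; }
        st = ((uint32_t)(now_ms - w->mid_since) > MID_HOLD_MS) ? CH_FAULT_MID : CH_OFF;
    }
    *enable = (st == CH_ON);
    return st;
}

int main(void)
{
    ch_window_t w = {0};
    bool en = false;
    /* Constructed input: a channel stuck at 10 V is flagged after the hold time. */
    ch_window_step(&w, 10000, 0, &en);
    ch_status_t st = ch_window_step(&w, 10000, 5, &en);
    printf("status=%d enable=%d\n", (int)st, (int)en);
    return 0;
}
```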
Self-test / diagnostic injection (pulse check)
A Safe Torque Off chain cannot be treated as reliable over the lifetime of a machine unless it is periodically tested. Self-test and diagnostic injection mechanisms, often called pulse checks, deliberately disturb the STO channels in a controlled way and verify that the expected reaction occurs: torque permission is withdrawn and a diagnostic flag is raised. The goal is to prove that the wiring, isolation components, comparators and voter still respond correctly to a simulated demand for torque-off.
Diagnostic injection can be implemented by briefly toggling one safety output channel, activating built-in test pins on comparators or safety gate drivers, or steering the input voltage of a window comparator into an out-of-range window. During each pulse check, the STO voter is expected to detect a channel discrepancy, assert the STO function, drive the gate path into a safe state and expose a fault status that can be observed by the safety logic. Failure to see this sequence indicates a latent fault and should prevent further torque-enabled operation until maintenance or repair has been performed.
Test frequency and timing must be aligned with the overall safety concept. Some applications allow a brief torque interruption during scheduled checks, while others require tests to run only during start-up or inside carefully defined safety windows. In all cases, the STO path must provide clear injection points and feedback signals so that the safety controller can script pulse checks, log results and enforce a reset procedure if any part of the chain fails to respond as designed.
- Defines where and how to inject controlled disturbances into STO channels for testing.
- Requires STO voters, comparators and isolation components to expose diagnostic hooks.
- Ensures that failures discovered by pulse checks lead to latched faults and safe states.
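One way a safety controller could score a pulse check from the recorded feedback lines, as an added example that is not part of the original page. It assumes the controller samples STO_OK and STO_FAULT into a time-ordered trace; the sample format, result codes, deadline values and function names are hypothetical, and the trace in `main` is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One sample of the drive's feedback lines, time-ordered in the trace. */
typedef struct { uint32_t t_us; bool sto_ok; bool sto_fault; } fb_sample_t;

typedef enum {
    PULSE_PASS,          /* torque permission dropped and fault flag rose in time */
    PULSE_INVALID,       /* chain was not enabled and fault-free before the test */
    PULSE_NO_CUTOFF,     /* STO_OK never dropped: cutoff path did not react */
    PULSE_NO_FAULT_FLAG, /* STO_FAULT never rose: diagnostic path is dead */
    PULSE_LATE           /* reaction seen, but after the allowed response time */
} pulse_result_t;

pulse_result_t pulse_check_eval(const fb_sample_t *s, size_t n,
                                uint32_t t_inject_us, uint32_t deadline_us)
{
    bool pre_ok = false, ok_dropped = false, fault_seen = false;
    uint32_t t_ok = 0, t_fault = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i].t_us < t_inject_us) {        /* last pre-injection sample wins */
            pre_ok = s[i].sto_ok && !s[i].sto_fault;
            continue;
        }
        if (!ok_dropped && !s[i].sto_ok)   { ok_dropped = true; t_ok = s[i].t_us; }
        if (!fault_seen && s[i].sto_fault) { fault_seen = true; t_fault = s[i].t_us; }
    }
    if (!pre_ok)     return PULSE_INVALID;
    if (!ok_dropped) return PULSE_NO_CUTOFF;
    if (!fault_seen) return PULSE_NO_FAULT_FLAG;
    if (t_ok - t_inject_us > deadline_us || t_fault - t_inject_us > deadline_us)
        return PULSE_LATE;
    return PULSE_PASS;
}

/* Anything but PASS is treated as a latent fault: keep torque inhibited. */
bool torque_allowed_after_check(pulse_result_t r) { return r == PULSE_PASS; }

int main(void)
{
    /* Constructed trace: injection at 150 us, cutoff at 200 us, fault at 400 us. */
    const fb_sample_t trace[] = { {0, true, false}, {100, true, false},
                                  {200, false, false}, {400, false, true} };
    printf("result=%d\n", (int)pulse_check_eval(trace, 4, 150, 500));
    return 0;
}
```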
Hardware gating & gate drive cutoff methods
Once the STO voter has decided that torque must be removed, the decision has to be enforced at a hardware point where motor current can no longer be driven. Several cutoff strategies are used in motion drives. Gate-drive level STO disables the IGBT or MOSFET gates by pulling driver enable signals low and clamping gate outputs to a safe state. Supply-level cutoff removes the local gate driver supply so that gates cannot be driven even if logic signals are incorrect. DC-link or main path cutoff uses contactors or solid-state switches to disconnect the power source from the drive.
Gate-drive cutoff is typically the primary STO mechanism because it reacts quickly and does not require cycling the entire DC-link. Safety-oriented gate drivers support dedicated enable pins, undervoltage lockout, fault latching and defined turn-off behaviour, so that loss of the STO_OK signal immediately forces all power devices into a non-conducting state. For higher safety levels, this approach is often combined with supply switches that can remove the gate-driver supply and with main path devices that disconnect the DC-link or segment the bus when a serious fault occurs.
Each cutoff point has characteristic failure modes and response times. A welded DC-link contactor may still allow current flow even if gate drivers attempt to turn devices off, while a stuck-high gate-enable signal can undermine a single-layer STO implementation. A robust STO design therefore treats hardware gating as a layered concept, combining fast gate-drive shutdown with supply and, where practical, DC-link cutoff. The architecture must bias every layer toward a torque-free default state if power, logic or control signals are lost.
- Maps STO voter outputs into specific hardware points that block gate drive and motor current.
- Compares gate-level, supply-level and DC-link cutoff strategies and typical use cases.
- Encourages layered cutoff so that single faults cannot silently re-enable torque.
Certification targets & typical failure modes
The STO function is usually treated as a primary torque-removal safety function and is therefore assigned ambitious safety levels. Typical certification targets sit in the PL d to PL e range with Category 3 or Category 4 architectures, or SIL 2 to SIL 3 capable implementations under functional safety standards. The STO path must therefore behave as a well-defined safety function: trigger conditions, reaction, maximum response time and reset rules all need to be documented and aligned with the overall risk assessment.
Reaching these targets depends on more than simply providing an STO input. Dual-channel structures reduce the impact of single-point failures, diagnostic coverage turns potential dangerous faults into detected events and common-cause controls prevent both channels from failing in the same way. Self-test mechanisms and feedback paths allow dangerous failures to be detected within a bounded time. Hardware cutoff layers, from gate-drive disable to DC-link disconnection, add redundancy so that defects in one path cannot silently re-enable torque.
Along the STO signal chain several failure modes appear repeatedly: wiring open circuits and shorts that remove channel independence, isolation devices that age into stuck-on or stuck-off states, comparators whose thresholds drift, voting logic that no longer enforces 2oo2 behaviour and cutoff elements that weld or fail to open. Certification requires that these failure modes be understood, classified as safe or dangerous, and, where dangerous, either detected with sufficient coverage or mitigated by architectural measures.
- Defines STO safety levels in terms of PL, Category and SIL targets for the drive.
- Links dual-channel, diagnostic and cutoff layers to functional safety metrics.
- Highlights typical failure modes along the STO path and their safety impact.
Design checklist & IC mapping
A Safe Torque Off function is easiest to design and review when key questions are collected into a structured checklist and connected to concrete IC choices. The checklist side groups the STO design into safety targets, dual-channel structure, isolation and comparator thresholds, voter behaviour, self-test strategy, hardware cutoff layers and diagnostic feedback. The IC mapping side assigns suitable device classes to each block so that sourcing and architecture decisions stay aligned with the intended safety performance.
For each STO stage the design should confirm both architectural intent and device capability. Dual-channel inputs need wiring and PCB layouts that do not introduce hidden common-cause couplings. Isolation components must support the required working voltages and dv/dt with safety documentation available. Comparator and window stages should be configured so that open circuits, shorts and mid-level voltages fall into clearly defined fault windows. Voter logic and hardware gating elements must demonstrate fail-safe defaults and predictable behaviour under loss of power or loss of control signals.
Device selection then ties these requirements to specific IC roles: industrial input protection, high-CMTI isolators, precision or safety-oriented comparators, STO-capable gate drivers, high-side switches for driver supplies, contactor or solid-state DC-link switches and diagnostic I/O devices linking STO_OK and STO_FAULT back to the safety controller. Preference is usually given to components with safety manuals and FMEDA data so that functional safety calculations can reference manufacturer-provided failure-rate information.
- Clarify STO safety target level and response time requirements.
- Verify truly independent dual channels from safety outputs through the voter.
- Specify isolation, comparator and window thresholds for fault detectability.
- Define self-test injection points, test frequency and expected diagnostic feedback.
- Map STO voter outputs to gate-level, supply-level and DC-link hardware cutoff.
- Select ICs with appropriate safety documentation and diagnostic features.