STO — Safe Torque Off for Servo, Robot and Pump Drives

This page brings together the complete Safe Torque Off chain in a motion drive — from dual-channel wiring, isolation and voting logic through self-test and hardware cut-off to certification targets and IC selection — so the drive can remove torque reliably, diagnose faults and support functional safety assessments.

What this page solves

Safe Torque Off (STO) is often listed as a feature on servo drives and power modules, but the implementation details are usually left to the motion-control designer. This page focuses on how to turn the STO pins, dual channels and comparators into a verifiable safety chain that truly removes torque in dangerous conditions instead of acting like a generic power-off signal.

The content concentrates on the electrical and IC-level partitioning between safety inputs, dual-channel voting, isolation barriers, gate-drive enable paths and the power stage. It clarifies which blocks should be implemented inside the drive, which belong to safety relays or a Safety PLC, and how STO interacts with other functions such as SS1, SS2, SLS or mechanical brakes without duplicating system-level safety guides.

The goal is to provide a practical reference for specifying, reviewing and sourcing STO-capable ICs and modules: where dual-channel comparators or safety gate drivers are required, what isolation and diagnostic hooks are needed, and how to check that the resulting STO chain is testable, monitorable and ready for integration into a certified motion-safety architecture.

  • Clarifies the exact role of STO versus general stop modes and system-level safety functions.
  • Maps the signal path from safety outputs to STO inputs, voters, gate drivers and the motor.
  • Highlights IC roles for comparators, isolation components and gate-drive cut-off elements.

Figure: STO focus inside the motion safety chain. Block diagram showing the relationship between machine-level safety functions, safety logic and the STO execution layer inside a drive, highlighting where this page focuses.

  • Machine-level safety functions: risk assessment · SS1 · SS2 · SOS · SLS · guard monitoring
  • Safety logic layer: Safety PLC · safety relay · door and E-stop logic
  • Drive & STO execution layer: STO pins · dual-channel voting · gate-drive disable
  • Out of scope on this page: full PL/SIL calculations · mechanical brakes · detailed risk assessment and system-level safety design
  • In scope on this page: dual-channel STO signal paths · comparator and voter IC roles · isolation between safety logic and drive hardware · gate-drive cut-off and torque removal paths

Focus: STO execution inside the drive.

Role of STO in the motion control safety chain

In a complete motion-safety architecture, Safe Torque Off is the function that drives the power stage into a defined torque-free state whenever hazardous motion must be prevented. System-level safety functions such as SS1, SS2, SOS or SLS may perform controlled deceleration, monitoring or limitation, but their final protective action usually relies on STO to guarantee that the motor cannot generate additional torque.

The STO chain sits between the safety logic layer and the gate-drive or power module. Safety inputs such as emergency stops, guard switches and light curtains are processed by safety relays or a Safety PLC, which produce dual, independent safety outputs. These outputs feed isolated STO inputs on the drive, where dedicated comparators, voters and monitoring circuits decide whether gate drivers and power stages are allowed to energize the motor or must remain in a safe state.

STO therefore acts as the hardware boundary where functional control gives way to enforced safety. It must tolerate single faults, detect discrepancies between channels, survive EMC disturbances and expose self-test hooks so that the safety logic can periodically confirm that torque-inhibition is still effective. Correct partitioning between external safety devices and internal STO circuitry determines whether the overall chain can meet the required PL or SIL targets without redesign.

  • Connects safety outputs from relays or a Safety PLC to the drive’s power stage.
  • Implements dual-channel voting and monitoring around the STO inputs and comparators.
  • Defines how gate-driver enable, DC-link paths or precharge circuits are forced into a safe state.

Figure: STO position between safety logic and power stage. Block diagram showing safety inputs feeding a Safety PLC or safety relay, which drives dual STO channels into a drive, with internal voter and gate-driver paths leading to the motor.

  • Safety inputs: E-stop · guard switch · light curtain · enable
  • Safety logic: Safety PLC or dual-channel safety relay, with outputs STO ch.1 and STO ch.2
  • Drive with STO, control section: FOC · PWM · motion profiles
  • Drive with STO, STO voter: dual-channel inputs · comparators · monitoring
  • Gate-driver enable path: IGBT / MOSFET drive · precharge interlocks
  • Power stage: inverter bridge · DC-link
  • Motor: STO blocks torque

Summary: System-level functions decide when hazardous motion must stop. Safety logic aggregates signals and produces dual safety outputs. STO inside the drive converts these outputs into enforced gate-driver and power-stage states so that the motor cannot generate torque.

Dual-channel voting architecture

Dual-channel STO architectures rely on two independent safety paths that must both agree before torque is allowed. Safety outputs from a Safety PLC or safety relay are presented as two channels, typically STO_A and STO_B, which are processed in separate signal chains inside the drive. The voting logic then combines the two channel states, usually in a two-out-of-two (2oo2) scheme, to decide whether the gate drivers and power stage are permitted to energize the motor.

In a robust STO design, each channel is equipped with its own input conditioning, isolation and comparator chain. The voter does not simply wire both channels together; it monitors each path, checks for agreement within a defined timing window and latches any discrepancy as a fault. This fault then drives the torque path into a safe state and is reported back to the safety logic so that the overall safety function can react and require a controlled reset before re-enabling STO.

The choice of 2oo2 voting inside the drive ensures that loss of one channel, a stuck-on output or a single comparator fault cannot silently keep torque enabled. At the same time, the architecture must balance diagnostic coverage, response time and availability: the drive should enter STO whenever the voter sees inconsistent or undefined states, and only leave the safe state after a validated reset sequence confirms that both channels are healthy again.

  • Two fully separated STO channels feed independent comparator chains before entering the voter.
  • The voter implements 2oo2 logic, discrepancy detection and fault latching for the STO function.
  • Voter outputs drive gate-driver enables or equivalent torque paths and expose STO feedback signals.

Figure: Dual-channel STO voting inside the drive. Diagram showing two independent STO channels entering isolation and comparator blocks, a 2oo2 voter and gate-driver enable path that controls the motor power stage.

  • Safety outputs: Safety PLC / safety relay · STO_A, STO_B (24 V)
  • Channel 1: input conditioning 1 · comparator 1 (threshold + diagnostics)
  • Channel 2: input conditioning 2 · comparator 2 (threshold + diagnostics)
  • STO voter: 2oo2 logic · discrepancy · fault latch · feedback, with outputs STO_OK and STO_FAULT
  • Gate-driver enable: torque permission
  • Power stage: inverter bridge · DC-link
  • Motor

Key idea: Both STO channels are processed independently and must agree before torque is enabled. Any discrepancy or undefined state forces the voter to withdraw permission and hold the drive in a safe torque-off state until a controlled reset is performed.

Isolation & comparator IC options

The STO channels must bridge two very different domains: the 24 V safety outputs on the logic side and the noisy, high dv/dt environment inside the drive. Isolation and comparator ICs form the backbone of this interface. Isolation components protect against hazardous voltages and common-mode transients, while comparators translate the isolated signals into clean logic levels with defined thresholds, diagnostic behaviour and fail-safe defaults.

Several implementation approaches are used in practice. Traditional optocouplers provide a simple path from 24 V safety outputs into the drive, but require careful attention to CTR drift, dv/dt immunity and lifetime. Modern digital isolators offer faster, more repeatable timing and higher CMTI, and some safety-oriented gate drivers integrate isolation, comparators and fault latching in a single device. Window comparators or comparator ICs with built-in diagnostics help detect open circuits, shorts and mid-level faults that simple threshold circuits would miss.

Regardless of technology choice, the comparator stage should enforce clear high and low thresholds, bias any undefined input conditions toward a torque-off state and provide status outputs that the STO voter or higher-level safety logic can monitor. The resulting chain lets the drive recognise valid STO commands, flag wiring or component faults and maintain torque inhibition even if parts of the signal path degrade over time.

  • Maps 24 V safety outputs through isolation into clean logic-level STO channel signals.
  • Uses comparators or window comparators with defined thresholds and diagnostic behaviours.
  • Supports fail-safe defaults so that loss of signal or undefined levels force torque off.

Figure: Isolated STO signal path with comparators. Diagram showing two 24 V safety outputs feeding input conditioning, isolation blocks, comparators and the STO voter inside a drive, with a clear isolation barrier between safety and drive domains.

  • Safety domain: safety outputs STO_A, STO_B · 24 V · Safety PLC / safety relay · input conditioning 1 and 2
  • Isolation barrier: isolator 1 and isolator 2 (optocoupler / digital isolator)
  • Drive domain: comparator / window 1 and 2 (thresholds + diagnostics) · STO voter (2oo2 logic and fault latch) · gate driver

Design focus: Isolation components must withstand system voltages and dv/dt, while comparators enforce clear thresholds and fail-safe behaviour. Together they create STO channel signals that remain trustworthy under wiring faults, ageing and EMC stress.
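
The difference between a single threshold and a window comparator with a fail-safe default, as an added C model (not code from this page or from any device vendor). The millivolt windows, the hysteresis value and all function names are constructed assumptions; real values follow from the input network and the device data sheet.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed thresholds (mV at the comparator input), for illustration only. */
typedef struct { int lo_mv, hi_mv; } window_t;
typedef enum { CH_FAULT = 0, CH_OFF, CH_ON } ch_state_t;

static const window_t WIN_OFF = {  1000,  5000 };  /* valid torque-off request */
static const window_t WIN_ON  = { 15000, 21000 };  /* valid torque permission  */
#define HYST_MV 500                                /* hysteresis at each edge  */

static bool inside(window_t w, int mv, int margin_mv) {
    return mv >= w.lo_mv - margin_mv && mv <= w.hi_mv + margin_mv;
}

/* Weak form: one threshold. A short to 24 V reads as a valid "on". */
bool simple_threshold_permit(int mv) {
    return mv > 12000;
}

/* Window form: a level is valid only inside the OFF or ON window.
 * Hysteresis widens the window of the state the channel is already in,
 * so noise at an edge does not toggle the result. Anything else is a fault. */
ch_state_t sto_window_classify(ch_state_t prev, int mv) {
    if (prev == CH_ON  && inside(WIN_ON,  mv, HYST_MV)) return CH_ON;
    if (prev == CH_OFF && inside(WIN_OFF, mv, HYST_MV)) return CH_OFF;
    if (inside(WIN_ON,  mv, 0)) return CH_ON;
    if (inside(WIN_OFF, mv, 0)) return CH_OFF;
    return CH_FAULT;
}

/* Fail-safe default: only a valid ON level permits torque. */
bool sto_window_permit(ch_state_t s) {
    return s == CH_ON;
}

/* Classify a trace of samples; returns how many landed in the fault window.
 * Latching those faults is the voter's job, not the comparator's. */
int sto_window_scan(const int *mv, int n, ch_state_t *out) {
    ch_state_t s = CH_FAULT;          /* power-up default: no permission */
    int faults = 0;
    for (int i = 0; i < n; i++) {
        s = sto_window_classify(s, mv[i]);
        out[i] = s;
        if (s == CH_FAULT)
            faults++;
    }
    return faults;
}

int main(void) {
    /* Constructed trace: off, on, on within hysteresis, short to 24 V,
     * on, open circuit (mid-level), short to ground. */
    const int trace[] = { 3000, 18000, 21300, 24000, 18000, 10000, 0 };
    ch_state_t st[7];
    int faults = sto_window_scan(trace, 7, st);
    for (int i = 0; i < 7; i++)
        printf("%5d mV  window_state=%d  window_permit=%d  single_threshold_permit=%d\n",
               trace[i], (int)st[i], (int)sto_window_permit(st[i]),
               (int)simple_threshold_permit(trace[i]));
    printf("fault samples: %d\n", faults);
    return 0;
}
```
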

Self-test / diagnostic injection (pulse check)

A Safe Torque Off chain cannot be treated as reliable over the lifetime of a machine unless it is periodically tested. Self-test and diagnostic injection mechanisms, often called pulse checks, deliberately disturb the STO channels in a controlled way and verify that the expected reaction occurs: torque permission is withdrawn and a diagnostic flag is raised. The goal is to prove that the wiring, isolation components, comparators and voter still respond correctly to a simulated demand for torque-off.

Diagnostic injection can be implemented by briefly toggling one safety output channel, activating built-in test pins on comparators or safety gate drivers, or steering the input voltage of a window comparator into an out-of-range window. During each pulse check, the STO voter is expected to detect a channel discrepancy, assert the STO function, drive the gate path into a safe state and expose a fault status that can be observed by the safety logic. Failure to see this sequence indicates a latent fault and should prevent further torque-enabled operation until maintenance or repair has been performed.

Test frequency and timing must be aligned with the overall safety concept. Some applications allow a brief torque interruption during scheduled checks, while others require tests to run only during start-up or inside carefully defined safety windows. In all cases, the STO path must provide clear injection points and feedback signals so that the safety controller can script pulse checks, log results and enforce a reset procedure if any part of the chain fails to respond as designed.

  • Defines where and how to inject controlled disturbances into STO channels for testing.
  • Requires STO voters, comparators and isolation components to expose diagnostic hooks.
  • Ensures that failures discovered by pulse checks lead to latched faults and safe states.

Figure: STO pulse check and diagnostic flow. Diagram showing a safety controller injecting test pulses into STO channels, the STO chain reacting through isolators, comparators and a voter, and diagnostic feedback returning to the safety controller.

  • Safety controller: Safety PLC or safety relay · test sequence · pulse check, with the test pulse applied on STO_A / STO_B
  • Channel 1 path and channel 2 path: comparator 1 and comparator 2 (threshold · test input)
  • STO voter and latch: 2oo2 logic · discrepancy detect · fault latch · status outputs STO_OK and STO_FAULT
  • Diagnostic feedback to safety controller

Pulse check concept: The safety controller injects a controlled disturbance into at least one STO channel and expects the drive to assert STO, latch a fault and report the event. This confirms that the STO path from outputs through isolators, comparators and the voter remains effective.
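
The 2oo2 voter with discrepancy window and fault latch from the dual-channel voting section, together with the pulse check described in this section, as one added C model (not code from this page or from any drive vendor). The 10 ms window, the reset rule, the defective-voter case and all names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only: all names and the 10 ms window are assumptions. */
#define DISCREPANCY_WINDOW_MS 10u

typedef struct {
    bool     fault_latched;      /* STO_FAULT: held until a validated reset */
    bool     mismatch_active;    /* channels currently disagree */
    uint32_t mismatch_since_ms;  /* when the disagreement started */
} sto_voter_t;

typedef bool (*voter_step_fn)(sto_voter_t *, bool, bool, uint32_t);

typedef enum {
    PULSE_PASS = 0,
    PULSE_TORQUE_NOT_REMOVED,  /* STO_OK stayed high with one channel low */
    PULSE_FAULT_NOT_LATCHED,   /* discrepancy outlasted the window, no latch */
    PULSE_LATCH_NOT_HELD,      /* torque came back without a reset */
    PULSE_RESET_REJECTED
} pulse_result_t;

void sto_voter_init(sto_voter_t *v) {
    v->fault_latched = false;
    v->mismatch_active = false;
    v->mismatch_since_ms = 0;
}

/* One voter step; ch_a/ch_b are true when that channel validly permits
 * torque. Returns STO_OK, the torque permission for the gate-driver enable. */
bool sto_voter_step(sto_voter_t *v, bool ch_a, bool ch_b, uint32_t now_ms) {
    if (ch_a != ch_b) {
        if (!v->mismatch_active) {
            v->mismatch_active = true;
            v->mismatch_since_ms = now_ms;
        } else if (now_ms - v->mismatch_since_ms > DISCREPANCY_WINDOW_MS) {
            v->fault_latched = true;   /* disagreement outlasted the window */
        }
    } else {
        v->mismatch_active = false;
    }
    return ch_a && ch_b && !v->fault_latched;   /* 2oo2: both must permit */
}

/* Assumed reset rule: accepted only while both channels demand torque-off. */
bool sto_voter_reset(sto_voter_t *v, bool ch_a, bool ch_b) {
    if (ch_a || ch_b)
        return false;
    v->fault_latched = false;
    v->mismatch_active = false;
    return true;
}

/* Defective voter used as the negative case: behaves as 1oo2 for permission,
 * e.g. one comparator output stuck in the "permit" state. */
bool sto_voter_step_stuck(sto_voter_t *v, bool ch_a, bool ch_b, uint32_t now_ms) {
    (void)v; (void)now_ms;
    return ch_a || ch_b;
}

/* Pulse check as the safety controller would script it: drop STO_A only,
 * hold it past the window, then confirm torque-off, latch and reset. */
pulse_result_t sto_pulse_check(sto_voter_t *v, voter_step_fn step, uint32_t t0_ms) {
    uint32_t t = t0_ms;
    step(v, true, true, t);                       /* start from torque enabled */
    for (uint32_t i = 0; i < DISCREPANCY_WINDOW_MS + 2u; i++) {
        if (step(v, false, true, ++t))            /* STO_A low, STO_B high */
            return PULSE_TORQUE_NOT_REMOVED;
    }
    if (!v->fault_latched)
        return PULSE_FAULT_NOT_LATCHED;
    if (step(v, true, true, ++t))                 /* channel restored, no reset */
        return PULSE_LATCH_NOT_HELD;
    step(v, false, false, ++t);                   /* both channels demand STO */
    if (!sto_voter_reset(v, false, false))
        return PULSE_RESET_REJECTED;
    return PULSE_PASS;
}

int main(void) {
    sto_voter_t good, bad;
    sto_voter_init(&good);
    sto_voter_init(&bad);
    printf("healthy voter: %d\n", (int)sto_pulse_check(&good, sto_voter_step, 0));
    printf("stuck voter:   %d\n", (int)sto_pulse_check(&bad, sto_voter_step_stuck, 0));
    return 0;
}
```
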

Hardware gating & gate drive cutoff methods

Once the STO voter has decided that torque must be removed, the decision has to be enforced at a hardware point where motor current can no longer be driven. Several cutoff strategies are used in motion drives. Gate-drive level STO disables the IGBT or MOSFET gates by pulling driver enable signals low and clamping gate outputs to a safe state. Supply-level cutoff removes the local gate driver supply so that gates cannot be driven even if logic signals are incorrect. DC-link or main path cutoff uses contactors or solid-state switches to disconnect the power source from the drive.

Gate-drive cutoff is typically the primary STO mechanism because it reacts quickly and does not require cycling the entire DC-link. Safety-oriented gate drivers support dedicated enable pins, undervoltage lockout, fault latching and defined turn-off behaviour, so that loss of the STO_OK signal immediately forces all power devices into a non-conducting state. For higher safety levels, this approach is often combined with supply switches that can remove the gate-driver supply and with main path devices that disconnect the DC-link or segment the bus when a serious fault occurs.

Each cutoff point has characteristic failure modes and response times. A welded DC-link contactor may still allow current flow even if gate drivers attempt to turn devices off, while a stuck-high gate-enable signal can undermine a single-layer STO implementation. A robust STO design therefore treats hardware gating as a layered concept, combining fast gate-drive shutdown with supply and, where practical, DC-link cutoff. The architecture must bias every layer toward a torque-free default state if power, logic or control signals are lost.

  • Maps STO voter outputs into specific hardware points that block gate drive and motor current.
  • Compares gate-level, supply-level and DC-link cutoff strategies and typical use cases.
  • Encourages layered cutoff so that single faults cannot silently re-enable torque.

Figure: STO-controlled hardware gating and torque cut-off paths. Diagram showing STO voter outputs controlling gate-driver enable, gate-driver supply switches and DC-link cutoff devices, all feeding a power stage that drives the motor.

  • STO voter: 2oo2 logic · fault latch, with outputs STO_OK and STO_FAULT
  • Gate-driver enable logic: primary STO gating, feeding the gate driver (IGBT / MOSFET gates)
  • Gate-driver supply switch: redundant STO layer in the driver supply path
  • DC-link cutoff: contactor / solid-state switch between DC-link and drive; the main energy path can also be disconnected
  • Power stage: inverter bridge, driving the motor

Layered cut-off: STO primarily disables gate drive so that power devices cannot conduct. For higher safety integrity, additional layers cut the gate-driver supply and, where appropriate, disconnect the DC-link. Each layer is biased toward a torque-free state if power, logic or control signals are lost.

Certification targets & typical failure modes

The STO function is usually treated as a primary torque-removal safety function and is therefore assigned ambitious safety levels. Typical certification targets sit in the PL d to PL e range with Category 3 or Category 4 architectures, or SIL 2 to SIL 3 capable implementations under functional safety standards. The STO path must therefore behave as a well-defined safety function: trigger conditions, reaction, maximum response time and reset rules all need to be documented and aligned with the overall risk assessment.

Reaching these targets depends on more than simply providing an STO input. Dual-channel structures reduce the impact of single-point failures, diagnostic coverage turns potential dangerous faults into detected events and common-cause controls prevent both channels from failing in the same way. Self-test mechanisms and feedback paths allow dangerous failures to be detected within a bounded time. Hardware cutoff layers, from gate-drive disable to DC-link disconnection, add redundancy so that defects in one path cannot silently re-enable torque.

Along the STO signal chain several failure modes appear repeatedly: wiring open circuits and shorts that remove channel independence, isolation devices that age into stuck-on or stuck-off states, comparators whose thresholds drift, voting logic that no longer enforces 2oo2 behaviour and cutoff elements that weld or fail to open. Certification requires that these failure modes be understood, classified as safe or dangerous, and, where dangerous, either detected with sufficient coverage or mitigated by architectural measures.

  • Defines STO safety levels in terms of PL, Category and SIL targets for the drive.
  • Links dual-channel, diagnostic and cutoff layers to functional safety metrics.
  • Highlights typical failure modes along the STO path and their safety impact.

Figure: STO safety goals, architecture layers and failure modes. Diagram linking STO certification targets to architectural layers and typical failure modes along the wiring, isolation, comparator, voter, cutoff and feedback stages.

  • Safety goal & targets: STO as torque-removal safety function · PL d–e, Cat.3–4 · SIL 2–3 capable · defined trigger, reaction and reset
  • STO architecture layers: dual channels · isolation · comparators · voter with 2oo2 logic · hardware cutoff · self-test · diagnostic feedback (PL / SIL metrics depend on these layers)
  • Functional safety metrics: Category / structure · DC · MTTFd · PFH / PFD for the STO safety function, driven by design, diagnostics and tests

STO chain stages and typical failure modes:

  • Wiring. Typical failure: open circuit · short to 24 V / GND · cross-short. Safety risk: loss of channel independence. Mitigation: window thresholds · line monitoring.
  • Isolation. Typical failure: stuck-on / stuck-off · CTR drift · insulation breakdown. Safety risk: STO command no longer followed safely. Mitigation: safety-rated isolators · self-test.
  • Comparators. Typical failure: drifted thresholds · window lost · output stuck. Safety risk: faults seen as valid STO_OK. Mitigation: window design · diagnostic outputs.
  • Voter. Typical failure: 2oo2 logic lost · latch fails · internal short. Safety risk: discrepancy not detected. Mitigation: redundant logic · feedback monitoring.
  • Cutoff. Typical failure: welded contactor · stuck enable · shorted supply switch. Safety risk: torque path not interrupted. Mitigation: layered cut-off · current/voltage checks.
  • Feedback. Typical failure: broken STO_OK/FAULT feedback · test never runs. Safety risk: dangerous faults remain undetected. Mitigation: robust diagnostics · mandatory pulse checks.

Design checklist & IC mapping

A Safe Torque Off function is easiest to design and review when key questions are collected into a structured checklist and connected to concrete IC choices. The checklist side groups the STO design into safety targets, dual-channel structure, isolation and comparator thresholds, voter behaviour, self-test strategy, hardware cutoff layers and diagnostic feedback. The IC mapping side assigns suitable device classes to each block so that sourcing and architecture decisions stay aligned with the intended safety performance.

For each STO stage the design should confirm both architectural intent and device capability. Dual-channel inputs need wiring and PCB layouts that do not introduce hidden common-cause couplings. Isolation components must support the required working voltages and dv/dt with safety documentation available. Comparator and window stages should be configured so that open circuits, shorts and mid-level voltages fall into clearly defined fault windows. Voter logic and hardware gating elements must demonstrate fail-safe defaults and predictable behaviour under loss of power or loss of control signals.

Device selection then ties these requirements to specific IC roles: industrial input protection, high-CMTI isolators, precision or safety-oriented comparators, STO-capable gate drivers, high-side switches for driver supplies, contactor or solid-state DC-link switches and diagnostic I/O devices linking STO_OK and STO_FAULT back to the safety controller. Preference is usually given to components with safety manuals and FMEDA data so that functional safety calculations can reference manufacturer-provided failure-rate information.

  • Clarify STO safety target level and response time requirements.
  • Verify truly independent dual channels from safety outputs through the voter.
  • Specify isolation, comparator and window thresholds for fault detectability.
  • Define self-test injection points, test frequency and expected diagnostic feedback.
  • Map STO voter outputs to gate-level, supply-level and DC-link hardware cutoff.
  • Select ICs with appropriate safety documentation and diagnostic features.

Figure: STO design checklist and IC building blocks. Diagram pairing STO design checklist items with typical IC building blocks such as isolators, comparators, gate drivers, supply switches, DC-link devices and diagnostic I/O.

Design checklist themes:

  1. Safety target & response time
  2. Dual-channel interface & wiring
  3. Isolation & comparator thresholds
  4. Voter logic & fault latch
  5. Self-test & diagnostic feedback
  6. Hardware cutoff layers
  7. Safety documentation & FMEDA data

Typical IC building blocks:

  • Industrial 24 V input protection
  • High-CMTI optocouplers / isolators
  • Precision / window comparators
  • STO-capable gate drivers
  • High-side switches for driver supplies
  • DC-link contactors / solid-state switches
  • Diagnostic I/O and feedback isolators

Practical review prompts:

  • Do STO_A and STO_B remain independent from the safety controller outputs down to the voter inputs?
  • Are isolation, comparator and voter devices supported by safety manuals or FMEDA data where needed?
  • Is there a defined self-test that proves the STO path from outputs to torque cutoff on a regular basis?
  • Can STO_OK and STO_FAULT be traced back through diagnostic I/O to distinguish channel, voter and cutoff problems during commissioning and field maintenance?

STO – Frequently asked questions

1. When should STO in the drive be used instead of relying only on an external safety relay or contactor chain?
In most motion systems, STO inside the drive is the first choice whenever the goal is torque removal without forcing a complete mains shutdown. External safety relays and contactors stay in the circuit as additional layers or to disconnect higher-level supplies, but the fast and clean torque cutoff usually comes from the drive’s STO function.
2. How can the required PL or SIL level for the STO function be chosen for different machine risk categories?
The STO level follows from the overall risk assessment, not from the drive data sheet. After identifying hazards and estimating severity, exposure and avoidance, a target such as PL d/Cat.3 or PL e/Cat.4, or SIL 2 or SIL 3, is assigned. The drive STO design and documentation then need to support that target without optimistic assumptions.
3. What is the practical difference between a single-channel STO input with diagnostics and a fully dual-channel 2oo2 STO architecture?
A single-channel STO input with diagnostics can detect some wiring problems but still leaves many single-point failures as dangerous. A dual-channel 2oo2 architecture treats each path as independent, detects discrepancies between channels and latches faults. The dual-channel approach is normally required for higher PL/SIL targets and for applications with severe mechanical hazards.
4. How should STO_A and STO_B be wired between the safety controller and the drive to avoid hidden common-cause faults and nuisance trips?
STO_A and STO_B should run in separate cores with clear labelling, consistent polarity and suitable shielding, and should not share fuses or connectors that could fail both at once. Input networks and comparators must be configured so that open circuits and shorts create a defined fault condition, not a random logic level that causes nuisance trips or unsafe enables.
5. How are voltage thresholds and window levels chosen on STO input comparators so that open circuits and shorts are reliably detected?
Thresholds are chosen so that the normal on and off states sit safely inside separate voltage windows, while open circuits, shorts to 24 V and shorts to ground land in a dedicated “fault” window. Series and pull resistors, along with comparator hysteresis, are tuned together so that environmental noise does not blur the distinction between valid and fault states.
6. How often should STO pulse checks or test injections be run, and how can the test schedule avoid disrupting normal production cycles?
Pulse checks should run often enough to keep diagnostic coverage aligned with the safety calculation, but not so often that they interrupt production unnecessarily. Start-up tests, scheduled checks during natural idle periods and tests on one axis at a time are common strategies. The test concept must be documented and linked to the stated PL or SIL target.
7. What kind of commissioning tests are needed to prove that STO actually removes torque within the required stopping time on a real machine?
Commissioning typically includes worst-case tests where the axis runs at defined speed and load while STO is triggered at a known point. Encoders, torque sensors or current profiles confirm that torque and motion decay within the specified time. These results, together with STO timing data from the drive, are stored as evidence in the safety file for the machine.
8. How should the hardware cutoff strategy be chosen between gate-enable only, gate-driver supply cutoff and DC-link disconnection for different power levels?
At lower power levels, gate-enable STO with a safety-oriented gate driver is often sufficient when combined with self-tests and feedback. As energy and risk increase, an additional layer that removes the driver supply and, in some designs, a DC-link contactor or solid-state switch is added so that welded devices or stuck enable signals cannot silently keep torque available.
9. Which failure modes, such as welded contactors, stuck-high enables or broken feedback lines, have to be explicitly covered in the STO safety case?
The STO safety case normally lists welded DC-link contactors, stuck-high gate enables, shorted driver supplies, failed isolation channels, comparators stuck in STO_OK and broken STO_OK or STO_FAULT feedback lines as explicit failure modes. For each one, the documentation explains whether it is detected, rendered safe by architecture or covered by periodic tests and maintenance procedures.
10. What criteria should be used when selecting isolators, comparators and gate drivers so that STO design is supported by safety manuals and FMEDA data?
Suitable devices for STO usually provide safety manuals, FIT rates and FMEDA data, along with clear descriptions of failure modes and diagnostic hooks. When comparing options, priority goes to isolators with appropriate insulation ratings, comparators with stable thresholds and gate drivers that include dedicated STO or enable pins, defined fail-safe behaviour and documented use cases in safety-related drives.
11. How can STO be added to an existing drive platform with limited PCB changes while still meeting dual-channel and diagnostic requirements?
When retrofitting an existing drive, the cleanest route is often to introduce a dedicated STO interface block that receives dual-channel signals, implements isolation, comparators and voting, and then drives the existing gate-enable and cutoff points. Diagnostic feedback, self-test capability and documented behaviour must be added at the same time so that the upgraded platform can be analysed as a complete STO chain.
12. How should STO be coordinated with other safety functions such as SS1, SS2 or safe brake control so that overall behaviour remains predictable and safe?
STO is usually treated as the torque-removal foundation that other safety functions build on. SS1 and SS2 use controlled deceleration or speed supervision before STO is applied, while safe brake control manages mechanical holding. The sequence, timing and interlocks between these functions are defined in the safety requirements so that every path to a stop ends with STO and a clear, torque-free state.