
STO Safe Torque Off for Industrial Robot Drives


This page explains how to plan and implement Safe Torque Off in robot drives so torque is reliably removed when required, not just when main power is cut. It brings together system roles, wiring, self-tests, IC selection and layout/EMC practices so STO channels meet their SIL/PL targets without hidden single-point or common-cause failures.

What this page solves

This section clarifies when Safe Torque Off (STO) is required in industrial robot drives, instead of relying only on normal enable signals or an E-Stop that simply cuts power. It focuses on the drive and power-stage side, where torque must be removed in a controlled and verifiable way.

Readers are guided on what to look for in drive datasheets and functional safety manuals: dual-channel STO input structures, EDM feedback, declared PFHd and PL/SIL capability, and which safety functions are integrated in the drive versus delegated to an external safety PLC or safety relay.

The content also provides a checklist that links system-level safety decisions to circuit-level implementation. It traces the path from the safety controller through dual STO channels, isolation barriers and safe power removal, down to the gate driver and DC-link path that actually removes torque from the motor.

Safety PLC architecture, detailed risk assessment methods and motion-control algorithms are handled by other pages in this cluster. Here, the focus stays on the STO path inside the drive and how it interfaces with the rest of the robot safety system.

[Figure: STO in the drive safety path. Block diagram showing a safety PLC or relay sending dual STO channels into an STO function block with isolation, which then disables the drive power stage and removes torque from the motor.]
STO sits between safety controller decisions and the drive power stage, turning dual STO channels into a verified, isolated removal of torque at the motor.

Where STO sits in the robot safety architecture

This section positions Safe Torque Off within a complete robot cell safety architecture. It shows how light curtains, safety interlock switches, E-Stop buttons, safety relays and safety PLCs work together, and where the STO function inside the drive fits in that chain.

STO is presented as a drive-side function that guarantees “no torque at the motor” when a safety stop is demanded. It is not an E-Stop button by itself and not a replacement for safety logic in the PLC. Instead, it is the final execution layer that translates a safety decision into a hardware-enforced torque removal.

The diagram and text distinguish STO from a simple zero-speed command, from opening the main contactor and from higher-level safety functions such as SS1, SS2 or SOS. Those advanced functions and safety logic structures belong to the safety controller and multi-axis drive topics, while this page concentrates on the STO role and its interface to the drive.

Detailed risk assessment methods, SIL/PL allocation and internal PLC structures are not covered here. They are handled on dedicated Safety PLC and system safety pages, to keep the STO discussion focused on the drive-level implementation.

[Figure: STO inside the robot cell safety chain. Robot cell safety devices (light curtains and safety scanners, guard doors and interlocks, E-Stop push-buttons, other safety inputs) feed into a safety PLC or relay, which issues a safety stop command through dual STO channels. STO then disables the drive power stage and removes torque at the motor.]
STO is the drive-side execution point in the robot safety chain, converting a safety stop decision from the controller into verified torque removal at the motor, alongside but distinct from main contactor power removal.

Typical STO implementation in a servo / drive

In a practical industrial robot drive, Safe Torque Off is not just a single input pin. It is a complete channel that runs from dual safety inputs through voting logic, isolation and drive-side execution, before finally reporting back to the safety controller. A typical STO implementation can be broken into five functional blocks: safety input interface, safety logic and comparators, isolation boundary, execution elements at the gate driver and power rails, and a feedback path such as EDM or safe-status outputs.

The safety input interface receives two independent STO channels from a safety PLC, safety relay or combined guard system. Each channel is treated as a separate signal path, with its own terminal, current limiting, surge protection and basic filtering. This separation at the connector and PCB level is critical; it prevents one component, wire or solder joint from becoming a single point of failure that defeats both STO inputs at once.

Behind the input interface, safety logic and comparators implement the core STO decision. Dual channels are interpreted with a voting scheme such as two-out-of-two, so both paths must be in a healthy “enable” state before the drive is allowed to produce torque. The logic monitors for disagreement, timing violations and stuck-on or stuck-off conditions. This function can be realized with a safety microcontroller, a dedicated safety logic IC or a safety gate driver that combines digital logic with analogue comparators and reference thresholds.

At the isolation boundary, digital isolators or optocouplers separate the safety domain from the power and gate-drive domain. These devices must withstand the creepage distances, surge levels and common-mode noise associated with the DC-link and motor phases. The STO path depends on this isolation barrier to keep drive-side faults from propagating into the safety logic while still transferring an unambiguous “allowed / not allowed” signal and a reliable diagnostic status in the opposite direction.

The execution block is where torque is actually removed. Common strategies include disabling gate driver outputs, cutting gate-driver or isolated DC-DC supply rails through eFuses or smart high-side switches, and opening controlled power paths that feed the inverter. In many designs these mechanisms are combined, so that the absence of PWM, the loss of drive supply and monitored reductions in DC-link or phase current all contribute to a verifiable “no torque” state at the motor shaft.

Finally, an EDM or safe-status feedback path reports STO execution to the safety controller. This status is typically isolated back into the safety domain and is monitored alongside other safety inputs. The robot cell safety concept relies on this return signal to confirm that torque has been removed where intended, rather than assuming that a logic command has been obeyed. Motor-control algorithms, FOC loops and velocity profiles sit on top of this structure and are treated as separate design topics.

[Figure: STO channel inside a robot drive. Block diagram showing dual safety inputs feeding STO safety logic and comparators, passing through an isolation barrier to gate drivers and power switches, with EDM feedback returning to the safety controller.]
Typical STO implementation splits into safety inputs, safety logic and comparators, an isolation barrier, execution at gate drivers and power rails, and EDM feedback towards the safety controller.

Dual enable chains & voting

The concept of dual enable chains is central to the safety performance of STO. Two independent input channels, typically labelled STO_A and STO_B, are routed from the safety PLC or relay through separate connectors, components and PCB tracks into the drive. Each channel is treated as an independent path, with its own front-end and protection devices, so that a single hardware fault cannot silently defeat the entire torque-off function.

Inside the drive, the two channels are conditioned by input filters and then combined by a voting function. In many robot applications the STO decision uses a two-out-of-two scheme: both STO_A and STO_B must indicate “enable” before the drive is allowed to generate torque. If either channel detects an open circuit, a short to supply or ground, or an inconsistent state during a safety event, the voting block forces a safe output that disables the drive. This behaviour assumes that failure leads toward a safe state, not a hidden “always on” condition.

The voting and diagnostics logic may be implemented in a safety microcontroller, in a dedicated safety gate driver or in hardened discrete logic. Beyond simple AND gates, it typically monitors timing, detects illegal state combinations and supervises its own supply and internal watchdog. Any internal fault should collapse the STO_OK signal that feeds the gate drivers and power switches, even if the external STO inputs appear healthy.

Input filtering and wiring scenarios must be analysed together with the voting scheme. Filters must reject noise and contact bounce without extending the overall safety reaction time beyond limits. At the same time, the design must consider realistic fault cases: one channel shorted to 24 V, the other shorted to 0 V, cross-short between STO_A and STO_B, or a channel that never toggles during service life. Diagnostic coverage depends on the ability to expose and detect these failures under test pulses and normal operation.

Safety PLCs often apply periodic test pulses to their outputs to reveal wiring and channel faults. The drive-side STO input structure must recognise these pulses, tolerate them without nuisance trips and still use them as opportunities to confirm that both channels are alive and independent. Detailed proof-test strategies and coverage calculations are discussed in a later section on self-test injection; this section concentrates on how dual enable chains and voting logic shape the architecture of the STO path.

[Figure: Dual STO channels and voting. Block diagram showing STO_A and STO_B passing through input filters to a voting and diagnostics block that generates an STO_OK signal for gate drivers and power switches.]
Dual STO channels STO_A and STO_B are filtered, combined by 2oo2 voting and diagnostics, and reduced to one STO_OK signal that controls the drive’s gate drivers and power switches.

Isolated drive paths and safe power removal

Safe Torque Off in a robot drive does not end at a digital enable signal. The STO decision must cross an isolation barrier into the power domain and then be translated into concrete actions that remove torque. Those actions usually target the gate drivers, the isolated supplies that feed them and specific sections of the DC-link or phase supply. The structure of these isolated drive paths is a major factor in how robustly the drive satisfies functional safety requirements.

Isolation is normally achieved with digital isolators, optocouplers or gate drivers that include integrated isolation. The barrier separates the low-energy safety logic domain from the noisy, high-voltage power domain, while still passing a clear STO_OK signal and any diagnostic information. Device creepage, surge immunity and common-mode transient immunity must be adequate for the DC-link and motor voltages used in the robot cabinet, otherwise a power-side fault can corrupt the safety decision or hold a gate driver in an undefined state during a fault.

Once the STO_OK signal crosses the isolation boundary, the drive must implement safe power removal at several levels. The most immediate action is to disable gate driver outputs so that PWM patterns stop reaching the power transistors. In parallel, many architectures cut gate-driver or isolated DC-DC supply rails using eFuses or smart high-side switches, so that even if logic errors occur, the drivers cannot continue switching. At higher power levels, controlled branch switches on the DC-link or motor-side supply provide an additional means of eliminating energy flow into the inverter.

Functional safety standards emphasise “no torque at the motor shaft” rather than a generic “power off” condition because an indiscriminate power cut does not always guarantee a safe outcome. A robot may still hold a suspended load, contain hot tooling or depend on a controlled deceleration path. STO-oriented safe power removal therefore concentrates on disabling the drive’s ability to generate electromagnetic torque while allowing higher-level safety functions or motion controllers to handle deceleration and sequencing where required.

In many installations, a main contactor upstream of the drive is still mandatory as a final isolation and maintenance means. That contactor and its wiring belong to the safety relay and E-Stop concept and are addressed on dedicated pages. The STO path in the drive is designed to achieve a verified torque-free condition even when the main contactor remains closed, and to provide diagnostic information that supports decisions about when a full power isolation is necessary.

From a component perspective, the isolated drive paths around STO typically involve isolated gate drivers with STO or enable inputs, isolated DC-DC converters for gate supplies, eFuses or smart high-side switches for controlled supply removal, and current-sense stages combined with threshold comparators. These elements provide clear hook points for brand mapping and device selection, while keeping the function split between drive-level execution and system-level contactor control.

[Figure: Isolated STO paths and safe power removal. Diagram showing STO_OK crossing an isolation barrier and feeding multiple actions: gate driver disable, driver supply cut-off and DC-link branch switching, with an upstream main contactor shown as a higher-level safety element.]
Isolated STO paths transfer STO_OK into the drive’s power domain and coordinate gate-driver disable, supply cut-off and DC-link branch switching, while higher-level contactors provide system power isolation in separate safety functions.

Threshold comparators & diagnostics

A Safe Torque Off signal is only meaningful if torque and energy in the drive actually fall into a defined safe region. Threshold comparators and diagnostic functions provide the evidence that this has happened. They observe key voltages and currents around the inverter and gate drivers and compare those quantities to reference levels that represent safe conditions. The resulting status feeds back into the safety concept through EDM contacts, safe-status lines or digital interfaces.

Gate-driver supplies are one primary monitoring point. A comparator and voltage reference can be used to verify that driver VDD has dropped below a threshold where the power devices can no longer be switched. If STO logic indicates that the drive is disabled but the gate supply remains in its normal operating window, the comparator output flags a discrepancy that should be reported as a fault. Similar checks can be applied to isolated DC-DC rails feeding high-side drivers and level-shift circuits.

DC-link voltage and phase currents are additional targets for threshold-based supervision. A dedicated sensing path can confirm that the DC-link has decayed into a safe band within the specified time after an STO event. On the current side, shunt-based current-sense amplifiers or integrated sense FETs can feed comparators that check for unexpected current pulses when torque is supposed to be off. Persistent current after STO may indicate gate driver failure, device short circuits or unintended current paths that must be diagnosed before the robot is returned to service.

Comparator outputs are typically combined with reference voltages and timing windows to implement more nuanced diagnostics. For example, a design may allow a defined period for DC-link discharge or motor current decay, then treat any remaining activity as a fault. Comparators can be arranged to provide both real-time digital status and sampled values for a safety microcontroller to interpret. In every case, the thresholds and delays must be aligned with the safety limits used in the risk assessment for the robot application.

The resulting diagnostic information needs a clear path back to the safety controller. Safe-status signals can be isolated and routed to a safety PLC input, or translated into an EDM relay contact that mirrors the health of the STO execution path. In more integrated drives, a safety microcontroller aggregates comparator flags, timestamps events and reports them through a safety-rated communication channel to the higher-level controller, allowing it to distinguish between commanded stops, STO execution failures and hardware degradation.

Proper logging of these diagnostics is part of the overall safety case. Parameters such as “STO commanded but current not zero within the allowed time”, “gate supply did not collapse as expected” or “one phase shows residual current after STO” can be recorded with cause codes. These records support failure analysis, maintenance planning and the quantitative calculations required for SIL or PL compliance. Temperature, repetition count and duration of abnormal conditions can also be tracked, with deeper analysis and pattern recognition handled on dedicated condition monitoring and predictive maintenance pages.

[Figure: Threshold comparators and diagnostics. Diagram showing gate supply, DC-link voltage and phase current feeding comparators with reference levels, whose outputs drive a diagnostics and logging block and safe-status feedback towards a safety PLC.]
Threshold comparators watch gate-driver supplies, DC-link voltage and phase current, feeding diagnostics, logging and safe-status outputs so the safety controller can confirm that STO has achieved a safe, torque-free state.
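
One way a safety microcontroller could turn the comparator checks and timing windows described above into latched cause codes and a safe-status flag, as an added C example that is not taken from this page's sources or from any drive's firmware. All thresholds, window lengths and names are assumptions, and the sample in main() is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumed limits for illustration; real values come from the risk assessment. */
#define VDD_OFF_MV       3000u  /* gate supply below this cannot switch devices */
#define VDD_WINDOW_MS    5u     /* time allowed for the gate supply to collapse */
#define I_ZERO_MA        200    /* |phase current| below this counts as zero    */
#define I_WINDOW_MS      50u    /* time allowed for motor current to decay      */
#define DCLINK_SAFE_V    60u    /* DC-link below this is inside the safe band   */
#define DCLINK_WINDOW_MS 2000u  /* time allowed for DC-link discharge           */

enum {                          /* cause codes, one bit each */
    CAUSE_GATE_SUPPLY_HIGH = 1u << 0,
    CAUSE_DCLINK_HIGH      = 1u << 1,
    CAUSE_CURRENT_PHASE_U  = 1u << 2,
    CAUSE_CURRENT_PHASE_V  = 1u << 3,
    CAUSE_CURRENT_PHASE_W  = 1u << 4
};

typedef struct {
    uint32_t t_ms;          /* time since STO was commanded */
    uint16_t vdd_mv;        /* gate-driver supply           */
    uint16_t dclink_v;      /* DC-link voltage              */
    int16_t  phase_ma[3];   /* phase currents U, V, W       */
} sto_sample_t;

typedef struct {
    uint8_t  causes;         /* latched cause codes                       */
    uint32_t first_fault_ms; /* timestamp of the first latched cause      */
    bool     safe_confirmed; /* would drive the EDM / safe-status output  */
} sto_diag_t;

/* Evaluate one sample taken after the STO command. A quantity still outside
 * its safe band after its window has expired latches a cause code; the
 * safe-status flag is only set when nothing is latched and every monitored
 * quantity is inside its safe band. */
void sto_diag_update(sto_diag_t *d, const sto_sample_t *s)
{
    bool vdd_high = s->vdd_mv >= VDD_OFF_MV;
    bool dc_high = s->dclink_v >= DCLINK_SAFE_V;
    bool any_current = false;
    uint8_t now = 0;

    if (vdd_high && s->t_ms > VDD_WINDOW_MS)
        now |= CAUSE_GATE_SUPPLY_HIGH;
    if (dc_high && s->t_ms > DCLINK_WINDOW_MS)
        now |= CAUSE_DCLINK_HIGH;
    for (int ph = 0; ph < 3; ph++) {
        bool flowing = abs(s->phase_ma[ph]) >= I_ZERO_MA;
        if (flowing)
            any_current = true;
        if (flowing && s->t_ms > I_WINDOW_MS)
            now |= (uint8_t)(CAUSE_CURRENT_PHASE_U << ph);
    }
    if (now != 0 && d->causes == 0)
        d->first_fault_ms = s->t_ms;    /* keep the earliest timestamp */
    d->causes |= now;
    d->safe_confirmed = d->causes == 0 && !vdd_high && !dc_high && !any_current;
}

int main(void)
{
    /* Constructed sample: gate supply still at 12 V, 6 ms after the STO command. */
    sto_diag_t d = {0};
    sto_sample_t s = { 6u, 12000u, 600u, { 0, 0, 0 } };
    sto_diag_update(&d, &s);
    return d.causes == CAUSE_GATE_SUPPLY_HIGH ? 0 : 1;
}
```

Because cause codes stay latched, a drive that eventually reaches the safe band after missing a window still reports the failure rather than a clean safe status.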

Self-test injection & periodic proof test

Safe Torque Off is a safety function that must remain effective throughout the life of a robot cell, not just during certification. Self-test injection and periodic proof tests are the mechanisms used to demonstrate that the STO channel still behaves as designed. They exercise the dual STO inputs, voting logic, isolation paths, execution hardware and diagnostic comparators in controlled ways so latent faults do not accumulate unnoticed between service intervals or software updates.

During power-up self-test, the drive-side safety logic forces the STO channel through a set of known combinations. The two STO inputs are driven into defined ON/OFF patterns, including states where only one channel is active, to confirm that the voting logic enforces the chosen 2oo2 or equivalent scheme. At the same time, comparators, isolation channels and gate-driver control paths are stimulated so that each internal block proves it can respond, report status and fall back to a safe state when commanded. These sequences are normally documented in the safety manual with associated diagnostic coverage and maximum undetected fault times.

Once the system enters normal operation, online test mechanisms take over. Safety PLC outputs may superimpose short test pulses on STO_A and STO_B, with timing and amplitude chosen so that they do not cause a visible stop but still exercise wiring and input stages. The drive’s STO input filters and voting logic are expected to recognise these pulses, tolerate them without nuisance trips and use them to update channel health flags. Additional online tests can alternately force one STO channel into the safe state during production pauses, confirming that each path individually can still shut down torque and raise the appropriate diagnostics.

From a project and integration perspective, the safety manual of a drive should clearly state which self-tests are built in, which tests require coordination with the safety PLC and what impact these tests have on machine uptime. Power-on self-tests may require a short period before axes are released. Online test pulses are typically designed to be transparent to the motion control, but any test that forces a real STO reaction needs a defined maintenance or pause window. The safety manual should also give recommended proof-test intervals and explain how failing to observe those intervals affects PFHd, diagnostic coverage and overall SIL or PL claims for the STO function.

At system level, the integrator needs to schedule proof tests into the production plan. This means reserving time windows during shift changes, product changeovers or planned maintenance where STO channels can be exercised deliberately, including forced disconnection of individual STO inputs and verification of response. The results of these tests, together with comparator flags and event timestamps, feed into the safety case and maintenance strategy, ensuring that the STO path retains the diagnostic quality originally assumed in the functional safety calculations.

[Figure: Self-test injection and proof tests. Diagram showing power-on self-test, online test pulses and scheduled proof tests exercising the STO inputs, voting logic, isolation and execution hardware, with diagnostics feeding back to the safety PLC.]
Power-on self-tests, online test pulses and scheduled proof tests exercise the STO path from inputs through isolation and execution hardware, with diagnostics fed back to the safety controller for logging and maintenance planning.
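
The 2oo2 voting, test-pulse filtering and discrepancy supervision from "Dual enable chains & voting", together with the power-on pattern check and online test-pulse supervision described in this section, sketched in C as an added example (not code from this page or from any drive vendor). The 1 ms tick, the three timing constants and all names are assumptions; the self-test exercises the voting logic only, not the isolation or gate-driver hardware.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed timing in 1 ms ticks; real limits come from the drive's safety manual. */
#define PULSE_MAX_TICKS   2u     /* a low period up to this long is a test pulse    */
#define DISCREPANCY_TICKS 10u    /* A/B may disagree this long before a fault       */
#define PULSE_TIMEOUT     1000u  /* an enabled channel must show a pulse this often */

typedef enum {
    STO_FAULT_NONE = 0,
    STO_FAULT_DISCREPANCY,    /* channels disagreed for too long            */
    STO_FAULT_NO_TEST_PULSE   /* enabled channel never toggled (stuck high) */
} sto_fault_t;

typedef struct {
    uint16_t low_ticks[2];    /* consecutive low samples per channel        */
    uint16_t since_pulse[2];  /* ticks since the last completed test pulse  */
    uint16_t disagree_ticks;  /* consecutive ticks with filtered A != B     */
    sto_fault_t fault;        /* latched until the voter is re-initialised  */
} sto_voter_t;

void sto_voter_init(sto_voter_t *v)
{
    for (int ch = 0; ch < 2; ch++) {
        v->low_ticks[ch] = PULSE_MAX_TICKS + 1u;  /* power up in the safe state */
        v->since_pulse[ch] = 0;
    }
    v->disagree_ticks = 0;
    v->fault = STO_FAULT_NONE;
}

/* Per-channel input filter: returns true while the channel counts as "enable". */
static bool filter_channel(sto_voter_t *v, int ch, bool raw_high)
{
    if (raw_high) {
        /* A low period of 1..PULSE_MAX_TICKS that just ended was a test pulse. */
        if (v->low_ticks[ch] >= 1u && v->low_ticks[ch] <= PULSE_MAX_TICKS)
            v->since_pulse[ch] = 0;
        else if (v->since_pulse[ch] < UINT16_MAX)
            v->since_pulse[ch]++;
        v->low_ticks[ch] = 0;
        return true;
    }
    if (v->low_ticks[ch] < UINT16_MAX)
        v->low_ticks[ch]++;
    if (v->low_ticks[ch] > PULSE_MAX_TICKS) {
        v->since_pulse[ch] = 0;   /* real demand: pulse supervision restarts */
        return false;
    }
    return true;                  /* still short enough to be a test pulse   */
}

/* Call once per tick with the raw STO_A / STO_B levels; returns STO_OK. */
bool sto_voter_step(sto_voter_t *v, bool raw_a, bool raw_b)
{
    bool a = filter_channel(v, 0, raw_a);
    bool b = filter_channel(v, 1, raw_b);

    if (a != b) {
        if (v->disagree_ticks < UINT16_MAX)
            v->disagree_ticks++;
        if (v->disagree_ticks > DISCREPANCY_TICKS && v->fault == STO_FAULT_NONE)
            v->fault = STO_FAULT_DISCREPANCY;
    } else {
        v->disagree_ticks = 0;
    }
    if (a && b && v->fault == STO_FAULT_NONE &&
        (v->since_pulse[0] > PULSE_TIMEOUT || v->since_pulse[1] > PULSE_TIMEOUT))
        v->fault = STO_FAULT_NO_TEST_PULSE;

    return a && b && v->fault == STO_FAULT_NONE;   /* 2oo2, and no latched fault */
}

/* Power-on pattern check on the voting logic only: from an enabled state, hold
 * each A/B combination past the blanking time; only A=1, B=1 may give STO_OK. */
bool sto_power_on_selftest(void)
{
    for (int p = 0; p < 4; p++) {
        bool a = (p & 1) != 0, b = (p & 2) != 0, ok = false;
        sto_voter_t v;
        sto_voter_init(&v);
        (void)sto_voter_step(&v, true, true);
        for (unsigned t = 0; t <= PULSE_MAX_TICKS; t++)
            ok = sto_voter_step(&v, a, b);
        if (ok != (a && b))
            return false;
    }
    return true;
}

int main(void)
{
    return sto_power_on_selftest() ? 0 : 1;
}
```

The blanking time adds PULSE_MAX_TICKS to the reaction time of a real demand, which is the trade-off between test-pulse tolerance and safety reaction time that the input filter has to respect.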

IC selection map for STO channels

Once the STO architecture is clear, component selection becomes a question of assigning suitable IC types to each functional block. A structured IC selection map helps design engineers, integrators and procurement teams see where safety MCUs, safety gate drivers, digital isolators, comparators, references, eFuses and supervisors fit along the STO path. The same map also provides anchor points for brand and family mapping during later sourcing and value-engineering discussions.

At the heart of the STO logic, a safety microcontroller or safety gate driver implements dual-channel voting, self-test routines and STO_OK generation. Devices in this category often come with a safety manual, FMEDA and reference designs that describe how to achieve the claimed SIL or PL. Selection criteria include built-in lockstep cores or diagnostic mechanisms, the availability of certified software libraries and the ease of interfacing with STO_A and STO_B signals and with downstream gate drivers and comparators.

Between the safety logic and the drive power stage, digital isolators or gate drivers with integrated isolation transfer STO_OK, safe-status and diagnostic signals. When stand-alone digital isolators are used, the selection focuses on insulation ratings, common-mode transient immunity and propagation delay in the context of the inverter switching pattern. When isolated gate drivers are chosen, STO and enable pins, fault reporting outputs and the ability to support coordinated power removal strategies become equally important selection factors.

On the monitoring side, comparators and voltage references form the core of the threshold detection scheme. They supervise gate-driver supplies, DC-link voltages and phase currents against defined safety thresholds. Comparator and reference selection must consider accuracy, drift, response time and input common-mode range. Current-sense amplifiers and shunt interfaces that feed these comparators are part of the motor current and temperature monitoring topic and can be cross-referenced from that area when building a complete parts list for the drive.

For safe power removal, eFuses and smart high-side switches define how quickly and cleanly driver and auxiliary supplies can be cut. Selection factors include continuous and peak current ratings, short-circuit behaviour, thermal performance and the type of fault signalling supported. Supervisors and reset ICs complement this picture by monitoring logic and driver supplies, forcing the STO path into a safe state when voltages fall outside defined ranges and coordinating restart behaviour after interruptions or brown-outs.

Safety PLC CPUs and central safety controllers are deliberately excluded from this map, because their selection belongs to system-level safety controller pages. The STO IC selection map focuses on the drive-level components that directly implement and monitor torque removal: safety MCUs or gate drivers, isolation devices, comparators and references, eFuses and high-side switches, and supervisors. These are the hook points where device families can later be mapped against brands, temperature grades, packaging options and long-term availability.

[Figure: IC selection map for the STO channel. Map showing the STO path from safety logic through isolation to gate drivers, comparators, eFuses and supervisors, with each block labelled by IC type for selection and sourcing; Safety PLC CPUs are handled separately.]
The IC selection map shows how safety MCUs or gate drivers, digital isolators, gate drivers, comparators and references, eFuses, high-side switches and supervisors align with the STO channel, providing clear hook points for device and brand mapping.

Layout, grounding & EMC tips for STO paths

A Safe Torque Off channel that looks clean in a block diagram can still fail in the field if layout, grounding and EMC details are weak. STO_A and STO_B need physical separation, dedicated return paths and careful routing around noisy power circuitry. Isolation devices, gate drivers and surge filters must be placed so that high dv/dt and long cable runs do not turn safety lines into unintended antennas or introduce common-cause failures between the two channels.

On the PCB, dual STO channels should be treated as independent nets, not as a single trace that splits near the input connector. Each channel benefits from its own routing path, via set and reference-plane return, so that no single necked segment or shared via can silently defeat both. Long parallel runs between STO_A and STO_B increase capacitive and inductive coupling, so generous spacing and, where possible, different layers or routes are preferred. Underneath these traces, continuous reference planes without slots or splits help keep loop area small and reduce susceptibility to coupled noise.

Isolation devices and gate drivers define the boundary between the safety logic domain and the drive power domain. Placing digital isolators or isolated gate drivers along a clear domain boundary simplifies creepage management and visual inspection. Around these devices, PCB slots and keep-out regions can be used to increase creepage distance in accordance with system voltage and pollution degree. High dv/dt nodes such as half-bridge switch nodes, snubber loops and bootstrap circuits should be kept away from STO-related pins and traces to avoid injecting noise into enable or STO inputs through parasitic capacitances.

External STO and E-Stop signals often travel through long cables across the machine, where they pick up conducted and radiated noise, surge events and ESD strikes. At the drive input, these lines should pass through a dedicated protection and filter stage located close to the connector. Surge protection elements such as TVS diodes, series resistors and RC low-pass networks reduce stress on downstream logic while shaping fast edges into waveforms that are easier to discriminate from noise. Dual-channel architectures benefit when each STO input has its own filter components, rather than sharing a single RC element, so that one damaged filter component cannot disable both channels at once.

Grounding and shielding strategies around STO lines should reflect their safety-critical nature. Shielded multi-core cables with single-point bonded shields at the control-cabinet end help reduce interference. Within the drive, STO channel returns should reference the logic or safety-earth plane rather than high-current power returns, and crossovers between digital and power ground regions should be minimised. Where multiple ground regions are necessary, the isolation barrier marks the intentional separation, and any stitching connection should be placed and dimensioned so that high-frequency currents from power stages do not flow through STO-related reference nodes.

Self-test injection and periodic test pulses add an EMC dimension of their own. Test pulses need edges sharp enough for reliable detection, yet not so steep or frequent that they dominate the radiated or conducted emission profile. Routing these signals over short, well-referenced traces with controlled edge rates and avoiding unnecessary loops keeps emissions under control. During EMC testing, it is useful to capture spectra with and without test injection enabled, so that emission peaks attributable to self-tests can be measured and, if needed, mitigated through small adjustments in pulse timing, filter values or layout. This combination of routing, grounding and EMC practice strengthens the STO path against both noise and latent layout-induced faults.

Figure: PCB layout view of STO routing, isolation and EMC measures. Top-level board layout showing the safety/logic area, an isolation corridor and the drive/power area, with dual STO lines, cable-entry filters, isolation devices and power stages marked to highlight routing separation, creepage and EMC measures.
A board-level view with separated STO_A / STO_B routing, cable-entry filtering, a defined isolation corridor and a drive power area helps bind layout, grounding and EMC practices into a robust STO implementation.


STO FAQs for planning, wiring and safety validation

These questions capture the main decisions and pitfalls around Safe Torque Off in industrial robot drives: when STO is required, how to interface dual channels, how to combine STO with other safety functions and how to demonstrate SIL or PL compliance through testing, diagnostics and documentation.

1. When does STO become mandatory instead of only cutting main power via E-Stop?

STO becomes essential whenever loss of torque must be guaranteed even if software crashes, contactors weld or someone bypasses a normal enable. Typical triggers include collaborative or close-range operation, suspended loads, high potential energy, long stopping times and any application claiming SIL2/PL d or above for motion stopping as defined in the risk assessment.

2. How to choose between a drive with built-in STO and an external STO implementation?

A drive with built-in STO simplifies certification and wiring, because the STO path, diagnostics and safety manual are integrated. External STO allows reuse of legacy drives and custom power architectures but shifts responsibility for SIL/PL proof, wiring and proof testing to the system integrator. Projects with tight time and certification budgets typically prefer integrated STO drives.

3. What wiring precautions are needed when connecting dual STO channels to a Safety PLC or safety relay?

Dual STO channels should use separate terminals, separate cores in the cable and, where possible, separate routes in the cabinet. Shared contacts, jumpers or terminal bridges undermine redundancy and create common-cause failures. Cable shields, test pulse compatibility, correct polarity and clear labelling are also important so that commissioning, maintenance and troubleshooting remain unambiguous.

4. In multi-axis systems, should every servo axis include its own STO channel?

In multi-axis robots and gantries, each axis that can generate hazardous motion usually needs its own STO path or participation in a group STO concept. Independent STO per axis enables selective torque removal, for example leaving gravity-compensation or clamping active. Group STO, when justified, must still respect segregation between axes and avoid hidden coupling in power or control wiring.

5. What is the correct way to use STO alongside SS1, SS2 or SOS safety functions?

STO is the end state that removes torque, while SS1 and SS2 provide controlled deceleration and SOS holds a defined speed or position. A typical sequence is SS1 to brake safely within limits, followed by STO once speed is low or zero. STO should always be available as the final torque-off layer even if higher-level safety functions handle normal stopping.

6. How can STO test coverage be shown to meet the required SIL or PL target?

STO test coverage is demonstrated by combining device FMEDA data, the drive’s safety manual and a system-level analysis of self-tests and proof tests. The documentation should describe which faults are detected, by which mechanism, within what time and how remaining undetected faults contribute to PFHd. Third-party assessment reports and type approvals strengthen evidence.

7. What diagnostic faults can prevent STO from reliably removing torque?

Typical STO-related diagnostic faults include welded or shorted power devices, gate drivers that ignore disable commands, gate-supply rails that never collapse, DC-link voltage that stays above the safe window and residual phase current after STO. Broken or bridged STO lines, failed comparators and failed self-test routines also weaken the safety function and must be monitored.
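The checks named in this answer (bridged or broken STO lines, a gate-supply rail that never collapses, residual phase current after STO) can be combined into one monitor routine. The following C code is an added example, not code from this page or from any drive vendor; the type and function names and all thresholds are assumed values, and it does not cover the DC-link check.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed example limits; real values come from the drive's safety manual. */
#define DISCREPANCY_MS     50u   /* max time STO_A and STO_B may disagree */
#define VERIFY_DEADLINE_MS 20u   /* time allowed to confirm torque removal */
#define GATE_RAIL_OFF_MV 1000u   /* gate-supply rail must collapse below this */
#define PHASE_I_OFF_MA    200u   /* residual phase-current limit after STO */

typedef enum { STO_RUN, STO_VERIFYING, STO_SAFE, STO_FAULT } sto_state_t;

typedef struct {
    bool sto_a, sto_b;      /* true = channel energised, torque permitted */
    uint32_t gate_rail_mv;  /* measured gate-driver supply */
    uint32_t phase_i_ma;    /* largest measured phase-current magnitude */
} sto_inputs_t;

typedef struct { sto_state_t state; uint32_t mismatch_ms, verify_ms; } sto_monitor_t;

void sto_init(sto_monitor_t *m) { m->state = STO_RUN; m->mismatch_ms = m->verify_ms = 0; }

/* Call every 1 ms. Returns true only while the power stage may stay enabled. */
bool sto_step(sto_monitor_t *m, const sto_inputs_t *in)
{
    if (m->state == STO_FAULT) return false;          /* latched until sto_init() */

    /* Channel discrepancy timer: a bridged or broken line shows up here. */
    if (in->sto_a == in->sto_b) m->mismatch_ms = 0;
    else if (++m->mismatch_ms > DISCREPANCY_MS) { m->state = STO_FAULT; return false; }

    if (in->sto_a && in->sto_b) {                     /* no demand on either channel */
        m->state = STO_RUN;
        return true;
    }
    /* Either channel low is a demand: torque removal must now be confirmed. */
    bool torque_off = in->gate_rail_mv < GATE_RAIL_OFF_MV &&
                      in->phase_i_ma < PHASE_I_OFF_MA;
    if (m->state == STO_RUN) { m->state = STO_VERIFYING; m->verify_ms = 0; }
    if (m->state == STO_VERIFYING) {                  /* confirm within the deadline */
        if (torque_off) m->state = STO_SAFE;
        else if (++m->verify_ms > VERIFY_DEADLINE_MS) m->state = STO_FAULT;
    } else if (!torque_off) {                         /* STO_SAFE, but rail or current is back */
        m->state = STO_FAULT;
    }
    return false;
}

/* Simulation helper: hold the inputs for `ms` steps and return the final state. */
sto_state_t sto_run_for(sto_monitor_t *m, const sto_inputs_t *in, uint32_t ms)
{
    while (ms--) sto_step(m, in);
    return m->state;
}
```

A single low channel removes the enable immediately; the discrepancy timer only decides when the disagreement is latched as a fault that needs a reset.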

8. What proof-test interval is typically used for STO in production systems?

Proof-test intervals depend on the claimed SIL or PL and on manufacturer guidance, but many projects choose intervals between several months and a few years. Safety manuals often specify a maximum interval beyond which PFHd calculations are no longer valid. Integrators usually align STO proof tests with scheduled maintenance, calibration or annual safety inspections to minimise downtime.

9. How can PCB layout and grounding help avoid common-cause failures in dual STO channels?

Layout can reduce common-cause failures by routing STO_A and STO_B on separate paths and vias, avoiding single narrow necks or shared return segments and keeping both away from high di/dt regions. Clean reference planes, controlled coupling to ground and careful placement of isolation devices and filters limit the probability that one disturbance corrupts both channels simultaneously.

10. What surge and EMI issues commonly affect STO wiring from long cable runs?

STO wiring that crosses a plant can pick up surge events from contactors and motors, fast common-mode noise from inverters and radiated fields from RF sources. Without local TVS protection, series impedance and RC filtering, these disturbances may cause false trips or damage. Poor shielding or improper shield termination further increases susceptibility and complicates EMC compliance.

11. Which IC categories usually implement STO logic and torque removal in a drive?

STO logic is typically hosted in safety microcontrollers or safety gate-driver ICs that perform voting, diagnostics and self-tests. Digital isolators or isolated gate drivers transfer STO_OK into the power domain. eFuses or smart high-side switches cut driver supplies, while comparators, references and supervisors monitor voltages and currents to confirm that torque removal is effective.

12. Which safety manual documentation is essential to prove that STO meets project requirements?

A useful safety manual for STO should provide a clear description of the safety function, architecture, fault assumptions, PFHd and DC values, required wiring, parameter settings, self-tests, proof-test procedures and limits on operating conditions. Alignment between this manual, the overall risk assessment and the robot cell safety concept is critical when justifying SIL or PL claims to auditors.