Safe Torque Off (STO) in Servo Drives: Architecture, Ratings, and System Design Trends

Safe Torque Off (STO) is the baseline safety function in modern servo motor systems. It is the state the drive power stage falls back to whenever another safety function (Safe Stopping, Safe Limited Speed, Safe Direction) needs the motor rendered torque-free without a full power isolation.

Before STO, machines used redundant mechanical contactors to physically disconnect the drive from the motor. STO eliminates the contactor by using discrete, redundant hardware inputs to the drive power stage, reducing cost, weight, and system complexity while meeting the same safety ratings.

The Problem That STO Replaces

Prior to the widespread adoption of STO, machines implementing functional safety used redundant contactors:

  • Two independent mechanical contactors connected in series between the drive and motor.
  • Both contactors must be closed for the motor to operate.
  • A safety event energizes the safety relay, which opens both contactors simultaneously.
  • The motor is physically disconnected from the drive output, guaranteeing no torque.

Problems with redundant contactors:

  1. Cost scales with axis count: Each axis requires a separate pair of contactors, safety relay, and associated wiring. A 10-axis machine doubles the cost of this safety subsystem versus a 5-axis machine.

  2. Weight and space: Each contactor is a substantial electromechanical component. In mobile, battery-powered, or weight-sensitive applications (medical robots, AGVs), this is prohibitive.

  3. Wiring complexity: Each contactor pair requires additional wiring, fusing, and auxiliary contact monitoring.

How STO Works

STO uses discrete, redundant enable inputs to the drive power stage, hardware signals that gate the firing of the power transistors. No firmware is involved; the hardware circuitry is the safety function.

Power stage operating principle:

In a 3-phase servo drive, three high-side and three low-side power transistors switch in pairs to drive current through the motor windings. To generate motor torque, both a high transistor and a low transistor in the same phase leg must conduct simultaneously. If either is blocked, no current flows through that phase leg.

STO implementation: two independent enable signals (STO1 and STO2), one gating the entire upper transistor bank and the other the entire lower bank. For motor torque to be generated:


  • STO1 must be active (enabling the upper transistor bank).
  • STO2 must be active (enabling the lower transistor bank).

If either enable is deactivated, the motor cannot generate torque regardless of the drive’s command signal.

Safety rating: The failure mode and effects analysis (FMEA) of the power stage circuitry (specifically the independence of the two enable paths and the probability of simultaneous failure) determines the achievable Performance Level (PL) and Safety Integrity Level (SIL) rating. Advanced drives use a safety-rated processor to perform automated diagnostics of the STO input circuits, enabling higher ratings without external test equipment.

STO in Context of Common Safety Functions

STO is a critical fallback state for higher-level safety functions, not an independent safety function in isolation. Common safety functions that use STO as their final state:

  • Safe Stop 1 (SS1): Controlled deceleration to standstill, then STO activated.
  • Safe Stop 2 (SS2): Controlled deceleration to standstill with position holding, then STO available.
  • Safe Limited Speed (SLS): Monitors that motor speed does not exceed a defined limit; STO if limit exceeded.
  • Safe Direction (SDI): Monitors that motor rotation is in the permitted direction; STO if violated.
  • Safe Maximum Speed (SMS): Similar to SLS, applied to maximum speed.

Each of these higher functions requires position/velocity feedback from an encoder. The safety rating of the combined function depends on the ratings of both the drive and the encoder.

System Architecture Trends

Traditional Architecture: Safety PLC Controls STO

The conventional safety system architecture:

  1. Drive implements STO as its only safety function.
  2. All other safety functions (SLS, SDI, SS1, SS2) handled by a separate safety PLC.
  3. Safety PLC monitors the machine via a second, independently mounted encoder.
  4. Safety PLC activates the drive STO input when a safety function is triggered.

This architecture is functional but has drawbacks:

  • Requires a second encoder on each axis (cost, weight, space).
  • Complex wiring between safety PLC, second encoder, and drive STO inputs.
  • The safety PLC must be qualified to the required functional safety standard.

Current Trend: Integrated Safety in the Drive

The emerging design trend consolidates all safety functions into the drive itself:

  1. Drive includes all required safety functions (SS1, SS2, SLS, SDI), not just STO.
  2. A single safety-rated encoder communicates with the drive via a safety-rated protocol.
  3. Drive and encoder together constitute the safety system; no safety PLC is required.
  4. Lower-rated encoders (PLd/SIL2) can support higher system ratings (PLe/SIL3) when the drive implements additional diagnostics.

Safety-rated protocol (example: FSoE, FailSafe over EtherCAT):

Interlocks, collision detection sensors, and emergency stop inputs connect to a master controller that commands STO and other safety functions to multiple drives via a safety-rated EtherCAT network. 

The drive STO is not directly wired to hardware inputs; it is commanded through the safety network. This simplifies wiring for multi-axis systems and enables coordinated safety responses (e.g., stopping all axes simultaneously in a specific sequence).

Encoder communication redundancy:

The safety-rated protocol includes redundant communication frame monitoring within the drive. The drive verifies that encoder messages arrive at the correct intervals and that consecutive position values are physically consistent (velocity and acceleration limits). Communication dropout or inconsistent position values trigger STO automatically.
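The drive-side plausibility checks described above, as an added illustration (not code from the article or from any drive vendor): frame timing, dropout, velocity and acceleration limits are all constructed values for a hypothetical axis, and a violation latches STO until a safety reset.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed plausibility limits for a hypothetical axis (assumptions, not values from the article).
FRAME_PERIOD_S = 0.001   # expected interval between safety-rated encoder frames
JITTER_TOL_S = 0.0002    # permitted deviation from the expected interval
MAX_VEL = 50.0           # rad/s: largest |dpos/dt| considered physically plausible
MAX_ACC = 2000.0         # rad/s^2: largest |dvel/dt| considered physically plausible

@dataclass
class Frame:
    t: float    # arrival time at the drive, seconds
    pos: float  # reported shaft position, radians

class EncoderMonitor:
    """Drive-side checks on the encoder channel: timing, dropout, velocity and acceleration."""
    def __init__(self) -> None:
        self.prev: Optional[Frame] = None
        self.prev_vel: Optional[float] = None
        self.sto_reason: Optional[str] = None  # latched; cleared only by an explicit safety reset

    def _trip(self, reason: str) -> str:
        self.sto_reason = reason
        return reason

    def feed(self, f: Frame) -> Optional[str]:
        """Consume one frame. Returns the STO reason if STO is now (or was already) active."""
        if self.sto_reason:
            return self.sto_reason
        if self.prev is not None:
            dt = f.t - self.prev.t
            if dt <= 0 or abs(dt - FRAME_PERIOD_S) > JITTER_TOL_S:
                return self._trip(f"timing: dt={dt:.4f}s")
            vel = (f.pos - self.prev.pos) / dt
            if abs(vel) > MAX_VEL:
                return self._trip(f"velocity: {vel:.1f} rad/s")
            if self.prev_vel is not None and abs((vel - self.prev_vel) / dt) > MAX_ACC:
                return self._trip(f"acceleration: {(vel - self.prev_vel) / dt:.0f} rad/s^2")
            self.prev_vel = vel
        self.prev = f
        return None

    def tick(self, now: float) -> Optional[str]:
        """Periodic drive task: detect a dropout even when no frame arrives at all."""
        if self.sto_reason:
            return self.sto_reason
        if self.prev is not None and now - self.prev.t > FRAME_PERIOD_S + JITTER_TOL_S:
            return self._trip(f"dropout: {now - self.prev.t:.4f}s since last frame")
        return None

def run_stream(frames: List[Frame], end_time: float) -> Optional[str]:
    """Feed a constructed frame sequence, then run the dropout check at end_time."""
    m = EncoderMonitor()
    for f in frames:
        if m.feed(f):
            break
    m.tick(end_time)
    return m.sto_reason
```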

Selecting Encoder Safety Ratings

Safety-rated encoders are classified by Performance Level (PL, IEC 13849) and Safety Integrity Level (SIL, IEC 61508/62061):

  • PLd/SIL2: Suitable for most industrial machinery; tolerated random hardware failure rate of < 10⁻⁷ per hour.
  • PLe/SIL3: Required for applications with serious injury or death risk; tolerated rate < 10⁻⁸ per hour.

When the drive implements additional diagnostics (monitoring encoder message timing, consistency checking, voting between two position computations from a single encoder), a PLd/SIL2 encoder can support a PLe/SIL3 system safety rating. 

This is explicitly permitted by IEC 61800-5-2 when the drive’s diagnostic coverage and random hardware failure rate are properly accounted for.
