Parker Variable Speed Drive AC30 series. User’s Manual (2017) - page 6

6-4

Safe Torque Off

Most but not all single component failures will be detected. Diagnostic Coverage (DC) is required to be at least 60% (i.e. the

minimum required for ‘low’ diagnostic coverage).
Detected component failures will result in the STO function being applied without intervention from the user.
The risk associated with the loss of STO safety function caused by multiple failures must be understood and accepted by the

user.
The user must undertake a risk analysis and specify suitable components that, when connected together, meet the risk

assessment requirements.
Mean Time To Failure (dangerous) (MTTFd) of each STO channel must be ≥ 30 years.
Common Cause Failure (CCF) score must be ≥ 65 according to Annex F of the standard.



Performance Level (PL) e:

Average probability of dangerous failure per hour (PFH) must be ≤ 10

-7

EN61800-5-2:2007 AND EN61508

(Adjustable speed electrical power drive systems) and
(Functional safety of electrical/electronic/programmable electronic safety-related systems)

STO aligns to the following aspects of this standard:



Safety Integrity Level (SIL) 3

Probability of dangerous random hardware failures per hour (PFH) must be ≤ 10

-7

Subsystems type A according to EN61508-2:2001 para 7.4.3.1.2
Hardware Fault Tolerance (HFT) = 1
Safe Failure Fraction (SFF) must be ≥ 90%

Safe Torque Off

6-5

Safety Specification

As assessed to EN ISO13849-1 and EN61800-5-2 the inverter has the following related safety values:-

Criterion

Requirement

Value achieved

SIL3

For type A subsystems, HFT = 1:

SFF ≥ 60%

SFF = 99%

SIL3

-7

≥ PFH ≥ 10

-8

PFH = 2.3 x 10

-9

SIL Capability

PLe

Category 3; PFH ≤ 4,29 x 10

-8

PFH = 2.3 x 10

-9

PLe

30 years ≤ MTTFd < 100 years

MTTFd = 100 years

PLe

DC = medium

DC = Medium

Mission Time

20 years

Fault Reaction Function

Latched STO

Note

: all values quoted in this table are valid only when the two STO user inputs are driven independently. This is as required by EN ISO

13849-1 category 3. See the Alignment to European Standards section in this chapter for the required architecture which must be used

throughout the machine design relevant to the drive under consideration.

EN ISO13849 limits MTTFd to 100 years.

A detected fault in the STO circuit causes STO to become active, and remain active until after a power cycle.

6-6

Safe Torque Off

EMC Specification

In addition to the mandatory requirements of EN61800, the STO functionality has been subjected to testing for immunity at higher levels. In particular

the STO function (only) has been tested for radiated immunity according to EN62061:2005 Annex E up to 2.7GHz which includes frequencies used by

mobile telephones and walkie-talkies.

Safe Torque Off

6-7

User Connections

The STO terminals are on a 6-way terminal block X10. This is mounted on the inverter control housing. Terminal designations are:

Terminal Number

Terminal Name

Description

X10/01

STO A Input

0V or not connected = drive will not run, STO is active on channel A.
24V = drive is enabled to run if X10/03 is also 24V.
This input is optically isolated from all other inverter terminals except

X10/02, X10/03 and X10/04.

X10/02

STO Common

Signal return for STO A Input and STO B Input. Connected internally to

X10/04. This terminal or X10/04 must be connected to earth at one

common point in the drive system.

X10/03

STO B Input

0V or not connected = drive will not run, STO is active on channel B.
24V = drive is enabled to run if X10/01 is also 24V.
This input is optically isolated from all other inverter terminals except

X10/01, X10/02 and X10/04.

X10/04

STO Common

Signal return for STO A Input and STO B Input. Connected internally to

X10/02. This terminal or X10/02 must be connected to earth at one

common point in the drive system.

X10/05

STO Status A

Together with X10/06, this terminal forms an isolated solid-state relay

output.
This output is ON (equivalent to closed relay contacts) when the STO

circuit is in the ‘safe’ state, i.e. the drive will not cause its motor to produce

torque.
However, this output should be used primarily as an indication. In the

unlikely event of a fault in the STO circuit, this output could turn on

erroneously to give a false indication of the STO status. It must not be used

as a guarantee that the motor will not produce torque.
The solid-state relay is protected by a self-resetting fuse.

X10/06

STO Status B

Together with X10/05, this terminal forms an isolated solid-state relay

output. See the description for X10/05.

Do not connect both X10/02 and X10/4 to earth, otherwise an earth loop could be created.

6-8

Safe Torque Off

Examples of wiring to X10/05 and X10/06

Active high output:

The load is energised and X10/05 is high when

STO is in the intended safe STO state.

Active low output:

The load is energised and X10/06 is low when STO is in

the intended safe STO state.

The examples show the use of the 24V supply provided on X12/05 (+24V) and X12/06 (0V) as source of power to a load. Alternatively an external 24V

supply could be used.

Note:

If a drive is powered from 24V only, i.e., 24V is applied to terminals X12/05 or X12/06 and the 3 phase power is off, the STO user output will still

reflect the status of the two STO user inputs.

24VDC

INVERTER

X10/06

X12/05

X12/06

X10/05

LOAD

24VDC

INVERTER

X10/06

X12/05

X12/06

X10/05

LOAD

Safe Torque Off

6-9

STO Technical Specification

INPUTS SPECIFICATION

STO A Input and STO B Input comply with IEC61131-2. Note: inputs do not have hysteresis.

Recommended input voltage for low level:

0V to +5V

Recommended input voltage for high level:

+21.6V to +26.4V

Typical input threshold voltage:

+10.5V

Indeterminate input range:

+5V to +15V. Function is undefined.

Absolute maximum input voltage:

-30V to +30V

Typical input current @ 24V

9mA

Fault detection time

2.3sec typical;

< 1.6sec will not generate a fault

> 3.0sec will generate a fault.

Response time

> 2ms

6ms typical

< 10ms

Conditions in which the STO inputs are operative:

All, i.e. STO cannot be disabled in any condition

A fault is defined in this context as STO A Input and STO B Input being sensed in opposite logic states.

Response time is the time from the first STO input becoming active (voltage level is low) until torque production has ceased

6-10

Safe Torque Off

OUTPUT SPECIFICATION

OFF state:

Maximum applied voltage:

±30V (X10/06 relative to X10/05)

Leakage current:

Less than 0.1mA.

ON state:

Maximum output current:

150mA

Overcurrent protection:

Included

Resistance between output terminals:

Less than 6Ω.

WARNING

WIRED CONNECTIONS TO TERMINALS X10/01, X10/03, X10/05 AND X10/06 MUST BE LESS THAN 25 METRES IN LENGTH

AND REMAIN WITHIN THE CUBICLE OR DRIVE ENCLOSURE. PARKER IS NOT LIABLE FOR ANY CONSEQUENCES IF

EITHER CONDITION IS NOT MET.

Safe Torque Off

6-11

TRUTH TABLE

Overview

STO Input A

X10/01

STO Input B

X10/03

Drive Function

STO Status Output

X10/05, X10/06

STO Active

Drive cannot start or supply power to its motor. STO trip

reported.

This is the intended safe state of the product with correct

dual-channel operation.

Abnormal

one-channel

operation

detection

24V

Drive cannot start or supply power to its motor. STO trip

reported. If either of these conditions persists for more than

3.0 seconds (the maximum fault detection time), the STO

function will lock into a fault state. The drive cannot start until

the fault is rectified; all power is removed and reapplied (both

mains and any auxiliary 24V dc power).

This is single channel operation and thus deemed not as

intended for category 3 / PLe / SIL3 structure

implementation.

OFF

24V

STO Inactive

24V

Drive is enabled to run under software control. The drive can

supply power to its motor.

OFF

Drive

unpowered

Don’t care

Drive cannot start or supply power to its motor.

OFF

6-12

Safe Torque Off

STO Input Timing Diagrams

IDEAL OPERATION

In ideal operation, both inputs X10/01 and X10/03 should change state simultaneously reflecting true dual-channel operation as intended.

States:

Both inputs are low. Drive is tripped and STO prevents the drive from starting. User output is ON. This is the “safe torque off” state of

the drive.

Both inputs are high. Drive is able to run under software control. User output is OFF.

Channel A: X10/01

Channel B: X10/03

Output: X10/05, X10/06

STATE

24V

OFF

Safe Torque Off

6-13

TYPICAL OPERATION

In typical operation, there can be a small time difference between changes of state on X10/01 and X10/03, due to different delays in the operation of two

sets of relay contacts.

States:

1  Both inputs are low. Drive is tripped and STO prevents the drive from starting. User output is ON. This is the “safe torque off” state of the drive.
2  Both inputs are high. Drive is able to run under software control. User output is OFF.
3  One input is high and the other input is low. Drive is tripped and cannot start due to STO action. User output is OFF. Normal operation allows this

state to persist for up to 1.6 seconds which is the minimum fault detection time required to generate a fault (3.0 seconds is the maximum). These

tolerable time differences are normally caused by switches or relays; they should be kept as short as possible.

Channel A: X10/01

Channel B: X10/03

Output: X10/05, X10/06

STATE

24V
0V
24V
0V
ON
OFF

< 1.6s

6-14

Safe Torque Off

FAULT OPERATION

A fault is always detected when X10/01 and X10/03 are in opposite states for more than 3.0 seconds.

States:

1 Both inputs are low. Drive is tripped and STO prevents the drive from starting. User output is ON. This is the “safe torque off” state of the drive.
3 One input is high and the other input is low. Drive is tripped and STO prevents the drive from starting. In this example, this state persists for more

than 3.0 seconds (being the maximum fault detection time), after which time the STO logic transitions to state 4 without further changes in input

state. The inverter has detected a fault or single-channel operation.

4 The fault state (one input high, the other input low) has persisted for longer than 3.0 seconds (being the maximum fault detection time). The STO

hardware logic locks into state 4. The drive is tripped and the STO function prevents the drive from starting. User output is OFF. To exit from state 4,

the drive must be powered off (all power removed including any auxiliary 24Vdc) and back on.

DANGER

OPERATION OF THE INVERTER UNIT SHOULD CEASE IMMEDIATELY AND THE UNIT SHOULD BE RETURNED TO A PARKER

AUTHORIZED REPAIR CENTRE FOR INVESTIGATION AND REPAIR.

FAILURE TO DO SO COULD RESULT IN INJURY, DEATH OR DAMAGE.

FURTHER OPERATION OF THE INVERTER WITHOUT RESOLVING THIS FAILURE IS ENTIRELY AT THE USER’S OWN RISK.

SEE SAFETY CATEGORY DEFINITIONS AND LIMITATIONS, REFER TO EN ISO 13849-1:2008.

Channel A: X10/01

Channel B: X10/03

Output: X10/05, X10/06

STATE

24V
0V
24V
0V
ON
OFF

3.0s

1 3 4

Safe Torque Off

6-15

PULSED INPUTS

Some safety equipment, e.g. safety PLCs, regularly pulse the two STO inputs independently in order to detect a short circuit between them. This is

commonly known as OSSD (Output Signal Switch Device). The inverter STO inputs are immune to such pulses when they are less than 2ms in width.

The product will not react to such pulses and therefore will not inadvertently invoke the STO function.

States:

Both inputs are low. Drive is tripped and STO prevents the drive from starting. User output is ON. This is the “safe torque off” state of

the drive.

Both inputs are high, but regularly pulse low independently. External equipment can thus detect a short circuit between the two STO

user inputs. Each input must remain low for 6ms (typical) before the inverter reacts to it.

2 1

<2ms <2ms typ 6ms

Channel A: X10/01

Channel B: X10/03

Output: X10/05, X10/06

STATE

24V
0V
24V
0V
ON
OFF

6-16

Safe Torque Off

STO State Transition Diagram

The flow chart below shows how the drive responds to STO inputs, start and stop commands.

Key:
* = One channel operation
** = Two channel operation

Transitional state.

User should avoid

remaining in this

state

Fault state

Normal state

Out-of-box state

Normal startup state

X10/01 low

X10/03 low

Drive cannot run **

X10/01 low

X10/03 high

Drive cannot run *

X10/03 high

X10/01 high

X10/01 low

X10/03 low

X10/01 high

X10/03 low

Drive cannot run *

X10/01 high

X10/03 high

Drive enabled but

not running

X10/03 high

X10/03 low

X10/01 high

X10/01 low

X10/01 high
X10/03 high

Drive runs

X10/03 low

X10/01 low

START command

STOP command

Fault state

Drive cannot run.

ALL Power must

be cycled

2.3 seconds (typical)

Safe Torque Off

6-17

STO Trip Annunciation

The GKP will display a STO trip message when STO becomes active, i.e. STO prevents the drive from starting, thus:

GKP Display

This message is displayed immediately if, on starting the drive or whilst the drive is running:



One or both STO user inputs X10/01 or X10/03 is low when the user attempts to start the drive, or



One or both STO user inputs X10/01 or X10/03 goes low while the drive is running, or



The inverter has detected a fault in the STO circuit.

Note:

an out-of-box inverter will report this trip if the drive, as supplied, has no connections to X10 when it is first started. Appropriate

connections must be made to X10 to prevent this trip from occurring, as described elsewhere in this chapter. The user must decide if STO is

to be permanently inactive, or to make use of the STO feature. If the STO feature is not required, see the “Applications that do not require

STO function” section on page 6-20.
STO is inserted into the trips history buffer (see Chapter 10 Trips & Fault Finding) if STO is active when the drive is commanded to start or if

STO becomes active while the drive is running, indicating an abnormal condition. The trips history buffer is not updated if STO becomes

active while the drive is not running.

Note:

The normal method of operation is for STO to become active while the drive is not running and the motor is stationary.

Appropriate, application specific risk assessment is necessary when STO is activated on rotating motors, moving loads or when external

forces such as gravitation or inertial loads act on the motor.

**** TRIPPED ****
SAFE TORQUE OFF

6-18

Safe Torque Off

Safety Warnings and Limitations



Only competent personnel are permitted to install the STO function and commission it. They must disseminate and make available all

appropriate instructions and documentation to all personnel who may come into contact with or operate the STO and provide suitable

training on the inverter to ensure it is operated in the correct manner and to avoid damage, injury or loss of life.



The inverter STO function is a factory-fitted and factory-tested feature. Repairs to the inver STO featured-product are to be carried out

only by Parker authorized repair centres. Any unauthorised attempt to repair or disassemble the product will render any warranty null and

void, and STO integrity could be impaired. PARKER WILL NOT ACCEPT ANY LIABILITY FOR FAILURE TO OBEY THESE

INSTRUCTIONS OR FOR ANY CONSEQUENTIAL INJURY, DEATH, LOSS OR DAMAGE.



It is important that the inverter product environment including all aspects of its CE conformance and IP etc., specified elsewhere in this

manual, is maintained to ensure the safety integrity of the STO function.



Should synchronous motors be operated in the field weakening range, operation of the STO function may lead to overspeed and

destructive overvoltages as well as explosions in the drive. Therefore, the STO function must NEVER be used with synchronous drives in

the field-weakening range. The user must ensure this condition is prevented.



When using synchronous permanent magnet motors, shaft movement over a small angle is possible if two faults occur simultaneously in

the power section of the drive. This depends on the number of motor poles. The maximum angle is:

Rotary motors: 360° / number of poles.

Linear motors: 180° electrically.

It is the user’s responsibility to assess, validate and safeguard as necessary against this potential hazard.



If external forces can act on the motor and/or load to cause it to move, additional measures must be taken by the user to restrain it, for

example a mechanical brake. Examples of external forces are suspended loads (effect of gravity), and other web-tensioning devices.



The inverter STO feature does not provide or guarantee any galvanic isolation in accordance with EN 60204-1:2006 A1:2009 Section 5.5.

This means that the entire system must be isolated from the mains power supply with a suitable electrical isolation device before any

drive or motor maintenance or replacement procedures are attempted. Note that even after the power has been isolated, dangerous

electrical voltages may still be present in the inverter. Safe discharge times and details are specified in Chapter 1 Safety of this manual.



The STO function must not be used for electrical isolation of the inverter and power. Whenever any personnel require to work on the

drive, associated motor or other power items, they must always use recognised and suitable electrical isolation devices.



Terminal X10/02 or X10/04 must be connected to earth at one common point in the drive system. For multi-drive systems this can be a

shared earth point.



The STO user output, serial communications or GKP messages relating to accessing or viewing any safety monitoring statuses are for

information only and should not be relied on. They are not part of the drive module safety system and its associated PL/SIL declared

ratings. Any customer use of these must be appropriately risk assessed in accordance with the relevant standards or regulations.



The STO safety function must be tested regularly. The frequency should be determined by the machinery builder. An initial minimum

frequency of once per week is suggested. Refer to page 6-26 and following pages.



When using an external safety control unit with adjustable time delay, for example when implementing an SS1 function, the time delay

must be protected to prevent unauthorized adjustment. The adjustable time delay on the safety control unit must be set to a value greater

Safe Torque Off

6-19

than the duration of the braking ramp controlled by the inverter with maximum load inertia and from maximum speed. Any external forces

must also be considered, e.g. effects due to gravity.



When implementing a SS1 function with the inverter, the user is responsible for ensuring the drive’s configuration will allow a controlled

braking ramp to be initiated by the external safety device. This is particularly important when using serial link communications for normal

control of the drive.



During the active braking phase of SS1 or Stop category 1 (controlled stop with safely monitored time delay according to EN60204-

1:2006), faulty operation of the drive must be allowed for. If a fault in the drive system occurs during the active braking phase, the load

may coast to a stop or might even actively accelerate until expiration of the defined time delay. It is not the remit of this document to

specify these measures. This is for the user to assess.



When the inverter detects either an internal STO fault or an external single-channel user fault, the user must immediately fully resolve the

fault. The user must ensure dual-channel operation has been fully restored before attempting to use the inverter STO safety feature.

DANGER

FAILURE TO DO SO COULD RESULT IN STO NOT BEING ACHIEVABLE, AND THUS THE MOTOR MAY ROTATE UNEXPECTEDLY

AND COULD RESULT IN INJURY, DEATH OR DAMAGE. FURTHER OPERATION OF THE INVERTER WITHOUT RESOLVING THIS

FAILURE IS ENTIRELY AT THE USER’S OWN RISK. SEE SAFETY CATEGORY DEFINITIONS AND LIMITATIONS, REFER TO EN ISO

13849-1:2008.



It is the user’s responsibility to ensure that their overall control implementation recovers safely from supply loss or dips.



In all instances it is the user’s responsibility formally to perform suitable risk assessments, and invoke and fully validate the necessary risk

reduction measures after having thoroughly understood the application, the drive product and its features. Of special relevance is to assess

the risk of the two STO user inputs shorting together.

Content .. 4 5 6 7 ..