How to Build a Functionally Safe Motor Control Circuit

IEC 61800-5-2 is an industrial standard which covers the functional safety of variable speed drives. In effect it tells you how to build a safe motor control circuit. In this blog I will discuss an example circuit found in Annex B of IEC 61800-5-2 to implement the STO (safe torque off) safety function. This blog should be of interest to anybody working on industrial or automotive functional safety even if variable speed drives are not your thing.

STO is one of seventeen safety functions identified in IEC 61800-5-2 and is the most important one as it is designed to remove all motion producing power from the electric motor and therefore represents the safe state for many of the others.

Below is a picture of a PDS(SR), which is defined in the standard as an “adjustable speed electrical power drive system providing safety functions” and which is more commonly known as a variable speed drive.

Figure 1 - Power drive system (safety related) from IEC 61800-5-2

Before we look at the block diagram that implements STO (safe torque off), note that IEC 61800-5-2 describes the function as follows: “This function prevents force-producing power from being provided to the motor. This safety sub-function corresponds to an uncontrolled stop in accordance with stop category 0 of IEC 60204-1”.

Figure 2 - a graphical representation of STO

Graphically this is shown above. If the STO inputs are asserted at time t1 the drive will coast to a halt at time t2, with the interval t2-t1 depending on things like the mass of the motor and the friction in the system. Annex B of IEC 61800-5-2 shows an example circuit to implement STO. It divides the circuit into two subsystems, with subsystem A/B implementing the two-channel core STO functionality and subsystem PS/VM implementing a single-channel power supply system with monitoring.

Figure 3 - STO example circuit from IEC 61800-5-2:2016 Annex B

I have spoken in previous blogs about how I don’t like mandatory requirements in standards. This circuit is a good example of why they don’t make sense: sub-system PS/VM is the only single-channel part, even though the core functionality is two-channel. Nevertheless, the two-channel portion of this circuit is excellent.

The core functionality of the variable speed drive is implemented by a uP with 6 PWM outputs. The PWM outputs control 3 H bridges with 3 MOSFETs on the high side and 3 on the low side, which chop a DC voltage to produce 3-phase excitation of the motor.

The first channel implementing STO has an input labelled STO-A and is fed in through an opto-coupler before entering the uP. In the uP it kills the 6 PWM signals, which on its own should be sufficient to stop the motor rotating.

The second channel implementing STO has an input labelled STO-B and once again is fed through an opto-coupler, but in this case it removes the power of motion by killing the 5V power supply to the opto-couplers and completely bypasses the uP. Power removal is a “basic safety principle” according to ISO 13849-2:2012.

So, the circuit has two diverse channels, one killing the PWM signals directly and the second indirectly by removing power, and this gives good protection against both random and systematic sources of failure.

In effect there is a 3rd channel, as the first channel also removes the power to the opto-couplers on the high side, but typically for machine safety no claim is made for the 3rd channel as ISO 13849 has no way to account for it. Each channel has a diagnostic signal, labelled DIAG_A and DIAG_B, which feeds back into the uP so it knows the power has been removed; the uP in turn generates STO-FB as an output which can then be used as an input to an external PLC.

Before I comment on the circuit I should mention that I was and still am a member of IEC SC22G/MT 12, which developed the IEC 61800-5-2:2016 standard, and I hope my colleagues on that group who I haven’t seen in over five years are all doing well. After 5 years it is probably due for an update this year, but given IEC 61508 hasn’t changed and won’t for another 2 years, I imagine IEC 61800-5-2 will be confirmed until after that.

Anyway, some comments on the circuit:

Comment 1 – I would have loved to see digital isolators instead of opto-couplers used in the circuit. Digital isolators are opto-coupler replacements which use small transformers built on top of the circuitry in an IC and couple the signal across a polyimide insulation layer. Digital isolators are typically faster, more reliable (no reduction in light transmission over time as found in optos) and lower power than opto-couplers, and now have their own IEC standard, namely IEC 60747-17:2020. The new standard is good because up to then they were certified to the opto-coupler standard. Because they are based on standard CMOS technology, extra functionality and features can be added to the digital isolators. For instance, the ADuM1310 features 3 channels of isolation, the ADuM4150 can be used to isolate an SPI interface with 3 forward and one reverse channel, and the ADuM4135 has only a single channel but with specific features for motor control.

While the change from optos to digital isolators in the Annex B example didn’t happen, IEC 61800-5-2 D.3.13 has been modified to refer to “Signal isolation components” rather than opto-couplers, so that the fault exclusion for failures across the barrier, previously only available to opto-couplers, is now also available to digital isolators.

The diagram below shows how the magnetic-based isolation works. In this case there are three die, with the middle die containing no active circuitry; in some cases there are only two die.

Figure 4 - Illustration of an iCoupler circuit showing 3 die in one package

Comment 2 – It is unclear how easy channel 1 would be to analyze if using a standard uP. A uC such as the ADSP-CM407 has a dedicated PWM_TRIP input which disables the PWM outputs independently of any software running in the uC and doesn’t pass through any storage elements. For a standard uC it may be unclear what path the signals take in the uP/uC/DSP. Keeping programmable software out of a safety function is always advantageous, as safety-related software in your system creates another set of problems.

Another possibility, if using an ADuM1310 or similar instead of an opto-coupler, is to attach STO-A to the disable input of the ADuM1310 instead of to the uP. This removes the uP from the safety function except for diagnostics.

Comment 3 – While the diversity between the channels is good, it might have been useful to have one of the STO inputs active high and the other active low. Many digital isolators can easily be set up this way. Perhaps the 3 optos (2 input and 1 output) could have been replaced by a single digital isolator such as the ADuM1311.

Comment 4 – While the core functionality is two channel, the power supply monitor is one channel with diagnostics. This could meet the requirement for SIL 3 provided the SFF is greater than or equal to 99%, and meet the requirements for CAT 3 according to ISO 13849-1, but what about ISO 10218 (robot safety), which specifically requires SIL 2 with HFT = 1 or PL d CAT 3?

Otherwise the power supply circuit looks good, with a fuse to protect it from overcurrent and a means to remove all downstream power if the power supply voltages are out of spec. This implements “Voltage control (secondary) with safety shut-off” as described in IEC 61508-2:2010 Table A.9, which allows a claim of up to high (99%) for SFF. Power supply monitor parts such as the LTC4365 or the ADM1169 could implement this functionality as described in a previous blog, with the ADM1169 also being able to implement a windowed watchdog timer with resolution down to the ms for the uP.
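To make Comment 4 concrete, here is an added example (not code from the standard, from ADI or from this blog) that computes the safe failure fraction from the four IEC 61508 failure-rate classes and looks up the maximum claimable SIL from the Route 1H architectural constraint tables (IEC 61508-2:2010 Table 2 for Type A and Table 3 for Type B elements). The failure rates are constructed illustrative values in FIT, and the PS/VM monitor is assumed to be a Type B element with HFT = 0; the point it demonstrates is that a high SFF can lift a single channel to SIL 3, but cannot satisfy a requirement that explicitly demands HFT = 1.

```python
"""Safe failure fraction (SFF) and the IEC 61508-2 Route 1H architectural
constraints, applied to a single-channel (HFT = 0) power supply monitor.

Added example for this blog, not code from the standard or from ADI.
The failure rates used below are constructed illustrative values in FIT
(failures per 1e9 hours); a real assessment would take them from the
component FMEDA.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Per-element failure rates in FIT, split into the four IEC 61508 classes."""
    safe_detected: float         # lambda_SD
    safe_undetected: float       # lambda_SU
    dangerous_detected: float    # lambda_DD
    dangerous_undetected: float  # lambda_DU

    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)

    def sff(self) -> float:
        """SFF = 1 - lambda_DU / lambda_total (IEC 61508-2:2010 Annex C)."""
        total = self.total()
        if total <= 0:
            raise ValueError("total failure rate must be positive")
        return 1.0 - self.dangerous_undetected / total


# Route 1H maximum SIL by SFF band and HFT (IEC 61508-2:2010 Table 2 for
# Type A elements, Table 3 for Type B). Each row is (exclusive upper SFF
# bound of the band, (max SIL at HFT 0, HFT 1, HFT 2)); 0 means not allowed.
_ROUTE_1H = {
    "A": [(0.60, (1, 2, 3)), (0.90, (2, 3, 4)), (0.99, (3, 4, 4)), (None, (3, 4, 4))],
    "B": [(0.60, (0, 1, 2)), (0.90, (1, 2, 3)), (0.99, (2, 3, 4)), (None, (3, 4, 4))],
}


def max_sil(sff: float, hft: int, element_type: str = "B") -> int:
    """Highest SIL claimable for an element with the given SFF and HFT."""
    if not 0 <= hft <= 2:
        raise ValueError("HFT must be 0, 1 or 2")
    for upper, sils in _ROUTE_1H[element_type]:
        if upper is None or sff < upper:
            return sils[hft]
    raise AssertionError("unreachable: last band is open-ended")


def meets(rates: FailureRates, hft: int, required_sil: int,
          required_hft: int = 0, element_type: str = "B") -> bool:
    """True if the element satisfies both the SIL and any explicit HFT demand."""
    return (max_sil(rates.sff(), hft, element_type) >= required_sil
            and hft >= required_hft)


def ps_vm_assessment() -> dict:
    """Worked cases for a single-channel PS/VM subsystem (HFT = 0, Type B)."""
    good_monitor = FailureRates(50, 100, 148, 2)   # constructed: SFF ~ 99.3%
    weak_monitor = FailureRates(50, 100, 148, 10)  # constructed: SFF ~ 96.8%
    return {
        "good_sff": good_monitor.sff(),
        "good_max_sil": max_sil(good_monitor.sff(), hft=0),
        "weak_max_sil": max_sil(weak_monitor.sff(), hft=0),
        # ISO 10218 asks for SIL 2 with HFT = 1: SFF cannot substitute for the
        # missing second channel, so the single-channel monitor fails this.
        "good_meets_iso10218": meets(good_monitor, hft=0, required_sil=2, required_hft=1),
        # ... but it does meet SIL 3 where no explicit HFT is demanded.
        "good_meets_sil3": meets(good_monitor, hft=0, required_sil=3),
    }


if __name__ == "__main__":
    for key, value in ps_vm_assessment().items():
        print(f"{key}: {value}")
```

Running the block prints the two monitor cases: the constructed 99.3% SFF monitor reaches SIL 3 at HFT = 0, the 96.8% one drops to SIL 2, and neither can satisfy a SIL 2 / HFT = 1 demand without a second channel. The band boundaries are applied as "SFF less than the upper bound", so exactly 99% lands in the top band, matching the "greater than or equal to 99%" wording used above.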

Comment 5 – The circuit should stop the motor when at least one of the STO inputs is asserted, and also if the uP discovers a diagnostic failure in channel 2. But shutdown if a failure is discovered in channel 1 is not assured, because the uP is part of channel 1 and could itself be the source of the failure, and therefore cannot be relied upon to take the system to the safe state.

All in all, it’s an excellent circuit and, if anything, my criticisms only go to show that. The analysis of the circuit in IEC 61800-5-2 also comes with an interesting example of Markov analysis.

Figure 6 - safety functions from IEC 61800-5-2:2016

In future blogs I might discuss the other safety functions from IEC 61800-5-2 including two other stopping functions which use the drive functionality to achieve faster stopping times and safety functions related to speed and position.

The advantages of STO are best described by these two excellent videos from Rockwell automation:

To learn more see:

IFA report – Safe drive controls with frequency converters