Ensuring the safe stopping of a machine is a critical component of functional safety in industrial environments. Automation engineers often face the dilemma: should they simply cut off the power, apply controlled braking, or maintain the drive under voltage? The answer lies in selecting the appropriate stopping function: Safe Torque Off (STO), Safe Stop 1 (SS1), or Safe Stop 2 (SS2). This article explains step-by-step how these functions operate, when to use each, and what to consider when designing a machine safety system. All this is based on standards and best practices, presented in a practical, engineering manner.
Table of Contents
Step-by-Step Guide to Safe Machine Stopping
Before diving into the specifics of STO, SS1, and SS2, it’s essential to understand the categories of safe stopping defined in standards. The standard PN-EN 60204-1 outlines three stopping scenarios (categories) that correspond to our safety functions:
- Category 0 (STO) – Emergency stop by immediately cutting off the drive power without controlled braking. This is the fastest way to stop a machine, akin to pressing an emergency stop button. However, it is an uncontrolled stop and may be too harsh for delicate machinery, potentially leading to long restart times.
- Category 1 (SS1) – Controlled stop where the system actively brakes the machine before cutting off the power (transitioning to STO). This minimizes mechanical shocks and allows for a more civilized stop. It requires a moment to brake but reduces the risk of mechanical damage. It is typically used when safety requires slowing down rather than immediate power cut-off, such as in production lines with delicate elements.
- Category 2 (SS2) – Controlled stop with torque maintenance after stopping. Here, after braking, the power is not cut off, and the drive enters a safe operating stop (SOS) state. The motor remains powered and actively maintains position, preventing any movement. This is essential where position stabilization is required after stopping, such as in industrial elevators or machines with suspended elements.
This classification allows for selecting the stopping method tailored to the machine’s specifics and hazards. Different scenarios require different stopping methods, and a thorough risk analysis during the design phase should indicate which stopping scenario ensures the safety of people and equipment. Remember, emergency stopping (E-STOP) should be implemented in category 0 or 1, i.e., as STO or SS1. Category 2 (SS2) is not intended for typical emergency buttons, as in life-saving situations, we aim to reduce all energy sources.
How Safe Torque Off (STO) Works
Safe Torque Off (STO) is the simplest and most basic safe stopping function. It works by immediately disconnecting energy to the motor, either by cutting the inverter’s output voltage or disconnecting contactors in the power circuit. As a result, the motor ceases to produce torque (or force, in the case of linear actuators). In other words, the drive can no longer power the machine’s moving parts. STO corresponds to the uncontrolled stop of category 0, as described earlier.
It’s important to note: STO does not actively brake the motor – it simply coasts to a stop due to friction and resistance. Therefore, the stopping time with STO depends on the system’s inertia. In machines with low inertia and high resistance, the movement will stop almost immediately. However, if there is a rapidly spinning spindle or a heavy rotor, it may continue to spin for a while after the power is cut. STO is best suited for situations where immediate stopping of the entire drive is not required – natural resistance forces are sufficient to stop the machine in an acceptable time.
The advantage of STO is its simplicity and high reliability. It is a function built into almost every modern frequency converter or servo amplifier. It meets stringent standards (often SIL 2 or SIL 3, PL d/e), so it can replace traditional contactors that cut off power. STO prevents unexpected motor starts – it is a fundamental protection against uncontrolled movement after the machine is shut down. The emergency button typically activates STO, cutting off energy and stopping the drive in the simplest possible way.
Limitations? Since STO does not control braking, it does not protect against inertia effects. If stopping a conveyor full of goods by simply cutting power, the goods may slide off due to momentum. In vertical axes (e.g., cranes, elevators), STO alone can be dangerous – cutting torque risks the suspended load falling due to gravity. Therefore, in certain applications, STO must be supplemented with additional measures, such as mechanical brakes to stop movement. This is where the SBC (Safe Brake Control) function comes into play, which, in conjunction with STO, safely engages the mechanical brake on the motor or axis.
In summary: STO immediately cuts torque and prevents the motor from generating force. It is a quick emergency stop of category 0, ideal when every second of energy cut-off counts. However, ensure that the machine’s natural coasting does not pose a hazard – if it does, supplement STO with brakes or opt for SS1.
Safe Stop 1 (SS1) – Controlled Braking to a Stop
When a controlled stop is needed, Safe Stop 1 (SS1) comes into play. SS1 performs a two-phase stop. In the first phase, the drive actively brakes the motor – reducing speed according to a set braking ramp or monitoring braking time. When speed approaches zero, the second phase begins: automatic transition to STO (safe torque off) and possibly engaging a mechanical brake (SBC) for full axis immobilization. In other words, SS1 first dissipates motion energy in a controlled manner, then cuts off power like STO.
This mode corresponds to category 1 stopping in the standard – controlled braking + power disconnection. SS1 is recommended when the machine needs to be stopped as quickly and safely as possible. A typical scenario: the device operates at high speed or has significant inertia. Sudden power cut-off (STO) would cause prolonged coasting or strong mechanical jolt at sudden stop. Instead, SS1 dynamically brakes the motors – often stopping faster than with friction alone – while doing so in a monitored, safe manner for mechanics.
Examples? Circular saws, grinders, centrifuges, mechanical presses – generally, machines with high rotating energy should be stopped using SS1. Imagine a large band saw: pressing STOP causes the inverter to apply a braking ramp and quickly reduce the saw’s speed. When the saw stops, torque is cut off (STO), and the machine remains safely immobilized. This way, stopping is much faster than waiting for the saw to seize on its own, while avoiding the risk of damaging the drive or material through sudden jerks – braking is fully controlled by the system.
It’s worth noting that the PN-EN 61800-5-2 standard allows various ways to implement SS1. Drive manufacturers offer versions like SS1-r (ramp monitoring) – where the system monitors the braking ramp and activates STO when speed falls below a set threshold – or SS1-t (time controlled), where STO activates after a set time, regardless of speed. Regardless of implementation, the goal is the same: stop motion as quickly and safely as possible, then disconnect energy. SS1 typically requires more advanced control (e.g., safety module in the inverter or safety PLC), but most modern drives have these functions standard or as an option.
On a side note, SS1 is often chosen for emergency stop category 1 – e.g., pressing an emergency button, after which the machine should brake instead of immediately cutting power. Such an emergency stop with controlled braking is required when immediate power cut-off could increase danger (e.g., material could spill from a rapidly rotating drum). In practice, it’s implemented so that after pressing E-STOP, the safety controller issues a braking command to the inverter (SS1 ramp), and if speed doesn’t drop to zero within a set time, power is cut off for safety. This is because emergency stopping must always work, even if braking fails. The safety system designer should anticipate such a scenario.
Safe Stop 2 (SS2) – Stopping with Position Maintenance
The third function is Safe Stop 2 (SS2). SS2 is somewhat an extension of SS1. It also performs a two-phase stop (braking + safe stop), but the difference is that power is not disconnected after stopping the motor. Instead of transitioning to STO, the drive actively maintains torque on the motor at zero speed, using the SOS (Safe Operating Stop) function. In other words, the motor is safely stopped in a specific position, and this position is continuously monitored and maintained by the control system. This safe stop under voltage corresponds to the controlled stop of category 2, as previously mentioned.
What does this offer? Primarily – quick machine restart. Since the motor remains powered (though at zero speed), movement can be resumed immediately without additional procedures. In comparison, after SS1 (category 1), the system transitions to STO, so to restart, you must first re-enable drive power, which can be time-consuming (requiring safety system reset, etc.). SS2 eliminates this delay – movement can be unlocked almost immediately when safety conditions allow.
SS2 is used where the machine or its part needs to remain stopped only for a short time, and we want to resume it quickly or where a stop is required, ready for further work. This often results from the technological process or the need for regular, short operator interventions. An example might be a production line where the operator must occasionally approach and clean something, set a sensor, or remove a defective product. Instead of shutting down the entire machine (and then laboriously restarting it), SS2 can be used: the line stops in a controlled manner and remains in a safe stop, the operator does their work for a minute, then resumes the machine without a full restart. Another example is calibrating a vision system on a machine – stopping the conveyor at a precisely defined point, with the camera remaining on and ready for further work after adjustment.
In applications like robotics or assembly, SS2 is often used for so-called standby stops – the robot stops in a specific position, holds it (e.g., with a tool over a detail) during a short break, and then continues without needing recalibration. However, it’s important to remember that the system remains under voltage – therefore, SS2 is not used for emergency stops, only for controlled stops during planned breaks or service modes. Standards clearly require disconnecting power in emergencies (STO or SS1).
From a technical standpoint, implementing SS2 requires the drive to have speed and position monitoring (SOS) and certification for holding torque in a stationary state. Many modern drives offer this capability – e.g., servo drives with safety modules can detect if the motor is stationary and safely hold it in position. If there’s a risk that the load might move (e.g., due to gravity in vertical axes), a mechanical brake is usually used for full assurance. SS2 doesn’t exempt us from considering physics – the fact that current flows in the motor holding it in position doesn’t always suffice in case of a serious failure. However, during short stops, nothing usually goes wrong, and we gain continuity of work.
Is SS1 Sufficient for Applications with High Inertia?
It’s time to answer the question many designers ask: is SS1 sufficient in systems with high inertia, or is something more needed? High inertia means the machine stores a lot of kinetic energy – making it harder to stop quickly. Intuition suggests that STO alone would be insufficient, as heavy parts would coast for a long time. SS1 seems like the minimum to actively brake the drive. Indeed, in most cases, SS1 is the gold standard for machines with high inertia – it ensures the fastest stop, as the drive acts as a brake. The previously mentioned examples (saws, centrifuges, presses) are machines with significant rotating mass, where SS1 is almost a necessity.
Does SS1 always suffice? It depends on the circumstances. SS1 guarantees stopping motion, but after braking, power is disconnected (STO). If our application only needs to stop a heavy mechanism and wait for the operator to remove a detail or replenish raw material, SS1 will likely fully meet the task – the machine stops safely, and power disconnection prevents any surprises. We must ensure the drive and its components are designed to absorb braking energy (e.g., appropriate braking resistors in the inverter to prevent damage during high energy dissipation). The industrial automation designer should verify if the inverter/servo drive has sufficient braking power for the given inertia – a common mistake is that the safety function works, but the drive throws an overload error when trying to brake a heavy flywheel.
The second issue is what happens after stopping. If the system has high inertia but stops in a stable position (e.g., a horizontally lying cylinder simply stops rotating), that’s fine. However, in machines where a large mass can move due to external forces (such as gravity), SS1 alone may not suffice – because after transitioning to STO, the weight may start moving. An example: a large conveyor inclined at an angle – it has a large mass of belt and goods. We brake it with the motor (SS1), but when power is cut, there’s a risk gravity will move the belt downward. In such situations, adding a mechanical movement lock is necessary. This can be the previously mentioned brake SBC, which clamps when power is cut and holds the position. Without this, it’s not possible – the electrical function alone won’t overcome the laws of physics. In other words, SS1 must be supplemented with mechanical measures when the application requires it.
Could SS2 be better for high inertia? After all, SS2 maintains torque, so there’s no risk of releasing the weight. True, SS2 provides active position holding after stopping, which is beneficial for vertical axes with loads. However, in most cases, a mechanical brake is still used for additional security. SS2 is useful when quick restart is essential – if this heavy system needs to start often, and we don’t want to reset the drive each time. High inertia alone doesn’t necessitate SS2, but it does require controlled braking – which SS1 provides. In summary: in machines with high inertia, SS1 with a well-designed braking system usually suffices, provided we include additional brakes on axes that could move on their own. SS2 can be added if quick restart benefits are significant or if a stop in readiness is required (but these are technological process issues, not inertia itself).
STO, SS1, and SS2 are three different answers to the question of how to stop a machine safely. Each of these functions has its place in the automation engineer’s arsenal. STO cuts energy immediately – simply and reliably, but allowing the machine to coast by momentum. SS1 adds controlled braking, making stopping faster and gentler on mechanics, and after stopping, the machine is de-energized. SS2, on the other hand, stops as quickly as SS1 but keeps the machine under control under voltage, ready to restart in an instant.
In designing safe control systems, it’s worth following both standards (PN-EN 61800-5-2 describes these functions in detail) and common sense, as well as risk analysis. Documents will guide us on legal requirements, but we – as industrial automation integrators – must tailor the solution to the specific machine. Sometimes the simplest STO will be the best (fewer things to break!), and sometimes SS1 is indispensable, as otherwise, the equipment would fall apart during an emergency stop. In other situations, we’ll appreciate SS2, which saves us downtime and allows us to quickly resume the work cycle.
Finally, remember: none of these functions will work miracles if we design them poorly or use them contrary to their purpose. We must ensure the right components (inverters with STO/SS1/SS2 certification, sensors, safety controllers), proper configuration, and regular testing. It’s also worth considering training on standards (e.g., Machinery Directive 2006/42/EC, PN-EN ISO 13849-1, PN-EN 62061), as knowledge of regulations goes hand in hand with engineering practice. We hope this article shed some light on the STO vs SS1 vs SS2 dilemma. Next time you design a safe machine stop, you’ll be able to consciously choose the best option – and most importantly, ensure maximum safety without compromising the process. Good luck with your projects and always safe work!
FAQ: STO, SS1 or SS2
SS1 controls braking and ends in STO (torque = 0, drive de-energized); SS2 controls braking and ends in SOS (drive under voltage, monitors and maintains stillness/position). In practice, SS1 is used for category 1 stopping, SS2 for safe operational stop and quick resumption.
Yes. STO corresponds to category 0 (torque cut-off, coasting to stop) and often implements E-STOP. Remember, STO does not brake – for high inertia or vertical axes, add SBC (brake) or choose SS1.
SS1-t (time-controlled): after set time the system transitions to STO – simple and predictable when stopping time is constant. SS1-r (ramp/speed-monitored): monitors speed/ramp, switches to STO after meeting criteria – better when braking time varies. Selection depends on inertia, time tolerance, and available feedback.
No. E-STOP = cat. 0 or 1 (STO or SS1). SS2 = cat. 2, leaves drive under voltage (SOS), so it’s for safe operational stop, not for emergency stopping.
When you need to maintain position and quickly resume movement: vertical axes/suspended loads, tool change, short operator interventions. Remember, with gravitational loads, you often add a brake (SBC) for redundancy.