ALSTOM STO1726KO1 Safety Torque Off (STO) Module

I. Overview

• Collecting key equipment parameters (speed, pressure, temperature, with a signal range of 4-20mA/0-10V and 16-bit resolution) via 8 analog inputs (AI) to monitor in real time whether parameters exceed limits;

• Receiving equipment fault signals (e.g., sensor faults, valve jamming, with a response time of ≤1ms) through 4 digital inputs (DI);

• Outputting emergency trip commands (e.g., cutting off fuel supply, closing steam valves, with an output current of ≤5A) via 4 digital outputs (DO) to trigger equipment shutdown;

• Incorporating a built-in 32-bit safety processor that supports dualized logic operations (2oo2/1oo2 voting mechanisms) to avoid false trips or trip failures caused by single-point faults;

• Equipped with redundant power inputs and redundant communication interfaces (Modbus TCP/Profibus DP) to ensure uninterrupted power supply and data transmission;

• Supporting parameter configuration (e.g., over-limit thresholds, trip delays) and status monitoring via Alstom Harmony software;

• Featuring self-diagnostic functionality for faults (input short circuits/overvoltages, output overloads, processor abnormalities), which triggers immediate alarms and logs records when faults occur.

Its core advantages lie in "high safety level (SIL 3), fast trip response (≤10ms), wide temperature adaptability (-30℃~75℃), and redundant fault-tolerance design". It is a core component of Alstom's power equipment safety protection system and is widely used in safety control scenarios for critical power equipment such as gas turbines, steam turbines, and large compressors.

• I/O Channels and Signal Processing: It has 8 AI channels (4 channels for 4-20mA, 4 channels for 0-10V, 16-bit resolution, accuracy ±0.05% FS, sampling rate 2kHz per channel), supporting dualized sensor access (e.g., two speed sensors connected to different AI channels respectively); 4 DI channels (24V DC dry contacts, high level ≥18V, low level ≤5V, response time ≤1ms), supporting dualized input of fault signals; 4 DO channels (24V DC relay output, output current ≤5A, response time ≤5ms), supporting dualized output of trip commands (two DO channels controlling the same actuator). All I/O channels are equipped with photoelectric isolation (isolation voltage ≥3kVrms) and electromagnetic shielding (metal housing + double-layer shielded wires) to avoid on-site electromagnetic interference (e.g., from motors and frequency converters). Input channels have overvoltage protection (maximum input 30V DC) and short-circuit protection (response time ≤5μs), while output channels have overload protection (short-circuit current ≤10A).

• Core Safety Control Unit: It contains two built-in 32-bit safety processors (TI TMS570LS3137, compliant with IEC 61508 SIL 3) that execute the same logic operations in parallel. It adopts a 2oo2 (two-out-of-two) voting mechanism (a trip command is output only when both processors determine an over-limit) or a 1oo2 (one-out-of-two) voting mechanism (a trip command is output when one processor determines an over-limit, and it can still work if the other processor fails), which can be configured via software. It is equipped with 128MB Flash (for storing safety programs, configuration parameters, and fault logs) and 64MB RAM (for caching real-time monitoring data), supporting online firmware upgrades (without interrupting the operation of safety logic). It supports safety communication protocols (PROFIsafe/Modbus Safety) to transmit safety-related data with the main controller, with a communication delay of ≤5ms.

• Housing and Protection: It uses a die-cast aluminum alloy housing (with anti-corrosion coating, thickness ≥2mm) with dimensions of 200mm×150mm×80mm (length × width × height), supporting DIN rail mounting (35mm standard rail) and panel mounting. It has an IP20 protection rating (dust-proof and finger-touch proof), suitable for industrial control cabinet environments. The operating temperature range is -30℃~75℃, the storage temperature range is -40℃~85℃, and the relative humidity range is 5%~95% (non-condensing). It has vibration resistance (compliant with IEC 60068-2-6 standard: 10-500Hz, 2g acceleration) and shock resistance (compliant with IEC 60068-2-27 standard: 25g acceleration, 11ms pulse width), making it suitable for the vibration environment of gas turbines.

• Safety and Redundancy Design: It supports dual redundant power inputs (24V DC±20%, compatible with 12V DC/48V DC), which automatically switch when a single power supply fails, with a switching time of ≤0.5ms and no power supply interruption. It is equipped with dual communication interfaces (1 Modbus TCP, 1 Profibus DP, both supporting redundancy), and the backup communication takes over within 1ms when the main communication fails. Key circuits (processor, power supply, I/O driver) adopt a dualized design to prevent safety function failure caused by single-point faults. It complies with IEC 61508 SIL 3 certification, EN 50155 railway standard (wide temperature and vibration), and UL 508 industrial safety standard, meeting the safety requirements of multiple industries.

II. Technical Parameters

1. I/O Channels and Signal Parameters

2. Safety and Control Performance Parameters

3. Environmental and Reliability Parameters

III. Functional Features

1. SIL 3 High Safety Level to Eliminate Safety Accidents

• Dualized Processors and Logic Operations: Dual safety processors operate in parallel and adopt a 2oo2 voting mechanism (a trip is triggered only when both determine an over-limit), avoiding false trips caused by single-processor faults (in a gas turbine system, the module has no incorrect actions when a single processor is abnormal, ensuring normal operation of the unit). It supports 1oo2 logic (a trip is triggered when one processor determines an over-limit), meeting scenarios where "trip failures are not allowed" (e.g., auxiliary equipment in nuclear power plants) and balancing safety and availability.

• SIL 3 Full-Link Certification: From hardware (processors, I/O channels) to software (logic operations, diagnostic programs), all comply with IEC 61508 SIL 3 certification, achieving the highest level of safety integrity. In a compressor system of a petrochemical enterprise, the module avoids trip failures caused by sensor faults and successfully prevents compressor explosion due to overpressure (with an accident loss exceeding 100 million yuan).

• Fail-Safe Design: Under extreme conditions such as power interruption and processor failure, the module outputs a trip command by default (or maintains a safe state) to prevent equipment out of control. In a steam turbine system, the module immediately triggers a shutdown when the power supply is interrupted, preventing continuous increase in steam pressure.

2. 10ms Fast Trip Response to Reduce Equipment Damage

• High-Speed Signal Acquisition and Operation: With an AI sampling rate of 2kHz (data collected every 0.5ms) and 160MHz safety processor operation, the over-limit detection delay is ≤3ms; the DI response time is ≤1ms, and there is no delay in triggering trips via fault signals. When the speed of a gas turbine suddenly rises, the module outputs a trip command within 10ms, and the unit shuts down within 3 seconds, preventing turbine blade damage due to overspeed.

• Simplified Trip Logic: Safety logic is solidified in hardware to avoid delays caused by complex software operations. It supports "direct over-limit trip" and "delayed trip" (adjustable 0-100ms). In a compressor system, a 50ms delayed trip is set to avoid false shutdowns caused by instantaneous pressure fluctuations.

• High-Power Output Drive: The DO output current is ≤5A, which can directly drive actuators such as emergency shutdown valves and fuel cut-off valves without additional amplification modules, reducing delays in intermediate links. The response time of the trip command from the module to the actuator is ≤15ms.

3. Full-Link Redundancy Design to Ensure Continuous Safety Control

• Dual Redundant Power Supply and Communication: Dual 24V DC power inputs (switching time ≤0.5ms) ensure seamless switching to the backup power supply when the main power supply fails; dual Modbus TCP communication (or Profibus DP redundancy) enables switching to the backup within 1ms when the main communication is interrupted. In a gas turbine system of a power plant, communication interruption does not affect the trip function, and normal monitoring and protection are still maintained.

• Dualized I/O Access: AI supports access to two sensors (e.g., dual speed sensors), DI supports dualized input of fault signals, and DO supports dualized output to control the same actuator. In a steam turbine system, when a single sensor fails, the module continues monitoring through the other sensor without affecting safety protection.

• Redundant Fault Diagnosis: Dual processors diagnose faults separately and cross-verify fault information to avoid single-point diagnosis errors. When a fault occurs, an alarm is triggered immediately and records are logged. Maintenance personnel can check the fault location (e.g., "AI1 short circuit", "DO2 overload") via software, reducing troubleshooting time from 2 hours to 30 minutes.