Below, three methods of triggering an emergency stop on the controller are analysed: how each is implemented, and its pros and cons.


STO


The STO cuts power to the MOSFET drivers if either of the two STO inputs goes low. While the MOSFET drivers have no power, the MOSFETs cannot be switched and no torque can be provided to the motor.


pros:


  • Hardware implementation: works even if the MCU is dead
  • Certified (on specific models)


cons:


  • The motor will not brake but continue to rotate until it stops by friction and load
  • In case of short circuit in the power stage, the current will continue to flow


As mentioned, STO cannot help if there is a short circuit, so it cannot replace the main contactor. As you can see in the image below, the battery poles stay shorted if both the top and bottom MOSFETs of a half-bridge are shorted.



Soft Emergency stop


When the software emergency stop is triggered, the MCU commands all power-stage MOSFETs OFF. This is a firmware implementation and works only if the MCU is alive and in a correct logic state. Again, if a MOSFET is shorted, the MCU cannot change its state.



pros:


  • No additional circuitry required; can be implemented by connecting the sensor/button to a digital input


cons:


  • Software implementation: will not work if the MCU is out of order
  • The motor will not brake but continue to rotate until it stops by friction and load
  • In case of short circuit in the power stage, the current will continue to flow


Main contactor


The main contactor that connects the battery to the controller must not open while the motor is moving, so it cannot be used on a regular basis. The problem with disconnecting the battery from the controller while the motor moves is that the controller can be damaged by the motor's regenerative voltage. Also, because the controller is still powered through the motor's regenerative voltage, its behaviour becomes unstable. The solution here is to pull the power ctrl line to ground at the same time as (or sooner than) the Vmot switch opens. That way the controller is completely disabled and cannot switch its MOSFETs and drive the DC bus voltage up. This method should only be used on a critical controller error.


pros:


  • The power stage will be completely isolated from the battery
  • The controller will turn off


cons:


  • The motor will not brake but continue to rotate until it stops by friction and load
  • The controller can get damaged if the motor runs at speeds higher than its maximum rating, because no path to the battery is provided for the regenerative voltage
  • Cannot be used for standard operation, only for critical faults
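The soft emergency stop and the main-contactor shutdown are the two methods that pass through firmware, so their behaviour can be modelled. The following is an added example, not code from the original note or from any specific controller: a small C model in which GPIOs are plain variables and an event log. It shows the soft e-stop forcing every gate output off after a debounced (assumed active-low) button press, the "shorted MOSFET keeps conducting" caveat as a constructed fault mask, and the contactor sequence in which power ctrl goes low no later than Vmot opens, with a check on that ordering. All names (GATE_COUNT, DEBOUNCE_SAMPLES, the g_* state, the function names) are hypothetical.

```c
/* Mock firmware e-stop paths (added example, not the page's own code).
 * Hardware is modelled with plain variables and an event log. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GATE_COUNT 6          /* three half-bridges, top and bottom MOSFET each */
#define DEBOUNCE_SAMPLES 3    /* constructed value: consecutive low samples to accept the button */
#define MAX_EVENTS 16

enum event { EV_GATES_OFF, EV_POWER_CTRL_LOW, EV_VMOT_OPEN };

/* Modelled hardware state (hypothetical names) */
static uint8_t g_gate_on[GATE_COUNT];   /* 1 = gate driven on */
static int g_power_ctrl_high = 1;       /* controller enable line */
static int g_vmot_closed = 1;           /* main contactor closed */
static enum event g_log[MAX_EVENTS];
static size_t g_log_len;
static unsigned g_low_samples;
static int g_estop_latched;

static void log_event(enum event e) { if (g_log_len < MAX_EVENTS) g_log[g_log_len++] = e; }

/* Start from "motor running": all gates being switched, contactor closed, nothing latched. */
void model_reset(void) {
    for (size_t i = 0; i < GATE_COUNT; i++) g_gate_on[i] = 1;
    g_power_ctrl_high = 1; g_vmot_closed = 1; g_log_len = 0;
    g_low_samples = 0; g_estop_latched = 0;
}

/* Soft emergency stop: firmware forces every gate output off. Runs only while the MCU is alive. */
void soft_estop(void) {
    for (size_t i = 0; i < GATE_COUNT; i++) g_gate_on[i] = 0;
    g_estop_latched = 1;
    log_event(EV_GATES_OFF);
}

/* Poll the e-stop input (assumed active-low). Returns 1 once the debounced press is accepted. */
int estop_input_poll(int raw_level) {
    if (raw_level == 0) {
        if (++g_low_samples >= DEBOUNCE_SAMPLES && !g_estop_latched) soft_estop();
    } else {
        g_low_samples = 0;
    }
    return g_estop_latched;
}

/* Number of MOSFETs still conducting: a gate that is driven on, or one that has failed short.
 * 'shorted' is a constructed fault mask; a shorted device conducts whatever the MCU does. */
size_t conducting_count(const uint8_t shorted[GATE_COUNT]) {
    size_t n = 0;
    for (size_t i = 0; i < GATE_COUNT; i++) if (g_gate_on[i] || shorted[i]) n++;
    return n;
}

/* Critical-fault shutdown via the main contactor: pull power ctrl low first so the controller
 * cannot keep switching, then open Vmot. */
void critical_fault_shutdown(void) {
    g_power_ctrl_high = 0;  log_event(EV_POWER_CTRL_LOW);
    g_vmot_closed = 0;      log_event(EV_VMOT_OPEN);
}

bool battery_isolated(void) { return !g_vmot_closed; }

/* Ordering check: power ctrl low must be logged no later than Vmot opening. */
bool shutdown_order_ok(void) {
    int pc = -1, vm = -1;
    for (size_t i = 0; i < g_log_len; i++) {
        if (g_log[i] == EV_POWER_CTRL_LOW && pc < 0) pc = (int)i;
        if (g_log[i] == EV_VMOT_OPEN && vm < 0) vm = (int)i;
    }
    return pc >= 0 && vm >= 0 && pc <= vm;
}

int main(void) {
    const uint8_t no_fault[GATE_COUNT] = {0};
    const uint8_t top_and_bottom_shorted[GATE_COUNT] = {1, 1, 0, 0, 0, 0};  /* constructed fault */

    model_reset();
    estop_input_poll(0); estop_input_poll(1); estop_input_poll(0); estop_input_poll(0);
    printf("after a bounce and two lows: latched=%d\n", g_estop_latched);
    estop_input_poll(0);
    printf("soft e-stop latched=%d, conducting (healthy)=%zu, conducting (shorted pair)=%zu\n",
           g_estop_latched, conducting_count(no_fault), conducting_count(top_and_bottom_shorted));

    critical_fault_shutdown();
    printf("battery isolated=%d, ordering ok=%d\n", battery_isolated(), shutdown_order_ok());
    return 0;
}
```

The point of the model is the two results that match the note's cons lists: after the soft e-stop, conducting_count is zero on a healthy stage but stays non-zero with a shorted top/bottom pair, and only critical_fault_shutdown makes battery_isolated true, with shutdown_order_ok confirming the power ctrl line went low before the contactor opened.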