SFFS422 May   2022

 

  1.   Trademarks
  2.   2
  3. 1Scope
  4. 2Related Documents
  5. 3Related Standards and Acronyms
  6. 4Concept Overview
    1. 4.1 System Block Diagram
    2. 4.2 System Specifications
    3. 4.3 Conditions of use: Assumptions
      1. 4.3.1 Generic Assumptions
      2. 4.3.2 Specific Assumptions
    4. 4.4 Safe Torque Off Implementation
      1. 4.4.1 Subsystem Elements
      2. 4.4.2 STO Safe Subsystem States and Timing Diagram
      3. 4.4.3 STO_1 Subsystem
      4. 4.4.4 STO_2 Subsystem
      5. 4.4.5 MCU (SIL 1) Diagnostic Coverage
      6. 4.4.6 STO_FB Subsystem
      7. 4.4.7 Information on ICs
        1. 4.4.7.1 Isolated 24-V Input Receiver
        2. 4.4.7.2 Load Switch: TPS22919
        3. 4.4.7.3 High-Side Switch: TPS27S100
        4. 4.4.7.4 Isolated Gate Driver: ISO5852S (ISO5452)
    5. 4.5 Safe State
  7. 5Concept FMEA
    1. 5.1 System FMEA
  8. 6References

4.4.1 Subsystem Elements

The elements used to implement safe torque off include:

  • STO_1 safe subsystem: Set VCC = 0 V, on demand
    • Input: STO_1
    • Output: VCC

    On demand, the VCC input supply of all 6 isolated gate drivers ISO5852S (or ISO5452) is set to 0 V, which set the output of the six ISO5852S (or ISO5452) gate driver to 0 V, hence all six IGBTs turn off. Refer to Section 4.4.3.

  • STO_2 safe subsystem: Set P24V = 0 V, on demand
    • Input: STO_2
    • Output: P24V

    On demand, the 24-V input supply P24V to the TIDA-00199 fly-buck converter is disabled. Then the isolated supply voltages of TIDA-00199 (VCC2, VEE2) of all 6 isolated gate drivers ISO5852S (or ISO5452) will decay to 0 V, which set the output of the ISO5852S (or ISO5452) gate driver to 0 V or high-impedance. With the external pull-down resistors, the six IGBTs will turn off. Refer to Section 4.4.4.

  • Diagnostic coverage: MCU (SIL 1) software periodically disable the two load switches TPS22919 and TPS27S100 through logic low diagnostic pulse and check if the output of corresponding switches goes low. If a single fault is detected by the diagnostics software, the MCU will continuously drive the diagnostic signals MCU_Diag_Cntrl_Out1 and MCU_Diag_Cntrl_Out2 low, which will move the system to the safe state, where no force producing power is available at the motor. Refer to Section 4.4.5.
  • STO_FB: The STO_1 and STO_2 safe subsystem outputs are combined into a single logic feedback STO_FB. STO_FB is active low and indicates the drive state, either normal operation or safe state. The STO_FB signal can be used as monitor to validate the drive status. Refer to Section 4.4.6.