All trademarks are the property of their respective owners.
Revision | Date | Name | Change |
---|---|---|---|
1.2 | 2018/10/25 | Navaneeth Kumar N (TI), Anant Kamath (TI) | Version shared with TUEV SUED for feedback. Refer to “Review Protocol_Concept V1.0.docx”. |
1.3 | 2021/08/04 | M. Staebler (TI) | Changed format according to TUEV template, added additional references, added further information on conditions of use/assumptions and on the STO_1 and STO_2 subsystems. Adjusted MCU signal names on schematics to reflect input or output signal with respect to the MCU. Added information on the reinforced isolated gate driver ISO5852S and the pin-compatible ISO5452. |
1.4 | 2021/09/23 | M. Staebler (TI) | Updated conditions of use, removed the STO latching feature, added table to explain U7 load switch QOD. |
1.5 | 2021/09/29 | M. Staebler (TI) | Updated Figure 3, which shows the STO_1 subsystem (added second transistor Q3 for redundant VCC clamp); added reference to IEC 61508-2 Table A DC fault model. Updated Figure 4 to match the schematics rev. E2. |
1.6 | 2021/11/11 | M. Staebler, C. Gao (TI) | Added STO_FB channel, updated block diagram, added description of STO_FB logic and updated system FMEA and references. Modified file name to include STO. |
1.6a | 2022/01/31 | M. Staebler (TI) | No change in content, corrected typos only. |
1.6b | 2022/05/18 | M. Staebler (TI) | Correction to FMEA STO Concept TIDA-01599 secure link. |
This document describes a concept implementation of the safety function safe torque off (STO) according to IEC 61800-5-2 for a three-phase IGBT inverter for industrial drives.
The STO subsystem is based on the TI TIDA-01599 reference design and utilizes a dual-channel approach with HFT = 1 specifically for isolated IGBT gate drivers with CMOS and TTL logic input like TI’s reinforced isolated gate driver ISO5852S or ISO5452.
The safety integrity level for the STO function is capable of SIL 3 according to IEC 61508 and category 3 PL e per ISO 13849, as assessed by TÜV SÜD.
Document | Description |
---|---|
Design guide | Redundant dual-channel safe torque off (STO) reference design for AC inverters and servo drives, Texas Instruments, TIDA-01599, https://www.ti.com/lit/pdf/TIDUDS9 Design files will be updated as reflected in this document. |
Schematics | Updated TIDA-01599 schematic rev. E2: TIDA-01599E2.1(001)_Sch.pdf TIDRVA2 |
Design guide | Wide-Input Isolated IGBT Gate-Drive Fly-Buck Power Supply for Three-Phase Inverters Reference Design, Texas Instruments, TIDA-00199, TIDU670 |
Data sheet | ISO1211, Single-channel Isolated 24-V to 60-V digital input receiver for digital input modules, Texas Instruments, https://www.ti.com/product/ISO1211 |
Data sheet | ISO5452, 2.5-A / 5-A 5.7-kV RMS single channel isolated gate driver with split output and protection features, Texas Instruments, https://www.ti.com/product/ISO5452 |
Data sheet | ISO5852S, 2.5-A / 5-A, 5.7-kV RMS single channel isolated gate driver with split output and protection, Texas Instruments, https://www.ti.com/product/ISO5852S |
Data sheet | TPS22919, 5.5-V, 1.5-A, 90-mΩ load switch with adj. output discharge, Texas Instruments, https://www.ti.com/product/TPS22919 |
Data sheet | TPS27S100, 40-V, 80-mΩ, 4-A, 1-ch, Industrial high-side switch with adjustable current limiting and current, Texas Instruments, https://www.ti.com/product/TPS27S100 |
Data sheet | TIOS101, TIOS101x Digital Sensor Output Drivers with Integrated Surge Protection, https://www.ti.com/lit/ds/symlink/tios1013.pdf |
Data sheet | ISO7710 High Speed, Robust EMC Reinforced Single-Channel Digital Isolator, https://www.ti.com/lit/ds/symlink/iso7710.pdf |
Concept FMEA | For access to FMEA STO Concept TIDA-01599, use this secure link |
Functional safety information | TPS22919-Q1 Functional Safety FIT Rate, FMD and Pin FMA: TPS22919-Q1 FMD_FIT_FMA Document.pdf |
Standard | Title |
---|---|
IEC 61800-5-2 | Adjustable speed electrical power drive systems – Part 5-2: Safety requirements – Functional |
IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
ISO 13849-1/2 | Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design; Part 2: Validation |
IEC 60204-1 | Safety of machinery – Electrical equipment of machines – Part 1: General requirements |
IEC 62061 | Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems |
Acronym | Description |
---|---|
DC | Diagnostic coverage |
FIT | Failure in time (1e-9 failures per hour) |
HFT | Hardware fault tolerance |
MTTF | Mean time to failure (in years) |
MTTFd | Mean time to failure – dangerous (in years) |
PFD | Probability of dangerous failure |
PFH | Average frequency of a dangerous failure of the safety function [per hour] |
SFF | Safe failure fraction |
PDS/SR | Power drive system, safety related |
DFD | Dangerous failure detected. Acronym used in the FMEA tables. |
DFU | Dangerous failure undetected. Acronym used in the FMEA tables. |
SF | Safe failure |
NEF | No-effect failures: failures which have no impact on the safety function. Acronym used in the FMEA tables. |
FRT | Fault response time |
DTI | Diagnostic test interval |
Figure 4-1 shows the overall system block diagram.
STO_1 and STO_2 control the primary-side and secondary-side power supplies of the six isolated IGBT gate drivers through a power switch (VCC) and a high-side switch (P24V), respectively. As long as a logic 1 (+24-V DC) is present at both STO inputs, the motor is operable. If there is a logic 0 (0 V) at one or both STO inputs, the power supplies to the gate drivers are disconnected and the motor coasts down to zero speed. The 1oo2 architecture provides HFT = 1: only two simultaneous faults can cause the safety function to fail.
The MCU (SIL 1) implements the diagnostic coverage of the STO_1 and STO_2 safe subsystems and sets the system to a safe state when a fault is detected.
An STO_FB signal indicates the status of the drive (safe state or normal operation) and can be used to feed the drive’s status back to a safety PLC for additional diagnostics, if desired.
The PDS/SR is a DC-fed three-phase inverter that supports the STO (safe torque off) function according to IEC 61800-5-2. The STO function also supports IEC 60204-1 stop category 0, which results in an uncontrolled coast stop. It shall meet IEC 61508 SIL 3 and ISO 13849 category 3 PL e.
The STO function removes both supply voltages of the six isolated IGBT gate drivers. STO_1 removes the logic input supply (VCC) of the isolated gate drivers; STO_2 removes the input supply (P24V) of the isolated multi-output DC/DC converter, which in turn removes the isolated output supply rails (VCC2/VEE2) of the six isolated IGBT gate drivers. As a result, the six gate driver outputs are at 0 V (off) and the six IGBTs turn off. In that state the three-phase IGBT inverter can no longer generate a rotating torque in the motor.
The PDS/SR operates in high-demand or continuous mode, where the rate of demands made on the safety sub-function is greater than one per year.
Parameter | Value | Comment |
---|---|---|
Safety function | STO | Safe torque off per IEC 61800-5-2 |
Hardware redundancy (HFT) | HFT = 1 (1oo2) | |
IEC 61508 SIL level | SIL 3 | |
ISO 13849 | Category 3, PL e | |
Demand mode | Continuous | |
SFF/DC | ≥ 90% (HFT = 1) | Cat 3 PL e medium DC is ≥ 90%. |
PFH | < 10^-7 | The quantitative analysis is not part of this concept study. |
STO response time | 10 ms (nominal), 200 ms (maximum) | The time between the STO input becoming active (low) and the gate driver output (Vgs) going low, which means the power IGBTs are off. The quantitative analysis is not part of this concept study. |
DTI (diagnostic test interval) | 100 ms (10 Hz) | The quantitative analysis is not part of this concept study. Diagnostics run at least at 10 Hz (load switch for STO_1 and load switch for STO_2). |
FRT (fault response time) | < 200 ms | |
Mission time (TM) | 20 years | |
STO input voltage range | 24-V DC ±15% (nominal); ±60-V DC absolute maximum | |
STO input logic level, valid > 2 ms | 15- to 30-V DC: STO function not engaged; < 10-V DC: STO function engaged | STO is an active-low logic input. The input is low-pass filtered to remove OSSD pulses. A valid STO is > 2 ms. |
Support of OSSD test pulses | Test pulse duration < 1 ms, maximum repetition frequency 500 Hz | A low-pass filter removes (filters out) the test pulses to avoid triggering STO. Diagnostics for OSSD pulses run at 250 Hz (4-ms rate). |
DC supply voltage | 24-V DC ±15% (nominal) | |
Isolated gate driver supply voltages | Logic supply: 3.3 V to 5 V (nominal); output supply: +15 V, –8 V (nominal) | It is expected that the supply rails are protected to remain below the recommended maximum operating voltage of the selected isolated gate drivers. |
Operating ambient temperature | –40°C to 85°C | |
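Added example (not TI's firmware, hardware or design files): a constructed C model of the STO input qualification from the parameter table (active-low input, engaged only after more than 2 ms low, so OSSD test pulses shorter than 1 ms are ignored), the 1oo2 combination of STO_1 and STO_2 described in the block diagram section, and the derived STO_FB state. The 4-kHz sample rate, the treatment of the undefined 10 V to 15 V band as engaged, and the immediate release on a single high sample are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example: software model of STO input qualification and 1oo2
   logic. Assumes 4-kHz sampling (250 us); "valid STO > 2 ms" therefore
   means more than 8 consecutive low samples. */
#define SAMPLE_US          250u
#define STO_VALID_SAMPLES  ((2u * 1000u) / SAMPLE_US)   /* 8 samples = 2 ms */

/* Thresholds from the concept: 15 V to 30 V = not engaged, < 10 V = engaged.
   The 10 V to 15 V band is undefined; this model treats it as engaged
   (fail-safe assumption of the example). */
bool sto_input_is_high(uint32_t mv) { return mv >= 15000u; }

typedef struct {
    uint32_t low_samples;   /* consecutive samples below threshold */
    bool     engaged;       /* true = this channel has removed its supply */
} sto_channel_t;

/* Feed one sample. An OSSD test pulse (< 1 ms, i.e. at most 4 low samples)
   can never exceed STO_VALID_SAMPLES, so it is filtered out. A single
   high sample releases the channel (no latching, per rev 1.4). */
void sto_channel_update(sto_channel_t *ch, uint32_t mv) {
    if (sto_input_is_high(mv)) {
        ch->low_samples = 0;
        ch->engaged = false;
        return;
    }
    if (ch->low_samples < UINT32_MAX) ch->low_samples++;
    if (ch->low_samples > STO_VALID_SAMPLES) ch->engaged = true;
}

/* Feed n identical samples (e.g. a pulse of known duration). */
void sto_channel_feed(sto_channel_t *ch, uint32_t mv, uint32_t n) {
    while (n-- > 0) sto_channel_update(ch, mv);
}

/* 1oo2: the drive is operable only while neither channel is engaged;
   STO_FB reports the inverse (safe state) to a safety PLC. */
bool drive_operable(const sto_channel_t *c1, const sto_channel_t *c2) {
    return !c1->engaged && !c2->engaged;
}
bool sto_fb_safe_state(const sto_channel_t *c1, const sto_channel_t *c2) {
    return !drive_operable(c1, c2);
}
```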