TIDUDS9B December 2017 – November 2022

  Description
  Resources
  Features
  Applications
  1 System Description
    1.1 Key System Specifications
  2 System Overview
    2.1 Block Diagram
    2.2 Design Considerations
      2.2.1 Conditions of Use: Assumption
        2.2.1.1 Generic Assumptions
        2.2.1.2 Specific Assumptions
      2.2.2 Diagnostics Coverage
        2.2.2.1 Dual-Channel Monitoring
        2.2.2.2 Checking ISO1211 Functionality With MCU (SIL1)
        2.2.2.3 Checking TPS22919 Functionality With MCU (SIL1)
        2.2.2.4 Checking TPS27S100 Functionality With MCU (SIL1)
        2.2.2.5 Optional Monitoring Using RDY Pin of ISO5452, ISO5852S or UCC21750 Integrated Analog-to-PWM Isolated Sensor
      2.2.3 Drive State
    2.3 Highlighted Products
      2.3.1 ISO1211
      2.3.2 TPS27S100
      2.3.3 TPS22919
      2.3.4 ISO5852S, ISO5452
    2.4 System Design Theory
      2.4.1 Digital Input Receiver for STO
      2.4.2 STO_1 Signal Flow Path for Controlling VCC1
      2.4.3 STO_2 Signal Flow Path
        2.4.3.1 High-Side Switch for Controlling Secondary-Side Supply Voltage of Gate Driver
        2.4.3.2 Powering up Secondary Side: VCC2 of Gate Driver
      2.4.4 Gate Driver Design
      2.4.5 STO_FB Signal Flow Path
  3 Hardware, Software, Testing Requirements, and Test Results
    3.1 Getting Started Hardware
      3.1.1 PCB Overview
    3.2 Testing and Results
      3.2.1 Logic High and Logic Low STO Thresholds
      3.2.2 Validation of STO1 Signal
        3.2.2.1 Propagation of STO1 to VCC1 of Gate Driver
        3.2.2.2 1-ms STO Pulse Rejection
        3.2.2.3 Diagnostic Pulses From MCU Interface
      3.2.3 Validation of STO2 Signals
        3.2.3.1 Propagation of STO2 to VCC2 of Gate Driver
        3.2.3.2 1-ms Pulse Rejection
        3.2.3.3 Diagnostic Pulses From MCU
        3.2.3.4 Inrush Current Measurement
      3.2.4 3.3-V Voltage Rail From Switcher
      3.2.5 60-V Input Voltage and Reverse Polarity Protection
      3.2.6 Validation of Trip Zone Functionality
  4 Design Files
    4.1 Schematics
    4.2 Bill of Materials
    4.3 Layer Plots
    4.4 Altium Project
    4.5 Gerber Files
    4.6 Assembly Drawings
  5 Related Documentation
    5.1 Trademarks
  6 About the Author
  7 Recognition
  8 Revision History

Drive State

The safe-state is triggered by the following events:

  1. Active low STO_1 input signal requesting safe torque off
  2. Active low STO_2 input signal requesting safe torque off
  3. Diagnostic coverage of the STO_1 or STO_2 subsystem (ISO1211 and corresponding load switches) detects a dangerous fault
  4. The safe power supply voltages P24V, P3V3 or the corresponding logic supply voltages of the STO_1 and STO_2 subsystems are cut off

Drive State Feedback STO_FB Subsystem

The STO_FB signal is an active low signal and indicates the drive state. A high signal (logic level 1) indicates normal drive operation, while a low signal (logic level 0) indicates that the drive is in the safe state. The schematic is shown in Figure 2-5. The output signals STO_1_FB and STO_2_FB of the corresponding STO_1 and STO_2 safe subsystems are logically combined into a single active low feedback signal STO_FB through an isolated 24-V digital output. The corresponding logic states are shown in Table 2-3.

Figure 2-5 STO_FB Feedback Monitor Subsystem
Table 2-3 STO Feedback Diagnostics Logic Table

| INPUT 1: STO_1 | INPUT 2: STO_2 | OUTPUT 1: STO_1_FB   | OUTPUT 2: STO_2_FB   | DRIVE STATE      | STO_FB | COMMENT |
|----------------|----------------|----------------------|----------------------|------------------|--------|---------|
| 1              | 1              | 1                    | 1                    | Normal operation | 1      |         |
| 0              | 0              | 0                    | 0                    | Safe state (off) | 0      |         |
| 1              | 1              | 0                    | 1 (stuck high fault) | Safe state (off) | 0      | (1) The MCU has detected a single dangerous fault (stuck high) in subsystem STO_2 and has triggered the safe state through the STO_1 subsystem. |
| 1              | 1              | 1 (stuck high fault) | 0                    | Safe state (off) | 0      | (2) The MCU has detected a single dangerous fault (stuck high) in subsystem STO_1 and has triggered the safe state through the STO_2 subsystem. |
| 0              | 0              | 0                    | 1                    | Safe state (off) | 0      | The single fault could already have been detected earlier, see (1) above. |
| 0              | 0              | 1 (stuck high fault) | 0                    | Safe state (off) | 0      | The single fault could already have been detected earlier, see (2) above. |
| 0              | 0              | 1 (stuck high fault) | 1 (stuck high fault) | Normal operation | 1      | Dangerous state, due to two dangerous faults, one in each safe subsystem STO_1 and STO_2. Note: The system is designed for single fault tolerance (HFT=1), not for two faults, one in each subsystem. |

The STO_FB signal can be active low (logic state 0) while both STO_1 and STO_2 are inactive high (logic state 1). This state occurs when the diagnostics MCU (SIL 1) detects a single dangerous fault in one of the STO_1 or STO_2 subsystems. If a short or stuck high is found, the MCU puts the 3-phase IGBT inverter into the safe state by driving both diagnostic outputs MCU_Diag_Ctrl_Out1 and MCU_Diag_Ctrl_Out2 continuously low. An external safety PLC, for example, can use this state to recognize a single fault in either the STO_1 or the STO_2 subsystem and take appropriate action. The safety PLC and the related action are out of scope for this design.
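The following model, added here and not part of the TI design guide, reproduces Table 2-3 from the rules the text gives rather than from a lookup: each safe subsystem's feedback follows its STO input ANDed with the MCU diagnostic line unless a stuck-high fault holds it at 1, the MCU detects a stuck-high channel by pulsing its diagnostic output low and expecting the feedback to drop, a single detected fault makes the MCU hold both diagnostic outputs low, and STO_FB is the AND of the two feedbacks. The Channel class, the stuck_high flag and the evaluate() function are assumptions of this model; the signal names are the page's.

```python
from dataclasses import dataclass


@dataclass
class Channel:
    """One STO safe subsystem (ISO1211 receiver plus load switch).
    Simplified model added here: the channel output is the STO input ANDed
    with the MCU diagnostic line, unless a stuck-high fault holds it at 1."""
    sto_in: int               # STO_1 or STO_2 input: 1 = run, 0 = safe torque off
    stuck_high: bool = False  # dangerous fault: output stays 1 regardless of input

    def feedback(self, diag_ctrl: int) -> int:
        """STO_x_FB as observed by the MCU and the STO_FB output stage."""
        return 1 if self.stuck_high else (self.sto_in & diag_ctrl)


def stuck_high_detected(ch: Channel) -> bool:
    """SIL1 MCU test: pulse MCU_Diag_Ctrl_Out low (shorter than the 1-ms pulse
    rejection of the gate-driver supply, so the drive does not trip) and expect
    the feedback to drop. Feedback that stays at 1 means the channel is stuck high."""
    return ch.feedback(0) == 1


def evaluate(ch1: Channel, ch2: Channel) -> dict:
    """Derive STO_1_FB, STO_2_FB, STO_FB and the drive state for one
    combination of inputs and faults, as in one row of Table 2-3."""
    fault1 = stuck_high_detected(ch1)
    fault2 = stuck_high_detected(ch2)
    # On a single detected fault the MCU drives both diagnostic outputs
    # continuously low, forcing the safe state through the healthy subsystem.
    diag = 0 if (fault1 or fault2) else 1
    fb1, fb2 = ch1.feedback(diag), ch2.feedback(diag)
    sto_fb = fb1 & fb2  # both feedbacks combined into one active-low 24-V output
    return {
        "STO_1_FB": fb1,
        "STO_2_FB": fb2,
        "STO_FB": sto_fb,
        "drive_state": "Normal operation" if sto_fb else "Safe state (off)",
        # HFT=1: two stuck-high faults, one per subsystem, defeat the safe state
        "dangerous": fault1 and fault2,
    }


if __name__ == "__main__":
    # Table rows 3 and 7: single fault in STO_2, then one fault in each subsystem
    print(evaluate(Channel(1), Channel(1, stuck_high=True)))
    print(evaluate(Channel(0, stuck_high=True), Channel(0, stuck_high=True)))
```

The last case shows why the STO_FB output alone cannot distinguish the double-fault row from normal operation: the feedback reads 1 in both, so the MCU's periodic diagnostic pulses, not STO_FB, are what expose the first fault before a second one can occur.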