In the TIDA-01599 STO concept an MCU (SIL 1) is assumed to do the diagnostics coverage. The MCU is not part of the analysis. A hardware based diagnostic coverage is possible too.

MCU diagnostic coverage tasks:

• Task 1: Periodically monitors STO_1 and STO_2 inputs for OSSD test pulses with 1ms logic low signal present on STO_1_In1 and STO_2_In2 from the corresponding ISO1211 outputs. If no logic low is detected for more than 4ms, the MCU concludes the corresponding ISO1211 output is stuck high or shorted to VCC and puts the 3-phase IGBT inverter into a safe state by driving both diagnostic pulses MCU_Diag_Cntrl_Out1 and MCU_Diag_Cntrl_Out2 continuously low. This in turns will disable the six gate drivers, the six IGBT will be turned off and the drive will enter the safe state.
• Task 2: MCU periodically generates short low pulses on the MCU_Diag_Cntrl_Out1 and MCU_Diag_Cntrl_Out2 signals disables the output of the AND gates, which in turn turns off the corresponding load switches. The MCU reads back the output of the load switches through the signals MCU_Diag_Monitor_In1 and MCU_Diag_Monitor_In2. If a short or stuck high was found, the MCU puts the 3-phase IGBT inverter into a safe state by driving both diagnostic pulses MCU_Diag_Cntrl_Out1 and MCU_Diag_Cntrl_Out2 continuously low. This in turns will disable the six gate drivers, the six IGBT will be turned off and the drive will enter the safe state.
• Task 3: MCU periodically monitors STO_1 and STO_2 signals from the corresponding ISO1211 output. If either STO_1 or STO_2 or both are active low, the MCU also continuously drives MCU_Diag_Cntrl_Out1 and MCU_Diag_Cntrl_Out2 signal low.

Table 4-3 shows the logic table. Note that STO related signals are active low.