SFFS422 May 2022


Contents

  Trademarks
  1 Scope
  2 Related Documents
  3 Related Standards and Acronyms
  4 Concept Overview
    4.1 System Block Diagram
    4.2 System Specifications
    4.3 Conditions of use: Assumptions
      4.3.1 Generic Assumptions
      4.3.2 Specific Assumptions
    4.4 Safe Torque Off Implementation
      4.4.1 Subsystem Elements
      4.4.2 STO Safe Subsystem States and Timing Diagram
      4.4.3 STO_1 Subsystem
      4.4.4 STO_2 Subsystem
      4.4.5 MCU (SIL 1) Diagnostic Coverage
      4.4.6 STO_FB Subsystem
      4.4.7 Information on ICs
        4.4.7.1 Isolated 24-V Input Receiver
        4.4.7.2 Load Switch: TPS22919
        4.4.7.3 High-Side Switch: TPS27S100
        4.4.7.4 Isolated Gate Driver: ISO5852S (ISO5452)
    4.5 Safe State
  5 Concept FMEA
    5.1 System FMEA
  6 References

4.3.2 Specific Assumptions

  1. Input signals STO_1 and STO_2
    • The input voltage is between 0 V and 24 V nominal, with worst-case thresholds of 3.6 V for logic low and 20.4 V for logic high. No intermediate voltage is expected.
    • A logic low (diagnostic pulse) on the STO signal is assumed to last either less than 1 ms or more than 2 ms. No intermediate pulse widths are allowed.
  2. Diagnostic coverage of STO_1 and STO_2 and STO_FB subsystems
    • The MCU and its diagnostic software are excluded from this analysis and are assumed to be developed in accordance with functional safety requirements. The MCU is assumed to be SIL1 certified, and the software is assumed to be implemented so that it meets at least SIL1.
  3. Output signal STO_FB
    • The output voltage is assumed to be between 0 V and 24 V nominal, with worst-case thresholds of 3.6 V for logic low and 20.4 V for logic high. The external 24-V supply to STO_FB is assumed to be protected against overvoltage and is required to remain within 24 V ±20%.
  4. Power supply rails of STO_1 and STO_2 subsystem
    • P3V3 supply: assumed to be protected against faults and to remain within ±20% tolerance (3.9 V max., 2.7 V min.). If out of specification, it is shut down to 0 V. When a single protected power supply is used for both the STO_1 and STO_2 subsystems, it shall employ two independent protection circuits (HFT = 1).
    • 24-V supply: the 24-V input supply for P24V is assumed to be protected against faults and to remain within ±20% tolerance. If out of specification, it is shut down to 0 V.
  5. Isolated gate drive supply TIDA-00199
    • It is assumed that the quad output rails (VCC2 = +15 V, VEE2 = –8 V) decay to 0 V within 10 ms after the P24V DC input voltage is disconnected.
    • It is assumed that all faults in TIDA-00199 are safe and result in a 0-V output on all quad output rails VCC2 and VEE2.
  6. Temperature
    • It is assumed that the components operate within their recommended operating temperature range. A temperature sensor must be added, and if the ambient temperature is outside the recommended operating range, all safety-relevant supplies are shut down. This circuit is not part of the concept.
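As an added illustration (this is not TI's code; the page explicitly excludes the MCU and its diagnostic software from the analysis, and nothing here is part of the concept), the following C shows how MCU-side monitoring logic could check sampled STO_1/STO_2 inputs against the assumptions above: a voltage between the 3.6 V and 20.4 V worst-case thresholds, a low pulse that is neither shorter than 1 ms nor longer than 2 ms, and a supply rail outside its stated limits are all reported as faults rather than silently accepted, because the concept's claims rest on those assumptions holding. The function names, the 100-µs sample period and the sample traces are constructed for this example.

```c
/* Added example, not TI's code: checks sampled STO inputs against the
 * specific assumptions of section 4.3.2. Thresholds are the page's; the
 * function names, sample period and traces below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Voltage thresholds in millivolts (from the assumptions). */
#define STO_LOW_MAX_MV     3600U   /* <= 3.6 V  : logic low  */
#define STO_HIGH_MIN_MV   20400U   /* >= 20.4 V : logic high */
/* Low-pulse width limits in microseconds (from the assumptions). */
#define DIAG_PULSE_MAX_US  1000U   /* diagnostic pulse: shorter than 1 ms */
#define STO_DEMAND_MIN_US  2000U   /* real STO demand : longer than 2 ms  */

typedef enum { LEVEL_LOW, LEVEL_HIGH, LEVEL_INVALID } sto_level_t;
typedef enum { PULSE_DIAGNOSTIC, PULSE_STO_DEMAND, PULSE_INVALID } sto_pulse_t;
typedef enum { VERDICT_RUNNING, VERDICT_STO_DEMAND, VERDICT_PENDING, VERDICT_FAULT } sto_verdict_t;

/* Classify one voltage sample. Anything between the two thresholds violates
 * the "no intermediate voltage" assumption and is reported as invalid. */
sto_level_t sto_classify_level(uint32_t mv)
{
    if (mv <= STO_LOW_MAX_MV)  return LEVEL_LOW;
    if (mv >= STO_HIGH_MIN_MV) return LEVEL_HIGH;
    return LEVEL_INVALID;
}

/* Classify a completed low pulse by its width. Widths from 1 ms to 2 ms
 * inclusive are outside the assumption and are reported as invalid. */
sto_pulse_t sto_classify_low_pulse(uint32_t width_us)
{
    if (width_us < DIAG_PULSE_MAX_US) return PULSE_DIAGNOSTIC;
    if (width_us > STO_DEMAND_MIN_US) return PULSE_STO_DEMAND;
    return PULSE_INVALID;
}

/* Supply-rail window check against explicit limits (e.g. P3V3: 2.7 V .. 3.9 V). */
bool rail_within_limits(uint32_t min_mv, uint32_t max_mv, uint32_t measured_mv)
{
    return measured_mv >= min_mv && measured_mv <= max_mv;
}

/* Walk a trace of periodic voltage samples and decide what the STO input is
 * doing. A low run longer than STO_DEMAND_MIN_US is an STO demand; a low run
 * that ends sooner must be a valid diagnostic pulse, otherwise it is a fault.
 * A low run still open at the end of the trace is reported as pending. */
sto_verdict_t sto_evaluate_trace(const uint32_t *mv, size_t n, uint32_t period_us)
{
    uint32_t low_us = 0;
    bool in_low = false;

    for (size_t i = 0; i < n; i++) {
        sto_level_t lvl = sto_classify_level(mv[i]);
        if (lvl == LEVEL_INVALID)
            return VERDICT_FAULT;
        if (lvl == LEVEL_LOW) {
            in_low = true;
            low_us += period_us;
            if (low_us > STO_DEMAND_MIN_US)
                return VERDICT_STO_DEMAND;
        } else if (in_low) {
            /* Low run just ended: it has to have been a diagnostic pulse. */
            if (sto_classify_low_pulse(low_us) != PULSE_DIAGNOSTIC)
                return VERDICT_FAULT;
            in_low = false;
            low_us = 0;
        }
    }
    return in_low ? VERDICT_PENDING : VERDICT_RUNNING;
}

/* Constructed sample traces, 100 us per sample (values in millivolts). */
#define SAMPLE_PERIOD_US 100U
static const uint32_t TRACE_DIAG_PULSE[]   = {24000, 24000, 24000, 0, 0, 0, 0, 0, 24000, 24000};     /* 0.5 ms low  */
static const uint32_t TRACE_AMBIGUOUS[]    = {24000, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0, 24000};         /* 1.5 ms low  */
static const uint32_t TRACE_STO_DEMAND[]   = {24000, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0, 0,0,0,0,0}; /* 2.5 ms low */
static const uint32_t TRACE_INTERMEDIATE[] = {24000, 12000, 24000};                                  /* bad level   */
static const uint32_t TRACE_PENDING[]      = {24000, 0, 0, 0};                                       /* open low    */

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    static const char *names[] = {"RUNNING", "STO_DEMAND", "PENDING", "FAULT"};
    printf("diag pulse   : %s\n", names[sto_evaluate_trace(TRACE_DIAG_PULSE,   LEN(TRACE_DIAG_PULSE),   SAMPLE_PERIOD_US)]);
    printf("ambiguous    : %s\n", names[sto_evaluate_trace(TRACE_AMBIGUOUS,    LEN(TRACE_AMBIGUOUS),    SAMPLE_PERIOD_US)]);
    printf("sto demand   : %s\n", names[sto_evaluate_trace(TRACE_STO_DEMAND,   LEN(TRACE_STO_DEMAND),   SAMPLE_PERIOD_US)]);
    printf("intermediate : %s\n", names[sto_evaluate_trace(TRACE_INTERMEDIATE, LEN(TRACE_INTERMEDIATE), SAMPLE_PERIOD_US)]);
    printf("pending      : %s\n", names[sto_evaluate_trace(TRACE_PENDING,      LEN(TRACE_PENDING),      SAMPLE_PERIOD_US)]);
    printf("P3V3 at 3.3 V: %s\n", rail_within_limits(2700U, 3900U, 3300U) ? "ok" : "out of limits");
    return 0;
}
```

The design choice worth noting is that every departure from an assumption (an intermediate voltage, a low pulse of ambiguous width, a rail outside its window) is reported as a fault and not as "probably fine": the FMEA results in the rest of the document are only valid while these conditions of use hold, so the software that relies on them should treat a violation as a reason to move toward the safe state.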