# Design Guide: TIDA-01599 TUEV-Assessed Safe Torque Off (STO) Reference Design for Industrial Drives (IEC 61800-5-2)



## Description

This reference design outlines a safe torque off (STO) subsystem for a 3-phase inverter with CMOS input isolated IGBT gate drivers. The STO subsystem employs a dual channel architecture (1002) with a hardware fault tolerance of 1 (HFT=1). It is implemented following a de-energize trip concept. When the dual STO inputs (STO\_1 and STO\_2) go active low, the corresponding power supplies of the primary and the secondary side of the six isolated IGBT gate drivers are cut off through load switches, hence removing the possibility to control and energize the motor. The STO reference design (1002) has been assessed by the TUEV SUED to be generally suitable for SIL 3 and PL e | Cat. 3.

#### Resources

| TIDA-01599, TIDA-00199 | Design Folders  |
|------------------------|-----------------|
| ISO1211, ISO5852S      | Product Folders |
| TPS27S100, TPS22919    | Product Folders |
| ISO5452, ISO7710       | Product Folders |
| UCC21750, UCC5350      | Product Folders |
| TIOS1013               | Product Folder  |



Ask our TI E2E<sup>™</sup> support experts



## Features

- Dual-channel STO architecture (1002) assessed by TUEV SUED to be suitable for SIL 3 (IEC 61508) and PL e | Cat. 3 (ISO 13849)
- TUEV report, safety concept description and qualitative system FMEA available to further help designers implement the STO subsystem
- Safe torque off (STO) subsystem for 3-phase inverters with CMOS input isolated IGBT gate drivers like ISO5852S, UCC21750, or UCC53x0
- 24-V isolated input receivers ISO1211 compliant to IEC 61131-2 and ±60-V input tolerance with reverse-polarity protection
- Interface to MCU (SIL 1) for diagnostic coverage of the load switches in the STO subsystems
- Option to monitor input and output supply UVLO of the ISO5852S gate driver through RDY pin
  - Additional monitoring capabilities with UCC21750 integrated analog-to-PWM isolated sensor
- 24-V isolated STO\_FB output indicates drive state: Safe state (STO) or normal operation

#### Applications

- Motor drives systems
- Servo drive power stage module
- AC drive power stage module
- Robot servo drive



1

2



## **1** System Description

Motor drives are used in a wide range of applications, such as computer numerical control (CNC), robotics, grinders, process control, and so forth. These applications often require drive-based safety functions to reduce the risk from unexpected and hazardous movement. The integrated safety functions within a drive can replace the time-consuming and expensive installation of external safety components like mains contactors or motor contacts. In addition, electronic switching times are significantly quicker than electromechanical devices, such as contactors or relays. The integrated safety functions reduce the risk of personal damage in hazard areas and reduce installation requirements.

The *safe torque off* (STO) function is one such functional safety provision. The STO can be requested or triggered in case of a system fault. The IEC 61800-5-2 defines STO as a function that prevents torque-producing power from supplying the motor. This safety sub-function corresponds to an uncontrolled stop according to stop category 0 of IEC 60204-1. The STO safety function is also useful where power removal is required to prevent an unexpected start-up.

This STO reference design implements a dual-channel architecture (10o2) with a hardware fault tolerance of 1 (HFT = 1) according to IEC|EN 61800-5-2. As long as a logic 1 (+24-V DC) is present at both STO inputs, the motor is operational. If there is a logic 0 (0-V DC) at one or both of the STO inputs, the corresponding power supplies to the primary and the secondary side of the six isolated IGBT gate drivers are cut through load switches. Removing the supply voltage to the gate driver IC disables the insulated-gate bipolar transistors (IGBTs) and thus the torque-producing energy.

This reference design deals with the circuit-level implementation of the two isolated STO signals to turn off the VCC1 and VCC2 supply of the isolated gate drivers with CMOS input. Monitoring has been provided at various points for diagnostics and fault detection. A microcontroller (SIL 1 MCU) is assumed to run the diagnostics of the STO hardware by monitoring the STO inputs signals as well as the diagnostic feedback signals. The MCU and the related diagnostics software are not part of this reference design. A feedback of the drive state is provided with the STO\_FB signal.

This design guide validates the functionality of the design specifications through data extracted from various test results.

This STO reference design hardware architecture (10o2) was assessed by the TUEV SUED to be generally suitable for SIL 3 and PL e | Cat. 3. A TUEV report<sup>(6)</sup>, a qualitative system FMEA and system description<sup>(7)</sup> are available to further help designers implement the STO subsystem.



## **1.1 Key System Specifications**

| Table 1-1. Key System Specific | cations |
|--------------------------------|---------|
|--------------------------------|---------|

| PARAMETER                            | VALUE                                                                          | COMMENT                                                                                                                                                             |
|--------------------------------------|--------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Safety function                      | STO                                                                            | Safe torque off per IEC 61800-5-2                                                                                                                                   |
| Hardware fault tolerance (HFT)       | HFT = 1 (1002)                                                                 |                                                                                                                                                                     |
| IEC 61508 SIL level                  | SIL 3                                                                          |                                                                                                                                                                     |
| ISO 13849                            | Category 3, PL e                                                               |                                                                                                                                                                     |
| Demand mode                          | Continuous                                                                     |                                                                                                                                                                     |
| SFF/DC                               | ≥ 90% (HFT = 1)                                                                | Cat. 3 PL e, medium DC is ≥ 90%                                                                                                                                     |
| PFH                                  | < 10 <sup>-7</sup>                                                             | The quantitative analysis is not part of this concept study                                                                                                         |
| STO response time                    | 10 ms (nominal), 200 ms (maximum)                                              | The time between active low STO and gate drive output $(V_{GS})$ low, which means power IGBTs are OFF. The quantitative analysis is not part of this concept study. |
| DTI (Diagnostics test interval)      | 100 ms (10 Hz)                                                                 | The quantitative analysis is not part of this concept<br>study. Diagnostics runs at least 10 Hz (load switch<br>STO_1 and load switch for STO_2).                   |
| FRT (Fault response time)            | < 200 ms                                                                       |                                                                                                                                                                     |
| Mission time (TM)                    | 20 years                                                                       |                                                                                                                                                                     |
| STO input voltage range              | 24-V DC ±15% (nominal)<br>±60-V DC absolute maximum                            |                                                                                                                                                                     |
| STO input logic level, valid > 2 ms  | 15- to 30-V DC: STO function not<br>engaged<br>< 10-V DC: STO function engaged | STO is active low logic input. Input is low-pass filtered to remove OSSD pulses. Valid STO is > 2 ms.                                                               |
| Support of OSSD test pulses          | Test pulse duration < 1 ms, maximum<br>repetition frequency 500 Hz             | Added low-pass filter to remove (filter-out) the test pulses<br>to avoid trigger STO. Diagnostics for OSSD pulses to run<br>at 250 Hz (4-ms rate).                  |
| STO feedback (STO_FB)                | 24-V DC, isolated                                                              | Indicates the status of the drive (safe state or normal operation) and can be used to feedback status to a safety PLC for additional diagnostics, if desired        |
| DC supply voltage                    | 24-V DC ±15% (nominal)                                                         |                                                                                                                                                                     |
| Isolated gate driver supply voltages | Logic supply: 3V3 to 5 V (nominal)<br>Output supply: +15 V/–8 V (nominal)      | It is expected that the supply rails are protected to<br>remain below the recommended maximum operating<br>voltage of the selected isolated gate drivers            |
| Operating ambient temperature        | -40°C to 85°C                                                                  |                                                                                                                                                                     |
| Interface to MCU                     | 3.3 V I/O                                                                      | See Table 3-1 to Table 3-4                                                                                                                                          |

# 2 System Overview

## 2.1 Block Diagram

Figure 2-1 shows the overall system. The system includes the TIDA-01599 reference design, a diagnostics MCU (SIL 1), which is not part of the TIDA-01599 design, an isolated DC|DC gate drive power supply TIDA-00199<sup>(1)</sup> and a three-phase IGBT power stage with CMOS input isolated gate drivers, as for example implemented with TIDA-00195<sup>(2)</sup>.



Figure 2-1. System Block Diagram With TIDA-01599

The TIDA-01599 reference design incorporates dual 24-V isolated inputs through ISO1211 for the STO\_1 and STO\_2 signals. OSSD pulses are supported through low-pass filters which should reject STO pulses of less than 1 ms. The outputs of the STO\_1 and STO\_2 subsystem provide the corresponding supply voltage P24V and VCC. The STO\_1 and STO\_2 signals control the primary (VCC) and secondary (P24-V) side power supply to the six isolated IGBT gate drivers through a power switch TPS22919 and a high-side switch TPS27S100, respectively. P24V is the 24-V input voltage to the isolated DC|DC converter TIDA-00199. The TIDA-00199 board accepts 24 V with a tolerance of  $\pm 20\%$  and provides four isolated sets (15 V, -8 V) of bias voltages. In this design, the TIDA-00199 is used to provide the bipolar supply to the secondary side of the six isolated IGBT gate drivers. VCC is the supply voltage to the primary logic side of the six isolated gate drivers.

As long as a logic 1 (+24-V DC) is present at both STO inputs, the motor is operable. If there is a logic 0 (0 V) at one or both of the STO inputs, the power supplies to the gate drivers are disconnected and the motor coasts down to zero. The use of 10o2 architecture helps achieve HFT = 1 and only the occurrence of two simultaneous faults can cause failure of the safety function.

An STO\_FB signal is provided to indicate the status of the drive (safe state or normal operation) and can be used to feedback the status of the drive to a safety PLC for additional diagnostics, if desired.

The diagnostic signals are routed to a 3.3-V LaunchPad<sup>™</sup> compatible interface to connect an MCU (SIL 1) such as a C2000 MCU to run the corresponding diagnostic and monitoring software. The MCU (SIL 1) and the software are not part of this design.



## 2.2 Design Considerations

#### 2.2.1 Conditions of Use: Assumption

Refer to Figure 2-1 for a high-level system block diagram of the safety elements, which are the STO\_1 and STO\_2 safety subsystems and the diagnostics software running on a MCU (SIL 1). The following list outlines the assumptions, which are out of scope with this design.

#### 2.2.1.1 Generic Assumptions

- PCB design: The common cause failure on PCB design is out of scope for this design guide.
- Over- and undervoltage protection circuits must be assessed in the implementation of this design. Out of the scope of this activity.
- Diagnostic and any firmware must be assessed in the implementation of this design. Out of the scope of this activity.
- Common cause factors and determination of beta-factor and CCF must be assessed in the implementation of this design. Out of the scope of this activity.
- Quantitative analysis (PFH, MTTFd, and so forth) must be assessed in the implementation of this design. Out of the scope of this activity.

#### 2.2.1.2 Specific Assumptions

- Input signals STO\_1 and STO\_2.
- 1. Input voltage is between 0-V and 24-V nominal with worst case of 3.6-V as logic low and 20.4-V as logic high. No intermediate voltage is expected.
- 2. The logic low (diagnostic pulse) in the STO signal is assumed either to be less than 1ms or greater than 2ms. No intermediate values are allowed.
- Diagnostic coverage of STO\_1 and STO\_2 and STO\_FB subsystems
- 1. The MCU and the related diagnostic software is excluded in the analysis and is assumed to be developed in accordance with functional safety requirements. The MCU is assumed SIL 1 certified and the software implemented accordingly to meet at least SIL 1.
- Output signal STO\_FB:
- 1. The output voltage is assumed to be between 0-V and 24-V nominal with worst case of 3.6-V as logic low and 20.4-V as logic high. The external supply voltage to the 24V STO\_FB is assumed to be protected against over-voltage and is required to remain within 24V ±20% tolerance.
- Power supply rails of STO\_1 and STO\_2 subsystem
- P3V3 supply: Assumed to be protected against fault, remains within ±20% tolerance (3.9 V maximum, 2.7 V minimum. If out of spec, it will be shut down to 0V. When a single protected power supply is used for both STO\_1 and STO\_2 subsystems, it shall employ two independent protection circuits (HFT = 1).
- 2. 24-V supply: The 24V input supply for the P24V is assumed to be protected against fault and remains within ±20% tolerance. If out of spec, it will be shut down to 0V.
- Isolated gate drive supply TIDA-00199
- 1. It is assumed that the quad output rails (VCC2 = +15 V, VEE2 = -8 V) decay to 0 V within less than 10 ms, after the P24V DC input voltage was disconnected.
- 2. It is assumed that all faults with TIDA-00199 are safe and yield to a 0V output voltage for all quad output rails VCC2 and VEE2.
- Temperature
- 1. It is assumed the components operate within the recommended operating temperature range. A temperature sensor is required to be added and if the ambient temperature is outside the recommended operating range all safety relevant supplies will be shutdown. This circuit is not part of this design.

5

#### 2.2.2 Diagnostics Coverage

#### 2.2.2.1 Dual-Channel Monitoring

The STO function is realized through dual channels STO\_1 and STO\_2, respectively, to de-energized the power to the gate driver (See Figure 2-2). In a safety unit, if one of the STO signals is removed, then the status changes to *STO triggered* (See Table 2-1). The unit then waits for a fixed amount of monitoring time to check if both inputs are switched off. If the same signal is not present on both the inputs after the session, then the system signals an error. The PLC performs the monitoring by periodically checking the two stop paths for errors through 1-ms OSSD pulses (See Table 2-2).



Figure 2-2. Dual-Channel Isolated STO

| Table 2-1. Dual-Charlier Isolated 510 |       |                                                                                               |  |
|---------------------------------------|-------|-----------------------------------------------------------------------------------------------|--|
| STO_1                                 | STO_2 | DESCRIPTION OF STATE                                                                          |  |
| 0                                     | 0     | STO state is triggered and there is no error in STO function                                  |  |
| 0                                     | 1     | STO state is triggered and monitoring for error starts.<br>After some time, error is signaled |  |
| 1                                     | 0     | STO state is triggered and monitoring for error starts.<br>After some time, error is signaled |  |
| 1                                     | 1     | STO state not triggered                                                                       |  |

Table 2-1. Dual-Channel Isolated STO

In the TIDA-01599, an MCU (SIL 1) is assumed to do the diagnostic coverage. The MCU is not part of the analysis. A hardware based diagnostic coverage is possible too. Table 2-2 shows the diagnostic logic and state. Note that STO related signals are active low.

| STO_1 <br>STO_2 | MCU_STO_1<br>_in  <br>MCU_STO_2<br>_in | MCU DIAGNOSTICS :<br>FAULT DETECTED       | MCU_Diag_Cntrl_Out1  <br>MCU_Diag_Cntrl_Out2 | IGBT GATE DRIVER<br>OUTPUT | STATE            |
|-----------------|----------------------------------------|-------------------------------------------|----------------------------------------------|----------------------------|------------------|
| 1   1           | 1 1                                    | No                                        | Normal operation                             | Normal operation           | Normal operation |
| 1 1             | 1 1                                    | Yes (for example, Load switch stuck high) | 0                                            | 0                          | Safe state       |
| 1 1             | 1 1                                    | Yes (for example, No OSSD pulse)          | 0                                            | 0                          | Safe state       |
| 0   0           | 0 1                                    | Yes (for example, ISO1211<br>stuck high)  | 0                                            | 0                          | Safe state       |
| 0   0           | 1 0                                    | Yes (for example, ISO1211<br>stuck high)  | 0                                            | 0                          | Safe state       |
| 0   0           | 0   0                                  | No                                        | 0                                            | 0                          | STO              |

| Table 2-2 | MCU | <b>Diagnostics</b> | Logic | Table |
|-----------|-----|--------------------|-------|-------|
|-----------|-----|--------------------|-------|-------|

#### 2.2.2.2 Checking ISO1211 Functionality With MCU (SIL1)

As previously addressed, the PLC sends OSSD test pulses with 1-ms logic low to the input of the ISO1211 device. The signals MCU\_STO1\_In and MCU\_STO2\_In from the corresponding ISO1211 outputs are periodically monitored to ensure that the digital isolator is functioning properly. If no logic low is detected for more than 4 ms, the MCU concludes the corresponding ISO1211 output is stuck high or shorted to VCC and puts the 3-phase IGBT inverter into a safe state by driving both diagnostic pulses MCU\_Diag\_Ctrl\_Out1 and MCU\_Diag\_Ctrl\_Out2 continuously low. This in turns will disable the six gate drivers, the six IGBT will be turned off and the drive will enter the safe state.

#### 2.2.2.3 Checking TPS22919 Functionality With MCU (SIL1)

For diagnostic purposes, the MCU interface periodically sends 200-µs pulses MCU\_Diag\_Ctrl\_Out1 with logic low. The output of the switch is connected to the GPIOs of the MCU (Monitor\_1) and the STO\_FB subsystem as STO\_1\_FB input, as Figure 2-3 shows.

7

8



Figure 2-3. STO\_1 Signal Flow Path

The gate driver not power off during these periodic pulses. A 0.47-µF capacitor is used to hold the 3.3-V primary supply voltage. Monitor\_1 represents the status of the TPS22919 switch which is fed back to the MCU. If a short or stuck high was found, the MCU puts the 3-phase IGBT inverter into a safe state by driving both diagnostic pulses MCU\_Diag\_Ctrl\_Out1 and MCU\_Diag\_Ctrl\_Out2 continuously low. This in turns will disable the six gate drivers, the six IGBT will be turned off and the drive will enter the safe state.

Moreover, STO\_1\_FB is an active low signal and indicates the load switch state which works with the other channel STO\_2\_FB together to indicate the drive state. This state can be used for example by an external safety PLC to recognize a single fault in either STO\_1 or STO\_2 systems and take appropriate actions. The safety PLC and related action are out of scope for this reference design.

#### 2.2.2.4 Checking TPS27S100 Functionality With MCU (SIL1)

The MCU interface periodically sends 200-µs pulses MCU\_Diag\_Ctrl\_Out2 with logic low for diagnostic purposes. The output of the switch is connected to the general-purpose input/outputs (GPIOS) of the MCU (Monitor\_2), as Figure 2-4 shows by using a resistor divide network. And also connect to the STO\_FB subsystem as STO\_2\_FB input.





Figure 2-4. STO\_2 Signal Flow Path

The gate driver does not power off during these periodic pulses. This reference design uses a 20-µF capacitor to hold the 24-V secondary supply voltage. The TPS27S100 switch provides full diagnostics by accurately monitoring the output current. The output current is translated into volume, which is then fed back to the MCU, this feature enables intelligent control of the load. If a short or stuck high was found, the MCU puts the 3-phase IGBT inverter into a safe state by driving both diagnostic pulses MCU\_Diag\_Ctrl\_Out1 and MCU\_Diag\_Ctrl\_Out2 continuously low. This in turn disables the six gate drivers, the six IGBT will be turned off and the drive will enter the safe state.

Moreover, STO\_2\_FB is an active low signal and indicates the load switch state which works with the other channel STO\_1\_FB together to indicate the drive state. This state can be used for example by an external safety PLC to recognize a single fault in either STO\_1 or STO\_2 systems and take appropriate actions. The safety PLC and related action are out of scope for this reference design.

#### 2.2.2.5 Optional Monitoring Using RDY Pin of ISO5452, ISO5852S or UCC21750 Integrated Analog-to-PWM Isolated Sensor

The I/O circuitry of the ISO5452, ISO5852S device interfaces with an MCU and consists of gate drive control (IN+/IN–) inputs, RESET (RST) input, READT (RDY) alarm output, and FAULT (FLT) alarm output. The output of the gate driver turns off if the VCC1 supply drops below VIT – (UVLO1), irrespective of IN+, IN – , and RST inputs, until VCC1 rises above VIT+ (UVLO1). In a similar manner, the output of the gate driver is turns off if the VCC2 supply drops below VIT – (UVLO2), irrespective of IN+, IN –, and RST inputs, until VCC2 rises above VIT – (UVLO2), irrespective of IN+, IN –, and RST inputs, until VCC2 rises above VIT+ (UVLO2).

The ready (RDY) pin indicates the status of the UVLO internal protection feature for the input and output sides. If either side of the device has an insufficient supply (VCC1 or VCC2), the RDY pin output goes low; otherwise, the RDY pin output is high.

In addition to the RDY pin, the UCC21750 features an isolated analog to PWM signal function from AIN to APWM pin, which allows additional system monitoring for example isolated temperature sensing, high voltage dc bus voltage sensing, and so forth.

Copyright © 2022 Texas Instruments Incorporated

9

#### TEXAS INSTRUMENTS www.ti.com

## 2.2.3 Drive State

The safe-state is triggered by the following events:

- 1. Active low STO\_1 input signal requesting safe torque off
- 2. Active low STO\_2 input signal requesting safe torque off
- 3. Diagnostic coverage of STO\_1 or STO\_B subsystems (ISO1211 and corresponding load switches) detects a dangerous fault
- 4. Safe power supply voltages P24V, P3V3 or the corresponding logic supply voltages of the STO\_1 and STO\_2 subsystem are cutoff

#### Drive State Feedback STO\_FB Subsystem

The STO\_FB signal is an active low signal and indicates the drive state. A high signal (logic level 1) indicates normal drive operation, while a low signal (logic state 0) indicates the drive is in the safe state. The schematic is shown in Figure 2-5. The output signals STO\_1\_FB and STO\_2\_FB of the corresponding STO\_1 and STO\_2 safe subsystems are logically combined to a single active low feedback signal STO\_FB through an isolated 24-V digital output. The corresponding logic states are shown in Table 2-3.



Figure 2-5. STO\_FB Feedback Monitor Subsystem

|                   | Table 2-3. STO Feedback Diagnostics Logic Table |                         |                         |                  |        |                                                                                                                                                                                                                                                                    |
|-------------------|-------------------------------------------------|-------------------------|-------------------------|------------------|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| INPUT 1:<br>STO_1 | INPUT 2:<br>STO_2                               | OUTPUT 1:<br>STO_1_FB   | OUTPUT 2:<br>STO_2_FB   | DRIVE STATE      | STO_FB | COMMENT                                                                                                                                                                                                                                                            |
| 1                 | 1                                               | 1                       | 1                       | Normal operation | 1      |                                                                                                                                                                                                                                                                    |
| 0                 | 0                                               | 0                       | 0                       | Safe state (off) | 0      |                                                                                                                                                                                                                                                                    |
| 1                 | 1                                               | 0                       | 1 (stuck high fault)    | Safe state (off) | 0      | (1) The MCU has detected a single<br>dangerous fault (stuck high) in subsystem<br>STO_2 and has triggered the safe state<br>through STO_1 subsystem.                                                                                                               |
| 1                 | 1                                               | 1 (stuck high fault)    | 0                       | Safe state (off) | 0      | (2) The MCU has detected a single<br>dangerous fault (stuck high) in subsystem<br>STO_1 and has triggered the safe state<br>through STO_2 subsystem.                                                                                                               |
| 0                 | 0                                               | 0                       | 1                       | Safe state (off) | 0      | Single detected fault could be detected earlier already, see (1) in above row.                                                                                                                                                                                     |
| 0                 | 0                                               | 1 (stuck high fault)    | 0                       | Safe state (off) | 0      | Single detected fault could be detected earlier already, see (2) in above row.                                                                                                                                                                                     |
| 0                 | 0                                               | 1 (stuck high<br>fault) | 1 (stuck high<br>fault) | Normal operation | 1      | Dangerous state, due to two dangerous<br>faults, one in each safe subsystem<br>STO_1 and STO_2. <i>Note: The system</i><br><i>is designed for single fault tolerance</i><br>( <i>HFT=1</i> ), <i>but not two faults, one in each</i><br><i>in each subsystem</i> . |

Table 2-3. STO Feedback Diagnostics Logic Table

The STO\_FB signal can be active low (logic state 0), while both STO\_1 and STO\_2 are inactive high (logic state 1). This state occurs when the diagnostics MCU (SIL 1) detects a single dangerous fault in one of the STO\_1 or STO\_2 subsystems. If a short or stuck high was found, the MCU puts the 3-phase IGBT inverter into a safe state by driving both diagnostic pulses MCU\_Diag\_Ctrl\_Out1 and MCU\_Diag\_Ctrl\_Out2 continuously low. This state can be used for example by an external safety PLC to recognize a single fault in either STO\_1 or STO\_2 systems and take appropriate actions. The safety PLC and related action are out of scope for this design.



# 2.3 Highlighted Products

## 2.3.1 ISO1211

Figure 2-6 shows the pin diagram of the ISO1211. The ISO1211 devices are isolated, 24- to 60-V digital input receivers These receivers are compliant to IEC 61131-2 Type 1, 2, and 3 characteristics and suitable for programmable logic Controllers (PLCs) and motor-control digital input modules. Unlike traditional optocoupler solutions with discount, impair current-limiting circuit, the ISO121x devices provide a simple, low-power solution with an accurate current limit to enable the design of compact and high-density I/O modules. These devices do not require field-side power.



Figure 2-6. ISO1211 Pin Diagram



## 2.3.2 TPS27S100

Figure 2-7 shows the TPS27S100 functional block diagram. The TPS27S100 is a single-channel, fully-protected, high-side switch with an integrated NMOS and charge pump. An adjustable current-limit function greatly improves the reliability of the whole system. The device diagnostic reporting has two versions to support both digital fault status and analog current monitor output. Accurate current monitor and adjustable current limit features differentiate this device from alternatives in the market.



Figure 2-7. TPS27S100 Functional Block Diagram



## 2.3.3 TPS22919

Figure 2-8 shows the TPS22919 functional block diagram. The TPS22919 is a small, single channel load switch with controlled slew rate. The device can support a maximum continuous current of 1.5 A with short-circuit protection. The switch is controlled by an ON and OFF input (ON pin), which is capable of interfacing directly with low- voltage control signals.



Figure 2-8. TPS22919 Functional Block Diagram



14





#### 2.3.4 ISO5852S, ISO5452

The ISO5852S and ISO5452 are isolated smart gate driver for IGBTs and MOSFETs. The input CMOS logic and output power stage are separated by a silicon dioxide (SiO<sub>2</sub>) capacitive isolation. Figure 2-9 shows the functional block diagram.



Figure 2-9. ISO5852S, ISO5452 Functional Block Diagram

The I/O circuit on the input side interfaces with an MCU and consists of gate drive control (IN+|IN–) inputs, RESET (RST) input, READY (RDY) alarm output, and FAULT (FLT) alarm output. The power stage consists of power transistors which supply 2.5-A pullup and 5-A pulldown currents to drive the capacitive load of the external power transactions, as Well as the DESAT detection circuit to monitor the IGBT for collector-emitter overvoltage during short-circuit events. The capacitive isolation core consists of transmit circuitry to couple signals across the capacitive isolation barrier and receive the circuitry to convert the resulting low-swing signals into CMOS levels. The ISO5852S, ISO5452 also contains undervoltage lockout (UVLO) circuitry to prevent insufficient gate drive to the external IGBT. Additionally, it offers an active output pulldown feature, which ensures that the gate-driver Output is held low if the output supply voltage is absent. The ISO5852S, ISO5452 also has an active Miller clamp function which can be used to prevent parasitic turn-on of the external power transistor, due to the Miller effect, for unipolar supply operation.



## 2.4 System Design Theory

## 2.4.1 Digital Input Receiver for STO

The ISO1211 receives 24-V digital signals and provides isolated digital outputs, without the requirement of a field-side power supply. External resists on the input signal path (R12 and R21) precisely set the limit for the current drawn from the field input. This current limit helps to minimize the power dissipated in the system. The current limit can be set for Type 1, 2, or 3 operation. The voltage transition thresholds are compliant with Type 1, 2, and 3 and can be increased further using an external resistor, R22 and R15. These two resistors are carbon MELF (pulse-proof) type used to prevent surge. For detailed test results, see the *How to Design Isolated Digital Input Modules for Surge Immunity* application brief.

Figure 2-10 shows a schematic of the ISO1211 receivers.





Copyright © 2022 Texas Instruments Incorporated

As per the specifications of the design, the voltage limits defined for an input voltage of 24 V is as follows:

- 1. 15- to 30-V DC: STO function not engaged (motion allowed)
- 2. 0- to 5-V DC: STO function engaged (motion inhibited)

These design requirements comply with Type 1 characteristics.

As Figure 2-10 shows, Type 1 operation uses a value of 560  $\Omega$  for R12 and R21 and results in a current limit of 2.25 mA (typical). The relationship between the R<sub>SENSE</sub> resistor and the typical current limit (I<sub>L</sub>) is given by Equation 1.

$$I_{L} = \frac{2.25 \text{ mA} \times 562 \Omega}{R_{\text{SENSE}}} = \frac{2.25 \text{ mA} \times 562 \Omega}{560 \Omega} = 2.25 \text{ mA}$$
(1)

Resistors R22 and R15 set the voltage thresholds ( $V_{IH}$  and  $V_{IL}$ ) in addition to limiting the surge current. Use a resistor of 2.5 k $\Omega$  for R22 and R15 for a Type 1 system. Equation 2 and Equation 3 are used to calculate the typical  $V_{IH}$  and  $V_{IL}$  values, respectively.

$$V_{IH(TYPICAL)} = 8.25 V + R22 \times \frac{2.25 \ mA \times 562 \ \Omega}{R^{21}} = 8.25 V + 2.5 \ k\Omega \times \frac{2.25 \ mA \times 562 \ \Omega}{560 \ \Omega} = 13.875 V$$
(2)

$$V_{IL(TYPICAL)} = 7.1 V + R22 \times \frac{2.25 \, mA \times 562 \, \Omega}{R21} = 7.1 V + 2.5 \, k\Omega \times \frac{2.25 \, mA \times 562 \, \Omega}{560 \, \Omega} = 12.725 \, V \tag{3}$$

Note that the specific assumption of input signals STO\_1 and STO\_2 is that the input voltage is between 0-V and 24-V nominal with worst case of 3.6-V as logic low and 20.4-V as logic high. Logic high range is 24-V DC  $\pm$ 15% (nominal) with  $\pm$ 60-V DC absolute maximum. No intermediate voltage is expected.

As per the design specifications, low STO pulses that are less than 1 ms are rejected. Address this rejection by placing a low-pass filter at the output signals of the ISO1211 device. To meet the design requirements, place an RC combination with R = 1 k and C =  $3.3 \ \mu$ F (see Equation 4).

Time Constant =  $R \times C = 1 K \times 3.3 \ \mu F = 3.3 \ \mu sec$ 

The cutoff frequency of this filter is 48 Hz, where:

- V(t) = 3.3
- At t = 1 ms
- V(t) = 2.8 V, which is within the logic threshold high range of the AND gate.

For implementation, use 2 × 499  $\Omega$  R17 and R20 in series for STO 1 and use 2 × 499  $\Omega$  R6 and R13 in series for STO 2. This is to get rid of the short or change value failure mode of resistor which will bypass the filter for logic gate input.

(4)



## 2.4.2 STO\_1 Signal Flow Path for Controlling VCC1

The TPS22919 is a small, ultra-low leakage current, single-channel load switch. Figure 2-11 shows the schematic design of the TPS22860.



Figure 2-11. TPS22919 Schematic

The device power supply is 3.3 V which is assumed to be protected against fault and remains within ±20% tolerance. To limit the voltage drop on the input supply, which is caused by transient inrush currents when the switch turns on into a discharged load capacitor, a ceramic capacitor of 1  $\mu$ F is placed between the V<sub>IN</sub> and GND pins.

The ON pin which is compatible with standard GPIO logic threshold controls the state of the switch by signal STO1\_EN. The QOD pin is left open, the output will be floating when ON pin is logic low.

Use Equation 5 to calculate the inrush current during turn on for a given capacitance and slew rate:

 $I_{INRUSH} = Slew Rate \times C_{LOAD} = 2.3 mV/ \mu s \times 0.57 \mu F = 1.311 mA$ 

(5)

The output of the switch is connected to the primary 3.3-V supply (VCC) of the gate driver. Dual redundant PNP bipolar junction transistors Q2 and Q3, actively clamp the logic side gate drive supply VCC to GND when STO\_1 is activated. This prevents reverse bias of the VCC supply through the CMOS input gate driver ISO5852S (or ISO5452) in case the PWM signals are still active high (3V3).



#### 2.4.3 STO\_2 Signal Flow Path

#### 2.4.3.1 High-Side Switch for Controlling Secondary-Side Supply Voltage of Gate Driver

The TPS27S100x is a single-channel, fully-protected, high-side switch with an integrated NMOS and charge pump. An external adjustable current limit improves the reliability of the whole system by clamping the inrush or overload current. Figure 2-12 shows the schematic design of the TPS27S100.



Figure 2-12. TPS27S100 Schematic

The device power supply is 24-V which is assumed to be protected against fault and remains within ±20% tolerance. Pin 3 Enable the control for channel activation by signal STO2\_EN.

Equation 6 calculates the value of resistor R4, which is required to keep the 1-A nominal current in the 0to 3.3-V current-sense range. To achieve better current-sense accuracy, a 1% tolerance or better resistor is preferred.

$$R4 = \frac{V_{(IMON)} \times K_{(IMON)}}{I_{OUT}} = \frac{3.3 \text{ V} \times 500}{1 \text{ A}} = 1.65 \text{ k}$$

The value of resistor R4 is selected as 1.65 K. The current-sense (CS) pin is connected to the ADC input of the diagnostic MCU (SIL 1) with a low-pass filter (R3 and C6).

To set the adjustable current limit value at 1 A, calculate R7 using Equation 7.

$$R7 = \frac{VLIM_{(TH)} \times K_{(ILIM)}}{I_{OUT}} = \frac{1.233 \text{ V} \times 2000}{1 \text{ A}} = 2.47 \text{ K}$$
(7)

The value of resistor R7 is selected as  $2.55 \text{ k}\Omega$ .

The enable pin is permanently connected to 3.3 V to enable continuous diagnostic monitoring and also send back to the diagnostic MCU (SIL 1).

#### 2.4.3.2 Powering up Secondary Side: VCC2 of Gate Driver

The output of the smart switch is connected to J4 for powering up the TIDA-00199 board. The TIDA-00199 design generates a bipolar supply of +15 V, 0 V and –8 V, which powers up the secondary side of the isolated gate driver, ISO5852S on the TIDA-01599 board. For a detailed design procedure, see the *Wide-Input Isolated IGBT Gate-Drive Fly-Buck*<sup>™</sup> *Power Supply for Three-Phase Inverters* design guide.

(6)

#### 2.4.4 Gate Driver Design

Figure 2-13 shows the schematic design of the isolated gate driver. VCC1 and GND1 are the supply pins for the input side of the ISO5452 or ISO5852S device. The supply voltage at VCC1 can range from 3.0 V to 5.5 V with respect to GND1. VCC2 and GND2 are the supply pins for the output side of the ISO5452 or ISO5852S device. VEE2 is the supply return for the output driver and GND2 is the reference for the logic circuitry. The supply voltage at VCC2 can range from 15 V up to 30 V with respect to VEE2. The PWM is applied across the IN+ and IN– pins of the gate driver.



Figure 2-13. ISO5852S Schematic

On the secondary-side of the gate driver, gate resistors R27 and R28 control the gate current of the switching device. The DESAT fault detection prevents any destruction resulting from excessive collector currents during a short-circuit fault. To prevent damage to the switching device, the ISO5452, ISO5852S slowly turns off the IGBT in the event of a fault detection. A slow turnoff ensures the overcurrent is reduced in a controlled manner during the fault condition. The DESAT diode D3 conducts the bias current from the gate driver, which allows sensing of the IGBT-saturated collector-to-emitter voltage when the IGBT is in the ON condition. D1 blocks high voltage when the IGBT of F condition. In this reference design, D1 blocks a maximum of 1200 V during the IGBT OFF condition. Switching inductive loads causes large, instantaneous forward-voltage transients across the freewheeling diodes of IGBTs. These transients result in a large negative spike in the DESAT pin, which draws substantial current out of the device. To Limit this current below damaging levels, a 1-kΩ resistor is connected in series with the DESAT diode. A 220-pF blanking capacitor C10 is required, which disables the DESAT detection during the OFF-to-ON transition of the power device. For a detailed design procedure, see the *Wide-Input Isolated IGBT Gate-Drive Fly-Buck*<sup>™</sup> *Power Supply for Three-Phase Inverters* design guide.



#### 2.4.5 STO\_FB Signal Flow Path

The ISO7710 is a reinforced digital isolator which receives the input signal STO\_FB\_EN and operates with TIOS1013 (a push-pull driver) to provide feedback signal STO\_FB (Logic high = 24 V) to safe PLC. STO\_FB\_EN is the output signal of the OR gate SN74AHC1G32 which receives the dual-channel feedback signal STO\_1\_FB and STO\_2 FB. Figure 2-14 shows the schematic.





The STO\_1\_FB is the output of the load switch TPS22919 (controls the primary side VCC1 of the gate driver) and the STO\_1\_FB connects to the gate of Q5 with the resistors divided network (R54|R55 – 1.4 kQ|1 kQ) to synchronize the switching threshold of STO\_1\_FB with maximum UVLO1 threshold-voltage of gate driver ISO5852S (or ISO5452). According the data sheet of FET Q5 CSD13383F4 and gate driver ISO5852S (or ISO5452), the V<sub>GS (th) min</sub> = 0.7 V, V<sub>IT+(UVLO1)</sub> = 2.25 V, then to simulate the switching threshold. The logic 0 (OFF) for STO\_1\_FB is from 0-V to 2-V and Logic 1 (ON) is from 2 V to 3.9 V (3.9 V is maximum voltage of P3V3). The V<sub>GS</sub> = 1.37 V during ON state with 1.6-mA I<sub>DS</sub> current thanks to the limit resistor R52 (2 kQ).

The STO\_2\_FB is the output of the load switch TPS27S100 (controls the secondary side VCC2 of gate driver via TIDA-00199 safe power supply) and the STO\_2\_FB connects to the gate of Q4 with the resistors divided network (R48|R50 – 154 kQ|10 kQ) to synchronized the switching threshold of STO\_2\_FB with maximum UVLO threshold-voltage of the TIDA-00199 design. According the data sheet of FET Q4 CSD13383F4 and TIDA-00199 design guide, the V<sub>GS (th) min</sub> = 0.7 V, V<sub>OFF(UVLO)</sub> = 14 V, then to simulate the switching threshold. The logic 0 (OFF) for STO\_2\_FB is from 0 V to 14 V and Logic 1 (ON) is from 14 V to 28.8 V (28.8 V is maximum voltage of P24-V). The V<sub>GS</sub> = 1.46 V during ON state with 1.65 mA I<sub>DS</sub> current due to the limit resistor R47 (2 kQ).



## 3 Hardware, Software, Testing Requirements, and Test Results

## 3.1 Getting Started Hardware

## 3.1.1 PCB Overview

Figure 3-1 shows a top view of the printed-circuit board (PCB) with RevE2.1



Figure 3-1. TIDA-01599 PCB - Top View

J5 is a six-pin connector, which provides an input to the two 24-V STO signals. J3 is a five-pin connector, which provides the 24-V power supply from safe PLC and also feedback the STO FB signal to safe PLC. J1 is a 24-V connector, which powers up the high-side load switch. The 3.3-V rail is generated on the board, which supplies power to the digital isolator, AND Gate, low-side switch, and MCU. J4 and J8 are the connectors which supply 24 V and 3.3 V, respectively, from the output of the two switches.

J6 and J7 are female connectors, which have been set 52-mm apart for interfacing to the C2000<sup>™</sup> MCU LaunchPad<sup>™</sup> Development Kit.

Table 3-1 through Table 3-4 list the pin assignments, pin description and levels of all the connectors used in TIDA-01599 reference design.

| PIN  | SIGNAL | SPECIFICATION        | COMMENT |  |  |
|------|--------|----------------------|---------|--|--|
| J5-1 | STO_2  | 24-V for STO_2 input |         |  |  |
| J5-2 | GND2   | 24-V input GND2      |         |  |  |
| J5-3 | GND1   | 24-V input GND1      |         |  |  |
| J5-4 | STO_1  | 24-V for STO_1 input |         |  |  |
| J5-5 | NC     |                      |         |  |  |
| J5-6 | NC     |                      |         |  |  |

#### Table 3-1. Pin Assignment Connector J5 (STO)

#### Table 3-2. Pin Assignment Connector J3 (STO\_FB)

| PIN  | SIGNAL       | SPECIFICATION                                              | COMMENT |
|------|--------------|------------------------------------------------------------|---------|
| J3-1 | Safe PLC 24V | 24-V power supply from safe<br>PLC                         |         |
| J3-2 | NC           |                                                            |         |
| J3-3 | STO_FB       | STO feedback signal with logic high 24-V and logic low 0-V |         |
| J3-4 | NC           |                                                            |         |
| J3-5 | СОМ          | Reference GND of safe PLC<br>24-V                          |         |

#### Table 3-3. Pin Assignment Connector J1, J4, J8

| PIN  | SIGNAL | SPECIFICATION     | COMMENT      |  |  |
|------|--------|-------------------|--------------|--|--|
| J1-1 | DGND   | 24-V input DGND   |              |  |  |
| J1-2 | 24VIN  | 24-V input        |              |  |  |
| J4-1 | P24V   | 24-V output       | STO_2 output |  |  |
| J4-2 | DGND   | 24-V output DGND  |              |  |  |
| J8-1 | VCC    | 3.3-V output      | STO_1 output |  |  |
| J8-2 | DGND   | 3.3-V output DGND |              |  |  |

#### Table 3-4. Pin Assignment Connector J6, J7 MCU Interface

| BILL  |                    |                                               |                                                  |  |  |
|-------|--------------------|-----------------------------------------------|--------------------------------------------------|--|--|
| PIN   | SIGNAL             | SPECIFICATION                                 | COMMENT                                          |  |  |
| J6-1  | P3V3               | 3.3-V output                                  |                                                  |  |  |
| J6-2  | NC                 |                                               |                                                  |  |  |
| J6-3  | NC                 |                                               |                                                  |  |  |
| J6-4  | DGND               | DGND for 3.3-V amd I/Os                       |                                                  |  |  |
| J6-5  | MCU_STO2_In        | 3.3-V output from ISO1211 for STO_2 channel   | For ISO1211 diagnostic                           |  |  |
| J6-6  | Monitor_1          | 3.3-V output from TPS22919 for STO_1 channel  | For TPS22919 diagnostic                          |  |  |
| J6-7  | MCU_Diag_Ctrl_Out1 | 3.3-V logic high pulse from SIL 1 MCU         | Diagnostic pulse to turn off the safety switch 1 |  |  |
| J6-8  | Monitor_2          | 2.8-V output from TPS27S100 for STO_2 channel | For TPS27S100 diagnostic                         |  |  |
| J6-9  | MCU_Diag_Ctrl_Out2 | 3.3-V logic high pulse from SIL 1 MCU         | Diagnostic pulse to turn off the safety switch 2 |  |  |
| J6-10 | NC                 |                                               |                                                  |  |  |



|       | Table 3-4. Pin As | ssignment Connector J6, J7 MCU Int                                                                  | erface (continued)                                                                                                                                    |
|-------|-------------------|-----------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|
| PIN   | SIGNAL            | SPECIFICATION                                                                                       | COMMENT                                                                                                                                               |
| J6-11 | NC                |                                                                                                     |                                                                                                                                                       |
| J6-12 | NC                |                                                                                                     |                                                                                                                                                       |
| J6-13 | RDY               | Power-good output of gate driver, connect to 3.3-V with pull up resistor                            | Active high when both supplies are good                                                                                                               |
| J6-14 | NC                |                                                                                                     |                                                                                                                                                       |
| J6-15 | FLT               | Fault output of gate driver, connect to 3.3-V with pull up resistor                                 | Active-low during DESAT condition                                                                                                                     |
| J6-16 | NC                |                                                                                                     |                                                                                                                                                       |
| J6-17 | RST               | Reset input of gate driver (Logic high 3.3-V)                                                       | Apply a low pulse to reset fault latch                                                                                                                |
| J6-18 | NC                |                                                                                                     |                                                                                                                                                       |
| J6-19 | CS                | Current-monitor output of TPS27S100,<br>connect to MCU ADC input with voltage<br>range 0-V to 3.3-V |                                                                                                                                                       |
| J6-20 | NC                |                                                                                                     |                                                                                                                                                       |
| J7-1  | PWW_In            | PWM Pulse from MCU (Logic low 0-V, Logic high 3.3-V)                                                |                                                                                                                                                       |
| J7-2  | DGND              | DGND for I/Os                                                                                       |                                                                                                                                                       |
| J7-3  | NC                |                                                                                                     |                                                                                                                                                       |
| J7-4  | NC                |                                                                                                     |                                                                                                                                                       |
| J7-5  | NC                |                                                                                                     |                                                                                                                                                       |
| J7-6  | NC                |                                                                                                     |                                                                                                                                                       |
| J7-7  | NC                |                                                                                                     |                                                                                                                                                       |
| J7-8  | NC                |                                                                                                     |                                                                                                                                                       |
| J7-9  | NC                |                                                                                                     |                                                                                                                                                       |
| J7-10 | NC                |                                                                                                     |                                                                                                                                                       |
| J7-11 | NC                |                                                                                                     |                                                                                                                                                       |
| J7-12 | NC                |                                                                                                     |                                                                                                                                                       |
| J7-13 | MCU_STO1_In       | 3.3-V output from ISO1211 for STO_1 channel                                                         | For ISO1211 diagnostic                                                                                                                                |
| J7-14 | NC                |                                                                                                     |                                                                                                                                                       |
| J7-15 | DIAG_EN           | Enable and disable pin of TPS27S100 for diagnostic functions                                        | The enable pin is permanently connected<br>to 3.3-V to enable continuous diagnostic<br>monitoring and also send back to the<br>diagnostic MCU (SIL 1) |
| J7-16 | NC                |                                                                                                     |                                                                                                                                                       |
| J7-17 | NC                |                                                                                                     |                                                                                                                                                       |
| J7-18 | NC                |                                                                                                     |                                                                                                                                                       |

| 24 | TUEV-Assessed Safe Torque Off (STO) Reference Design for Industrial Drives |
|----|----------------------------------------------------------------------------|
|    | (IEC 61800-5-2)                                                            |

NC

NC

J7-19

J7-20



## 3.2 Testing and Results

Note

The test results in this chapter were all tested based on RevE1.0 board. Table 3-5 lists all the design change from Rev E1.0 to Rev E2.1.

|        |          | <b>_</b>          | Change Log for Rev E2.1                                                                                                                                                                                                                                                 |
|--------|----------|-------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| NUMBER | REVISION | DOC. REF.         | CHANGE DESCRIPTION                                                                                                                                                                                                                                                      |
| 1      | E2.1     | Schematic and BOM | Change U5 (dual channel isolator ISO1212) to 2 single channel isolator U5 and U9 (ISO1211) to achieve a hardware fault tolerance of 1 (HFT=1).                                                                                                                          |
| 2      | E2.1     | Schematic and BOM | Remove U4, U6 (TVS3300) on the input of isolator since ISO1211 with $R_{sense}{=}562W$ and $R_{th}{=}2.5kW$ supports $\pm1kV$ surge. Refer to ISO1211 data sheet Table 3.                                                                                               |
| 3      | E2.1     | Schematic and BOM | Add 2 <sup>nd</sup> clamp circuit (R46, C37, Q3) for the STO 1 output VCC (Gate driver logic power).<br>This prevents reverse bias of the VCC supply through the CMOS input gate driver ISO5852S (or ISO5452) in case the PWM signals are still active high (3V3).      |
| 4      | E2.1     | Schematic and BOM | Add isolated 24 STO_FB output circuit to provide indication of the drive's status (safe state or normal operation). Can be used to feedback the drive's status to a safety PLC for additional diagnostics, if desired.                                                  |
| 5      | E2.1     | Schematic and BOM | Change all the capacitors (MLCC) which design state is" obsolete" or" not for new design" to the parts with" Active" status.                                                                                                                                            |
| 6      | E2.1     | Schematic and BOM | Change indication LED D7 which design state is" obsolete" to the part with" Active" status. Change R31 from 50ohm to 200ohm according to new D7 rated current.                                                                                                          |
| 7      | E2.1     | Schematic and BOM | <ul> <li>Load switch U7 change from TPS22860 to TPS22919 to overcome the input pin open fault:</li> <li>TPS22860 input open Hiz&gt; will lead un-determinate state of the output.</li> <li>TPS22919 input open Hiz&gt; will not pass through voltage to OUT.</li> </ul> |
| 8      | E2.1     | Schematic and BOM | Change single U2 (4 channels logic gate SN74HC7001DT) to dual separate logic gates U2 and U10 (SN74LVC2G132YZPR) to achieve HFT=1.                                                                                                                                      |
| 9      | E2.1     | Schematic and BOM | Separate R13 (1kohm) to R6 and R13 (2*499ohm).<br>Separate R20 (1kohm) to R17 and R20 (2*499ohm).<br>To get rid of the short change value failure mode of resistor which will<br>bypass the filter for logic gate.                                                      |
| 10     | E2.1     | Schematic and BOM | Change J2 from OST ED555/3DS to PHX 1751251.<br>Easier for assembly cables with bigger screw holes.                                                                                                                                                                     |
| 11     | E2.1     | Schematic         | Add line around the STO_1 and STO_2 circuits and exclude<br>the power supply. Add note for PSU that not part of the<br>TUEV concept review, needs to be a protected supply. (refer to<br>TIDA-01599_STO_Concept_FMEA_1v6.docx)                                          |
| 12     | E2.1     | Schematic         | Add requirements for power rails to schematic (refer to TIDA-01599_STO_Concept_FMEA_1v6.docx)                                                                                                                                                                           |
| 13     | E2.1     | Schematic and BOM | Change R15, R22 to surge proof MELF, change C8, C11 voltage rating to 100V                                                                                                                                                                                              |
| 14     | E2.1     | Layout            | Change layout and board dimension according to above modification.                                                                                                                                                                                                      |
| 15     | E2.1     | Layout            | Swap POWER layer (mid layer 2) and Ground layer (mid layer 1) to have a proper return ground for the high-speed signals on TOP layer.                                                                                                                                   |

#### Table 3-5. Design Change Log for Rev E2.1



## 3.2.1 Logic High and Logic Low STO Thresholds

Figure 3-2, Figure 3-3, and Figure 3-4 show the input logic high and low thresholds of the ISO1212. Note that the VIH (min) is 14.20 V and VIL (max) is 11.20 V, which correlates with the typical values calculated in Section 2.4.1.



Figure 3-2. Logic Threshold for Digital Isolator



Figure 3-3. Logic Thresholds for Digital Isolator— Falling Edges

26



Figure 3-4. Logic Thresholds for Digital Isolator— Rising Edges



#### 3.2.2 Validation of STO1 Signal

## 3.2.2.1 Propagation of STO1 to VCC1 of Gate Driver

The STO1 signal goes low for a period of 15 ms. As Figure 3-5 and Figure 3-6 show, the response time measured between the STO signal going low to the activation of the RDY pin is 2.7 ms. The response time is a function of the capacitance C16 at the output of the load switch. Vary the response time by changing the value of capacitance. As the VCC1 goes below the UVLO threshold, the RDY pin is activated. The UVLO+ threshold for ISO5852S is 2.25 V.



Figure 3-5. Propagation of STO1 to VCC1 of Gate Driver



Figure 3-6. Indication of RDY Signal (Active Low) When VCC\_1 Turns OFF

#### 3.2.2.2 1-ms STO Pulse Rejection

Figure 3-7 and Figure 3-8 show that the low-pass filter at the output of the digital isolator rejects the STO low pulse of 1 ms.



Figure 3-7. Rejection of 1-ms Pulse by LPF on STO1 Signal Path



Figure 3-8. Rejection of 1-ms Pulse by LPF on STO1 Signal Path—RDY Pin Remains High



## 3.2.2.3 Diagnostic Pulses From MCU Interface

The MCU periodically sends low pulses of 100  $\mu$ s. The VCC1 does not fall much below the UVLO of the gate driver during this time period. A capacitor of 0.47  $\mu$ F ensures that VCC\_1 does not fall below the UVLO threshold. Use a higher value of capacitance to minimize the voltage drop in VCC1 during the 100- $\mu$ s STO pulses. Figure 3-9 shows the test results.



Figure 3-9. Effect of Diagnostic Pulses From MCU Interface on STO1 Signal Path

#### 3.2.3 Validation of STO2 Signals

#### 3.2.3.1 Propagation of STO2 to VCC2 of Gate Driver

The STO2 signal goes low for a period of 15 ms. As Figure 3-10 and Figure 3-11 show, the response time measured between the STO signal going low to the activation of the RDY pin is 7.4 ms. As the VCC2 goes below the UVLO threshold, the RDY pin is activated. The UVLO+ threshold for ISO5852S is 12 V. The response time is a function of the capacitance C7 at the output of the smart switch. Vary the response time by changing the value of capacitance.



Figure 3-10. Indication of RDY Signal (Active Low) When VCC\_2 Turns OFF



Figure 3-11. Propagation of STO2 to VCC2 of Gate Driver



#### 3.2.3.2 1-ms Pulse Rejection

Figure 3-12 and Figure 3-13 shows that the low-pass filter at the output of the digital isolator rejects the STO low pulse of 1 ms.



STO2 Signal Path—RDY Pin Remains High



STO2 Signal Path

#### 3.2.3.3 Diagnostic Pulses From MCU

The MCU periodically sends low pulses of 100  $\mu$ s. The VCC1 does not fall much below the UVLO of the gate driver during this time period. This is taken care of by using a capacitor C7 of 10  $\mu$ F at the output of the switch. Figure 3-14 shows the test results. Use a higher value of capacitance to minimize the voltage drop in VCC2 during the 100- $\mu$ s STO pulses.



Figure 3-14. Effect of Diagnostic Pulses From MCU Interface on STO2 Signal Path

#### 3.2.3.4 Inrush Current Measurement

Set the current limit with the TPS27S00 device. As mentioned in Section 2.4.3, the current limit is set to 1 A. The current during the peak is limited to 1 A, as calculated in Equation 8.

$$I_{OUT} = \frac{V_{(IMON)} \times K_{(IMON)}}{R4} = \frac{3.3 \text{ V} \times 500}{1.65 \text{ K}} = 1 \text{ A}$$
(8)

Calculate the current in the switch during the ON state using Equation 9.

$$I_{OUT} = \frac{V_{(IMON)} \times K_{(IMON)}}{R4} = \frac{0.3 \text{ V} \times 500}{1.65 \text{ K}} = 90 \text{ mA}$$
(9)



This calculated value for  $I_{OUT}$  matches well with the value measured by the multimeter (see Figure 3-15 and Figure 3-16).



Figure 3-15. Inrush Current Measurement From TPS27S100



Figure 3-16. Zoomed-In Shot of Inrush Current Measurement From TPS27S100

The two peaks that Figure 3-15 and Figure 3-16 show during the transition state corresponds to the current limit due to the input and output capacitance of the TIDA-00199 board. Path 1 and path 2 in Figure 3-17 show the two capacitances charging on the TIDA-00199 board.



Figure 3-17. Charging of Input and Output Capacitors of TIDA-00199

#### 3.2.4 3.3-V Voltage Rail From Switcher

Figure 3-18 and Figure 3-19 show the ripple voltage on the 3.3-V rail at a load current of 13 mA. The peak-to-peak ripple voltage at 13 mA is 27.75 mV.



Figure 3-18. Ripple Voltage at Load Current of 13 mA



Figure 3-19. Zoomed-in Ripple Voltage at Load Current of 13 mA

Figure 3-20 and Figure 3-21 show the ripple voltage on the 3.3-V rail at a load current of 40 mA. The peak-to-peak ripple voltage at 40 mA is 33 mV.





Figure 3-21. Zoomed-in Ripple Voltage at Load Current of 40 mA

#### 3.2.5 60-V Input Voltage and Reverse Polarity Protection

Figure 3-22 and Figure 3-23 show that, when a positive and negative voltage of 60 V is applied at the input of the digital isolator, the output remains unaffected.



Figure 3-22. 60-V Input Voltage Protection



Figure 3-23. 60-V Reverse Polarity Protection



#### 3.2.6 Validation of Trip Zone Functionality

Figure 3-24 shows the implementation of the trip feature. As the STO goes low, the trip starts to fall. Within 1.52 ms, the input PWM to the gate driver (and hence the output to the gate of the switching device) is terminated.



Figure 3-24. Validation of Trip Zone Functionality Through STO2

Figure 3-25 shows the rejection of a 1-ms STO low pulse by the design.



Figure 3-25. Effect of Rejection: 1-ms Pulse on Trip



# 4 Design Files

## 4.1 Schematics

To download the schematics, see the design files at TIDA-01599.

#### 4.2 Bill of Materials

To download the bill of materials (BOM), see the design files at TIDA-01599.

#### 4.3 Layer Plots

To download the layer plots, see the design files at TIDA-01599.

#### 4.4 Altium Project

To download the Altium project files, see the design files at TIDA-01599.

#### 4.5 Gerber Files

To download the Gerber files, see the design files at TIDA-01599.

#### 4.6 Assembly Drawings

To download the assembly drawings, see the design files at TIDA-01599.

#### **5** Related Documentation

- 1. Texas Instruments, TIDA-00199 *Wide-Input Isolated IGBT Gate-Drive Fly-Buck™ Power Supply for Three-Phase Inverters* design guide
- 2. Texas Instruments, TIDA-00195 *Three-Phase High PWM Frequency GaN Inverter Reference Design for 200-V AC Servo Drives* design guide
- IEC 61800-5-2, Adjustable speed electrical power drive systems Part 5-2: Safety requirements Functional
- 4. IEC 61508, Functional safety of electrical | electronic | programmable electronic safety-related systems
- 5. ISO13849-1 | 2, Safety of machinery Safety-related parts of control systems Part 1: General principles for design, Part 2: Validation
- 6. Texas Instruments, TIDA-01599 STO Concept TUEV Report TF97657T Rev.1.1
- 7. Texas Instruments, Overview STO Concept TIDA-01599 functional safety information

#### 5.1 Trademarks

TI E2E<sup>™</sup>, LaunchPad<sup>™</sup>, Fly-Buck<sup>™</sup>, and C2000<sup>™</sup> are trademarks of Texas Instruments. All trademarks are the property of their respective owners.

#### 6 About the Author

**AISHWARYA BHATNAGAR** is a systems engineer at Texas Instruments, where she is responsible for developing reference design solutions for the Motor Drive segment within Industrial Systems. Aishwarya earned her bachelor of technology in electronics and communication engineering from MNNIT, Allahabad.

**NAVANEETH KUMAR** is a system architect in the Industrial Systems-Motor Drive team at Texas Instruments, where he is responsible for specifying and developing reference designs for industrial drives.

**MARTIN STAEBLER** is a system architect in the Industrial Systems-Motor Drive team at Texas instruments, where he is responsible for specifying and developing reference designs for industrial drives.

**CHEN GAO** is a system engineer at Texas instruments, where he is responsible for developing reference design solutions for the Motor Drive segment within Industrial Systems.

#### 7 Recognition

The authors would like to recognize the excellent contributions from **NELSON ALEXANDER** during the design, test, and documentation phases of the TIDA-01599 design.

## **8 Revision History**

NOTE: Page numbers for previous revisions may differ from page numbers in the current version.

| С | Changes from Revision A (April 2022) to Revision B (November 2022) |    |  |  |
|---|--------------------------------------------------------------------|----|--|--|
| • | Removed two images from Section 2.4.5.                             | 21 |  |  |

| С | Changes from Revision * (December 2017) to Revision A (April 2022)   |    |  |
|---|----------------------------------------------------------------------|----|--|
| • | Changed title of document                                            | 1  |  |
| • |                                                                      |    |  |
| • | Updated all figures according to the design of revision A            |    |  |
| • |                                                                      |    |  |
| • | Updated the Key System Specifications table                          |    |  |
| • | Updated the <i>Block Diagram</i> section for revision A              |    |  |
| • | Added the Design Considerations section for revision A               |    |  |
| • | Added Table 2-1 to Table 3-4 for revision A                          |    |  |
| • | Updated the Highlighted Products section for revision A              | 12 |  |
| • | Updated the PCB Overview section for revision A                      |    |  |
| • | Updated PCB Layout recommendations with Layer Plots for revision A   |    |  |
| • | Added references in the Related Documentation section for revision A |    |  |

## IMPORTANT NOTICE AND DISCLAIMER

TI PROVIDES TECHNICAL AND RELIABILITY DATA (INCLUDING DATA SHEETS), DESIGN RESOURCES (INCLUDING REFERENCE DESIGNS), APPLICATION OR OTHER DESIGN ADVICE, WEB TOOLS, SAFETY INFORMATION, AND OTHER RESOURCES "AS IS" AND WITH ALL FAULTS, AND DISCLAIMS ALL WARRANTIES, EXPRESS AND IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS.

These resources are intended for skilled developers designing with TI products. You are solely responsible for (1) selecting the appropriate TI products for your application, (2) designing, validating and testing your application, and (3) ensuring your application meets applicable standards, and any other safety, security, regulatory or other requirements.

These resources are subject to change without notice. TI grants you permission to use these resources only for development of an application that uses the TI products described in the resource. Other reproduction and display of these resources is prohibited. No license is granted to any other TI intellectual property right or to any third party intellectual property right. TI disclaims responsibility for, and you will fully indemnify TI and its representatives against, any claims, damages, costs, losses, and liabilities arising out of your use of these resources.

TI's products are provided subject to TI's Terms of Sale or other applicable terms available either on ti.com or provided in conjunction with such TI products. TI's provision of these resources does not expand or otherwise alter TI's applicable warranties or warranty disclaimers for TI products.

TI objects to and rejects any additional or different terms you may have proposed.

Mailing Address: Texas Instruments, Post Office Box 655303, Dallas, Texas 75265 Copyright © 2022, Texas Instruments Incorporated