SFFS422 May 2022
Figure 4-1 shows the overall system block diagram.
STO_1 and STO_2 control the primary-side and secondary-side power supplies to the six isolated IGBT gate drivers through a power switch (VCC) and a high-side switch (P24V), respectively. As long as a logic 1 (+24-V DC) is present at both STO inputs, the motor is operable. If a logic 0 (0 V) is present at one or both STO inputs, the power supplies to the gate drivers are disconnected and the motor coasts to a standstill. The 1oo2 (one-out-of-two) architecture provides a hardware fault tolerance of HFT = 1: only two simultaneous faults can cause failure of the safety function.
The MCU (SIL 1) implements diagnostic coverage of the STO_1 and STO_2 safety subsystems and sets the system to a safe state when a fault is detected.
An STO_FB signal indicates the status of the drive (safe state or normal operation) and can be used to feed back the drive's status to a safety PLC for additional diagnostics, if desired.
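The following behavioural model, added here as an illustration and not TI code from the reference design, captures the three points made above: the 1oo2 gating of the VCC and P24V supply paths by STO_1 and STO_2, the HFT = 1 claim (a single dangerous fault cannot defeat torque removal, two simultaneous faults can), and the STO_FB status signal. The MCU diagnostic is an assumed plausibility check that compares each supply path's state with its STO input; the document does not specify how the MCU diagnostics are implemented, and the `stuck_on` fault model is likewise a constructed assumption.

```python
"""Constructed behavioural model of a 1oo2 Safe Torque Off (STO) channel.
Not TI code: the supply-path readback diagnostic and the stuck-on fault
model are assumptions made for this illustration."""

from dataclasses import dataclass, field
from itertools import combinations

LOGIC_1 = True   # +24-V DC present at an STO input (motor may run)
LOGIC_0 = False  # 0 V at an STO input (torque must be removed)


@dataclass
class PowerSwitch:
    """One supply path to the gate drivers: VCC via a power switch for STO_1,
    P24V via a high-side switch for STO_2. `stuck_on` models a dangerous
    failure in which the switch no longer opens when its input drops to 0."""
    name: str
    stuck_on: bool = False

    def output(self, sto_input: bool) -> bool:
        # A healthy switch follows its STO input; a stuck-on switch stays closed.
        return True if self.stuck_on else sto_input


@dataclass
class StoDrive:
    sto_1: bool = LOGIC_1
    sto_2: bool = LOGIC_1
    vcc_switch: PowerSwitch = field(default_factory=lambda: PowerSwitch("VCC"))
    p24v_switch: PowerSwitch = field(default_factory=lambda: PowerSwitch("P24V"))

    def torque_possible(self) -> bool:
        """Gate drivers (and hence torque) need BOTH the primary (VCC) and the
        secondary (P24V) supply, so either STO input alone can remove torque."""
        return (self.vcc_switch.output(self.sto_1)
                and self.p24v_switch.output(self.sto_2))

    def sto_fb(self) -> bool:
        """STO_FB to a safety PLC: True = safe state (torque off),
        False = normal operation."""
        return not self.torque_possible()

    def mcu_diagnostic(self) -> list:
        """Assumed MCU plausibility check: each supply path must follow its
        STO input. A path still energised while its input is logic 0 is a
        detected fault; the MCU would then command the safe state."""
        faults = []
        for label, inp, sw in (("STO_1/VCC", self.sto_1, self.vcc_switch),
                               ("STO_2/P24V", self.sto_2, self.p24v_switch)):
            if sw.output(inp) != inp:
                faults.append(label)
        return faults


def hft_analysis() -> dict:
    """Enumerate zero, one and two stuck-on faults under an STO demand (both
    inputs at logic 0) and report, per fault set, whether torque is still
    possible. Only the two-fault case defeats the function, i.e. HFT = 1."""
    results = {}
    for n_faults in (0, 1, 2):
        for faulty in combinations(("VCC", "P24V"), n_faults):
            drive = StoDrive(sto_1=LOGIC_0, sto_2=LOGIC_0)
            drive.vcc_switch.stuck_on = "VCC" in faulty
            drive.p24v_switch.stuck_on = "P24V" in faulty
            results[faulty] = drive.torque_possible()
    return results


if __name__ == "__main__":
    for fault_set, torque in hft_analysis().items():
        print(f"stuck-on faults {fault_set or '(none)'}: torque possible = {torque}")
    faulty_drive = StoDrive(sto_1=LOGIC_0, sto_2=LOGIC_0)
    faulty_drive.vcc_switch.stuck_on = True
    print("MCU detected faults:", faulty_drive.mcu_diagnostic(),
          "| STO_FB safe state:", faulty_drive.sto_fb())
```

Running the script lists the fault space under an STO demand: with no fault or with either single stuck-on switch, torque remains impossible, and only the VCC-plus-P24V double fault leaves the gate drivers powered. The single-fault case is exactly what the MCU diagnostic in this model flags, which is the point of pairing an HFT = 1 architecture with diagnostic coverage: the first fault is detected and acted on before a second one can accumulate.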