123 Main Street, New York, NY 10001

Submit Your BOM

Instrument Power & Protection

Instrument Power & Protection

← Back to: Test & Measurement / Instrumentation

Instrument Power & Protection focuses on building a clean, reliable power tree that survives hot-plug, faults, and external transients without corrupting measurement accuracy. It combines multi-rail sequencing, layered protections (eFuse/OVP/ESD/surge), thermal derating, and actionable telemetry so every trip is explainable and serviceable.

H2-1 · What this page covers (instrument power that stays clean and safe)

This page focuses on instrument-grade power integrity: a power tree that remains low-noise, stable under load steps, and fault-contained under real abuse (hot-swap, short-circuit, over-voltage, ESD/EFT/surge), while also being observable and serviceable through power-good logic, fault codes, and telemetry.

What “Instrument Power & Protection” must achieve

  • Power integrity: keep ripple/noise and rail drift within limits that preserve measurement repeatability and threshold stability.
  • Fault containment: isolate failures to a branch (not the whole instrument), with defined actions (limit / disconnect / latch / retry).
  • Operability: make faults explainable and diagnosable via rail IDs, event counters, and power-good state transitions.

Typical constraints (why this is hard)

  • Low-noise rails: noise and slow drift can translate into unstable readings, shifting trip points, or temperature-dependent offsets.
  • Load steps: sudden current demand can cause brownout or power-good chatter if sequencing and droop margins are not engineered.
  • Hot-swap / shorts: inrush and short-circuit energy can exceed MOSFET SOA unless current limit is time-aware.
  • External transients: ESD/EFT/surge events can inject high energy; protection must coordinate where energy is clamped, limited, and disconnected.
  • 24/7 operation: thermal derating and aging matter as much as nominal specs; the “safe operating region” must be maintained over time.

Out of scope for this page: instrument-specific signal chains and protocol details. The focus stays on the power tree, protection layers, thermal derating, and telemetry-driven serviceability.

Instrument power objectives map A block-style objectives map showing four pillars: low-noise and accuracy, transient and hot-swap robustness, safety and serviceability, and thermal derating control as a foundation. Instrument Power & Protection — Objectives Keep rails clean, survive events, contain faults, and stay serviceable over 24/7 thermal stress. Noise & Accuracy What must stay controlled • Ripple / wideband noise • Drift (temp + aging) • Brownout margin • Power-good stability Transient & Hot-Swap Events to survive • Inrush at plug-in • Load step droop • Short-circuit energy • OVP / reverse events Safety & Service LOG Must be explainable • Fault containment by branch • Latch vs retry policy • Rail ID + reason code • Telemetry for diagnosis Thermal & Derating (24/7 stability) Normal Derate Protect Shutdown

Figure F1 maps the four engineering pillars. Later sections turn each pillar into concrete architecture choices, protection policies, and validation checklists.

H2-2 · Power tree & domain partition (separate domains before choosing a PMIC)

Instrument power complexity is rarely about the number of rails. It is about domains with different sensitivity and failure consequences. A good design starts by partitioning rails into domains, then building a layered power tree, and finally defining protection boundaries that contain faults to a branch.

The 3-step method (repeatable in every instrument platform)

  1. Partition domains: group rails by noise sensitivity, load-step behavior, and allowable fault propagation.
  2. Layer the tree: bus → pre-regulation (buck/buck-boost) → post-regulation (LDO/filters) → point-of-load distribution.
  3. Declare boundaries: each domain entry has a defined action (limit/disconnect/latch/retry) and a clear “who gets affected” rule.

Common domains (kept generic to avoid cross-topic overlap)

  • Digital/compute domain: fast load steps and high di/dt demand stable pre-regulation and robust brownout behavior.
  • Sensitive rails domain: rails that require lowest noise and best drift control; typically protected from other domains’ transients.
  • Reference/precision domain: always-on or tightly supervised rails where power-good chatter is unacceptable.
  • Actuator/utility domain: fan/relay/aux loads; must be isolated so its switching or faults do not collapse the bus.
  • Interface power domain: user-accessible connectors; needs well-defined ESD/EFT/surge coordination and branch isolation.
  • Standby domain: minimal always-on rails for wake/supervision and safe power-down sequencing.

Practical rule: a “domain boundary” is not just a symbol on a block diagram. It is a fault energy stop with an explicit policy (limit/disconnect/latch/retry) and a recordable outcome (rail ID + reason code).

Power tree with domains and protection boundaries A layered power tree: DC bus to pre-regulation to post-regulation, then branching into multiple domains. Each domain includes a boundary block such as eFuse/hot-swap, load switch, or OVP gate. Partition domains → layer the tree → enforce boundaries DC BUS / MAIN INPUT (source → distribution) Pre-regulation (buck / buck-boost) efficiency + wide input handling Post-regulation (LDO / filters) low noise + domain isolation Domains (each entry has a protection boundary) Boundary Digital / Compute load steps + brownout control eFuse Boundary Sensitive Rails low noise + drift control Load switch Boundary Reference / Precision stable PG + supervised ramps OVP gate Boundary Actuator / Utility isolate noisy loads eFuse Boundary Interface Power ESD/EFT/surge coordination Hot-swap Boundary Standby / Always-on supervised shutdown ordering Load switch Boundaries define actions (limit/disconnect/latch/retry) and make faults containable by branch.

Fast engineering checks (useful as acceptance criteria)

  • Every domain has a named entry boundary (eFuse / hot-swap / load switch / OVP gate) and a defined policy (latch vs retry).
  • Sensitive rails are protected from other domains’ load steps through tree layering and boundary isolation.
  • Power-good transitions are stable (no chatter) across load steps, temperature, and controlled brownout events.
  • At least one diagnostic signal exists per domain: rail ID + reason code + counter (enables serviceability).

H2-3 · Requirement decomposition (turn specs into acceptance criteria)

Instrument power requirements become actionable only after they are translated into measurable pass/fail criteria and linked to the design knobs that can actually move them. The four pillars below—noise, transient behavior, fault tolerance, and thermal stability—form a repeatable checklist for defining rail budgets and for signing off a platform.

1) Ripple & noise — “low enough” must be domain-matched

  • Control target: noise is not one number; it is a combination of frequency band, load state, and rail sensitivity.
  • Acceptance window: define a noise/ripple budget per domain (sensitive rails vs utility rails) and require it to hold across temperature and load variation.
  • Verification method: measure at the load point with a short return path; apply a consistent bandwidth limit to avoid “measuring the fixture.”
  • Design knobs: post-regulation (LDO/filters) for sensitive rails, tree layering for isolation, and boundary isolation to prevent noisy domains from injecting transients.

2) Transient behavior — define droop windows and PG/reset linkage

  • Events to cover: load steps, controlled startup ramp/inrush, and brownout during power loss or source sag.
  • Acceptance window: specify a droop window (max dip + max duration) and a required power-good stability window (no chatter) through those events.
  • Verification method: step the load across worst-case corners and confirm recovery time, PG stability, and that reset behavior is deterministic (no “reset storm”).
  • Design knobs: soft-start/ramps, compensation stability, hold-up margins, and PG filtering/deglitching aligned to system state.

3) Fault tolerance — separate “no-damage” vs “fail-safe” goals

  • No-damage goal: common misuse (hot-swap inrush, short overload, reverse event) must trigger a protective action without sacrificing upstream rails.
  • Fail-safe goal: severe or sustained faults must result in clean disconnect, fault containment by branch, and a recordable reason code.
  • Verification method: fault injection with defined pass criteria: action type (limit/disconnect), action time, recovery policy (retry/latch), and impact on other domains.
  • Design knobs: eFuse/hot-swap policy, OVP gating or disconnect strategy, reverse blocking/OR-ing, and explicit latch vs hiccup choices.

4) Thermal stability — keep rails inside a safe operating region over 24/7 stress

  • Control target: heat is a system variable; it changes drift, reduces margin, and can invalidate “nominal” protection thresholds.
  • Acceptance window: define a derating curve (normal → derate → protect → shutdown) and require stable behavior (no oscillation between states).
  • Verification method: thermal soak at high load and high ambient; confirm hotspot sensors correlate with real stress and derating occurs predictably.
  • Design knobs: sensor placement, derating policy, airflow control hooks, and time-aware current limiting to protect MOSFET SOA.
Spec to design knobs mapping for instrument power A two-column mapping from four spec pillars (noise, transient, fault, thermal) to practical design knobs such as post-regulation, soft-start, eFuse policy, and derating control. Spec → Acceptance criteria → Design knobs Spec pillar (what must be controlled) Design knobs (what can be tuned) Noise Ripple / drift budgets by domain verify at load point (consistent bandwidth) Post-reg Tree layering Isolation Transient Droop window + PG stability load step / startup / brownout Soft-start Compensation PG filter Fault Contain by branch + reason codes short / OVP / reverse / hot-swap eFuse OVP gate Latch / retry Thermal Derating ladder keeps 24/7 margins Temp sense Derate curve OTP The mapping is a design review checklist: each spec pillar must have an acceptance window, a test method, and tunable knobs.

Figure F3 is intended for design reviews: it links each “spec pillar” to a small set of knobs that can be tuned and verified.

H2-4 · Multi-rail PMIC architecture (sequencing, dependencies, PG/reset)

A multi-rail PMIC is more than multiple regulators. The real engineering value is in sequencing, dependency control, power-good stability, and fault propagation rules. A robust instrument platform treats power-up and power-down as a deterministic state machine, with defined recovery behavior when rails fail to meet criteria.

Sequencing and dependencies (why order matters)

  • Start stable references first: a rail used as a comparator/reference or supervisory source must be valid before dependent rails ramp.
  • Bring up sensitive rails before noisy, high-step loads: this prevents early brownout and prevents PG chatter during ramp.
  • Bring utility/actuator rails last: large inrush or step load should not collapse the shared bus during platform initialization.
  • Dependency rule: a downstream rail may ramp only when the upstream rail is within its acceptance window and has a stable PG.

Power-good (PG) and reset policy (avoid reset storms)

  • PG must be deglitched: brief droops during load steps should not cause repeated PG toggles.
  • Differentiate phases: strict PG gating during startup, and controlled brownout strategy during run (e.g., degrade → protect → shutdown).
  • Define rollback behavior: if a rail fails PG during startup, the platform should enter a known recovery path rather than oscillating.
  • Contain propagation: not every rail PG should reset the entire instrument; group resets by domain to localize impact.

Remote sense and line-drop (use it when the load point defines correctness)

  • When it is needed: high current, long distribution paths, or tight droop windows where the load-point voltage determines pass/fail.
  • What can go wrong: sense lines can pick up noise or create unstable feedback if the loop is not well-behaved at the load point.
  • Safety rule: sense open/short conditions must be handled deterministically (no uncontrolled voltage rise).
  • Verification method: validate PG and regulation at the load point across temperature and dynamic load changes.

Low-noise layering (pre-reg + post-reg) — the boundary and trade-off

  • Why layer: pre-regulation handles wide input variation efficiently; post-regulation improves noise and isolates sensitive domains.
  • Where to apply: reserve post-regulation for rails where drift/noise directly affects stability; do not apply blindly to high-power utility rails.
  • Trade-off: post-regulation increases dissipation and may slow transient response; margins must be validated under worst-case load steps.
Rail sequencing state diagram for multi-rail PMIC platforms A block-style state machine: OFF to PRECHECK to RAMP to VERIFY (power-good), then RUN, with FAULT leading to RETRY or LATCH depending on policy. Sequencing as a deterministic state machine OFF rails disabled PRECHECK UVLO ok • temp ok RAMP soft-start ramp VERIFY PG stable window RUN telemetry + monitoring FAULT rail ID + reason RETRY hiccup / timer LATCH manual clear required PG fail / OVP / OCP / OTP A platform is robust when startup failure is handled by design: verify, fail with reason, then retry or latch by policy.

Practical acceptance checks for a multi-rail platform

  • Sequencing order and dependencies are documented and testable (no hidden rails that “sometimes” ramp early).
  • PG transitions are stable under worst-case load steps and thermal corners (no chatter-driven resets).
  • Startup failure leads to a deterministic recovery path (retry or latch), with a recorded rail ID and reason.
  • Remote-sense rails regulate at the load point, and sense fault conditions do not create unsafe behavior.

H2-5 · eFuse / Hot-swap / Load switch (inrush, SOA, retry policy)

Hot-plug events are rarely “just a current spike.” A robust instrument platform treats inrush as an energy-and-time problem: input capacitance charging, downstream converter startup, and connector bounce can hold a pass element in a high-dissipation region long enough to violate its safe operating area (SOA). Branch isolation and a clear retry/latch policy prevent one fault from collapsing the entire power tree.

Inrush sources (and why they can look like faults)

  • Capacitor charging: the input sees a controlled ramp of charge current; longer ramps reduce peak current but can extend dissipation time.
  • Downstream DC/DC startup: converters often draw a “startup plateau” current while building regulation, which can resemble a short under a tight current limit.
  • Connector bounce / arcing: repeated micro-connect cycles can re-trigger charging and stress the pass FET multiple times in a short window.

Hot-swap vs eFuse vs load switch (choose by boundary conditions)

  • Load switch: best for simpler on/off control and moderate inrush shaping; limited telemetry and energy control in high-stress hot-plug cases.
  • eFuse: best for configurable current-limit behavior, fault flags, and branch protection policies; must still be checked for pass-element dissipation during long limit events.
  • Hot-swap controller + external FET: best when current level and energy are high (large capacitance, high bus voltage, tight droop windows); external FET selection expands SOA headroom.

SOA and retry policy (current limit is not enough)

  • Why SOA matters: the pass device stress is set by P(t)=VDS(t)×I(t), and the allowable stress depends on time.
  • Common failure mode: a “safe” current limit can hold the device in a high VDS region too long, accumulating heat until SOA is violated.
  • Retry choices: hiccup / timed retry supports availability; latch-off maximizes safety and prevents repeated stress. Both require clear criteria and counters.
  • Containment rule: branch protection should isolate the affected rail without pulling down shared upstream domains.
Inrush and SOA protection timing Simplified timing plot showing bus voltage rise, inrush current limiting, and pass-FET power dissipation versus time. A highlighted region marks where dissipation duration can violate SOA if retry policy is too aggressive. Inrush shaping + SOA is energy over time time → V (bus / load) ramp I (inrush) current limit P (FET) SOA danger window high VDS × limit I too long → overheating Policy knobs hiccup • timed retry • latch A safe design constrains energy: limit current, limit time in dissipation, and choose a retry/latch policy that avoids repeated stress.

Figure F5 emphasizes the failure mode often missed in “current limit only” designs: power dissipation duration can violate SOA.

H2-6 · Core protections stack (OVP/OCP/UVP/SCP/OTP as layered defenses)

A protection strategy becomes reliable when it is built as a layered stack with fault containment. Each layer has a clear trigger, a deterministic action, and a consistent record (rail ID, reason code, counters). This turns “protection features” into an architecture that can be verified and serviced.

Layer 1 — Input-side defenses (surge / OVP / UVP containment at the entry)

  • Goal: prevent external input abnormalities from placing the platform in an unknown state.
  • OVP choice: clamp can absorb brief events; disconnect better contains energy and supports post-event diagnosis.
  • Output requirement: input events must produce a clear reason code and should not silently degrade the power tree.

Layer 2 — Distribution defenses (branch OCP / eFuse policies to localize faults)

  • Goal: a short or overload on one branch should not collapse shared rails or reset unrelated domains.
  • OCP/SCP modes: constant-current, foldback, or shutdown; the best choice depends on startup needs and thermal limits.
  • Stability rule: avoid oscillation (repeated trips) by aligning retry timing, PG deglitch, and brownout policy.

Layer 3 — Load-side defenses (local protection and thermal coordination)

  • Goal: local regulators protect themselves and report status without turning OTP into normal operation.
  • OTP rule: thermal shutdown is the last line; primary control should be derating and controlled limiting.
  • Serviceability: records should indicate whether a shutdown was input-driven, branch-driven, or local thermal.
Protection layers and fault containment Three-layer protection stack: input layer, distribution layer, and load layer. Each layer shows a Trigger to Action to Record chain. A left-side block represents external input events that enter the stack. Layered protection: Trigger → Action → Record External input events surge • OVP • UVP hot-plug • reverse Input layer Trigger OVP/UVP detect Action disconnect / limit Record reason + counter Distribution layer Trigger OCP/SCP detect Action isolate branch Record rail ID + policy Load layer Trigger local OTP/UVP Action derate / shutdown Record local status Fault containment improves availability: input events are contained early, branch faults stay local, and load-side thermal control prevents repeated OTP cycles.

Practical sign-off checklist for the protection stack

  • Every protection has a defined trigger threshold/window and a deterministic action (limit, disconnect, derate, shutdown).
  • Containment is explicit: input events do not propagate into unrelated domains, and branch faults do not reset the whole platform.
  • Retry behavior is bounded by time and count; repeated stress is prevented by policy (cooldown, latch, or escalation).
  • Records are consistent across layers: rail ID, reason code, counters, and last-event timestamp enable serviceability.

H2-7 · ESD / EFT / Surge coordination (graded energy diversion)

IEC transient immunity is rarely solved by a single component. Reliable protection is built by shaping the energy path: fast spikes are diverted early, repeated bursts are prevented from confusing control states, and high-energy events are limited or isolated before they reach the internal bus. Coordination means each stage has a defined role—clamp, limit energy, disconnect, and buffer—with predictable system recovery.

Component-level protection chain (roles and boundaries)

  • TVS clamp: handles fast spikes by shunting current and keeping node voltage below a safe level.
  • Surge stopper / limiter: limits energy delivery during longer events by controlling pass behavior (voltage/current/time).
  • Series impedance (R/NTC): slows di/dt and shares stress, improving survivability of the clamp stage.
  • Disconnect MOSFET: isolates the internal bus when energy is excessive or persistent, preventing propagation into other domains.
  • Input bulk capacitor: buffers the internal bus but must be treated as part of the energy path (it can store and replay stress).

Why ESD vs EFT vs surge require different coordination

  • ESD: extremely fast edges; priority is rapid diversion with minimal path length to protect semiconductors from localized overstress.
  • EFT: repetitive bursts; priority is preventing repeated triggers that cause PG/reset chatter and state-machine instability.
  • Surge: higher energy and longer duration; priority is limiting delivered energy and isolating the internal bus when required.

Placement rule (kept intentionally brief)

Place the earliest diversion stage close to the external entry so energy is shunted before it spreads. Place limiting/isolation stages such that residual stress does not exceed what the internal bus and downstream rails can tolerate.

Transient energy path with coordinated stages Block diagram from external port through TVS clamp, energy limiter, disconnect MOSFET, and internal bus with bulk capacitor. Arrows indicate graded actions: shunt, limit energy, isolate, and buffer. Transient coordination = controlled energy path External port ESD / EFT / surge energy enters here TVS clamp fast shunt to safe sink Energy limiter limit V / I / time R / NTC (share) Disconnect FET isolate if needed Internal bus buffered by bulk cap Cbulk Coordination is staged: shunt fast spikes, limit delivered energy, isolate persistent stress, and keep the internal bus within safe windows.

H2-8 · Thermal management & derating (sustained reliability over 24/7)

For 24/7 instruments, thermal behavior is a primary reliability variable. Hot-plug stress, current limiting, and linear post-regulation can create long-duration heat that shifts margins and increases protection chatter. A durable platform uses a derating ladder with hysteresis and dwell time so temperature control is stable, predictable, and serviceable. Thermal shutdown is a last line—not a normal controller.

Heat sources map (event-driven, not constant)

  • Power MOSFETs: hottest during limiting plateaus and repeated retry events.
  • Linear post-regulators: hottest when headroom (VIN−VOUT) is large under sustained load.
  • Actuator/relay domains: heat spikes during actuation and can add load stress to shared rails.
  • Hot-swap elements: stress accumulates over time when inrush is repeatedly constrained without sufficient cooldown.

Sensing and stability (avoid “temperature chatter”)

  • Hotspot sensors: placed near the highest dissipation devices for fast protection decisions.
  • Ambient/board sensors: track the platform thermal trend for smooth derating and fan control.
  • Anti-oscillation rules: use hysteresis between entry/exit thresholds and a minimum dwell time per state.

Derating ladder principle

Escalate actions in steps: Normal → Derate → Protect → Shutdown. Each step should be reversible only after temperature falls below an exit threshold and remains stable for a dwell interval.

Thermal control ladder with stable derating A stepped ladder versus temperature: Normal, Derate, Protect, and Shutdown. Each step shows a short action label. Hysteresis and minimum dwell time are indicated to prevent oscillation. Thermal control ladder: stable steps, not oscillation Temp ↑ NORMAL full performance DERATE limit current reduce duty PROTECT strong limit shed loads SHUTDOWN OTP (last line) hysteresis + minimum dwell time Stable derating uses entry/exit thresholds and dwell time so temperature control does not bounce between states.

H2-9 · Telemetry & serviceability (faults that are explainable and repeatable)

Protection becomes serviceable when every action is turned into a structured event record. Instead of “it tripped,” a platform should answer which rail, what fault type, which threshold, what measured value, how long, and what action was taken. This makes power faults explainable, reproducible, and fast to repair—without requiring deep protocol or BIST details.

What to observe (per-rail telemetry that supports root cause)

  • Rail state: voltage, current (or limit state), enable status, and PG (debounced).
  • Fault semantics: reason code (OVP/OCP/UVP/OTP/PG_FAIL), threshold, measured value, and duration.
  • Recovery context: retry counter, latch state, and peak temperature around the event.
  • Time record: store an event time marker to correlate repeated failures (no timing-sync details required).

Policy visibility (retry, latch-off, derate must be traceable)

  • Retry mode: record retry spacing, max count, and cooldown so repeated stress can be detected.
  • Latch-off mode: record the latch reason and the allowed clear mechanism (service clear vs auto-clear).
  • Derate mode: record the derate step and the entry/exit thresholds used to avoid oscillation.

Minimum log record (recommended)

rail_id, fault_type, threshold, value, duration, action_taken

Fault record flow from detection to service loop Flow diagram showing event detection, protective action, structured recording, optional reporting over a management bus placeholder, and a service loop for diagnosis and repair. Includes a minimal event schema block. Fault record flow: Detect → Act → Record → Report → Service Detect V / I / Temp PG status Act limit / disconnect derate / latch Record reason code counters + time Report mgmt bus I²C / PMBus (slot) Service loop (fast diagnosis and reproducibility) Identify which rail? which fault type? Reproduce threshold + value duration + action Repair replace/adjust verify closure Minimum record rail_id • fault_type threshold • value duration • action A structured record turns protection into serviceability: the same event can be understood, reproduced, and closed with confidence.

H2-10 · Validation & production checklist (prove power + protection is done)

“Done” means verifiable at three levels: R&D confirms the design meets noise, transient, and fault goals; production ensures every unit matches thresholds and tolerances; field self-checks keep long-term reliability measurable. A test matrix prevents gaps where a protection exists on paper but fails in real operation.

R&D — design verification (examples of must-pass checks)

  • Noise measurement method consistency (bandwidth limit, repeatable probing) and pass/fail windows per sensitive domain.
  • Load-step response: droop window, recovery time, and no false trips during expected transients.
  • Power-up / power-down sequencing: PG/reset gating behaves deterministically under brownout and restart.
  • Fault injection: OVP/OCP/SCP/OTP actions match policy (limit, disconnect, retry, latch) without collateral resets.
  • Thermal soak: derating steps are stable (no oscillation) and protection remains predictable across temperature.

Production — factory checks (thresholds, tolerances, consistency)

  • PG thresholds and rail voltage tolerances across load/no-load conditions.
  • Protection trip points verification (quick stimulus) and correct reason codes.
  • Temperature sensor sanity and unit-to-unit consistency for stable derating.
  • No-fault boot gating: abnormal startup conditions are blocked rather than creating latent damage.
  • Event record path check: basic counters and last-fault snapshot are readable.

Field — self-check & service closure (long-term evidence)

  • Event counters per rail and per fault type reveal repeated stress patterns.
  • Peak temperature and last-fault snapshot support fast diagnosis without lab reproduction.
  • Clear service workflow: rail_id → fault_type → threshold/value → duration → action_taken.
  • Derate state stability: entry/exit thresholds and dwell time prevent field oscillation.
  • Closure verification: after repair, counters stop increasing and rails remain within normal windows.
Validation test matrix: R&D, production, field Three-column checklist diagram with R&D verification, production checks, and field self-checks. Each column includes must-test items for proving power and protection readiness. Test matrix: prove readiness across lifecycle R&D Production Field Noise method + window Load-step response Sequencing + PG/reset Fault injection Thermal soak Recovery behavior PG thresholds Rail tolerance Trip points + codes Temp sensor sanity Abnormal boot block Record path check Event counters Peak temperature Last-fault snapshot Derate stability Service workflow Closure verification Use the same lifecycle structure to avoid gaps: verify design behavior, enforce unit consistency, and preserve field evidence for service closure.

H2-11 · BOM / IC selection checklist (criteria-based: PMIC, eFuse, protection, thermal)

A useful instrument power BOM is built by decision criteria, not by model-number dumping. Selection should start from the bus voltage and energy profile, then decide whether hot-plug isolation is required, and whether telemetry + fault records are needed for serviceability. The checklists below are written so procurement and engineering can converge on the same pass/fail rules.

How to use this section

  • Choose the category (PMIC / eFuse-hot-swap / surge-OVP / thermal) from the decision tree (Figure F11).
  • Apply the criteria list (6–10 items) as procurement-ready requirements.
  • Use the example part numbers only as starting points; validate voltage, current, SOA, and thermal margins in the target design.

A) Multi-rail PMIC / power system manager (sequencing, PG, telemetry)

  • Rail count + mix: number of buck/LDO rails needed and whether any rails must be ultra-quiet or always-on.
  • Sequencing flexibility: parallel vs serial start, dependency handling, and clean failure rollback behavior.
  • PG/reset chain: PG thresholds, deglitching, reset gating options, and brownout handling without chatter.
  • Fault containment: ability to isolate a failing branch so other domains stay alive (service continuity).
  • Telemetry granularity: per-rail V/I (or limit state), fault reason codes, retry counters, and peak temperature hooks.
  • Accuracy + drift: monitoring accuracy and stability across temperature (avoid “false OK / false trip”).
  • Standby power: quiescent current and always-on domain support to meet 24/7 energy budgets.
  • Interface + serviceability: register map readability, event snapshot capability, and simple bring-up tooling.

Example part numbers (reference)

ADI: LTC2977 (power-system management)
Infineon: IRPS5401 (multi-rail PMIC)
TI: TPS65086 / TPS650861 (multi-rail PMIC family)

B) eFuse / hot-swap / load switch (inrush, SOA, retry policy)

  • Voltage range + transients: steady bus voltage plus expected surge/overshoot margin (select safe headroom).
  • Rated current + surge current: continuous and peak current needs, including start-up and fault plateaus.
  • SOA protection method: power limiting / foldback / timer behavior that prevents MOSFET overheating under fault.
  • Programmable inrush: dv/dt control, current limit shaping, and controlled turn-on for hot-plug and large C loads.
  • Disconnect speed: response time and behavior under hard short (protect other domains from bus collapse).
  • Retry strategy: hiccup vs timed retry vs latch-off; cooldown behavior should avoid thermal accumulation.
  • Reverse blocking / OR-ing: support for reverse polarity, backfeed prevention, and redundant supply OR-ing when required.
  • Current sense accuracy: measurement error impacts both protection thresholds and service diagnostics.

Example part numbers (reference)

Integrated eFuse: TI TPS25947, TI TPS2660, TI TPS25982
Hot-swap controller + external FET: TI LM5069, TI LM5060, ADI ADM1278

C) OVP / surge coordination chain (TVS + limiter + disconnect FET)

  • TVS clamp level: verify clamp voltage protects the internal bus and downstream converters at peak current.
  • TVS power/energy: ensure transient power rating matches the event profile (avoid “survives ESD but dies on surge”).
  • Limiter/stopper headroom: input max rating and gate-control behavior under long pulses (limits delivered energy).
  • Disconnect FET rating: VDS rating, SOA, and thermal path (the FET becomes the energy gatekeeper).
  • Energy split: define which part absorbs energy (TVS vs limiter/FET) to prevent a single-point overstress.
  • Leakage + capacitance: keep off-state leakage and added capacitance acceptable for the instrument’s power entry behavior.
  • Failure mode: prefer controlled disconnect + record for instruments (serviceability over “silent damage”).
  • Placement intent: clamp near entry, control/isolator near bus boundary (keep the energy path short and defined).

Example part numbers (reference)

Surge stopper / OVP control: ADI LTC4366, ADI LTC4368
TVS examples: Vishay SMBJ series, Littelfuse SMBJ58A

D) Thermal (sensing, control-loop stability, derating curve)

  • Sensor type + accuracy: choose sensors that support stable thresholds (avoid drift-driven derate oscillation).
  • Response + placement: hotspot sensors for protection decisions; board/ambient sensors for smooth derating control.
  • Control stability: require hysteresis and minimum dwell time per derate state to prevent “temperature chatter”.
  • Derating configurability: multi-step ladder (Normal/Derate/Protect/Shutdown) with editable thresholds.
  • Fan control + protection: PWM channels, tach monitoring, stall detection, and safe response to fan failure.
  • Load shedding hooks: ability to disable non-critical rails when thermal limits are approached.
  • Telemetry for service: peak temperature, time since last derate, and “last thermal event” snapshot.
  • Shutdown is last line: OTP should be rare; frequent OTP indicates missing derate closure or poor thermal design.

Example part numbers (reference)

Temperature sensor: TI TMP117
Fan control: ADI MAX31790, ADI MAX6650, Microchip EMC2301

Selection decision tree for instrument power and protection Flowchart guiding selection from bus voltage and energy profile through hot-plug and telemetry needs, leading to PMIC or power-system management, eFuse vs hot-swap controller, surge stopper plus TVS, and thermal sensing plus fan/derating control. F11 · Selection decision tree (requirements → category) 1) Bus voltage 12V / 24V / 48V + headroom 2) Current + energy Imax + inrush + fault plateau 3) Hot-plug needed? isolation boundary required 4) Telemetry + logs? fault code + counters + snapshot Power management PMIC vs system manager sequencing + PG Typical choices Multi-rail PMIC Power system manager Hot-plug / isolation inrush + SOA + retry branch containment Category output Integrated eFuse Hot-swap ctrl + FET OVP / surge chain TVS + limiter + disconnect graded energy split Category output Surge stopper + FET TVS at entry Thermal strategy sensing + derating ladder fan control + protection Category output Temp sensor(s) Fan / derate controller Use requirements to land on a category first (PMIC/system manager, eFuse/hot-swap, surge/OVP, thermal), then apply the checklist criteria for procurement-ready selection.

Request a Quote

Accepted Formats

pdf, csv, xls, xlsx, zip

Attachment

Drag & drop files here or use the button below.

H2-12 · FAQs (Instrument Power & Protection)

These FAQs focus on multi-rail power sequencing, hot-plug protection, coordinated transient protection, thermal derating, serviceable telemetry, and production-ready validation—without drifting into signal-chain specifics or EMC shielding topics.

1) Why can multi-rail PMIC sequencing cause “sporadic boot failures”?
Sporadic failures often come from timing races: one rail reaches its threshold while another is still settling, PG deglitch windows are too short, or inrush-induced droop shifts rise times across temperature and load. Log rail ramp times and PG states, then add deterministic dependencies (delays, stable PG qualification, and clear rollback) to remove ambiguity.
2) Should PG gate reset, or be used only for monitoring?
Gate reset when running without valid rails is unacceptable (hard dependencies), and qualify PG with deglitch + hysteresis to avoid reset storms. Use PG as monitoring when graceful degradation is allowed (keep the system alive, reduce load, and record the event). A practical split is “power-valid for reset gating” and “power-good for health reporting and service logs.”
3) Why is current limiting not the same as safety? What does SOA protect?
Current limiting constrains I, but a hot-swap FET can still dissipate excessive power (P = V × I) for too long and fail thermally. SOA protection enforces a time-and-energy boundary, not just a current boundary. Prefer power limiting, foldback, or timers that force a controlled shutdown/retry. Validate against worst-case bus voltage, short-circuit duration, and cooling conditions.
4) For inrush, is it better to control the peak or the ramp slope?
Slope control (dv/dt) improves repeatability and reduces connector stress, while peak limiting protects upstream supplies from brownout during charging and downstream startup. Instrument platforms are usually most stable with both: a programmed ramp plus a peak clamp. Choose targets from allowed bus droop, source impedance, and PG timeout limits, then verify with hot-plug and cold-start tests.
5) Hiccup retry vs latch-off: which is better for instruments?
Hiccup retry suits non-critical branches where continuity matters and faults are likely transient, but it must include cooldown and a retry counter to avoid thermal accumulation. Latch-off suits safety- or integrity-critical rails where repeated stress or hidden damage must be prevented. A common pattern is “retry N times, then latch,” while recording fault_type, duration, retry_count, and action_taken.
6) Can foldback OCP cause reboot loops? How can it be prevented?
Yes. Foldback reduces voltage under load, which can pull the system below UV thresholds, trigger resets, then repeat the start attempt. Prevent loops by coordinating foldback with PG/reset logic, adding start-up windows (soft-start or higher start-current limit), and applying deglitched UVLO with hysteresis. If stability cannot be reached, prefer a clean disconnect + timed retry rather than repeated half-boots.
7) For OVP, when is TVS clamping better than disconnecting the load?
TVS clamping is best for very fast, short spikes where the primary need is immediate voltage limiting. Disconnect or surge-stopping is better for sustained overvoltage or high-energy events that would overheat the TVS and stress downstream converters. Instrument power entries often favor “disconnect + record” to avoid silent damage and measurement integrity drift. Use pulse width/energy as the boundary, not only peak voltage.
8) What are the practical damage differences between ESD, EFT, and surge?
ESD is extremely fast with very high peak voltage, often causing localized junction breakdown. EFT is a burst of fast transients that frequently triggers logic upset, resets, and repeated nuisance faults. Surge is slower but far higher energy, causing thermal overstress and sustained overvoltage damage. Practical coordination is: fast clamp for ESD, energy-limited control/disconnect for surge, and robust power-valid qualification to ride through EFT-induced disturbances.
9) Why can “TVS closest to the connector” still be insufficient? How should coordination be done?
Lead inductance and layout impedance can raise the voltage seen at the protected internal bus above the TVS clamp level, and long-energy events can overheat the TVS even if it clamps quickly. Coordination should be staged: TVS at entry for fast clamping, a limiter/series impedance to shape current, and a controlled disconnect or surge-stopper to handle long pulses. Validate by measuring the internal bus node, not only the connector.
10) Thermal thresholds: too low causes nuisance trips, too high risks damage—how should they be set?
Use a derating ladder rather than a single cliff: Normal → Derate → Protect → Shutdown. Set limits from component junction temperature margins, sensor-to-hotspot offsets, and worst-case airflow, then add hysteresis and minimum dwell time to avoid oscillation. Derate should engage early enough that OTP is rare; frequent OTP indicates missing thermal closure. Validate with sustained high-load and elevated ambient tests while monitoring peak temperatures.
11) Which telemetry fields are most valuable for making faults reproducible?
Start with a minimal six-field record: rail_id, fault_type, threshold, value, duration, and action_taken. Add retry_count and peak_temp to distinguish transient glitches from accumulating thermal stress. Capture PG/enables at the moment of failure to show dependency chains, and store the active thresholds to separate calibration/setting errors from real excursions. This data makes “why it tripped” and “how to reproduce it” straightforward.
12) How can production quickly validate protection thresholds without endless test items?
Use a small set of high-coverage checks: verify rail voltages and PG thresholds, spot-check key trip points (OCP/OVP/OTP) using controlled stimuli, confirm startup/inrush behavior stays within limits, and ensure the event-log snapshot is readable. Define clear go/no-go windows, and move long-duration stress tests to sample-based audits per lot. Production should confirm consistency; R&D should prove margins.
FAQ coverage map for Instrument Power & Protection Block map grouping the 12 FAQs into sequencing/PG, eFuse and inrush/SOA, protection and OVP coordination, transient differences, thermal derating, telemetry, and production validation. F12 · FAQ coverage map (12 questions → page intents) Sequencing & PG Q1 · Q2 · Q6 eFuse / Hot-swap Inrush · SOA · Retry Q3 · Q4 · Q5 OVP & Coordination Clamp vs Disconnect Q7 · Q9 Transient Types ESD · EFT · Surge Q8 Thermal Derating Thresholds + Stability Q10 Telemetry & Production Reproducibility + Fast checks Q11 · Q12 The FAQ set is intentionally scoped to power quality, protection actions, coordination, thermal derating, telemetry, and validation—without drifting into shielding or protocol deep dives.
icnavigator

ICNavigator helps engineers find verified ICs, alternatives, and fast quotes.

Explore
Categories
  • Power Management
  • MCU
  • Automotive ICs
  • Sensors
  • Interface & Transceivers
  • Analog Front-End
Get in Touch
  • Email: hello@icnavigator.com
  • WeChat/WhatsApp: +86-xxxx

© 2025 ICNavigator. All rights reserved.