
AOCS / Propulsion Control Electronics: Drivers, AFEs, Safety


Propulsion control electronics is a proof-driven chain: commands are gated by fail-safe ARM/FIRE interlocks, energy delivery to valves/igniters is controlled and evidenced by I/V signatures, and pressure/temperature sensing plus voting logic determines when the system must return to SAFE. The design goal is not only to actuate, but to make every actuation and fault decision measurable, auditable, and robust against harness transients and reset events.

Scope + ownership (no cross-topic)

H2-1 · What this page covers (and what it doesn’t)

One-sentence definition: propulsion control electronics is the verifiable execution chain Command → ARM/INHIBIT → Driver → Actuator (valve/igniter) → Sensing → Fault logic → SAFE state. The engineering goal is not just “to actuate”, but to prove correct energy delivery, trustworthy measurements, and deterministic transition to SAFE under faults.

Scope Guard — Allowed

  • Valve drivers (on/off, latching, proportional), peak-and-hold, flyback/clamp strategies
  • Igniter/squib drivers, one-shot safety, continuity test with safe stimulus
  • Pressure/temperature AFE chains: excitation, filtering, ADC, diagnostics
  • Fault voting (1oo2 / 2oo3), fault classes (recoverable vs latched), SAFE behavior
  • Safety interlocks: hardware inhibits, sequencing, watchdog/RESET default SAFE
  • Verification logic: fault-injection matrix, pass criteria tied to evidence signals

Scope Guard — Banned

  • Satellite bus power architecture (28–50 V front-end), general PoL/PMBus pages
  • TT&C, SpaceWire/SpaceFibre network design, storage/interconnect topics
  • AOCS navigation/estimation/control algorithms (GN&C filters, guidance laws)
  • SADA motor drives, radar/EW, aircraft DO-160 power topics
  • Crypto/anti-tamper deep dive (only interface-level constraints if needed)

Page ownership contract (what must be answered here)

  • Energy Delivery: how valve/igniter drive waveforms are shaped, protected, and evidenced (I/V, pulse width, clamp energy, one-shot latch).
  • Measurement Credibility: how pressure/temperature chains remain trustworthy (excitation stability, drift budget, open/short/stuck detection, plausibility windows).
  • Safety Proof: how ARM/INHIBIT, voting, and SAFE behave under reset, watchdog, noise, harness faults, and command errors.
Practical rule: any actuator event must leave a digital evidence trail (timestamps + I/V + continuity status + P/T plausibility + fault flags), so that “correct actuation” is testable and reviewable.
Figure F1 — Propulsion control electronics overview (execution + evidence + SAFE)
[Figure: execution chain Command → ARM/INHIBIT → Drivers → Actuators → Sensing → Voting → SAFE + Telemetry. Blocks: Command Controller; ARM / INHIBIT Chain; Valve Driver (Peak & Hold / PWM / Clamp); Igniter / Squib Driver (One-shot + Continuity Test); Actuators (Valves / Thrusters / Igniters); Pressure AFE (Excitation + ADC + Diagnostics); Temperature AFE (RTD/NTC + Linearization); Fault Voting (1oo2 / 2oo3); Interlocks; SAFE (Latched output OFF, Inhibit asserted); Telemetry. Blue = gating / safety-critical boundary.]
SAFE → ARMED → FIRE (deterministic, evidence-driven)

H2-2 · System interfaces & operating states (SAFE → ARMED → FIRE)

This section turns the propulsion execution chain into a reviewable contract: what must be true before entering FIRE, what evidence must be captured during FIRE, and what always forces SAFE. The central design theme is two independent barriers (hardware inhibit + software permit) plus time-bounded actuation (no indefinite “enable”).

Interfaces, organized by evidence (not by signal names)

Each evidence class is listed with what it proves, the typical signals / fields that carry it, and the failure modes it catches.

  • Command evidence
    What it proves: only valid, authorized commands can arm/fire, and repeats are rejected.
    Typical signals / fields: CRC or sequence counter, dual-channel agreement, arming window timer, one-shot token (anti-repeat).
    Failure modes caught: bit flips, stale command replay, single-channel stuck-high, malformed packets.
    Caveat: a CRC only detects corruption. Rejecting a replayed command rests on the sequence counter and the single-use token; rejecting a forged command rests on the authenticated command link upstream of this electronics (out of scope here).
  • Inhibit evidence
    What it proves: the hardware barrier is asserted by default and can be read back.
    Typical signals / fields: INHIBIT pin state + readback, power-on SAFE flag, watchdog/reset cause → forced SAFE.
    Failure modes caught: boot glitches, brownout resets, software hang, unintended GPIO reconfiguration.
  • Energy evidence
    What it proves: actuation energy was delivered in a controlled, time-bounded way.
    Typical signals / fields: driver current/voltage samples, pulse width, peak/hold setpoints, clamp status, post-fire latch.
    Failure modes caught: short/open harness, clamp failure, current-sense fault, overdrive causing thermal runaway.
  • Plant response evidence
    What it proves: the pressure/temperature response is plausible for the commanded event.
    Typical signals / fields: P/T plausibility window, rate-of-change limits, stuck-at detection, sensor open/short flags.
    Failure modes caught: stuck sensor, excitation collapse, intermittent wiring, a false "success" with no physical response.
  • Safety outcome
    What it proves: any safety breach leads to deterministic SAFE, typically latched.
    Typical signals / fields: latched fault output, SAFE state bit, inhibit asserted, re-arm disallowed until an explicit clear.
    Failure modes caught: transient spikes, noisy harness, partial resets, logic races during state transitions.
Design intent: “ARMED” must be time-limited. “FIRE” must be a pulse (or controlled profile), never an unbounded enable. Any uncertain condition should bias toward SAFE with clear evidence logging.

SAFE (default after power-on / reset)

  • Entry: power-on, watchdog/reset, inhibit asserted, latched fault, arming timeout.
  • Allowed: sensor self-check; continuity test using strictly limited stimulus; telemetry/reporting.
  • Forbidden: any energy switch closure that could actuate valves/igniters.
  • Exit: explicit arm sequence with valid authorization and healthy inhibit/readback.

ARMED (prepared but cannot “free-run”)

  • Entry: HW enable present + SW permit valid + time window started.
  • Allowed: pre-fire checks (continuity within limits, P/T plausibility baseline); ready-to-fire flag.
  • Required: arming timeout; any anomaly or timeout → SAFE (often latched).
  • Exit: FIRE pulse issued within window, otherwise fall back to SAFE.

FIRE (time-bounded, evidence captured)

  • Entry: FIRE command + one-shot token + inhibit chain in “allow” state.
  • Action: deliver controlled energy (peak/hold or one-shot) with current/voltage evidence sampling.
  • Abort: overcurrent/overtemp, clamp anomaly, sense failure, command mismatch → immediate off → SAFE.
  • Exit: pulse complete → POST-FIRE (lockout / diagnostics) or SAFE if any uncertainty.

POST-FIRE (lockout + verification)

  • Purpose: prevent re-trigger; freeze evidence; evaluate plausibility response window.
  • Checks: energy evidence complete; P/T response plausible; fault flags classified (recoverable vs latched).
  • Outcome: success reported with evidence; failure forces SAFE with latched inhibit as required.
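The four states above, written out as an added example in C (this is not code from the page or from any project it describes). One tick function applies the priority ladder (reset, latched fault, driver fault, hardware inhibit) before it looks at the software state; a single-use token is consumed on FIRE so a replayed FIRE command can never match again; ARMED, FIRE and POST-FIRE are all time-bounded. All names, the 2 s / 50 ms / 1 s timing constants and the input and output fields are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

typedef enum { ST_SAFE = 0, ST_ARMED, ST_FIRE, ST_POSTFIRE } pc_state_t;
enum { CAUSE_NONE = 0, CAUSE_RESET, CAUSE_HW_INHIBIT, CAUSE_DRIVER_FAULT,
       CAUSE_ARM_TIMEOUT, CAUSE_BAD_TOKEN, CAUSE_LOCKOUT_DONE };

/* Assumed timing constants (illustrative, not from the page). */
#define ARM_WINDOW_MS  2000u  /* ARMED expires after this without a FIRE */
#define FIRE_PULSE_MS    50u  /* FIRE is a bounded pulse, never an open-ended enable */
#define LOCKOUT_MS     1000u  /* POST-FIRE lockout before SAFE is re-entered */

typedef struct {
    pc_state_t state;
    bool     latched_fault;   /* held until pc_clear_latch(), a maintenance action */
    bool     fire_enable;     /* the only output allowed to close the energy switch */
    uint32_t arm_deadline_ms, fire_end_ms, lockout_end_ms;
    uint32_t expected_token;  /* single-use token the next FIRE must carry */
    uint32_t last_cause;      /* why SAFE was last entered (evidence record) */
} pc_ctx_t;

typedef struct {
    uint32_t now_ms;
    bool hw_inhibit;          /* readback of the hardware inhibit line (true = blocked) */
    bool reset_event;         /* WDT / brownout / power-on since the last tick */
    bool driver_fault;        /* over-current, clamp or current-sense anomaly */
    bool cmd_arm, cmd_fire;   /* integrity-checked commands present on this tick */
    uint32_t cmd_token;       /* one-shot token carried by the FIRE command */
} pc_in_t;

static void go_safe(pc_ctx_t *c, uint32_t cause, bool latch) {
    c->state = ST_SAFE; c->fire_enable = false; c->last_cause = cause;
    if (latch) c->latched_fault = true;
}

void pc_init(pc_ctx_t *c, uint32_t first_token) {
    pc_ctx_t z = { ST_SAFE, false, false, 0, 0, 0, first_token, CAUSE_RESET };
    *c = z;
}

/* A latch may only be cleared from SAFE with the hardware inhibit asserted,
 * so clearing can never drop the system straight into an armed state. */
bool pc_clear_latch(pc_ctx_t *c, bool hw_inhibit) {
    if (c->state != ST_SAFE || !hw_inhibit) return false;
    c->latched_fault = false;
    return true;
}

/* One control tick. fire_enable is true only inside the FIRE pulse. */
pc_state_t pc_step(pc_ctx_t *c, const pc_in_t *in) {
    /* Priority ladder: each rung wins over everything below it. */
    if (in->reset_event)  { go_safe(c, CAUSE_RESET, c->latched_fault); return c->state; }
    if (c->latched_fault) { go_safe(c, c->last_cause, true);          return c->state; }
    if (in->driver_fault) { go_safe(c, CAUSE_DRIVER_FAULT, true);     return c->state; }
    if (in->hw_inhibit && c->state != ST_SAFE) { go_safe(c, CAUSE_HW_INHIBIT, true); return c->state; }

    switch (c->state) {
    case ST_SAFE:     /* only exit: explicit ARM while the hardware barrier reads released */
        if (in->cmd_arm && !in->hw_inhibit) { c->state = ST_ARMED; c->arm_deadline_ms = in->now_ms + ARM_WINDOW_MS; }
        break;
    case ST_ARMED:    /* time-limited; FIRE must carry the expected single-use token */
        if (in->now_ms >= c->arm_deadline_ms) { go_safe(c, CAUSE_ARM_TIMEOUT, false); break; }
        if (in->cmd_fire) {
            if (in->cmd_token != c->expected_token) { go_safe(c, CAUSE_BAD_TOKEN, true); break; }
            c->expected_token++;          /* consumed: a replayed FIRE can never match again */
            c->state = ST_FIRE; c->fire_enable = true; c->fire_end_ms = in->now_ms + FIRE_PULSE_MS;
        }
        break;
    case ST_FIRE:     /* commands are ignored; the pulse ends on time or on a fault */
        if (in->now_ms >= c->fire_end_ms) { c->fire_enable = false; c->state = ST_POSTFIRE; c->lockout_end_ms = in->now_ms + LOCKOUT_MS; }
        break;
    case ST_POSTFIRE: /* lockout: ARM is ignored until it expires */
        if (in->now_ms >= c->lockout_end_ms) go_safe(c, CAUSE_LOCKOUT_DONE, false);
        break;
    }
    return c->state;
}

/* Scripted check: arm, fire, lockout, then replay the consumed token.
 * Returns 0 when every step behaves as required, else the failing step number. */
int pc_replay_scenario(void) {
    pc_ctx_t c; pc_in_t in = {0};
    pc_init(&c, 100);
    in.now_ms = 0;    in.cmd_arm = true;
    if (pc_step(&c, &in) != ST_ARMED) return 1;
    in.cmd_arm = false; in.now_ms = 10; in.cmd_fire = true; in.cmd_token = 100;
    if (pc_step(&c, &in) != ST_FIRE || !c.fire_enable) return 2;
    in.now_ms = 20;                            /* same FIRE repeated inside the pulse: ignored */
    if (pc_step(&c, &in) != ST_FIRE) return 3;
    in.cmd_fire = false; in.now_ms = 60;
    if (pc_step(&c, &in) != ST_POSTFIRE || c.fire_enable) return 4;
    in.now_ms = 500;  in.cmd_arm = true;       /* ARM during lockout: ignored */
    if (pc_step(&c, &in) != ST_POSTFIRE) return 5;
    in.now_ms = 1100; in.cmd_arm = false;
    if (pc_step(&c, &in) != ST_SAFE) return 6;
    in.now_ms = 1200; in.cmd_arm = true;
    if (pc_step(&c, &in) != ST_ARMED) return 7;
    in.cmd_arm = false; in.now_ms = 1210; in.cmd_fire = true; in.cmd_token = 100; /* replay */
    if (pc_step(&c, &in) != ST_SAFE || !c.latched_fault || c.last_cause != CAUSE_BAD_TOKEN) return 8;
    in.cmd_fire = false; in.now_ms = 1300; in.cmd_arm = true;  /* latched: no re-arm */
    if (pc_step(&c, &in) != ST_SAFE || c.fire_enable) return 9;
    return 0;
}
```

pc_replay_scenario() scripts the arm → fire → lockout → replay sequence and returns the first step that misbehaves, which is the shape a fault-injection test of this chain takes. In a real controller the ladder inputs come from hardware readbacks rather than a struct, and latched_fault would live in a register or non-volatile cell that survives a software reset; the ladder order itself (reset and latch before any command is looked at) is the part worth keeping.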
Figure F2 — ARM/INHIBIT + FIRE gating state machine (with priority ladder)
[Figure: SAFE (outputs OFF, INHIBIT asserted) → ARMED (window active, pre-checks only, timeout → SAFE) → FIRE (pulse / profile, capture I/V) → POST-FIRE (lockout + verify P/T plausibility); transitions: HW+SW OK, one-shot, pulse done, fault / timeout → SAFE. Priority ladder (highest wins): latched fault → FORCE SAFE; hardware INHIBIT → blocks FIRE; software PERMIT (window + token). Notes: "ARMED" is time-limited; "FIRE" is a pulse/profile; uncertainty biases toward SAFE.]
Valve drivers: waveform, clamp, evidence

H2-3 · Valve driver architectures (on/off, latch, proportional)

Valve drivers in propulsion systems are not interchangeable “power switches”. The driver architecture defines actuation time, thermal load, release behavior, and whether the event can be proven with current/voltage evidence. The key design object is the coil current profile—especially how it rises (pull-in), holds (steady state), and decays (release) under a chosen flyback/clamp strategy.

1) On/Off solenoid (Peak-and-Hold)

  • Pull-in peak: a higher current is applied briefly to overcome stiction and achieve fast seating within a defined time window.
  • Hold current: reduced to limit I²R heating while maintaining force margin against vibration and pressure.
  • Release: controlled by the flyback path; slower decay increases release delay but reduces electrical stress.
  • Evidence: peak level, peak duration, hold level, and decay signature should be recorded for fault diagnosis.

2) Latching valve (Bipolar pulse, often H-bridge)

  • State change by pulse: a timed pulse sets the magnetic state; power can be removed afterward.
  • Direction matters: forward vs reverse pulse determines SET/RESET; mis-pulsing can flip the valve.
  • Safety focus: hard interlocks, one-shot tokens, and lockout prevent unintended second pulses.
  • Evidence: pulse polarity, width, and current ramp provide “actuation proof” without relying on sensors alone.

3) Proportional valve (Closed-loop current control)

  • Current = force/flow control: PWM is only a method; the requirement is a stable current setpoint across supply/harness variation.
  • Sense + compensation: current sensing and loop compensation keep control stable and repeatable.
  • Disturbance rejection: line resistance changes, connector aging, and supply dips must not create uncontrolled valve motion.
  • Evidence: setpoint tracking error and saturation flags are essential for FDIR and voting inputs.

Coil physics that must be accounted for

  • Inductance shapes rise time: the current ramp (di/dt) is limited by coil L and applied voltage.
  • Resistance drives heating: hold current dominates thermal load; drift can shift thresholds and timing.
  • Release is clamp-dependent: the flyback strategy defines how quickly energy leaves the coil and how fast the valve can close.

Flyback / clamp choices (release speed vs stress vs diagnosability)

Each flyback / clamp path is listed with its release behavior, its electrical stress and EMI, and why it matters for evidence and faults.

  • Diode freewheel
    Release behavior: slow decay → slower release (longer tail).
    Electrical stress & EMI: lowest voltage stress; typically lowest radiated noise.
    Evidence & faults: smooth waveforms, good for detecting gradual harness-resistance change; the release delay can reduce timing margin.
  • Synchronous freewheel
    Release behavior: controlled decay; can be tuned for speed vs efficiency.
    Electrical stress & EMI: lower loss; the switching pattern can introduce EMI if uncontrolled.
    Evidence & faults: repeatable decay signatures, useful for fault classification while keeping stress manageable.
  • TVS / active clamp
    Release behavior: fast decay → faster release.
    Electrical stress & EMI: higher voltage stress; potentially sharper EMI edges.
    Evidence & faults: improves release timing but requires robust protection; clamp engagement itself becomes a key evidence signal.
Practical rule: select the clamp strategy based on the required release time window and allowable stress/EMI, then shape the peak/hold profile to meet actuation timing while preserving diagnostic evidence quality.
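To make the release-time / stress trade concrete, here is an added example in C (not code from the page): a small Euler simulation of the same low-side driver core with a hysteretic peak-and-hold regulator, run against three clamp voltages. The evidence struct carries the fields the section says an actuation should leave behind (peak level and time to reach it, hold level, release time). The coil (10 mH, 20 Ω), the 28 V supply, the 1 A / 0.3 A profile, the 0.7 V diode vs 33 V TVS clamp values and the 50 mA release threshold are all assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed coil/driver model (assumed values, not from the page). */
typedef struct {
    double L_h, R_ohm, Vsup, Vclamp;           /* coil L and R (harness included), supply, clamp voltage */
    double i_peak, t_peak_s, i_hold, t_hold_s; /* commanded peak-and-hold profile */
} coil_cfg_t;

typedef struct {
    double i_max;         /* highest current seen during the drive phase (A) */
    double t_pull_in_s;   /* time to first reach the peak setpoint, -1 if never */
    double i_hold_mean;   /* mean current over the hold phase (A) */
    double t_release_s;   /* switch-off to current below I_DROP, -1 if never */
    bool   peak_reached;
} coil_evidence_t;

#define DT_S    1e-6   /* simulation step */
#define I_DROP  0.05   /* current below which the valve is taken as released (assumed) */
#define HYST    0.02   /* hysteretic current regulator band (A) */

coil_cfg_t nominal_cfg(double vclamp) {
    coil_cfg_t c = { 10e-3, 20.0, 28.0, vclamp, 1.0, 2e-3, 0.3, 5e-3 };
    return c;
}

/* While the switch is off, coil current decays against i*R + Vclamp:
 * a diode (~0.7 V) gives a long tail, a TVS (tens of volts) a short one. */
coil_evidence_t simulate_peak_hold(const coil_cfg_t *c) {
    coil_evidence_t ev = { 0.0, -1.0, 0.0, -1.0, false };
    double i = 0.0, t = 0.0, hold_sum = 0.0;
    long hold_n = 0;
    bool sw_on = true;
    const double t_end = c->t_peak_s + c->t_hold_s;

    while (t < t_end) {                          /* drive phase: peak, then hold */
        double target = (t < c->t_peak_s) ? c->i_peak : c->i_hold;
        if (i >= target + HYST) sw_on = false;   /* bang-bang regulation around the setpoint */
        else if (i <= target - HYST) sw_on = true;
        double v_coil = sw_on ? (c->Vsup - i * c->R_ohm) : -(i * c->R_ohm + c->Vclamp);
        i += (v_coil / c->L_h) * DT_S;
        if (i < 0.0) i = 0.0;                    /* the freewheel path blocks reverse current */
        t += DT_S;
        if (i > ev.i_max) ev.i_max = i;
        if (!ev.peak_reached && i >= c->i_peak - HYST) { ev.peak_reached = true; ev.t_pull_in_s = t; }
        if (t >= c->t_peak_s) { hold_sum += i; hold_n++; }
    }
    if (hold_n) ev.i_hold_mean = hold_sum / hold_n;

    double t_rel = 0.0;                          /* release: switch stays off, energy exits via the clamp */
    while (i >= I_DROP && t_rel < 0.05) {
        i += (-(i * c->R_ohm + c->Vclamp) / c->L_h) * DT_S;
        t_rel += DT_S;
    }
    if (i < I_DROP) ev.t_release_s = t_rel;
    return ev;
}

int main(void) {
    const double clamps[3] = { 0.7, 5.0, 33.0 };   /* diode, modest active clamp, TVS */
    for (int k = 0; k < 3; k++) {
        coil_cfg_t c = nominal_cfg(clamps[k]);
        coil_evidence_t e = simulate_peak_hold(&c);
        printf("Vclamp=%5.1f V  peak=%.2f A (reached=%d at %.3f ms)  hold=%.2f A  release=%.3f ms\n",
               clamps[k], e.i_max, e.peak_reached, e.t_pull_in_s * 1e3, e.i_hold_mean, e.t_release_s * 1e3);
    }
    coil_cfg_t hr = nominal_cfg(0.7); hr.R_ohm = 45.0;   /* degraded connector: +25 ohm in series */
    coil_evidence_t eh = simulate_peak_hold(&hr);
    printf("high-resistance harness: peak=%.2f A reached=%d\n", eh.i_max, eh.peak_reached);
    return 0;
}
```

With these values the TVS path releases roughly ten times faster than the diode path, at the price of the clamp voltage appearing across the switch every cycle. The high-resistance run shows why peak_reached is worth logging as its own flag: the supply can no longer push the coil to the pull-in setpoint, the hold setpoint is still reached, and only the peak evidence reveals the marginal harness.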
Figure F3 — Peak-and-hold current profile + flyback paths (diode vs sync vs TVS clamp)
[Figure: common driver core (PWM / gate → MOSFET low-side switch → Rsense current evidence → coil, whose L + R defines di/dt) with one of three flyback paths: diode freewheel, synchronous freewheel, TVS / active clamp. Coil current vs time: PEAK, HOLD, RELEASE; release tail diode: slow, sync: medium, TVS: fast. Evidence: I/V + clamp status.]
Igniter / squib: evidence, continuity, one-shot

H2-4 · Igniter / squib drivers (energy delivery, continuity, one-shot safety)

Igniter (pyro/squib) actuation is a high-consequence event. The driver must enforce two independent barriers (hardware inhibit + software permit), deliver a time-bounded firing pulse, and produce an evidence record that proves energy delivery. Continuity checks are required for health monitoring, but they must be structured so that no valid failure mode can accidentally cross the firing boundary.

Energy delivery as a verifiable contract

  • Pulse definition: minimum pulse width and controlled amplitude (constant-current or bounded power) within a defined FIRE window.
  • Evidence capture: sample current and voltage during the pulse; record peak, duration, and completion flags with timestamps.
  • Completion rule: if I/V evidence is incomplete or inconsistent, classify as fault and force SAFE (often latched).

Continuity test without inadvertent firing

  • Amplitude limit: use a strictly limited stimulus (micro-current or short diagnostic pulse) far below firing energy.
  • Time limit: perform tests only in SAFE/ARMED pre-check windows—never during FIRE enable windows.
  • Gating limit: keep diagnostic and firing paths independently gated; require both barriers to be true before any high-energy switch can close.
  • False results: harness capacitance, intermittent connectors, and sampling bandwidth limits can mimic open/short—log confidence flags.

One-shot safety and lockout

  • One-shot token: a unique, single-use authorization prevents re-triggering from repeated or replayed commands.
  • Post-fire latch: lock out further firing until an explicit, controlled reset/maintenance procedure is satisfied.
  • Fail-safe bias: any reset, watchdog event, or inhibit ambiguity forces SAFE and retains lockout state.

Protection & harness fault coverage

  • Open/short: detect with continuity + firing I/V signatures; abort on abnormal ramp or clamp events.
  • Mis-power / ESD: ensure default inhibit, robust input filtering on arm/fire controls, and clear reset-domain separation.
  • Post-event integrity: record “fired” state, evidence summary, and whether P/T plausibility aligned with the event window.
Minimum requirement for “fired”: a recorded, time-bounded pulse plus I/V evidence. Sensor response is supportive evidence, but the firing decision should not depend on sensors alone.
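The "fired" rule and the continuity-test limits above, as an added example in C (not code from the page): validate_fire_evidence() accepts a firing event only when the sampled pulse, its I/V evidence and the post-fire latch are mutually consistent, and continuity_test_allowed() enforces the amplitude, time and gating limits on the diagnostic stimulus. The firing contract (5 A to 12 A, 3 ms minimum, 20 ms maximum, no sampling gap over 1 ms), the 1 A no-fire rating, the 50 mA / 10 ms stimulus ceiling and the 0.8 to 1.2 Ω bridgewire window are assumptions chosen for the example, as is build_pulse(), which only constructs sample records.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

typedef struct { uint32_t t_us; double i_a; double v_v; } iv_sample_t;

/* Assumed firing contract (illustrative numbers, not from the page). */
typedef struct {
    double   i_min_fire;   /* current that counts as "firing energy delivered" */
    double   i_max_fire;   /* above this the path is shorted or overdriven */
    uint32_t pw_min_us;    /* minimum time the current must stay above i_min_fire */
    uint32_t pw_max_us;    /* longer than this is an unbounded enable, not a pulse */
    uint32_t max_gap_us;   /* largest tolerated hole in the evidence samples */
} fire_spec_t;

typedef enum { FIRE_OK = 0, FIRE_EVIDENCE_INCOMPLETE, FIRE_UNDERCURRENT, FIRE_OVERCURRENT,
               FIRE_PULSE_TOO_SHORT, FIRE_PULSE_TOO_LONG, FIRE_LATCH_MISMATCH } fire_verdict_t;

/* "Fired" is accepted only when pulse, I/V evidence and post-fire latch agree;
 * anything else is reported as a fault for the FDIR layer, never as success. */
fire_verdict_t validate_fire_evidence(const fire_spec_t *s, const iv_sample_t *smp, size_t n,
                                      bool post_fire_latch_set) {
    if (n < 3) return FIRE_EVIDENCE_INCOMPLETE;
    bool seen_hi = false;
    uint32_t t_first_hi = 0, t_last_hi = 0;
    for (size_t k = 0; k < n; k++) {
        if (k > 0 && smp[k].t_us - smp[k - 1].t_us > s->max_gap_us) return FIRE_EVIDENCE_INCOMPLETE;
        if (smp[k].i_a > s->i_max_fire) return FIRE_OVERCURRENT;
        if (smp[k].i_a >= s->i_min_fire) {
            if (!seen_hi) { t_first_hi = smp[k].t_us; seen_hi = true; }
            t_last_hi = smp[k].t_us;
        }
    }
    if (!seen_hi) return FIRE_UNDERCURRENT;
    uint32_t pw = t_last_hi - t_first_hi;
    if (pw < s->pw_min_us) return FIRE_PULSE_TOO_SHORT;
    if (pw > s->pw_max_us) return FIRE_PULSE_TOO_LONG;
    if (!post_fire_latch_set) return FIRE_LATCH_MISMATCH;  /* energy went out but lockout is not set */
    return FIRE_OK;
}

typedef enum { PC_SAFE = 0, PC_ARMED, PC_FIRE, PC_POSTFIRE } pc_state_t;

/* Assumed diagnostic limits: stimulus far below the initiator no-fire level. */
#define NO_FIRE_CURRENT_A  1.0                          /* assumed no-fire rating */
#define CONT_I_MAX_A      (NO_FIRE_CURRENT_A / 20.0)    /* 50 mA stimulus ceiling */
#define CONT_T_MAX_US      10000u                       /* stimulus flows for at most 10 ms */

/* Continuity may be tested only in SAFE/ARMED pre-check windows, with a limited
 * stimulus, and only while the firing switch verifiably reads as blocked. */
bool continuity_test_allowed(pc_state_t st, bool fire_switch_blocked_readback,
                             double i_stim_a, uint32_t t_stim_us) {
    if (st != PC_SAFE && st != PC_ARMED) return false;
    if (!fire_switch_blocked_readback) return false;
    if (i_stim_a <= 0.0 || i_stim_a > CONT_I_MAX_A) return false;
    if (t_stim_us == 0 || t_stim_us > CONT_T_MAX_US) return false;
    return true;
}

typedef enum { CONT_OK = 0, CONT_OPEN, CONT_SHORT } cont_result_t;

/* Classify the bridgewire from the diagnostic reading r = v / i.
 * Window assumed 0.8..1.2 ohm; a missing current path reads as "open". */
cont_result_t continuity_classify(double r_ohm) {
    if (r_ohm > 1.2) return CONT_OPEN;
    if (r_ohm < 0.8) return CONT_SHORT;
    return CONT_OK;
}

/* Constructed evidence record: n samples step_us apart, i_a through r_ohm,
 * with the switch edges (zero current) as first and last sample. */
size_t build_pulse(iv_sample_t *buf, size_t n, uint32_t step_us, double i_a, double r_ohm) {
    for (size_t k = 0; k < n; k++) {
        buf[k].t_us = (uint32_t)k * step_us;
        buf[k].i_a  = (k == 0 || k == n - 1) ? 0.0 : i_a;
        buf[k].v_v  = buf[k].i_a * r_ohm;
    }
    return n;
}
```

The ordering inside validate_fire_evidence() is deliberate: a gap in the samples or an over-current sample rejects the record before any pulse width is computed, so a corrupted or partial capture can never be promoted to "fired" by a plausible-looking width. The latch check comes last because it is a consistency check between the energy evidence and the lockout state, not a property of the pulse itself.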
Figure F4 — One-shot igniter chain (two barriers + I/V evidence + post-fire latch)
[Figure: ARM key (authorized window) → dual inhibits (HW inhibit; SW permit + token) → energy switch (time-bounded pulse) → igniter (pyro / squib) → I/V sense (evidence during pulse) → evidence capture (peak + duration + timestamp) → post-fire latch (lockout + report). Continuity test (safe stimulus): limited amplitude, limited time, gated path. Two independent barriers: hardware inhibit + software permit (token + window); any ambiguity → SAFE + lockout retained. Verification anchor: a firing event is only valid when pulse + I/V evidence + latch state are consistent.]
Pressure AFE: excitation, filtering, ADC, diagnostics

H2-5 · Pressure AFE chain (excitation, filtering, ADC, diagnostics)

A propulsion pressure channel must be engineered as a traceable measurement chain: stable excitation → sensor transfer → front-end gain/noise control → anti-alias filtering → sampling strategy → digital calibration → a pressure value accompanied by credibility flags. The goal is not just “a number”, but a number that can be trusted by voting and safety interlocks.

Sensor electrical output types (electronics view)

  • Bridge / ratiometric sensors (mV/V): output scales with excitation; best paired with ratiometric ADC referencing.
  • Voltage-output sensors: treated as a signal source; more sensitive to supply/ground shifts across the harness.
  • Resistive elements: require explicit excitation and careful error handling for lead resistance and leakage.

Excitation strategy (voltage, current, ratiometric)

  • Constant-voltage excitation: simple and common for bridges; ensure drift is either rejected (ratiometric) or monitored.
  • Constant-current excitation: convenient for resistive sensors; watch self-heating and lead resistance sensitivity.
  • Ratiometric measurement: tie the sensor scale factor to the same reference used by the ADC so excitation drift cancels.
  • Minimum requirement: excitation health must be observable (monitor channel or ratiometric path), not assumed.

AFE gain/noise control (IA/PGA) + headroom

  • IA/PGA sets the noise floor: choose gain so the working range uses ADC input span without frequent clipping.
  • Headroom matters: fast valve events and line transients can push the front-end into saturation.
  • Recovery matters: long overload recovery can look like low-frequency drift and corrupt evidence windows.

Filtering and anti-aliasing (do not “erase” events)

  • Define bandwidth first: choose passband based on the fastest pressure dynamics that must be preserved.
  • Anti-alias filter: place the cutoff relative to sampling strategy so out-of-band noise cannot fold into the channel.
  • Group delay awareness: excessive filtering can shift event timing relative to command/driver evidence.

ADC choice boundary: ΣΔ vs SAR (resolution vs event capture)

  • ΣΔ ADC
    Strengths: high effective resolution at low bandwidth; strong digital filtering.
    Tradeoffs: the digital filter adds group delay; fast transients can be smoothed away.
    Better fit when: slow variables dominate and controlled latency is acceptable, e.g. stable pressure trending with low noise.
  • SAR ADC
    Strengths: deterministic sampling instant; better for transient capture and evidence windows aligned to driver events.
    Tradeoffs: needs stronger analog anti-alias filtering and careful front-end noise design.
    Better fit when: valve/igniter events must be captured as evidence, or pressure spikes must be detected without filter latency.
Credibility flags should include: excitation status, out-of-range, saturation, stuck code, and plausibility checks. These flags are inputs to later fault logic (do not hide them inside “calibration only” code paths).

Diagnostics (must be explicit, not implied)

  • Open/short detect: window comparators or code-limit logic for sensor nodes and AFE outputs.
  • Excitation drift monitor: a measured excitation channel or ratiometric reference ensures traceability.
  • Saturation & recovery: flag when front-end or ADC hits rails; track time-to-recover.
  • Stuck / frozen output: detect constant code, missing noise, or implausible zero-derivative segments.

Digital calibration (keep it transparent)

  • Offset/gain trim: apply in engineering units with audit-friendly coefficients.
  • Temperature compensation (if used): treat as an explicit model term and track validity range.
  • Quality output: publish Pressure plus QualityFlags (not pressure only).
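The "pressure plus QualityFlags" contract of this section, as an added example in C (not code from the page): one evaluation of the newest raw code in a window, producing an engineering value together with explicit open/short, saturation, excitation-drift, stuck-code, calibrated-range and rate-of-change flags. The 16-bit ratiometric channel, the 10 % / 90 % calibration points mapping to 0 and 50 bar, the 5 % / 95 % code windows, the ±2 % excitation budget and the 5 bar-per-sample plausibility limit are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Assumed 16-bit ratiometric channel and calibration (not from the page). */
#define ADC_FULL      65535u
#define CODE_ZERO     6553u    /* 10 % of span  ->  0 bar */
#define CODE_FS       58981u   /* 90 % of span  -> 50 bar */
#define P_FS_BAR      50.0
#define CODE_LOW_LIM  3277u    /* below 5 %: open input pulled low by the AFE (assumed wiring) */
#define CODE_HIGH_LIM 62258u   /* above 95 %: front-end / ADC saturation region */
#define EXC_NOMINAL   32768u   /* excitation monitor reading at nominal excitation */
#define EXC_TOL       655u     /* +/- 2 % excitation drift budget, in monitor counts */
#define DP_MAX_BAR    5.0      /* plausible change between consecutive samples (assumed) */

enum { PQ_OK = 0, PQ_OPEN_SHORT = 1, PQ_SATURATION = 2, PQ_STUCK = 4,
       PQ_EXC_DRIFT = 8, PQ_PLAUSIBILITY = 16, PQ_CAL_RANGE = 32 };

typedef struct { double p_bar; uint8_t q; } pressure_out_t;

static double code_to_bar(uint16_t code) {
    return ((double)code - CODE_ZERO) / (double)(CODE_FS - CODE_ZERO) * P_FS_BAR;
}

/* Evaluate the newest sample of a window of raw codes. The value is the
 * latest sample (no averaging, so event timing is preserved); the window
 * only feeds the stuck and plausibility checks. Flags are always published. */
pressure_out_t pressure_eval(const uint16_t *codes, size_t n, uint16_t exc_code) {
    pressure_out_t out = { 0.0, PQ_OK };
    if (n == 0) { out.q = PQ_OPEN_SHORT; return out; }   /* no data is not a credible zero */
    uint16_t c = codes[n - 1];
    out.p_bar = code_to_bar(c);

    if (c < CODE_LOW_LIM)  out.q |= PQ_OPEN_SHORT;
    if (c > CODE_HIGH_LIM) out.q |= PQ_SATURATION;
    if (c < CODE_ZERO || c > CODE_FS) out.q |= PQ_CAL_RANGE;   /* outside the calibrated span */

    uint32_t d = exc_code > EXC_NOMINAL ? exc_code - EXC_NOMINAL : EXC_NOMINAL - exc_code;
    if (d > EXC_TOL) out.q |= PQ_EXC_DRIFT;

    if (n >= 8) {                       /* frozen code: no noise at all across the window */
        bool all_same = true;
        for (size_t k = n - 8; k < n; k++) if (codes[k] != c) { all_same = false; break; }
        if (all_same) out.q |= PQ_STUCK;
    }
    if (n >= 2) {                       /* rate-of-change plausibility against the previous sample */
        double dp = out.p_bar - code_to_bar(codes[n - 2]);
        if (dp > DP_MAX_BAR || dp < -DP_MAX_BAR) out.q |= PQ_PLAUSIBILITY;
    }
    return out;
}

/* Voting and interlock consumers use this: only an unflagged value may steer a decision. */
bool pressure_credible(const pressure_out_t *o) { return o->q == PQ_OK; }
```

The value is still computed and published when flags are set, so the telemetry record shows what the channel saw; the flags, not the value, decide whether the voter may use it. Treating "no data" as a flagged result rather than 0 bar matters for the same reason: a missing sample must never look like a real low-pressure reading.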
Figure F5 — Pressure sensing chain (excitation → IA/PGA → filter → ADC → calibration → diagnostics flags)
[Figure: excitation (V or I) → pressure sensor (bridge / Vout) → IA / PGA (gain + CMRR) → anti-alias filter → ADC (ΣΔ / SAR) → digital calibration (offset + gain) → diagnostics (flags + plausibility) → pressure output (value + quality flags); an excitation monitor feeds a drift flag. Quality flags (examples): out-of-range · open/short · excitation drift · saturation · stuck code · plausibility.]
Temperature AFE: excitation, linearization, drift, hysteresis

H2-6 · Temperature AFE chain (RTD/NTC/diode, linearization, drift control)

A temperature channel is only useful when its error sources are explainable and its alarms are stable. The measurement pipeline should explicitly separate: sensor excitation → analog conversion → sampling → calibration/linearization → physical temperature → threshold logic with hysteresis → diagnostic outputs for interlocks.

RTD vs NTC vs diode (engineering boundary)

  • RTD: stable and near-linear; accuracy depends on excitation, lead resistance, and reference drift control.
  • NTC: high sensitivity but strongly non-linear; linearization strategy and reference stability dominate final error.
  • Diode-based sensing: convenient electrical interface; requires clear bias/reference assumptions and calibration validity ranges.

Excitation and lead resistance (keep it observable)

  • Current excitation: simple for RTD/NTC, but lead resistance adds error unless the wiring scheme cancels it (3-wire or 4-wire connection).
  • Self-heating: excitation level must avoid turning the sensor into a heater.
  • Leakage & bias: high impedance nodes can be pushed by leakage; diagnostic checks must detect implausible behavior.

Linearization pipeline (LUT / segmented model)

  • Raw code: ADC output in counts (or voltage/resistance) is not yet temperature.
  • Calibration: apply offset/gain and reference compensation before linearization.
  • Linearization: LUT or segmented approximation; include validity and out-of-range flags.

Drift budget and self-test

  • Error decomposition: sensor tolerance + excitation/reference drift + ADC error + layout leakage.
  • Open/short detect: code-window checks and stimulus sanity checks where appropriate.
  • Stuck detection: constant code, impossible slopes, or missing noise signatures.

Thresholds and hysteresis (stable alarms, no chatter)

  • Two-level thresholds: separate trip and reset thresholds to avoid oscillation near the boundary.
  • Debounce window: require persistence for a minimum time or N consecutive samples before asserting alarms.
  • Output contract: publish Temperature plus AlarmFlags and QualityFlags.
A robust temperature channel outputs both the value and its confidence. Hysteresis and debounce are part of measurement integrity, not “UI polish”.
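The pipeline of this section as an added example in C (not code from the page): 3-wire lead-resistance cancellation, segmented-LUT linearization that flags rather than silently clamps out-of-range resistance, and a trip/reset threshold with a persistence count. The LUT knots are the Pt100 resistances from the IEC 60751 polynomial R(T) = R0(1 + A T + B T²) with A = 3.9083e-3, B = -5.775e-7, R0 = 100 Ω, at 50 °C steps; the open/short limits, the 1 mW self-heating budget, the alarm levels and the persistence count are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Pt100 knots from the IEC 60751 polynomial at 0, 50, 100, 150, 200 degC. */
#define LUT_N 5
static const double lut_t_c[LUT_N]   = {   0.0,    50.0,    100.0,    150.0,    200.0 };
static const double lut_r_ohm[LUT_N] = { 100.000, 119.397, 138.506, 157.325, 175.856 };

enum { TQ_OK = 0, TQ_OPEN = 1, TQ_SHORT = 2, TQ_OUT_OF_LUT = 4, TQ_SELF_HEAT = 8 };

typedef struct { double t_c; uint8_t q; } temp_out_t;

/* 3-wire RTD: v_total spans sensor + both leads, v_lead spans one lead
 * (leads assumed equal), so the lead drop cancels before linearization. */
double rtd_ohms_3wire(double v_total, double v_lead, double i_exc) {
    return (v_total - 2.0 * v_lead) / i_exc;
}

/* Segmented linear interpolation over the LUT. Outside the calibrated
 * range the value is extrapolated but flagged, never silently clamped. */
temp_out_t rtd_linearize(double r_ohm, double i_exc) {
    temp_out_t out = { 0.0, TQ_OK };
    if (r_ohm > 400.0) { out.q |= TQ_OPEN;  return out; }   /* open lead (assumed limit) */
    if (r_ohm < 20.0)  { out.q |= TQ_SHORT; return out; }   /* shorted element (assumed limit) */
    if (i_exc * i_exc * r_ohm > 1e-3) out.q |= TQ_SELF_HEAT; /* > 1 mW dissipation (assumed budget) */
    if (r_ohm < lut_r_ohm[0] || r_ohm > lut_r_ohm[LUT_N - 1]) out.q |= TQ_OUT_OF_LUT;
    int k = 0;
    while (k < LUT_N - 2 && r_ohm > lut_r_ohm[k + 1]) k++;  /* select segment */
    double f = (r_ohm - lut_r_ohm[k]) / (lut_r_ohm[k + 1] - lut_r_ohm[k]);
    out.t_c = lut_t_c[k] + f * (lut_t_c[k + 1] - lut_t_c[k]);
    return out;
}

/* Two-level threshold with persistence: trips only after n_persist consecutive
 * samples at or above trip_c, resets only after n_persist consecutive samples
 * at or below reset_c; samples in between hold the current state. */
typedef struct { double trip_c, reset_c; int n_persist; int count; bool alarm; } temp_alarm_t;

bool temp_alarm_update(temp_alarm_t *a, const temp_out_t *t) {
    if (t->q != TQ_OK) { a->count = 0; return a->alarm; }  /* non-credible sample: hold state */
    bool crossing = a->alarm ? (t->t_c <= a->reset_c) : (t->t_c >= a->trip_c);
    if (crossing) {
        if (++a->count >= a->n_persist) { a->alarm = !a->alarm; a->count = 0; }
    } else {
        a->count = 0;
    }
    return a->alarm;
}
```

A flagged sample neither trips nor clears the alarm; it holds the current state and restarts the persistence count. That is the interlock-facing half of "value plus confidence": an open sensor must not read as cold and clear an over-temperature alarm.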
Figure F6 — Temperature chain + digital linearization (raw code → calibration → LUT → hysteresis → interlock flags)
[Figure: analog measurement layer: excitation (I or V) → sensor (RTD / NTC / diode) → front-end (filter + bias) → ADC (counts). Digital processing layer: raw code → calibration (offset + gain) → linearization (LUT / segments) → temperature °C + flags → threshold + hysteresis (trip vs reset, debounce window) → interlock inputs (alarm flags, quality flags: open/short, range).]
FDIR: evidence → voting → fault class → SAFE

H2-7 · Fault detection & voting (1oo2, 2oo3) and what triggers SAFE

Fault voting is only credible when it is built on explicit evidence and produces audit-friendly outputs. For propulsion actuation, evidence comes from three layers: (1) driver-side electrical behavior, (2) sensor-side credibility, and (3) command-to-response timing windows. Voting then determines the fault class (latched vs recoverable) and the SAFE action, while hardware inhibits always override software results.

Voting boundary: 1oo2 vs 2oo3

  • 1oo2 (one-out-of-two): any channel fault forces SAFE. Best when the hazard cost dominates and false SAFE is acceptable.
  • 2oo3 (two-out-of-three): requires agreement to assert a fault. Best when single-channel noise/drift is common and false SAFE is costly.
  • Key constraint: the voter must not share a single point of failure with the channels it votes on.

Evidence layer (inputs to the voter)

  • Driver evidence: I/V trajectory, over-current/clamp events, continuity results, and post-action signatures.
  • Sensor evidence: pressure/temp values plus quality flags (range, saturation, stuck, drift anomalies).
  • Timing evidence: command → electrical actuation → pressure response within a defined window (delay, rise, timeout).

Cross-evidence consistency (reduces false decisions)

  • Actuation without response: driver evidence indicates action, but pressure response times out → suspect flow/mechanical path.
  • Response without actuation: pressure jump without matching driver signature → suspect sensor or sampling integrity.
  • Quality-collapse handling: a value with low credibility should not win a vote against healthy channels.

Fault classes: latched vs recoverable

  • Latched faults: must hold SAFE until controlled reset/service (e.g., hard inhibit, short/overcurrent, unauthorized fire).
  • Recoverable faults: can clear after evidence returns healthy (e.g., transient saturation, single-sample spikes with no persistence).
  • Output contract: publish the class, the decision, and the evidence summary used to decide.

SAFE triggers (priority-ordered, testable)

Each trigger is listed with its typical fault class, why it forces SAFE, and what verification should focus on.

  • HW inhibit asserted / safety switch open
    Class: latched.
    Why it forces SAFE: the hardware barrier indicates an unsafe or unauthorized condition.
    Verification focus: the override path bypasses voting; SAFE output is guaranteed under fault injection.
  • Unauthorized command or window violation
    Class: latched.
    Why it forces SAFE: prevents unintended actuation and replay/sequence errors.
    Verification focus: token/counter checks; time-window enforcement; latch behavior after a violation.
  • Driver short / over-current / thermal trip
    Class: often latched.
    Why it forces SAFE: electrical hazards escalate quickly; the safe state must be immediate.
    Verification focus: over-current response time; evidence capture; post-event inhibit behavior.
  • Evidence inconsistency beyond the timing window
    Class: policy-dependent.
    Why it forces SAFE: indicates loss of integrity or unexpected actuator behavior.
    Verification focus: timeout thresholds; persistence criteria; classification correctness.
  • Sensor credibility collapse with no agreement
    Class: recoverable; the action is SAFE.
    Why it forces SAFE: invalid inputs must not steer decisions; the safe action depends on the remaining redundancy.
    Verification focus: stuck/out-of-range detection; degraded-mode behavior; voting stability.
SAFE decisions must produce a minimal evidence record: time, channel IDs, driver signature summary, sensor quality flags, and the timing-window result. This keeps voting actions auditable without exposing algorithm internals.
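The voter described in this section, as an added example in C (not code from the page): a 2oo3 vote over quality-flagged pressure channels in which a flagged channel may not vote at all, a healthy channel with no agreeing partner is marked as an outlier, and fewer than two agreeing channels forces SAFE. The cross-evidence checks (actuation without response, response without actuation) and the hardware-inhibit override sit around the vote. The field names, the agreement tolerance and the fault classes chosen for the two mismatch cases are assumptions; the page calls those classes policy-dependent.

```c
#include <stdbool.h>
#include <stdint.h>

enum { Q_RANGE = 1, Q_SAT = 2, Q_STUCK = 4, Q_EXC = 8 };   /* channel quality flags, 0 = healthy */
typedef struct { double value; uint8_t q; } chan_t;

typedef enum { CLASS_NONE = 0, CLASS_RECOVERABLE, CLASS_LATCHED } fault_class_t;

typedef struct {
    bool   hw_inhibit;        /* hardware barrier readback; overrides any vote */
    bool   driver_actuated;   /* driver I/V signature shows the actuation happened */
    bool   response_seen;     /* plausible pressure response inside the timing window */
    bool   window_expired;    /* the timing window has elapsed */
    chan_t p[3];              /* three pressure channels for 2oo3 */
    double agree_tol;         /* agreement tolerance, engineering units */
} vote_in_t;

typedef struct {
    bool          force_safe;
    fault_class_t fclass;
    double        value;      /* voted pressure, meaningful only if value_valid */
    bool          value_valid;
    uint8_t       excluded;   /* bit k set: channel k excluded (bad quality or outlier) */
    const char   *cause;      /* minimal evidence record for the log */
} vote_out_t;

static double dabs(double x) { return x < 0.0 ? -x : x; }

/* 2oo3 vote over credibility-flagged channels, then cross-evidence checks.
 * Fault classes for the mismatch cases are policy choices assumed here. */
vote_out_t vote_2oo3(const vote_in_t *in) {
    vote_out_t o = { false, CLASS_NONE, 0.0, false, 0, "ok" };

    /* Top rung: the hardware inhibit bypasses the voter entirely. */
    if (in->hw_inhibit) { o.force_safe = true; o.fclass = CLASS_LATCHED; o.cause = "hw_inhibit"; return o; }

    /* A channel with any quality flag may not vote at all. */
    for (int k = 0; k < 3; k++) if (in->p[k].q) o.excluded |= (uint8_t)(1u << k);

    /* Healthy channels that agree with at least one other healthy channel form the result. */
    double sum = 0.0; int n_agree = 0;
    for (int a = 0; a < 3; a++) {
        if (o.excluded & (1u << a)) continue;
        bool has_partner = false;
        for (int b = 0; b < 3; b++) {
            if (a == b || (o.excluded & (1u << b))) continue;
            if (dabs(in->p[a].value - in->p[b].value) <= in->agree_tol) has_partner = true;
        }
        if (has_partner) { sum += in->p[a].value; n_agree++; }
        else { o.excluded |= (uint8_t)(1u << a); o.fclass = CLASS_RECOVERABLE; o.cause = "outlier"; }
    }
    if (n_agree < 2) {        /* credibility collapse with no agreement: nothing may steer, go SAFE */
        o.force_safe = true; o.fclass = CLASS_RECOVERABLE; o.cause = "no_agreement"; return o;
    }
    o.value = sum / n_agree; o.value_valid = true;

    /* Cross-evidence consistency between driver, sensors and timing window. */
    if (in->driver_actuated && !in->response_seen && in->window_expired) {
        o.force_safe = true; o.fclass = CLASS_RECOVERABLE; o.cause = "actuation_without_response";
    } else if (!in->driver_actuated && in->response_seen) {
        o.value_valid = false; o.fclass = CLASS_RECOVERABLE; o.cause = "response_without_actuation";
    }
    return o;
}
```

Two channels that agree after the third is excluded still produce a value, which is the degraded mode the section refers to; two healthy channels that disagree cannot be resolved and go SAFE rather than picking one. The `excluded` mask and `cause` string are the minimal evidence record the page asks for: they say which channel lost the vote and why, without exposing the voting internals.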
Figure F7 — Voting logic: evidence inputs → voter → fault class → SAFE/inhibit outputs (hardware overrides bypass voting)
[Figure: evidence inputs (driver evidence: I/V, continuity, clamp/OC, signature; sensors: pressure and temperature value + quality, range, stuck; timing windows: delay, rise, timeout, persistence) → voter (1oo2 / 2oo3) → fault class (latched / recoverable) → outputs (SAFE, inhibit, report flags). HW inhibit and WDT / reset override any software voting result.]
Interlocks: default SAFE, priority ladder, watchdog

H2-8 · Safety interlocks (hardware inhibits, sequencing, watchdogs)

A propulsion interlock chain should be designed as a priority ladder with a fail-safe default. Power-on starts in SAFE; any reset or brownout must return to SAFE; and watchdog events must force outputs to a defined safe state. Software permits can only enable actuation inside a controlled authorization window, and can never override hardware inhibits.

Two-lock principle (independent barriers)

  • Hardware inhibit: discrete gating / safety switch / hard logic that defaults to SAFE.
  • Software permit: authorization window, command consistency, token/counter checks.
  • Independence: avoid a single point that can defeat both locks simultaneously.

Power-on and sequencing (SAFE by construction)

  • Default SAFE: inhibit asserted until self-check passes and required inputs are valid.
  • Sequencing: prevent “energy present before gating” and avoid ambiguous intermediate states.
  • Audit points: expose ladder stage indicators so tests can confirm each barrier’s behavior.

Reset, brownout, watchdog (output definition matters)

  • WDT: remove driver enable immediately, assert SAFE, record reset cause, block auto-ARM.
  • BOR: treat partial initialization as unsafe; return to SAFE and require re-authorization.
  • Recovery policy: re-enter ARMED only through controlled authorization, not by default.

Authorization window and command gating

  • Time-limited permit: actuation allowed only within a bounded window.
  • One-shot controls: counters/tokens prevent replay and unintended repeated firing.
  • Consistency checks: require command agreement and valid system state before enabling pulses.

Interlock outputs (clear contract)

  • Inhibit state: hardware barrier status.
  • Armed state: software state machine status.
  • Fire enable: permission state for pulse generation.
  • Fault latch: latched vs recoverable status.
  • Reset/WDT cause: must be observable for debugging and certification evidence.
Interlocks should be testable by design: each ladder stage should have an observable state and a well-defined override priority.
Figure F8 — Interlock priority ladder (power-on SAFE → HW inhibit → SW permit → fire pulse → driver enable)
[Figure: top-to-bottom priority: power-on SAFE (default) → HW inhibit (discrete gating) → SW permit (window + token + consistency) → fire pulse generator → driver enable (valve / igniter); WDT / BOR force SAFE. Fail-safe default: any higher-stage block forces SAFE and disables all lower stages.]
Field failures: harness faults + transients + mis-trips

H2-9 · Transients, EMC, and harness faults (what breaks drivers in the field)

Field failures often look like “a bad driver,” but the root cause is frequently the harness: shorts, intermittent opens, rising contact resistance, or common-mode injection that corrupts current sensing and fault flags. Protection must absorb inductive energy safely without turning actuation timing into an unpredictable variable. The most practical diagnostic shortcut is to treat the current waveform as a fingerprint that separates harness faults from coil faults.

Harness fault modes (what appears in real hardware)

  • Short to supply / short to GND: fast over-current, clamp activation, thermal stress, and immediate SAFE/inhibit needs.
  • Intermittent open: continuity “sometimes passes,” actuation evidence becomes inconsistent, and time-window checks fail.
  • Contact resistance rise: peak current drops, pull-in becomes marginal, hold current drifts, and failures correlate with temperature.
  • Common-mode injection: sensing thresholds shift, causing false open/short or false over-current flags.

Transient energy paths (why clamp choice changes behavior)

  • Inductive energy must go somewhere: the flyback path sets release time, device voltage stress, and EMI.
  • Low-voltage clamp (diode): lower stress but slower current decay → slower release.
  • Higher clamp (TVS / active clamp): faster release but higher dv/dt and voltage stress.
  • Key constraint: protection should not create ambiguous timing evidence that breaks SAFE logic.

Protection vs “must-actuate-once” constraints

  • Immediate hazards: short/over-current must force a defined safe state quickly.
  • No uncontrolled retries: protective cycling should not produce repeated pulses or unintended re-enables.
  • Evidence capture: when protection triggers, record clamp/OC flags and the I/V signature around the event.

Waveform-based diagnosis (fast separation)

  • Open circuit: near-zero current (or only test micro-current), no pull-in plateau.
  • Short: steep rise then clamp/limit behavior, peak collapses early.
  • High resistance: slow/low peak, marginal pull-in, hold sits below target.
  • Coil parameter drift: slope changes (L/R) without classic open/short signatures.
Practical rule: fix stable thresholds (I_peak, I_hold, OC limit) and let the waveform shape carry the diagnosis.
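The four signatures above, turned into detection logic as an added example in C (not code from the page): one pass over a sampled coil-current record that keys only on the stable thresholds (peak target, hold target, OC limit) and on the time at which 90 % of the peak is reached. It also separates a fifth case the section mentions, an L/R drift that reaches the peak but too slowly. The sample records, the 100 µs spacing, the 8-sample peak phase and the limits (1 A / 0.3 A / 3 A, 85 % tolerance, 500 µs rise window) are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

typedef enum { SIG_NORMAL = 0, SIG_OPEN, SIG_SHORT, SIG_HIGH_R, SIG_DRIFT } sig_t;

/* Assumed driver thresholds: the stable numbers the classifier keys on. */
typedef struct {
    double   i_peak_target, i_hold_target;  /* commanded peak / hold levels (A) */
    double   oc_limit;        /* over-current / clamp limit (A) */
    double   tol;             /* fraction of target that still counts as reached */
    uint32_t t_rise_max_us;   /* latest time at which 90 % of peak must be reached */
} sig_limits_t;

typedef struct { double i_peak, i_hold_mean; uint32_t t_rise_us; sig_t sig; } sig_evidence_t;

/* Classify one sampled coil-current record: samples dt_us apart, the first
 * n_peak samples being the pull-in (peak) phase, the remainder the hold phase. */
sig_evidence_t classify_current(const double *i, size_t n, size_t n_peak,
                                uint32_t dt_us, const sig_limits_t *lim) {
    sig_evidence_t ev = { 0.0, 0.0, 0, SIG_NORMAL };
    bool rise_found = false;
    double hold_sum = 0.0; size_t hold_n = 0;
    for (size_t k = 0; k < n; k++) {
        if (i[k] >= lim->oc_limit) { ev.sig = SIG_SHORT; ev.i_peak = i[k]; return ev; }  /* steep rise into the limit */
        if (k < n_peak) {
            if (i[k] > ev.i_peak) ev.i_peak = i[k];
            if (!rise_found && i[k] >= 0.9 * lim->i_peak_target) { rise_found = true; ev.t_rise_us = (uint32_t)k * dt_us; }
        } else { hold_sum += i[k]; hold_n++; }
    }
    if (hold_n) ev.i_hold_mean = hold_sum / hold_n;

    if (ev.i_peak < 0.1 * lim->i_peak_target)                   ev.sig = SIG_OPEN;    /* no current path at all */
    else if (ev.i_peak < lim->tol * lim->i_peak_target)         ev.sig = SIG_HIGH_R;  /* low peak: marginal pull-in */
    else if (!rise_found || ev.t_rise_us > lim->t_rise_max_us)  ev.sig = SIG_DRIFT;   /* peak reached, slope changed (L/R) */
    else if (ev.i_hold_mean < lim->tol * lim->i_hold_target)    ev.sig = SIG_HIGH_R;  /* hold sits below target */
    return ev;
}

/* Constructed sample records: 16 samples, 100 us apart, first 8 = peak phase. */
#define WF_N 16
#define WF_NPEAK 8
#define WF_DT_US 100u
static const double wf_normal[WF_N] = { 0.00,0.45,0.72,0.88,0.96,1.00,1.01,1.00, 0.31,0.29,0.30,0.31,0.30,0.29,0.30,0.30 };
static const double wf_open[WF_N]   = { 0.00,0.01,0.00,0.01,0.00,0.00,0.01,0.00, 0.00,0.00,0.01,0.00,0.00,0.00,0.00,0.00 };
static const double wf_short[WF_N]  = { 0.00,1.80,3.20,3.10,3.05,3.05,3.05,3.05, 0.00,0.00,0.00,0.00,0.00,0.00,0.00,0.00 };
static const double wf_high_r[WF_N] = { 0.00,0.25,0.42,0.52,0.58,0.61,0.62,0.62, 0.25,0.24,0.25,0.24,0.25,0.24,0.25,0.25 };
static const double wf_drift[WF_N]  = { 0.00,0.20,0.38,0.52,0.64,0.75,0.84,0.92, 0.31,0.30,0.30,0.31,0.30,0.30,0.30,0.30 };

static const sig_limits_t wf_limits = { 1.0, 0.3, 3.0, 0.85, 500u };

sig_t classify_sample(const double *wf) {
    return classify_current(wf, WF_N, WF_NPEAK, WF_DT_US, &wf_limits).sig;
}
```

The over-current test runs first and returns as soon as any sample crosses the limit, mirroring what the hardware protection does: a short is decided on the first bad sample, not after the record is complete. The returned evidence struct (peak, hold mean, rise time) is what goes into the log alongside the classification, so a disputed trip can be re-examined from the numbers rather than from the label alone.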
Figure F9 — Current waveform signatures: normal vs open vs short vs high resistance
[Figure: four I(t) panels against the thresholds I_peak, I_hold and OC limit: normal (peak → hold), open circuit (≈0, no rise), short (steep rise into the clamp/limit), high resistance (low peak, hold below target).]
Done means testable: injection matrix + pass criteria

H2-10 · Verification plan (fault injection matrix + pass criteria)

Verification should prove that the propulsion control electronics reach a safe state deterministically under realistic failures. A practical approach is a three-level plan (board → chain-level subsystem → integrated checks) using the same fault-injection matrix: inject a fault, confirm the detection mechanism, verify the expected response, confirm fault class (latched vs recoverable), and check that the minimum telemetry/log fields are present.

Three verification levels (propulsion chain only)

  • Board-level: power-stage protection behavior, clamp/OC flags, I/V signature capture.
  • Subsystem-level: evidence consistency (driver ↔ sensor ↔ timing window) and stable voting.
  • Integration-level: interlock priority ladder, SAFE entry rules, and logging completeness.

Pass criteria (make it measurable)

  • Latency/window: detection and SAFE actions occur within the defined time window.
  • False trips: noise injection does not cause frequent unintended SAFE transitions.
  • Latch consistency: latched faults stay SAFE until controlled reset/clear; recoverable faults clear only under defined conditions.
  • Record completeness: each event yields minimum fields (time, channel, cause, evidence summary).

Fault injection matrix (expected behavior per fault)

Fault type | Detection mechanism | Expected response | Fault class | Timing focus | Minimum log fields
Open / intermittent open | Continuity + low I(t) + timing window fail | INHIBIT / SAFE + alarm | Recoverable or latched (policy) | Timeout + persistence rules | cause, ch-id, continuity result, I(t) summary
Short to GND / supply | Over-current + clamp flag + abnormal I(t) | SAFE (immediate) + latch | Latched | Protection reaction time | cause, ch-id, OC/clamp flags, peak current
High contact resistance | Low peak / slow rise + pull-in miss | INHIBIT + diagnostic flag | Recoverable (if intermittent) | Rise-time window + trend | cause, ch-id, I_peak/I_hold, temp correlation
Sensor stuck / out-of-range | Quality flags + plausibility + voting | DEGRADED / SAFE (if no agreement) | Policy-dependent | Stuck detect window | sensor-id, Q flags, range, voter decision
Noise injection / false trip stimulus | Threshold stability + persistence filters | No unintended SAFE (or controlled alarm) | Recoverable | False-trip rate | noise event count, threshold crossings, decision
WDT reset / BOR | Reset-cause + state rollback checks | SAFE + block auto-ARM | Latched SAFE state | Output settle time | reset cause, ladder stage, inhibit state
Unauthorized command / window violation | Token/counter + time window | SAFE + latch | Latched | Window enforcement | cmd-id, token status, window result, latch set
Keep the matrix stable across levels: board tests validate protection signatures, subsystem tests validate evidence consistency, and integration tests validate ladder priority and log completeness.
Figure F10 — Fault injection matrix (box-table style): rows=faults, columns=detect/response/class/timing/log
[Figure: box-table "Fault Injection Matrix (Propulsion Chain)", flow Inject → Detect → Respond → Classify → Log, one row per fault (Open, Short, High R, Sensor Q, WDT/BOR, Bad cmd) with the same detect/response/class/timing/log cells as the matrix above; legend RECOV = recoverable, LATCH = latched; cells kept short and testable. Drawn as a box-table so it stays readable on mobile and is easy to screenshot for reviews.]
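An added example, not the page's own code: a minimal fault-response model for the chain and a harness that runs the matrix rows above against it, checking expected response, fault class, latch/clear semantics and minimum log fields. The state names, the "recoverable" policy for the open, high-R and sensor rows, and the evidence strings are assumptions; the noise/false-trip row needs a persistence filter and is not modeled here.

```c
/* Added example (not from the page): a minimal fault-response model for the
 * propulsion chain plus a harness that runs the H2-10 fault-injection matrix
 * against it. Policy choices (open/high-R/sensor = recoverable) are assumptions. */
#include <stdint.h>
#include <stdio.h>

typedef enum { ST_IDLE, ST_ARMED, ST_INHIBIT, ST_DEGRADED, ST_SAFE } pc_state_t;
typedef enum { FC_NONE, FC_RECOVERABLE, FC_LATCHED } fault_class_t;
typedef enum { FT_OPEN, FT_SHORT, FT_HIGH_R, FT_SENSOR, FT_RESET, FT_BAD_CMD, FT_COUNT } fault_t;
typedef struct { uint32_t t_ms; int ch; fault_t cause; char evidence[40]; } log_rec_t;
typedef struct { pc_state_t state; fault_class_t fclass; log_rec_t last; } pc_t;

/* Controller under test: response and fault class per fault, plus the minimum log record. */
void pc_inject(pc_t *pc, fault_t f, int ch, uint32_t t_ms, const char *evidence)
{
    switch (f) {
    case FT_OPEN: case FT_HIGH_R: pc->state = ST_INHIBIT;  pc->fclass = FC_RECOVERABLE; break;
    case FT_SENSOR:               pc->state = ST_DEGRADED; pc->fclass = FC_RECOVERABLE; break;
    default: /* SHORT, RESET, BAD_CMD */ pc->state = ST_SAFE; pc->fclass = FC_LATCHED; break;
    }
    pc->last.t_ms = t_ms; pc->last.ch = ch; pc->last.cause = f;
    snprintf(pc->last.evidence, sizeof pc->last.evidence, "%s", evidence ? evidence : "");
}

/* Clear rules: recoverable clears only once the fault is gone; latched clears only via a
 * controlled reset/clear. Both land in IDLE (auto-ARM blocked). Returns 1 if cleared. */
int pc_try_clear(pc_t *pc, int fault_present, int controlled_reset)
{
    int ok = (pc->fclass == FC_RECOVERABLE && !fault_present) || (pc->fclass == FC_LATCHED && controlled_reset);
    if (ok) { pc->state = ST_IDLE; pc->fclass = FC_NONE; }
    return ok;
}

/* Minimum log fields: time, channel, cause (always set by pc_inject) and an evidence summary. */
int pc_log_complete(const log_rec_t *r)
{
    return r->t_ms != 0 && r->ch >= 0 && r->evidence[0] != '\0';
}

/* Harness side: expected behavior per matrix row, kept separate from the controller code. */
static const struct { fault_t f; pc_state_t st; fault_class_t cls; const char *ev; } matrix[FT_COUNT] = {
    { FT_OPEN,    ST_INHIBIT,  FC_RECOVERABLE, "continuity=open,Ipk=0.01A" },   /* constructed evidence */
    { FT_SHORT,   ST_SAFE,     FC_LATCHED,     "OC=1,clamp=1,Ipk=2.6A" },
    { FT_HIGH_R,  ST_INHIBIT,  FC_RECOVERABLE, "Ipk=0.5A,Ihold=0.3A,dT=+40C" },
    { FT_SENSOR,  ST_DEGRADED, FC_RECOVERABLE, "Q=stuck,voter=no-agreement" },
    { FT_RESET,   ST_SAFE,     FC_LATCHED,     "reset=WDT,ladder=HW_INHIBIT" },
    { FT_BAD_CMD, ST_SAFE,     FC_LATCHED,     "token=bad,window=miss" },
};

/* Inject every row, check response/class/log, then latch semantics. Returns failed checks (0 = pass). */
int run_fault_matrix(void)
{
    int fails = 0;
    for (int k = 0; k < FT_COUNT; k++) {
        pc_t pc = { ST_ARMED, FC_NONE, { 0, 0, FT_OPEN, "" } };
        pc_inject(&pc, matrix[k].f, 3, 1000u + (uint32_t)k, matrix[k].ev);
        fails += (pc.state != matrix[k].st) + (pc.fclass != matrix[k].cls) + !pc_log_complete(&pc.last);
        /* Fault gone but no controlled reset: recoverable clears, latched must stay SAFE. */
        int cleared = pc_try_clear(&pc, 0, 0);
        fails += (matrix[k].cls == FC_LATCHED) ? (cleared || pc.state != ST_SAFE) : !cleared;
        /* Controlled reset clears a latched fault, but never straight back to ARMED. */
        if (matrix[k].cls == FC_LATCHED) fails += !pc_try_clear(&pc, 0, 1) + (pc.state != ST_IDLE);
    }
    return fails;
}
```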

H2-11 · IC/BOM selection criteria (drivers, AFEs, monitors) — criteria + example part numbers

Scope Guard: This section lists selection criteria and example IC part numbers only for the propulsion control electronics chain (valves/igniters + pressure/temperature sensing + interlocks). It does not cover spacecraft bus power architecture, TT&C links, or control algorithms.

Use the scorecard in Figure F11 first: each cell becomes a testable requirement (waveform evidence, fault flags, SAFE behavior, drift budget, survivability constraints). Then shortlist parts that explicitly support those requirements (not just “similar specs”).

Card A — Valve driver chain (solenoid / latching / proportional)

Criteria (what to demand)
  • Energy & clamp control: define allowable coil release time and maximum node stress; verify with current/voltage waveforms under worst harness and temperature.
  • Evidence-grade current sensing: sensing must remain stable during PWM and flyback (common-mode swings), enabling “signature-based” diagnostics (normal/open/short/high-R harness).
  • Diagnostics coverage: require at least open-load/short-to-GND/short-to-supply indications, plus a way to detect rising harness resistance (trend or waveform shape metrics).
  • Hard enable/disable interface: a hardware interlock must be able to inhibit actuation independent of firmware state.
  • Survivability constraint: apply mission screening (TID/SEE/temperature/lot control) as a filter, not as an afterthought.
Example part numbers (shortlist anchors)
  • INA240-SEP (TI) — current sense amplifier family; useful as a robust coil current evidence front-end when flyback/PWM conditions exist.
  • INA240PMPWTPSEP / INA240PMPWPSEP (TI, ordering variants) — check lifecycle/availability for mission planning.
  • OPA4H014-SEP (TI) — low-noise precision op-amp option for conditioning current/voltage evidence nodes (filtering, scaling, buffering).
  • ADC128S102-SEP (TI) — 8-ch SAR ADC option for capturing multiple diagnostics nodes (coil I/V, clamp node, continuity sense, etc.).
Practical pattern: space designs often implement the valve power stage as discrete MOSFET(s) + clamp network + evidence sensing. Selection should be driven by “what must be proven in telemetry and logs” rather than by a single “solenoid driver” IC label.

Card B — Igniter / squib energy path (two barriers + one-shot safety)

Criteria (what to demand)
  • Two independent barriers: separate ARM permission from the energy path enable; default must be SAFE; reset/brownout must return to SAFE deterministically.
  • One-shot / lockout behavior: require a defined post-fire lockout state (latched inhibit, logged event, explicit service action to re-arm).
  • Protected energy switching: demand overload/short protection and controlled turn-off behavior that limits transient EMI while still guaranteeing safe inhibit.
  • Built-in evidence hooks: provide a means to measure “delivered event evidence” (I/V monitoring points and a time window), without embedding recipe-like firing guidance.
  • Mission constraints: apply RHA/VID/QML and SEE behavior as selection gates for the switching and supervision elements.
Example part numbers (shortlist anchors)
  • TPS7H2211-SP / TPS7H2211-SEP (TI) — eFuse/load-switch class devices for controlled enable, protection, and hardware barrier implementation.
  • TPS7H2140-SEP (TI) — quad-channel eFuse class device for multi-branch protected enables with diagnostics/current sense.
  • ISL70062SEH (Renesas) — radiation-hardened load switch alternative class for protected energy-path gating.
Implementation rule: the interlock chain should be able to inhibit actuation even if firmware is stuck, rebooting, or in an unintended state. Treat “barrier independence” as a measurable architecture requirement.

Card C — Pressure AFE + ADC (excitation, filtering, ratiometric, diagnostics)

Criteria (what to demand)
  • Ratiometric strategy: prefer measurement architectures that cancel excitation/reference drift (same reference domain for sensor and ADC where practical).
  • Anti-alias & bandwidth boundary: choose ΣΔ vs SAR based on required bandwidth and event capture (slow high-resolution vs transient evidence).
  • Input protection & fault flags: require clear detection of open/short, saturation/stuck codes, and excitation anomalies.
  • Calibration hooks: require a defined place for digital calibration/linearization and a way to detect calibration invalidity.
  • Drift budget: allocate error across sensor + reference + AFE + ADC + PCB leakage; verify by temperature sweep and long-duration stability tests.
Example part numbers (shortlist anchors)
  • ADS1278-SP (TI) — radiation-hardened 24-bit 8-ch simultaneous-sampling ΔΣ ADC option for multi-channel precision sensing.
  • OPA4H014-SEP (TI) — AFE building block for PGA/filter/buffer stages when mission constraints apply.
  • ADC128S102-SEP (TI) — SAR option for multi-node diagnostic sampling and event-oriented capture (as a complement or alternative, depending on bandwidth needs).

Card D — Temperature AFE (RTD/NTC/diode) + linearization + drift control

Criteria (what to demand)
  • End-to-end drift model: treat accuracy as sensor + excitation + ADC/reference + layout leakage; document each term and how it is verified.
  • Lead resistance awareness: define the acceptable impact of harness/lead resistance and how open/short is detected (do not rely on “looks OK” readings).
  • Digital linearization contract: specify the linearization method (table/segmented) and how out-of-range/invalid conditions produce fault flags.
  • Threshold + hysteresis: require deglitch/hysteresis to prevent oscillatory interlock triggering near trip points.
Example part numbers (shortlist anchors)
  • ADS1220 (TI) — 24-bit ΔΣ ADC with PGA and IDACs; a strong architecture reference for RTD/NTC front-ends (use mission-qualified alternatives as required).
  • OPA4H014-SEP (TI) — precision low-bias AFE building block for buffering, filtering, and scaling temperature sensor nodes.
If mission requirements demand SEP/SP/QML/VID screening, treat ADS1220 as an “architecture template” and replace with a qualified equivalent while keeping the same verification contract.

Card E — Supervisors, watchdogs, and interlock enforcement (what guarantees SAFE)

Criteria (what to demand)
  • Reset semantics: define outputs during reset, brownout, and watchdog events; “SAFE by default” must be true at the pin level.
  • Multi-rail awareness: specify monitored rails, thresholds, hysteresis, and delay timers; avoid ambiguous partial-power states.
  • Hardware priority ladder: ensure hardware inhibit outranks software permission; require a deterministic path from any fault class to SAFE.
  • Fault classification support: support latched vs recoverable faults (and clear rules for re-arm) to feed the voting logic.
Example part numbers (shortlist anchors)
  • TPS7H3024-SP (TI) — 4-channel radiation-hardened supervisor with watchdog timer (multi-rail reset + timing contract).
  • TL7700-SEP (TI) — adjustable voltage supervisor in space-enhanced plastic (wide input supervision use-cases).
  • MIC1832 / MIC706 (Microchip) — supervisor/watchdog architecture references for non-space builds or secondary monitoring layers.
Figure F11 — IC selection checklist scorecard (criteria → requirements → shortlist)
[Figure: selection scorecard used as pass/fail requirements. Rows: Valve Driver, Igniter Energy Path, Pressure AFE + ADC, Temperature AFE, Supervisors + WDG. Columns: Spec Power, Diag Coverage, Safety Interlock, Drift Budget, Surviv Constraints. Each cell becomes a verification item (waveforms, fault flags, SAFE behavior, drift budget, survivability constraints).]
Tip: Put part numbers under the cell they justify; if a cell cannot be justified, the shortlist is incomplete.


H2-12 · FAQs ×12 (answers + structured data)

FAQ intent: These answers stay inside propulsion control electronics (valves/igniters + pressure/temperature sensing + voting/interlocks + harness faults + verification). No system bus power architecture, TT&C links, or control algorithms are discussed.

Frequently Asked Questions

1) How should peak and hold currents be defined for a peak-and-hold valve driver?

Set the peak segment to guarantee repeatable pull-in across worst-case supply, temperature, and harness loss, then reduce to a hold level that keeps the valve latched without excessive coil heating. The correct boundary is proven by current waveforms plus thermal rise over time, not by a single “nominal” number. Validate pull-in margin and hold stability with repeated actuations and logging.

Mapped: H2-3
2) TVS, diode, or active clamp for flyback—how does it change release time and robustness?

A higher clamp voltage demagnetizes the coil faster (shorter release time) but increases stress and EMI risk; a diode-like low clamp is gentler but slows release and can blur timing windows. Active clamps trade complexity for tunable behavior. Choose based on the release-time requirement, allowable stress, and field transient environment, then verify with waveforms under harness faults and temperature.

Mapped: H2-3, H2-9
3) Why do latching valves need bidirectional drive, and how is mis-toggle prevented?

Latching valves change state with a polarity-dependent actuation pulse, so the driver must control direction to set and reset reliably. Prevent mis-toggle by enforcing hardware inhibits above firmware, making opposite directions mutually exclusive, and only allowing direction changes inside a defined authorization window. Evidence-grade sensing (current polarity and timing) plus lockout rules helps distinguish valid toggles from noise or partial pulses.

Mapped: H2-3, H2-8
4) How can an igniter continuity test be implemented without accidental activation?

Treat continuity testing as a diagnostics path that is electrically and logically separated from the energy delivery path, with SAFE as the default for power-up, reset, and faults. Limit the test to controlled conditions (explicit authorization, time window, and inhibited energy switch) and verify that any single fault still cannot enable delivery. The result should produce a clear open/short indication and a traceable log entry.

Mapped: H2-4
5) How can “ARM / FIRE” dual gating be designed to fail-safe to SAFE by default?

Use two independent barriers: a hardware inhibit that blocks actuation regardless of firmware, and a software permission that only becomes true inside a validated command window. Define SAFE outputs for power-up, brownout, watchdog reset, and loss of command so the system always returns to an inhibited state when uncertain. Prove the priority ladder with reset tests and fault injection that forces ambiguous states.

Mapped: H2-2, H2-8
6) After a firing event, how can it be proven that energy was actually delivered to the igniter?

“Proof” should be evidence-based: capture current and voltage signatures at defined sense points during the authorized window, timestamp the event, and latch a post-event status that cannot be overwritten. The evidence must distinguish normal delivery from open/short or premature inhibit. A good design ties this evidence to telemetry fields and logs so the event can be audited later, not inferred from commands alone.

Mapped: H2-4
7) Why is ratiometric measurement common for pressure sensing, and when is it not appropriate?

Ratiometric measurement cancels excitation and reference drift by keeping the sensor and ADC in the same reference domain, improving stability over temperature and time. It becomes less suitable when the sensor output is not proportional to excitation, when an absolute reference is required, or when multiple reference domains create mismatch. Decide using an error budget (sensor, reference, AFE, ADC, leakage) and validate with temperature sweep and long-run drift tests.

Mapped: H2-5
8) How should pressure/temperature channels detect open/short faults and “stuck” signals?

Open/short detection targets electrical failures (out-of-range, saturation, excitation anomaly), while “stuck” detection targets frozen acquisition paths (constant codes, no dynamics, invalid timing). Combine range checks, plausibility and rate-of-change checks, excitation health flags, and time-based freshness rules. The output must be a fault class and confidence that can feed voting logic, then drive SAFE behavior with clear latch vs recover rules.

Mapped: H2-5, H2-6, H2-7
9) 1oo2 vs 2oo3 voting—how is the boundary chosen and false alarms reduced?

1oo2 is conservative (any one channel can force SAFE), while 2oo3 resists nuisance trips but requires stronger evidence quality and channel independence. Choose by comparing the cost of false SAFE versus the cost of missed detection, then ensure each input has a defined confidence and failure mode. Reduce false alarms using deglitch/hysteresis, fault classification (latched vs recoverable), and evidence fusion (I/V, pressure/temperature, timing window).

Mapped: H2-7
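As an added example (not from the page) of the deglitch and channel-quality points in this answer: a 2oo3 voter with per-channel quality flags, trip/reset hysteresis and a persistence counter before a latched SAFE request. The thresholds and pressure samples are constructed.

```c
/* Added example (not from the page): 2oo3 voting over three pressure channels
 * with per-channel quality flags, trip/reset hysteresis and a persistence
 * (deglitch) counter before a latched SAFE request. Values are constructed. */
#define N_CH 3

typedef struct {
    double trip_high;   /* channel trips when value >= trip_high (constructed, bar) */
    double reset_low;   /* tripped channel releases only below reset_low (hysteresis) */
    int    persist_n;   /* consecutive voted-trip cycles required before SAFE */
} voter_cfg_t;

typedef struct {
    int tripped[N_CH];  /* per-channel trip flag, held through the hysteresis band */
    int persist;        /* consecutive cycles in which the vote said "trip" */
    int safe_request;   /* latched once persistence is met */
    int degraded;       /* fewer than 2 valid channels: vote is not trustworthy */
} voter_t;

/* One evaluation cycle. valid[k] == 0 means quality flags mark the channel
 * stuck/out-of-range; it is excluded from the vote, not counted as a trip.
 * Returns 1 while a SAFE request is active. */
int voter_step(voter_t *v, const voter_cfg_t *cfg, const double val[N_CH], const int valid[N_CH])
{
    int n_valid = 0, n_trip = 0;
    for (int k = 0; k < N_CH; k++) {
        if (!valid[k]) { v->tripped[k] = 0; continue; }
        n_valid++;
        if (!v->tripped[k] && val[k] >= cfg->trip_high) v->tripped[k] = 1;
        else if (v->tripped[k] && val[k] < cfg->reset_low) v->tripped[k] = 0;
        n_trip += v->tripped[k];
    }
    v->degraded = (n_valid < 2);
    /* 2oo3: two valid channels must agree. With two valid channels this is
     * effectively 2oo2; with fewer, voting is not trusted (flag degraded). */
    int vote_trip = !v->degraded && n_trip >= 2;
    v->persist = vote_trip ? v->persist + 1 : 0;
    if (v->persist >= cfg->persist_n) v->safe_request = 1;   /* latched: cleared by policy, not here */
    return v->safe_request;
}

/* Constructed scenario: cycle 1 is a single-channel glitch, cycles 2-3 show two
 * channels genuinely above trip. Returns the cycle index at which SAFE was
 * requested, or -1 if never. */
int voter_demo(void)
{
    const voter_cfg_t cfg = { 15.0, 14.0, 2 };
    voter_t v = { { 0, 0, 0 }, 0, 0, 0 };
    const int valid[N_CH] = { 1, 1, 1 };
    const double seq[4][N_CH] = { { 10, 10, 10 }, { 16, 10, 10 }, { 16, 16, 10 }, { 16, 16, 10 } };
    for (int c = 0; c < 4; c++)
        if (voter_step(&v, &cfg, seq[c], valid)) return c;
    return -1;
}
```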
10) What current-waveform signatures indicate an intermittent harness open on a valve load?

Intermittent opens often appear as abrupt current dropouts, unstable hold levels, irregular decay during flyback, or high run-to-run variation under identical commands. Rising contact resistance can look like reduced peak margin and drift with temperature, while a coil fault tends to be more repeatable but shifted. The practical method is repeated captures and statistics: compare waveform features against a “known-good” signature and correlate with fault flags and timing windows.

Mapped: H2-9
11) During watchdog/reset, what output state is safest for propulsion actuation?

The safe rule is deterministic inhibit: actuation enables must return to SAFE whenever the system is not fully in control (power-up, brownout, watchdog reset, firmware fault, or lost command). This should be true at the pin level via hardware interlocks, not dependent on software executing cleanup. Define and test the exact output levels and timing during reset, and log the reset cause so SAFE transitions can be audited and correlated with events.

Mapped: H2-8
12) In a fault-injection matrix, which three categories of cases are most often missed?

The most missed categories are boundary timing (authorization window edges, debounce/hysteresis limits, reset transients), combined faults (sensor anomaly plus driver anomaly challenging voting consistency), and intermittent faults (contact bounce, harness intermittency, noise-induced misclassification). Each category must specify the expected result: SAFE/inhibit action, fault class (latched or recoverable), and what telemetry/log fields must be written. Coverage is proven when outcomes remain consistent across repeats and environments.

Mapped: H2-10
Figure F12 — FAQ intent map (which section answers what)
FAQ clusters → section anchors (keep answers short; use sections for deep technical detail and verification evidence):
  • Valve drive & flyback: Q1, Q2, Q3 → H2-3 (+ H2-9)
  • Igniter safety & evidence: Q4, Q6 → H2-4
  • State machine & interlocks: Q5, Q11 → H2-2, H2-8
  • Pressure/Temp sensing diagnostics: Q7, Q8 → H2-5, H2-6, H2-7
  • Voting & SAFE triggers: Q9 → H2-7
  • Harness faults & verification: Q10, Q12 → H2-9, H2-10
Rule: FAQ answers point to sections; sections contain the measurable requirements and proof artifacts.