Fail-Safe State: UVLO Defaults & Single-Fault Diagnostics
H2-1 · Definition & Scope Guard
Fail-Safe State defines what an isolation channel must do during power anomalies or reset: the output enters a predefined safe default and exposes a diagnostic indicator to separate normal-off from fault-off.
Definition (testable contract)
A Fail-Safe State is a defined output behavior of an isolated channel under power events (UVLO, brownout, power-down), reset, or barrier/IO fault. The channel must:
- Enter fail-safe on UVLO_P / UVLO_S crossings, reset/enable assertion, or barrier-side link loss that makes the input state undefined.
- Drive OUTx into a predefined default (LOW / HIGH / Hi-Z / Glitch-Free) and keep it deterministic across the “risk window” (threshold crossing + recovery interval). Pass-criteria thresholds are recorded as X/Y/N placeholders for system sign-off.
- Expose a DIAG/PG/status signal (or encoded combination) that differentiates Normal-Off from Fault-Off, enabling single-point failure isolation in the field.
Out-of-scope (non-overlap contract)
- Safety standards / VIORM / creepage/clearance: only referenced here; definitions and compliance paths live on the Safety & Compliance page.
- Protocol stacks and interoperability: not covered; interface behavior is limited to default state, tri-state, and timing hooks; details belong to each Isolated Interface page.
- Gate-driver protection mechanisms (DESAT, soft turn-off, etc.): not expanded; this page only defines control-lane defaults and diagnosability; details belong to Isolated Gate Driver pages.
Rule: this page defines state-machine intent + diagnostic meaning, not topology, protocol, or full protection design.
Figure 1 · Scope Map (state inputs → default outputs → diagnostic)
Scope is limited to state inputs (UVLO/EN/RESET) and observable outputs (OUTx default + DIAG meaning), enabling deterministic review and test planning.
H2-2 · Why Fail-Safe Matters on Isolation Barriers
Isolation creates asymmetric power and timing conditions. Without a defined default state and diagnostic meaning, “OFF” becomes ambiguous and unsafe.
Asymmetry (power and reset are not synchronous)
Primary and secondary domains often power up/down at different times. During threshold crossings, the input interpretation can diverge across the barrier. The design goal is to guarantee a deterministic output across the risk window (UVLO crossing + recovery interval).
- Case A: Secondary falls first → output may float or collapse early.
- Case B: Primary falls first while secondary stays alive → input becomes undefined → output can chatter if not clamped.
- Case C: Resets release at different times → channels recover out of order without a defined priority rule.
Unsafe defaults (float/weak bias becomes “fake logic”)
A common failure chain is: secondary power-down → OUT enters Hi-Z → external pull-up or capacitive coupling presents a “valid-looking” HIGH → downstream logic interprets an unintended command. This is not a protocol issue; it is a default-state contract issue.
If Hi-Z is used, it must be paired with an explicit system-level bias and a defined interpretation rule; otherwise, force-low/force-high defaults are safer for control lanes.
Field return (Normal-Off vs Fault-Off must be distinguishable)
In the field, both normal shutdown and a fault-triggered shutdown can look identical at OUTx. Without DIAG meaning, root-cause becomes guesswork, increasing rework time and risking repeated unsafe events.
- Normal-Off: intentional disable/reset with healthy power.
- Fault-Off: UVLO, brownout, barrier-side input loss, or a single-point failure forcing a safe default.
- Requirement: DIAG/PG/status encoding must make these two states separable at test and in logs.
Figure 2 · Asymmetric Power Timeline (risk window focus)
The “risk window” (UVLO crossing + recovery interval) is where pass/fail is judged: OUT must remain deterministic and DIAG must reflect fault vs normal-off meaning.
H2-3 · Fail-Safe Taxonomy
Default states must be defined as a testable contract. Each category below includes meaning, best fit, primary risk, and pass-criteria placeholders.
Force-Low / Force-High
Meaning: OUTx is actively driven to a fixed logic level under fail-safe entry.
Best fit: unidirectional control lanes (EN/CS/INHIBIT/SHDN).
Primary risk: contention with external pulls or downstream bias; choose level consistent with safety goal.
Pass criteria: OUTx stays within logic threshold X and never toggles more than N times inside risk window Y.
Hi-Z / Tri-State
Meaning: OUTx releases drive (high impedance) and line state is determined by external bias or other nodes.
Best fit: shared buses or bidirectional lanes where arbitration/release is required.
Primary risk: external pull-up or capacitive coupling can create a “valid-looking” level (fake HIGH) and trigger unintended actions.
Pass criteria: leakage < X, and system bias guarantees line remains in non-active range for Y with N false actuation events.
Hold-Last
Meaning: OUTx attempts to maintain the last valid state across a defined interval.
Best fit: only when an external interlock guarantees safety independent of OUTx state.
Primary risk: during brownout/power-down, “hold” can degrade into random behavior or brief toggles; unsafe for safety-critical control by default.
Pass criteria: hold time ≥ X ms under defined ramp; otherwise do not claim Hold-Last. Recovery must not emit pulses > Y ns.
Pulse-Suppress / Glitch-Free
Meaning: no valid output pulse is permitted during UVLO crossing and recovery (risk window).
Best fit: lanes where a short pulse can cause an irreversible action (enable, latch, shoot-through risk).
Primary risk: “glitch” definitions differ across teams; specify width/amplitude/time-window for verification.
Pass criteria: effective pulses with width ≥ X ns (or amplitude ≥ Y V) must be N=0 within the risk window.
Fail-Safe Receiver (idle vs fault-idle separation)
Meaning: when input is missing/undriven, receiver-side output defaults to a defined 1/0 level.
Best fit: isolated receiver outputs where “no input” must not look like a valid command.
Primary risk: normal idle can be confused with fault idle unless DIAG/PG encodes power loss vs intentional idle.
Pass criteria: output remains stable at default level for Y with N flips; DIAG=1 must indicate fault-idle per system rule.
Figure 3 · Default-State Menu
Each default type must be tied to a system meaning and a risk-window pass criterion (X/Y/N). Labels without verification definitions are not acceptable.
H2-4 · Power Events Model
Power events must be defined consistently; otherwise design intent, lab verification, production test, and field diagnosis will not align.
Event definitions (contract terms)
Fail-safe entry/exit must reference observable boundaries. Each event below is defined by a measurable condition that can be reproduced in verification and production fixtures.
- UVLO boundary: define whether fail-safe entry is based on the VDD falling edge or on VDD below VUVLO. The chosen boundary must be used everywhere (DV, production, field logs).
- Risk window: begins at the selected UVLO boundary and lasts for Y until OUT and DIAG reach a stable fail-safe meaning.
- Power-down: VDD cannot sustain channel behavior and the output contract must force a default state.
- Brownout: VDD is marginal; transitions may repeat without hysteresis, creating toggling risk. Brownout must be treated as a first-class event because repeated entry/exit can generate the highest false-actuation probability.
- Recovery: exit from fail-safe requires VDD stable for Tstable (placeholder X) and reset released. Recovery behavior is judged in a recovery risk window Y (placeholder) after reset release.
- Priority: explicitly define which has priority: RESET, EN low, UVLO_P, UVLO_S. Priority rules determine whether OUT clamps immediately or waits for internal qualification.
State transitions (NORMAL → FAILSAFE → RECOVERY)
A minimal state machine enables deterministic design reviews and repeatable test scripts. It separates entry behavior, steady fail-safe behavior, and recovery behavior.
- NORMAL: OUT follows input; DIAG indicates healthy.
- FAILSAFE: OUT is clamped to the selected default; DIAG encodes fault-off (or the specific reason class).
- RECOVERY: VDD is OK but output remains controlled until tREC completes and DIAG clears per policy.
Review focus: entry and recovery are the two risk windows where “glitch-free” must be proven with X/Y/N thresholds.
Figure 4 · Event-State Machine
The state machine enforces consistent event definitions. Entry and recovery windows are the only places where “glitch-free” must be proven with X/Y/N thresholds.
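The event-state machine above, as an added sampled-time model that is not part of the original page: it applies one entry boundary (VDD < V_UVLO), an assumed exit hysteresis, Tstable and tREC placeholders, and an assumed priority of RESET over EN over UVLO, then runs a constructed brownout plateau through two contracts to show why hysteresis plus Tstable is what keeps entry/exit from looping.

```python
"""Sampled-time model of the NORMAL -> FAILSAFE -> RECOVERY contract (added example)."""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    NORMAL = "NORMAL"
    FAILSAFE = "FAILSAFE"
    RECOVERY = "RECOVERY"


@dataclass(frozen=True)
class Contract:
    v_uvlo: float     # single entry boundary: fail-safe entry when VDD < V_UVLO
    v_hys: float      # VDD counts as OK only above V_UVLO + v_hys (assumed de-chatter hysteresis)
    t_stable: int     # Tstable (placeholder X): consecutive OK samples before FAILSAFE may be left
    t_rec: int        # recovery window (placeholder Y): samples OUT stays clamped after exit
    default_out: int  # 0 = Force-Low, 1 = Force-High


@dataclass(frozen=True)
class Sample:
    state: State
    out: int
    diag: int  # 1 = fault-off class, 0 = healthy or normal-off
    pg: int    # 1 = supply OK (VDD above the hysteresis level), 0 = supply missing/marginal


class Channel:
    """One isolated channel. Assumed priority: RESET > EN low > UVLO (page leaves it to the contract)."""

    def __init__(self, contract: Contract) -> None:
        self.c = contract
        self.state = State.NORMAL
        self.ok_ticks = 0   # consecutive samples with VDD OK while in FAILSAFE
        self.rec_ticks = 0  # samples elapsed in RECOVERY
        self.entries = 0    # number of FAILSAFE entries (brownout loops inflate this)

    def step(self, vdd: float, reset_n: int, en: int, din: int) -> Sample:
        c = self.c
        below = vdd < c.v_uvlo           # entry condition, judged on the one agreed boundary
        ok = vdd >= c.v_uvlo + c.v_hys   # exit qualification, with hysteresis
        # Entry: from NORMAL or RECOVERY, UVLO clamps immediately.
        if self.state is not State.FAILSAFE and below:
            self.state, self.entries, self.ok_ticks = State.FAILSAFE, self.entries + 1, 0
        if self.state is State.FAILSAFE:
            # Exit only after VDD OK for t_stable AND reset released (reset has priority).
            self.ok_ticks = self.ok_ticks + 1 if ok else 0
            if self.ok_ticks >= c.t_stable and reset_n:
                self.state, self.rec_ticks = State.RECOVERY, 0
        elif self.state is State.RECOVERY:
            self.rec_ticks += 1
            if self.rec_ticks >= c.t_rec:
                self.state = State.NORMAL
        pg = int(ok)
        if self.state is not State.NORMAL:
            return Sample(self.state, c.default_out, 1, pg)  # Fault-Off: clamped, DIAG=1
        if not reset_n or not en:
            return Sample(self.state, c.default_out, 0, pg)  # Normal-Off: clamped, DIAG=0
        return Sample(self.state, din, 0, pg)                # NORMAL: OUT follows input


def brownout_trace():
    """Constructed VDD waveform (V): ramp down through UVLO, hover on the boundary, ramp up,
    then stay healthy. DIN toggles every sample so any input leaking to OUT would be visible."""
    vdd = [3.3, 3.0, 2.7, 2.4, 2.1, 2.45, 2.55, 2.45, 2.55, 2.45, 2.55,
           2.4, 2.7, 3.0, 3.3] + [3.3] * 12
    return [(v, 1, 1, i % 2) for i, v in enumerate(vdd)]  # (vdd, reset_n, en, din)


def run_trace(contract, trace):
    """Returns (entries, OUT toggles while clamped, samples). A compliant channel shows 0 toggles."""
    ch, samples, toggles, prev = Channel(contract), [], 0, None
    for vdd, reset_n, en, din in trace:
        s = ch.step(vdd, reset_n, en, din)
        if (prev is not None and prev.state is not State.NORMAL
                and s.state is not State.NORMAL and s.out != prev.out):
            toggles += 1
        samples.append(s)
        prev = s
    return ch.entries, toggles, samples


# Two contracts on the same V_UVLO = 2.5 V boundary (constructed values, not from any datasheet).
CHATTER = Contract(v_uvlo=2.5, v_hys=0.0, t_stable=1, t_rec=2, default_out=0)  # exits on first OK sample
ROBUST = Contract(v_uvlo=2.5, v_hys=0.3, t_stable=3, t_rec=4, default_out=0)   # hysteresis + Tstable

if __name__ == "__main__":
    for name, c in (("CHATTER", CHATTER), ("ROBUST", ROBUST)):
        entries, toggles, _ = run_trace(c, brownout_trace())
        print(f"{name}: fail-safe entries={entries}, OUT toggles while clamped={toggles}")
```

Both contracts keep OUT clamped, but CHATTER re-enters fail-safe on every plateau dip, which is the brownout loop the page tells you to treat as a first-class event.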
H2-5 · Default-State Design Rules
Rules below are written as executable engineering requirements. Each rule includes a measurable hook (X/Y/N) and a short “why”.
Rule 1 Default must match the system safety goal
Select a default state whose system meaning is safe under worst-case interpretation. For control lanes (enable/inhibit/shutdown), safe default is typically default-off. Record the safe meaning in the interface contract and review checklist.
Rule 2 Cover the undefined VDD region (risk window)
Define fail-safe entry at a single boundary (VDD falling vs VDD < VUVLO) and apply it consistently. Guarantee that no valid pulse occurs while VDD crosses the undefined region and while internal rails settle. Use X/Y/N placeholders for pulse width, amplitude, and event count.
Rule 3 Shared / bidirectional buses: Hi-Z + external fail-safe bias
Prefer Hi-Z on shared or bidirectional lanes, and provide an explicit external bias so “released” never looks like “valid”. Define the bias resistor range as X (placeholder) and ensure the biased line stays inside a non-active voltage zone for Y. Document the interpretation rule: Hi-Z is not a logic level.
Rule 4 Do not rely on firmware to enforce safety after boot
Safety must be guaranteed by hardware defaults during reset, early boot, and brownout loops. Firmware may add policy and logging, but it must not be the first line of defense. The interface contract must remain safe with MCU pins floating for Y.
Rule 5 Budget contention with external pulls (avoid fight current)
If the default actively drives LOW/HIGH, budget worst-case contention against external pull-up/down or downstream bias. Verify the contention current stays below X and does not shift the logic threshold into an ambiguous region. Where needed, reduce drive strength or change default type.
Rule 6 Make recovery timing predictable (tSTARTUP / tREC)
Define a clear “output valid” moment: VDD OK stable for X + reset released + recovery delay Y. During RECOVERY, keep outputs controlled until the contract is met. Record these timings as test checkpoints for validation and production fixtures.
Rule 7 “Glitch-free” must be implemented structurally and verified
Pulse suppression must be achieved by a defined mechanism (edge suppression / qualification / one-shot / filtering). “No pulse” must be defined by width ≥ X ns or amplitude ≥ Y V counted as valid. Verification must show valid pulses count N=0 inside the entry and recovery windows.
Rule 8 Map default state to diagnosability (OUT + DIAG/PG encoding)
OUT defines action state; DIAG/PG must define cause class. Their combination must separate Normal-Off and Fault-Off. Provide at least one dedicated diagnosable signal (DIAG/PG/FAULT) or a documented encoding. Ensure the encoding remains valid during power loss and recovery.
Figure 5 · Rule Map (events → default → bias → diagnose → verify)
The design is complete only when the workflow delivers: default spec (X/Y/N), bias range (X), diagnosable encoding, and risk-window verification.
H2-6 · Diagnosability Model
Single-point failures must be diagnosable at the signal level. This section maps default-state-related faults to observable combinations (OUT + DIAG + PG).
Minimum diagnostic interface (recommended)
A minimal interface set that supports field isolation of “normal-off vs fault-off”: OUTx (action state) + DIAG (cause class) + PG/VDD_OK (supply class). Optional: heartbeat across the barrier for liveness.
Objective: separate at least four classes—Normal-Off, UVLO_P, UVLO_S, and barrier/input invalid—without requiring protocol knowledge.
Fault → Observable mapping (default-state related)
Figure 6 · Diagnostic Encoding (OUT + DIAG + PG)
Encoding binds action state (OUT) to cause state (DIAG/PG). Keep mappings short (4–6 rows) to remain mobile-safe and field-usable.
H2-7 · Device-Class Patterns
A pattern library of default-state templates by device class. Scope: only fail-safe defaults, bias, diagnosability, and recovery hooks. No deep dives into each device family.
Template A · Digital Isolator (unidirectional / multi-channel)
Use deterministic defaults for control lanes. Prefer default-off semantics (often Force-Low) and define a glitch-free requirement across entry/recovery windows.
OUTx = LOW (or Hi-Z when release is required) during UVLO/RESET/EN low.
DIAG=0 → Normal off; DIAG=1 → Fault off (UVLO / input invalid). Placeholders: X/Y/N.
Entry/recovery windows: valid pulses N=0 for width ≥ X ns or amplitude ≥ Y V.
Template B · Isolated Interface (I²C / 485 / CAN class — defaults only)
Treat “released bus” as a default state with explicit external bias. Distinguish normal idle from fault idle using DIAG/PG encoding.
Bus pins = Hi-Z when undriven; enforce non-active zone using bias XΩ (placeholder).
OUT state describes action; DIAG/PG describes cause: Normal-idle vs Fault-idle.
After VDD_OK + reset release, hold bus release for tREC = X before allowing active drive.
Template C · Clock Isolator (enable + quiet output)
Default states focus on CLK quieting and EN default-off. Avoid unpredictable output edges during recovery.
EN=OFF by default; CLK output = gated/quiet (no toggles) during fail-safe.
Recovery window: no unintended edges (N=0) until tREC completes (placeholders X/Y).
Template D · Isolated ADC / ΔΣ Modulator (data-valid + silent)
Default is defined as silent output + invalid data flag, not “force zeros”. The system must detect power loss vs intentional idle.
DATA stream = silent/idle; DATA_VALID=0 (or DIAG=1) during UVLO/power loss.
DATA_VALID=0 + DIAG=0 → intentional quiet; DATA_VALID=0 + DIAG=1 → fault quiet (placeholders).
Template E · Gate-Driver Control Lanes (EN / FLT only)
Control-lane defaults must guarantee driver disabled without firmware. FLT/DIAG must encode fault-off vs normal-off.
EN defaults to OFF across entry/recovery windows; OUT_EN must be glitch-free (N=0 pulses).
FLT/DIAG asserts during UVLO or control invalid; use PG to separate supply-missing class.
Template F · Isolated Power Module (PG / UVLO signaling only)
Default behavior is communicated through PG/FAULT and stable outputs. PG must be conservative during start-up and brownout loops.
PG=0 (not OK) until VDD is stable for X and recovery delay Y expires.
PG=0 + DIAG=1 → supply missing/fault class; PG=0 + DIAG=0 → intentional off (example policy).
Figure 7 · Pattern Library (copyable mini-templates)
Each mini-template shows only the ports needed to define fail-safe behavior. Fill X/Y/N in the written contract and verify in risk windows.
H2-8 · Interface-Specific Notes
Scope is limited to isolation-driven defaults: directionality, Hi-Z behavior, external bias, recovery window, and diagnostic hooks. No protocol-stack content.
SPI / QSPI (push-pull lanes — default behavior only)
- Default state: define CS as deasserted by default; define CLK/MOSI/MISO as quiet/Hi-Z or forced-low per system meaning.
- Direction / Hi-Z: if multiple devices share lanes, require release (Hi-Z) when not selected; ensure the default does not look like an “active transfer”.
- External bias (XΩ): use optional weak bias for quiet lanes where floating could be interpreted as edges; placeholder XΩ.
- Recovery timing: keep lanes quiet until VDD_OK + reset release + tREC=X; define the “output valid time”.
- Diagnostic hook: DIAG=1 indicates fault-off/invalid-input class while pins remain in the default state.
I²C (open-drain bidirectional — defaults only)
- Default state: default is a released bus (Hi-Z) with deterministic pull-up behavior; “released” must not be treated as a logic level.
- Direction / Hi-Z: both sides may be powered asymmetrically; require safe release in entry and recovery windows to avoid unintended low pulses.
- External bias (XΩ): pull-ups are mandatory; specify a range XΩ (placeholder) that guarantees a non-active zone during fault release.
- Recovery timing: maintain release for tREC=X before allowing active low pulls; N=0 valid pulses inside the recovery window.
- Diagnostic hook: use DIAG/PG encoding to separate normal idle (released) from fault idle (released + DIAG=1).
UART / GPIO (simple lanes — safe defaults)
- Default state: for control GPIO, use default-off semantics (often forced-low). For RX/TX, define the quiet/idle meaning and avoid floating interpretation.
- Direction / Hi-Z: use Hi-Z where shared wiring exists; otherwise prefer deterministic levels for safety-critical control pins.
- External bias (XΩ): if the downstream interprets floating as “valid”, enforce a bias resistor range XΩ.
- Recovery timing: define the point when RX/TX is valid: VDD stable + reset released + tREC=X.
- Diagnostic hook: DIAG asserts for pin invalid / supply missing while outputs remain in the safe default.
RS-485 / CAN class (defaults only — no protocol)
- Default state: define the receiver-side default output for “no drive” and ensure it maps to a non-command meaning at the system level.
- Direction / Hi-Z: use Hi-Z release where required; avoid forced levels that fight bus bias networks.
- External bias (XΩ): coordinate with bus biasing so the released state is deterministic; document the XΩ range and contention limits.
- Recovery timing: hold safe defaults until tREC=X; prevent toggling during brownout loops.
- Diagnostic hook: encode normal idle vs fault idle using DIAG/PG (e.g., DIAG=1 indicates the fault-off class).
Figure 8 · Bus Release & Bias (Hi-Z vs Force-Low with pull-up)
Hi-Z needs bias to create deterministic meaning. Forcing LOW against pull-up creates fight current; budget it or change the default type.
H2-9 · Verification & Production Tests
Turn default states into pass/fail items. Scope: event injection, observation, thresholds (X/Y/N), and recording fields. No device-internal mechanisms.
DV (Design Verification) · prove “no pulse / no glitch” across corners
Validate fail-safe entry and recovery under slope scans and brownout plateaus. Define a measurable pulse rule and apply it consistently across all tests.
Stimulus set
- Power-slope scan: fast/slow VDD fall and rise (dV/dt placeholder X).
- Brownout plateau: hold VDD near the UVLO boundary for Y (placeholder) to stress the undefined region.
- Corner coverage: hot/cold + min/nom VDD (placeholders) with the same event script.
Observations
- OUT action state: reaches the defined default (LOW / Hi-Z / quiet) inside the entry window.
- DIAG/PG encoding: remains stable and separates normal-off vs fault-off during the full window.
- No-glitch rule: valid pulse defined as width ≥ X ns OR amplitude ≥ Y V; pass requires N=0 inside entry and recovery windows.
Entry + Recovery: valid pulses N=0 under the pulse definition (X/Y). Encoding must not flip more than N (placeholder) during the same windows.
Bring-up · asymmetric supply ordering scripts
Validate that default behavior is deterministic when primary and secondary supplies do not drop together. Use repeatable scripts and record the same fields as DV.
Event order cases
- Case A: Primary VDD drops first → verify OUT default and DIAG class.
- Case B: Secondary VDD drops first → verify OUT default and DIAG/PG indicates supply-missing class.
- Case C (optional): simultaneous drop → verify no pulses and consistent encoding.
For each case, log (OUT state, DIAG, PG, pulse_count N, max_pulse_width, tREC) and compare against the same X/Y thresholds.
Production · fixture injection + encoding readout (pass/fail)
Production testing must be able to inject UVLO-like events and read DIAG/PG encodings without requiring protocol knowledge. Results must be recorded as structured fields.
Fixture actions
- Inject event: UVLO_P / UVLO_S (event type recorded).
- Control pins: EN low / RESET assert/release (if applicable).
- Readout: measure OUT state (LOW/Hi-Z/quiet) + read DIAG/PG encoding.
Recording fields (recommended)
- Event: {UVLO_P, UVLO_S, EN, RESET}
- Measured: pulse_count N, max_pulse_width, window_duration Y
- Encoding: OUT state + DIAG + PG
- Thresholds: X/Y used for this lot
- Result: PASS / FAIL
During injected events: valid pulses N=0 (X/Y definition) and encoding matches the contract for that event class.
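The DV no-glitch rule (width ≥ X ns OR amplitude ≥ Y V, N=0 inside the entry and recovery windows), the production recording fields above, and the H2-6 DIAG/PG cause classes, as one added checker that is not part of the original page. The OUT waveform, the window edges, the noise floor, and the reason-code policy are constructed assumptions; the policy follows the page's example encodings (PG=0 + DIAG=1 → supply missing, DIAG=0 → intentional/normal off).

```python
"""Risk-window pulse counter plus a structured pass/fail record (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PulseRule:
    min_width_ns: float   # X: a pulse at least this wide counts as a valid pulse
    min_amp_v: float      # Y: a pulse at least this high counts as a valid pulse
    noise_floor_v: float  # excursions below this are ignored entirely (assumed)
    max_count: int = 0    # N: valid pulses tolerated inside a risk window (page: N=0)


@dataclass(frozen=True)
class Window:
    name: str
    t0_ns: float
    t1_ns: float


@dataclass(frozen=True)
class Pulse:
    t_start_ns: float
    width_ns: float
    amp_v: float


def find_pulses(trace: List[float], dt_ns: float, baseline_v: float, rule: PulseRule) -> List[Pulse]:
    """Every excursion above baseline + noise floor, with its start, width and peak amplitude."""
    pulses, start, peak = [], None, 0.0
    for i, v in enumerate(trace + [baseline_v]):  # sentinel sample closes a trailing pulse
        excursion = v - baseline_v
        if excursion > rule.noise_floor_v:
            if start is None:
                start, peak = i, excursion
            peak = max(peak, excursion)
        elif start is not None:
            pulses.append(Pulse(start * dt_ns, (i - start) * dt_ns, peak))
            start = None
    return pulses


def valid_pulses_in(window: Window, pulses: List[Pulse], rule: PulseRule) -> List[Pulse]:
    """Pulses that pass the X-or-Y rule AND overlap the window (partial overlap counts)."""
    return [p for p in pulses
            if (p.width_ns >= rule.min_width_ns or p.amp_v >= rule.min_amp_v)
            and p.t_start_ns < window.t1_ns and p.t_start_ns + p.width_ns > window.t0_ns]


def reason_code(diag: int, pg: int) -> str:
    """Cause class from the DIAG/PG encoding (example policy taken from the page's templates)."""
    if pg == 0:
        return "SUPPLY_MISSING" if diag else "INTENTIONAL_OFF"
    return "FAULT_OFF" if diag else "NORMAL_OFF"


def make_record(event: str, trace: List[float], dt_ns: float, baseline_v: float,
                rule: PulseRule, windows: List[Window], out_state: str, diag: int, pg: int) -> Dict:
    """Structured fixture record: Event / Measured / Encoding / Thresholds / Result."""
    pulses = find_pulses(trace, dt_ns, baseline_v, rule)
    per_window = {w.name: valid_pulses_in(w, pulses, rule) for w in windows}
    count = sum(len(v) for v in per_window.values())
    widths = [p.width_ns for v in per_window.values() for p in v]
    return {
        "event": event,
        "pulse_count": count,
        "max_pulse_width_ns": max(widths, default=0.0),
        "window_duration_ns": {w.name: w.t1_ns - w.t0_ns for w in windows},
        "encoding": {"OUT": out_state, "DIAG": diag, "PG": pg},
        "reason_code": reason_code(diag, pg),
        "thresholds": {"X_ns": rule.min_width_ns, "Y_v": rule.min_amp_v, "N": rule.max_count},
        "result": "PASS" if count <= rule.max_count else "FAIL",
    }


def constructed_trace() -> List[float]:
    """Constructed OUT waveform in volts, 10 ns per sample, 0 V = Force-Low default."""
    v = [0.0] * 40
    v[5] = 0.3             # 50 ns: a 10 ns runt below both X and Y -> not a valid pulse
    v[20:23] = [2.5] * 3   # 200-230 ns: valid pulse, but between the two windows
    v[30:33] = [2.5] * 3   # 300-330 ns: valid pulse inside the recovery window -> FAIL
    return v


# Constructed thresholds standing in for the page's X/Y/N placeholders.
RULE = PulseRule(min_width_ns=20.0, min_amp_v=1.0, noise_floor_v=0.1, max_count=0)
WINDOWS = [Window("entry", 0.0, 150.0), Window("recovery", 250.0, 400.0)]

if __name__ == "__main__":
    print(make_record("UVLO_S", constructed_trace(), 10.0, 0.0, RULE, WINDOWS, "LOW", 1, 0))
```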
Field · black-box logging contract (consistent with DIAG encoding)
Field diagnostics must separate normal-off from fault-off and provide enough context to reproduce the event class in DV or on the fixture.
Minimum log set
- Fail-safe counter: total count and per-class counts (UVLO_P / UVLO_S / control invalid).
- Duration: time spent in fail-safe per event (bucketed or exact).
- Reason code: class derived from DIAG/PG encoding.
- Recovery code: VDD stable / reset released / manual clear (placeholders).
A “fault-off” event must always have a cause class (DIAG/PG) and a recovery code; otherwise it is not diagnosable.
Figure 9 · Test Matrix (Event × Corner × Observation)
This matrix turns “fail-safe default” into structured coverage: event class, corner condition, and observable contract (OUT + DIAG/PG + N=0 pulses).
H2-10 · Design Hooks & Pitfalls
Common field-return pitfalls related to defaults, biasing, return paths, recovery ordering, and diagnosability. Scope is limited to fail-safe-state behavior.
Pitfall 1 · Hi-Z default + external pull-up looks like “active-high”
The system behaves as if a command is asserted during power loss or reset, even though the isolator output is “released”.
Hi-Z is treated as a logic level by downstream biasing; the pulled-up line maps to an active meaning.
Change the default type (Hi-Z → Force-Low) OR keep Hi-Z but define bias to a non-active zone (XΩ range) and encode fault-idle via DIAG.
Pitfall 2 · Return path crosses the isolation gap and drifts the default
Default level changes with cabinet state, cable routing, or nearby switching; behavior differs between bench and system.
A return/coupling path unintentionally bridges domains, changing the effective bias and causing drift during the risk window.
Enforce strict domain partition: no return across the gap; place pull-ups/pull-downs on the domain that defines meaning; re-verify N=0 pulses in entry/recovery.
Pitfall 3 · EN pin floating causes random recovery / oscillation
Outputs appear to recover and drop repeatedly, or show intermittent pulses around brownout.
EN/RESET lacks a deterministic bias; noise and leakage toggle the control input during the undefined region.
Add explicit bias to EN/RESET (XΩ) and gate output validity until tREC completes; verify the control contract with injection tests.
Pitfall 4 · Multi-channel skew restores some lanes early and triggers mis-sequencing
One control line becomes active earlier than others after recovery, causing an unintended sequence.
Recovery is not aligned across channels; some lanes become valid before the system declares outputs valid.
Use a common gate (EN) to align release OR enforce a contract that all lanes remain in default until tREC; verify with bring-up order scripts.
Pitfall 5 · DIAG shared on a bus makes diagnosability unavailable
Field sees “OFF” but cannot tell normal-off vs fault-off; DIAG cannot be reliably read during bus activity.
Diagnostic signaling is multiplexed onto a shared line whose state masks fault encoding.
Provide a dedicated diagnostic hook (DIAG/PG/FAULT) OR use an encoding that is always observable when the system is in default; validate observability in production tests.
Figure 10 · Pitfall Anatomy (wrong vs right wiring)
Wrong wiring breaks meaning and observability. Right wiring keeps domains separated, biases deterministic, and diagnostics readable.
H2-11 · Quick Pairings
Shortest-path system templates for fail-safe defaults and diagnosability. Scope: default behavior + wiring hooks + minimal diagnostic lines. No deep selection tables (Key Specs & Selection), no standards detail (Safety), no protocol stacks (Interfaces).
Pairing A Motor / Inverter — default-off control + readable fault class
Any supply anomaly, reset, or undefined input must force gate drive control to a deterministic OFF state and expose a diagnosable reason.
- Isolated gate-driver control lanes: EN + FLT/DIAG + (optional) READY/PG.
- Isolated bias: secondary bias with PG/UVLO exported to logic.
- EN default: Force-Low / default-off (no “MCU will fix it later”).
- Undefined region coverage: require N=0 valid pulses in entry/recovery windows (pulse rule X/Y placeholders).
- Recovery contract: declare outputs valid only after PG=1 and tREC = X (placeholder).
- External bias: add deterministic pull for EN/RESET (XΩ placeholder) to prevent floating toggles.
Minimum set: EN (action) + DIAG/FLT (reason) + PG (supply class). Example encoding: EN=OFF & DIAG=0 → normal off; EN=OFF & DIAG=1 → fault off; PG=0 → supply missing class.
- Isolated gate drivers: TI UCC21520, TI UCC21750; Silicon Labs Si8239.
- Digital isolator for control/DIAG lanes: ADI ADuM140x, ADI ADuM141x; TI ISO7741; Silicon Labs Si864x.
- Isolated bias modules: Murata MGJ2 / MGJ6 series; RECOM RxxPxx (isolated DC-DC families).
- Transformer driver for bias (discrete): TI SN6505 + Würth transformer 750315371 (example).
Pairing B BMS / HV Systems — silent-by-default comms + PG + heartbeat
On power loss or invalid states, isolated communications must default to a safe silent state and remain diagnosable (normal silent vs fault silent).
- Isolated comms link: isolated CAN-FD / RS-485 transceiver, or transformer-coupled isoSPI style link.
- Isolated power with PG: expose secondary PG/UVLO class to the controller side.
- Simple heartbeat: a minimal “alive” indicator across the barrier (no protocol stack required).
- Default: bus release (Hi-Z) where appropriate + external fail-safe bias (XΩ placeholder) so “released” never maps to “active”.
- Contention avoidance: avoid force-low vs pull-up conflict unless contention current is budgeted.
- Recovery: define “bus valid” only after PG=1 and tREC (placeholder).
Minimum set: BUS released (action) + DIAG (reason) + PG (supply class) + HB (alive). HB indicates activity; DIAG/PG indicates why silence occurs.
- Isolated CAN / CAN-FD transceivers: TI ISO1042 (isolated CAN), TI ISO1050 (isolated CAN).
- Isolated RS-485 transceivers: TI ISO1410, ADI ADM2682E (family example).
- isoSPI / transformer-coupled link: ADI (Linear Tech) LTC6820 (isoSPI interface).
- Digital isolators for HB/DIAG/PG lanes: TI ISO7721, ADI ADuM120x, Silicon Labs Si862x.
Pairing C Precision Sampling — clock quiet-by-default + data-valid contract
Prevent false sampling/sync during brownout or reset by forcing clock/data into a controlled quiet state and exposing a readable validity signal.
- Clock isolation: clock isolator with enable gating (EN default-off) or clock lane through a digital isolator with explicit gating.
- Data isolation: data lanes + a dedicated DATA_VALID (or DIAG) lane.
- Isolated low-noise power: PG exported as a prerequisite for “valid”.
- Clock default: CLK_EN default-off; clock output must be quiet (no uncontrolled edges).
- Data default: data idle/silent plus VALID=0 (do not masquerade “forced 0” as valid data).
- Recovery ordering: PG OK → clock release → VALID asserted after tREC/tSTARTUP (placeholders).
- No-glitch: N=0 valid pulses on clock/data edges inside entry/recovery windows (X/Y/N placeholders).
Minimum set: CLK_EN (action) + DATA_VALID (validity) + DIAG/PG (reason). Example: VALID=0 & DIAG=0 → intentional quiet; VALID=0 & DIAG=1 → fault quiet.
- Digital isolators usable for clock/data lanes (with gating): TI ISO7741, ADI ADuM141E, Silicon Labs Si866x.
- Low-jitter differential isolation (example class): ADI ADN4650 (LVDS isolation family example).
- Isolated ΔΣ modulators (sensing class): ADI AD7403 / AD7405.
- Isolated amplifiers (high-side measurement class): TI AMC1301, TI AMC3301.
Pairing D Medical HMI — isolated USB + PG + low-leakage strategy hook
During faults or power loss, the service/HMI port must default to a safe quiet state and remain diagnosable; leakage strategy is referenced but not expanded here.
- USB isolation: isolate data paths and, where needed, separate VBUS handling.
- Isolated power with PG: export PG to distinguish “no response due to power” vs “intentional off”.
- Diagnostic hook: DIAG/PG visible to the host-side controller.
- Default: USB data quiet/released in fail-safe; avoid ambiguous “half-powered” states.
- PG priority: declare port valid only after PG=1 and tREC (placeholder).
- Low leakage strategy: minimize barrier leakage paths (details belong to Safety & Compliance page).
Minimum set: USB quiet/release (action) + PG (supply class) + DIAG (reason). Example: PG=0 → supply class; PG=1 & DIAG=1 → fault quiet.
- USB isolators: ADI ADuM3160 (USB FS), ADI ADuM4160 (USB FS/LS), TI ISOUSB211 (USB isolation family example).
- Isolated DC-DC modules (medical/industrial classes): Murata NXJ series (family example), RECOM RxxPxx isolated families.
- Digital isolators for DIAG/PG sideband: TI ISO7721, ADI ADuM120x.
Figure 11 · System Pairing Block Diagram (defaults + diagnostics wiring)
Each template explicitly wires action defaults (EN/CLK_EN/bus release) and diagnostic lines (DIAG/PG/VALID/HB) to avoid field ambiguity.
H2-12 · FAQs
Review / acceptance / field-rework clarifications only. Each answer is fixed to four lines: Likely cause / Quick check / Fix / Pass criteria (threshold placeholders X/Y/N).
Output should default-low, but field sees random highs during power-down — first suspect? Default + Bias
Likely cause: output is effectively Hi-Z during the VDD fall/UVLO region, and an external pull/coupling lifts the line to “high”.
Quick check: scope OUT during the entry window; confirm whether OUT is actively driven low or released while VDD crosses UVLO.
Fix: enforce Force-Low default (or add/relocate the correct-domain bias resistor) and gate validity until PG=1.
Pass criteria: in the entry window, valid pulses N=0 under the pulse definition (width≥X or amplitude≥Y), and OUT stays LOW (or in its defined state) for the whole window duration.
Two labs disagree on “glitch-free” — what definition is usually mismatched first? Definition
Likely cause: labs use different “valid pulse” rules (width threshold, amplitude threshold, measurement bandwidth, or observation window).
Quick check: align the pulse definition first: width≥X ns OR amplitude≥Y V, plus the exact entry/recovery windows.
Fix: publish a single test contract: pulse rule + scope bandwidth + window start/stop points tied to UVLO/PG/RESET edges.
Pass criteria: both labs report the same metric set (N, max pulse width, max amplitude) and meet N=0 within the defined windows.
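Added example (not part of the original page): the shared test contract from this FAQ as a Python script run over a constructed scope capture. The UVLO level (2.4 V), the window length (300 ns), the idle band and both labs' X/Y values are assumed placeholders, and the capture is synthetic. The same record yields N=1 under one pulse rule and N=0 under the other, which is the mismatch the FAQ describes; once both labs run the same rule and window they report the same metric set.

```python
"""Glitch-free metric set over a constructed scope capture.

Added example, not from the original page. It implements the test contract the
FAQ asks both labs to share: a pulse rule (width >= X ns OR amplitude >= Y V),
an observation window tied to the UVLO crossing, and one reported metric set
(N, max pulse width, max amplitude). The capture below is constructed, not a
measurement; the UVLO level, window length and the two labs' X/Y values are
illustrative placeholders, not data sheet numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PulseRule:
    min_width_ns: float        # X: a pulse at least this wide counts
    min_amp_v: float           # Y: a pulse at least this high counts
    idle_band_v: float = 0.2   # excursions inside this band are noise, not candidates


@dataclass(frozen=True)
class Pulse:
    t_start_ns: float
    width_ns: float
    amp_v: float


def uvlo_crossing_ns(t_ns, vdd_v, uvlo_v):
    """Time at which VDD first falls through uvlo_v (window start), or None."""
    for i in range(1, len(vdd_v)):
        if vdd_v[i - 1] >= uvlo_v > vdd_v[i]:
            return t_ns[i]
    return None


def candidate_pulses(t_ns, out_v, idle_v, idle_band_v, t0_ns, t1_ns):
    """Group consecutive in-window samples that leave the idle band into pulses."""
    pulses, start, peak = [], None, 0.0
    for t, v in zip(t_ns, out_v):
        excursion = abs(v - idle_v)
        if t0_ns <= t <= t1_ns and excursion > idle_band_v:
            if start is None:
                start, peak = t, excursion
            else:
                peak = max(peak, excursion)
        elif start is not None:
            pulses.append(Pulse(start, t - start, peak))   # width at sample resolution
            start = None
    if start is not None:
        pulses.append(Pulse(start, t_ns[-1] - start, peak))
    return pulses


def glitch_metrics(pulses, rule):
    """Apply the pulse rule and report the metric set both labs must publish."""
    valid = [p for p in pulses
             if p.width_ns >= rule.min_width_ns or p.amp_v >= rule.min_amp_v]
    return {
        "N": len(valid),
        "max_width_ns": max((p.width_ns for p in valid), default=0.0),
        "max_amp_v": max((p.amp_v for p in valid), default=0.0),
        "pass": not valid,
    }


# ---- constructed capture: 1 ns sample period, 600 ns record ----
T_NS = [float(i) for i in range(600)]
VDD_V = [3.3 - 3.3 * t / 600.0 for t in T_NS]   # linear power-down ramp
OUT_V = [0.0] * 600                                # OUT nominally forced low
for i in range(200, 240):
    OUT_V[i] = 2.5                                 # 40 ns, 2.5 V excursion
for i in range(300, 304):
    OUT_V[i] = 0.4                                 # 4 ns, 0.4 V sliver

UVLO_V = 2.4              # assumed UVLO threshold
ENTRY_WINDOW_NS = 300.0   # assumed window length after the crossing

LAB_A = PulseRule(min_width_ns=20.0, min_amp_v=1.0)   # lab A's X/Y
LAB_B = PulseRule(min_width_ns=50.0, min_amp_v=3.0)   # lab B's X/Y


def run_contract(rule, t_ns=T_NS, vdd_v=VDD_V, out_v=OUT_V):
    """Full contract: window from the UVLO crossing, candidates, then the metric set."""
    t0 = uvlo_crossing_ns(t_ns, vdd_v, UVLO_V)
    pulses = candidate_pulses(t_ns, out_v, 0.0, rule.idle_band_v, t0, t0 + ENTRY_WINDOW_NS)
    return {"window_start_ns": t0, **glitch_metrics(pulses, rule)}


if __name__ == "__main__":
    for name, rule in (("lab A", LAB_A), ("lab B", LAB_B)):
        print(name, run_contract(rule))
```

Run as a script to print both metric sets. Scope bandwidth is a capture setting, not something the script can recover from the samples, so it still has to be pinned in the written contract alongside the pulse rule and window edges.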
Hi-Z default is used, but the system still triggers — what external bias did we forget? Bias
Likely cause: missing or wrong-side pull resistor; released bus/line resolves to an active meaning by downstream biasing.
Quick check: verify that Rpull/Rbias exists, that its value is within range (XΩ–YΩ), and that it is placed on the domain that defines “idle”.
Fix: add/relocate the bias to enforce a non-active idle; if needed, change default type (Hi-Z → Force-Low) for safety-critical lines.
Pass criteria: with isolator in Hi-Z, the line settles to the intended idle level within X ms, and no false trigger occurs across Y power cycles (N=0 events).
Primary off, secondary on: why does OUT chatter — missing which pin priority rule? Priority
Likely cause: EN/RESET/UVLO priority is undefined, so a floating/invalid input is treated as toggling during asymmetrical supply conditions.
Quick check: force EN=0 and assert RESET while the primary is off; check whether OUT becomes deterministic or still chatters.
Fix: define priority: UVLO/PG → forces fail-safe; RESET/EN → clamps outputs until VDD stable and tREC completes; add deterministic bias to EN/RESET.
Pass criteria: for “primary off, secondary on”, OUT stays in the defined fail-safe state and DIAG indicates the correct class; valid pulses N=0 within window Y.
DIAG says fail-safe, but OUT looks normal — fastest encoding sanity check? Encoding
Likely cause: “normal-off” and “fault-off” share the same OUT level, but the DIAG meaning (polarity / timing / sampling point) is misinterpreted.
Quick check: reproduce a known trigger (UVLO_S or UVLO_P) and verify the truth-table row: (OUT state + DIAG + PG) matches the contract.
Fix: lock a minimal encoding: OUT defines action; DIAG/PG defines class; specify when DIAG is valid (after X ms or after PG edge).
Pass criteria: for each injected event, the observed row matches the expected row for ≥Y ms and DIAG flips at most N times.
Recovery works on bench, fails in cabinet — what power sequence corner was not tested? Sequence
Likely cause: missing corner: supply ordering (VDD1 first / VDD2 first), different ramp rate, or brownout plateau that keeps logic in the undefined region.
Quick check: run the same cabinet sequence on bench: order + ramp rate + plateau time; compare against the DV script.
Fix: extend verification to include the cabinet sequence; enforce recovery gating (PG=1 + tREC) and add holdoff/hysteresis if needed.
Pass criteria: across all defined sequences (A/B/C), recovery completes within X ms and outputs remain fail-safe until release; valid pulses N=0 in windows Y.
Multi-channel isolator: one line recovers earlier and causes mis-sequencing — what skew budget check? Skew
Likely cause: channel-to-channel propagation / enable-release skew is not budgeted, so one control lane becomes “valid” before others.
Quick check: measure lane-to-lane release timing relative to a common event (PG or EN edge) and compare to the allowed skew X.
Fix: align release with a common gate (shared EN) or hold all lanes in default until a single “release” condition is met.
Pass criteria: release skew ≤ X ns across corners, and sequence-dependent faults do not occur across Y cycles (N=0 mis-sequence events).
Enable pin floating causes intermittent wake — what pull strategy is safest? EN Bias
Likely cause: EN/RESET lacks deterministic bias, so noise/leakage toggles it during brownout or after hot-plug.
Quick check: temporarily strap EN to the intended default (LOW or HIGH) and confirm the intermittent wake disappears.
Fix: add a defined pull (Rbias XΩ–YΩ) on the correct domain; avoid “weak” pulls that lose to leakage/coupling; gate output validity to PG.
Pass criteria: EN state remains stable through the entire entry/recovery windows (at most N toggles), and the system shows N=0 unintended wakes over Y cycles.
Brownout causes repeated enter/exit fail-safe — what hysteresis/holdoff knob is missing? Brownout
Likely cause: UVLO thresholds or release conditions are too tight; no holdoff causes chattering around the boundary.
Quick check: record VDD vs state transitions; confirm repeated toggles occur within a small VDD band around UVLO (ΔV ≈ X).
Fix: add hysteresis (UVLO_ENTER vs UVLO_EXIT) and a minimum holdoff time (tHOLD = X) before allowing recovery.
Pass criteria: for a brownout plateau test (VDD near UVLO for Y), state transitions ≤ N and outputs remain glitch-free (N=0 valid pulses).
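Added example (not part of the original page): the brownout plateau test from this FAQ, together with the recovery contract used throughout the pairings (PG=1 followed by tREC before outputs are declared valid), as a small Python state machine. It compares a tight configuration (UVLO_ENTER equal to UVLO_EXIT, no holdoff) against one with hysteresis plus a holdoff before PG. All voltages, times and the VDD trace are constructed placeholders, not device data.

```python
"""UVLO hysteresis + holdoff + tREC recovery gating, as a state machine.

Added example, not from the original page. It simulates the FAQ's brownout
plateau test: VDD sits in a narrow band around the UVLO level with ripple,
then recovers. A "tight" configuration (UVLO_ENTER == UVLO_EXIT, no holdoff)
chatters; a configuration with hysteresis, a minimum holdoff before PG, and
tREC before OUT is declared valid does not. All voltages, times and the
trace itself are constructed placeholders, not device data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UvloConfig:
    uvlo_enter_v: float   # falling below this enters fail-safe (PG=0)
    uvlo_exit_v: float    # must stay at/above this to leave fail-safe
    t_hold_us: float      # minimum time above uvlo_exit before PG asserts (tHOLD)
    t_rec_us: float       # tREC after PG=1 before OUT may be declared valid


def simulate(t_us, vdd_v, cfg):
    """Walk the trace; return the event list and a summary of the chatter."""
    state = "FAILSAFE"                    # FAILSAFE -> PG -> VALID
    events, above_since, pg_at = [], None, None
    for t, v in zip(t_us, vdd_v):
        if state == "FAILSAFE":
            if v >= cfg.uvlo_exit_v:
                if above_since is None:
                    above_since = t       # holdoff timer starts here
                if t - above_since >= cfg.t_hold_us:
                    state, pg_at = "PG", t
                    events.append((t, "PG=1"))
            else:
                above_since = None        # holdoff restarts on any dip
        elif v < cfg.uvlo_enter_v:
            state, above_since, pg_at = "FAILSAFE", None, None
            events.append((t, "PG=0"))    # outputs forced back to default
        elif state == "PG" and t - pg_at >= cfg.t_rec_us:
            state = "VALID"
            events.append((t, "OUT_VALID"))
    pg_transitions = sum(1 for _, e in events if e.startswith("PG="))
    valid_at = next((t for t, e in events if e == "OUT_VALID"), None)
    return events, {"pg_transitions": pg_transitions,
                    "out_valid_at_us": valid_at,
                    "final": state}


# ---- constructed brownout plateau: 1 us samples ----
T_US = [float(i) for i in range(160)]
# 100 us plateau at 2.40 V with +/-0.05 V square ripple (5 us half period), then 3.3 V
VDD_V = [2.40 + (0.05 if (i // 5) % 2 == 0 else -0.05) if i < 100 else 3.3
         for i in range(160)]

TIGHT = UvloConfig(uvlo_enter_v=2.40, uvlo_exit_v=2.40, t_hold_us=0.0, t_rec_us=10.0)
HYSTERESIS = UvloConfig(uvlo_enter_v=2.30, uvlo_exit_v=2.55, t_hold_us=20.0, t_rec_us=10.0)


def compare():
    """Summaries for both configurations on the same plateau trace."""
    return {"tight": simulate(T_US, VDD_V, TIGHT)[1],
            "hysteresis": simulate(T_US, VDD_V, HYSTERESIS)[1]}


if __name__ == "__main__":
    for name, summary in compare().items():
        print(name, summary)
```

The tight configuration produces a PG transition every 5 µs for the whole plateau and declares OUT valid at 110 µs; the hysteresis configuration sits in fail-safe through the plateau, asserts PG once at 120 µs, and releases OUT at 130 µs. The pass criterion of at most N transitions in the plateau test is just a check on `pg_transitions`.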
Production test passes, field fails — what fixture assumption about ramp rate is wrong? Fixture
Likely cause: production uses an unrealistically fast or clean ramp, missing slow-fall or plateau behaviors that trigger undefined-region glitches.
Quick check: measure fixture dV/dt and compare to field dV/dt; reproduce the slower case on the bench.
Fix: update production script to include ramp-rate coverage (X–Y), plus a brownout hold; keep the same pulse definition and windows.
Pass criteria: across ramp rates X–Y and hold time Y, outputs meet glitch-free rule (N=0) and DIAG encoding matches expected class.
Fail-safe receiver reports the wrong idle — is this the “default idle” vs “fault idle” confusion? Idle Meaning
Likely cause: the system treats “released/biased idle” as a valid idle state, but the diagnostic contract does not distinguish fault-idle.
Quick check: compare two cases: (A) intentional idle with supplies OK vs (B) induced UVLO; verify if OUT looks the same but DIAG differs.
Fix: define two-idle contract: OUT shows action (idle), DIAG/PG encodes cause (normal idle vs fault idle); ensure DIAG is always observable.
Pass criteria: case A and B produce distinct encodings for ≥Y ms; misclassification events N=0 over Y cycles.
Review asks for single-point failure diagnosable — what minimum signals should be logged? Logging
Likely cause: logs capture only OUT behavior, so “normal silent” cannot be separated from “fault silent”.
Quick check: list available observables and confirm whether at least one “cause line” exists (DIAG/PG/VALID/HB) besides OUT.
Fix: log the minimum set: OUT state + DIAG + PG (and VALID/HB if used), plus event timestamps and recovery code; keep class mapping stable.
Pass criteria: every fail-safe occurrence is classified (UVLO_P/UVLO_S/EN/RESET) with ≥X fields recorded; unknown-class rate N=0 over Y events.
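Added example (not part of the original page): the minimal class encoding used in the pairing templates (action line defines the action, DIAG/PG define the class), the encoding sanity check from the FAQ above (DIAG trusted only after the PG edge plus a settling time; DIAG=1 with an active output is a contract violation), and this FAQ's logging check (required fields present, every event classified into UVLO_P/UVLO_S/EN/RESET, unknown-class count) in one Python script. The record layout, field names, settling time and the log entries are assumptions constructed for illustration.

```python
"""Encoding sanity check and fail-safe log validation.

Added example, not from the original page. Implements the minimal class
encoding used in the pairings (OUT/action line defines the action, DIAG/PG
define the class), the FAQ rule that DIAG is trusted only after PG has been
high for a settling time, and the logging minimum set check. The record
layout, field names, settling time and the log lines below are constructed
assumptions for illustration, not a project format.
"""
from dataclasses import dataclass
from typing import Optional

DIAG_SETTLE_MS = 2.0      # assumed: DIAG trusted only this long after the PG rising edge
KNOWN_CAUSES = {"UVLO_P", "UVLO_S", "EN", "RESET"}
REQUIRED_FIELDS = ("t_ms", "out_active", "diag", "pg", "cause", "recovery_code")


@dataclass(frozen=True)
class Observation:
    t_ms: float
    out_active: bool                     # True = line is driving its active meaning
    diag: int                            # 1 = fail-safe asserted
    pg: int                              # 1 = secondary supply good
    pg_edge_ms: Optional[float] = None   # last PG rising edge, if known


def classify(obs: Observation) -> str:
    """Map an observed (OUT, DIAG, PG) row to a class name; PG is evaluated first."""
    if obs.pg == 0:
        return "supply-missing"
    if obs.pg_edge_ms is not None and obs.t_ms - obs.pg_edge_ms < DIAG_SETTLE_MS:
        return "diag-not-yet-valid"      # too early after the PG edge to trust DIAG
    if obs.diag == 1:
        # DIAG says fail-safe: the action line must show the default, never active
        return "fault-off" if not obs.out_active else "contract-violation"
    return "normal-off" if not obs.out_active else "normal-active"


def validate_log(records, min_fields=len(REQUIRED_FIELDS)):
    """Return (unknown_class_count, problems) for a list of dict records."""
    problems, unknown = [], 0
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing or len(rec) < min_fields:
            problems.append((i, "missing fields: " + ",".join(missing)))
        cause = rec.get("cause")
        if cause not in KNOWN_CAUSES:
            unknown += 1
            problems.append((i, f"unknown cause class: {cause!r}"))
        row = classify(Observation(rec.get("t_ms", 0.0), rec.get("out_active", False),
                                   rec.get("diag", 0), rec.get("pg", 0),
                                   rec.get("pg_edge_ms")))
        if row == "contract-violation":
            problems.append((i, "DIAG=1 while OUT active"))
    return unknown, problems


# ---- constructed log: one dict per fail-safe occurrence ----
SAMPLE_LOG = [
    {"t_ms": 10.0, "out_active": False, "diag": 0, "pg": 1, "cause": "EN",
     "recovery_code": 0, "pg_edge_ms": 0.0},                       # normal off
    {"t_ms": 55.0, "out_active": False, "diag": 1, "pg": 1, "cause": "UVLO_S",
     "recovery_code": 3, "pg_edge_ms": 0.0},                       # fault off
    {"t_ms": 80.0, "out_active": False, "diag": 1, "pg": 0, "cause": "UVLO_P",
     "recovery_code": 1},                                          # supply missing
    {"t_ms": 120.5, "out_active": True, "diag": 1, "pg": 1, "cause": "UVLO_S",
     "recovery_code": 3, "pg_edge_ms": 119.0},                     # 1.5 ms after PG edge
    {"t_ms": 200.0, "out_active": True, "diag": 1, "pg": 1, "cause": "???",
     "recovery_code": 3, "pg_edge_ms": 150.0},                     # violation + unknown class
    {"t_ms": 250.0, "out_active": False, "diag": 0, "pg": 1, "cause": "RESET"},  # field missing
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        obs = Observation(rec["t_ms"], rec["out_active"], rec["diag"], rec["pg"],
                          rec.get("pg_edge_ms"))
        print(rec["t_ms"], classify(obs))
    print(validate_log(SAMPLE_LOG))
```

The pass criterion "unknown-class rate N=0 over Y events" is the first element of `validate_log`'s result; the second element lists every record that fails the minimum-field or contract checks, so a review can point at specific occurrences rather than at the log as a whole.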