123 Main Street, New York, NY 10001

Submit Your BOM

Intrinsic Safety Sensor Node (Ex i) Architecture & Certification Hooks

Intrinsic Safety Sensor Node (Ex i) Architecture & Certification Hooks

← Back to: Industrial Sensing & Process Control

This page turns “build an Ex i sensor node” into an engineering checklist: how to constrain available energy, how to demonstrate safety under faults, and how to design self-test + evidence hooks that reduce certification friction.

H2-1. Page Mission & What Ex i Really Means for a Sensor Node

Intrinsic safety (Ex i) is best treated as an energy envelope that must remain valid during credible faults and be supported by verifiable evidence. A sensor node is not made “Ex i” by adding isolation or a clamp alone. The design must bound voltage / current / power and also bound stored energy in capacitance and inductance across the complete hazardous-area circuit, including cables.

A practical way to design Ex i hardware is to assume a cert lab will repeatedly return to three questions: (1) What sets the maximum energy that can reach the hazardous area? (2) Which faults can break that limit? (3) How can the limit be proven quickly and repeatably? This page is organized to answer those questions with design actions and measurable proof, rather than clause-by-clause regulation text.

Core takeaway: Ex i is an engineering contract: Energy envelope (U/I/P + stored C/L) + fault tolerance + auditable diagnostics.

Design-at-a-glance checklist (mechanically testable)

Budget Uo/Io/Po and Co/Lo, allocate owners, keep margin.
Inventory every energy store: caps, inductors, TVS/ESD parasitics, battery.
Implement limiting as a system: current limit + foldback + thermal containment.
Default state is safe: resets/brownouts force the node into a limited-energy mode.
No bypass paths: production test / updates cannot disable the limiter.
Provide measurement hooks: inrush, Ilimit, Vnode, temperature, fault flag.
Self-test plan: boot + periodic + on-demand; define pass/fail thresholds.
Fault evidence: latched fault codes, counters, and version/build identifiers.
Cable is a design input: lock length/type or budget worst-case C/L explicitly.
Change control: separate “configurable” from “safety-locked” parameters.

Figure 1. Ex i sensor node design intent: energy envelope + faults + evidence hooks (schematic overview).

Ex i Sensor Node: What must be bounded and proven Energy envelope + fault behavior + evidence hooks 1) Energy envelope • U/I/P limits (Uo/Io/Po) • Stored energy (Co/Lo vs Ci/Li) • Cable/connector C/L budget 2) Fault tolerance • Short/open/miswire • Limiter stuck-on / drift • Brownout/reset states 3) Evidence hooks • Test points & waveforms • Fault logs & counters • Version/traceability IDs Reference partition (concept) Safe area Barrier / isolation Hazardous-area node Limiter + MCU + sensors Field wiring How this page is written • Every claim maps to a proof: calculation sheet + waveform pack + diagnostic log fields. • Focus is engineering decisions and evidence, not legal clause interpretation.
Cite this figure: Section link | Copy link

H2-2. Ex i Constraint Model: Energy Envelope, Entity Parameters, and Zones

Certification conversations become straightforward when the design is expressed as a constraint model: a small set of parameters that bound how much energy can be delivered into the hazardous area, plus a clear inventory of where energy can be stored and later released. This chapter introduces that model in engineering terms so that each parameter maps to a concrete circuit lever and a measurable proof item.

Use one consistent proof structure for every parameter

(A) Risk meaning What ignition-relevant energy source the parameter represents (delivered power vs stored energy).
(B) Hardware control Which mechanisms set the bound (limiter topology, impedance, thermal containment, partitioning).
(C) Proof artifact What can be shown repeatedly: calculation sheet + short/overload waveforms + logs/counters.
(D) Change sensitivity What commonly breaks compliance: cable swap, “harmless” capacitor change, ESD/TVS substitution, firmware mode change.

Entity parameters mapped to design actions (engineering view)

Parameter Meaning in design terms What controls it in hardware How to prove it (evidence fields)
Uo / Io / Po Maximum voltage/current/power the interface can deliver into the hazardous area under worst-case conditions. Current limit + foldback, series impedance, power limiting policy, thermal limit behavior, safe default states. Max-power measurement record, short/overload waveform pack (response time + steady limit), thermal steady-state under fault.
Co vs Ci Allowed capacitance on the loop (Co budget) vs the capacitance the equipment contributes (Ci load). Input-cap control (distributed caps), elimination of hidden C (ESD/TVS/filter), connector/cable capacitance budgeting. Stored-energy inventory (cap list), worst-case energy calc sheet, inrush/charge waveform, discharge behavior under limiter action.
Lo vs Li Allowed inductance on the loop (Lo budget) vs inductance contributed by the equipment/cable (Li load). Limit peak current, avoid large energy-storing inductors in the hazardous loop, control loop energy during faults. Peak current waveform, inductor inventory, limiter response timing, worst-case energy estimate using ½·L·I² at fault.
Pi Input power / dissipation behavior that influences how long energy can be sustained and how thermal effects evolve. Power-tree partitioning (always-on vs duty-cycled), brownout policy, thermal foldback, mode constraints. Power budget table by mode, thermal rise curves, “worst-case mode” definition tied to firmware states.

Why cables and connectors often decide the margin

Ex i designs commonly fail late not because the limiter is weak, but because the loop’s effective capacitance and inductance were underestimated. Cable length, cable type, and connector/ESD choices can silently consume the Co/Lo budgets. Treat field wiring as a first-class input: specify it, bound it, or explicitly allocate worst-case values in the budget ledger.

Budget ledger practice: Co budget = cable C + connector/ESD C + device Ci + margin; Lo budget = cable L + loop Li + margin. Any supplier change that alters cable C/L or ESD/TVS parasitics is a compliance trigger.

High-level implication of zone / gas group (trend only)

When the target environment becomes more stringent, the practical consequence is predictable: less allowable stored energy, tighter margins for Co/Lo, stricter expectations for fault behavior, and higher value placed on repeatable proof artifacts. The design approach is to pick an envelope early, maintain margin through component control, and make evidence collection simple through test points and diagnostic logs.

Evidence fields to design for (the audit-friendly bundle)

  • Parameter ledger: Uo/Io/Po + Co/Lo budgets with ownership and remaining margin.
  • Stored-energy inventory: every C/L contributor including “hidden” parasitics from protection parts.
  • Waveform pack: inrush, overload/short, foldback timing, recovery policy, brownout/reset behavior.
  • Thermal pack: worst-case mode dissipation + temperature stabilization under fault and recovery.
  • Diagnostic pack: fault codes, counters, build/version IDs, and a reproducible log extraction procedure.

Figure 2. Energy-envelope map: delivered power (U/I/P) and stored-energy budgets (C/L) including cable impact.

Energy Envelope Map (engineering view) Delivered limits + stored energy inventory + cable budgeting Interface / Source side Uo / Io / Po are bounded here Limiter + impedance + thermal Proof: short/overload waveforms + max-P record Field wiring Cable C/L consumes Co/Lo Connector/ESD adds hidden C Action: lock cable type/length Hazardous-area node Ci / Li are contributed here Pi shapes worst-case modes Proof: energy inventory + mode power table Budget ledger (what must be explicit) Co budget Cable C + connector/ESD C + device Ci + margin Lo budget Cable L + loop Li + margin (limit peak I) Uo/Io/Po: bound delivered energy under fault Pi: define worst-case modes & thermal behavior
Cite this figure: Section link | Copy link

H2-3. System Partitioning: Hazardous-Area Node vs Safe-Area Interface

System partitioning defines where the hard safety boundary lives and therefore defines what must be constrained, verified, and kept under configuration control. A clear boundary prevents “scope creep” during certification: any circuit segment inside the hazardous-area boundary must satisfy the energy envelope under credible faults, including stored energy in capacitance and inductance and any energy that can be sustained by a source.

Partitioning is not just a diagram choice. It controls the engineering workload: how much hardware must be treated as “Ex i critical,” which parameters must be budgeted (U/I/P and C/L), and how much evidence must be prepared (waveforms, thermal data, and logs). The three patterns below cover most practical sensor-node deployments.

Partition patterns (choose by energy source and wiring reality)

Pattern A — Safe-area supply + barrier → hazardous node Energy is sourced outside; the barrier enforces U/I/P limits and the node contributes Ci/Li.
Pattern B — Battery-powered hazardous-area node Stored energy dominates; internal energy inventory + fault containment becomes the main battle.
Pattern C — Galvanic isolation + limited-power island Isolation is required for data/grounding; the isolated island still needs explicit energy limiting.
Decision key Identify the dominant energy source (safe-side vs inside) and lock cable assumptions early.

What changes with each partition (engineering consequences)

Pattern Hard boundary location Primary risk driver Typical “silent margin killers” Certification scope (what must be treated as critical)
A At the barrier output into hazardous wiring Delivered U/I/P at the interface + total loop C/L Bulk caps added “to stop resets”; hidden C from ESD/TVS; longer cable in the field Barrier + output network, hazardous node input (Ci/Li contributors), wiring assumptions (cable type/length)
B Entire node is inside the boundary Stored energy (battery + caps/inductors) and sustained fault energy Energy storage added for RF bursts; inductor energy at fault; unintended bypass paths around limiters Battery path + limiter, energy inventory of all C/L, fault-state policies, self-test and logs that prove limiter health
C At the isolated island boundary Isolation parasitics + island energy limitation + grounding clarity Isolation capacitance assumptions; isolated DC-DC stored energy; “isolation = Ex i” misconception Isolation barrier + isolated power/limiters, island storage elements, interface signals that can inject energy
Design output for certification readiness: A partition diagram that marks the Ex i boundary + a scope list that names every component class inside the boundary (limiters, storage elements, protection parts, wiring assumptions) and the evidence artifacts tied to them.

Figure 3. Partition options for Ex i sensor nodes and the “hard boundary” location.

System Partitioning: where the hard boundary lives Three common patterns and what must be treated as Ex i critical A) Safe-area supply + barrier → hazardous node Safe area Barrier / limiter U/I/P bound Hazardous node Ci/Li contributors Field wiring Hard boundary B) Battery-powered hazardous-area node Battery Limiter Node + storage (Ci/Li) Fault policies + logs Field wiring Boundary includes node C) Galvanic isolation + limited-power island Safe area Isolation barrier Data + grounding Limited-power island Limiter + Ci/Li + logs Hard boundary
Cite this figure: Section link | Copy link

H2-4. Energy-Limiting Front End: eFuse / Current Limit / Thermal Foldback

An Ex i energy-limiting front end is a closed-loop safety function: it must bound delivered energy during transients and faults, sustain a safe steady state if the fault persists, and remain predictable during brownouts and resets. A single component rarely provides the full behavior; the safety function is the combination of electrical limiting, time behavior (foldback or latch policy), and thermal containment.

Three coupled loops that define real-world limiting behavior

Electrical loop (U/I/P bound) Programmable current/power limiting using eFuse/hot-swap, sense elements, and safe default states.
Time behavior (fault sustainability) Foldback or latch-off policy reduces sustained fault energy and prevents “infinite fault power.”
Thermal loop (self-heating under fault) Thermal foldback prevents limiter self-heating from becoming the dominant hazard driver.
Evidence loop (proof artifacts) Waveforms + thermal data + logs prove that limits engage quickly and remain valid across modes.

eFuse / hot-swap as programmable current + power limiting (role clarity)

eFuses and hot-swap controllers are useful because they can implement calibrated limits (current, power, and sometimes dv/dt control) and provide fault reporting. In Ex i contexts, the key is not the brand or part number; the key is whether the device can enforce the required Io/Po envelope under short/overload while respecting Co/Lo constraints and the system’s brownout behavior.

MPN anchors (examples only): TI TPS2595 / TPS25947 (eFuse class), ADI LTC4368 (surge-stopper class), onsemi NCP455xx (load-switch class). Final selection should be budget-driven (Uo/Io/Po + Co/Lo + thermal + fault policy).

Foldback vs constant current limit (why foldback helps fault scenarios)

A constant current limit can keep fault current high even when the load is shorted, which can sustain higher fault power depending on the voltage state and series impedance. Foldback reduces delivered energy when a fault persists by decreasing the allowed current as voltage collapses or as time elapses. This reduces sustained heating and improves the chance that the system remains inside the energy envelope during long-duration faults.

Thermal limit as part of the safety envelope

Limiting devices can become their own heat sources during faults. Thermal foldback ties the electrical envelope to a temperature envelope, preventing the limiter from operating indefinitely in a regime that raises component temperatures into unsafe ranges. Thermal behavior must be evaluated using worst-case ambient, worst-case tolerance, and worst-case mode definitions that are consistent with the partition decision in H2-3.

Handling inrush to input capacitance while staying within Io/Po

Input capacitance is frequently added to prevent resets or support burst loads, but charging that capacitance is itself an energy event. The safe objective is not “no droop”; the objective is to charge the required capacitance without violating the Io/Po constraints and without creating uncontrolled peaks. Practical approaches include controlled dv/dt ramps, staged capacitance, or explicit inrush limiting that is included in the evidence pack.

What to measure (the minimum evidence pack for this chapter)

  • Inrush waveform: peak current, duration, dv/dt behavior, and whether a foldback state is entered.
  • Steady-state limit: stabilized current/power under overload and how the limit is maintained across modes.
  • Short-circuit response time: delay from fault to limit engagement and any overshoot energy during the delay.
  • Thermal steady state: limiter temperature stabilization under sustained fault and recovery policy behavior.
  • Fault reporting/logs: flags, counters, and timestamps/build IDs that prove repeatability.

Figure 4. Energy-limiting front end as a closed-loop safety function (electrical + time + thermal + evidence).

Energy-Limiting Front End (closed-loop safety function) Electrical limiting + time behavior + thermal containment + proof artifacts Supply / interface Uo/Io/Po source Limiter block (eFuse / hot-swap) Current / power limit + dv/dt Fault flags + safe default Hazardous-area island Input caps + loads Time behavior Foldback / latch policy Sustained fault energy control Thermal containment Temperature foldback Worst-case ambient & fault Minimum evidence pack (what to capture) Inrush waveform peak I + duration + dv/dt Short response time delay + overshoot energy Thermal steady state fault temp + recovery Steady limit: I/P under overload across modes Logs: fault flags + counters + build/version ID
Cite this figure: Section link | Copy link

H2-5. Barriers & Isolation Options: Zener Barrier vs Galvanic Isolation

Barrier selection determines how the Ex i boundary behaves in the real system: where clamping occurs, which reference the clamp relies on, how much voltage headroom is lost, and how much “hidden” capacitance is introduced into the loop. Two barrier families cover most designs: Zener barriers (clamp + series impedance) and galvanic isolation (signal isolation, often paired with isolated power).

Zener barrier (clamp-based): simple, but reference-dependent

A Zener barrier is conceptually simple: a series resistance limits fault current while a clamp restricts voltage. The tradeoff is that the clamp action depends on the integrity of its reference (often an earth/ground concept in the safe area). In practice this means the barrier must be treated as part of the system grounding strategy, not just a component. Zener barriers also consume voltage headroom; that headroom loss commonly tempts designers to add bulk capacitance at the node, which can silently consume Co margin if not inventory-controlled.

Galvanic isolation: cleaner grounding, more BOM and power implications

Galvanic isolation improves grounding clarity and breaks ground loops, which is valuable when mixed systems share wiring, when data integrity is sensitive, or when isolation is required beyond Ex i. The tradeoff is BOM/area and the need to manage the isolated side’s power domain. Isolation does not automatically imply intrinsic safety: the isolated domain must still enforce U/I/P limits and must still control stored energy. Isolation components and isolated supplies can add parasitics that behave like “hidden capacitance,” so the design must explicitly account for them in the Co ledger.

Placement rule: connector/cable, clamp reference, and series impedance

Transient energy and fault energy should be intercepted before they can charge node storage. A practical placement rule is to treat the connector as the boundary entry point and ensure that the clamp reference and series impedance are placed such that the hazardous-area storage elements are never “upstream” of limiting action. This reduces uncontrolled peak energy and prevents hidden capacitance from participating in the worst-case transient.

Hidden capacitance watchlist: TVS/ESD arrays, EMI capacitors, connector parasitics, isolation parasitics, and “helpful” bulk capacitors added for reset immunity. Any of these can consume Co and must be inventoried.

MPN anchors (category references)

  • Digital isolators: ADI ADuM series, TI ISO77xx, SiLabs Si86xx (selection must consider channel type, supply, and parasitics).
  • Isolated DC-DC (concept level): select per power budget, startup behavior, output capacitance, and fault response evidence.

Figure 5. Zener barrier vs galvanic isolation and the recommended clamp/series impedance placement relative to the connector.

Barrier Families + Placement Rule Clamp reference, series impedance, and hidden capacitance that consumes Co Zener barrier (clamp-based) Galvanic isolation Connector Cable C/L Series R Clamp (Zener/TVS) ref: earth Earth integrity Hazardous-area node Ci contributors + loads Avoid bulk caps upstream of limiting Recommended: clamp + series impedance near entry Connector Cable C/L Digital isolator Isolated power + output caps Limited-power island must still bound U/I/P Account parasitics as hidden C (Co impact) Hazardous-area node Ci contributors + loads Limiter + logs remain required Hidden C → Co Hidden C → Co
Cite this figure: Section link | Copy link

H2-6. Stored Energy Management: Capacitance, Inductance, and “Sneaky” Energy Sources

Intrinsic safety margin is frequently lost to storage that was not treated as a first-class design object. The limiter may bound delivered current, yet certification can still fail if capacitance and inductance inside the hazardous loop exceed the declared budgets, or if protection and filtering parts add “sneaky” storage through parasitics. This chapter formalizes a stored-energy inventory so that every contributor must “report” into the ledger.

Capacitance (Ci): bulk caps, distributed caps, and peak-energy control

Bulk input capacitors are often added to improve reset immunity, reduce supply ripple, or support burst loads. In Ex i contexts, those capacitors are stored energy that can be released into a fault. The objective is not “maximum hold-up,” but controlled energy: keep Ci within budget, prefer distributed capacitance, and ensure inrush/charge is governed by the limiter policy so peak energy stays bounded.

Inductance (Li/Lo): inductor energy and peak current assumptions

Inductors store energy as ½·L·I², so the dangerous case is not merely the presence of inductance but the combination of inductance and the peak current that can occur during faults. Any DC/DC stage, filter inductor, or wiring loop inductance must be budgeted with an explicit peak-fault-current assumption that is consistent with the limiter response in H2-4.

ESD/TVS and why “bigger TVS” can be counterproductive

Protection parts can silently consume Co margin because many TVS and ESD arrays have significant effective capacitance. A “stronger” clamp is not automatically safer in Ex i loops if its parasitics increase stored energy or create alternative transient energy paths. In Ex i design, TVS/ESD should be evaluated by capacitance + energy path, not only by surge power rating.

Battery-powered nodes: chemistry, internal resistance, and sustained fault energy

When the energy source is inside the hazardous boundary, faults can be sustained rather than transient. Cell chemistry and internal resistance influence the available fault current, but the risk is the total energy delivered during a persistent fault and how the system forces a safe state. Battery path limiting and fault-state policies must be paired with evidence (waveforms, thermal stabilization, and logs).

Stored energy principle: Any component that can charge or magnetize inside the hazardous loop must be inventoried: capacitors, inductors, ESD/TVS, module parasitics, and batteries. Un-inventoried storage is certification margin risk.

Deliverable: stored energy inventory template (audit-friendly ledger)

Item Type Location vs limiter Nominal / tolerance Energy metric Counts toward Evidence Change sensitivity
Input capacitor bank (C1..Cn) Capacitor After limiter (preferred) Value + tolerance + ESR ½·C·V² (use worst-case V) Ci / Co ledger Inventory + inrush waveform High
Filter inductor (Lx) Inductor Inside hazardous loop L + saturation current ½·L·I² (use peak fault I) Li / Lo ledger Peak current waveform High
TVS / ESD array Protection Near connector / at node Capacitance + clamp level Effective C + energy path Hidden C → Co Parasitic C record High
Isolated DC-DC output caps Module + caps Within isolated island Output C + tolerance ½·C·V² (startup/fault) Ci / hidden C Startup waveform + thermal Medium
Battery cell Source Inside boundary Chemistry + internal R Sustained fault energy Fault envelope Short response + logs High

Figure 6. Stored energy inventory map: where Ci/Li and hidden C appear, and why placement matters.

Stored Energy Inventory Map Ci/Li contributors + hidden capacitance that silently consumes Co Connector Cable C/L Limiter I/P limit + foldback Node island MCU + sensors + loads Storage contributors Cap (Ci) Cap (Ci) Prefer distributed caps (no single huge C) Inductor (Li) TVS/ESD EMI C Ledger rules (what must be explicit) Cap energy: ½·C·V² (worst-case V) Inductor energy: ½·L·I² (peak fault I) Hidden C (TVS/ESD/EMI/isolation) must count toward Co Battery node branch (if source is inside boundary) Battery Battery limiter Sustained fault energy Inventory every contributor inside boundary
Cite this figure: Section link | Copy link

H2-7. Low-Power MCU & Power Tree: Always-On Safety vs Application Domains

Deep-sleep operation is only safe when intrinsic-safety functions remain deterministic during voltage droop, reset, and rail transitions. The core architecture is a split-rail power tree: an always-on Safety rail that maintains energy limiting and a duty-cycled Sensor/Radio rail that can be shut down without affecting the safety envelope.

Split rails: assign responsibilities, not just loads

Safety rail (always-on) Limiter enable/state, supervisor/BOR chain, minimum sensing for plausibility, fault capture that proves safe-state control.
Sensor/Radio rail (duty-cycled) MCU application domain, sensors, RF and burst loads; permitted to disappear without violating energy-limited state.
Boundary rule Safety-critical outputs must have hardware defaults (pulls/bleeders) so droop cannot create undefined drive states.
Wake policy Application rail re-enables only after the safety rail confirms stable supply and safe limiter status.

Brownout & reset strategy: prevent unsafe latch states during droop

The hazard is not reset itself but undefined I/O behavior during the brownout band: pins can float or glitch while the core is unstable. Safety-relevant control lines (limiter enable, load switch gates, output drivers) must be designed so that their default is safe even if firmware stops executing. Practical controls include: a supervisor that asserts reset early, fixed pull networks on safety pins, and a power-good chain that gates application-rail enable.

Fail-safe default definition: what “safe” means for this node

  • Outputs off: all external-drive pins and load switches default to a non-energizing state.
  • Energy-limited state maintained: limiter stays in a known safe mode (disabled or bounded) consistent with the partition choice.
  • Controlled recovery: after a reset/brownout, application functions remain inhibited until minimum checks pass.

MPN anchors (examples only)

  • Low-power MCU families: STM32L0/L4, TI MSPM0 / MSP430, NXP LPC/LPC55 low-power modes (use per required reset domains & sleep behavior).
  • Supervisors: TI TPS3839, ADI LTC293x class (thresholds, reset timing, and deterministic release behavior).

Figure 7. Split-rail power tree: always-on safety rail dominates limiter and fail-safe outputs while application rails duty-cycle.

Power Tree: Always-On Safety Rail vs Duty-Cycled App Rail Brownout-safe defaults + supervisor gating + deterministic enable sequence Input / interface U/I/P bounded Limiter (eFuse / hot-swap) EN / foldback / flags Rail split Safety rail App rail Safety rail (always-on) Supervisor / BOR PG / gating Safety FSM (minimal logic) holds limiter + safe outputs Fail-safe outputs Fault capture App rail (duty-cycled) MCU application domain Sensors Radio / bursts May power off in deep sleep Re-enable only after safety checks PG gates app rail Brownout: enforce safe defaults Hardware pulls + supervisor dominate
Cite this figure: Section link | Copy link

H2-8. Safety Diagnostics & Self-Test: What to Test, When, and What Counts as Evidence

A self-test plan is only meaningful when it produces measurable evidence that safety functions still work after sleep, resets, and field aging. The practical approach is layered diagnostics that test the power path, the measurement chain, boundary health indicators, and the firmware integrity guards (watchdog and clock assumptions). Every test must define when it runs, what “pass” means, and which log fields prove repeatability.

Self-test schedule: boot / periodic / on-demand

Boot Minimum checks before enabling app rail: limiter status, supervisor stability, sense plausibility.
Periodic Short, energy-bounded tests during runtime to detect drift: sense sanity, watchdog/clock health, log rollover.
On-demand Maintenance-triggered tests with controlled load pulses; results stored as evidence with monotonic counters.
Evidence rule Each test writes a result code + key metrics; missing records are treated as failure.

Layer 1 — Power-path test (prove the limiter engages safely)

The goal is to prove that current limiting and foldback engage under a controlled stimulus, not to create a maximum fault. A safe approach is a short, bounded load pulse (or commanded sink) that should force a known limiter response. Evidence should include peak current, response time to enter foldback/limit state, and recovery behavior. The test energy budget must remain consistent with the intrinsic-safety envelope.

Layer 2 — ADC/sense sanity (plausibility, redundancy, and drift detection)

Single-channel readings are not sufficient for safety-critical decisions. Plausibility checks should compare redundant paths (two ADC channels, ADC vs comparator flag, or physical constraints such as temperature vs current). Evidence should include raw counts, converted values, and the plausibility verdict code.

Layer 3 — Barrier health indicators (open/short symptoms and loopbacks where feasible)

Barrier “health” is often assessed indirectly: open wiring, short conditions, or degraded communication behavior. Where the interface supports it, monitor pins or loopback checks can provide a health indicator without injecting hazardous energy. Evidence should record link status, error counters, and boundary-domain power presence for isolated designs.

Layer 4 — Watchdog + clock (prevent silent degradation of safety behavior)

Watchdogs protect against firmware stalling, but the safety objective is to prevent silent degradation of the safety function. Safety tasks must refresh watchdogs and must publish periodic “alive” markers. Clock checks (timeout windows or clock-source plausibility) provide evidence that timing assumptions remain valid. Evidence includes watchdog resets, clock fault flags, and the safe-state transition code used after a failure.

Nonvolatile fault log (last N events) with monotonic counter

Evidence must survive power loss. A nonvolatile log should store the last N safety-relevant events with a monotonic counter so records cannot be overwritten in a way that hides repeated failures. At minimum, store boot count, test plan version/build ID, the last fault code, brownout count, and limiter-engagement counters. This provides a verifiable chain that the safety envelope is continuously monitored.

Minimum log fields (suggested): monotonic_counter, event_code, event_class (power/sense/boundary/wdt-clock), timestamp_or_uptime, peak_current_mA, foldback_enter_us, brownout_count, boot_count, firmware_build_id, last_selftest_summary.

Outputs (implementation-ready artifacts)

  • Self-test schedule: boot / periodic / on-demand mapping to test layers.
  • Fault codes: grouped codes for power path, sense chain, boundary indicators, watchdog/clock, and NVM log errors.
  • Log schema: fixed header + last N event records keyed by monotonic counter.

Figure 8. Self-test flow and evidence fields: triggers → layered checks → safe state + fault codes + monotonic logs.

Safety Diagnostics & Self-Test: Evidence-Driven Plan Boot / periodic / on-demand triggers → layered checks → fault codes + monotonic NVM logs Triggers Boot Periodic On- demand Layered checks (what to test) L1 Power-path test Limiter engage (safe pulse) L2 Sense sanity Plausibility / redundancy L3 Boundary indicators Open/short symptoms L4 WDT + clock No silent degradation Outputs (what counts as evidence) Safe state action Outputs off + bounded Fault code Class + reason NVM log record Monotonic counter Key metrics + build ID
Cite this figure: Section link | Copy link

H2-9. Fault Model Playbook: Single Fault, Dual Fault, and Worst-Case Scenarios

Ex i robustness is demonstrated through fault response, not through normal operation metrics. A practical playbook starts from energy-path failures (shorts and miswires), then covers safety-function failures (stuck-on limiter, sense drift, MCU hang), and finally addresses external uncertainty (transients and cable parameter changes). Each fault must map to a deterministic safe response and a repeatable proof method.

Fault classes (organized by energy-path risk)

Direct shorts Input short, output short, cross-rail short. Risk: peak current + rapid energy release from Ci/Li.
Safety function failures eFuse stuck-on, sense resistor drift, MCU hang. Risk: limiter or decision logic no longer bounds energy.
Connector & wiring faults Miswire, reverse polarity, transient injection. Risk: external energy enters via unintended paths.
Cable parameter shifts Effective C/L increases. Risk: Co/Lo margin silently consumed; stored energy changes worst-case.

Single-fault vs dual-fault vs worst-case (engineering definitions)

  • Single fault: any one fault must force a safe state within a bounded time and keep outputs non-energizing.
  • Dual fault: analyze combinations that defeat one layer (e.g., sense drift + stuck-on behavior). Use the most hazardous pairings, not random pairs.
  • Worst-case: apply max supply, max Ci/Li, max cable C/L, and high ambient temperature assumptions used for proof capture.
Safe response template: (1) enter bounded energy state (foldback/disable), (2) outputs default off, (3) record evidence (fault code + key metrics), (4) define recovery policy (lockout or controlled restart).

Deliverable: fault matrix (fault → safe response → proof method)

Fault Expected safe response Proof method Evidence fields (examples) Pass/Fail criterion
Short Input short Limiter engages; bounded current/power; outputs off; optional lockout. Scope inrush/limit waveform; verify foldback entry time. peak_I, t_enter_foldback, limiter_flag, brownout_count, fault_code Enters bounded state within target time; no external energizing output.
Short Output short Output driver/load switch turns off or limits; node remains in safe state. Measure output current and gate state; verify recovery policy. out_I, out_disable_flag, fault_code, last_test_id, monotonic_counter Output is forced non-energizing; fault recorded.
Short Cross-rail short Gating prevents backfeed; app rail may collapse; safety rail remains deterministic. Measure both rails; confirm supervisor asserts reset and safe defaults hold. V_safe, V_app, reset_reason, safe_output_state, fault_code Safety rail behavior remains deterministic; outputs remain off.
Failure eFuse “stuck-on” behavior Secondary bounding mechanism must force safe state (hardware defaults + supervisors + load gating). Inject stuck-on equivalent condition; verify outputs still cannot energize and logs capture anomaly. limiter_state_mismatch, supervisor_flag, fault_code, recovery_policy_id System cannot sustain energizing output even if limiter control fails.
Drift Sense resistor drift Plausibility check triggers conservative mode or lockout; safe limits maintained. Emulate drift (offset); verify plausibility verdict and bounded state. sense_raw, sense_plausibility, fault_code, cfg_crc, test_mode_flag Drift detected or bounded by conservative thresholds; logged.
FW MCU hang / silent degrade WDT/BOR forces reset; hardware defaults keep outputs off during hang. Induce hang; observe WDT timeout and pin states during droop. wdt_reset_count, last_alive_marker, safe_output_state, reset_reason No energizing output during hang; reset occurs; event logged.
Wiring Miswire / reverse polarity Protection prevents unsafe energy entry; outputs off; fault recorded. Miswire jig; measure clamp/rail voltages; verify limiter does not bypass. V_in_clamp, reverse_flag, fault_code, monotonic_counter No sustained energizing output; bounded behavior proven at TPs.
Cable Effective C/L increases Worst-case assumptions remain safe; may reduce duty-cycle or enforce stricter limit. Test with worst-case cable; capture limiter waveforms and safe state transitions. cable_profile_id, peak_I, t_enter_foldback, fault_code, mode_id Still meets bounded-state metrics under worst-case cable conditions.

Figure 9. Fault injection map: where faults are applied and how safe response and evidence capture connect to test points and logs.

Fault Injection Map → Safe Response → Proof Shorts, miswire, transients, and cable C/L shifts mapped to TPs + log evidence Connector / cable Limiter foldback / flags Rails Safety + App MCU + outputs Fail-safe default Fault injection points Miswire / reverse Transient inject Input short Cable C/L shift Safe response flow Enter bounded Outputs off Record evidence Recovery policy Proof anchors TP set IN / LIM / SAFE / OUT Waveforms peak_I + t_foldback Logs fault_code + monotonic_counter reset_reason + counts
Cite this figure: Section link | Copy link

H2-10. Certification Hooks by Design: Test Points, Traceability, and Manufacturing Self-Check

Certification friction drops when auditability is built into the design: the right test points make limiting behavior quick to capture, traceability binds evidence to an immutable build/config identity, and manufacturing self-check produces repeatable reports without bypassing safety limits. The objective is a system where lab tests and production tests share the same evidence interfaces.

Mandatory measurement nodes: a minimal TP set mapped to evidence

TP-IN (entry) Clamp/reference behavior and polarity conditions at the interface entry.
TP-LIM (limiter) EN/FAULT/ILIM or sense node to capture foldback/limit entry and recovery.
TP-SAFE (safety rail) Always-on domain stability across droop and reset events.
TP-OUT (external outputs) Proof that fail-safe default remains non-energizing under faults and hangs.

Traceability: firmware build ID + config CRC + lock policy

Evidence is only defensible if it is tied to an identifiable artifact. Each unit should expose a firmware build ID and a configuration CRC that can be reported in logs and manufacturing reports. A lock policy must clearly separate calibrations that may change from safety limits that must never change, and changes (where allowed) must be logged with a monotonic counter so history cannot be hidden by power loss.

Lock policy guidance: calibration coefficients may change only under controlled procedures and must be logged; safety thresholds, limiter policies, and gating rules must never be altered by production test or field calibration.

Manufacturing self-check: test mode that cannot bypass safety limits

Production tests may adjust sampling, timing, or communication to accelerate throughput, but they must not disable the limiter, remove foldback behavior, or change fail-safe defaults. A robust approach is a manufacturing mode that runs bounded self-check steps, records results, and exits cleanly—while the same safety envelope remains enforced. Tests that require higher energy should be performed outside the hazardous boundary using controlled fixtures, not by bypassing internal limits.

Calibration storage rules: what may change vs what must never change

Category Examples Allowed to change? How changes are controlled Evidence fields
Sensor calibration Offset/gain, temperature compensation coefficients Yes (controlled) Procedure-bound update + CRC update + log record cfg_crc, cal_version, monotonic_counter, old/new summary
Safety limits Limiter thresholds, foldback policy, safety-rail gating rules No Hard-locked; immutable in production and field modes lock_state, build_id, cfg_crc, audit_flag
Test parameters Sampling windows, report verbosity Yes (non-safety) Must not influence energy envelope test_mode_flag, test_profile_id

Evidence export: minimal report fields and log extract procedure

  • Manufacturing report header: unit ID, date/time, build ID, config CRC, lock state.
  • Key safety tests: bounded limiter engagement result, brownout/reset chain result, safe-output state proof.
  • Log extract: last N events, monotonic counter range, last self-test summary, last fault code group.

Figure 10. Built-in auditability: minimal test points + traceability chain + manufacturing self-check flow without bypassing safety.

Certification Hooks by Design: TPs + Traceability + MFG Self-Check Fast capture of limiting behavior + immutable identity + repeatable evidence export Minimal test point set TP-IN: entry clamp / polarity TP-LIM: EN/FAULT/sense TP-SAFE TP-OUT Traceability chain Build ID immutable Config CRC lock state Log record monotonic ctr fault code Manufacturing self-check (no bypass) Enter test mode Limiter enforced Run bounded checks foldback verified Generate report build ID + CRC Export logs monotonic ctr Exit mode → normal operation (limits unchanged) Same IDs appear in report + logs
Cite this figure: Section link | Copy link

H2-11. PCB & Packaging for Ex i: Layout Priorities (Without Legal Overreach)

Ex i margin is often lost on the PCB, not in the schematic. Layout and packaging must prevent hidden energy storage, unintended capacitance, leakage paths, and contamination-driven conduction—especially around the connector and any high-impedance sensing nodes. The objective is a board that makes the energy envelope easier to prove in faults (shorts/miswire/transients) and easier to audit in lab and production.

Placement priority: connector → protection/limit → storage → loads

Treat the board as an energy path. The connector zone should immediately route into the protection/limiting network so external energy (miswire, reverse polarity, transient injection) is intercepted before it can charge bulk capacitance or find backfeed paths into other rails. Stored energy elements (bulk caps, EMI inductors) should be positioned and partitioned so that worst-case faults cannot bypass the limiting point.

Connector zone rules Shortest loop to clamps/limit; avoid large copper pours that add hidden capacitance; keep TP access for fast capture.
Limiter zone rules Sense/ILIM nodes tight + guarded; fault/flag pins routed away from noisy loops; place TP-LIM close to device pins.
Storage zone rules Minimize bulk energy after the limiting point; split capacitance into smaller units; avoid “cap banks” near the connector.
Load zone rules Duty-cycled blocks physically separated; outputs default off via hardware pulls/bleeders near the loads.

Guard against unintended capacitance: “hidden Co killers”

Capacitance budget is not only the explicit capacitors. Large copper areas, parallel traces, shield/metal enclosure coupling, and ESD/TVS device capacitance can silently consume Co margin and change fault energy during transients or miswire events. Practical controls include: restricting copper area in the connector zone, avoiding long parallel runs on high-impedance nets, and explicitly tagging “high-C parts” into the stored-energy inventory.

MPN anchors (low-cap ESD/TVS examples): Nexperia PESD5V0S1UL, Nexperia PESD1CAN, TI TPD1E10B06 / TPD2E2U06, Semtech RClamp0521P / RClamp0504P, Littelfuse SP0502BAHT (ESD array). Choose by interface voltage, leakage limits, and allowable capacitance budget.

Leakage paths & contamination: when “high impedance” becomes a conduction path

Moisture, flux residues, dust, and ionic contamination reduce surface resistance and can create unintended leakage between nodes—particularly at high-impedance sensing, configuration, and limiter-control points. In Ex i designs, this can distort current/voltage measurements, defeat plausibility checks, or create slow “sneak” charging paths. Layout should isolate high-Z nodes with keep-out regions, guard rings where appropriate, and mechanical separation from the connector zone where contamination risk is highest.

Creepage/clearance (high-level): design for stable separation under real environments

Separation is an environment problem as much as a geometry problem: humidity, pollution, and condensation can turn the board surface into a conductive path. Use conservative spacing habits on nets with significant potential difference, add slots or cutouts to increase effective surface path where appropriate, and avoid routing high-Z sensing nodes across regions exposed to connector contamination. The goal is to support the safety envelope under aging and field conditions without claiming any legal distance values.

Conformal coating vs potting: thermal vs inspection vs auditability

Coating can reduce contamination-driven leakage while keeping the board inspectable and serviceable; potting can provide stronger environmental robustness but increases thermal resistance and makes inspection/rework difficult. For Ex i evidence capture, ensure that whichever approach is used still preserves access to required test points or provides an alternative evidence export method (log extraction + manufacturing reports).

MPN anchors (coating/potting material examples): HumiSeal 1A33 (acrylic conformal coating), Electrolube APL (acrylic conformal coating), Dow 1-2577 (silicone conformal coating), Dow SYLGARD 184 (silicone elastomer potting/encapsulation), 3M Scotch-Weld DP270 (epoxy potting/adhesive). Material choice must match temperature, inspection needs, and leakage-control goals.

Deliverables: layout checklist + risk list (implementation-ready)

  • Layout priority checklist: connector-zone copper limits, limiter TP placement, high-Z keep-outs, storage partitioning, controlled return paths.
  • Hidden-C & leakage risk list: TVS/ESD capacitance, copper coupling, enclosure coupling, contamination zones, coating voids/cracks.
  • Evidence hooks: TP-IN/TP-LIM/TP-SAFE/TP-OUT access + a repeatable photo/inspection record for the connector and high-Z zones.

Figure 11. PCB layout priority map: energy-path ordering, hidden-capacitance hot spots, leakage keep-outs, and audit-friendly test point placement.

PCB Priority Map for Ex i (Concept-Level) Connector → Protect/Limit → Storage → Loads + high-Z keep-outs + TP access Connector zone TP-IN limit copper avoid big pours Protect / limit TP-LIM tight sense guard high-Z Storage zone Ci / Li split caps avoid banks Load zone TP-OUT duty-cycled default OFF Hidden-C hot spot Stored energy High-Z keep-out & leakage control Guard / clean / coat avoid connector contamination paths Separation concepts (no legal numbers) Use conservative spacing habits + slots/cutouts where helpful Preserve TP access or provide evidence export via logs/reports
Cite this figure: Section link | Copy link

Request a Quote

Accepted Formats

pdf, csv, xls, xlsx, zip

Attachment

Drag & drop files here or use the button below.

H2-12. FAQs × 12 (Accordion; each answer maps back to chapters)

Each FAQ uses the same evidence-driven format: Short answerWhat to measureFirst fix. This keeps answers actionable and ties every claim to a measurable proof path.

Answer format: Short answer (1 line) + What to measure (2 items) + First fix (1 item).
Chapter mapping: each question links back to the relevant H2 sections for the full evidence chain.
My node passes normal load, fails certification under short—what did we forget? → H2-4 / H2-9

Short answer: The design likely bounds “normal” current but not fault energy and response time under a hard short.

  • What to measure: peak short current and time-to-foldback/disable at TP-LIM; temperature rise at the limiter during the short.
  • What to measure: output state during the short (must remain non-energizing) and recovery policy (lockout vs retry).
  • First fix: add foldback/thermal limiting and document a fault matrix entry with pass/fail criteria.
Can I “fix” Ex i by adding a bigger TVS? → H2-6 / H2-5

Short answer: A bigger TVS can increase hidden capacitance and stored energy, hurting margin even if clamping looks better.

  • What to measure: effective capacitance at the interface (including TVS + copper + cable) and inrush/charge energy.
  • What to measure: clamp voltage vs current during transients and whether it backfeeds rails.
  • First fix: choose low-cap ESD/TVS and place clamp + series resistance where the cable energy is intercepted.
Battery-powered node: what dominates risk—cell, caps, or inductors? → H2-6 / H2-9

Short answer: Risk is dominated by whichever element can deliver the most energy into the fault path fastest.

  • What to measure: worst-case fault current from the cell (including internal resistance) and peak discharge from bulk caps.
  • What to measure: inductor energy release in the power stage during a short and the limiter’s response time.
  • First fix: build a stored-energy inventory (Ci/Li/cell) and prove bounded behavior in the fault matrix.
Why does adding bulk capacitance for RF bursts hurt Ex i margin? → H2-6 / H2-7

Short answer: Bulk caps store energy that can dump into faults, and they also worsen inrush that can defeat deterministic safety behavior.

  • What to measure: inrush waveform into the added capacitance and the limiter’s foldback entry time.
  • What to measure: short-circuit energy released from the cap bank before limiting fully engages.
  • First fix: split rails (Safety always-on vs RF duty-cycled) and move burst energy behind controlled limiting.
Foldback vs constant current limit—what is safer for faults? → H2-4 / H2-9

Short answer: Foldback is often safer because it reduces sustained power during a fault instead of holding a high constant fault current.

  • What to measure: steady-state fault power and device temperature with constant limit vs foldback.
  • What to measure: time spent in high-power region after a short and whether the system locks out cleanly.
  • First fix: implement foldback + thermal limiting and set pass/fail thresholds in the fault matrix.
Isolation present, but lab still flags stored energy—how? → H2-5 / H2-6

Short answer: Isolation solves galvanic paths, but it does not remove capacitance/inductance energy stored on the hazardous-side interface.

  • What to measure: hazardous-side Ci/Li (including isolator parasitics, TVS, and copper) and discharge behavior.
  • What to measure: fault energy path during shorts—what dumps first before the limiter reacts.
  • First fix: reduce hidden capacitance, partition storage behind the limiting point, and document the energy inventory.
How do I self-test current limiting without violating the envelope? → H2-8 / H2-4

Short answer: Use a bounded, pulsed self-test that proves limiting engages without creating a sustained high-energy event.

  • What to measure: pulse width/period, peak current, and limiter flag timing at TP-LIM during the test.
  • What to measure: temperature rise and whether outputs remain in fail-safe default throughout the test.
  • First fix: implement a “safe pulsed test” profile and log results with monotonic counters.
MCU resets during inrush—how to keep safety deterministic? → H2-7 / H2-4

Short answer: Deterministic safety requires hardware defaults and supervisors so resets cannot enable unsafe outputs or bypass limiting.

  • What to measure: rail droop (Safety vs App), reset reason counts, and pin states during inrush.
  • What to measure: limiter entry timing vs MCU boot time to confirm safety holds while firmware is down.
  • First fix: split rails, add supervisor gating, and ensure outputs default off without firmware.
What logs are actually useful for certification discussions? → H2-8 / H2-10

Short answer: Logs are useful when they prove bounded behavior, identity (build/config), and fault chronology—noise logs do not help.

  • What to measure: fault_code taxonomy, monotonic_counter continuity, and reset_reason counts across power cycles.
  • What to measure: capture of limiter state (flag) and key metrics (peak_I, t_foldback) summaries per event.
  • First fix: standardize a “cert log bundle” with build ID + config CRC + last N faults.
Can production test mode bypass limits if protected by password? → H2-10 / H2-9

Short answer: Passwords are procedural controls; Ex i safety must not depend on “who is allowed” to bypass limits.

  • What to measure: limiter behavior in production mode (must match normal) and whether foldback/disable still triggers under faults.
  • What to measure: logs that show test_mode_flag while limits remained enforced.
  • First fix: make bypass physically impossible; use bounded test profiles and external fixtures for high-energy tests.
Cable changes broke compliance—what parameters should we lock? → H2-2 / H2-9

Short answer: Cable capacitance/inductance can consume Co/Lo margin, changing worst-case stored energy and fault behavior.

  • What to measure: worst-case cable C/L profiles used in validation and the resulting inrush/fault waveforms.
  • What to measure: whether cable changes alter peak_I, t_foldback, or clamp behavior at TP-IN/TP-LIM.
  • First fix: lock installation assumptions (cable profile limits) and re-validate the fault matrix for the worst case.
Which test points save the most time with a cert lab? → H2-10 / H2-4

Short answer: The best test points are those that prove limiting engages quickly and that outputs remain non-energizing during faults.

  • What to measure: TP-IN clamp/polarity behavior and TP-LIM foldback/flag timing during short and miswire tests.
  • What to measure: TP-SAFE rail stability through resets and TP-OUT default-off proof under MCU hang scenarios.
  • First fix: standardize TP names on schematics and bind waveforms/logs to build ID + config CRC.

icnavigator

ICNavigator helps engineers find verified ICs, alternatives, and fast quotes.

Explore
Categories
  • Power Management
  • MCU
  • Automotive ICs
  • Sensors
  • Interface & Transceivers
  • Analog Front-End
Get in Touch
  • Email: hello@icnavigator.com
  • WeChat/WhatsApp: +86-xxxx

© 2025 ICNavigator. All rights reserved.