Ex Power & Intrinsic-Safety Barriers

H2-1 · Center Idea

Center Idea

Ex power is not “higher power delivery”; it is power that remains energy-limited under any single fault. A barrier, isolated supply, energy-limit monitor, and fault-bypass path together form an energy guardrail with diagnosable failure paths.

Practical meaning: compliance depends on controlling not only steady-state V/I/P, but also stored and transient energy that can appear during open/short events, startup/retry cycles, and surge interactions.

  • Steady-state energy: open-circuit voltage, short-circuit current, output power limits.
  • Stored energy: capacitors/inductors (including cable-equivalent C/L) that can release energy during faults.
  • Transient energy: startup, hiccup/retry, clamp recovery, and fast fault transitions.
  • Coupled/return-path energy: isolation capacitance and any to-earth protection path that changes where energy flows.
[Figure H2-1 (diagram placeholder). Safe area: isolated supply; IS barrier (energy limiting); hazardous area: field load. Energy-limit monitor (evidence: V/I waveforms, foldback, ∫V·I dt). Fault-bypass path (availability with interlocks; evidence: fault flags, bypass threshold, logs).]
Figure H2-1. Energy guardrail view: limiting steady, stored, and transient energy while preserving diagnosable fault paths.
H2-2 · Verifiable Guarantees

What “Ex Power & Barriers” Must Guarantee

The design target should read like an acceptance checklist: each item must have a measurable upper bound, a fault-trigger condition, and a repeatable verification method.

  • Energy limit (steady + stored + transient): output voltage/current/power and available stored energy (C/L, including cable-equivalent C/L) remain bounded in normal and single-fault conditions.
  • Fault tolerance (single fault): typical faults (short/open/component failure/overvoltage/reverse polarity/cable short or break) do not create an unsafe energy release.
  • Isolation & leakage explainability: isolation rating, creepage/clearance constraints, and leakage/return paths remain interpretable (including clamp-to-earth interactions).
  • Fail-safe behavior: clear degraded modes (foldback/hiccup/shutdown/latch), controlled bypass under interlocks, alarm/reporting, and recovery policy.
Evidence Chain (what to capture)
  • Waveforms: Vout, Iout, startup/retry transitions, open/short response.
  • Limit curves: I-V foldback shape and maximum transient peaks.
  • Energy window: time-windowed ∫V·I dt upper bound under each injected fault.
  • Status fields: fault flags, latch reason, retry counter, bypass enable and duration.
  • Bypass thresholds: interlock conditions (V/I/T/isolation health) and post-bypass compliance proof.

Practical note: passing a steady-state Uo/Io table alone is insufficient if startup, clamp recovery, or stored-energy discharge can exceed the safe energy envelope. Verification must include transient capture and energy-window validation under fault insertion.

[Figure H2-2 (diagram placeholder). Guarantees (Shall): energy limit (steady, stored, transient); single-fault tolerance (short, open, parts fail); isolation and leakage paths explainable; fail-safe behavior (foldback, hiccup, latch, bypass). Evidence (Measure / Log / Test): waveforms (Vout, Iout, startup, fault response); limit curves (I-V foldback, peak bounds); energy window E = ∫V·I dt (time-windowed); status and logs (fault flags, latch reason, retry, bypass). Rule: table compliance alone is not enough; verify transients and energy windows under fault insertion.]
Figure H2-2. Convert requirements into measurable evidence: waveforms, foldback curves, energy-window bounds, and diagnostic fields.
H2-3 · Deployment Context

Hazardous-Area Context & Deployment Models

Barrier selection is a system decision driven by the hazardous-area classification, loop topology, and installation constraints. The same barrier can be compliant or non-compliant depending on where the boundary is drawn, how grounding is implemented, and how cable C/L is budgeted.

1) Zone/Div level sets the “energy envelope” strictness

Higher-risk deployments require tighter control of open-circuit voltage, short-circuit current, stored energy (C/L), and transient peaks during startup and fault transitions. As strictness increases, designs typically shift toward architectures that reduce installation dependence and improve diagnosability.

  • Zone 0 / Div 1: most conservative.
  • Zone 1: strong fault focus.
  • Zone 2 / Div 2: more deployment flexibility.

2) Loop topology drives voltage drop, fault behavior, and diagnostics

  • 2-wire loop power (4–20mA / HART): power and signal share the same pair. Key constraints are minimum operating voltage, line drop, and a current limit strategy that avoids “brownout oscillation” under marginal supply.
  • 3/4-wire sensors: separated power and signal lines reduce some interface coupling, but longer cable runs and additional wiring can increase external C/L to be counted in the energy budget.
  • Discrete I/O / NAMUR: focus shifts to defined open/short thresholds and robust detection of cable faults while keeping open-circuit energy bounded.

3) Barrier placement defines what must be budgeted and proven

Placement determines which portion of the cable is inside the hazardous boundary and therefore which C/L must be included when proving compatibility. A barrier closer to the load can reduce hazardous-side cable length but increases environmental stress; a barrier in the safe-area cabinet simplifies access but often consumes the allowable Co/Lo budget with long cable runs.

4) Grounding model decides whether the solution depends on installation quality

Grounding affects leakage paths and surge diversion. If the design requires a low-impedance protective earth to remain safe, the installation becomes part of the safety case. Ground-independent solutions reduce reliance on site conditions but introduce isolation-health evidence requirements.

Evidence checklist for this chapter

  • Boundary drawing: installation diagram showing safe/hazardous sides and barrier location.
  • Grounding statement: required earth topology and acceptable impedance ranges (if applicable).
  • Cable/Load table: Ci/Li (field device) + cable C/L + barrier Co/Lo matching result.
[Figure H2-3 (diagram placeholder). Deployment model: area class (Zone 0 / Div 1, Zone 1, Zone 2 / Div 2), loop topology (2-wire 4–20mA / HART, 3/4-wire sensors, discrete NAMUR / DI/DO), boundary, grounding. Barrier placement models: A) Cabinet (safe area): PSU + barrier, long hazardous-side cable, Co/Lo consumed by cable C/L. B) Junction box (near boundary): balanced access vs cable length, often best for maintenance. C) In field (hazardous): barrier + load, shortest hazardous cable, harsh environment and thermal stress. Grounding note: installation quality can be part of the safety case (especially for earth-dependent barriers).]
Figure H2-3. Deployment drives compliance: classification strictness, loop topology, barrier placement, and grounding model set the proof obligations.
H2-4 · Barrier Families

Barrier Taxonomy: Zener vs Galvanic Isolator

Two dominant families exist. The correct choice is dictated by installation dependence, fault-path explainability, diagnostic expectations, channel density, and surge/leakage behavior — not by schematic simplicity alone.

Zener barrier (earth-dependent limiting)

  • Strength: cost-effective and simple energy limiting when protective earth is low-impedance and controlled.
  • Primary risks: earth impedance variation, unintended leakage/return paths, and surge diversion relying on site grounding.
  • Best fit: stable cabinet grounding, clear earth bonding practices, moderate channel needs.

Galvanic isolator barrier (isolated power + signal)

  • Strength: reduced dependence on site grounding, stronger diagnosability (status, fault reasons, controlled recovery).
  • Primary risks: isolation barrier health (with age/contamination), common-mode/leakage behavior, and thermal limits in high density.
  • Best fit: uncertain grounding environments, high audit/diagnostic requirements, multi-channel systems.
Decision Dimensions (what matters most)
  • Grounding dependency: required earth quality vs ground-independent operation.
  • Failure modes: how single faults manifest and how energy is diverted/limited.
  • Diagnosability: fault flags, latch reasons, and recoverability policies.
  • Power & channel density: thermal headroom and per-channel energy budget stability.
  • Surge behavior: where surge energy flows (to-earth paths vs across isolation boundaries).

Evidence checklist for this chapter

  • For Zener barriers: earth resistance/impedance verification and wiring topology.
  • For isolators: isolation withstand + leakage measurements under relevant environmental conditions.
  • For both: fault insertion results showing bounded output energy and defined recovery behavior.
[Figure H2-4 (decision map placeholder). Zener barrier (earth-dependent limiting: safe PSU, Zener barrier, PE/earth). Strength: simple, low cost, high density potential when earth is controlled. Risks / proof obligations: earth impedance must be verified, surge energy may divert to earth, leakage/return paths must be explainable. Galvanic isolator (isolated power + signal: safe PSU, isolator barrier, isolation). Strength: ground-independent operation, diagnostics and controlled recovery. Risks / proof obligations: isolation health and leakage evidence, thermal headroom in high density, surge interaction across boundaries. Choose by proof obligations: ground quality vs isolation evidence, and by fault-insertion energy bounds.]
Figure H2-4. Zener barriers rely on controlled earth; galvanic isolators reduce installation dependence but require isolation/leakage and thermal evidence.
H2-5 · Entity Parameters & Budgeting

Entity Parameters & Energy Budgeting (Uo/Io/Po, Co/Lo…)

Intrinsic-safety design is an energy-budgeting exercise. The goal is to prove that the maximum available energy remains bounded in normal operation and under a defined single-fault set, including steady, stored, and transient energy.

1) Start with the entity output limits (Uo / Io / Po)

The entity defines its maximum output envelope using Uo (maximum open-circuit voltage), Io (maximum short-circuit current), and Po (maximum power). These values must be interpreted as worst-case limits that include tolerance, temperature, and the limiting behavior (foldback/hiccup/latch), not as nominal ratings.

2) Budget allowable external storage (Co / Lo) against the site input (Ci / Li)

Stored energy is controlled by limiting the permitted external capacitance and inductance. The field device contributes Ci / Li, while the installation contributes cable C/L. Compliance requires that the sum remains within the entity allowance.

Core matching rule (budget form)

  • Co ≥ (Ci + Cable C) → capacitance budget must not be exceeded
  • Lo ≥ (Li + Cable L) → inductance budget must not be exceeded

Margin should be computed using worst-case cable length, worst-case C/L per meter, and conservative device Ci/Li values.

3) Make cable a first-class parameter (Cable C/L estimation)

Cable is a distributed component. Long runs can consume the Co/Lo allowance before the device is even considered. Cable C/L should be estimated from per-meter values and bounded by installation length limits. The final budget should explicitly state the maximum cable length that preserves margin.
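The budget form above (Co ≥ Ci + Cable C, Lo ≥ Li + Cable L, worst-case cable length and tolerance) as a small worksheet. This is an added example, not the page's or any vendor's tool; the entity values, device Ci/Li, per-meter cable C/L, the +10 % cable tolerance and the 10 % minimum-margin rule are all constructed assumptions, not certified or standard values.

```python
"""Entity-parameter budget worksheet (added example, not the page's or any
vendor's tool). All numeric values are constructed, not certified data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EntityLimits:
    """Barrier output envelope and permitted external storage (worst case)."""
    uo_v: float     # Uo: max open-circuit voltage
    io_ma: float    # Io: max short-circuit current
    po_mw: float    # Po: max power
    co_nf: float    # Co: permitted external capacitance
    lo_uh: float    # Lo: permitted external inductance


@dataclass(frozen=True)
class FieldDevice:
    """Ci/Li from the field device documentation."""
    ci_nf: float
    li_uh: float


@dataclass(frozen=True)
class CableModel:
    """Per-meter C/L from the cable spec plus a worst-case allowance."""
    c_nf_per_m: float
    l_uh_per_m: float
    tolerance: float = 0.10   # +10 % on per-meter values (constructed assumption)

    def c_nf(self, length_m):
        return self.c_nf_per_m * (1.0 + self.tolerance) * length_m

    def l_uh(self, length_m):
        return self.l_uh_per_m * (1.0 + self.tolerance) * length_m


def budget(entity, device, cable, length_m):
    """Apply the matching rule Co >= Ci + Cable C and Lo >= Li + Cable L and
    return the headroom on each: Co-(Ci+Cc) and Lo-(Li+Lc)."""
    cc, lc = cable.c_nf(length_m), cable.l_uh(length_m)
    return {
        "cable_c_nf": cc,
        "cable_l_uh": lc,
        "margin_c_nf": entity.co_nf - (device.ci_nf + cc),
        "margin_l_uh": entity.lo_uh - (device.li_uh + lc),
    }


def compliant(entity, device, cable, length_m, min_margin_frac=0.10):
    """True only if both margins stay above min_margin_frac of the allowance
    (the fraction is a constructed acceptance rule, not a standard's value)."""
    m = budget(entity, device, cable, length_m)
    return (m["margin_c_nf"] >= min_margin_frac * entity.co_nf
            and m["margin_l_uh"] >= min_margin_frac * entity.lo_uh)


def max_cable_length_m(entity, device, cable, min_margin_frac=0.10):
    """Longest run that preserves the required margin on both C and L.
    Solves Co*(1-f) - Ci >= Cc(len) and Lo*(1-f) - Li >= Lc(len) for len
    and reports which parameter limits the run."""
    c_room = entity.co_nf * (1.0 - min_margin_frac) - device.ci_nf
    l_room = entity.lo_uh * (1.0 - min_margin_frac) - device.li_uh
    if c_room <= 0 or l_room <= 0:
        # Device alone already exhausts the budget: no cable length is safe.
        return {"length_m": 0.0, "limited_by": "C" if c_room <= 0 else "L"}
    by_c = c_room / cable.c_nf(1.0)
    by_l = l_room / cable.l_uh(1.0)
    if by_c <= by_l:
        return {"length_m": by_c, "limited_by": "C"}
    return {"length_m": by_l, "limited_by": "L"}


if __name__ == "__main__":
    # Constructed values in the style of a Zener-barrier entity table.
    barrier = EntityLimits(uo_v=28.0, io_ma=93.0, po_mw=650.0, co_nf=83.0, lo_uh=3000.0)
    sensor = FieldDevice(ci_nf=5.0, li_uh=10.0)
    cable = CableModel(c_nf_per_m=0.10, l_uh_per_m=1.0)   # 100 pF/m, 1 uH/m
    print(budget(barrier, sensor, cable, 100.0))
    print("100 m compliant:", compliant(barrier, sensor, cable, 100.0))
    print("max length:", max_cable_length_m(barrier, sensor, cable))
```

The reported maximum length and its limiting parameter are the two numbers the final budget sheet should state explicitly.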

Evidence Pack (what to keep)
| Item | What it proves | Evidence source |
|---|---|---|
| Entity Table (Uo/Io/Po/Co/Lo) | Maximum output envelope + allowed external C/L | Vendor certified parameters / datasheet |
| Site Input (Ci/Li) | Device inherent storage contribution | Field device documentation |
| Cable Model (C/L per meter) | Installation storage contribution bounds | Cable spec + max length assumption |
| Margin (Co/Lo headroom) | Worst-case compliance robustness | Budget worksheet + assumptions list |
[Figure H2-5 (flow placeholder). Energy budget flow: entity output limits (Uo max open-circuit voltage, Io max short-circuit current, Po max power envelope) → allowed external storage (Co allowed external capacitance, Lo allowed external inductance) → site inputs that must fit within Co/Lo (Ci/Li field device storage; cable C/L = per-meter value × length) → margin: Co − (Ci + Cc), Lo − (Li + Lc). Matching rule: Co ≥ (Ci + Cable C), Lo ≥ (Li + Cable L); use worst-case length and tolerance for margin.]
Figure H2-5. Treat intrinsic safety as budgeting: entity limits (Uo/Io/Po) plus allowed storage (Co/Lo) must cover device + cable inputs with margin.
H2-6 · Power Architectures

Intrinsic-Safety Power Architectures (Isolated Supplies & Loops)

Isolation and loop-power strategies are combined with energy limiting to control fault energy paths, common-mode behavior, and recovery policy. Architecture choice should be justified by startup behavior, voltage-drop budgeting, and fault containment across channels.

1) Isolated DC/DC: isolation as a fault-energy and path-control tool

Isolation is used to define boundaries that keep fault energy contained and to reduce dependence on site grounding. The safety case must still explain common-mode coupling and leakage behavior across the isolation barrier, especially after surge events.

2) 2-wire loop supply: manage headroom, startup/hold current, and brownout oscillation

In 2-wire loops (e.g., 4–20mA / HART), power and signal share the same conductors. Key obligations are a voltage-drop budget from source to device minimum operating voltage, and a startup policy that avoids repeated reset under current limiting.

Minimum evidence for loop-power readiness

  • Voltage-drop sheet: barrier drop + cable drop + device min V under worst-case current.
  • Startup waveform: V/I during power-up, fault recovery, and retry cycles.
  • Low-headroom behavior: defined response when device min V is not met (flags/logs).

3) Multi-channel systems: prevent a single fault from collapsing the bus

Shared supplies can propagate a fault from one channel to others via bus droop or control resets. Robust systems use per-channel limiting and fault containment so that one channel’s short/open does not force global restart. This must be verified with fault injection and cross-channel observation.

Evidence Pack (what to capture)
  • Startup & retry waveforms: power-up and recovery under short/open events.
  • Voltage-drop budget: headroom to device minimum operating point in 2-wire loops.
  • Coupling test: inject one-channel fault and record other channels’ V/I + status.
[Figure H2-6 (diagram placeholder). A) Isolated DC/DC + barrier: safe PSU → isolated DC/DC (isolation) → IS barrier → field load; evidence: isolation withstand and leakage, startup/retry waveforms, fault-energy bounds at barrier output. B) 2-wire loop power (headroom budget): source → barrier drop → cable drop → device min V, with startup/hold current; evidence: voltage-drop sheet, startup waveform (avoid brownout oscillation), low-headroom status/logs. C) Multi-channel fault containment: shared bus feeding CH1/CH2/CH3 limiters, fault injected on CH1; evidence: one-channel fault → observe bus droop, other channels' V/I and status flags, no global reset.]
Figure H2-6. Architecture proofs: isolation evidence + loop headroom budgeting + multi-channel containment verified by fault injection.
H2-7 · Monitoring Chain

Energy-Limit Monitoring: What to Measure, Where to Sense

Monitoring is part of the proof chain. Measurement choices must support both steady-state power control and transient energy bounding, while making single-fault conditions observable at the correct points in the topology.

1) What to measure (signals that bound energy)

  • Vout / Iout / Pout: output envelope and limiting behavior (foldback/hiccup/latch).
  • Temperature: limiter drift and thermal headroom (channel density and ambient stress).
  • Isolation leakage / common-mode: evidence of isolation health and unintended coupling paths.
  • Storage-node voltage: capacitor/inductor-related energy that may dominate short transients.

2) Where to sense (visibility depends on placement)

Sensing position determines which faults are visible. A robust proof chain typically distinguishes before/after the limiter and before/after isolation.

Common sensing points

  • Limiter-upstream: input stress, control faults, bus collapse precursors.
  • Limiter-downstream: hazardous-side energy bounds (closest to the proof target).
  • Isolation-upstream: safe-side perturbations, supply droop, surge coupling into the barrier.
  • Isolation-downstream: leakage/common-mode behavior and output-side transient energy.

3) Time windows: transient energy vs steady power

Two time scales are required: a fast window for short-circuit and surge events, and a slow window for continuous power/thermal behavior. Transient proof is based on energy integration rather than only instantaneous power.

  • Fast window (ms): E = ∫ V·I dt.
  • Slow window (100 ms–s): steady P + thermal.

4) Threshold and action policy (auditable behavior)

  • Hard shutdown: strict containment; requires defined reset conditions.
  • Foldback: controlled short-circuit; must avoid oscillation at low headroom.
  • Hiccup: bounds energy by duty-cycled retries; requires retry timing evidence.
  • Latch / auto-recover: defines maintenance and safety posture; must log root cause.
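The two time windows of step 3 and the action policy of step 4, run over a sampled V/I capture: a sliding fast window integrates E = ∫V·I dt and a slow window averages power, and the first bound breached selects the action. This is an added example, not the page's or any vendor's monitoring firmware; the waveform, the window lengths, the energy and power limits and the mode mapping (fast breach → latch, slow breach → derate) are constructed assumptions.

```python
"""Energy-window monitor (added example, not the page's or any vendor's
firmware). Limits and the sampled waveform are constructed for illustration."""


def window_energies(samples, dt_s, window_s):
    """Sliding fast-window E = sum(V*I*dt) over the last window_s seconds
    (rectangular integration); one value per sample, partial at the start."""
    n = max(1, int(round(window_s / dt_s)))
    prefix = [0.0]                      # running integral for O(1) window sums
    for v, i in samples:
        prefix.append(prefix[-1] + v * i * dt_s)
    return [prefix[k + 1] - prefix[max(0, k + 1 - n)] for k in range(len(samples))]


def window_mean_powers(samples, dt_s, window_s):
    """Slow-window average power (W) over the last window_s seconds."""
    n = max(1, int(round(window_s / dt_s)))
    energies = window_energies(samples, dt_s, window_s)
    return [e / (dt_s * min(n, k + 1)) for k, e in enumerate(energies)]


def evaluate(samples, dt_s, policy):
    """Return V/I peaks, the fast-window energy trigger (first sample whose
    E_window exceeds the bound), the slow-window power trigger, and the action
    mode under the constructed policy: a fast breach is strict containment
    (latch), a slow-only breach is thermal/power derating."""
    fast_e = window_energies(samples, dt_s, policy["fast_window_s"])
    slow_p = window_mean_powers(samples, dt_s, policy["slow_window_s"])
    fast_idx = next((k for k, e in enumerate(fast_e) if e > policy["e_fast_max_j"]), None)
    slow_idx = next((k for k, p in enumerate(slow_p) if p > policy["p_slow_max_w"]), None)
    if fast_idx is not None:
        mode = "LATCH"
    elif slow_idx is not None:
        mode = "DERATE"
    else:
        mode = "NORMAL"
    return {
        "v_peak": max(v for v, _ in samples),
        "i_peak": max(i for _, i in samples),
        "e_window_max_j": max(fast_e),
        "p_slow_mean_max_w": max(slow_p),
        "fast_trigger_idx": fast_idx,
        "fast_trigger_t_s": None if fast_idx is None else fast_idx * dt_s,
        "slow_trigger_idx": slow_idx,
        "mode": mode,
    }


def constructed_transient():
    """Constructed 1 ms/sample V/I capture: 50 ms at 24 V / 20 mA, an 8 ms
    storage-discharge style transient at 28 V / 100 mA, then steady state."""
    return [(24.0, 0.020)] * 50 + [(28.0, 0.100)] * 8 + [(24.0, 0.020)] * 42


POLICY = {   # constructed thresholds, not values from any standard
    "fast_window_s": 5e-3,      # ms-scale window for short / surge / startup
    "e_fast_max_j": 10e-3,      # fast-window energy bound
    "slow_window_s": 50e-3,     # 100 ms-scale window approximated at 50 ms here
    "p_slow_max_w": 1.0,        # continuous power bound
}


if __name__ == "__main__":
    result = evaluate(constructed_transient(), 1e-3, POLICY)
    for key, value in result.items():
        print(f"{key}: {value}")
```

In the constructed capture the slow-window mean power stays under its bound while the fast window trips a few milliseconds into the transient, which is exactly the case a steady-state table would miss.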
Evidence Pack (time-aligned)
| Artifact | What it must show | Mapped field(s) |
|---|---|---|
| Limit Curve | Current limit / foldback curve and mode transitions | Vout, Iout, mode |
| Energy Window | Trigger point for E=∫VI dt under short/surge | E_window, V·I trace |
| Fault Flags | Reason codes and reset conditions (auditable) | fault_id, latch, reset |
| Thermal | Derating or shutdown behavior vs temperature | temp, derate_state |
[Figure H2-7 (diagram placeholder). Topology and sense points: input → limiter → isolation → hazardous output, sensed pre-limiter, post-limiter and post-isolation. Time windows: fast window (short / surge / startup, E = ∫V·I dt trigger); slow window (continuous power, thermal / derating). Action policy (auditable): shutdown, foldback, hiccup, latch / recover. Evidence alignment: limit curve + energy trigger + fault flags + reset conditions on one timeline.]
Figure H2-7. Monitoring must support proof: correct sense points, separate fast/slow windows, and auditable action states with time-aligned evidence.
H2-8 · Proof by Fault Injection

Fault Modes & Proof via Fault Insertion (Single-Fault Thinking)

Depth comes from proof. Fault insertion verifies that maximum available energy remains bounded under representative single faults, and that recovery behavior is defined, repeatable, and diagnosable.

1) Organize faults into a repeatable injection plan

Each fault category should produce three outputs: trigger conditions, maximum output energy (fast-window E=∫VI dt plus peaks), and a defined recovery policy.

Fault Families (6)
  • Output short (near-end / far-end): cable dynamics change peak energy.
  • Output open: high open-circuit voltage and storage charge risk.
  • Limiter element failure (open/short): core single-fault proof target.
  • Input overvoltage / reverse: upstream stress must not bypass limiting.
  • Cable shorts (to earth / adjacent line): tests path explainability.
  • Thermal anomaly: temperature shifts thresholds and leakage behavior.

2) Use a consistent “3-evidence” template per fault

Per-fault evidence template

  • How to insert: where, what resistance/condition, and duration.
  • What to measure: sense point + fast/slow window + max peak + E_window.
  • Expected safe behavior: action mode + flags + reset rules + retry timing.

3) Summarize results as a fault injection matrix

A matrix makes the proof auditable: each row is a fault family; columns capture trigger definition, maximum bounded energy, and recovery behavior, mapped back to the monitoring chain (H2-7).

| Fault | Trigger definition | Bounded energy evidence | Recovery policy |
|---|---|---|---|
| Short near/far | Location + Rshort range | E_window + V/I peaks | Foldback / hiccup / latch |
| Open output | Disconnect event | Voc peak + storage behavior | Clamp + log + safe retry |
| Limiter elem fail | Open/short equivalent | Still bounded at hazardous side | Latch + interlock |
| Input OV/reverse | OV level / reverse condition | Output remains bounded | Shutdown + defined reset |
| Cable to earth/line | Short-to-PE / line-line | Path explainability + E_window | Latch or controlled retry |
| Thermal anomaly | Ambient + airflow limit | Derating keeps power bounded | Derate / shutdown / latch |
[Figure H2-8 (flow placeholder). 4-step proof flow: 1) inject defined fault; 2) measure at sense points; 3) bound E = ∫V·I dt; 4) recover per policy with flags. Fault families (single-fault set): output short near/far; output open (Voc risk); limiter failure open/short; input OV/reverse (upstream stress); cable shorts to earth/line; thermal anomaly (ambient/airflow). Per-fault evidence (3): trigger conditions, max bounded energy, recovery policy.]
Figure H2-8. Fault insertion makes the safety case auditable: define injection conditions, measure bounded energy, and verify recovery with flags and reset rules.
H2-9 · Availability

Fault-Bypass Paths & Availability (Keep the plant running)

Bypass paths are not “escape routes.” They are controlled degradation paths designed to preserve minimum availability while maintaining bounded energy and an auditable safety posture.

1) Why bypass exists: availability without violating the energy guardrail

Industrial sites often prefer “keep running in a reduced mode” over full shutdown. A bypass strategy should therefore define a minimum service level (e.g., diagnostics-only or reduced-power operation) that remains compliant with the same energy budgeting principles used for normal operation.

Availability tiers (typical)

  • Tier A: keep communication & diagnostics alive (signal continuity).
  • Tier B: keep minimum process function (reduced power / reduced features).
  • Tier C: safe stop with complete traceability (latch + service action).

2) Bypass types: signal, power, and controlled bypass

  • Signal bypass: preserve loop communications and diagnostic reporting during fault containment.
  • Power bypass (reduced mode): deliver a lower envelope (reduced Uo/Io/Po) to maintain minimum operation.
  • Controlled bypass: bypass switch is only allowed when safety interlocks are satisfied.

3) The main risk: bypass creating a new fault path

A bypass can unintentionally route around the limiter or introduce new coupling to ground. For this reason, bypass must be guarded by interlocks and continuously verified by monitoring.

Interlock gates (typical)

Bypass enable must satisfy all gates

  • Energy gate: V/I/P and fast-window E=∫VI dt remain below limits.
  • Thermal gate: temperature and thermal slope remain within safe range.
  • Isolation gate: leakage/common-mode indicators show isolation is healthy.
  • Timing gate: bypass has a maximum duration and defined exit policy.

4) Evidence pack: conditions, bounded energy in bypass, and event logs

| Artifact | What it proves | Minimum fields |
|---|---|---|
| Bypass Enable Rules | Entry/hold/exit criteria are explicit and repeatable | gates, thresholds, timeout |
| Post-Bypass Energy Proof | Output envelope remains bounded in bypass mode | V/I peaks, E_window, mode |
| Bypass Event Log | Traceable why/when bypass occurred and how it ended | reason_id, duration, exit_reason |
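The interlock gates of step 3 and the evidence pack of step 4 as one controller: bypass is enabled only when the energy, thermal, isolation and timing gates all pass, every gate is re-checked on each measurement while in bypass, and every exit writes a log record with reason_id, duration, exit_reason, energy window and mode. This is an added example, not the page's or any vendor's implementation; the limit values, measurement fields and the gate order are constructed assumptions, and the E_window input is assumed to come from the monitoring chain of H2-7.

```python
"""Controlled-bypass interlock and event log (added example, not the page's or
any vendor's implementation). All limits and measurements are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BypassLimits:
    v_max: float              # reduced-envelope V/I/P limits while in bypass
    i_max: float
    p_max: float
    e_window_max_j: float     # fast-window E = integral of V*I dt bound
    temp_max_c: float
    temp_slope_max_c_s: float
    i_leak_max_a: float
    max_duration_s: float     # timing gate: maximum bypass duration


@dataclass(frozen=True)
class Measurement:
    t_s: float
    v: float
    i: float
    e_window_j: float         # supplied by the monitoring chain (assumption)
    temp_c: float
    temp_slope_c_s: float
    i_leak_a: float
    cm_ok: bool               # common-mode indicator from isolation monitoring


def failed_gates(m, lim, t_enter_s=None):
    """Evaluate every gate and return the names of those that fail, in a fixed
    order so exit reasons are deterministic. Timing applies only while active."""
    failed = []
    if (m.v > lim.v_max or m.i > lim.i_max or m.v * m.i > lim.p_max
            or m.e_window_j > lim.e_window_max_j):
        failed.append("energy_gate")
    if m.temp_c > lim.temp_max_c or m.temp_slope_c_s > lim.temp_slope_max_c_s:
        failed.append("thermal_gate")
    if m.i_leak_a > lim.i_leak_max_a or not m.cm_ok:
        failed.append("isolation_gate")
    if t_enter_s is not None and m.t_s - t_enter_s > lim.max_duration_s:
        failed.append("timing_gate")
    return failed


class BypassController:
    """Entry / hold / exit policy: bypass is enabled only when all gates pass,
    re-checked on every measurement, and every exit is logged."""

    def __init__(self, limits, reason_id):
        self.lim = limits
        self.reason_id = reason_id       # why bypass was requested (e.g. a fault id)
        self.active = False
        self.t_enter_s = None
        self.peak_e_window_j = 0.0
        self.log = []

    def request_enable(self, m):
        """Returns (allowed, failed_gates). Enable is refused if any gate fails."""
        failed = failed_gates(m, self.lim)
        if failed or self.active:
            return False, failed
        self.active, self.t_enter_s, self.peak_e_window_j = True, m.t_s, m.e_window_j
        return True, []

    def hold(self, m):
        """Call on each new measurement while bypassed. True keeps the reduced
        output; False means the controller has exited bypass and logged why."""
        if not self.active:
            raise RuntimeError("hold() called while bypass is not active")
        self.peak_e_window_j = max(self.peak_e_window_j, m.e_window_j)
        failed = failed_gates(m, self.lim, self.t_enter_s)
        if failed:
            self._exit(m, failed)
            return False
        return True

    def release(self, m):
        """Operator-initiated exit (normal end of reduced-mode operation)."""
        if self.active:
            self._exit(m, ["operator_release"])

    def _exit(self, m, failed):
        self.log.append({
            "reason_id": self.reason_id,
            "t_enter_s": self.t_enter_s,
            "duration_s": m.t_s - self.t_enter_s,
            "exit_reason": failed[0],
            "failed_gates": list(failed),
            "energy_window_peak_j": self.peak_e_window_j,   # post-bypass energy proof
            "mode": "reduced",
        })
        self.active = False
        self.t_enter_s = None
```

Because the log record carries the peak E_window seen during bypass, the same record serves as the post-bypass energy proof and the audit trail.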
[Figure H2-9 (diagram placeholder). Normal path: input → limiter → isolation → hazardous output. Controlled bypass (reduced mode): bypass switch under interlock control (enable / hold / exit) feeding a reduced output envelope, gated by the energy, thermal, isolation and timing gates. Traceability: bypass event log (reason_id, duration, exit_reason, energy_window, mode) supports audit and root-cause analysis.]
Figure H2-9. Controlled bypass preserves minimum availability while keeping energy bounded via interlocks and event logging.
H2-10 · Isolation & Surge

Isolation, Creepage/Clearance, Leakage & Surge Interaction

In intrinsic-safety systems, isolation is not just a voltage rating. Creepage/clearance, leakage paths, and surge protection placement interact and can shift the effective energy boundary unless the design is explicitly modeled and re-verified after stress.

1) Creepage/clearance is a stability problem, not only a distance number

Clearance controls air breakdown, while creepage controls surface tracking. In the field, humidity, contamination, conformal coating quality, and material aging can change the effective margin. Isolation design should therefore assume real-world conditions and provide evidence of robustness.

2) Leakage paths: isolation barrier capacitance and surge-to-ground shunts

Isolation barriers have parasitic capacitance that can carry common-mode currents. Surge protection components that shunt to ground can also create temporary or persistent current paths that affect how the energy boundary is explained and measured.

3) Surge/ESD placement can move the energy boundary

Protection placement should be treated as part of the topology. Placing a TVS/MOV/GDT at different points can change the current return path, alter common-mode stress, and influence post-event parameter drift. Designs should therefore define protection locations and validate post-surge behavior.

Minimum diagnostic obligations

  • Detect: leakage increase, insulation degradation, abnormal heating.
  • React: controlled derating or shutdown; bypass interlocks must consider isolation status.
  • Re-verify: re-test key entity parameters (Uo/Io/limit curve) after surge exposure.

4) Evidence pack: hi-pot/insulation, leakage, and post-surge re-verification

| Artifact | What it proves | Minimum fields |
|---|---|---|
| Hi-pot / Insulation | Isolation withstand and insulation level baseline | test level, pass/fail, leakage |
| Leakage Test | Common-mode and leakage behavior is bounded | I_leak, CM indicators, temp |
| Surge Definition | Stress event is repeatable and location-specific | level, waveform, injection point |
| Post-Surge Re-test | Entity parameters did not drift beyond allowed range | Uo/Io, limit curve, leakage delta |
[Figure H2-10 (diagram placeholder). Isolation + creepage/clearance + leakage + surge placement = effective energy boundary. Safe side (supply / limiter / reference) and hazardous side (field wiring / load) across the isolation barrier, with optional surge devices (TVS / MOV / GDT) on either side. Creepage and clearance: distance + contamination + humidity + coating quality → effective margin stability. Leakage / CM coupling and PE/earth interaction: surge-to-ground shunts and return paths can shift the effective energy boundary. Post-surge re-verification: re-test Uo / Io / limit curve / leakage delta / heating.]
Figure H2-10. Isolation robustness depends on environment and surge placement. Leakage and surge-to-ground paths can shift the effective boundary unless re-verified after stress.
H2-11 · Validation & Compliance

Validation & Compliance Checklist (ATEX/IECEx-Style Mindset)

This checklist is designed for practical acceptance: define inputs, perform repeatable checks, apply pass rules, and record traceable evidence. Example MPNs below are reference building blocks (always confirm ratings and approvals in the latest datasheets and certification notes).

How to use this checklist

  • Inputs: entity parameters (Uo/Io/Po, Co/Lo), field device (Ci/Li), and cable C/L.
  • Checks: parameter match, single-fault proof, installation dependencies, traceability controls.
  • Evidence: waveforms, energy window results (E=∫VI dt), hi-pot/leakage tests, event logs.
A · Parameter Match

1) Entity parameter compliance (Uo/Io/Po vs Ci/Li/Co/Lo)

Treat the barrier as an energy budget component. Document the configured entity parameters and verify that the permitted external load (Co/Lo) covers the field device (Ci/Li) plus cable parasitics with explicit margin.

| Item | Input | Check | Pass rule | Record fields |
|---|---|---|---|---|
| Uo/Io/Po | Barrier/isolator entity parameters (incl. config profile) | Confirm max open-circuit voltage, short-circuit current, and power mode | Matches documented safety case and intended loop/device class | profile_id, Uo, Io, Po, temp |
| Co/Lo | Barrier permitted external C/L | Compute device+wire totals (Ci+Cable_C, Li+Cable_L) | Co ≥ Ci + Cable_C and Lo ≥ Li + Cable_L with margin | Co, Lo, Ci, Li, Cable_C, Cable_L, margin |
| Cable model | Cable type, length, routing | Estimate/measure capacitance & inductance per meter and total | Worst-case length and environment covered | cable_pn, length_m, C_per_m, L_per_m |
| Config control | Firmware/config registers | Lock/verify entity-limiting parameters at runtime | No unauthorized changes; checksum/manifest matches | fw_ver, cfg_hash, lock_state |

Helpful measurement MPN examples: current/voltage sense ICs such as INA240A1 (current-sense amplifier), INA219 (shunt monitor), or AD8210 (high-voltage current-sense amp).

B · Single-Fault Proof

2) Single-fault validation (fault insertion + bounded energy + recovery)

Each fault family must produce: fault definition, bounded energy evidence (fast window E=∫VI dt + V/I peaks), and a recovery policy (shutdown/foldback/hiccup/latch) that is repeatable and traceable in logs.

| Fault family | How to inject | What to measure | Pass rule | Record fields |
|---|---|---|---|---|
| Short near/far | Defined Rshort range; defined location (near/far end) | V/I peaks + E_window + mode transition timestamp | Energy remains within budget; mode is defined; no uncontrolled restart | fault_id, inj_point, Rshort, Vpk, Ipk, Ewin, mode, exit_reason |
| Open output | Disconnect event; worst-case cable parasitics | Voc peak + storage-node voltage + E_window | Voc and stored energy remain bounded; event logged | fault_id, Voc_pk, Vcap, Ewin, log_id |
| Limiter elem fail | Equivalent open/short of key limiting element | Hazardous-side energy bound remains enforced | Single fault cannot defeat energy limiting; latch/interlock as defined | fault_id, elem, fail_mode, Ewin, latch_state |
| Input OV/reverse | Defined OV level; defined reverse condition | Output envelope + E_window; thermal response | Output remains bounded; no unsafe bypass to hazardous side | Vin, fault_id, Vpk, Ipk, Ewin, temp |

Protection/control MPN examples used in proof setups: TPS2660 (eFuse with adjustable current limit), TPS25982 (eFuse/hot-swap), TPS2663 (eFuse family variant), LM5069 (hot-swap controller).

C · Installation Dependencies

3) Installation constraints (grounding, cable, ambient)

Validation is only representative if installation dependencies are satisfied. For Zener-style barriers, grounding quality is a primary dependency. For galvanic isolators, installation still affects leakage/common-mode and surge return paths.

| Dependency | Check | Pass rule | Record fields | MPN examples (support parts) |
|---|---|---|---|---|
| Grounding | Verify ground bonding method and impedance (as applicable) | Ground path meets design assumptions; no unexpected return paths | ground_method, Zg/impedance, site_notes | TVS: SMBJ33A / SMBJ58A (examples); GDT: 2038-xx series (example) |
| Cable | Confirm cable type/length and re-check Ci/Li budget | Worst-case length and routing are within modeled bounds | cable_pn, length_m, routing, Cable_C/L | Loop monitor: INA219 (shunt monitor) for validation logging |
| Ambient | Test at high ambient and poor airflow (thermal stress) | Derating/shutdown follows defined policy; leakage remains bounded | Tamb, airflow, temp_hotspot, derate_state | Temp sensor: TMP117 (example) for accurate logging |

Isolation interface MPN examples (system building blocks): digital isolator ADuM141E, isolated amplifier AMC1100, isolated ADC family example AD7401A, isolated DC/DC module example NXE1 series (confirm approvals for the target program).

D · Traceability

4) Traceability requirements (logs, counters, calibration & versioning)

A compliance mindset requires that every acceptance result can be mapped to a specific device, configuration, and test event. This is especially important for bypass events and post-surge re-verification.

Trace item | What to enforce | Pass rule | Record fields | MPN examples (logging/identity)
Device identity | Unique identity and immutable hardware/firmware versioning | Test result maps to a single unit without ambiguity | SN, HW_rev, FW_ver, cfg_hash | Secure element: ATECC608B (identity/keys, example)
Event logs | Fault IDs, bypass reasons, energy-window triggers, exit reasons | All critical transitions are logged with timestamps | log_id, ts, fault_id, bypass, Ewin, exit_reason | FRAM: MB85RC256V (robust log storage, example)
Calibration | Calibration coefficients and versioned parameters | Changes are controlled and auditable | cal_date, cal_ver, coeff_crc, operator | RTC: DS3231 (timestamping, example)

Test Record Template (minimum fields)

Use these fields to keep acceptance records auditable and repeatable across builds and sites.

  • Meta: date, operator, site, DUT serial number, HW/FW versions, config profile ID.
  • Parameter set: Uo/Io/Po, Co/Lo, device Ci/Li, cable type/length, calculated Cable_C/L, margin.
  • Fault insertion: fault family, injection point, injection method, duration, Rshort (if used).
  • Measurements: V/I peaks, E_window, limit curve screenshot/file name, temperatures, leakage/hi-pot results.
  • Outcome: pass/fail, recovery mode, exit reason, log IDs, retest requirements.
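The traceability table and the record template above ask for three things that are easy to state and easy to get wrong: a cfg_hash that binds a result to one parameter set, an event log whose entries cannot be silently edited or reordered, and a gate that refuses records with missing fields. The following is an added example (not the page's or any vendor's code) implementing all three in Python. The REQUIRED_FIELDS names are taken from the template; the SHA-256 chaining scheme, the canonical-JSON encoding and the sample timestamps are assumptions made for the example.

```python
"""Traceability: config hash, hash-chained event log and a minimum-field record gate.

Added example, not from the page. Field names follow the record template; the
chaining scheme and REQUIRED_FIELDS grouping are assumptions for illustration.
"""
import hashlib
import json

REQUIRED_FIELDS = {
    "meta": ["date", "operator", "site", "SN", "HW_rev", "FW_ver", "profile_id"],
    "parameter_set": ["Uo", "Io", "Po", "Co", "Lo", "Ci", "Li", "cable_pn",
                      "length_m", "Cable_C", "Cable_L", "margin"],
    "fault_insertion": ["fault_family", "injection_point", "injection_method", "duration_s"],
    "measurements": ["Vpk", "Ipk", "E_window", "limit_curve_file", "temp_hotspot", "leakage_uA"],
    "outcome": ["pass", "recovery_mode", "exit_reason", "log_ids", "retest_required"],
}


def canonical(obj):
    """Deterministic JSON bytes so the same content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def cfg_hash(parameter_set):
    """cfg_hash field: SHA-256 over the canonical parameter set (key order irrelevant)."""
    return hashlib.sha256(canonical(parameter_set)).hexdigest()


class EventLog:
    """Append-only log in which every entry commits to the previous entry's digest."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, ts, fault_id, bypass, ewin_J, exit_reason):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"log_id": len(self.entries) + 1, "ts": ts, "fault_id": fault_id,
                "bypass": bypass, "Ewin": ewin_J, "exit_reason": exit_reason,
                "prev_hash": prev}
        body["entry_hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append(body)
        return body["log_id"]

    def verify(self):
        """Return (ok, first_bad_log_id); an edited or reordered entry breaks the chain."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(canonical(body)).hexdigest()
            if body["prev_hash"] != prev or digest != e["entry_hash"]:
                return False, e["log_id"]
            prev = e["entry_hash"]
        return True, None


def build_record(meta, parameter_set, fault_insertion, measurements, outcome):
    """Assemble a record and bind it to its parameter set through cfg_hash."""
    return {"meta": meta, "parameter_set": parameter_set,
            "cfg_hash": cfg_hash(parameter_set), "fault_insertion": fault_insertion,
            "measurements": measurements, "outcome": outcome}


def missing_fields(record):
    """List 'section.field' names absent from a record; an empty list passes the gate."""
    missing = []
    for section, names in REQUIRED_FIELDS.items():
        present = record.get(section, {})
        missing += [f"{section}.{n}" for n in names if n not in present]
    if "cfg_hash" not in record:
        missing.append("cfg_hash")
    return missing


if __name__ == "__main__":
    log = EventLog()
    log.append("2024-01-01T10:00:00Z", "F-SHORT-01", False, 1.2e-3, "retry_ok")  # constructed
    print(log.verify(), cfg_hash({"Uo": 28.0, "Io": 0.093}))
```

A chained log does not stop a device from lying about what happened, but it does make later edits to a stored log detectable at audit time, which is the property the bypass-event and post-surge re-verification rules depend on. The cfg_hash should be computed from the same canonical encoding at factory and in the field, otherwise identical parameter sets hash differently and records stop matching.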
[Figure: Validation Checklist: Execute → Prove → Record (Auditable). Four compliance blocks: A) Parameter Match (Uo/Io/Po vs Ci/Li/Co/Lo; cable C/L + margin); B) Single-Fault Proof (fault insertion + E=∫VI dt; recovery mode + flags); C) Installation (grounding / cable / ambient; surge placement assumptions); D) Traceability (logs + counters + versions; calibration + audit fields). One record template connects all blocks: date · operator · SN · HW/FW · profile_id · fault_id · injection · V/I peaks · E_window · leakage/hi-pot · pass/fail · log_id]
Figure H2-11. A compliance checklist becomes valuable when every check has inputs, pass rules, and recorded evidence that is auditable.

H2-12 · FAQs

FAQs — Practical Decisions & Proof

Each answer points back to measurable evidence (Uo/Io/Po, Co/Lo, E=∫VI dt window, leakage, logs) rather than theory.

Zener barrier is cheaper—why do projects still insist on galvanic isolation?

Isolation is often chosen to remove grounding dependency and to make leakage/surge behavior easier to bound and audit. Zener barriers can be cost-effective, but performance hinges on ground impedance and return paths, especially after surge-to-earth shunting. Proof typically requires leakage tests and post-surge re-verification (Uo/Io and limit curve) that stays stable across installation variance.

Maps: H2-4, H2-10

Open-circuit voltage spikes but short-circuit current is limited—what is more dangerous?

Both can be hazardous, but the governing metric is delivered energy, not only Io. Open-circuit can drive higher Voc and charge allowed capacitance, so stored energy may rise unless Co/Ci and cable C are budgeted correctly. Short-circuit stresses the limiter thermally and dynamically. Use V/I peaks plus an energy window E=∫VI dt and verify the recovery mode is deterministic under fault insertion.

Maps: H2-5, H2-8

The same barrier fails when the cable is longer—Co/Lo limit or a grounding loop issue?

Start with the budget: longer cable increases Cable_C and Cable_L, shrinking margin against Co/Lo. If budgets still pass on paper, suspect installation paths: grounding loops, shield termination, or surge-to-earth devices can change return currents and apparent leakage. Evidence should include a cable C/L estimate table, measured loop impedance (if Zener), and before/after waveforms showing where the limiter triggers and how E_window changes.

Maps: H2-5, H2-3

Auto-retry or latch after a fault—what is better without sacrificing availability?

Use a tiered policy. Transient faults (momentary shorts, brief overload) often suit hiccup/auto-retry with capped retry count and thermal gating. Isolation-health faults (leakage rise, insulation degradation) should latch to prevent repeated stress and to require a proof step. The decision should be backed by logs (fault_id, count, exit_reason), thermal slope, and an explicit interlock rule set tied to bypass eligibility.

Maps: H2-7, H2-9

Energy-limit monitoring before isolation or after isolation—what is the difference?

The placement changes what faults can be “seen.” Before isolation, sensing captures controller actions and input-side anomalies, but may miss hazardous-side wiring dynamics. After isolation, sensing is closer to delivered energy and better reflects field events, but measurement circuits must not introduce new leakage paths. Validate by fault insertion: compare trigger timing, E_window accuracy, and whether the chosen point reliably flags the same hazard conditions.

Maps: H2-7, H2-6

Can a bypass path “escape” energy limiting, and how is compliance still proven?

A compliant bypass is not a hard short; it is a controlled degradation path with interlocks. Proof requires three artifacts: bypass enable conditions (energy, thermal, isolation, timing gates), post-bypass entity limits (re-bounded Uo/Io/Po and E_window), and an auditable bypass event log. If bypass cannot be proven to keep E=∫VI dt below budget, it should be treated as a safety defect, not an availability feature.

Maps: H2-9, H2-5

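The two answers above (tiered retry/latch, and bypass as an interlocked degradation path) describe one policy from two sides, so the following is a single added example (not the page's or any product's code) that implements both as a small state machine in Python: a capped auto-retry for transient faults, a thermal gate, an immediate latch for isolation-health faults that can only be cleared by a recorded proof step, and a bypass-eligibility check that requires the energy, thermal, isolation and timing gates to all pass. The fault family names, retry cap, window and gate thresholds are constructed for illustration, not values from the page.

```python
"""Tiered fault policy with interlocked bypass eligibility.

Added example, not from the page. Fault families, thresholds, retry cap and
gate values are constructed for illustration.
"""
from enum import Enum

TRANSIENT = {"momentary_short", "brief_overload"}          # eligible for hiccup/auto-retry
ISOLATION_HEALTH = {"leakage_rise", "insulation_degradation"}  # always latch


class State(Enum):
    RUN = "run"
    HICCUP = "hiccup"      # auto-retry pending after a transient fault
    LATCHED = "latched"    # stays off until a proof step is recorded
    BYPASS = "bypass"      # controlled degradation path, still energy-limited


class FaultPolicy:
    def __init__(self, max_retries=3, retry_window_s=10.0, t_hot_C=85.0,
                 bypass_Ewin_max_J=1e-3, bypass_quiet_s=5.0):
        self.max_retries = max_retries
        self.retry_window_s = retry_window_s
        self.t_hot_C = t_hot_C
        self.bypass_Ewin_max_J = bypass_Ewin_max_J
        self.bypass_quiet_s = bypass_quiet_s
        self.state = State.RUN
        self.retry_count = 0
        self.last_fault_ts = None
        self.log = []   # traceability: fault_id, count, exit_reason, resulting state

    def _record(self, fault_id, exit_reason):
        self.log.append({"fault_id": fault_id, "count": self.retry_count,
                         "exit_reason": exit_reason, "state": self.state.value})
        return self.state

    def on_fault(self, fault_id, family, ts, temp_C):
        """Retry or latch for one fault event; returns the resulting state."""
        if self.last_fault_ts is not None and ts - self.last_fault_ts > self.retry_window_s:
            self.retry_count = 0                 # retries are capped per burst, not for ever
        self.last_fault_ts = ts
        if family in ISOLATION_HEALTH:
            self.state = State.LATCHED           # no repeated stress; proof step required
            return self._record(fault_id, "isolation_latch")
        if temp_C >= self.t_hot_C:
            self.state = State.LATCHED           # thermal gate: never retry into a hot part
            return self._record(fault_id, "thermal_gate")
        if family in TRANSIENT and self.retry_count < self.max_retries:
            self.retry_count += 1
            self.state = State.HICCUP
            return self._record(fault_id, "auto_retry")
        self.state = State.LATCHED
        return self._record(fault_id, "retry_cap" if family in TRANSIENT else "unclassified_fault")

    def on_recovered(self):
        """A successful restart after hiccup returns to RUN; the burst counter is kept."""
        if self.state == State.HICCUP:
            self.state = State.RUN
        return self.state

    def bypass_eligible(self, ts, temp_C, ewin_J, isolation_ok):
        """Every interlock must pass: not latched, energy, thermal, isolation and timing gates."""
        reasons = []
        if self.state == State.LATCHED:
            reasons.append("latched")
        if ewin_J > self.bypass_Ewin_max_J:
            reasons.append("energy_gate")
        if temp_C >= self.t_hot_C:
            reasons.append("thermal_gate")
        if not isolation_ok:
            reasons.append("isolation_gate")
        if self.last_fault_ts is not None and ts - self.last_fault_ts < self.bypass_quiet_s:
            reasons.append("timing_gate")
        return (not reasons, reasons)

    def enter_bypass(self, ts, temp_C, ewin_J, isolation_ok):
        """Enter the bypass path only when eligible; denied attempts are logged with reasons."""
        ok, reasons = self.bypass_eligible(ts, temp_C, ewin_J, isolation_ok)
        if ok:
            self.state = State.BYPASS
            self._record("bypass", "bypass_enter")
        else:
            self._record("bypass", "bypass_denied:" + ",".join(reasons))
        return ok

    def clear_with_proof(self, proof_passed):
        """Leave LATCHED only after a recorded proof step; resets the retry counter."""
        if self.state == State.LATCHED and proof_passed:
            self.state = State.RUN
            self.retry_count = 0
            self._record("proof", "latch_cleared")
            return True
        return False
```

Every decision appends a log entry with fault_id, count and exit_reason, which is the evidence the answer says the policy must be backed by; denied bypass attempts are logged with the gate that blocked them so an availability complaint can be traced to a specific interlock rather than to "the barrier tripped".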
After surge-to-earth shunting, why does leakage testing become harder to pass?

Surge devices and their placement can reshape common-mode return paths. After surge stress, protection components or insulation interfaces may drift, increasing measured leakage or changing parasitic coupling across the isolation barrier. The correct response is not only “move the TVS,” but to prove stability: baseline leakage/hi-pot, defined surge injection point, and post-surge re-test of leakage delta plus Uo/Io and the limit curve to confirm the boundary did not shift.

Maps: H2-10, H2-4

Output short survives, but temperature exceeds limits—foldback strategy or magnetics loss?

Electrical safety can still pass while thermal safety fails. Foldback/hiccup can park operation in a high-loss region (high RMS current or frequent restart pulses), overheating resistors, switches, or magnetics. Separate the hypotheses with evidence: temperature vs time, retry frequency, current waveform RMS, and hotspot location. If temperature tracks retry cadence, adjust timing/thresholds; if it tracks RMS under foldback, revisit magnetics/core loss or sense-resistor dissipation.

Maps: H2-8, H2-7

Field device Ci/Li is unknown—how to set a worst-case boundary?

Use a conservative boundary method: assume the maximum Ci/Li for the device family or the largest plausible variant, then add worst-case cable C/L for the maximum permitted length. If uncertainty remains, reduce the allowed external envelope (choose a lower entity profile or stricter Co/Lo) until margin is recovered. Record assumptions in the acceptance template (data source, margin, configuration hash) so the safety case is auditable and repeatable.

Maps: H2-5, H2-11

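The cable row of the installation table, the longer-cable FAQ and the unknown-Ci/Li FAQ above all come down to one arithmetic check: device Ci/Li plus cable-equivalent C/L against Co/Lo with a margin, and the Uo/Io/Po envelope against Ui/Ii/Pi. The following is an added example (not the page's code) that performs that budget in Python, derives the longest cable the budget allows, and builds the conservative boundary the unknown-Ci/Li answer describes by taking the largest Ci/Li and the most restrictive Ui/Ii/Pi across a device family. The entity values, the per-metre cable constants and the 20 % margin are constructed for the example and are not values from the page or any standard.

```python
"""Parameter match with cable parasitics and a worst-case Ci/Li boundary.

Added example, not from the page. Entity values, per-metre cable constants and
the margin are constructed; units are SI (V, A, W, F, H, m).
"""


def cable_parasitics(length_m, c_per_m_F, l_per_m_H):
    """Lumped worst-case cable-equivalent C and L for the installed length."""
    return length_m * c_per_m_F, length_m * l_per_m_H


def entity_check(source, device, cable_C_F, cable_L_H, margin=0.2):
    """Compare source Uo/Io/Po/Co/Lo with device Ui/Ii/Pi/Ci/Li plus cable.

    Co and Lo are de-rated by `margin` so routing variance and Ci/Li tolerance
    still leave headroom; headroom values are returned for the record.
    """
    c_allowed = source["Co"] * (1.0 - margin)
    l_allowed = source["Lo"] * (1.0 - margin)
    c_used = device["Ci"] + cable_C_F
    l_used = device["Li"] + cable_L_H
    checks = {
        "Uo<=Ui": source["Uo"] <= device["Ui"],
        "Io<=Ii": source["Io"] <= device["Ii"],
        "Po<=Pi": source["Po"] <= device["Pi"],
        "Ci+CableC<=Co(1-m)": c_used <= c_allowed,
        "Li+CableL<=Lo(1-m)": l_used <= l_allowed,
    }
    return {"pass": all(checks.values()), "checks": checks,
            "C_headroom_F": c_allowed - c_used, "L_headroom_H": l_allowed - l_used}


def max_cable_length_m(source, device, c_per_m_F, l_per_m_H, margin=0.2):
    """Longest cable that keeps both the C and the L budget after de-rating."""
    by_c = (source["Co"] * (1.0 - margin) - device["Ci"]) / c_per_m_F
    by_l = (source["Lo"] * (1.0 - margin) - device["Li"]) / l_per_m_H
    return max(0.0, min(by_c, by_l))


def worst_case_device(family_variants):
    """Unknown Ci/Li: largest Ci/Li and most restrictive Ui/Ii/Pi across the family."""
    return {"Ui": min(v["Ui"] for v in family_variants),
            "Ii": min(v["Ii"] for v in family_variants),
            "Pi": min(v["Pi"] for v in family_variants),
            "Ci": max(v["Ci"] for v in family_variants),
            "Li": max(v["Li"] for v in family_variants)}


def boundary_check(source, family_variants, max_length_m, c_per_m_F, l_per_m_H, margin=0.2):
    """Conservative boundary: worst-case device plus cable at the maximum permitted length."""
    cC, cL = cable_parasitics(max_length_m, c_per_m_F, l_per_m_H)
    return entity_check(source, worst_case_device(family_variants), cC, cL, margin)


# Constructed values for the example (not from the page or a certificate).
SOURCE_EXAMPLE = {"Uo": 28.0, "Io": 0.093, "Po": 0.65, "Co": 83e-9, "Lo": 3e-3}
DEVICE_EXAMPLE = {"Ui": 30.0, "Ii": 0.1, "Pi": 0.75, "Ci": 10e-9, "Li": 0.1e-3}
FAMILY_EXAMPLE = [
    DEVICE_EXAMPLE,
    {"Ui": 30.0, "Ii": 0.12, "Pi": 0.75, "Ci": 25e-9, "Li": 0.3e-3},
]
CABLE_C_PER_M, CABLE_L_PER_M = 100e-12, 1e-6   # constructed per-metre constants

if __name__ == "__main__":
    cC, cL = cable_parasitics(200.0, CABLE_C_PER_M, CABLE_L_PER_M)
    print(entity_check(SOURCE_EXAMPLE, DEVICE_EXAMPLE, cC, cL))
    print(max_cable_length_m(SOURCE_EXAMPLE, DEVICE_EXAMPLE, CABLE_C_PER_M, CABLE_L_PER_M))
    print(boundary_check(SOURCE_EXAMPLE, FAMILY_EXAMPLE, 300.0, CABLE_C_PER_M, CABLE_L_PER_M))
```

When the longer-cable FAQ says "start with the budget", this is the computation: if the check still passes at the installed length, the fault lies in the installation paths the answer lists, not in Co/Lo. The headroom values belong in the record template's margin field so that a later cable change can be re-evaluated without re-deriving the assumptions.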
Intermittent dropouts—barrier protection action or loop voltage-drop budgeting?

Distinguish by logs and waveforms. Protection action will show fault flags, limit-mode entry, or E_window trigger around the dropout timestamp. Voltage-drop issues appear as Vout falling below device minimum during inrush/step load, often without protection flags. Measure Vout/Iout transients, minimum sustaining voltage, and cable resistance contribution. A stable fix typically targets the first failing constraint: raise voltage headroom, reduce peak load, or tune thresholds/retry timing.

Maps: H2-6, H2-7

With shared supply across channels, one channel fault impacts others—how to localize?

Identify the shared node and break the evidence chain there: shared input rail, shared isolation, shared monitoring reference, or shared return path. Inject a fault on one channel and observe whether other channels show synchronized UV events, E_window triggers, or log timestamps. If coupling aligns with a shared rail droop, isolate channels or add per-channel limiting. If it aligns with shared sensing/reference shifts, re-architect monitoring points and grounding to avoid false trips.

Maps: H2-6, H2-8

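Both of the preceding answers (intermittent dropouts, and one channel's fault affecting others) are answered by correlating timestamps in the event log rather than by inspection. The following is an added example (not the page's code) that does that over a constructed log in Python: a dropout is attributed to protection action if a protection flag on the same channel sits within a short window of it, otherwise it is flagged as a voltage-drop-budget suspect; and after a fault is injected on one channel, the other channels' synchronized events are collected and classified as shared-rail droop (only UV events) or shared sensing/reference shift (protection triggers without UV). The event names, the ±50 ms window and every log line are constructed for illustration.

```python
"""Log correlation for dropout attribution and cross-channel coupling.

Added example, not from the page. Log lines, event names and the correlation
window are constructed for illustration.
"""

# Constructed log: (ts_s, channel, event, detail)
EVENTS = [
    (10.000, 1, "fault_inject", "short@terminal"),
    (10.012, 1, "limit_mode", "foldback"),
    (10.015, 2, "UV", "Vin<20.4"),
    (10.017, 3, "UV", "Vin<20.4"),
    (10.020, 1, "Ewin_trigger", "1.4e-3J"),
    (10.300, 4, "UV", "Vin<20.4"),        # unrelated: outside the window
    (25.000, 2, "dropout", "Vout<10.8"),  # no protection flag nearby
    (39.990, 3, "fault_flag", "OC"),
    (40.000, 3, "dropout", "Vout<10.8"),  # preceded by a protection flag
]

PROTECTION_EVENTS = {"fault_flag", "limit_mode", "Ewin_trigger"}


def classify_dropout(events, channel, ts, window_s=0.05):
    """Protection action if a protection flag on the same channel lies within +/-window_s.

    Otherwise the dropout is a voltage-drop-budget suspect: Vout fell below the
    device minimum without the limiter or energy monitor acting.
    """
    flags = [e for e in events
             if e[1] == channel and e[2] in PROTECTION_EVENTS and abs(e[0] - ts) <= window_s]
    return ("protection_action", flags) if flags else ("voltage_drop_suspect", [])


def coupled_channels(events, inject_channel, inject_ts, window_s=0.05):
    """Other channels' UV or protection events that follow the injection within window_s."""
    hits = {}
    for ts, ch, ev, _detail in events:
        if ch == inject_channel:
            continue
        if ev in PROTECTION_EVENTS | {"UV"} and 0.0 <= ts - inject_ts <= window_s:
            hits.setdefault(ch, []).append((ev, round(ts - inject_ts, 3)))
    return hits


def localize(events, inject_channel, inject_ts, window_s=0.05):
    """Name the shared node suggested by the coupling pattern, with the supporting hits."""
    hits = coupled_channels(events, inject_channel, inject_ts, window_s)
    if not hits:
        return "isolated", hits
    kinds = {ev for lst in hits.values() for ev, _ in lst}
    if kinds == {"UV"}:
        return "shared_rail_droop_suspected", hits          # isolate channels / per-channel limiting
    if "UV" not in kinds:
        return "shared_sensing_or_reference_suspected", hits  # re-architect monitoring points
    return "mixed_coupling", hits


if __name__ == "__main__":
    print(classify_dropout(EVENTS, 2, 25.0))
    print(classify_dropout(EVENTS, 3, 40.0))
    print(localize(EVENTS, 1, 10.0))
```

The window is deliberately asymmetric for the coupling check (events after the injection only) and symmetric for the dropout check, because a protection flag written just after the dropout timestamp is still evidence of protection action, while an event on another channel before the injection cannot have been caused by it.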
Factory validation is done—how to run periodic field proof tests?

Use a minimal proof-test set that is repeatable onsite: re-check entity limits (Uo/Io and limit curve), perform a lightweight fault insertion at a defined point and duration, and verify traceability fields (versions, calibration, fault counters, and log integrity). After any surge event or wiring change, include leakage delta and a post-stress re-verification step. Pass/fail must reference the same record template used at factory acceptance.

Maps: H2-11, H2-8