Design intent: This page focuses on safe HV connection and provable safe exit. The deliverable is not just “it works,” but evidence that explains what happened during arcs, insulation events, and sequencing failures.

• Physical boundary: overhead line / third rail contact → pantograph head & mechanism → HV switching chain (pre-charge, main contactor, discharge, breaker interface) → DC-link node (Vdc) → downstream load interface (referenced only).
• Electrical boundary: HV domain (Vdc, contactor/breaker) + isolated sensing boundary + LV control domain (controller, comms, logging).
• Responsibility boundary: this subsystem owns connect/disconnect sequencing, supervision, and evidence integrity; it does not own propulsion energy conversion.

• HVIL
• Pre-charge
• Contactor/Bkr
• IMD
• Arc
• Evidence Packet

In scope (explicit modules with acceptance evidence):

• Pantograph actuation + sensing AFEs: motor/servo or pneumatic actuation; position/pressure/force sensing; plausibility checks; sensor health flags; log state transitions + key sensor snapshots.
• DC-link connect/disconnect sequencing: pre-charge ramp validation, main close verification, discharge timing, contactor feedback (aux contact), weld/stuck detection; store sequence timeline and timeouts.
• Insulation monitoring + ground/leakage detection: estimator output + confidence, hysteresis, action ladder; capture leakage trend + context (Vdc, environment, mode).
• Arc detection + classification + protective actions: arc sensing and feature extraction; distinguish arc vs interference; actions (drop/raise policy, open contactor, lockout); save pre/post-trigger waveforms.
• Event recording as evidence: trusted timestamps, ring buffer, counters, configuration/version stamps; produce a minimal evidence packet readable after power events.

Out of scope (intentional non-overlap):

• Traction inverter switching, PWM, SiC/IGBT drive details, propulsion control loops (handled by a dedicated traction inverter page).
• Station/substation converter equipment and site-level controls (handled by traction power/substation pages).
• Signaling / passenger systems business logic (handled by signaling/PIS pages).

Interfaces only (named, not expanded): downstream load interface (“DC-link load”), and vehicle supervisory interface (“TCMS status/command & time sync”).

Evidence outputs (what this page ultimately promises):

• Waveforms: Vdc ramp (pre-charge), contactor coil/feedback timing, arc feature traces (pre/post trigger), insulation estimator trend snapshots.
• Logs: state machine transitions, trip reason codes, confidence scores, recovery gates, commit status under brownout.
• Counters: arc event counts, lockout counts, pre-charge retries, contactor operations, discharge completion failures.
• Integrity: timestamps + configuration versions (firmware/config IDs) to make evidence auditable.

How standards are used on this page: each touchpoint is translated into a concrete engineering obligation:

• Standard pressure (what the rail environment forces)
• Design action (hardware/firmware policy that prevents unsafe behavior)
• Validation evidence (what must be measured during qualification)
• Field evidence fields (what must be logged so incidents are explainable)

Key rail reality: “pass on the bench” is insufficient. Power interruptions, EMC bursts near HV arcs, and vibration-induced intermittents can produce false arc/IMD trips unless the design preserves context and evidence.

• EN 50155
• EN 50121
• IEC 61373
• Fail-safe
• Evidence retention

Standards-to-actions mapping (implementation view):

Implementation rule: each module must expose measurable signals that support a post-incident explanation. A module is considered complete only when it provides both control behavior and evidence fields.

• Inputs/Outputs
• Isolation
• Failure Modes
• Evidence Fields

Module set (acceptance-oriented):

• Actuation & mechanics: raise/lower/hold/drop capability; actuator health; mechanical limits and bounce behavior.
• Sensor AFEs: position + pressure/force + wear/contact channels; noise immunity; plausibility checks; open/short detection.
• HV switching chain: pre-charge, main contactor, discharge, breaker interface, HVIL gating; coil drive and feedback validation.
• Insulation monitoring: injection/measurement, leakage estimation and classification, hysteresis and action ladder.
• Arc detection block: sensors → features → classifier → action policy; correlation with context to reduce false trips.
• Controller & comms (TCMS interface only): commands, status, alarms, and time synchronization signals for consistent timestamps.
• Event recorder: timestamping, ring buffer, nonvolatile commit, counters, and a minimal evidence packet schema.

Cross-module dependency examples: arc classification quality depends on synchronized context (actuation state + Vdc transient + HVIL status); sequence failures require both Vdc slope and contactor feedback to isolate root cause.

Evidence fields that must be routable to the recorder:

• Sequencing: pre-charge start/stop, Vdc ramp slope, main close time, discharge completion time, timeout reasons.
• Interlocks: HVIL state with debounce counters, maintenance/roof access mode (as an input), contactor auxiliary feedback state.
• Arc/IMD: arc confidence + feature summary, leakage estimate + confidence + trend index, action taken and lockout gates.
• Versions: configuration ID, classifier version, threshold set ID, recorder schema version.

Control objectives (measurable acceptance points):

• Raise/Lower determinism: bounded time-to-position, controlled overshoot, consistent limit detection, and repeatable state transitions.
• Contact stability: maintain uplift force/pressure within a defined band; detect abnormal bounce and suppress unsafe oscillation.
• Emergency drop latency: bounded trigger-to-drop response; action must remain deterministic even during supply disturbances.
• Policy-driven recovery: recovery is gated by measurable conditions (interlocks valid, insulation/arc conditions cleared), not by blind retries.

• Raise/Lower
• Hold Uplift
• Emergency Drop
• Anti-bounce
• Recovery Gates

Failure-safe ladder (trigger → action → recovery gate → evidence fields):

State machine (high-level):

• IDLE: interlocks verified; sensors healthy; awaiting command.
• RAISE: actuator moves; position/pressure trends monitored; time-to-target bounded.
• CONTACT/REGULATE: transition into stable uplift control; anti-bounce window active.
• RUN: continuous monitoring; arc/IMD policies active; evidence triggers armed.
• DROP: deterministic drop action; HV chain opened as required; record evidence packet.
• LOCKOUT: repeated hazard or failed recovery gate; requires explicit clearance conditions.
• RECOVER: gate checks executed; re-entry allowed only when measurable conditions pass.

Hard interlocks in-scope: HVIL, roof/maintenance input, and optional speed gate are treated as gating inputs only (no vehicle-wide business logic on this page).

Primary risk: false readings are more dangerous than small accuracy loss. The AFE must prevent common-mode bursts and ground shifts from becoming state-machine triggers.

• Long cable
• CM noise
• Isolation
• Ratiometric
• Open/Short
• Plausibility

Sensor interface set (examples with interface risks):

• Position: LVDT / linear potentiometer / encoder. Risk: cable pickup, bounce/glitch, reference shift.
• Pressure: pressure transducer (voltage or bridge-type). Risk: excitation ripple coupling and offset drift.
• Force: strain/force element. Risk: low-level differential signals are sensitive to EMI and thermal drift.
• Limit / switch: discrete sensors. Risk: vibration bounce and intermittent contacts.

AFE chain (engineering choices that impact immunity and evidence):

• Protection at the cable entry: clamp placement must avoid pushing the ADC into saturation during bursts. Track clamp-related events when available.
• Excitation & ratiometric strategy: for bridge-like sensors, measure sensor output and excitation reference to suppress excitation drift.
• Filtering vs latency: filter reduces EMI but adds group delay. Choose bandwidth to preserve event timing (e.g., bounce/transition windows).
• ADC selection: prioritize robustness to interference and predictable data-valid flags; record mode/config IDs for auditability.
• Open/short detection: detect cable faults explicitly (open, short-to-rail, short-to-reference) and log persistence duration.

Minimum evidence fields: sensor_valid, open_short_flag, adc_saturation_cnt, noise_metric, drift_index, cal_version.

Immunity blueprint (installation-grade rules):

• Isolation placement: place isolation so the long cable does not create uncontrolled ground return paths across the HV↔LV boundary.
• Shield termination: define shield bonding points intentionally; avoid using shield as signal return. Prevent uncontrolled ground loops across boundaries.
• Common-mode control: prefer differential sensing where possible; ensure reference strategy remains stable under ground shift.
• Debounce for discrete inputs: treat switch/limit as “noisy by default” under vibration and log bounce counters.

Prohibited patterns: shield-as-return, floating references across long runs, and ambiguous grounding that defeats isolation.

Health diagnostics (turn raw signals into trustworthy inputs):

• Plausibility: cross-check position vs pressure/force changes. Inconsistency raises a confidence warning rather than forcing immediate hazardous actions.
• Drift detection: separate slow drift from step changes (step changes often indicate intermittents rather than true mechanical movement).
• Calibration versioning: every coefficient update must carry version ID + activation timestamp; logs must always include the active cal_version.

Power truth: the primary hazards are partial energization, unverified contactor state, and brownout mid-sequence. A correct design makes these cases detectable and explainable.

• Pre-charge profile
• Main close verify
• Discharge proof
• Weld detect
• Timeouts
• Evidence

Sequence specification (step → measurement → timeout → evidence):

• Step 0 — Gating: HVIL stable, maintenance mode not active, safety conditions OK. Evidence: gate_result + fail_reason.
• Step 1 — Pre-charge: limit inrush and validate Vdc ramp slope to threshold. Timeout: Tpc. Evidence: vdc_slope, t_to_threshold.
• Step 2 — Main close: drive coil and verify auxiliary feedback transition. Timeout: Tcl. Evidence: coil_on_ts, aux_fb_ts.
• Step 3 — Validate: confirm stable close (no “false close”); check Vdc behavior consistency. Timeout: Tval. Evidence: validate_flags.
• Step 4 — Run monitor: watch aux feedback stability, Vdc anomalies, HVIL bounce counters. Evidence: runtime_counters.
• Step 5 — Open: command open and verify feedback and Vdc response. Timeout: Top. Evidence: open_fb_ts, open_verified.
• Step 6 — Discharge: prove Vdc drops below safe threshold within a window and stays stable. Timeout: Tdsg. Evidence: vdc_below_ts, discharge_fail_cnt.

Contactor / breaker control (must be verifiable):

• Coil drive strategy: pick/hold phases with an economizer while keeping feedback validation deterministic.
• Weld / stuck detection: open command with unchanged AUX_FB and/or non-decreasing Vdc indicates a suspect weld or partial energization.
• Open-time verification: record open command, feedback edge, and confirm window outcomes.

Minimum evidence fields: precharge_start_ts, vdc_slope, aux_fb_ts, validate_flags, hvil_bounce_cnt, open_verified, vdc_below_ts, commit_status.

Edge cases (detectable and explainable):

• Brownout mid-sequence: enforce a safe exit policy and log commit_status + last stable state to avoid “unknown HV state.”
• HVIL bounce: apply debounce and prevent unsafe oscillation; log edge timestamps and bounce counters.
• Partial energization: treat mismatched Vdc behavior vs feedback as hazardous; lock out until measurable clearance gates pass.

Design goal: avoid two failure modes—(1) transient contamination causing over-actions, and (2) slow degradation being ignored. The output must be leak_est + confidence + class, not a single alarm bit.

• Leak model
• Confidence
• Classification
• Hysteresis
• Evidence fields

IMD measurement model (what must be controlled and recorded):

• Injection parameters: mode, level, and frequency define the observability and immunity trade-off.
• Measurement window: sample window and filter strategy define response time and false-trigger susceptibility.
• Context coupling: leakage interpretation depends on Vdc, contactor state, and the active sequence state (precharge/validate/run/open/discharge).

Minimum config evidence: inj_mode, inj_level, inj_freq, window_id, filter_id, estimator_ver.

Leakage classification (shape → decision meaning):

Estimator outputs to log: leak_est, leak_conf, leak_class, noise_metric, variance, trend.

Hysteresis and action ladder (policy must be explicit):

• Two-threshold hysteresis: use TH_UP to enter an elevated state and TH_DN to exit, preventing oscillation.
• Time qualification: require N consecutive windows or a minimum dwell time before stepping up.
• Action levels (example): L0 log-only → L1 maintenance flag + higher logging density → L2 protective restrictions → L3 drop/open → L4 lockout with clear exit criteria.

Decision trace evidence: action_level, hys_state, reason_code, repetition_cnt, dwell_time, clear_gate.

Core rule: treat “single-sensor spikes” as suspect. Escalation requires cross-domain consistency (electrical + mechanical and/or physical-domain signatures).

• Sensor fusion
• Features
• EMC gate
• Arc storm
• Evidence packet

Arc sources and what they tend to look like (evidence-centric):

• Bounce / contact loss: repeated pulses; strong correlation with position/force disturbances.
• Flashover: higher pulse energy; larger Vdc disturbance; may form short “storm” windows.
• Ice / debris: intermittent events that cluster under certain environmental conditions.
• Uplift mis-control: patterns correlate with force-control deviations rather than random EMI.

Sensing options (each has a dominant false-positive risk):

• HV dv/dt pick-up: sensitive but can mistake unrelated transients as arc without context gates.
• Optical / UV: direct evidence but vulnerable to occlusion/contamination; requires health checks.
• Acoustic: useful corroboration but susceptible to environmental noise; needs time alignment.
• Current derivative (di/dt): strong electrical signature but may be triggered by other disturbance sources.
• RF signatures: informative in storms, but EMC environment can mimic bursts; relies on fusion scoring.

Feature extraction (small set, explainable, loggable):

• Pulse energy proxy: peak × width or integral proxy.
• Repetition rate: pulses per time window; supports “arc storm” decisions.
• Cross-correlation: event alignment with position/force changes and Vdc ripple.
• Sensor agreement score: how many sensors and domains concur within a time window.

Minimum feature logs: E_pulse, R_rep, corr_mech, vdc_dist, agree_score.

False-positive control (EMC gate + exclusion rules):

• State gating: apply different sensitivity windows across sequence states to avoid mislabeling switching windows as arcing.
• Exclusion: if only dv/dt triggers but mechanical/optical evidence is missing, classify as suspect and limit action escalation.
• Decision trace: record which rule fired (reason_code) and whether the EMC gate reduced confidence.

Decision evidence: arc_conf, arc_class, emc_gate, reason_code, storm_cnt.

Protective actions (graded policy with storm lockout):

• A0 Observe: log + increase sampling and buffering.
• A1 Protect: restrict recovery transitions; require additional validation gates.
• A2 Emergency: drop pantograph and open contactor chain when confidence is high.
• A3 Arc storm lockout: repetition rate exceeds a window threshold with high agreement; requires explicit clearance conditions.

Purpose: every protective action must be explainable after the fact. That requires a consistent schema and a recording plan that survives power loss.

• Triggers
• Ring buffer
• Trusted time
• Integrity
• Fixed schema

Trigger strategy (design rules, not a wishlist):

• Arc detected: classifier confidence exceeds threshold or “storm” counter window is met.
• IMD threshold crossing: leakage model crosses TH_UP with minimum dwell time.
• Sequence failure: timeout, mismatch (e.g., Vdc vs AUX_FB), or partial energization suspected.
• HVIL open: debounced open event while HV switching is active or transitioning.
• Contactor weld suspected: open command without verified open feedback and inconsistent Vdc decay.

Trigger log fields: trigger_id, trigger_reason, confidence, storm_cnt, seq_state, action_level.

Ring buffer (capture windows and sampling plan):

• Pre-trigger window: keeps causal context (what happened before the decision).
• Post-trigger window: confirms outcome (did Vdc decay, did AUX_FB change, did arc stop).
• Per-signal sampling rates: assign higher rates to fast signatures (dv/dt, di/dt, AUX_FB edges) and lower rates to slow context (position/force trend, leak_est).
• Bandwidth discipline: record downsampled “summary channels” plus short high-rate bursts to preserve evidence without runaway storage.

Buffer fields: pre_ms, post_ms, fs_fast, fs_slow, burst_len, buffer_overrun.

Trusted time (survive clock loss and prove ordering):

• Monotonic counter: provides strict ordering even under wall-clock loss.
• PTP/GNSS sync (when available): provides absolute time; record sync status and measured skew.
• Skew handling: keep both mono_ts and wall_ts, plus sync_state so investigators can reconstruct timelines.

Time fields: mono_ts, wall_ts, sync_state, skew_us, time_src.

Integrity and anti-tamper (tamper-evident by design):

• Hash + signature: compute a digest over the evidence payload and sign it; store signature alongside the packet.
• Commit discipline: write “header → payload → footer(signature)” so incomplete writes are detectable.
• Upload/extraction: define transport (e.g., via T2G gateway) and depot extraction procedures; always log upload status.

Integrity fields: hash_alg, hash, sig_alg, signature, commit_status, upload_status.

Minimum evidence packet schema (fixed layout recommended):

Focus: arcs and roof wiring create fast transients. Most field failures come from unexpected return paths (common-mode) and protection elements placed too far from the real entry points.

• Surge/ESD path
• CM return
• Protection placement
• Brownout
• Test mapping

Surge/ESD paths near roof equipment (what must be mapped):

• Common-mode return: transient current often returns via vehicle structure, not signal ground. Design assumes structure is part of the circuit.
• Long harness pickup: sensor and command lines behave like antennas; CM bursts appear as false sensor motion unless controlled.
• Arc proximity: arcing produces broadband energy; avoid relying on “clean ground” assumptions.

Protection placement (make the energy go where it should):

• TVS/MOV selection and location: place clamps at the true entry points, not deep inside the controller.
• Coil snubbers: use RC snubbers or clamp networks to limit coil kick and prevent feedback misreads.
• Shield bonds: define where shields bond to structure; prevent the shield from becoming an uncontrolled signal return.
• Isolation strategy: isolate where CM currents would otherwise cross boundaries and turn into measurement offsets.

Placement evidence: document entry points, clamp location, and the intended return path in drawings and test reports.

Controller survivability (brownout + holdup + safe outcome):

• Brownout strategy: define thresholds and priorities: which functions shut down first and which must remain alive.
• Holdup budget: reserve energy to perform “commit log then safe drop/open” rather than leaving ambiguous state.
• Atomic logging: the event recorder must write a detectable commit_status even when power collapses.

Survivability evidence: brownout_level, holdup_ms, last_safe_action, commit_status.

Test mapping (inject vs observe, and what counts as pass):

Rule: every “PASS/FAIL” must map to two independent proofs (e.g., a waveform + a state/log), and must produce an evidence packet if a protective action occurs.

• Checklist
• 2 proofs
• Waveforms
• Counters
• Evidence packet

A) Commissioning (first power-up & mechanical sanity)

Objective: prove sensors, actuation limits, calibration constants, and safety interlocks are coherent before any HV switching sequence is trusted.

• Sensor sanity: confirm each channel toggles/changes in the expected direction; detect open/short; record sensor_ok and diag_code.
• Actuation end-stops: drive to raise/lower limits with reduced force/velocity; verify end-stop detection and no overshoot; log endstop_hit and pos_range.
• Uplift/pressure calibration: verify ratiometric stability and plausibility (position vs pressure/force); log cal_id, cal_ver, offset, gain.
• HVIL integrity: validate debounce and fail-safe; open HVIL must force safe states; log hvil_state, hvil_bounce_cnt, safe_action.

MPN examples (commissioning instrumentation / interfaces): TI ADS131M04 (multi-channel ADC), ADI ADXL357 (low-noise accelerometer), TI ISO7741 (digital isolator), NXP S32K3 family (automotive-grade MCU; rail suitability to be verified).

B) Sequencing validation (precharge / close / validate / open / discharge)

Objective: prove the HV switching chain executes deterministically and leaves no “partial energization” ambiguity.

• Precharge waveform: measure Vdc(t) ramp slope and monotonicity; verify timeout and minimum ramp; log precharge_start, vdc_rise_rate, precharge_timeout.
• Contactor timing: confirm coil drive edge, AUX feedback edge, and Vdc response align; log coil_cmd, aux_fb, close_time_ms.
• Discharge time constant: verify Vdc falls below threshold within expected time; log discharge_start, vdc_below_th_ms, bleed_ok.
• Weld detection: open command + no AUX open + Vdc not decaying = suspected weld; log weld_suspect, aux_mismatch_cnt, safe_lockout.

MPN examples (coil drive / sensing): TI DRV110 (solenoid/contactor driver), Infineon TLE9104SH (protected low-side switch), TI ISO1212 (industrial digital input receiver), TI AMC1311 (isolated amplifier for HV measurement chains).

C) IMD validation (known-leak injection + hysteresis proof)

Objective: prove the insulation monitoring decision is stable, repeatable, and resilient to interference—by using controlled leak injection and explicit hysteresis checks.

• Known leak injection: apply a calibrated leakage path (test fixture) and verify estimator convergence; log leak_est, leak_conf, inj_mode.
• Threshold & hysteresis confirmation: step leak across TH_UP and back below TH_DN; verify no oscillation; log hys_state, dwell_time, enter_cnt.
• False-trigger resilience: inject CM disturbance while holding leakage constant; verify confidence gating prevents escalation; log emc_gate, reason_code.

MPN examples (isolation + measurement front-ends): ADI ADuM141E (digital isolator), TI ISO224 (isolated analog measurement), TI AMC1100 (isolated amplifier), ADI LTC6363 (diff amp for sensing chains; isolation boundary still required).

D) Arc validation (stimulus/replay + basic confusion checks)

Objective: prove arcing is not confused with EMC bursts by validating sensor fusion behavior and recording a minimal “confusion” summary.

• Controlled stimulus / replay injection: replay stored waveforms (dv/dt, optical pulses, RF bursts) into the classifier input path where feasible; verify consistent classification; log arc_class, arc_conf, agree_score.
• Confusion checks (basic): run two labeled sets: “arc-like” vs “EMC-like”; report false positives/negatives at a fixed threshold; log fp_cnt, fn_cnt, threshold_set.
• Storm behavior: verify repetition-rate logic triggers lockout only when agreement holds; log storm_cnt, storm_window_ms, lockout_reason.

MPN examples (time alignment / fast capture building blocks): Microchip LAN7430 (Ethernet with IEEE-1588 timestamping), TI SN65HVD1781 (robust RS-485 transceiver), u-blox NEO-M9N (GNSS timing source where applicable).

E) EMC validation (disturbance injection with “no evidence gaps”)

Objective: inject disturbances and verify the subsystem remains safe, stable, and still produces complete evidence (no missing packets, no ambiguous commit states).

• ESD/surge injection: inject at roof harness entry points and structure-adjacent locations; verify no unsafe action and no silent resets; log reset_reason, packet_drop_cnt.
• CM burst validation: verify EMC gate reduces confidence rather than triggering false arc/IMD escalation; log emc_gate, arc_conf, leak_conf.
• Brownout survivability: pull controller supply below threshold; verify “commit log then safe drop/open” executes or fails safely with detectable status; log brownout_level, commit_status, last_safe_action.

MPN examples (protection / holdup / integrity): Littelfuse SM8S series TVS (high-power transient suppression; select exact voltage), TI TPS25982 (eFuse/hot-swap), Microchip ATECC608B (secure element for signatures / anti-tamper evidence).

Field debug triad (Symptom → 2 evidence checks → First fix)

Use the same triad for every case. It forces disciplined diagnosis and prevents “parameter guessing.”

Non-negotiable: field-driven tuning is allowed only when it is reproducible (evidence), reversible (rollback), and auditable (who/what/when/why).

• Evidence-driven
• Rollback
• Audit trail
• Staged rollout
• KPI

A) What can be updated (and what must never be “live tuned”)

• Allowed (governed updates): IMD thresholds/hysteresis parameters; arc classifier thresholds; feature gates; debounce/dwell windows; EMC gating parameters.
• Never live tuned: fail-safe default states; hard interlock logic; evidence packet integrity rules; minimum pre/post trigger windows for black-box recording.

Design rule: any parameter that changes safety outcome requires sign-off + staged rollout + rollback.

B) Update workflow (evidence → change proposal → validation → rollout)

• Field evidence intake: every candidate update must reference real evidence packets (H2-9) and the exact failure mode (false trip vs missed event).
• Change proposal: define parameter diffs (old/new), expected KPI impact, and safety impact classification.
• Validation gate: rerun the validation playbook items that cover the changed behavior (H2-11), including “no evidence gaps” under disturbance.
• Rollout: depot rollout in stages (pilot fleet → expanded fleet), with an explicit rollback trigger and rollback package.

C) Parameter governance (versioning, sign-off, rollout policy)

• Config versioning: every parameter set has config_id, threshold_set, estimator_ver, classifier_ver, and a monotonic release number.
• Sign-off: record approver(s), rationale, linked evidence packets, and validation report IDs. No anonymous edits.
• Staged rollout: apply a canary strategy and an A/B policy only when the safety case allows it (A/B never changes fail-safe states).
• Rollback: a rollback must be a first-class artifact: previous config package, compatibility notes, and rollback KPI thresholds.

MPN examples (integrity / governance building blocks): Microchip ATECC608B (signed config / anti-tamper), ST STSAFE-A110 (secure element alternative), Infineon OPTIGA™ Trust family (platform-specific fit to be verified).

D) Drift tracking (separating environment vs true fault)

• Sensor drift: track long-term offset/gain drift using “known stable” phases (e.g., parked/maintenance) and compare against calibration metadata.
• Mechanical wear: correlate contact quality issues with wear indicators (position/force patterns) while keeping IMD/arc signals separate.
• Environment cycles: detect humidity/rain cycles that raise EMI-like artifacts; require sensor-fusion agreement (H2-8) before escalating.

Drift evidence fields: drift_ppm, offset_trend, gain_trend, wear_index, env_tag, confidence.

E) KPIs that drive updates (must be measurable from evidence)

• False trip rate: number of protective actions later classified as non-fault, normalized by operating hours.
• Missed event rate: confirmed field faults with no corresponding event detection or incorrect class.
• Evidence completeness rate: percent of events that produce a complete evidence packet (header+context+buffers+versions+signature+commit status).

Release gates: do not roll forward unless KPI improves without degrading evidence completeness.

Use this rule in the field: do not change parameters until two independent evidence checks agree (e.g., waveform + state log). If a protective action occurs, confirm an evidence packet exists (H2-9).