Use Case & Threat Model for Locks/Tags
This page exists to cover a very narrow but very common situation in BMS-based products: electronic locks, warehouse/vehicle tags, magnetic or tamper-protected enclosures that spend >90% of their life in sleep, but must still wake exactly once, open once, and leave a log even when the main battery is empty. We keep this topic inside the charging domain and model it as a tiny backup branch, not as a full “restart the whole system” sequence.
The hard part is not the energy for one actuation — it is keeping a small amount of energy available after long storage or deep discharge, powering an always-armed trigger without draining the pack, and reporting the event to the upper BMS/cloud layer in a format the rest of the charging pages already use.
We explicitly do not cover 12 V automotive cold-crank, starter-motor sizing, HV power distribution, or vehicle-level VCU tamper handling. We also do not cover “always-on camera/telematics” keep-alive rails. This chapter is only for locks / tags / tamper boxes that need a limited, guaranteed action window.
Typical scenarios
1) Passive door / locker lock — actuate for a few seconds, provide enough current to move a latch or motor, then go back to sleep.
2) Asset tag in vehicle — wake once when door is opened or when someone triggers the tag, then upload “door opened by XXX / at XXX”, consuming as little energy as possible.
3) Anti-tamper enclosure — if the enclosure is lifted, opened or the magnetic seal is broken, it must log the event and, if energy allows, drive a small load (LED, buzzer, radio burst).
Failure / threat model
Main battery deeply discharged → user arrives → lock cannot be opened. This is the most expensive failure because it looks like “product dead on arrival”.
Repeated cold-start triggers → backup depleted. An attacker or an operator can keep knocking on the trigger and empty the tiny cell/supercap, so later we will limit the action window and add counters.
Long shipping / sea freight → backup self-drains → customer cannot open on first use. This is why later we will add a “shipping-recharge routine” in the BOM/validation chapter.
Design goals for this page
- Always-armed trigger (< 5 µA): trigger sources (mechanical, magnetic, tamper) must live in an ultra-low-leakage domain.
- Limited, guaranteed action window (3–5 s @ defined current): once armed, the system shall provide enough power to complete the lock/tag action, but not indefinitely.
- Logged and mappable (who / when / trigger-type): every cold-start event must be turned into a structured telemetry item so cloud/gateway can digest it together with charger/gauging events.
Backup Energy Source & Charging Path (Tiny Cell / Supercap)
Now that we know why the page exists, we turn the idea into hardware: we pull a small, current-limited, reportable branch from the main charging domain to feed a tiny Li-ion cell or 1–2 supercaps. This branch must not overload the main charger, must still have NTC/JEITA even if the pack is tiny, and must expose status pins so the logger/cloud can tell whether the backup is actually ready for the next cold-start.
We do not discuss 2S–6S balancing controller design here, we do not discuss USB-PD negotiated backup, and we do not push fast-charging currents. This page is about 50–200 mA, current-limited, low-leakage, high-visibility branches.
Energy source selection
Actuator-level locks (3–5 s, ≤ 500 mA): use a tiny single-cell Li-ion/Li-poly so the branch can supply a stable, bounded current.
MCU + logging only: a supercap or hybrid cap is enough, but you must control self-discharge and storage.
MCU + logging + 1–2 sensors: still use Li-ion, but add a low-Iq LDO so the always-on part doesn’t drain the backup cell.
Electrical requirements of the backup branch
- Current-limited: typically 50–200 mA from the main charging domain.
- NTC / JEITA even for tiny packs: small batteries warm up fast, so we still gate charge by temperature.
- Reverse blocking to main VBAT: backup must never feed back into the main pack.
- Status pins: CHG_STAT / FAULT / THERM (or brand equivalent) must go to MCU/logger.
Low-leakage & shipping mode
Keep the branch’s quiescent current < 2–3 µA. For long-distance shipping or warehouse storage, enable a shipping mode that disables the backup branch entirely, and run a “cold-start recharge routine” on first power-up in the field.
Seven-brand mapping (TI, ST, NXP, Renesas, onsemi, Microchip, Melexis)
TI: tiny single-cell charger with TS pin → report charge state to MCU.
ST: linear single-cell with thermal/NTC support for small packs.
NXP / Renesas: MCU ADC reads NTC, load switch or current-limited switch acts as the charging limiter.
onsemi: automotive-focused, low-Iq, good for harsh temperature storage.
Microchip: MCU-led logging plus a small charger makes it easy for low-volume builds.
Melexis: keep it in the mix when the design already uses Melexis magnetic or hall triggers, so the charging/logging schema stays coherent.
BOM remark (must have): “Backup branch must be current-limited (50–200 mA typ.) and expose charging state. Do not approve ICs without NTC / JEITA even for tiny backup cells. Cross-brand alternatives restricted to TI / ST / NXP / Renesas / onsemi / Microchip / Melexis; update cloud telemetry mapping after replacement.”
Trigger Layer (Mechanical / Magnetic / Tamper) with Ultra-Low IQ
The trigger layer keeps the cold-start system always armed while consuming only a few microamps. It listens to three typical inputs — a mechanical key/switch, a magnetic/reed/hall event, and a tamper/opening switch — and turns them into two outputs: “wake the backup power path” and “send trigger type to the logger”. This layer lives in its own low-leakage domain so it can operate even when the main system is down.
We do not cover high-frequency RFID access, door-control business logic, or Bluetooth/NFC pairing wake-ups. Those belong to higher layers. Here we only describe the minimal, always-on, ultra-low-IQ trigger front-end for cold-start backup.
Always-on power domain for triggers
Power the three trigger inputs from a dedicated low-IQ LDO (1.8–3.3 V). This rail shares ground with the backup cell/supercap, but it may power up earlier than the main system. Keeping this domain separate prevents the trigger from disappearing when the main BMS is off.
Target quiescent current: < 5 µA for the whole trigger front-end (sensing + debounce + pull-ups).
Debounce, hysteresis and classification
Mechanical switch: must use hardware and/or firmware debounce so a single physical key turn does not become multiple cold-start attempts.
Magnetic / reed / hall: must have threshold + hysteresis to ignore slow door movements or thermal drift around the magnetic sensor.
Tamper switch: always log, even if there is not enough backup energy to actuate. Tamper is a higher-priority event.
Trigger-to-power constraints
Trigger ≠ full power-on. After a valid trigger, the system should first ask the backup controller if there is enough energy and if the temperature/JEITA conditions are okay. Only then do we enable the emergency power path.
If repeated triggers arrive too quickly (e.g. someone waves a magnet on the sensor), apply a cooldown counter to protect the tiny backup source.
BOM remark: “Trigger sources shall be powered from an always-on low-leakage domain (< 5 µA). Do not bypass the power-gate even for mechanical triggers. Tamper triggers shall be logged even when actuation fails.”
Emergency Power Path (3–5 s Action Window)
After a valid trigger, the system must supply power to the lock, tag MCU or actuator for only a few seconds. This power must come from the tiny backup cell/supercap, pass through a current-limited, time-limited gate, and stay separate from the main charger FET to avoid cross-page conflicts. We also need to measure if the action succeeded and log failures.
We do not describe long-duration backup (> 30 min), multi-channel outputs or PoE/Ethernet-style backup. This section is strictly about “give me enough energy to open once, then stop”.
Path elements
The path starts from Backup Cell / Supercap, goes through a current-limited gate / load switch / PFET driver, and ends at the Door Lock / Tag MCU / Actuator. The enable pin of the gate comes from the trigger layer in Chapter 3.
Current limiting
Actuators often have a high inrush. Limiting the current prevents the backup source from collapsing. The current limit must be written into the BOM so purchasing can compare parts when cross-brand alternatives are used.
Time limiting (3–5 s)
Keep the emergency path enabled only for 3–5 seconds. Use a timer (MCU-based if available, otherwise a small analog one-shot). After the time window expires, cut the path and log “forced off by timer”.
Failure feedback and blocking
If the output voltage drops below a set threshold during the window, log the event (undervoltage / overcurrent / timeout) and block immediate retries. This protects the tiny backup energy source and prevents someone from draining it by repeated triggers.
Isolation from main system
When the main VBAT returns to a healthy level, the system should stop using the emergency path and return to the normal power path. This emergency branch is subordinate to the main power domain and must not reuse the main charger FET.
BOM remark: “Emergency power path shall be separated from the main charger FET. It shall be current-limited and time-limited (3–5 s) and shall log undervoltage/overcurrent events. Ilimit and Twindow must be specified for cross-brand replacement.”
Event Logging & Cloud-Side Telemetry Mapper
Each cold-start attempt must be recorded: when it happened, which trigger caused it, whether the emergency action succeeded, and how much backup energy was available before/after. This event must then be normalized to the same charging-domain schema that already holds charging state, JEITA zone and fault codes, so cloud/gateway dashboards can show both normal charging and cold-start branches together.
When a cross-brand alternative charger is used (e.g. TI → ST, or onsemi → Microchip), payload field names and fault naming may change. In that case, the cloud-side telemetry mapper must be updated from this page, not from business logic or UI.
Local event logger (MCU / FRAM)
Local storage can be as simple as MCU flash or FRAM. It must buffer events when the device is offline. A minimal cold-start record should contain:
- event_type: "cold_start"
- trigger_source: mechanical | magnetic | tamper
- backup_soc_before / backup_soc_after
- action_result: success | fail | low_energy | timeout | uv
- charger_brand_id: TI | ST | NXP | Renesas | onsemi | Microchip | Melexis
- charger_payload_version: "v1" / "ti-bq-v2" / "st-linear-v1"
Even if the action fails (for example, emergency power was cut by the timer), the event must still be logged.
Upload & buffering strategy
If a main supply and uplink are available, upload immediately. If not, buffer locally and upload on the next session. The edge device must support buffered upload for temporary disconnection.
Unifying with charging-domain telemetry
Cold-start events must be normalized under the charging-domain telemetry schema so that:
1) the same dashboard can show charging and emergency actions,
2) JEITA zone and faults coming from the charger are preserved,
3) pack-level safety rules can be evaluated with both normal and emergency activity.
Cross-brand mapping maintenance
Different chargers name and expose temperature/fault data differently (for example, TI might expose NTC/TS faults, ST might flag thermal suspend, onsemi might flag automotive-grade warnings). Therefore: “Cloud-side telemetry mapping must be updated whenever a cross-brand charger alternative is introduced.”
Safety, NTC / JEITA & Abuse Limits for Tiny Backup Packs
Even a very small backup cell or supercap must be temperature-aware. Small energy sources have low thermal mass, are usually enclosed, and may be triggered repeatedly. Therefore they can heat up faster than the main pack. A simplified JEITA profile (2–3 bands) is still required, and emergency power must honor it.
Repeated triggers are a form of abuse. The system must detect fast temperature rise or too many cold-starts in a short interval and then block further actuation, while still logging the events.
NTC placement
Place the NTC next to the backup cell/supercap, not on the main board environment sensor. This NTC belongs to the backup branch, not to the main charging path. It must reflect the real temperature of the small energy source.
Simplified JEITA bands
Tiny packs can use 2–3 bands:
• Too cold / too hot: log only, do not actuate
• Normal: charge + emergency action allowed
• Derate: charge slowly, emergency action only if trigger is tamper/critical
Devices that only support fixed-temperature charging must NOT replace NTC / JEITA-enabled parts.
Do not approve ICs without reporting capability.
Abuse / repeated trigger protection
If temperature rises too fast within N triggers, or if the backup branch is outside its JEITA band, only logging is allowed and the emergency power path must stay disabled. Tamper events are still logged even when actuation is blocked.
Emergency power controller shall honor JEITA state from the backup charger.
BOM warnings (must stay on page):
“Devices that only support fixed-temperature charging must NOT replace NTC / JEITA-enabled parts.”
“Do not approve ICs without reporting capability.”
“Repeated cold-start attempts in a short time window shall be blocked when backup temperature rises.”
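The gating rules from the trigger, emergency-path and abuse sections, combined into one decision function. This is an added example, not code from the original page; the type names, the thresholds (3 triggers per 60 s, 20 % SoC, 3.0 °C rise) and the log counter are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and thresholds; the page fixes none of these values. */
typedef enum { TRIG_MECHANICAL, TRIG_MAGNETIC, TRIG_TAMPER } trigger_t;
typedef enum { JEITA_OUT_OF_RANGE, JEITA_NORMAL, JEITA_DERATE } jeita_t;
typedef enum { GATE_ACTUATE, GATE_LOG_JEITA, GATE_LOG_ABUSE,
               GATE_LOG_LOW_ENERGY } gate_t;

#define MAX_TRIGGERS 3   /* triggers tolerated per sliding window        */
#define WINDOW_S     60u /* window length in seconds                     */
#define MIN_SOC_PCT  20u /* backup SoC needed for one 3-5 s actuation    */
#define MAX_RISE_DC  30  /* allowed NTC rise inside the window, 0.1 degC */

typedef struct { uint32_t t_s; int16_t temp_dc; } sample_t;
typedef struct {
    sample_t h[MAX_TRIGGERS]; /* recent triggers: time + backup NTC reading */
    uint8_t  n;               /* valid history entries                      */
    uint32_t logged;          /* stand-in for the FRAM/flash event log      */
} guard_t;

/* Decide whether the emergency power gate may be enabled for this trigger.
 * Every call is logged, whatever the decision. now_s must be monotonic. */
gate_t cold_start_gate(guard_t *g, trigger_t trig, jeita_t zone,
                       uint8_t soc_pct, int16_t temp_dc, uint32_t now_s)
{
    uint8_t keep = 0;
    for (uint8_t i = 0; i < g->n; i++)          /* expire old history */
        if (now_s - g->h[i].t_s < WINDOW_S) g->h[keep++] = g->h[i];
    g->n = keep;

    gate_t d = GATE_ACTUATE;
    if (zone == JEITA_OUT_OF_RANGE ||
        (zone == JEITA_DERATE && trig != TRIG_TAMPER))
        d = GATE_LOG_JEITA;                     /* temperature band wins   */
    else if (g->n >= MAX_TRIGGERS)
        d = GATE_LOG_ABUSE;                     /* too many triggers       */
    else if (g->n > 0 && temp_dc - g->h[0].temp_dc > MAX_RISE_DC)
        d = GATE_LOG_ABUSE;                     /* backup heating too fast */
    else if (soc_pct < MIN_SOC_PCT)
        d = GATE_LOG_LOW_ENERGY;

    if (g->n == MAX_TRIGGERS) {                 /* drop the oldest entry   */
        g->n--;
        memmove(g->h, g->h + 1, g->n * sizeof g->h[0]);
    }
    g->h[g->n++] = (sample_t){ now_s, temp_dc }; /* blocked triggers count too */
    g->logged++;                                 /* log even when blocked   */
    return d;
}

int main(void)
{
    guard_t g = {0};
    /* Constructed sequence: a magnet waved at the sensor every 10 s. */
    for (uint32_t t = 0; t <= 40; t += 10)
        printf("t=%2us decision=%d\n", (unsigned)t,
               cold_start_gate(&g, TRIG_MAGNETIC, JEITA_NORMAL, 80, 250, t));
    return 0;
}
```

Because blocked triggers also enter the history, continuous triggering keeps the gate in log-only mode until the input has been quiet for a full window; tune the window against how long a legitimate user can be kept waiting.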
Small-Batch Procurement & Cross-Brand Alternatives (7 brands only)
This section is for small-quantity buyers when the selected tiny backup charger — small current, with NTC/THERM, and with status pins — is not available. You may replace it, but only inside TI / ST / NXP / Renesas / onsemi / Microchip / Melexis, and every time you replace it, you must update the cloud telemetry mapper defined in the previous chapter.
Do not downgrade to a part without NTC/JEITA just for lead time. Do not switch to an unrelated USB-C/PD charger in this branch.
Three replacement paths
1) A → A (same brand, pin-/feature-near): stay in the same family, keep TS/THERM and STAT/FAULT.
2) A → B (cross-brand, same role): switch to another brand’s single-cell / low-IQ charger and remap the payload.
3) A → A (different feature): same brand but choose the one that exposes INT/STAT/FAULT so logger can record more details.
TI (Texas Instruments)
Single-cell, tiny current, TS/STAT available.
• BQ21040
• BQ25100 / BQ25101
• BQ24040 / BQ24072 / BQ24075 (with TS)
• BQ24210 / BQ24232 (power-path style, log-friendly)
STMicroelectronics
Linear Li-Ion chargers with thermal supervision.
• STBC02, STBC03
• STBC08, STBC15
• L6924D (1-cell Li-Ion, widely used)
NXP
Single-cell linear chargers, easy to map.
• MC34671
• MC34673
• MC34674
Renesas / Intersil
Clear temperature / fault reporting.
• ISL9205 / ISL9205A
• ISL6292A
• ISL6294A
onsemi
Automotive-friendly, low-IQ, with thermal flags.
• NCP1852 / NCP1854 / NCP1855
• FAN54015
Microchip
With THERM and STAT, good for logging.
• MCP73833 / MCP73834
• MCP73871 (USB + battery + STAT)
• Note: MCP73831/32 often lack NTC → do not down-grade.
Melexis
Used here for magnetic/tamper co-design.
• MLX90248 / MLX90393 (magnetic)
• MLX81113 / MLX81115 (LIN, body)
Keep the actual charger from one of the other six brands.
BOM remark: “Cold-start backup charger must expose charging state and backup SoC to the logger. Cross-brand alternatives are restricted to TI / ST / NXP / Renesas / onsemi / Microchip / Melexis; update telemetry mapping.”
BOM remark: “Do NOT approve replacement parts without NTC / JEITA just for lead time.”
BOM Remarks, Validation Matrix & Shipping-Recharge Routine
This chapter consolidates all the must-appear BOM sentences, the minimum validation items, and the post-shipping recharge routine, so the purchasing team can copy/paste and the test team can run the exact same checks.
BOM remarks (copy as-is)
- Cold-start backup charger must expose charging state and backup SoC to the logger.
- Magnetic / mechanical triggers must be powered from an always-on, low-leakage domain (< 5 µA).
- Do NOT approve chargers without NTC / JEITA, even for tiny backup cells.
- After long shipment storage, run cold-start recharge routine before handover.
- Cross-brand alternatives restricted to TI / ST / NXP / Renesas / onsemi / Microchip / Melexis; update cloud telemetry mapping when changed.
Validation matrix (descriptive)
- 72 h storage @ 25 °C: After storage, run cold-start. Must succeed and must log event.
- 0 °C actuation: Backup path must support actuator inrush at low temperature.
- 40 °C, 5× repeated trigger: JEITA derate / disable must be honored; still log all attempts.
- Main battery empty: Cold-start backup must still log to local buffer.
Shipping-recharge routine
1) Power up the unit on arrival.
2) Read backup SoC / cell voltage.
3) If below threshold (e.g. < 3.6 V or < 40%), start a limited, NTC-protected recharge using the tiny backup charging path.
4) When recharge is done, write log “post-shipping recharge done” and allow normal operation.
Frequently Asked Questions
Only questions for this branch: cold-start backup, triggers, emergency power, tiny-cell charging, and cloud logging.
How do I recharge a tiny backup cell/supercap from the main charger without overloading it?
You recharge the tiny backup source through a current-limited branch taken from the main charger. Keep the branch at 50–200 mA, keep reverse blocking so VBAT cannot back-feed, and keep the TS/THERM line active. The charger must raise a status flag so the logger knows the refill succeeded.
Can I use the same NTC for both the main battery and the cold-start backup source?
No. The main pack and the cold-start backup often see different temperatures and thermal inertia. Put a dedicated NTC right next to the tiny cell or supercap and just route its reading to the MCU/AFE. You can share the ADC and reporting logic, but do not share the physical sensor.
What is the minimum backup energy to guarantee one door-lock actuation?
Minimum energy depends on actuator current and the 3–5 second action window. Size for the worst-case pull-in at low temperature, then verify that voltage does not collapse below the MCU or driver threshold. Always log success or failure so borderline units can be spotted and serviced earlier.
How can I log which trigger actually woke the device?
Put the mechanical, magnetic and tamper inputs in an always-on, ultra-low-IQ sensing block. On each wake, attach a trigger_type field to the cold_start event, for example mechanical, magnetic or tamper. Write the event even if the actuator failed, so the cloud can see what woke it.
How do I stop repeated cold-start attempts from draining the backup?
Add an abuse counter and a temperature gate in the emergency power controller. Allow only a few cold-starts per time window while temperature is normal. If the backup source heats up or the count is exceeded, switch to log-only mode. This keeps the tiny cell from being drained by repeats.
Can I use an external USB-C revive source to refill the backup after storage?
Yes, but feed it through the same limited, JEITA-aware path you use in normal operation, not directly into the backup cell. External USB-C just becomes another input source. After the refill, write a “post-shipping recharge done” event, so the fleet can tell the unit was revived after storage.
Which JEITA zones still make sense for very small backup cells?
For very small backup cells, 2–3 JEITA bands are enough: too-cold/too-hot → log only; normal → charge and actuation allowed; warm-but-safe → charge derated, actuation only if tamper is critical. Do not replace JEITA-enabled parts with fixed-temperature chargers, or the mapper will lose safety context.
How do I test cold-start after long shipment or warehouse storage?
Power up the device, read backup SoC or cell voltage, and if it is below the project threshold start a limited recharge until the tiny cell is healthy. Then run one cold-start actuation and confirm the event is logged. This reproduces the long-storage scenario seen in shipping or warehouse conditions.
Which load-switch topology is safer for emergency power?
Use a dedicated, current-limited load switch or PFET gate that is separate from the main charging FET. It should be enabled by the trigger logic, time-limited to about 3–5 seconds, and able to detect excessive voltage drop. On a failed action, it must still write the event to the logger.
How do I write a BOM remark so purchasing won’t swap in a non-reporting charger?
Add a BOM line such as: “Cold-start backup charger must expose charging state and backup SoC to the logger. Do not approve fixed-temperature or non-reporting parts. Cross-brand alternatives are limited to TI, ST, NXP, Renesas, onsemi, Microchip, Melexis and require cloud-mapper update.” This blocks silent substitutions.
Can I mix magnetic and mechanical triggers on the same always-on rail?
Yes. Power both trigger types from the same always-on, low-leakage domain under 5 µA. Debounce the mechanical input, use hysteresis for the magnetic input, and encode the source into trigger_type before logging. Mixed triggers must never bypass the tiny backup temperature or abuse protections.
How do I map cold-start events into my existing cloud telemetry schema?
Treat cold-start as another charging-domain event. Build an event with event_type = "cold_start", add trigger_source, backup_soc_before/after, action_result, and the charger_brand_id or charger_payload_version. The cloud mapper then normalizes brand-specific fields. Whenever purchasing swaps a charger, update only this mapping layer.