What & Why
Service discharge safely lowers pack energy for shipping, storage, RMA and bench work. The process must stay inside temperature/health limits, interlock with the charger to prevent back-charge, and leave a signed audit log (timestamp, trigger, SoC/Vcell, T_peak, SOH, energy removed).
Logistics & handling
Air/sea shipping often targets ~25–35% SoC. Warehousing adds self-discharge and ambient swings, so a provable safe-down is required.
Safety envelope
Temperature bands and SOH gate current and time. Any out-of-envelope reading pauses/aborts with a recorded reason.
Charger interlock
VIN present (USB-C/adapter) suspends discharge to avoid back-charge; resume only when VSYS is isolated or policy allows hybrid sink.
Targets & Envelopes
Use a conservative SoC window and per-cell voltage guardrails, then apply temperature bands and SOH gating to shape current and duration. Any conflict is resolved by the stricter limit; never over-discharge a weak cell to hit a numeric SoC target.
SoC & Vcell
Default SoC target 25–35% (shipping). Keep Vcell ≥ 3.50 V (NMC placeholder). If a cell lags, reduce current or stop.
Temperature bands
<0°C: forbid; 0–10°C: derate; 10–45°C: normal; 45–55°C: strong derate; >55°C: abort. Monitor dT/dt to avoid slow-cook.
SOH gating
SOH ≥ 70–80%: normal profile; below threshold use small-current/short-time or skip with a logged reason.
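An added sketch (not from the original page or any vendor firmware) of how the Vcell, temperature-band and SOH rules above, plus the VIN interlock, can be arbitrated so that the stricter limit wins. The derating factors, the 75% SOH threshold, the dT/dt limit, the `already_derated` flag and every reason string other than `T_zone` and `T_high_rate` are assumptions.

```python
from dataclasses import dataclass

# Page value: the 3.50 V NMC placeholder.
VCELL_MIN_V = 3.50
# Assumed values (the page gives bands and ranges, not numbers):
DERATE, STRONG_DERATE, WEAK_SOH = 0.5, 0.25, 0.3  # fraction of nominal current
SOH_NORMAL_PCT = 75.0      # a point inside the page's 70-80% threshold
DTDT_MAX_C_PER_MIN = 1.0   # rate limit for the dT/dt check
RANK = {"run": 0, "derate": 1, "pause": 2, "abort": 3}

@dataclass
class Sample:
    temp_c: float
    dtdt_c_per_min: float
    soh_pct: float
    vcell_min_v: float
    vin_present: bool = False
    already_derated: bool = False  # hypothetical flag: current was already reduced

def gate(s: Sample):
    """Return (action, current_scale, reason) for one sample; strictest wins."""
    found = [("run", 1.0, "ok")]
    # The shared band edges (10 and 45 degC) are assigned to the stricter band.
    if s.temp_c < 0 or s.temp_c > 55:
        found.append(("abort", 0.0, "T_zone"))
    elif s.temp_c <= 10:
        found.append(("derate", DERATE, "T_zone"))
    elif s.temp_c >= 45:
        found.append(("derate", STRONG_DERATE, "T_zone"))
    if s.dtdt_c_per_min > DTDT_MAX_C_PER_MIN:
        found.append(("pause", 0.0, "T_high_rate"))
    if s.soh_pct < SOH_NORMAL_PCT:
        found.append(("derate", WEAK_SOH, "soh_low"))
    if s.vcell_min_v < VCELL_MIN_V:
        # Lagging cell: reduce current first, stop if it is still under the floor.
        found.append(("abort", 0.0, "vcell_min") if s.already_derated
                     else ("derate", STRONG_DERATE, "vcell_min"))
    if s.vin_present:
        found.append(("pause", 0.0, "vin_present"))  # interlock against back-charge
    # Highest-ranked action wins; among equal actions the lowest current wins.
    return max(found, key=lambda d: (RANK[d[0]], -d[1]))
```

Every returned tuple is what a log entry would record as the action and reason for that sample.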
Triggers
Define who can start service discharge, under which safety preconditions, and how the system interlocks to prevent back-charge. Every trigger must be traceable and logged with actor, station, policy snapshot, and state transitions.
Station command
Highest priority. Requires station ID, operator ID, work order. Works offline with queued upload.
Shipping preset
SOP before in/outbound. Comes with SoC target and temperature band policy.
RMA / warehouse
Batch scheduler throttles concurrency to avoid thermal peaks; logs batch ID and serial range.
Cloud command
Requires authenticated API and device online check; includes VIN interlock policy, retry and timeout.
Physical button
Low priority. Long-press + confirm; still gated by T/SOH and may be locked by station/cloud.
Discharge Paths
Choose between internal (MOS linear / resistor bank) and external (electronic load / dummy load) paths by power budget, thermal limits, measurement accuracy and compliance. Interlock with VIN and record signed logs for audit.
Internal — MOS linear
Smooth control; check FET SOA and PCB thermal vias; monitor dT/dt. Efficiency low, heat stays inside.
Internal — resistor bank
Predictable heat and easy sharing. Use coarse+fine steps, debounce switching, add thermal cutoff.
External — e-load
Precise control and logging, ideal for stations; ensure safe terminals and CM noise handling.
External — dummy load
Low cost, heat off-device; require rated connectors, reverse-current protection and safety SOP.
Control Law
Choose a measurable current trajectory with temperature/health gates and VIN interlock. Prefer simple constant-current at low power; use stepped or segmented profiles when thermal limits or SOH constraints tighten. Always log policy, states and outcomes for audit.
Constant current (CC)
Low power and stable ambient. Simple model, but watch dT/dt spikes on aged packs.
Stepped current
Drop current at SoC/time/ΔT events. Balances speed vs peak temperature.
Segmented + cool-pause
For hot ambient or weak SOH. Force cooldown windows between segments.
JEITA bands
<0°C: forbid · 0–10°C: derate · 10–45°C: normal · 45–55°C: strong derate · >55°C: abort.
Retry & exit
Pause on VIN/T-high/fault; limit retries; exit on timeout or ineffective progress.
Power-Path Coordination
Coordinate with charger and power-path so service discharge never back-charges the pack. Detect VIN, choose a strategy (suspend, isolate, or optional hybrid sink), and sequence VSYS/BAT switching with debounced USB-C role changes. Log every state transition.
Strategies
Suspend the charge path or isolate VSYS↔BAT; allow hybrid sink only with strict audit and with externally supplied energy excluded from metering.
Topology
Ideal-diode OR-ing and back-to-back FETs block reverse current. Add reverse-current protection on USB side.
USB-C roles
Prefer sink-only during discharge. Disable OTG. Debounce role changes to avoid flapping states.
Compliance Logging
Turn service discharge into auditable evidence: who triggered it, which envelope was enforced, what trajectory ran, which interlocks fired, and the final outcome. Logs must be signed, tamper-evident, and survivable under network loss.
Minimum required fields
Identity (device/serial/fw), trigger (source/actor/station), envelope (SoC/Vcell/SOH/T), trajectory, VIN & path states, events, energy_removed_Wh, durations.
Signing & tamper-evidence
Canonical JSON + prev_hash + device key → signature; server re-signs on ingest; record clock skew.
Upload & offline buffering
Append-only queue with retry/backoff; idempotent log_id; gzip + optional field encryption; pause jobs if near queue limit.
Audit & visualization
State machine timeline; I/SoC/T curves colored by JEITA; VIN events; recompute policy_hash and verify chain continuity.
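An added example (not code from the original page or from any vendor) of the scheme above: canonical JSON, `prev_hash` linkage, a keyed signature, and the audit-side check for chain continuity and monotonic `log_id`. HMAC-SHA256 with a constructed key stands in for the device signature; the all-zero genesis `prev_hash`, the `hash` and `sig` field names and the problem labels are assumptions, and server re-signing and clock skew are left out.

```python
import hashlib, hmac, json

DEVICE_KEY = b"constructed-demo-key"  # constructed; stands in for the per-device key
GENESIS = "0" * 64                    # assumed prev_hash of the first record

def canonical(rec):
    # Simplified canonical JSON: sorted keys, no extra whitespace, UTF-8.
    return json.dumps(rec, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def _sign(digest_hex, key):
    # HMAC-SHA256 stands in for the device signature (assumption).
    return hmac.new(key, bytes.fromhex(digest_hex), hashlib.sha256).hexdigest()

def append_record(chain, fields, key=DEVICE_KEY):
    """Append a record linked to its predecessor; log_id increases by one."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = dict(fields, log_id=len(chain) + 1, prev_hash=prev)
    digest = hashlib.sha256(canonical(body)).hexdigest()
    chain.append(dict(body, hash=digest, sig=_sign(digest, key)))
    return chain[-1]

def verify_chain(chain, key=DEVICE_KEY):
    """Return [(index, problem), ...]; an empty list means the chain is intact."""
    problems, prev, last_id = [], GENESIS, 0
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        if digest != rec.get("hash"):
            problems.append((i, "content_modified"))
        if not hmac.compare_digest(_sign(digest, key), str(rec.get("sig", ""))):
            problems.append((i, "bad_signature"))
        if rec.get("prev_hash") != prev:
            problems.append((i, "chain_break"))  # gap, reorder or upstream edit
        if rec.get("log_id", 0) <= last_id:
            problems.append((i, "log_id_not_monotonic"))  # replay or duplicate
        prev, last_id = digest, rec.get("log_id", 0)
    return problems

def sample_chain():
    # Constructed records; device_id, trigger_source and energy_removed_Wh
    # are field names from this page, the values are made up.
    chain = []
    for event, wh in (("start", 0.0), ("pause", 1.8), ("exit", 4.2)):
        append_record(chain, {"device_id": "DEV-EXAMPLE", "trigger_source": "station",
                              "event": event, "energy_removed_Wh": wh})
    return chain
```

Editing one record is reported at that record and again as a `chain_break` at its successor, because each link is checked against the recomputed digest rather than the stored one.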
Validation
Prove the control law and interlocks over temperature, SOH, discharge path, and VIN events. Include repeatability, metering cross-checks, and edge cases like USB-C external power and shallow-charge remnants.
Bench & probes
Programmable VIN/USB-C, e-load/fixtures, thermal chamber, external watt-hour meter, Kelvin taps, synchronized clocks.
Matrix
T: 0/10/25/45/55°C · SOH: 80/70% · Trajectory: CC/Step/Segmented · Path: internal/external · VIN events.
Edge cases
USB-C insert during discharge; role flapping; shallow-charge remnant with voltage rebound window.
Acceptance criteria
No back-charge, no T or dT/dt violations, metering error ≤ target, full log completeness, success or justified exit.
Small-Batch Procurement Hooks
Lock safety behavior in the BOM. Cross-brand swaps are allowed only among the seven vendors listed below and must update the cloud telemetry mapping. Prefer parts exposing VIN/path states, JEITA/NTC gates, and sink-only USB-C control.
BOM remark (copy-ready)
NTC-driven derating is REQUIRED. Charger/Power-Path must expose VIN_PRESENT, path_state, no_backcharge. USB-C sink-only, OTG disabled, role debounce ≥200 ms. VSYS↔BAT requires ideal-diode/back-to-back FET (reverse current ≤X mA). External meter error ≤Y%.
Cross-brand policy
Alternatives limited to TI / ST / NXP / Renesas / onsemi / Microchip / Melexis. Before release, update cloud mapping for: charging_state, jeita_zone, path_state, diode_status, otg_state, metering units and SOH basis.
| Brand | Charger / Power-Path | Reverse / eFuse | Fuel-Gauge / AFE | USB-C Sink/PD | Temp / Current (redundant) |
|---|---|---|---|---|---|
| TI | BQ25713 · BQ25672 · BQ25895 | LM74700 · TPS25947 · TPS2663 | bq40z50-R2 · bq34z100-G1 · bq76952 | TPS25750 · TUSB422 | — |
| ST | STUSB4710/4500 (coordination) | STEF01 · STEF05 | STC3100 | STUSB4500 / 4710 | — |
| NXP | MC34673 (single-cell) | — (use MOSFET+B2B) | MC33771/MC33772 (AFE) | FUSB302 (CC) | — |
| Renesas | ISL9238A · RAA489204 | ISL6144 (OR/ideal-diode) | ISL94202 · ISL94208 | RAA489204 (PD-aware) | — |
| onsemi | — (coord. via FET + CC) | NIS5021 · NCP3902 | LC709203F | FUSB302 | — |
| Microchip | MCP73871 (lin+path) | MIC2545/2549 (power-switch) | MCP39xx (bench) · MCP9808 | UPD301C | MCP9808 (temp) |
| Melexis | — (sensor role) | — | — (uses AFE from others) | — | MLX91216/91221 (current) · MLX90632 (temp) |
Edge Cases
Define deterministic responses for fast temperature rise, marginal SOH, lagging cell voltage, and sensor/NTC faults. Log enumerated reasons and verify with redundant sensing where possible.
Fast ΔT/Δt
Pause → step-down or segmented; repeat violations → abort(T_high_rate). Pair with eFuse/limit and redundant temp.
SOH near limit
Only small, short segments. If ΔSoC/cycle < min → exit(ineffective). Use AFE/gauge SOH evidence.
Vcell_min lagging
Derate, then abort if still under threshold. Never over-discharge to hit a numeric SoC goal.
Sensor/NTC fault
Switch to the redundant temperature sensor or a conservative band; log sensor_fault; block OTG and back-charge risks.
Hooks by brand: TI (TPS25947 · LM74700 · bq40z50-R2 · bq76952) · ST (STUSB4500/4710 · STEF01/05 · STC3100) · NXP (MC33771/72 · MC34673 · FUSB302) · Renesas (RAA489204 · ISL6144 · ISL94208) · onsemi (NIS5021 · NCP3902 · LC709203F · FUSB302) · Microchip (MCP73871 · MIC2545/2549 · MCP9808 · UPD301C) · Melexis (MLX91216/91221 · MLX90632).
FAQ
Only questions within this page’s scope: triggers → control law → power-path interlocks → compliance logging → small-batch replacement hooks. No balancing, main pack FET strategy, or general charge tuning here.
Which triggers are valid for service discharge and how are they authenticated?
Valid triggers are station command, shipping mode, RMA/storage workflow, approved cloud command, and long-press hardware button. Each event must log trigger_source, actor_id/station_id, policy_hash, and a pre-sample of VIN_PRESENT. Buttons require debounce and long-press duration; cloud commands require signature verification and monotonic log_id to prevent replay.
How is the initial envelope (SoC/Vcell/SOH/T) verified before starting?
Read SoC_start, Vcell_min, SOH, and temperature after a rebound window if charge just ended. Below 0 °C or above policy limits, do not start; at SOH borderline, limit current or segment duration. Persist an envelope snapshot and reasons when start is refused to keep audit and procurement decisions aligned.
What prevents repeated or accidental re-triggers during processing?
Use an interlock window and a cool-down timer, deduplicate by log_id with idempotent intake, and require long-press thresholds for the button. Station commands must carry a batch/work-order, and cloud triggers must include a nonce. Log preempted_by if a higher-priority event cancels an ongoing discharge to aid traceability.
CC vs stepped vs segmented discharge — when should I choose each?
Use constant current for stable thermal headroom and predictable energy metrics. Choose stepped current when enclosure heating is moderate and you need quicker completion. Use segmented with rests when thermal coupling is strong or to improve metering consistency. Always record profile in trajectory=CC|Step|Segmented and energy evidence in energy_removed_Wh.
How does JEITA temperature zoning derate or pause discharge safely?
Apply zone-based limits: cool/cold zones reduce current; hot zone forces pause; forbidden areas abort. A rapid rise (high dT_dt) escalates to pause even inside nominal limits. Persist decisions as action=derate|pause|abort with reason=T_zone|T_high_rate and resume only after temperature re-enters the safe window for a stabilization period.
What is the rule to exit or retry after a pause without harming cells?
After pause, require the metric that caused it to remain in the safe band for a defined dwell time, then resume at reduced current. Limit retries to a small count; if ΔSoC per attempt is below minimum benefit, exit as ineffective. Log each decision with a timestamped state-machine transition for audits.
How do we avoid back-charge when VIN appears mid-discharge (e.g., USB-C)?
Immediately pause, then command power-path suspend/isolate. Enforce sink-only role, disable OTG, and verify VSYS <= VBAT+Δ before resuming. Hardware should include ideal-diode or back-to-back FET. Persist vin_event, path_state, and no_backcharge=true. If the check fails, abort with reason backcharge_risk and provide a service hint.
Can OTG ever be enabled during service discharge or safe-down?
No. During service discharge, OTG is always disabled to avoid unintended sourcing and backfeed. Apply role debounce ≥200 ms to filter flapping. Record otg_state=false and role=sink in the log. If OTG is requested by external software, reject it and add a denial entry with the current safety envelope snapshot.
Internal vs external discharge path — how should I choose under thermal limits?
Internal MOSFET/resistive paths are simple but heat locally and need strong derating. External e-load allows precise current and off-board heating but requires rated connectors and reverse-current protection. Choose based on enclosure thermal budget and connector ratings, then log path=int|ext and the chosen current ceiling tied to measured T_peak limits.
Which fields are mandatory in the compliance log for audits?
Include identity (device_id, serial, fw_version), policy_hash, trigger metadata, envelope snapshot, trajectory, interlock states (VIN_PRESENT, path_state, diode_status), energy_removed_Wh, durations, exit and reason. Add prev_hash, device signature, server signature, and clock_skew_ms so gaps, reorders, or tampering are detectable.
How is metering accuracy validated without a lab watt-hour meter?
Use a periodic cross-check against a calibrated reference unit or shadow device. For each station, enforce an acceptance band (e.g., ±Y %). Flag metering_error_pct when exceeded, require re-run or external meter audit, and block releases until evidence is in range. Persist the reference firmware and calibration IDs in the log.
What must be updated in cloud mapping when swapping parts across brands?
Update field names and polarity for charging_state, jeita_zone, path_state, diode_status, and otg_state, as well as the metering units (Wh/mWh) and soh_basis. Run A/B shadow logging before release. Procurement is limited to TI/ST/NXP/Renesas/onsemi/Microchip/Melexis, and replacements are blocked until the telemetry mapper passes verification.