← Back to: eFuse / Hot-Swap / OR-ing Protection
What is a Hot-Swap Controller?
A hot-swap controller uses an external MOSFET to shape the power-up ramp (dv/dt), limit inrush and short-circuit current, keep the MOSFET within SOA, block reverse current, and coordinate system readiness via PG/FAULT.
Center idea
Constrain capacitive charging and fault current inside the MOSFET’s SOA while avoiding back-drive; PG/FAULT serve as the system beat—PG = safe-to-operate, not guaranteed steady state.
What it is not
- No DC/DC compensation or loop tuning here.
- No BMS pack-FET strategy; only port hot-plug reliability.
- No ideal-diode theory (interface only), no long PN lists.
Key equations
I_inrush ≈ C_load × dV/dt
P_linear ≈ Vds × Id
ΔT ≈ P × RθJA
Use dv/dt and ILIM as dual knobs with fast/slow trip coordination.
Validation (repeatable)
- Hot-plug loop: 10×/min × 10 min; capture Gate/Vout/Iin/PG, count PG chatter.
- Hard short: measure fast-trip delay (µs), energy, and recovery (latch/retry/hiccup).
- MCU debounce: hardware RC + N consecutive valid samples.
Typical pitfalls
- Replacing controlled hot-swap with a Schottky “soft start” → drop & heat & back-drive.
- Confusing upstream current limit with low inrush → use proper source & sense setup.
- Ignoring remote C and cable L → ringing & nuisance trips; add snubber and retune dv/dt/ILIM.
Hot-swap with dv/dt soft-start; limit inrush to __A (dV/dt = __V/ms). ILIM = __A; fast trip ≤ __µs; PG asserted after current-limit exit. Do NOT replace with Schottky “soft start”. Seven-brand limit: TI / ST / NXP / Renesas / onsemi / Microchip / Melexis.
Design Inputs
Define the worst-case envelope, then map it to design knobs: dv/dt, ILIM, and trip modes. Compliance needs (AEC-Q100, telemetry) determine capability requirements.
Five-tuple (inputs)
<VIN_max, C_load, I_nom, T_range, L_cable>
- VIN_max → MOSFET Vds rating & SOA curve selection
- C_load → target I_inrush → dv/dt
- I_nom → ILIM lower bound (with peak margin)
- T_range → Rds(on)/trip delay temperature derating
- L_cable → remote ringing → snubber & probing
Failure hypotheses (preset)
- Hard/soft short; reverse connection/back-drive
- Power-down back-drive; long-cable overshoot
- Cold-start parameter drift
Each hypothesis maps to one lab script and a pass criterion.
Compliance & capability
- Automotive → thermal derating & latch behavior
- Telemetry → I²C/PMBus, PG/FAULT level & timing
- Reverse blocking threshold & energy limits
Fill-in inputs
VIN_max = __ V; VIN_min = __ V
C_load = __ µF (include remote bulk)
I_nom = __ A; I_peak = __ A
T_range = __ to __ °C; L_cable = __ µH
Derived knobs
I_inrush_max = __ A → dV/dt = I_inrush_max / C_load = __ V/ms
ILIM = __ A
trip = fast/slow + latch / retry / hiccup
Pass criteria (corners)
- Hot-plug loop: PG chatter < __ per 10 cycles.
- I_inrush_peak ≤ __ A; fast-trip ≤ __ µs.
- Reverse inject: cutoff ≤ __ µs; no back-drive.
- Linear window ΔT ≤ __ °C (ΔT ≈ P × RθJA).
Automotive builds: prefer latch or qualified hiccup; enforce reverse-blocking threshold ≥ |V_backup − V_main|max. Telemetry (I²C/PMBus) required if PG/FAULT logging or remote diagnostics are part of the spec.
Inrush Control (dv/dt & Gate)
Shape the output ramp using gate control so that dv/dt → I_inrush is predictable, ringing is damped, and the MOSFET’s linear energy stays within SOA. Strategies include fixed RC, internal programmable ramp, and two-stage soft-start (pre-charge → main ramp).
Design objective
Limit I_inrush without exceeding SOA while keeping start-up timely. Smaller dv/dt reduces inrush and cable ringing but lengthens the linear power window—co-design with SOA and thermal.
Key relations
I_inrush = C_load × dV/dt
t_rise ≈ ΔV / dV/dt
P_linear ≈ Vds × Id ; ΔT ≈ P × RθJA
Gate path sets dv/dt: RC pull, internal ramp, or staged soft-start around the Miller plateau.
Common pitfalls
- dv/dt too slow → excessive linear heating, late PG.
- Upstream current limit masks real inrush (“false low inrush”).
- Ignoring remote C and cable L → ringing and nuisance trips.
Implementation options
- RC gate pull for fixed slope (tune around the Miller plateau).
- Internal ramp (fixed or programmable) with scope-based calibration.
- Two-stage soft-start: pre-charge to reduce ringing, then main ramp.
Validation (repeatable)
- Scope 3-trace capture: Gate / Vout / Iin; ≥10 MSa/s.
- Quantify peak Iinrush, linear energy (area under Vds·Id), PG time.
- Remote ringing check with end-of-cable probing and snubber if needed.
Current Limit & Trip Curves
Set ILIM to avoid nuisance trips yet protect the MOSFET and connector energy limits. Coordinate fast-trip (µs) for hard shorts and slow-trip (ms) for transient tolerance, then pick a protection mode: latch, auto-retry, or hiccup.
Setting steps
- Inputs: I_nom, I_peak, C_load, upstream limit, temperature, load type.
- Initial: ILIM ≥ I_nom×(1+margin) and ≤ upstream capability.
- Delays: fast-trip ≤ connector/trace energy window; slow-trip ≈ transient need.
- Co-tune with dv/dt so normal ramp never triggers fast-trip.
What to verify
- Hard-short triggers fast-trip; disconnection time ≤ target.
- Load steps verify slow-trip without false trips.
- For auto-retry/hiccup: record period, duty, and peak thermal rise.
Key relations
ILIM ≈ k / R_sense (k in vendor range)
fast-trip_delay ≤ __ µs ; slow-trip_delay ≈ __ ms
retry period = __ ms ; hiccup duty = __%
Mode selection
- Latch: highest safety; manual recovery.
- Auto-retry: self-recovery; check duty-cycle thermal rise.
- Hiccup: cool-off intervals; validate restart stress and availability.
Lab scripts
- Load step then hard-short; measure trip delay distribution (µs/ms).
- Record retry period, duty, and peak temperature for chosen mode.
- Ensure normal ramp never triggers fast-trip under corner conditions.
Corner criteria
- fast-trip ≤ __ µs; slow-trip ≈ __ ms; ILIM = __ A.
- Average power in retry/hiccup ≤ __ W; ΔT ≤ __ °C.
- No nuisance trip for motor start / write bursts.
MOSFET Selection & SOA Check (Linear Thermal/Power)
Turn SOA verification into a repeatable procedure: quantify the linear window energy, estimate thermal rise via package/board Rθ, and validate against pulse width and repetition rate so repeated hot-plug does not accumulate into thermal runaway.
Why SOA matters
During dv/dt-controlled start-up and short events, the MOSFET lives in the linear region where P ≈ Vds × Id. The window duration is set by ramp time and load profile—verify against the device’s SOA at the same pulse width and duty.
Read the SOA correctly
- Place the measured point (Vds_pk, Id_pk, t_pulse) inside the curve for that pulse width.
- Repeated pulses: apply the vendor’s “repetitive SOA” or derate via average power & cooling time.
- Use worst-case temperature and board-level Rθ, not typical.
FET selection knobs
- SOA strength at your pulse width
- Rds(on) for steady loss after ramp
- Qg (affects gate speed & linear window length)
- Package/thermal path (pad, vias, copper island)
Step-by-step SOA workflow
- Capture waveforms; extract Vds_pk, Id_pk, t_linear and shape factor.
- Compute E_linear, P_avg, and ΔT with worst-case Rθ.
- Place the pulse on the SOA at the same t_pulse; apply repetitive derating if needed.
- Adjust device/package, copper area, vias, or shorten the linear window.
Fill-in fields
Vds_pk = __ V ; Id_pk = __ A ; t_linear = __ ms ; E_linear = __ mJ
RθJA = __ °C/W ; ΔT_pk = __ °C ; P_avg = __ W ; Repetition = __ per min
Lab validation
- IR thermography synchronized with Gate/Vout/I waveforms.
- Worst ambient & low airflow box test; repeat hot-plug cycles.
- Inject faults (short/stall) and re-check SOA placement.
Reverse Blocking & Power-Down
Define reverse-current thresholds and switching hysteresis so source overlap does not cause chatter or back-drive. During power-down, control the discharge slope and enforce a secondary cutoff to prevent Vout→VIN feedthrough.
Core relations
V_rev_block ≥ |V_backup − V_main|max
t_cutoff ≤ __ µs (detect → turn-off)
ΔV_hys = __ V (switching hysteresis)
Back-to-back FETs or an ideal-diode controller minimize body-diode conduction during overlap.
Power-down sequence
- Controlled Vout fall (fast gate discharge / sync short-off).
- Secondary cutoff to clear residual energy if needed.
- PG low & MCU interlock; only re-enable after no reverse current for __ ms.
Test methods
- External injection from Vout: measure reverse spike and cutoff time.
- Dual-source overlap sweep: map ΔV window and PG/FAULT timing.
- Power-down/up: verify no re-start during back-drive decay.
Interlock logic
if (PG_low) hold_off();
if (PG_high && no_rev_current for __ ms) allow_switch();
Use PG/FAULT with MCU to prevent premature restart while reverse current decays.
Fill-in fields
V_backup_max = __ V ; V_main_min = __ V ; V_rev_block = __ V
t_cutoff = __ µs ; ΔV_hys = __ V ; PG_reassert_delay = __ ms
Validation checklist
- Injection test: reverse spike amplitude & cutoff time within targets.
- Overlap sweep: no chatter inside hysteresis; PG/FAULT timing sane.
- Power-down: controlled fall, no Vout→VIN feedthrough restart.
Hiccup / Derate Strategies (Self-Recovery & Power Limiting)
Choose between hiccup (disconnect → cool → retry) for uncertain shorts and derate (current/power limiting) for loads that must not drop, then validate average power and thermal rise under long runs.
Triggers & parameters
- Triggers: fast-trip (hard short), slow-trip (overload), over-temperature.
- T_hic = t_off + t_restart ; D_hic = t_restart / T_hic
- I_derate = α · ILIM (0<α<1) or P_max limit
Engineering checks
- Hiccup: average power P_avg ≈ ΣE_try / T_hic → ΔT ≈ P_avg · RθJA.
- Derate: steady P ≈ Vds · I_derate, output stability, minimum-function current.
- Availability vs safety trade-offs documented.
Long-run validation
- 10-minute loop: record duty, peak temperature, recovery success, nuisance trips.
- Thermography synced with current/voltage traces.
- Edge cases: low-T cold start, cable ringing, write bursts.
PG/FAULT Integration (Timing with MCU / PMIC)
Treat PG as the power-up tempo, not the end state: debounce in hardware and firmware, chain it to EN/RESET with stagger, and interlock with reverse-current checks so re-enable never happens inside a back-drive window.
Definitions & thresholds
PG := (Vout ≥ V_PG,th) & (current state = normal)
N-sample debounce: N = __, Ts = __ ms
FAULT is latched until cleared (manual or power cycle); align with watchdog/host policy.
Timing chain
- PG(raw) → RC debounce → MCU filter → EN enable → RESET release (staggered).
- On FAULT: log event, apply protection mode (latch/retry/hiccup), report upstream.
- Interlock with no_rev_current & ΔV hysteresis (Ch.6).
Metrics to record
- PG jitter count & minimum high width under plug/short scripts.
- EN/RESET actual timing vs plan; downstream start integrity.
- Power-down/up: no restart during back-drive decay.
Validation & Lab Scripts (Repeatable Tests)
Minimal, repeatable scripts so engineers and sourcing can quantify risk: hot-plug playback, hard-short fast trip, back-drive injection, and thermal imaging—each with CSV fields and pass/fail thresholds.
Hot-Plug Playback
- 10×/min plug events; capture Gate, Vout, Iin, PG.
- E_linear ≈ ∫ Vds·Id·dt (trapezoid)
- Record: I_inrush_pk, t_linear, PG_delay, PG_jitter.
Hard-Short Fast Trip
- Relay/SS switch ≤ 200 ns at Vout steady.
- Measure t_fasttrip(µs), E_pretrip(mJ), mode: latch/retry/hiccup.
Back-Drive Injection
- Inject from Vout (ΔV or constant I).
- Measure V_rev_block(V), t_cutoff(µs), ΔV_hys(V), chatter?
Thermal Imaging
- Linear window & steady-state sets, 10-min loop.
- Record ΔT_pk(°C), hotspot(x,y), P_avg, saturation/migration.
Small-Batch Sourcing & Cross-Brand Alternatives
Three lanes—A→A same-series, A→B cross-brand, A→C higher-capability with light redesign—locked to a capability checklist so replacements don’t break safety or timing.
Capability checklist (must match)
- ILIM set method & range; fast/slow trip (µs/ms) and mode.
- dv/dt control type (RC/internal/segmented soft-start).
- Reverse blocking (topology, V_rev_block, t_cutoff).
- PG/FAULT type & levels; telemetry (I²C/PMBus/ADC).
- SOA & Rθ at board level; Qg & gate drive need; AEC-Q100.
Example families (7 brands)
TI: LM5069 (HSW), TPS25982 / TPS2663 (eFuse)
ST: STEF12 / STEF01 (eFuse)
NXP: NX5P3090 / NX5P3290 (power switch)
Renesas: ISL6146 / ISL6144 (HSW)
onsemi: NIS5021 / NIS5420 (eFuse/protect)
Microchip: MIC2005 / MIC2026 / MIC2545A (power dist)
Melexis: use only if capability match is proven (not primary for HSW/eFuse)
Always confirm with official datasheets and your internal PN pages.
Sourcing lanes
- A→A same series/pin-compatible (fastest).
- A→B cross-brand, capability-matched.
- A→C add telemetry/SOA margin with light changes.
Copy-ready BOM remark (fill blanks)
Hot-Swap with dv/dt soft-start; ILIM = __ A; fast trip ≤ __ µs; mode = latch/auto-retry/hiccup(__); reverse blocking ≥ __ V; OR-ing if dual source; PG/FAULT → MCU with debounce; telemetry = (I²C/PMBus/__); NTC derating required. Do NOT replace ideal-diode/Hot-Swap with Schottky-based “soft start”. Seven-brand limit: TI / ST / NXP / Renesas / onsemi / Microchip / Melexis.
Request a Quote
Common Pitfalls (Symptoms, Root Causes, Fixes)
Each card lists Symptom → Root Cause → Fix → Validation. Use these as rapid “risk flags” during reviews and bring metrics back to Chapter 9 scripts.
PG jitter during ramp
PG toggles several times before staying high on power-up.
dv/dt too slow; PG criterion coupled to “exit current-limit”; insufficient debounce.
Increase dv/dt or use segmented soft-start; add RC + MCU N-sample confirmation; only release EN/RESET after current-limit exit + hold time.
PG_jitter ≤ __ / 10 plugs; record t_PG_delay.
Linear overheating / blown FET
FET case temperature spikes; occasional catastrophic failure.
SOA violation; high repetition; slow gate due to large Qg.
Higher-SOA device or parallel; shorten linear window via faster ramp or pre-charge; reduce Qg or strengthen driver; reduce repetition.
E_linear ≤ __ mJ, ΔT_pk ≤ __ °C.
Remote ringing / overshoot
Ringing or second bump seen at remote load node.
Cable inductance plus large end-cap; weak source damping.
Add RC snubber at the load; add series R/damping at source; partition routing to isolate hot-swap loop.
Peak overshoot ≤ __%; decay ≤ __ µs.
Nuisance short detection (motors)
Trips during motor start or pulse loads.
Inrush mistakenly trips fast-trip.
Widen slow-trip window; step ILIM; soft-start or pre-charge inductive load.
Start passes 100%; hard-short still trips within __ µs.
Back-drive restart
Unit restarts while reverse current is still decaying.
Missing interlock during power-down window; timing mismatch in ideal-diode/back-to-back FETs.
Interlock EN/RESET with PG/FAULT; require no_rev_current ≥ __ ms before re-enable.
Back-drive test shows no unintended restart.
Treating PG as “steady-state”
Downstream boots too early and resets again.
PG ≠ steady-state; it marks “admission,” not settled operation.
Add stability window after PG; stagger RESET; confirm exit from current limit.
Consistent downstream start; zero unintended resets.
Excessively slow dv/dt
Safe current but large linear heating; PG arrives too late.
Over-constrained inrush; long high-Vds·Id window.
Trade inrush vs energy; use segmented ramp or pre-charge to shrink linear time.
E_linear reduced to ≤ __ mJ.
Measurement path corrupts control
ILIM oscillates or telemetry disagrees with scope.
Shared sense path or inadequate bandwidth/filtering.
Separate measurement vs control; raise bandwidth; configure filters correctly.
Two methods agree within ≤ __ %.
Long cables / inductive loads trip
Nuisance trips on long harnesses or solenoids.
L-induced overshoot/undershoot against trip thresholds.
Broaden ILIM/trip timing; add damping near the load; verify with step tests.
Zero nuisance trips over scripted cases.
Thermal accumulation → intermittent lockups
Unit fails only after repeated stress cycles.
Hiccup off-time too short; high average power.
Extend t_off, improve cooling, or switch critical ports to latch.
10-minute loop shows bounded ΔT and stable behavior.
Reverse-block threshold too low
Chatter when sources overlap; occasional reboots.
ΔV window not aligned with main/backup spread.
Set V_rev_block ≥ |V_backup − V_main|max with hysteresis; align timing.
No chatter; t_cutoff ≤ __ µs.
Using eFuse as hot-swap replacement
Safe in the lab, fails in field at harsh edges.
Integrated FET lacks required SOA/flexibility vs external FET design.
Only replace when capability checklist matches; re-run Chapter 9 scripts at corners.
All four scripts pass at VIN/C/Temp corners.
FAQ (Scope: Hot-Swap Controller on This Page)
Twelve focused Q&A items. Answers keep to this page’s scope and include measurable placeholders you can bind to Chapter 9 thresholds.
How do I set dv/dt to avoid both over-current and SOA stress?
Start from the upstream source and connector ratings to define a safe inrush current, then back-calculate the target dv/dt using I_inrush = C_load · dV/dt. Verify linear energy against FET SOA and shorten the high-Vds window with segmented ramps or pre-charge. Target placeholders: I_inrush_pk ≤ __ A, E_linear ≤ __ mJ.
With unknown C_load and cable inductance, how can I set ILIM safely?
Use a conservative ILIM derived from connector and harness limits, then sweep load steps while monitoring trip behavior. If C_load is uncertain, bias toward a lower ILIM and compensate with a faster ramp. Validate with hot-plug scripts at corners. Placeholders: ILIM = __ A, t_slowtrip = __ ms.
When should I choose fast-trip + latch vs auto-retry vs hiccup?
Use fast-trip + latch for high-risk ports where repeating energy is unsafe; auto-retry for transient overloads that typically clear; hiccup for uncertain faults that need energy limiting across time. Decide by availability versus safety and average thermal rise. Placeholders: t_fasttrip ≤ __ µs, D_hic = __%.
How do I validate reverse blocking and avoid back-driving the upstream source?
Inject from Vout with ΔV steps and measure reverse current cutoff time and chatter. Add hysteresis and an interlock so EN/RESET cannot assert while back-drive is present. Confirm with decay timing. Placeholders: V_rev_block ≥ __ V, t_cutoff ≤ __ µs.
How do I debounce PG when it jitters during the ramp?
Treat PG as a tempo signal, not a steady-state flag. Add an RC filter at the pin and require N consecutive MCU samples with a hold time after current-limit exit before enabling downstream rails. This eliminates chatter-driven restarts. Placeholders: N = __, t_PG_hold = __ ms.
How can I script hot-plug and short-circuit tests reliably?
Automate 10×/min hot-plug cycles and a relay-based hard short with timestamps. Capture Gate, Vout, Iin, and PG on every run, export CSV, and tag events consistently for later review. Pass when energy, delays, and jitter meet limits. Placeholders: E_linear ≤ __ mJ, t_fasttrip ≤ __ µs.
What’s a quick way to estimate linear-window temperature rise?
Approximate energy during the linear window, divide by the cycle time to get average power, then multiply by board-level thermal resistance to estimate rise. Confirm with thermography at the worst corner. Placeholders: P_avg = __ W, ΔT_pk ≤ __ °C.
Can shared sense/telemetry paths make ILIM unstable?
Yes. Shared paths add impedance and filtering that can interact with the limiter. Split measurement and control paths where possible, raise bandwidth judiciously, and validate with step loads while logging both channels. Placeholders: reading mismatch ≤ __ %, stability margin ≥ __ dB.
How to combine a hot-swap with an ideal-diode OR-ing path?
Place the OR-ing stage to enforce priority and ensure the hot-swap controller sees only one effective source. Align reverse-block thresholds and add an interlock so restarts do not occur within the back-drive window. Placeholders: ΔV_hys = __ V, re-enable delay ≥ __ ms.
Which parameters are most sensitive at low temperature?
Gate threshold and mobility shift slow the ramp; ILIM mirrors and trip comparators drift; ESR changes alter inrush shape. Validate at the cold corner with the same scripts and extend hold times when needed. Placeholders: TA = __ °C, t_PG_hold = __ ms.
How do I avoid nuisance trips with long cables or inductive loads?
Add damping near the load, widen slow-trip timing, and verify with step and plug scripts. Ensure thresholds account for L-induced overshoot and undershoot while preserving fast-trip response to true faults. Placeholders: overshoot ≤ __ %, slow-trip = __ ms.
What BOM remark prevents “Schottky soft-start” from replacing a hot-swap?
State that a hot-swap with dv/dt control, programmable ILIM, fast/slow trips, and reverse-blocking is mandatory. Explicitly forbid Schottky-only “soft start” substitutions and require Chapter 9 validation at corners. Placeholders: ILIM = __ A, fast-trip ≤ __ µs.
