Why Isolation + Intrinsic Safety Demands Safe Defaults
In intrinsic-safety contexts, any unknown state must automatically de-energize the path (de-energize-to-trip). Rather than “always cut power,” the practical goal is energy-limited behavior: minor anomalies drive limited-power modes; sustained or major faults escalate to trip.
Semantic over Level
Use active-low, open-drain outputs with pull-ups anchored on the Safe domain. Semantics decide how PG/FAULT/RESET propagate into energy-limited or trip actions without back-powering across isolation.
Unknown → Safe Default
On power-loss, cable break, or isolator channel failure, outputs fall to a safe default: limited-power first, then trip if voting confirms a major fault.
Hooks to eFuse/Hot-Swap
Bind PG_loss to a power-limit mode (e.g., ILIM=0.6–0.8× rated). When 2oo3 voting confirms a major event, escalate to cut-off or timed retry.
Validation & Logging
Inject cable-break, power-loss, and isolator-channel failure; verify entry into limited-power or trip and persist at least one log record before power vanishes.
Procurement & Risk
Choose fail-safe isolators, track EOL/PCN windows, and pre-approve second-source parts with matching semantics (OD/low-true, pull-up domain).
Domain Boundaries & Signal Direction
Model two power/ground domains and make the pull-up domain explicit. Avoid “looks fine but unsafe” cases: mixed pull-ups, push-pull across isolation, and polarity mismatches that invert voting logic.
Implementation Rules
- All pull-ups reside in the Safe domain; Hazardous side is OD pull-down/high-Z only.
- Unify active-low PG/FAULT/RESET; document pull-up domain & resistor (10–100 kΩ) in the schematic/BOM.
- Perform a back-power leak check (μA level) from isolator input to Safe supply.
Validation Steps
- Power down Hazardous rail → measure node voltages/currents; Safe must not sustain a false “high”.
- Open/short isolator inputs → confirm fail-safe default on the Safe side.
- Inject load steps/loom coupling → check for false PG and polarity-normalization issues.
Procurement Notes
Lock the pull-up resistor as a BOM line with domain annotation; avoid push-pull outputs across isolation; pre-qualify second-source parts for identical polarity/semantics.
Isolation-Aware Window Thresholds & Hysteresis
Stabilize UV/OV/window decisions in the presence of cable drop, temperature drift, and noise. Decouple channel quality from voting: first make a robust single-channel decision (hysteresis + digital debounce), then feed voting.
Core Formulas
HYS ≥ 1.5 × (V_noise,pp + ΔV_cable,pp)
V_set(T) = V_ref × [1 + α(T − 25 °C)] ± drift_sense
drift_sense = R-divider tolerance + amp offset/drift + ADC/Comparator bias
Configuration Strategy
- Window: UV = Vmin_app + margin; OV = Vmax_app − margin; pick margin ≥ combined error + aging.
- Debounce (pre-vote): slide-window K-of-M on each channel; sampling ≥ 4–10× dominant interference.
- Isolation-aware: decide locally (Hazardous side) and pass semantics (OD, low-true) across isolation.
Validation
Env chamber (−40~+85 °C) × loom-injected noise (EMI/GND bounce) × load steps; collect false-trigger rate (ppm/h), enter/exit delay, margin at window edges.
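The single-channel decision described in this section, as an added example in C (not code from the original page): the hysteresis and setpoint-error formulas above, a window comparator that applies the hysteresis band, and a K-of-M sliding-window debounce whose output (not the raw comparator bit) is what gets fed to voting. All numeric inputs are constructed sample values; names are the author's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <math.h>

/* HYS >= 1.5 * (V_noise,pp + dV_cable,pp), all in volts */
double hysteresis_v(double v_noise_pp, double dv_cable_pp)
{
    return 1.5 * (v_noise_pp + dv_cable_pp);
}

/* Worst-case setpoint shift from V_set(T) = V_ref*[1 + alpha*(T - 25 C)] +/- drift_sense,
 * where drift_sense = divider tolerance + amp offset/drift + ADC/comparator bias. */
double setpoint_error_v(double v_ref, double alpha_per_c, double temp_c, double drift_sense)
{
    return fabs(v_ref * alpha_per_c * (temp_c - 25.0)) + drift_sense;
}

typedef struct {
    double uv, ov, hys;   /* window edges after margin, hysteresis band */
    bool in_window;       /* last decision; starts false: unknown -> not OK */
} window_t;

/* UV = Vmin_app + margin, OV = Vmax_app - margin, margin >= combined error + aging */
void window_init(window_t *w, double vmin_app, double vmax_app,
                 double combined_error, double aging, double hys)
{
    double margin = combined_error + aging;
    w->uv = vmin_app + margin;
    w->ov = vmax_app - margin;
    w->hys = hys;
    w->in_window = false;
}

/* Comparator with hysteresis: enter OK only once clear of both edges by HYS,
 * leave OK as soon as an edge is crossed. */
bool window_raw(window_t *w, double v)
{
    if (w->in_window)
        w->in_window = (v > w->uv) && (v < w->ov);
    else
        w->in_window = (v >= w->uv + w->hys) && (v <= w->ov - w->hys);
    return w->in_window;
}

/* Digital debounce: OK only when at least K of the last M raw decisions were OK.
 * History is a bit field, so M <= 32. Feed this result to voting, not the raw bit. */
typedef struct { uint32_t hist; uint8_t k, m; } kofm_t;

bool kofm_update(kofm_t *d, bool raw_ok)
{
    uint32_t mask = (d->m >= 32) ? 0xFFFFFFFFu : ((1u << d->m) - 1u);
    d->hist = ((d->hist << 1) | (raw_ok ? 1u : 0u)) & mask;
    unsigned ones = 0;
    for (uint32_t h = d->hist; h; h >>= 1) ones += h & 1u;
    return ones >= d->k;
}
```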
Voting (1oo2/2oo3/N-of-M) with Energy-Limited Actions
Reduce nuisance trips via voting while prioritizing limited-power over hard cut-off. Two-stage filtering: channel K-of-M debounce → cross-channel 2oo3/NooM. Bind results to eFuse/Hot-Swap actions.
Trade-offs
- 1oo2: availability ↑, nuisance triggers ↑.
- 2oo3: robustness ↑, channel count/cost ↑.
- N-of-M: generic; pair with per-channel debounce.
Latency Budget
T_total ≈ T_debounce(single) + T_vote(window) + T_action(eFuse/HS)
Aim for fast limited-power entry; reserve hard trip for sustained majors.
Action Mapping
- Minor: log & watch.
- PG_loss: eFuse → ILIM = 0.6–0.8× rated (limited-power, managed slew).
- Major (2oo3 + hold): cut-off or derate + retry back-off.
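The second filtering stage and the action mapping above, as an added example in C (not code from the original page). It assumes per-channel K-of-M debounce runs upstream and delivers three debounced PG_OK flags per tick; the block votes 2oo3, holds a majority fault for a configurable number of ticks before escalating to trip, latches the trip until an explicit retry, and exposes the eFuse ILIM fraction. Tick period and hold counts are constructed placeholders.

```c
#include <stdbool.h>
#include <stdint.h>

typedef enum { ACT_NORMAL, ACT_WATCH, ACT_LIMIT, ACT_TRIP } action_t;

typedef struct {
    uint16_t major_hold_ticks;   /* how long a 2oo3 fault must persist before trip */
    uint16_t fault_ticks;        /* consecutive ticks with a majority fault */
    double   ilim_limited;       /* limited-power ILIM as a fraction of rated (0.6..0.8) */
    action_t action;
} vote_ctx_t;

void vote_init(vote_ctx_t *v, uint16_t major_hold_ticks, double ilim_limited)
{
    v->major_hold_ticks = major_hold_ticks;
    v->fault_ticks = 0;
    v->ilim_limited = ilim_limited;
    v->action = ACT_LIMIT;   /* unknown -> safe default: limited-power until proven good */
}

/* 2oo3: number of channels reporting fault; a majority is two or more. */
static int fault_count(bool ok0, bool ok1, bool ok2)
{
    return (!ok0) + (!ok1) + (!ok2);
}

/* One voting tick. Mapping from the page: single-channel flag (minor) -> log & watch;
 * PG_loss confirmed by 2oo3 -> limited-power; 2oo3 sustained past the hold -> trip. */
action_t vote_tick(vote_ctx_t *v, bool ok0, bool ok1, bool ok2)
{
    int n = fault_count(ok0, ok1, ok2);
    if (n >= 2) {
        if (v->fault_ticks < UINT16_MAX) v->fault_ticks++;
        v->action = (v->fault_ticks >= v->major_hold_ticks) ? ACT_TRIP : ACT_LIMIT;
    } else {
        v->fault_ticks = 0;
        /* a trip stays latched until vote_retry(); below quorum, one flag is only minor */
        if (v->action != ACT_TRIP)
            v->action = (n == 1) ? ACT_WATCH : ACT_NORMAL;
    }
    return v->action;
}

/* ILIM command for the eFuse/hot-swap controller as a fraction of rated current. */
double vote_ilim_fraction(const vote_ctx_t *v)
{
    switch (v->action) {
    case ACT_TRIP:  return 0.0;               /* cut-off */
    case ACT_LIMIT: return v->ilim_limited;   /* limited-power */
    default:        return 1.0;               /* normal / watch: full rated current */
    }
}

/* Retry after back-off: the caller waits its back-off period, then clears the latch;
 * the channel comes back in limited-power and must earn NORMAL through a clean vote. */
void vote_retry(vote_ctx_t *v)
{
    v->fault_ticks = 0;
    v->action = ACT_LIMIT;
}
```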
PG/FAULT/RESET Semantics Across Isolators
Define polarity, pin type, and pull-up domain so that semantics remain consistent and fail-safe under power loss, isolation faults, or cable breaks.
Normative Rules
- OD + active-low for PG/FAULT/RESET.
- Pull-ups only in the Safe domain; Hazardous side: pull-down/high-Z/phototransistor only.
- RESET width meets t_cold_min(MCU) (POR + oscillator start-up compliant).
Common Pitfalls
- Push-pull across isolation → ghost powering/back-power.
- Mixed default polarities across vendors → inverted voting.
- Insufficient RESET width → no true cold reset.
Validation
De-power/flip/open the isolator; Safe side must default low (fault) and de-energize. Measure leak (µA) from isolator inputs to the Safe supply to rule out back-power.
Safe-State Defaults & Power-Up/Down Behavior
Unify power-up, power-down, reset, cable open, and isolator failure into a single safe default: enter limited-power first, escalate to trip only for sustained/major faults.
Default Strategy Matrix
- Power-up not ready: RESET = low; eFuse = limited-power (soft-start/ILIM); PG = low until filtered stable.
- Power-down: pull-ups vanish → OD naturally low → de-energize with log entry.
- Isolator failure: heartbeat/watchdog lost → derate or trip with back-off policy.
- Cable open: cross-domain input floats → Safe side stays low (fault), no false PG high.
Quantitative Hooks
t_RESET ≥ t_cold_min(MCU),
t_PG_filter ≥ max{debounce_window, rail_settle};
set ILIM and slew to avoid secondary dips on the PDN/loom.
Validation & Logging
Inject de-power, unplug, disable isolation, drop heartbeat; observe Normal → Limited-Power → Trip/Retry, ensure at least one persistent log before energy loss.
Reusable Parameters
class{minor|major}, cause{brownout|iso_fail|cable_break}, action{limit|trip|retry}, ts
Three Deployment Patterns
Practical integration blueprints for isolated supervisors. Each pattern states signal direction, pull-up domain, and action hooks to eFuse/Hot-Swap so you can build fail-safe by default.
Pattern A — Single-Channel + One-Way Isolation
Sensor / light loads
- Structure: Local window comparator/supervisor (Hazardous) → digital isolator (H→S) → OD low-true into Safe domain (pull-ups only in Safe).
- Pros/Cons: Low BOM / limited availability & fault tolerance.
- Action hook: On PG_loss, downstream eFuse enters limited-power (ILIM = 0.6–0.8× rated).
- Validation: Wire-break, de-power, isolator fail ⇒ Safe side reads fault (low) and de-energizes; measure input leak (µA) to rule out back-power.
Pattern B — 2oo3 Voting + Bidirectional Telemetry
High availability
- Structure: Three independent channels → Safe-side 2oo3 voting; a reverse S→H channel issues limited-power/derating commands (bidirectional isolator).
- Filtering: Per-channel K-of-M debounce → cross-channel voting window.
- Actions: PG_loss ⇒ limited-power; Major (sustained) ⇒ cut-off or derate + retry back-off.
- Validation: Channel independence (power/placement/device), asynchronous disturbance tests, latency budget (T_total = T_debounce + T_vote + T_action).
Pattern C — Supervisor Drives Limited-Power Mode
Avoid full blackouts
- Structure: Supervisor FAULT/RESET (OD, low-true) → eFuse/Hot-Swap gate/ILIM pin; PG_OK gates system enable.
- Priority: Prefer limited-power first; escalate to trip only for major/sustained faults; ensure RESET width satisfies cold-clock domain.
- Validation: Entry/exit stability in limited-power; controlled slew to avoid secondary dips; confirm at least one persistent log before power loss.
Implementation Checklist
T_debounce/T_vote/T_action.
Seven-Brand Mapping & Shortlist Rules
Selection is driven by semantics (window/precision/delay & OD low-true), not just nominal thresholds. Parts below are concrete, in-market PNs with brief rationale to fit Patterns A–C. Use OD/low-true, AEC-Q100, height, voting friendliness, and isolator pairing as primary fields.
TI (Texas Instruments)
- TPS3702-Q1 — Window supervisor, precision UV/OV, OD low-true. Reason: clean window + hysteresis options; Pattern-A local decision.
- TPS3851-Q1 — Supervisor + watchdog. Reason: combines reset & WDT; good independent channel for Pattern-B.
- TPS386000 / TPS3860x-Q1 — Multi-rail supervisor. Reason: multi-rail timing, voting-friendly hub.
- Isolator pairing: ISO7741-Q1 / ISO7721-Q1 (fail-safe semantics).
STMicroelectronics
- STM809/STM810 — µP reset detectors. Reason: low-Iq, many voltage options; entry PN for Pattern-A.
- STM6719 / STM7032 — Supervisor + watchdog/manual reset. Reason: integrates user push-button semantics.
- STWD100 — Standalone watchdog. Reason: adds channel independence for Pattern-B.
NXP
- FS26 (FS26xxA) — Safety SBC with multi-rail supervisor + window WDT. Reason: high-integrity path for 2oo3 (Pattern-B) when mixed with external channels.
- PF5020 / PF8100 — PMICs with sequencing & PG/reset control. Reason: aligns power tree semantics with supervisor actions.
- Domain parts: TJA14xx transceivers (WDT/WAKE in comms domain) can provide independent channels near gateways.
Renesas
- ISL88014 / ISL88002 / ISL88001 — Low-power voltage supervisors. Reason: compact, accurate choices for Pattern-A UV/OV guards.
- RAA271000 / RAA271082 — Automotive PMIC/SBC. Reason: integrates PG/reset/WDT; natural for Pattern-C with eFuse linkage.
onsemi
- NCV809 / NCV810 — µP reset, OD/PP variants. Reason: AEC-Q line, simple and robust for Pattern-A.
- NCP301 / NCP302 — Precision reset detectors. Reason: multiple thresholds, very low current.
- NCV8133 / NCV8115 — LDOs with PG. Reason: use supply-side PG as an independent channel (normalize polarity).
Microchip
- MCP1316/1317/1318 — Programmable delay & thresholds, OD options. Reason: easy RESET tree alignment and OD semantics across isolation.
- MCP100/101/102 — Classic low-power resets. Reason: cost-efficient for Pattern-A.
- MIC809/MIC810 — Micrel lineage. Reason: broad ecosystem, thin packages for low height BOMs.
Melexis
- MLX81113 / MLX81115 — LIN SBC/LED domains with WDT/Reset/PG. Reason: channel independence near body/lighting gateways (Pattern-B).
- MLX81325 / MLX81330 — Motor driver SBCs with diagnostics. Reason: actuator-side local criteria (Hazardous domain) feeding isolation.
| Brand | Part Number | Semantics (OD/Polarity) | Window/Precision/Delay | AEC-Q100 | H_max | Voting-friendliness | Recommended Isolator & Pull-up Domain |
|---|---|---|---|---|---|---|---|
| TI | TPS3702-Q1 | OD, active-low (PG/RESET) | Window UV/OV, precision band, optional hysteresis | Yes (grade per variant) | <= 1.0–1.2 mm (pkg dep.) | Good single-channel guard (Pattern-A) | ISO7741-Q1; pull-ups only in Safe |
| ST | STM809/810 | OD/PP options; prefer OD low-true | Fixed reset threshold, low Iq, common rails | Check per PN | Thin SOT-23 class | Entry node for Pattern-A | Generic digital isolator; pull-ups in Safe |
| NXP | FS26xxA (SBC) | OD low-true PG/RESET/WDT window | Multi-rail, window WDT, sequencing hooks | Yes (automotive safety SBC) | Package dependent | 2oo3 hub (Pattern-B) | Bidirectional isolator for command S→H; pull-ups in Safe |
| Renesas | ISL88014 / ISL88002 | OD low-true recommended | Accurate reset, low power, small packages | Check per PN | ≤ 1.1–1.2 mm | Good single-rail guard (Pattern-A) | Generic isolator; pull-ups in Safe |
| onsemi | NCV809 / NCP301 | OD/PP variants; choose OD low-true | Precision thresholds, very low current | NCV = Automotive | SOT-23 class | Pattern-A / as independent channel for Pattern-B | Fail-safe isolator; pull-ups in Safe |
| Microchip | MCP1316/1317/1318; MIC809/810 | OD options, low-true preferred | Programmable delay (MCP13xx) / classic low-Iq (MIC809/810) | Check per PN | Thin SOT/SOT-143 | RESET tree alignment / independent channel | Generic isolator; pull-ups in Safe |
| Melexis | MLX81115; MLX81330 | Domain PG/Reset/WDT; normalize to OD low-true | Actuator/body domain diagnostics | Automotive domain | Package dependent | Independent domain sources (Pattern-B) | Bidirectional isolator for commands; pull-ups in Safe |
Shortlist Rules (Procurement-Ready)
- List only in-market PNs; note polarity, delay, threshold accuracy, and AEC-Q100 grade.
- Prefer OD, active-low outputs for cross-isolation semantics; pull-ups reside in Safe domain.
- Record H_max for mechanical stackups; choose thin packages when enclosure height is tight.
- Score voting-friendliness (multi-rail, window WDT, channel independence).
- Specify isolator hookup (H→S for PG/FAULT/RESET; optional S→H for commands) and resistors’ domain & value (10–100 kΩ).
- Mark second-source with same polarity & timing semantics to avoid software/logic changes.
Engineering Validation in Intrinsic-Safety Context
The goal is practical engineering proof, not a certification textbook: a repeatable matrix, scripts, and an auditable evidence chain showing fail-safe by default and limited-power first hold under boundary conditions.
| Dimension | Levels | Notes |
|---|---|---|
| Temperature | −40 / −20 / 25 / +85 °C | ≥30 min dwell; extend to +105 °C if needed. |
| Harness Length | 0.3 / 1 / 3 / 5 m (shielded vs unshielded) | Document cable DCR and routing proximity. |
| Injected Noise | EMI probe; GND bounce 10–80 mVpp; ripple 100 Hz–1 MHz sweep | Record probe position; attach scope screenshots. |
| Load Profiles | Light / heavy / 10→90% steps; capacitive / motor | Capture inrush and recovery envelopes. |
| Fault Injection | Cable open; isolator de-power; single-channel drift; jittered waveform; slow ramp; double-tap reset | Expect Safe-side low (fault), limited-power first, logging before energy loss. |
Key Performance Indicators
- Nuisance trip rate (ppm/h) — target ≤ 50 ppm/h (app-dependent).
- Average action latency T_total = debounce + vote + action.
- Recovery time from limited-power to stable normal.
- Log persist ratio ≥ 99.9% before power loss.
- Polarity/semantics conformance across domains.
Evidence & Records
Event key: ts, channel_id, class{minor|major}, cause{PG_loss|iso_fail|cable_break|brownout}, action{limit|trip|retry}, latency_ms, temp, harness_len, load_case. Attach LA traces (PG/FAULT/RESET), limited-power current envelopes, chamber photos, script hashes.
Tooling & Fixtures
- Scriptable PSU (slope/ripple), programmable load (steps/surge).
- LA/oscilloscope ≥ 200 MHz, ≥ 8 channels; near-field probe.
- Thermal chamber; harness switchboard; Python CLI: val_matrix.yaml, run_case.py, collect_logs.py.
BOM & Procurement Notes
Convert engineering parameters into orderable fields and risk controls tailored for small-batch validation and rapid substitution.
| Required Fields | Optional Fields | Notes |
|---|---|---|
| V_rail, n_rails, threshold_tolerance, window_hysteresis, K_of_M, output_type (OD/PP; prefer OD low-true), AEC_Q100 (grade), H_max (mm), second_source (Y/N) | I2C_or_PMBus, PG_FAULT_lexicon (polarity/semantics), reverse_telemetry (limited-power), dV_dt_limit, isolator_channels (H→S / S→H) | Keep pull-ups in Safe domain; specify resistor values (10–100 kΩ) and tolerance. |
Risks
- Semantic/pin mismatch (low-true vs high-true; pull-up domain differences).
- EOL / long lead time / MOQ constraints.
- Sample lead time too long, blocking validation.
Mitigations
- Polarity-normalize shim (glue logic / resistor network) with OD low-true output.
- Second-source list with equal polarity, timing, and sink capability.
- A/B/C mixed samples in parallel using identical scripts.
Frequently Asked Questions
How do I choose window thresholds that stay valid across cable drop and temperature drift?
Start from application min/max and add margins for harness drop and noise. Use hysteresis ≥ 1.5×(noise_pp + cable_drop_pp) and apply temperature coefficient to the reference and sensing chain. Combine divider tolerance, comparator/ADC offset, and drift. Validate with thermal chamber plus injected ripple while recording nuisance-trip rate and recovery times.
When should PG/FAULT be open-drain and low-true across isolation?
Prefer open-drain, low-true whenever signals cross isolation or mixed supplies. Pull-ups belong in the Safe domain so power loss or isolator failure defaults to a fault-low, de-energize state. This avoids ghost powering from push-pull outputs and keeps semantics consistent across vendors and domains with minimal glue logic or polarity normalization layers.
How can I add K-of-M voting without increasing boot latency?
Use per-channel digital debounce first, then apply a short voting window sized to expected noise bursts. Keep reset release independent from voting readiness and gate enables through PG_OK. Log channel readiness separately. This preserves fast boot while filtering spurious edges, and lets you escalate from minor flags to limited-power only when the vote remains sustained.
What is a safe default when the isolator channel fails or loses power?
Default to de-energize: OD low-true lines with pull-ups in the Safe domain read as fault when the isolator is unpowered, tri-stated, or broken. Enter limited-power mode first if loads can tolerate degraded current; escalate to full cut-off for sustained faults. Record the failure as a distinct cause with timestamp before energy becomes unavailable.
How do I avoid back-powering across domains with mixed pull-ups?
Place all pull-ups on the Safe side and keep the Hazardous side open-drain, pull-down, or high-Z only. Measure leakage from isolator inputs into the Safe rail at the microamp level. Avoid push-pull drivers across isolation. If vendor defaults differ, normalize polarity with a small glue stage so fault detection remains low-true under every supply condition.
What minimum reset pulse width ensures a cold MCU domain after isolation?
Use the MCU’s cold-start requirement: t_reset ≥ t_cold_min, which includes POR and oscillator start-up plus any clock stabilization period. Add margin for isolator propagation and filtering. Keep reset release earlier than PG_OK but later than POR, so logic comes up clean and voting or telemetry cannot resume with residual state from a warm reset.
How do I log power-fail events if storage is on the Safe side only?
Reserve a tiny, fast-commit ring buffer or FRAM-like store on the Safe side and prioritize “power-fail” class events. Trigger logging on PG loss and throttle lower-priority messages. Use a hold-up capacitor sized for one commit under worst case. Include a monotonic counter so missing entries are detectable after recovery or battery replacement.
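A Safe-side event store in C, as an added example (not code from the original page) that serves both the record fields listed under "Reusable Parameters" / "Evidence & Records" and the ring-buffer behaviour this answer describes: power-fail class events take priority over minor ones when the store is full, lower-priority events are throttled, and a monotonic counter is consumed by every event so that dropped or overwritten entries leave detectable holes after recovery. The slot count and sample records are constructed; the hold-up capacitor and the actual FRAM commit are outside this block.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef enum { CLASS_MINOR, CLASS_MAJOR } ev_class_t;
typedef enum { CAUSE_BROWNOUT, CAUSE_ISO_FAIL, CAUSE_CABLE_BREAK, CAUSE_PG_LOSS } ev_cause_t;
typedef enum { ACTION_LIMIT, ACTION_TRIP, ACTION_RETRY } ev_action_t;

typedef struct {
    uint32_t    seq;          /* monotonic counter, never reused */
    uint32_t    ts_ms;
    uint8_t     channel_id;
    ev_class_t  cls;
    ev_cause_t  cause;
    ev_action_t action;
} log_rec_t;

#define LOG_SLOTS 4   /* constructed: a tiny, fast-commit store */

typedef struct { log_rec_t slot[LOG_SLOTS]; bool used[LOG_SLOTS]; uint32_t next_seq; } log_store_t;

void log_init(log_store_t *s) { memset(s, 0, sizeof *s); s->next_seq = 1; }

/* Events that must survive power loss: PG loss, brownout, or any major fault. */
static bool is_power_fail_class(const log_rec_t *e)
{
    return e->cause == CAUSE_PG_LOSS || e->cause == CAUSE_BROWNOUT || e->cls == CLASS_MAJOR;
}

/* Slot choice: a free slot, else the oldest minor record, else the oldest record
 * overall but only when the newcomer is itself power-fail class. -1 means drop. */
static int pick_slot(const log_store_t *s, bool newcomer_pf)
{
    int oldest_minor = -1, oldest_any = -1;
    for (int i = 0; i < LOG_SLOTS; i++) {
        if (!s->used[i]) return i;
        if (oldest_any < 0 || s->slot[i].seq < s->slot[oldest_any].seq) oldest_any = i;
        if (!is_power_fail_class(&s->slot[i]) &&
            (oldest_minor < 0 || s->slot[i].seq < s->slot[oldest_minor].seq)) oldest_minor = i;
    }
    return oldest_minor >= 0 ? oldest_minor : (newcomer_pf ? oldest_any : -1);
}

/* Returns the sequence number assigned, or 0 if the event was throttled (dropped). */
uint32_t log_push(log_store_t *s, log_rec_t e)
{
    e.seq = s->next_seq++;   /* every event consumes a number, so drops leave holes */
    int i = pick_slot(s, is_power_fail_class(&e));
    if (i < 0) return 0;
    s->slot[i] = e;
    s->used[i] = true;
    return e.seq;
}

/* After recovery: how many sequence numbers are missing between the oldest and
 * newest retained records (each hole is a dropped or overwritten event). */
uint32_t log_gaps(const log_store_t *s)
{
    uint32_t lo = 0, hi = 0, n = 0;
    for (int i = 0; i < LOG_SLOTS; i++) {
        if (!s->used[i]) continue;
        uint32_t q = s->slot[i].seq;
        if (n == 0 || q < lo) lo = q;
        if (n == 0 || q > hi) hi = q;
        n++;
    }
    return n ? (hi - lo + 1) - n : 0;
}
```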
What differentiates 1oo2 vs 2oo3 in nuisance-trip vs availability for isolated sensors?
1oo2 favors availability but can trip on single-channel noise; 2oo3 is more robust but costs area and power. Combine per-channel K-of-M debounce with the vote so transient spikes rarely meet the quorum. For degraded states, bind minor votes to limited-power first, reserving full cut-off for sustained major votes to protect uptime and safety.
How can I bind PG loss to a limited-power mode instead of full cut-off?
Wire the supervisor’s OD fault into the eFuse or hot-swap ILIM or gate control so PG loss reduces current to 60–80% of nominal with a controlled slew. Keep retry logic and escalation timers in the Safe domain. If the fault persists past a major threshold or duration, transition to cut-off to protect wiring and energy limits.
How do I route FAULT/ALARM lines to avoid chatter on slow ramps?
Use window thresholds with hysteresis sized to ripple and cable drop, then apply digital debounce before voting. Keep lines short, referenced to the same return, and avoid mixed pull-up domains. For very slow ramps, gate enable through PG_OK with a settle timer so comparators cross cleanly once. Log chatter counts to tune margins deliberately.
What’s the best way to polarity-normalize PG/FAULT through mixed-vendor isolators?
Adopt a single semantic target—OD low-true—and normalize anything else to that at the Safe boundary using a small transistor stage or configurable logic. Keep pull-ups only in Safe. Document normalized polarity in the software contract and test it by forcing each vendor’s native polarity and measuring the resulting Safe-side level during power transitions.
How do I second-source supervisors and isolators without changing reset-tree semantics?
Constrain alternates to the same OD capability, active-low polarity, minimum reset width, and sink current. Match propagation delays within documented margins and keep pull-ups in the Safe domain. Add a polarity-normalization shim only once at the boundary and keep the MCU contract stable. Validate alternates under slow ramps, brown-downs, and wire-break injections.