What “Fail-Safe” Means in Reset/Supervision
Define a default safe state for supervisor/reset chains when rails are unvalidated, during brown-out, clock loss, sensor mismatch, or voting disagreement. We specify where the system must land (RESET/EN/limited-power/off) and prove monotonic, chatter-free convergence.
Extremes to Survive
Slow ramps, 20–50 mV ripple, pre-bias back-power, clock loss/spikes, watchdog feed anomalies.
Implementation Options
Bypass/clamp/off/limited-power; OD for passive safety, PP for clean edges (watch cross-domain).
Acceptance Layer
Monotonic, no chatter/oscillation; convergence within t_SAFE, repeatable across temp and spread.
Metrics: t_VALID (valid window entry), t_RP (reset pulse), ΔV_hyst (hysteresis), N_chatter (chatter count).
Min matrix: slope × ripple × temp × clock ⇒ 8–12 points covering worst usable corners.
Pass criteria: N_chatter = 0; t_RP ≥ 1.2 × datasheet min; predictable safe landing & monotonic convergence.
BOM (required): Output type (OD/PP), t_RP(min), hysteresis (typ/min), AEC-Q100 grade, full-temp guarantee. Risks: typical-only specs; PP cross-domain back-power.
Default Safe States: Output Semantics for Mixed Rails
In mixed-voltage boards (1.2/1.8/3.3/5 V), choose output semantics that favor safety under pre-bias and domain skew. Prefer OD + pull-up for passive safety; use PP only when level compatibility is guaranteed and back-power is blocked.
Choice Tree
- Back-power risk present → OD + pull-up for passive low default.
- Single domain & clean edge needed → consider PP with strict level checks.
- Before validation → default to “hold reset”, not “allow start”.
Polarity & Consistency
Keep low-active RESET and high-active EN consistent across domains; document level thresholds and leakage caps.
Verification
Run pre-bias/back-power tests: power child domain first/last, observe RESET/EN default and measure I_leak, V_IH/V_IL margin, and pull-up window.
BOM (required): Output polarity & type (OD/PP), pull-down capability, recommended pull-up range, cross-domain tolerance, full-temp guarantees. Risks: PP output high when target domain is off → back-power/false-enable; too-small pull-up → power/EMI.
Timeout & Mismatch → Safe Convergence
t_SAFE Strategy
- Short timeout to suppress races/glitches during steady run.
- Long timeout around boot to allow logging/reporting.
- Separate profiles: startup vs steady-state.
Convergence & Unlock
Once in a safe state, only clear health evidence (N good heartbeats + debounce + delay) unlocks. Enforce t_hold,min to avoid toggling.
Fault Scenarios
Watchdog feed lost, heartbeat out-of-order/duplicate, boundary spikes, single-point and dual-point deadlocks.
Inject & measure: mismatch / lost heartbeat → record t_to-safe, N_osc (oscillation count).
Matrix: temperature × heartbeat type × phase (startup/steady).
Pass: N_osc=0; t_to-safe ≤ system tolerance; post-unlock hold ≥ t_hold,min.
BOM (required): Programmable delay/blanking, t_SAFE range, external RC tolerance window. Risks: t_SAFE conflicts with upper-level timeout; over-permissive unlock ⇒ oscillation.
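The t_SAFE / unlock logic above, as an added simulation (this is illustrative code, not the page's or any vendor's supervisor): a heartbeat feed is replayed through a monitor that enters SAFE on timeout or sequence mismatch and unlocks only after N good in-order beats, a debounce dwell and a release delay; it reports the page's t_to-safe and N_osc metrics. All timings (500 ms startup / 30 ms steady t_SAFE, N = 3, 50 ms debounce, 10 ms delay, 200 ms t_hold,min) and the heartbeat feed are assumptions constructed for the example.

```python
def run_monitor(heartbeats, t_end, n_good=3, t_debounce=50.0, t_delay=10.0,
                t_hold_min=200.0, t_safe_startup=500.0, t_safe_steady=30.0,
                t_startup_end=1000.0, period=10.0):
    """Replay a heartbeat feed (list of (t_ms, seq)) through a supervisor model.
    RUN -> SAFE on a gap longer than t_SAFE or on a sequence mismatch; SAFE -> RUN only after
    n_good consecutive in-order beats, a t_debounce dwell in SAFE and a t_delay release delay.
    Returns t_to_safe (worst ms from fault onset = last valid beat + period to SAFE entry),
    n_osc (SAFE re-entries sooner than t_hold_min after an unlock) and a state log."""
    state, log = "SAFE", []                       # boot in SAFE: hold reset, not allow start
    last_seq, t_last_valid, good = -1, 0.0, 0
    t_enter_safe, t_unlock, pending, t_to_safe, n_osc = 0.0, None, None, 0.0, 0

    def t_safe(t):                                # separate profiles: startup vs steady-state
        return t_safe_startup if t < t_startup_end else t_safe_steady

    def enter_safe(t, reason):
        nonlocal state, good, t_enter_safe, pending, n_osc, t_to_safe
        state, good, t_enter_safe, pending = "SAFE", 0, t, None
        if t_unlock is not None and t - t_unlock < t_hold_min:
            n_osc += 1                            # toggled back too soon after an unlock
        t_to_safe = max(t_to_safe, t - (t_last_valid + period), 0.0)
        log.append((t, "SAFE", reason))

    for t, seq in sorted(heartbeats) + [(t_end, None)]:
        if pending is not None and pending <= t:  # delayed release has matured
            state, t_unlock, pending = "RUN", pending, None
            log.append((t_unlock, "RUN", "unlock"))
        if t - t_last_valid > t_safe(t_last_valid):
            if state == "RUN":
                enter_safe(t_last_valid + t_safe(t_last_valid), "timeout")
            else:                                 # gap while in SAFE: evidence starts over
                good, pending = 0, None
        if seq is None:
            break
        if seq != last_seq + 1:                   # duplicate or out-of-order: mismatch
            if state == "RUN":
                enter_safe(t, "mismatch")
            good, pending = 0, None
            continue
        last_seq, t_last_valid = seq, t
        if state == "SAFE" and pending is None:
            good += 1
            if good >= n_good and t - t_enter_safe >= t_debounce:
                pending = t + t_delay
    return {"t_to_safe": t_to_safe, "n_osc": n_osc, "final": state, "log": log}

def constructed_feed():
    """Constructed heartbeat feed (not from a real system): 10 ms beats for 1.5 s, then the
    feed degrades to 2-beat bursts every 100 ms (watchdog feed partially lost)."""
    beats = [(10.0 * i, i) for i in range(151)]   # seq 0..150 at t = 0..1500 ms
    seq = 151
    for t0 in (1600.0, 1700.0, 1800.0, 1900.0):
        beats += [(t0, seq), (t0 + 10.0, seq + 1)]
        seq += 2
    return beats
```

Running the same degraded feed with the defaults keeps the monitor in SAFE (N_osc = 0), while an over-permissive unlock (n_good=1, t_debounce=0, t_delay=0) toggles SAFE/RUN on every burst, which is the oscillation the Risks line warns about.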
Hysteresis for Slow Ramps & Ripple
Size just-enough hysteresis to eliminate chatter under slow ramps with ripple. Use an explicit composite budget combining accuracy, drift, divider tolerance, leakage, and aging. Reserve margin for temperature and lifetime effects.
Composite Rule
Hyst ≥ 3×Ripple_eff + 2×|Budget|, where Budget aggregates accuracy, temp drift (ppm/°C), divider tolerance, leakage and aging.
Ripple_eff must reflect bandwidth/observation window.
Mechanism & Scales
Explain slow-slope crossing with superimposed ripple; relate ripple and hysteresis in consistent units; consider PSRR-affected ripple amplification.
Drift & Aging
Temp drift and aging “eat” hysteresis; reserve margin at high temp and end-of-life to keep N_chatter=0.
Method: Inject 20–50 mVpp ripple across multiple dV/dt ramps; record N_chatter and threshold shift.
Pass: N_chatter=0; mis-trigger probability < 10⁻⁶/boot (specify sample size & repetitions).
BOM (required): Hysteresis (typ/min), temp drift (ppm/°C), threshold accuracy class (±1% / ±1.5%) with full-temp guarantees. Risks: using typ instead of min; bandwidth mismatch inflates/deflates Ripple_eff.
Thermal Derating: Current/Voltage/Time vs Temperature
Parameter Envelopes
Express as rated × coefficient over temperature for ΔV_trip(T), ΔV_hyst(T), t_PD(T), t_RP(T), and I_leak(T). Prefer min/max (or Pxx) over “typ only”.
Leakage & Budgets
High-T leakage eats divider accuracy & threshold budget; include measurement zero-drift. Model t_RP/t_PD temperature coefficients (linear vs quadratic fit).
Margin Allocation
At high-T, cap operating point at 0.8×rated as a conservative upper bound; keep safety functions tighter if required.
Validation: thermal chamber steps at −40/25/85/125 °C + ramps (3–5 °C/min); record parameter-T curves; fit linear & quadratic, compare residuals.
Pass criteria: all parameters remain inside derating envelope; residual margin ≥ x% of target threshold across full-temp.
BOM (required): Full-temp min/max (not typ) for thresholds, hysteresis, t_PD/t_RP, I_leak; temperature coefficients; batch/lot spread. Risks: using typ-T curves; ignoring measurement zero-drift; missing divider tempco.
Lifetime Derating: Aging & Spread
Aging Budget
Include ΔV_aging and Δt_aging in threshold & timing budgets; tie acceptance to hysteresis/hold margins.
Models & Mapping
Use Arrhenius (temp acceleration) and Peck (temp-humidity). Provide conservative constants and mapping from stress to field life.
Distribution & Lots
Report mean ± CI and P95/P99 for S_aging and end-point drift; annotate lot-to-lot variation.
Acceptance: |ΔV| ≤ 0.5×Hyst; Δt ≤ y% of t_RP margin (suggest 30–50%). Demonstrate compliance over target life L.
Validation: 85/85 THB, power cycling, thermal cycling; fit trend slope S_aging with confidence bands; map stress→life with stated constants.
BOM (required): Stress conditions & Eₐ convention, target FIT, life-stage margins (BOL/MT/EOL), Pxx long-term data, lot-to-lot notes. Risks: using sample means as limits; linear extrapolation beyond validated range; ignoring humidity/bias coupling.
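The stress-to-life mapping and the lifetime acceptance rule above, as an added worked example (illustrative code, not the page's or any supplier's qualification tool). It assumes a 55 °C / 60 %RH use condition, 85 °C / 85 %RH THB stress, Ea = 0.7 eV, a Peck humidity exponent of 3, Hyst = 100 mV and a 15 000 h target life; the per-unit drift data are constructed, not lot data.

```python
import math

K_B = 8.617e-5  # Boltzmann constant, eV/K

def arrhenius_af(t_use_c, t_stress_c, ea_ev):
    """Temperature acceleration AF = exp(Ea/k · (1/T_use − 1/T_stress)), T in kelvin;
    AF is field hours per stress hour."""
    return math.exp(ea_ev / K_B * (1 / (t_use_c + 273.15) - 1 / (t_stress_c + 273.15)))

def peck_af(t_use_c, rh_use, t_stress_c, rh_stress, ea_ev, n=3.0):
    """Peck temperature-humidity model: AF = (RH_stress/RH_use)^n · Arrhenius(T)."""
    return (rh_stress / rh_use) ** n * arrhenius_af(t_use_c, t_stress_c, ea_ev)

def slope_through_origin(hours, drift):
    """Least-squares trend slope S_aging (drift per stress hour), zero drift at t = 0."""
    return sum(h * d for h, d in zip(hours, drift)) / sum(h * h for h in hours)

def upper_pxx(values, p):
    """Nearest-rank upper percentile; with few units this is the max (conservative)."""
    s = sorted(values)
    return s[min(len(s) - 1, math.ceil(p * len(s)) - 1)]

def project_eol(units, hours, life_h, af, limit):
    """Map target life L to equivalent stress hours (L/AF), project the P95 trend slope to
    that point and compare with the acceptance limit (0.5·Hyst for ΔV; y%·t_RP margin for Δt).
    The projection is flagged, and fails, when L/AF runs past the validated stress range."""
    slopes = [slope_through_origin(hours, d) for d in units]
    s_p95 = upper_pxx(slopes, 0.95)
    eq_hours = life_h / af
    return {"s_aging_p95": s_p95, "eq_stress_h": eq_hours, "eol_drift": s_p95 * eq_hours,
            "limit": limit, "extrapolated": eq_hours > max(hours),
            "pass": s_p95 * eq_hours <= limit and eq_hours <= max(hours)}

# Constructed 85/85 THB readouts: |ΔV_trip| in mV per unit at each checkpoint (not real data).
CHECKPOINTS_H = [168, 500, 1000]
UNITS_MV = [[4.0, 12.5, 26.0], [5.5, 16.0, 33.0], [3.0, 10.0, 21.0],
            [6.0, 18.5, 38.0], [4.5, 14.0, 29.0]]

def example_assessment(hyst_mv=100.0, life_h=15000.0, ea_ev=0.7):
    """Assumed mission: 55 °C / 60 %RH use, 85 °C / 85 %RH stress; acceptance |ΔV| ≤ 0.5·Hyst."""
    af = peck_af(55.0, 60.0, 85.0, 85.0, ea_ev)
    return project_eol(UNITS_MV, CHECKPOINTS_H, life_h, af, 0.5 * hyst_mv)
```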
Budgeting: Accuracy + Divider Tolerance + Temp Drift → One Number
Unified Threshold Model
Let the ideal threshold be V_ideal, the IC accuracy ±A, the divider error ΔV_div, the sense-leak error ΔV_leak, the temperature drift ΔV_T, and the aging drift ΔV_aging.
Effective trigger:
V_trip,eff = V_ideal·(1 ± A) ± ΔV_div ± ΔV_leak ± ΔV_T ± ΔV_aging
Composite Budget = |V_trip,eff − V_ideal| (worst-case corner sum, or Monte-Carlo P95/P99).
Secondary Safety Check
Define Ripple_eff with the measurement bandwidth/observation window. Then ensure:
Hyst ≥ 3·Ripple_eff + 2·|Budget|
This prevents chatter under slow ramps and ripple while absorbing composite error.
Divider & Leakage Coupling
- Choose R values / tolerance / TC jointly with sense-node leakage limits.
- For ~1 MΩ-class inputs, bound Ileak,max explicitly.
- Account for ADC/measurement input impedance → load error on the divider.
Dual path: corner-sum worst chain + Monte-Carlo (≥10k samples). Report Pfalse (false-trigger probability).
Conditions: T = −40/25/125 °C; Ripple = 20/50 mVpp; slopes = slow/fast; include pre-bias cases.
BOM (required): Resistor tolerance/TC, sense leakage limits, IC accuracy class (±1% / ±1.5%), temp drift (ppm/°C), aging convention; Optional: MC P95/P99 and ADC/measurement input impedance. Risks: ignoring measurement load; linearizing temp drift; using “typ-only”.
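The unified threshold model and dual path (corner sum plus Monte-Carlo) above, and the composite hysteresis rule from the "Hysteresis for Slow Ramps & Ripple" section, as one added worked example (illustrative code, not the page's or any vendor's tool). It assumes a 3.3 V rail with a UV trip at 90 % of nominal, a 1 MΩ-class divider, ±1 % IC accuracy, 0.1 % resistors, 50 ppm/°C drift over ΔT = 100 °C, a 10 nA leakage bound and 0.3 % aging; the ramp/ripple comparator model then counts N_chatter for a 20 mV hysteresis versus the hysteresis the rule requires.

```python
import math, random

# Constructed example numbers (assumptions, not from the page or any datasheet):
# a 3.3 V rail, UV trip at 90 % of nominal, sensed through a ~1 MΩ-class divider.
V_IDEAL = 3.3 * 0.90        # V, ideal rail-side trip point
RATIO   = 1.2 / V_IDEAL     # divider ratio that puts the sense node at a 1.2 V reference
R_TOP   = 1.0e6             # ohm, top leg of the divider
R_TH    = R_TOP * RATIO     # ohm, Thevenin resistance at the sense node (= R_top || R_bot)
A, R_TOL, AGING = 0.01, 0.001, 0.003   # IC accuracy ±1 %, 0.1 % resistors, 0.3 % aging drift
TC_PPM, DT      = 50.0, 100.0          # ppm/°C drift, worst ΔT from 25 °C (to 125 °C)
I_LEAK          = 10e-9                # A, bound on sense-node leakage (I_leak,max)

def worst_case_budget():
    """Corner-sum chain: each term of V_trip,eff = V_ideal(1±A) ± ΔV_div ± ΔV_leak ± ΔV_T
    ± ΔV_aging at its worst sign. Returns |V_trip,eff − V_ideal| in volts."""
    dv_acc   = V_IDEAL * A
    dv_div   = V_IDEAL * 2 * R_TOL            # two resistors, opposite-sign tolerance
    dv_leak  = I_LEAK * R_TH / RATIO          # drop at the sense node, referred to the rail
    dv_t     = TC_PPM * 1e-6 * V_IDEAL * DT   # ppm/°C × V × ΔT (the FAQ's mV-shift formula)
    dv_aging = V_IDEAL * AGING
    return dv_acc + dv_div + dv_leak + dv_t + dv_aging

def monte_carlo_budget(n=20000, p=0.99, seed=7):
    """Pxx of |V_trip,eff − V_ideal| with every term drawn uniformly inside its limits."""
    rng = random.Random(seed)
    errs = sorted(abs(
        V_IDEAL * rng.uniform(-A, A)
        + V_IDEAL * (rng.uniform(-R_TOL, R_TOL) - rng.uniform(-R_TOL, R_TOL))
        + rng.uniform(0.0, I_LEAK) * R_TH / RATIO
        + TC_PPM * 1e-6 * V_IDEAL * rng.uniform(-DT, DT)
        + V_IDEAL * rng.uniform(-AGING, AGING)) for _ in range(n))
    return errs[math.ceil(p * n) - 1]

def hyst_required(ripple_eff_pp, budget):
    """The page's composite rule: Hyst ≥ 3·Ripple_eff + 2·|Budget|."""
    return 3.0 * ripple_eff_pp + 2.0 * abs(budget)

def count_chatter(hyst, ripple_pp=0.050, slope_v_per_s=100.0, f_ripple=100e3, dt=0.2e-6):
    """Slow ramp (0.1 V/ms) with superimposed ripple through a UV comparator that asserts
    reset below V_IDEAL and releases above V_IDEAL + hyst. Returns N_chatter, the number
    of re-assertions after the first release (0 means one clean release)."""
    t, in_reset, n_chatter = 0.0, True, 0
    v_ramp = V_IDEAL - 0.1
    while v_ramp < V_IDEAL + 0.4:
        v = v_ramp + 0.5 * ripple_pp * math.sin(2 * math.pi * f_ripple * t)
        if in_reset and v > V_IDEAL + hyst:
            in_reset = False
        elif not in_reset and v < V_IDEAL:
            in_reset, n_chatter = True, n_chatter + 1
        t += dt
        v_ramp = V_IDEAL - 0.1 + slope_v_per_s * t
    return n_chatter
```

With these numbers the corner sum is about 69 mV while the MC P99 lands well below it, so the sizing decision (worst-case vs P99) changes the required hysteresis noticeably; the comparator model shows chatter with 20 mV of hysteresis and none once the rule is applied.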
Test Matrix & Acceptance Criteria
Minimal Matrix
T ∈ {−40, 25, 125 °C}; S ∈ {0.1, 1, 10 V/ms}; R ∈ {20, 50 mVpp}; C ∈ {OK, Lost}; Domain ∈ {same, cross}. Define the Ripple_eff bandwidth/observation window.
Record Set
t_VALID, t_RP, ΔV_trip, N_chatter, t_to-safe, N_osc; include pre-bias and cross-domain cases.
Release Logic
Standardized Pass / Observe / Fail with re-test cadence, lot sampling, and release gates.
Pass: N_chatter = 0; t_RP ≥ 1.2 × datasheet min; Hyst ≥ 3·Ripple_eff + 2·|Budget|; N_osc = 0; recovery ≤ system tolerance.
Observe: Single mild excursion with safe landing; specify re-test N and conditional release.
Fail: Chatter, unpredictable landing, or out-of-envelope (thermal/lifetime). Root cause + corrective actions required.
BOM (required): Sampling frequency, lot size, HASS/HALT conditions covering worst combinations, controlled acceptance template. Risks: room-temp-only tests; ignoring slow slopes & pre-bias; missing bandwidth annotation for Rippleeff.
BOM & Procurement Notes
Fill these fields in RFQ and incoming inspection. Prioritize parts with clear min/max specs over typicals, and verify AEC-Q100 scope where required.
BOM essentials (must-fill)
- Target rails: V_rail (nominal & tolerance), n_rails
- Threshold accuracy & hysteresis (min/typ/max)
- t_SAFE, t_RP (min reset width), glitch immunity / blanking
- Output type & polarity: OD (open-drain) vs PP (push-pull)
- AEC-Q100 grade & full-temp guarantee (−40 to +125 °C)
- Package height constraint; second-source (Y/N)
- Optional: I²C/PMBus; PG/FAULT semantics; required dV/dt window
Risks & countermeasures
- Pin/semantic mismatch between RESET/EN, OD/PP → add level buffer or inverter in ECO plan
- EOL / lead time / MOQ → pre-approve alt PNs; book samples early
- Only typical specs (no min/max) → derate or pick family with guaranteed limits
- Cross-domain back-power with PP outputs → prefer OD + pull-up per domain
- Temp/lifetime drift unbudgeted → require ΔV(T) and aging data in PPAP
Submit your BOM (48h review)
Attach your rails, accuracy/hysteresis targets, reset width, OD/PP choice, and AEC scope. We’ll return cross-brand options + migration notes.
- Sample audit: verify threshold at temp corners, t_RP, hysteresis (min); measure chatter with worst-case ripple/slow-ramp
- Release criteria: N_chatter = 0; t_RP ≥ datasheet min × 1.2; all params within derating envelope
- Return/hold criteria: pin/semantic mismatch; PP cross-domain leakage above limit; missing AEC statement
Cross-Brand Mapping (series-level with reasons)
Buckets are based on function and guarantee style (accuracy, hysteresis, reset width, multi-rail). Labels call out migration risks (pin, polarity, OD/PP, timing).
| Function bucket | TI | ST | NXP | Renesas | onsemi | Microchip | Melexis* | Migration notes |
|---|---|---|---|---|---|---|---|---|
| Windowed OV/UV (high accuracy) | TPS3702-Q1 0.25% typ, AEC-Q100, OD outputs. | STM632x/682x Reset + WDT family; single-rail (no true window). | Use PMIC/SBC internal supervisor: FS65xx/FS45xx (OV/UV monitored internally). | ISL88003 (single-rail; pair for window). | Pair two detectors for window: NCP300/301. | Pair two resets: MCP1316/132x. | — (no dedicated supervisor line; see LIN controllers) | Pinout & OD/PP differ; “window” often requires dual singles outside TI. |
| Multi-rail programmable supervisor | TPS386000-Q1 Quad supply, adj delay, watchdog. | — (ST favors single-rail + WDT in this class) | FS65xx/FS45xx Multi-rail monitoring inside SBC PMIC. | Use PMIC or pair supervisors; no 4-rail drop-in like TPS386000 found. | — (build from NCP300/301 + logic) | — (build from MCP131x family + logic) | — | Migration risk: watchdog semantics & reset polarity; SBCs expose status via SPI/LIN, not raw RESET pins. |
| Simple µP reset / brown-out (3-pin) | TPS3831/389x (ref) | STM705/706/707/708 | Use SBC reset output; standalone NXP options limited. | ISL88001/2/3 | NCP300/301, NCP803 | MCP1316/132x, MCP809/810 | — | Reset polarity and OD/PP vary by family; verify t_RP min and V_IH/V_IL vs target domain. |
| Automotive grade / AEC-Q100 | TPS3702-Q1, TPS386000-Q1 | Check each PN’s datasheet; many STM70x/63xx are industrial; automotive options exist per datasheet. | FS65xx/FS45xx (SBC) | Automotive offerings exist; confirm AEC marking per datasheet. | Automotive “NCV” variants may apply; verify per PN. | Select temperature grade & guarantees per PN (e.g., MCP1316/132x). | MLX81113 (LIN lighting IC; not a supervisor) | For Melexis, use LIN/SBC domain controllers; add a TI/ST/onsemi/Microchip supervisor for RESET semantics. |
*Melexis focuses on automotive sensors/drivers (e.g., LIN RGB controllers). No dedicated standalone supervisor family was found; pair with a supervisor from other brands when Melexis is used elsewhere on the board.
FAQs
How do IC accuracy, divider tolerance and temp drift combine into a single threshold budget?
Combine worst-case or MC P95 terms: Vtrip,eff = Videal·(1±A) ± ΔVdiv ± ΔVleak ± ΔVT ± ΔVaging. Budget = |Vtrip,eff − Videal|. Then apply the secondary check: Hyst ≥ 3·Rippleeff + 2·|Budget|. Report Pfalse alongside Budget, and state the bandwidth/window used to define Rippleeff so results are comparable across labs and builds.
What hysteresis is “just enough” for slow ramps and 20–50 mV ripple?
Use the practical guard: Hyst ≥ 3·Rippleeff + 2·|Budget|. Compute Rippleeff from measured ripple within the comparator’s effective bandwidth and your observation window under slow-ramp profiles. Verify Nchatter = 0 across slow and fast slopes with pre-bias present, and ensure the deassertion path includes delay or blanking to prevent edge-induced re-arming.
When should I pick ±1% vs ±1.5% accuracy in automotive rails?
Choose ±1% for safety, watchdog, or cold-crank sensitive rails where reset margins are tight. ±1.5% can be acceptable on noisy rails if you compensate with larger Hyst and verified tRP margins. In all cases, require full-temperature min/max guarantees (not typ-only) and record ΔVT ppm/°C so your Budget and Hyst checks remain valid at −40 to +125 °C.
How do I size the divider to limit leakage error on a 1 MΩ-class input?
Bound Ileak,max at the sense node, then select Rdiv so ΔVleak ≤ 0.25·|Budget| over temperature. Prefer 0.1% resistors with low TC. Include the ADC or measurement input as a parallel load in your calculation. Validate across temperature steps and with representative contamination or moisture to ensure leakage remains below your design assumption.
Does OTP-fixed threshold beat I²C-programmable for stability and spread?
OTP generally yields tighter population spread and simpler PPAP because settings cannot drift. I²C is excellent for prototyping and multi-SKU flexibility, but lock registers, CRC-protect, and store the effective setpoints. For volume, prefer OTP when field variability must be minimized; otherwise keep I²C with a frozen configuration and secure update process.
What blanking/delay avoids chatter on pre-biased rails?
Set tblank to at least two to three times the dominant ripple period and long enough to cover dV/dt settling under the slowest ramp. Combine with tRP ≥ 1.2× datasheet minimum so asynchronous edges cannot retrigger. Validate using pre-biased power-up and power-down sequences across temperature and domain order permutations.
How do I verify window supervisor limits across −40 to +125 °C?
Use a minimal matrix: T = −40, 25, 125 °C; slopes = 0.1, 1, 10 V/ms; ripple = 20, 50 mVpp; include pre-bias and cross-domain. Record ΔVtrip, Hyst(min), tRP, Nchatter. Pass if parameters stay within thermal derating envelopes and Nchatter = 0, with recovery times within your system’s accepted limits.
What’s a safe acceptance criterion for lifetime drift vs hysteresis?
Use |ΔVaging| ≤ 0.5×Hyst as a practical threshold, and Δtaging ≤ y% of the available tRP margin, where y is typically 30–50%. Map accelerated stresses to target lifetime L with stated activation energy and confidence. Accept lots whose P95 drift bands remain inside these limits across representative environmental and power cycling profiles.
How do I bind timeout/mismatch to a default safe state without oscillation?
Define tSAFE with a short protection path and a longer reporting window. Once in a safe state, require explicit health evidence plus debounce and delay before release. Verify with injected mismatch and missing heartbeat scenarios. Acceptance: Nosc = 0 and maximum recovery time less than the upper-layer timeout or system safety budget.
Should RESET be open-drain or push-pull for mixed-voltage boards?
Prefer open-drain with per-domain pull-ups to avoid cross-domain back-power and to guarantee a defined low when any domain is off. Push-pull gives a cleaner edge but risks leakage into unpowered domains. Test back-drive with staggered power sequencing and confirm VIH/VIL compatibility and tRP requirements in each target domain.
How do I translate spec ppm/°C into mV shift on a 5 V rail?
Use ΔVT ≈ (ppm/°C × 10⁻⁶) × V × ΔT. Example: 50 ppm/°C, V = 5 V, ΔT = 100 °C gives about 25 mV shift. Add divider and reference TCs vectorially to your Budget. Validate with stepped temperature profiles and ensure Hyst still satisfies Hyst ≥ 3·Rippleeff + 2·|Budget| at hot and cold.
Can I reuse the same divider for ADC sense and supervisor without skew?
Only if the ADC input impedance and sampling dynamics are included as a parallel load so ΔVleak stays ≤ 0.25·|Budget|. Otherwise the ADC will bias the node and shift the threshold. Options: buffer the ADC, use separate dividers, or raise divider current. Validate with dynamic sampling and full-temperature corners.