AOCS / Propulsion Control Electronics: Drivers, AFEs, Safety

Q: After a firing event, how can it be proven that energy was actually delivered to the igniter?

Proof should be evidence-based: capture current and voltage signatures at defined sense points during the authorized window, timestamp the event, and latch a post-event status that cannot be overwritten. The evidence must distinguish normal delivery from open/short or premature inhibit. A good design ties this evidence to telemetry fields and logs so the event can be audited later, not inferred from commands alone.

← Back to: Avionics & Mission Systems

Propulsion control electronics is a proof-driven chain: commands are gated by fail-safe ARM/FIRE interlocks, energy delivery to valves/igniters is controlled and evidenced by I/V signatures, and pressure/temperature sensing plus voting logic determines when the system must return to SAFE. The design goal is not only to actuate, but to make every actuation and fault decision measurable, auditable, and robust against harness transients and reset events.

Scope + ownership (no cross-topic)

H2-1 · What this page covers (and what it doesn’t)

One-sentence definition: propulsion control electronics is the verifiable execution chain Command → ARM/INHIBIT → Driver → Actuator (valve/igniter) → Sensing → Fault logic → SAFE state. The engineering goal is not just “to actuate”, but to prove correct energy delivery, trustworthy measurements, and deterministic transition to SAFE under faults.

Scope Guard — Allowed (Ctrl+F)

Valve drivers (on/off, latching, proportional), peak-and-hold, flyback/clamp strategies
Igniter/squib drivers, one-shot safety, continuity test with safe stimulus
Pressure/temperature AFE chains: excitation, filtering, ADC, diagnostics
Fault voting (1oo2 / 2oo3), fault classes (recoverable vs latched), SAFE behavior
Safety interlocks: hardware inhibits, sequencing, watchdog/RESET default SAFE
Verification logic: fault-injection matrix, pass criteria tied to evidence signals

Scope Guard — Banned (Do not expand)

Satellite bus power architecture (28–50 V front-end), general PoL/PMBus pages
TT&C, SpaceWire/SpaceFibre network design, storage/interconnect topics
AOCS navigation/estimation/control algorithms (GN&C filters, guidance laws)
SADA motor drives, radar/EW, aircraft DO-160 power topics
Crypto/anti-tamper deep dive (only interface-level constraints if needed)

Page ownership contract (what must be answered here)

Energy Delivery: how valve/igniter drive waveforms are shaped, protected, and evidenced (I/V, pulse width, clamp energy, one-shot latch).
Measurement Credibility: how pressure/temperature chains remain trustworthy (excitation stability, drift budget, open/short/stuck detection, plausibility windows).
Safety Proof: how ARM/INHIBIT, voting, and SAFE behave under reset, watchdog, noise, harness faults, and command errors.

Practical rule: any actuator event must leave a digital evidence trail (timestamps + I/V + continuity status + P/T plausibility + fault flags), so that “correct actuation” is testable and reviewable.

Figure F1 — Propulsion control electronics overview (execution + evidence + SAFE)

SAFE → ARMED → FIRE (deterministic, evidence-driven)

H2-2 · System interfaces & operating states (SAFE → ARMED → FIRE)

This section turns the propulsion execution chain into a reviewable contract: what must be true before entering FIRE, what evidence must be captured during FIRE, and what always forces SAFE. The central design theme is two independent barriers (hardware inhibit + software permit) plus time-bounded actuation (no indefinite “enable”).

Interfaces, organized by evidence (not by signal names)

Evidence class	What it proves	Typical signals / fields	Common failure modes this catches
Command evidence	Only valid, authorized commands can arm/fire, and repeats are rejected.	CRC/sequence counter, dual-channel agreement, arming window timer, one-shot token (anti-repeat).	Bit flips, stale command replay, single-channel stuck-high, malformed packets.
Inhibit evidence	Hardware barrier is asserted by default and readable back.	INHIBIT pin state + readback, power-on SAFE flag, watchdog/reset cause → forced SAFE.	Boot glitches, brownout resets, SW hang, unintended GPIO reconfiguration.
Energy evidence	Actuation energy was delivered in a controlled, time-bounded way.	Driver current/voltage samples, pulse width, peak/hold setpoints, clamp status, post-fire latch.	Short/open harness, clamp failure, current sense fault, overdrive causing thermal runaway.
Plant response evidence	Pressure/temperature response is plausible for the commanded event.	P/T plausibility window, rate-of-change limits, stuck-at detection, sensor open/short flags.	Sensor stuck, excitation collapse, wiring intermittent, false “success” without physical response.
Safety outcome	Any safety breach leads to deterministic SAFE, typically latched.	Latched fault output, SAFE state bit, inhibit asserted, disallow re-arm until explicit clear.	Transient spikes, noisy harness, partial resets, logic races during state transitions.

Design intent: “ARMED” must be time-limited. “FIRE” must be a pulse (or controlled profile), never an unbounded enable. Any uncertain condition should bias toward SAFE with clear evidence logging.

SAFE (default after power-on / reset)

Entry: power-on, watchdog/reset, inhibit asserted, latched fault, arming timeout.
Allowed: sensor self-check; continuity test using strictly limited stimulus; telemetry/reporting.
Forbidden: any energy switch closure that could actuate valves/igniters.
Exit: explicit arm sequence with valid authorization and healthy inhibit/readback.

ARMED (prepared but cannot “free-run”)

Entry: HW enable present + SW permit valid + time window started.
Allowed: pre-fire checks (continuity within limits, P/T plausibility baseline); ready-to-fire flag.
Required: arming timeout; any anomaly or timeout → SAFE (often latched).
Exit: FIRE pulse issued within window, otherwise fall back to SAFE.

FIRE (time-bounded, evidence captured)

Entry: FIRE command + one-shot token + inhibit chain in “allow” state.
Action: deliver controlled energy (peak/hold or one-shot) with current/voltage evidence sampling.
Abort: overcurrent/overtemp, clamp anomaly, sense failure, command mismatch → immediate off → SAFE.
Exit: pulse complete → POST-FIRE (lockout / diagnostics) or SAFE if any uncertainty.

POST-FIRE (lockout + verification)

Purpose: prevent re-trigger; freeze evidence; evaluate plausibility response window.
Checks: energy evidence complete; P/T response plausible; fault flags classified (recoverable vs latched).
Outcome: success reported with evidence; failure forces SAFE with latched inhibit as required.

Figure F2 — ARM/INHIBIT + FIRE gating state machine (with priority ladder)

Valve drivers: waveform, clamp, evidence

H2-3 · Valve driver architectures (on/off, latch, proportional)

Valve drivers in propulsion systems are not interchangeable “power switches”. The driver architecture defines actuation time, thermal load, release behavior, and whether the event can be proven with current/voltage evidence. The key design object is the coil current profile—especially how it rises (pull-in), holds (steady state), and decays (release) under a chosen flyback/clamp strategy.

1) On/Off solenoid (Peak-and-Hold)

Pull-in peak: a higher current is applied briefly to overcome stiction and achieve fast seating within a defined time window.
Hold current: reduced to limit I²R heating while maintaining force margin against vibration and pressure.
Release: controlled by the flyback path; slower decay increases release delay but reduces electrical stress.
Evidence: peak level, peak duration, hold level, and decay signature should be recorded for fault diagnosis.

2) Latching valve (Bipolar pulse, often H-bridge)

State change by pulse: a timed pulse sets the magnetic state; power can be removed afterward.
Direction matters: forward vs reverse pulse determines SET/RESET; mis-pulsing can flip the valve.
Safety focus: hard interlocks, one-shot tokens, and lockout prevent unintended second pulses.
Evidence: pulse polarity, width, and current ramp provide “actuation proof” without relying on sensors alone.

3) Proportional valve (Closed-loop current control)

Current = force/flow control: PWM is only a method; the requirement is a stable current setpoint across supply/harness variation.
Sense + compensation: current sensing and loop compensation keep control stable and repeatable.
Disturbance rejection: line resistance changes, connector aging, and supply dips must not create uncontrolled valve motion.
Evidence: setpoint tracking error and saturation flags are essential for FDIR and voting inputs.

Coil physics that must be accounted for

Inductance shapes rise time: the current ramp (di/dt) is limited by coil L and applied voltage.
Resistance drives heating: hold current dominates thermal load; drift can shift thresholds and timing.
Release is clamp-dependent: the flyback strategy defines how quickly energy leaves the coil and how fast the valve can close.

Flyback / clamp choices (release speed vs stress vs diagnosability)

Flyback / clamp path	Release behavior	Electrical stress & EMI	Why it matters for evidence & faults
Diode freewheel	Slow decay → slower release (longer tail).	Lower voltage stress, typically lower radiated noise.	Waveforms are smooth; good for detecting gradual harness resistance changes, but release delay can reduce timing margin.
Synchronous freewheel	Controlled decay; can be tuned for speed vs efficiency.	Lower loss; switching patterns can introduce EMI if uncontrolled.	Offers repeatable decay signatures; useful for fault classification while keeping stress manageable.
TVS / active clamp	Faster decay → faster release.	Higher voltage stress; potentially sharper EMI edges.	Improves release timing but requires robust protection; clamp engagement itself becomes a key evidence signal.

Practical rule: select the clamp strategy based on the required release time window and allowable stress/EMI, then shape the peak/hold profile to meet actuation timing while preserving diagnostic evidence quality.

Figure F3 — Peak-and-hold current profile + flyback paths (diode vs sync vs TVS clamp)

Tip: keep labels minimal (MOSFET, Rsense, Diode/Sync/TVS). Use waveform shape as the primary explanation.

Igniter / squib: evidence, continuity, one-shot

H2-4 · Igniter / squib drivers (energy delivery, continuity, one-shot safety)

Igniter (pyro/squib) actuation is a high-consequence event. The driver must enforce two independent barriers (hardware inhibit + software permit), deliver a time-bounded firing pulse, and produce an evidence record that proves energy delivery. Continuity checks are required for health monitoring, but they must be structured so that no valid failure mode can accidentally cross the firing boundary.

Energy delivery as a verifiable contract

Pulse definition: minimum pulse width and controlled amplitude (constant-current or bounded power) within a defined FIRE window.
Evidence capture: sample current and voltage during the pulse; record peak, duration, and completion flags with timestamps.
Completion rule: if I/V evidence is incomplete or inconsistent, classify as fault and force SAFE (often latched).

Continuity test without inadvertent firing

Amplitude limit: use a strictly limited stimulus (micro-current or short diagnostic pulse) far below firing energy.
Time limit: perform tests only in SAFE/ARMED pre-check windows—never during FIRE enable windows.
Gating limit: keep diagnostic and firing paths independently gated; require both barriers to be true before any high-energy switch can close.
False results: harness capacitance, intermittent connectors, and sampling bandwidth limits can mimic open/short—log confidence flags.

One-shot safety and lockout

One-shot token: a unique, single-use authorization prevents demonstrateable re-trigger from repeated commands.
Post-fire latch: lock out further firing until an explicit, controlled reset/maintenance procedure is satisfied.
Fail-safe bias: any reset, watchdog event, or inhibit ambiguity forces SAFE and retains lockout state.

Protection & harness fault coverage

Open/short: detect with continuity + firing I/V signatures; abort on abnormal ramp or clamp events.
Mis-power / ESD: ensure default inhibit, robust input filtering on arm/fire controls, and clear reset-domain separation.
Post-event integrity: record “fired” state, evidence summary, and whether P/T plausibility aligned with the event window.

Minimum requirement for “fired”: a recorded, time-bounded pulse plus I/V evidence. Sensor response is supportive evidence, but the firing decision should not depend on sensors alone.

Figure F4 — One-shot igniter chain (two barriers + I/V evidence + post-fire latch)

Tip: keep “two barriers” and “evidence capture” visually prominent—this is the page’s EEAT anchor.

Pressure AFE: excitation, filtering, ADC, diagnostics

H2-5 · Pressure AFE chain (excitation, filtering, ADC, diagnostics)

A propulsion pressure channel must be engineered as a traceable measurement chain: stable excitation → sensor transfer → front-end gain/noise control → anti-alias filtering → sampling strategy → digital calibration → a pressure value accompanied by credibility flags. The goal is not just “a number”, but a number that can be trusted by voting and safety interlocks.

Sensor electrical output types (electronics view)

Bridge / ratiometric sensors (mV/V): output scales with excitation; best paired with ratiometric ADC referencing.
Voltage-output sensors: treated as a signal source; more sensitive to supply/ground shifts across the harness.
Resistive elements: require explicit excitation and careful error handling for lead resistance and leakage.

Excitation strategy (voltage, current, ratiometric)

Constant-voltage excitation: simple and common for bridges; ensure drift is either rejected (ratiometric) or monitored.
Constant-current excitation: convenient for resistive sensors; watch self-heating and lead resistance sensitivity.
Ratiometric measurement: tie the sensor scale factor to the same reference used by the ADC so excitation drift cancels.
Minimum requirement: excitation health must be observable (monitor channel or ratiometric path), not assumed.

AFE gain/noise control (IA/PGA) + headroom

IA/PGA sets the noise floor: choose gain so the working range uses ADC input span without frequent clipping.
Headroom matters: fast valve events and line transients can push the front-end into saturation.
Recovery matters: long overload recovery can look like low-frequency drift and corrupt evidence windows.

Filtering and anti-aliasing (do not “erase” events)

Define bandwidth first: choose passband based on the fastest pressure dynamics that must be preserved.
Anti-alias filter: place the cutoff relative to sampling strategy so out-of-band noise cannot fold into the channel.
Group delay awareness: excessive filtering can shift event timing relative to command/driver evidence.

ADC choice boundary: ΣΔ vs SAR (resolution vs event capture)

ADC family	Strengths	Tradeoffs	When it is the better fit
ΣΔ ADC	High effective resolution at low bandwidth; strong digital filtering.	Digital filter adds group delay; fast transients can be smoothed.	Slow variables dominate, and controlled latency is acceptable. Ideal for stable pressure trending with low noise.
SAR ADC	Deterministic sampling instant; better for transient capture and aligned evidence windows.	Requires stronger analog filtering and careful front-end noise design.	Valve/igniter events must be captured as evidence, or pressure spikes must be detected without filter latency.

Credibility flags should include: excitation status, out-of-range, saturation, stuck code, and plausibility checks. These flags are inputs to later fault logic (do not hide them inside “calibration only” code paths).

Diagnostics (must be explicit, not implied)

Open/short detect: window comparators or code-limit logic for sensor nodes and AFE outputs.
Excitation drift monitor: a measured excitation channel or ratiometric reference ensures traceability.
Saturation & recovery: flag when front-end or ADC hits rails; track time-to-recover.
Stuck / frozen output: detect constant code, missing noise, or implausible zero-derivative segments.

Digital calibration (keep it transparent)

Offset/gain trim: apply in engineering units with audit-friendly coefficients.
Temperature compensation (if used): treat as an explicit model term and track validity range.
Quality output: publish Pressure plus QualityFlags (not pressure only).

Figure F5 — Pressure sensing chain (excitation → IA/PGA → filter → ADC → calibration → diagnostics flags)

Tip: keep labels short (Excitation, IA/PGA, Filter, ADC, Cal, Flags). The chain structure carries the message.

Temperature AFE: excitation, linearization, drift, hysteresis

H2-6 · Temperature AFE chain (RTD/NTC/diode, linearization, drift control)

A temperature channel is only useful when its error sources are explainable and its alarms are stable. The measurement pipeline should explicitly separate: sensor excitation → analog conversion → sampling → calibration/linearization → physical temperature → threshold logic with hysteresis → diagnostic outputs for interlocks.

RTD vs NTC vs diode (engineering boundary)

RTD: stable and near-linear; accuracy depends on excitation, lead resistance, and reference drift control.
NTC: high sensitivity but strongly non-linear; linearization strategy and reference stability dominate final error.
Diode-based sensing: convenient electrical interface; requires clear bias/reference assumptions and calibration validity ranges.

Excitation and lead resistance (keep it observable)

Current excitation: simple for RTD/NTC, but lead resistance adds error unless the wiring scheme cancels it.
Self-heating: excitation level must avoid turning the sensor into a heater.
Leakage & bias: high impedance nodes can be pushed by leakage; diagnostic checks must detect implausible behavior.

Linearization pipeline (LUT / segmented model)

Raw code: ADC output in counts (or voltage/resistance) is not yet temperature.
Calibration: apply offset/gain and reference compensation before linearization.
Linearization: LUT or segmented approximation; include validity and out-of-range flags.

Drift budget and self-test

Error decomposition: sensor tolerance + excitation/reference drift + ADC error + layout leakage.
Open/short detect: code-window checks and stimulus sanity checks where appropriate.
Stuck detection: constant code, impossible slopes, or missing noise signatures.

Thresholds and hysteresis (stable alarms, no chatter)

Two-level thresholds: separate trip and reset thresholds to avoid oscillation near the boundary.
Debounce window: require persistence for a minimum time or N consecutive samples before asserting alarms.
Output contract: publish Temperature plus AlarmFlags and QualityFlags.

A robust temperature channel outputs both the value and its confidence. Hysteresis and debounce are part of measurement integrity, not “UI polish”.

Figure F6 — Temperature chain + digital linearization (raw code → calibration → LUT → hysteresis → interlock flags)

Tip: emphasize the pipeline (raw → cal → LUT → temp → hysteresis → interlock). Keep text short and ≥18px.

FDIR: evidence → voting → fault class → SAFE

H2-7 · Fault detection & voting (1oo2, 2oo3) and what triggers SAFE

Fault voting is only credible when it is built on explicit evidence and produces audit-friendly outputs. For propulsion actuation, evidence comes from three layers: (1) driver-side electrical behavior, (2) sensor-side credibility, and (3) command-to-response timing windows. Voting then determines the fault class (latched vs recoverable) and the SAFE action, while hardware inhibits always override software results.

Voting boundary: 1oo2 vs 2oo3

1oo2 (one-out-of-two): any channel fault forces SAFE. Best when the hazard cost dominates and false SAFE is acceptable.
2oo3 (two-out-of-three): requires agreement to assert a fault. Best when single-channel noise/drift is common and false SAFE is costly.
Key constraint: the voter must not share a single point of failure with the channels it votes on.

Evidence layer (inputs to the voter)

Driver evidence: I/V trajectory, over-current/clamp events, continuity results, and post-action signatures.
Sensor evidence: pressure/temp values plus quality flags (range, saturation, stuck, drift anomalies).
Timing evidence: command → electrical actuation → pressure response within a defined window (delay, rise, timeout).

Cross-evidence consistency (reduces false decisions)

Actuation without response: driver evidence indicates action, but pressure response times out → suspect flow/mechanical path.
Response without actuation: pressure jump without matching driver signature → suspect sensor or sampling integrity.
Quality-collapse handling: a value with low credibility should not win a vote against healthy channels.

Fault classes: latched vs recoverable

Latched faults: must hold SAFE until controlled reset/service (e.g., hard inhibit, short/overcurrent, unauthorized fire).
Recoverable faults: can clear after evidence returns healthy (e.g., transient saturation, single-sample spikes with no persistence).
Output contract: publish the class, the decision, and the evidence summary used to decide.

SAFE triggers (priority-ordered, testable)

Trigger	Typical class	Why it forces SAFE	Verification focus
HW inhibit asserted / safety switch open	Latched	Hardware barrier indicates unsafe or unauthorized condition.	Override path bypasses voting; SAFE output guaranteed on fault injection.
Unauthorized command or window violation	Latched	Prevents unintended actuation and replay/sequence errors.	Token/counter checks; time-window enforcement; latch behavior after violation.
Driver short / over-current / thermal trip	Often latched	Electrical hazards can escalate quickly; safe state must be immediate.	Over-current response time; evidence capture; post-event inhibit behavior.
Evidence inconsistency beyond timing window	Policy-dependent	Indicates loss of integrity or unexpected actuator behavior.	Timeout thresholds; persistence criteria; classification correctness.
Sensor credibility collapse with no agreement	Recoverable/SAFE	Invalid inputs must not steer decisions; safe action depends on redundancy.	Stuck/out-of-range detection; degraded-mode behavior; voting stability.

SAFE decisions must produce a minimal evidence record: time, channel IDs, driver signature summary, sensor quality flags, and the timing-window result. This keeps voting actions auditable without exposing algorithm internals.

Figure F7 — Voting logic: evidence inputs → voter → fault class → SAFE/inhibit outputs (hardware overrides bypass voting)

Tip: keep box labels short (Driver I/V, Pressure Q, Timing window, Vote, Classify, SAFE).

Interlocks: default SAFE, priority ladder, watchdog

H2-8 · Safety interlocks (hardware inhibits, sequencing, watchdogs)

A propulsion interlock chain should be designed as a priority ladder with a fail-safe default. Power-on starts in SAFE; any reset or brownout must return to SAFE; and watchdog events must force outputs to a defined safe state. Software permits can only enable actuation inside a controlled authorization window, and can never override hardware inhibits.

Two-lock principle (independent barriers)

Hardware inhibit: discrete gating / safety switch / hard logic that defaults to SAFE.
Software permit: authorization window, command consistency, token/counter checks.
Independence: avoid a single point that can defeat both locks simultaneously.

Power-on and sequencing (SAFE by construction)

Default SAFE: inhibit asserted until self-check passes and required inputs are valid.
Sequencing: prevent “energy present before gating” and avoid ambiguous intermediate states.
Audit points: expose ladder stage indicators so tests can confirm each barrier’s behavior.

Reset, brownout, watchdog (output definition matters)

WDT: remove driver enable immediately, assert SAFE, record reset cause, block auto-ARM.
BOR: treat partial initialization as unsafe; return to SAFE and require re-authorization.
Recovery policy: re-enter ARMED only through controlled authorization, not by default.

Authorization window and command gating

Time-limited permit: actuation allowed only within a bounded window.
One-shot controls: counters/tokens prevent replay and unintended repeated firing.
Consistency checks: require command agreement and valid system state before enabling pulses.

Interlock outputs (clear contract)

Inhibit state: hardware barrier status.
Armed state: software state machine status.
Fire enable: permission state for pulse generation.
Fault latch: latched vs recoverable status.
Reset/WDT cause: must be observable for debugging and certification evidence.

Interlocks should be testable by design: each ladder stage should have an observable state and a well-defined override priority.

Figure F8 — Interlock priority ladder (power-on SAFE → HW inhibit → SW permit → fire pulse → driver enable)

Tip: the ladder shows authority. Any higher-stage block disables all lower stages by design.

Field failures: harness faults + transients + mis-trips

H2-9 · Transients, EMC, and harness faults (what breaks drivers in the field)

Field failures often look like “a bad driver,” but the root cause is frequently the harness: shorts, intermittent opens, rising contact resistance, or common-mode injection that corrupts current sensing and fault flags. Protection must absorb inductive energy safely without turning actuation timing into an unpredictable variable. The most practical diagnostic shortcut is to treat the current waveform as a fingerprint that separates harness faults from coil faults.

Harness fault modes (what appears in real hardware)

Short to supply / short to GND: fast over-current, clamp activation, thermal stress, and immediate SAFE/inhibit needs.
Intermittent open: continuity “sometimes passes,” actuation evidence becomes inconsistent, and time-window checks fail.
Contact resistance rise: peak current drops, pull-in becomes marginal, hold current drifts, and failures correlate with temperature.
Common-mode injection: sensing thresholds shift, causing false open/short or false over-current flags.

Transient energy paths (why clamp choice changes behavior)

Inductive energy must go somewhere: the flyback path sets release time, device voltage stress, and EMI.
Low-voltage clamp (diode): lower stress but slower current decay → slower release.
Higher clamp (TVS / active clamp): faster release but higher dv/dt and voltage stress.
Key constraint: protection should not create ambiguous timing evidence that breaks SAFE logic.

Protection vs “must-actuate-once” constraints

Immediate hazards: short/over-current must force a defined safe state quickly.
No uncontrolled retries: protective cycling should not produce repeated pulses or unintended re-enables.
Evidence capture: when protection triggers, record clamp/OC flags and the I/V signature around the event.

Waveform-based diagnosis (fast separation)

Open circuit: near-zero current (or only test micro-current), no pull-in plateau.
Short: steep rise then clamp/limit behavior, peak collapses early.
High resistance: slow/low peak, marginal pull-in, hold sits below target.
Coil parameter drift: slope changes (L/R) without classic open/short signatures.

Practical rule: use short labels and stable thresholds (I_peak, I_hold, OC limit). Let waveform shape carry the diagnosis.

Figure F9 — Current waveform signatures: normal vs open vs short vs high resistance (minimal text, shape-driven)

All labels are short and ≥18px. The intent is “shape first, text last.”

Done means testable: injection matrix + pass criteria

H2-10 · Verification plan (fault injection matrix + pass criteria)

Verification should prove that the propulsion control electronics reach a safe state deterministically under realistic failures. A practical approach is a three-level plan (board → chain-level subsystem → integrated checks) using the same fault-injection matrix: inject a fault, confirm the detection mechanism, verify the expected response, confirm fault class (latched vs recoverable), and check that the minimum telemetry/log fields are present.

Three verification levels (propulsion chain only)

Board-level: power-stage protection behavior, clamp/OC flags, I/V signature capture.
Subsystem-level: evidence consistency (driver ↔ sensor ↔ timing window) and stable voting.
Integration-level: interlock priority ladder, SAFE entry rules, and logging completeness.

Pass criteria (make it measurable)

Latency/window: detection and SAFE actions occur within the defined time window.
False trips: noise injection does not cause frequent unintended SAFE transitions.
Latch consistency: latched faults stay SAFE until controlled reset/clear; recoverable faults clear only under defined conditions.
Record completeness: each event yields minimum fields (time, channel, cause, evidence summary).

Fault injection matrix (expected behavior per fault)

DetectResponseClassTimingLog

Fault type	Detection mechanism	Expected response	Fault class	Timing focus	Minimum log fields
Open / intermittent open	Continuity + low I(t) + timing window fail	INHIBIT / SAFE + alarm	Recoverable or latched (policy)	Timeout + persistence rules	cause, ch-id, continuity result, I(t) summary
Short to GND / supply	Over-current + clamp flag + abnormal I(t)	SAFE (immediate) + latch	Latched	Protection reaction time	cause, ch-id, OC/clamp flags, peak current
High contact resistance	Low peak / slow rise + pull-in miss	INHIBIT + diagnostic flag	Recoverable (if intermittent)	Rise-time window + trend	cause, ch-id, I_peak/I_hold, temp correlation
Sensor stuck / out-of-range	Quality flags + plausibility + voting	DEGRADED / SAFE (if no agreement)	Policy-dependent	Stuck detect window	sensor-id, Q flags, range, voter decision
Noise injection / false trip stimulus	Threshold stability + persistence filters	No unintended SAFE (or controlled alarm)	Recoverable	False-trip rate	noise event count, threshold crossings, decision
WDT reset / BOR	Reset-cause + state rollback checks	SAFE + block auto-ARM	Latched SAFE state	Output settle time	reset cause, ladder stage, inhibit state
Unauthorized command / window violation	Token/counter + time window	SAFE + latch	Latched	Window enforcement	cmd-id, token status, window result, latch set

Keep the matrix stable across levels: board tests validate protection signatures, subsystem tests validate evidence consistency, and integration tests validate ladder priority and log completeness.

Figure F10 — Fault injection matrix (box-table style): rows=faults, columns=detect/response/class/timing/log

This diagram is a “box-table” so it stays readable on mobile and is easy to screenshot for reviews.

H2-11 · IC/BOM selection criteria (drivers, AFEs, monitors) — criteria + example part numbers

Scope Guard: This section lists selection criteria and example IC part numbers only for the propulsion control electronics chain (valves/igniters + pressure/temperature sensing + interlocks). It does not cover spacecraft bus power architecture, TT&C links, or control algorithms.

Use the scorecard in Figure F11 first: each cell becomes a testable requirement (waveform evidence, fault flags, SAFE behavior, drift budget, survivability constraints). Then shortlist parts that explicitly support those requirements (not just “similar specs”).