
Satellite Bus Power (28–50 V) for Spacecraft


Satellite bus power (28–50 V) is the spacecraft’s primary energy backbone: it must generate and distribute stable rails with rad-aware margins, deterministic sequencing, and fast fault isolation (especially SEL) so the system can safely recover instead of repeatedly browning out. The practical proof is measurable evidence—telemetry accuracy, bounded cut-off energy, and qualification data across electrical stress, thermal-vac, and radiation-related upsets.


Rad-hard DC-DC conversion, deterministic power sequencing, latch-up/SEL containment, and precision telemetry for spacecraft bus distribution.

H2-1 · What this page covers (and what it intentionally does NOT)

Page snapshot · A practical definition (bus → distribution → proof)

This page focuses on the 28–50 V spacecraft power bus chain as an engineering system that can be specified, protected, measured, and verified: source interfaces (solar array and battery), bus conditioning (filtering and inrush), distribution/isolated channels, rad-hard DC-DC conversion, deterministic sequencing, SEL/latch-up containment, and telemetry that feeds power FDIR. The goal is not “power theory,” but a bus-power architecture that survives radiation effects, recovers from faults in controlled ways, and produces health data that can be audited.

  • Rad-hard readiness: design choices are tied to TID/SEE outcomes (drift, transients, latch-up) and how the bus chain is qualified.
  • Deterministic sequencing: rails and channels have explicit ordering, timeouts, and retry policy (not “best effort”).
  • Fault containment + measurability: SEL/short events are isolated quickly, and V/I/T telemetry supports diagnosis and trend health.

Scope boundaries · In-scope vs mention-only vs out-of-scope

In-scope · Must be covered here

  • 28–50 V bus
  • PCDU/PPU chain
  • Input conditioning
  • Inrush control
  • Distribution channels
  • Rad-hard DC-DC
  • Power sequencing
  • PG/UV/OT policy
  • SEL/latch-up protection
  • Precision current sensing
  • Telemetry registers
  • Power FDIR

Mention-only · One sentence + link

Load-side PoL details, payload electronics, comms/data links, and dedicated radiation monitor implementation are not taught here. They may be referenced only as interfaces and load classes.

  • Payload rails and avionics PoL internals (only “load class” & interface constraints).
  • Radiation monitor device design (only “event class” and protection response timing).

Out-of-scope · Do not teach on this page

  • TT&C modem/FEC, SpaceWire/SpaceFibre and payload data processing chains.
  • SDR/SATCOM RF architecture (mixers, PLLs for comms, waveforms).
  • Propulsion valve/igniter driver design beyond “load class”.
  • SADA motor-drive details and avionics bay environment/vibration sensing.
  • Aircraft-specific DO-160 compliance details (this page is spacecraft bus power).

What can be verified · Concrete outcomes this page enables

  • Bus chain contract: a clear boundary from source interfaces to PCDU outputs, including where conditioning, isolation, and telemetry live.
  • Fault response logic: a repeatable reaction to overload, short, over-temperature, and suspected SEL (isolate → cool-down → limited retry or latch-off).
  • Telemetry for health: which measurements (V/I/T) support anomaly classification, energy budgeting, and trend-based maintenance decisions.
  • Qualification evidence: what tests prove the bus-power chain is mission-ready under thermal-vac and radiation-driven fault drills.

Design depth is expressed as decision criteria, protection timing, interface contracts, and verification steps—rather than generic topology tutorials.

Figure F0 — Bus Power Boundary Map (in-scope vs interface-only)
[Figure: Boundary: 28–50 V Spacecraft Bus Power. Source interfaces (Solar Array, Battery; interface only) → Bus input (nominal 28–50 V; connector + harness; transient envelope; return path) → In-scope PCDU / Bus Power Chain (Input conditioning: filter · inrush · clamp; Distribution: isolated channels; Rad-hard DC-DC: isolated rails; Sequencing + PG: timeouts · retry policy; SEL containment: fast isolate · controlled reset; Telemetry: V · I · T) → Load classes, interface-only (Payload rails, Avionics PoL, Heaters, Pyro IF). Blue boundary = in-scope power chain; white blocks = interfaces / load classes only.]
ALT: Satellite bus power boundary map showing solar array and battery interfaces feeding an in-scope PCDU chain (conditioning, distribution, rad-hard DC-DC, sequencing, SEL containment, telemetry) and interface-only load classes.

H2-2 · System-level bus power architecture: where 28–50 V sits in the spacecraft power tree

Where the bus sits · Distribution-layer voltage with explicit contracts

In a spacecraft power tree, 28–50 V is typically a distribution-layer voltage: high enough to reduce harness current (and I²R loss) while still practical for protected switching, isolation, and conversion into load rails. The bus is not “the final rail.” It is the common trunk where protection, segmentation, and measurement are centralized so that a single fault does not collapse the entire power domain.

  • Upstream interfaces: source inputs are treated as interfaces (availability, envelope, return path), not taught subsystems.
  • Bus layer duties: conditioning, inrush control, distribution segmentation, conversion entry points, telemetry, and fault policy.
  • Downstream handoff: bus outputs define what loads can assume (steady-state, transient limits, channel isolation behavior), without teaching load internals.

Regulated vs unregulated bus · Decision matrix (engineering trade-offs)

“Regulated” and “unregulated” refer to where tight voltage control is enforced. The choice impacts efficiency, transient behavior, distribution losses, and—critically—fault containment and recovery. The practical goal is to create a bus contract that downstream channels can tolerate and that FDIR can reason about.

  • Regulated bus
    Strengths: Predictable distribution voltage simplifies downstream tolerance and sequencing contracts; easier to set uniform UV/OV thresholds and power-good windows.
    Trade-offs: Regulation overhead can reduce end-to-end efficiency; failure modes must be carefully contained so regulation faults do not propagate system-wide.
    Verification focus: Bus regulation stability under load steps; protection response to regulator faults; recovery behavior after overload/thermal limits.
  • Unregulated bus
    Strengths: High efficiency and simpler trunk; natural alignment with source variability; downstream converters can optimize locally for load profiles.
    Trade-offs: Wider bus envelope demands stronger tolerance and brownout strategy downstream; sequencing and PG thresholds must account for bus drift and source dynamics.
    Verification focus: Worst-case envelope analysis; sequencing robustness across bus sag; channel isolation effectiveness during source transients.

A “better” choice is the one that yields a measurable contract: known bus envelope + known isolation behavior + known recovery policy.

PCDU/PPU minimum set · The smallest chain that is still mission-proof

The power-control and distribution unit (PCDU/PPU) is best described as a sequence of required functions, not a single box. Each function exists at the bus layer because it reduces the probability that a local fault becomes a system-wide power event.

  • Input conditioning: define the bus envelope with filtering, inrush limiting, and transient clamping so converters see predictable stress.
  • Distribution segmentation: switchable or protected channels isolate short/overload events to a branch instead of collapsing the bus.
  • Conversion entry: rad-hard conversion stages create the “rails family,” with isolation chosen to contain faults and manage noise/returns.
  • Sequencing & gating: deterministic ordering and timing prevent ambiguous partially-powered states; timeouts and retry rules avoid oscillatory brownouts.
  • SEL/latch-up containment: fast detect-and-cut limits energy during latch-up; controlled cool-down and retry limits repeated stress.
  • Telemetry pipeline: voltage/current/temperature measurement turns power into observable health data that FDIR can classify and log.
  • Power FDIR policy: fault signatures map to actions (isolate, retry, latch-off, log) with bounded retries and explicit safe states.

The system-level objective is fault containment with traceable evidence: not only “it survived,” but “which channel faulted, how it recovered, and what measurements justify the decision.”

Interface contract · What downstream loads may assume (without teaching them)

  • Envelope: nominal bus range, allowed droop/overshoot limits, and recovery time after a protection event.
  • Isolation behavior: whether a branch fault is local (preferred) or can backfeed/propagate (must be prevented).
  • Sequencing rules: what must be stable before enabling a rail/channel, and how long “PG” must remain valid.
  • Telemetry semantics: how to interpret measured I/V/T (sampling windowing, averaging vs peak capture, and fault counters).

Figure F1 — 28–50 V Bus Tree (source → bus/PCDU → load classes)
[Figure: Power Tree View: Distribution Layer at 28–50 V. Layer 1: Sources (Solar Array interface, Battery interface; source envelope: availability · sag transients · return path). Layer 2: Bus + PCDU (28–50 V Bus V/I; Conditioning: filter / inrush; Distribution: isolated channels; Rad-hard DC-DC; Monitor + FDIR policy + logs). Layer 3: Loads (interfaces) (Payload Rails, Avionics PoL, Heaters, Pyro IF). Legend: ISO = isolated channel boundary; measured points (bus / channels); loads shown as classes only.]
ALT: Three-layer spacecraft power tree showing solar array and battery sources feeding a 28–50 V bus, PCDU functions (conditioning, distribution, rad-hard DC-DC, monitoring/FDIR), and interface-only load classes with measured points and isolated channels.

H2-3 · Space constraints that reshape power design (radiation, vacuum, thermal, lifetime)

Why this matters · Space turns “power design” into proof-based engineering

In spacecraft bus power, constraints are not abstract environment notes—they translate directly into predictable fault signatures and required response behavior. Radiation effects shift parameters over life (TID), inject transients (SET), or trigger sustained overcurrent (SEL). Vacuum and lifetime constraints make temperature the dominant driver of reliability, because heat removal relies on controlled conduction paths and radiation, not airflow. A robust bus-power chain must therefore be designed so that drift is budgeted, transients do not cause false trips, and hard faults are contained quickly.

Design inputs → fault signatures · Fault signatures → actions (FDIR) · Actions → verifiable evidence

Event types · TID vs SET vs SEL (power-system viewpoint)

  • TID (Total Ionizing Dose): cumulative shift of references and device parameters that changes regulation accuracy, thresholds, and efficiency over mission life.
  • SET (Single-Event Transient): short disturbances that can appear as droop spikes, PG glitches, or temporary control-loop perturbations.
  • SEL (Single-Event Latch-up): sustained parasitic conduction that manifests as a persistent overcurrent condition until energy is removed.

This page focuses on how these events appear in bus-power measurements and how protection and sequencing policies are set to avoid ambiguous or oscillatory behavior.

3-layer impact map · Device → module → system (what changes and why)

  • TID drift
    Power-layer symptom: Reference drift → output setpoint shift; MOSFET parameter shift → efficiency loss; isolated feedback elements may degrade, altering regulation accuracy.
    Design lever (what to specify and verify): Budget drift in a margin stack; define acceptable Vout error over life; re-check thresholds (UV/OV/PG) with end-of-life limits.
  • SET transient
    Power-layer symptom: Short droops or spikes; PG chatter; false UV/OV detection if the decision window is too short; nuisance resets if debounce is missing.
    Design lever (what to specify and verify): Use time-qualified thresholds (debounce/integrate); align PG validity windows with converter and load dynamics; log transient counters instead of immediate latch-off.
  • SEL latch-up
    Power-layer symptom: Persistent overcurrent; channel heating; possible bus sag if not isolated; repeated power cycling can amplify damage if not controlled.
    Design lever (what to specify and verify): Fast isolate (energy cut) + cool-down + limited retry policy; separate “hard fault” action from “soft transient” handling; prove timing with drills.
  • Vacuum thermal
    Power-layer symptom: Higher sensitivity to small efficiency changes; hot spots rise faster; protection thresholds shift with temperature; aging accelerates under sustained stress.
    Design lever (what to specify and verify): Define heat paths (to baseplate/structure); validate temperature margins in thermal-vac; verify protection trip points and recovery behavior at extremes.
  • Lifetime
    Power-layer symptom: Gradual efficiency degradation increases temperature; drift and aging reduce margins; repeated fault recovery may consume limited cycle life.
    Design lever (what to specify and verify): Derating policy (voltage, current, temperature); cap retry counters; record trends (I/V/T) to justify operational decisions and detect slow degradation.

Soft vs hard faults · FDIR must separate “recoverable noise” from “energy-cut events”

A spacecraft bus-power chain must treat events differently based on whether they are soft (temporary, non-damaging, recoverable) or hard (persistent, potentially destructive). The practical separation is: duration + energy. A short droop should not permanently disable a channel, while a sustained overcurrent must be isolated quickly.

  • Soft class: short droop or PG glitch → debounce + log + allow continued operation, unless repetition exceeds a threshold.
  • Hard class: sustained overcurrent (suspected SEL or short) → isolate, cool down, then controlled retry (bounded count) or latch-off.
  • Evidence: store event counters and last-fault signature (which channel, peak current, duration bucket, temperature at trip).
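The soft/hard separation by duration and energy, written out as an added Python example (not code from this page or from any flight program). The thresholds, the channel name PCDU_CH3, the duration buckets and the telemetry trace are all constructed. The monitor keeps the event counters and the last-fault signature the list above calls for, and it also escalates repeated soft events inside a sliding window, which is one concrete reading of “unless repetition exceeds a threshold”.

```python
"""Time-qualified over-current classification for one distribution channel.

Added example with constructed thresholds and telemetry (not from any flight design).
Duration is the discriminator: a burst that ends before the hard threshold is a soft
event (log, keep running, count repeats); sustained over-current is hard (cut energy).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Policy:
    i_limit_a: float        # over-current threshold
    t_hard_s: float         # continuous over-current this long => hard fault
    soft_window_s: float    # window for counting repeated soft events
    soft_repeat_limit: int  # soft events within the window that escalate
    dt_s: float             # telemetry sampling period


def duration_bucket(seconds: float) -> str:
    """Coarse bucket so the signature fits a small telemetry register."""
    if seconds < 1e-3:
        return "<1ms"
    return "1-10ms" if seconds < 10e-3 else ">10ms"


@dataclass
class ChannelMonitor:
    channel: str
    policy: Policy
    isolated: bool = False
    soft_count: int = 0
    hard_count: int = 0
    last_fault: Optional[dict] = None          # last-fault signature for FDIR logs
    _soft_times: List[float] = field(default_factory=list)
    _over_samples: int = 0                     # length of the current over-current run
    _peak_a: float = 0.0
    _energy_j: float = 0.0

    def _record(self, cls: str, temp_c: float) -> None:
        """Signature: which channel, peak current, duration bucket, temperature, energy."""
        self.last_fault = {"channel": self.channel, "class": cls, "peak_a": self._peak_a,
                           "duration": duration_bucket(self._over_samples * self.policy.dt_s),
                           "temp_c": temp_c, "energy_j": self._energy_j}

    def step(self, t_s: float, i_a: float, v_bus_v: float, temp_c: float) -> Optional[str]:
        """Feed one V/I/T sample; return "log", "isolate" or None."""
        p = self.policy
        if self.isolated:
            return None
        if i_a > p.i_limit_a:
            self._over_samples += 1
            self._peak_a = max(self._peak_a, i_a)
            self._energy_j += v_bus_v * i_a * p.dt_s          # energy let through so far
            if self._over_samples >= max(1, round(p.t_hard_s / p.dt_s)):   # sustained
                self.hard_count += 1                          # SEL / short class
                self._record("hard", temp_c)
                self.isolated = True
                return "isolate"
            return None
        if self._over_samples == 0:
            return None
        self.soft_count += 1                                  # burst ended early: soft class
        self._record("soft", temp_c)
        self._over_samples, self._peak_a, self._energy_j = 0, 0.0, 0.0
        self._soft_times = [x for x in self._soft_times if t_s - x <= p.soft_window_s] + [t_s]
        if len(self._soft_times) >= p.soft_repeat_limit:      # repetition escalates
            self.isolated = True
            return "isolate"
        return "log"


def constructed_trace(dt_s: float, burst_starts=(20,), sustained_from=60, n=100):
    """Constructed telemetry: 0.8 A at 28 V, 3-sample bursts to 3.0 A at burst_starts,
    then a sustained 2.5 A over-current from sample sustained_from (None = no SEL)."""
    trace = []
    for k in range(n):
        burst = any(s <= k < s + 3 for s in burst_starts)
        i = 3.0 if burst else 2.5 if sustained_from is not None and k >= sustained_from else 0.8
        trace.append((k * dt_s, i, 28.0, 35.0 + 0.05 * k))   # (t, I, V_bus, T)
    return trace


def run_monitor(policy: Policy, trace) -> Tuple[ChannelMonitor, List[Tuple[int, str]]]:
    mon, actions = ChannelMonitor("PCDU_CH3", policy), []
    for k, (t, i, v, tc) in enumerate(trace):
        act = mon.step(t, i, v, tc)
        if act:
            actions.append((k, act))
    return mon, actions


DEFAULT_POLICY = Policy(i_limit_a=2.0, t_hard_s=1.2e-3, soft_window_s=50e-3,
                        soft_repeat_limit=3, dt_s=0.1e-3)
```

With the default policy and trace, the 0.3 ms burst at sample 20 is logged as a soft event and the channel keeps running; the 2.5 A run that starts at sample 60 reaches the 1.2 ms hard threshold at sample 71 and the channel is isolated with a "hard" signature. Integer sample counts are used for the duration compare so that floating-point time arithmetic cannot shift the trip point.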

Figure F2 — Radiation-to-fault chain (cause → symptom → power response → FDIR action)
[Figure: Radiation / Thermal Constraints → Power Faults → FDIR Actions. Goal: separate soft transients from hard energy-cut events using measurable signatures. Columns: Cause | Observable symptom | Power response. TID (cumulative drift, threshold shifts) → Vout drift, efficiency ↓, temperature ↑ → margin stack, re-check UV/OV, derate / verify. SET (short transient, glitch risk) → droop spike, PG glitch, false UV trip → debounce, time-qualify, log counters. SEL (sustained I, energy hazard) → overcurrent lock, bus sag risk, heating → fast isolate, cool-down, limited retry. FDIR action tags (power layer): Reset, Latch-off, Retry, Log, Derate.]
ALT: Diagram mapping TID, SET, SEL and thermal-vac constraints to power symptoms (drift, droop, sustained overcurrent) and FDIR actions (debounce, isolate, latch-off, retry, logging).

H2-4 · DC-DC conversion for 28–50 V: topology selection and isolation strategy

Decision frame · Select a topology by input range, power class, and fault containment

For a 28–50 V spacecraft bus, DC-DC conversion is most useful when treated as an interface contract: the chosen topology must tolerate the bus envelope, deliver the required rail family, and behave predictably under overload and radiation-driven events. Practical selection begins with power class and how many outputs must be produced, then checks whether isolation is needed for functional partitioning, noise control, or hard-fault containment.

  • Low power / multi-output: Flyback is often favored for compact multi-rail conversion, but requires careful ripple/EMI management.
  • Medium power: Forward-derived approaches can offer a stable balance of efficiency, magnetics size, and EMI controllability.
  • Higher power: Push-pull or half-bridge can scale efficiently, at the cost of higher drive/magnetics complexity and stricter symmetry/control.

Isolation strategy · Functional, noise, and fault isolation (engineering purpose)

Isolation in spacecraft power is not a checkbox—it is a design tool used to define domains, control return paths, and contain faults. Isolation choices must be consistent with the protection philosophy of the bus: a branch fault should remain a branch event, not a system event.

  • Functional isolation: separates power domains so an off-nominal condition in one domain does not shift references in another.
  • Noise isolation: blocks switching noise and common-mode coupling from returning to the bus or sensitive rails through unintended paths.
  • Fault isolation: limits fault energy propagation during overload/SEL, enabling fast isolate-and-recover behavior per channel.

Only power isolation is discussed here. Data-link isolation details are intentionally excluded.

Topology selection table · Practical criteria (spacecraft bus-power context)

  • Flyback
    Best-fit power: Low / multi-rail.
    Strengths: Multi-output friendly; compact magnetics; simple control; good for auxiliary rails and distributed branches.
    Trade-offs: Ripple and EMI can be higher; switch stress and leakage effects need margin; transient response depends strongly on output filter design.
    Isolation & verification notes: Isolated feedback sensitivity must be checked over drift; verify worst-case ripple and PG stability across bus envelope and temperature.
  • Forward
    Best-fit power: Medium.
    Strengths: Balanced efficiency and EMI controllability; clearer magnetics utilization; often easier to meet ripple and transient targets than flyback at mid power.
    Trade-offs: More parts than flyback; transformer reset and clamp paths must be robust; design complexity increases with tighter EMI limits.
    Isolation & verification notes: Isolation supports domain definition; verify stability with input filter and confirm protection timing (OCP/OTP) under cold/hot extremes.
  • Push-pull / Half-bridge
    Best-fit power: Higher.
    Strengths: Scales to higher power with good efficiency potential; supports synchronous rectification and high-current rails.
    Trade-offs: Drive symmetry and magnetics balance are critical; more complex control/drive; EMI management requires careful layout and return-path control.
    Isolation & verification notes: Fault isolation can be strong if channels are segmented; verify symmetry, thermal headroom, and recovery behavior after overload/SEL drills.

Engineering knobs · Efficiency–EMI–thermal triangle (what can be tuned)

  • Synchronous rectification: improves efficiency and reduces heat, but adds drive complexity and verification burden.
  • Switching frequency: higher frequency can shrink magnetics and filters, but increases switching loss and may worsen EMI margin.
  • Magnetics design: leakage and coupling drive both efficiency and EMI; design must align with isolation goals and thermal paths.
  • Output filtering: filters reduce ripple but can slow transient response; selection must match sequencing and PG qualification windows.

A space-ready choice is the one that preserves margin after derating and still demonstrates stable, repeatable protection timing.

Figure F3 — Topology comparison (Flyback vs Forward vs Bridge class)
[Figure: Isolated DC-DC Candidates from a 28–50 V Bus; each view uses the same “module grammar” to compare complexity and interfaces. Flyback: Input filter → Switch stage → XFMR (iso) → Rectification → Output filter; FB iso; OCP; Telemetry tap. Forward: Input filter → Switch + clamp → XFMR (iso) → Rectification → Output filter; FB iso; OTP; Telemetry tap. Push-pull / Half-bridge: Input filter → Bridge drive → XFMR (iso) → Sync rect → Output filter; FB iso; OCP; Telemetry tap. Blue-stroked blocks highlight common bus interfaces (filter and telemetry). No waveforms; block-level view only.]
ALT: Side-by-side block diagrams comparing flyback, forward, and push-pull/half-bridge isolated DC-DC topologies from a 28–50 V bus, including filter, switch stage, transformer isolation, rectification, output filter, isolated feedback, protection, and telemetry taps.

H2-5 · Choosing rad-hard DC-DC modules/ICs: derating, margins, and failure modes

What “selection” means · A criteria checklist, not a shopping list

Rad-hard power selection is strongest when it is treated as a verifiable contract: input envelope tolerance, end-of-life (EOL) output accuracy, predictable protection behavior, and measurable recovery actions. This section provides a criteria checklist and reading method that stays stable across vendors, parts, and mission programs.

Define the bus envelope · Budget drift and heat · Prove protection timing · Separate SET vs SEL handling

Selection checklist · Minimum criteria for a 28–50 V bus converter

  • Input envelope
    What to check (engineering form): Rated input range and survivability limits; start-up behavior at minimum bus; tolerance to short spikes and ripple. Confirm whether protection clamps or shuts down under overvoltage.
    Why it matters on a spacecraft bus: The converter must remain stable and predictable across bus excursions without causing nuisance resets or oscillatory retries.
  • Output accuracy & drift
    What to check (engineering form): Regulation tolerance over temperature; line/load regulation; reference drift assumptions; stability of trim/setpoint features. Treat TID and aging as part of the accuracy budget.
    Why it matters on a spacecraft bus: End-of-life output drift is a system-level risk because it erodes headroom for downstream rails and thresholds.
  • Protection behavior
    What to check (engineering form): OCP style (limit/foldback/hiccup), OVP action, UVLO thresholds and debounce, OTP mode (throttle vs shutdown), restart policy (auto-retry vs latched).
    Why it matters on a spacecraft bus: Protection must match fault philosophy: soft transients should not permanently disable a channel, while hard faults must be isolated quickly.
  • SEE characteristics
    What to check (engineering form): SET susceptibility (transient droops / control perturbations) and how they appear at output/PG; SEL behavior and whether the module can be protected externally with fast energy cut.
    Why it matters on a spacecraft bus: SET should be handled with time-qualified logic; SEL requires fast isolation and controlled retry to prevent damage and bus sag.
  • Thermal & derating
    What to check (engineering form): Derating curves vs baseplate temperature; efficiency vs load; thermal impedance assumptions; maximum allowed hot-spot. Verify operation at worst-case cold start and hot steady-state.
    Why it matters on a spacecraft bus: In vacuum, small efficiency loss drives temperature rise quickly; temperature controls lifetime and stability of thresholds.
  • Qualification evidence
    What to check (engineering form): Qualification/lot acceptance scope; traceability and screening; which conditions are guaranteed vs characterized. Identify what is program-specific vs universally applicable.
    Why it matters on a spacecraft bus: The most useful data is the data that is reproducible under the same boundary conditions used in the mission power budget.

How to read datasheets · A repeatable “power-first” reading order

  • Step 1 — Boundaries: input range, output range, start-up constraints, and any “do not cross” absolute maximums.
  • Step 2 — Protection truth: identify how OCP/OVP/OTP/UVLO behave, not just that they exist.
  • Step 3 — Efficiency & heat: find efficiency curves and convert them into heat expectations at the baseplate limits.
  • Step 4 — Drift sources: temperature drift + long-term drift; treat EOL accuracy as a requirement, not a bonus.
  • Step 5 — SEE perspective: classify events as “transient disturbances” vs “sustained current hazards” and plan matching actions.
  • Step 6 — Evidence quality: separate guaranteed specifications from characterization; note test conditions and their match to the bus envelope.

Failure modes · Common ways space DC-DCs break the system contract

  • Margin erosion: output drift plus rising temperature pushes rails into UV/OV windows or reduces load headroom.
  • Nuisance trips: SET-driven droops cause PG chatter or UV events when debounce/integration windows are too short.
  • Thermal runaway: efficiency degradation increases heat; without derating, protection thresholds become unstable and recovery oscillates.
  • Hard current events: SEL or downstream shorts create persistent overcurrent; without fast isolation, bus sag and localized damage become likely.

Margin stack template · A compact budget to prove EOL headroom

A practical margin stack answers one question: after worst-case input, EOL efficiency drift, and temperature rise, does output accuracy still meet the system headroom requirement? Use the stack below as a repeatable template.

  • Minimum bus input (worst-case direction: Vin ↓): Use lowest allowed steady bus + ripple; confirm start-up and regulation at this condition.
  • Efficiency degradation (worst-case direction: η ↓): Apply conservative efficiency at EOL/load/temperature; convert into heat at the baseplate limit.
  • Thermal rise (worst-case direction: ΔT ↑): Use worst thermal impedance assumptions; validate in thermal-vac with steady-state plus transient loads.
  • Output setpoint error (worst-case direction: |Vout error| ↑): Combine temperature drift + long-term drift; verify with end-of-life assumptions and threshold spacing.
  • System headroom (margin window): Compare final worst-case Vout and transient droop against UV/OV windows and load tolerance.

This template intentionally avoids part numbers. It is designed for consistent review, audit, and verification planning.
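The same template carried through in code, as an added Python example (not a tool from this page or any vendor). The budget numbers are constructed for a 5 V / 20 W output fed from the 28–50 V bus, and the first-order models are assumptions stated in the docstring: heat from efficiency, thermal rise from a single thermal impedance, and setpoint error as a temperature coefficient times the temperature excursion plus a long-term (TID + aging) term. A second budget with a poorer heat path and more drift shows the template reporting which stack item fails.

```python
"""Worst-case margin stack for one converter output (EOL headroom check).

Added example with constructed numbers, not a real part's data. It follows the page's
five-item template (minimum bus input, efficiency degradation, thermal rise, output
setpoint error, system headroom) with first-order models, all assumptions:
heat = P_out·(1/η − 1); ΔT = heat·R_th; setpoint error = tempco·|T_hot − T_trim| + drift.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass
class ConverterBudget:
    vin_min_steady_v: float      # lowest allowed steady bus voltage
    vin_ripple_pp_v: float       # peak-to-peak ripple seen at the converter input
    vin_start_min_v: float       # assumed minimum input for reliable start-up
    p_out_w: float               # output power at the analysed load point
    eta_bol: float               # beginning-of-life efficiency at that point
    eta_eol_loss: float          # absolute efficiency loss assumed at end of life
    r_th_c_per_w: float          # hot spot to baseplate thermal impedance
    t_baseplate_max_c: float     # hottest allowed baseplate temperature
    t_trim_c: float              # temperature at which the setpoint is nominal
    vout_nom_v: float
    tempco_frac_per_c: float     # fractional setpoint drift per °C
    long_term_drift_frac: float  # TID + aging drift, fractional
    droop_v: float               # load-step droop below steady state
    overshoot_v: float           # load-release overshoot above steady state
    uv_limit_v: float            # downstream UV threshold
    ov_limit_v: float            # downstream OV threshold


def margin_stack(b: ConverterBudget) -> Dict[str, object]:
    """Carry the worst-case chain through to the UV/OV headroom check."""
    vin_worst = b.vin_min_steady_v - b.vin_ripple_pp_v / 2          # 1) minimum bus input
    eta_eol = b.eta_bol - b.eta_eol_loss                             # 2) efficiency degradation
    heat_w = b.p_out_w * (1.0 / eta_eol - 1.0)
    dt_c = heat_w * b.r_th_c_per_w                                   # 3) thermal rise
    t_hot_c = b.t_baseplate_max_c + dt_c
    err_frac = (b.tempco_frac_per_c * abs(t_hot_c - b.t_trim_c)
                + b.long_term_drift_frac)                            # 4) setpoint error
    vout_min = b.vout_nom_v * (1.0 - err_frac) - b.droop_v           # 5) headroom window
    vout_max = b.vout_nom_v * (1.0 + err_frac) + b.overshoot_v
    failed: List[str] = []
    if vin_worst < b.vin_start_min_v:
        failed.append("minimum_bus_input")
    if vout_min <= b.uv_limit_v:
        failed.append("system_headroom_uv")
    if vout_max >= b.ov_limit_v:
        failed.append("system_headroom_ov")
    return {
        "vin_worst_v": vin_worst, "eta_eol": eta_eol, "heat_w": heat_w,
        "delta_t_c": dt_c, "t_hot_c": t_hot_c, "vout_err_frac": err_frac,
        "vout_min_v": vout_min, "vout_max_v": vout_max,
        "uv_margin_v": vout_min - b.uv_limit_v, "ov_margin_v": b.ov_limit_v - vout_max,
        "failed_items": failed, "ok": not failed,
    }


def example_budget() -> ConverterBudget:
    """Constructed 5 V / 20 W output from a 28–50 V bus."""
    return ConverterBudget(
        vin_min_steady_v=28.0, vin_ripple_pp_v=1.0, vin_start_min_v=26.0,
        p_out_w=20.0, eta_bol=0.86, eta_eol_loss=0.03,
        r_th_c_per_w=4.0, t_baseplate_max_c=60.0, t_trim_c=25.0,
        vout_nom_v=5.0, tempco_frac_per_c=0.0002, long_term_drift_frac=0.015,
        droop_v=0.15, overshoot_v=0.10, uv_limit_v=4.65, ov_limit_v=5.35,
    )


def poor_heat_path_budget() -> ConverterBudget:
    """Same converter with a worse thermal path and more TID/aging drift."""
    return replace(example_budget(), r_th_c_per_w=12.0, long_term_drift_frac=0.03)
```

For the constructed budget the stack passes with about 74 mV of UV margin; the poor-heat-path variant fails on the UV side while still clearing OV, which is the kind of single failing item a review would then trade against load, efficiency or thresholds (in that order, per the derating rule of thumb).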

Figure F4 — Derating & margin stack (worst-case chain to EOL headroom)
[Figure: Derating & Margin Stack (EOL-proof): worst-case inputs and drifts → final headroom against thresholds. 1) Minimum bus input: Vin ↓ (steady + ripple). 2) Efficiency degradation: η ↓ (EOL / temperature). 3) Thermal rise: ΔT ↑ (baseplate path). 4) Output setpoint error: Vout ± (temp + long-term). 5) System headroom window: compare worst-case Vout vs UV/OV limits; allowed window (steady + transient) between UV and OV; outcome OK / NOT OK. Derating rule of thumb: if heat margin shrinks, reduce load or raise efficiency before relaxing thresholds; protection timing must remain stable across temperature and EOL drift.]
ALT: Stepwise margin stack showing minimum bus input, efficiency degradation, thermal rise, and output drift leading to a final headroom check against UV/OV limits with OK/NOT OK outcome.

H2-6 · Input protection & bus conditioning: EMI filter, inrush control, and fault containment

Front-end contract · Make the bus interface predictable and measurable

The front end from the bus terminal to the converter input defines whether the spacecraft bus behaves like a stable source or a coupled resonant system. A robust conditioning chain limits peak energy, controls conducted emissions, prevents reverse/backfeed, and constrains inrush so that start-up and recovery are repeatable across temperature and bus variations.

Clamp energy · Filter EMI · Limit inrush · Contain faults

Typical chain · A practical block order for 28–50 V conditioning

  • Clamp / limiter: limits spike energy and protects downstream stages from brief excursions.
  • EMI filter (LC/π): reduces conducted noise; the filter Q must be controlled to avoid low-frequency ringing.
  • Reverse & backfeed protection: prevents unintended current flow during off-nominal states or channel interactions.
  • Inrush limiter / hot-swap stage: controls charging of input capacitance and prevents bus droop during start-up.
  • Segmented enable: sequences power-up so that not all branches present peak demand at the same instant.

This section intentionally focuses on power-layer conditioning, not on regulatory compliance text.

Inrush made predictable · The minimum model and the tuning knobs

The goal of inrush design is not “zero surge”—it is a bounded and repeatable peak current that does not cause bus droop or protection oscillation. A simple first-order model is often sufficient to set expectations:

I_inrush ≈ C_in × dV/dt

  • C_in: total effective input capacitance (including distributed capacitance near the converter).
  • dV/dt: the controlled rise rate set by soft-start or current-limit control.
  • Current limit threshold: sets the peak; pairing it with a time qualifier avoids repetitive “hiccup” cycles.
  • Segmenting: splitting large capacitance across stages reduces a single large surge event.

Verification cue: measure I_peak and bus droop at worst-case cold start, minimum bus, and maximum downstream capacitance.
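The first-order model and its knobs as an added sizing example in Python (constructed values, not a real PCDU design). Beyond the single line I_inrush ≈ C_in × dV/dt, it checks the peak against the current-limit threshold, approximates bus droop as I_peak × R_source with an assumed source resistance, and checks the total ramp time against the PG timeout so that slowing the ramp to tame the peak does not push start-up into a timeout; the segmented case shows how splitting C_in across stages trades peak current for time.

```python
"""Inrush sizing from I_inrush ≈ C_in × dV/dt, with the checks a front-end review asks for.

Added example with constructed values (not a real PCDU design). Peak current follows the
capacitance being charged and the soft-start ramp rate; bus droop is approximated as
I_peak × R_source, where R_source is an assumed bus/harness source resistance.
"""
from dataclasses import dataclass


@dataclass
class InrushPlan:
    dv_dt_v_per_s: float
    i_peak_a: float
    droop_v: float
    total_ramp_s: float
    within_current_limit: bool
    within_pg_timeout: bool

    @property
    def acceptable(self) -> bool:
        return self.within_current_limit and self.within_pg_timeout


def plan_inrush(c_in_f: float, v_bus_v: float, ramp_time_s: float, i_limit_a: float,
                r_source_ohm: float, pg_timeout_s: float, segments: int = 1) -> InrushPlan:
    """Evaluate a soft-start ramp for C_in charged to v_bus, optionally split into
    `segments` equal stages enabled one after another (segmented enable)."""
    dv_dt = v_bus_v / ramp_time_s
    i_peak = (c_in_f / segments) * dv_dt       # I_inrush ≈ C_in × dV/dt, per stage
    droop = i_peak * r_source_ohm              # first-order source-impedance droop
    total = ramp_time_s * segments             # stages run back-to-back
    return InrushPlan(dv_dt, i_peak, droop, total, i_peak <= i_limit_a, total <= pg_timeout_s)


def min_ramp_time_s(c_in_f: float, v_bus_v: float, i_limit_a: float, margin: float = 0.2) -> float:
    """Shortest ramp that keeps the peak under the current limit with margin; a faster
    ramp hits the limiter and, with a short time qualifier, tends to 'hiccup'."""
    return c_in_f * v_bus_v / (i_limit_a * (1.0 - margin))


def demo():
    """Constructed case: 470 µF at the 50 V end of the bus, 3 A limit, 0.1 Ω source, 20 ms PG timeout."""
    common = dict(c_in_f=470e-6, v_bus_v=50.0, i_limit_a=3.0, r_source_ohm=0.1, pg_timeout_s=20e-3)
    single = plan_inrush(ramp_time_s=5e-3, segments=1, **common)  # 4.7 A peak: over the limit
    staged = plan_inrush(ramp_time_s=5e-3, segments=2, **common)  # 2.35 A per stage, 10 ms total
    return single, staged, min_ramp_time_s(470e-6, 50.0, 3.0)
```

The verification cue above then reduces to measuring the same three quantities (I_peak, droop, time to PG) at cold start, minimum bus and maximum downstream capacitance and comparing them with the plan.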

Input filter interaction · Prevent coupled oscillation (engineering method)

An EMI filter is a dynamic element. If its resonance interacts with the converter’s input behavior, start-up or load steps can produce low-frequency ringing or repeated protection trips. The practical objective is to keep the input network well-damped.

  • Ringing at start-up
    Likely mechanism: High-Q LC/π resonance excited by ramp or current limiting.
    Engineering fix (power-layer): Add damping (R-C, controlled ESR); reduce Q; distribute capacitance instead of one large block.
  • “Hiccup” retries
    Likely mechanism: Inrush limit + filter resonance causes repeated UV events.
    Engineering fix (power-layer): Adjust dV/dt; increase time qualification; coordinate UVLO/PG windows with inrush profile.
  • Noise spikes at load steps
    Likely mechanism: Converter draws pulsating input current that excites the filter.
    Engineering fix (power-layer): Use local decoupling near converter; add damping; check layout return paths and sense-tap placement.

Fault containment · A branch fault should remain a branch event

The bus-conditioning chain should prevent a downstream short or sustained current event from collapsing the whole bus. Containment relies on two elements: fast energy limitation and clean isolation boundaries.

  • Energy limit: current limiting and fast disconnect prevent bus sag and reduce local thermal stress.
  • Isolation boundary: per-branch gating allows other branches to remain operational during a fault event.
  • Measurable signatures: V/I taps on both sides of the conditioning chain help separate a transient droop from a sustained fault.
  • Controlled recovery: cool-down and limited retries avoid oscillation and repeated damage during persistent faults.

Figure F5 — Front-end conditioning block (bus terminal → DC-DC input with sense taps)
[Figure: Bus Input Protection & Conditioning (28–50 V): keep start-up and recovery repeatable, damp resonances, and contain branch faults. Chain: Bus terminal → Clamp (TVS / limit) → EMI filter (LC / π, damped) → Reverse / backfeed block → Inrush limit stage → Segmented enable gate → DC-DC input; V/I sense (bus-side) and V/I sense (converter-side). Fault containment intent: the clamp limits spike energy without forcing a full-bus shutdown; damped EMI filtering avoids start-up ringing and “hiccup” loops; inrush limiting bounds peak current set by C_in and dV/dt; segmented gating keeps a branch fault from collapsing the whole bus.]
ALT: Front-end conditioning block diagram from spacecraft bus terminal to DC-DC input showing clamp/TVS, damped EMI filter, reverse/backfeed protection, inrush limiting, segmented enable gating, and bus-side vs converter-side V/I sense taps.

H2-7 · Power-up sequencing PMIC: deterministic rails, resets, and safe retry behavior

Design goal · Deterministic start-up, observable faults, recoverable behavior

Sequencing is most useful when it behaves like a repeatable control process rather than a one-time “power-up script”. The contract is: rails rise in a known order and slope, dependencies are enforced (PG/UV/thermal), failure reasons are classified with a code, and retries are controlled to avoid oscillation, repeated stress, or full-bus collapse.

Order · Slope · Dependencies · Safe retry

Sequencing axes · Order, slope, and dependencies (PG/UV/thermal)

  • Order: group rails into primary power, sensitive analog, and interface/aux rails; enforce must-before/must-after constraints.
  • Slope: soft-start and dV/dt must avoid both bus droop and internal load stress; slow ramps can cause PG timeout while fast ramps can excite transients.
  • Dependencies: PG should represent a qualified “OK” state—voltage in range and stable enough to allow the next rail, reset release, or mode transition.

PG & reset as timing · Blanking, debounce, and timeout prevent false decisions

Power-good and reset logic must tolerate switching ripple and brief disturbances without misclassifying them as a failed rail. A timing contract makes this deterministic:

  • Blanking
    What it does: Temporarily ignores PG during ramp and settling.
    Engineering guidance (practical): Cover soft-start + loop settling so ripple/settling does not trigger early “bad” decisions.
  • Debounce
    What it does: Requires PG to be continuously valid before accepting it as true.
    Engineering guidance (practical): Choose a window long enough to reject brief droops and ripple bursts, but short enough to avoid delaying dependent rails.
  • Timeout
    What it does: Defines the maximum allowed time from enable to qualified PG.
    Engineering guidance (practical): Base on worst-case temperature, slowest load start, and the chosen soft-start; a timeout yields a clear fault cause (PG_timeout).

Failure taxonomy Make “why it failed” explicit and actionable

A recoverable system distinguishes transient conditions from persistent faults. A compact taxonomy improves logging, decision making, and retry safety:

  • UV / brown-in: rail cannot maintain regulation or collapses during dependency checks.
  • PG_timeout: ramp/settling exceeds allowed time (often load anomaly or current limiting).
  • OCP_event: current exceeds allowed profile; treat persistent faults differently from short bursts.
  • Thermal inhibit: temperature or thermal model indicates unsafe operation; prevents entering RUN.
  • External inhibit: upstream command or safety interlock blocks progression (safe hold state).

Safe retry policy Controlled recovery prevents oscillation and cumulative stress

“One-shot success” is not the target. The target is bounded recovery: retry only when conditions are likely to have improved, and stop after a defined count or fault class.

Fault class | Default action | Why this is safe
UV / brown-in | Timed retry after bus/temperature re-check; limit retry count. | Prevents repetitive attempts during a low-bus period that would sag the system again.
PG_timeout | Retry with enforced cooldown; escalate to latch-off if repeated. | Reduces stress on converters and avoids indefinite “half-started” states.
OCP_event | Classify persistent vs brief; persistent faults may latch-off; brief faults may retry. | Prevents false lockout while still containing genuine sustained faults.
Thermal inhibit | Hold-off until temperature falls below a safe threshold; then single retry. | Stops thermal oscillation and cumulative lifetime damage.
External inhibit | Hold state; require command to resume. | Prevents unintended re-energization when a higher-level safety logic is active.

Retry count and cooldown should be explicitly logged as part of the fault record (reason code + counter).
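The sequencing contract above (ordered rails, PG blanking/debounce/timeout, reason codes, bounded retry with a re-check before each attempt) as a tick-driven state machine. This is an added example, not the page's or any vendor's code; the tick period, window lengths and retry limit in seq_policy_t are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not the page's or any vendor's code): a tick-driven
 * sequencer for the F6 state machine with one primary rail and one
 * dependent rail. Tick period, windows and limits are constructed. */

typedef enum { ST_OFF, ST_PRECHECK, ST_RAMP_PRIMARY, ST_RAMP_SECONDARY,
               ST_VERIFY, ST_RUN, ST_FAULT, ST_RETRY_WAIT, ST_LATCHED } seq_state_t;
typedef enum { FC_NONE, FC_UV_BROWN_IN, FC_PG_TIMEOUT, FC_THERMAL_INHIBIT,
               FC_EXTERNAL_INHIBIT } fault_code_t;
typedef struct {                    /* inputs sampled once per tick */
    bool enable;                    /* upstream enable command */
    bool bus_ok, thermal_ok, ext_inhibit;
    bool pg_primary, pg_secondary;  /* raw PG comparator outputs */
} seq_inputs_t;

typedef struct {                    /* timing contract, all in ticks */
    uint32_t blanking, debounce, timeout, cooldown, max_retries;
} seq_policy_t;

typedef struct {
    seq_state_t  state;
    fault_code_t fault;             /* reason code of the last fault */
    uint32_t t_in_state, pg_run, retry_cnt, cooldown_left;
    bool en_primary, en_secondary;  /* rail enable outputs */
} sequencer_t;

static void enter(sequencer_t *s, seq_state_t st) {
    s->state = st; s->t_in_state = 0; s->pg_run = 0;
}
static void declare_fault(sequencer_t *s, fault_code_t fc) {
    s->fault = fc;
    s->en_primary = s->en_secondary = false;  /* rails off before deciding */
    enter(s, ST_FAULT);
}

/* Qualified PG: ignore raw PG during blanking, require it continuously
 * valid for the debounce window, report PG_timeout past the allowed
 * time. Returns 1 = qualified, 0 = pending, -1 = timeout. */
static int qualify_pg(sequencer_t *s, const seq_policy_t *p, bool raw_pg) {
    if (s->t_in_state >= p->blanking)
        s->pg_run = raw_pg ? s->pg_run + 1 : 0;
    if (s->pg_run >= p->debounce) return 1;
    return (s->t_in_state >= p->timeout) ? -1 : 0;
}

void seq_step(sequencer_t *s, const seq_policy_t *p, const seq_inputs_t *in) {
    int q;
    s->t_in_state++;
    switch (s->state) {
    case ST_OFF:
        if (in->enable) enter(s, ST_PRECHECK);
        break;
    case ST_PRECHECK:                 /* bus / thermal / interlock gate */
        if (in->ext_inhibit)      declare_fault(s, FC_EXTERNAL_INHIBIT);
        else if (!in->thermal_ok) declare_fault(s, FC_THERMAL_INHIBIT);
        else if (!in->bus_ok)     declare_fault(s, FC_UV_BROWN_IN);
        else { s->en_primary = true; enter(s, ST_RAMP_PRIMARY); }
        break;
    case ST_RAMP_PRIMARY:
        q = qualify_pg(s, p, in->pg_primary);
        if (q > 0) { s->en_secondary = true; enter(s, ST_RAMP_SECONDARY); }
        else if (q < 0) declare_fault(s, FC_PG_TIMEOUT);
        break;
    case ST_RAMP_SECONDARY:
        q = qualify_pg(s, p, in->pg_secondary);
        if (q > 0) enter(s, ST_VERIFY);
        else if (q < 0) declare_fault(s, FC_PG_TIMEOUT);
        break;
    case ST_VERIFY:                   /* both PGs must hold a full debounce window */
        if (!(in->pg_primary && in->pg_secondary)) declare_fault(s, FC_UV_BROWN_IN);
        else if (++s->pg_run >= p->debounce) enter(s, ST_RUN);
        break;
    case ST_RUN:                      /* monitor: PG collapse or interlock */
        if (in->ext_inhibit) declare_fault(s, FC_EXTERNAL_INHIBIT);
        else if (!(in->pg_primary && in->pg_secondary)) declare_fault(s, FC_UV_BROWN_IN);
        break;
    case ST_FAULT:                    /* bounded retry; external inhibit holds */
        if (s->fault == FC_EXTERNAL_INHIBIT || s->retry_cnt >= p->max_retries)
            enter(s, ST_LATCHED);
        else { s->retry_cnt++; s->cooldown_left = p->cooldown; enter(s, ST_RETRY_WAIT); }
        break;
    case ST_RETRY_WAIT:               /* retry only after cooldown AND a re-check */
        if (s->cooldown_left) s->cooldown_left--;
        else if (in->bus_ok && in->thermal_ok) enter(s, ST_PRECHECK);
        break;
    case ST_LATCHED:                  /* latch-off / hold: manual command only */
        break;
    }
}

void seq_manual_clear(sequencer_t *s) { *s = (sequencer_t){0}; }
/* Convenience: run n ticks with constant inputs; returns the final state. */
seq_state_t seq_run(sequencer_t *s, const seq_policy_t *p,
                    const seq_inputs_t *in, uint32_t n) {
    while (n--) seq_step(s, p, in);
    return s->state;
}
```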

Figure F6 — Rail sequencing state machine (deterministic rails + qualified PG + safe retry)
Rail Sequencing State Machine: deterministic ramps, qualified PG, explicit fault codes, bounded retry. States: OFF (rails disabled) → PRECHECK (bus / thermal OK) → RAMP_PRIMARY (soft-start, slope) → RAMP_SECONDARY (dependent rails) → VERIFY (PG debounce) → RUN (monitor faults); FAULT (reason code) → RETRY_WAIT (cooldown + count) → back to PRECHECK while retry < N, else latch-off / manual. Transitions: Enable, Bus OK, Primary OK, PG ready, Debounced PG, Fault, MONITOR PG / I / T, Policy. Key timing knobs: blanking window • PG debounce • PG timeout • retry counter • cooldown delay.
ALT: Rail sequencing state machine showing deterministic ramp states, PG qualification (blanking/debounce/timeout), fault classification, and a bounded retry path with cooldown and retry counter.

H2-8 · Latch-up / SEL protection: detection, fast isolation, and reset strategy

Engineering target Cut energy in milliseconds without false kills

SEL protection is a power-layer safety loop. The purpose is to interrupt energy fast when a sustained abnormal current event appears, while avoiding accidental shutdown during legitimate current bursts (start-up, load steps, switching ripple). A robust design pairs a time-qualified decision with a fast disconnect and a controlled recovery policy.

Sense
Decide (time window)
Switch-off
Cooldown & retry

Protection chain Sense → integrate → trip → disconnect → cooldown → retry/latch

  • High-side current sense: produces an observable I_sense that tracks branch energy.
  • Threshold + integration window: classifies sustained abnormal current while rejecting short bursts and ripple.
  • Trip action: generates a TRIP signal that commands a fast disconnect device (eFuse / switch stage).
  • Hold-off: enforces a cooldown interval before attempting recovery.
  • Retry logic: allows limited retries and escalates to latch-off with a reason code if repetition is detected.

This section focuses on the protection chain behavior, not on radiation monitor device design or dose modeling.

Avoid false trips Separate “short bursts” from “sustained abnormal current”

False kills usually come from normal peak current (start-up, load steps) being treated as a latch-up. Time qualification is the practical discriminator:

Technique | What it rejects | How it is applied
Integration window | Short spikes and ripple bursts | Require current to remain above a threshold for a minimum duration before TRIP.
Two-level logic | Legitimate high peak + fast decay | Use a higher “peak threshold” and a lower “sustained threshold” with time qualification.
Context gating | Start-up transients | Apply different thresholds or longer qualification during ramp/enable windows (while still limiting absolute energy).

Parameter setting Four knobs that bound risk and improve recoverability

A practical SEL policy is defined by four parameters. Together they bound the maximum energy delivered to a fault and control recovery stability.

Parameter | Definition | How to choose it (engineering view)
I_threshold | Current level that indicates abnormal conduction. | Separate from normal peak distribution with margin; consider worst-case load bursts and temperature behavior.
t_integrate | Minimum time above threshold before TRIP. | Long enough to reject switching ripple and brief bursts; short enough to bound fault energy.
t_cutoff | Trip-to-switch-off delay. | As fast as practicable to limit energy; validate with realistic sense/logic delays and disconnect dynamics.
t_cooldown & retry_count | Recovery delay and maximum retries before latch-off. | Cooldown prevents repeated thermal stress; limited retries prevent oscillation and repeated damage in persistent faults.

Reset strategy Controlled recovery: retry when safe, latch when persistent

  • Immediate isolation: once TRIP is declared, disconnect quickly to bound energy.
  • Cooldown before retry: allow thermal and electrical settling before reenabling the branch.
  • Retry counter: cap repeated attempts; escalation to latch-off prevents indefinite cycling.
  • Reason code logging: record “SEL_suspected” (or equivalent) with timing and counter values to support downstream diagnosis.
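The protection chain and reset strategy above (two-level thresholds, integration window, start-up context gating, trip-to-switch-off delay, cooldown, bounded retry, SEL_suspected reason code) as a sample-driven protection loop that also estimates the cut-off energy delivered to the fault. This is an added example, not the page's or any vendor's code; thresholds, timings, the 28 V bus and the current samples are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not the page's or any vendor's code): a sample-driven SEL
 * protection loop built from the four knobs above (I_threshold, t_integrate,
 * t_cutoff, t_cooldown + retry_count), with two-level thresholds, start-up
 * context gating and a cut-off energy estimate. All values are constructed. */

typedef enum { SEL_ARMED, SEL_TRIPPED, SEL_OFF_COOLDOWN, SEL_LATCHED } sel_state_t;

typedef struct {
    float    i_sustained_a;      /* lower threshold, time-qualified */
    float    i_peak_a;           /* higher threshold, short qualification */
    uint32_t t_integrate_us;     /* time above sustained threshold before TRIP */
    uint32_t t_peak_us;          /* time above peak threshold before TRIP */
    uint32_t t_startup_gate_us;  /* after enable: t_integrate is doubled */
    uint32_t t_cutoff_us;        /* TRIP -> disconnect device actually open */
    uint32_t t_cooldown_us;
    uint32_t retry_count;        /* retries allowed before latch-off */
} sel_policy_t;

typedef struct {
    sel_state_t state;
    bool     sw_on;              /* disconnect device (true = conducting) */
    uint32_t t_above_sust_us, t_above_peak_us, t_since_enable_us;
    uint32_t t_since_trip_us, t_cooldown_us, retries;
    float    event_energy_j;     /* V*I integrated since the event started */
    float    last_cutoff_energy_j; /* captured at switch-off as evidence */
    const char *reason;          /* reason code once latched */
} sel_ctx_t;

void sel_enable(sel_ctx_t *c) {  /* (re-)enable the branch */
    c->state = SEL_ARMED; c->sw_on = true;
    c->t_above_sust_us = c->t_above_peak_us = c->t_since_enable_us = 0;
    c->event_energy_j = 0.0f;
}

/* One telemetry sample: bus voltage, branch current, dt since last sample. */
void sel_step(sel_ctx_t *c, const sel_policy_t *p,
              float v_bus, float i_sense, uint32_t dt_us) {
    float e_sample = v_bus * i_sense * (float)dt_us * 1e-6f;   /* joules */
    switch (c->state) {
    case SEL_ARMED: {
        c->t_since_enable_us += dt_us;
        /* context gating: longer qualification while rails are ramping;
         * the peak threshold is not relaxed, so absolute energy stays bounded */
        bool startup = c->t_since_enable_us < p->t_startup_gate_us;
        uint32_t t_int = startup ? 2u * p->t_integrate_us : p->t_integrate_us;
        /* integration windows reset as soon as current drops back (burst rejection) */
        c->t_above_sust_us = (i_sense > p->i_sustained_a) ? c->t_above_sust_us + dt_us : 0;
        c->t_above_peak_us = (i_sense > p->i_peak_a) ? c->t_above_peak_us + dt_us : 0;
        c->event_energy_j  = c->t_above_sust_us ? c->event_energy_j + e_sample : 0.0f;
        if (c->t_above_sust_us >= t_int || c->t_above_peak_us >= p->t_peak_us) {
            c->state = SEL_TRIPPED;          /* TRIP asserted */
            c->t_since_trip_us = 0;
        }
        break;
    }
    case SEL_TRIPPED:   /* energy keeps flowing until the switch opens */
        c->event_energy_j += e_sample;
        c->t_since_trip_us += dt_us;
        if (c->t_since_trip_us >= p->t_cutoff_us) {
            c->sw_on = false;                /* SW_OFF */
            c->last_cutoff_energy_j = c->event_energy_j;
            c->t_cooldown_us = 0;
            c->state = SEL_OFF_COOLDOWN;
        }
        break;
    case SEL_OFF_COOLDOWN:
        c->t_cooldown_us += dt_us;
        if (c->t_cooldown_us >= p->t_cooldown_us) {
            if (c->retries < p->retry_count) { c->retries++; sel_enable(c); }
            else { c->state = SEL_LATCHED; c->reason = "SEL_suspected"; }
        }
        break;
    case SEL_LATCHED:   /* stays off until a manual command clears it */
        break;
    }
}

/* Convenience: feed n identical samples; returns the state afterwards. */
sel_state_t sel_feed(sel_ctx_t *c, const sel_policy_t *p,
                     float v_bus, float i_sense, uint32_t dt_us, uint32_t n) {
    while (n--) sel_step(c, p, v_bus, i_sense, dt_us);
    return c->state;
}
```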
Figure F7 — SEL protection timing (sense → integrate → trip → switch-off → cooldown → retry)
SEL Protection Timing: time-qualified decision + fast disconnect + controlled recovery. Phases along the time axis: event start → integrate → trip → switch-off → cooldown + retry. Traces: I_sense against the I_SEL threshold and the normal I_peak level, showing a normal burst that decays versus a sustained abnormal current that stays above threshold for t_integrate; decision and action signals TRIP and SW_OFF, then cooldown → retry.
ALT: SEL protection timing diagram showing current sense exceeding a threshold for an integration window, generating TRIP and fast switch-off, followed by cooldown and a controlled retry with counters to prevent repeated cycling.

H2-9 · Precision current sensing & telemetry: from shunt to digitized health data

Why measure Turn branch current into decision-grade health data

Current telemetry is most valuable when it supports energy accounting, anomaly trending, fault localization, and FDIR thresholds—not just “a number on a bus”. The measurement chain should make accuracy explainable: it must be clear where drift and bias come from and how quality is tracked.

Energy budget (E, Wh)
Trend & early warning (dI/dt, drift)
Branch localization (which load changed)
FDIR signatures (windowed peaks + counters)

Architectures High-side, bidirectional, and power-measurement isolation

  • High-side shunt + differential amplifier: a practical default for branch-level measurement; supports bus-referenced rails while keeping load ground intact.
  • Bidirectional measurement: required when backfeed, charge/discharge paths, or reverse current must be distinguished; keep sign handling explicit in registers.
  • Magnetic sensing boundary (when needed): useful when power loss across a shunt is unacceptable at high current, or when galvanic separation is preferred; treat it as a selection boundary, not a protocol topic.
  • Isolation for power measurement: used to protect the digitization domain and maintain measurement integrity under large common-mode movement; this page focuses on the measurement chain only.
Tags: common-mode (high-side) · direction (±I) · quality (range_id) · separation (measurement isolation)

Explainable accuracy Build an error budget that predicts real drift modes

Precision is not a single specification; it is the sum of predictable contributors across the chain. A useful error budget ties each contributor to a visible symptom and an engineering mitigation.

Error source | Typical symptom | Mitigation keywords (practical)
Shunt tolerance + tempco | Gain shifts with temperature; readings “walk” with thermal state. | Low-tempco shunt, Kelvin routing, thermal placement, calibrate at representative temperature points.
Shunt self-heating | Current-dependent drift; error grows at high load and recovers slowly. | Power-rated shunt, copper heat spreading, avoid hot spots, use thermal-aware compensation.
Amp offset + drift | Large relative error at mA-level; “zero” becomes non-zero over time/temperature. | Low-offset amplifier, periodic zero tracking, dual-range strategy, stable biasing and guarding.
ADC gain/INL + Vref drift | Full-range scaling error or nonlinearity; long-term drift across conditions. | Stable reference, ratiometric design when applicable, self-check points, calibration coefficients.
Layout thermal gradient + ripple coupling | Reading depends on board location and switching state; false peaks from ripple. | Kelvin sense, quiet routing, sampling windowing, anti-alias filtering, digital averaging per window.

Dynamic range From mA standby to A-level peaks without “range chatter”

A single gain path rarely meets both standby sensitivity and peak-event robustness. A structured dynamic-range strategy preserves decision integrity for both trends and events:

  • Dual path or dual gain: a high-gain path for low current plus a low-gain path for peaks; avoid saturating the event channel.
  • Range hysteresis: add explicit enter/exit thresholds and a short debounce so the measurement does not oscillate near a boundary.
  • Windowed metrics: define peak and average in fixed windows (e.g., 100 ms peak, 10 s average) so “events” are comparable and not random samples.
  • Quality flags: publish range_id, saturation, and calibration status to prevent FDIR from acting on low-quality data.
Register/field | Purpose | Notes (decision-grade)
I_inst, I_sign | Instantaneous branch current and direction. | Used for fast protection and short-window peaks; sign supports bidirectional interpretation.
I_peak_100ms | Short-window peak for event capture. | Defined window avoids random spikes; pairs with overcurrent counters.
I_avg_10s | Long-window average for trend and budget. | Stable for drift detection; suitable for anomaly trending and derating checks.
P = V×I, E_integrated | Power and energy accounting. | Energy counters support system-level budget closure and lifetime analysis.
quality_flags, range_id | Measurement validity and range context. | Prevents acting on saturated/invalid readings; supports robust FDIR gating.
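The dynamic-range strategy and the register set above (dual gain path, range hysteresis with debounce, I_peak_100ms / I_avg_10s windows, P and E_integrated, quality_flags and range_id) as a telemetry update routine. This is an added example, not the page's or any vendor's code; the high-gain full scale, the enter/exit thresholds, the debounce count and the 10 ms sample period are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example (not the page's or any vendor's code): dual-range current
 * telemetry with range hysteresis + debounce, fixed-window peak/average
 * metrics, energy accounting and quality flags. Full-scale values,
 * thresholds and the 10 ms sample period are constructed assumptions. */

#define SAMPLE_MS      10
#define PEAK_WIN       (100 / SAMPLE_MS)     /* I_peak_100ms window */
#define AVG_WIN        (10000 / SAMPLE_MS)   /* I_avg_10s window */
#define HI_GAIN_FS_A   0.5f    /* high-gain path clips at this magnitude */
#define RANGE_ENTER_A  0.45f   /* move to low-gain path above this */
#define RANGE_EXIT_A   0.35f   /* move back below this (hysteresis band) */
#define RANGE_DEBOUNCE 3       /* consecutive samples before switching */

enum { Q_OK = 0, Q_SATURATED = 1, Q_RANGE_SWITCHING = 2, Q_UNCALIBRATED = 4 };
enum { RANGE_HI_GAIN = 0, RANGE_LO_GAIN = 1 };

typedef struct {                    /* published health registers */
    float   i_inst, i_peak_100ms, i_avg_10s, p_w, e_wh;
    int8_t  i_sign;
    uint8_t range_id, quality_flags;
} health_regs_t;

typedef struct {
    health_regs_t regs;
    float    peak_buf[PEAK_WIN], avg_buf[AVG_WIN], avg_sum;
    uint32_t n;                     /* samples seen so far */
    int      pending_range;         /* candidate range while debouncing, -1 = none */
    uint32_t pending_cnt;
    bool     calibrated;
} telem_t;

static float absf(float x) { return x < 0.0f ? -x : x; }

void telem_init(telem_t *t, bool calibrated) {
    memset(t, 0, sizeof *t);
    t->calibrated = calibrated;
    t->pending_range = -1;
}

/* i_hi: high-gain path reading (already clipped at +/-HI_GAIN_FS_A);
 * i_lo: low-gain path reading of the same shunt. Both are signed. */
const health_regs_t *telem_update(telem_t *t, float v_bus, float i_hi, float i_lo) {
    health_regs_t *r = &t->regs;
    r->quality_flags = t->calibrated ? Q_OK : Q_UNCALIBRATED;

    /* range arbitration: hysteresis band plus debounce prevents chatter */
    float mag  = absf(r->range_id == RANGE_HI_GAIN ? i_hi : i_lo);
    int   want = r->range_id;
    if (r->range_id == RANGE_HI_GAIN && mag >= RANGE_ENTER_A) want = RANGE_LO_GAIN;
    if (r->range_id == RANGE_LO_GAIN && mag <= RANGE_EXIT_A)  want = RANGE_HI_GAIN;
    if (want != r->range_id) {
        t->pending_cnt   = (t->pending_range == want) ? t->pending_cnt + 1 : 1;
        t->pending_range = want;
        if (t->pending_cnt >= RANGE_DEBOUNCE) {
            r->range_id = (uint8_t)want;
            t->pending_range = -1; t->pending_cnt = 0;
        } else {
            r->quality_flags |= Q_RANGE_SWITCHING;
        }
    } else {
        t->pending_range = -1; t->pending_cnt = 0;
    }
    float i = (r->range_id == RANGE_HI_GAIN) ? i_hi : i_lo;
    if (r->range_id == RANGE_HI_GAIN && absf(i_hi) >= HI_GAIN_FS_A)
        r->quality_flags |= Q_SATURATED;    /* reading is clipped, not trusted */

    /* windowed metrics: fixed windows make peaks and averages comparable */
    uint32_t kp = t->n % PEAK_WIN, ka = t->n % AVG_WIN;
    t->peak_buf[kp] = absf(i);
    t->avg_sum += i - t->avg_buf[ka];
    t->avg_buf[ka] = i;
    t->n++;
    uint32_t np = t->n < PEAK_WIN ? t->n : PEAK_WIN;
    uint32_t na = t->n < AVG_WIN  ? t->n : AVG_WIN;
    float pk = 0.0f;
    for (uint32_t k = 0; k < np; k++) if (t->peak_buf[k] > pk) pk = t->peak_buf[k];

    r->i_inst = i;
    r->i_sign = (i < 0.0f) ? -1 : 1;
    r->i_peak_100ms = pk;
    r->i_avg_10s = t->avg_sum / (float)na;
    r->p_w  = v_bus * i;                                  /* P = V x I */
    r->e_wh += r->p_w * (float)SAMPLE_MS / 3600000.0f;    /* E_integrated */
    return r;
}

/* Convenience: feed n identical samples; returns the register block. */
const health_regs_t *telem_feed(telem_t *t, float v_bus, float i_hi, float i_lo, uint32_t n) {
    const health_regs_t *r = &t->regs;
    while (n--) r = telem_update(t, v_bus, i_hi, i_lo);
    return r;
}
```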
Figure F8 — Telemetry chain: shunt → amp → ADC → health registers → FDIR decisions (with error injection points)
Telemetry Chain (Decision-Grade): error sources are marked at the point they enter the measurement chain. SHUNT (high-side) → DIFF AMP (gain + sign) → FILTER (windowed) → ADC (digitize; Vref stability) → HEALTH registers → FDIR (window, trend). Error injection points: tempco and self-heating at the shunt, offset drift and ripple at the amplifier, gain / INL and Vref drift at the ADC. Health fields: I_peak, I_avg, E_integrated, quality_flags, range_id, counters.
ALT: Telemetry chain diagram from high-side shunt to differential amplifier, filtering and windowed sampling, ADC with stable reference, health registers, and FDIR logic. Callouts mark where errors enter (tempco, self-heating, offset drift, ripple coupling, gain/INL, and reference drift).

H2-10 · Power FDIR (fault detection, isolation, recovery) for spacecraft bus power

FDIR loop Detect → isolate → recover, with bounded behavior and logs

Power FDIR is the glue between telemetry and protection hardware. It classifies signatures using time windows and trends, isolates at the smallest practical granularity (branch first), and recovers using a bounded policy (cooldown + retry counter). Every decision should leave a traceable record: fault code, counters, and pre/post telemetry snapshots.

Decision windows (peak vs average)
Trend checks (slow drift)
Branch isolation (containment)
Cooldown + retry budget

Fault classes Four signatures that map to deterministic actions

Class | Signature (what is observed) | Primary action
Transient | Short I_peak or brief V_dip; I_avg quickly returns; no repeated counters. | Filter/debounce; allow operation; record event counter if needed.
Soft fault | Sustained mild overcurrent or rising temperature; trend shows persistence. | Limit power or staged derate; timed retry; escalate if repetition persists.
Hard short | Current remains high and V collapses; repeated protection hits within a short time. | Fast branch isolation; latch-off the branch; mark as failed; keep the bus stable.
Suspected SEL | Sustained abnormal current consistent with latch-up behavior; recurrence after re-enable. | Immediate disconnect → cooldown → limited retries; latch after retry budget is exceeded.

Stability rules Prevent FDIR-induced oscillation and bus-wide collapse

  • Debounce/integrate first: reject ripple and short spikes before taking disruptive actions.
  • Backoff on retries: increase cooldown after repeated trips to avoid “thrashing”.
  • Retry budgets by class: transient events do not burn the retry budget; persistent faults do.
  • Graceful degrade: soft faults prefer power limiting/derating before full disconnect.
  • Bus-first containment: isolate the smallest unit (branch) to protect the main bus and other loads.
Tags: window (peak vs avg) · trend (drift check) · backoff (cooldown) · budget (retry_cnt) · logs (code + snapshot)

Action table Fault signature → action → log fields (implementation-friendly)

Fault signature | Decision basis | Action | Log fields
Short I_peak with rapid recovery | Short window | Ignore / debounce; keep running | event_cnt, I_peak, V_dip, state_id
Persistent mild OCP or rising temperature | Long window + trend | Limit / derate; timed retry | fault_code, I_avg, T, cooldown, retry_cnt
V collapse + sustained high current | Integration + repeat | Isolate branch; latch-off | fault_code, I_inst, V_bus, trip_time, latch_state
Abnormal current that repeats after re-enable | Repeat + retry budget | Disconnect → cooldown → limited retry → latch | fault_code, retry_cnt, cooldown, pre/post I/V snapshot
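The fault classes, stability rules and action table above as one branch-level FDIR decision step: classify a windowed signature, apply per-class retry budgets (transients burn none), back off the cooldown on repeated trips, and write the log record. This is an added example, not the page's or any vendor's code; the limits, budgets and signature values are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not the page's or any vendor's code): one branch-level FDIR
 * decision step that classifies a windowed signature into the four classes
 * above, applies class-specific retry budgets with backoff, and fills a log
 * record. Limits, budgets and signature values are constructed. */

typedef enum { FDIR_TRANSIENT, FDIR_SOFT_FAULT, FDIR_HARD_SHORT,
               FDIR_SUSPECTED_SEL } fdir_class_t;
typedef enum { ACT_DEBOUNCE_CONTINUE, ACT_DERATE_TIMED_RETRY,
               ACT_DISCONNECT_COOLDOWN_RETRY, ACT_LATCH_OFF } fdir_action_t;

typedef struct {                 /* windowed signature from telemetry/protection */
    float    i_peak_100ms, i_avg_10s, v_bus, t_hotspot;
    bool     sustained_abnormal; /* protection integration window fired */
    uint32_t trips_in_window;    /* protection hits within the short window */
} fdir_signature_t;

typedef struct {
    float    i_soft_avg_a, t_limit_c, v_collapse_v;
    uint32_t soft_retry_budget, sel_retry_budget, repeat_trips_for_hard;
    uint32_t base_cooldown_ms, max_cooldown_ms;
} fdir_limits_t;

typedef struct {                 /* per-branch FDIR state */
    uint32_t event_cnt, retry_cnt, cooldown_ms;
    bool     latched, derated;
} fdir_branch_t;

typedef struct {                 /* log record: code + counters + snapshot */
    fdir_class_t  fault_code;
    fdir_action_t action_taken;
    uint32_t      retry_cnt, cooldown_ms, event_cnt;
    float         i_peak, i_avg, v_bus, t_hotspot;
} fdir_log_t;

fdir_class_t fdir_classify(const fdir_signature_t *s, const fdir_limits_t *l) {
    if (s->sustained_abnormal &&
        (s->v_bus < l->v_collapse_v || s->trips_in_window >= l->repeat_trips_for_hard))
        return FDIR_HARD_SHORT;    /* V collapses or repeated hits: contain now */
    if (s->sustained_abnormal)
        return FDIR_SUSPECTED_SEL; /* sustained abnormal current, bus still up */
    if (s->i_avg_10s > l->i_soft_avg_a || s->t_hotspot > l->t_limit_c)
        return FDIR_SOFT_FAULT;    /* long-window persistence without a trip */
    return FDIR_TRANSIENT;
}

/* Exponential backoff on the cooldown, capped so recovery stays bounded. */
static uint32_t backoff_ms(const fdir_limits_t *l, uint32_t prior_retries) {
    uint32_t ms = l->base_cooldown_ms;
    while (prior_retries-- && ms < l->max_cooldown_ms) ms *= 2u;
    return ms < l->max_cooldown_ms ? ms : l->max_cooldown_ms;
}

fdir_action_t fdir_decide(fdir_branch_t *b, const fdir_signature_t *s,
                          const fdir_limits_t *l, fdir_log_t *log) {
    fdir_class_t  cls = fdir_classify(s, l);
    fdir_action_t act = ACT_LATCH_OFF;   /* a latched branch stays latched */
    uint32_t budget = (cls == FDIR_SOFT_FAULT) ? l->soft_retry_budget : l->sel_retry_budget;
    b->event_cnt++;
    if (!b->latched) switch (cls) {
    case FDIR_TRANSIENT:        /* filtered; does not burn the retry budget */
        act = ACT_DEBOUNCE_CONTINUE;
        break;
    case FDIR_HARD_SHORT:       /* isolate branch, latch, keep the bus stable */
        b->latched = true;
        break;
    case FDIR_SOFT_FAULT:
    case FDIR_SUSPECTED_SEL:    /* bounded retries with growing cooldown */
        if (b->retry_cnt >= budget) { b->latched = true; break; }
        b->cooldown_ms = backoff_ms(l, b->retry_cnt);
        b->retry_cnt++;
        b->derated = (cls == FDIR_SOFT_FAULT);
        act = b->derated ? ACT_DERATE_TIMED_RETRY : ACT_DISCONNECT_COOLDOWN_RETRY;
        break;
    }
    /* every decision leaves a traceable record */
    log->fault_code = cls;            log->action_taken = act;
    log->retry_cnt  = b->retry_cnt;   log->cooldown_ms  = b->cooldown_ms;
    log->event_cnt  = b->event_cnt;
    log->i_peak = s->i_peak_100ms;    log->i_avg = s->i_avg_10s;
    log->v_bus  = s->v_bus;           log->t_hotspot = s->t_hotspot;
    return act;
}
```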
Figure F9 — Fault matrix card (detect / isolate / retry / latch / log) for four power fault classes
Power FDIR Fault Matrix: classify signatures with windows/trends, contain at branch level, recover with bounded retries.
Fault class | Detect | Isolate | Retry | Latch | Log
Transient | Window | None | Allow | No | Event + peak
Soft fault | Trend | Limit | Timed | Maybe | Code + avg
Hard short | Integrate | Branch off | No | Latch | Code + V/I
Suspected SEL | Repeat | Off | Cooldown | After N | Code + cnt
Recommended log fields: fault_code, retry_cnt, I_peak, V_dip, T, state_id
ALT: Fault matrix chart mapping four power fault classes to FDIR actions across detect, isolate, retry, latch, and log columns, plus a recommended log field bar (fault code, retry counter, peak current, voltage dip, temperature, and state ID).

H2-11 · Verification & qualification checklist: proving the bus power is space-ready

Goal: produce objective evidence that the 28–50 V bus power chain is predictable, fault-contained, recoverable, and measurable under electrical stress, thermal-vacuum conditions, and radiation-related upsets.

This checklist turns design intent into proof: startup determinism, inrush containment, load-step stability, SEL cut-off and safe retry, telemetry accuracy across temperature and aging, and power-side logs that support traceability.

Evidence goals: prove stability · prove containment · prove recovery · prove telemetry integrity · prove traceable logs

Acceptance logic What “done” looks like (evidence-driven)

  • Startup is deterministic: rail order, ramp behavior, and PG timing remain consistent across input extremes and thermal points.
  • Input stress is contained: inrush and line transients do not trigger unintended resets or bus-wide collapse; front-end filter/control interaction remains stable.
  • Fault behavior is bounded: SEL/overcurrent isolation is fast enough to limit energy, and retry policies are limited (cooldown + retry budget + latch conditions).
  • Telemetry remains decision-grade: current/power accuracy and drift are explainable (error budget) and verified across temperature and life margins.
  • Logs are sufficient for root-cause: every protection event records a power-side signature (pre/post V/I, counters, state, and cause code).
Figure F10 — Qualification ladder: Electrical → Thermal-Vac → Radiation & fault drills (evidence outputs)
Qualification Ladder (Bus Power Chain): each rung produces measurable evidence that maps to acceptance criteria. Level 1 — Electrical: inrush control, line transient, load step, PG & sequencing, filter stability. Level 2 — Thermal-Vac: hot/cold start, thermal path, derating verify, telemetry drift vs temp. Level 3 — Radiation & fault drills: TID drift, SET upset, SEL cut-off, retry policy, log audit. Evidence outputs: waveforms · tables · drift curves · event logs · sign-off items.
ALT: Three-level qualification ladder showing Electrical tests, Thermal-Vac verification, and Radiation & fault drills. Blocks include inrush, line transient, load step, PG sequencing, telemetry drift vs temperature, TID drift, SET upset, SEL cut-off, retry policy, and log audit, ending with evidence outputs for sign-off.

Checklist format Use an implementation-friendly test matrix

A qualification checklist is most actionable when every line item includes stimulus, measurement, pass/fail, and required log fields. The matrix below is a compact baseline that can be expanded per mission margins and power-domain criticality.

Test item | Stimulus | Measure & pass/fail evidence | Required power-side logs
Inrush containment | Worst-case C_in, cold start, max input, repeated startups | I_in peak & duration; bus droop; PG timeout count; no oscillation at the input filter/control interface | event_cnt, V_bus, I_in_peak, PG_state, state_id
Line transient | Step/impulse input changes across min/max input window | Output remains within regulation limits; recovery time bounded; no unintended latch/retry | fault_code, V_in/V_out snapshot, retry_cnt, latch_state
Load step stability | Fast load steps at multiple operating points | ΔV and recovery; PG remains stable (debounce works); no false OCP triggers | I_peak_100ms, I_avg_10s, V_dip, quality_flags
Sequencing robustness | Hot/cold start, varied load, repeated cycles | Order/ramp/PG gating consistent; timeout path correct; retry/backoff matches policy | state_id, rail_status, retry_cnt, timeout_cnt
SEL isolation drill | Controlled overcurrent injection to emulate latch-up energy | t_detect → t_off bounded; estimated cut-off energy bounded; cooldown then limited retries; latch after budget | fault_code, I_inst, t_off, cooldown_ms, retry_cnt
Telemetry calibration | Known current points across temperature plateaus | Offset/gain verified; drift tracked; range switching hysteresis prevents chatter; quality flags correct | range_id, cal_status, I_meas vs I_ref, temp
TID drift tracking | Periodic measurements at increasing dose points | Setpoint drift, protection-threshold drift, and telemetry drift remain within reserved margins | dose_step_id, V_out, thresholds, cal_coeff_version
SEE behavior mapping | Observe upset events and power-chain response | SET-like transients are filtered/debounced; SEL-like events produce fast cut-off and bounded recovery | event_cnt, V/I snapshots, classification, action_taken

Traceability Minimum log fields to make every trip explainable

Logs should be power-domain-native and sufficient for root-cause without requiring communication-protocol details. A recommended minimal set is listed below.

  • ID: branch_id
  • Time: timestamp
  • Cause: fault_code
  • State: state_id
  • Retry: retry_cnt
  • Latch: latch_state
  • V: V_bus / V_out
  • I: I_inst / I_peak / I_avg
  • T: T_hotspot
  • Quality: quality_flags

Best practice: store pre-trigger and post-trigger snapshots (fixed windows) so protection events can be reconstructed as evidence.

Parts Example part numbers to anchor the checklist (verify datasheets for program suitability)

The list below is a practical reference set to make the verification items concrete. Selection must be validated against mission dose, orbit environment, screening level, and procurement constraints.

Function in this page | Example parts (candidates) | Why it matters in qualification
Rad-hard DC-DC module | VPT SVRHF2800S (example series), Interpoint MOR series (example family) | Anchors efficiency/thermal-vac drift, output setpoint stability, and repeated startup determinism evidence.
SEL isolation / eFuse | TI TPS7H2201-SP, TI TPS7H2211-SEP | Anchors end-to-end cut-off time, cut-off energy, cooldown behavior, and bounded retry budget.
High-side current sense amplifier | TI INA901-SP, TI INA950-SEP | Anchors telemetry offset/gain drift verification and range strategy proof across temperature and life margins.
Supervisor / PG monitor | TI TL7700-SEP (example supervisor) | Anchors PG threshold stability, debounce/blanking robustness, and reset cause traceability.
Precision reference (telemetry chain) | ADI REF43-803 (space grade example), MSK109RH (rad-hard reference example) | Anchors long-term drift and “decision-grade” telemetry integrity through thermal-vac and TID steps.
Rad-hard MOSFET (power path) | Infineon IRHN7054 (example) | Anchors conduction loss vs temperature, fault isolation path characterization, and lifetime margin evidence.
External ADC (if applicable) | Microchip MCP37D31-RT200 (rad-tolerant example) | Anchors digitization stability for telemetry fields; this page keeps interface details out of scope.

Use part numbers as “verification anchors” (what gets tested and logged), not as a procurement recommendation list.


H2-12 · FAQs (Satellite Bus Power 28–50 V)

1. 28V vs 50V bus—what changes in converter stress and distribution loss?
Moving from 28V to 50V usually reduces distribution loss because the same power can be delivered with lower current, cutting cable and switch conduction losses. The trade is higher voltage stress on front-end protection and the primary converter stage, often requiring higher-rating switches, revised magnetics margins, and tighter EMI control. Qualification must re-check transients, inrush, and fault isolation timing.
Mapped topics: architecture tradeoffs, converter topology stress, protection and EMI implications.
2. Regulated vs unregulated bus—when is each safer for payload rails?
A regulated bus gives payload rails a predictable input window, simplifying downstream design and reducing brownout risk during source variation. An unregulated bus can improve system efficiency and simplify upstream control, but it pushes input tolerance and transient handling to payload converters. “Safer” typically means the power chain maintains stable sequencing and protection thresholds under worst-case source swings and load steps.
Mapped topics: bus tree placement, predictability vs efficiency, brownout and recovery behavior.
3. How does TID typically shift DC-DC output accuracy over life?
Total ionizing dose (TID) tends to shift DC-DC accuracy through reference drift, feedback network shifts, and control-loop parameter changes, which can move the output setpoint and protection thresholds over mission life. Efficiency may also degrade, raising temperature and accelerating additional drift. The practical mitigation is a margin stack (setpoint, load, thermal) plus verification at dose steps to prove remaining headroom.
Mapped topics: radiation constraints, derating/margins, drift tracking in qualification.
4. What’s the practical difference between SET and SEL for power systems?
A single-event transient (SET) is a short upset that can appear as a brief voltage dip, spurious comparator trigger, or controller glitch; it is often handled with filtering, debouncing, and bounded retries. A single-event latch-up (SEL) is a sustained overcurrent condition that can self-heat into damage unless energy is removed quickly. SEL therefore requires fast isolation plus controlled cooldown and retry limits.
Mapped topics: fault taxonomy, fast isolation chain, debounce vs cut-off policies.
5. How fast must SEL protection react, and what sets the threshold?
SEL protection must react fast enough that the delivered energy stays below the device and power-path safe limits; the needed response is usually set by thermal time constants and worst-case bus voltage. Threshold selection starts from measured normal peak current distributions and adds margin for temperature and ripple, then chooses an integration window to reject switching noise. The design is validated by cut-off time and energy evidence, not by a single number.
Mapped topics: detection chain (sense→decision→switch-off), threshold and window setting, evidence-based validation.
6. Foldback vs latch-off—what recovery policy avoids repeated brownouts?
Foldback limits current and can keep the bus alive through soft faults, but it risks prolonged undervoltage that repeatedly resets sensitive rails. Latch-off removes power decisively for hard faults and suspected SEL, preventing sustained brownouts and thermal escalation. A robust recovery policy uses cooldown plus timed retry with an attempt budget, and it escalates to latch-off with a persistent fault flag when signatures repeat.
Mapped topics: SEL/overcurrent behavior, FDIR action matrix, retry/backoff and escalation rules.
7. Why can an input EMI filter destabilize a DC-DC, and how to damp it?
An input EMI filter can destabilize a DC-DC when the filter impedance interacts with the converter’s input dynamics, producing oscillation or repeated startup because the converter can present a “negative incremental impedance” over some range. Practical damping uses series resistance, RC snubbers, or controlled filter Q, and it is proven by observing stable input current and bus voltage under load steps and line transients without PG chatter.
Mapped topics: front-end conditioning, stability proofs, measurable symptoms and damping tactics.
8. How to size inrush limiting so it won’t false-trip during cold start?
Inrush sizing begins with worst-case input capacitance and a target dV/dt, then selects a current limit that stays above legitimate cold-start peaks while keeping bus droop within bounds. Cold temperature increases uncertainty because device thresholds and resistances shift, and some loads draw higher startup current. Validation should include repeated cold starts at minimum input, logging peak current, PG timing, and any retry or latch events.
Mapped topics: inrush predictability, cold-start margins, repeatability evidence and logs.
9. What makes sequencing “deterministic” under temperature and load variation?
Sequencing is deterministic when rail order, ramp behavior, and dependency checks (PG gating, timeouts, thermal qualifiers) remain consistent across hot/cold conditions and load variability. Determinism requires defined debounce/blanking windows and explicit failure handling so that transient dips do not scramble the state machine. Proof comes from repeated startup runs showing stable timestamps, bounded variance, and correct transitions into retry or latch-off states when faults are injected.
Mapped topics: sequencing PMIC strategy, state machine evidence, debounce and timeout behavior.
10. High-side current sensing accuracy—what dominates error over temperature?
Over temperature, accuracy is typically dominated by shunt resistor drift and thermal gradients, plus amplifier offset drift and reference drift in the digitization path. Layout-induced temperature differences between shunt and amplifier can create apparent current error even when parts are “in spec.” A useful approach is an error budget that identifies dominant terms and a calibration plan that validates offset and gain at multiple plateaus, with quality flags for range and saturation.
Mapped topics: telemetry chain, error sources, calibration strategy and decision-grade accuracy.
11. How to cover mA sleep and A-level peaks without losing resolution?
Covering mA sleep and amp-level peaks usually requires segmented measurement: multiple shunts, dual-range gain paths, or parallel channels optimized for low and high currents. The key is stable range switching with hysteresis and filtering so noise and switching ripple do not cause “chatter” at boundaries. Qualification should verify continuity across ranges using known current steps, ensuring consistent readings and correct quality flags during transitions.
Mapped topics: dynamic range strategy, range switching robustness, continuity and evidence checks.
12. What qualification evidence proves a rad-hard power chain is mission-ready?
Mission-ready evidence combines three layers: electrical stress results (inrush, line transients, load steps, sequencing), thermal-vac verification (hot/cold start, derating, telemetry drift), and radiation-related behavior (TID drift tracking plus SEE-response drills). The most convincing proof shows bounded fault energy, correct isolate/retry/latch actions, and traceable logs with pre/post snapshots. Sign-off should reference waveforms, drift curves, and a completed action matrix.
Mapped topics: qualification ladder, fault drills, logs and sign-off artifacts.