Definition (mobile edge terminal)

• Mobile operating context: handheld/vehicle/field use with unstable input and mechanical motion.
• At least one bursty radio load: cellular or satellite TX bursts create rail droop risk.
• Always-on wake path: accel-wake/RTC/GPIO triggers domain bring-up and safe recovery.
• Ride-through requirement: short hold-up to avoid uncontrolled reset and data loss during dips.

Ownership → deliverables (this page must produce)

• accel-wake wake chain + debounce + false-wake evidence checklist.
• always-on AON power budget table + domain handover timing rules.
• hold-up sizing equation + constraints (ESR/temperature) + validation method.
• transients energy path diagram + top 3 waveforms to capture.
• brownout PG/RESET thresholds + delays + reset-reason logging fields.

Hard boundaries (sibling pages)

• GNSS RF / anti-jamming: only power/clock/enable sensitivity is referenced here → see GNSS Timing / Positioning Module.
• Cellular stacks / carrier certification: only TX burst power stress is referenced here → see LTE-M / NB-IoT / RedCap Terminal.
• OTA / PKI / attestation: only “safe power-down & log evidence” is referenced here → see Secure OTA Module / Edge Security Probe.

Evidence rule (mechanical audit)

• Every conclusion must map to power, timing, reset, wake, or logs.
• Any deep dive that requires RF or protocol internals is out of scope by design.
• Minimum evidence set: VIN(t), Vsys(t), key rails PG/RESET, radio status/log, reset reason.

Input sources (why they are untrusted)

• Vehicle 12/24 V: dips (crank), spikes (dump), hot-plug ringing, wiring inductance.
• Adapters: hot-plug + intermittent contact; quality variance; short dropouts.
• External battery pack: internal resistance + temperature drift; connector bounce.
• USB supply: cable drop + insertion dropouts (treated as an input type only).

Event classes (engineering grouping)

• Under-energy input drop • crank • brownout • intermittent contact.
• Over-energy load dump • surge • hot-plug overshoot/ringing.
• Fast-coupled EFT/ESD (very fast edges, coupling paths matter).
• Polarity reverse connection or negative transients (needs direction control).

Success criteria (pass/fail levels)

• L1 No reset: key domains remain up; radios stay stable during the event window.
• L2 Controlled reset: if reset occurs, it is explainable and recoverable via logs and sequencing.
• L3 No data loss: critical transaction completes (log commit / safe stop) within hold-up window.
• L4 Fast recovery: service returns within a defined time after input returns (timing-level only).

Minimum evidence set (top 3 checks)

• Waveforms: VIN(t), Vsys(t), and at least one burst rail (radio rail or main rail).
• Sequencing: PG/RESET timing (including debounce/blanking window).
• Traceability: reset reason + last-known minima + radio status snapshot in logs.

Domain model (three domains)

• Always-on (AON) RTC / AON controller or small MCU • accel wake • power monitor • minimal log storage.
• Active compute main MCU/SoC • memory • peripherals • application tasks (treated as load & state machine).
• Radios GNSS + cellular/satellite modem as boundary blocks: power / clock / enable / status only.

Who “manages power” (responsibility boundary)

• PMIC / Power tree: rail sequencing, PG generation, UV/OV decisions, fault flags, rail isolation.
• AON controller: wake arbitration, domain bring-up order, TX inhibit decisions under droop risk, evidence snapshots.
• Main SoC/MCU: controlled degrade (reduce load), transaction boundary (log commit), explainable recovery after reset.

Domain failure policy (designed behavior)

• AON must outlive others: it preserves reset reason + last minima + event counter.
• Radios are sacrificial first: if droop risk is detected, disable TX / power-cycle radio rail before the system rail collapses.
• Active compute is controlled: if a reset is inevitable, it becomes controlled reset with logs—not a silent crash.

Measurable sequencing (no protocol deep dive)

• wake_req (WAKE_INT) → rails_on (AON_PG / SYS_PG) → clocks_stable (CLK_OK/LOCK) → modem_on (RADIO_PG/READY) → service_ready (status snapshot).
• Each stage must have at least one observable pin/flag so “random reset” can be turned into a traceable timeline.

The 4 integration surfaces

• Power rails avg/peak/TX burst + startup inrush + allowed droop window.
• Clock TCXO/XTAL sharing boundary + “clock stable before TX” sequencing.
• Control EN/RESET/READY timing + AON-gated TX inhibit under droop risk.
• Coexistence isolation/return-path principles (no matching-network deep dive).

Typical failure chain (what to prove)

• MODEM TX burst → rail droop on Vradio or Vsys → GNSS unlock or system brownout/reset.
• Sat/cellular mode switching → transient current step → droop/glitch if sequencing or damping is weak.

Correlation recipe (fast root-cause)

• Trigger: TX_IND rising edge (or equivalent burst indicator).
• Waveforms: capture Vsys(t) + Vradio(t) on the same timebase; note droop amplitude and duration.
• Status: GNSS LOCK / MODEM READY + reset reason snapshot; check alignment with the droop window.

Minimum observable pins/flags

• MODEM: TX_IND, READY/STATUS, EN, RESET.
• GNSS: LOCK/STATUS, EN, (optional) CLK_OK/LOCK boundary flag.
• System: PG/RESET, fault flag from power tree, reset reason register.

Wake chain (measurable state machine)

• Wake source: accel motion trigger raises WAKE_INT (count + timestamp).
• AON arbitration: AON confirms (window + debounce), applies cooldown if noisy, then asserts WAKE_REQ.
• Rails on: PMIC brings up rails in order; AON_PG then SYS_PG must be stable before clocks/radios.
• Host handover: main MCU/SoC reads wake reason + minima snapshot and commits a short log record.

Debounce & false-wake control (integration level)

• Threshold + duration: treat motion as “event in a window”, not a single edge.
• Two-stage wake: INT → AON confirm → rails_on (prevents random bumps from powering the whole system).
• Cooldown window: repeated triggers within a short period enter a hold-off state to protect battery/hold-up budget.

Recommended bring-up order (protect power margin)

• 1) record wake reason in AON → 2) stabilize Vsys and PG → 3) ensure clocks stable → 4) boot active compute → 5) enable radios.
• Default rule: radio TX stays inhibited until Vsys margin is confirmed; avoid burst loads during early ramp.

Sleep current budget (bucket model)

• Power-tree IQ PMIC quiescent + monitoring.
• AON rail IQ LDO/buck quiescent + references.
• Sensor standby accel standby + interrupt logic.
• Retention/RTC timekeeping + minimal retention.
• Leakage & pulls ESD structures, pull-ups, dividers, cap leakage.

False-wake debug tree (symptom → evidence → first action)

• Symptom: wakes at rest → Evidence: WAKE_INT high count → Action: raise threshold / extend confirm window / add cooldown.
• Symptom: wake leads to rapid drain → Evidence: RADIO_EN early + burst indicators → Action: delay radio enable; enforce TX inhibit until PG stable.
• Symptom: wake loops or immediate reset → Evidence: SYS_PG oscillation + reset reason = brownout → Action: tighten PG debounce; verify hold-up & rail ramp margins.

Hold-up targets (three practical types)

• Endurance sustain operation for N seconds (no reset, service maintained).
• Transaction complete one commit/report or controlled shutdown (log consistency is the pass criteria).
• Momentary ride through 10–200 ms contact bounce (no unexplained reset).

Minimal sizing model (usable, not long)

• Cap energy: E = 1/2 · C · (Vhi² − Vlo²)
• Load energy: Eload ≈ Pload · thold / η
• Capacity: C ≥ 2·Eload / (Vhi² − Vlo²)
• Key definition: Vlo is the lowest voltage where PG/RESET policy still guarantees the intended outcome (transaction or ride-through).

Constraints that break hold-up (must be budgeted)

• ESR droop: ΔV = Ipeak · ESR can instantly cross Vlo during bursts. Radios should be shed first under droop risk.
• Low temperature: effective C drops and ESR rises; size for worst-case temperature or define a degrade mode.
• Precharge/inrush: uncontrolled charging looks like a short and can trigger brownout during hot-plug or intermittent contact.

Precharge strategy (does not fight input events)

• Rule 1: stabilize Vsys first, then allow cap charging with current limit.
• Rule 2: cap charge can be paused by AON during droop risk windows (hot-plug/bounce).
• Rule 3: defer high-burst behavior until cap and rails are in a stable state (TX inhibit gating).

Modular power entry (by responsibility)

• Direction & isolation: reverse protection + ideal diode (prevents backfeed, enforces current direction).
• Clamp & withstand: TVS/clamp paths limit peak voltage within downstream safe margin.
• Inrush & hot-plug control: controlled dV/dt + current limiting to tame harness L and input C ringing.
• UV ride-through boundary: UVLO + policy decides when to ride-through, degrade, or disconnect (no “mystery states”).

Event → countermeasure (energy outcome)

• Load dump: clamp energy + ensure downstream withstand/derating; confirm VIN peak stays inside margin.
• Crank / deep UV: ride-through via hold-up and degrade ladder; tune UVLO boundary to avoid reset loops.
• Hot-plug: limit inrush + damp ringing; avoid Vsys dip caused by Iin spikes.
• EFT/ESD: shunt via return path + placement; verify PG/RESET does not chatter and flags stay explainable.

Evidence & observability (pass/fail is measurable)

• VIN(t): event amplitude, duration, and ringing (what actually hits the connector).
• Vsys(t): system bus stability and threshold crossings (what the electronics live on).
• Iin(t) or limit state: inrush peaks and limiter engagement (whether “limit” truly happens).
• Fault/limit flags: protection IC status that matches the waveform (no silent failures).

Boundary (what this section stops at)

Focus is on functional blocks, energy outcomes, and measurement points. Certification procedures and standard clause walkthroughs are intentionally out of scope.

PG/RESET principles (what gates reset vs what only monitors)

• Hard gating rails: must participate in RESET gating because instability corrupts state or data (core bus, compute, critical memory rails).
• Soft monitor rails: degraded performance is acceptable; they should log faults without triggering chatter resets.
• Rule: fewer hard gates, but with stronger debounce; more monitors, but with explicit logging.

Blanking & debounce (stop glitch resets)

• Blanking window: ignore PG changes during known transition windows (hot-plug ramp, rail switching, controlled boot stages).
• Debounce: require stability for a minimum time before declaring PG valid/invalid (filters spikes and ringing).
• Rule: hard gating rails use stricter debounce; soft monitors can log transient anomalies without forcing RESET.

Degrade ladder under brownout (protect bus → data → recovery)

• Stage 1: reduce burst loads first (TX inhibit, delay radio enable) to stabilize Vsys.
• Stage 2: reduce compute/write risk (slow down, suspend risky writes) to protect consistency.
• Stage 3: controlled reset/shutdown when Vsys remains below boundary (avoid “mystery states”).

Traceable reset reason (minimum log fields)

• reset_reason from MCU/PMIC/SoC classification.
• Vsys_min minimum observed during the event window.
• PG_timeline compressed rail PG/RESET order evidence.
• radio_state TX inhibit / burst indicators.
• temperature for explaining margin shifts (ESR/C at low temp).

3-evidence priority template (copy/paste)

• Evidence #1 — Waveforms: VIN(t), VSYS(t), IIN(t) (or limiter state) + PG/RESET on the same capture.
• Evidence #2 — Pins/Flags: TX indicator, enable/reset pins, lock indicators, fault/limit flags (align behavior with droops).
• Evidence #3 — Logs: reset_reason, Vsys_min, PG_timeline, radio_state, temperature (minimum set for replayability).

Routing rules (fast split, no RF/protocol deep dive)

• If VSYS dips near the symptom window → start with burst-load + energy-path checks (inrush/limit/hold-up).
• If VSYS is stable but behavior fails → check enable/clock/reset ordering and debounce/blanking.
• If failures correlate with temperature → check margin shifts (ESR/C/UVLO boundary concepts) and record Vsys_min statistics.
• If “hang without reset” → suspect PG/RESET policy gaps or latched fault states; prove with flags + missing reset_reason.

Layered validation (what is proven at each layer)

• Layer 1 — Power event injection: drop, dip, surge, hot-plug, intermittent contact (energy-path validation).
• Layer 2 — Sequencing & reset policy: PG gating, blanking, debounce, controlled recovery (no mystery states).
• Layer 3 — Wake & sleep: false-wake rate, sleep current breakdown, deterministic wake handoff.
• Layer 4 — Radio power stress: burst loads via TX indicator/workload triggers; verify degrade ladder behavior.

Recommended tools/fixtures (brief)

• Oscilloscope (multi-channel) for VSYS + PG/RESET + TX indicator alignment.
• Programmable supply / event injector for dips/surges; electronic load for steps/bursts.
• Harness-L simulation (series inductance equivalent) to reproduce hot-plug ringing and inrush.
• Temperature chamber / cold plate to capture Vsys_min statistics across temperature.

Pass/fail writing rules (measurable, repeatable)

• Waveform criteria: VSYS must stay within window, or degrade ladder must trigger deterministically.
• Timing criteria: PG stable before RESET release; glitches do not cause resets (debounce works).
• Behavior criteria: Stage order is consistent (TX inhibit → stop risky writes → controlled reset).
• Evidence criteria: logs include reset_reason + Vsys_min + PG_timeline for every failure or recovery.