1) Distributed capacitance / HV filters → phase & transient illusions

Symptom: Riso “drops” right after a switching/topology event, then recovers without a persistent trend.

• Two evidences to capture Response feature: phase jump or τ shift (RC-shaped), not a stable DC shift.
  State correlation: occurs only around precharge/contactor/discharge transitions.
• First confirmation Compare estimates inside a stable-state window versus a transition window. If the “fault” vanishes in stable windows, treat it as C-dominant behavior and tighten gating.

2) dv/dt common-mode injection → saturation & phantom events

Symptom: sharp spikes, clipped readings, or comm errors aligned with contactor pull-in or high dv/dt activity.

• Two evidences to capture AFE quality flags: saturation/clip/over-range or noise-floor surge.
  Time alignment: event timestamps match contactor edges or dv/dt proxies.
• First confirmation Mark the interval as invalid and compare “saturation counter” before/after improved reference/shield routing. Reduced saturation with stable Riso indicates common-mode injection.

3) PCB surface leakage → high-impedance divider drift

Symptom: low Riso mainly in wet conditions, after cleaning, or when dust/film accumulates; improves after drying.

• Two evidences to capture Humidity correlation: Riso changes track RH/condensation events.
  Self-check shift: reference measurement or injection amplitude check drifts consistently.
• First confirmation Perform a controlled drying/cleaning contrast (short window). A repeatable recovery strongly indicates board-surface leakage rather than a fixed HV fault.

4) Temperature coefficient & aging → divider/isolator/source drift

Symptom: slow, repeatable offset across temperature cycles; hot vs cold start mismatch under the same HV state.

• Two evidences to capture Temperature mapping: same temperature → same bias (repeatability).
  Reference point drift: injection amplitude / divider ratio check shows consistent shift.
• First confirmation Hold HV topology stable and apply a mild temperature step (controlled warm/cool). If Riso bias follows temperature without “hard-fault” signatures, treat as drift and apply compensation/calibration.

5) Dirty reference (chassis bounce) → false insulation movement

Symptom: Riso oscillates under heavy return currents, braking/regen, or shield current changes, with no fixed leak found.

• Two evidences to capture Reference indicator: chassis/common-mode swing increases when the fault appears.
  Load correlation: aligns with high-current operating phases or shield/return path changes.
• First confirmation Improve the reference strategy (short, robust, single-point concept) and compare “reference-bounce metric” and Riso stability. If both improve, treat the prior alarm as reference-induced.

Event class A — Soft degradation (predictable trend)

Definition: Riso decreases slowly with stable validity; slope matters more than a single sample.

• Primary evidences Trend window: moving average + slope (dR/dt) under stable HV states.
  Context link: temperature/humidity/operating phase correlation to separate drift vs true leakage.
• Action & logging Warn and persist trend statistics: avg/min Riso, slope, validity ratio, and context snapshots.

Event class B — Intermittent fault (condition-triggered)

Definition: repeated short drops tied to moisture/vibration/harness motion or specific operating phases.

• Primary evidences Trigger clustering: repeats under similar state and environment cues.
  Quality separation: confirm “not clipped” (quality OK) before treating as real.
• Action & logging Alarm with burst logging: pre/post buffers around each event (timestamps, state, quality, short waveform/feature snapshots).

Event class C — Hard fault (rapid collapse / arc)

Definition: near-instant Riso collapse with high confidence; requires immediate escalation.

• Primary evidences Fast collapse: sharp drop that persists across immediate re-check windows.
  Supporting flags: protection activity / arc proxy / “valid reading” indicator (not a clipped artifact).
• Action & logging Trip and store the decision chain: trigger reason, state at trigger, quality flags, and output action result.

1) Define domains and place the isolation boundary

Goal: keep the measurement reference clean while still reporting to vehicle systems.

• Measurement domain: injection + high-Z sensing + estimator inputs (most sensitive to reference bounce and dv/dt).
• Control domain: validity gating, event classification, Warn/Alarm/Trip outputs (should remain stable even when comms are noisy).
• Comms domain: transceivers and cables (highest exposure to long-line interference).

2) Common-mode suppression: close the loop, don’t “absorb” it

CMTI is necessary but not sufficient; the loop geometry decides the outcome.

• CMTI tolerance: choose isolators that survive dv/dt, but treat this as durability, not suppression.
• Return-path control: prevent shield/return currents from sharing the measurement reference path.
• Evidence gating: if AFE clip/noise metrics rise during comm activity, mark data invalid and re-measure in a clean window.

3) Interface selection: pick by disturbance + bandwidth need

Interfaces serve the evidence chain (events vs diagnostics), not the other way around.

• Isolated CAN / RS-485: long wiring, high interference tolerance, reliable event reporting with modest bandwidth.
• Isolated Ethernet: when diagnostic bandwidth is required (logs, extended context, maintenance tools). Shield strategy must be explicit to avoid importing noise.

4) Watchdog & fail-safe: comms can die, evidence must not

When comms fail, the module should still protect, and the last event must remain recoverable.

• Self-sustain behavior: keep local classification and outputs active even when reporting stops.
• Local evidence record: store the last decisive event with timestamp, HV state, quality flags, and action result (small ring buffer is sufficient).
• Timeout policy: comms timeout triggers increased local logging and a clear “comms degraded” status without forcing nuisance trips.

1) Where transients enter (entry points)

Treat the source as an “entry point” problem, not a standards list.

• Pantograph / HV bus coupling: fast energy enters the HV domain and couples through filters and stray capacitance.
• Harness coupling: cabinet wiring injects disturbance into sensing references and control I/O.
• Shield/return path: common-mode currents shift the chassis reference and produce phantom insulation movement.

2) Protection that doesn’t ruin measurement

Protection parasitics can look like leakage or capacitance if not accounted for.

• Placement rule: absorb energy near the entry, then protect the barrier, then protect the AFE.
• Parasitic awareness: clamp leakage can reduce apparent Riso; junction capacitance can increase apparent Ceq and shift phase/τ.
• Make protection visible: expose a protection-activity proxy (or at least a “quality degraded” indicator) to the estimator/logs.

3) Layout rules for high-Z survival

High-impedance nodes fail from contamination and coupling long before components fail electrically.

• Guarding & spacing: guard rings on high-Z nodes; avoid long parallel runs near noisy nets.
• Creepage/slots/coating: use grooves/slots and conformal coating where contamination paths form.
• Isolation gaps: maintain barrier clearance and prevent field concentration at edges/corners.

4) EFT/Surge interpretation: decide with evidence, not with a single Riso sample

Transient events should be classified using quality + context, then confirmed with a clean-window recheck.

• Evidence #1 (quality): AFE clipping / noise metric / coherence drop indicates measurement corruption.
• Evidence #2 (context): HV topology state + transition window + protection activity proxy.
• First confirmation: re-measure in a stable window; if the estimate recovers and quality was degraded, treat as transient artifact. If it stays low with good quality, treat as real leakage/fault.

1) Closed-loop injection integrity (amplitude / frequency / open / short)

Goal: ensure the stimulus is correct and bounded, even when the HV network is abnormal.

• Amplitude & frequency check: verify injection magnitude and frequency/sequence against a tolerance window before using measurements.
• Open/short detection: identify injection-path open (no response) versus short/overload (protection activity or abnormal response).
• Energy bounding confirmation: ensure faults cannot turn the injection path into a hazardous energy source; if integrity fails, mark measurements invalid and raise a service flag.

2) Sensing chain self-test with known R/C reference

Goal: validate the divider/AFE/ADC/estimator path using a predictable equivalent network.

• Reference insertion: switch in a known resistor/capacitor network to emulate a stable R∥C target (maintenance window or controlled stable state).
• Response consistency: compare measured features (gain/phase or step response τ) to expected ranges and produce a Channel_OK flag.
• Quality scoring: record coherence/noise and saturation flags during self-test; rising residuals indicate degradation even if readings appear plausible.

3) Zero and drift management (temperature compensation + periodic verification)

Goal: prevent slow drift from being misread as a real insulation trend.

• Temperature compensation: correct predictable drift of high-value components and injection magnitude using temperature-aware calibration curves or tables.
• Periodic verification: trigger checks by runtime, temperature cycles, or moisture events; store results as traceable calibration records.
• Maintenance mode: allow longer windows and stricter gates when the vehicle is in a safe state; isolate “service measurements” from operational decisions.

4) Health KPIs (trust indicators that drive actions)

Goal: quantify credibility continuously and decide when to re-measure, downgrade confidence, or request service.

• Noise floor: rising noise suggests coupling/contamination; gate decisions or increase recheck windows.
• Saturation/clip count: indicates transient corruption; treat affected windows as invalid.
• Invalid ratio: percentage of time rejected by validity gating; persistent elevation implies gating or grounding strategy problems.
• False-alarm counter: repeated alarm→recover patterns imply intermittent coupling or threshold/timing mismatch.
• Temp/RH correlation score: strong correlation suggests board surface leakage or reference instability rather than a fixed HV fault.

1) Timestamp + sync quality (time credibility)

Why: cross-device correlation requires knowing whether time is trustworthy.

• Event time: record the event timestamp and time source (local vs synchronized).
• Sync quality: if PTP/GNSS exists, store lock/holdover status and a coarse quality indicator.

2) System state snapshot (topology validity)

Why: state defines whether the estimate is valid or in a transition artifact window.

• Contactor / precharge: states and transitions near the trigger.
• Traction enable: enable state to interpret dv/dt and operating phase correlation.
• Discharge path: discharge resistor/path state to explain step-like shifts.

3) Measurement triple (raw / filtered / confidence)

Why: a single Riso value cannot prove whether the event was real or corrupted.

• Raw features: store compact features (gain/phase or step response signature), not necessarily full waveforms.
• Filtered estimate: store the decision estimate (Riso filtered) and the trend window statistics if relevant.
• Confidence: store coherence/residual metrics and quality flags (clip/noise/invalid).

4) Trigger context (dv/dt, saturation, comm errors)

Why: context fields separate true insulation collapse from transient corruption.

• dv/dt proxy: switching/transition counters or an equivalent activity indicator.
• AFE saturation flag: clip/saturation counters to mark corrupted measurement windows.
• Comms error count: CRC/retry/timeouts to test whether reporting links import noise (ties to isolation strategy).

5) Action record (what happened after the trigger)

Why: field response is judged by outcomes, not just commands.

• Decision level: Warn / Alarm / Trip and the decision reason code.
• Outputs result: whether shutdown/degrade outputs succeeded (including feedback if available).
• Report result: reporting success/failure and comm state at the time of report.

6) Two-layer logging (trend vs event packet)

Why: trend supports maintenance; event packets support forensics.

• Trend log: low-rate baseline (avg/min Riso, slope, health KPIs, validity ratio).
• Event packet: high-value record with pre/post buffers around the trigger window.

Layer 1 — Bench (low-voltage equivalent R∥C network scan)

Purpose: map estimator error vs Riso and Ceq before moving to HV/transients.

• Measure: sweep R∥C equivalents (Riso range + multiple Ceq points), plus temperature points to verify drift compensation. Use a switchable reference network so the sensing chain can be exercised in a controlled window.
• Criteria: bounded estimate error across Ceq; confidence drops (invalid gate) when coherence/noise degrades; no threshold “chatter” near boundaries (Warn↔Alarm toggling rate must remain low).
• Must log: injection integrity (Injection_OK, amplitude/frequency), measurement triple (raw feature, filtered Riso, confidence), invalid reason code, noise floor and clip counters.

Example parts used commonly in bench builds (illustrative MPNs): HV divider resistors Vishay HVR37/Vishay VR68, precision HV sense amp isolation TI AMC1311, isolated ADC/modulator TI AMC1301, digital isolator ADI ADuM141E / Silicon Labs Si8661.

Layer 2 — HV rig (real HV + EFT/Surge + switching transients)

Purpose: verify nuisance suppression under the same transient entry/coupling paths seen on vehicles.

• Measure: apply EFT/Surge and controlled switching transients that drive dv/dt; test both “no real leakage” and deliberate leakage/ground-fault cases. Observe AFE headroom, barrier stress, and protection activity.
• Criteria: during transient windows, the system must gate invalid or defer decision; after the window, a stable recheck must recover normal Riso if no true fault exists. When a real leakage is introduced, escalation latency must meet the safety policy.
• Must log: dv/dt proxy / switching counter, AFE clip/saturation flags, comm error counters, recheck result (stable-window Riso + confidence), and action outcome (Warn/Alarm/Trip result).

Example protection & interface parts often used in HV rig prototypes (illustrative MPNs): high-power TVS Littelfuse SM8S series, GDT Bourns 2038 series (as applicable to entry paths), RS-485 surge protector Bourns SM712, isolated CAN transceiver TI ISO1042, isolated RS-485 transceiver ADI ADM2587E.

Layer 3 — On-train (wet/thermal/vibration routes + intermittent faults)

Purpose: validate intermittent fault capture, low false-alarm rate, and forensic completeness.

• Measure: correlate Riso trend/events with humidity/temperature and vibration-induced harness movement; include “intermittent” scenarios (moisture-driven surface leakage, harness rub points) rather than only hard shorts.
• Criteria: low nuisance rate (events per hour or per distance), high capture rate for intermittent faults, and complete event packets enabling post-run diagnosis without guesswork.
• Must log: timestamp + sync quality, state snapshot, measurement triple, trigger context, action record, plus aggregated KPIs (false-alarm counter, invalid ratio, recheck count, temp/RH correlation score).

Example time/telemetry building blocks (illustrative MPNs): PTP-capable Ethernet PHY TI DP83869, secure time source GNSS timing module u-blox ZED-F9T (system-level choice), robust local timekeeper NXP PCF2129.

1) Field cause taxonomy (turn event packets into root-cause labels)

Tag each return with a cause class and the minimum evidence required to support it.

• Harness wear / pinch: intermittent drops tied to vibration or door/roof movement; evidence: repeated events with stable confidence and consistent state context.
• Moisture / contamination: Riso correlates with humidity/temperature; evidence: strong temp/RH correlation score and elevated invalid ratio/noise floor.
• Insulation aging: slow monotonic trend with intact confidence; evidence: trend slope + stable quality metrics.
• Device breakdown: rapid hard fault; evidence: persistent low Riso with good coherence after stable-window recheck.

2) Threshold & window updates (by fleet / route / season)

Tune by segmentation to avoid “one setting breaks all vehicles.”

• Segmented tuning: define profiles by train type, line, and season (wet vs dry), with controlled activation conditions.
• Update order: adjust validity windows / debounce / recheck policy before touching safety trip thresholds.
• Guardrails: enforce hard bounds for any field-update parameter; if bounds are exceeded, require a firmware-controlled release.

3) Version boundaries (parameters vs firmware vs calibration data)

Prevent “fixing” by uncontrolled edits that destroy traceability.

• Parameters (field-allowed, low risk): examples: Warn threshold bands, debounce time, max recheck count, log verbosity (bounded + reversible).
• Firmware (governed release): estimator or gating changes require approval, regression (H2-11), and A/B rollback support.
• Calibration data (maintenance-only): updates only in maintenance mode, with integrity check and timestamp, never overwritten silently.

Example secure storage / integrity building blocks (illustrative MPNs): secure element Microchip ATECC608B, secure element NXP SE050, secure element Infineon OPTIGA Trust M, FRAM Fujitsu MB85RS64V, serial flash Winbond W25Q64JV.

4) “Do not fix into chaos” — five hard rules

Every change must preserve comparability and forensic value.

• Rule 1: every change references a set of event packet IDs (sample set) and the expected KPI outcome (false-alarm rate ↓, capture rate not ↓).
• Rule 2: changes must pass a minimum regression subset (bench + key HV-rig cases) before any fleet deployment.
• Rule 3: deploy in stages (pilot fleet → wider fleet) with monitoring gates and automatic rollback criteria.
• Rule 4: only a small parameter list is field-editable; trip thresholds and estimator logic are firmware-governed.
• Rule 5: calibration data updates are signed/checked and never overwritten without an audit record.