H2-1. What This PDU Page Covers (and What It Doesn’t)

This page treats the onboard PDU as a power-distribution + protection + evidence module. The goal is not to explain traction or signaling functions, but to make branch power behavior deterministic under real railway stress: inrush at power-up, hard/soft shorts, reverse connection, surge/lightning coupling, relay/contactor switching, and the telemetry needed to close the field-debug loop.

In the onboard power tree, the PDU sits downstream of the auxiliary power sources and DC buses and upstream of the loads. Conceptually, it is the “last mile” layer that decides whether a disturbance becomes a localized branch event or a whole-bus brownout.

The design intent throughout this page is simple: isolate the failing branch first, keep the shared bus stable when possible, and always emit enough evidence (reason codes + waveforms/peaks + counters) to classify the root cause without guesswork.

• Design: choose the switching/protection style (eFuse/high-side vs relay/contactor vs hybrid) so power-up, normal load steps, and fault isolation are repeatable.
• Validation: prove selectivity under abuse (short, overload, reverse, surge) and verify that the PDU logs the exact fault signature.
• Field debugging: distinguish “false trip” vs “true short” vs “thermal derate” vs “surge coupling” using telemetry and event context.

Out of scope here: traction inverter topology, motor control loops, CBTC/ETCS functional design, wayside I/O cabinets, or general EMC textbooks. Those belong to their dedicated pages.

H2-2. System Power-Tree Context: Where the PDU Sits

A rail PDU cannot be designed from voltage names alone. What matters is the disturbance profile of the upstream sources (interruptions, switchover gaps, overshoot, surge coupling) and the service continuity required by each downstream branch. This chapter establishes the power-tree context so later protection decisions (fast trip vs energy-limit, hiccup vs latch-off, precharge sequencing, and surge clamping paths) are anchored to clear system objectives.

Upstream sources typically include auxiliary converters, onboard batteries, and emergency supplies. Even if the nominal bus is stable most of the time, the PDU must be robust to three categories of stress:

• Switching transients: source switchover, load steps, contactor operations, and bus recovery slopes.
• Abuse faults: hard/soft shorts, overloads, reverse connection, and intermittent wiring faults (vibration/moisture).
• Surge coupling: long harness energy, common-mode injection, and lightning-related spikes that shift local reference potentials.

Downstream, branches should be grouped by service continuity rather than by “device type.” A practical hierarchy is: Vital (must remain powered or degrade safely), Mission (temporary loss is tolerated but must be logged), and Comfort (shed first to protect the shared bus). This hierarchy directly determines: the protection response style, retry policy, and what evidence must be recorded.

With this context, the PDU’s three responsibilities become measurable engineering targets: Switching (repeatable power-up and controlled isolation), Protection (branch-first selectivity without collapsing the bus), and Telemetry (fault signatures that allow unambiguous classification: true short vs false trip vs thermal derate vs surge-induced upset).

Practical consequence: if “one branch fault collapses the bus,” the issue is rarely a single component. It is usually a power-tree problem: selectivity thresholds, shared impedance/return paths, precharge timing, or missing evidence fields that hide the real trigger.

H2-3. Switching Elements: eFuse vs High-Side Switch vs Relay/Contactor

Switching elements in an onboard PDU are selected by system objectives, not by component labels. The decision must balance selective isolation (branch-first protection), service continuity (avoid bus-wide brownouts), and evidence availability (telemetry fields that classify real shorts vs false trips vs thermal derates).

When semiconductor switching is the right default

Semiconductor switching (eFuse / high-side switch) fits branches that require fast, repeatable protection with measurable behavior. It enables deterministic actions such as current limiting, timed fault qualification, controlled retry windows, and export of reason codes and peaks/minima for field diagnosis.

• Use eFuse-style protection when branch behavior must be policy-driven: limit curves, fault timers, retry counters, and clear trip reasons.
• Use high-side switching when remote on/off and basic protection are sufficient and a separate system layer handles deeper evidence/logging.

When relay/contactor switching is still required

Relays/contactors remain valuable for physical isolation, creepage/clearance constraints, and maintenance-safe disconnection. However, mechanical switching alone rarely delivers the telemetry resolution needed to classify transient events, so it often benefits from an electronic layer that records fault signatures and enforces selectivity at branch granularity.

• Prefer contactors for clear open/close states, safety audits, and high-energy isolation.
• Plan for diagnostics (coil health, weld suspicion, event counters) because mechanical behavior can be non-ideal under low bus voltage or vibration.

Hybrid channel: the common rail PDU pattern

A hybrid channel combines precharge (to control inrush), a contactor (for visible isolation), and an electronic branch protector (for fast selectivity + telemetry). This structure decouples three problems: controlled startup, safe isolation, and evidence-rich fault handling.

H2-4. Inrush, Pre-Charge, and Hold-Up: Don’t Trip Yourself

Many “mysterious trips” are not real faults. They are normal startup energy events that collide with protection thresholds. The PDU must separate legitimate inrush (capacitor charging and converter startup) from true short-circuit behavior. Without that separation, protection becomes a self-inflicted outage generator: the more sensitive the trip, the more frequent the false shutdown.

Where inrush comes from (as waveforms, not labels)

• One-shot charging: large input capacitors and EMI capacitance create a high peak that decays quickly.
• Startup loads: DC/DC and motor-driven auxiliaries draw elevated current for longer, often with step-like ramps.
• Harness resonance: long cables and filters can ring or inject common-mode energy, confusing simple threshold logic.

Precharge strategy: control the trajectory

Precharge is a trajectory control problem: limiting peak current is not enough unless the bus recovery slope and switching handoff are also controlled. Common rail patterns include resistor precharge followed by contactor closure, then staged branch enabling so the shared bus does not cross brownout thresholds for vital loads.

Protection style must follow service continuity

• Hiccup (auto retry): useful when brief recovery is expected, but requires cooldown windows to avoid oscillation.
• Foldback (energy-limited): maintains bus stability while bounding device stress during overload-like conditions.
• Latch-off: appropriate for non-critical branches or suspected hard faults, paired with clear reason codes and counters.

A robust restart policy prevents “bounce resets” where repeated retries keep the bus below thresholds. Use retry windows, thermal-aware cooldown, and classified counters so a transient event is not treated as a permanent short.

H2-5. Short-Circuit & Overload Protection: SOA, Fast Trip, Selectivity

Short-circuit and overload handling must be engineered around protection priorities and selectivity. In rail PDUs, the practical objective is not “maximum sensitivity,” but branch-first containment that prevents harness/connector damage and avoids collapsing the shared bus for other branches.

Protection targets (order matters)

• Harness & connectors: prevent thermal runaway and insulation damage.
• Switching device SOA: prevent secondary failures during fault energy handling.
• Load containment: prevent fault propagation and repeated stress.
• Service continuity: preserve vital branches through selectivity and controlled policies.

Fast trip vs energy-limited response

Fast trip is essential for hard shorts to minimize energy. Energy-limited control (I²t/SOA-aware limiting) is often superior for soft shorts and overload-like faults because it keeps the bus stable while bounding device stress. These are not mutually exclusive—an effective PDU uses fault classification and timed qualification to choose the right action.

Selectivity: engineering acceptance, not a slogan

• Time selectivity: branch protection acts before upstream bus-level protection, with margin.
• Energy selectivity: branch I²t remains within harness/connector limits and avoids bus droop crossing vital thresholds.

Fault types and what evidence is needed

• Hard short: high Ipk + rapid trip time.
• Soft short: limiting duration + temperature proxy trend.
• Overload: moderate overcurrent + long duration + thermal accumulation.
• Intermittent short: event counters + correlation to vibration/moisture + repeated V droop signatures.

Minimum evidence to log for each event (enables unambiguous field classification): Ipk, trip reason, trip time, bus V droop, Tj proxy, and retry count.

H2-6. Reverse Polarity, Backfeed, and Miswiring Defense

Maintenance and module replacement can temporarily turn a clean one-direction power tree into a multi-source OR-ing network. The risk is not only component damage. A more severe failure mode is de-energized illusion: a branch appears disconnected yet remains powered through a backfeed path, creating safety hazards, false trips, and confusing field symptoms.

Reverse polarity: block the direction, coordinate the energy

Reverse polarity defense should be treated as a layered strategy. Reverse blocking (ideal diode / back-to-back MOSFET) prevents reverse current while minimizing forward loss. For severe miswiring events, coordination with fuse/breaker elements is required so the system does not rely on semiconductor stress alone.

• Reverse blocking layer: prevents reverse current and protects internal rails from negative injection.
• Isolation layer: defines a verifiable off-state so a disconnected branch cannot remain energized.
• Evidence layer: logs voltage and event signatures that expose the actual backfeed direction.

Backfeed scenarios: three high-probability sources

• Parallel sources: two supplies are inadvertently OR-ed, allowing one to feed the other through a branch path.
• Service injection: external maintenance power energizes a branch and backfeeds upstream nodes.
• Energy loads: motor drives, storage, or large capacitors push energy back into the branch during shutdown or faults.

OR-ing and isolation: prevent “branch OFF but still live”

OR-ing and isolation design must ensure that an OFF command results in a measurable de-energized state. If isolation is only logical (software state) but not electrical, a branch can remain live through unexpected return paths. Practical defenses include reverse-blocking OR-ing, isolation placement near the hazard node, and off-state verification signals.

Field diagnosis: use voltage distribution to trace the backfeed path

A repeatable diagnostic method is to measure four nodes: bus input, PDU input, branch output, and load-side. Observe which node decays last after a controlled disconnect sequence. The node that stays high the longest typically indicates the backfeed source direction and the coupling path.

H2-7. Surge & Lightning: Clamps, Energy Paths, and Placement Rules

Surge protection is not achieved by adding more clamp parts. It is achieved by creating an intentional energy path that safely returns transient current without pulling the control reference or the shared bus into reset conditions. Layout and return routing often dominate part selection in determining whether the PDU survives and whether the system remains stable.

Where surge energy enters (PDU-relevant routes)

• Long harness injection: cable inductance and coupling deliver fast current spikes at the PDU input.
• Chassis/common-mode shift: structural potential changes move the local reference, disturbing sense and logic thresholds.
• Ground potential differences: return paths momentarily separate, producing unexpected voltage at control ground.
• External interfaces: maintenance or auxiliary interfaces can import transient energy into a branch network.

Define the protection target before choosing clamps

A PDU typically protects three layers: (1) input switching and branch protectors (eFuse/high-side/control drivers), (2) vital branch loads that must avoid brownout resets, and (3) sense/control references that must not see common-mode shifts. The clamp network must serve the layer that dominates the failure risk in the installation.

Clamp combinations (roles, not datasheet lists)

• TVS: fast peak clipping near sensitive nodes.
• MOV: energy absorption for larger transient portions.
• GDT: high-energy diversion toward chassis/ground (with trigger behavior).
• RC shaping: reduces dv/dt and ringing that can trigger false fault detection.
• Common-mode suppression: steers common-mode current into controlled return paths and protects measurement references.

Placement rules: make the discharge loop explicit

• Rule 1: every clamp must have a defined current loop: input → clamp → return point → input (minimize loop area).
• Rule 2: high-current discharge paths must be separated from sensitive sense/control reference returns.
• Rule 3: measure both sides: one point before clamping, one after clamping, to classify “surge event” vs “true fault.”
• Rule 4: verify that clamp action does not create a bus undervoltage that resets vital branches or chatters contactors.

Protection can still cause misoperation (and must be proven)

Typical rail symptoms include bus undervoltage resets due to clamp action, contactor chatter under reference shift, and eFuse false trips due to sensing disturbance. The PDU must log bus Vmin, Ipeak, trip reason, and timestamped events so surge-induced misoperation can be separated from genuine short-circuit faults.

H2-8. Relay/Contactor Drive: Coil Power, Demag, Weld Detection, Lifetime

Contactors and relays are the mechanical–electrical boundary of an onboard PDU. Many rail field incidents happen here because failure modes are intermittent and state-dependent: pull-in failures, coil chatter, slow release due to demagnetization choices, and welded contacts that create a dangerous “OFF but still live” condition.

Coil power: separate pull-in energy from hold energy

Robust drive strategy treats coil energization as two phases. Pull-in requires higher energy to overcome the air gap and spring force. Hold reduces power and heat, often via PWM hold or a lower steady current. If the shared bus droops during pull-in, the coil can enter the unstable region where chatter becomes likely.

• Pull-in phase: short high-energy window to guarantee closure under vibration and temperature spread.
• Hold phase: lower power with enough margin to prevent chatter during bus disturbances.
• Evidence to log: pull-in success time, coil brownout events, and chatter counters.

Demagnetization: clamp choice controls release time

The demag path (flyback handling) is a system decision, not a minor detail. A simple diode clamp reduces peak voltage but can make release slower. TVS clamping accelerates release by allowing a higher flyback voltage. Active clamping can target a controlled release window that satisfies safety timing without excessive EMI.

Weld detection: use multi-evidence consistency, not a single indicator

Welded contacts must be detected without confusing backfeed scenarios. A safe approach is to combine: command state, measured branch voltage/current, and optional auxiliary contact feedback. OFF command with sustained load-side voltage and current is stronger evidence than voltage alone.

• Command OFF but branch still conducts: sustained voltage + current → weld suspected.
• Open attempt leaves stable residual voltage: verify against backfeed signatures (H2-6) before declaring weld.
• Aux contact mismatch: state disagreement escalates the confidence level.

Lifetime & health: count what correlates with failure

• Total cycles: basic wear accumulator.
• Load-break cycles: higher stress than no-load switching.
• Thermal exposure: time above elevated temperatures increases coil and contact risk.
• Event counters: chatter, brownout, weld suspected, slow release flags.

Fail-safe: define the de-energized default and the recovery policy

Fail-safe behavior is a policy decision: which channels must default to OFF when drive power is lost, and what evidence is required before re-closing. A recovery policy should avoid repeated close-open oscillations when bus quality is poor.

H2-9. Telemetry & Event Logging: What to Measure So Field Debug Is Fast

Protection without telemetry is not a closed loop. An onboard PDU should produce a compact, consistent evidence set that can answer field questions quickly: was it a real short, a surge-induced misoperation, a brownout during pull-in, or a thermal derate that preserved the bus by design?

Must-have fields (minimal set that enables classification)

• Bus voltage: Vmin and droop duration (brownout proof).
• Branch current: Ipk and trip time (hard vs soft fault signatures).
• Switch temperature proxy: indicates SOA/thermal stress and derating cause.
• Trip reason: short / overload / UV / overtemp / surge event / weld suspected.
• State: OFF / PRECHARGE / ON / FAULT (same state model used across the page).
• Retry count: exposes oscillating restarts and policy-driven recovery.

Recommended fields (accelerate root-cause isolation)

• Line impedance estimate: indicates harness/connection degradation and correlates with surge sensitivity.
• Inrush signature: distinguishes normal charging from abnormal sustained overcurrent.
• Contactor health flags: pull-in success time, chatter count, slow release, weld suspected confidence.

Event triggers (what should generate a record)

• Protection events: trip, overload limit, latch-off, retry escalation.
• Supply quality: brownout/UV, restart loop detection, bus recovery failure.
• Surge indicators: clamp active, surge counter, abnormal V/I transient patterns.
• Mechanical health: weld suspected, coil chatter, pull-in fail, slow release.

Interfaces (names only; protocol details belong elsewhere)

Logs and telemetry are commonly exported via CAN, Ethernet, or RS-485 depending on platform integration. The value is not the bus choice, but consistent timestamps and context fields that stay aligned across subsystems.

H2-10. Derating, Thermal, and Enclosure Reality (EN 50155 Style Thinking)

Rail PDUs often live in sealed, vibration-exposed enclosures where airflow is limited. Reliability depends on treating temperature as a control variable: thermal paths must be understood, and protection must be coordinated with service continuity. A “protect everything immediately” policy can cause repeated outages; a staged derating policy can preserve vital branches while preventing damage.

Thermal path: device to carbody (the only heat exit)

• Junction → copper: local spreading and hot-spot management.
• Copper → enclosure: interface resistance dominates in sealed boxes.
• Enclosure → carbody: final sink; mounting and contact quality become reliability factors.

Derating strategy: thresholds, linear derate, staged shed

• Warning threshold: log peak temperature and time-above-threshold for maintenance evidence.
• Linear derate: limit branch current/power to keep bus stable while reducing stress.
• Staged shed: shed non-vital loads first; preserve vital loads as long as safe.
• Protect/shutdown: last resort when thermal path cannot remove heat.

Resolve “protection vs continuity” by grouping loads

Conflict is resolved by grouping channels (vital vs comfort) and assigning different derating policies. This prevents a single overheated branch from collapsing service for unrelated vital branches. Derating events should be recorded with the same timestamp and state fields used elsewhere so long-term patterns are visible.

Field feedback: make thermal history actionable

• Peak temperature records: quantify excursions that shorten lifetime.
• Thermal cycle counters: correlate expansion stress with intermittent faults.
• Time-at-derate: proves that the system preserved service by policy rather than failing randomly.

H2-11. Validation & Compliance Hooks (Rail Focus)

A rail PDU validation plan should be executable as a checklist and anchored in evidence. Passing is not only “no reset” or “no damage”. A stronger criterion is self-explainability: when a test fails, the PDU must provide enough telemetry to prove which mechanism caused the failure (surge clamp brownout, true short, miswire/backfeed, contactor chatter, or thermal derate).

Electrical abuse checklist (PDU-centric)

• Inrush / precharge: prove that inrush stays below the protection envelope, and that the state machine transitions (OFF→PRECHARGE→ON) are stable.
• Short / overload: prove fast trip or energy-limited behavior without collapsing the upstream bus; confirm selectivity (branch trips before bus).
• Brownout: prove that critical branches either ride through or fail in a controlled way; confirm there is no restart oscillation.
• Reverse polarity / miswire: prove reverse blocking and “de-energized verification” (a disconnected branch does not remain live via backfeed).
• Surge / lightning-like transients: prove the intended energy path (to chassis/return) and that clamp action does not trigger false trips or contactor chatter.

EMC interface points: PDU as both emitter and victim

• As an emitter: switching edges, loop area, and contactor demag spikes can radiate/conduct noise that disturbs local references and creates false trips.
• As a victim: common-mode currents, chassis potential shifts, and clamp-induced bus droop can upset sensing thresholds and state machines.
• Required hooks: clamp-active flag, bus Vmin + droop duration, trip reason, contactor chatter count, and state transitions around the event.

Mechanical environment: vibration-driven intermittent faults (and how to prove them)

• Intermittent short (vibration/moisture): short Ipk spikes, frequent retries, and location-dependent repetition. Evidence: Ipk distribution + trip time + retry burst pattern.
• Connector loosen / contact resistance: random droops and localized heating. Evidence: bus droop duration + impedance estimate proxy + temperature proxy trend.
• Rule: mechanical faults should be detectable from event clustering and evidence consistency, not from a single “fault bit”.

Example MPN hooks (reference parts to implement measurable, testable behavior)

The following MPNs are examples commonly used to build measurable protection, clamping, sensing, and secure logging in harsh environments. Selection must match the platform bus voltage, energy level, thermal design, and safety rules.

Test item → expected telemetry evidence → pass/fail symptom

Mobile note: the table scrolls horizontally to prevent page shift. The goal is “testable + explainable”, not “one-time pass”.