Working definition (engineer-first)

A Hybrid Fiber Panel for CCTV is a field-deployable fiber distribution point that combines: (1) link-health sensing (optical power and trend), (2) controllable switching/relay matrix (path selection, spare assignment, service bypass), and (3) audit-grade logging (power loss, tamper, switching, threshold events). The objective is to shorten MTTR by turning “fiber is a black box” into measurable evidence.

Deployment positions (and what changes technically)

• MDF / IDF (closet / comm room): higher port density, cleaner environment, emphasis on telemetry aggregation (NMS) and consistent labeling. Focus: maintainability + audit trail of patch changes.
• Pole cabinet / outdoor junction box: harsh transients, temperature swings, vibration. Focus: robust AFE stability, surge path control, reliable power-loss logging, and tamper inputs.
• Campus ring node / multi-building hop: link margin and path redundancy matter most. Focus: switch matrix capability (spare fiber, bypass), trend-based degradation detection, and event time-line clarity.

Own vs Reference (scope lock to prevent cross-page overlap)

• This page OWNS (deep coverage required): Optical-power AFE (PD/TIA/ADC + compensation), relay/switch matrix behavior (topology, insertion loss impact, fail-safe), Ethernet-managed MCU telemetry/control model, and event & power-loss logging (RTC, NVM, commit rules).
• This page REFERENCES ONLY (name-level): upstream PoE switch (power source only), NVR/VMS (alarm destination only), timing sync source (timestamp reference only).
• This page BANS (belongs to sibling pages): PoE PSE allocation/L2-L3 switching, camera ISP/encoding pipelines, platform ingest/storage/analytics, timing-network architecture.

When to use / when not to use (fast decision)

• Use this panel when: fiber health must be monitored (trend + thresholds), remote path changes are needed, and maintenance requires a defensible audit trail (power loss, cabinet open, switching, config changes).
• Do not use it when: the requirement is mainly port expansion or switching capacity (use a PoE switch), or when the objective is video recording/AI processing (use NVR/VMS/AI box).

What this chapter proves

The panel’s value is not “more ports”; it is observability: identifying whether a CCTV outage is caused by fiber margin, intermittent physical disturbance, tamper/patch changes, or power events—using measurable evidence at the distribution point.

Use cases (operational outcomes)

• Faster MTTR: turn “video down” into a ranked suspect list (optical step drop vs drift vs power timeline).
• Remote maintenance: switch to spare/bypass paths without a truck roll when switching rules allow it.
• Responsibility boundaries: prove whether the fault is upstream power vs local tamper vs fiber degradation.
• Auditability: provide a time-stamped event trail for outages, cabinet opens, and path changes.

Failure modes (field-realistic) mapped to panel evidence

• Degradation (slow): connector contamination, excessive bend radius, water ingress, splice aging, marginal optics.
  Typical panel evidence: optical power trend down, noise/variance rises, temperature correlation strengthens.
• Intermittent (fast): vibration, thermal cycling, loose patch cords, microbends, cabinet door movement.
  Typical panel evidence: step changes, bursty variance spikes, repeatable patterns vs temperature or door events.
• Tamper / unauthorized patching: cabinet open, fiber pulled, patch re-route, intentional disconnect.
  Typical panel evidence: door/tamper event + optical step drop + matrix/port state change log.
• Power events: brownout, backup failure, undervoltage resets, missing hold-up commit window.
  Typical panel evidence: power-fail record, reboot reason code, log-commit status, RTC continuity markers.

Evidence-first question (the discipline that prevents guesswork)

Ask: “What can be measured at the panel that is otherwise invisible?” If a hypothesis cannot be supported by at least two independent signals (example: optical power step drop + door-open event), it is treated as a low-confidence guess and should not drive field actions.

Minimum telemetry set (to make failures observable)

• Optical power per channel: average + variance (or short-window deviation) to separate drift vs intermittency.
• Temperature: for correlation (degradation that worsens with heat/cold is common in outdoor nodes).
• Door/tamper: to distinguish natural failure vs human intervention.
• Switch/matrix state: last-change time + source (local/remote) to avoid “mystery reroute”.
• Power timeline: power-fail event + reboot reason + log-commit status (proves whether evidence is complete).

What “link budget” means here (practical, panel-owned)

The panel does not “design the fiber network”; it must ensure the optical-power measurement chain stays accurate across the real operating envelope so that alarms, trends, and correlations remain trustworthy. This chapter defines what range to cover, where to sense, and which metrics make CCTV failures observable—without OTDR-style theory.

Optical power range you must cover (how to derive it safely)

• Define the effective measurement window: use the transceiver/receiver datasheet values as anchors: Rx sensitivity (low end) and Rx overload (high end). Your sensing path must remain meaningful across that band.
• Include the panel’s own impact: any inline tap adds insertion loss to the main path; do not “hide” it. Treat tap ratio + connector loss as part of the field budget.
• Protect both extremes: at the low end, noise floor and drift dominate; at the high end, AFE/ADC saturation can mask overload events. A saturated reading must be flagged (do not log it as a valid high-power value).
• Engineering rule-of-thumb (method, not fixed numbers): choose AFE gain and ADC reference so that the lowest expected sensing-branch power still produces stable statistics (avg + variance), while the highest expected does not silently clip.

Where to sense: inline tap vs near-receiver monitor (decision card)

• Inline optical tap (e.g., 90/10, 95/5): best for multi-channel, module-agnostic deployments.
  Trade-offs: insertion loss on the main path; sensing branch is weaker (needs better AFE).
• Near-receiver monitor photodiode: can minimize additional loss and reflect receiver-side overload more directly.
  Trade-offs: coupling to specific modules/mechanics; replacements can shift calibration and baselines.
• Choose inline tap when: field modularity and consistent telemetry across vendors matters.
  Choose near-Rx monitor when: insertion loss must be minimized and hardware is tightly controlled.

Metrics that matter for CCTV observability (what to compute and why)

• Absolute optical power: proves “near sensitivity” vs “overload risk” conditions.
• Delta over time (trend): detects slow degradation (contamination, water ingress, splice aging).
• Step vs drift classifier: step changes often indicate disturbance/tamper/loose patch; drift indicates aging/environment.
• Short-window variance: catches intermittency (vibration, microbends, door movement) that averages may hide.
• Variance vs temperature correlation: flags mechanical/connector sensitivity to thermal cycling in outdoor cabinets.

Implementation note: compute these on-window (e.g., seconds-to-minutes) and log only summarized statistics plus threshold crossings, not raw continuous samples (reduces storage and makes logs audit-friendly).

Calibration strategy (factory + field baseline, no textbook OTDR)

• Factory offset/gain: remove channel-to-channel component spread (PD responsivity, TIA gain, ADC reference). Store per-channel coefficients in NVM with CRC.
• Field baseline capture: after installation, record a stable-window baseline for each link (avg + variance + temperature). Baseline enables meaningful alerts even when absolute levels differ by link length/optics.
• Threshold design: combine absolute bands (sensitivity/overload anchors) with baseline-relative change (drift limit, step threshold, variance limit) to avoid false alarms.

Why this chapter is the “hard part”

Optical-power telemetry becomes useless if it is noisy, temperature-drifting, or disturbed by relay activity and cabinet EMI. The AFE must deliver stable, repeatable statistics (avg/variance/step detection) so that alarms map to real-world causes rather than measurement artifacts.

Photodiode (PD) selection: what matters for stable RSSI

• Responsivity: sets usable signal level at the low-power end (trend accuracy near sensitivity margin).
• Dark current: pushes the noise floor and long-term drift at very low optical power.
• Capacitance: directly affects TIA stability and noise trade-offs (higher C makes stability harder).
• Package + shielding: reduces ambient light coupling and EMI pickup in outdoor cabinets.
• Leakage paths: contamination/humidity can create parasitic leakage; keep high-impedance nodes protected and short.

Design intent: bandwidth is rarely the limiter; repeatability is. Choose PD and mechanics to keep readings stable over time.

TIA guardrails: stability, noise, and protection without guesswork

• Noise budgeting: ensure the RMS noise at the ADC input is small compared to the alarm band (prevents false steps).
• Stability vs PD capacitance: validate phase margin across PD tolerance + temperature; instability looks like “variance spikes.”
• Input bias/leakage control: bias currents and PCB leakage create slow drifts; treat input as a high-impedance sensor node.
• ESD/Surge protection: clamp at the correct boundary (connector/entry), not randomly near the amplifier; avoid adding large capacitance at the PD node.
• Gain switching (optional): use two gain ranges when dynamic range is wide; log the gain state with each measurement.

ADC + sampling: make “avg/variance/step” dependable

• Resolution: controls quantization steps; coarse steps can be mistaken as “drift” or “mini steps.”
• Sample rate: must be high enough to capture brief disturbances (relay switching, vibration-induced microbends).
• Statistics windows: compute avg (trend), variance (intermittency), and step detection (tamper/loose patch) on consistent time windows.
• Robust filtering: use median filtering to suppress spikes; use moving averages to stabilize trend; never hide saturation events.
• Data tagging: include flags for saturation, gain range, and temperature so logs remain interpretable months later.

Ambient/EMI coupling: layout rules that prevent “phantom alarms”

• AFE island: keep PD/TIA/ADC in a dedicated analog region with a controlled return path.
• Keepout from coils: relay coils and their drive loops must not share return impedance with the AFE.
• Guarding and shielding: guard high-impedance input nodes; add shielding/ground fences where needed.
• TVS placement: place protection at the correct entry boundary; avoid large parasitic capacitance on the PD node.
• Switching blanking (if needed): during relay transitions, optionally blank samples or tag them, rather than “averaging them away.”

Temperature compensation: co-located sensor + simple model

• Co-located temperature sensor: place near PD/TIA to capture the real drift source.
• Linear vs LUT: linear correction is sufficient when drift is near-linear; LUT helps when multiple drift sources compound.
• What to compensate: PD responsivity shift + TIA gain drift + ADC reference drift (document which are included).
• Validation: temperature sweep tests should show reduced baseline movement and stable variance bands.

AFE design checklist (pass/fail guardrails you can validate)

• Noise floor: low-power readings remain stable; variance does not dominate the alarm band.
• Drift control: compensated drift stays within the baseline band across expected temperature range.
• Relay immunity: relay actions do not create false “step drops” (or are tagged/blanked during transitions).
• Saturation handling: saturation is detected and flagged; logs never treat clipped data as valid telemetry.
• Calibration integrity: factory coefficients and field baseline are CRC-protected; invalid data forces safe behavior.

What this chapter owns (scope-locked)

The switch matrix is not “generic switching.” In a hybrid CCTV fiber panel it defines what can be re-routed, how paths are represented, and how switching is made safe and auditable. The goal is to enable maintenance and fault isolation while avoiding new failures (loss, bounce, cold-start mistakes).

What gets switched in hybrid panels (two distinct planes)

• Optical path switching: re-route the fiber signal itself using an optical switch module (e.g., 1×N or N×N optical matrix).
  Typical actions: spare fiber assignment, maintenance bypass, ring-node bypass.
• Electrical relays / switching: switch panel-owned electrical functions such as alarm I/O, enable lines, and service interlocks.
  Typical actions: isolate a subsystem, force a known-safe state, route an alarm output.

Keep the planes separate in design and logs: optical switching changes the signal path; electrical switching changes control/aux behavior.

Matrix topology (capabilities expressed as maintenance outcomes)

• 1×N (example 1×8): one inbound fiber can be mapped to one of many outbound options.
  Best for: spare assignment, controlled selection of a single critical path.
• N×N (example 4×4): multiple inputs and outputs can be re-mapped.
  Best for: reconfigurable distribution; requires stronger interlocks and audit controls.
• Ring protection bypass: a default bypass state can keep a ring alive during node maintenance.
  Best for: campus and multi-hop deployments where continuity matters more than local service.
• Spare fiber assignment: reserve fibers become remotely assignable resources.
  Best for: rapid recovery when a primary path degrades.

What switching can break (risk map → observable checks)

• Insertion loss / margin erosion: each switch element and connector can reduce optical margin.
  Check: compare optical-power statistics before/after switching and enforce a path loss budget.
• Contact bounce / transient mis-states (electrical): relay transitions can create false alarms or brief control glitches.
  Check: debounce + “switching window” tagging; do not treat transitions as stable states.
• Contact aging (electrical): repeated cycling can increase resistance and instability.
  Check: switch-cycle counters + maintenance thresholds + “unstable state” flags.
• Cold-start default state mistakes: after power loss, an unsafe default mapping can cause widespread outage.
  Check: enforce a fail-safe mapping at boot and require validated config before enabling switching.
• EMI coupling into sensing: relay coil drive loops can corrupt optical AFE readings.
  Check: layout keepout + sample blanking/tagging during switching events.

Safe switching rules (the minimum SOP that prevents escalation)

• When to switch: prefer maintenance windows; avoid switching during unstable power, abnormal temperature, or when audit logging is unavailable.
• Interlocks: prevent conflicting mappings; enforce “one resource → one owner” and block illegal topologies.
• Confirm state readbacks: after switching, read back the matrix state and verify link-health indicators (optical power and stability).
• Audit every action: log before/after mapping, operator source (local/remote), timestamp, and sequence counter.
• Rollback policy: if post-switch checks fail within a defined window, revert to a safe default mapping and log the rollback.

Control plane in one sentence

The MCU is the panel’s control and evidence engine: it gathers sensor data, enforces switching rules, maintains counters and logs, and publishes a consistent management interface over Ethernet.

MCU + Ethernet PHY: practical architecture boundaries

• MCU responsibilities: acquisition, statistics, policy/interlocks, event logging, and management endpoints.
• Ethernet PHY role: stable network connectivity for management traffic and event export.
• Multiple ports (if present): treat as mgmt/uplink roles only. Avoid complex switching features unless the hardware explicitly includes them.

Management interfaces (what each one should expose)

• Web UI: configuration, manual switching, dashboards, and audit views.
• SNMP: periodic polling of stable counters and telemetry (optical power stats, temperature, door/tamper, relay state).
• Modbus/TCP: register-like status and alarm integration for building/industrial systems.
• Syslog (event export): time-ordered events (power loss, door open, switch executed, threshold crossing) for audit trails.

Design rule: Telemetry is periodic summarized statistics; Events are discrete records with timestamp + sequence counter.

Minimum telemetry set (structured so it remains useful months later)

• Per-channel optical telemetry: average power, short-window variance, optional min/max, plus flags (saturation, gain range, cal valid).
• Environmental: temperature (and humidity if available) to support correlation and drift interpretation.
• Physical security: door open / tamper input state with event timestamps.
• Matrix / relays: current mapping, relay states, and last-change markers.
• Power health: brownout/power-fail indicators, reboot reason, and “log commit status” markers.
• Audit primitives: RTC/time-valid status, configuration version, configuration CRC OK, and a monotonic sequence counter.

Events: what must be logged (and why)

• Switch executed: before/after mapping, operator source (local/remote), success/fail, confirmation readback.
• Threshold crossing: which metric crossed (trend/step/variance), channel, and the current temperature.
• Door/tamper: open/close transitions and duration windows.
• Power loss / brownout: detection time, commit result, reboot reason (if reset occurred).

Each event should carry timestamp and sequence counter so gaps and replays are detectable.

Update strategy (high-level security basics, no protocol deep dive)

• Signed firmware: only authenticated images can run.
• Config integrity: store configuration with CRC and versioning; reject corrupted configs at boot.
• Rollback protection: prevent downgrades or fall back to a known-safe image/config if validation fails.
• Audit updates: log update start/end, version change, and validation result.

Why “power-loss logging” is non-trivial

A hybrid fiber panel is often deployed in cabinets where power quality is imperfect. If the panel loses power, the worst outcome is not just rebooting—it is producing ambiguous or incomplete logs. The design goal is to guarantee a predictable time window to flush events, write a commit marker, and restart with a verifiable “what happened” record.

Typical power inputs (kept scope-tight)

• 12–24 VDC (most common in field cabinets and poles)
• Optional PoE-powered auxiliary used as power-only input (no PoE allocation logic here)

Design rule: treat all inputs as “can disappear abruptly.” Log reliability must not depend on graceful shutdown.

Power domains (who must stay alive the longest)

• MCU / Ethernet PHY domain (critical): must stay alive long enough to detect droop and complete log commit.
• Storage / RTC domain (critical): must support deterministic writes and preserve time validity.
• Relay / driver domain: should be frozen (no switching) once droop is detected to avoid mis-states.
• Analog AFE domain: can be sampled for a last “evidence snapshot,” but does not need to run indefinitely.

Hold-up choices (engineered for a reliable commit window)

• Supercap hold-up: great for short, frequent interruptions.
  Guardrails: controlled charging (inrush), ESR/aging margin, and a “hold-up ready” flag.
• Small Li backup: supports longer retention but requires more health management.
  Guardrails: charge control, UV protection, temperature protection, and a battery health metric.
• OR-ing / ideal diode: prevents reverse feed and makes input transitions predictable.
• Brownout detection: must trigger before the MCU collapses, so the firmware can enter a controlled commit sequence.

Hold-up is not for “keep running.” It is for “finish a verifiable commit.”

Power-loss sequence (the minimum reliable state machine)

1. Detect droop: rail monitor / power-good fails → enter power-loss mode.
2. Freeze risky actions: lock switching; tag telemetry as “power event window.”
3. Flush log: write pending events and key snapshots from RAM to non-volatile storage.
4. Commit marker: update the ring-buffer commit pointer (or commit record) so “last valid record” is provable.
5. Safe shutdown: enter lowest safe state until power is fully lost.
6. Boot reason on return: after restart, record boot reason + last power-loss stage + commit status.

Evidence to record (so root cause is provable)

• Power event ID + trigger rail (what condition fired droop detection)
• VIN / rail at trigger + minimum rail observed (if available)
• Hold-up ready (was the reservoir actually charged/healthy before the event?)
• Flush completed (0/1) and commit sequence (the last fully committed record)
• Last operational snapshot (matrix mapping + key status flags)
• Time validity + time uncertainty (if RTC/timebase is not guaranteed)
• Boot reason and unclean shutdown marker (if commit did not finish)

Goal: logs that are actionable and defensible

Logging is only useful if it answers two questions under stress: What happened? and Can the timeline be trusted? This chapter defines a minimal event taxonomy, integrity mechanisms, and a forensic workflow to separate fiber issues from power or tamper events.

Event taxonomy (grouped by what it proves)

• Optical link evidence: threshold crossings, sudden steps, variance spikes, temperature-correlated drift.
• Switching & configuration: matrix switch executed (before/after), config change (version + CRC), operator source.
• Physical security: door open/close, tamper asserted, abnormal open-close bursts.
• Power & reboot: brownout/power fail, unclean shutdown, reboot reason, commit status on boot.

Integrity basics (minimum set that survives field reality)

• Monotonic sequence counter: every record increments a seq# so missing or replayed records are detectable.
• CRC per record: detects corruption (partial writes, noisy storage) at the record boundary.
• Ring buffer + commit marker: “last valid record” is provable even after sudden power loss.
• Optional HMAC/signature (brief): adds tamper resistance for compliance-driven deployments.

Trust comes from verifiable structure (seq# + CRC + commit), not from “more logs.”

Timekeeping (be honest when time is uncertain)

• RTC with hold-up: keeps continuity across short power gaps.
• Sync source reference: record the time source name (e.g., NTP/PTP/manual) without protocol deep dive.
• Time validity + uncertainty: if time is not guaranteed, log a time_valid flag and an uncertainty field so audit users do not infer false precision.

Forensic workflow: prove “fiber issue” vs “power issue”

1. Check power window: look for brownout/power fail/reboot events in the same time slice.
2. If no power events: use optical step/threshold/variance + temperature correlation to classify degradation vs intermittent.
3. Check human/tamper path: door/tamper and matrix switching events can explain sudden topology or link changes.
4. Verify completeness: use sequence counter continuity + commit marker to confirm the timeline has no gaps.

Minimal log record fields (so every event is self-contained)

• timestamp + time_valid + time_uncertainty
• seq# (monotonic)
• event_id (taxonomy key)
• channel (or target object)
• value/payload (measured value or state transition)
• CRC (record integrity)
• prev_hash (optional) for tamper-evident chaining

Validation intent (EEAT: measurable pass criteria)

This plan is designed to produce repeatable evidence that the panel’s three core functions are trustworthy: (1) optical sensing, (2) switching behavior, and (3) power-loss logging integrity. Each test defines what to stimulate, what to measure, and how to decide pass/fail.

Bench tests (prove the fundamentals first)

• Optical sensing chain: calibration points, linearity, noise floor, step response.
• Switching behavior: insertion-loss delta, repeatability, readback correctness.
• Power-loss logging: brownout injection, hold-up margin, commit marker validity after abrupt cutoff.

Environmental tests (prove stability under stress)

• Temperature sweep: optical drift vs temperature, false step/threshold triggers, compensation effectiveness.
• Vibration / handling: intermittent variance spikes, connector microbend sensitivity, repeatability of detection.
• Humidity exposure (if relevant): slow drift patterns and noise changes correlated with environmental sensors.

Rule: environmental results must be reported as before/after statistics, not anecdotes.

Field acceptance tests (prove “install-ready” behavior)

• Baseline capture: record initial optical baseline per channel and confirm time validity status.
• Controlled disturbance: small bend/connector touch → confirm the panel detects a step/variance change and logs an event.
• Safe switching: execute a planned switch and verify mapping + post-switch optical margin checks.
• Power interruption drill: short outage → confirm flush/commit completeness + boot reason on return.

Optical sensing validation (what to measure and what “good” looks like)

• Calibration points: verify multiple attenuation points across the working dynamic range.
  Measure: expected vs measured power, gain range, cal_valid flag.
• Linearity: sweep optical input and evaluate worst-case residual vs fitted response.
  Measure: max non-linearity error, saturations, gain switching boundaries.
• Noise floor: hold a stable optical level and compute short-window RMS/variance.
  Measure: variance statistic used by the firmware (same window as field detection).
• Drift vs temperature: sweep temperature and quantify drift slope and compensation effectiveness.
  Measure: raw_power vs comp_power, temperature, time_valid/uncertainty.
• Step response: apply a controlled step with an attenuator and measure detection latency and settling behavior.
  Measure: step_detect_time, stability time, false-trigger rate.

Switching validation (matrix behavior that must be provable)

• Insertion loss delta: measure optical loss before/after switching for the same source path.
  Pass criteria: delta loss stays within an allocated budget.
• Repeatability: cycle the same switch path multiple times and check loss distribution + state readback.
  Pass criteria: success rate, low variance, and zero illegal mapping states.
• Fail-safe on power cycle: force power cycles and confirm the panel returns to a known-safe mapping.
  Pass criteria: safe mapping on boot + switching locked until config integrity checks pass.

Power-loss logging validation (trust under abrupt cutoff)

• Brownout injection: ramp down VIN with different slopes to test droop detection timing.
  Pass criteria: droop detection always leaves enough flush+commit window.
• Hold-up margin: measure the worst-case time available for log flush and compare to write time + margin.
  Pass criteria: flush_completed=1 and commit_seq advances reliably across repetitions.
• Corrupted log recovery: force mid-write interruption and validate commit marker points to last valid record.
  Pass criteria: CRC rejects partial records; seq# continuity detects gaps.

Panel-level EMC/surge sanity checks (no standards lecture)

• ESD points: enclosure, connectors, shield points, and exposed metal near fiber terminations.
• EFT/burst: supply input and relay-driver adjacency.
• Surge path sanity: verify return paths do not inject noise into optical AFE measurement or cause spurious events.

Evidence focus: no false optical step alarms, no repeated brownout resets, and no missing commit markers during disturbances.

Deliverable format (recommended)

• Test matrix table: Test ID, setup, stimulus, measure, pass criteria, evidence artifact.
• Minimum tools list: optical attenuator or controlled source, bench PSU + droop injector, log capture PC/NMS, basic meter/scope (optional).

Playbook intent: fastest isolation using panel evidence + simple tools

The goal is to resolve common failures using the panel’s own evidence chain: optical power statistics, matrix state/readback, door/tamper, and power/log integrity markers. Each symptom follows a repeatable decision pattern.

Common pattern (apply to every symptom)

1. First 2 checks: verify two high-value signals before touching anything.
2. Discriminator: decide between two likely root-cause buckets using measurable evidence.
3. Isolate: perform the smallest reversible action to localize the issue.
4. First fix: apply the lowest-cost fix that restores margin and leaves an audit trail.

Symptom A: “Video drops only at night / cold”

• First 2 checks: optical power trend vs temperature; variance statistics during the drop window.
• Discriminator: drift correlated with temperature → microbend / mechanical stress / connector contamination.
• Isolate: reduce bend stress, re-seat patch cord, inspect and clean connector end-face; compare optical baseline after action.
• First fix: strain relief + routing correction + cleaning; optionally move to spare fiber and log the before/after loss delta.

Symptom B: “Random disconnects, power looks fine”

• First 2 checks: optical sudden step events; door/tamper log near the same time.
• Discriminator: step aligned with door-open/tamper → patch change or unauthorized handling.
• Isolate: verify matrix mapping vs physical patch, check for recent switch events or config changes, lock cabinet if needed.
• First fix: restore correct patch/mapping; enforce audit policy (log every switch, require confirmation readback).

Symptom C: “After switching path, link never recovers”

• First 2 checks: matrix state + readback; post-switch optical loss delta vs pre-switch baseline.
• Discriminator: state shows switched but loss delta is large → bad port / switch element / incorrect mapping.
• Isolate: rollback to last known-good mapping; re-apply switch once; compare repeatability; identify the failing port.
• First fix: disable the bad port in configuration, reassign fiber, or replace the switch module; keep an audit record of the change.

Symptom D: “Power outage happened but logs are missing”

• First 2 checks: commit marker / commit_seq and flush_completed status; boot_reason + unclean_shutdown flag.
• Discriminator: commit not advanced → droop detection too late, threshold too high, or hold-up window too short.
• Isolate: reproduce with controlled droop if possible; verify the flush window margin and whether switching was frozen in time.
• First fix: increase hold-up capacity, trigger droop earlier, reduce write time, and enforce commit marker integrity checks at boot.

How to use this BOM list (examples, not a catalog)

The part numbers below are example MPNs that match typical hybrid fiber panel needs: optical-power sensing, switch/relay control with readback discipline, Ethernet-managed telemetry, and power-loss-safe audit logging. Each block includes panel-specific guardrails and what to pin in the spec.

Scope reminder: upstream PoE switching, NVR/VMS ingest, and timing stack details are referenced by name only and are not selected here.

1) Photodiode (Si PD) + TIA / AFE (optical RSSI sensing)

Panel-specific guardrails: temperature drift and leakage can look like slow fiber degradation; relay/PHY noise can masquerade as variance spikes; PD capacitance + protection parts can destabilize the TIA.

• Pin these specs: PD dark current & capacitance, shielding/stray light control; TIA input bias/leakage, noise density, stability with capacitive source; ESD strategy that does not add large leakage.
• Layout rule: keep AFE as an “island” away from coils/DC-DC; single-point analog return and short PD node.

Example MPNs (PD):

• Vishay BPW34 (widely available Si PD; good for general RSSI monitoring)
• ams OSRAM SFH 229 (compact Si PD option; choose package by mechanical/shielding)
• Hamamatsu S1226-44BQ (higher-performance Si PD class; use when low leakage/stability matters)

Example MPNs (TIA / op-amp suitable for PD-TIA):

• Texas Instruments OPA380 (photodiode amplifier family; stable TIA use cases)
• Texas Instruments OPA381 (same family variant; choose by bandwidth/noise window)
• Analog Devices ADA4530-1 (ultra-low input bias class; useful when leakage dominates)

2) ADC (external, if not using MCU ADC)

Panel-specific guardrails: RSSI monitoring is typically low bandwidth; prioritize repeatability and low noise over raw sample rate. Reference drift and ground return can corrupt absolute power readings.

• Pin these specs: effective resolution / noise-free counts, reference stability, input range matching TIA output, channel count vs AFE scaling.
• Firmware tie-in: align sampling window and filtering with “variance/step” detection used in field logs.

Example MPNs:

• Texas Instruments ADS1220 (low-speed high-resolution ΔΣ; good for stable sensing)
• Texas Instruments ADS1115 (common 16-bit I²C ADC; define noise/offset guardrails carefully)
• Microchip MCP3424 (multi-channel ΔΣ ADC option; useful for several optical channels)

3) MCU with Ethernet MAC (control plane + telemetry + logging)

Panel-specific guardrails: must support deterministic power-loss state machine (flush/commit), stable counters, and secure-ish update basics (signed firmware/config CRC/rollback discipline).

• Pin these specs: Ethernet MAC availability, SPI/I²C count (NVM/RTC/sensors), enough RAM for log buffering, watchdog + reset-cause visibility, low-latency interrupt handling.
• Evidence fields: boot_reason, unclean_shutdown, commit_seq, config_crc/version, time_valid/uncertainty.

Example MPNs:

• STMicroelectronics STM32F767ZI (Ethernet MAC MCU class; strong ecosystem for managed devices)
• Microchip ATSAME70Q21B (Ethernet MCU family; industrial deployments common)
• Texas Instruments TM4C129ENCPDT (Ethernet MCU family; useful for telemetry + web/SNMP stacks)

4) Ethernet PHY (10/100BASE-TX typical)

Panel-specific guardrails: cabinet ESD/surge coupling is real; PHY-side noise and return currents must not pollute the optical AFE. Choose robust PHY + magnetics strategy.

• Pin these specs: supply noise tolerance, ESD robustness (system-level with protection), link status behavior, clocking requirements, strap options for deterministic bring-up.

Example MPNs:

• Texas Instruments DP83825I (industrial Ethernet PHY class; common for managed edge devices)
• Microchip KSZ8081RNA (widely used 10/100 PHY option; ensure ESD/magnetics design)
• Analog Devices ADIN1200CCPZ (industrial PHY class; good robustness tier)

5) Relay / coil driver + protection (matrix actuation)

Panel-specific guardrails: coil flyback and switching transients can corrupt optical sensing; cold-start default state must be safe and logged; switching should be locked during droop window.

• Pin these specs: per-channel current, integrated clamp vs external diode strategy, thermal at max duty, diagnostic/readback needs, fail-safe default mapping.
• Protection note: clamp choice affects EMI and return currents—keep coil energy out of AFE ground.

Example MPNs (drivers):

• Texas Instruments ULN2803A (8-channel Darlington low-side driver; simple multi-relay drive)
• Texas Instruments TPIC6B595 (power shift-register sink; neat for many coils with controlled logic)
• Texas Instruments TPS272C45A (dual high-side switch class; useful for power lines/enable lines with protection)

If using high-channel-count relay matrices, consider “driver + latch/shift” architecture to keep control deterministic during brownout.

6) Non-volatile memory for logs (FRAM/EEPROM) + RTC

Panel-specific guardrails: power-loss logging needs predictable write time. EEPROM page write latency can exceed the flush window; FRAM is often better for commit markers and frequent writes.

• Pin these specs: write time (worst-case), endurance, interface speed, data retention, and behavior under sudden cutoff.
• RTC rule: always log time_valid + uncertainty; do not imply precision when power/time sync is uncertain.

Example MPNs (FRAM / EEPROM):

• Infineon/Cypress FM24CL64B (I²C FRAM; fast writes and high endurance)
• Fujitsu MB85RS64V (SPI FRAM; good for deterministic commit behavior)
• Microchip 24LC256 (EEPROM baseline option; must budget page-write latency)

Example MPNs (RTC):

• Analog Devices / Maxim DS3231M (temperature-compensated RTC class; stable for audit timelines)
• Microchip MCP79410 (RTC with timestamp features; pair with hold-up strategy)
• NXP PCF8523T (common RTC option; define drift/uncertainty policy)

7) Power: buck regulators, ideal diode / eFuse, supervisor, supercap charger

Panel-specific guardrails: power tree partitioning is mandatory (AFE vs coils vs PHY). Droop detection must occur early enough to flush logs. If using supercaps, inrush control is not optional.

• Pin these specs: buck ripple/noise, protections (UV/OV/OC/OT), ideal-diode drop and reverse-blocking, supervisor threshold accuracy, and hold-up charge current limiting.

Example MPNs (buck regulators):

• Texas Instruments TPS62130A (buck regulator class; define EMI and ripple targets)
• Analog Devices LT8609S (low-EMI buck class; helpful for mixed-signal panels)
• Texas Instruments TPS54202 (buck class; ensure layout/EMI discipline near AFE)

Example MPNs (eFuse / load switch / protection):

• Texas Instruments TPS25940A (eFuse class; programmable current limit for input protection)
• Texas Instruments TPS2662 (protection switch class; choose by voltage/current window)
• Analog Devices LTC4368 (surge stopper / protection class; useful for harsh 24V lines)

Example MPNs (ideal diode / OR-ing):

• Analog Devices LTC4412 (ideal diode controller class; good for OR-ing inputs)
• Analog Devices LTC4359 (ideal diode controller class; choose by current and FET strategy)

Example MPNs (supervisor / reset):

• Texas Instruments TPS3808G01 (supervisor class; accurate reset threshold options)
• Analog Devices / Maxim MAX809S (simple supervisor class; define threshold and delay)

Example MPNs (supercap backup / charger, if used):

• Analog Devices LTC3350 (supercap backup controller class; supports hold-up design)
• Analog Devices LTC3351 (related family; choose by channel count and telemetry needs)

8) Sensors: temperature/humidity + door/tamper interface

Panel-specific guardrails: temperature is required to explain drift; door/tamper events must correlate with optical steps and switching events to support audit conclusions.

• Pin these specs: temp accuracy and response time, long-term drift; tamper switch debouncing and ESD tolerance; wiring fault detection policy (optional).

Example MPNs (temp/humidity):

• Sensirion SHT31-DIS-B (temp/humidity sensor class; widely used and stable)
• Texas Instruments HDC1080 (temp/humidity sensor class; common option)
• STMicroelectronics HTS221 (temp/humidity sensor class; compact integration)

Example MPNs (door/tamper interface helpers, optional):

• NXP PCA9555 (I²C GPIO expander; useful for many inputs with stable readback)
• Texas Instruments SN74LVC14A (Schmitt trigger inverter class; good for noisy long switch lines with proper protection)

Panel BOM selection notes (quick checklist)

• AFE stability first: PD capacitance + protection must be included in stability analysis and layout.
• Switching must be auditable: always log “requested mapping” and “confirmed readback” with seq#/CRC.
• Power-loss evidence is mandatory: droop detect early, flush fast, commit marker verifiable after reboot.
• Noise partitioning: coils and Ethernet PHY are “noise engines”; treat AFE as a protected island.