H2-3. Metering Signal Chain (Voltage & Current Sensing → ADC → DSP)

The metering chain is only as accurate as its phase alignment, gain integrity, and reference stability under real loads. This chapter maps each major error injection point to a measurable observable, so troubleshooting starts from evidence rather than assumptions.

Voltage sensing: divider, RC, protection (and where error enters)

• Divider ratio drift: tolerance and TCR translate directly into energy scaling error; high-value dividers also magnify leakage sensitivity.
• Leakage paths: clamp/ESD device leakage, PCB contamination, and humidity can bias the divider node and shift readings, especially at low current/low power.
• RC phase shift: front-end filtering changes phase at 50/60 Hz and harmonics; phase error directly impacts P/Q and PF.
• Clamp behavior: protection conduction during spikes can distort the waveform and inflate harmonic metrics or distort instantaneous power.

Current sensing choices: Shunt vs CT vs Rogowski (selection → predictable error modes)

ADC & reference: ΣΔ vs SAR (metering-focused)

• ΣΔ ADC: excels for low-frequency precision and dynamic range; accuracy depends on reference integrity and decimation settings that preserve phase alignment.
• SAR ADC: can work when sampling alignment is tightly controlled; performance hinges on reference settling, sampling jitter, and front-end anti-alias behavior.
• Reference integrity: reference noise or droop becomes a direct scaling error; supply coupling can appear as “mysterious drift” in accumulation.
• Channel alignment: V and I sample misalignment shows up as PF/P/Q instability even when RMS looks stable.

Digital metrology outputs: interpret symptoms without turning into a textbook

• PF instability: often indicates phase error (sensor phase, RC phase, or sampling alignment) rather than pure gain drift.
• RMS stable but kWh off: suggests scaling/accumulation coefficient issues, range switching discontinuity, or reference coupling into the accumulator path.
• Harmonics inflate: commonly caused by clamp conduction, front-end saturation, or anti-alias misconfiguration under real-world spikes.
• Low-load inaccuracy: points to leakage/offset/quantization dominance; this is where divider leakage and amplifier offset become visible.

H2-4. Accuracy & Calibration Strategy (Factory + In-field)

Accuracy is not a single calibration step; it is a closed loop that produces traceable coefficients, stores them with rollback protection, and continuously checks that the metering chain behaves like the calibrated model under real conditions.

Factory calibration: what must be produced (not just “performed”)

• Gain/offset set: multi-point coefficients with residual error recorded as a quality stamp.
• Phase compensation: V/I phase parameters verified under representative load conditions.
• Temperature compensation: coefficient sets or segments tied to temperature points, with a clear version identifier.

In-field verification: minimal checks that keep results credible

• Known-load check: compare readings at a small set of anchor points (low / mid / high) to detect non-linearity and drift patterns.
• Pulse/register consistency: if an energy pulse output exists, verify pulse-count vs accumulator consistency over a fixed time window.
• Time consistency: confirm RTC monotonic behavior across power cycles; time rollback often explains duplicated or missing records.

Drift sources: link each cause to an observable

• Temperature drift: error changes monotonically or in segments; segment behavior suggests model mismatch.
• Self-heating: step-load produces a slow drift curve over minutes (common with shunt paths).
• Magnetic influence: abnormal behavior appears under external field exposure (sensing-specific signature).
• Supply/reference coupling: errors correlate with rail ripple or reference droop during bursts or noisy intervals.

Trusted coefficient storage (no cloud dependency)

• Atomic update: dual-copy or commit-flag update to avoid half-written coefficient sets.
• Anti-rollback: monotonic counter and version binding prevent old coefficient sets from being restored silently.
• Integrity check: CRC or signature (optional SE support) ensures coefficients are not tampered with.
• Audit trail: every coefficient update writes a time-stamped event into the secure log.

H2-3. Metering Signal Chain (Voltage & Current Sensing → ADC → DSP)

The metering chain is only as accurate as its phase alignment, gain integrity, and reference stability under real loads. This chapter maps each major error injection point to a measurable observable, so troubleshooting starts from evidence rather than assumptions.

Voltage sensing: divider, RC, protection (and where error enters)

• Divider ratio drift: tolerance and TCR translate directly into energy scaling error; high-value dividers also magnify leakage sensitivity.
• Leakage paths: clamp/ESD device leakage, PCB contamination, and humidity can bias the divider node and shift readings, especially at low current/low power.
• RC phase shift: front-end filtering changes phase at 50/60 Hz and harmonics; phase error directly impacts P/Q and PF.
• Clamp behavior: protection conduction during spikes can distort the waveform and inflate harmonic metrics or distort instantaneous power.

Current sensing choices: Shunt vs CT vs Rogowski (selection → predictable error modes)

ADC & reference: ΣΔ vs SAR (metering-focused)

• ΣΔ ADC: excels for low-frequency precision and dynamic range; accuracy depends on reference integrity and decimation settings that preserve phase alignment.
• SAR ADC: can work when sampling alignment is tightly controlled; performance hinges on reference settling, sampling jitter, and front-end anti-alias behavior.
• Reference integrity: reference noise or droop becomes a direct scaling error; supply coupling can appear as “mysterious drift” in accumulation.
• Channel alignment: V and I sample misalignment shows up as PF/P/Q instability even when RMS looks stable.

Digital metrology outputs: interpret symptoms without turning into a textbook

• PF instability: often indicates phase error (sensor phase, RC phase, or sampling alignment) rather than pure gain drift.
• RMS stable but kWh off: suggests scaling/accumulation coefficient issues, range switching discontinuity, or reference coupling into the accumulator path.
• Harmonics inflate: commonly caused by clamp conduction, front-end saturation, or anti-alias misconfiguration under real-world spikes.
• Low-load inaccuracy: points to leakage/offset/quantization dominance; this is where divider leakage and amplifier offset become visible.

H2-4. Accuracy & Calibration Strategy (Factory + In-field)

Accuracy is not a single calibration step; it is a closed loop that produces traceable coefficients, stores them with rollback protection, and continuously checks that the metering chain behaves like the calibrated model under real conditions.

Factory calibration: what must be produced (not just “performed”)

• Gain/offset set: multi-point coefficients with residual error recorded as a quality stamp.
• Phase compensation: V/I phase parameters verified under representative load conditions.
• Temperature compensation: coefficient sets or segments tied to temperature points, with a clear version identifier.

In-field verification: minimal checks that keep results credible

• Known-load check: compare readings at a small set of anchor points (low / mid / high) to detect non-linearity and drift patterns.
• Pulse/register consistency: if an energy pulse output exists, verify pulse-count vs accumulator consistency over a fixed time window.
• Time consistency: confirm RTC monotonic behavior across power cycles; time rollback often explains duplicated or missing records.

Drift sources: link each cause to an observable

• Temperature drift: error changes monotonically or in segments; segment behavior suggests model mismatch.
• Self-heating: step-load produces a slow drift curve over minutes (common with shunt paths).
• Magnetic influence: abnormal behavior appears under external field exposure (sensing-specific signature).
• Supply/reference coupling: errors correlate with rail ripple or reference droop during bursts or noisy intervals.

Trusted coefficient storage (no cloud dependency)

• Atomic update: dual-copy or commit-flag update to avoid half-written coefficient sets.
• Anti-rollback: monotonic counter and version binding prevent old coefficient sets from being restored silently.
• Integrity check: CRC or signature (optional SE support) ensures coefficients are not tampered with.
• Audit trail: every coefficient update writes a time-stamped event into the secure log.

H2-3. Metering Signal Chain (Voltage & Current Sensing → ADC → DSP)

The metering chain is only as accurate as its phase alignment, gain integrity, and reference stability under real loads. This chapter maps each major error injection point to a measurable observable, so troubleshooting starts from evidence rather than assumptions.

Voltage sensing: divider, RC, protection (and where error enters)

• Divider ratio drift: tolerance and TCR translate directly into energy scaling error; high-value dividers also magnify leakage sensitivity.
• Leakage paths: clamp/ESD device leakage, PCB contamination, and humidity can bias the divider node and shift readings, especially at low current/low power.
• RC phase shift: front-end filtering changes phase at 50/60 Hz and harmonics; phase error directly impacts P/Q and PF.
• Clamp behavior: protection conduction during spikes can distort the waveform and inflate harmonic metrics or distort instantaneous power.

Current sensing choices: Shunt vs CT vs Rogowski (selection → predictable error modes)

ADC & reference: ΣΔ vs SAR (metering-focused)

• ΣΔ ADC: excels for low-frequency precision and dynamic range; accuracy depends on reference integrity and decimation settings that preserve phase alignment.
• SAR ADC: can work when sampling alignment is tightly controlled; performance hinges on reference settling, sampling jitter, and front-end anti-alias behavior.
• Reference integrity: reference noise or droop becomes a direct scaling error; supply coupling can appear as “mysterious drift” in accumulation.
• Channel alignment: V and I sample misalignment shows up as PF/P/Q instability even when RMS looks stable.

Digital metrology outputs: interpret symptoms without turning into a textbook

• PF instability: often indicates phase error (sensor phase, RC phase, or sampling alignment) rather than pure gain drift.
• RMS stable but kWh off: suggests scaling/accumulation coefficient issues, range switching discontinuity, or reference coupling into the accumulator path.
• Harmonics inflate: commonly caused by clamp conduction, front-end saturation, or anti-alias misconfiguration under real-world spikes.
• Low-load inaccuracy: points to leakage/offset/quantization dominance; this is where divider leakage and amplifier offset become visible.

H2-4. Accuracy & Calibration Strategy (Factory + In-field)

Accuracy is not a single calibration step; it is a closed loop that produces traceable coefficients, stores them with rollback protection, and continuously checks that the metering chain behaves like the calibrated model under real conditions.

Factory calibration: what must be produced (not just “performed”)

• Gain/offset set: multi-point coefficients with residual error recorded as a quality stamp.
• Phase compensation: V/I phase parameters verified under representative load conditions.
• Temperature compensation: coefficient sets or segments tied to temperature points, with a clear version identifier.

In-field verification: minimal checks that keep results credible

• Known-load check: compare readings at a small set of anchor points (low / mid / high) to detect non-linearity and drift patterns.
• Pulse/register consistency: if an energy pulse output exists, verify pulse-count vs accumulator consistency over a fixed time window.
• Time consistency: confirm RTC monotonic behavior across power cycles; time rollback often explains duplicated or missing records.

Drift sources: link each cause to an observable

• Temperature drift: error changes monotonically or in segments; segment behavior suggests model mismatch.
• Self-heating: step-load produces a slow drift curve over minutes (common with shunt paths).
• Magnetic influence: abnormal behavior appears under external field exposure (sensing-specific signature).
• Supply/reference coupling: errors correlate with rail ripple or reference droop during bursts or noisy intervals.

Trusted coefficient storage (no cloud dependency)

• Atomic update: dual-copy or commit-flag update to avoid half-written coefficient sets.
• Anti-rollback: monotonic counter and version binding prevent old coefficient sets from being restored silently.
• Integrity check: CRC or signature (optional SE support) ensures coefficients are not tampered with.
• Audit trail: every coefficient update writes a time-stamped event into the secure log.

H2-5. RTC, Time-Stamping & Data Retention Under Outage

Outage robustness is not just “keeping data.” A home meter must preserve a continuous truth chain: a record stream that can prove no gaps, no edits, and no replay across brownouts and repeated flickers.

RTC architecture: time base, drift, and holdover rails

• Time source: XO/RTC time base stability sets long-outage behavior; drift must be measurable and compensable.
• Temperature drift: the key question is whether drift is predictable (model/segment) or erratic (supply or rail collapse).
• Holdover supply: battery/supercap/keep-alive rail must survive the transition moment when main rails cross BOD thresholds.

Outage modes: brownout, long outage, and repeated flicker

• Brownout: the most dangerous mode—firmware may continue running while storage writes become unreliable (half-written records).
• Long outage: priority is RTC holdover and a restart path that can prove record continuity.
• Flicker (chattering): frequent resets can destroy endurance and create duplicated/partial logs unless commit rules are strict.

Data retention media & write strategy (ring log + atomic commit)

Evidence chain: prove “no loss, no edit, no replay”

• Sequence counter: proves continuity (missing numbers imply gaps or reorder).
• CRC / signature: proves record integrity (edits become detectable).
• Monotonic time: detects rollback and replay; time and sequence anchor each other.
• Atomic commit: guarantees “complete record or none,” preventing half-written evidence.

H2-6. Anti-Tamper Threat Model (Home Meter Reality)

Anti-tamper is not “add a security chip.” A practical home meter design starts from an enumerable threat list and turns each threat into observable evidence that can be recorded as a time-stamped, integrity-checked event.

Threat-to-evidence mapping (engineering closure)

False-positive control (so tamper evidence stays credible)

• Debounce & hysteresis: prevent mechanical chatter or noise from flooding logs.
• Correlation gates: require at least one supporting metrology anomaly for high-impact claims (e.g., magnet).
• Time windows: separate short transient phenomena from sustained tamper attempts.

H2-7. Tamper Sensing & Evidence Logging (Make It Court-Proof)

A tamper subsystem is only useful when it produces repeatable, integrity-checked evidence. The goal is a closed chain: detect → reduce false positives → record atomically → prove continuity → reproduce the trigger.

Sensing methods (evidence anchors, not a parts list)

• Magnetic (Hall/AMR): thresholded B-field becomes credible when aligned with metrology flags (phase/PF consistency anomalies).
• Cover / terminal: a debounced edge plus duration is stronger evidence than raw switch chatter.
• V/I consistency: “physically impossible combinations” (RMS/PF/phase relationships) form robust injection/bypass indicators.
• Vibration (brief): use as a supporting signal (time-aligned) rather than a sole trigger.

Rule engine: thresholds + combinations to control false positives

• Time gates: require sustained evidence (duration > X s) to avoid transient noise triggers.
• Correlation gates: require at least one supporting observable for high-impact claims (e.g., magnet + PF anomaly).
• Hysteresis: avoid repeated triggers near thresholds under flicker/noise conditions.
• Cross-check rules: combine cover/terminal state with metrology consistency to raise event level.

Event record schema (what must be logged to stay credible)

Anti-rollback & log continuity (concept-level, implementation-safe)

• Firmware version counter: monotonic counter prevents “load older rules” to silence detection.
• Log link field (hash-chain concept): each record references the prior record’s digest so deletion/insertion becomes detectable.
• Chain-break handling: a broken link is itself an event that must be logged and integrity-checked.

H2-8. Security Building Blocks (Secure Boot, Keys, Secure Element)

The meter-side security chain protects three assets: firmware integrity, key confidentiality, and tamper/reading authenticity. The design must also respect low-power windows and outage risks so security actions do not create partial states.

Secure boot (prevent modified firmware from running)

• Verify before execute: boot stage checks the image before application code is trusted.
• Fail behavior is evidence: verification failure should enter a safe mode and create an integrity event record.
• Outage interaction: verification and log sealing must not be interrupted without a detectable state.

Key storage: MCU internal security vs external Secure Element / TPM

Signing & authentication (make logs/readings verifiable)

• Event logs: signatures/verification tags allow detection of edits after data leaves the meter.
• Reading summaries: sign periodic summaries (sequence-anchored) so replay and modification become detectable.
• Minimal scope: focus on meter-side authenticity; backend architecture is out of scope.

Security vs power: schedule cryptographic windows safely

• Wake budget: restrict key operations to controlled windows to avoid repeated high-energy actions.
• Power-fail gating: do not start signing when PF detect indicates insufficient time to commit.
• Atomic outcomes: security operations should end in “done” or “not started,” never “half applied.”

H2-9. Communication Options: PLC vs RF (and What to Measure First)

This chapter stays out of protocol-stack details and focuses on why readouts drop or links become unstable. The fastest path is to capture three aligned evidence points and decide whether the failure is driven by the medium (PLC noise / RF environment) or by power & scheduling (TX peaks causing rail droop and retries).

First 3 measurements (triage in minutes)

• Rail droop: measure the main rail or the comm rail during transmit bursts and during heavy retries.
• Retry counter / fail reason: record retries, ACK failures, or a link-quality indicator from the module/stack.
• TX current: capture peak current and timing; align it with retry spikes and timestamp gaps.

PLC (power-line carrier): unstable links are often noise + coupling + impedance changes

• Noise bursts: switching events and appliance activity can cluster errors in repeatable time windows.
• Impedance changes: plug/unplug events and loads on the same branch can shift channel characteristics.
• Near zero-cross interference: certain disturbances concentrate around the AC waveform crossing, creating retry bursts.

Sub-GHz / RF mesh: judge link budget and retry pressure (not routing theory)

• RSSI/SNR: indicates whether the channel margin is fundamentally sufficient.
• Retransmit counts: shows whether reliability is achieved via excessive retries.
• Duty-cycle limits: rate limiting can look like “missing reads” when the system must back off.

NB-IoT (light mention): what it changes in the evidence chain

• Peak TX current: can be the dominant rail droop trigger if power gating is not aligned.
• Uplink latency: extends active time and increases the probability of outage overlap.
• Retries: multiply both energy cost and the need for clean time/sequence logging.

H2-10. Power Architecture & Low-Power Operation (Meter Must Never Lose Truth)

The hardest power requirement is not “never reset.” It is never losing truth: even under edge rails, the system must preserve time, sequence continuity, and atomic logs. The power tree and low-power policy should therefore protect the truth rails first, then restore communications after integrity is secured.

Typical power-tree shapes (home meters vs battery meters)

• Mains-powered (electricity meter): AC/DC front end → main rail → branches (MCU, metrology AFE, comm, display).
• Battery/harvesting (water/gas meters): primary cell/harvester → ultra-low-power rail → gated high-power rail for TX / actuators.
• Truth rails: RTC + secure log + minimal MCU must remain valid through PF detect and commit windows.

Peak loads that most often corrupt evidence (if not gated)

• TX bursts: RF / NB-IoT / PLC activity can create droop and force retries.
• Actuators (if present): relay/valve pulses can overlap log commits.
• Backlight/indicators: small loads can become critical when rails are already marginal.
• NVM commits: the write/verify window is the most sensitive moment for integrity.

Brownout policy: degrade in levels, preserve truth first

Verification: three acceptance metrics (hard to fake)

• Rail droop under pulses: capture worst-case sag during TX and during retries.
• POR/BOD threshold alignment: ensure thresholds leave a usable commit window.
• Commit success rate: under repeated flicker/pulses, verify no half-writes, no sequence gaps, and no chain breaks.

H2-11. Validation & Field Debug Playbook (Symptom → Evidence → Isolate → Fix)

This playbook turns field issues into repeatable steps using minimal tools. Each case follows a fixed pattern: First 2 checks → Discriminator → First fix → Prevent. The goal is not “never reset”; the goal is never losing truth: time, sequence continuity, and atomic evidence stay trustworthy through outages and attacks.

Field record template: timestamp • seq • event_id • rail_min • tx_I_peak • retry_count • chain_status