
28V Aircraft Power Front-End: DO-160 Surges, eFuse & EMI


The 28 V aircraft power front-end is the system’s first defense layer: it must survive real bus transients, keep power continuous (or shut down in a controlled way), and leave traceable evidence for every event. A robust design comes from the right protection order (filter → clamp → hot-swap/eFuse) plus correct chassis return paths, stable damping, and field-ready monitoring/logging.

What the 28 V power front-end must guarantee (and what it won’t)

A 28 V aircraft power front-end is the input-side protection and control boundary between the aircraft DC bus and the avionics power domain. Its job is to survive defined transients, keep the load powered when allowed, and capture evidence when it must limit or disconnect power—without turning normal bus noise into nuisance trips.

This chapter locks the “page contract”: what is owned at the connector-to-load boundary, and what is explicitly out of scope to avoid overlap with sibling pages.

Guarantee envelope (engineering contract)

  • Normal operating window: pass bus voltage variation to the load within a controlled drop budget (no unnecessary brownout resets).
  • Allowed transient exposure: tolerate spikes/surges/ringing defined by the aircraft power environment and qualification plan (no permanent damage).
  • Fault containment: limit or disconnect under shorts/overloads/miswire so upstream wiring and the avionics domain are protected.
  • Failure behavior: predictable fail-safe or fail-open choice based on mission availability and safety policy, with clear diagnostics.

Survivability

Hardware remains functional after the event: no TVS thermal runaway, no MOSFET SOA burn, no latent leakage drift that appears weeks later.

Continuity

Power stays available during “allowed” bus disturbances; protection trips only when required, with controlled recovery behavior.

Observability

Field evidence explains outcomes: event type, threshold crossed, peak capture/counters, and the moment power was limited or disconnected.

Out of scope

Downstream multi-rail conversion, sequencing/PG trees, hold-up/OR-ing, isolation design, and system crypto/timing subsystems are not expanded here.

Practical reading rule: everything on this page happens before downstream converters and multi-rail distribution. If a topic starts with “how rails sequence” or “how hold-up lasts X ms,” it belongs to sibling pages.

Figure F1 — Staged defense chain from 28 V bus to avionics load
Block diagram: connector input through EMI filter, TVS clamp to chassis, hot-swap/eFuse control, sensing/logging, and the protected load domain, with surge energy returned to the chassis/airframe reference through a short, low-inductance path.

28 V bus reality: normal ranges, brownouts, and why DO-160 matters

The aircraft “28 V” line is a dynamic power bus, not a fixed lab supply. Engine start, generator transfer, contactor switching, and harness coupling create disturbances that differ in time scale, energy, and spectral content. Those differences determine what fails first: a clamp overheats, a MOSFET exceeds SOA, an input filter rings, or protection logic trips too aggressively.

Why DO-160 matters (without memorizing the spec)

  • Common test language: power-input events are described in repeatable waveforms so results can be compared across vendors and programs.
  • Evidence-based qualification: “it survived” becomes measurable: peak voltage/current, recovery time, and post-test parametric health.
  • Design intent alignment: the front-end can be engineered for the disturbances it must tolerate, rather than guessing worst-case ad hoc.

Brownout (slow sag)

Waveform cue: tens of ms to seconds drop, sometimes with recovery ramp. Stress: undervoltage, resets, nuisance trips.

Spike (fast dv/dt)

Waveform cue: narrow peaks, high dv/dt. Stress: false trips, gate/ESD stress paths, high-frequency conducted noise.

Surge (energy event)

Waveform cue: wide pulse or elevated plateau with energy. Stress: TVS heating, MOSFET SOA, inductor saturation current rise.

Ringing (filter coupling)

Waveform cue: damped oscillation after a step. Stress: overvoltage overshoot, control instability, repetitive stress accumulation.

Engineering shortcut: classify the bus event by time scale first, then decide whether the primary mitigation should be clamp-to-chassis, controlled current limiting, or damping/stability control. This classification is the input used by the rest of the design chapters.

Figure F2 — Event map: waveform type → dominant stress → first victim
Event map: four waveform categories on a time-scale band (µs–ms, ms–100 ms, 100 ms–s) with the stressed components highlighted: spike (trip logic, gate/ESD paths), surge (TVS clamp, MOSFET SOA), brownout (UV/PG, system resets), ringing (input filter, control margin).

Surge vs spike: translating waveforms into component stress

A “scary” bus waveform becomes actionable only after it is translated into three stresses: Vpeak (overvoltage margin), dV/dt (false trips and parasitic injection), and energy (thermal damage). The key decision is identifying where the energy is intended to go—into a clamp-to-chassis path or into a through-switch current-limited path—because that choice determines whether the first victim is the TVS, the MOSFET SOA, or the input network.

This chapter is a practical “translator” from scope captures to hardware risk: which parameter dominates, which component is stressed first, and which proof points confirm the diagnosis.

Vpeak (peak voltage)

Stresses: TVS dynamic clamp level, MOSFET VDS rating, controller abs-max.
First checks: clamp voltage at high current, overshoot at the switch node, margin to ratings.
Common signature: no trip, but parts fail “instantly” (punch-through or overvoltage breakdown).

dV/dt (edge rate)

Stresses: comparator/window false trips, Miller injection to gates, unintended ESD/parasitic paths.
First checks: trip pin waveforms, blanking/debounce adequacy, gate spikes vs thresholds.
Common signature: nuisance disconnects with narrow spikes that carry little energy.

Energy (∫v·i dt)

Stresses: TVS heating/thermal runaway, MOSFET linear-region dissipation (SOA), inductor saturation leading to current growth.
First checks: pulse width, current integral, component temperature rise, SOA window duration.
Common signature: survives a few events, then fails later (thermal fatigue or cumulative damage).

Ringing (underdamped network)

Stresses: repeated overshoot, resonance-amplified Vpeak, repeated threshold crossings.
First checks: input LC resonance, damping (RC/ESR), layout inductance, clamp placement.
Common signature: “mystery” overvoltage spikes appearing after a step or switching event.

3-step decision flow (fast triage)

  1. Step 1 — Classify by time scale:
    Narrow, fast spikes are typically dV/dt-dominated; wide pulses or elevated plateaus are typically energy-dominated.
  2. Step 2 — Observe clamp behavior:
    If the clamp conducts (voltage “pins” while current rises), energy is being pushed into the clamp-to-chassis path. If not, the burden shifts downstream.
  3. Step 3 — Observe switch dissipation window:
    If current is limited through the hot-swap device, the risk becomes VDS × ID in the MOSFET linear region—an SOA problem defined by duration and temperature.

Most common root cause pattern: an energy event is unintentionally routed into the “wrong absorber” (TVS forced to dissipate sustained energy, or MOSFET forced to dissipate energy beyond SOA). Fixes usually come from rebalancing the energy path and shortening/damping the parasitic loop rather than simply increasing part ratings.
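The three stresses and the three-step triage above, worked through on sampled data as an added example (not code from the original page). The `capture` layout, the 33 V overvoltage threshold, the 10 µs spike/energy boundary and both captures are constructed assumptions; the clamp voltage is taken to be the input-node voltage.

```c
#include <stdint.h>
#include <stdio.h>

#define N_SAMPLES 2000

/* One scope capture at a fixed sample interval (hypothetical layout). */
typedef struct {
    uint32_t dt_ns;
    int32_t vin_mV[N_SAMPLES];     /* input node voltage */
    int32_t iclamp_mA[N_SAMPLES];  /* current in the clamp-to-chassis path */
    int32_t vds_mV[N_SAMPLES];     /* drop across the hot-swap MOSFET */
    int32_t id_mA[N_SAMPLES];      /* current through the MOSFET */
} capture;

typedef enum { DOM_DVDT, DOM_CLAMP_ENERGY, DOM_SWITCH_ENERGY } dominant;

typedef struct {
    int32_t  vpeak_mV;
    int32_t  max_dvdt_V_per_us;
    uint64_t width_ns;      /* time spent above the overvoltage threshold */
    uint64_t e_clamp_nJ;    /* integral of v*i in the clamp path */
    uint64_t e_switch_nJ;   /* integral of Vds*Id in the MOSFET */
    dominant dom;
} stress;

stress analyze(const capture *c, int32_t ov_mV, uint64_t spike_max_ns)
{
    stress s = {0};
    int64_t clamp2 = 0, switch2 = 0;  /* twice the energy, in fJ (mV*mA*ns) */
    s.vpeak_mV = c->vin_mV[0];
    for (int k = 0; k < N_SAMPLES; k++) {
        int32_t v = c->vin_mV[k];
        if (v > s.vpeak_mV) s.vpeak_mV = v;
        if (v > ov_mV) s.width_ns += c->dt_ns;
        if (k == 0) continue;
        int32_t dv = v - c->vin_mV[k - 1];
        if (dv < 0) dv = -dv;
        int32_t slope = dv / (int32_t)c->dt_ns;       /* mV/ns equals V/us */
        if (slope > s.max_dvdt_V_per_us) s.max_dvdt_V_per_us = slope;
        /* Trapezoid rule: (p[k] + p[k-1]) * dt, halved once at the end. */
        clamp2  += ((int64_t)v * c->iclamp_mA[k] +
                    (int64_t)c->vin_mV[k - 1] * c->iclamp_mA[k - 1]) * c->dt_ns;
        switch2 += ((int64_t)c->vds_mV[k] * c->id_mA[k] +
                    (int64_t)c->vds_mV[k - 1] * c->id_mA[k - 1]) * c->dt_ns;
    }
    s.e_clamp_nJ  = (uint64_t)(clamp2 / 2000000);
    s.e_switch_nJ = (uint64_t)(switch2 / 2000000);
    /* Step 1: time scale. Steps 2 and 3: which path took the energy. */
    if (s.width_ns < spike_max_ns)
        s.dom = DOM_DVDT;
    else
        s.dom = s.e_clamp_nJ >= s.e_switch_nJ ? DOM_CLAMP_ENERGY
                                              : DOM_SWITCH_ENERGY;
    return s;
}

/* Constructed captures (not measured data), 1 us per sample. */
static capture cap;

static void baseline(void)
{
    cap.dt_ns = 1000;
    for (int k = 0; k < N_SAMPLES; k++) {
        cap.vin_mV[k] = 28000; cap.iclamp_mA[k] = 0;
        cap.vds_mV[k] = 100;   cap.id_mA[k] = 1000;   /* normal conduction */
    }
}

stress demo_spike(void)
{
    baseline();
    cap.vin_mV[10] = 60000; cap.iclamp_mA[10] = 2000; /* clamp fires briefly */
    cap.vin_mV[11] = 40000;
    return analyze(&cap, 33000, 10000);
}

stress demo_surge(int clamp_conducts)
{
    baseline();
    for (int k = 100; k < 1100; k++) {                /* 1 ms plateau */
        cap.vin_mV[k] = 45000;
        cap.iclamp_mA[k] = clamp_conducts ? 5000 : 0;
        cap.vds_mV[k] = 15000; cap.id_mA[k] = 3000;   /* switch in current limit */
    }
    return analyze(&cap, 33000, 10000);
}

int main(void)
{
    static const char *name[] = { "dV/dt", "clamp energy", "switch energy (SOA)" };
    stress r[3] = { demo_spike(), demo_surge(1), demo_surge(0) };
    for (int i = 0; i < 3; i++)
        printf("Vpeak=%d mV dV/dt=%d V/us width=%llu ns Eclamp=%llu nJ "
               "Eswitch=%llu nJ -> %s\n", (int)r[i].vpeak_mV,
               (int)r[i].max_dvdt_V_per_us, (unsigned long long)r[i].width_ns,
               (unsigned long long)r[i].e_clamp_nJ,
               (unsigned long long)r[i].e_switch_nJ, name[r[i].dom]);
    return 0;
}
```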

Figure F3 — Energy path diagram: clamp-to-chassis vs through-switch
Energy path diagram: a single transient splits into two energy routes, a clamp-to-chassis path that heats the TVS and a through-switch current-limited path that stresses MOSFET SOA. Goal: keep high-energy transients on the chassis return, and keep the MOSFET dissipation inside SOA.

Reference architecture: clamp + filter + hot-swap — and why order matters

A robust 28 V input front-end is a layered defense chain: harness/connector entry, EMI filtering, a clamp-to-chassis path for fast energy, a hot-swap/eFuse stage for inrush and controlled current limiting, and a sense/log layer to explain outcomes. The order matters because it determines whether transients are shaped, absorbed, or amplified by parasitics.

This chapter provides a canonical blueprint and the “why” behind each block. The focus stays on the input boundary; downstream conversion is intentionally not expanded.

Order rules (why the chain is not interchangeable)

  • First: tame coupling (DM/CM). High-frequency harness noise can trigger protection logic unless filtering and layout control reduce injection.
  • Second: choose the energy absorber. Decide whether events are primarily handled by clamp-to-chassis or by through-switch limiting—then design ratings and paths accordingly.
  • Third: add evidence. Sensing and logging prove whether the front-end stayed in the allowed envelope or intentionally limited/disconnected power.

Connector / harness entry

Do: control entry impedance and bonding; keep the high-energy return path short.
Don’t: route surge return through sensitive grounds.
Field symptom: unpredictable resets during switching events despite “good” lab supplies.

EMI filter (DM/CM)

Do: include damping and consider source/load impedance interaction.
Don’t: create an undamped LC that rings into overvoltage.
Field symptom: repeated overshoot peaks appear after a step, causing nuisance trips.

Clamp-to-chassis (TVS/MOV)

Do: return to chassis with low inductance; place for shortest loop.
Don’t: force sustained energy into the TVS without thermal margin.
Field symptom: TVS runs hot, drifts, or fails short after repeated events.

Hot-swap / eFuse

Do: control inrush (dv/dt), limit current with SOA-aware timing, define retry policy.
Don’t: rely on “low RDS(on)” as the primary robustness metric.
Field symptom: latch-off/retry cycles under transients; MOSFET damage without obvious overvoltage.

Sense / log layer

Do: record event type, threshold, peak/counters, and the moment of disconnect/limit.
Don’t: use raw noisy measurements as trip inputs without filtering/blanking.
Field symptom: “cannot reproduce” failures due to missing evidence and ambiguous trip causes.

Three red-flag pitfalls

REF: clamp reference chosen incorrectly (chassis vs signal return).
RETURN: high-energy loop area too large (layout inductance dominates).
DAMP: filter resonance left undamped (ringing creates new Vpeak).

Blueprint mindset: the architecture should intentionally route transients: fast edges are shaped by filtering and layout, energy events are absorbed by the chosen path, and the hot-swap stage enforces controlled current without violating MOSFET SOA.

Figure F4 — Block-level blueprint with three critical warning points
Block diagram: connector, EMI filter, TVS clamp to chassis, hot-swap/eFuse, and sense/log, with three warning callouts: REF (clamp return to chassis), RETURN (keep surge loop low-inductance), DAMP (damp filter resonance). The right order prevents false trips (dv/dt), overheating clamps (energy), and ringing overshoot (undamped LC).

Hot-swap / eFuse deep dive: inrush, SOA, foldback, retry logic

Inrush is simply charging downstream capacitance. A hot-swap/eFuse succeeds when it controls dV/dt so peak current stays below ILIM, while keeping the MOSFET inside safe linear SOA during current limit. Practical setup means back-solving from Cload, Vbus, target ramp time, Imax, and thermal headroom, then choosing timer/blanking/retry so faults are protected without nuisance disconnects.

Key knobs (what each one really controls)

Current & ramp

ILIM caps peak current; slew / dV/dt sets the charging speed of Cload; together they define whether the device stays in control or hits limit/chatter.

Protection timing

Fault blanking avoids false trips at turn-on; timer defines how long current limit is allowed; thermal foldback protects the MOSFET when dissipation is high.

Recovery policy

Retry/backoff can preserve availability for intermittent faults; latch-off prevents repeated stress when a persistent hard fault exists.

Why SOA matters at 28 V

The worst case is high Vin plus current limiting: the MOSFET sits in the linear region and dissipates power while Vdrop is large. Timer + thermal behavior decide survival.

Back-solve setup (parameter checklist)

| Input constraint | Translate into a setting / check |
| --- | --- |
| Cload (downstream bulk) | Pick a ramp such that charging current is controlled. Rule-of-thumb relation: I ≈ C × dV/dt (conceptual). |
| Vbus (28 V nominal + transients) | Check the highest expected Vin during turn-on and faults; SOA stress increases with Vin. |
| Target ramp time (startup budget) | Set dV/dt to meet timing without exceeding ILIM; ensure blanking covers the initial transient. |
| Imax (allowable peak) | Set ILIM below wiring/connector limits; verify that the chosen ramp does not hit ILIM immediately. |
| Thermal headroom (Tamb + cooling) | Set timer and foldback so linear dissipation does not accumulate; prefer backoff for repetitive events. |
| Fault philosophy (availability vs protection) | Choose retry/backoff for intermittent faults; choose latch-off when repeated stress is unacceptable. |

Practical guardrail: if current limit is expected during normal ramp, the design is already in the most stressful region. Adjust ramp/ILIM/timer so current limiting is reserved for faults, not for every startup.
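An added example (not from the original page) that back-solves the checklist above for a purely capacitive load: it computes the ramp inrush from I = C × dV/dt, the MOSFET stress during the ramp, and whether the fault timer would cover a start-up that runs into current limit. The field names, the 70 % margin rule, the three-way verdict and all numbers are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Design inputs for one hot-swap/eFuse ramp check (hypothetical names). */
typedef struct {
    uint32_t cload_uF;    /* downstream bulk capacitance */
    uint32_t vin_max_mV;  /* highest Vin expected during turn-on */
    uint32_t ramp_us;     /* programmed output ramp time (sets dV/dt) */
    uint32_t ilim_mA;     /* current-limit setting */
    uint32_t margin_pct;  /* inrush target as a percentage of ILIM (non-zero) */
    uint32_t timer_us;    /* time the device may stay in current limit */
} ramp_cfg;

typedef enum { RAMP_OK, RAMP_MARGINAL, RAMP_HITS_ILIM } ramp_verdict;

typedef struct {
    uint32_t inrush_mA;       /* current the ramp demands: I = C * dV/dt */
    uint32_t peak_power_mW;   /* MOSFET dissipation at ramp start (Vds ~ Vin) */
    uint32_t ramp_energy_uJ;  /* energy left in the MOSFET over the ramp */
    uint32_t min_ramp_us;     /* shortest ramp that keeps inrush at the target */
    uint32_t limit_time_us;   /* charge time if the part sits at ILIM instead */
    int      timer_covers_limit;
    ramp_verdict verdict;
} ramp_report;

static uint64_t ceil_div(uint64_t a, uint64_t b) { return (a + b - 1) / b; }

/* Assumes a purely capacitive load: no load current flows until the ramp
 * has finished, so all of the charging current goes into Cload. */
ramp_report ramp_evaluate(const ramp_cfg *c)
{
    ramp_report r;
    uint64_t charge_nC = (uint64_t)c->cload_uF * c->vin_max_mV; /* uF*mV = nC */
    uint64_t target_mA = (uint64_t)c->ilim_mA * c->margin_pct / 100;

    r.inrush_mA      = (uint32_t)ceil_div(charge_nC, c->ramp_us); /* nC/us = mA */
    r.peak_power_mW  = (uint32_t)((uint64_t)c->vin_max_mV * r.inrush_mA / 1000);
    /* Integral of (Vin - Vout) * I over a linear ramp equals C * Vin^2 / 2. */
    r.ramp_energy_uJ = (uint32_t)(charge_nC * c->vin_max_mV / 2000000u);
    r.min_ramp_us    = (uint32_t)ceil_div(charge_nC, target_mA);
    r.limit_time_us  = (uint32_t)ceil_div(charge_nC, c->ilim_mA);
    r.timer_covers_limit = c->timer_us >= r.limit_time_us;

    if (r.inrush_mA >= c->ilim_mA)    r.verdict = RAMP_HITS_ILIM;  /* limits on every start */
    else if (r.inrush_mA > target_mA) r.verdict = RAMP_MARGINAL;   /* below ILIM, above target */
    else                              r.verdict = RAMP_OK;
    return r;
}

/* Constructed case: 470 uF, 32 V worst-case Vin, ILIM 2 A, 70 % target,
 * 5 ms fault timer. Only the ramp time varies. */
ramp_report ramp_demo(uint32_t ramp_us)
{
    ramp_cfg cfg = { 470, 32000, ramp_us, 2000, 70, 5000 };
    return ramp_evaluate(&cfg);
}

int main(void)
{
    static const char *name[] = { "OK", "MARGINAL", "HITS_ILIM" };
    const uint32_t ramps[] = { 5000, 10000, 20000 };
    for (int i = 0; i < 3; i++) {
        ramp_report r = ramp_demo(ramps[i]);
        printf("ramp=%u us inrush=%u mA Ppeak=%u mW Eramp=%u uJ "
               "min_ramp=%u us t_at_ILIM=%u us timer_ok=%d -> %s\n",
               (unsigned)ramps[i], (unsigned)r.inrush_mA,
               (unsigned)r.peak_power_mW, (unsigned)r.ramp_energy_uJ,
               (unsigned)r.min_ramp_us, (unsigned)r.limit_time_us,
               r.timer_covers_limit, name[r.verdict]);
    }
    return 0;
}
```

In the constructed case the 5 ms timer is shorter than the 7.52 ms needed to charge Cload at ILIM, so a start-up that runs into current limit would time out before the output is up.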

Figure F5 — Inrush & SOA concept: Vout ramp, Iinrush, and MOSFET dissipation peaks
Conceptual timing plot with three stacked tracks against time: Vout ramps up, inrush current is limited/controlled, and MOSFET dissipation peaks when both voltage drop and current are high; annotations mark the dV/dt setting, the ILIM boundary, blanking/deglitch, timer budget, thermal foldback, and retry/backoff or latch zones. Stress peaks when current limit coincides with large voltage drop; use dV/dt, timer, and thermal policy to survive.

Fault handling that doesn’t kill availability: short, overload, intermittent arcs

Availability improves when faults are classified and handled with the right policy. Hard shorts need fast protection, soft overloads need controlled limiting, and intermittent arcs require deglitch plus a retry policy that avoids oscillating on/off stress. The most useful outcome is a stable state machine with clear logging: fault type, duration, retry count, Vin/Iin/T.

Three fault classes (what they look like at the input)

Hard short

Sudden, large current demand; Vin droops; protection must react quickly to prevent wiring and switch stress.

Soft short / overload

Current rises and stays high; limiting can maintain partial operation, but thermal budget and timer policy decide survivability.

Intermittent arc / contact bounce

Burst-like events with fast edges and repeated crossings; requires deglitch and a retry/backoff policy to avoid repeated stress cycles.

Strategy comparison (choose policy by fault behavior)

| Policy | Upside | Risk | Best fit |
| --- | --- | --- | --- |
| Constant-current limiting | Maintains continuity; predictable current cap | High MOSFET dissipation at high Vin; timer/thermal needed | Soft overloads where brief limiting is acceptable |
| Foldback limiting | Reduces dissipation by lowering current as V drops | May fail to start heavy loads; can confuse recovery if mis-tuned | Overloads where protecting the switch is priority |
| Fast shutdown | Minimizes energy during hard faults | May reduce availability; can cause repeated restarts if retry is naive | Hard shorts and severe fault signatures |
| Retry with backoff | Recovers from intermittent faults without manual intervention | Repeated stress cycles if backoff is too short | Intermittent arcing/contacts; transient faults |
| Latch-off | Stops repeated stress when fault is persistent | Requires service action to restore power | Persistent hard faults; safety-critical cases |

Minimum event record (what to log per fault)

  • fault type (hard/soft/intermittent) + cause code
  • duration in the limiting state
  • retry count and backoff phase
  • Vin/Iin/T snapshot or peak-hold near the event

Anti-oscillation rule: intermittent faults should not force rapid on/off cycling. Use deglitch, then apply a backoff policy that increases separation between retries.
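The limit → timer → retry/backoff → latch policy described above, as an added example that is not part of the original page. It models only the supervisory policy (the analog current-limit loop is assumed to act on its own); the tick period, the policy numbers, the doubling backoff and all identifiers are assumptions, and a Vin/Iin/T snapshot would be added to each record from the ADC.

```c
#include <stdint.h>
#include <stdio.h>

typedef enum { ST_NORMAL, ST_LIMIT, ST_COOLDOWN, ST_LATCHED } fe_state;
typedef enum { EV_LIMIT_CLEARED = 1, EV_TIMER_EXPIRED, EV_LATCH_OFF } fe_cause;

/* One tick = one supervisor period (for example 1 ms). */
typedef struct {
    uint32_t deglitch_ticks;  /* over-current must persist before it counts */
    uint32_t timer_ticks;     /* budget for staying in current limit */
    uint32_t backoff_base;    /* first cooldown; doubles on every retry */
    uint32_t max_retries;     /* retries allowed before latch-off */
    uint32_t stable_ticks;    /* fault-free time that clears the retry count */
} fe_policy;

/* Per-fault record: cause code, time in limit, retry count, backoff phase. */
typedef struct { uint32_t tick, duration, retries, backoff; fe_cause cause; } fe_record;

typedef struct {
    fe_state state;
    uint32_t now, oc_run, limit_ticks, cooldown_left, retries, quiet_ticks;
    uint32_t n_log;
    fe_record log[8];
} fe_ctx;

static void fe_log(fe_ctx *c, fe_cause cause, uint32_t backoff)
{
    if (c->n_log < 8)
        c->log[c->n_log++] =
            (fe_record){ c->now, c->limit_ticks, c->retries, backoff, cause };
}

/* Advance one tick. over_current: the load is demanding more than ILIM. */
void fe_tick(fe_ctx *c, const fe_policy *p, int over_current)
{
    c->now++;
    switch (c->state) {
    case ST_NORMAL:
        if (over_current) {
            c->quiet_ticks = 0;
            if (++c->oc_run >= p->deglitch_ticks) {   /* deglitched: start timer */
                c->state = ST_LIMIT;
                c->limit_ticks = 0;
            }
        } else {
            c->oc_run = 0;
            if (++c->quiet_ticks >= p->stable_ticks) c->retries = 0;
        }
        break;
    case ST_LIMIT:
        if (!over_current) {                          /* cleared inside budget */
            fe_log(c, EV_LIMIT_CLEARED, 0);
            c->state = ST_NORMAL; c->oc_run = 0; c->quiet_ticks = 0;
        } else if (++c->limit_ticks >= p->timer_ticks) {
            if (c->retries >= p->max_retries) {       /* persistent: stop cycling */
                fe_log(c, EV_LATCH_OFF, 0);
                c->state = ST_LATCHED;
            } else {                                  /* switch off, wait, retry */
                c->cooldown_left = p->backoff_base << c->retries;
                c->retries++;
                fe_log(c, EV_TIMER_EXPIRED, c->cooldown_left);
                c->state = ST_COOLDOWN;
            }
        }
        break;
    case ST_COOLDOWN:                                 /* switch is off */
        if (--c->cooldown_left == 0) {
            c->state = ST_NORMAL; c->oc_run = 0; c->quiet_ticks = 0;
        }
        break;
    case ST_LATCHED:                                  /* service action required */
        break;
    }
}

/* Constructed policy and fault patterns. */
static const fe_policy POLICY = { 2, 5, 10, 3, 100 };

static void fe_run(fe_ctx *c, int over_current, uint32_t ticks)
{
    while (ticks--) fe_tick(c, &POLICY, over_current);
}

fe_ctx scenario_persistent(void) { fe_ctx c = {0}; fe_run(&c, 1, 200); return c; }
fe_ctx scenario_bounce(void)     /* 1-tick bursts, shorter than the deglitch */
{
    fe_ctx c = {0};
    for (int i = 0; i < 20; i++) { fe_run(&c, 1, 1); fe_run(&c, 0, 1); }
    return c;
}
fe_ctx scenario_overload_clears(void) { fe_ctx c = {0}; fe_run(&c, 1, 4); fe_run(&c, 0, 1); return c; }
fe_ctx scenario_recovered(void)       { fe_ctx c = {0}; fe_run(&c, 1, 7); fe_run(&c, 0, 110); return c; }

int main(void)
{
    fe_ctx c = scenario_persistent();
    for (uint32_t i = 0; i < c.n_log; i++)
        printf("t=%u cause=%d in_limit=%u retries=%u backoff=%u\n",
               (unsigned)c.log[i].tick, (int)c.log[i].cause, (unsigned)c.log[i].duration,
               (unsigned)c.log[i].retries, (unsigned)c.log[i].backoff);
    return 0;
}
```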

Figure F6 — Fault state machine: limit → timer → latch/retry → cooldown
State machine: NORMAL (monitoring) → CURRENT LIMIT (constant/foldback) → TIMER CHECK (duration budget) → RETRY/BACKOFF (increasing delay) or LATCH-OFF (service required) → COOLDOWN (thermal recovery) → NORMAL, with logging taps for cause code, duration, retry count, and Vin/Iin/T. Intermittent faults go to retry/backoff; persistent hard faults latch. Stable recovery needs classification + deglitch + backoff; persistent hard faults should not cause rapid cycling.

Reverse polarity, miswire, and ground/chassis reference mistakes

Reverse polarity and miswire events are survivable when the input stage enforces a clear rule: block reverse current, route surge energy to chassis, and keep high di/dt return out of signal return. The most frequent “mystery failures” are not caused by the protection device itself, but by choosing the wrong reference for clamps and sensing, which injects transient current into sensitive grounds and triggers false trips.

This section stays strictly at the input boundary. It compares reverse protection options and shows how clamp reference and return-loop inductance dominate outcomes.

Three input-side reverse protection architectures (when to use which)

1) Series diode

Best for: simplest robust protection where voltage drop is acceptable.
Trade-off: steady-state loss and heat; reduces input margin at low bus conditions.
Typical failure mode: “works” but causes brownout sensitivity due to added drop.

2) Ideal diode (controller + MOSFET)

Best for: low drop, lower heat, improved efficiency.
Trade-off: requires clean sensing and fast reverse response; gate protection matters.
Typical failure mode: false turn-on/off under fast dV/dt if layout/reference is poor.

3) Back-to-back MOSFET

Best for: true reverse blocking (both directions) at the input boundary.
Trade-off: more control complexity; dV/dt and gate control must be well managed.
Typical failure mode: ground bounce causes mis-detection or oscillation during faults.

Reference mistakes: the “hidden” cause of damage and false trips

  • A clamp is a routing decision. A TVS does not “remove” energy; it diverts current into a reference. Pick the wrong reference and the energy is injected into the wrong place.
  • Clamps must return to chassis with a short loop. Long return paths add inductance, raise the effective clamp voltage, and create secondary spikes.
  • Do not pull surge current through signal return. Shared impedance (R/L) causes ground bounce and moves sensing thresholds during transients.

Miswire patterns to expect

Reverse polarity: negative bus applied to the input → reverse current risk.
Chassis/return swap: reference is wrong → clamp current enters signal return.
Loose/arcing contacts: intermittent connection → repeated dV/dt bursts and false trips.

False trips from ground bounce

Why it happens: high di/dt return flows through shared impedance, shifting “ground” at sense pins.
Practical guardrails: keep Kelvin sensing local to the intended reference; use deglitch/blanking on trip inputs; avoid filtering that delays real protection.

Field-proof rule: the reverse protection device blocks reverse current, while the TVS/clamp path sends surge current to chassis through the shortest loop. If surge return is allowed into signal return, expect false trips, noisy sensing, and unpredictable failures.

Figure F7 — Reverse & reference: back-to-back MOSFET + TVS to chassis (correct return)
Block diagram: connector entry, back-to-back MOSFET reverse blocking (body diodes oppose, so reverse current is blocked), and a TVS clamping to chassis with a short low-inductance return loop; signal return is kept separate and carries no surge current. Reverse events: block reverse current; transient events: divert to chassis with the lowest-inductance loop.

EMI/EMC on the power line: filter design that stays stable

Power-line filtering improves EMI only when it also remains stable with the real source and the real input behavior. An undamped filter can ring and create new overvoltage peaks; interaction with front-end behavior can cause threshold chatter and nuisance disconnects. Effective designs manage DM/CM paths, add damping to reduce Q, and verify performance using scope-based symptoms and proxy metrics rather than assuming “more parts = less EMI.”

This section covers practical DM/CM filtering and the stability pitfalls that make some filters perform worse. Monitoring is discussed as a proxy for trend and diagnosis, not a replacement for certification.

DM vs CM (concept boundary)

DM filtering targets differential ripple between input rails (π networks, series inductance + capacitors).
CM filtering targets common-mode noise coupled to chassis (CM choke + chassis return strategy).
The strongest results come from matching the filter to how current returns, not only which parts are placed.

Feedthrough capacitors (why they help at HF)

A feedthrough-style return is effective because it provides a short high-frequency path to the reference. If the return path is long or shared, the capacitor can lose effectiveness and noise turns into radiation.

Why adding a filter can make things worse

  • Undamped resonance: a high-Q LC creates ringing; peaks can exceed the “no-filter” case.
  • Threshold chatter: ringing crosses trip thresholds repeatedly, causing false trips and repeated limiting.
  • Source/load interaction: the effective source impedance and the input behavior can amplify the resonance.

Common mistake → symptom → troubleshooting path

Mistake: “bigger L/C is always better”

Symptom: post-step overshoot spikes appear; trip inputs chatter.
Troubleshoot: identify resonance frequency; add damping (RC/ESR) to lower Q; shorten loop inductance.

Mistake: unclear CM return path

Symptom: radiated emissions worsen despite more parts.
Troubleshoot: verify chassis bonding/return paths; ensure high-frequency currents do not travel on signal return.

Mistake: filter causes protection instability

Symptom: repeated limit/disconnect during benign transients.
Troubleshoot: correlate trip events to filter ringing; apply deglitch/blanking; reduce resonance amplitude with damping.

Mistake: “monitoring = certification”

Symptom: proxy metrics look good, but compliance still fails.
Troubleshoot: use monitoring for trend and diagnosis only; treat certification as a separate evidence process.

Practical proxy monitoring: track high-frequency noise proxies (e.g., band-limited RMS or limit counters) at the input boundary to spot drift and correlate events. Use these indicators to guide debugging and maintenance—not as a substitute for EMI/EMC certification results.

Figure F8 — Filter + source/load impedance: where resonance appears (concept)
Concept diagram: source impedance (harness + bus) feeding an input filter (DM + CM) and a dynamic input impedance; a gain-versus-frequency inset shows a resonance peak that can be reduced by damping (RC snubbers), ESR (series loss), or segmented multi-stage filtering. Verify stability by observing ringing and trip chatter; use proxy noise metrics for trend, not certification.

Power-line monitoring & logging: what to measure to prove compliance and reliability

Robustness becomes provable when the input stage records what happened (cause), how big (peak), how long (duration), and how often (counters). The most useful minimum telemetry is Vin, Iin, Tin, fault cause, plus brownout and surge/spike counters. Capture fast events with window comparators + timestamp and slow behavior with an ADC trend, then separate warnings from trips to avoid nuisance disconnects.

Monitoring is used to correlate events and support traceability. Proxy metrics help trend and diagnose; they do not replace certification evidence.

Minimum viable telemetry (input boundary)

Must-have (closes the loop)

Vin (with UV/OV window events), Iin (limit/overload signatures), Tin (key thermal point), fault cause (UV/OV/OC/OT/reverse/chatter), brownout count, surge/spike counter.

High-value add-ons (better diagnosis)

Peak-hold (Vin_peak, I_peak), duration buckets (how long UV/OV persisted), trip chatter counter (repeated threshold crossings), dV/dt flag (fast edge bursts from arcing/contacts).

Sampling strategy: fast events vs slow trends

Fast path (spike / chatter / arcing)

Use window comparators for UV/OV/OC-like thresholds, add deglitch/blanking, then store timestamp + event code and update counters. Optional: peak-hold to preserve the maximum stress.

Slow path (brownout / heating / overload)

Use an ADC for Vin/Iin/Tin trends and keep lightweight snapshots around events. Trend + duration is often more actionable than raw high-rate waveforms.

Alarm layering: warning vs trip (avoid being “too sensitive”)

  • Warning: count and log mild excursions, raise a service flag, but keep continuity when safe.
  • Trip: act only when thresholds are exceeded with a time condition (duration) or repeat condition (count), and record the decisive evidence.
  • Anti-nuisance rule: track chatter (repeated crossings). Chatter is a signature of ringing/reference issues and should not look like random faults.

What to measure vs how to record (two-column checklist)

| Signal / indicator | Sampling & logging method (practical) |
| --- | --- |
| Vin (min/avg) + UV/OV window | ADC for trend; window comparator for fast UV/OV events; store timestamp + event code + optional duration bucket. |
| Iin (limit/overload signatures) | ADC for trend; use limit status/event pin (if available) for fast transitions; store I_peak via peak-hold if possible. |
| Tin (TVS/MOSFET thermal proxy) | ADC for slow sampling; log over-temp events with timestamp and capture a snapshot of Vin/Iin around the event. |
| Fault cause (UV/OV/OC/OT/reverse/chatter) | Encode as an event code; store with timestamp; include “action taken” (warning/trip) and retry state if relevant. |
| Brownout count + duration bucket | Comparator triggers count; duration estimated via timer; store bucketed durations to separate “brief dips” vs “long sags”. |
| Surge/spike counter (proxy) | High-threshold comparator + deglitch; count exceedances; optionally store Vin_peak for top-N events. |
| Trip chatter counter (proxy) | Count repeated crossings within a window; high chatter strongly points to ringing/reference/layout issues. |

Evidence record template: {timestamp, event_code, Vin_peak, I_peak, duration, temperature_flag, counter_state, action(warn/trip)}. This minimal record turns “it reset” into a traceable, diagnosable event.
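A software model of the fast path and the warning/trip layering for Vin only, added here as an example and not taken from the original page: window comparison, deglitch, duration buckets, peak-hold, chatter counting and one evidence record per event. The thresholds, bucket edges, 1 ms sample period, identifiers and the capture itself are constructed assumptions; I_peak and the temperature flag from the record template are left out.

```c
#include <stdint.h>
#include <stdio.h>

enum { Z_IN, Z_UV, Z_OV };        /* zone of a sample; also the event code */
enum { ACT_WARN = 1, ACT_TRIP };

typedef struct {
    uint32_t uv_mV, ov_mV;   /* window comparator thresholds */
    uint32_t deglitch;       /* samples an excursion must last to be an event */
    uint32_t trip_after;     /* samples after which an event counts as a trip */
    uint32_t chatter_win;    /* max gap between window exits in one burst */
    uint32_t chatter_n;      /* exits in one burst that flag chatter */
} mon_cfg;

typedef struct { uint32_t t_start, duration, extreme_mV; uint8_t code, action; } mon_rec;

typedef struct {
    uint32_t n_rec, brownouts, surges, glitches, chatter_events, warns, trips;
    uint32_t bucket[3];      /* brownout duration: <10, 10..99, >=100 samples */
    uint32_t vin_peak_mV;    /* peak-hold over the whole capture */
    mon_rec  rec[16];
} mon_log;

static int zone_of(const mon_cfg *c, uint32_t v)
{
    return v < c->uv_mV ? Z_UV : v > c->ov_mV ? Z_OV : Z_IN;
}

/* Called when Vin re-enters the window or the capture ends. For brevity the
 * action is classified here; live firmware would trip as soon as the run
 * length reaches trip_after. */
static void close_excursion(const mon_cfg *c, mon_log *L, int zone,
                            uint32_t start, uint32_t run, uint32_t extreme)
{
    if (run < c->deglitch) { L->glitches++; return; }  /* counted, not an event */
    uint8_t act = run >= c->trip_after ? ACT_TRIP : ACT_WARN;
    if (act == ACT_TRIP) L->trips++; else L->warns++;
    if (zone == Z_UV) { L->brownouts++; L->bucket[run < 10 ? 0 : run < 100 ? 1 : 2]++; }
    else              L->surges++;
    if (L->n_rec < 16)
        L->rec[L->n_rec++] = (mon_rec){ start, run, extreme, (uint8_t)zone, act };
}

void mon_process(const mon_cfg *c, const uint32_t *vin, uint32_t n, mon_log *L)
{
    int zone = Z_IN;
    uint32_t start = 0, run = 0, extreme = 0, last_entry = 0, burst = 0;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t v = vin[i];
        int z = zone_of(c, v);
        if (v > L->vin_peak_mV) L->vin_peak_mV = v;
        if (z != zone) {
            if (zone != Z_IN) close_excursion(c, L, zone, start, run, extreme);
            if (z != Z_IN) {
                /* Chatter: window exits that follow each other closely. */
                burst = (burst && i - last_entry <= c->chatter_win) ? burst + 1 : 1;
                if (burst == c->chatter_n) L->chatter_events++;
                last_entry = i; start = i; run = 0; extreme = v;
            }
            zone = z;
        }
        if (zone != Z_IN) {
            run++;
            if (zone == Z_UV ? v < extreme : v > extreme) extreme = v;
        }
    }
    if (zone != Z_IN) close_excursion(c, L, zone, start, run, extreme);
}

static void fill(uint32_t *v, uint32_t from, uint32_t to, uint32_t mV)
{
    for (uint32_t i = from; i < to; i++) v[i] = mV;
}

/* Constructed 200-sample Vin capture (1 sample = 1 ms), not measured data. */
mon_log mon_demo(void)
{
    static uint32_t vin[200];
    const mon_cfg cfg = { 22000, 32000, 3, 50, 5, 3 };
    mon_log L = {0};
    fill(vin, 0, 200, 28000);
    fill(vin, 20, 32, 17000);                             /* 12 ms dip */
    for (uint32_t i = 60; i <= 66; i += 2) vin[i] = 34000; /* ringing-like chatter */
    fill(vin, 100, 160, 15000);                           /* 60 ms sag */
    fill(vin, 180, 185, 36000);                           /* 5 ms overvoltage */
    mon_process(&cfg, vin, 200, &L);
    return L;
}

int main(void)
{
    mon_log L = mon_demo();
    for (uint32_t i = 0; i < L.n_rec; i++)
        printf("t=%u code=%u extreme=%u mV dur=%u action=%u\n",
               (unsigned)L.rec[i].t_start, (unsigned)L.rec[i].code,
               (unsigned)L.rec[i].extreme_mV, (unsigned)L.rec[i].duration,
               (unsigned)L.rec[i].action);
    printf("brownouts=%u surges=%u glitches=%u chatter=%u warn=%u trip=%u\n",
           (unsigned)L.brownouts, (unsigned)L.surges, (unsigned)L.glitches,
           (unsigned)L.chatter_events, (unsigned)L.warns, (unsigned)L.trips);
    return 0;
}
```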

Figure F9 — Telemetry stack: comparator windows + ADC + timestamp/event FIFO
Layered block diagram: Vin, Iin and Tin feed a fast path (UV/OV/OC window comparators, deglitch/blanking, timestamp + event FIFO, brownout and surge/spike counters) and a slow path (low-rate ADC, trend averages and durations, pre/post-event snapshots), with separate WARNING and TRIP outputs. Log: cause + peak + duration + count; use proxy metrics for trend and correlation, not as a certification replacement.

Layout & installation notes: making the protection actually work in the aircraft

A correct schematic can fail in the aircraft when high-energy currents take the wrong path. Protection works when clamp, switching, and filter loops have minimum loop area, the surge return bonds to chassis by the shortest path, and sensing references avoid shared impedance. Thermal and mechanical details (copper spreading, fasteners, and connector-adjacent placement order) determine whether TVS and MOSFETs survive repeated events.

Three critical loops (what must be physically short)

Clamp loop (TVS)

High di/dt surge current must return to chassis through the shortest, thickest path. A long loop increases effective clamp voltage and injects noise into sensitive references.

Switch loop (hot-swap / eFuse MOSFET)

Keep the high-current path compact, and keep sense/Kelvin returns out of the power loop. Shared impedance causes threshold drift and nuisance events.

Filter loop (DM/CM)

Filters must enclose the real return loop. If the capacitor/chassis return is long, HF currents escape as radiation and ringing can worsen.

Top 10 layout rules (one sentence each)

  1. Route TVS surge current to chassis by the shortest, thickest, and most direct return path.
  2. Place clamp and filter functions closest to the connector before the switching/control region.
  3. Keep clamp, switch, and filter loops physically tight; treat loop area as a primary design parameter.
  4. Separate high-current paths from sense/Kelvin returns to avoid shared impedance and ground bounce.
  5. Ensure CM return paths are explicit to chassis; do not allow HF return to ride on signal return.
  6. Provide a practical damping location (RC/ESR/segmentation point) to tame ringing during integration.
  7. Keep threshold pins and reference nodes away from high di/dt loops and connector-induced transients.
  8. Thermally spread TVS/MOSFET heat with copper and a repeatable heat path; avoid tiny isolated islands.
  9. Use mechanical attachment (fasteners/clamps) where applicable to reduce thermal resistance and vibration stress.
  10. After installation, verify by measurement: clamp return quality, chatter counters, and peak events should match expectations.

Installation sanity check: the surge return path must remain on chassis and must not cross sensitive regions. If counters show high chatter or repeated spikes after installation, suspect return routing, bonding quality, or loop enlargement.

Figure F10 — Good vs bad layout: correct surge return vs return crossing sensitive area
Figure description: two side-by-side block layouts, each with connector, TVS, switch and chassis. The good layout returns surge current directly to chassis through a short loop and keeps the sensitive area clean. The bad layout routes surge current through a long path that crosses a sensitive signal ground region and injects into signal ground. The same parts behave differently if the surge return loop changes: keep it on chassis and keep it short.
H2-11 · Validation plan

Validation plan: test the 28 V front-end like a DO-160-minded engineer (without quoting the spec)

A validation plan is “done” only when it proves three things with repeatable evidence: survivability (parts do not degrade under transients), continuity (the load stays powered or shuts down in a controlled way), and observability (events are captured as waveforms + temperature + logs that allow post-mortem and compliance traceability).

Waveform evidence checklist · Thermal proof (no slow self-destruction) · Log/telemetry field requirements · Test Matrix template

1) Validation layers (A→B→C): why a single “surge test” is never enough

Organize verification into three layers so every failure can be localized and fixed quickly. Each layer must output a consistent “evidence pack”: captured waveforms, peak values, temperatures, and log fields.

  • Layer A — Component-level stress: TVS/clamp heating & failure mode, series MOSFET SOA in linear limiting, input magnetics saturation risk, and damping network loss/temperature.
  • Layer B — Module behavior: hot-swap/eFuse state transitions (blanking→limit→timer→retry/latch), inrush control under worst-case Cload, and repeatability across many cycles (no thermal ratcheting).
  • Layer C — System input port: cable/chassis reference correctness, conducted-noise measurement with a DC LISN or equivalent impedance network, and robustness under injected events (spike/surge/brownout) plus realistic source impedance.

Practical rule: if a fix improves Layer C but breaks Layer B (or vice versa), the architecture order/return path is likely wrong (not “just a component value”).

2) Core test cases (what must be covered to claim “complete”)

Cover the complete event space by grouping use cases into five buckets. Each bucket should have at least one “worst-case” corner (temperature, source impedance, and load).

  • Power sequencing: normal power-up, fast power cycling, brownout to recovery, and “partial recovery” where Vin rises slowly through the UV window.
  • Load dynamics: step load changes, downstream large capacitance attachment, and repetitive inrush cycles to validate thermal margins and droop control.
  • Protection behavior: hard short, soft overload, intermittent arcs/contacts (burst faults), and retry/backoff behavior that avoids oscillation.
  • Miswire & reference mistakes: reverse polarity at the input, chassis bond resistance variation, and intentional “wrong TVS return” to prove sensitivity and required layout constraints.
  • Transient injection & conducted emissions: representative spikes/surges and conducted noise measurements (trend and margin building), using a consistent measurement impedance network.

3) Acceptance criteria & evidence pack (what every test must output)

Use a single criteria template across all tests. This prevents “passing by storytelling” and forces the same data fields every time.

SURVIVABILITY — no irreversible degradation

  • TVS/clamp: peak temperature and post-test leakage/drift check; confirm failure mode is not trending toward short/open under repeated events.
  • Series MOSFET: verify worst-case linear-limit power pulse stays within SOA margin; track case temperature rise across repetitions.
  • Magnetics: confirm no saturation-induced current runaway; check for abnormal temperature rise or audible/mechanical symptoms under events.

CONTINUITY — stays powered or shuts down in a controlled way

  • Record Vpeak, Ipeak, droop depth, and recovery time back into the allowed operating window.
  • State-machine correctness: no chatter (rapid on/off), no uncontrolled restart storm, and no false trips under benign ripple.
  • Availability goal must be explicit per test: “ride-through” vs “controlled shutdown” vs “latched off until service.”

OBSERVABILITY — traceable logs and timestamps

  • Minimum required fields: event_type, Vin_peak/min, Iin_peak, T_device, duration, retry_count, state_path.
  • Fast events: peak capture via window comparators + timestamp; slow events: ADC snapshots at defined rate.
  • Evidence pack per test: annotated scope screenshots (channels and timebase), thermal snapshot/plot, and exported log entries.

Figure F11 — Test Matrix (events × criteria × records)

Figure F11 — Test Matrix overview (what “done” looks like)
Test Matrix: rows = events, columns = criteria & records. Evidence required: W = Waveforms, T = Thermal, L = Logs.

| Event | Survivability | Continuity | Observability |
|---|---|---|---|
| Power-up / cycle | W,T | W,L | L |
| Brownout | W | W,L | L |
| Spike (fast) | W,T | W | L |
| Surge (energy) | W,T | W,L | L |
| Hard short | W,T,L | W,L | L |
| Intermittent arc | W,L | W,L | L |
| Reverse polarity | W,T | W | L |

How to use: treat the matrix as a checklist. A row is not “closed” unless it produces W waveforms, T thermal proof where relevant, and L logs with timestamps.
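One way to enforce the checklist in a verification script, as an added example that is not part of the original page. The matrix entries follow Figure F11 and the log fields follow the observability list above ("Vin_peak/min" is split into two fields); the evidence-pack layout, file names and sample values are constructed assumptions.

```python
# Added example: a Test Matrix row closes only when its evidence pack is complete.

CRITERIA = ("survivability", "continuity", "observability")

# Figure F11: evidence required per event and criterion (W=waveforms, T=thermal, L=logs).
MATRIX = {
    "Power-up / cycle": ("WT", "WL", "L"),
    "Brownout":         ("W", "WL", "L"),
    "Spike (fast)":     ("WT", "W", "L"),
    "Surge (energy)":   ("WT", "WL", "L"),
    "Hard short":       ("WTL", "WL", "L"),
    "Intermittent arc": ("WL", "WL", "L"),
    "Reverse polarity": ("WT", "W", "L"),
}

# Minimum log fields from the observability criteria, plus the timestamp every log needs.
REQUIRED_LOG_FIELDS = ("timestamp", "event_type", "Vin_peak", "Vin_min", "Iin_peak",
                       "T_device", "duration", "retry_count", "state_path")


def open_items(event, pack):
    """Return the reasons a matrix row is still open (empty list means closed)."""
    logs = pack.get("logs") or []
    bad_logs = []
    for i, rec in enumerate(logs):
        missing = [f for f in REQUIRED_LOG_FIELDS if rec.get(f) is None]
        if missing:
            bad_logs.append(f"log record {i} lacks {', '.join(missing)}")
    have = set()
    if pack.get("waveforms"):
        have.add("W")
    if pack.get("thermal"):
        have.add("T")
    if logs and not bad_logs:          # logs count only when every record is complete
        have.add("L")
    reasons = []
    for criterion, kinds in zip(CRITERIA, MATRIX[event]):
        missing = [k for k in kinds if k not in have]
        if missing:
            reasons.append(f"{criterion}: missing {','.join(missing)}")
    return reasons + bad_logs


def matrix_report(packs):
    """Map every matrix event to its open items; an event with no pack is open."""
    return {ev: open_items(ev, packs[ev]) if ev in packs else ["no evidence pack"]
            for ev in MATRIX}


# Constructed sample evidence packs (illustrative names and values, not measurements).
SAMPLE_PACKS = {
    "Brownout": {
        "waveforms": ["brownout_slow_ramp_ch1-4.png"],
        "thermal": [],                 # F11 asks for no thermal proof on this row
        "logs": [{"timestamp": 1021.40, "event_type": "BROWNOUT", "Vin_peak": 27.9,
                  "Vin_min": 15.2, "Iin_peak": 3.1, "T_device": 41.0, "duration": 0.18,
                  "retry_count": 0, "state_path": "run>uv_warn>run"}],
    },
    "Surge (energy)": {
        "waveforms": ["surge_n10_ch1-4.png"],
        "thermal": [],                 # thermal proof was never captured
        "logs": [{"event_type": "SURGE", "Vin_peak": 61.0, "Vin_min": 27.5,
                  "Iin_peak": 9.4, "duration": 0.05, "retry_count": 1,
                  "state_path": "run>limit>timer>retry>run"}],
    },
}

if __name__ == "__main__":
    for event, reasons in matrix_report(SAMPLE_PACKS).items():
        print(f"{event:18s} {'CLOSED' if not reasons else 'OPEN: ' + '; '.join(reasons)}")
```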

4) Test Matrix template (practical table to copy into a verification plan)

This table intentionally avoids spec wording. It uses engineering pass/fail statements and evidence requirements. Replace numeric limits with the project’s “guarantee envelope” (H2-1) and keep the record fields unchanged.

| Event | Stimulus setup | Pass criteria (examples) | Waveforms (must capture) | Logs / records |
|---|---|---|---|---|
| Power-up / fast cycle | Worst-case Cload, min source voltage, max cable resistance. | No uncontrolled overshoot; inrush limit behaves as configured; repeated cycles show no rising temperature trend. | Vin, Vout, Iin, gate/CS (if available), state pin(s). | event_type=POWER_UP, Vin_min, Iin_peak, T_device, ramp_time, state_path. |
| Brownout & recovery | Slow sag through UV window, then recovery; include “slow-ramp” case. | No chatter; recovery time bounded; warning vs trip behavior matches availability goal. | Vin, Vout, Iin, UV/PG related nodes. | brownout_count, Vin_min, duration, recovery_time, trip_reason. |
| Spike (fast) | Fast overvoltage impulse + representative source impedance. | Clamp limits peak at protected node; no damage indicators; post-test leakage/offset remains stable. | Vin (at connector), protected node, clamp current proxy (if measurable). | spike_counter, Vin_peak, timestamp, state_path (if any action taken). |
| Surge (energy) | Energy-bearing transient; repeat for “N events” to validate thermal accumulation. | No thermal runaway; MOSFET/TVS temperatures settle; continuity behavior matches design choice (ride-through vs controlled off). | Vin, Vout, Iin, MOSFET Vds, ILIM node (if available). | surge_counter, Vin_peak, Iin_peak, T_device_peak, retry_count. |
| Hard short | Downstream short at output of hot-swap/eFuse; include cold/hot ambient. | Current limit and timer operate as expected; no SOA exceedance; safe shutdown or stable limiting; no restart storm. | Vout, Iout/Iin, MOSFET Vds, timer/fault pins. | fault_type=SHORT, duration, retry_count, latch_flag, T_device_peak. |
| Soft overload | Programmable overload just above nominal; include long-duration case. | Foldback/thermal regulation behaves predictably; no nuisance trip under allowable transients; thermal foldback does not oscillate. | Vout, Iout, T proxy (NTC/diode), state pin(s). | fault_type=OVERLOAD, thermal_foldback_count, time_in_limit, recovery_time. |
| Intermittent arc/contact | Burst short pulses or contact bounce sequence; vary repetition rate. | No false latched-off from benign bounce; retry/backoff prevents rapid cycling; logs preserve burst signature. | Vin, Vout, Iin, fault pin, retry waveform signature. | fault_burst_count, retry_count, burst_duration_histogram (optional), timestamp. |
| Reverse polarity (input) | Reverse at connector for defined duration; include “partial reverse” and miswire cases. | No damage; controlled blocking; no backfeed into chassis/signal ground; post-test leakage remains within limits. | Vin, protected node, reverse-block device Vds/Vgs proxies. | event_type=REVERSE, duration, peak_reverse, protective_state, T_device. |
| Conducted emissions trend | Measure with DC LISN or equivalent; worst-case switching/load states. | Trend improves after mitigation; no new resonant peaks introduced; mitigation does not destabilize hot-swap control. | Noise port spectrum trace + time-domain snapshots around peaks. | measurement_setup_id, config_hash (filter values), peak_list (freq/ampl), notes. |

Note: “Pass criteria” numbers should be pulled from the project’s guarantee envelope (H2-1) and kept consistent across all tests.

5) Reference parts list (example BOM items to anchor the plan)

These part numbers are examples to make the test plan concrete. Aviation qualification, derating rules, and procurement constraints still apply. The validation matrix decides whether a given part + layout + settings combination is acceptable.

| Block | Example part numbers | Why it fits the front-end | Validation focus |
|---|---|---|---|
| Hot-swap controller | TI LM5069 / TPS2490 | 9–80 V hot-swap control with programmable current limit and power/SOA limiting via external MOSFET. | Inrush ramp, ILIM & timer behavior, SOA margin in linear limiting, retry vs latch-off stability. |
| Surge stopper | ADI LTC4366 | Overvoltage surge stopper controlling an external MOSFET; can regulate output during overvoltage so the load may remain operational. | Energy path (MOSFET dissipation), thermal rise over repeated surges, recovery behavior, clamp setpoint accuracy. |
| Series MOSFET (100 V class) | Infineon IPB017N10N5 (100 V) · Vishay SiR870DP (100 V) | Voltage margin and low Rds(on) for series pass usage; candidates for hot-swap / surge-stopper pass elements. | Linear SOA (worst case: high Vds + ILIM), transient avalanche exposure, package thermal path verification on PCB. |
| TVS diode | Littelfuse SM8S series (example: SM8S36A) | High peak pulse rating family for transient suppression; used as a “fast energy buffer” when referenced correctly to chassis/return. | Clamp peak vs layout inductance, thermal accumulation, post-event leakage/drift, failure mode (short/open) trend under repeats. |
| Common-mode choke | Würth Elektronik 744232101 (AEC-Q200) | Representative CM choke option to anchor the filter discussion (DM/CM partitioning and impedance shaping). | Resonance/damping interaction with input capacitors, temperature rise under ripple current, mechanical robustness if applicable. |
| Feedthrough capacitor (EMI) | Murata NFM21PC105B1C3D (3-terminal feedthrough) | Example of a 3-terminal low-ESL capacitor used to improve HF shunting where layout inductance dominates. | HF effectiveness vs placement, unintended resonance, and whether added capacitance destabilizes the control loop. |
| DC LISN (conducted emissions) | Tekbox TBLDC32-2 (DC LISN, 9 kHz–30 MHz) | Example impedance network for repeatable conducted-emissions measurements on DC lines. | Measurement repeatability, peak identification, “fix improves EMI but breaks stability” detection. |

6) Test bench essentials (minimum setup to make results defensible)

  • Programmable DC source with controlled ramp and fast drop/recovery; include a switch element or transient source if needed for repeatable events.
  • Electronic load capable of step loads and overload profiles (including long-duration overload for thermal foldback behavior).
  • Oscilloscope + probes: differential voltage probe, current probe (or shunt + differential), and at least one channel reserved for fault/state pins.
  • Thermal instrumentation: thermocouples on TVS + MOSFET case + magnetics, or thermal camera with repeatable emissivity control.
  • Conducted-noise measurement: DC LISN (or equivalent) + spectrum analyzer/receiver; store configuration hashes and peak lists.
  • Logging path: firmware/MCU logger or discrete event counter path that records timestamps and fault/state transitions.

Documentation standard: every test record includes the schematic revision, PCB revision, BOM revision, configuration settings, ambient temperature, and cable length/impedance notes.

FAQs — 28 V Aircraft Power Front-End

Field symptoms → root-cause decision rules → concrete actions (focused only on the 28 V input front-end).

01. Why does the front-end pass bench tests but trip in the aircraft during engine start?

Bench setups often miss three realities: source impedance (generator + long cable), chassis bonding return paths, and event stacking (a sag with superimposed ringing/spikes). Engine start can pull Vin through the UV window while a fast overshoot triggers OV or current-limit timing. Capture Vin min/peak with timestamps and correlate to fault-state transitions to separate “brownout” from “protection trip.”

Practical move: log Vin_min, Vin_peak, trip_reason, state_path, and event_time for every start attempt; the pattern usually becomes obvious in 2–3 flights.

02. Surge vs spike—how to decide whether the TVS or the hot-swap should absorb the energy?

Translate the waveform into stress terms: Vpeak, dV/dt, and energy (∫v·i dt). Spikes are short and steep; TVS is best at fast peak limiting when the return path is low inductance. Surges are energy-bearing; letting a hot-swap/surge-stopper regulate may protect the load but shifts dissipation into the series MOSFET—SOA and thermal repetition then become the deciding constraints.

Decision rule: first identify the energy path (to chassis clamp vs through-switch dissipation), then validate thermal accumulation across repeated events.

03. How to size inrush control from Cload without blowing MOSFET SOA?

Inrush is capacitor charging: I ≈ Cload·dV/dt. Choose a target ramp time, then compute the required current limit. Next, bound the worst-case linear dissipation: P ≈ VDS·ILIM during the ramp and during any foldback interval. The most dangerous case is high Vin with current limiting (large VDS). Validate with repeated cycles and temperature rise, not only a single “clean” ramp capture.

Tuning order: slew (dV/dt) → ILIM → timer/blanking → retry/backoff. Avoid “fixing” inrush only by raising ILIM.
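
The two relations above carried through for one ramp, as an added derivation that is not part of the original page. It assumes a constant Vin, a constant-current ramp at ILIM from Vout = 0, and no load current drawn during the ramp; t_ramp and E are symbols introduced here.

    t_ramp = Cload·Vin / ILIM
    VDS(t) = Vin − (ILIM/Cload)·t,   0 ≤ t ≤ t_ramp
    P(t)   = VDS(t)·ILIM,            P_peak = Vin·ILIM at t = 0
    E      = ∫P dt = Vin·ILIM·t_ramp − ILIM²·t_ramp²/(2·Cload) = ½·Cload·Vin²

The energy dissipated in the pass MOSFET is set by Cload and Vin alone; ILIM only trades peak power against pulse length. A conservative SOA check therefore treats the ramp as a rectangular pulse of P_peak lasting t_ramp, taken at the highest Vin.
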
04. Foldback vs constant-current—what prevents connector arcing and intermittent faults?

Separate fault types: hard short, soft overload, and intermittent arc/contact bounce. Constant-current can keep feeding an arc, sustaining heating and repeated re-ignition at the connector. Foldback reduces delivered power after the initial detection, often improving survivability and reducing arc persistence. The key is stable retry logic: add cooldown and backoff so the system does not enter a rapid on/off storm that recreates arcing conditions.

Look for “burst signatures”: multiple short faults in a short window. If bursts correlate with retries, increase backoff and tighten arc detection criteria.

05. What blanking/debounce is needed to avoid nuisance trips from bus noise?

Apply debounce where false triggers are common: UV/OV windows, current-limit comparators, and fault pins feeding latch/retry logic. Use two time scales: fast noise/ringing should increment counters or capture peaks with timestamps, while true brownouts should be detected by filtered measurements. A good design separates warning from trip: transient counters raise a warning, but only sustained violations initiate shutdown.

Avoid one giant filter for everything. Use short blanking for switching edges, window + counter for spikes, and averaged ADC for brownouts.
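
A software model of that split, as an added example that is not part of the original page: short excursions outside the window are blanked or counted as warnings with their extreme and duration, and only an averaged undervoltage that persists raises a trip. The thresholds, the 1 ms sample period, the class name and the waveform are constructed assumptions; in hardware the fast path is the comparator stage.

```python
from collections import deque


class InputMonitor:
    """Two time scales: fast window + counter (warning), slow averaged UV (trip)."""

    def __init__(self, uv=18.0, ov=32.0, blank=2, avg_len=8, uv_hold=16, fifo_len=8):
        self.uv, self.ov = uv, ov              # assumed window edges in volts
        self.blank = blank                     # excursions this short are ignored
        self.uv_hold = uv_hold                 # averaged-UV samples needed to trip
        self.window = deque(maxlen=avg_len)    # slow path: moving average of Vin
        self.fifo = deque(maxlen=fifo_len)     # last-N event records
        self.transient_count = 0               # warning counter, never trips
        self.tripped_at = None
        self._n = self._run = self._below = 0
        self._side = self._start = self._ext = None

    def feed(self, v):
        n, self._n = self._n, self._n + 1
        # Fast path: which side of the window is this sample on, if any?
        side = "OV" if v > self.ov else "UV" if v < self.uv else None
        if side != self._side:                 # excursion starts, ends or flips side
            if self._side and self._run > self.blank:
                self.transient_count += 1
                self.fifo.append({"t": self._start, "code": self._side,
                                  "extreme": self._ext, "duration": self._run})
            self._side, self._run, self._start, self._ext = side, 0, n, v
        if side:
            self._run += 1
            self._ext = max(self._ext, v) if side == "OV" else min(self._ext, v)
        # Slow path: only a sustained averaged undervoltage is allowed to trip.
        self.window.append(v)
        full = len(self.window) == self.window.maxlen
        avg = sum(self.window) / len(self.window)
        self._below = self._below + 1 if (full and avg < self.uv) else 0
        if self.tripped_at is None and self._below >= self.uv_hold:
            self.tripped_at = n
            self.fifo.append({"t": n, "code": "UV_SUSTAINED",
                              "extreme": avg, "duration": self._below})


def constructed_stream():
    """Constructed Vin samples: glitch, OV spike, short UV dip, then a sustained sag."""
    return ([28.0] * 20 + [40.0] + [28.0] * 10 + [36.0, 38.0, 41.0, 37.0, 35.0]
            + [28.0] * 10 + [12.0] * 3 + [28.0] * 20 + [15.0] * 40)


def run_monitor(samples):
    monitor = InputMonitor()
    for v in samples:
        monitor.feed(v)
    return monitor


if __name__ == "__main__":
    m = run_monitor(constructed_stream())
    print("transients:", m.transient_count, "tripped at sample:", m.tripped_at)
    for record in m.fifo:
        print(record)
```
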
06. Where should TVS return: chassis or signal ground, and what goes wrong if you pick the wrong one?

TVS is a pulse-current device, so its return must be the shortest, lowest-inductance path for the surge current. Returning to chassis is often the safest for aircraft wiring because it keeps the high di/dt loop out of sensitive signal returns. If the TVS dumps into signal ground, the surge current can lift ground potential, cause false trips, corrupt sensing thresholds, and inject noise into monitoring lines—while the TVS “looks correct” on paper.

Layout rule: prioritize connector → TVS → chassis bond as a tight loop. Keep sensing/logic grounds physically away from that loop.

07. Why can an EMI filter worsen ringing or make the hot-swap unstable?

Input filters reshape impedance. With cable inductance and source resistance, the filter can create a high-Q resonance that amplifies ringing at the protected node. At the same time, a hot-swap controller may “see” the filter as a negative-impedance interaction, reducing phase margin and causing oscillation, chatter, or false faults. Stabilize by adding damping (RC/ESR), splitting the filter into stages, and validating stability under worst-case source impedance and load steps.

A filter that improves EMI but triggers trips is not finished. Re-check impedance + damping before changing protection thresholds.

08. What’s the minimal telemetry set to “prove” power quality and trip causes in the field?

Minimum set: Vin (min/peak), Iin (peak), device temperature (or proxy), fault cause code, brownout count, spike/surge counters, retry count, and timestamps. Fast events should use peak capture or window comparators plus timestamps; slow events can use ADC snapshots. Separate warning vs trip records, so benign noise is visible without reducing availability. A small, consistent record set beats a large, inconsistent one.

If storage is tight, keep fixed fields and compress history (e.g., counters + last-N events). Consistency matters more than resolution.

09. How to differentiate brownout resets from transient-induced protection trips?

Brownout shows sustained Vin below a defined window and a slow recovery; the reset cause aligns with UV duration. Transient trips often show short Vin disturbances (spikes/ringing) and a protection state path such as limit → timer → latch/retry. The reliable method is time alignment: log Vin_min, Vin_peak, duration, reset cause, and the protection state transition timestamps. Patterns emerge quickly when plotted against the same clock.

Treat “reset cause” and “trip reason” as different signals. Combine both with Vin min/peak to avoid misdiagnosing events.
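
The time-alignment method above, sketched as an added example that is not part of the original page: every reset here reports a reset cause, and only the front-end record on the same clock separates a bus brownout from a protection trip. The thresholds, state names, reason codes and sample records are constructed assumptions.

```python
UV_WINDOW_V = 18.0     # assumed lower edge of the operating window
UV_SUSTAIN_S = 0.050   # assumed: sags shorter than this are transients
ALIGN_S = 0.5          # assumed max gap between an event's end and the reset it explains
PROTECTION_STATES = {"limit", "timer", "latch", "retry"}


def classify_event(ev):
    """Label one front-end record from Vin_min, duration and the protection state path."""
    sustained_uv = ev["Vin_min"] < UV_WINDOW_V and ev["duration"] >= UV_SUSTAIN_S
    protection = bool(PROTECTION_STATES & set(ev["state_path"]))
    if sustained_uv and protection:
        return "stacked"            # sag with a protection action on top of it
    if sustained_uv:
        return "brownout"
    if protection:
        return "transient_trip"
    return "warning_only"


def explain_resets(resets, events):
    """Attach a verdict to each reset using front-end events on the same clock."""
    out = []
    for r in sorted(resets, key=lambda rec: rec["timestamp"]):
        near = [e for e in events
                if e["timestamp"] <= r["timestamp"]
                <= e["timestamp"] + e["duration"] + ALIGN_S]
        verdicts = {classify_event(e) for e in near} - {"warning_only"}
        if not verdicts:
            verdict = "unexplained"
        elif len(verdicts) > 1 or "stacked" in verdicts:
            verdict = "stacked"
        else:
            verdict = verdicts.pop()
        out.append({"timestamp": r["timestamp"], "reset_cause": r["reset_cause"],
                    "verdict": verdict,
                    "trip_reasons": [e["trip_reason"] for e in near if e["trip_reason"]]})
    return out


# Constructed front-end records (seconds on a shared clock, volts).
EVENTS = [
    {"timestamp": 100.0, "Vin_min": 14.8, "Vin_peak": 28.1, "duration": 0.320,
     "trip_reason": None, "state_path": ["run", "uv_warn", "run"]},
    {"timestamp": 250.0, "Vin_min": 26.5, "Vin_peak": 41.0, "duration": 0.004,
     "trip_reason": "OC_TIMER", "state_path": ["run", "limit", "timer", "latch"]},
    {"timestamp": 300.0, "Vin_min": 27.0, "Vin_peak": 36.0, "duration": 0.0002,
     "trip_reason": None, "state_path": ["run"]},
    {"timestamp": 400.0, "Vin_min": 15.5, "Vin_peak": 39.0, "duration": 0.200,
     "trip_reason": "OC_TIMER", "state_path": ["run", "limit", "timer", "retry", "run"]},
]

# Constructed load-side reset records; the cause alone does not separate the cases.
RESETS = [
    {"timestamp": 100.25, "reset_cause": "BOR"},
    {"timestamp": 250.01, "reset_cause": "BOR"},
    {"timestamp": 350.00, "reset_cause": "WDT"},
    {"timestamp": 400.15, "reset_cause": "BOR"},
]

if __name__ == "__main__":
    for row in explain_resets(RESETS, EVENTS):
        print(row)
```
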
10. Reverse polarity protection: diode vs ideal diode vs back-to-back MOSFET—how to choose?

Choose by allowed voltage drop, power loss, reverse leakage, and how long reverse can persist. A diode is simplest but burns margin and heat. Ideal-diode controllers reduce drop but need careful layout and transient robustness. Back-to-back MOSFETs provide low loss and strong reverse blocking, but require gate control and thorough validation under transients and miswire cases. Always validate return paths: reverse events can force unexpected current through clamp networks if references are wrong.

A “perfect” reverse block can still fail if the TVS/return reference creates a hidden backfeed path. Verify with a deliberate miswire test.

11. What are the top layout mistakes that make surge protection ineffective?

The most common failures are geometric, not schematic: a large TVS loop (high ESL), a long chassis bond path, and routing surge return currents through signal ground. Other frequent issues: placing the filter/protection far from the connector, sharing high di/dt current paths with sense lines, and forgetting damping so ringing exceeds the clamp level at the protected node. Fixes usually require moving parts, not changing values.

Priority order: short loops → correct return reference → separate sensing → damping. If one is wrong, the rest rarely saves the design.

12. What should a DO-160-minded validation checklist include for a 28 V input front-end?

Use a layered checklist: component stress (TVS heating, MOSFET SOA, magnetics saturation), module behavior (inrush, limit, timer, retry/latch stability), and system port behavior (cable impedance, chassis bonding, conducted-noise trends). Require an evidence pack for every event: waveforms, thermal proof where relevant, and logs with timestamps and reason codes. Close the plan with a test matrix: events × criteria × required records.

If a test “passes” without saved waveforms + temperature + logs, it is not closed. Repeatability is part of compliance-minded engineering.