What This Page Owns

This topic covers the external safety interface of a gate driver: how faults are reported (/FLT), how readiness is declared (/RDY or PG), and how switching is prevented (EN / nDIS / SD). The focus is end-to-end reliability, especially when signals must cross an isolation barrier.

“Safe Fault Path” as a Verifiable Contract

A safe fault path is not a concept; it is a chain of obligations that can be tested and documented:

• Detect: A fault is detected (by internal comparators/logic).
• Act locally: Gate outputs transition to the safe state locally (must not depend on firmware).
• Report: Fault state is exported as /FLT (and optionally /RDY changes) across isolation in a fail-safe manner.
• Inhibit: A hardware-backed system inhibit prevents re-enabling switching until the recovery policy is satisfied.

Each link must be measurable (timing), resettable (defined clear method), and diagnosable (detect stuck-at/open-wire/short-to-rail behaviors).

Signal Classifiers That Change Real-World Behavior

Four orthogonal attributes determine how /FLT, /RDY, and disable behave in the field:

• Latched vs Auto-retry: lockout until clear vs periodic restart attempts (risk of “retry storms”).
• Level vs Pulse: static assertion vs brief notifications (pulses are easier to lose across isolation).
• Static vs Toggling: constant state vs heartbeat/toggle patterns (toggling supports stuck-at diagnostics).
• Polarity & Output type: active-low vs active-high, open-drain vs push-pull (defines whether open-wire becomes safe or dangerous).

Common Naming Map (Do Not Assume Semantics)

Vendors reuse names with different meanings. A design must treat pin labels as hints, then validate the truth table:

• /FLT, FLT, FAULT, nFAULT — fault indication; often active-low; frequently open-drain.
• /RDY, RDY, PG, PGOOD — readiness; may mean “bias OK,” “fault clear,” or “internal checks passed.”
• EN, nEN, nDIS, SD, SHDN — enable/disable; may affect input logic only, output stage, or both.
• RST, CLR, FLT_CLR — clearing latched states; method and timing are device-specific.

Out of Scope (One-Line Boundary)

• DESAT thresholding, blanking, and soft turn-off tuning (owned by the DESAT topic).
• Deadtime generation and cross-conduction interlock truth tables (owned by the deadtime/interlock topic).
• Active Miller clamp mechanisms (owned by the Miller clamp topic).
• Layout/grounding and parasitic suppression (owned by the design hooks topic).

Safety Objectives (Three Layers)

Fault handling is successful only when all three layers are satisfied:

• Power-stage safe state: gate outputs transition to a defined safe condition (typically OFF) without depending on software.
• Controller awareness: the safety domain receives a reliable, interpretable fault state (including wiring faults and loss-of-power scenarios).
• Restart policy: re-enabling switching follows a defined policy (latched clear procedure or controlled retry with cooldown).

Action Levels: Stop Switching vs Force-Off vs Limited Operation

Shutdown Priority (Hard Rule)

• Local hardware shutdown must act first (driver-level gate-off).
• Isolated fault reporting must remain fail-safe and diagnosable across the barrier.
• Hardware-backed inhibit must prevent re-enabling switching (PWM kill / gate) even if firmware is stalled.
• Digital telemetry and firmware logic are helpful for logging and recovery orchestration, but must not be the only safety barrier.

Timing Budget: Make the Chain Measurable

A correct specification defines timing in segments that can be measured on the bench:

• t_detect: fault occurs → driver recognizes it.
• t_gateoff_local: recognition → gate outputs reach the safe state locally (critical safety segment).
• t_report_iso: /FLT assertion → receiver sees it across isolation.
• t_inhibit_system: receiver sees fault → hardware inhibit prevents re-enable.

For review and validation, timing claims should reference t_gateoff_local explicitly; reporting latency alone can hide unsafe behavior.

Minimum Acceptance Criteria (Field-Proof Baseline)

• Gate outputs reach the defined safe state within X µs of fault detection (independent of firmware).
• /FLT remains interpretable under dv/dt and EMI, with false trips below X events / Y hours.
• Open-wire or missing pull-up on the fault line resolves to a safe outcome (design target: default-to-fault).
• Re-enable behavior is deterministic: either a defined latched clear procedure or a bounded retry + cooldown policy.

Why Output Type Is a Safety Decision

/FLT and /RDY are safety I/Os, not generic GPIOs. Output type determines whether common wiring faults become safe-by-default or dangerous-by-default.

Open-Drain (OD): Wiring Rules That Prevent Nuisance Trips

• Pull-up is mandatory: /FLT is frequently OD and cannot drive high without an external pull-up.
• Pull-up must be in the safety logic domain: this makes “loss of isolated-side power” and “open-wire” easier to map to a safe state.
• Pick pull-up strength by edge integrity: too-weak pull-up creates slow edges and noise sensitivity; too-strong can violate sink capability.
• OD enables wired-OR: multiple /FLT pins can share one bus when each output is OD and the pull-up is shared.

Acceptance baseline: /FLT asserted must pull below Vil(max) under worst-case temperature and leakage; deasserted must rise above Vih(min) within a defined time window (X ms) for the receiver.

Push-Pull (PP): Fast, but Easy to Make Fail-Dangerous

• No wired-OR by default: tying multiple PP outputs together can cause contention and undefined states.
• Default state depends on power and reset: “unpowered” or “resetting” behavior can look like “OK” unless explicitly specified and tested.
• Crossing isolation needs a truth-table check: PP polarity and isolator fail-safe behavior must match the system’s “default-to-fault” goal.

Acceptance baseline: any single wiring fault (open-wire or short-to-rail) must not create an “OK” indication that allows switching.

Current Source/Sink & Open-Collector Special Cases

• Current-mode outputs need an external resistor: the receiver threshold depends on resistor value and compliance voltage.
• Sink capability limits pull-up strength: if the pull-up is too strong, “fault asserted” may not reach a valid LOW level.
• Leakage and temperature matter: current-mode signaling must be validated across temperature and worst-case input leakage.

Acceptance baseline: guaranteed Vlow and Vhigh at the receiver with worst-case current capability, resistor tolerance, and leakage.

Polarity: Why Active-Low Is Common for Safety

• Active-low + OD supports a “default-to-fault” philosophy.
• Open-wire can be designed to look like fault (preferred) rather than “OK.”
• Receiver should treat unknown as unsafe: if the signal becomes floating or invalid, switching must be inhibited.

Failure-Mode Outcomes (Convert Into Test Cases)

Behavior Contract: What the Outside World Must Observe

Fault logic determines field behavior. External signals (/FLT, /RDY, enable state) must remain consistent with a verifiable contract:

• Local gate-off first: the output stage enters the safe state before system-level actions complete.
• Stable reporting: /FLT represents a coherent state (fault present, latched, retrying), not random toggling under noise.
• Deterministic recovery: clear method and timing are defined (latched clear) or bounded (retry + cooldown).

Latch: Why It “Locks” and How It Clears

• Latched fault prevents repeated re-energizing of a damaged or unsafe power stage.
• Common clear methods: RST/CLR pin, toggle EN/nDIS with a minimum low time, or power-cycle.
• Clear is not valid unless prerequisites are satisfied (bias above UVLO, temperature below OTP recovery, etc.).

Acceptance baseline: a documented clear sequence returns /FLT and /RDY to expected states within X ms under defined conditions.

Auto-Retry: When “Chattering Restart” Happens

• Retry period and max attempts shape whether recovery is controlled or becomes a retry storm.
• Cooldown and qualification windows are required to prevent re-enable on marginal bias rails or noisy environments.
• In brownout conditions, retry can oscillate between “almost ready” and “fault,” repeatedly stressing the power stage.

Acceptance baseline: bounded attempts (N) per window (Y s) and a deterministic lockout path after limit is reached.

Blanking & Deglitch: False Trip vs Missed Fault

Observable Symptoms: Fast Mapping to Root Cause

• /FLT low but gate already OFF: reporting is correct, but the receiver path (pull-up/domain/isolator) may be wrong if the controller never sees it.
• /FLT toggling: retry policy interacting with UVLO hysteresis or deglitch too small under dv/dt events.
• /RDY flicker: marginal bias rail or semantics mismatch (“bias OK” does not mean “safe to enable”).
• Clear does nothing: latch clear method or minimum disable timing not met.

Disable Is a Hardware Safety Gate (Not a GPIO)

In isolated power systems, the disable path is the final hardware barrier that must stop switching even when firmware, communications, or timing assumptions are no longer trustworthy.

Default State: “Disabled Unless Proven Safe”

• Power-up default: prefer “disabled by default” until the safety domain asserts enable.
• Open-wire default: missing/invalid enable wiring must resolve to “disabled.”
• Power sequencing: if the control domain is unpowered while the power stage is energized, disable must still keep the driver OFF.

Acceptance baseline: any loss of the enable command (open-wire, missing pull, unpowered control side) must not result in continued switching.

Input Details That Matter: Thresholds, Pulls, RC, Schmitt

• Input thresholds: define V_IL/V_IH margins for the actual logic voltage domain.
• Internal pull-up/down: verify the true default state if the pin is left floating during bring-up or harness faults.
• Schmitt behavior: required when RC or long wiring creates slow edges; otherwise, the input can hover in the undefined region.
• RC delay: use only for controlled sequencing or debouncing; it must not be the only safety mechanism.

Acceptance baseline: under slow-edge and noise stress, disable must not accidentally release; invalid/unknown levels must map to “inhibit.”

Three Disable Layers (Do Not Confuse Them)

Interaction With /FLT and /RDY (Avoid Hidden States)

• Disable asserted: confirm whether /RDY is expected to drop (power-good semantics) and whether /FLT remains meaningful (fault visibility).
• Fault while disabled: the reporting path must not become a “black box” where faults disappear because disable is asserted.
• Clear and re-enable: define the minimum disable time and a qualification window for /RDY stability before allowing switching.

Core Goal: Any Single Fault Must Not Allow Switching

The isolated fault path must be a closed safety loop: faults are reported across isolation in a fail-safe way, and the safety domain enforces a hardware inhibit that prevents re-enable.

Default-to-Off Design Rules (Practical)

• /FLT: prefer active-low OD and place the pull-up in the safety domain to control behavior during power sequencing and wire faults.
• Disable loop: make enable conditional on a valid “not-fault” state; invalid/unknown states must map to inhibit.
• Receiver qualification: treat floating or invalid levels as fault; Schmitt inputs or qualification windows are recommended for long wiring or slow edges.

Single-Point Failures (SPOF): Convert to Validation Cases

Isolation Channel Selection (Only What Matters for Fault Paths)

• Fail-safe default output: define output state when input is floating, unpowered, or invalid.
• Glitch immunity: reject short pulses and slow-edge ambiguity on the fault bus.
• dv/dt robustness: the channel must not self-toggle during high dv/dt events.

Acceptance baseline: across power sequencing and dv/dt stress, the isolation receiver must not produce a false “OK” that allows enable.

Hard Rule: Local Gate-Off Must Happen First

In half-bridge, 3-phase, and multibridge systems, the first safety layer is local hardware gate-off. Remote shutdown (through isolation and firmware) is a second layer that must never be the primary barrier.

Define Measurement Points (Avoid Lab Disputes)

• T0: fault is confirmed (after blanking/deglitch).
• T1: gate outputs enter the safe state (HO/LO OFF or clamp state).
• T2: /FLT is valid at the pin (meets receiver threshold).
• T3: PWM is effectively inhibited (input toggling is stopped by hardware/logic).

Acceptance baseline: record t(T0→T1), t(T0→T2), and t(T0→T3) as separate buckets, not a single ambiguous number.

/FLT Propagation Delay Budget (Bucket Model)

Total budget: t_total = t_local_off + t_pin_valid + t_pd_iso + t_ctrl_in + t_decide + t_pwm_stop (use X/Y placeholders for system-specific limits).

Skew: “All Stop” vs “Staggered Stop”

• Complementary pair first: within a half-bridge, HO/LO must reach a safe state without creating overlap risk.
• Phase skew: 3-phase or multibridge stop behavior must stay within a defined skew window (X) to avoid asymmetric energy stress.
• Recovery discipline: re-enable requires a stability window; fault-cleared alone must not restart switching.

/RDY Is Evidence, Not a Key

/RDY can mean “bias OK,” “self-test pass,” “no-fault,” or a combination. Treating /RDY as a direct PWM gate can cause false start, restart storms, or unsafe enable during boundary conditions.

Power Sequencing: /RDY and /FLT Must Be Interpreted Together

• RDY=1 does not guarantee “safe to switch” unless the vendor definition includes fault-cleared and output-stage readiness.
• RDY glitches can occur during brownout, isolation noise, or floating inputs.
• Recommended rule: /RDY enters a safety state machine with a stability window, not a direct PWM gate.

Goal: Fault Coverage Must Be Provable

Review, acceptance, and production care about provability: faults must be injectable, observable, clearable, and recordable with a consistent definition of time and pass criteria.

Clear / Reset Methods (Define the Allowed Set)

• EN toggle: disable → clear latch → re-arm (preferred for controlled restart).
• RST pin: explicit reset/clear input when available; define what resets and what remains latched.
• Power cycle: strongest reset, slowest method; acceptable for production but not ideal for field recovery.
• Time-based retry: increases availability, but requires qualification windows to avoid restart storms.

Diagnostics Coverage: Convert SPOFs into Tests

Production Script: Inject → Observe → Clear → Qualify

• Inject UVLO-like: bias dip or equivalent stimulus; observe output safe and /RDY behavior.
• Inject SC/DESAT-like: controlled input stimulus; observe /FLT and local gate-off timing buckets.
• Inject OT-like: temperature stimulus or equivalent test mode; observe latch/clear policy.

Logging Contract (Minimum Fields)

Design Gate (Schematic/PCB Rules)

Bring-up Gate (Prove the Closure)

Production Gate (Minimal Coverage, Maximum Value)