
Medical PSU & Isolation for MOPP/MOOP and Leakage Control


Medical PSU & Isolation is about proving patient-safe power delivery: isolation targets (MOOP/MOPP), leakage current control, and deterministic safe-state behavior under faults. It turns those safety goals into measurable design inputs and a signable validation/production checklist that stays traceable from R&D to every shipped unit.

What “Medical PSU & Isolation” Must Guarantee

This page focuses on engineering guarantees for medical-grade power—not general power-supply theory. A medical PSU must keep safety boundaries predictable across normal operation, expected stress, and single-fault conditions, and it must provide evidence that the design remains compliant and manufacturable over time.

The practical output is a set of measurable targets, design inputs, and validation gates that translate safety intent into testable engineering artifacts.

Three core KPIs (acceptance-driven)
1) Isolation (target level + evidence)
  • Isolation objective mapped to protection type (MOOP/MOPP) and boundary location.
  • Dielectric withstand (hipot) + insulation resistance (IR) planned as repeatable tests.
  • Manufacturing reality captured: spacing control, insulation system, and drift/aging considerations.
2) Leakage (budget + measurement coverage)
  • Leakage current treated as a budgeted quantity, not an afterthought measurement.
  • Dominant common-mode coupling paths identified (Y-caps, parasitics, transformer capacitance, filtering).
  • Measurement plan includes relevant operating states (power source, load states, single-fault scenarios where applicable).
3) Fault-safe behavior (safe state + containment)
  • “Safe state” defined up front (what must shut down, what may remain on, what must discharge).
  • Fault energy containment: inrush/short events do not propagate or create unpredictable brownout states.
  • Evidence: fault injection tests + recorded outcomes (trip reason, state transition, recovery/lockout policy).
“Done” criteria (what to be able to prove)
  • Isolation boundary is drawn on the power tree and matches the applied-part risk boundary.
  • Test matrix exists for hipot/IR/leakage with defined conditions and pass/fail rules.
  • Leakage budget is allocated to known coupling elements; top contributors are measurable or bounded.
  • Safe-state transitions are defined for undervoltage/overcurrent/ground issues (as applicable) and verified by injection.
  • Production hooks exist: manufacturing tests are feasible and detect spacing/insulation regressions early.
Figure: System overview: medical PSU domains, isolation barrier, and leakage paths. Block diagram showing AC or battery input feeding an AC/DC and DC/DC power tree. A marked isolation barrier separates primary from isolated patient rails, with chassis/PE and common-mode leakage path arrows highlighted. Dashed arrows indicate common-mode leakage coupling paths (budget + verification required); the fault-safe expectation is a predictable safe state (define what shuts down and what discharges), contained fault energy (no runaway inrush, no stuck brownout), and evidence in the form of hipot/IR/leakage and fault-injection results.

Isolation Targets: MOOP vs MOPP and Applied-Part Thinking

MOOP and MOPP are best treated as engineering targets that describe who is being protected and how robust the isolation boundary must be. MOOP typically aligns with operator/equipment protection, while MOPP aligns with patient protection. The correct target comes from how the power domain relates to the applied part and any patient-accessible conductive paths.

The goal here is not to repeat standard text, but to translate protection intent into design inputs that can be reviewed, implemented, and tested consistently.

A practical way to set the isolation target (review-friendly)
  1. Draw the boundary: mark patient-side vs system-side vs chassis/PE on the power tree.
  2. Identify patient-accessible conductors: any conductive path that can touch the patient or form a patient loop elevates the target toward MOPP.
  3. Convert target to design inputs: insulation system type, spacing constraints, and the verification plan (hipot/IR/leakage).
Translate “MOOP/MOPP” into concrete design inputs
  • Insulation system: basic / supplementary / reinforced insulation selection that matches the protection target.
  • Spacing constraints: creepage and clearance become layout + transformer + assembly requirements (not just schematic notes).
  • Verification: dielectric withstand (hipot), insulation resistance (IR), and leakage measurements defined as a test set.
  • Production stability: design choices should be tolerant to manufacturing variation (spacing drift, contamination, material aging).

Note: final compliance targets and test conditions must be confirmed against the applicable IEC 60601-1 edition and device classification.

Figure: Mapping protection target to insulation system and verification tests. Three-column diagram: MOOP vs MOPP on the left, insulation system types (basic: single barrier element; supplementary: independent second layer; reinforced: equivalent to double protection, common for patient-side rails) in the middle, and concrete inputs plus tests (creepage/clearance, insulation system choice, hipot, IR, leakage across states, production stability against spacing, contamination, aging and drift) on the right. Use this mapping to keep requirements traceable: protection target → insulation system → measurable verification.

Power Tree & Domain Partitioning: Where to Isolate, Where to Bond

A medical power design becomes reviewable only after the power tree is split into electrical safety domains. The domain map defines where the isolation barrier sits, how chassis/PE is referenced, and which grounds must never “accidentally float.” Without this, leakage and safety behavior are dictated by parasitics rather than by design intent.

The objective is to make every cross-domain connection explicit: direct bond, capacitive coupling, or galvanic isolation.

Domain-based power tree (what each block is responsible for)
Primary (mains / HV side)
  • Energy source and dominant common-mode coupling origin (transformer parasitics, filters).
  • Must be separated by the isolation barrier from any patient-related conductive path.
Secondary (system-side)
  • Powers internal compute/control and enclosure-level functions; often has a defined relationship to chassis/PE.
  • Should not create hidden return paths into patient-side domains through cables, shields, or service fixtures.
Patient-side (isolated rails)
  • Rail(s) that can touch or reference the applied part; isolation target is typically driven by patient protection.
  • Patient GND must be clearly defined; any coupling to chassis/PE must be intentional and measurable.
I/O boundary (cross-domain “gates”)
  • Any cable, shield, service port, or module connector can create a return path and must be classified by domain.
  • Each crossing must be tagged as: direct bond, capacitive coupling, or galvanic isolation.
Bonding rules that prevent uncontrolled “floating” behavior
  • Isolation barrier is a safety boundary: treat any unintended conductive connection across it as a defect until proven safe.
  • Chassis/PE relationship must be explicit: if system GND references chassis/PE, define the connection policy (single-point vs distributed) and keep it reviewable.
  • Capacitive coupling is still a connection: Y-cap and parasitic capacitance create measurable leakage; document them as part of the domain map.
  • Floating is not “free”: an unreferenced domain lets parasitics set its common-mode potential, which makes leakage and measurement stability unpredictable.
  • Service fixtures and shields count: cable shields, scope grounds, and programming adapters can silently bypass domain intent—label them as I/O boundary paths.
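The bonding rules above are mechanical enough to be checked by a script during design review. The following is an added example (not code from the page or any project): a domain map is declared as a set of domains plus tagged crossings, and the review function returns a finding for every rule violation. The domain names, the crossing records, the finding codes and the barrier-side model are all constructed for illustration; the rules encode only what the section states (tag every crossing, never bridge the barrier with a direct bond, budget every capacitive coupling, never leave a domain unreferenced, and treat any patient-ground bond as needing explicit justification).

```python
"""Domain-map review: flag untagged or unsafe cross-domain connections.

Added example, not code from the page or any project. Domains, crossings and
finding codes are constructed; the rule set mirrors the bonding rules in the
section above.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CROSSING_TYPES = {"direct_bond", "capacitive", "galvanic_isolation"}


@dataclass(frozen=True)
class Domain:
    name: str
    barrier_side: str            # "primary" (mains/HV) or "secondary" (everything past the barrier,
                                 # including chassis and PE reference nodes)
    reference: Optional[str]     # declared reference policy, None if never decided
    patient: bool = False        # True for domains that can touch the applied part


@dataclass(frozen=True)
class Crossing:
    src: str
    dst: str
    kind: str                    # expected: one of CROSSING_TYPES
    via: str                     # the physical element: cap, strap, isolator, fixture...
    budgeted: bool = False       # True when the element is a line item in the leakage budget


def review_domain_map(domains: Dict[str, Domain],
                      crossings: List[Crossing]) -> List[Tuple[str, str]]:
    """Return (finding_code, detail) pairs; an empty list means the map passes review."""
    findings: List[Tuple[str, str]] = []
    for c in crossings:
        a, b = domains[c.src], domains[c.dst]
        if c.kind not in CROSSING_TYPES:
            findings.append(("UNTAGGED_CROSSING", c.via))   # every crossing must be classified
            continue
        if c.kind == "direct_bond" and a.barrier_side != b.barrier_side:
            findings.append(("BARRIER_BRIDGED", c.via))     # defect until proven safe
        if c.kind == "capacitive" and not c.budgeted:
            findings.append(("UNBUDGETED_COUPLING", c.via)) # capacitive coupling is still a connection
        if c.kind == "direct_bond" and (a.patient or b.patient):
            findings.append(("PATIENT_BOND_REVIEW", c.via)) # patient GND coupling must be intentional
    for d in domains.values():
        if d.reference is None:
            findings.append(("FLOATING_UNDEFINED", d.name)) # parasitics would set its potential
    return findings


# Constructed example map: one patient-side domain whose reference was never decided,
# one unbudgeted transformer parasitic, and two service fixtures that bypass domain intent.
DOMAINS = {d.name: d for d in (
    Domain("primary", "primary", "mains_neutral"),
    Domain("system", "secondary", "single_point_pe"),
    Domain("patient", "secondary", None, patient=True),
    Domain("chassis", "secondary", "pe"),
)}

CROSSINGS = [
    Crossing("primary", "chassis", "capacitive", "Y-cap CY1", budgeted=True),
    Crossing("primary", "system", "galvanic_isolation", "T1 main transformer"),
    Crossing("primary", "system", "capacitive", "T1 interwinding capacitance"),
    Crossing("system", "chassis", "direct_bond", "GND strap to chassis stud"),
    Crossing("system", "patient", "galvanic_isolation", "T2 isolated DC/DC + digital isolator"),
    Crossing("system", "patient", "?", "Scope ground lead used during bring-up (service fixture)"),
    Crossing("primary", "chassis", "direct_bond", "Programming adapter ground (service fixture)"),
    Crossing("patient", "chassis", "direct_bond", "Cable shield drain wire"),
]

if __name__ == "__main__":
    for code, detail in review_domain_map(DOMAINS, CROSSINGS):
        print(f"{code:22s} {detail}")
```

Running the script prints five findings for the constructed map; a clean map returns an empty list, which is the condition a design review gate can assert on.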
Figure: Power-domain partitioning with PE, chassis, system ground, and patient ground. Diagram partitioning the power tree into primary (HV), secondary (system rails), patient-side (isolated rails), and I/O boundary (cables, shields, service ports, fixtures) domains. Shows the isolation barrier, the reference nodes (PE, chassis, system GND, patient GND), and three connection types between grounds: direct bond, capacitive coupling, and galvanic isolation. Draw and label every crossing to prevent hidden return paths and unstable common-mode behavior.

Topology Selection Under Medical Constraints

In medical equipment, topology choice is a system trade across thermal headroom, standby behavior, domain count, and isolation implementation—not a single-number efficiency decision. A “perfectly efficient” topology is still the wrong answer if it makes isolation validation fragile, standby power uncontrolled, or mechanical integration impractical.

The selection process should start from inputs and constraints, then converge to a small set of proven architectures.

Selection criteria (write these down before comparing topologies)
  • Input type: AC mains vs DC input (battery/external adapter) and the required hold-up expectation.
  • Power range: thermal density and magnetics scale strongly with power; choose with enclosure constraints in mind.
  • Isolation domains: one isolated rail vs multiple isolated rails; patient-side rails are often isolated separately.
  • Standby target: low standby bias and predictable behavior at light/no load.
  • Noise sensitivity: control of ripple/common-mode behavior as it impacts leakage paths and measurement stability.
  • Mechanical reality: height, creepage/clearance keepouts, and service/production accessibility for tests.
Common medical power architectures (reviewable templates)
  • Template A (AC mains): AC/DC front end (PFC optional by power level) → intermediate bus → system rails + isolated patient rail(s).
  • Template B (DC input): DC in → protected bus → multi-rail DC/DC for system + isolated DC/DC for patient-side domains.
  • Template C (multi-domain modular): intermediate bus → distributed isolated DC/DC modules (useful when domain count grows).
Figure: Topology decision tree with typical medical power architectures. Decision tree based on input type (AC mains / DC input), power range (thermal density, magnetics), isolation domain count (one rail / multiple rails), and standby target (low bias, stable light load), converging on one of three architecture templates: Template A (AC mains → AC/DC → bus → isolated rails), Template B (DC in → protected bus → DC/DC), and Template C (bus → distributed isolated DC/DC modules). Keep templates simple and testable; domain count and standby target often drive the architecture more than peak efficiency.

Isolation Barrier Implementation: Transformer, Insulation System, Spacing

The isolation barrier must be treated as a physical insulation system, not a schematic symbol. A compliant design needs repeatable structure (winding separation, barriers, spacing) and repeatable evidence (hipot/IR tests that remain stable in production).

The goal is to prevent “paper compliance” where drawings pass review but manufacturing variation breaks margin.

Insulation system building blocks (what must be explicitly defined)
Transformer construction
  • Winding segregation: primary and secondary must have defined separation and keepout zones.
  • Barrier system: bobbin wall / insulation sheet / tape stack must be treated as a controlled layer set.
  • Pin-side spacing: creepage/clearance near pins and solder fillets often sets the real margin.
Shield layer (if used)
  • Shield placement changes parasitic capacitance and therefore common-mode coupling behavior.
  • Shield termination must be explicit (reference domain and discharge intent), otherwise coupling becomes unpredictable.
Potting / tape system (consistency drivers)
  • Tape overlap window and layer count must be defined, not left to operator habit.
  • Potting fill quality affects local field stress and long-term stability; voids create weak points.
  • Contamination control matters for creepage along surfaces; process cleanliness is part of the design.
“Paper compliance” vs production stability (what typically breaks margin)
  • Winding offset: small shifts can reduce separation and increase coupling; define allowed offset and controls.
  • Stack variation: tape thickness and overlap variation changes effective insulation distance.
  • Pin-side reality: solder height, flux residue, and nearby copper can reduce creepage distance.
  • Test access: if hipot/IR nodes are hard to fixture, production will drift toward weak testing.
Review checklist (barrier implementation)
  • Insulation system is documented as a stack (barrier + tape + potting + spacing keepouts).
  • Shield (if present) has a defined reference and is treated as a coupling contributor for leakage budgeting.
  • Creepage/clearance constraints exist in both transformer and PCB implementation drawings.
  • Hipot/IR tests are feasible as production tests (fixture access, stable contact, unambiguous pass/fail).
Figure: Isolation transformer cross-section: barrier, shield, and creepage path. Simplified transformer cross-section showing primary and secondary windings separated by an insulation barrier, optional shield layer, potting region, primary and secondary pins, and a dashed creepage path along the surface near the pins; tape overlap, winding offset, and potting fill are marked as the process variables. Control structure and process windows so hipot/IR and leakage behavior remain stable across production.

Leakage Current Engineering: Budgeting, Paths, and Measurement

Leakage current should be engineered as a budgeted system quantity. Measuring at the end is not enough, because the dominant contributors are often structural (Y-cap selection, transformer parasitics, shield coupling, filter capacitors, and mechanical parasitics).

A budget-first method prevents “trial-and-error” and keeps changes traceable to a contributor and a path.

Practical leakage budget allocation (contributors that must be bounded)
  • Y-cap (if used): intentional coupling element; treat as a first-class budget item.
  • Transformer parasitic capacitance: driven by winding geometry and barriers (ties directly to the isolation barrier implementation section above).
  • Shield capacitance: coupling to each side depends on placement and termination.
  • Input/output filter capacitors: can create unexpected return paths to chassis or patient reference.
  • “Other parasitics”: heatsinks, shields, cable assemblies, and fixtures; document the top suspects early.
Leakage paths (what must be drawn, not assumed)
  • Primary → chassis/PE: common-mode coupling via Y-cap/parasitics returns through chassis bonding.
  • Primary → patient reference: coupling into patient-side ground must remain bounded and measurable.
  • Chassis ↔ system ground: connection policy (direct / single-point / capacitive) changes the measured distribution.

This section intentionally avoids EMC “passing tactics” and focuses only on contributors, paths, and measurement coverage.

Measurement coverage (define a state set, not a single test point)
  • Supply state: AC mains vs DC input (when applicable).
  • Grounding state: PE present vs alternative reference conditions used in validation.
  • Load state: light-load vs typical load (switching behavior affects common-mode coupling).
  • Connection state: patient-side cables/accessories connected vs disconnected (return paths change).
  • Production repeatability: fixtures and procedures that yield consistent readings across units.
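The budget-first method above can be carried as a small calculation that is re-run whenever a contributor changes. The following is an added example (not code from the page or any project): each contributor is a lumped coupling capacitance to a named return node, its leakage is estimated as the line-frequency displacement current I = V_rms · 2πf · C, contributors are summed per return node for a given operating state, and each node is judged against its limit minus a reserve segment. All capacitance values, the operating states, and the per-node limits are constructed placeholders; the limits in particular are not values from IEC 60601-1 and must be replaced by the figures that apply to the device classification.

```python
"""Leakage budget: allocate, rank contributors, and check per operating state.

Added example, not code from the page or any project. Capacitances, states and
limits are constructed placeholders. Each contributor is modelled as a lumped
capacitance from a mains-potential node to its return node, and its leakage as
the displacement current I = V_rms * 2*pi*f * C, a first-order estimate that
ignores resistive and harmonic terms.
"""
import math
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

V_RMS = 230.0   # constructed supply condition
F_HZ = 50.0


@dataclass(frozen=True)
class Contributor:
    name: str
    c_farad: float
    return_node: str                        # "chassis_pe" or "patient_gnd"
    only_in: FrozenSet[str] = frozenset()   # empty = present in every operating state


def leakage_ua(c_farad: float, v_rms: float = V_RMS, f_hz: float = F_HZ) -> float:
    """Displacement current through a coupling capacitance, in microamps."""
    return v_rms * 2.0 * math.pi * f_hz * c_farad * 1e6


# Constructed contributor list for a Template-A style supply.
CONTRIBUTORS = [
    Contributor("Y-cap CY1, primary to chassis", 1.0e-9, "chassis_pe"),
    Contributor("EMI filter cap to chassis", 100e-12, "chassis_pe"),
    Contributor("T1 interwinding capacitance", 47e-12, "chassis_pe"),
    Contributor("T2 isolated DC/DC interwinding", 22e-12, "patient_gnd"),
    Contributor("T2 shield termination", 5e-12, "patient_gnd"),
    Contributor("Patient cable/accessory parasitic", 10e-12, "patient_gnd",
                frozenset({"patient_connected"})),
]

# Placeholder limits per return node (NOT standard values; take the real ones
# from the applicable IEC 60601-1 edition and classification).
LIMITS_UA = {"chassis_pe": 100.0, "patient_gnd": 10.0}


def allocate(contributors: List[Contributor], state: str,
             limits_ua: Dict[str, float], reserve_frac: float = 0.2) -> Dict[str, dict]:
    """Sum the contributors present in `state` per return node and judge each node
    against its limit minus a reserve that absorbs unit-to-unit variation."""
    report: Dict[str, dict] = {}
    for node, limit in limits_ua.items():
        rows = sorted(
            ((leakage_ua(c.c_farad), c.name) for c in contributors
             if c.return_node == node and (not c.only_in or state in c.only_in)),
            reverse=True)
        total = sum(i for i, _ in rows)
        allowed = limit * (1.0 - reserve_frac)
        report[node] = {
            "state": state,
            "total_ua": round(total, 3),
            "allowed_ua": allowed,
            "reserve_ua": limit - allowed,
            "ok": total <= allowed,
            "top_contributor": rows[0][1] if rows else None,   # the first thing to change
            "top_share": round(rows[0][0] / total, 3) if total else 0.0,
        }
    return report


if __name__ == "__main__":
    for state in ("standby", "patient_connected"):
        for node, r in allocate(CONTRIBUTORS, state, LIMITS_UA).items():
            print(f"{state:18s} {node:12s} {r['total_ua']:8.3f} uA of {r['allowed_ua']:.1f} allowed "
                  f"{'OK' if r['ok'] else 'OVER'}  top: {r['top_contributor']} ({r['top_share']:.0%})")
```

With the constructed values the chassis/PE node exceeds its placeholder budget and the report names the Y-cap as the dominant term, which is the point of budgeting first: the change that restores margin is identified by contributor and path rather than by re-measuring.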
Figure: Leakage current paths and budget allocation. Top: leakage path diagram from the primary (AC/DC switching, the coupling origin) through coupling elements (Y-cap, parasitic capacitance C_par, shield capacitance C_shield) to chassis/PE (return path) and patient GND (isolated reference); dashed arrows show common-mode leakage coupling, and every contributor must be budgeted and verified. Bottom: budget bar allocation across Y-cap, parasitic, filter, and other contributors with a margin segment. Allocate first, then measure across states; keep a margin segment to absorb unit-to-unit variation.

Protective Earth (PE), Chassis, and Ground Monitoring Strategies

Grounding strategy is a safety behavior decision: when PE is required versus when floating is allowed. “Floating” is not a free option; it must include a controlled discharge path, energy limiting, and monitoring so the chassis potential does not become parasitic-defined and unpredictable.

Practical decision cues (design inputs)
  • PE preferred/required: metal enclosure with multiple external interfaces, service accessories, or strong system-to-chassis coupling.
  • Floating possible (with controls): isolation system is robust and the design includes discharge, energy limiting, and monitoring.
  • Goal: make chassis behavior measurable and repeatable across units and operating states.
Make “monitoring” concrete: what to measure and what it detects
1) PE continuity monitoring
  • Detects PE wire open, loose contact, or high-contact resistance drift.
  • Implemented by controlled injection (DC/low-frequency) and measuring effective resistance/impedance.
2) Chassis ground-bond monitoring
  • Detects chassis-to-PE bonding degradation (oxidation, fastener loosening, mechanical stress).
  • Use a stable measurement window and trend logging to separate transient events from persistent drift.
3) Isolation monitoring (when applicable)
  • Detects insulation degradation trends that increase coupling to chassis/PE and destabilize common-mode behavior.
  • Thresholds should include hysteresis and debounce to avoid alarms caused by short switching-state transitions.
Threshold selection and false-alarm control (engineering rules)
  • Measure in stable windows: gate decisions after startup and after load transitions settle.
  • Use two-level decisions: Warning (log + notify) vs Trip (derate/shutdown) to avoid boundary chatter.
  • Debounce and hysteresis: require persistence for trips; treat short spikes as events to log.
  • Track trends: gradual resistance/impedance drift is more meaningful than isolated outliers.
  • Common false sources: switching mode changes, cable/accessory changes, service fixtures, and plug-in transients.
Action chain (make safety behavior explicit)
  • Warning: alarm + event log (timestamp, state snapshot, measured value, persistence time).
  • Derate: limit output power or disable non-essential rails to reduce energy in abnormal conditions.
  • Trip: shut down high-risk rails or block enable paths; require explicit recovery policy.
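The threshold and action-chain rules above can be stated as a small decision state machine and replayed against recorded measurements. The following is an added example (not code from the page or any project): a bond monitor that ignores samples taken outside a stable window, escalates OK → WARN → TRIP only when a reading persists past the debounce window, applies hysteresis before clearing a warning, logs short excursions as events without acting on them, latches a trip until an acknowledged service action, and reports a least-squares drift trend. The thresholds, the persistence window, and the sample stream are constructed; the resistance values stand in for whatever the injection/sense stage actually reports.

```python
"""PE/chassis bond monitor: stable-window gating, two-level thresholds,
hysteresis, persistence (debounce), latched trip, and trend tracking.

Added example, not code from the page or any project. Thresholds, timings and
the sample stream are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sample:
    t_ms: int
    r_mohm: float   # effective bond resistance reported by the sense stage
    stable: bool    # False during startup or right after a load/mode transition


class BondMonitor:
    """OK -> WARN -> TRIP escalation; TRIP is latched and needs explicit recovery."""

    def __init__(self, warn_mohm=150.0, trip_mohm=300.0, hyst_mohm=30.0,
                 persist_ms=500, trend_window=32):
        self.warn, self.trip, self.hyst = warn_mohm, trip_mohm, hyst_mohm
        self.persist_ms, self.trend_window = persist_ms, trend_window
        self.state = "OK"
        self.events: List[dict] = []
        self._over_since: Optional[int] = None
        self._history: List[Sample] = []

    def _log(self, kind: str, s: Sample, persisted_ms: int) -> None:
        self.events.append({"event": kind, "t_ms": s.t_ms, "r_mohm": s.r_mohm,
                            "state_before": self.state, "persisted_ms": persisted_ms})

    def update(self, s: Sample) -> str:
        if not s.stable:                       # never decide inside a settling window
            self._over_since = None
            return self.state
        self._history = (self._history + [s])[-self.trend_window:]
        if self.state == "TRIP":
            return self.state                  # latched
        level, threshold = ("WARN", self.warn) if self.state == "OK" else ("TRIP", self.trip)
        if s.r_mohm > threshold:
            if self._over_since is None:
                self._over_since = s.t_ms      # start the persistence window
            elif s.t_ms - self._over_since >= self.persist_ms:
                self._log(level, s, s.t_ms - self._over_since)   # persisted: act
                self.state = level
                self._over_since = None
        else:
            if self._over_since is not None:   # short excursion: log it, take no action
                self._log("SPIKE", s, s.t_ms - self._over_since)
                self._over_since = None
            if self.state == "WARN" and s.r_mohm < self.warn - self.hyst:
                self._log("CLEAR", s, 0)       # hysteresis prevents boundary chatter
                self.state = "OK"
        return self.state

    def trend_mohm_per_s(self) -> float:
        """Least-squares slope over recent stable samples: gradual drift indicator."""
        n = len(self._history)
        if n < 2:
            return 0.0
        ts = [h.t_ms / 1000.0 for h in self._history]
        rs = [h.r_mohm for h in self._history]
        mt, mr = sum(ts) / n, sum(rs) / n
        var = sum((t - mt) ** 2 for t in ts)
        return sum((t - mt) * (r - mr) for t, r in zip(ts, rs)) / var if var else 0.0

    def clear_trip(self, service_ack: bool) -> bool:
        """Explicit recovery policy: only an acknowledged service action unlatches."""
        if self.state == "TRIP" and service_ack:
            self.state, self._over_since = "OK", None
            return True
        return False


# Constructed sample stream: settling noise, one spike, slow drift into WARN, then a hard fault.
SAMPLES = ([Sample(t, 400.0, False) for t in (0, 200, 400)]
           + [Sample(1000, 100.0, True), Sample(1100, 200.0, True), Sample(1200, 100.0, True)]
           + [Sample(t, 170.0, True) for t in range(1300, 2000, 100)]
           + [Sample(t, 350.0, True) for t in range(2000, 2600, 100)]
           + [Sample(2600, 100.0, True)])


def run(samples=SAMPLES) -> BondMonitor:
    m = BondMonitor()
    for s in samples:
        m.update(s)
    return m


if __name__ == "__main__":
    m = run()
    for e in m.events:
        print(e)
    print("final state:", m.state, "trend mohm/s: %.1f" % m.trend_mohm_per_s())
```

The startup readings of 400 mΩ are discarded because they are flagged unstable, the single 200 mΩ reading is logged as a spike, the 170 mΩ plateau becomes a warning only after it has persisted 500 ms, and the 350 mΩ readings trip and latch even though the last sample returns to 100 mΩ.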
Figure: PE, chassis, and ground monitoring chain with actions. Block diagram showing the reference nodes (PE, chassis, system GND, patient GND), three monitoring modules (PE continuity, chassis bond, isolation monitor, each with inject → sense → decide stages and hysteresis + debounce), and outputs to alarm, event log, derate, and trip/interlock (disable enable paths). Engineer thresholds with stable windows, hysteresis, and persistence so alarms reflect real degradation, not transients.

Inrush, Hot-Swap, and eFuse: Safe Startup and Fault Containment

Medical systems often fail “quietly” at startup: a capacitor bank charges too fast, the bus droops, monitors reset, alarms trigger incorrectly, or a hot-plug event creates a destructive transient. Inrush control and fault containment must keep the system stable while ensuring abnormal energy is cut off quickly.

  • Large capacitive loads: predictable charge profile is required to protect upstream rails.
  • Hot-plug bounce: repeated connect/disconnect can heat switches and cause spark transients.
  • Short/reverse: fast turn-off reduces delivered energy to the fault.
eFuse / hot-swap engineering modes (pick based on safety behavior)
  • Inrush limiting: control dv/dt so the charge current stays within a known envelope.
  • Current limit style: constant-limit vs foldback changes heat and recovery behavior.
  • SOA awareness: linear-region stress during precharge must remain inside the switch thermal envelope.
  • Fast fault cut-off: short/reverse events should minimize energy delivered to the load and wiring.
  • Recovery policy: auto-retry for transient faults vs latched-off for safety-first containment.
Auto-retry vs latched-off (fault containment behavior)
  • Auto-retry: useful for temporary overloads, but must limit retry count and include cooldown windows.
  • Latched-off: preferred when the fault is ambiguous or safety-critical; recovery requires explicit conditions.
  • Logging: record fault reason, peak current, trip time, retry count, and rail voltage at trip.
Validation checklist (what to prove with waveforms)
  • Inrush current is limited and repeatable across units and temperatures.
  • Bus droop stays within the system’s stability window during charging.
  • Fault cut-off is fast and does not “ring” into repeated resets or false alarms.
  • Retry/latched policy matches the required safe state and does not overheat the switch path.
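The engineering modes, the auto-retry vs latched-off policy, and the log fields above combine into one controller behaviour that can be exercised against a recorded waveform. The following is an added example (not code from the page or any eFuse vendor): a state-machine model with Idle, Inrush limit, Normal, Retry wait and Latched states, immediate cut-off on short circuit, persistence-gated overcurrent, a precharge timeout standing in for the SOA window, a bounded retry count with cooldown, and a fault record carrying reason, peak current, trip time, retry count and rail voltage at trip. The thresholds, timings and sample waveform are constructed.

```python
"""eFuse / hot-swap controller model: inrush limit, fault detection, and an
explicit auto-retry vs latched-off recovery policy with a fault log.

Added example, not code from the page or any eFuse vendor. Thresholds, timing
and the sample waveform are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FaultRecord:
    reason: str        # "OC", "SC", "UV", "OT", "PRECHARGE_TIMEOUT"
    t_trip_ms: int
    i_peak_a: float
    v_rail_v: float    # rail voltage at trip
    retry_count: int   # retries already consumed before this trip
    action: str        # "RETRY" or "LATCH"


class EfuseController:
    LATCH_REASONS = {"SC", "OT", "PRECHARGE_TIMEOUT"}   # ambiguous or safety-critical: never auto-retry

    def __init__(self, i_clamp_a=2.0, i_oc_a=2.5, i_sc_a=6.0, t_oc_ms=200,
                 t_inrush_max_ms=500, v_pg_v=11.4, v_uv_v=9.0, t_ot_c=110.0,
                 max_retries=2, cooldown_ms=1000):
        self.i_clamp, self.i_oc, self.i_sc, self.t_oc = i_clamp_a, i_oc_a, i_sc_a, t_oc_ms
        self.t_inrush_max, self.v_pg, self.v_uv, self.t_ot = t_inrush_max_ms, v_pg_v, v_uv_v, t_ot_c
        self.max_retries, self.cooldown = max_retries, cooldown_ms
        self.state, self.retries = "IDLE", 0
        self.log: List[FaultRecord] = []
        self._oc_since: Optional[int] = None
        self._inrush_since = 0
        self._retry_at = 0
        self._i_peak = 0.0

    def enable(self, t_ms: int) -> str:
        if self.state == "IDLE":
            self._start(t_ms)
        return self.state

    def _start(self, t_ms: int) -> None:
        self.state = "INRUSH_LIMIT"            # dv/dt-controlled precharge at the current clamp
        self._inrush_since, self._oc_since, self._i_peak = t_ms, None, 0.0

    def step(self, t_ms: int, i_a: float, v_out_v: float, temp_c: float = 25.0) -> str:
        """Feed one sample of switch current, output voltage and switch temperature."""
        if self.state in ("IDLE", "LATCHED"):
            return self.state
        if self.state == "RETRY_WAIT":
            if t_ms >= self._retry_at:         # cooldown elapsed: re-run the precharge
                self._start(t_ms)
            return self.state
        self._i_peak = max(self._i_peak, i_a)
        reason = self._detect(t_ms, i_a, v_out_v, temp_c)
        if reason:
            self._trip(reason, t_ms, v_out_v)
        elif self.state == "INRUSH_LIMIT" and v_out_v >= self.v_pg and i_a <= self.i_clamp:
            self.state = "NORMAL"              # precharge complete, clamp released
        return self.state

    def _detect(self, t_ms, i_a, v_out_v, temp_c) -> Optional[str]:
        if i_a > self.i_sc:
            return "SC"                        # hard short: cut off immediately
        if temp_c > self.t_ot:
            return "OT"
        if self.state == "INRUSH_LIMIT":
            # SOA guard: linear-region precharge may not exceed its thermal window
            return "PRECHARGE_TIMEOUT" if t_ms - self._inrush_since > self.t_inrush_max else None
        if v_out_v < self.v_uv:
            return "UV"
        if i_a > self.i_oc:                    # overcurrent must persist before it counts
            if self._oc_since is None:
                self._oc_since = t_ms
            elif t_ms - self._oc_since >= self.t_oc:
                return "OC"
        else:
            self._oc_since = None
        return None

    def _trip(self, reason: str, t_ms: int, v_out_v: float) -> None:
        latch = reason in self.LATCH_REASONS or self.retries >= self.max_retries
        self.log.append(FaultRecord(reason, t_ms, round(self._i_peak, 3), v_out_v,
                                    self.retries, "LATCH" if latch else "RETRY"))
        if latch:
            self.state = "LATCHED"
        else:
            self.retries += 1
            self._retry_at = t_ms + self.cooldown
            self.state = "RETRY_WAIT"

    def clear_latch(self, service_ack: bool) -> bool:
        """Explicit recovery: a latched fault needs an acknowledged service action."""
        if self.state == "LATCHED" and service_ack:
            self.state, self.retries = "IDLE", 0
            return True
        return False


# Constructed waveform (t_ms, i_a, v_out_v): normal start, a sustained overload that is
# retried after the cooldown, then a hard short that latches the controller off.
WAVEFORM = [(10, 2.0, 3.0), (50, 1.0, 12.0), (100, 1.0, 12.0),
            (200, 3.0, 12.0), (300, 3.0, 12.0), (400, 3.0, 12.0),
            (1000, 0.0, 0.0), (1400, 0.0, 0.0), (1420, 2.0, 4.0),
            (1450, 1.0, 12.0), (1500, 8.0, 2.0)]


def run(waveform=WAVEFORM) -> EfuseController:
    c = EfuseController()
    c.enable(0)
    for t, i, v in waveform:
        c.step(t, i, v)
    return c


if __name__ == "__main__":
    c = run()
    for rec in c.log:
        print(rec)
    print("final state:", c.state)
```

The fault log produced by the constructed waveform holds exactly the fields the section asks for, and the second record shows the retry count consumed before the short, which is what makes a root cause uniquely identifiable from the log afterwards.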
Figure: Hot-swap/eFuse state machine and waveform windows. Left: state machine from Idle to Inrush limit, Normal, Fault (OC / SC / UV / OT), and Retry or Latch-off, with the recovery policy deciding the branch. Right: Vout and Iinrush waveforms highlighting the inrush ramp, the ILIM clamp, the fault drop, and the cut-off window. The combined view links decisions (state machine) to observable proof (waveform windows) for release validation.

Power-Good (PG), Sequencing, Reset, and Safe-State Control

Multi-rail medical power systems fail most often in the gaps between rails: PG asserts too early, sequencing drifts with load and temperature, or a brownout leaves MCU/FPGA logic partially alive and unpredictable. A robust design treats PG + sequencing + reset as a single behavior system that guarantees a clean start, a controlled brownout response, and a predictable shutdown to safe state.

Common “half-alive” causes
  • PG is based on voltage only (no stability time), so reset releases during soft-start ripple or transient dips.
  • Rail dependency is implicit, so one domain back-powers another through I/O or protection structures.
  • Brownout detection is slow or ungated, so logic toggles in and out of reset and corrupts state.
Sequencing design “three-piece kit”
1) Rail dependency graph (the system truth)
  • Group rails by domains: primary, system, logic, patient-side, and any high-energy control domain.
  • Explicitly mark “must be up before” and “must be down before” relationships.
  • Flag back-power risks: interfaces that can source current when one rail is off.
2) Time budget (tPOR, tSEQ, margins)
  • tPOR: power-on reset window from “power applied” until all required rails are stable.
  • tSEQ: per-rail enable → soft-start → stable-time → PG delay → next-rail enable.
  • Margins: include load, temperature, and unit variation; avoid tuning for a single golden unit.
  • Brownout budget: detection + decision + shutdown action must fit inside the energy hold-up window.
3) Reset strategy (detect → hold → release)
  • Detect: select which rails participate in reset validity (logic + critical references).
  • Hold: assert reset through soft-start and transient dips; add debounce and minimum hold time.
  • Release: release only when dependencies are satisfied and PG includes stability time, not just threshold.
Safe state is a priority table (not a sentence)

Define which rails must drop first, which rails must remain briefly to complete controlled shutdown, and how discharge behavior stays predictable. Tie the safe-state table to brownout detection so the same logic path handles “power removed” and “power unstable.”

  • Must shut first: rails that can drive high energy, uncontrolled outputs, or uncertain I/O states.
  • Must hold briefly: controller/supervisor rail that performs logging, interlock actions, and discharge commands.
  • Exit conditions: residual voltage reached, timers satisfied, and “no re-enable” conditions clearly defined.
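The three-piece kit and the safe-state priority table above can be expressed as data plus a few generic algorithms. The following is an added example (not code from the page or any sequencer vendor): rails are declared with their "must be up before" dependencies, a per-rail tSEQ, and a shutdown priority; the enable order is a topological sort, the shutdown order is the priority-grouped reverse, tPOR is the longest dependency path (assuming independent rails start in parallel), back-power risks are interfaces whose source rail is up while the sink rail is still down and that declare no protection, and PG asserts only after the rail has stayed above threshold for a stability time. The rail names, times, and interface list are constructed.

```python
"""Sequencing kit: rail dependency graph, enable/shutdown order, tPOR budget,
back-power risk flags, and a PG that includes stability time.

Added example, not code from the page or any sequencer vendor. Rails, times and
interfaces are constructed; the algorithms are generic.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rail:
    name: str
    domain: str
    after: Tuple[str, ...] = ()     # "must be up before" dependencies
    t_seq_ms: int = 0               # enable -> soft-start -> stable-time -> PG delay
    shutdown: str = "normal"        # "first" (high energy / uncertain I/O), "normal", "hold" (supervisor)


RAILS = {r.name: r for r in (
    Rail("V_SYS", "system", (), 40, "normal"),
    Rail("V_LOGIC", "logic", ("V_SYS",), 20, "hold"),        # supervisor rail: logs, interlocks, discharge
    Rail("V_AUX", "system", ("V_LOGIC",), 10, "normal"),
    Rail("V_PATIENT", "patient", ("V_LOGIC",), 30, "first"), # patient-side rail drops first
)}


def enable_order(rails: Dict[str, Rail]) -> List[str]:
    """Kahn's algorithm; raises on a cycle (an unsatisfiable dependency graph)."""
    pending = {n: set(r.after) for n, r in rails.items()}
    order: List[str] = []
    while pending:
        ready = sorted(n for n, deps in pending.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(pending)}")
        for n in ready:
            order.append(n)
            del pending[n]
        for deps in pending.values():
            deps.difference_update(ready)
    return order


def has_cycle(rails: Dict[str, Rail]) -> bool:
    try:
        enable_order(rails)
        return False
    except ValueError:
        return True


def shutdown_order(rails: Dict[str, Rail]) -> List[str]:
    """Safe-state priority table: 'first' rails drop first, 'hold' rails last,
    otherwise the reverse of the enable order."""
    rank = {"first": 0, "normal": 1, "hold": 2}
    rev = enable_order(rails)[::-1]
    return sorted(rev, key=lambda n: (rank[rails[n].shutdown], rev.index(n)))


def t_por_ms(rails: Dict[str, Rail]) -> int:
    """Longest dependency path: time until every rail is stable, assuming rails
    whose dependencies are met start in parallel."""
    done: Dict[str, int] = {}
    for n in enable_order(rails):
        done[n] = max((done[d] for d in rails[n].after), default=0) + rails[n].t_seq_ms
    return max(done.values())


def back_power_risks(rails: Dict[str, Rail],
                     links: List[Tuple[str, str, str, bool]]) -> List[str]:
    """links: (source_rail, sink_rail, interface, protected). Flag interfaces whose
    source rail is up while the sink rail is down and that declare no isolator,
    clamp or bus-hold protection."""
    pos = {n: i for i, n in enumerate(enable_order(rails))}
    return [iface for src, dst, iface, protected in links
            if pos[src] < pos[dst] and not protected]


class PowerGood:
    """PG = above threshold continuously for t_stable_ms, not merely above threshold."""

    def __init__(self, v_thresh: float, t_stable_ms: int):
        self.v_thresh, self.t_stable = v_thresh, t_stable_ms
        self._ok_since: Optional[int] = None
        self.pg = False

    def update(self, t_ms: int, v: float) -> bool:
        if v >= self.v_thresh:
            if self._ok_since is None:
                self._ok_since = t_ms
            self.pg = (t_ms - self._ok_since) >= self.t_stable
        else:
            self._ok_since, self.pg = None, False   # any dip restarts the stability timer
        return self.pg


def reset_may_release(pg: Dict[str, bool], required: Tuple[str, ...]) -> bool:
    """Release reset only when every rail that participates in reset validity has PG."""
    return all(pg.get(r, False) for r in required)


# Constructed interface list: (source rail, sink rail, interface, protected)
LINKS = [("V_LOGIC", "V_PATIENT", "SPI to patient-side MCU", True),   # via digital isolator
         ("V_SYS", "V_AUX", "Status LEDs driven from V_SYS", False),   # can back-feed V_AUX
         ("V_AUX", "V_LOGIC", "Fan tach input", False)]                # sink is up first: no risk

if __name__ == "__main__":
    print("enable:", enable_order(RAILS), " shutdown:", shutdown_order(RAILS))
    print("tPOR ms:", t_por_ms(RAILS), " back-power risks:", back_power_risks(RAILS, LINKS))
```

The brownout budget check follows directly: detection, decision, and the shutdown sequence walked in `shutdown_order` must complete inside the hold-up window, and `t_por_ms` is the figure to compare against the supervisor's power-on reset timer so reset does not release before the last required rail is stable.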
Figure: Multi-rail sequencing timeline with PG and reset, including brownout and discharge window. Timing diagram showing four rail waveforms (Vsys, Vlogic, Vpatient, Vaux), the PG and RESET signals, the stable threshold, and marked windows tPOR, tSEQ, the brownout region, and the discharge time. Treat PG as “stable-and-valid,” gate reset release, and make brownout drive the same safe-state sequence every time.

Discharge, Interlocks, and Fault-Energy Control

Safety does not end at power-off. High-energy nodes can retain dangerous voltage after shutdown, and repeated faults can accumulate heat even when the system appears “off.” Discharge and interlocks must form a closed loop: detect an unsafe condition, force shutdown, trigger discharge, and verify that residual voltage reaches the target within a defined time.

  • Control objects: HV node, bus, capacitor bank (any node that stores significant energy).
  • Core proof: residual voltage target + discharge time + event logging for exceptions.
Discharge methods (predictable behavior first)
Bleeder (passive)
  • Always available; simple and predictable.
  • Trade-off: continuous dissipation and thermal considerations at normal operation.
Active discharge (triggered)
  • Low standby loss; fast discharge on command.
  • Requires control logic, timeout behavior, and a fallback path if the active element fails.
Interlocks must drive a verified discharge loop
  • Inputs: door/cover switch, service mode, connector detect, and critical “HV ready” states.
  • Decision: debounce + priority; define when an interlock causes immediate trip vs controlled shutdown.
  • Actions: force shutdown, trigger discharge, alarm, log, and optional lockout policy.
  • Verification: measure high-energy node voltage until residual target is reached or timeout escalates behavior.
Fault-energy control metrics (what to prove)
  • Residual voltage target: define the “safe to touch/service” endpoint.
  • Discharge time: time-to-target across temperature, tolerance, and aging.
  • Fault energy limitation: reduce delivered energy by fast cutoff and controlled discharge action.
  • Repeated-fault thermal accumulation: limit retry cycles and log thermal conditions.
  • Event record: trigger source, start voltage, time-to-target, timeout flag, and recovery policy applied.
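The closed loop above (detect → force shutdown → trigger discharge → verify residual voltage within a timeout, with the event record the section lists) can be modelled end to end. The following is an added example (not code from the page or any project): the high-energy node is an ideal RC decay sampled every 10 ms, the controller discharges through the active path in parallel with the bleeder when the active element is healthy and through the bleeder alone when it is not, and the timeout branch escalates to a lockout policy instead of declaring the node safe. The capacitor bank, the two resistances, the residual target, and the timeout are constructed placeholders, and the model says nothing about the thermal stress on the discharge resistor.

```python
"""Closed-loop discharge verification: interlock -> force shutdown -> trigger
discharge -> sense residual voltage until target, or escalate on timeout.

Added example, not code from the page or any project. Node values, residual
target and timeout are constructed placeholders; the node is an ideal RC decay.
"""
import math
from typing import Dict


def energy_j(c_farad: float, v: float) -> float:
    return 0.5 * c_farad * v * v


def bleeder_standby_w(v_bus: float, r_bleeder: float) -> float:
    """Price of the passive path: continuous dissipation at normal operation."""
    return v_bus * v_bus / r_bleeder


def run_discharge(trigger: str, v_start: float, c_farad: float, r_bleeder: float,
                  r_active: float, active_ok: bool, v_target: float,
                  timeout_s: float, step_ms: int = 10) -> Dict[str, object]:
    """Safety-controller loop for one discharge event; returns the event record."""
    # 1) interlock -> force shutdown (modelled as: no more energy enters the node)
    # 2) trigger active discharge; a failed active element falls back to the bleeder alone
    r_eff = (r_bleeder * r_active) / (r_bleeder + r_active) if active_ok else r_bleeder
    tau = r_eff * c_farad
    record: Dict[str, object] = {
        "trigger": trigger,
        "v_start": v_start,
        "path": "active+bleeder" if active_ok else "bleeder_only",
        "v_target": v_target,
        "energy_start_j": round(energy_j(c_farad, v_start), 3),
        "time_to_target_s": None,
        "timeout": False,
        "recovery_policy": None,
    }
    # 3) verify: sample the node until the residual target is reached or the timeout escalates
    t_ms, v = 0, v_start
    while v > v_target:
        t_ms += step_ms
        v = v_start * math.exp(-(t_ms / 1000.0) / tau)
        if t_ms / 1000.0 >= timeout_s:
            record["timeout"] = True
            record["v_at_timeout"] = round(v, 1)
            record["recovery_policy"] = "LOCKOUT: keep interlock open, service required"
            return record
    record["time_to_target_s"] = t_ms / 1000.0
    record["energy_residual_j"] = round(energy_j(c_farad, v), 3)
    record["recovery_policy"] = "RELEASE_ALLOWED: interlock may re-arm after operator clears"
    return record


# Constructed node: 470 uF HV bank at 400 V, 220 kOhm bleeder, 2 kOhm active discharge path.
NODE = dict(v_start=400.0, c_farad=470e-6, r_bleeder=220e3, r_active=2e3)

if __name__ == "__main__":
    for ok in (True, False):
        rec = run_discharge("door_open", active_ok=ok, v_target=50.0, timeout_s=10.0, **NODE)
        print(rec)
    print("bleeder standby dissipation W:", round(bleeder_standby_w(400.0, 220e3), 3))
```

With the constructed values the healthy path reaches the 50 V target in about 1.94 s; the bleeder-only fallback cannot reach it inside the 10 s timeout, so the record carries the timeout flag and a lockout policy rather than a "safe" verdict. That is the escalation the section asks for: the interlock loop must prove the residual target, not assume it.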
Figure: Discharge and interlock control chain for high-energy nodes. Block diagram showing high-energy nodes (HV node, bus, capacitor bank, with voltage sense) feeding two discharge paths (bleeder, always available; active discharge via switch and resistor, triggered by the controller), with interlock inputs (door/cover, service mode, connector detect) driving a safety controller (decision + timer, residual voltage target, timeout) whose outputs force shutdown, trigger discharge, and alarm/log. Close the loop: the interlock triggers shutdown and discharge, then voltage sensing verifies the residual target within the timeout policy.

Validation & Production Checklist (What Proves It’s Done)

“Done” means more than passing one test once. The proof package should show that isolation, leakage behavior, safe-state transitions, and fault-energy control remain correct across operating modes, temperature, and aging—and that every shipped unit has a traceable end-of-line record. This section turns those goals into a signable checklist for R&D validation, production EOL, and field self-check.

Minimum mandatory coverage (must appear in records)
  • Hipot + Insulation Resistance (IR) + Leakage in multiple states (normal / single-fault / supply modes).
  • Fault injection: short / open / PE open (if PE exists) / brownout → safe state + recoverability policy.
  • Discharge & interlock: residual-voltage target reached within timeout and logged.
A) R&D validation checklist (EVT/DVT — worst-case proof)
Pre-conditions (avoid false failures)
  • ☐ Discharge step executed before Hipot/IR/Leakage (record discharge time and measured residual voltage).
  • ☐ Defined stabilization time after mode changes (AC/DC, enable/disable patient-side rails, standby/active).
  • ☐ Fixture self-check logged (open/short checks, cable capacitance sanity check, tester calibration ID).
Electrical safety tests (multi-condition)
  • ☐ Hipot: run under normal + single-fault conditions; include cold/hot corners and post-aging sample.
  • ☐ IR: run under the same matrix; verify repeatability (multiple runs) to detect moisture/fixture artifacts.
  • ☐ Leakage: measure in defined states (standby/active, patient-side enabled/disabled, AC vs DC supply mode where applicable).
Required record fields (no exceptions)
SN • HW_Rev • FW_Rev • TestScript_Ver • TesterID • FixtureID • Timestamp • Env(Temp) • Mode • Raw(V/I/t) • ResultCode • OperatorSign
Fault injection (prove safe-state + containment)
  • ☐ Output short: current limiting → shutdown → retry/latched policy as designed; log trip cause and timing.
  • ☐ Output open: no uncontrolled overshoot; PG/reset behavior remains deterministic; log rail validity status.
  • ☐ PE open (if PE exists): detect continuity/bond failure → alarm + safe-state action; log the detection path.
  • ☐ Brownout: detect → safe-state sequence → discharge; confirm “no half-alive” logic and consistent recovery policy.
Pass definition (engineering language)
PASS = safe state entered within budgeted time, discharge reaches residual target within timeout, system does not oscillate/reset-loop, and the root cause is uniquely identifiable from logs.
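The PASS definition above can be checked mechanically from the fault-injection log. This is an added example (not the page's or any vendor's code): event names, budget values and the sample log are constructed.

```python
# Added example, not from the page: score one fault-injection run against the PASS
# definition above. Event names, budgets and the sample log are constructed.
from dataclasses import dataclass

@dataclass
class Budgets:
    safe_state_ms: float  # fault injection -> safe state
    discharge_ms: float   # safe state -> residual target reached
    v_res_target: float   # residual-voltage target (V)
    max_resets: int       # more resets than this counts as a reset loop

def evaluate_fault_test(events, b):
    """events: (t_ms, name, data) tuples in time order. Returns (passed, reasons)."""
    by = {}
    for t, name, data in events:
        by.setdefault(name, []).append((t, data))
    if "FAULT_INJECTED" not in by:
        return False, ["no FAULT_INJECTED event"]
    t_fault = by["FAULT_INJECTED"][0][0]
    reasons = []
    if not any(d.get("cause") for _, d in by.get("TRIP", [])):
        reasons.append("trip cause not logged")   # root cause must be identifiable
    if "SAFE_STATE" not in by:
        reasons.append("safe state never entered")
    else:
        t_safe = by["SAFE_STATE"][0][0]
        if t_safe - t_fault > b.safe_state_ms:
            reasons.append(f"safe state late: {t_safe - t_fault:.1f} ms")
        if "DISCHARGE_DONE" not in by:
            reasons.append("discharge never verified")
        else:
            t_dis, d = by["DISCHARGE_DONE"][0]
            if t_dis - t_safe > b.discharge_ms:
                reasons.append("discharge timeout")
            if d.get("v_res", float("inf")) > b.v_res_target:
                reasons.append(f"residual {d.get('v_res')} V above target")
    n_reset = len(by.get("RESET", []))
    if n_reset > b.max_resets:
        reasons.append(f"reset loop: {n_reset} resets")
    return not reasons, reasons
# Constructed log of an output-short injection (times in ms after injection)
SAMPLE_LOG = [
    (0.0, "FAULT_INJECTED", {"type": "OUTPUT_SHORT"}),
    (0.4, "TRIP", {"cause": "OCP", "i_peak_a": 12.5}),
    (1.2, "RESET", {}),
    (2.0, "SAFE_STATE", {"rails_off": ["VBUS", "VPAT"]}),
    (180.0, "DISCHARGE_DONE", {"v_start": 48.0, "v_res": 4.2}),
]
BUDGETS = Budgets(safe_state_ms=5.0, discharge_ms=500.0, v_res_target=5.0, max_resets=1)
```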
B) Production EOL checklist (PVT/EOL — consistency + traceability)
  • ☐ One-button recipe executes Hipot + IR + Leakage + (GB/PE continuity if applicable) and stores full records.
  • ☐ Quick sequencing sanity: PG asserts only after stable-time; reset release follows dependency rules.
  • ☐ Minimal fault screen (fast, high-value): output short trip behavior OR PE continuity failure detection (choose one or both by takt time).
  • ☐ Traceability: tester calibration ID + fixture revision + script version are embedded into the result file.
Sign-off block (example)
  • Operator
  • QA / Supervisor
  • Date / Shift
C) Field self-check & logs (serviceability + trend detection)
  • ☐ Boot self-check: rails valid, PG/reset sequence matches policy, no “boot with missing rail” path.
  • ☐ Event counters: brownout count, eFuse/hot-swap trips, discharge timeouts, interlock triggers (with timestamps).
  • ☐ Safe-state verification record: last residual-voltage check result and the applied recovery policy.
  • ☐ Service report export: includes LogHash/LogID to prevent silent record loss.
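The mandatory record fields (section A) and the LogHash/LogID in the service export can be enforced in the result writer itself. This is an added example, not the page's or any tester vendor's code: the field names follow the list above, while the hash-chain scheme (PrevHash linking each record to the one before it) and all sample values are assumptions.

```python
# Added example, not from the page: write a test record with the page's mandatory
# fields and seal it with a LogHash chained to the previous record, so a lost,
# reordered or edited record is detectable. Values and the chain scheme are constructed.
import hashlib, json
REQUIRED_FIELDS = ("SN", "HW_Rev", "FW_Rev", "TestScript_Ver", "TesterID", "FixtureID",
                   "Timestamp", "Env", "Mode", "Raw", "ResultCode", "OperatorSign")
def canonical(record):
    # Deterministic serialisation: same content -> same bytes -> same hash
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal_record(record, prev_hash):
    """Return a sealed copy (PrevHash + LogHash); reject incomplete records."""
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in ("", None)]
    if missing:
        raise ValueError(f"record incomplete, missing: {missing}")
    sealed = dict(record, PrevHash=prev_hash)
    sealed["LogHash"] = hashlib.sha256(canonical(sealed)).hexdigest()
    return sealed

def seal_all(records, genesis="0" * 64):
    out, prev = [], genesis
    for r in records:
        out.append(seal_record(r, prev))
        prev = out[-1]["LogHash"]
    return out

def verify_chain(records, genesis="0" * 64):
    """Recompute each LogHash and check PrevHash links to the record before it."""
    prev = genesis
    for i, r in enumerate(records):
        body = {k: v for k, v in r.items() if k != "LogHash"}
        if r.get("PrevHash") != prev:
            return False, f"record {i}: chain broken (record lost or reordered)"
        if hashlib.sha256(canonical(body)).hexdigest() != r.get("LogHash"):
            return False, f"record {i}: content changed after sealing"
        prev = r["LogHash"]
    return True, "chain intact"

# Constructed EOL records for one unit (illustrative values)
RAW_RECORDS = [
    {"SN": "PSU-000123", "HW_Rev": "B2", "FW_Rev": "1.4.0", "TestScript_Ver": "EOL-3.1",
     "TesterID": "T-07", "FixtureID": "FX-12r3", "Timestamp": "2024-05-02T08:15:00Z",
     "Env": {"Temp_C": 23.5}, "Mode": "HIPOT_NORMAL",
     "Raw": {"V": 1500, "I_uA": 120, "t_s": 60}, "ResultCode": "PASS", "OperatorSign": "op42"},
    {"SN": "PSU-000123", "HW_Rev": "B2", "FW_Rev": "1.4.0", "TestScript_Ver": "EOL-3.1",
     "TesterID": "T-07", "FixtureID": "FX-12r3", "Timestamp": "2024-05-02T08:16:30Z",
     "Env": {"Temp_C": 23.5}, "Mode": "LEAKAGE_ACTIVE",
     "Raw": {"V": 230, "I_uA": 48, "t_s": 5}, "ResultCode": "PASS", "OperatorSign": "op42"},
]
```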
Example material numbers (test equipment + “design hooks”)
Safety-test equipment commonly used for Hipot/IR/Leakage (examples)
  • Chroma 19032 / 19032-P electrical safety analyzer (Hipot / IR / Leakage / Ground Bond).
  • Associated Research HypotULTRA 7800 (AC/DC Hipot + IR; production-oriented tester family).
On-board hooks that make validation traceable (examples)
  • Sequencing/rail supervision: ADI ADM1266, ADI LTC2937 (fault logging and deterministic sequencing).
  • eFuse / hot-swap containment: TI TPS25947 (eFuse family example for programmable protection).
  • Isolation signal hooks (monitoring/telemetry): TI ISO7741 (digital isolator), TI AMC1311 (isolated amplifier).
  • Insulation monitoring module (system-level example): Bender iso165C (IMD category example for unearthed systems).

Note: the part numbers above are examples to illustrate “design hooks” that enable measurable evidence and root-cause logging; selection depends on voltage domain, isolation class, interfaces, and system architecture.

Validation matrix: tests vs conditions with pass/fail criteria and required record fields
F11 · Validation Matrix (Signable Evidence). Rows: safety and robustness tests; columns: conditions (Normal, Single-fault, Cold, Hot, Aging, Supply mode); right column: PASS definition + mandatory record fields. Legend: ● Required, ◐ Sample, ○ N/A.
  • Hipot (dielectric withstand): PASS = script PASS; no trips. Log: SN, TesterID, V/I/t, Code.
  • Insulation Resistance (IR): PASS = repeatable IR trend. Log: Mode, Env, Raw, Code.
  • Leakage (multi-state): PASS = within target in all states. Log: State, uA, Env, Code.
  • Inrush / hot-plug behavior: PASS = controlled ramp; no latch-up. Log: Ilimit, t, trip flags.
  • Fault injection (short/open/PE/brownout): PASS = enters safe state deterministically. Log: FaultType, action, time.
  • Sequencing / PG / RESET: PASS = no reset-loop; no boot-missing-rail. Log: rails-valid bitmap, code.
  • Discharge to residual target: PASS = Vres reached within timeout. Log: Vstart, Vres, t_dis, code.
  • Interlock (door/service/cover): PASS = forces shutdown + logs action. Log: interlock code, timestamp.
Use the same matrix for: R&D (full) → Production EOL (reduced, traceable) → Field (self-check + event logs).

FAQs (Medical PSU & Isolation)

These FAQs focus on isolation safety, leakage engineering, safe startup/shutdown, and signable proof (R&D → production → field). Answers are written to be testable and traceable.

1) When should a rail be designed as MOPP vs MOOP in a mixed-domain system?
Use MOPP for any domain that can be patient-accessible through applied parts or patient-referenced sensors, even indirectly via connectors or shields. Use MOOP for operator/equipment-only domains. Convert the decision into a rail map: patient-side rails, system rails, chassis/PE, and the barrier between them. Prove the mapping by documenting “touchable points” and the safe-state behavior when the barrier is compromised.
2) What is the quickest way to turn isolation targets into concrete design inputs (spacing, tests, construction)?
Start with a one-page “isolation input sheet”: barrier location, insulation system concept (transformer, opto/isolator, feedback path), and the required test set (Hipot, IR, leakage by state). Then freeze manufacturable controls: creepage/clearance keep-outs, transformer construction notes, and inspection points. Close the loop by linking each input to a checklist row and required record fields (SN, script version, raw results, pass code).
3) How should leakage be budgeted before any lab measurement is taken?
Build a leakage budget as a design artifact, not a test afterthought. Allocate the total allowed leakage to known contributors: Y-capacitors, transformer interwinding capacitance, EMI filter parasitics, and any shield-to-chassis coupling. Tie each contributor to a schematic reference and “state enable” (standby vs active, patient rails on/off). The budget becomes the test plan: measure each state and compare to allocated segments.
4) Why can leakage pass in standby but fail in active mode, and how should multi-state leakage tests be structured?
Active mode can change common-mode voltage swings, switch-node dv/dt, and which capacitive paths are “energized,” so leakage is often state-dependent. Structure testing as a state machine: (1) standby, (2) active low load, (3) active nominal load, (4) patient-side enabled/disabled (if applicable), (5) supply mode variants (AC vs DC). Record state ID, stabilization time, raw leakage value, and result code for each step.
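A leakage budget allocated per contributor and "state enable" (question 3), evaluated over the multi-state sequence just described (question 4), as an added example that is not the page's code. Contributor references, allocations, the 100 µA ceiling, the dwell-time pre-condition and the readings are all constructed; differencing consecutive states is the page's "compare to allocated segments" step carried out on the readings.

```python
# Added example, not from the page: a leakage budget allocated per contributor and
# "state enable", evaluated against the multi-state test sequence described above.
# Contributor names, allocations, the ceiling, dwell time and readings are constructed.
CEILING_UA = 100.0     # total allowed leakage for this example (uA)
MIN_DWELL_S = 3.0      # stabilisation time required before a reading counts
STATES = ["standby", "active_low", "active_nom", "patient_on", "dc_supply"]  # test order
ACTIVE = {"active_low", "active_nom", "patient_on", "dc_supply"}
# Budget rows: schematic reference -> allocated uA and the states in which the path is energised
BUDGET = {
    "CY1 (Y-cap, L/N to PE)":          {"ua": 35.0, "states": set(STATES)},
    "T1 (interwinding C)":             {"ua": 20.0, "states": ACTIVE},
    "FL1 (EMI filter parasitics)":     {"ua": 10.0, "states": ACTIVE - {"dc_supply"}},
    "SH1 (patient shield to chassis)": {"ua": 15.0, "states": {"patient_on"}},
}

def allocated(state):
    """Sum of the contributors energised in a given state."""
    return sum(c["ua"] for c in BUDGET.values() if state in c["states"])

def budget_feasible(ceiling=CEILING_UA):
    """Design-time gate: every state's allocation must fit under the ceiling."""
    return {s: allocated(s) <= ceiling for s in STATES}

def evaluate(measured, margin=0.15):
    """measured: {state: (dwell_s, raw_uA)} -> {state: (code, allocated_uA, raw_uA)}."""
    out = {}
    for s in STATES:
        dwell, raw = measured[s]
        alloc = allocated(s)
        if dwell < MIN_DWELL_S:
            code = "INVALID_NO_DWELL"          # pre-condition violated: reading not trusted
        elif raw > CEILING_UA:
            code = "FAIL_OVER_LIMIT"
        elif raw > alloc * (1.0 + margin):
            code = "WARN_OVER_ALLOCATION"      # under the limit, but a segment is out of budget
        else:
            code = "PASS"
        out[s] = (code, alloc, raw)
    return out

def segment_deltas(measured):
    """Difference consecutive states: each delta is the segment that step energises."""
    return {f"{a}->{b}": round(measured[b][1] - measured[a][1], 1)
            for a, b in zip(STATES, STATES[1:])}
# Constructed readings (dwell seconds, raw uA) for one unit
MEASURED = {
    "standby": (5.0, 30.0), "active_low": (5.0, 52.0), "active_nom": (5.0, 55.0),
    "patient_on": (5.0, 95.0), "dc_supply": (2.0, 50.0),
}
```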
5) Where do “mystery” leakage paths usually come from in production, and how can false failures be prevented?
Common sources include transformer construction variation (shield placement, winding spacing), contamination/moisture on high-impedance surfaces, and fixture/cable capacitance that changes the measured path. Prevent false failures by enforcing pre-conditions: discharge before test, fixed dwell time after mode changes, fixture self-check, and repeat runs for trend consistency. Any PASS/FAIL should include TesterID, FixtureID, Env, and raw readings.
6) When is Protective Earth (PE) mandatory vs acceptable to float, and what monitoring makes floating safe and diagnosable?
PE is used when the architecture relies on a defined chassis reference and bond integrity for safety and fault clearing. Floating is only acceptable when the system includes engineered controls: controlled discharge paths, defined capacitance to chassis (by design), and an explicit monitoring/logging plan for isolation health or unexpected chassis drift. For unearthed systems, an insulation monitoring device (example: Bender iso165C) can be used as a system-level hook.
7) How can PE open / poor ground bond be detected without causing nuisance trips?
Use a layered decision: fast detection for hard failures, and filtered confirmation for borderline impedance changes. Gate the alarm with operating state (e.g., ignore during known transients such as plug-in) and add a persistence timer to avoid one-sample trips. Separate “user warning” from “forced safe state” so minor degradations remain serviceable but traceable. Always log the measured value, threshold used, time-in-state, and the action taken.
8) How should eFuse/hot-swap retry vs latch-off policies be chosen for medical safe-state behavior?
Retry is useful for transient faults and improves uptime, but it must not create repeated energy pulses into an unknown fault. Latch-off is preferred when repeated attempts could increase hazard, heat, or unpredictable rail states. Define a policy table: fault type → allowed retries → cool-down time → lockout condition. Implement with a protection element such as an eFuse (example: TI TPS25947) plus a supervisor/log path that counts trips and escalates behavior deterministically.
9) What measurements prove inrush limiting is controlled (not just “it boots”)?
Controlled inrush is proven by waveforms and repeatability: measure input current peak, current limit plateau, ramp time to nominal bus voltage, and the absence of oscillation or latch-off under worst-case load and temperature. Confirm that downstream rails do not glitch and that PG/reset remains gated until the bus is stable. Store the capture ID (or summary metrics) with SN and test script version to make the proof traceable.
10) How can PG/reset be designed so brownouts never create “half-alive” logic states?
Treat PG as “stable-and-valid,” not just “above threshold.” Add stability time, dependency gating (which rails must be valid), and reset hold time that spans soft-start and transient dips. On brownout, force the same safe-state sequence every time: assert reset, shut down energy rails in priority order, and verify discharge actions. A sequencing/supervision device (examples: ADI ADM1266 or LTC2937) can provide deterministic timing and fault logs as design hooks.
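A supervisor that implements the "stable-and-valid" PG, dependency gating and reset hold described above, run over a sampled rail trace with a brownout dip. This is an added example, not the page's code and not the behaviour of any named sequencer IC: rail names, thresholds, timings and the voltage trace are constructed.

```python
# Added example, not from the page: a PG/reset supervisor where PG means "stable-and-valid"
# (each rail above threshold for STABLE_MS), PG is gated on a dependency set, and reset is
# held RESET_HOLD_MS after PG. A brownout drops PG and re-asserts reset the same way every
# time. Rails, thresholds, timings and the voltage trace are constructed.
RAILS = {"VBUS": 44.0, "V5": 4.75, "V3V3": 3.1}   # valid threshold per rail (V)
PG_DEPENDS_ON = ("VBUS", "V5", "V3V3")            # rails that must all be stable for PG
STABLE_MS = 20.0                                  # continuous valid time before "stable"
RESET_HOLD_MS = 50.0                              # reset held this long after PG asserts

def supervise(trace, dt_ms=1.0):
    """trace: list of {rail: volts} samples. Returns (states, events) where states are
    (t, pg, reset_released, rails_valid_bitmap) and events log every PG/reset change."""
    valid_since = {r: None for r in RAILS}
    pg, reset_released, pg_since = False, False, None
    states, events = [], []
    for i, sample in enumerate(trace):
        t = i * dt_ms
        bitmap = 0
        for bit, (r, vth) in enumerate(RAILS.items()):
            if sample[r] >= vth:
                if valid_since[r] is None:
                    valid_since[r] = t
                bitmap |= 1 << bit
            else:
                valid_since[r] = None              # any dip restarts the stability timer
        stable = all(valid_since[r] is not None and t - valid_since[r] >= STABLE_MS
                     for r in PG_DEPENDS_ON)
        if stable and not pg:
            pg, pg_since = True, t
            events.append((t, "PG_ASSERT", bitmap))
        elif not stable and pg:
            # Brownout on any dependency: drop PG and re-assert reset, never "half-alive"
            pg, reset_released = False, False
            events.append((t, "BROWNOUT_SAFE_STATE", bitmap))
        if pg and not reset_released and t - pg_since >= RESET_HOLD_MS:
            reset_released = True
            events.append((t, "RESET_RELEASE", bitmap))
        states.append((t, pg, reset_released, bitmap))
    return states, events

def make_trace():
    """Constructed trace: staggered ramp-up, a 10 ms VBUS dip at 150 ms, then recovery."""
    tr = []
    for i in range(300):
        vbus = 48.0 if i >= 30 else 48.0 * i / 30
        if 150 <= i < 160:
            vbus = 30.0
        tr.append({"VBUS": vbus, "V5": 5.0 if i >= 10 else 0.0, "V3V3": 3.3 if i >= 20 else 0.0})
    return tr
```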
11) What defines a safe shutdown for high-energy nodes (residual voltage, discharge time, logging)?
Safe shutdown is defined by measurable endpoints: the high-energy node reaches a residual-voltage target within a specified time, and exceptions are logged. Include both passive (bleeder) and triggered (active discharge) behaviors with a timeout policy that escalates to lockout if verification fails. Record Vstart, Vres, time-to-target, interlock state, and the applied recovery action so service teams can distinguish real hazards from test artifacts.
12) What is the minimum signable evidence package for R&D, production EOL, and field service?
Minimum evidence has three layers. R&D: full matrix (Hipot/IR/leakage by state, faults, brownout, discharge/interlock) with raw data and root-cause logs. Production EOL: reduced one-button recipe with traceability fields (TesterID, FixtureID, script version, calibration ID). Field: self-check results and event logs (brownouts, protection trips, discharge timeouts) with timestamps and a log hash or export ID. Safety testers such as Chroma 19032 or HypotULTRA 7800 are common examples for structured records.