← Back to: eFuse / Hot-Swap / OR-ing Protection
What It Solves
Multi-rail sequencing chaos
A.PG jitter makes B.EN bounce → undefined cold-start and random lockups.
- Window-OK drives clean PG chain (A→B→C)
- Programmable tDLY and deglitch
Brownout false resets
Transient dips cross the reset threshold → data loss and “ghost resets”.
- UV with proper hysteresis (ΔVHYS)
- Sized tFILTER to reject ripple, keep real brownouts
- Guaranteed tRESET hold
Over-voltage not cut fast
Upstream runaway isn’t shut before damage occurs.
- OV→eFuse EN/SHDN hard-wired fast path
- PG/FAULT semantics for logs and safe recovery
- ΔVHYS > Vripple,pp × 1.3; tFILTER ≥ 2×TSW and < Tbrownout,min
- OV→SHDN should prefer a hardware path; if the MCU is involved, demonstrate total latency stays within the fail-safe window
- Divider accuracy ≤ 1% / ≤ 100 ppm/°C, placed away from switching nodes; add RC filtering and TVS as needed
Signal Semantics
OV — Over-Voltage
VIN > VOV (with hysteresis). Highest-priority event; directly interlocks eFuse EN/SHDN and pulls PG low / sets FAULT.
UV — Under-Voltage
VIN < VUV (with hysteresis). May assert RESET/PG low; critical rails may optionally trigger shutdown.
Window OK
VUV < VIN < VOV and passes deglitch; serves as a stable source for PG.
MR — Manual Reset
Manual fault clear / extend RESET hold; when shared with WD, ensure debounce and state-machine consistency.
RESET
Configurable active-low/high; triggered by UV/OV/WD/MR; ensure tRESET is long enough for consistent startup.
PG — Power-Good
Open-drain/push-pull and polarity configurable; with tDLY; core of the A.PG→B.EN startup chain.
/FAULT
Indicates abnormal conditions and for logging; define whether latched or auto-clear; not a substitute for the timing source.
EN / SHDN
Enable/disable pins of downstream power stages. The PG chain provides “enable”, and the OV fast path provides “disable”.
CT — Timing Capacitor
Hardware anchor that sets tDLY / tRESET; mind tolerance, leakage, and temperature coefficient.
WDI — Watchdog Input
Heartbeat from the MCU; loss triggers reset/fault; when coexisting with MR/RESET, define the state machine.
- Polarity/drive of PG/RESET must match downstream EN/SHDN input levels and fan-out.
- Keep divider networks away from switching nodes; add RC/TVS against surge-induced false trips.
- Document tDLY, tFILTER, tRESET in the BOM; treat OV→SHDN as a safety-of-failure path.
Threshold & Timing
Threshold Types
- Absolute (internal reference): VTRIP ≈ VREF for low-voltage rails.
- Divider (for higher rails): VIN,TRIP = VREF·(1+R1/R2); budget input bias leakage.
- Programmable (pin/I²C/one-time fuse): declare safe defaults and write-protect policy.
Hysteresis (ΔVHYS)
- Set ΔVHYS ≥ 1.3× Vripple,pp to prevent PG “ping-pong”.
- With positive feedback on divider, compute VTRIP↑ and VTRIP↓ separately.
Deglitch (tFILTER)
- Size tFILTER ≥ 2–3× TSW (converter period) and < Tbrownout,min.
- Optional asymmetric filtering: longer on falling edge to avoid false RESET.
Reset Hold (tRESET)
- tRESET ≥ max{ slowest rail startup, clock lock, I/O init } × 1.2–1.5.
- Validate for both cold-start and brownout recovery.
Power-Up Delay (tDLY)
- Use tDLY to queue A.PG → B.EN → C.EN with adequate margin.
- CT-based delays: include C tolerance, leakage, and temperature drift.
Accuracy & Drift Budget
- Contributors: VREF, R1/R2, input bias, PCB leakage, tempco (ppm/°C).
- Report both RSS and worst-case numbers; verify at −40/25/85(125) °C.
- Use ≤1% / ≤100 ppm/°C divider; keep away from switching nodes; add RC and surge clamps if needed.
- Publish both RSS and worst-case budgets for VTRIP; verify at −40/25/85(125) °C.
- Document tFILTER, tRESET, tDLY in the BOM to prevent wrong-part substitutions.
Sequencing Patterns
PG Chain (A→B→C)
Window-OK generates PG; after tDLY, it enables the next rail. Prefer open-drain PG with local pull-up on each board.
Dependency DAG
Acyclic graph: edges point from “must-be-ready” to dependent rails. Use open-drain AND for multi-ready conditions; check low-level margin.
RESET Tree & Priority
Hardware RESET from the supervisor is root; distribute to MCU/FPGA/peripherals with tiered tRESET. OV/thermal overrides software requests.
Glitch / Glitch-Pass Policy
Events shorter than tFILTER must not alter PG/RESET. Stress with ripple bursts at PG’s edge; ensure no short release then re-assert.
- Determinism: A→B→C boot P95 ≤ X ms; P99 ≤ Y ms (define per product).
- Fault propagation: OV→SHDN (hardware path) ≤ Z µs; PG loss→all-rails OFF ≤ W ms.
- Stability: under worst ripple, PG toggles ≤ N times within 1-s window.
Fast-Shutdown Hooks
OV hard-wire path
Comparator output OR-wired to eFuse SHDN (active low). MCU path is optional and never safety-critical.
PG interlock
Window-OK feeds PG; PG enables rails. Any PG drop pulls a global disable chain to shut rails deterministically.
Priority
- 1) OV → hard-wired SHDN
- 2) Short-circuit → eFuse trip/limit
- 3) UV → reset/degrade or optional shutdown
- 4) MR/WDI/soft → lowest priority
- OV→SHDN propagation (hardware path) P95 ≤ X µs, P99 ≤ Y µs; document comparator+gate+trace+eFuse input filter.
- PG-loss → all rails OFF P95 ≤ W ms with deterministic ordering.
- Latch-off on OV with MR/host clear; UV may auto-retry with back-off.
Design Rules
Divider & thresholds
- V
IN,TRIP = VREF ·(1+R1/R2); account for input bias: ΔV ≈ IIN ·(R1∥R2). - Use ≤1% (ratio-critical ≤0.1%) and ≤100 ppm/°C; keep R1/R2 ≤30.
Tolerance synthesis
- RSS: √(REF² + R² + BIAS² + ADC²); worst-case: algebraic sum with signs.
- Report both and verify at −40/25/85(125) °C.
Hysteresis & filtering
- ΔV
HYS ≥ 1.3× Vripple,pp . - t
FILTER ≥ 2–3×TSW and < Tbrownout,min .
ADC/AFE sharing
- Buffer the sense node; define a sampling window away from comparator flip.
- Avoid high-impedance sharing without buffering.
ESD/surge coupling
- Place low-C TVS near the entry; return directly to chassis/earth.
- Add small series R (10–100 Ω) / bead before the comparator node.
- RC pre-filter 10–100 kΩ + 100 pF–4.7 nF as needed.
BOM remarks (paste-ready)
- Supervisor-to-eFuse OV hard-wire SHDN required; MCU path not safety-rated.
- Publish V
TRIP budgets and tFILTER /tRESET /tDLY in BOM. - When sharing the divider with ADC, buffer the node and lock the sampling window.
Validation & Edge Cases
Cold start
VIN 0→nominal under worst load. Verify A→B→C order, deglitch action, and tRESET hold.
Brownout
Short droop < tFILTER must not trip; long droop must assert RESET and keep hold time.
Slow ramp
Micro-slope across thresholds; extract VTRIP↑/↓ and ΔVHYS at −40/25/85/125 °C.
Fast droop
Glitch to UV−Δ for τ ≪ tFILTER. RESET/PG must remain stable (no false trip).
Noise across thresholds
Inject 20–120 mVpp, 100 k–1 MHz. With ΔVHYS ≥ 1.3×Vripple,pp, no “ping-pong”.
OV step & overshoot
Measure hardware path latency: OV→SHDN (comparator→gate→trace→eFuse input).
- OV→SHDN (hardware path): P95 ≤ X µs, P99 ≤ Y µs; record comparator+gate+trace+eFuse input filter stack.
- PG-loss → all-rails OFF: deterministic chain within W ms; document A→B→C timestamps.
- Stability: with ΔVHYS ≥ 1.3×Vripple,pp, PG toggles ≤ N in any 1-s window.
Cross-Brand Options
Below are concrete options mapped to the window-supervision use case. We note type (Window/Single/PMIC-SBC), typical packages, temp grades, AEC-Q, and why each part fits fast-shutdown hooks (PG polarity, open-drain, delay programmability, latch behavior).
Texas Instruments
- TPS3702-Q1 — Window; SOT-23/DFN; −40…125 °C; AEC-Q100. Why: dual thresholds, open-drain outputs, straightforward OV→SHDN tie-in.
- TPS3700 / TPS3700-Q1 — Window; SOT-23; −40…125 °C; (Q1: AEC-Q100). Why: resistor-set window, simple PG chaining.
STMicroelectronics
- STM706/708/709 — Single; SOT-23/uDFN; −40…105/125 °C. Why: clean UV reset; pair with a fast comparator for OV cut.
- STM1831/1832 — Single; SOT-23; −40…125 °C. Why: minimal-BOM UV/RESET; easy PG interlock.
NXP
- UJA1169 — PMIC-SBC; HVQFN; −40…125 °C; AEC-Q100. Why: integrated VSUP monitor + watchdog; safe-state outputs for shutdown.
- MC33907/MC33908 — PMIC-SBC; QFP/QFN; −40…125 °C; AEC-Q100. Why: multi-rail sequencing with supervision hooks.
Renesas
- ISL8801x / ISL8803x — Single; SOT-23/DFN; −40…125 °C. Why: precise reset timing; pair to create window behavior.
- Automotive PMICs (ISLxxxx) — PMIC-SBC; QFN/QFP; AEC-Q100. Why: system-level sequencing and monitoring.
onsemi
- NCV809 / NCV301 / NCP303 — Single; SOT-23/SC70; −40…125 °C; AEC-Q100 (select). Why: UV reset building blocks; wire OV to eFuse for fast cut.
- NCV7425 — PMIC-SBC; QFN; −40…125 °C; AEC-Q100. Why: supply supervision for CAN nodes.
Microchip
- MIC2774 / MIC2775 — Window; MSOP/SOT-23; −40…125 °C. Why: native window detection; easy PG chaining.
- MCP1316/17/18/19 — Single; SOT-23; −40…125 °C. Why: UV/RESET bricks for lightweight rails.
Melexis
- MLX8111x (LIN SBC) — PMIC-SBC; QFN; −40…125 °C; AEC-Q100. Why: integrated supervision for LIN ECUs with fail-safe states.
- MLX8133x (Smart BLDC) — Integrated driver; QFN; −40…150 °C. Why: motor-domain supervision where a discrete window chip is not needed.
- Pin & polarity: prefer active-low open-drain PG/RESET for chaining and OR-wiring to SHDN.
- Delays: document tFILTER/tRESET/tDLY budgets in the BOM; forbid substitutions without re-verification.
- Accuracy & drift: keep divider ≤1% (ratio-critical ≤0.1%) and ≤100 ppm/°C; check temp corners.
- Compliance: align AEC-Q100 grade and ambient range (−40…125/150 °C) with ECU location.
Request a Quote
BOM Remarks
Copy these lines into your BOM or PO notes to prevent unsafe substitutions and to make window, hysteresis, filtering, and PG semantics explicit for suppliers and CM partners.
- Define V_TRIP↑ and V_TRIP↓ with ΔV_HYS ≥ 1.3×V_ripple,pp. Provide both RSS and worst-case threshold budgets over −40/25/85/125 °C.
- Set t_FILTER ≥ 2–3×T_SW and t_FILTER < T_brownout,min. If needed, make falling-edge filtering longer than rising-edge to avoid false resets.
- PG semantics: use active-low open-drain for chaining, list polarity, pull-ups, and release quorum for power-up sequencing.
- OV must hard-wire to eFuse/pack-switch SHDN. MCU/ISR paths are non-safety and must not be the sole shutdown mechanism.
- Specify t_RESET hold (≥ slowest rail settle ×1.2–1.5) and per-hop t_DLY for A→B→C ordering.
- Divider sharing with ADC/AFE: buffer the sense node and define a sampling window away from comparator flip; avoid high-impedance sharing.
- ESD/surge control: low-C TVS at entry with direct return; small series R or bead before the comparator node; optional RC pre-filter 10–100 kΩ + 100 pF–4.7 nF.
- Publish latch policy: OV latch-off with MR/host clear; UV may auto-retry with back-off. Document PG-loss→all-rails-OFF time.
- State AEC-Q grade and temperature range for the selected parts; forbid substitutions without re-verifying V_TRIP, ΔV_HYS, t_FILTER, t_RESET, and t_DLY.
- List companion devices in the shutdown loop (eFuse/ideal-diode part numbers) and target OV→SHDN latency with P95/P99 statistics.
Need a cross-brand mapping for these constraints? /submit-bom
Frequently Asked Questions
How do I size ΔV_HYS to stop PG “ping-pong” without delaying recovery?
Set hysteresis so the falling threshold clears ripple plus measurement noise with margin: ΔV_HYS ≥ 1.3×V_ripple,pp at the worst temperature and load. Keep t_FILTER modest so rising recovery is not masked. Verify across −40/25/85/125 °C with ripple sweeps; PG toggles per second should remain below your specified stability limit.
What’s a good t_FILTER target relative to switching period and brownout?
Use t_FILTER ≥ 2–3×T_SW to average converter ripple yet keep t_FILTER < T_brownout,min so genuine sags still trip. Many designs add asymmetry: longer on falling edges to suppress spurious resets, shorter on rising edges to speed recovery. Validate with ramp, droop and ripple profiles at temperature corners before freezing the BOM.
When should OV force a hard-wired SHDN instead of reset or software ISR?
Use hard-wired SHDN whenever the overvoltage can damage loads faster than firmware can react. The comparator→gate→trace→eFuse input path yields deterministic microsecond latency and bypasses software jitter. Reserve resets or ISRs for non-destructive excursions. Document the hardware path, measure P95/P99 latency, and confirm it beats the component safe-operating window.
How long should t_RESET be after a brownout compared with a cold start?
Hold reset until the slowest rail and dependent PLLs settle with margin: t_RESET ≥ 1.2–1.5× the worst-case settle time. Brownouts often need a slightly longer hold than cold starts due to partially charged capacitances and asynchronous state. Measure at temperature extremes and include interface re-enumeration or sensor warm-up when relevant.
Should PG be active-high or active-low open-drain for multi-rail chains?
Active-low open-drain simplifies wired-AND logic for power-good quorums and lets multiple rails or supervisors share a pull-up. It also eases OR-wiring into global disable lines. If you use push-pull outputs, ensure polarity consistency and never short drivers. Place pull-ups near the receiving device to control edge rate and susceptibility.
How do I calculate V_TRIP↑ and V_TRIP↓ with positive-feedback hysteresis?
Start with the divider ratio to set the mid-threshold using the internal reference. Add a feedback resistor from the output node to the upper divider leg. Solve the two states: rising trip with feedback high, falling trip with feedback low. Include reference accuracy, resistor tolerances and bias currents. Verify both thresholds across temperature and supply ranges.
Can the ADC share the same divider as the comparator without false trips?
Yes, if you buffer or RC-isolate the sense node and schedule a sampling window away from the comparator’s transition region. Avoid high-impedance networks that magnify kickback. Keep routing short, add a small series resistor or bead to the ADC input, and confirm that repeated conversions do not modulate the comparator threshold.
What is the safest way to interlock PG with an eFuse to avoid races?
Use PG only to enable rails when all conditions are good, but wire OV directly to SHDN so destructive events bypass logic. Keep PG chains deterministic and avoid combinatorial loops. If both short-circuit and OV can occur, give the eFuse trip independent authority. Add deglitching on PG and document priority in the safety concept.
How do I validate OV→SHDN latency and report P95/P99 properly?
Inject a controlled overvoltage step and capture comparator output, logic gate output, and eFuse input threshold with a fast scope. Repeat for at least one thousand trials over temperature. Build histograms per corner, then publish P95 and P99 values with probe locations and bandwidths. Ensure margins beat the damaged-in-time window of the protected load.
What layout practices reduce ESD or surge coupling into the divider?
Place a low-capacitance TVS at the entry and return it directly to the chassis or primary ground. Route a short, straight sense trace away from switching nodes. Add a small series resistor or bead before the comparator input and consider an RC pre-filter. Use a Kelvin connection to VIN and keep analog and power grounds single-point tied.
If a brand lacks a native window IC, how do I build one safely?
Combine a precision reference with a fast comparator and design a resistor network that creates two thresholds with hysteresis. Pick a comparator with low input bias and adequate speed. Provide open-drain outputs for PG compatibility and add deglitching. Validate thresholds, hysteresis, and propagation delay across temperature, then document the implementation like a discrete supervisor.
Which data must appear in the BOM for cross-brand substitutions?
Include explicit V_TRIP↑, V_TRIP↓, ΔV_HYS targets and t_FILTER, t_RESET, t_DLY budgets, plus PG polarity and release quorum. State OV→SHDN latency targets and latch policy. Specify AEC-Q grade, temperature range, and companion protection part numbers. Forbid substitutions unless thresholds and timings are re-verified across temperature with documented test methods.
