System Interlocks for eFuse/Hot-Swap/OR-ing

Interlock philosophy

PG ≠ regulated DC; it is a voted admission signal. Combine multiple PG sources via open-drain AND with debounce (t_PG-valid) and timing guard (t_EN-guard) before enabling downstream converters.

Three-state strategy

Allow when PG-voted true and thermal/ΔV/I_rev are healthy. Limit first on faults (ILIM down-shift, soft-start re-pull) to keep logging & graceful actions. Deny only after exceeded limits or exhausted retries (latch or timed recovery).

Event lifecycle

Admission → Degrade → Deny → Recover, bound to PG/FAULT/thermal/ΔV and timers; every transition creates an auditable log.

Recommended parameter bands

• Debounce tPG-valid: 1–5 ms (noisy backplanes use upper range).
• Enable guard tEN-guard: 2–10 ms (cover upstream settling & sampling windows).
• Limit ladder: 1–2 steps before deny (e.g., 100%→70%→deny).
• Thermal handoff: 85–100 °C triggers deny or longer cool-off.
• Retry budget: 2–3 attempts with exponential backoff (e.g., 20/80/200 ms).

Minimal log dataset

• Timestamp, monotonic counter, supply domain ID.
• Trigger source: PG/FAULT/THERM/ΔV/I_rev.
• Decision: Allow/Limit/Deny; retry index; timers used.
• Measured snapshot: V, I, T, ΔV, I_rev, ILIM step.

Power-up sequences

1. Single-source: AC-DC PG↑ → Hot-Swap PG↑ → DC-DC EN↑ (each step gated by t_PG-valid and t_EN-guard).
2. Dual-source: Preferred source satisfies ΔV_trip & PG↑ → EN↑ (other source held by OR-ing controller).
3. Backplane-card: PG_bus↑ (debounced) ∧ Card PG↑ → Card EN↑ (local guard).

Fault fallback (graceful first)

1. PG↓ or surge detected → Limit (ILIM step-down, re-pull soft-start) + log.
2. Repeated trips or thermal threshold → Deny with latch or timed recovery.
3. Dual-source: if active source fails and ΔV allows, switch to standby (respect t_min-reselect & ΔV_hys).

PG (Power Good)

Default as open-drain, often active-high after pull-up. Treat PG as a voting input. Add debounce tPG-valid=1–5 ms and RC/DF filter. Choose pull-up 4.7–22 kΩ per bus C & length.

FAULT

Open-drain, usually active-low. Clear behavior varies: auto, command, or power-down. Record latched vs momentary sources (OC/OT/UV/OV/I_rev).

EN (Enable)

Gatekeeper with threshold & hysteresis: V_EN(th), V_EN(hys). Add an external guard delay tEN-guard=2–10 ms. Never hard-wire PG to EN directly.

ILIM (Current limit)

DAC / resistor / register controlled. Modes: constant-current or foldback. Use a downgrade ladder (e.g., 100%→70%→50%) and a recover threshold (≤0.7× trip or ΔT ≥ 10–15 °C).

Timers: TMR / RETRY

Debounce & guards (T_PG_valid, T_EN_guard), retry windows (e.g., 20/80/200 ms), latch cooldown, and T_min-reselect for dual-source anti-ping-pong.

Minimal interlock wiring & registers

• Wiring: PG lines → open-drain AND → local RC → MCU/logic → EN; FAULT → MCU/logic → (EN↓ or ILIM↓).
• Regs (starting): ILIM_CFG.step=[100,70]; RETRY=[20,80,200]ms; T_PG_valid=3ms; T_EN_guard=5ms; FAULT_LOG depth ≥ 8.

Acceptance & tests

1. Inject PG chatter (< T_PG_valid) ⇒ EN must not rise.
2. Apply short surge ⇒ first trip enters Limit (ILIM↓); repeat + high temp ⇒ Deny.
3. Clear FAULT per policy; verify retry and cooldown behavior and complete logs.

Power-up

• Trigger: PG_VOTED=1 & T_PG_valid met.
• Action: EN↑, soft-start, SOA coordination.
• Exit: SS done or FAULT ⇒ Limit path.

Short / Surge

• Trigger: OC/surge or FAULT.oc=1.
• Action: Limit-first (ILIM↓ + soft re-pull), log & count.
• Exit: Repeat within N or high temp ⇒ Deny (EN↓, latch/cool).

Dual-source switch

• Trigger: ΔV_trip, PG_A/B change.
• Action: Enforce T_min-reselect & ΔV_hys, cap I_rev; optionally Limit before switch.
• Exit: Active source stable & PG_VOTED=1, log event.

Maintenance (Bypass/Maintain)

• Trigger: Maintenance command or critical-rail keep-alive.
• Action: Bypass (time-limited/audited) or Maintain (keep key rails + ILIM + thermal guard).
• Exit: Time elapsed or risk ↑ ⇒ resume policy or Deny.

Cold-start

• Trigger: Main source UV, need auth/log.
• Action: Use hold-up (cap/supercap) to power MCU; PG delay window for signing/logging.
• Exit: Main recovers → standard power-up; else limited retries → Deny.

Executable test skeleton

1. Power-up: inject PG pulses shorter than T_PG_valid ⇒ EN remains low.
2. OC/Surge: first event ⇒ Limit (ILIM↓); second + hot ⇒ Deny (latch/cool).
3. Dual-source: ±ΔV staircases ⇒ switch rate < 0.2 Hz; dwell ≥ 5×T_min-reselect; I_rev within budget.
4. Maintenance: in Bypass, overheat or reverse-current ⇒ immediate exit to policy or Deny.
5. Cold-start: hold-up powers MCU for sign/log within PG delay window; on failure limit retries then Deny.

BOM & migration reminders

• Declare Limit-first priority & thermal constraints; document ILIM.step[], RETRY_CFG, T_min-reselect, ΔV_trip/hys, T_cooldown, THERM thresholds.
• Before cross-brand swap, update field mapping (Chapter #signals) and re-run the five policy use cases.

Ideal capacity

Use a first-order estimate: C ≥ I_load × t_hold / ΔV_allow. Reserve margin for temperature and aging (≥15%).

With ESR & efficiency

Practical sizing: C ≥ (I_load/η) × t_hold / (ΔV_allow − I_load × ESR). Evaluate at worst-case combo (low temp + aged ESR).

Logging window

Ensure t_boot + t_mount + t_sign + t_flush ≤ t_hold. If exceeded, degrade to limited-current + minimal log.

Worked example

Target: I_load=0.8 A, t_hold=120 ms, ΔV_allow=1.2 V, η=0.9, ESR=40 mΩ → C≈91 mF; with 1.25× margin choose ≈120 mF. Record in BOM: C_hold-up≈120 mF; ESR_total≤40 mΩ; t_hold≥120 ms.

Acceptance & bench correlation

1. Spice step-load + power-loss events; measured ΔV and duration within <10% of formula.
2. Repeat at −20 °C & aged ESR; re-allocate ΔV_allow/ESR budget if out of spec.

Open-drain PG/FAULT voting

Multi-PG → open-drain AND → single pull-up (4.7–22 kΩ) → local debounce (1–5 ms) → MCU/logic. Segment pull-ups on backplane to reduce bus C.

EN guard & active inhibit

Add tEN-guard (2–10 ms) before EN; give FAULT/THERM the right to force EN low. Add series R + clamp on gate path to avoid back-drive.

ΔV_trip & priority

Diff-amp + comparator with hysteresis: set ΔV_hys ≥ 2× ripple p-p; priority window 10–40 mV; T_min-reselect=50–200 ms.

Isolation & level compatibility

PG/FAULT polarity must match across domains via digital isolators; normalize to 3.3 V open-drain at MCU side when mixing 3.3/5/12 V rails.

Layout/DRC checklist

• Unified open-drain polarity; single-point pull-up traceable.
• EN guarded; active-inhibit (FAULT/THERM→EN↓) verified.
• ΔV_trip sampling symmetry; resistor tolerance/tempco checked.
• Isolation creepage/clearance per voltage domain.
• Hot-swap gate/sensing loops shortest; decoupling near pins.
• Hold-up/supercap return path inductance minimized.

Host register set (mapping to #signals)

• ILIM_CFG (mode/level/steps/recover)
• RETRY_CFG (sequence & count)
• PG_STAT (per-source & voted)
• FAULT_LOG (time, temp, ΔV, I_rev, policy)
• THERM_STAT, ΔV_STAT, MAINT_MODE

Scenarios (≥12)

• PG debounce tolerance (1–5 ms jitter)
• Dual-source ΔV flapping (sweep ΔV_trip/ΔV_hys/T_min-reselect)
• Contact degradation (step R_contact, record ΔT & actions)
• Capacitive load steps (1×/2×/3×; dv/dt & SOA guard)
• Surge/short: Limit-first → Deny escalation
• I_rev control during OR-ing priority changes
• Power-loss logging (minimal set in N ms)
• Maintenance bypass window (time limit, ΔT, backfeed)
• Cold-start + hold-up window (t_boot+mount+sign+flush ≤ t_hold)
• Temperature extremes (−20 °C / +85 °C)
• USB-C revive path (CC-limited recharge; no rail collapse)
• Recovery & latch clear (Retry schedule / cool-down)

Metrics (per scenario)

• Switching frequency f_sw & minimum dwell t_dwell
• EN false-on / false-off counts
• ILIM step trajectory (% and repetitions)
• I_rev peak and ΔT on hot spots
• Log coverage: ID/time/cause/policy present
• Pass/Fail with FAULT_LOG evidence

Fault injection (repeatable)

• PG jitter via programmable open-drain pulse (0.2–5 ms)
• ΔV steps ±(5–60 mV), step 5 mV, dwell 50–500 ms
• Programmable series R (0–200 mΩ) for R_contact
• Switched C_load matrix (incl. ESL/ESR models)
• Pulsed load for surge/short with thermal ramp
• Timed power-loss with “countdown” trigger to logger
• Bypass/Maintain timers with ΔT & backfeed monitors
• USB-C revive CC-limited pre-charge to safe threshold

Quantitative thresholds

• Anti-flap: f_sw < 0.2 Hz; t_dwell ≥ 5×T_min-reselect
• Debounce: PG jitter ≤ T_PG_valid/2 must not cause EN↑
• Logging: 100% of scenarios write minimal set & verify
• I_rev: ≤ I_rev(max) with ΔT inside policy limits
• Limit-first: first event → ILIM; repeat/over-temp → Deny

Data & evidence

Capture PG[i], PG_voted, EN, ILIM%, FAULT, THERM, ΔV, I_rev, ts, policy_state, and attach oscilloscope/thermal plots per scenario. Sign each log with CRC/crypto for auditability.

TI

• PN: LM5069 (Hot-Swap), TPS25982 (eFuse), LM74700-Q1 (Ideal Diode), TPS2121 (Dual-source)
• PG/FAULT: open-drain, active-low; pull-up 4.7–22 kΩ
• EN_th/HYS: clean thresholds; add external tEN-guard 2–10 ms
• ILIM_mode: const / foldback / fine steps (policy-friendly)
• RETRY/FAULT: programmable; supports Limit-first → Deny
• Regs map: PG_STAT, FAULT_LOG, ILIM_CFG, RETRY_CFG, THERM_STAT
• Red-flags: none typical; confirm SOA for large C_load
• Compensation: verify ΔV_hys & Tmin for TPS2121 anti-flap

ST

• PN: STEF01/12 (eFuse), STPMIC1 (PMIC)
• PG/FAULT: open-drain; polarity consistent with TI
• EN_th/HYS: check temp drift; add tEN-guard
• ILIM_mode: const with fast-trip; foldback depends on PN
• RETRY/FAULT: mode varies (auto/latched)
• Regs map: PG_STAT/FAULT_LOG via PMIC status
• Red-flags: fewer native ideal-diode/mux options
• Compensation: system ΔV_trip + ΔV_hys + I_rev controller

NXP

• PN: NX5P3290 (CL load switch), PF1550 (PMIC family)
• PG/FAULT: open-drain; low-voltage rails friendly
• EN_th/HYS: ensure guard against line noise
• ILIM_mode: current-limited switch (steps depend on PN)
• RETRY/FAULT: basic auto/command clear
• Regs map: PMIC status → unified keys
• Red-flags: dual-source often system-level only
• Compensation: implement ΔV_hys & Tmin in logic

Renesas

• PN: ISL6146/6145A (Hot-Swap), RAA489xxx (path/mux)
• PG/FAULT: open-drain; retry/latched configurable
• EN_th/HYS: stable; verify thresholds at extremes
• ILIM_mode: const/foldback selectable
• RETRY/FAULT: granular timers; good for policy mapping
• Regs map: rich control/status for PMBus/I²C
• Red-flags: variant-specific defaults differ
• Compensation: audit defaults; align with Limit-first

onsemi

• PN: NIS5021/5020 (eFuse), ideal-diode via FET+ctrl
• PG/FAULT: open-drain; clear semantics
• EN_th/HYS: confirm startup sequence
• ILIM_mode: constant limit with fast trip
• RETRY/FAULT: latch/auto variants
• Regs map: discrete; map via host controller
• Red-flags: mux control typically discrete
• Compensation: ΔV_trip + I_rev controller + timers

Microchip

• PN: MIC2005/2009 (CL switch), MIC2545A (PDS)
• PG/FAULT: open-drain; USB/low-V ecosystems
• EN_th/HYS: add guard; noise-tolerant layouts
• ILIM_mode: const limit; foldback by family
• RETRY/FAULT: predictable; host-driven clear
• Regs map: via host I²C (no native PMBus on switches)
• Red-flags: coarse ILIM steps on some PNs
• Compensation: finer steps in host policy

Melexis

• PN: MLX91220 (current sensing), MLX90614 (temp)
• Role: telemetry augmentation for THERM_STAT & I telemetry
• PG/FAULT: from host mapping
• EN_th/HYS: n/a (sensing functions)
• ILIM_mode: n/a; use with eFuse/diode controllers
• Regs map: expose to host: THERM_STAT/ΔV_STAT
• Red-flags: not native eFuse/hot-swap
• Compensation: ensure sampling sync & calibration

Risk map (semantic differences)

• PG: polarity (active-low/high), open-drain vs push-pull, pull-up range, tPG-valid spec.
• EN: V_EN(th), hysteresis, temp drift; need external tEN-guard.
• ILIM: resistor/DAC/register; constant vs foldback vs stepped; recovery threshold.
• FAULT: polarity/open-drain; clear = auto / command / power-cycle; latch vs retry.
• Timers: retry/cooldown/T_min-reselect clock bases differ → absolute error.

Migration lanes (compensations)

• PG unify: force open-drain + same polarity; add inverter/firmware flip if needed; pull-up ≈ 10 kΩ; align tPG-valid.
• EN guard: add tEN-guard 2–10 ms (digital first); verify V_EN(th)/HYS worst case.
• ILIM conservative: start 20–30% below nominal (e.g., 3.0 A → 2.2 A); confirm Limit-first.
• FAULT clear: MCU-command only; no immediate auto-retry; cool-down then retry; log before retry.
• Timers align: longer windows for ΔV_hys / T_min-reselect / Retry; tighten after bench data.

Case A — Hot-Swap controller

• From → To: <BrandA><PN_A> → <BrandB><PN_B>
• PG: polarity=low/OD; PU=10 kΩ; tPG-valid=3 ms
• EN: add tEN-guard=5 ms; +0.2 V margin
• ILIM: 3.0 A → 2.2 A steps; recovery 0.8×
• FAULT: command-clear; cooldown=200 ms
• Timers: ΔV_hys=25 mV; T_min-reselect=80 ms
• Gate: pass 12 scenarios; I_rev ≤ target; 100% logs

Case B — Dual-source MUX/Ideal-Diode

• From → To: <BrandA><PN_A> (native mux) → <BrandB><PN_B> (comp+FET)
• PG: OD unify; PU=8.2 kΩ (backplane)
• EN: tEN-guard=8 ms; startup noise test
• ILIM: foldback → const 1.8 A
• FAULT: latched→cmd-clear; add THERM to log
• Timers: ΔV_trip=30 mV; ΔV_hys=20 mV; Tmin=120 ms
• Gate: f_sw<0.2 Hz; t_dwell≥5×Tmin; ΔT within policy

Mandatory (paste into BOM)

PG voting is open-drain; any unmet PG → EN=Low. EN guard tEN-guard=<__ms>; ΔV_trip=<__mV>; T_min-reselect=<__ms>. Hold-up C=<__µF>; t_hold≥<__ms>. Bypass only within maintenance window (I=<__A>, T=<__s>). Cross-brand requires PG/FAULT/ILIM mapping + 12-scenario pass. FAULT cleared by MCU command; no instant auto-retry.

Optional

AEC-Q100 / wide temp; package/finish; thermal probes + ΔT; small-batch supply (cut-tape/partial reel); second-source readiness; USB-C revive with current limit.

Quality & Traceability

Lot ID / supplier code / COA; config version & policy hash; minimal log CRC; incoming QA sampling (ΔV flap / PG debounce / power-loss log); hotspot check on OR-ing; fail policy: Limit-first → Deny with evidence.