Robustness for CAN/LIN/FlexRay: Short, ESD, CM Range, CMTI

Robustness is not a slogan—it is a testable contract.
Define pass/fail across short survivability, ESD comparability, common-mode bands, and (for isolated links) CMTI, then verify on bench → harness → vehicle with measurable recovery and drift limits.

Robustness: What It Means and What It Doesn’t

30-second definition

Robustness is not a slogan. It is a set of testable claims about what a bus port can survive, what it can keep operating through, and how it recovers — under real automotive threats.

  • Four axes: Short survivability, ESD meaning, common-mode range, and CMTI (for isolated types).
  • Two outcome classes: functional continuity (keeps communicating) vs survivability (does not get damaged).
  • Scope guard: this page defines metrics and selection logic; detailed TVS/CMC/split-termination/layout belongs to EMC / Protection & Co-Design.
Make robustness measurable (selection fields)
Each axis should translate into concrete fields in a selection sheet. Use the same wording consistently across pages to avoid spec drift.
1) Short survivability (VBAT/GND)
  • Condition: short type (to VBAT, to GND, bus-to-bus), duration (pulse vs continuous), temperature point.
  • Behavior: current limit, thermal shutdown, dominant timeout, fail-safe state.
  • Outcome: “no damage” vs “keeps communicating” vs “recovers in X ms after release”.
2) ESD levels (meaning and comparability)
  • Model: IEC system-level vs HBM component-level vs vehicle-focused variants.
  • Method: contact vs air discharge, test point (pin vs connector/harness), repetitions, polarity.
  • Pass criteria: no damage, no latch-up, no param drift beyond limits, recovery time defined.
3) Common-mode range (operating vs fault)
  • Operating CM: guaranteed communication range (receiver thresholds + symmetry assumptions).
  • Fault CM: no-damage / recoverable range under ground offset or surge return stress.
  • Measurement rule: define the reference point (ECU ground vs chassis) to avoid “fake CM” readings.
4) CMTI (isolated transceivers)
  • Definition: immunity to fast common-mode dv/dt (kV/µs) crossing the isolation barrier.
  • System link: HV inverter switching and ground potential differences drive dv/dt stress.
  • Outcome: no false toggles, no resets, no loss-of-communication under specified dv/dt.
Functional continuity vs survivability (do not mix)
Survivability (damage-focused)
  • No permanent damage (no open/short, leakage within limit).
  • No latch-up or uncontrolled current paths.
  • Param drift bounded (thresholds, standby current, driver strength).
Functional continuity (communication-focused)
  • Communication continues through the event (or drops within an allowed envelope).
  • Recovery time is specified and verified (e.g., “recovers in X ms”).
  • Error counters and bus-off behavior remain within system assumptions.
Pass/Fail template (use the same four lines everywhere)
  • Damage: any permanent change (open/short/leakage drift) beyond limits?
  • Communication: does the link stay up, or drop within an allowed window?
  • Recovery: time to resume normal operation after event removal.
  • Drift: thresholds/standby current/edge symmetry drift after stress.
What robustness does NOT guarantee (avoid cross-topic duplication)
Figure 1 · Robustness Map (four measurable axes)
Diagram: a central "Robust Port" hub with four quadrants. Short Survivability: short-to-VBAT / short-to-GND; current limit · thermal · auto-recover. ESD Meaning: IEC vs HBM · contact vs air; pass criteria · drift · recovery. Common-Mode Range: operating CM · fault CM; ground offset · reference point. CMTI (Isolated): kV/µs · false toggles; HV dv/dt · barrier immunity.
Reading tip: treat each quadrant as a row in a selection sheet. Every “kV” or “range” must include the test condition and pass criteria.

Threat Model: What Actually Kills Automotive Fieldbus Ports

Why a threat model comes before specs

Many field failures are not “ESD problems” in isolation. They are event + path + condition + pass-criteria mismatches. A threat model prevents overfitting selection to a single headline number.

Threat sources (what happens on real harnesses)
1) Miswire / short events
Harness faults and assembly mistakes create short-to-VBAT/GND or bus-to-bus shorts. The dominant question is: “no damage” only, or “automatic return to communication” within a bounded time.
2) Hot-plug / reverse / jump-start transients
Service actions (connect/disconnect) and supply-domain disturbances can force ports through undervoltage/overvoltage corners. Robustness must separate port limits from system return-path realities.
3) ESD touch and connector handling
ESD is frequent and repeatable, but only comparable when the model and pass criteria are identical. “Pass once” does not guarantee no param drift or long-term fragility.
4) Surge-like pulses and fast supply disturbances
Short pulses can trigger resets, brownouts, and fault states even when the port “survives.” Detailed pulse coupling and protection partitioning belongs to EMC / Protection & Co-Design.
5) Ground offset and HV dv/dt (isolated domains)
In e-drive / HV areas, rapid dv/dt and ground potential differences stress the isolation barrier. CMTI becomes a primary robustness axis, not a “nice-to-have.”
Failure modes (what changes, what is observable)
Hard failures (damage)
  • Permanent open/short on bus pins; leakage rises beyond limits.
  • Latch-up or uncontrolled current paths under stress.
  • Insulation breakdown indicators (isolated types).
Soft failures (behavior and recovery)
  • Thermal protection oscillation → repeated link drops.
  • Dominant timeout / fault-state transitions not aligned with system assumptions.
  • Param drift after stress → reduced margin (edge symmetry, thresholds).
False diagnosis (system path & measurement traps)
  • “Port failure” caused by return-path or reference-point errors (ground clip artifacts).
  • ESD “pass” defined only as no damage, while the system requires no link drop.
  • Common-mode measured at the wrong node → misleading “in-range” conclusion.
Fast triage (30-second routing)
  1. Identify the event class: short, ESD, pulse disturbance, ground offset, or HV dv/dt.
  2. Pick the outcome definition: survivability-only or functional continuity required.
  3. Measure at the correct reference: define ECU ground vs chassis, and avoid scope ground artifacts.
  4. Map to a robustness axis: short / ESD / CM range / CMTI, then validate with explicit pass criteria.
Figure 2 · Vehicle Port Threat Tree (event → path → outcome)
Diagram: threat tree rooted at "Bus Port Failure / Link Drop" (event + path + criteria), branching into Short Events (thermal cycling, auto-recover?), ESD Handling (contact vs air, leakage drift), Pulse Disturbance (supply dip, clamp path), Ground Offset (reference point, return path) and HV dv/dt, isolated (CMTI glitch, isolated supply dip).
Practical rule: treat each branch as a diagnosis route. A headline spec is only valid when the event type, test setup, and pass criteria match the system requirement.

Metrics Vocabulary: Survivability vs Functionality (Pass/Fail Definitions)

Why pass/fail language must be fixed

Headline robustness numbers are not comparable unless the same outcome definition is used. This page fixes the vocabulary so every test item can be written, executed, and audited with the same four-line pass criteria.

Two outcome classes (do not mix)
Survivability (damage & recovery)
  • No damage: no permanent open/short; leakage and clamp behavior remain within limits.
  • Bounded drift: thresholds, driver strength, and standby current stay within specified drift limits.
  • Recoverable state: returns to a defined normal mode without uncontrolled latch-up behavior.
Functionality (communication performance)
  • Continuity: link stays up, or drops only within an explicitly allowed envelope.
  • Error bound: error counters / frame errors / bus-off events remain below a defined limit.
  • Recovery time: resumes normal communication within a defined time window after the event.
Fixed pass criteria template (copy into every test item)
  • Damage? Any permanent change (open/short/leakage/clamp shift) beyond limits?
  • Communication? Does the link stay up, or drop only within an allowed window? Are errors bounded?
  • Recovery time? Time to return to normal mode after event removal (define start reference).
  • Drift? Post-stress drift of thresholds/standby/driver symmetry ≤ X (define measurement method).
Audit rule: a robustness number is valid only when the event type, test setup, and the four pass lines are stated together.
Vocabulary mapping (remove comparability ambiguity)
HBM vs IEC
  • Meaning: component-level vs system-level stress and coupling.
  • Not comparable unless: discharge method, test point, repetitions, and pass criteria match.
  • Must be stated: contact/air, pin/connector location, and “no damage” vs “no link drop”.
Operating vs Fault
  • Operating: communication guaranteed (functional) inside specified thresholds.
  • Fault: no-damage / recoverable behavior under abnormal stress.
  • Must be stated: which range is quoted (operating vs fault vs absolute max).
CM Range vs CMTI
  • CM Range: a voltage window (steady/slow variation) referenced to a defined ground.
  • CMTI: immunity to fast dv/dt across isolation (kV/µs), not a DC window.
  • Must be stated: reference point for CM, and dv/dt profile + pass criteria for CMTI.
Abs Max vs Functional
  • Abs Max: “do not exceed” damage boundary, not a communication guarantee.
  • Functional: guaranteed operation window with bounded errors and recovery.
  • Must be stated: which requirement the system needs (ladder level).
Figure 3 · Pass Criteria Ladder (from “no damage” to “no link drop”)
Diagram: ladder with system demand increasing from Level 0 (no damage), Level 1 (recoverable), Level 2 (bounded recovery, ≤ X ms), Level 3 (no link drop, errors bounded) to Level 4 (no drift, ≤ X, after stress). Use this ladder to write requirements: choose a level per threat event, attach the 4-line pass template, state test conditions explicitly.
Engineering rule: a “kV” or “range” is not a requirement. The requirement is a ladder level plus explicit pass criteria and test conditions.

Short-to-Battery / Short-to-GND: Survivability Mechanisms and Limits

What “short robustness” must declare
  • Short case: which pin group is shorted (bus pins vs logic pins) and to what (VBAT, GND, bus-to-bus).
  • Time definition: pulse vs continuous short; start reference for recovery timing.
  • Required outcome: survivability-only, bounded recovery, or no functional drop (ladder level).
Short type matrix (pin-group driven)
Bus pins (physical port)
  • CANH/CANL, FlexRay A/B, LIN single-wire.
  • Short-to-VBAT, short-to-GND, bus-to-bus shorts.
  • Key question: is communication expected during the short, or only after release?
Logic pins (state control)
  • TXD/RXD/EN/INH behavior can change system symptoms under a port short.
  • Dominant-timeout and fail-safe receive logic determine “what the system sees.”
  • Key question: does fault handling cause repeated drops or a stable safe state?
Supply & environment (constraints)
  • VBAT domain (12 V / 24 V / jump-start corners) sets stress energy.
  • Harness resistance and temperature shift thermal limits and recovery time.
  • Rule: verify on realistic harness loads, not only on a bench fixture.
Mechanisms (what keeps the port alive, and what it changes)
Current limit
Limits instantaneous power to avoid permanent damage. The limit value and its temperature dependence determine whether a continuous short is survivable.
Thermal shutdown
Prevents over-temperature damage. A common failure symptom is thermal oscillation: periodic shutdown and restart leading to repeated link drops.
Dominant timeout
Prevents the bus from being locked in a dominant state. This improves system recoverability but changes the observed fault pattern and must be budgeted.
Fault-state behavior
Defines how transmit/receive behave under fault (fail-safe receive, forced recessive, or controlled transitions). This determines diagnostic visibility and recovery.
Time definition (pulse vs continuous)
  • Pulse short: short asserted for a defined duration; often reveals reset/fault-state sensitivity.
  • Continuous short: thermal equilibrium dominates; survivability depends on current limit and heat dissipation.
  • Recovery start: define whether recovery time starts at short release, VBAT normalization, or logic re-enable.
Deliverable: Short test matrix (minimum set)
Use one card per test case. Each case must explicitly state the four pass lines (Damage / Communication / Recovery / Drift).
Case A: Bus pin short-to-VBAT
  • Duration: pulse / continuous (X).
  • Conditions: VBAT (12/24/jump-start), temperature (X), harness R (X).
  • Pass: Damage? Communication? Recovery time? Drift? (fill per ladder level).
Case B: Bus pin short-to-GND
  • Duration: pulse / continuous (X).
  • Conditions: VBAT level (X), temperature (X), harness equivalent (X).
  • Pass: Damage? Communication? Recovery time? Drift? (fill per ladder level).
Case C: Bus-to-bus short (H ↔ L)
  • Duration: pulse / continuous (X).
  • Conditions: termination present (Y/N), temperature (X), harness load (X).
  • Pass: Damage? Communication? Recovery time? Drift? (fill per ladder level).
Figure 4 · Short Event Timeline (short → limit → heat → protect → recover)
Diagram: timeline from short asserted → current limit → thermal rise → protection state → short released → "communication allowed?". Recovery requirements: T_recover ≤ X ms, error bound ≤ Y, drift ≤ Z. Annotations: pulse vs continuous, start reference, ladder level.
Practical rule: “short survivability” is incomplete without time definition and a recovery requirement. Declare which ladder level is required for each short case.
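The pass-criteria ladder (Figure 3) and the short-event timeline above, as an added example that is not code from the original page: a small evaluator that fills the four pass lines for one test case, derives the achieved ladder level, and shows how the declared recovery start reference (short release vs VBAT normalization vs logic re-enable) changes the verdict. Field names, limits and the Case A timeline are constructed for illustration, and the rule that Level 2 requires automatic recovery is an assumption.

```python
"""Pass-criteria ladder evaluator for one robustness test item.

Added example, not code from the original page: it encodes the four-line
pass template (Damage / Communication / Recovery / Drift), the five ladder
levels (Level 0 "no damage" .. Level 4 "no drift"), and the recovery start
reference from the short-event timeline.  All field names, limits and the
sample timeline below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Recovery start references named on the page: short release, VBAT
# normalization, or logic re-enable.  The pass/fail outcome depends on it.
START_REFS = ("release", "vbat", "logic")


@dataclass
class Limits:
    recovery_ms_max: float          # Level 2: T_recover <= X ms
    error_max: int                  # Level 3: error bound <= Y
    drift_max: Dict[str, float]     # Level 4: per-parameter drift <= Z


@dataclass
class Observation:
    damage: bool                    # permanent open/short/leakage beyond limit
    recovered: bool                 # returned to a defined normal mode at all
    reset_required: bool            # recovery needed reset / power-cycle
    link_dropped: bool              # communication dropped during the event
    errors: int                     # error-counter increase over the window
    drift: Dict[str, float]         # post-stress drift, same keys as drift_max
    t_release_ms: float             # timeline values on one common time base
    t_vbat_normal_ms: float
    t_logic_enable_ms: float
    t_first_valid_frame_ms: Optional[float]   # None: communication never resumed


def recovery_time_ms(obs: Observation, start_ref: str) -> Optional[float]:
    """Recovery time measured from the declared start reference."""
    if start_ref not in START_REFS:
        raise ValueError(f"unknown start reference {start_ref!r}")
    if obs.t_first_valid_frame_ms is None:
        return None
    start = {"release": obs.t_release_ms,
             "vbat": obs.t_vbat_normal_ms,
             "logic": obs.t_logic_enable_ms}[start_ref]
    return obs.t_first_valid_frame_ms - start


def achieved_level(obs: Observation, lim: Limits, start_ref: str) -> int:
    """Highest ladder level the observation satisfies; -1 if damaged.

    Assumption (not stated on the page): Level 2 "bounded recovery" means
    automatic recovery, so a reset-dependent recovery stops at Level 1.
    """
    if obs.damage:
        return -1                       # fails even Level 0 "no damage"
    if not obs.recovered:
        return 0
    t = recovery_time_ms(obs, start_ref)
    if obs.reset_required or t is None or t > lim.recovery_ms_max:
        return 1                        # recoverable, but not bounded
    if obs.link_dropped or obs.errors > lim.error_max:
        return 2                        # bounded recovery, but the link dropped
    if any(abs(obs.drift.get(k, 0.0)) > v for k, v in lim.drift_max.items()):
        return 3                        # no link drop, but drift exceeds a limit
    return 4


def verdict(obs: Observation, lim: Limits, required_level: int,
            start_ref: str) -> Dict[str, object]:
    """The four pass lines plus the ladder comparison, in the page's template."""
    achieved = achieved_level(obs, lim, start_ref)
    return {
        "damage": obs.damage,
        "communication": "dropped" if obs.link_dropped else "stayed up",
        "errors": obs.errors,
        "recovery_ms": recovery_time_ms(obs, start_ref),
        "recovery_ref": start_ref,
        "drift_within_limits": all(
            abs(obs.drift.get(k, 0.0)) <= v for k, v in lim.drift_max.items()),
        "achieved_level": achieved,
        "required_level": required_level,
        "pass": achieved >= required_level,
    }


# Constructed Case A sample: bus pin short-to-VBAT, pulse, released at t = 0 ms.
LIMITS = Limits(recovery_ms_max=10.0, error_max=5,
                drift_max={"standby_uA": 5.0, "threshold_mV": 10.0})
SHORT_CASE_A = Observation(
    damage=False, recovered=True, reset_required=False, link_dropped=True,
    errors=3, drift={"standby_uA": 1.5, "threshold_mV": 4.0},
    t_release_ms=0.0, t_vbat_normal_ms=3.0, t_logic_enable_ms=8.0,
    t_first_valid_frame_ms=12.0)

if __name__ == "__main__":
    # Same measurement, two start references: 12 ms from short release fails
    # the 10 ms bound (Level 1); 4 ms from logic re-enable passes it (Level 2).
    for ref in ("release", "logic"):
        print(ref, verdict(SHORT_CASE_A, LIMITS, required_level=2, start_ref=ref))
```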

Common-Mode Range: Operating vs Fault vs Ground Offset

What “CM range” must be separated into

A larger common-mode number is not automatically better. Robust selection requires three different statements: operating CM (must communicate), fault CM (must not be damaged / must recover), and expected ground offset (system input).

Three bands (do not mix)
Operating CM: must communicate
  • Defines the CM window where normal communication is guaranteed.
  • Must be tied to mode, data rate, load/termination, and temperature corners.
  • Pass criteria use the fixed template: Communication + bounded errors (and any allowed drop envelope).
Fault CM: must survive / recover
  • Allows communication degradation, but requires survivability and a declared recovery behavior.
  • Must state whether recovery needs reset/power-cycle and the recovery time reference.
  • Pass criteria use Damage + Recovery time + Drift limits from the same template.
Ground offset: system expectation
  • A system-level input: ECU-to-ECU ground difference, not a standalone component “spec”.
  • Must be mapped to Operating band (normal) and Fault band (abnormal transients).
  • Must specify reference points; otherwise CM numbers are not actionable.
Where common-mode problems come from (classify → map to a band)
Harness drop & return-path shift (slow CM bias)
Resistive voltage drop and shared return paths shift the reference between ECUs. This typically maps to the Operating CM band limits.
Ground bounce & switching events (transient CM)
Fast current steps can create transient offsets that may exceed Operating CM briefly. These should be budgeted under Fault CM with bounded recovery criteria.
E-motor dv/dt coupling (fast CM disturbance)
High dv/dt environments can inject fast CM disturbances. In isolated domains this often pairs with CMTI requirements, but CM band mapping must still be declared here.
Reference mismatch (measurement-driven “fake CM”)
Different ground references can make the same waveform appear as a large CM issue. If the reference is not stated, CM conclusions are not transferable.
Measurement pitfalls (fast checks to avoid wrong CM numbers)
  • Scope ground clip artifact: ground lead loops can inject noise and exaggerate CM.
  • Wrong reference point: battery ground vs ECU local ground can invert conclusions.
  • Probe bandwidth/settings: bandwidth limits can “smooth” dv/dt into a false offset.
  • Differential probe CMRR roll-off: high-frequency CMRR drop can look like real CM growth.
Deliverable: CM requirement template (scenario → offset → band → pass criteria)
Row (fill one per scenario)
  • Scenario: e.g., engine-on, charging, HV switching, service jump-start.
  • Ground offset estimate: DC offset (X) + transient envelope (Y).
  • Required band: Operating / Fault (Abs max is only “do not exceed”).
  • Pass criteria: Damage / Communication / Recovery time / Drift (same template).
  • Measurement reference: define reference points to avoid non-actionable CM claims.
Boundary rule: this section defines CM requirements and verification language only. Component-level EMC/TVS/CMC/layout prescriptions belong to the dedicated EMC/Protection pages.
Figure 5 · CM Range Bands (Operating vs Fault vs Absolute Max)
Diagram: common-mode voltage axis with nested bands: the absolute max boundary outermost, the Fault CM band (survive / recover, bounded) inside it, and the Operating CM band (must communicate) innermost. The ground offset expectation maps onto these bands; the reference point must be stated.
Selection rule: pick an operating band for “must communicate” and a fault band for “must survive / recover”, then map system ground offset expectations to these bands.
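The CM requirement template above (scenario → offset → band → pass criteria), as an added example that is not code from the original page: each scenario's DC offset plus transient envelope is mapped onto the device's Operating / Fault / Absolute-max bands, the pass lines for the landed band are attached, and a scenario measured against a different reference node than the bands is rejected instead of mapped (the "fake CM" trap). Band limits, scenario values and the reference names ECU_GND / CHASSIS are constructed.

```python
"""Common-mode band mapping: scenario -> offset -> band -> pass criteria.

Added example, not code from the original page: it maps a ground-offset
scenario (DC offset + transient envelope) onto the device's Operating /
Fault / Absolute-max CM bands and refuses to map when the scenario and the
bands use different reference points.  Band limits, scenario values and
reference-node names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

Band = Tuple[float, float]           # (low, high) in volts, inclusive

# Operating is the strictest statement, abs max the weakest.
BAND_RANK = {"operating": 0, "fault": 1, "abs_max": 2, "exceeds": 3}

# Pass lines each band must carry, taken from the page's fixed template.
BAND_PASS_LINES = {
    "operating": ("Communication", "Errors bounded"),
    "fault": ("Damage", "Recovery time", "Drift"),
    "abs_max": ("Damage",),          # "do not exceed" only, no recovery claim
    "exceeds": (),
}


@dataclass
class CmBands:
    reference: str                   # ground node the bands are specified against
    operating: Band                  # must communicate
    fault: Band                      # must survive / recover
    abs_max: Band                    # do-not-exceed boundary


@dataclass
class Scenario:
    name: str
    reference: str                   # ground node the offset was measured against
    dc_offset_v: float               # slow / steady ECU-to-ECU offset
    transient_v: float               # peak transient excursion on top of DC (>= 0)
    abnormal: bool                   # False: normal operation, needs Operating band


def excursion(s: Scenario) -> Band:
    """Worst-case CM window the scenario drives the port through."""
    return (s.dc_offset_v - s.transient_v, s.dc_offset_v + s.transient_v)


def _inside(r: Band, band: Band) -> bool:
    return band[0] <= r[0] and r[1] <= band[1]


def classify(s: Scenario, bands: CmBands) -> str:
    """Smallest band that contains the whole excursion."""
    if s.reference != bands.reference:
        raise ValueError(
            f"{s.name}: offset referenced to {s.reference}, bands to "
            f"{bands.reference}; restate against one node before mapping")
    r = excursion(s)
    for name in ("operating", "fault", "abs_max"):
        if _inside(r, getattr(bands, name)):
            return name
    return "exceeds"


def map_scenario(s: Scenario, bands: CmBands) -> Dict[str, object]:
    """One template row: scenario, offset, band, pass criteria, acceptance."""
    landed = classify(s, bands)
    required = "fault" if s.abnormal else "operating"
    return {
        "scenario": s.name,
        "excursion_v": excursion(s),
        "required_band": required,
        "landed_band": landed,
        "pass_lines": BAND_PASS_LINES[landed],
        "reference": bands.reference,
        # Acceptable only if the excursion stays within the band the
        # scenario requires; landing in abs max alone is never acceptable.
        "accepted": BAND_RANK[landed] <= BAND_RANK[required],
    }


# Constructed device bands and scenarios, referenced to ECU local ground.
BANDS = CmBands(reference="ECU_GND", operating=(-2.0, 7.0),
                fault=(-12.0, 12.0), abs_max=(-27.0, 40.0))
SCENARIOS = [
    Scenario("engine-on", "ECU_GND", dc_offset_v=1.5, transient_v=0.5, abnormal=False),
    Scenario("HV switching", "ECU_GND", dc_offset_v=2.0, transient_v=8.0, abnormal=True),
    Scenario("service jump-start", "ECU_GND", dc_offset_v=0.0, transient_v=20.0, abnormal=True),
    Scenario("charging (chassis-referenced probe)", "CHASSIS", dc_offset_v=3.0,
             transient_v=1.0, abnormal=False),
]

if __name__ == "__main__":
    for sc in SCENARIOS:
        try:
            print(map_scenario(sc, BANDS))
        except ValueError as err:
            print("not actionable:", err)
```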

ESD Levels: IEC vs HBM vs ISO 10605 — What the Numbers Really Mean

Why kV numbers are not directly comparable

An ESD claim must be decoded by model, discharge method, test point, repetition count, and pass criteria. Without those, “±8 kV” and “±12 kV” can describe entirely different outcomes.

Three ESD vocabularies (focus: comparability, not standard text)
HBM component model
  • Often expresses IC-level handling robustness; does not capture system coupling paths.
  • Cannot be used as a proxy for connector-level or cable-level performance.
  • Must state the pass criteria: no damage vs post-stress drift limits.
IEC system coupling
  • Strongly depends on discharge method, test point, return path, and layout context.
  • Contact vs air discharge changes repeatability and results.
  • Must state whether pass requires “no reset”, “no link drop”, or “bounded recovery”.
ISO 10605 automotive context
  • Used in automotive environments; comparability still depends on method, test point, and criteria.
  • Cannot be “converted” to HBM or IEC without identical conditions.
  • Must state repetition, operating mode, and post-stress acceptance checks.
The comparability keys (decode before comparing kV)
Discharge method
Contact vs air discharge changes repeatability and stress waveform. “Air” is highly environment dependent; do not treat it as interchangeable.
Test point
Pin-level, connector-level, and cable-level tests represent different coupling paths. A port-level claim must state where the gun is applied.
Repetitions & operating mode
One-shot survival is different from repeated hits. State repetitions per polarity and whether the DUT is active, standby, or sleep during the test.
Pass criteria
“No damage” is not “no link drop”. Decode the claim into a ladder level: survivability-only, bounded recovery, or no functional drop.
“Still communicates, but becomes fragile” (typical causes and fast verification)
Symptom
After ESD: sporadic link drops, false wake events, or elevated error counters under the same harness that previously passed.
Likely causes
Marginal latch-up boundary, protection element aging, or leakage increase that shifts thresholds and reduces noise margin.
Fast verification
Compare pre/post stress: standby current, leakage behavior, threshold points, and error-counter trends under the same operating mode.
Selection rule: do not accept a kV claim without post-stress acceptance checks (drift + recovery + functional envelope).
Deliverable: ESD comparability checklist (decode before comparing)
  1. Which model is claimed (HBM / IEC / ISO 10605)?
  2. Discharge method: contact or air?
  3. Test point: IC pin, connector shell, or cable/harness?
  4. Repetitions per polarity and interval (one-shot vs repeated hits)?
  5. Operating mode during test (active / standby / sleep)?
  6. Pass criteria level: no damage, bounded recovery, or no link drop?
  7. Post-stress drift checks included (standby/leakage/threshold/driver)?
  8. Context dependency stated (reference layout / return path disclosure)?
Boundary rule: this section defines decoding and comparability language only. External protection selection and placement details belong to the EMC/Protection pages.
Figure 6 · ESD Spec Decoder (from claim → conditions → comparability)
Diagram: decoder pipeline. Input: datasheet ESD claim → Model: HBM / IEC / ISO 10605 → Method: contact / air → Test point: pin / connector / cable → Repetition & mode: N hits, active/sleep → Pass criteria: damage / recovery / no drop → Output: Comparable YES / NO, Missing info (list), Risk: layout dependent. Rule: compare claims only after decoding conditions + pass criteria at the same ladder level.
Decoder rule: if any decoder field is missing (model, method, test point, repetitions, mode, pass criteria), treat the kV number as non-comparable.
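The ESD comparability checklist and decoder above, as an added example that is not code from the original page or any datasheet: two kV claims are decoded into the six mandatory fields, any missing field or mismatch blocks the comparison, and layout disclosure, air discharge and post-stress drift checks are reported as risks, so the kV numbers are only ranked when the claims are comparable. The field vocabularies and the vendor claims are constructed.

```python
"""ESD claim decoder: are two headline kV numbers comparable?

Added example, not code from the original page or any datasheet: it applies
the page's comparability checklist to a pair of ESD claims and produces the
decoder output (comparable YES/NO, missing info, risks).  The field
vocabularies and the sample vendor claims are constructed.
"""
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

# Fields that must be present and identical before kV numbers may be compared.
DECODER_FIELDS = ("model", "method", "test_point", "repetitions", "mode", "pass_level")


@dataclass
class EsdClaim:
    label: str
    kv: float                            # headline "+/- X kV"
    model: Optional[str] = None          # "HBM" | "IEC" | "ISO10605"
    method: Optional[str] = None         # "contact" | "air"
    test_point: Optional[str] = None     # "pin" | "connector" | "cable"
    repetitions: Optional[int] = None    # hits per polarity
    mode: Optional[str] = None           # "active" | "standby" | "sleep"
    pass_level: Optional[int] = None     # ladder level 0..4
    drift_checked: bool = False          # post-stress drift checks included
    layout_disclosed: bool = False       # reference layout / return path stated


def missing_fields(c: EsdClaim) -> List[str]:
    """Decoder fields the claim leaves unstated."""
    d = asdict(c)
    return [f for f in DECODER_FIELDS if d[f] is None]


def decode(a: EsdClaim, b: EsdClaim) -> Dict[str, object]:
    """Decoder output for a pair of claims.

    'comparable' requires every decoder field present and equal; 'accept'
    additionally requires post-stress drift checks on both claims (page
    selection rule).  Risks never block, they are reported alongside.
    """
    missing = {c.label: missing_fields(c) for c in (a, b) if missing_fields(c)}
    mismatches: List[str] = []
    if not missing:
        mismatches = [f for f in DECODER_FIELDS if getattr(a, f) != getattr(b, f)]
    risks: List[str] = []
    for c in (a, b):
        if not c.layout_disclosed:
            risks.append(f"{c.label}: layout / return path not disclosed")
        if c.method == "air":
            risks.append(f"{c.label}: air discharge is environment dependent")
        if not c.drift_checked:
            risks.append(f"{c.label}: no post-stress drift checks")
    comparable = not missing and not mismatches
    return {
        "comparable": comparable,
        "missing": missing,
        "mismatches": mismatches,
        "risks": risks,
        "accept": comparable and a.drift_checked and b.drift_checked,
        # Rank kV only once the claims describe the same test.
        "higher_claim": (a.label if a.kv >= b.kv else b.label) if comparable else None,
    }


# Constructed claims (no real vendor data).
CLAIM_A = EsdClaim("Vendor A", 8.0, "IEC", "contact", "connector", 10, "active", 3,
                   drift_checked=True, layout_disclosed=True)
CLAIM_B = EsdClaim("Vendor B", 12.0, "IEC", "contact", "pin", 10, "active", 0)
CLAIM_C = EsdClaim("Vendor C", 15.0, "IEC", None, "connector", None, "active", 3)
CLAIM_D = EsdClaim("Vendor D", 6.0, "IEC", "contact", "connector", 10, "active", 3,
                   drift_checked=True)

if __name__ == "__main__":
    # B looks "bigger" but is measured at a different point and ladder level;
    # C lacks fields; only D shares A's conditions and may be ranked against it.
    for other in (CLAIM_B, CLAIM_C, CLAIM_D):
        print(CLAIM_A.label, "vs", other.label, decode(CLAIM_A, other))
```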

Transients Beyond ESD: ISO 7637 / Load Dump Interface (Boundary-Only)

Key point: “ESD passes” does not imply “automotive transients safe”

ESD is a short discharge event. ISO 7637 and load dump represent vehicle harness and supply transients with different waveforms, energy, and coupling paths. Robust selection needs a boundary statement: what the transceiver guarantees, and what must be handled by system protection.

Why an ESD claim cannot be used as a transient guarantee
Waveform & energy are different
ESD stresses pins with a fast, high-voltage discharge. Vehicle transients can be lower voltage but longer duration and higher total energy once harness and supply coupling are included.
Coupling path is different
ESD is often applied to connector shells or pins. ISO 7637 / load dump commonly enters through supply rails, return paths, and harness-induced currents that propagate system-wide.
Acceptance criteria are different
ESD claims often mean survivability. Automotive transient requirements frequently need declared behavior during the event (fail-safe mode) and a bounded recovery definition after the event.
Responsibility split (boundary statement)
System protection absorbs large-energy events
Supply-domain clamps and external networks handle high-energy harness/supply transients and limit node excursions. Implementation details belong to the Protection & Co-Design page.
Transceiver interface declares limits + behavior
The device must declare absolute limits, fault tolerance envelope, in-event behavior (fail-safe), and recovery criteria (automatic vs reset required). This page defines the interface language only.
Deliverable: transient interface checklist (what must be stated to be comparable)
  1. Which nodes are covered (bus pins vs logic pins vs supply pins)?
  2. Absolute maximum vs fault tolerance: pulse vs continuous, and the time reference.
  3. Allowed in-event behavior: continue communication, drop allowed, or fail-safe state.
  4. Recovery definition: automatic vs requires reset/power-cycle, and the recovery timer start point.
  5. Post-event drift checks required (leakage/standby current/threshold behavior).
  6. Does the device declare false-wake susceptibility under transient stress?
  7. Bus stuck behavior (dominant/recessive) and exit criteria declared?
  8. Boundary assumption with external protection declared (node excursion limits assumed by the IC).
Boundary rule: this section defines interface requirements only. External protection selection and placement live in Protection & Co-Design.
Figure 7 · Boundary Diagram: IC Capability vs External/System Protection
Diagram: two boxes. Transceiver capability (interface guarantees): abs max + fault tolerance, in-event behavior (fail-safe), recovery (auto vs reset), post-event drift checks. External / system protection (see Protection & Co-Design): TVS / clamp networks, supply-domain clamp, CMC / RC (interface shaping), return path / chassis coupling. Boundary: the IC assumes clamped nodes; ISO 7637 / load dump enter on the external side.
Use this boundary diagram as a spec-writing tool: define the transceiver’s limits and behaviors, and treat external protection as a separate, explicit contract.

CMTI & Isolation: When Ground Potential Differences Become a Design Constraint

Robustness in isolated CAN/FD is driven by CMTI + insulation system

CMTI (kV/µs) measures immunity to fast common-mode transients. In e-drive and HV domains, dv/dt coupling across the isolation barrier can trigger errors, link drops, false wake events, or inconsistent recovery if the required CMTI and verification criteria are not declared.

Engineering definition (keep CM range vs CMTI separated)
CMTI: fast CM transient immunity
Expressed in kV/µs. It describes tolerance to rapid common-mode steps across the isolation barrier (dv/dt), not steady-state operating CM range.
CM range: operating window
Defines where communication must work in normal conditions. It is not implied by a high CMTI number and must be specified separately.
Typical dv/dt sources (system inputs that drive CMTI requirements)
Inverter switching edges
Fast power switching creates high dv/dt. Parasitic capacitances can inject common-mode current through the isolation barrier into the bus or logic side.
Ground return inductance
Long return paths can convert current steps into rapid ground shifts. These shifts appear as common-mode steps and can trigger errors if CMTI is insufficient.
Barrier capacitive coupling
Even with isolation, capacitive coupling across the barrier can inject fast common-mode transients. Isolation changes the boundary, but does not eliminate EMC verification needs.
Selection dimensions (must be declared and comparable)
Isolation rating: safety boundary
Choose reinforced/basic levels based on system requirements. This is a boundary declaration, not an EMC solution.
Creepage / clearance: geometry constraint
Must match the insulation system and environment constraints. Treat it as a comparability field for package/structure choices.
CMTI: dv/dt immunity
Specify a target CMTI derived from expected dv/dt and define how it will be verified (test points + pass criteria).
Isolated power: system integration
Internal isolated power options and external isolated supply requirements change system integration constraints and verification scope.
Two common misconceptions (correct them early)
  • High CMTI does not imply a larger operating CM range. Both must be specified.
  • Isolation does not remove EMC verification needs; it changes coupling paths and boundaries.
Deliverable: isolation requirement template (dv/dt → CMTI target → verification)
  • HV dv/dt estimate: X kV/µs (measured or budgeted).
  • Coupling path category: barrier capacitance / return path / harness injection.
  • Target CMTI: ≥ Y kV/µs (include margin and polarity notes if applicable).
  • Verification method: injection side + observation side + test point naming.
  • Pass criteria: error counters, no stuck state, bounded recovery time.
  • System mode: active / standby / sleep (state must match real use-case).
Boundary rule: this section defines requirement mapping and verification language only. Layout hooks and external networks belong to EMC Hooks & Layout.
Figure 8 · HV dv/dt → CMTI Mapping (inputs → coupling → targets → verification)
Diagram: dv/dt sources (inverter edge, HV domain shift, return-path step) → coupling paths (barrier capacitance / return path / harness) → CMTI target ≥ Y kV/µs (with margin) → verification (error count / link drop / recovery). Do not confuse: CMTI ≠ CM range.
Mapping rule: derive a CMTI target from expected dv/dt inputs, then verify using explicit test points and pass criteria (errors, link stability, recovery).

Robustness vs Signal Quality Trade-offs (Don’t Mix with Timing/EMC)

Stronger protection and stronger drive can reduce link margin

Protection strength, parasitic capacitance, and drive/slew settings change edges and symmetry. A robustness number is only meaningful when evaluated together with harness, termination, and protection parasitics. Timing math and EMC recipes are intentionally excluded here.

Typical trade-off patterns (cause → waveform impact → link symptom)
Stronger clamp / larger protection capacitance
Adds load and can introduce imbalance (Cdiff/Ccm). Edge rate slows and symmetry can degrade, shrinking the effective decision margin.
Stronger drive / faster edges
May amplify reflections and ringing on real harness topologies. In some cases, error counters rise even though the driver is “stronger.”
Protection/termination changes without version control
Small changes in parasitics can move the failure mode from “damage” to “communication fragility.” Comparable results require fixed harness, termination, and protection BOM revisions.
FD/XL note (boundary-only)
Higher bit rates increase sensitivity to waveform symmetry and capacitive loading. This section names the dependency only. SIC/SIC-XL waveform criteria and compatibility details belong to the SIC page.
Output principles (use these as selection rules)
Rule 1: robustness claims must include conditions
A kV/short/CM/CMTI number is not comparable without declared harness/termination/protection conditions and pass criteria.
Rule 2: evaluate as a system, not as a pin
Protection parasitics, termination style, and harness topology define waveform reality. Device selection must include the “external envelope.”
Rule 3: keep page boundaries strict
No timing parameter derivation here, and no EMC layout recipes. Use the Data Rate & Timing page for timing budgets and the EMC page for implementation hooks.
Minimal checklist (avoid “robustness upgrades” that reduce margin)
  • Protection capacitance and matching declared (Cdiff/Ccm awareness).
  • Termination style and mid-point network version-locked for tests.
  • Harness length/topology (stubs/T-branches) fixed and recorded.
  • Drive/slew setting changes tracked as a configuration variable.
  • Waveform symmetry and edge shape observed before concluding “more clamp = more stable.”
  • Error counters and recovery behavior compared across BOM revisions.
Figure 9 · Trade-off Triangle (Robustness / SI Margin / Emissions)
Diagram: triangle with vertices Robustness, SI Margin and Emissions; edges labelled Clamp + C, Drive / Slew and Edge speed; center note: evaluate as a system (harness + termination + parasitics); no timing math here, no layout recipes here.
Use the triangle to keep page boundaries clean: state trade-offs and evaluation rules here, and defer timing budgets and EMC implementation to their dedicated pages.

Verification Plan: Tests You Must Run (Bench → Harness → Vehicle)

A minimal, executable verification route with version-controlled conditions

Run the same robustness categories through three gates: bench board, real harness, and vehicle/system. Each gate requires explicit recording of temperature, supply, harness topology, termination, protection BOM revision, and recovery behavior.

Three gates (bench → harness → vehicle)
Gate 1: Bench (board-level)
Establish baseline behavior and recovery definitions with controlled wiring and known termination. This gate prevents “system noise” from masking device behavior.
Gate 2: Real harness
Repeat the same categories under real topology (length, stubs, loads). Version-lock termination and protection BOM to keep results comparable.
Gate 3: Vehicle / system
Add real supply dynamics, ground offsets, operational states (active/standby/sleep), and wake attribution fields. Validate robustness with system constraints.
Deliverable: minimal test set (Test / Condition / Instrument / Pass criteria)
Test: Short-to-VBAT / Short-to-GND
Condition: duration (pulse/continuous), temperature points, supply domain, termination/harness fixed.
Instrument: controlled short fixture, current logging, thermal observation, bus analyzer.
Pass criteria: no damage, declared behavior during event, bounded recovery time, no stuck dominant.
Test: System-level ESD (contact / air)
Condition: test point definition (pin/cable/shell), polarity, repetitions, and recovery definition fixed.
Instrument: ESD gun, monitoring of error counters and wake events, leakage/standby measurement after stress.
Pass criteria: no permanent drift beyond limit, no latent fragility, stable comm within X errors per window.
Test: Common-mode offset (operating vs fault)
Condition: declared ground offset levels, reference points, harness/termination fixed, temperature included.
Instrument: differential probes, controlled CM injection or offset source, bus analyzer.
Pass criteria: communication maintained in operating band, survivability and recovery in fault band, no false wake.
Test: CMTI (isolated transceivers only)
Condition: dv/dt target, injection side, observation side, system mode (active/standby/sleep).
Instrument: dv/dt source or coupling setup, error counter logging, link drop detection, recovery timing.
Pass criteria: no stuck state, bounded recovery, error counters within limit under dv/dt stress.
Required record fields (make results comparable)
Temp / Supply / Harness / Termination / Protection BOM rev / Recovery time
Record these fields for every gate. Without them, a “pass” result cannot be compared across boards, harness variants, or vehicle builds.
Figure 10 · Verification Flow (Gate 1 → Gate 2 → Gate 3): Gate 1 Bench (baseline behavior) → Gate 2 Harness (real topology) → Gate 3 Vehicle (system constraints). Each gate runs Short / ESD / CM (±CM) / CMTI and records Temp / Supply / Harness / Termination / Protection BOM rev / Recovery.
Gate rule: repeat the same robustness categories at each stage, and treat “record fields” as mandatory metadata for comparability and root-cause work.

Engineering Checklist (Design → Bring-up → Production)

Convert robustness claims into auditable deliverables

Use this checklist board to lock definitions, test gates, and required record fields. Example part numbers are provided as references (package/grade variants must match the ECU program requirements).

Design · Requirements → capability cross-check → boundary statement
☑ Robustness requirement sheet
Deliverable: scenario → Short / ESD / CM (operating vs fault) / CMTI targets with declared test conditions and pass criteria. Acceptance: no standalone “kV” or “range” without conditions and recovery definitions.
☑ Capability cross-check table
Deliverable: datasheet claims mapped to the project vocabulary (survivability vs functionality; operating vs fault). Acceptance: each claim has a matching condition set (harness/termination/protection BOM revision).
☑ Boundary statement (keep pages non-overlapping)
Deliverable: explicit boundary notes for timing budgets and EMC implementation details. Acceptance: timing math and layout recipes remain in their dedicated pages; this page keeps interface-only definitions.
☑ Protection parasitics envelope (interface-only)
Deliverable: allowed parasitic window declaration (capacitance / mismatch awareness) and “BOM revision lock” rule for validation. Acceptance: any protection change triggers a new validation record version.
☑ Gate plan skeleton
Deliverable: Gate1 (bench) → Gate2 (harness) → Gate3 (vehicle) minimum test set and mandatory record fields. Acceptance: recovery time definition includes start/end markers and system state (active/standby/sleep).
Example BOM references (Design-stage candidates)
  • HS CAN (Classic): NXP TJA1042
  • CAN FD: NXP TJA1044, TI TCAN1042, Infineon TLE9255W
  • Selective wake / Partial networking: NXP TJA1145A, TJA1146
  • Isolated CAN / CAN FD: TI ISO1042, Analog Devices ADM3053
  • System basis chips (SBC) w/ CAN(+LIN options): NXP UJA1169, Infineon TLE9278
Bring-up · First-run order → symptom triage → version discipline
☑ First-run order (recommended)
Run: Short → CM offset → System-level ESD → CMTI (isolated only). This sequence prevents “unsafe unknown states” and locks recovery definitions early.
☑ Symptom triage (4-axis)
Always classify results using: Damage? / Communication? / Recovery time? / Parameter drift?. This keeps “pass” language consistent across teams and vendors.
☑ Version discipline (A/B rules)
Any change in termination, harness, protection, or drive/slew settings becomes a tracked variable. Results are comparable only under the same “external envelope.”
☑ Measurement traps (record, do not debate)
Record reference points and probe types for CM-related observations. “Looks OK on scope” is not a pass criterion without declared measurement conditions.
☑ Stop rules (prevent hidden fragility)
Stop and re-baseline if any of the following appears: uncontrolled recovery time, repeated thermal protection cycling, false wake events, or rising leakage/standby current.
Example protection BOM references (for bring-up comparison)
  • CAN ESD arrays (examples): Nexperia PESD2CAN, ST ESDCAN01-2BLY, Littelfuse SM24CANB
  • LIN ESD arrays (examples): Nexperia PESD1LIN (or equivalent low-C automotive ESD diode)
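The mandatory record fields from the verification plan, the A/B “same external envelope” rule and the 4-axis triage above, expressed as a small evaluator. This is an added example, not the page's or any vendor's tooling; the field names, thresholds and sample records are assumptions chosen for illustration.

```python
# Added example (not the page's own tooling). Field names, pass thresholds and the
# sample records are assumptions; substitute the project's own record sheet.
from dataclasses import dataclass
from typing import Optional

# Mandatory record fields ("external envelope") that must accompany every result.
ENVELOPE_FIELDS = ("temp_c", "supply_v", "harness", "termination", "protection_bom_rev")


@dataclass(frozen=True)
class RobustnessRecord:
    gate: str                     # "bench", "harness" or "vehicle"
    test: str                     # "short_vbat", "esd_contact", "cm_offset", "cmti"
    envelope: dict                # ENVELOPE_FIELDS values for this run
    damaged: bool                 # survivability axis
    comm_ok: bool                 # functional-continuity axis during the event
    recovery_ms: Optional[float]  # None = no recovery observed (e.g. stuck dominant)
    iq_baseline_ua: float         # standby current before stress
    iq_after_ua: float            # standby current after stress


@dataclass(frozen=True)
class PassCriteria:
    max_recovery_ms: float        # "recovery <= X ms"
    max_iq_drift_pct: float       # "drift (Iq) <= X % vs baseline"


def missing_fields(rec):
    """Envelope fields absent from the record; a record with gaps is not comparable."""
    return [f for f in ENVELOPE_FIELDS if f not in rec.envelope]


def comparable(a, b):
    """A/B rule: two results compare only when every envelope field is identical."""
    if missing_fields(a) or missing_fields(b):
        return False
    return all(a.envelope[f] == b.envelope[f] for f in ENVELOPE_FIELDS)


def iq_drift_pct(rec):
    if rec.iq_baseline_ua == 0:
        return float("inf") if rec.iq_after_ua else 0.0
    return abs(rec.iq_after_ua - rec.iq_baseline_ua) / rec.iq_baseline_ua * 100.0


def triage(rec, crit):
    """4-axis verdict (Damage? / Communication? / Recovery time? / Parameter drift?).
    'class' names the failure type so survivability and functionality are not conflated."""
    axes = {
        "damage": not rec.damaged,
        "communication": rec.comm_ok,
        "recovery": rec.recovery_ms is not None and rec.recovery_ms <= crit.max_recovery_ms,
        "drift": iq_drift_pct(rec) <= crit.max_iq_drift_pct,
    }
    failed = [k for k, ok in axes.items() if not ok]
    label = {"damage": "survivability", "communication": "functional",
             "recovery": "recovery", "drift": "latent fragility"}
    return {**{k: "pass" if ok else "fail" for k, ok in axes.items()},
            "drift_pct": round(iq_drift_pct(rec), 2),
            "overall": "fail" if failed else "pass",
            "class": "+".join(label[k] for k in failed) if failed else "ok"}


# Constructed sample records (illustrative values, not measured data).
ENV_A = {"temp_c": 85, "supply_v": 12.0, "harness": "bench-1m",
         "termination": "split-60R", "protection_bom_rev": "P03"}
ENV_B = {**ENV_A, "protection_bom_rev": "P04"}   # TVS footprint change => new envelope
CRIT = PassCriteria(max_recovery_ms=20.0, max_iq_drift_pct=5.0)
BENCH_PASS = RobustnessRecord("bench", "short_vbat", ENV_A, False, True, 5.0, 10.0, 10.4)
BENCH_STUCK = RobustnessRecord("bench", "short_vbat", ENV_A, False, False, None, 10.0, 10.1)
BENCH_NEW_TVS = RobustnessRecord("bench", "short_vbat", ENV_B, False, True, 6.0, 10.0, 10.2)
INCOMPLETE = RobustnessRecord("harness", "esd_contact",
                              {k: ENV_A[k] for k in ENVELOPE_FIELDS[:-1]}, False, True, 3.0, 10.0, 10.0)
```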
Production · Sampling → environment control → black-box fields
☑ Sampling strategy
Define sampling across supplier lots and seasonal humidity extremes. Robustness tests are sensitive to environment; results require comparable field metadata.
☑ ESD equipment discipline
Keep ESD gun calibration and setup records (tip type, contact/air, point definition). Pass criteria must include recovery and drift checks, not only “no damage.”
☑ Environment control fields
Record humidity, temperature, and handling conditions. “Dry winter air” and “high humidity” can change system-level ESD outcomes even when silicon is unchanged.
☑ Black-box logging fields
Minimum fields: error counters, bus utilization windows, wake source attribution, and recovery time stamps. This prevents “passed in ATE, failed in vehicle” blind spots.
☑ Yield correlation hooks
Correlate robustness-related anomalies with station ID, operator/environment fields, and BOM revision. This is the fastest path to repeatable fixes.
Figure 11 · Checklist Board (Design / Bring-up / Production): deliverables + acceptance. Design: Requirement, Cross-check, Boundary, Parasitics, Gate plan. Bring-up: First-run, Triage, A/B rules, Probe ref, Stop rules. Production: Sampling, ESD discipline, Environment, Black-box, Correlation.
Use the board as a review artifact: each checkbox represents a deliverable with an acceptance rule, not a suggestion.

Applications + IC Selection Logic (Robustness-First)

Turn “what level should be chosen for this scenario?” into a decision tree

This section outputs a robustness profile (Short / ESD / CM / CMTI) and provides example part numbers as reference anchors. Specific BOM finalization should be performed in the corresponding device pages to avoid cross-topic overlap.

Scenario buckets (robustness-only view)
HV cross-ground (e-drive / inverter domains)
Primary threat: high dv/dt and large ground potential differences.
Priority: CMTI + isolation system rating; CM operating range is not a substitute for CMTI.
Example ICs: TI ISO1042, Analog Devices ADM3053.
Body long harness / heavy loads
Primary threat: CM offsets, wiring drop, topology variability, and fault events.
Priority: short survivability + CM (operating vs fault); keep protection parasitics version-locked.
Example ICs: NXP TJA1044 (CAN FD), Infineon TLE9255W.
Frequent service / hot-plug handling
Primary threat: system-level ESD and recovery behavior, not only pin-level survivability.
Priority: IEC/ISO test condition comparability + bounded recovery; track “after-ESD fragility”.
Example protection parts: Nexperia PESD2CAN, ST ESDCAN01-2BLY, Littelfuse SM24CANB.
Low-power body ECUs (wake sensitivity matters)
Primary threat: false wake and ambiguous wake attribution under noise and faults.
Priority: robustness + wake filtering behavior; mandatory logging fields for serviceability.
Example ICs: NXP TJA1145A, TJA1146.
Robustness-first selection logic (6-step decision tree)
  1. Select domain: Body / Powertrain / HV / Service handling.
  2. Short requirement: VBAT/GND fault types, duration class, recovery expectations.
  3. CM requirement: operating band vs fault band vs expected ground offset.
  4. ESD requirement: IEC/ISO method, contact/air, point definition, repetitions, recovery language.
  5. Isolation/CMTI: apply only when dv/dt and ground shifts become design constraints.
  6. Output profile: minimal configuration across Short / ESD / CM / CMTI, plus mandatory record fields.
Output: minimum configuration examples (profile + reference parts)
Profile A · HV cross-ground (isolated)
Short: Medium  |  ESD: Medium  |  CM: Medium  |  CMTI: High (required)
Example ICs: TI ISO1042, Analog Devices ADM3053.
Profile B · Long harness / heavy load
Short: High  |  ESD: Medium  |  CM: High (operating + fault)  |  CMTI: Optional
Example ICs: NXP TJA1044, Infineon TLE9255W.
Profile C · Frequent service / handling
Short: Medium  |  ESD: High (system-level focus)  |  CM: Medium  |  CMTI: Optional
Example protection: Nexperia PESD2CAN, ST ESDCAN01-2BLY, Littelfuse SM24CANB.
Figure 12 · Robustness Selection Tree (scenario → profile): scenarios (Body long harness / HV cross-ground / Service frequent handling / Low-power wake-sensitive) → Step 1 Domain → Step 2 Short → Step 3 CM bands → Step 4 ESD conditions → Step 5 CMTI → Step 6 Output profile (e.g. Short High / ESD Med / CM High / CMTI Req). No part numbers in the tree; example part numbers are listed in the section text to keep the tree clean and readable.
The tree outputs a robustness profile first; part numbers serve as reference anchors, while final BOM decisions remain in the corresponding device pages.

FAQs (Robustness)

Purpose

This FAQ closes out long-tail troubleshooting strictly within the robustness scope: short survivability, ESD comparability, common-mode bands, and CMTI (isolated cases). Each answer follows a fixed, testable 4-line script.

Datasheet says ±12 kV ESD, but field failures still happen—what’s the first comparability check?
Likely cause: The “kV” number is not comparable (HBM vs IEC/ISO, air vs contact, pin vs cable point, or undefined pass/recovery rule).
Quick check: Confirm standard, discharge method, test point, repetitions, polarity, and recovery definition in the datasheet footnotes and the project requirement sheet.
Fix: Rewrite the requirement as “condition + pass criteria,” then re-test using the same method/point/repetition that matches the field exposure.
Pass criteria: Pass ±X kV (method specified) for X shots/polarity at the defined point; no permanent damage; recovery ≤ X s; drift (Iq/leakage) ≤ X% vs baseline.
ESD passes once, but the port becomes “fragile” later—what degradation sign is fastest to spot?
Likely cause: Post-ESD parametric drift (leakage, standby current, thresholds) causes reduced margin while still “working” at first.
Quick check: Compare pre/post-ESD: standby current, pin leakage, recessive level stability, and error-counter rate under the same harness/termination.
Fix: Add a post-stress drift screen (Iq/leakage/error rate) and lock the test setup (return cable, point, repetition) as part of production discipline.
Pass criteria: After X strikes, Iq delta ≤ X µA, leakage delta ≤ X nA, error rate ≤ X/10 min, and no progressive degradation over X repeated cycles.
Short-to-battery survives, but the bus keeps dropping—thermal cycling or dominant-timeout behavior?
Likely cause: Survivability is met, but functionality fails due to repeated thermal shutdown/restart cycles or dominant-timeout/fault-state behavior.
Quick check: Correlate link drops with fault/status pins, thermal events, and TXD dominant-timeout triggers; log cycle count and recovery time.
Fix: Separate “no damage” from “no drop”: adjust fault-handling policy (TXD behavior), reduce thermal stress, and ensure deterministic recovery after fault removal.
Pass criteria: During the defined short event, no uncontrolled oscillation; after removal, recovery ≤ X ms; link drop ≤ X per X min; no permanent drift.
Common-mode looks in-range on scope, yet comm fails—what reference mistake is most common?
Likely cause: Common-mode is measured to the wrong reference (earth/bench ground or incorrect ECU ground), producing a false “in-range” reading.
Quick check: Re-measure with a proper differential probe (CANH–CANL) and a defined local ECU ground reference; remove ambiguous ground clips.
Fix: Standardize a measurement recipe (reference point, probe type, bandwidth, and where CM is computed) and require it in all robustness reports.
Pass criteria: CM computed under the declared reference stays within operating band; error counters ≤ X per X min; no link drop under the same harness setup.
Same transceiver, different TVS footprint makes it worse—first parasitic sanity check?
Likely cause: Protection parasitics changed (capacitance imbalance, asymmetry, return inductance), shrinking signal margin while “robustness” looks stronger on paper.
Quick check: Compare old/new: symmetry (CANH vs CANL), effective added capacitance mismatch, and placement-induced loop length; keep harness/termination identical.
Fix: Lock a “parasitic envelope” requirement (C mismatch/placement symmetry) and treat protection BOM/layout footprint as a controlled versioned artifact.
Pass criteria: Added capacitance mismatch ≤ X pF; waveform symmetry within X%; error rate ≤ X/10 min under the same harness and termination.
Ground offset is small, but errors spike under load—first return-path hypothesis?
Likely cause: Dynamic ground bounce / return-path coupling under load steps creates transient CM excursions even if static ground offset is small.
Quick check: Time-align error counters with load steps; measure ECU local ground movement and transceiver supply droop during the same event window.
Fix: Re-route/partition high-current returns, improve local decoupling, and enforce a documented return-path plan as part of robustness validation records.
Pass criteria: During load steps, ground bounce ≤ X mV and supply droop ≤ X mV at the transceiver; errors ≤ X per X min; no link drop.
Isolated CAN passes insulation, but link still resets during inverter switching—CMTI or local supply dip?
Likely cause: The event is either a CMTI margin issue (CM transient exceeds immunity) or a local isolated-supply transient that triggers reset/UVLO.
Quick check: Capture isolated supply rail and reset/fault indicators during inverter switching; compare with an injected CM transient test under controlled setup.
Fix: If supply dip dominates: strengthen decoupling and isolated power transient response. If CMTI dominates: raise CMTI margin in the requirement and validate with a clean fixture.
Pass criteria: No reset or link drop under dv/dt = X kV/µs events; isolated rail dip ≤ X mV; recovery ≤ X ms; error spikes ≤ X per event window.
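The time-alignment step from the ground-bounce answer and the “errors ≤ X per event window” criterion of the CMTI answer, worked through on a constructed log. This is an added example, not the page's procedure or any analyzer's export; the log format (time stamp plus cumulative error-frame count), the event stamps, the window length and the limit are all assumptions.

```python
# Added example (not from the page): align a bus analyzer's cumulative error-frame
# count with load-step / inverter-switching event stamps, count errors per event
# window, and separate event-correlated errors from a steady background rate.
# Log layout, window length and all sample values are constructed assumptions.
from bisect import bisect_right

# Constructed log: (t_ms, cumulative error-frame count). Windows must not overlap.
ERROR_LOG = [(0, 0), (50, 0), (100, 1), (120, 5), (150, 9), (200, 9), (300, 9),
             (400, 10), (420, 14), (500, 14), (600, 14)]
LOAD_STEPS_MS = [95, 395]     # constructed event time stamps from the test fixture
WINDOW_MS = 60                # observation window after each event


def value_at(log, t):
    """Cumulative count as of time t (last sample at or before t, 0 before the log)."""
    times = [s[0] for s in log]
    i = bisect_right(times, t) - 1
    return log[i][1] if i >= 0 else 0


def errors_in(log, t0, t1):
    return value_at(log, t1) - value_at(log, t0)


def errors_per_event(log, events, window_ms):
    """Errors accumulated inside each [event, event + window] interval."""
    return {t: errors_in(log, t, t + window_ms) for t in events}


def background_rate(log, events, window_ms):
    """Errors per window-length of time spent outside all event windows."""
    t_start, t_end = log[0][0], log[-1][0]
    total = errors_in(log, t_start, t_end)
    in_events = sum(errors_per_event(log, events, window_ms).values())
    covered = sum(min(t + window_ms, t_end) - max(t, t_start) for t in events)
    outside = (t_end - t_start) - covered
    return (total - in_events) / outside * window_ms if outside > 0 else 0.0


def attribute(log, events, window_ms, max_per_window):
    """Apply 'errors <= X per event window' and say whether the excess is event-bound."""
    per_event = errors_per_event(log, events, window_ms)
    bg = background_rate(log, events, window_ms)
    worst = max(per_event.values()) if per_event else 0
    if worst <= max_per_window:
        verdict = "pass"
    elif bg > max_per_window:
        verdict = "fail-background"        # errors are not specific to the events
    else:
        verdict = "fail-event-correlated"  # errors cluster right after the events
    return {"per_event": per_event, "background_per_window": round(bg, 3), "verdict": verdict}
```

A "fail-event-correlated" result is the cue to look at local ground movement and supply droop in the same event window, as the answer above describes, whereas "fail-background" points back at the static setup.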
CMTI spec is high, but the system still glitches—what test setup artifact happens most?
Likely cause: Measurement and fixture coupling dominate (long leads, unintended return paths, probe ground coupling), creating artifacts that look like CMTI failures.
Quick check: Shorten leads, remove ambiguous probe grounds, use isolated/differential measurement, and re-run with the injection network documented and repeatable.
Fix: Define a “validated CMTI fixture” (layout + return + measurement method) as a controlled artifact; reject results from non-comparable setups.
Pass criteria: With the validated setup, no functional glitch under dv/dt = X kV/µs for X events; artifact-induced triggers reduced to 0 within X repeats.
Short pulses cause resets but continuous short is okay—what protection mode mismatch explains this?
Likely cause: Fast pulses trigger supply transients (UVLO/reset) before thermal/current-limit steady-state protection engages; continuous faults settle into a stable limited mode.
Quick check: Log supply rail, reset line, and fault indicators during pulse faults; compare pulse width/repetition against the reset threshold behavior.
Fix: Harden the local supply transient response (decoupling/hold-up) and define pulse-fault tests explicitly in the robustness matrix (not only continuous faults).
Pass criteria: No reset for pulse width ≤ X µs at ≤ X Hz; supply droop ≤ X mV; if reset occurs, deterministic recovery ≤ X ms and no cumulative drift.
ESD air-discharge “looks fine” but contact fails—what should you change first in the test plan?
Likely cause: Air discharge is less repeatable and often less stressful at the actual pin/cable point; contact discharge is the comparable, worst-case method.
Quick check: Switch to contact discharge at a clearly defined point with a documented return path and repetition count; compare recovery behavior, not only “no damage.”
Fix: Prioritize contact tests in the plan, increase repetitions, and require post-test drift checks (Iq/leakage/error rate) as acceptance criteria.
Pass criteria: Pass ±X kV contact for X shots/polarity at the defined point; recovery ≤ X s; drift ≤ X% vs baseline; no link drop beyond X events.
After ESD, leakage rises and sleep current is wrong—first measurement isolation step?
Likely cause: A leakage path changed (silicon or external protection path), and the current measurement includes unintended parallel paths (bus, pull-ups, fixtures).
Quick check: Isolate the transceiver supply measurement (remove ambiguous loads, define bus state, and measure baseline vs post-ESD on the same fixture).
Fix: Lock a measurement procedure (bus disconnected/known state) and add leakage/Iq drift as a mandatory acceptance item after robustness stress.
Pass criteria: Post-ESD Iq within X µA of baseline (procedure-defined); leakage within X nA; no progressive increase over X cycles.
Why does a “more rugged” part sometimes have worse signal quality—what’s the first trade-off check?
Likely cause: Higher ruggedness often comes with different drive/slew behavior or increased effective loading, reducing symmetry/margin under the same harness and protection envelope.
Quick check: A/B compare edge symmetry and error counters with identical termination/harness/protection BOM; verify drive/slew configuration is identical.
Fix: Treat robustness as “system envelope” (IC + harness + termination + protection parasitics); tune drive/slew only within the declared parasitic window and re-validate.
Pass criteria: Waveform symmetry within X%; error rate ≤ X/10 min; recovery behavior unchanged; robustness tests still pass under the same declared conditions.