Definition: Black-Box vs Debug Log vs Telemetry

Black-box is event-centric and evidence-grade: structured records, strict field requirements, power-loss survivability, and an auditable clear policy.

Debug logs are developer-centric: often free-form, frequently disabled, and rarely reliable under brownouts, resets, or event storms.

Telemetry is trend-centric: periodic sampling that may miss short-lived trips (UV/SC/DESAT) and cannot prove “first fault” or “who cleared it”.

Why Isolation Systems Need a Black-Box

• Fast protection, faster recovery: UVLO/OT/SC/DESAT can trip and recover before a scope is attached; evidence must survive resets and power-cycles.
• Cross-domain symptoms: primary and secondary sides can show different symptoms; correlation requires domain tags and a shared “evidence contract”.
• Common-mode stress: high dv/dt can create false triggers or masked droops; diagnostics must separate cause vs symptom.
• Field behavior is uncontrolled: repeated rebooting can erase fragile logs; black-box must preserve “last critical fault” as non-erasable evidence.

Page Deliverables (What This Topic Produces)

• Event dictionary: stable Event IDs, severity semantics, latch classes, required fields, debounce rules, and clear conditions.
• Latch/Clear state machine: auditable transitions, clear authority, cooldown/escalation, and verification gates after clear.
• Record format: schema versioning, required/core/optional fields, and integrity checks (CRC).
• NVM storage policy: ring buffer, atomic commit, brownout-safe write, and event-storm controls.
• Export interface: deterministic readout and report fields (protocol-agnostic).

Fault Taxonomy (Category + Role)

Use two orthogonal tags to prevent mis-triage: Category describes where the fault lives; Role describes whether it is a cause or a symptom.

• Device fault: internal flags (UVLO asserted, OT trip, DESAT/SC trip).
• Power fault: rail droop, brownout window, start-up collapse, no-load anomalies.
• Barrier-related symptom: unexpected toggles, domain resets, abnormal CM coupling signatures.
• Interface fault (symptom): CRC spike, timeout, framing error counters (protocol-agnostic).

Severity Semantics (Action-Oriented, Not Color-Oriented)

Severity must map to system action, otherwise latch/clear policy drifts across teams and versions.

• S0 Info: non-impacting evidence (retained for correlation).
• S1 Degraded: performance-limited mode (derating, rate-limit, power-limit).
• S2 Protective Trip: protection action occurred, may auto-recover with verification gate.
• S3 Safety Latch: requires explicit clear authority (service / controlled power-cycle).
• S4 Evidence-Critical: must survive reset/power-cycle and remain non-erasable until readout.

Minimal Event Dictionary Schema (Field Contract)

A compact schema ensures the black-box remains readable across firmware versions and service tools.

Inputs Map (Evidence vs Clues)

Inputs must be grouped by how directly they prove a protection condition. “Symptoms” can guide triage, but should not be treated as evidence without correlation.

Trust Ladder (Credibility Ranking)

A ranking is required because not all inputs survive common-mode stress equally. Higher rungs prove “what happened”; lower rungs indicate “what looked wrong”.

• Rung 1 — Hard-latched internal flag: strongest evidence; closest to protection action.
• Rung 2 — Comparator/pin latched: strong but sensitive to layout and ground bounce.
• Rung 3 — Firmware computed: explainable but sampling-window dependent.
• Rung 4 — External symptom: triage clue; never a standalone root cause.

Anti-False-Trigger Toolbox (Strategy, Not Code)

False triggers usually originate from transient injection or sampling misalignment. Controls must be applied at the right layer and must leave audit traces.

• Blanking window: ignore detection for X µs after switching edges, start-up, or driver enable (prevents dv/dt injection spikes).
• Deglitch filter: require N samples / N µs persistence before confirming an event (prevents narrow glitches).
• Majority vote: confirm only if M-of-N samples agree inside a bounded time window (improves noise immunity).
• Correlation tags: record “dv/dt window”, “start-up phase”, or “brownout window” tags to explain false-looking events.

Two-Lane Capture Concept (Bounded-Time Evidence)

The fast lane must succeed even during brownouts and reset storms. The slow lane improves diagnosis quality but must never block the fast lane.

• Fast path (ISR / hardware latch): Event ID + monotonic time/sequence + domain tag + minimal snapshot.
• Slow path (background): rail/temperature snapshots, mode/state ID, counters, and last reset cause (when available).

Fast Path: Minimum Evidence Record (MEE)

The minimum evidence record must be sufficient to answer “what happened first” even if context enrichment fails.

• Required: Event ID, monotonic counter/time, domain (P/S), latch snapshot.
• Minimal snapshot: rail class tag (OK/LOW), reset window tag (YES/NO), and a compact “source” tag (flag/pin/symptom).
• Storm safety: bounded queue push + drop accounting when the queue is full.

Slow Path: Context Enrichment (When Stable)

Context fields explain why a trip occurred and whether recovery is safe. Missing context is allowed, but the reason must be recorded.

• Context set: primary/secondary rails, temperature, operating mode/state ID, key counters (fault/retry/CRC), last reset cause.
• Correlation tags: dv/dt window tag, start-up phase tag, brownout window tag.
• Missing-context rule: record “context_unavailable = reset/brownout/overrun” rather than leaving silent gaps.

Loss Strategy (Overrun, Rate-Limit, Coalescing)

When event pressure exceeds capacity, the pipeline must preserve diagnostic value and leave auditable evidence of suppression.

• Buffer overrun handling: keep-last-critical (S3/S4), drop-low-severity first, and store dropped_count.
• Rate limit: cap repeated events to X per Y seconds while retaining first and last occurrences.
• Event coalescing: merge repeats into one entry with count + first_time + last_time (ideal for CRC/timeout storms).

Latch Classes (Semantic Freeze)

Each Event ID must map to a latch class with stable meaning. Latch class changes across versions break field comparability and invalidate audit trails.

Clear Authority (Who Can Clear What)

Clear actions must be treated as audit events. Authority defines permission scope without depending on any specific protocol or transport.

• Local HMI: operator-level actions for low-risk events (S0/S1, select S2). Must log an operator token (placeholder).
• Service tool: engineering/service authority for S2/S3 clear. Must log identity (placeholder), reason code, and verification result.
• Factory mode: controlled manufacturing authority. Must log factory-mode flag and time window tag.

Anti-Thrash Controls (Cooldown, Retry Budget, Escalation)

Repeated recover-fail loops destroy evidence quality and can create unsafe oscillation. Controls must prevent rapid cycling and must be observable in logs.

• Cooldown: after clear, block repeated clears for X seconds/minutes (placeholder) to avoid immediate re-trigger loops.
• Retry budget: limit recovery attempts to Z times within Y minutes (placeholders) for each Event ID/class.
• Escalation: repeated trips (e.g., 3 times) upgrade latch class to hard latch. Must log escalation_count and escalation_reason.

Pass Criteria After Clear (Verification Gates: X / Y / N)

“Cleared” is not “recovered”. Returning to Normal requires gates that are measurable, repeatable, and suitable for acceptance testing.

• Margin gate: UV margin ≥ X; temperature ≤ Y; rails stable for Y seconds (placeholders).
• Stability gate: no repeat of the same event for N minutes; symptom counters below X per window Y (placeholders).
• Functional gate: system returns to expected mode ID = X; key outputs/driver status = expected (placeholders).

Core Schema (Minimum Evidence Fields)

Core fields must be sufficient to reconstruct “what happened, when, and under which latch/clear semantics”, even if optional context is missing.

• Header: schema_version, record_length, record_type (event/clear/escalation).
• Core evidence: Event ID, monotonic counter/sequence, timestamp (policy placeholder), domain tag (P/S/Both).
• Policy fields: latch class, power state tag, mode ID.
• Clear audit (for clear records): clear_authority, clear_reason, verify_result.

Optional Context (TLV Groups)

Optional fields provide diagnostic depth while keeping the base record compact and stable. Unknown groups must be skippable by older tools.

• Rails: primary/secondary snapshots, brownout window tag.
• Thermal: temperature snapshot and thermal state tag.
• Driver status: gate-driver flags (placeholder), UV/OT sub-flags.
• Link counters: CRC/timeout counters (placeholder), error bursts.
• Reset cause: last reset reason (if available).
• Correlation tags: dv/dt window, start-up phase.

Versioning & Backward Compatibility

Versioning rules prevent “new firmware writes unreadable records”. Compatibility must be designed into the schema layout.

• Core freeze: core field order and semantics remain stable across versions.
• Append-only growth: new information is added as optional TLVs, not by reshaping the core.
• Graceful decode: unknown TLVs are skipped; unknown record_type is preserved as “unknown” rather than breaking parsing.

Integrity & Auditability (CRC, Commit Markers, Counters)

Records must be verifiable in the presence of brownouts and partial writes. Integrity signals enable detection of corruption and missing evidence.

• CRC: computed over Header + Core + Optional; invalid CRC means “record not trusted”.
• Commit marker: explicit valid flag or equivalent to detect partial commits (placeholder).
• Monotonic counter: detects gaps (lost records) and supports ordering across resets.
• Pressure evidence: dropped_count and coalesced_count preserve auditability under event storms.

Failure Modes & Design Goals

Survivability requires explicitly handling partial writes, brownout reset loops, event storms, and endurance limits. Storage must expose evidence quality (valid vs partial) rather than hiding uncertainty.

• Last-entry loss: partial record without commit; must be detectable (commit missing / CRC fail).
• Brownout reboot loop: repeated interrupted writes; must remain parseable and non-destructive.
• Event storms: repeated low-value events cannot overwrite first/last critical evidence; suppression must be auditable.
• Endurance exhaustion: write budget must be modeled; rate-limit and coalesce reduce wear.

Ring Buffer Layout (Fixed Slots, Pointers, Wrap)

A fixed-layout ring avoids filesystem complexity and ensures predictable recovery scanning. Slots spread wear naturally and keep the decoder simple.

• Slots: slot[0..K-1], each holds one record (header + payload) with fixed maximum size.
• write_ptr: advances monotonically and wraps; a generation counter distinguishes “new wrap” vs “old data”.
• read_ptr (optional): for export streaming, but recovery prefers scanning for valid commits.
• Metadata robustness: pointer metadata should be mirrored or versioned to recover the latest state.

Atomicity & Integrity (Prepare/Commit, CRC, Magic)

Atomic commit ensures a record is either fully valid or clearly partial. Commit and CRC must be designed so that power loss never produces ambiguous “maybe valid” entries.

• Magic word: fast slot recognition to filter noise/erased patterns.
• Length + schema_version: bounded parsing, supports forward/backward decode.
• CRC: validates header + core + optional payload.
• Commit marker: last-step flag; only commit=1 + CRC pass is valid.

Write Budget & Storm Behavior (Wear, Rate-Limit, Coalesce)

Write endurance is protected by controlling amplification and avoiding redundant writes. Storm behavior must preserve critical evidence and leave auditable suppression traces.

• Write amplification: WA ≈ ceil(record_bytes / page_bytes) (placeholders).
• Endurance model: total_records ≈ (slots × erase_cycles) / WA (placeholders).
• Storm controls: rate limit (X per Y), coalesce (count + first/last), and priority retention (keep first/last S3/S4).
• Audit evidence: dropped_count / coalesced_count recorded to show pressure, not silence.

Time Sources (Taxonomy)

Time policy must be declared so field analysis can interpret timestamps correctly. Each source has different reliability and correlation capability.

• MCU tick / monotonic counter: strongest for ordering; requires boot_id/epoch across resets (placeholders).
• RTC / wall clock: enables absolute timelines; validity must be logged (time_valid yes/no).
• External sync: improves cross-domain alignment; only source presence is declared here (no protocol details).

Dual-Domain Tagging (P/S)

Every record must identify which domain it belongs to. Cross-domain conclusions must not be made unless correlation quality is explicitly stated.

• domain_tag: P / S (and optional Both).
• t_local or seq_local: per-domain ordering that stays valid even without RTC.
• boot_id / epoch: differentiates ordering across power cycles.
• quality tags: brownout_window / startup_phase tags explain time anomalies (placeholders).

Minimal Correlation Methods (No Protocol Dependence)

Cross-domain alignment can be achieved with lightweight markers. When markers are absent, correlation must fall back to a bounded uncertainty window.

• Shared marker event: record marker_id with tP and tS; compute offset_estimate = tS − tP (placeholders).
• Ping-pong correlation: record corr_seq and send/recv local times to estimate offset and delay window (placeholders).
• Correlation window: if exact alignment is not possible, store corr_window = W and constrain conclusions to ±W.

Field Reconstruction Workflow (From Order to Causality)

A consistent workflow turns two domain logs into a usable timeline without overstating certainty.

• Step 1: sort per-domain by (boot_id, seq_local).
• Step 2: locate markers (marker_id or corr_seq).
• Step 3: estimate offset_estimate and correlation quality (good/weak).
• Step 4: merge views; annotate uncertainty (corr_window) when alignment is weak.

Integrity Primitives (CRC → Hash Chain → Signature)

Integrity should be layered so the system can start with strong basics and optionally add stronger anti-tamper evidence. Each layer must produce visible evidence quality in the exported report.

• Record CRC (mandatory): detects corruption and partial writes; CRC failure must be reported as invalid evidence, not silently dropped.
• Hash chain (optional): detects insertion/deletion/replacement by linking records; a chain break must be explicit in the report.
• Signature (touch only): proves the record set is device-originated; only presence and verification result are logged here (no PKI details).

Access Control Semantics (Read / Clear / Factory Gate)

Trustability is not only about data integrity. It also requires clear authority boundaries and audit trails for readout and clearing actions.

• Read permission: readout is allowed, but every export must be auditable (who, when, which session).
• Clear permission: clear actions must be gated by authority and recorded with reason and verification outcome.
• Factory-mode gate: factory-only actions must be detectable; operations outside the factory window should be flagged as policy violations.

Tamper Evidence in Practice (Leave Traces)

Field disputes often arise when suspicious behavior leaves no trace. The black-box should record attempts, denials, and mode transitions so the report can explain anomalies without guesswork.

• Denied attempts: denied reads/clears should increment counters with reasons (not just “no”).
• Mode transitions: entering/exiting service or factory modes must be recorded to preserve the evidence chain.
• Pressure artifacts: partial_count, dropped_count, and coalesced_count should be reported to distinguish system pressure from tampering.

Privacy Minimization (Only Engineering Evidence)

A trustworthy black-box should also be safe to export. Records should contain only engineering fields needed for diagnosis and compliance, and exclude sensitive user data.

• Allowed: event IDs, rail/temperature snapshots, counters, mode IDs, clear history, and verification outcomes.
• Disallowed: personal identifiers, content payloads, location data, or anything that can identify a user.
• Exception policy (placeholder): if identifiers are unavoidable, store minimized tokens and mark privacy_mode accordingly.

Step 1 — Readout (Preserve Evidence First)

Evidence must be preserved before any clearing or reboot actions. Readout itself should be auditable so the evidence chain remains intact.

• Read-before-clear rule: clear actions require prior readout, except safety emergencies (placeholder exception).
• Readout trace: record who exported logs and when (session_id, authority).
• Analysis window: freeze the case context for consistent triage (placeholder policy).

Step 2 — Triage (Classify with Rules)

Classification should be rule-driven to avoid disputes caused by subjective symptoms. Decisions should reference verification gates and evidence quality.

• Continue: low severity and stability gates pass (no repeat for N minutes, placeholder).
• Derate: trending risk without hard latch; outputs a derate_level and recheck time (placeholders).
• Return/Service: hard latch or escalation, or evidence_quality is insufficient (CRC/chain issues).

Step 3 — Action (Continue / Derate / Service)

Actions must be traceable and consistent. Each action writes a disposition record so future analysis can distinguish operational policy from device behavior.

• Continue: requires verify pass + recurrence_check=0 within N minutes (placeholders).
• Derate: applies a bounded operating limit and schedules a recheck (placeholders).
• Service: triggers a service_required_code and prevents repeated unsafe clears (placeholders).

Verification & Close (Make Disputes Converge)

A case is closed only after verification and stability checks. This prevents recurring disputes about “cleared but not fixed” and makes reset storms diagnosable.

• Clear history: every clear must include authority, reason, and verification result.
• Stability gate: recurrence_check must remain 0 for N minutes (placeholder) after recovery.
• Reset storm evidence: boot_id + reset_cause + partial_count distinguishes power issues from missing logs.
• Symptom mismatch rule: event ID + latch class + correlation window (±W) overrides symptom-only narratives.