OVP and common-mode surge protection for INA front ends is primarily a current-routing problem: force surge energy into a short, controlled return path (preferably chassis) and keep it out of rails, references, and precision grounds.
A staged defense (entry shunt → limiting corridor → precision clamp + rail sink) delivers survivability, safe-fail behavior, and deterministic recovery without hiding problems behind reboots.
Definition & scope: what “OVP” and “common-mode surge” mean for INA front ends
This page targets survivability-first protection for instrumentation-amplifier (INA) front ends when field wiring delivers
overvoltage or high-energy common-mode events. The goal is to keep energy out of sensitive silicon domains by controlling
duration, energy, and return path—not to tune EMI/RFI filtering or microvolt-level leakage budgets.
Covers: OVP/miswire (seconds+), surge (µs–ms, high energy), and common-mode (CM) step/surge behavior that can
trigger rail injection, back-power, resets, or permanent damage. Protection is treated as a staged system:
shunt energy early, limit injection, then clamp locally with controlled return paths.
Not covered here: detailed RFI/EMI anti-rectification filtering, IEC ESD/EFT tutorial-level design, or leakage/precision drift
budgeting from protection-device bias. Those belong to sister pages focused on EMI/ESD hooks and leakage error models.
B) Practical taxonomy (engineer’s view): how to classify events fast
Use these three axes to classify a field event in minutes. Correct classification prevents over-design in the wrong direction.
1) Duration
Seconds+ implies thermal stress and sustained overcurrent (miswire/OVP). µs–ms implies high-energy surge
where clamp dynamics and return path dominate. ns–µs is typically ESD/EFT/RFI territory (handled elsewhere).
2) Energy
Peak voltage alone is a poor predictor. Low source impedance and longer pulse width drive high V·I·t,
accelerating TVS heating, rail collapse, and junction overstress. Energy determines whether the system needs
staged shunt + limit + controlled clamp rather than a single “bigger TVS.”
3) Return path
The same input clamp can be safe or catastrophic depending on where surge current returns. The three common
destinations are chassis/PE (preferred for high energy), signal ground (often collateral damage), and
supply rails (often causes back-power / “fake power-up” behavior).
C) Design objectives (measurable, not vague)
Survivability: no permanent damage; no sustained overcurrent/overheat; functional operation remains possible after the event.
Safe-fail: out-of-range events drive predictable behavior (clamp/limit) without exporting energy into sensitive domains
(ADC rails, reference, digital IO, analog ground).
Recoverability: after the event ends, the signal chain returns to valid readings within the system-allowed window,
with clear rules on whether a reboot or recalibration is required.
Quick classification tip
If a surge event causes reset, rail rise, or unexpected partial power-up, treat it as a return/back-power problem first—
not only as an input clamp problem. Protection must provide a controlled destination for injected current.
Threat taxonomy overview (OVP · Surge · CM step/surge)
Threat model: where the energy comes from and how it enters the board
Protection design improves dramatically when the field threat is treated as an energy source connected through real wiring.
A surge is not “a voltage number”—it is a source impedance delivering current for a certain time, with a return path that may
pass through chassis, ground, or supply rails.
A) Common field sources (engineer’s list)
Miswire / wrong supply contact: sustained overvoltage, often seconds+; survivability depends on limiting and safe-fail behavior.
Long cable coupling: cable inductance stores energy; common-mode rises can inject current into rails and cause resets.
Ground/chassis potential differences: CM step events; “both lines move” and recovery behavior becomes a system property.
Mode reminder
DM (differential-mode) stresses the two input wires against each other. CM (common-mode) moves both wires together and mainly stresses
the system via return routing and rail injection.
B) Minimal model: parameters that actually decide survivability
A practical threat model can be built with only a few terms. These terms decide whether energy is shunted safely or exported into
INA/ADC rails and sensitive grounds.
Source impedance (Rs)
Low Rs means high peak current into clamps. This drives TVS heating, rail injection, and latch-up risk far more than “rated system voltage.”
Edge rate / di/dt
Fast edges excite cable and layout inductance. The “hidden” L·di/dt voltage can exceed clamp targets and create unexpected overshoot.
Pulse width / repetition
Width and repetition decide thermal accumulation. This is why “it passed once” can still fail in real plants after hours of switching.
Return impedance (Zreturn)
Zreturn decides where surge current closes its loop. If the loop crosses analog ground or supply rails, collateral damage and resets become likely.
C) Why “the same 24 V system” can be safe or destructive
Field risk diverges because energy delivery differs. A 24 V bus with low source impedance, long inductive wiring, and uncontrolled return
can force high current through input clamps and into rails. A limited source with controlled chassis return can be benign even with higher peak voltage.
Fast debug rule
If both input wires rise together and the symptom is reset or rail disturbance, investigate CM return routing and rail injection/back-power first.
Input-only fixes rarely solve system resets.
Minimum information to request (field template)
Cable length and whether shield is bonded to chassis near the connector.
Power source type and its protection behavior (current limit, foldback, crowbar, fuse).
Presence of inductive loads and switching frequency near the wiring harness.
Chassis/PE bonding scheme and where the return current is intended to flow.
System policy after an event: must continue, may reset, may latch-off, or must report fault.
Energy entry path (connector → staged protection → INA → ADC) with CM/DM loops
Failure mechanisms inside an INA system: what actually breaks first
In real surge/OVP incidents, the first failure is often not the “input pin.” Damage and system faults usually begin when
surge current is redirected into internal clamps, supply rails, or output drivers. Protection must be designed
around where the current goes and what domains it stresses.
Supply back-power → LDO/reference upset, “partial power-up,” resets, or lockups.
Output-stage overstress → thermal runaway, driver damage, or long recovery from saturation.
Two non-fatal traps: long output saturation after clamping, and slow CM recovery creating invalid measurements.
Field symptom shortcut
Reset, rail rise, or unexpected partial power-up usually indicates rail injection/back-power, not an input-only issue.
Hot output driver or stuck output often points to output overstress.
B) Input clamp overcurrent → injection / latch-up
When input voltage exceeds internal limits, clamp structures conduct. If the source is low-impedance or pulse width is long,
clamp current can drive parasitic conduction paths and create latch-up-like behavior.
Typical triggers
Input exceeds rails; repeated pulses; low source impedance; long cable inductance delivering current into clamps.
Common symptoms
Abnormal supply current after the event; local heating; measurement stuck or unstable until power is removed.
Fast checks
Observe rail current during/after the event; verify whether input is forcing current into AVDD/AGND through clamp conduction.
Design implication
Injection failures are controlled by limiting clamp current and choosing the clamp destination.
This drives the need for Stage-B limiting and Stage-C controlled clamping, not only a larger entrance TVS.
C) Supply back-power → LDO/reference upset, resets, “fake power-up”
Rail clamping can protect silicon while exporting current into the supply domain. If the supply cannot absorb or discharge injected current,
rails can rise unexpectedly and partially power logic, references, or IO.
Typical triggers
Input clamps to AVDD/IOVDD; no rail sink path; long discharge time constant; shared rails with sensitive digital domains.
Common symptoms
Reset or lockup; unexpected IO activity; LEDs faintly on; reference output shifts; rail remains elevated after the event.
Fast checks
Capture AVDD/IOVDD during the surge; verify if rails rise when the input is clamped; check discharge behavior after the event.
Design implication
Rail clamping must be paired with a rail sink/discharge path and domain-aware routing.
Without that, “protecting the input” can still reset the system.
D) Output-stage overstress → heat, damage, long saturation
Even with strong input protection, output drivers can fail when forced to source/sink into heavy loads, capacitive networks,
or downstream clamps. Output overstress is a common “surprise” failure mode in real systems.
Typical triggers
Output forced beyond swing; large capacitive loads; downstream input clamps conducting; prolonged saturation after clamping.
Common symptoms
Hot driver region; output stuck to a rail; slow return to linear operation; distortion or invalid samples after the event.
Fast checks
Monitor output waveform and rail current; verify whether output is sourcing/sinking continuously into a clamp or heavy load.
Design implication
A staged architecture should keep high-energy stress away from output drivers by shunting early and limiting injection,
so output stages are not the “energy sink of last resort.”
E) Non-fatal but unstable: long saturation and slow CM recovery
Long saturation
Clamps can prevent damage while leaving the output pinned. Data may look “alive” but is not valid until the chain returns to linear operation.
Slow CM recovery
A CM step can push the front end into non-linear regions. Recovery time becomes a system property tied to return path and rail injection control.
Takeaway
“No damage” is not equal to “measurement-ready.” A protection design must also control recovery behavior and define what outputs are considered valid after an event.
Protection architecture: staged defense from connector to silicon
A robust design uses staged defense: shunt large energy early, limit injection into sensitive domains, then clamp locally to keep silicon within safe limits.
The objective is to send energy away as early as possible and through the shortest return loop, so it does not traverse rails, grounds, and output drivers.
A) Why staged defense wins (cause → effect)
Stage A handles high-energy current by shunting near the connector into a controlled return (often chassis/PE).
Stage B converts “voltage events” into controlled current, limiting injection through clamps and reducing heating.
Stage C provides local precision clamping to keep silicon within limits, but must not create uncontrolled rail injection.
Core rule
Do not allow the surge current loop to cross analog ground, reference ground, or ADC/digital rails. A staged layout creates an intentional “energy highway” away from sensitive domains.
B) Stage A — entrance shunt (energy diversion)
Role
Shunt the highest surge current near the connector into a controlled return (often chassis/PE) to prevent energy from entering board interiors.
Typical parts
TVS (primary), optional GDT for very high energy, chassis bond hardware.
Failure modes
Short: system must fail safely (fuse/limit/latch-off). Open/degraded: protection reduces, so Stage B/C must still prevent silicon overstress.
C) Stage B — limit & isolate (injection control)
Role
Turn “overvoltage” into controlled current so internal and external clamps do not conduct destructive currents.
Typical parts
Series resistor, PTC, protection switch, or current-limit network (application-dependent).
Failure modes
Open: channel fails but is diagnosable. Drift/assembly issues: can shift measurement behavior; precision impact is handled in leakage/accuracy pages.
D) Stage C — local precision clamp (silicon boundary)
Role
Keep INA inputs within safe operating limits with a short clamp loop near the pins. Works only when Stage B limits current.
Clamp destinations
Rails, mid-supply, or a controlled reference domain. Each destination must have a defined sink/discharge path to avoid back-power.
Failure modes
Frequent clamp conduction can cause long saturation or slow CM recovery. Rail-clamped designs can inject current and reset the system if rails are not designed to absorb it.
Prioritize Stage B (limit/latch-off) to prevent sustained heating. Stage A is support; Stage C prevents silicon overstress under limited current.
Surge (µs–ms)
Prioritize Stage A (entrance shunt) to keep energy out of the board interior. Stage B limits injection; Stage C clamps locally.
CM step / CM surge
Return routing and rail injection control dominate. Choose Stage-A return destination intentionally and ensure Stage-C clamping does not back-power sensitive rails.
Clamp reference choices: clamp to rails, to mid-supply, or to chassis?
Clamping is current steering. The clamp destination defines where surge current is injected and which domain must absorb it.
A “strong clamp” can still collapse system behavior if the chosen reference cannot sink/discharge the injected current or if the return path is uncontrolled.
A) The decision frame (what must be true)
1) Current landing point
Where does the surge current go when the clamp conducts: chassis, rails, or VMID?
2) Sink / discharge capability
Can that node absorb injected current without rising in voltage or destabilizing other domains?
3) Return path control
Is the current loop short and isolated from sensitive analog ground, reference ground, and digital rails?
Rule of thumb
Choose a clamp reference only after defining the landing node and the return path. Without that, clamping can back-power rails, shift VMID, or bounce ground.
B) Clamp to chassis / PE (early energy diversion)
Best when
High-energy surges where the safest outcome is to keep current out of board interior and sensitive rails.
Must-have
A controlled chassis bond near the connector and a short, low-impedance return loop.
Watch-outs
If chassis return is uncontrolled, current can flow through board grounds and create CM recovery issues or ground bounce.
Quick check
During an event, measure the voltage drop across the chassis bond path and verify the loop closes near the connector.
C) Clamp to rails (fast boundary, but rail-injection risk)
Best when
The rails can absorb injected current and the design prioritizes strict silicon boundary control with predictable clamping.
Must-have
A defined rail sink/discharge path so injected current does not raise AVDD/IOVDD and back-power logic or references.
Watch-outs
Rail injection can trigger resets, partial power-up, reference shifts, or long recovery even when no silicon damage occurs.
Quick check
Capture AVDD/IOVDD during the event and confirm rails do not rise into logic-on regions and discharge promptly afterward.
D) Clamp to mid-supply (VMID / virtual ground)
Best when
Single-supply systems with a defined bias point where signals are centered and keeping inputs near VMID improves recoverability.
Must-have
VMID must be able to sink injected current (buffer output impedance and dynamic capability must match event behavior).
Watch-outs
VMID shift can move the entire measurement chain, causing saturation or slow recovery. VMID stability becomes the system limiter.
Quick check
Inject a CM step and measure VMID deviation and recovery time; verify the VMID buffer does not current-limit into instability.
E) Precision note (boundary bridge)
Any clamp reference choice changes leakage paths and injected currents. If the measurement target is µV-level,
clamp leakage and thermal drift must be explicitly budgeted in the dedicated “Input Clamp & Leakage Budgeting” section.
Three clamp references compared (same surge, different current landing points)
Current-limiting networks: resistive, PTC, active limit, and what they trade
Overvoltage becomes destructive when current is uncontrolled. A staged front end uses limiting to keep clamp currents, rail injection,
and output heating within survivable bounds. Limiting choices should be driven by event duration, energy, and acceptable measurement impact.
A) Pick a limiter by event + measurement constraints
Duration (µs/ms/s)
Allowed drop
Bandwidth impact
Recovery policy
Short pulses usually need fast current reduction (series R first).
Long miswire/OVP needs sustained protection (PTC or active limiting).
Tight bandwidth/accuracy pushes toward active limiting or hybrid networks.
B) Series resistor (simple, fast, predictable)
Role
Limits peak clamp current immediately and reduces rail injection and heating during short events.
Trade
Adds drop and forms a time constant with input capacitance; can influence overload recovery and settling (RFI details handled elsewhere).
Pass criteria
After an event, rails stay below logic-on regions and the measurement chain returns to linear operation without long saturation.
C) PTC / resettable fuse (strong for sustained miswire)
Role
Raises resistance under heating so long OVP/miswire does not deliver unlimited current into clamps and rails.
Trade
Recovery can be slow (thermal memory). Temperature dependence and repeated stress can shift behavior.
Pass criteria
Under sustained fault, the system avoids overheating and remains in a safe state; after fault removal, recovery is diagnosable and predictable.
D) Active limiting (MOSFET / protection IC)
Role
Controls current without forcing large passive drops and enables fault signaling, fast disconnect, or latch-off strategies.
Trade
Adds complexity and needs a defined failure policy (off/short). Layout must ensure the limiter does not become the unintended energy sink.
Pass criteria
Fault current stays bounded, rails are not back-powered, and the recovery/lockout behavior matches the system safety plan.
E) Hybrid networks and precision bridge
Many real systems require both short-pulse robustness and long-miswire survivability. A hybrid approach often uses a series resistor to reduce peak current,
then a sustained limiter (PTC or active) for seconds-level faults.
Precision note
Limiters add leakage, heating, and drift paths that can dominate µV-level measurements. Quantify these in “Input Clamp & Leakage Budgeting.”
Limiting method selection tree (duration · energy · allowed drop · bandwidth)
TVS selection and placement: clamp level, dynamic resistance, capacitance, and survivability
A TVS does not “remove” surge energy. It steers surge current into a chosen landing node (chassis, rails, or VMID).
Selection must start from system limits (pin voltage, allowed injection, allowed capacitance, survivability), then map TVS parameters to those limits.
A) Start with four system limits (not Vrwm)
Max pin voltage
The highest acceptable input node voltage during the event (silicon and downstream boundary).
Max injection current
The maximum current that may be allowed into rails/VMID/grounds without causing back-power or domain collapse.
Allowed capacitance
The maximum added input capacitance compatible with settling and overload recovery.
Survivability
TVS energy/thermal margin under the target pulse shape, repetition, and temperature derating.
B) Map TVS parameters to system targets
Vrwm
Prevents unintended conduction in normal bias/CM conditions. It does not guarantee safe clamping.
Vclamp @ Ipp
The clamp level is defined at a specific pulse current. Use the relevant current point for the threat model.
Rd (dynamic resistance)
Determines how fast Vclamp rises with higher current. High energy events can exceed boundaries if Rd is ignored.
Cj (junction capacitance)
Adds input capacitance and can slow recovery or disturb settling. Verify step/overload recovery after the event.
Energy / thermal rating
Must match pulse width, repetition, and temperature. “Survives once” is not the same as “survives the field.”
C) Unidirectional vs bidirectional (decide by bias + event mode)
Bidirectional
Fits signals that may swing both directions around a bias point and for differential lines where symmetric behavior reduces bias shifts.
Unidirectional
Useful when the signal is referenced to ground and one polarity is the dominant overvoltage direction, but check reverse paths under bias.
Practical check
Under maximum normal common-mode and bias, the TVS should remain off (no soft conduction that shifts VMID or adds leakage-driven offset).
D) Placement rules (effective only with a controlled return)
Near connector
Keep the high di/dt loop local to the entry region so surge current does not roam across planes and sensitive grounds.
Return node clarity
TVS “ground” must land where the event is intended to close: chassis/PE, or a dedicated entry return—not through ADC/REF grounds.
Quick check
During an event, verify the return path closes at the entry region and the local loop voltage drop stays small compared to the clamp target.
E) Common failure patterns (TVS works, system fails)
Rail injection
Clamp current is redirected into AVDD/IOVDD without a sink path, causing resets, partial power-up, or reference shifts.
Long return loop
TVS return crosses sensitive planes, so the “clamp point” moves with ground bounce and the silicon still sees excessive stress.
Cj too large
Added capacitance creates overload “memory” and slows recovery; the front end survives but measurement remains saturated longer than allowed.
TVS parameter → system target mapping (selection logic)
Common-mode surge routing: return paths, chassis bonding, and “do not cross” rules
Common-mode surge is a return-path problem. Both input lines rise together; what decides survival is where the current loop closes.
The highest leverage design action is to give surge current a short, controlled return at the entry and keep it out of sensitive grounds.
A) The CM surge model (what matters)
In a CM event, the cable and both conductors move together relative to the board reference. The “damage path” is the return loop that
crosses planes, grounds, references, and ADC regions. Controlling that loop is more important than increasing clamp strength.
B) “Do not cross” rules (board-level hard constraints)
Rule 1
Surge return loops must not cross AGND, REF_GND, or ADC ground sensitive regions.
Rule 2
Entry protection return (TVS-to-chassis/entry return) must form a short local loop near the connector.
Rule 3
Sensitive zones need a routing corridor and isolation boundary (keep surge current outside with layout partitioning).
C) Chassis bonding (the PCB requirement)
Key point
System-level single-point vs multi-point is a separate decision. The PCB must still provide an entry return node that closes the loop locally.
Quick check
During a CM step, verify that the voltage disturbance is concentrated at the entry return and not across ADC/REF ground nodes.
D) Field symptoms that point to a return-path problem
Event passes “no damage” but output saturates and recovers slowly.
ADC codes jump or drift during nearby switching events (relay/solenoid).
Occasional resets or reference shifts coincide with surges.
Return path comparison: correct vs wrong (do not cross sensitive zones)
Co-design with supplies and references: preventing back-power and rail collapse
Clamping an input to a rail is not “free protection.” It injects current into the power domain. If the rail has no controlled sink path,
the injected energy can create phantom power, domain cross-feeding, or brownout oscillation.
A) Back-power causal chain (what happens first)
Trigger
Input clamp conducts to AVDD / IOVDD / VMID (TVS, internal ESD, clamp diodes, or external networks).
Propagation
The rail rises or distorts. Reverse paths in regulators and ESD structures can cross-feed other domains.
Failure mode
Phantom power, partial boot, resets, reference shifts, or brownout oscillation, even if the front end “survives.”
B) Three signatures that indicate rail-injection stress
Phantom power
AVDD/IOVDD crosses logic thresholds and creates undefined domain states (partial boot, I/O latch, sporadic resets).
Brownout oscillation
Rails collapse and recover repeatedly due to protection interaction or reverse conduction in regulators/loads.
Recoverability loss
Output/ADC input saturates longer than the system window because VMID/VREF must discharge through weak paths.
C) Co-design checklist (interface-level)
Reverse current behavior
Confirm whether LDO/PMIC tolerates reverse current. If not, rail injection can cause uncontrolled states or damage.
Domain cross-feed paths
Identify ESD/body-diode paths from AVDD to IOVDD/MCU/REF blocks. Prevent “powering through pins.”
Reference and VMID immunity
Ensure VREF/VMID has a controlled discharge or clamp so injected charge does not create long recovery tails.
D) Provide a controlled sink path for injected energy
Passive sink
Use local energy buffering (capacitance) plus a bleed path (resistive discharge) so rail behavior is predictable after an event.
Chassis diversion
Add a path that diverts rail overvoltage to chassis/entry return when the system grounding model supports safe energy export.
Active discharge
Use controlled discharge or protection ICs when static bleed loss is unacceptable and recovery time must be enforced.
E) Power policy: avoid undefined states (OV/UV + shutdown behavior)
Add OV/UV detection and a defined shutdown/hold-off strategy so the system does not operate inside partial-power windows.
The goal is not just “no damage,” but no unpredictable boot or reference mode after an event.
Back-power chain and sink paths (rail injection → safe discharge)
Verification plan: test setups, waveforms to capture, and pass/fail criteria
Protection is engineering only when it is measurable. This plan turns “good ideas” into a repeatable workflow:
define event types, capture the minimum waveforms, and decide pass/fail by observable system behavior.
A) Test matrix (three event classes)
DC OVP / miswire
Long duration stress. Verify current limiting, thermal stability, and post-event recoverability without undefined domain states.
Surge pulse (µs–ms)
High energy transient. Verify clamp behavior, peak injection, and that the return loop stays at the entry.
CM step / recovery
Common-mode disturbance. Verify ground/reference stability, output saturation time, and recovery inside the allowed system window.
B) Capture the minimum waveforms (what to probe)
Probe 1: Input node
Validate the real event amplitude and edge at the connector side (do not rely on nominal generator settings).
Probe 2: TVS/clamp
Confirm the clamp engages and the plateau does not lift due to Rd or loop inductance/ground bounce.
Probe 3: AVDD (and IOVDD if relevant)
Detect back-power, rail collapse, UVLO/POR boundary crossing, or oscillation after the event.
Probe 4: Output / ADC input
Measure saturation and recovery time. Recovery must fit the system window without requiring manual reboot.
Injection current (recommended)
Add a current probe or a small sense element in the clamp return path to quantify peak and duration of injected current.
C) Repeatable test script (works for all event classes)
Baseline: record normal AVDD, output range, and a stable reference snapshot.
Apply event: define duration and repetition (single hit and multi-hit sequences).
Capture: record probes 1–4 (and injection current if available) with a shared trigger.
Post-event check: confirm the system returns to a defined state (no partial boot, no stuck outputs).
Repeat: perform N hits, then compare with baseline to detect degradation.
D) Pass/fail criteria (observable behavior, no fixed numbers)
Survivability
No permanent functional loss after the event and after repeated hits.
No phantom power
Rails do not enter undefined partial-power windows that create resets, stuck I/O, or abnormal boot states.
No rail collapse oscillation
No repeated brownout cycles or regulator protection interactions that keep the system bouncing between states.
Recoverability
Output and ADC input return to a valid operating region within the system-allowed recovery window.
E) Result logging template (production-ready discipline)
Test case
Waveforms captured
Pass criteria
Result
Notes
DC OVP / miswire
P1, P2, P3, P4, I
No phantom power; recoverable
—
—
Surge pulse
P1, P2, P3, P4, I
Clamp effective; rail stable
—
—
CM step / recovery
P1, P3, P4
Recovery within window
—
—
Test wiring and measurement points (4 probes + current observation)
Engineering checklist: survivability-first layout and safe-fail design rules
This checklist is designed for design reviews and production readiness. The focus is survivability, safe-fail behavior, and
repeatable field outcomes under OVP and common-mode surge conditions.
A) Placement order (connector → protection → silicon)
Check
Physical order must enforce: Connector → (Chassis bond) → TVS/GDT/MOV → Series limiter (R/PTC/Fuse) → Precision clamp → INA pins.
Why
Energy must be diverted and contained at the entry. Any “detour” increases loop inductance and forces surge current to cross sensitive areas.
Pass criteria
Entry protection is closest to the connector and its return path is short and local (no long traces into the board).
B) Surge return paths and via stitching (surge loop first)
Check
TVS/GDT/MOV return copper is wide / short / direct.
Multiple stitching vias exist at the entry return node (avoid single-via bottlenecks).
Surge loop does not traverse analog ground, reference ground, ADC ground, or sensitive split boundaries.
Do-not-cross rules
Surge return current must not cross: REF network, ADC input return, INA input bias network, or quiet ground islands.
C) Keep-out zoning (entry protection zone vs precision zone)
Check
Create three physical regions: Entry protection, Energy return, and Precision measurement.
Connect regions through a single controlled corridor (series limiter stage).
Why
Separating “dirty energy” routing from the measurement core prevents unpredictable coupling during CM surge and clamp conduction.
Pass criteria
Entry return copper and the precision reference ground do not share narrow necks or critical vias. The limiter stage is the only intentional bridge.
D) Safe-fail behavior (TVS short/open and diagnostics)
Check
TVS short: channel becomes a detectable fault (not random resets). Add fuse/PTC to localize the short.
TVS leakage rise: drift risk is detectable by production leakage/offset screening.
Limiter open: system reports loss-of-signal instead of undefined bias states.
Pass criteria
A protection failure forces a stable and diagnosable system state (fault flag, channel disable, or known out-of-range reading).
E) Rail injection control (clamp-to-rails requires a sink path)
Check
If any clamp conducts to AVDD/IOVDD/VMID, a controlled sink path must exist:
local buffering + a predictable discharge route (bleed, chassis diversion, or active discharge).
Why
Without a sink, injection creates phantom power, cross-feeding, and recovery tails that exceed the system timing window.
Pass criteria
Rails do not enter undefined partial-power windows during events, and outputs recover within the system-allowed time window.
TVS/GDT placement is controlled by assembly constraints (no “close enough” interpretation).
Return via count and copper width are specified as requirements, not suggestions.
Chassis bond (spring, screw, gasket) has a measurable continuity/contact resistance test.
Protection part tolerances and voltage ratings are validated across the BOM substitution list.
Pass criteria
Field behavior remains stable across vendors and lots (no dependence on uncontrolled chassis contact or placement drift).
G) Production test hooks (verify protection chain is present)
Check
Accessible test points exist for: entry node, TVS clamp node, post-limiter node, AVDD, and INA input-side node.
A low-energy functional test can confirm clamp conduction and limiter continuity without full surge energy.
Fault detection paths exist (firmware flags or hardware indicators) for shorted protection parts.
Pass criteria
Assembly defects and protection failures are detectable at production (no silent “almost connected” chassis bonds or missing vias).
Reference BOM examples (starting points only)
These part numbers are provided to speed up datasheet lookup and prototyping. Final selection must be driven by event energy,
clamp targets, and the system grounding model.
FAQs: OVP & common-mode surge protection for INA front ends
Short, actionable answers only. Each item follows a fixed 4-line structure to keep troubleshooting and design decisions reproducible.
Why does a TVS “protect” the input but the board still resets?
Likely cause: Surge current is diverted, but the return path crosses rails/grounds that trigger brownout, POR, or a reset chain.
Quick check: Scope AVDD/DVDD + RESET/POR + TVS node during the event; look for rail dips/bounces and ground shift coincident with reset.
Fix: Force a short chassis/entry return loop (TVS close to connector + stitching vias); add a defined rail sink/hold-up path so injection cannot create rail collapse/phantom power.
Pass criteria: No reset occurs; rails remain within valid operating windows (no POR/UVLO crossings) while the TVS clamps.
Clamp-to-rail vs clamp-to-ground: which causes less collateral damage?
Likely cause: Collateral damage is set by where surge current is forced to flow: into rails (back-power risk) or into chassis/return (ground-shift risk).
Quick check: With rails off, apply a controlled stimulus and watch if any rail rises (back-power). With rails on, watch if sensitive ground/reference shifts during a clamp event.
Fix: Prefer chassis/entry return for high-energy surge; use rail clamp only if a strong sink path exists (bleed/discharge/ideal-diode isolation) and the rail cannot phantom-power other domains.
Pass criteria: No phantom-power on any rail; no sensitive reference/ADC ground shift that causes reset or irreversible saturation.
How to size the series resistor so it limits injection without ruining response?
Likely cause: R is chosen for “normal” signal levels, but surge injection is dominated by clamp voltage and transient source impedance.
Quick check: Compute a first bound: R ≥ (V_event − V_clamp) / I_inj_limit, then validate bandwidth/settling with the total input C (sensor + TVS Cj + pin C).
Fix: Use a staged approach: small series R at the pin for injection control, plus entry shunt (TVS to chassis) for energy; keep the “limiter corridor” as the only bridge into the precision zone.
Pass criteria: Injection current stays within the front-end’s safe limit during the event; step response/settling still meets the system timing window.
Why does the INA survive the surge but the reading stays saturated afterward?
Likely cause: A clamp/bias node (VMID/VREF/output load) is charged or shifted by injection and has no fast discharge path, leaving the signal chain pinned.
Quick check: Scope INA output, ADC input, and the bias/reference node; check whether the node returns slowly and whether the output remains at a rail or clamp plateau.
Fix: Add controlled discharge/bleed for VMID/VREF/output nodes; prevent rail clamp injection from charging bias networks; ensure post-event recovery does not depend on a reboot.
Pass criteria: Output and bias nodes return to linear operation within the allowed recovery window, with no manual reset required.
What is the most common back-power path in rail-clamped inputs?
Likely cause: Input protection diodes/clamps conduct into AVDD/IOVDD, lifting a rail that then cross-feeds other domains through ESD structures and I/O pins.
Quick check: Power the board off and apply a small controlled input stimulus; watch AVDD/IOVDD rise and observe unexpected partial power on digital pins or references.
Fix: Add ideal-diode/ORing isolation, rail discharge/bleed, and a defined sink path; reduce injection with series R and prefer entry-to-chassis diversion for high-energy events.
Pass criteria: With main power off, rails remain off (no phantom rise); with power on, no partial-power windows occur during surges.
How to tell whether the failure is TVS wear-out or INA latch-up?
Likely cause: TVS wear-out shifts leakage/clamp behavior over time; latch-up shows abnormal supply current and a stuck state that often clears only after power removal.
Quick check: Measure post-event quiescent current and input leakage at a controlled bias; compare channel-to-channel and against a known-good board.
Fix: For TVS wear-out: upgrade energy rating and return path, and add staged limiting; for latch-up: increase series limiting, enforce rail integrity, and prevent back-power/ground-shift triggers.
Pass criteria: Post-event Iq and leakage return to normal and remain stable across repeated events; no “stuck” states appear.
Why does adding a bigger TVS sometimes make things worse (capacitance / layout / return)?
Likely cause: Higher Cj loads the sensor and slows/warps response; lower dynamic resistance can increase surge current and ground/chassis stress if return is not controlled.
Quick check: Compare bandwidth/settling and the surge waveform at the TVS node; look for increased ground shift, longer recovery tails, or new resets after TVS change.
Fix: Split roles: a low-C clamp near the precision zone (if needed) plus a higher-energy shunt at the connector to chassis; keep the return loop short and stitched.
Pass criteria: Dynamic response remains within spec and surge events do not introduce resets, long saturation, or new recovery tails.
How to design for “safe-fail” when the TVS shorts?
Likely cause: Shorted TVS can turn a protected port into a hard short that drags shared rails/returns unless current is localized and the fault is detectable.
Quick check: Force a “TVS short” condition in analysis (or by substitute) and verify rail stability, fuse/PTC behavior, and fault indication at the system level.
Fix: Add series protection (PTC/fuse) to localize current, define a diagnosable fault state (channel disable/alarm), and avoid shared bottlenecks in return copper.
Pass criteria: A TVS short produces a stable, diagnosable fault without collapsing system power or causing secondary damage.
Where should the surge current return: chassis, signal ground, or supply return?
Likely cause: Returning surge current through signal ground or supply return creates ground shift and rail disturbances that look like “mystery failures.”
Quick check: Observe ground/reference movement at the ADC/INA area during a surge event; any coincident shift implies the return path is crossing sensitive territory.
Fix: Prefer chassis/entry return with a short loop and via stitching; if chassis is not available, create a dedicated “dirty return” corridor that never crosses the precision ground/reference region.
Pass criteria: Surge return currents do not cause measurable reference/ground shifts in the precision zone, and system behavior remains stable.
What to measure first on the scope to debug a surge-induced failure in minutes?
Likely cause: Debug stalls because measurements miss the actual clamp/return/rail interaction that triggers the failure chain.
Quick check: Use 4 probes: (1) connector input node, (2) TVS/clamp node, (3) AVDD/DVDD rail, (4) INA output or ADC input; capture the same event and align timing.
Fix: If rails wobble → fix return + rail sink/hold-up; if clamp node overshoots → improve TVS selection/placement; if output saturates long → add discharge/bleed on bias/output nodes.
Pass criteria: The failure root is visible in one capture (clamp/rail/output chain) and is resolved by a topology/layout change, not by “trying parts.”
How to verify recovery without hiding problems behind a reboot?
Quick check: Run a “no-reboot recovery test”: continuous streaming/logging through the event and for a defined post-event window; track offset/gain/rail state and saturation time.
Fix: Add discharge/bleed on charged nodes, prevent phantom power, and ensure clamps return current away from the precision zone so recovery is intrinsic.
Pass criteria: Without any reboot, readings return to the pre-event baseline behavior within the allowed window and remain stable across repeated events.
When is an active protection switch worth it over passive networks?
Likely cause: Passive networks cannot satisfy both survivability and measurement performance when events are long-duration (miswire) or energy is high and rails must stay clean.
Quick check: If required series R/PTC values would violate bandwidth/settling, or if rail clamp repeatedly causes phantom-power/rail collapse, passive-only is unlikely to meet targets.
Fix: Use an active surge-stopper / hot-swap style limiter and rail isolation (ideal diode/ORing) to keep rails in a defined state while limiting energy into the precision corridor.
Pass criteria: Survivability is achieved without compromising required response, and post-event recovery is deterministic (no resets, no long saturation tails).
