To make sure that all the POL converters are switched off in the event of one of them failing, those upstream on the EN chain are disabled by a fault control circuit.

The Xilinx KU060 FPGA has tight tolerances on the supply rails and overvoltage limits which are close to the operating voltage. This means that it was not possible to use the power good signals from the POL converters for overvoltage detection. A separate overvoltage detection circuit was used. This comprises a voltage reference (LM4050QML-SP) and set of comparators (LM139AQML-SP), one for each POL converter, which compares the sensed voltage against the maximum permitted value. If an overvoltage is detected, the overvoltage detection circuit asserts the OVD(L) signal. In addition, there are three additional overvoltage detection circuits on the power-supply board that can be used to monitor voltages on other boards in the STAR-Tiger unit and switch off the unit if a potentially damaging fault occurs. Additional POL converters on other boards are monitored by overvoltage circuitry on those boards. If an overvoltage is detected, a FAULTx(L) signal is asserted which drives the OVD(L) signal on the power-supply board, disabling power.

An additional POL enable signal, XPOLEN, is provided for the external POL converters on the other boards in the STAR-Tiger unit. When XPOLEN is asserted the external POL converters are enabled.

The fault control circuit comprises a reset timer, ONTIME, (LM139AQML-SP), and some logic gates (SN54AC00-SP) which are powered by a 3.3-V regulator, the TPS7H1101A-SP, that is powered by Vmain. When the input power switch turns on, the timer is powered by the regulator and the output remains asserted for a power-on timeout period. This power-on timeout is set to be longer than the maximum expected time for the POL converters to all power up and for PGC to be asserted. No faults can be detected during this initial power-up interval. The power-on timeout is also used to provide a system reset signal. The following faults can be detected:

• The POL converters have not reached their power good state in the expected time period. This condition is detected by PGPOLx(H) not being asserted before the power-on timeout timer expires. The POL converters on the other boards are linear regulators and do not have power good outputs.
• One or more POL converters becoming overvoltage, undervoltage, or overtemperature. This condition is detected by the POL converter with the fault de-asserting the power good signal which propagates along the POL power-good and power-enable chain resulting in PGPOLx(H) being de-asserted. The fault is detected when PGPOLx(H) is de-asserted at any time after the power-on timer has expired.
• The overvoltage detection circuit detects that one of the sensed voltages has exceeded a set threshold value and is in danger of damaging the FPGA. When this condition is detected on any of the sensed voltages, the OVD(L) signal is asserted.
• There are also two linear regulators on the FPGA board. POLH is a TPS7H1101A-SP LDO regulator providing 1.2-V VMGTAVTTRCAL and POLJ is a TPS7A4501-SP linear regulator providing 3.3 V for the SpaceWire transceivers on the FPGA board. POLH and POLJ are also monitored by the overvoltage detection circuit on the power-supply board.
• POLH and POLJ are monitored by overvoltage detectors on the power-supply board using the signals POLH_MON and POLJ_MON. POLG_MON is used to monitor the MGTVCCAUX rail on the FPGA board.
• There are three further TPS7A4501-SP linear regulators on the configuration and scrubbing board which are monitored by local overvoltage comparators. When an overvoltage fault is detected, the FAULTx(L) signal is brought low. FAULTx(L) on the FPGA and other boards is connected to OVD(L) on the PSU board, so when FAULTx(L) is brought low, the power switches are turned off and the POL converters disabled.
• Overtemperature of the FPGA or the FPGA board is detected by a TMP461-SP temperature sensor. This sensor is located on the FPGA board which monitors local (board) or remote (FPGA) temperature and which asserts the FAULTx(L) output when an overtemperature condition occurs.

When a fault occurs, the fault control circuit disables the POL converters and asserts the OFF(H) signal, switching off the two power switches. The fault control circuit and comparators are powered from the 3.3-V regulator (REG_3V3), which is powered directly from the 5-V nominal or redundant inputs. Diode ORing is used to combine these two power sources together for the REG_3V3 supply because the load is low. Since the fault control circuitry is not switched off by the power switches, the power switches remain disabled once a fault has occurred. To recover from this fault condition, power-down both the nominal and redundant 5-V inputs and to then turn one on again.

The REG_3V3 supply also provides the 3V3AUX supply to other boards which is used to power the overvoltage detection circuits on those boards.