The most basic approach to power redundancy is to connect two regulated outputs in parallel, each through a diode. For instance, two TPS7H4011-SP step-down converter devices can be configured to feed a single power rail. The diodes maintain that if one supply fails, for example, due to a short-to-ground in the output capacitor,the other remains unaffected and continues to deliver power.

The TPS7H4011-SP like its pin-compatible rad tolerant version TPS7H4011-SEP is especially suited for this configuration due to its integrated protection and monitoring features:

• Power-good output monitor for undervoltage and overvoltage
• FAULT input pin for flexible fault management
• Selectable current limit
• Thermal shutdown protection
• Adjustable input enables and power-good output
• Monotonic start-up into pre-biased outputs
• Adjustable slope compensation and soft-start
• Differential remote sensing

The device can be configured with up-to four devices in parallel without an external clock, either for increased current capabilities or – with regards to FDIR - simply for redundancy with minimized design overhead.

However, robust power systems often require more than just passive diodes. To prevent fault feedback into the main power rail, it may be necessary to actively disconnect a faulty converter from its input side.

This requires:

• Switching elements to isolate the failing device
• Fault detection logic for overcurrent, undervoltage, overvoltage, or overtemperature events
• Latch circuits to retain the fault state after the root cause disappears
• Timing mechanisms to implement retry logic with appropriate delay and retry limits
• Blanking periods to suppress false triggers during events like power-up inrush or benign transients

If not carefully designed, these added elements could actually reduce overall system reliability by increasing the mean time to failure (MTTF). Therefore, smart redundancy requires a well-integrated and tested architecture.

One way to streamline complex redundancy control is to use a high-reliability MCU such as the TMS570LC4357-SEP. If already present on the PCB for other functions, it can also manage power fault response with minimal additional circuitry—adding value without inflating component count or power budget.

Taking the concept one step further, the design principle shown in Figure 6-1 enables fault tolerance with no single point of failure, meaning that any single component in the redundancy scheme can fail without compromising the power delivery to downstream systems. [2]

Using TPS7H2221-SEP as load switch contributes further to robustness and recoverability with its integrated protection features and mechanisms such as:

• Short-circuit protection
• Inrush current limiting to reduce stress on upstream components
• Thermal shutdown with automatic restart
• Quick Output Discharge (QOD) to recover latched downstream loads (see Figure 6-2).

A practical example of optimized redundancy is presented in a joint white paper by Texas Instruments and STAR-Dundee [4], detailing a fault-protected power architecture for the Xilinx KU060 FPGA (see Figure 6-2), as discussed in the application brief, Power Supply for the STAR-Tiger SpaceFibre Routing Switch.

It demonstrates redundant power input management, proper power sequencing and comprehensive fault detection and isolation mechanisms with very low number of components added. The design utilizes the TPS7H2201-SP smart load switch that integrates over-voltage and under-voltage protection, over-current and current sensing, along with thermal protection and internally- or externally- controlled load switching.

The two examples above illustrate how high-performance, space-grade components can be used to build a robust, fault-tolerant system-level power solution for demanding satellite applications.