Add Fail-Safe Shoot-Through Protection To Power MOSFET
MOSFETs are widely used as power switching elements in regulators and motor controllers. They can be either discrete devices or integrated into ICs in various H-bridge configurations.
A common arrangement uses a high-side (HS) power MOSFET, M1, and a low-side (LS) MOSFET, M2, to drive an inductive load (Fig. 1). When the HS FET is switched on and LS FET is switched off, current goes from power-supply VCC to inductor L0 and beyond. When the HS FET is switched off and LS FET is switched on, inductor current continues to flow synchronously from ground to L0.
A serious short-circuit condition called shoot-through occurs when both the HS and LS power FETs are on at the same time. Shoot-through can happen even if we never intend to have both FETs on simultaneously. For instance, when the HS FET is commanded on and the LS FET is commanded off, logic propagation delay and the time required for charging or discharging the FETs’ gate capacitances can cause a short period when the HS FET is half on and the LS FET is half off. If so, current flows directly from VCC to GND through both FETs (shoot-through).
Our design for fail-safe MOSFET shootthrough protection is embedded in the half H-bridge topology in Figure 1. The HS_ ON signal, responsible for turning the HS FET on and off through the HS driver, is generated by a digital microcontroller or by a feedback loop that includes a comparator or an error amplifier.
The HS driver translates low-power logic- level signals to the high-power HS_ON signal. Similarly, the LS_ON signal turns the LS FET on and off through the LS driver. The circuit controls a motor system or a buck regulator by correctly sequencing the two power MOSFETs.
The protection scheme senses the conduction states of the HS and LS FETs. The HS FET is prohibited from turning on unless the LS device is completely off, and vice versa. Our anti-shoot-through design provides adequate protection to the MOSFET H-bridge during normal operation and guarantees a fail-safe operation in case of severe noise interference or a faulty control routine in the system.
To turn on the HS FET, the system sets signal HS_ON to high. This design is such that HS_EN is high if the LS FET is off (more on this later). HS_ON high leads to latch LSR0 setting output QZ (LS_EN) low, which disables the LS FET. Also responding to this HS_ON request, the HS driver turns on the HS FET by applying a voltage across its gate and source (VGS).
The HS FET’s on state is detected by the HS VGS monitor, so the HS_IS_ON signal is asserted high and LS_EN_RST remains low. The end result is LS_EN remains low and the LS FET isn’t allowed to turn on. As long as the HS FET is on, the LS FET is disabled. To make the scheme work, HS_ON must also be used at the NOR gate (NOR0) input. This also ensures that LS_EN is kept low whenever HS_ON is high.
Under normal conditions, HS_ON and HS_IS_ON are sufficient to keep the LS FET off when the HS FET is intended to turn on or is indeed on. In practice, the presence of noise interference (or a system fault) often produces glitches in the control signals that make HS_IS_ON unreliable (the VGS monitor fails) due to the limited response time of the driver and VGS monitor (logic race). In this case, LS_EN_BLANK guarantees a fail-safe operation, as described below.
Each time HS_ON is switched from low to high, an edge detector (R0, C3, AND4) produces a 20-ns pulse to turn on M0 for a short time and start the one-shot (M0, C2, INV0), which outputs a 150-ns LS_EN_BLANK pulse to hold LS_EN low for 150 ns. Within this 150 ns, any attempt to turn on the LS FET is an abnormal and unsafe operation. Therefore, the LS FET is kept firmly off. I3UA is a 3-µA current source charging C2. The 150-ns blanking is re-triggerable because of the 20-ns short triggering pulse. This ensures that the protection circuit will function even when multiple interfering glitches are present in the HS_ON line.
Although we used 150 ns here as an example, in general the oneshot must be longer than the total signal propagation delay of both the HS VGS monitor and HS driver, including contributions by all parasitic components. But the one-shot length must be shorter than the normal HS_ON pulse width to avoid interfering with normal operation. For system stability, latch LSR0 acts as a lowpass filter that rejects noise in the control loop.
In Figure 2, the first column of signals (left side) illustrates normal operation. The signal names correspond to those in Figure 1. When HS_ON goes high to tell the driver to turn on the HS FET, HS_FET_G-HS_FET_S becomes high. The monitor circuit detects this and correctly reports HS_IS_ON to disable the LS FET (LS_EN is low) until after the HS FET is completely off (HS_FET_G-HS_FET_S is close to zero).
The second column of signals (right side) illustrates an abnormal operation. When the HS_ON command is terminated prematurely by noise or a firmware glitch, the HS FET is half on. The HS monitor fails to detect this HS FET on state due to its limited response time, so it erroneously reports HS_IS_ON to be low. Without the LS_EN_ BLANK, the LS_EN signal would have become high, allowing the system to turn on the LS FET while the HS FET is still half on. Thanks to the LS_EN_BLANK pulse, LS_EN stays low for 150 ns, allowing the HS FET gate voltage to settle to low before LS_EN is asserted to high. As a result, shoot-through is avoided.
For simplicity, Figure 1 omits the circuit block that derives HS_EN. Simply use the same circuit that generates the LS_EN signal to monitor the LS_FET_G and LS_ON signals to also produce the HS_EN signal.