Well it turns out that I hadn't told you the whole story, because I had been making assumptions about the source of the problem.
I had been looking for voltage spikes, as I had assumed, as colin55 said, that voltage is what usually kills these things.
In this case it was current.
Flowing backwards through the regulator.
After many tests I found that additional capacitors made no difference, but I noticed that the regulator would not fail unless the PIC was programmed.
Following that up, I found that it was the action of turning on the mosfet that killed the regulator. If I left it turned off, or linked it out, the regulator was fine.
What was happening was that the 4V line would rise from zero to about 3V. That is controlled by a ramp capacitor and is quite slow. If at the point, the 12 V input was disconnected, due to switch bounce, the 4 V supply stayed at 3 V and only decayed slowly. When the PIC turned the mosfet on, the two additional 100 µF capacitors pulled the 4 V line down.
The body diode within the
ZXCL300 turned on, and pulled down the voltage on the 10 µF capacitor. That exceeded the 30 mA reverse that the diode is rated at. I think that caused the ZXCL300 to latch up and effectively short out the 4 V supply.
If that was the moment that switch bounce caused the 12 V to be applied, the full short-circuit current from the 4 V, 2 A supply was conducted to ground through the ZXCL300, causing the smoke.
The software fix is to delay turning on the mosfet for several seconds, to make it far less likely that the 12 V is off and will turn on a few ms after the mosfet. If the 4 V supply is at 4 V and running when the mosfet turns on, the voltage dips much less, and there isn't much, if any, reverse current in the ZXCL300.
The hardware fix is a schottky diode across the ZXCL300 so that the 10 µF capacitor can be discharged back to the 4 V line without causing latch-up in the ZXCL300.
I am guessing about the latch-up. The ZXCL300 data sheet says that 5 mA continuous and 30 mA peak is what is allowed backwards through the regulator. I am exceeding that, but I had thought that the energy stored in a 10 µF capacitor at 3 V wouldn't do any damage. However, I hadn't considered latch-up. The data sheet for a competitor's product, the
**broken link removed** doesn't allow any reverse current and mentions latch-up, so I think that is what is happening.