Monitors CPU execution. More...
Classes | |
| struct | sl_iec60730_watchdog_t |
| Watchdog component configuration structure. More... | |
Macros | |
| #define | SL_IEC60730_WDOGINST_NUMB 1 |
| Default configuration number of enabled watchdog. | |
| #define | SL_IEC60730_WDOG_WAIT_TIMEOUT (uint32_t) 0x0000FFFFUL |
| Timeout time to wait for wachdog to reset. | |
| #define | SL_IEC60730_WDOG_INST(n) WDOG##n |
| Define gets the default value of watchdog(n). | |
| #define | SL_IEC60730_RST RMU |
| Hardware manages the reset cause of the device. With series 2 is EMU. | |
| #define | SL_IEC60730_RSTCAUSE_POR RMU_RSTCAUSE_PORST |
| The reset cause of the device is power on reset. | |
| #define | SL_IEC60730_RSTCAUSE_EM4 RMU_RSTCAUSE_EM4RST |
| The reset cause of the device is em4 reset. | |
| #define | SL_IEC60730_RSTCAUSE_WDOG0 RMU_RSTCAUSE_WDOGRST |
| The reset cause of the device is watchdog reset. | |
| #define | SL_IEC60730_RSTCAUSE_WDOG1 RMU_RSTCAUSE_WDOGRST |
| The reset cause of the device is watchdog reset. | |
| #define | SL_IEC60730_RSTCAUSES_CLEAR() |
| Function macro clear hardware reset cause bit SL_IEC60730_RST. | |
| #define | SL_IEC60730_RSTCAUSE (SL_IEC60730_RST->RSTCAUSE) |
| Enable bit flag clear causes reset. | |
| #define | SL_IEC60730_RSTCAUSE (SL_IEC60730_RST->RSTCAUSE) |
| Enable bit flag clear causes reset. | |
| #define | SL_IEC60730_RST_POR (SL_IEC60730_RSTCAUSE & SL_IEC60730_RSTCAUSE_POR) |
| #define | SL_IEC60730_RST_EM4 (SL_IEC60730_RSTCAUSE & SL_IEC60730_RSTCAUSE_EM4) |
| #define | SL_IEC60730_RST_WDOG0 (SL_IEC60730_RSTCAUSE & SL_IEC60730_RSTCAUSE_WDOG0) |
| #define | SL_IEC60730_RST_WDOG1 (SL_IEC60730_RSTCAUSE & SL_IEC60730_RSTCAUSE_WDOG1) |
| #define | SL_IEC60730_RST_WDOGS (SL_IEC60730_RST_WDOG0 || SL_IEC60730_RST_WDOG1) |
| #define | SL_IEC60730_BURAM_IDX 0UL |
| index buram to store the value | |
| #define | SL_IEC60730_WDOG0_ENABLE 1 |
| Enable Watchdog 0. | |
| #define | SL_IEC60730_WDOG1_ENABLE 0 |
| Enable Watchdog 1. | |
| #define | SL_IEC60730_SAVE_STAGE_ENABLE 0 |
| Enable saving iec60730_watchdog_state to backup RAM on Series 2. | |
| #define | SL_IEC60730_RSTCAUSES_CLEAR_ENABLE 1 |
| Reset cause flags in the RSTCASUES register. | |
Enumerations | |
| enum | sl_iec60730_test_watchdog_t { SL_IEC60730_WATCHDOG_INVALID = 0, SL_IEC60730_WATCHDOG_TESTING = 1, SL_IEC60730_WATCHDOG_VALID = 2 } |
| State of watchdog testing. More... | |
Functions | |
| void | sl_iec60730_restart_watchdogs (void) |
| sl_iec60730_test_result_t | sl_iec60730_watchdog_post (void) |
Variables | |
| volatile sl_iec60730_test_watchdog_t | iec60730_watchdog_state |
Detailed Description
Monitors CPU execution.
For IEC60730, a watchdog timer must be enabled to validate proper operation of the Program Counter. A watchdog timer resets the device if it has not been restarted.
Hardware Architecture
The second implementation has a dedicated watchdog peripheral WDOG0, WDOG1 watchdog timers in the EFR32 family.
- Warning
- - The watchdog timer must be disabled during flash page erase.
Failure Risks
The watchdog timer will force entry into Safe State if the firmware program execution does not return to the BIST quick enough. This will detect a failure that causes the CPU to halt or enter an infinite loop. The watchdog timer POST verifies that a watchdog timer reset is possible.
OEMs must ensure that their system works reliably in all modes of operation using the watchdog timeout. Insufficient testing may allow for firmware states that inadvertently trigger a watchdog reset.
Software Architecture
For the EFR32 IEC60730 implementation, Figure 1 shows the logic flow chart of the Watchdog Timer during POST. The POST test determines if the reset source was a power-on, and if so, validates that a watchdog reset can occur. If the reset source was a watchdog reset, it determines if the watchdog reset was expected as part of POST testing, or unexpected. An unexpected reset causes immediate sl_iec60730_safe_state() entry. Otherwise normal operation continues.
The main loop must execute sl_iec60730_bist() faster than the nominal timeout, or call sl_iec60730_restart_watchdogs(). After sl_iec60730_bist() has confirmed all modules are operating correctly it restarts the Watchdog Timer with sl_iec60730_restart_watchdogs(). If a module is not operating correctly, sl_iec60730_bist() calls sl_iec60730_safe_state(). sl_iec60730_safe_state() will call sl_iec60730_restart_watchdogs() continuously. The system must be powered down and restarted to resume normal operation.
The function sl_iec60730_watchdog_post() will set the timeout period (PERSEL) to minimum when check watchdog units to avoid wasting time.
Software Configuration
The number of watchdog units that are tested by lib is defined by config code by defining the macros "#SL_IEC60730_WDOGINST_NUMB" and SL_IEC60730_WDOGx_ENABLE (x = 0, 1). The number of Watchdog unit depends on target EFR32 series. Example for series 1:
- #define SL_IEC60730_WDOGINST_NUMB 1
- #define SL_IEC60730_WDOG0_ENABLE 1
User can define macro SL_IEC60730_WDOG_INST(n) to select appropriate watchdog peripheral. User can define macro SL_IEC60730_RST to select appropriate reset peripheral.
If these macros are not defined then the default configuration will be used.
To clear reset cause flags in the RSTCASUES register after watchdog testing completed -> Enable the definition of macro SL_IEC60730_RSTCAUSES_CLEAR_ENABLE on file sl_iec60730_config.h. By default this feature is disabled.
If the Watchdog module is build in secure mode then the macro must not be defined SL_IEC60730_NON_SECURE_ENABLE and defined SL_TRUSTZONE_SECURE to enable the lib using secure address of the watchdog peripheral.
- Warning
- The static variable iec60730_watchdog_count must be located at memory location that is not cleared when system startup (section ".ram_no_clear").
- The global variable iec60730_watchdog_state must be located at memory location that is not cleared when system startup. And it should be located at section ram_no_clear in RAM block that is available on EFR32 Series 1 devices (section ".ram_no_clear"). This will avoid the missing contain of the variable when device returns from the power saving mode EM4.
On EFR32 Series 2 devices, they have backup RAM (BURAM) that could be used to save value of the variable. To enable saving iec60730_watchdog_state to backup RAM on Series 2, enable the macro SL_IEC60730_SAVE_STAGE_ENABLE on file sl_iec60730_config.h. By default it will be disabled. Define macro SL_IEC60730_BURAM_IDX to select which register of the BURAM will be used. The default value is 0x0.
Enumeration Type Documentation
◆ sl_iec60730_test_watchdog_t
Function Documentation
◆ sl_iec60730_restart_watchdogs()
| void sl_iec60730_restart_watchdogs | ( | void | ) |
public IEC60730 Watchdog Restart
- Returns
- None.
This function abstracts the differences between the EFR32 family watchdog timers. OEMs can call it during long duration executions to restart the watchdog timer.
◆ sl_iec60730_watchdog_post()
| sl_iec60730_test_result_t sl_iec60730_watchdog_post | ( | void | ) |
public IEC60730 Watchdog Power On Self Test
- Returns
- sl_iec60730_test_result_t If a non-watchdog reset occurred, test watchdog (will not return). Otherwise determine if watchdog reset was planned or unplanned. Unplanned watchdog resets result in failure and entry to Safe State. Planned watchdog resets return SL_IEC60730_TEST_PASSED.
This function will test the watchdog timer by forcing a watchdog reset on the first power-up. Any subsequent watchdog reset forces entry into sl_iec60730_safe_state().
- Warning
- Remove all accesses to Watchdog Timer hardware from init device. Reset state of pins must be safe for the device. During POST test, device pins will be kept in reset state while validating watchdog reset.
Variable Documentation
◆ iec60730_watchdog_state
| volatile sl_iec60730_test_watchdog_t iec60730_watchdog_state |
Global variable used to track watchdog testing state.
- Warning
- Must be placed in a memory area not cleared to 0x0 on start!
