FuSa 8-Bit Libraries Safety Framework
Tasks Config

Defines and declares configurations for Tasks. More...

Topics

 Tasks Defines
 Defines macros used to configure Tasks in the tasks_config.h file.

Files

file  tasks_config.c
 Defines and initializes configurations for Tasks.

Macros

#define STRICT_SAFE_STATE   DISABLED
 Configures whether to use a strict Safe State to Mission Mode transition in TM_PreStartup and TM_Startup.
#define HEARTBEAT_OUTPUT   ENABLED
 Enables the heartbeat output signal on an I/O pin before entering Mission Mode.
#define SWDT_OPEN_WINDOW   1000U
 Configures the open window size used for the Synchronous Watchdog (SWDT).
#define WWDT_CLOSED_WINDOW   WDT_TIMEOUT_CLK8
 Configures the Windowed Watchdog Timer (WWDT) closed window duration in Mission Mode.
#define WWDT_OPEN_WINDOW   WDT_TIMEOUT_CLK128
 Configures the Windowed Watchdog Timer (WWDT) Open Window duration in Mission Mode.
#define INIT_WDT_DURATION   WDT_TIMEOUT_CLK128
 Configures the timeout period, from executing T_InitSafetySystem to the first T_HandleWatchdog call, in OSC32K clock cycles.
#define INIT_SWDT_DURATION   4000UL
 Configures the run-time duration between executing T_InitSafetySystem and the first T_HandleSyncWatchdog call in main clock cycles.
#define INIT_CLOCK_FRQ   CLK_FRQ_20_MHZ
 Configures the clock frequency for the device.
#define INIT_CLOCK_DIV   CLK_FRQ_DIV_OFF
 Configures the clock division for the device.
#define INIT_REDUNDANT_CFD   ENABLED
 Enables or disables redundant CFD initialization.
#define INIT_CFM0_WIN_REF   20U
 Configures the reference value for the Clock Frequency Measure 0 (CFM0) window.
#define INIT_CFM0_WIN_HIGH   13427U
 Configures the high value of the Clock Frequency Measure 0 (CFM0) window.
#define INIT_CFM0_WIN_LOW   10986U
 Configures the low value of the Clock Frequency Measure 0 (CFM0) window.
#define INIT_REDUNDANT_CFM   DISABLED
 Enables or disables redundant CFM initialization.
#define INIT_ERRCTRL_TIMEOUT   255U
 Configures the ALARM and CONFIG state timeout period for the Error Controller.
#define INIT_FLOAT_NONCRITICAL   DISABLED
 Configures whether all I/O pins should be floated (tri-stated) when an error controller channel, errCh_t, with errCrit_t of NON_CRITICAL is set.
#define INIT_FLOAT_NOTIFICATION   DISABLED
 Configures whether all I/O pins should be floated (tri-stated) when an error controller channel, errCh_t, with errCrit_t of NOTIFICATION is set.
#define INIT_INT_ROUND_ROBIN   DISABLED
 Configures round robin schedule scheme for level 0 interrupts.
#define INIT_INT_ALT_VECTOR_LOC   DISABLED
 Configures alternative interrupt vector location when using a bootloader.
#define INIT_INT_LVL0_START   0U
 Configures the execution priority order of level 0 (normal priority) interrupt vectors.
#define INIT_INT_LVL1   0U
 Configures which interrupt vector should have the level 1 (highest) priority.
#define INIT_VMON_ALWAYS_ON   ENABLED
 Configures whether the Voltage Regulator Monitor (VMON) is enabled in deep sleep modes.
#define INIT_VMON_FULL_POWER_MODE   DISABLED
 Configures the Voltage Regulator Monitor (VMON) power mode.
#define INIT_VLM_THRESHOLD   VLM_THRESHOLD_PCT_15
 Configures the Voltage Level Monitor threshold.
#define INIT_VLM_TRIGGER   VLM_TRIGGER_FALLING
 Configures the Voltage Level Monitor trigger condition.
#define INIT_NVM_ECC_ALL_ONES   ECC_ALL_ONES_ALL
 Configures the "ECC all ones" scheme in Non-Volatile Memory.
#define INIT_STACK_LIMIT   0x7E6FU
 Configures the max depth of the hardware call stack by setting the Stack Pointer limit address.
#define INIT_STACK_LIMIT_LOCK   ENABLED
 Configures whether the Stack Pointer Limit (SPLIM) LOCK should be enabled or disabled.
#define DIAG_STARTUP_CFD0   DISABLED
 Enables or disables execution of the CFD0 diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_CFD1   DISABLED
 Enables or disables execution of the CFD1 diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_CFM0   ENABLED
 Enables or disables execution of the CFM0 diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_CFM1   DISABLED
 Enables or disables execution of the CFM1 diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_ECC_EEPROM   DISABLED
 Enables or disables execution of the EEPROM diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_ERRCH_SPLIM   ENABLED
 Enables or disables execution of the SPLIM error channel diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_ERRCH_CFD0   ENABLED
 Enables or disables execution of the CFD0 error channel diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_ERRCH_CFD1   ENABLED
 Enables or disables execution of the CFD1 error channel diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_ERRCH_CFM0   DISABLED
 Enables or disables execution of the CFM0 error channel diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_ERRCH_CFM1   DISABLED
 Enables or disables execution of the CFM1 error channel diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_ERRCH_EEPROM   ENABLED
 Enables or disables execution of the EEPROM error channel diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_ERRCH_EVSYS0   DISABLED
 Enables or disables execution of the EVSYS0 error channel diagnostic in T_RunStartupDiagnostics.
#define DIAG_STARTUP_ERRCH_EVSYS1   DISABLED
 Enables or disables execution of the EVSYS1 error channel diagnostic in T_RunStartupDiagnostics.
#define DIAG_PERIODIC_SWDT_COUNT   ENABLED
 Enables or disables execution of the SWDT count diagnostic in T_HandleSyncWatchdog.
#define DIAG_PERIODIC_WDT_COUNT   DISABLED
 Enables or disables periodic completion of the WDT Count diagnostic in T_HandleWatchdog.
#define DIAG_PERIODIC_CFD0   DISABLED
 Enables or disables execution of the CFD0 diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_CFD1   DISABLED
 Enables or disables execution of the CFD1 diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_CFM0   ENABLED
 Enables or disables execution of the CFM0 diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_CFM1   DISABLED
 Enables or disables execution of the CFM1 diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_VMON   DISABLED
 Enables or disables execution of the VMON diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_SWDT_EXPIRE   DISABLED
 Enables or disables execution of the SWDT expire diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_ECC_EEPROM   DISABLED
 Enables or disables execution of the EEPROM parity error diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_ERRCH_SPLIM   ENABLED
 Enables or disables execution of the SPLIM error channel diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_ERRCH_CFD0   DISABLED
 Enables or disables execution of the CFD0 error channel diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_ERRCH_CFD1   ENABLED
 Enables or disables execution of the CFD1 error channel diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_ERRCH_CFM0   ENABLED
 Enables or disables execution of the CFM0 error channel diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_ERRCH_CFM1   DISABLED
 Enables or disables execution of the CFM1 error channel diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_ERRCH_EEPROM   DISABLED
 Enables or disables execution of the EEPROM error channel diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_ERRCH_EVSYS0   DISABLED
 Enables or disables execution of the EVSYS0 error channel diagnostic in T_RunNextLatentFaultDiag.
#define DIAG_PERIODIC_ERRCH_EVSYS1   DISABLED
 Enables or disables execution of the EVSYS1 error channel diagnostic in T_RunNextLatentFaultDiag.
#define DUR_RUN_STARTUP_DIAGNOSTICS   35000UL
 Configures the run-time duration for T_RunStartupDiagnostics in system clock cycles.
#define DUR_START_MISSION_MODE   1500UL
 Configures the run-time duration for T_StartMissionMode in system clock cycles.
#define DUR_UNTIL_FIRST_SCHEDULE   200UL
 Configures the run-time duration between exiting TM_Startup and the first T_HandleSyncWatchdog call in system clock cycles.
#define DUR_RUN_NEXT_LATENT_FAULT_DIAG   2500UL
 Configures the run-time duration for T_RunNextLatentFaultDiag in system clock cycles.
#define DUR_HANDLE_NOTIFICATION_ERRORS   9000UL
 Configures the run-time duration for T_HandleNotificationErrors in system clock cycles.
#define DUR_HANDLE_RESET_REASON   2000UL
 Configures the run-time duration for T_HandleResetReason in system clock cycles.
#define DUR_INITIATE_IDLE_SLEEP   1000UL
 Configures the run-time duration for T_InitiateIdleSleep in system clock cycles.
#define PRE_STARTUP_SWDT_RESET_VAL   4000UL
 Configures the new SWDT reset value after performing the SWDT Expire diagnostic in T_RunResetDiagnosticFsm.
#define DIAG_PERIODIC_SWDT_RESET_VAL   2400UL
 Configures the new SWDT reset value after performing the SWDT Expire diagnostic in T_RunNextLatentFaultDiag.

Variables

const rstCallback_t resetReasonCallback = &T_ResetReasonExampleCallback
 Configures the user-configurable callback function used for application specific reset handling in T_HandleResetReason.
const rstCallback_t resetReasonCallback
 Configures the user-configurable callback function used for application specific reset handling in T_HandleResetReason.

Detailed Description

Defines and declares configurations for Tasks.

Version
1.0.0-alpha.1

This file declares the global defines and external constants used by Tasks. The constants are defined and initialized in tasks_config.c to ensure a single instance across all translation units using the configuration.

Macro Definition Documentation

◆ DIAG_PERIODIC_CFD0

#define DIAG_PERIODIC_CFD0   DISABLED

Enables or disables execution of the CFD0 diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the Clock Failure Detection channel 0 (CFD0) diagnostic in the T_RunNextLatentFaultDiag function. This diagnostic should be enabled if INIT_REDUNDANT_CFM is disabled and the application requires Latent Fault detection during Mission Mode. See tips_and_tricks for more information on how this can be implemented.

Warning
This configuration only ensures that T_RunNextLatentFaultDiag initiates the diagnostic. The end diagnostics are not called as part of the Run Startup Diagnostics function and must be scheduled as part of the TM_Startup schedule. It is the user's responsibility to determine when to call the end diagnostic to avoid calling it before the diagnostic is complete.
This diagnostic temporarily disables the safety mechanism in Mission Mode, potentially masking true faults during execution. It also disables global interrupt during execution, which may delay the servicing of other error-handling interrupts. The global interrupts are only disabled for the duration of the begin or end functions and are restored for the duration between the start and completion of this diagnostic.
Note
This diagnostic is disabled by default since the redundant CFD monitor is enabled by default in INIT_REDUNDANT_CFD.

Valid configurations:

Definition at line 857 of file tasks_config.h.

◆ DIAG_PERIODIC_CFD1

#define DIAG_PERIODIC_CFD1   DISABLED

Enables or disables execution of the CFD1 diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the Clock Failure Detection channel 1 (CFD1) diagnostic in the T_RunNextLatentFaultDiag function. This diagnostic should be enabled if CFD1 is used by the application while INIT_REDUNDANT_CFD is disabled and the application requires Latent Fault detection during Mission Mode. See tips_and_tricks for more information on how this can be implemented.

Warning
This diagnostic temporarily disables the safety mechanism in Mission Mode, potentially masking true faults during execution. It also disables global interrupt during execution, which may delay the servicing of other error-handling interrupts. The global interrupts are only disabled for the duration of the begin or end functions and are restored for the duration between the start and completion of this diagnostic.
Note
This diagnostic is disabled by default since the redundant CFD monitor is enabled by default in INIT_REDUNDANT_CFD.

Valid configurations:

Definition at line 882 of file tasks_config.h.

◆ DIAG_PERIODIC_CFM0

#define DIAG_PERIODIC_CFM0   ENABLED

Enables or disables execution of the CFM0 diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the Clock Frequency Monitor channel 0 (CFM0) diagnostic in the T_RunNextLatentFaultDiag function. This diagnostic should be enabled if INIT_REDUNDANT_CFM is disabled and the application requires Latent Fault detection during Mission Mode.

Warning
This diagnostic temporarily disables the safety mechanism in Mission Mode, potentially masking true faults during execution. It also disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.
Note
This diagnostic is enabled by default since the redundant CFM monitor is disabled by default in INIT_REDUNDANT_CFM.

Valid configurations:

Definition at line 904 of file tasks_config.h.

◆ DIAG_PERIODIC_CFM1

#define DIAG_PERIODIC_CFM1   DISABLED

Enables or disables execution of the CFM1 diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the Clock Frequency Monitor channel 1 (CFM1) diagnostic in the T_RunNextLatentFaultDiag function. This diagnostic should be enabled if CFM1 is used by the application while INIT_REDUNDANT_CFM is disabled and the application requires Latent Fault detection during Mission Mode.

Warning
This diagnostic temporarily disables the safety mechanism in Mission Mode, potentially masking true faults during execution. It also disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.
Note
This diagnostic is disabled by default since the usage of the CFM1 is application specific.

Valid configurations:

Definition at line 925 of file tasks_config.h.

◆ DIAG_PERIODIC_ECC_EEPROM

#define DIAG_PERIODIC_ECC_EEPROM   DISABLED

Enables or disables execution of the EEPROM parity error diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the EEPROM parity error diagnostic in the T_RunNextLatentFaultDiag function. This diagnostic should be enabled if the application requires Latent Fault detection during Mission Mode and EEPROM is used.

Note
This diagnostic is disabled by default since it's a redundant test of the NVM ECC checkers and since DIAG_STARTUP_ERRCH_EEPROM is enabled by default testing the EEPROM error channel.
Warning
This diagnostic can not be replaced with the MW_DiagNvmFlashEcc diagnostic since it only tests the ECC1 and ECC2 checkers and not the ECC comparator.
This diagnostic temporarily disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.

Valid configurations:

Definition at line 995 of file tasks_config.h.

◆ DIAG_PERIODIC_ERRCH_CFD0

#define DIAG_PERIODIC_ERRCH_CFD0   DISABLED

Enables or disables execution of the CFD0 error channel diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the CFD0 error channel diagnostic in the T_RunNextLatentFaultDiag function. This diagnostic should be enabled if DIAG_PERIODIC_CFD0 is disabled and the application requires Latent Fault detection during Mission Mode.

Warning
This diagnostic temporarily disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.

Valid configurations:

Definition at line 1033 of file tasks_config.h.

◆ DIAG_PERIODIC_ERRCH_CFD1

#define DIAG_PERIODIC_ERRCH_CFD1   ENABLED

Enables or disables execution of the CFD1 error channel diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the CFD1 error channel diagnostic in the T_RunNextLatentFaultDiag function. The diagnostic should be enabled if the CFD1 error channel is in use while DIAG_PERIODIC_CFD1 is disabled and the application requires Latent Fault detection during Mission Mode.

Warning
This diagnostic temporarily disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.

Valid configurations:

Definition at line 1052 of file tasks_config.h.

◆ DIAG_PERIODIC_ERRCH_CFM0

#define DIAG_PERIODIC_ERRCH_CFM0   ENABLED

Enables or disables execution of the CFM0 error channel diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the CFM0 error channel diagnostic in the T_RunNextLatentFaultDiag function. This diagnostic should be enabled if DIAG_PERIODIC_CFM0 is disabled and the application requires Latent Fault detection during Mission Mode.

Warning
This diagnostic temporarily disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.

Valid configurations:

Definition at line 1071 of file tasks_config.h.

◆ DIAG_PERIODIC_ERRCH_CFM1

#define DIAG_PERIODIC_ERRCH_CFM1   DISABLED

Enables or disables execution of the CFM1 error channel diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the CFM1 error channel diagnostic in the T_RunNextLatentFaultDiag function. This diagnostic should be enabled if CFM1 is in use while DIAG_PERIODIC_CFM1 is disabled and the application requires Latent Fault detection during Mission Mode.

Warning
This diagnostic temporarily disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.

Valid configurations:

Definition at line 1090 of file tasks_config.h.

◆ DIAG_PERIODIC_ERRCH_EEPROM

#define DIAG_PERIODIC_ERRCH_EEPROM   DISABLED

Enables or disables execution of the EEPROM error channel diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the EEPROM error channel diagnostic in the T_RunNextLatentFaultDiag function. The diagnostic should be enabled if the EEPROM is used while the DIAG_PERIODIC_ECC_EEPROM macro is not enabled and the application requires Latent Fault detection during Mission Mode and a more application specific error injection diagnostic is not implemented.

Warning
This diagnostic temporarily disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.

Valid configurations:

Definition at line 1110 of file tasks_config.h.

◆ DIAG_PERIODIC_ERRCH_EVSYS0

#define DIAG_PERIODIC_ERRCH_EVSYS0   DISABLED

Enables or disables execution of the EVSYS0 error channel diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the EVSYS0 error channel diagnostic in the T_RunNextLatentFaultDiag function. The diagnostic should be enabled if the EVSYS0 error channel is used and the application requires Latent Fault detection during Mission Mode and a more application specific error injection diagnostic is not implemented.

Warning
This diagnostic temporarily disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.

Valid configurations:

Definition at line 1129 of file tasks_config.h.

◆ DIAG_PERIODIC_ERRCH_EVSYS1

#define DIAG_PERIODIC_ERRCH_EVSYS1   DISABLED

Enables or disables execution of the EVSYS1 error channel diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the EVSYS1 error channel diagnostic in the T_RunNextLatentFaultDiag function. The diagnostic should be enabled if the EVSYS1 error channel is used and the application requires Latent Fault detection during Mission Mode and a more application specific error injection diagnostic is not implemented.

Warning
This diagnostic temporarily disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.

Valid configurations:

Definition at line 1148 of file tasks_config.h.

◆ DIAG_PERIODIC_ERRCH_SPLIM

#define DIAG_PERIODIC_ERRCH_SPLIM   ENABLED

Enables or disables execution of the SPLIM error channel diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the Stack Pointer Limit (SPLIM) error channel diagnostic in the T_RunNextLatentFaultDiag function. The diagnostic should be enabled if the application requires Latent Fault detection during Mission Mode and an actual SPLIM error injection diagnostic is not implemented.

Warning
This diagnostic temporarily disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.

Valid configurations:

Definition at line 1014 of file tasks_config.h.

◆ DIAG_PERIODIC_SWDT_COUNT

#define DIAG_PERIODIC_SWDT_COUNT   ENABLED

Enables or disables execution of the SWDT count diagnostic in T_HandleSyncWatchdog.

This macro configures, at compile-time, whether to include the Synchronous Watchdog Timer (SWDT) count diagnostic in the T_HandleSyncWatchdog function. This diagnostic should be enabled if the application requires Latent Fault detection during Mission Mode.

Valid configurations:

Definition at line 801 of file tasks_config.h.

◆ DIAG_PERIODIC_SWDT_EXPIRE

#define DIAG_PERIODIC_SWDT_EXPIRE   DISABLED

Enables or disables execution of the SWDT expire diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the Synchronous Watchdog Timer (SWDT) expire diagnostic in the T_RunNextLatentFaultDiag function. This diagnostic should be enabled if the application requires Latent Fault detection during Mission Mode.

Warning
The diagnostic is disabled by default as it requires special scheduling considerations. Since this diagnostic forces the SWDT to expire immediately, regardless of current count value, it must also set a new duration for the next SWDT period. This duration is configured using DIAG_PERIODIC_SWDT_RESET_VAL, and should be configured to account for the remaining SWDT period that was skipped.
This diagnostic temporarily disables the safety mechanism in Mission Mode, potentially masking true faults during execution. It also disables global interrupt during execution, which may delay the servicing of other error-handling interrupts.

Valid configurations:

Definition at line 971 of file tasks_config.h.

◆ DIAG_PERIODIC_SWDT_RESET_VAL

#define DIAG_PERIODIC_SWDT_RESET_VAL   2400UL

Configures the new SWDT reset value after performing the SWDT Expire diagnostic in T_RunNextLatentFaultDiag.

Since the diagnostic skips the remaining duration of the current SWDT period, this value should be configured such that the original SWDT duration is maintained, avoiding side effects of running the diagnostic. This value can be measured and configured compile-time if T_RunNextLatentFaultDiag is run in TM_Scheduler, where the task has a fixed SWDT duration, by looking at the SWDT count value before the error injection bit is set. Another option is to read the SWDT count value run-time before calling the diagnostic function directly. See MW_DiagSwdtExpire for more details.

Note
This macro is only used if DIAG_PERIODIC_SWDT_EXPIRE is ENABLED.

Default value assumes DUR_RUN_NEXT_LATENT_FAULT_DIAG of 2500 and 100 cycles until the diagnostic is executed. Measured WCET with no errors: TODO: Default value: TODO:

Todo
Set the correct value

Definition at line 1324 of file tasks_config.h.

◆ DIAG_PERIODIC_VMON

#define DIAG_PERIODIC_VMON   DISABLED

Enables or disables execution of the VMON diagnostic in T_RunNextLatentFaultDiag.

This macro configures, at compile-time, whether to include the Voltage Regulator Monitor (VMON) Over and Under diagnostics in the T_RunNextLatentFaultDiag function. This diagnostic should be enabled if the application requires Latent Fault detection during Mission Mode.

Warning
VMON diagnostics takes considerably longer time to execute compared to the other error injection diagnostics (up to 50-200 microseconds). This is because of how it interfaces with analog circuitry. Thus, T_RunNextLatentFaultDiag starts the diagnostic in interrupt mode, and relies on T_HandlePowerInterrupt to complete the diagnostic and report the result. This diagnostic will temporarily disable the VMON safety mechanism during Mission Mode and can mask a true fault from being detected during execution.

Valid configurations:

Definition at line 946 of file tasks_config.h.

◆ DIAG_PERIODIC_WDT_COUNT

#define DIAG_PERIODIC_WDT_COUNT   DISABLED

Enables or disables periodic completion of the WDT Count diagnostic in T_HandleWatchdog.

Warning
When enabling this diagnostic, it is assumed that MW_DiagWdtCountBegin is called before each call to T_HandleWatchdog with sufficient time separation, otherwise this diagnostic will always result in an error.
It is crucial to ensure a separation of at least 4 WDT Clock cycles between the start of the diagnostic and end, accounting for clock source frequency variations. This is because the synchronized count register is only updated every 4th WDT clock cycle. Instead of busy-waiting for the count register to be updated, a separate begin and end API is provided. See MW_DiagWdtCountEnd for more information.
Note
The Watchdog Timer (WDT) counter diagnostic is disabled by default since its execution depends on application specific schedules to start the diagnostic with sufficient time separation. See tips_and_tricks for information on whether to enable this diagnostic and how to use it.

Valid configurations:

Definition at line 827 of file tasks_config.h.

◆ DIAG_STARTUP_CFD0

#define DIAG_STARTUP_CFD0   DISABLED

Enables or disables execution of the CFD0 diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the Clock Failure Detection channel 0 (CFD0) diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled if INIT_REDUNDANT_CFD is disabled.

Warning
This configuration only ensures that T_RunStartupDiagnostics initiates the diagnostic. The end diagnostics are not called as part of the Run Startup Diagnostics function and must be scheduled as part of the TM_Startup schedule. It is the user's responsibility to determine when to call the end diagnostic to avoid calling it before the diagnostic is complete.
Note
This diagnostic is disabled by default since the redundant CFD monitor is enabled by default in INIT_REDUNDANT_CFD.

Valid configurations:

Definition at line 566 of file tasks_config.h.

◆ DIAG_STARTUP_CFD1

#define DIAG_STARTUP_CFD1   DISABLED

Enables or disables execution of the CFD1 diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the Clock Failure Detection channel 1 (CFD1) diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled if CFD1 is used by the application and INIT_REDUNDANT_CFD is disabled. See tips_and_tricks for more information on how this can be implemented.

Note
This diagnostic is disabled by default since the redundant CFD monitor is enabled by default in INIT_REDUNDANT_CFD.

Valid configurations:

Definition at line 584 of file tasks_config.h.

◆ DIAG_STARTUP_CFM0

#define DIAG_STARTUP_CFM0   ENABLED

Enables or disables execution of the CFM0 diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the Clock Frequency Monitor channel 0 (CFM0) diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled if the INIT_REDUNDANT_CFM is disabled.

Note
This diagnostic is enabled by default since the redundant CFM monitor is disabled by default in INIT_REDUNDANT_CFM.

Valid configurations:

Definition at line 601 of file tasks_config.h.

◆ DIAG_STARTUP_CFM1

#define DIAG_STARTUP_CFM1   DISABLED

Enables or disables execution of the CFM1 diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the Clock Frequency Monitor channel 1 (CFM1) diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled if CFM1 is used by the application and INIT_REDUNDANT_CFM is disabled.

Note
This diagnostic is disabled by default since the usage of the CFM1 is application specific.

Valid configurations:

Definition at line 617 of file tasks_config.h.

◆ DIAG_STARTUP_ECC_EEPROM

#define DIAG_STARTUP_ECC_EEPROM   DISABLED

Enables or disables execution of the EEPROM diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the EEPROM ECC diagnostic in the T_RunStartupDiagnostics function. The EEPROM ECC diagnostic is redundant to the Flash ECC diagnostic due to testing the same ECC checkers located in the NVM controller. This diagnostic can be enabled if a check of the entire chain from injection to Error Controller channel on EEPROM is desired. If enabled, the DIAG_STARTUP_ERRCH_EEPROM can be disabled as it only tests the EEPROM error channel in the Error Controller. This diagnostic is not needed if the application does not use EEPROM.

Warning
This diagnostic can not be replaced with the MW_DiagNvmFlashEcc diagnostic since it only tests the ECC1 and ECC2 checkers and not the ECC comparator.
Note
This diagnostic is disabled by default since it's a redundant test of the NVM ECC checkers and since DIAG_STARTUP_ERRCH_EEPROM is enabled by default testing the EEPROM error channel.

Valid configurations:

Definition at line 641 of file tasks_config.h.

◆ DIAG_STARTUP_ERRCH_CFD0

#define DIAG_STARTUP_ERRCH_CFD0   ENABLED

Enables or disables execution of the CFD0 error channel diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the CFD0 error channel diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled if DIAG_STARTUP_CFD0 is disabled.

Note
This diagnostic is enabled by default since the redundant CFD monitor is enabled by default by INIT_REDUNDANT_CFD. Testing only the error channel still makes sure that the Error Controller works as intended.

Valid configurations:

Definition at line 677 of file tasks_config.h.

◆ DIAG_STARTUP_ERRCH_CFD1

#define DIAG_STARTUP_ERRCH_CFD1   ENABLED

Enables or disables execution of the CFD1 error channel diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the CFD1 error channel diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled if the CFD1 is in use by the application while the DIAG_STARTUP_CFD1 is disabled.

Note
This diagnostic is enabled by default since the redundant CFD monitor is enabled by default by INIT_REDUNDANT_CFD. Testing only the error channel still makes sure that the Error Controller works as intended.

Valid configurations:

Definition at line 696 of file tasks_config.h.

◆ DIAG_STARTUP_ERRCH_CFM0

#define DIAG_STARTUP_ERRCH_CFM0   DISABLED

Enables or disables execution of the CFM0 error channel diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the CFM0 error channel diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled if DIAG_STARTUP_CFM0 is disabled.

Note
This diagnostic is disabled by default since the full CFM0 diagnostic is enabled by default in DIAG_STARTUP_CFM0.

Valid configurations:

Definition at line 714 of file tasks_config.h.

◆ DIAG_STARTUP_ERRCH_CFM1

#define DIAG_STARTUP_ERRCH_CFM1   DISABLED

Enables or disables execution of the CFM1 error channel diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the CFM1 error channel diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled if CFM1 is in use by the application while DIAG_STARTUP_CFM1 is disabled.

Note
This diagnostic is disabled by default since the usage of the CFM is application specific.

Valid configurations:

Definition at line 731 of file tasks_config.h.

◆ DIAG_STARTUP_ERRCH_EEPROM

#define DIAG_STARTUP_ERRCH_EEPROM   ENABLED

Enables or disables execution of the EEPROM error channel diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the EEPROM error channel diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled if the EEPROM is used by the application and the more thorough DIAG_STARTUP_ECC_EEPROM diagnostic is not enabled.

Note
This diagnostic is enabled by default since the full EEPROM ECC diagnostic is disabled by default in DIAG_STARTUP_ECC_EEPROM.

Valid configurations:

Definition at line 749 of file tasks_config.h.

◆ DIAG_STARTUP_ERRCH_EVSYS0

#define DIAG_STARTUP_ERRCH_EVSYS0   DISABLED

Enables or disables execution of the EVSYS0 error channel diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the EVSYS0 error channel diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled if the EVSYS0 error channel is used by the application and a more application specific error injection diagnostic is not implemented.

Note
This diagnostic is disabled by default since the usage of the event system is application specific.

Valid configurations:

Definition at line 768 of file tasks_config.h.

◆ DIAG_STARTUP_ERRCH_EVSYS1

#define DIAG_STARTUP_ERRCH_EVSYS1   DISABLED

Enables or disables execution of the EVSYS1 error channel diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the EVSYS1 error channel diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled if the EVSYS1 error channel is used by the application and a more application specific error injection diagnostic is not implemented.

Note
This diagnostic is disabled by default since the usage of the event system is application specific.

Valid configurations:

Definition at line 787 of file tasks_config.h.

◆ DIAG_STARTUP_ERRCH_SPLIM

#define DIAG_STARTUP_ERRCH_SPLIM   ENABLED

Enables or disables execution of the SPLIM error channel diagnostic in T_RunStartupDiagnostics.

This macro configures, at compile-time, whether to include the SPLIM error channel diagnostic in the T_RunStartupDiagnostics function. The diagnostic should be enabled unless an actual SPLIM error injection diagnostic is implemented.

Note
This diagnostic is enabled by default since no other diagnostic is currently implemented.

Valid configurations:

Definition at line 658 of file tasks_config.h.

◆ DUR_HANDLE_NOTIFICATION_ERRORS

#define DUR_HANDLE_NOTIFICATION_ERRORS   9000UL

Configures the run-time duration for T_HandleNotificationErrors in system clock cycles.

This macro is used to ensure a fixed run-time duration of the function call in TM_Scheduler. See task_duration_measurement page for more information.

Measured WCET with no errors: TODO: Default with tolerance: TODO:

Todo
Set the correct values

Definition at line 1233 of file tasks_config.h.

◆ DUR_HANDLE_RESET_REASON

#define DUR_HANDLE_RESET_REASON   2000UL

Configures the run-time duration for T_HandleResetReason in system clock cycles.

This macro is used to ensure a fixed run-time duration of the function call in TM_Startup. See task_duration_measurement page for more information.

Measured WCET with no errors: TODO: Default with tolerance: TODO:

Todo
Set the correct values

Definition at line 1247 of file tasks_config.h.

◆ DUR_INITIATE_IDLE_SLEEP

#define DUR_INITIATE_IDLE_SLEEP   1000UL

Configures the run-time duration for T_InitiateIdleSleep in system clock cycles.

Todo
The T_InitiateIdleSleep function has not yet been implemented. Instead, a function prototype is provided to give an indication of how it will behave. Thus, this macro has no effect.

This macro is used to ensure a fixed run-time duration of the function call in TM_Scheduler. See task_duration_measurement page for more information.

Warning
The Synchronous Watchdog (SWDT) stops counting while in Idle sleep. The selected duration should thus only account for the execution time when not sleeping, but should add a tolerance for executing the interrupt handler of the wakeup source.

Measured WCET with no errors: TODO: Default with tolerance: TODO:

Todo
Set the correct values

Definition at line 1269 of file tasks_config.h.

◆ DUR_RUN_NEXT_LATENT_FAULT_DIAG

#define DUR_RUN_NEXT_LATENT_FAULT_DIAG   2500UL

Configures the run-time duration for T_RunNextLatentFaultDiag in system clock cycles.

This macro is used to ensure a fixed run-time duration of the function call in TM_Scheduler. See task_duration_measurement page for more information.

Measured WCET with no errors: TODO: Default with tolerance: TODO:

Todo
Set the correct values

Definition at line 1219 of file tasks_config.h.

◆ DUR_RUN_STARTUP_DIAGNOSTICS

#define DUR_RUN_STARTUP_DIAGNOSTICS   35000UL

Configures the run-time duration for T_RunStartupDiagnostics in system clock cycles.

This macro is used to ensure a fixed run-time duration of the function call in TM_Startup. See task_duration_measurement page for more information.

Measured WCET with no errors: TODO: Default with tolerance: TODO:

Todo
Set the correct values

Definition at line 1178 of file tasks_config.h.

◆ DUR_START_MISSION_MODE

#define DUR_START_MISSION_MODE   1500UL

Configures the run-time duration for T_StartMissionMode in system clock cycles.

This macro is used to ensure a fixed run-time duration of the function call in TM_Startup. See task_duration_measurement page for more information.

Measured WCET with no errors: TODO: Default with tolerance: TODO:

Todo
Set the correct values

Definition at line 1191 of file tasks_config.h.

◆ DUR_UNTIL_FIRST_SCHEDULE

#define DUR_UNTIL_FIRST_SCHEDULE   200UL

Configures the run-time duration between exiting TM_Startup and the first T_HandleSyncWatchdog call in system clock cycles.

This macro is used to ensure a fixed run-time duration of the application after TM_Startup. By default, this is the duration until the first TM_Scheduler call. See task_duration_measurement page for more information.

Measured WCET with no errors: TODO: Default with tolerance: TODO:

Todo
Set the correct values

Definition at line 1206 of file tasks_config.h.

◆ HEARTBEAT_OUTPUT

#define HEARTBEAT_OUTPUT   ENABLED

Enables the heartbeat output signal on an I/O pin before entering Mission Mode.

This macro is used by T_StartMissionMode to configure whether the heartbeat functionality will be enabled or not for the device. If enabled, a 1 kHz square wave heartbeat signal is output on a configured I/O pin. When enabled, the error controller will tri-state the signal when it enters the FAULT state, and force it low when entering the CONFIG state.

Note
The heartbeat signal output is manually disabled when initiating a Safe State transition in software using the Error Handler.
The heartbeat signal output I/O pin must be configured using PORTMUX depending on application requirements.

Definition at line 83 of file tasks_config.h.

◆ INIT_CFM0_WIN_HIGH

#define INIT_CFM0_WIN_HIGH   13427U

Configures the high value of the Clock Frequency Measure 0 (CFM0) window.

This macro is used by T_InitSafetySystem to configure the upper limit of the tolerance window of measured main clock ticks. This macro together with the INIT_CFM0_WIN_LOW macro determines the frequency error tolerance window. The CFM0 is configured to monitor the main clock with the internal 32K oscillator as the reference clock.

Warning
If changing the main clock frequency or source, the CFM0 configuration must also be updated.

Valid configurations are between 1 and UINT16_MAX. See cfmWindow_t.

Note
CFM1 is expected to be configured by the application.

Default value assuming 20 MHz main clock with +10% tolerance: 13427

Definition at line 283 of file tasks_config.h.

◆ INIT_CFM0_WIN_LOW

#define INIT_CFM0_WIN_LOW   10986U

Configures the low value of the Clock Frequency Measure 0 (CFM0) window.

This macro is used by T_InitSafetySystem to configure the lower limit of the tolerance window of measured main clock ticks. This macro together with the INIT_CFM0_WIN_HIGH macro determines the frequency error tolerance window. The CFM0 is configured to monitor the main clock with the internal 32K oscillator as the reference clock.

Warning
If changing the main clock frequency or source, the CFM0 configuration must also be updated.

Valid configurations are between 1 and UINT16_MAX. See cfmWindow_t.

Note
CFM1 is expected to be configured by the application.

Default value assuming 20 MHz main clock with -10% tolerance: 10986

Definition at line 303 of file tasks_config.h.

◆ INIT_CFM0_WIN_REF

#define INIT_CFM0_WIN_REF   20U

Configures the reference value for the Clock Frequency Measure 0 (CFM0) window.

This macro is used by T_InitSafetySystem to configure the duration of reference clock cycles to wait when measuring the number of main clock source ticks. The CFM0 is configured to monitor the main clock with the internal 32K oscillator as the reference clock.

This value should be configured depending on the application FDTI and the acceptable resolution of the tolerance window (see INIT_CFM0_WIN_HIGH and INIT_CFM0_WIN_LOW) and the selected main clock frequency (see INIT_CLOCK_FRQ). A longer measurement time will allow for higher resolution of the tolerance window, but at the cost of a longer FDTI and vice versa.

Warning
If changing the main clock frequency or source, the CFM0 configuration must also be updated. See tips_and_tricks for how to schedule an application startup task to configure external oscillators and clocks.

Valid configurations are between 1 and UINT16_MAX. See cfmWindow_t.

Note
CFM1 is expected to be configured by the application.

Default value assuming 20 MHz main clock: 20

Definition at line 263 of file tasks_config.h.
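The three CFM0 macros above are derived from one calculation: count the main clock for INIT_CFM0_WIN_REF cycles of the reference clock, then place the window a tolerance either side of the expected count. The following is an added example and not code from the library; the function names are stand-ins, and the 32768 Hz rate assumed for the internal 32K oscillator is this example's assumption (it reproduces the page's default window of 10986 to 13427 at 20 MHz). It also shows the two checks a practitioner wants before committing a value: that the limit fits the 16-bit cfmWindow_t field, and what the chosen reference count costs in measurement time (FDTI) versus resolution.

```c
/* Added example (not part of the FuSa library): deriving the CFM0 window values. */
#include <stdint.h>
#include <stdbool.h>

/* Monitored-clock ticks expected while `ref` reference-clock cycles elapse.
 * f_ref_hz = 32768.0 is this example's assumption for the internal 32K oscillator;
 * with f_main_hz = 20e6 and ref = 20 the result is 12207.03. */
double cfm_expected_ticks(double f_main_hz, double f_ref_hz, uint16_t ref)
{
    return f_main_hz * (double)ref / f_ref_hz;
}

/* One window limit for a symmetric tolerance `tol` (0.10 = 10 %); sign = +1 for the
 * high limit, -1 for the low limit. The limit is truncated toward zero, which reproduces
 * the page's defaults (13427 / 10986). Returns 0 when the inputs are unusable or the
 * limit would not fit the 16-bit cfmWindow_t register, so a 0 result means "recompute
 * ref, clock or tolerance", never "use 0". */
static uint16_t cfm_win_limit(double f_main_hz, double f_ref_hz, uint16_t ref,
                              double tol, int sign)
{
    if (ref == 0u || f_main_hz <= 0.0 || f_ref_hz <= 0.0 || tol < 0.0 || tol >= 1.0) {
        return 0u;
    }
    double limit = cfm_expected_ticks(f_main_hz, f_ref_hz, ref) * (1.0 + (double)sign * tol);
    if (limit < 1.0 || limit >= 65536.0) {   /* valid range is 1..UINT16_MAX */
        return 0u;
    }
    return (uint16_t)limit;
}

uint16_t cfm_win_high(double f_main_hz, double f_ref_hz, uint16_t ref, double tol)
{
    return cfm_win_limit(f_main_hz, f_ref_hz, ref, tol, +1);
}

uint16_t cfm_win_low(double f_main_hz, double f_ref_hz, uint16_t ref, double tol)
{
    return cfm_win_limit(f_main_hz, f_ref_hz, ref, tol, -1);
}

/* Duration of one measurement in microseconds: the CFM's contribution to the FDTI. */
double cfm_measure_time_us(double f_ref_hz, uint16_t ref)
{
    return 1e6 * (double)ref / f_ref_hz;
}

/* Smallest frequency deviation one count step can resolve, in percent. Raising `ref`
 * lowers this number but lengthens cfm_measure_time_us: the trade-off the page describes. */
double cfm_resolution_pct(double f_main_hz, double f_ref_hz, uint16_t ref)
{
    return 100.0 / cfm_expected_ticks(f_main_hz, f_ref_hz, ref);
}

/* Acceptance test on one measured count; also rejects an inverted or zero window. */
bool cfm_in_window(uint16_t low, uint16_t high, uint16_t measured)
{
    return low >= 1u && low < high && measured >= low && measured <= high;
}
```

Re-running `cfm_win_high`/`cfm_win_low` with a different `f_main_hz` is exactly the update the warning above asks for when the main clock changes; at 24 MHz the same reference count and tolerance give 13183 to 16113. A long reference count with a fast clock (for example 200 reference cycles at 32 MHz) overflows the register and the functions return 0, which is why a window value should never be copied across clock configurations without recomputing it.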

◆ INIT_CLOCK_DIV

#define INIT_CLOCK_DIV   CLK_FRQ_DIV_OFF

Configures the clock division for the device.

This macro is used by T_InitSafetySystem to initialize the division of the main clock in the startup sequence by choosing one of the available clock divisions defined by the clkFrqDiv_t. This macro in combination with INIT_CLOCK_FRQ, configures the initial main clock frequency of the device. Setting this macro to CLK_FRQ_DIV_OFF disables the clock divider.

Definition at line 212 of file tasks_config.h.

◆ INIT_CLOCK_FRQ

#define INIT_CLOCK_FRQ   CLK_FRQ_20_MHZ

Configures the clock frequency for the device.

This macro is used by T_InitSafetySystem to set the frequency output of the internal high-frequency oscillator (OSCHF) by choosing one of the available frequencies defined by the clkFrq_t. This macro in combination with INIT_CLOCK_DIV, configures the initial main clock frequency of the device.

Note
If the application requires usage of a different clock source such as an external clock or oscillator as main clock, it can be re-configured in the application specific startup schedule. See tips_and_tricks for how to schedule an application startup task to configure external oscillators and clocks.

Definition at line 200 of file tasks_config.h.

◆ INIT_ERRCTRL_TIMEOUT

#define INIT_ERRCTRL_TIMEOUT   255U

Configures the ALARM and CONFIG state timeout period for the Error Controller.

This macro is used by T_InitSafetySystem to configure the deadline for clearing any triggered error channels with a NONCRITICAL severity before the Error Controller automatically transitions into the FAULT state and issues a machine check reset. The timeout value is also used when entering the CONFIG state to avoid getting stuck and will also issue a machine check reset if not entering NORMAL state within the deadline. The value should be configured according to FDTI requirements and the WCET of the application specific nonCriticalErrorCallback in the Error Handler and the configured main clock frequency (see INIT_CLOCK_FRQ).

The timeout value is INIT_ERRCTRL_TIMEOUT * 4 clock cycles for a maximum of 1020 main clock cycles.

Valid configurations are between 1 and UINT8_MAX.

Warning
The minimum timeout value needs to be larger than the maximum expected time spent in the CONFIG state, for example the Worst-Case Execution Time (WCET) of the diagnostic which configures the most error channels.
Todo
Set the correct value

Definition at line 356 of file tasks_config.h.

◆ INIT_FLOAT_NONCRITICAL

#define INIT_FLOAT_NONCRITICAL   DISABLED

Configures whether all I/O pins should be floated (tri-stated) when an error controller channel, errCh_t, with errCrit_t of NON_CRITICAL is set.

This macro is used by T_InitSafetySystem to enable or disable floating of I/O pins for all NON_CRITICAL errors.

Note
CRITICAL error criticality will always float the I/O pins.

Definition at line 368 of file tasks_config.h.

◆ INIT_FLOAT_NOTIFICATION

#define INIT_FLOAT_NOTIFICATION   DISABLED

Configures whether all I/O pins should be floated (tri-stated) when an error controller channel, errCh_t, with errCrit_t of NOTIFICATION is set.

This macro is used by T_InitSafetySystem to enable or disable floating of I/O pins for all NOTIFICATION errors.

Note
CRITICAL error criticality will always float the I/O pins.

Definition at line 380 of file tasks_config.h.

◆ INIT_INT_ALT_VECTOR_LOC

#define INIT_INT_ALT_VECTOR_LOC   DISABLED

Configures alternative interrupt vector location when using a bootloader.

This macro is used by T_InitSafetySystem to configure whether to use an alternative interrupt vector location when using a bootloader. See the description of the IVSEL bit in CPUINT.CTRLA for more information.

Definition at line 399 of file tasks_config.h.

◆ INIT_INT_LVL0_START

#define INIT_INT_LVL0_START   0U

Configures the execution priority order of level 0 (normal priority) interrupt vectors.

This macro is used by T_InitSafetySystem to configure the execution order of simultaneous level 0 (normal) priority interrupts, by specifying which interrupt vector has the lowest priority. An interrupt vector number value of 0 will disable the level 0 priority feature. If setting an interrupt vector value of X, the level 0 interrupt with highest priority is vector X+1, followed by X+2 and so on, making X the lowest priority vector.

Valid configurations are between 0 (Disabled) and the highest interrupt vector available to the device (see 'Interrupt Vector Mapping Table' in the data sheet), except for interrupt vector number 1, as this is the vector for Non-Maskable Interrupts (NMI) and always has the highest priority. Setting this macro to 1 has no effect.

Definition at line 416 of file tasks_config.h.

◆ INIT_INT_LVL1

#define INIT_INT_LVL1   0U

Configures which interrupt vector should have the level 1 (highest) priority.

This macro is used by T_InitSafetySystem to configure the level 1 priority interrupt, and accepts a interrupt vector number as value. The priority level 1 interrupts will interrupt any level 0 interrupt handler already executing. An interrupt vector number value of 0 will disable the level 1 priority feature.

Note
It is recommended to not use this feature unless the level 1 interrupt is more safety critical than all other error handling for the application, as it may abort error handling performed by the Error Controller. If the level 1 interrupt always returns from the Interrupt Service Routine (ISR), it should not have any adverse impact on other ISRs.
Warning
This macro should not be set to any of the Error Controller channel sources, as it will lead to data hazards due to all error channel sources having redundant interrupt handling.

Valid configurations are between 0 (Disabled) and the highest interrupt vector available to the device (see 'Interrupt Vector Mapping Table' in the data sheet), except for interrupt vector number 1, as this is the vector for Non-Maskable Interrupts (NMI) and always has the highest priority. Setting this macro to 1 has no effect.

Definition at line 440 of file tasks_config.h.

◆ INIT_INT_ROUND_ROBIN

#define INIT_INT_ROUND_ROBIN   DISABLED

Configures round robin schedule scheme for level 0 interrupts.

This macro is used by T_InitSafetySystem to enable or disable round robin scheduling of level 0 interrupts.

Definition at line 389 of file tasks_config.h.

◆ INIT_NVM_ECC_ALL_ONES

#define INIT_NVM_ECC_ALL_ONES   ECC_ALL_ONES_ALL

Configures the "ECC all ones" scheme in Non-Volatile Memory.

This macro is used by T_InitSafetySystem to configure how to perform the ECC check when reading all '1's (empty memory) from non-volatile memory sections. Reading empty memory can lead to false ECC errors, which in turn trigger error handling that can transition the device to a safe state. Available options are defined in the eccAllOnes_t.

Note
It is recommended to fill the empty memory sections with data, such as NOP instructions, to mitigate the chance of having false ECC errors.

Definition at line 515 of file tasks_config.h.

◆ INIT_REDUNDANT_CFD

#define INIT_REDUNDANT_CFD   ENABLED

Enables or disables redundant CFD initialization.

This macro configures, at compile-time, whether to initialize CFD1 to mirror the configuration of CFD0 in T_InitSafetySystem, in order to have redundant operation. This approach eliminates the need for performing error injection diagnostics, which have a varying execution time and can take several hundreds of microseconds.

Note
If the CFDs are not configured with redundant operation, it is recommended to enable error injection diagnostics for the used CFDs. See the following configurations:
If the CFDs are configured with redundant operation the corresponding error channel diagnostic should be enabled. This is also the case if redundant CFD is disabled and the DIAG_STARTUP_CFD1 or the DIAG_PERIODIC_CFD1 is disabled:

Definition at line 238 of file tasks_config.h.

◆ INIT_REDUNDANT_CFM

#define INIT_REDUNDANT_CFM   DISABLED

Enables or disables redundant CFM initialization.

This macro configures, at compile-time, whether to initialize CFM1 to mirror the configuration of CFM0 in T_InitSafetySystem.

Note
If the CFMs are not configured with redundant operation, it is recommended to enable error injection diagnostics. See the following configurations:
If the CFMs are configured with redundant operation the corresponding error channel diagnostic should be enabled. This is also the case if redundant CFM is disabled and the DIAG_STARTUP_CFM1 or the DIAG_PERIODIC_CFM1 is disabled:
Redundant CFM initialization is disabled by default since running the CFM diagnostics is fast compared to the CFD diagnostics. The configuration is included to reduce the number of diagnostics to run if CFM1 is not needed to monitor other clocks.

Definition at line 331 of file tasks_config.h.

◆ INIT_STACK_LIMIT

#define INIT_STACK_LIMIT   0x7E6FU

Configures the max depth of the hardware call stack by setting the Stack Pointer limit address.

This macro is used by T_InitSafetySystem to configure the Stack Pointer Limit (SPLIM) SRAM address. This address marks the limit of the stack. If the stack pointer has a value lower than the configured stack limit, an error flag is set and reported to the error controller. This macro accepts an unsigned 16-bit integer value. The stack limit value can be protected from change by enabling the INIT_STACK_LIMIT_LOCK.

Note
Valid stack pointer limit address is between 'INTERNAL_SRAM_START' and 'INTERNAL_SRAM_END', as defined in the device specific header file (avr/io.h). For example, if the desired max stack depth is 200, the value should be set equal to 'INTERNAL_SRAM_END' - 200. Setting the value to 'INTERNAL_SRAM_START' will effectively disable this feature.

Default value is set to a max Stack depth of 300, assuming AVR32SD ram start address and size:

Definition at line 535 of file tasks_config.h.

◆ INIT_STACK_LIMIT_LOCK

#define INIT_STACK_LIMIT_LOCK   ENABLED

Configures whether the Stack Pointer Limit (SPLIM) LOCK should be enabled or disabled.

This macro is used by T_InitSafetySystem to configure whether the specified SPLIM address INIT_STACK_LIMIT will be locked and protected from change.

Definition at line 544 of file tasks_config.h.

◆ INIT_SWDT_DURATION

#define INIT_SWDT_DURATION   4000UL

Configures the run-time duration between executing T_InitSafetySystem and the first T_HandleSyncWatchdog call in main clock cycles.

This macro is used by T_InitSafetySystem to set the initial Synchronous Watchdog timeout period in the startup sequence. The value can be configured up to a 24-bit value minus the configured SWDT_OPEN_WINDOW value in main clock cycles (see INIT_CLOCK_FRQ). The specified duration ensures a fixed execution time between the SWDT being enabled in T_InitSafetySystem and the first T_HandleSyncWatchdog call, and should be set to be larger than the Worst-Case Execution Time (WCET) of T_InitSafetySystem. The first call to T_HandleSyncWatchdog is right after T_InitSafetySystem in TM_Startup.

Measured WCET of T_InitSafetySystem with no errors: TODO: Default with tolerance: TODO:

Todo
Set the correct value

Definition at line 184 of file tasks_config.h.

◆ INIT_VLM_THRESHOLD

#define INIT_VLM_THRESHOLD   VLM_THRESHOLD_PCT_15

Configures the Voltage Level Monitor threshold.

This macro is used by T_InitSafetySystem to configure the Voltage Level Monitor threshold relative to the Brown-Out Detector (BOD) threshold. Available thresholds are defined in the vlmThreshold_t. This macro together with INIT_VLM_TRIGGER configures the conditions for when a VLM interrupt will trigger.

A value of VLM_THRESHOLD_OFF disables the feature.

Warning
Using the VLM feature requires the Brown-out Detector (BOD) to be configured and enabled by the application. It is assumed that this is done through fuses.

Definition at line 488 of file tasks_config.h.

◆ INIT_VLM_TRIGGER

#define INIT_VLM_TRIGGER   VLM_TRIGGER_FALLING

Configures the Voltage Level Monitor trigger condition.

This macro is used by T_InitSafetySystem to configure which condition should trigger a VLM interrupt. Available triggers are defined in the vlmTrigger_t. This macro together with INIT_VLM_THRESHOLD configures the conditions for when a VLM interrupt will trigger.

Warning
Using the VLM feature requires the Brown-out Detector (BOD) to be configured and enabled by the application. It is assumed that this is done through user fuses.

Definition at line 501 of file tasks_config.h.

◆ INIT_VMON_ALWAYS_ON

#define INIT_VMON_ALWAYS_ON   ENABLED

Configures whether the Voltage Regulator Monitor (VMON) is enabled in deep sleep modes.

This macro is used by T_InitSafetySystem to enable or disable VMON operation in Standby and Power-Down sleep modes.

Note
The VMON is intended to be active in all sleep modes, and should only be disabled for low-power applications.
Warning
Disabling this feature requires the application to also disable the VSLP (VMON is in Sleep Mode) interrupt and reconfigure the connected VREGWARN error channel to NOTIFICATION severity before entering Standby or Power-Down sleep mode to prevent being immediately interrupted when issuing the sleep instruction (SLEEP). See tips_and_tricks for a suggestion on how to achieve this.

Definition at line 458 of file tasks_config.h.

◆ INIT_VMON_FULL_POWER_MODE

#define INIT_VMON_FULL_POWER_MODE   DISABLED

Configures the Voltage Regulator Monitor (VMON) power mode.

This macro is used by T_InitSafetySystem to enable or disable full power mode operation of VMON in sleep mode. Setting this macro to ENABLED will let the VMON operate at full speed even when the device is in sleep mode and reduce the start-up time of the VMON when waking up from sleep. Setting this macro to DISABLED will put the VMON in power-saving mode when the device is in sleep mode and increase the start-up time of the VMON when waking up from sleep.

Note
This configuration has no effect unless INIT_VMON_ALWAYS_ON is enabled.

Definition at line 472 of file tasks_config.h.

◆ INIT_WDT_DURATION

#define INIT_WDT_DURATION   WDT_TIMEOUT_CLK128

Configures the timeout period, from executing T_InitSafetySystem to the first T_HandleWatchdog call, in OSC32K clock cycles.

This macro is used by T_InitSafetySystem to set the initial Watchdog timeout period in the startup sequence by choosing one of the available clock cycle durations defined by the wdtTimeout_t. The watchdog is configured to not use window mode while in the Safe State. The value should be configured such that it times out if the startup function takes longer time than expected. Normally, the first watchdog clear will happen when calling T_HandleWatchdog in the first TM_Scheduler call. See WWDT_CLOSED_WINDOW and WWDT_OPEN_WINDOW for configuration of the windowed watchdog used in Mission Mode.

Note
If the maximum available duration is too short, see tips_and_tricks section for how to increase the Watchdog Timer resolution.

Definition at line 164 of file tasks_config.h.

◆ PRE_STARTUP_SWDT_RESET_VAL

#define PRE_STARTUP_SWDT_RESET_VAL   4000UL

Configures the new SWDT reset value after performing the SWDT Expire diagnostic in T_RunResetDiagnosticFsm.

The MW_DiagSwdtExpire diagnostic requires the SWDT to be enabled, and thus has a side-effect of enabling the SWDT, which cannot be disabled again without a reset. For this reason, the diagnostic is included in T_RunResetDiagnosticFsm, since the subsequent diagnostic, MW_DiagWdtExpire, will normally reset the device and disable the SWDT. However, should the WDT diagnostic fail, the SWDT will be enabled with a certain duration. This macro specifies that duration, and should be configured to be equal to the desired timeout period in such a scenario.

A small value can be configured to intentionally let it expire and trigger an error (which will set the Error Controller in the ALARM state), or the timeout can be set such that it is cleared in time to perform error handling. Note that this scenario only occurs when the device has a defective WDT that cannot reset the device, and the SWDT is the only functioning watchdog.

The Task responsible for clearing the SWDT, T_HandleSyncWatchdog, will wait until reaching the open window. If using TM_Startup, consider that the first SWDT clear normally occurs during execution of the Startup sequence, after completing T_InitSafetySystem where the SWDT is initialized.

The default value is the measured amount of clock cycles between exiting the pre-startup sequence due to a failing WDT diagnostic and running the first T_HandleSyncWatchdog in TM_Startup with an added tolerance.

Measured WCET with no errors: TODO: Default value: TODO:

Todo
Set the correct values

Definition at line 1301 of file tasks_config.h.

◆ STRICT_SAFE_STATE

#define STRICT_SAFE_STATE   DISABLED

Configures whether to use a strict Safe State to Mission Mode transition in TM_PreStartup and TM_Startup.

This macro configures, at compile-time, whether to enable the Strict Safe State mode in the T_EnsureSafeState Task. If enabled, all I/O-pins are force floated (tri-stated) at the beginning of the pre-startup sequence of TM_PreStartup. This ensures that the system maintains a strict safe state even if application tasks in the TM_Startup schedule initialize peripherals and I/O-pins before officially entering Mission Mode. The T_StartMissionMode Task is responsible for disabling force-float after running the Startup schedule, to have a strict transition from safe state to mission mode.

Warning
Depending on the peripheral and PORT configuration on the device, as well as the surrounding circuitry, disabling force floating of all I/O-pins simultaneously might result in a power surge. For this reason, this feature is disabled by default and should be thoroughly tested for the specific application when enabled.

Valid configurations:

Definition at line 66 of file tasks_config.h.

◆ SWDT_OPEN_WINDOW

#define SWDT_OPEN_WINDOW   1000U

Configures the open window size used for the Synchronous Watchdog (SWDT).

This macro is used by T_InitSafetySystem and configures the open window used for the SWDT. The configured value allocates the number of clock cycles at the end of the total duration of the SWDT period in which it is allowed to send a clear command. The T_HandleSyncWatchdog task, responsible for clearing the SWDT, will wait until reaching the open window and then clear it immediately. For this reason, it treats the closed window period as the real SWDT timeout and thus assumes that the open window is configured to a small value.

Todo
Set the default value

Valid configurations:

  • Any unsigned 16 bit integer.

Definition at line 101 of file tasks_config.h.

◆ WWDT_CLOSED_WINDOW

#define WWDT_CLOSED_WINDOW   WDT_TIMEOUT_CLK8

Configures the Windowed Watchdog Timer (WWDT) closed window duration in Mission Mode.

This macro, together with WWDT_OPEN_WINDOW, is used to set the total timeout period of the WWDT in T_StartMissionMode. The timeout is intended to be configured equal to or smaller than the device Fault Detection Time Interval (FDTI), accounting for WDT clock tolerances.

The closed window is the period in which the watchdog cannot be cleared. A premature clear attempt will result in a hardware error. For this reason, it is recommended to set the closed window to a much larger value than the open window, within the limitations of the WDT granularity settings, to ensure clearing is only done at the end of the period. See the watchdog sections in tips_and_tricks for methods to increase the effective granularity and length of the WWDT timeout.

Valid configurations: see wdtTimeout_t.

Warning
Setting this macro to WDT_TIMEOUT_OFF will result in configuring the WDT to run in Normal mode instead of Window mode. This is not recommended.
Todo

Set default values

Explain what the FDTI will be with the default value here and WWDT_OPEN_WINDOW

Definition at line 126 of file tasks_config.h.

◆ WWDT_OPEN_WINDOW

#define WWDT_OPEN_WINDOW   WDT_TIMEOUT_CLK128

Configures the Windowed Watchdog Timer (WWDT) Open Window duration in Mission Mode.

This macro, together with WWDT_CLOSED_WINDOW, is used to set the total timeout period of the WWDT in T_StartMissionMode. The timeout is intended to be configured equal to or smaller than the device Fault Detection Time Interval (FDTI), accounting for WDT clock tolerances.

The open window is the period in which the watchdog can be cleared without an error. For this reason, it is recommended to set the open window to a much smaller value than the closed window, within the limitations of the WDT granularity settings, to ensure clearing is only done at the end of the period. See the watchdog sections in tips_and_tricks for methods to increase the effective granularity and length of the WWDT timeout.

Todo

Set default value

Explain what the FDTI will be with the default value here and WWDT_CLOSED_WINDOW

Definition at line 145 of file tasks_config.h.
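Both the SWDT (SWDT_OPEN_WINDOW, with T_HandleSyncWatchdog waiting for the open window) and the WWDT (WWDT_CLOSED_WINDOW and WWDT_OPEN_WINDOW) follow the same rule: a clear inside the closed window is an error, a clear inside the open window restarts the period, and no clear before the period ends is a timeout. The timing model below is an added example and not library code; the window values and clear schedules in it are constructed (hypothetical cycle counts, not device register settings), and the SWDT case takes INIT_SWDT_DURATION as the closed part and SWDT_OPEN_WINDOW as the open part, which is this example's reading of the description above. It makes concrete why the page recommends a long closed window and a short open window: with that shape, a task that runs early because of jitter is caught, whereas the inverted shape accepts almost any clear.

```c
/* Added example (not part of the FuSa library): timing model of a windowed watchdog. */
#include <stdint.h>
#include <stddef.h>

typedef enum { WDT_CLEAR_EARLY, WDT_CLEAR_OK, WDT_EXPIRED } wdtClearResult_t;

typedef struct {
    uint32_t closed; /* cycles after a clear in which another clear is a hardware error */
    uint32_t open;   /* cycles following the closed window in which a clear is accepted */
} wdtWindowModel_t;

/* Cycles from a clear until the watchdog fires if it is not cleared again. */
uint32_t wdt_period(wdtWindowModel_t w)
{
    return w.closed + w.open;
}

/* Outcome of a clear attempted `t` cycles after the previous clear. */
wdtClearResult_t wdt_classify_clear(wdtWindowModel_t w, uint32_t t)
{
    if (t < w.closed) {
        return WDT_CLEAR_EARLY;   /* premature clear: the page says this is a hardware error */
    }
    if (t < wdt_period(w)) {
        return WDT_CLEAR_OK;
    }
    return WDT_EXPIRED;
}

/* Cycles a T_HandleSyncWatchdog-style task still has to wait before it may clear,
 * given that it was entered `t` cycles after the previous clear (0 = open window reached). */
uint32_t wdt_wait_for_open(wdtWindowModel_t w, uint32_t t)
{
    return (t < w.closed) ? (w.closed - t) : 0u;
}

/* Replay absolute clear timestamps (cycles since the watchdog was armed at 0) and stop at
 * the first clear that is early or late. Expiry after the last clear, before `t_end`, is
 * reported with index n. Returns -1 when every clear lands in the open window. */
int wdt_replay(wdtWindowModel_t w, const uint32_t *clears, size_t n, uint32_t t_end,
               wdtClearResult_t *result)
{
    uint32_t last = 0u;
    for (size_t i = 0; i < n; i++) {
        wdtClearResult_t r = wdt_classify_clear(w, clears[i] - last);
        if (r != WDT_CLEAR_OK) {
            if (result) *result = r;
            return (int)i;
        }
        last = clears[i];
    }
    if (t_end - last >= wdt_period(w)) {
        if (result) *result = WDT_EXPIRED;
        return (int)n;
    }
    if (result) *result = WDT_CLEAR_OK;
    return -1;
}

/* Constructed schedules: a scheduler that clears every 130 cycles, the same scheduler with
 * one clear arriving 10 cycles early, and a scheduler that stops clearing. */
static const uint32_t k_goodClears[]   = { 130u, 260u, 390u };
static const uint32_t k_jitterClears[] = { 130u, 250u, 390u };
static const uint32_t k_missedClears[] = { 130u };

/* Recommended shape (hypothetical values): 128 closed cycles, 8 open cycles. */
static const wdtWindowModel_t k_recommended = { 128u, 8u };

int wdt_demo_good(wdtClearResult_t *r)
{
    return wdt_replay(k_recommended, k_goodClears, 3u, 400u, r);     /* -1: all clears OK */
}

int wdt_demo_jitter(wdtClearResult_t *r)
{
    return wdt_replay(k_recommended, k_jitterClears, 3u, 400u, r);   /* 1: early clear */
}

int wdt_demo_missed(wdtClearResult_t *r)
{
    return wdt_replay(k_recommended, k_missedClears, 1u, 300u, r);   /* 1: expired */
}
```

The same clear at 20 cycles after the previous one is classified as early with the recommended shape (closed 128, open 8) and as OK with the inverted shape (closed 8, open 128). The WWDT defaults shown on this page (closed WDT_TIMEOUT_CLK8, open WDT_TIMEOUT_CLK128) currently have that inverted shape and are marked as a Todo above, so they should be treated as placeholders rather than a recommendation.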

Variable Documentation

◆ resetReasonCallback [1/2]

const rstCallback_t resetReasonCallback = &T_ResetReasonExampleCallback

Configures the user-configurable callback function used for application specific reset handling in T_HandleResetReason.

This callback setting is configured in the tasks_config.c file and should be set to point to a function with a rstCallback_t type signature in order to implement application-specific handling of the identified device reset reason.

The callback passes a resetInfo_t input parameter, which is a structure containing the reset reason determined in T_DetermineResetReason and an Error ID. The values are validated in T_HandleResetReason before the callback is called. The Error ID is set to ERRID_NONE as long as the Reset Reason is not a software reset. If a software reset has occurred, the Error ID is set to the value stored by EH_InitiateSafeState before issuing the software reset.

Definition at line 39 of file tasks_config.c.
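An application-specific callback typically uses the reset reason and Error ID described above to decide whether the device may proceed to Mission Mode or is caught in a reset loop. The example below is added here and is not the library's code or its T_ResetReasonExampleCallback: the enum, struct and callback type are stand-ins for the real resetInfo_t and rstCallback_t, whose field names this page does not give, and the reset histories are constructed. It counts consecutive software-initiated resets (the only case in which the Error ID is set) and latches a hold-in-Safe-State decision after a threshold; a non-software reset breaks the streak.

```c
/* Added example (not part of the FuSa library): a reset-reason callback that detects
 * reset loops. The ex*-prefixed types stand in for resetInfo_t / rstCallback_t. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

typedef enum { EX_RST_POWER_ON, EX_RST_EXTERNAL, EX_RST_WATCHDOG, EX_RST_SOFTWARE } exResetReason_t;
#define EX_ERRID_NONE 0u

typedef struct {
    exResetReason_t reason;  /* as determined by the reset-reason task */
    uint8_t errorId;         /* EX_ERRID_NONE unless the reset was a software reset */
} exResetInfo_t;

typedef void (*exRstCallback_t)(exResetInfo_t info);

#define EX_MAX_SW_RESET_STREAK 3u

/* Reset-loop bookkeeping. Plain globals are zeroed by the C runtime on every reset; a real
 * implementation keeps these in memory that survives a software reset (for example a
 * .noinit section guarded by a validity marker) so the streak can actually be counted. */
static uint8_t g_swResetStreak;
static uint8_t g_lastErrorId;
static bool    g_holdInSafeState;

void ex_resetReasonCallback(exResetInfo_t info)
{
    if (info.reason == EX_RST_SOFTWARE) {
        /* The Error Handler issued this reset: remember why, count consecutive occurrences. */
        g_lastErrorId = info.errorId;
        if (g_swResetStreak < UINT8_MAX) {
            g_swResetStreak++;
        }
        if (g_swResetStreak >= EX_MAX_SW_RESET_STREAK) {
            g_holdInSafeState = true;   /* same fault keeps recurring: stop the reset loop */
        }
    } else {
        /* Power-on, external or watchdog reset: the streak of software-initiated resets is broken. */
        g_swResetStreak = 0u;
        g_lastErrorId = EX_ERRID_NONE;
        g_holdInSafeState = false;
    }
}

/* Mirrors the page's configuration pattern: a const pointer of the callback type. */
const exRstCallback_t ex_resetReasonCallbackCfg = &ex_resetReasonCallback;

/* Accessors the startup code uses to act on the decision. */
uint8_t ex_swResetStreak(void)   { return g_swResetStreak; }
uint8_t ex_lastErrorId(void)     { return g_lastErrorId; }
bool    ex_holdInSafeState(void) { return g_holdInSafeState; }

/* Clear the bookkeeping (what a fresh, valid .noinit region would look like). */
void ex_resetState(void)
{
    g_swResetStreak = 0u;
    g_lastErrorId = EX_ERRID_NONE;
    g_holdInSafeState = false;
}

/* Feed a reset history through the configured callback; returns the hold decision. */
bool ex_replayResets(const exResetInfo_t *hist, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        ex_resetReasonCallbackCfg(hist[i]);
    }
    return ex_holdInSafeState();
}

/* Constructed histories. 0x2A is a hypothetical Error ID. */
static const exResetInfo_t k_loopHistory[] = {
    { EX_RST_SOFTWARE, 0x2Au }, { EX_RST_SOFTWARE, 0x2Au }, { EX_RST_SOFTWARE, 0x2Au } };
static const exResetInfo_t k_recoveredHistory[] = {
    { EX_RST_SOFTWARE, 0x2Au }, { EX_RST_SOFTWARE, 0x2Au },
    { EX_RST_POWER_ON, EX_ERRID_NONE }, { EX_RST_SOFTWARE, 0x2Au } };

bool ex_demo_resetLoop(void)
{
    ex_resetState();
    return ex_replayResets(k_loopHistory, sizeof k_loopHistory / sizeof k_loopHistory[0]);
}

bool ex_demo_recovered(void)
{
    ex_resetState();
    return ex_replayResets(k_recoveredHistory, sizeof k_recoveredHistory / sizeof k_recoveredHistory[0]);
}
```

Whether a watchdog reset should also count toward the streak is an application decision; this example deliberately counts only software resets because those are the ones that carry an Error ID from the Error Handler.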

◆ resetReasonCallback [2/2]

const rstCallback_t resetReasonCallback
extern

Extern declaration of the callback described under resetReasonCallback [1/2] above.
Definition at line 39 of file tasks_config.c.