The 78K0/Kx2 is provided with a function-reinforced version of a conventional watchdog timer. The following totally new functions have been added for reinforcement. These functions need not be specially set as the watchdog timer.
- Generating reset if an instruction is fetched from an address from which it cannot be fetched
- Generating reset if an address from/to which data cannot be accessed is accessed
In addition, the following feature is also available.
- Generating reset if an attempt is made to clear the watchdog timer during a period other than that specified (window function)
For the basic features of the watchdog timer, refer to Basics of Watchdog Timer.
It is difficult to accurately grasp whether the program is correctly operating. To use the watchdog timer, it is necessary to first define how the program should be to operate correctly.
It is therefore necessary to grasp by what processing flow the program operates when it operates correctly. This may be cumbersome if there are many situations of program execution, but unless it is accurately grasped, it may be difficult to set items to be evaluated if it is necessary to add specifications. A program can be normally developed without having to consider to this extent. Conversely, if you are caught in this stage, the method of program development may have a problem and, even if the program is completed (at least, if you think so), there is a large possibility of numerous problems occurring in the debugging stage.
Next, the processing time and timing during normal operation are estimated. If interrupt processing is generated asynchronously, the utmost care must be exercised because the total processing time may change. If the percentage of the asynchronous interrupt processing is large, it is better to think that the window function of the watchdog timer cannot be used.
[Processing time analysis]
Here is an example of analyzing the processing time.
List of processing contents
|Processing No.||Processing||Processing Time|
|1||Initialization processing||100 μs|
|2||Main common processing||1ms / 100μs|
|3||Main processing 1||20ms|
|4||Main processing 2||30ms|
|6||Subroutine of main processing 1||200μs|
|7||Subroutine of main processing 2||300μs|
|8||Serial reception interrupt||10μs|
|9||Serial transmission end interrupt||5μs|
|10||Timer interrupt (1 ms period)||50μs|
|11||A/D end interrupt||5μs|
When initialization is completed, the main common processing is started, a timer is activated, and its interrupt is enabled. In addition, the interrupt of serial communication is also enabled.
The main common processing is a part having a request for the subsequent processing. This processing is usually started by a timer interrupt. After the timer interrupt processing, it checks the processing request of main processing 1 and timing of starting main processing 2. If no request is issued and after 100 μs of processing, the main common processing enters the HALT mode and waits for the timer interrupt. The processing request is sent by serial communication. The serial reception interrupt only saves the sent data to a ring buffer. During serial communication, the reception interrupt may be generated at an interval of 520 μs (equivalent to 19.2 kbps) minimum. If the HALT mode is released by this interrupt while the main common processing is in the HALT mode, it enters the HALT mode again. A processing request is recognized and analyzed when the main common processing is started by the timer interrupt, followed by processing of 1 ms and a branch to main processing 1 or 2. To analyze the processin g request, a subroutine is called twice.
Main processing 1 performs the necessary processing and transmits the result as a 10-byte status by serial communication. Main processing 1 calls the subroutine 10 times and serial transmission can be executed in parallel with main processing 1, by using the interrupt.
Main processing 2 is started at a specific interval, reads analog signals of eight channels and calls a subroutine eight times to perform A/D conversion. The subroutine takes a processing time of 300 μs, including the interrupt processing time of the A/D converter. The A/D converter is not started by anything other than this subroutine.
In this example, three main operations are exclusively performed.
(1) Waiting for processing request
This is waiting by the main common processing for a processing request and is started by a timer interrupt of 1 ms. Processing, including the timer interrupt processing, is performed for 150 μs, and the main common processing stops in the HALT mode for the rest of the period.
If a processing request is issued, the main common processing that has been started by the timer interrupt takes 1 ms. Processing of the subroutine that is executed twice takes 100 μs and the next timer interrupt processing takes 50 μs. Including the processing time of the first timer interrupt, therefore, the total processing time is 1.3 ms. Since the serial reception interrupt may occur 0 to 3 times at maximum during this time period, the maximum processing time, including the serial reception interrupt processing time, may be 1.33 ms. Because the time required for the serial processing is very short, if it is ignored, the timeline from checking the processing request to the actual start of the processing is as follows.
(2) Executing main processing 1
The total processing time of the main processing 1 is 22.05 ms, including the processing time of 20 ms of the main processing 1 itself, the processing time of the subroutine (that is executed 10 times, 200 μs each), and that of the serial transmission end interrupt processing (10 times, 5 μs each). The timer interrupt occurs 22 times during this time period, extending the total processing time by 1.1 ms. Because the timer interrupt occurs once again during this 1.1 ms period, the total processing time increases to 23.2 ms. This means that the main processing 1 is completed 24.5 ms after the timer interrupt that checks the processing request occurs. Even if the serial reception interrupt, which occurs up to 47 times and takes 0.47 ms each time, occurs during this time period, the main processing 1 can still be completed before occurrence of the next timer interrupt.
(3) Executing main processing 2
The processing time of main processing 2 is 30 ms, which increases to 32.4 ms if the processing time of the subroutine (that is executed eight times, 300 μs each) is included. During this period, the timer interrupt occurs 32 times, increasing the execution time 1.6 ms. Consequently, the timer interrupt occurs two more times, extending the total processing time to 34.1 ms. This means that main processing 2 is completed 35.4 ms after the timer interrupt that checks the processing request. If the serial reception interrupt occurs during this period, it may occur up to 69 times and take 0.69 ms. If the serial reception processing takes 0.6 ms or longer, the next timer interrupt will be generated. In the worst case, therefore, the total processing time of main processing 2 will be 36.14 ms.
In summary, the execution time in the above three cases is as follows.
(1) 150 to 160 μs for each 1 ms of waiting for processing request
(2) 24.5 to 24.97 ms to execute main processing 1
(3) 35.4 to 36.14 ms to execute main processing 2
The execution time of each processing is estimated above. In the above discussion, calculation is made on the assumption that the processing time of each processing block is given. It is difficult, however, to actually calculate processing time from the execution time of instructions. Consequently, the processing time is calculated by using the time measurement function of an in-circuit emulator during debugging. What must be noted at this time is that only the processing time during which a specific pattern operates can be measured. It must be checked what operation is to be performed and how the processing time is affected by interrupts that occur synchronously or asynchronously. Therefore, calculate the processing time, taking factors of fluctuation considered necessary into account.
This is part of the information necessary for evaluating a watchdog timer and, if anything, is evaluation of processing performance. On some occasions, conditions may be given as required system specifications, for example, main processing 1 should be completed in 20 to 30 ms and main processing 2 should be completed in 25 to 50 ms. These values, however, have a wide range in most cases, and in some cases, only the maximum value is given. Therefore, the above information may not be used for evaluating a watchdog timer.
In addition, the reference clock used for operation of the watchdog timer has variations. If processing time is calculated with an accuracy that takes these variations into consideration, it is usually meaningless. An accuracy of 10% or so is sufficient (calculating the processing time of complicated processing is very difficult, though that of the processing in this example can be calculated relatively easily). A high accuracy is required for calculating processing time when the window function of a watchdog timer is used. Under a more stringent condition, there is only about 8% of the period during which the watchdog timer can be cleared. Therefore, the processing time must be calculated with a maximum error of 4%.
[Operation pattern and detection condition]
For actual evaluation, it is necessary to clarify how often and at what timing a request for main processing 1 or 2 is generated. In what condition the request is to be detected must therefore be determined. For example, consider the following requirements.
- Main processing 2 is started once every 100 ms.
- Main processing 1 is requested 20 times every 200 ms for 1 hour.
(Execution of main processing 1 takes precedence over main processing 2.)
In this case, it is necessary to specify what status is considered to be normal. The following three conditions are considered in this example.
(1) Normal if main processing 2 or 1 is executed
(2) Normal if main processing 2 or 1 is executed within a specified time
(3) Normal if main processing 2 or 1 is executed within a specified time range
In (1), the watchdog timer should be cleared only by main processing 2 or 1. The loop of the processing takes at least 100 ms. Therefore, the time until the watchdog timer overflows should be set to at least 100 ms and main processing 1 and 2 should clear the watchdog timer. The overflow time of the 78K0/Kx2 that satisfies this condition is 215/fRL (124.12 ms minimum), 216/fRL (248.24 ms minimum), or 217/fRL (489.48 ms minimum). If condition (2) is also taken into consideration, 215/fRL (124.12 ms) is the choice. If this overflow time is selected and if main processing 1 and main processing 2 conflict and execution of main processing 2 is delayed, the interval is extended by main processing 1 to at least 124.5 ms and overflow will occur when the watchdog timer is cleared only by main processing 2. It is therefore necessary to clear the watchdog timer by main processing 1 as well.
Next, as an example of (3), a case where the window function of the watchdog timer is used is considered. The shortest clearing time is as shown in Example 1 below if the watchdog timer is to be cleared at the end of main processing 1 and main processing 2. If the clock of the watchdog timer is slow, the overflow time will be 151.7 ms. This means that even when a window is fully open, it will be closed for a period 25% (about 38 ms) of the overflow time. In Example 1, below, the shortest interval is 34.5 ms. As it is, the watchdog timer is cleared while the window is closed. If the timing of clearing the watchdog timer is changed to the beginning of main processing 1, the shortest interval will increase to 59 ms, making the clearing timing fit into the period during which all the windows are open.
In the above Example 1, main processing 1 is started every 200 ms. What will happen if this is changed to every 100 ms? The time since the watchdog timer has been cleared by main processing 2 until it is cleared by main processing 1 is shortened to about 38.9 ms, as shown in Example 3, below.
In this case, the watchdog timer is cleared while a window is open, so this timing is all right. If the margin is to be increased, however, clear the watchdog timer in about 10 ms from the beginning of main processing 1. In this way, when the window function is used, the timing of clearing the watchdog timer changes if the condition is changed even slightly, and therefore, care must be exercised.
The important points in this example are
- The maximum frequency of the count clock must be used to calculate the overflow time.
- The minimum frequency of the count clock must be used to estimate the window period.
The rated count clock of the watchdog timer varies from -10% to +10%. To simplify evaluation, the period during which the window is closed must be multiplied by 1.22 when estimating the timing of clearing the watchdog timer by using only the maximum frequency of the count clock. Therefore, the period during which the window is open for sure is as follows.
- The window is closed about 30% and open 70% of the time if it is set to be closed 25% (open 75%).
- The window is closed about 61% and open 39% if it is set to be closed 50%.
- The window is closed about 92% and open 8% if it is set to be closed 75%.
Take this into consideration when determining the worst-case combination of processing time.
[High-level detection condition setting]
So far, only the timing of clearing the watchdog timer has been evaluated. In the above example, even if main processing 1 is not executed at all, it cannot be detected by the watchdog timer (the problem lies in whether watchdog timer processing is designed, taking into consideration the processing that is executed only several times in 1 hour). Therefore, a flag that is set depending on the situation of processing of the program is used to monitor execution of main processing 1. Specifically, the following flag is used.
- Main processing 1 interval flag (counter)
The main processing 1 interval flag counts time from execution of main processing 1 in units of 100 ms. Main processing 1 clears this counter and main processing 2 performs counting processing. Main processing 2 checks this counter and does not clear the watchdog timer if the count value is more than that of 1 hour. (The actual value is 1 hour/100 ms = 36,000 counts from which the number of times of executing main processing 1 x interval of repetition is subtracted. In Example 1, above, 20 x 2 is subtracted from 36,000 every 200 ms, and 20 is subtracted from 36,000 every 100 ms in Example 2.) In this way, it can be detected that main processing 1 is not executed for at least 1 hour. (Although no timing example is shown, the timing is the same as in Examples 2 and 3, above.)
Main processing 1 can be considered to clear the watchdog timer always at the end of the processing and that main processing 2 does not clear the watchdog timer when this flag is 0. An example of clearing timing in this case is shown below. The maximum interval of clearing at this time is 111.64 ms, and the minimum interval is 88.36 ms. Therefore, there is no problem even if the period during which the window is open is narrowed to 50% (in this case, the window is open for sure about 80 ms later) if the overflow time is set to 215/fRL (124.12 ms minimum).
(Whether main processing 2 is executed immediately after main processing 1 cannot be checked, however.)
If the watchdog timer is cleared at the beginning of processing, the influence of the variations of the processing time can be further reduced. As a result, the period during which the window is open can be set to 25% (in this case, it also cannot be checked whether main processing 2 is executed immediately after main processing 1). Determine the processing method depending on which check takes precedence.
This is insufficient for checking whether main processing is executed 20 times in 1 hour, however, so the following main processing 1 execution flag is added.
- Main processing 1 execution flag (counter)
Main processing 1 counts up this flag. Main processing 2 counts up the value of the main processing 1 interval flag. It checks this flag when the value of the flag reaches to 2 or 3 (depending on the interval of main processing 1), so that the watchdog timer is not cleared if the flag value is other than 0 or 20 (the number of times the main processing 1 is consecutively executed). In this way, the number of times the main processing 1 has been executed can also be checked.
By adding conditions when the watchdog timer is cleared as described above, a more delicate check can be performed. Nevertheless, if the processing becomes too complicated, problems, such as the restriction of the processing originally to be executed becoming severe or an error occurring if the processing is complicated, may arise.