AURIX™ MCU: TC3xx and different watchdogs - KBA236454

Version: **

In general, watchdogs provide a highly reliable and secure way of detecting and recovering from software or hardware failure. Internal watchdogs in AURIX™ TC3xx protect against unintended register write accesses (ENDINIT). According to the Infineon safety concept, an external watchdog is required because not all hardware failures are covered by the internal watchdogs.

The following are the three types of internal and external watchdogs:

Safety watchdog

The safety watchdog is a timeout counter that ensures that the protection of critical system registers and memories is not disabled for an extended time, so as to avoid accidental and unauthorized write accesses.

When enabled, the safety watchdog timer (WDT) can trigger an SMU alarm request if it is not correctly serviced within a user-programmable time period. Periodic servicing of the safety WDT confirms the correct functioning of the system.

Individual CPU watchdogs

The individual CPU watchdogs have functionality similar to that of the safety watchdog, acting as a timeout counter while the protection of specific CPU registers is disabled through ENDINIT.

Each CPUx WDT incorporates an ENDINIT feature, which protects critical local CPU registers. A few system registers are not protected by safety ENDINIT, to avoid accidental and unauthorized write accesses.

When enabled, the CPUx WDT can trigger an SMU alarm request if it is not correctly serviced within the user-defined time period. Otherwise, a device reset is triggered.

After a reset, CPU0 is in RUN mode, and CPU0 WDT starts automatically. Other CPUs are initially in a HALT state and their corresponding WDTs are therefore disabled. A CPU watchdog may only be configured, enabled, or disabled by its corresponding CPU.

The individual CPU timers, if activated, make it possible to monitor separate CPU execution threads (Program Flow Monitoring) without the need for software to coordinate the shared use of a common watchdog. To use Program Flow Monitoring, each WDT service requires a different password (Fibonacci series). In this case, the Time Flow Monitoring feature can additionally be used to ensure that a certain action is executed within a certain time frame.

External watchdog

In addition, AURIX™ TC3xx requires an external watchdog to monitor situations where the microcontroller is not responding. This external watchdog has high coverage for failure modes such as permanent reset of the microcontroller, no clock, and unintended power save mode.

In the Infineon safety concept, the external watchdog is an off-chip watchdog that intervenes and leads the system to a safe state whenever the microcontroller fails to service the external watchdog in time.

Infineon provides an external watchdog solution when the power supply and supervision are implemented using the TLF35584.

An internal clock source clocks the PMIC watchdogs. This clock source is independent of the external MCU. Two independent types of watchdogs are implemented in the TLF35584:

  • A standalone window watchdog (WWD) with a programmable input trigger signal that can be either the WDI pin or a trigger via SPI command to the WWDSCMD register.
  • A standalone functional or question/answer watchdog (FWD).

Apart from customer-specific purposes, the window watchdog is considered sufficient to cover the needs of the AURIX™ TC3xx safety philosophy.
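The following host-side C model illustrates the window watchdog idea described above; it is an added example, not Infineon code and not taken from the TLF35584 datasheet. A trigger is valid only inside the open window, so both a hung MCU (no trigger) and a runaway service loop (trigger too early) are detected. The window lengths, the error counter with its limit, and all names are assumptions of this model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Host-side model of a window watchdog; names and values are hypothetical,
 * not TLF35584 registers or datasheet figures. Times are in milliseconds. */
typedef struct {
    uint32_t closed_ms;    /* a trigger inside this period is invalid        */
    uint32_t open_ms;      /* a trigger must arrive inside this period       */
    uint32_t window_start; /* start of the current closed window             */
    uint32_t errors;       /* invalid or missed triggers so far              */
    uint32_t error_limit;  /* assumed: at this count safe state is forced    */
    bool     safe_state;
} wwd_t;

void wwd_init(wwd_t *w, uint32_t closed_ms, uint32_t open_ms, uint32_t limit)
{
    *w = (wwd_t){ closed_ms, open_ms, 0, 0, limit, false };
}

/* Record one failure and restart the window at time `at`. */
static void wwd_fail(wwd_t *w, uint32_t at)
{
    if (++w->errors >= w->error_limit)
        w->safe_state = true;
    w->window_start = at;
}

/* Driven by the watchdog's own clock: count every open window that ended
 * before `now` without a trigger (hung or halted MCU, no clock). */
void wwd_poll(wwd_t *w, uint32_t now)
{
    uint32_t period = w->closed_ms + w->open_ms;
    while (!w->safe_state && now - w->window_start >= period)
        wwd_fail(w, w->window_start + period);
}

/* Trigger from the MCU at time `now`; returns true only if it was valid. */
bool wwd_trigger(wwd_t *w, uint32_t now)
{
    wwd_poll(w, now);                     /* account for missed windows */
    if (w->safe_state)
        return false;
    if (now - w->window_start < w->closed_ms) {
        wwd_fail(w, now);                 /* too early: runaway service loop */
        return false;
    }
    w->window_start = now;                /* valid: next closed window begins */
    return true;
}
```

A plain timeout watchdog would accept the too-early triggers that this model rejects, which is the extra coverage the window provides.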


Figure 1 TLF35584 window watchdog and functional watchdog

For more details, see the TLF35584 datasheet and the sub-section “9.4 Watchdog timers (WDT)” in “9. System Control Units” of the AURIX™ TC3xx family User’s manual.

Note: This KBA applies to the following series of AURIX™ MCU:

  • AURIX™ TC3xx series