22.3.3 System States
- CONFIG: The timeout timer starts if enabled, and Error Source Control x (ERRCTRL.ESCx) registers can be written. Error Status Flags (ESF) will be set upon receiving signals from the system, but no error action or state transition is performed. The Error Controller will transition to the NORMAL state when writing the ERRCTRL State (STATE) bit field in the Control A (ERRCTRL.CTRLA) register to Normal State (NORMAL). If the Timeout Counter (ERRCTRL.TIMECNT) register value exceeds the value in the Timeout Value (ERRCTRL.TIMEOUT) register, a Machine Check Reset is automatically triggered. Any I/O Float, INT, NMI or Machine Check Reset that was active when the ERRCTRL entered the CONFIG state is left unchanged while in the CONFIG state. New errors will not be serviced when in the CONFIG state. Any new error will set its ESF, but no I/O Float, INT, NMI or Machine Check Reset will occur.
The expected error handling (I/O float, INT/NMI, or Machine Check Reset, depending on the severity of the error) will be postponed until transitioning from the CONFIG to NORMAL state. This may increase the Fault Detection Time Interval (FDTI), depending on how long the ERRCTRL is in the CONFIG state.
Any heartbeat is paused while in the CONFIG state, i.e., no transitions will occur on the heartbeat signal. It is possible to transition to CONFIG by writing the STATE bit field in ERRCTRL.CTRLA to CONFIG. This is only allowed from the NORMAL state; an attempt to transition from any other state will be discarded and will result in a Bus Error. The Force I/O Float (FORCEFLOAT) bit in the ERRCTRL.CTRLA register and external float requests will float I/Os even in the CONFIG state.
- NORMAL: ERRCTRL.ESCx registers cannot be written, but bits in the Error Status Flag (ESF) register can be set. It is possible to transition to CONFIG by writing the STATE bit field in ERRCTRL.CTRLA to CONFIG. CRITICAL errors detected while in the NORMAL state will automatically cause a transition to the FAULT state, and noncritical errors will automatically cause a transition to the ALARM state.
- ALARM: ERRCTRL.ESCx registers cannot be written. Once entering the ALARM state, the timeout timer starts if the feature is enabled. The state will automatically transition to FAULT if the ERRCTRL.TIMECNT value exceeds the value in ERRCTRL.TIMEOUT and will automatically transition to NORMAL when all noncritical errors have been cleared in the ERRCTRL.ESF register.
This state allows the system to possibly fix the fault and return to normal operation instead of going directly to the FAULT state. The timeout is a safety mechanism in case the ALARM interrupt is never serviced, e.g., due to a software or Interrupt Controller (INTCTRL) error. A CRITICAL error received in the ALARM state will automatically cause a transition to FAULT.
- FAULT: An Error Controller Reset is requested immediately. The Error Controller Reset Flag (ECRF) in the Reset Flag Register (RSTCTRL.RSTFR) becomes set. Any heartbeat will stop. The Float I/O Pins (FLOAT) bit in the Status A (ERRCTRL.STATUSA) register is set, and all I/O pins are floated.
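The transitions listed above can be exercised with a small software model, given here as an added example rather than vendor code, which shows in particular how an error raised in CONFIG is held until the write back to NORMAL. All type and function names are hypothetical. The model assumes that the counter restarts from zero on entering CONFIG or ALARM, that the postponed handling includes the ALARM/FAULT state transition, and it represents resets and the Bus Error as flags.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Software model only; every name here is hypothetical, not a device-header symbol. */
typedef enum { ST_CONFIG, ST_NORMAL, ST_ALARM, ST_FAULT } state_t;
typedef struct {
    state_t  state;
    bool     timer_en;           /* timeout feature enabled */
    uint32_t timecnt, timeout;   /* models TIMECNT / TIMEOUT */
    unsigned crit, noncrit;      /* pending critical / noncritical flags (ESF) */
    bool     bus_error, mc_reset;
} errctrl_t;
void errctrl_init(errctrl_t *e, state_t start, bool timer_en, uint32_t timeout) {
    *e = (errctrl_t){ .state = start, .timer_en = timer_en, .timeout = timeout };
}
/* Act on pending flags; only called in NORMAL or ALARM, never in CONFIG. */
static void service(errctrl_t *e) {
    if (e->crit) e->state = ST_FAULT;
    else if (e->noncrit && e->state == ST_NORMAL) { e->state = ST_ALARM; e->timecnt = 0; }
    else if (!e->noncrit && e->state == ST_ALARM) e->state = ST_NORMAL;
}
/* Write to the STATE bit field; returns false if the write had no effect. */
bool write_state(errctrl_t *e, state_t want) {
    if (want == ST_CONFIG) {
        if (e->state != ST_NORMAL) { e->bus_error = true; return false; } /* discarded */
        e->state = ST_CONFIG; e->timecnt = 0; return true;
    }
    if (want == ST_NORMAL && e->state == ST_CONFIG) {
        e->state = ST_NORMAL; service(e); return true; /* postponed errors handled now */
    }
    return false; /* assumption: writes the page does not describe are ignored */
}
void raise_error(errctrl_t *e, bool critical) {
    if (critical) e->crit++; else e->noncrit++;       /* flag is set in every state */
    if (e->state == ST_NORMAL || e->state == ST_ALARM) service(e);
}
void clear_noncritical(errctrl_t *e) {
    e->noncrit = 0; if (e->state == ST_ALARM) service(e);
}
void tick(errctrl_t *e) { /* one timeout-counter increment */
    if (!e->timer_en || (e->state != ST_CONFIG && e->state != ST_ALARM)) return;
    if (++e->timecnt <= e->timeout) return;           /* acts only when TIMECNT exceeds TIMEOUT */
    if (e->state == ST_CONFIG) e->mc_reset = true;    /* Machine Check Reset */
    else e->state = ST_FAULT;
}
int main(void) {
    errctrl_t e; errctrl_init(&e, ST_NORMAL, true, 3);
    write_state(&e, ST_CONFIG); raise_error(&e, false); write_state(&e, ST_NORMAL);
    printf("state after CONFIG->NORMAL with a pending error: %d\n", e.state); return 0;
}
```

Time spent in CONFIG with an error pending adds directly to the FDTI, so reconfiguration sequences should keep that window short.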