30.3.3.2 Step 2 (CLEAR)
After the SWDT has accepted a PRECLEAR command without error, the software must perform the CLEAR action by writing CLEAR to the COMMAND register. The CLEAR command is accepted only if exactly one PRECLEAR command has already been received and the window is open, that is, the CNT value is less than the WINDOW value. The CLEAR bit in the INTFLAGS register indicates when a CLEAR command can legally be received. If the CLEAR command succeeds, the CLEAR bit in the INTFLAGS register is cleared and the value in the RESET register is loaded into the counter (CNT).
If the CLEAR command was written to COMMAND without a prior PRECLEAR command, the BADPC and ERROR flags are set in the INTFLAGS register, indicating that a non-PRECLEAR command was received while expecting a PRECLEAR.
If the CLEAR command was written to COMMAND after a PRECLEAR command, but the window was not open when writing the CLEAR command, the UC (Unexpected Command) and ERROR flags are set in the INTFLAGS register.
The two-step clearing sequence of the SWDT depends on placing each of the two actions at the appropriate point in the code. The PRECLEAR action is typically placed part way through the initial portion of the application's main loop, while the CLEAR action is placed near the end of the main loop, just before it returns to the start of the loop.
The reasoning behind this placement, and behind requiring two actions to clear the SWDT at all, is the single-point fault model. In this model the software is assumed to have been designed correctly, and its failure is assumed to be caused by a single fault.
One fault pattern is the repeated clearing of the SWDT counter in a tight loop. For example, the application may be waiting for a response input. If that response never arrives, the counter should expire, yet a single fault that traps execution in a loop consisting of just one action that clears the SWDT counter would defeat that detection.
Requiring a second, separate action to clear the counter overcomes this potential failure. Separating the second action from the first both spatially (in code position) and temporally reduces the possibility that the two actions could occur in sequence because of a single fault.
The second action is further constrained to occur during the window interval, so that it cannot happen too early.
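The acceptance rules for CLEAR (accepted only after exactly one PRECLEAR and only while CNT is below WINDOW; BADPC+ERROR without a prior PRECLEAR; UC+ERROR when the window is closed) and the placement argument above are easier to see in a small software model. The following C code is an added example written for this page, not the SWDT's own implementation or any vendor driver. It models the COMMAND and INTFLAGS behaviour described in this step and runs the three scenarios the text discusses: a well-placed main loop, a CLEAR written before the window opens, and a single-point fault that traps execution in a loop whose only action is writing CLEAR. The INTFLAGS bit positions, the COMMAND encodings, CNT counting down from RESET and expiring at zero, and the handling of a repeated PRECLEAR are assumptions of the model, marked as such in the comments.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* INTFLAGS bits named in the text; bit positions are assumed for this model. */
#define SWDT_CLEAR  (1u << 0)  /* a CLEAR command can legally be received now */
#define SWDT_BADPC  (1u << 1)  /* non-PRECLEAR command while expecting PRECLEAR */
#define SWDT_UC     (1u << 2)  /* unexpected command: CLEAR while window closed */
#define SWDT_ERROR  (1u << 3)  /* set together with BADPC or UC */
enum swdt_cmd { SWDT_CMD_PRECLEAR, SWDT_CMD_CLEAR };  /* COMMAND encodings assumed */

struct swdt {
    uint32_t reset;     /* RESET: reloaded into CNT by a successful CLEAR */
    uint32_t window;    /* WINDOW: CLEAR accepted only while CNT < WINDOW */
    uint32_t cnt;       /* CNT: modelled as a down-counter expiring at 0 (assumed) */
    uint32_t intflags;
    bool preclear_pending;  /* one PRECLEAR received, its CLEAR not yet seen */
    bool expired;
};

static void swdt_update_clear_flag(struct swdt *w)
{
    bool open = w->preclear_pending && w->cnt < w->window;
    w->intflags = open ? (w->intflags | SWDT_CLEAR) : (w->intflags & ~SWDT_CLEAR);
}

void swdt_init(struct swdt *w, uint32_t reset, uint32_t window)
{
    *w = (struct swdt){ .reset = reset, .window = window, .cnt = reset };
}

/* One counter tick; returns true once the watchdog has expired. */
bool swdt_tick(struct swdt *w)
{
    if (w->cnt > 0 && --w->cnt == 0)
        w->expired = true;
    swdt_update_clear_flag(w);
    return w->expired;
}

/* Write to COMMAND; returns true if the command was accepted. */
bool swdt_command(struct swdt *w, enum swdt_cmd cmd)
{
    bool accepted = false;
    if (cmd == SWDT_CMD_PRECLEAR) {
        accepted = !w->preclear_pending;  /* a repeated PRECLEAR is Step 1's concern: not modelled, ignored */
        w->preclear_pending = true;
    } else if (!w->preclear_pending) {
        w->intflags |= SWDT_BADPC | SWDT_ERROR;  /* CLEAR without a prior PRECLEAR */
    } else if (w->cnt >= w->window) {
        w->intflags |= SWDT_UC | SWDT_ERROR;     /* CLEAR while the window is closed */
    } else {
        w->cnt = w->reset;                       /* accepted: reload CNT from RESET */
        w->preclear_pending = false;
        accepted = true;
    }
    swdt_update_clear_flag(w);
    return accepted;
}

/* Main loop placed as the text recommends: PRECLEAR early, `work_ticks` of work, CLEAR
 * at the end. Returns iterations completed before a rejected command or expiry. */
int swdt_main_loop(uint32_t reset, uint32_t window, int iterations,
                   uint32_t work_ticks, uint32_t *flags)
{
    struct swdt w;
    int done;
    swdt_init(&w, reset, window);
    for (done = 0; done < iterations; done++) {
        bool ok = swdt_command(&w, SWDT_CMD_PRECLEAR);
        for (uint32_t t = 0; ok && t < work_ticks; t++)  /* the loop body's real work */
            ok = !swdt_tick(&w);
        if (!ok || !swdt_command(&w, SWDT_CMD_CLEAR))
            break;
    }
    *flags = w.intflags;  /* final INTFLAGS, for inspection by the caller */
    return done;
}

/* Single-point fault: execution trapped in a loop whose only action is writing
 * CLEAR. Returns ticks until expiry; *flags gets the final INTFLAGS. */
uint32_t swdt_tight_clear_loop(uint32_t reset, uint32_t window, uint32_t *flags)
{
    struct swdt w;
    uint32_t ticks = 0;
    swdt_init(&w, reset, window);
    do {
        swdt_command(&w, SWDT_CMD_CLEAR);  /* rejected every time: no PRECLEAR */
        ticks++;
    } while (!swdt_tick(&w));
    *flags = w.intflags;
    return ticks;
}

int main(void)
{
    uint32_t f;
    printf("well-placed loop: %d/5 iterations\n", swdt_main_loop(100, 20, 5, 85, &f));
    printf("tight CLEAR loop: expired after %u ticks\n", swdt_tight_clear_loop(100, 20, &f));
    return 0;
}
```

With RESET = 100 and WINDOW = 20 the window opens only once CNT has dropped below 20, so a loop body of 85 ticks clears cleanly every iteration, a loop body of 50 ticks has its CLEAR rejected with UC and ERROR, and a loop that writes nothing but CLEAR collects BADPC and ERROR on every write while the counter runs down and expires after 100 ticks. The model does not attempt to reproduce any behaviour this step does not describe, in particular what happens on a second PRECLEAR or after expiry.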