

# Generated Specification Document

## INTRODUCTION

### -- Purpose --

Provide a Wishbone-attached watchdog/COP peripheral that software can configure to enforce system liveness: program a timeout and modes, enable optional early-warning interrupts, and safely service the watchdog via a two-key sequence. On missed service it asserts a reset and latches an event for diagnostics. The design includes lockable configuration to prevent unintended changes, pause behavior in debug/low-power modes, safe operation across bus and counter clock domains with robust clock-domain crossings, and software-readable status and counter snapshots for observability.

### -- Key Features --

- Wishbone slave watchdog peripheral with selectable 8- or 16-bit data width and proper byte/halfword enables.
- Configurable bus timing: single-cycle combinational ACK/data or one-wait-state registered responses.
- Compact register space: 48-bit readback, 40-bit writable; top byte reserved/read-only.
- Width-aware access mapping and write adaptation, including 8-bit bus duplication and byte-specific timeout writes.
- Programmable down-counter (parameterized width) clocked by startup oscillator or bus clock in scan/test.
- Robust control: main enable (cop\_ena), two-stage configuration lock (clk → cwp → cop\_ena), and timeout write-protect while enabled.
- Low-power/debug: counter pause support in debug/wait/stop; expiry holds reset if reached while paused.
- Early-warning interrupt with selectable thresholds ( $\leq 16/\leq 32/\leq 64$ ), two-stage IRQ pipeline, and a separate sticky event latch for expiry diagnostics.
- Safe service (reload) via two-key sequence (SERV\_WD\_0 then SERV\_WD\_1) producing a one-cycle reload pulse that clears cop\_rst\_o and reloads timeout.
- Clean clock-domain crossing: level-based reload handshake (bus→counter) and bus-domain snapshot of the live counter on each cop clock edge.
- Flexible reset: asynchronous reset with polarity control (ARST\_LVL), synchronous bus reset, and power-on reset domain for expiry/event paths; parameterized initial enable (INIT\_ENA).
- Explicit event clear pulse; event auto-clears on reload.
- Integration-ready partitioning: cop\_wb\_bus (bus interface), cop\_regs (configuration/validation), cop\_count (counter/outputs).
- Top-level outputs: cop\_rst\_o (watchdog reset) and cop\_irq\_o (early interrupt).

### -- Block Composition --

cop\_top is composed of three tightly-coupled blocks:

- cop\_wb\_bus: Wishbone slave front-end that performs bus handshake (SINGLE\_CYCLE combinational or 1-wait-state registered), address decoding, byte/halfword select handling via wb\_sel\_i, and read-data multiplexing from a 48-bit internal readback bus (read\_regs). It produces a 5-bit write strobe vector (write\_regs[4:0]) aligned to the decoded write regions and gates writes with wb\_wacc.

- cop\_regs: Control/status register file that implements configuration and safety/lock rules. It holds cop\_ena, debug\_ena, stop\_ena, wait\_ena, cop\_irq\_en[1:0], cwp, clck (write-once), and clear\_event pulse; programs timeout\_value[COUNT\_SIZE-1:0] with byte/halfword granularity (writes only when cop\_ena==0; DWIDTH==8 duplicates control bytes as needed); and generates a one-cycle reload\_count pulse from a two-key service write sequence. It assembles bus-domain readback fields together with cop\_count status into read\_regs[47:0] (topmost byte read-only) and enforces that mode changes occur only when the COP is disabled or being disabled by the same write; clck freezes cwp, and cwp blocks changes to cop\_ena.

- cop\_count: Watchdog down-counter running in the counter clock domain (cop\_clk), selectable from startup\_osc\_i or wb\_clk\_i (scan/test). It supports pause modes driven by debug\_ena/wait\_ena/stop\_ena, reload via a two-flop CDC handshake (reload\_1 asserted in bus domain by reload\_count or cop\_ena deassert; reload\_2 in cop\_clk domain performs load of timeout\_value and clears cop\_rst\_o), and bus-stable counter capture for software readback. Outputs include cop\_rst\_o on expiry (held until reload, even if paused), cop\_irq\_o early-warning interrupt with programmable thresholds (cop\_irq\_en=00 disable; 01/10/11 map to <=16/32/64), and an event latch (cop\_event) that records expiry until cleared by reload\_count or clear\_event; POR clears expiry-related state.

Composition and interconnects:

- Data/read path: cop\_regs and cop\_count populate read\_regs[47:0]; cop\_wb\_bus slices it to wb\_dat\_o per DWIDTH and wb\_adr\_i.
- Write path: cop\_wb\_bus decodes writes to produce write\_regs[4:0]; cop\_regs consumes these strobes to update control/status and timeout fields or trigger pulses.
- Clocks/resets: Bus domain (wb\_clk\_i) hosts cop\_wb\_bus and cop\_regs and bus-side IRQ/event/capture logic; counter domain (cop\_clk) hosts cop\_count. Resets include asynchronous reset (ARST\_LVL polarity) for bus/counter init, synchronous bus reset (wb\_rst\_i) for bus-side state, and POR (por\_reset\_i) for expiry/event clearing.
- Parameters: DWIDTH (8/16), SINGLE\_CYCLE, ARST\_LVL, COUNT\_SIZE, INIT\_ENA (default cop\_ena), SERV\_WD\_0/SERV\_WD\_1 (service keys) configure interfaces and behavior.

### -- Typical Use Cases --

- Basic system liveness supervision: firmware periodically services the watchdog via the two-key sequence; early-warning IRQ signals imminent expiry; final expiry asserts reset and latches an event for fault recovery.
- Boot-time protection: enable INIT\_ENA to start the watchdog on POR using the startup oscillator so the system is protected before clocks/peripherals are configured; firmware services promptly during initialization.
- Low-power and debug modes: pause counting in wait/stop/debug to avoid unintended resets while the CPU sleeps or is halted; auto-resume on exit; if the counter reached zero while paused, reset remains asserted for clear fault indication.
- Safety-critical and production lockdown: use write-once cwp/clck locks to prevent post-bring-up changes to enable and configuration, supporting functional safety and anti-tamper requirements.
- Runtime reconfiguration with safeguards: temporarily disable COP, update timeout/mode bits using byte/halfword writes (8-/16-bit Wishbone), then re-enable; two-key servicing prevents spurious reloads.
- Post-mortem diagnostics: after a reset, software reads the sticky event flag and captured counter snapshot to confirm a watchdog cause and how close to expiry service occurred; clear the event after logging.
- Early-warning scheduling: select interrupt thresholds (<=16/32/64) to schedule timely servicing or initiate graceful recovery (state save, telemetry, fallback mode) before hard reset.
- DFT and verification: operate the counter from the bus clock in scantestmode; choose SINGLE\_CYCLE or registered Wishbone responses to meet timing; validate reload handshake and readback paths.

- Flexible bus integration: deploy in 8-bit or 16-bit Wishbone systems with byte/halfword strobes; support partial updates to timeout; use registered ACK for deterministic wait states under stalls.
- Always-on monitoring: rely on the startup oscillator so the watchdog continues counting when the bus is inactive; maintain asserted reset if expiry occurs while paused, ensuring persistent fault signaling.
- Robust cross-domain deployments: use built-in CDC handshakes so reload requests and status cross between bus and watchdog clocks reliably, even with bus stalls or independent clock domains.

#### -- Safety and Reliability Mechanisms --

Safety and reliability mechanisms integrated across COP modules:

- Configuration protection and write locks: Two-stage lock chain (clk, cwp) prevents accidental enable changes; clk is write-once sticky high; cwp blocks writes to cop\_ena when set. Mode bits (debug\_ena, stop\_ena, wait\_ena) update only when COP is disabled or when the same write disables COP. Timeout\_value writes are ignored while COP is enabled; byte writes are supported on 8-bit buses but remain gated by cop\_ena=0. Servicing requires a validated two-key sequence (SERV\_WD\_0 then SERV\_WD\_1 at 5'b10000) to generate a one-cycle reload\_count pulse; spurious writes do not reload.
- Event integrity and diagnostics: cop\_event is a sticky latch recording watchdog expiry (cop\_rst\_o) and persists until cleared by a reload or an intentional clear\_event pulse generated via specific write addresses. Software reads use cop\_capture snapshots to avoid live counter CDC hazards.
- Reset and initialization robustness: Supports asynchronous reset with configurable polarity (ARST\_LVL) and synchronous bus reset. Power-on reset forces initial counter load and clears cop\_rst\_o. Disabling cop\_ena or successful service asserts a bus-to-counter reload request that clears cop\_rst\_o and reloads the counter, ensuring defined recovery. Conservative defaults on reset (timeout\_value=all 1s, cop\_irq\_en=00, mode bits=0); INIT\_ENA controls default enable.
- Clock-domain crossing safety: Level-sticky reload handshake (reload\_1 in bus\_clk, reload\_2 in cop\_clk) guarantees reliable delivery and self-clear after observation; POR forces reload\_2=1 for initial load. Double-flop resampling of cop\_clk provides a clean bus-domain capture trigger. The interrupt is pipelined in the bus domain for timing reliability.
- Watchdog operation safeguards: Early warning interrupt thresholds selectable (01→<=16, 10→<=32, 11→<=64); disabled when cop\_irq\_en=00. Counter pauses when debug/wait/stop modes are enabled, preventing unintended resets during those system states. Reset output asserts on expiry and remains asserted at zero if paused, providing fail-safe behavior.
- Bus interface safety mechanisms: Writes are accepted only on ACK (wb\_wacc) and are qualified by byte enables; optional registered ACK mode (SINGLE\_CYCLE=0) provides deterministic one-wait-state handshakes; deassert STB between transfers for clean protocol. Read/write mapping restricts the writable region (40/48 bits), with the topmost byte [47:40] read-only to reduce risk of unintended state changes. 8-bit bus adaptation duplicates payload internally to 16 bits while preserving gating semantics; address decoding separates writable control/timeout fields from read-only status.
- Test/scantest accommodation: Counter can run from the bus clock in scan/test mode to support DFT while retaining reload and CDC protections.
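
The configuration-protection and two-key service rules listed above can be exercised with a small behavioural model. This is an added example, not the design's RTL: the struct and function names, the per-field write format (the spec gives no bit positions), a COUNT\_SIZE of 16, and the key values are assumptions, and the lock bit the spec writes as clk/clck is called `clck` here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed key values: the spec names SERV_WD_0/SERV_WD_1 but gives no values. */
#define SERV_WD_0 0x1111u
#define SERV_WD_1 0x2222u

/* Bus-domain state of cop_regs that the protection rules act on. */
typedef struct {
    bool cop_ena, cwp, clck;             /* enable and the two lock bits */
    bool debug_ena, stop_ena, wait_ena;  /* pause-mode enables */
    uint16_t timeout_value;              /* COUNT_SIZE assumed to be 16 */
    bool service_cop;                    /* first service key accepted */
} cop_regs_t;

/* Field values requested by one accepted control write (modelled per field
 * because the spec does not give bit positions). */
typedef struct {
    bool cop_ena, cwp, clck, debug_ena, stop_ena, wait_ena;
} cop_ctrl_wr_t;

/* Reset defaults listed in the spec; init_ena stands for INIT_ENA. */
void cop_regs_reset(cop_regs_t *r, bool init_ena)
{
    *r = (cop_regs_t){ .cop_ena = init_ena, .timeout_value = 0xFFFFu };
}

/* Control write: every rule is evaluated against the pre-write lock state. */
void cop_write_control(cop_regs_t *r, cop_ctrl_wr_t w)
{
    bool was_enabled = r->cop_ena;
    bool new_ena = r->cwp ? r->cop_ena : w.cop_ena;  /* cwp blocks cop_ena */
    bool new_cwp = r->clck ? r->cwp : w.cwp;         /* clck freezes cwp */

    /* Mode bits move only if the COP was disabled, or this write disables it
     * (interpreted here as: the write really results in cop_ena == 0). */
    if (!was_enabled || !new_ena) {
        r->debug_ena = w.debug_ena;
        r->stop_ena = w.stop_ena;
        r->wait_ena = w.wait_ena;
    }
    r->cop_ena = new_ena;
    r->cwp = new_cwp;
    r->clck = r->clck || w.clck;   /* write-once, sticky high */
    r->service_cop = false;        /* any other write aborts the key sequence */
}

/* Timeout write: ignored while the COP is enabled. */
void cop_write_timeout(cop_regs_t *r, uint16_t value)
{
    if (!r->cop_ena)
        r->timeout_value = value;
    r->service_cop = false;
}

/* Service write: returns true for the write that produces reload_count. */
bool cop_write_service(cop_regs_t *r, uint16_t data)
{
    if (r->service_cop && data == SERV_WD_1) {
        r->service_cop = false;
        return true;
    }
    /* A repeated first key re-arms the sequence (assumption of this model). */
    r->service_cop = (data == SERV_WD_0);
    return false;
}

int main(void)
{
    cop_regs_t r;
    cop_regs_reset(&r, true);
    cop_write_timeout(&r, 0x0100);   /* dropped: COP is enabled */
    printf("timeout while enabled: 0x%04X\n", (unsigned)r.timeout_value);

    cop_write_control(&r, (cop_ctrl_wr_t){ .cop_ena = false });
    cop_write_timeout(&r, 0x0100);   /* accepted: COP is disabled */
    cop_write_control(&r, (cop_ctrl_wr_t){ .cop_ena = true, .cwp = true, .clck = true });
    cop_write_control(&r, (cop_ctrl_wr_t){ .cop_ena = false });  /* locked out */
    printf("after lockdown: cop_ena=%d cwp=%d clck=%d timeout=0x%04X\n",
           r.cop_ena, r.cwp, r.clck, (unsigned)r.timeout_value);

    cop_write_service(&r, SERV_WD_0);
    printf("reload on second key: %d\n", cop_write_service(&r, SERV_WD_1));
    return 0;
}
```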

#### -- Design Assumptions and Limitations --

- Bus/protocol assumptions
  - Wishbone classic slave; only DWIDTH=8 or 16 are supported.
  - Internal read space is 48 bits; writes cover only 5 bytes (40 bits). The topmost byte [47:40] is reserved/read-only.
  - SINGLE\_CYCLE=1: reads/writes complete in a single cycle when CYC/STB are asserted.
  - SINGLE\_CYCLE=0: read data is registered and ACK pulses every other cycle if the master holds CYC/STB; writes take effect on ACK. Masters should deassert STB between transfers or tolerate wait states.
  - Addressing requires proper alignment and wb\_sel\_i usage; the map assumes straightforward byte/halfword slicing without endianness conversion.

- Clocking and reset assumptions
  - Two clock domains: bus\_clk (register/bus domain) and cop\_clk (counter domain). cop\_clk normally comes from startup\_osc\_i; when scantestmode=1, cop\_clk is sourced from bus\_clk for DFT.
  - Two independent asynchronous resets: async\_rst\_b (polarity selectable via ARST\_LVL) for bus-side logic, and a separate active-low POR reset for the counter/event path and initial reload (cop\_rst\_o side). wb\_rst\_i synchronously resets bus-domain state. POR drives the initial counter load via the reload handshake.
- Configuration and write-protection limitations
  - Timeout value writes are ignored while cop\_ena=1; software must disable the COP to change the timeout.
  - clk is a sticky write-one lock that permanently freezes cwp; when cwp=1, cop\_ena cannot be changed.
  - debug\_ena/wait\_ena/stop\_ena can change only when COP is disabled, or when the write transaction explicitly disables COP in the same accepted write.
  - Servicing (reload) requires two consecutive accepted writes to the same address with the exact key sequence SERV\_WD\_0 then SERV\_WD\_1; any deviation (wrong value, different address, or a gap without ACK acceptance) cancels the reload.
- Width and data-path constraints
  - The timeout/control path is built around a 16-bit payload. COUNT\_SIZE is parameterized, but only the lower 16 bits are software-programmable via the defined register map; higher bits (if any) are not writable via this interface.
  - For DWIDTH==8, the 8-bit bus write data is duplicated internally to 16 bits to preserve semantics; software should use byte-specific addresses for partial timeout writes. Due to duplication, certain control bits (e.g., clear\_event) may appear at mirrored positions and behave identically.
- Interrupt, reset, and event behavior
  - Early interrupt threshold is limited to three preset levels: counter <=16, <=32, or <=64 counts; arbitrary thresholds are not supported.
  - cop\_event is a latched indicator that sets on reset assertion and clears only on a successful service reload or an explicit clear\_event write. Disabling COP does not clear the event latch.
  - cop\_rst\_o asserts when the counter reaches zero and deasserts on the reload handshake completion. If the counter hits zero while counting is paused (due to debug/wait/stop with corresponding enables), cop\_rst\_o remains asserted until the counter is serviced or the pause is released.
- CDC and observability assumptions
  - Reloads cross from bus\_clk to cop\_clk via a level-sticky handshake (reload\_1/reload\_2); proper CDC constraints are required to avoid missed or duplicate reloads.
  - Early IRQ logic compares a live view of the counter in the bus domain, introducing CDC sensitivity. Software should use the captured snapshot (cop\_capture) for stable readback, and system timing closure should account for the comparator's CDC path.
- Addressability and mapping
  - Read mapping exposes six bytes (48 bits). Write mapping covers five bytes; the highest byte is read-only.
  - 8-bit map: reads at addresses 000..101; writes at 000..100. 16-bit map: reads at 000..010; writes at 000, 001, 010 with five effective write strobes. Masters must follow the documented address/sel conventions.
- Defaults and side effects
  - On reset, timeout\_value defaults to all 1s; cop\_ena defaults per INIT\_ENA. Writes to timeout\_value are gated by cop\_ena==0. In SINGLE\_CYCLE=0, only ACKed writes take effect.
  - Throughput under SINGLE\_CYCLE=0 is limited to one transfer per two cycles if CYC/STB remain asserted; system masters should plan for this handshake behavior.

## IO PORTS

### -- Wishbone Interface Signals --

Wishbone B4 classic slave interface on wb\_clk\_i with parameterizable data width and single-/two-cycle timing.

### Parameters

- DWIDTH: 8 or 16. Sets wb\_dat\_i/o width and wb\_sel\_i width (DWIDTH/8).
- SINGLE\_CYCLE: 1 = zero wait state (ACK same cycle, read data combinational); 0 = one wait state (ACK next cycle, read data registered).

### Clock and Reset

- wb\_clk\_i (in): Wishbone clock.
- wb\_rst\_i (in): synchronous reset for bus-side handshake and data path.

### Master-to-Slave Signals

- wb\_cyc\_i (in): cycle valid; qualifies a bus cycle.
- wb\_stb\_i (in): strobe/select for this slave instance.
- wb\_we\_i (in): write enable; 1=write, 0=read.
- wb\_adr\_i (in): address; low-order bits select an 8-bit or 16-bit slice of a 48-bit register space (exact width is system-dependent; only low bits used here).
- wb\_sel\_i [DWIDTH/8-1:0] (in): byte enables; 1 bit when DWIDTH=8, 2 bits when DWIDTH=16. Gated into write updates.
- wb\_dat\_i [DWIDTH-1:0] (in): write data from master.

### Slave-to-Master Signals

- wb\_dat\_o [DWIDTH-1:0] (out): read data to master. Combinational when SINGLE\_CYCLE=1; registered when SINGLE\_CYCLE=0.
- wb\_ack\_o (out): acknowledge; sole handshake response (no ERR/RTY/STALL).

### Handshake and Timing

- Active transfer when module\_sel = (wb\_cyc\_i && wb\_stb\_i).
- SINGLE\_CYCLE=1: wb\_ack\_o asserts in the same cycle as module\_sel; wb\_dat\_o driven combinationally from selected read slice.
- SINGLE\_CYCLE=0: one wait state. For reads, data is captured on the first cycle (module\_sel && !wb\_we\_i) and wb\_ack\_o asserts the next cycle. If CYC/STB remain asserted, ACK pulses every other cycle.

### Read Data Mapping (from internal 48-bit read\_regs)

- DWIDTH=8: wb\_adr\_i 0..5 map to bytes [7:0], [15:8], [23:16], [31:24], [39:32], [47:40].
- DWIDTH=16: wb\_adr\_i 0..2 map to halfwords [15:0], [31:16], [47:32].

### Write Acceptance and Byte Enables

- A write is accepted when `wb_wacc = module_sel && wb_we_i && (SINGLE_CYCLE || wb_ack_o)`.
- `wb_sel_i` qualifies which byte(s)/halfword(s) update on write; only 40 of 48 bits are writable (topmost byte is read-only).
- Write strobe decode into a 5-bit `write_regs` vector:
  - DWIDTH=8: adr 0..4 -> 00001, 00010, 00100, 01000, 10000 respectively; adr 5 is read-only.
  - DWIDTH=16: adr 0 -> 00011 (lower two bytes), adr 1 -> 01100 (middle two bytes), adr 2 -> 10000 (top single byte).

### Protocol Notes

- No ERR/RTY/STALL signals are implemented; masters should deassert STB between transfers in `SINGLE_CYCLE=0` mode or expect ACK every other cycle.
- An additional asynchronous reset may exist internally (`rst_i` with `ARST_LVL`) but is not part of the Wishbone port.

### -- Data Width Configuration --

- DWIDTH parameter selects Wishbone data width: 8 or 16 bits (set in `cop_wb_bus` and mirrored in `cop_regs`). In DWIDTH=8, the 8-bit `write_bus` is duplicated internally to 16 bits to keep control-field positions consistent; in DWIDTH=16, `write_data` is passed through unchanged.
- Read mapping from internal 48-bit `read_regs` to `wb_dat_o`:
  - DWIDTH=8: `wb_adr_i` 000→[7:0], 001→[15:8], 002→[23:16], 003→[31:24], 004→[39:32], 005→[47:40].
  - DWIDTH=16: `wb_adr_i` 000→[15:0], 001→[31:16], 002→[47:32].
- Write decode and granularity (`wb_sel_i` honored in all cases):
  - DWIDTH=8: writes at 000 (control), 001 (event clear), 010 (timeout low byte), 011 (timeout high byte), 100 (service). Address 101 (top byte [47:40]) is read-only. Multi-byte fields require multiple byte writes.
  - DWIDTH=16: writes at 000 (control + clear), 001 (timeout, two bytes at once), 002 (service). Halfword accesses update two bytes at a time.
- Writable region excludes the topmost byte [47:40]; effective writable width is 40 of 48 bits in all modes.
- Address map consistency: decode uses {`eight_bit_bus`, `wb_adr_i`} so software-visible locations remain aligned across DWIDTH settings.
- Behavior unaffected: DWIDTH changes only bus presentation and write-strobe width; internal counter width (`COUNT_SIZE`) and `cop_count` operation are unchanged. Service keys and control compares use the adapted `write_data` so semantics are consistent across widths.

### -- Clock Inputs --

Two external clock inputs define the timing domains. `wb_clk_i` is the Wishbone bus clock and the primary bus-domain clock; it drives the bus front-end (`cop_wb_bus`), the register block (`cop_regs`), and the bus-clock portions of `cop_count` (IRQ pipeline, counter snapshot/capture logic, and the bus-side of the reload handshake). `startup_osc_i` is the watchdog/counter clock and the primary counter-domain clock; it drives the down-counter in `cop_count` during normal operation and is asynchronous to `wb_clk_i`. The counter domain clock (`cop_clk`) equals `startup_osc_i` by default; when `scantestmode=1` (DFT/test), `cop_clk` is taken from `wb_clk_i` so the design runs in a single clock domain. No internal clock division or gating is used; pause/stop behavior is implemented via enable logic inside `cop_count`. In normal mode treat `wb_clk_i` and `startup_osc_i` as fully asynchronous and constrain them independently; verify CDC paths (level-sticky reload handshake from bus→counter and `cop_clk` edge detection/counter snapshot from counter→bus). In scan/test mode both domains are synchronous to `wb_clk_i`; CDC structures remain but operate synchronously. Resets are not clock inputs; bus-domain synchronous resets align to `wb_clk_i` and POR/async resets are separate.

### -- Reset Inputs --

- Reset signals and domains
  - arst\_i: External asynchronous reset; polarity selectable via parameter ARST\_LVL. Internally used as async\_rst\_b = arst\_i ^ ARST\_LVL (active-low) and affects both bus and watchdog logic where implemented as async clear.
  - wb\_rst\_i: Bus-domain synchronous reset (synchronous to wb\_clk\_i). Affects only bus-domain flops/state.
  - por\_reset\_i: Power-on reset, asynchronous active-low in the watchdog (cop) clock domain. Guarantees initial counter load and event/rst clearing.
- Effects by module/domain
  - cop\_wb\_bus (bus interface):
    - wb\_rst\_i: Synchronously clears bus\_wait\_state (affects ACK timing).
    - arst\_i (async\_rst\_b low): Asynchronously clears bus\_wait\_state.
  - cop\_regs (register file, bus domain):
    - wb\_rst\_i or arst\_i: Restores register defaults identically:
      - timeout\_value = all 1s
      - cop\_irq\_en = 2'b00
      - cop\_ena = INIT\_ENA
      - debug/stop/wait = 0
      - cwp = 0, clk = 0 (clk becomes sticky once set after reset)
      - reload\_count = 0, service\_cop = 0
  - cop\_count (watchdog counter, spans domains):
    - wb\_rst\_i (bus side): Clears bus-domain flops (reload\_1, capture pipeline, IRQ pipeline). Does not request or perform a counter reload.
    - arst\_i (async\_rst\_b low): Asynchronously sets the counter to all 1s and clears resync/capture/reload\_1/IRQ pipeline. Does not clear cop\_rst\_o.
    - por\_reset\_i (active-low, cop clock): Clears cop\_rst\_o and cop\_event; initializes reload\_2=1 so that on POR release the counter loads timeout\_value.
- Behavioral/reset interactions
  - Disabling cop\_ena or a valid service sequence asserts reload\_1 (bus domain), which handshakes to reload\_2 (cop clock) to reload the counter.
  - cop\_rst\_o is cleared by POR and by a counter reload; it is not cleared by arst\_i or wb\_rst\_i alone.
  - cop\_event (sticky event) is cleared by POR or by an event\_reset action (reload\_count or clear\_event). It is not cleared by wb\_rst\_i or arst\_i alone; software must clear it if needed.
  - POR is the only reset that guarantees both an initial counter load and clearing of cop\_rst\_o and the event latch.
- Clock/reset coherency notes
  - Two clock domains: bus\_clk (wb\_clk\_i) and cop\_clk (startup\_osc\_i; may be wb\_clk\_i in scan/test). Treat async\_rst\_b as active-low everywhere it is used.
  - sync\_reset referenced in submodules corresponds to wb\_rst\_i and only affects bus-domain logic.
  - Neither wb\_rst\_i nor arst\_i inherently triggers a counter reload; only POR or explicit reload/service does.

### -- Mode/Power-State Inputs --

External mode/power-state inputs to cop\_top can pause the watchdog counter when corresponding enable bits are set in cop\_regs. Inputs: debug\_mode\_i, wait\_mode\_i, stop\_mode\_i (all level-sensitive, active-high, effective immediately in the cop\_clk domain), and scantestmode (active-high). Enable bits: debug\_ena, wait\_ena, stop\_ena in cop\_regs. Pause gating: stop\_counter = (debug\_mode\_i & debug\_ena) | (wait\_mode\_i & wait\_ena) | (stop\_mode\_i & stop\_ena). While stop\_counter=1, the counter holds its current value and decrementing is halted. Pausing does not mask early interrupt generation; interrupts remain based on the live counter value. If the counter reaches 0 while paused, cop\_rst\_o stays asserted until a reload occurs (service sequence or disabling cop\_ena).

scantestmode selects wb\_clk\_i as the watchdog counter clock instead of the startup oscillator; it is orthogonal to pause modes and does not itself pause counting.

Configuration constraints: debug\_ena, wait\_ena, stop\_ena may be changed only when COP is disabled or when the write disables COP, preventing unsafe enable+relax in one step.

Clock-domain considerations: mode inputs are external to the bus domain and no explicit synchronizers are provided; they must be stable/synchronous to cop\_clk to avoid metastability.
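
The pause gating, early-warning thresholds and held reset described in this section, as a behavioural model of the counter domain. This is an added example, not the design's RTL and not cycle-accurate: the type and function names, a COUNT\_SIZE of 16, a counter that saturates at zero, and reload\_2 being passed in directly (the bus-side handshake is not modelled) are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mode enables and threshold select come from cop_regs; COUNT_SIZE assumed 16. */
typedef struct {
    uint16_t counter, timeout_value;
    bool debug_ena, wait_ena, stop_ena;
    uint8_t cop_irq_en;   /* 00 off, 01 <=16, 10 <=32, 11 <=64 */
    bool cop_rst_o;
} cop_count_t;

/* External mode/power-state inputs. */
typedef struct {
    bool debug_mode_i, wait_mode_i, stop_mode_i;
} cop_modes_t;

/* Pause gating equation from the spec: an input pauses only if its enable is set. */
bool cop_stop_counter(const cop_count_t *c, cop_modes_t m)
{
    return (m.debug_mode_i && c->debug_ena) ||
           (m.wait_mode_i && c->wait_ena) ||
           (m.stop_mode_i && c->stop_ena);
}

/* Early-warning interrupt: compares the live counter, so a pause does not mask it. */
bool cop_irq(const cop_count_t *c)
{
    static const uint16_t threshold[4] = { 0, 16, 32, 64 };
    return c->cop_irq_en != 0 && c->counter <= threshold[c->cop_irq_en & 3u];
}

/* One cop_clk edge. reload_2 is the counter-domain side of the reload handshake. */
void cop_clk_tick(cop_count_t *c, bool reload_2, cop_modes_t m)
{
    if (reload_2) {                 /* load timeout_value and clear the reset */
        c->counter = c->timeout_value;
        c->cop_rst_o = false;
        return;
    }
    if (!cop_stop_counter(c, m) && c->counter > 0)
        c->counter--;               /* saturating at zero is a modelling choice */
    if (c->counter == 0)
        c->cop_rst_o = true;        /* held until the next reload, paused or not */
}

/* Apply n edges with constant mode inputs and no reload; returns the counter. */
uint16_t cop_run(cop_count_t *c, unsigned n, cop_modes_t m)
{
    while (n--)
        cop_clk_tick(c, false, m);
    return c->counter;
}

int main(void)
{
    /* Constructed scenario: timeout 70, threshold <=64, debug pause enabled. */
    cop_count_t c = { .timeout_value = 70, .debug_ena = true, .cop_irq_en = 3 };
    cop_modes_t none = { false, false, false };
    cop_modes_t dbg = { .debug_mode_i = true };

    cop_clk_tick(&c, true, none);   /* initial load */
    cop_run(&c, 6, none);
    printf("count=%u irq=%d\n", (unsigned)c.counter, cop_irq(&c));
    cop_run(&c, 10, dbg);           /* paused: counter holds, IRQ stays up */
    printf("paused count=%u irq=%d\n", (unsigned)c.counter, cop_irq(&c));
    cop_run(&c, 64, none);          /* missed service: expiry */
    cop_run(&c, 5, dbg);            /* pausing at zero does not release reset */
    printf("expired count=%u rst=%d\n", (unsigned)c.counter, c.cop_rst_o);
    cop_clk_tick(&c, true, dbg);    /* reload clears the reset */
    printf("reloaded count=%u rst=%d\n", (unsigned)c.counter, c.cop_rst_o);
    return 0;
}
```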

#### -- Test/Scan Inputs --

- scantestmode (DFT/test-mode): Assert to collapse all logic onto wb\_clk\_i; forces cop\_count to use wb\_clk\_i and ignores startup\_osc\_i; simplifies reload handshake to a single clock domain.
- wb\_clk\_i (bus clock): Sole active clock in scan when scantestmode=1; drives bus-side logic and watchdog counter; ensure stable, deterministic frequency in test.
- startup\_osc\_i (watchdog oscillator): Normal functional clock; must be ignored during scan by asserting scantestmode=1 to avoid asynchronous domains.
- por\_reset\_i (active-low POR): Hold low during scan to keep outputs deterministic; releasing POR reloads the counter from timeout\_value; use for power-on sequencing, not routine bus-domain init.
- wb\_rst\_i (synchronous bus reset): Preferred reset in scan/ATPG for deterministic initialization of bus/register domain; avoid mixing with asynchronous resets mid-scan.
- arst\_i (async reset, polarity per ARST\_LVL): External asynchronous clear for bus-side FSMs/registers; use only when an async clear is required; honor ARST\_LVL polarity.
- debug\_mode\_i, wait\_mode\_i, stop\_mode\_i (mode holds): Can pause counting when corresponding enables are set in cop\_regs; keep deasserted for normal scan unless intentionally freezing activity; configure enables first or these inputs have no effect.
- SINGLE\_CYCLE (test parameter): Set to 0 in scan to register ACK/data and reduce combinational depth; set to 1 only for single-cycle functional testing.
- Scan operation guidance: Keep cop\_ena=0 for quiet scan or pause via mode inputs; avoid issuing the service key sequence unless testing reload behavior; constrain writes to avoid the read-only top byte in the 48-bit read space.

#### -- Outputs --

- wb\_dat\_o (bus\_clk): Wishbone read-data output, width DWIDTH (8 or 16). Drives a byte/halfword slice of the internal 48-bit readback space selected by address and DWIDTH. SINGLE\_CYCLE=0: data is registered and valid on the ACK cycle. SINGLE\_CYCLE=1: data is combinational. The topmost byte in the readback map is read-only (affects content only).
- wb\_ack\_o (bus\_clk): Wishbone acknowledge. SINGLE\_CYCLE=1: combinational, asserted in the same cycle as a valid CYC/STB access to this slave (module select true). SINGLE\_CYCLE=0: one-wait-state response; ACK pulses every other cycle when CYC/STB are held. Qualifies write acceptance and indicates when wb\_dat\_o is valid for reads.
- cop\_irq\_o (bus\_clk): Early-warning interrupt. Asserted when the live counter is <= threshold selected by cop\_irq\_en (00: disabled; 01: <=16; 10: <=32; 11: <=64); deasserted otherwise. Derived from the live counter (not the captured bus snapshot) and passed through a two-stage pipeline in bus\_clk for timing stability.
- cop\_rst\_o (cop\_clk): Watchdog reset. Asserted when the counter reaches zero; cleared on POR or any reload. If the counter hits zero while paused (debug/wait/stop), cop\_rst\_o remains asserted until a reload or POR. Generated in the cop\_clk domain.

Notes: wb\_dat\_o and wb\_ack\_o, as well as cop\_irq\_o, are in the bus\_clk domain; cop\_rst\_o is in the cop\_clk domain.

#### -- Signal Summary --

- Clocks and resets
  - wb\_clk\_i (input): Wishbone bus clock; drives cop\_wb\_bus, cop\_regs, and bus-domain flops in cop\_count.
  - wb\_rst\_i (input, active-high): Synchronous bus-domain reset.
  - arst\_i (input, async): Asynchronous bus-side reset; active level is ARST\_LVL.
  - startup\_osc\_i (input): External oscillator driving the watchdog counter clock.
  - por\_reset\_i (input, active-low): Power-on reset for cop\_count reset/event path.
  - scantestmode (input): When 1, selects wb\_clk\_i as cop\_count clock for scan/DFT.
- Mode inputs
  - debug\_mode\_i, wait\_mode\_i, stop\_mode\_i (inputs): Pause the counter only when their corresponding enable bits (debug\_ena/wait\_ena/stop\_ena) are set.
- Wishbone interface
  - wb\_cyc\_i, wb\_stb\_i (inputs): Cycle and strobe qualifiers.
  - wb\_we\_i (input): Write enable.
  - wb\_adr\_i (input): Address; low bits select slices of the 48-bit read space (6 byte addresses for DWIDTH=8; 3 halfword addresses for DWIDTH=16).
  - wb\_sel\_i (input [(DWIDTH/8)-1:0]): Byte/halfword enables.
  - wb\_dat\_i (input [DWIDTH-1:0]): Write data.
  - wb\_dat\_o (output [DWIDTH-1:0]): Read data sourced from internal 48-bit readback bundle.
  - wb\_ack\_o (output): Acknowledge; SINGLE\_CYCLE=1 combinational response, SINGLE\_CYCLE=0 one wait-state with registered data.
- System outputs
  - cop\_rst\_o (output): Watchdog reset asserted when the counter reaches zero; cleared on reload or POR; remains asserted if zero occurs while paused until reload/POR.
  - cop\_irq\_o (output): Early-warning interrupt; thresholds via cop\_irq\_en: 00 disabled, 01 -> count <=16, 10 -> <=32, 11 -> <=64.
- Internal interconnect
  - read\_regs (wire [47:0]): Aggregated control/status and snapshot readback from cop\_regs/cop\_count to cop\_wb\_bus (topmost byte read-only; lower 40 bits writable via write\_regs).
  - write\_regs (wire [4:0]): Write strobes from cop\_wb\_bus into cop\_regs.
  - timeout\_value (wire [COUNT\_SIZE-1:0]): Programmable reload value from cop\_regs to cop\_count.
  - cop\_ena, cwp, clk (wires, 1-bit): Enable and lock bits from cop\_regs to cop\_count.
  - debug\_ena, stop\_ena, wait\_ena (wires, 1-bit): Mode enables from cop\_regs to cop\_count.
  - cop\_irq\_en (wire [1:0]): Interrupt threshold selection from cop\_regs to cop\_count.
  - reload\_count (wire, bus-clock pulse): Service/reload request from cop\_regs to cop\_count; crosses clock domains via reload handshake.
  - clear\_event (wire, bus-clock pulse): Event clear request from cop\_regs to cop\_count.
  - cop\_capture (wire [COUNT\_SIZE-1:0]): Bus-domain snapshot of the counter from cop\_count for software readback.
- Notes impacting signals
  - DWIDTH parameter (8 or 16) sets widths of wb\_dat\_i/o and wb\_sel\_i and affects slice decoding; in DWIDTH=8, some writes duplicate 8-bit data into 16 bits; timeout\_value supports byte-specific writes.
  - CDC paths: reload\_count uses a two-flop handshake (reload\_1 bus, reload\_2 cop clock); cop\_capture provides a stable bus-clock snapshot.
  - Reset polarities: por\_reset\_i active-low; arst\_i active level via ARST\_LVL; wb\_rst\_i active-high synchronous.

## ARCHITECTURE

-- Top-Level Data and Control Flow --

- Architectural flow
  - cop\_top integrates a Wishbone slave front-end (cop\_wb\_bus), a register/configuration block (cop\_regs), and the watchdog counter engine (cop\_count) across two clock domains: wb\_clk\_i (bus/control, IRQ/event, capture) and cop\_clk (counter/reset generation).
- Wishbone ingress and write acceptance (bus domain)
  - Transactions enter via wb\_cyc\_i/wb\_stb\_i with wb\_we\_i, wb\_adr\_i, wb\_dat\_i, and produce wb\_ack\_o and wb\_dat\_o.
  - SINGLE\_CYCLE=1: combinational read data and ACK (no wait state). SINGLE\_CYCLE=0: one-cycle latency; under continuous CYC/STB, ACK pulses every other cycle; writes qualify on wb\_wacc in the ACK cycle.
  - Write decode produces a 5-bit write\_regs strobe vector (only 5 of 6 bytes writable); the highest read\_regs byte is read-only. For DWIDTH=16, adr[2:0]=000/001/010 map to strobe bits 00011/01100/10000. For DWIDTH=8, adr[2:0]=000..100 map to 00001/00010/00100/01000/10000. On DWIDTH=8, wb\_dat\_i is byte-replicated to 16 bits; timeout low/high have byte-specific strobes.
  - Read mux slices a 48-bit read\_regs bus into wb\_dat\_o: DWIDTH=8 uses adr[2:0]=000..101 → [7:0]..[47:40]; DWIDTH=16 uses adr[2:0]=000..010 → [15:0],[31:16],[47:32].
- Register/config control (bus domain)
  - cop\_regs latches configuration on write\_regs: cop\_ena, mode masks (debug\_ena, stop\_ena, wait\_ena), cop\_irq\_en, timeout\_value, and lock bits (cwp, clk).
  - Protection rules: timeout\_value writes ignored while cop\_ena=1; mode bits change only when COP is disabled or in the same write that disables it; cop\_ena writable only if cwp=0; cwp writable only if clk=0; clk is sticky once set.
  - Service sequence: two consecutive writes of SERV\_WD\_0 then SERV\_WD\_1 to the service address generate a one-cycle reload\_count pulse; any other write aborts the sequence.
  - clear\_event is a write-1 pulse at specific decoded addresses; event can also be cleared by reload.
- Reload/enable handshake and CDC
  - In the bus domain, reload\_count and cop\_ena drive a level-sticky reload\_1 request. Disabling cop\_ena also requests reload. reload\_1 remains asserted until observed in cop\_clk.
  - In the counter domain, reload\_1 is synchronized as reload\_2 to load timeout\_value and clear cop\_rst\_o/event. Observation of reload\_2 auto-clears reload\_1 back in the bus domain.
- Counter and reset generation (counter domain)
  - cop\_count is a down-counter clocked by cop\_clk; on reload\_2 it loads timeout\_value, otherwise decrements when not paused.
  - Pausing is driven by stop\_counter gating derived from enabled modes (debug\_ena/stop\_ena/wait\_ena) and their corresponding system states; if paused at 0, cop\_rst\_o stays asserted until a reload.
  - cop\_rst\_o asserts when the counter reaches zero and is deasserted by reload\_2.
- Status, capture, and IRQ (bus domain)
  - Counter capture: an edge-detect/synchronizer snapshots the live cop\_counter into cop\_capture for coherent software reads; read\_regs sources cop\_capture, not the asynchronous live counter.
  - IRQ: a bus-domain comparator asserts cop\_irq\_o when the live counter is below an early-warning threshold selected by cop\_irq\_en (<=16/32/64); disabled when cop\_irq\_en==0.
  - Event latch (cop\_event): sets when cop\_rst\_o asserts; cleared by reload\_count/reload\_2 or clear\_event writes; POR clears it.
  - read\_regs composition includes configuration, status (locks, enable, mode), captured count, IRQ/event state, and any ancillary flags; the topmost byte is read-only.
- Reset behavior
  - Bus side (cop\_wb\_bus FSM, cop\_regs): asynchronous arst\_i (polarity via ARST\_LVL) and synchronous wb\_rst\_i; defaults include timeout\_value=all 1s and cop\_ena=INIT\_ENA.
  - Counter side: por\_reset\_i forces an initial reload (reload\_2=1) and clears cop\_rst\_o/event; async\_rst\_b resets the counter and clears capture/IRQ pipelines.
- Test/DFT
  - In scantestmode, cop\_clk is sourced from wb\_clk\_i for test; CDC handshakes and synchronizers remain active.
- Parameters influencing flow
  - COUNT\_SIZE (counter width), INIT\_ENA (default enable), ARST\_LVL (async reset polarity), SERV\_WD\_0/SERV\_WD\_1 (service keys), DWIDTH (8/16-bit bus), SINGLE\_CYCLE (ACK/data timing).

### -- Wishbone Front-End --

Wishbone Front-End (cop\_wb\_bus) is a Wishbone Classic slave interface for the cop\_top watchdog block. It bridges the bus to internal registers via a 48-bit read\_regs input and a 5-bit write\_regs strobe output, supporting DWIDTH=8 or 16 and two handshake modes via SINGLE\_CYCLE.

- Parameters: DWIDTH ∈ {8,16}, SINGLE\_CYCLE ∈ {0,1}, ARST\_LVL for asynchronous reset polarity.
- Interface (typical Wishbone signals): wb\_clk\_i, wb\_rst\_i, arst\_i; wb\_cyc\_i, wb\_stb\_i, wb\_we\_i, wb\_adr\_i, wb\_dat\_i, wb\_sel\_i; wb\_dat\_o, wb\_ack\_o; plus read\_regs[47:0] (from back-end) and write\_regs[4:0] (to back-end).
- Handshake: module\_sel = wb\_cyc\_i && wb\_stb\_i. SINGLE\_CYCLE=1 provides combinational ACK (wb\_ack\_o=module\_sel) and rd\_data\_mux on the same cycle; writes are accepted immediately. SINGLE\_CYCLE=0 inserts one wait state: ACK asserts on the second cycle while STB is held; read data is captured on the first read cycle and presented on the ACK cycle; writes are qualified only on the ACK cycle. Guidance: deassert STB between transfers to receive single ACK pulses in two-cycle mode.
- Read mapping from read\_regs by DWIDTH and address: 8-bit mode adr 000→[7:0], 001→[15:8], 010→[23:16], 011→[31:24], 100→[39:32], 101→[47:40]; 16-bit mode adr 000→[15:0], 001→[31:16], 010→[47:32]. The topmost byte [47:40] is read-only/reserved.
- Write qualification: wb\_wacc = module\_sel && wb\_we\_i && (SINGLE\_CYCLE || wb\_ack\_o); write\_regs asserts only when wb\_wacc=1 and is decoded by DWIDTH/address. 8-bit mode: adr 000→00001, 001→00010, 010→00100, 011→01000, 100→10000 (adr 101 is read-only). 16-bit mode: adr 000→00011, 001→01100, 010→10000. As a result, 40 of the 48 bits are writable. Byte/halfword enables (wb\_sel\_i) correctly qualify partial writes in both bus widths.
- Reset: asynchronous reset via arst\_i honoring ARST\_LVL; synchronous wb\_rst\_i clears the internal wait/ACK FSM and registered read datapath.

All logic resides in the bus clock domain and presents a Wishbone-compliant front end that fans write\_regs to cop\_regs and multiplexes read\_regs (from cop\_regs/cop\_count) onto wb\_dat\_o according to DWIDTH and address.

### -- Register File --

##### Overview

- Register file implemented in cop\_regs and exposed via cop\_wb\_bus (Wishbone slave).
- 48-bit readback space with five writable byte lanes (one top byte is read-only).
- Identical semantics for 8-bit and 16-bit Wishbone data widths.

##### Reset defaults

- timeout\_value: all 1s.
- cop\_irq\_en: 00.
- debug\_ena, stop\_ena, wait\_ena: 0.
- cop\_ena: INIT\_ENA (parameter-controlled).
- cwp: 0; clk: 0 (clk is sticky write-1).
- reload\_count: 0; service\_cop: 0.

##### Access types and protections

- cop\_ena writable only when cwp == 0.
- cwp writable only when clk == 0.
- clk is write-once, sticky 1.
- debug\_ena/stop\_ena/wait\_ena writable only when COP is disabled, or when the same write also sets cop\_ena = 0.
- timeout\_value writable only when cop\_ena == 0; writes while enabled are ignored. Byte or halfword writes supported per bus width.
- clear\_event is a write-1 pulse: 8-bit mode uses a dedicated byte; 16-bit mode uses bit [8] in the CTRL+CLR halfword.
- SERVICE (reload) requires two consecutive writes of SERV\_WD\_0 then SERV\_WD\_1 to the SERVICE address; any other write clears the arm (service\_cop). Successful sequence generates a reload\_count pulse.

##### Readback

- Reads return slices of a 48-bit read\_regs vector containing control/status, a captured down-counter snapshot, and event/IRQ status.
- The topmost byte is read-only.
- The counter value is a snapshot captured on cop\_clk edges; not a live combinational value.

##### Address map

- 8-bit Wishbone (adr[2:0] = 000..101):
  - 000: CTRL (RW). Bits: [7:6]=cop\_irq\_en, [5]=debug\_ena, [4]=stop\_ena, [3]=wait\_ena, [2]=cop\_ena (gated by cwp), [1]=cwp (gated by clk), [0]=clk (sticky 1).
  - 001: EVT\_CLR (WO). write\_data[0]=1 generates clear\_event pulse.
  - 010: TIMEOUT\_LO (RW when disabled). timeout\_value[7:0].
  - 011: TIMEOUT\_HI (RW when disabled). timeout\_value[15:8].
  - 100: SERVICE (WO). Two-key service sequence target.
  - 101: Status (RO). Read-only byte.
- 16-bit Wishbone (adr[2:0] = 000..010):
  - 000: CTRL+CLR (RW/WO). Lower 8 bits as CTRL above; bit [8]=1 generates clear\_event pulse; upper bits otherwise reserved/ignored on write.
  - 001: TIMEOUT (RW when disabled). 16-bit write to timeout\_value[15:0].
  - 010: SERVICE (WO). Two-key service target in top 16-bit word; only one byte in this halfword is write-enabled for service; the other byte is read-only.

##### Bus width adaptation

- On DWIDTH==8, write\_data is internally formed as {byte, byte} so common decode logic applies; byte-specific semantics preserved.

##### Write acceptance

- Writes take effect only when wb\_wacc is true. In single-cycle mode this is the request cycle; in registered mode it is the ACK cycle.

##### Effects

- A successful SERVICE two-key sequence or disabling cop\_ena issues a reload request to the counter domain.
- clear\_event or a successful reload clears the sticky event latch; expiry latches the event until cleared.

##### Read slicing

- 8-bit reads: adr 000..101 map to bytes [7:0], [15:8], [23:16], [31:24], [39:32], [47:40].
- 16-bit reads: adr 000..010 map to [15:0], [31:16], [47:32].

##### Notes

- Exact 48-bit read\_regs field ordering is integration-dependent; guaranteed to include control/status, captured counter, and event/IRQ status with top byte read-only.
- Write decode summary: 8-bit — 000: CTRL, 001: EVT\_CLR, 010: TIMEOUT\_LO, 011: TIMEOUT\_HI, 100: SERVICE, 101: RO. 16-bit — 000: CTRL+CLR, 001: TIMEOUT, 010: SERVICE (top word byte-enabled).

### -- Watchdog Counter --

- Purpose: Parameterizable (COUNT\_SIZE) down-counter watchdog that asserts a reset on expiry, provides an early warning interrupt, supports pause modes, and software servicing.
- Clocks: Runs in the cop\_clk domain (startup oscillator). In scantestmode=1, cop\_clk is sourced from the bus clock. IRQ and capture pipeline flops reside in the bus\_clk domain.
- Resets: POR (active-low) clears cop\_rst\_o, reload\_2, and the event latch; async\_rst\_b initializes the counter to all 1s; sync\_reset clears bus-domain capture/IRQ flops. On POR release, reload\_2 is preset to 1 to force the initial load of timeout\_value.
- Operation: When enabled and not paused, the counter decrements by 1 each cop\_clk. A reload loads timeout\_value; pausing holds the current count. stop\_counter is asserted when any of (debug\_mode\_i & debug\_ena), (wait\_mode\_i & wait\_ena), or (stop\_mode\_i & stop\_ena) are true.
- Service/Reload: Software services via a two-key sequence (SERV\_WD\_0 then SERV\_WD\_1) that generates a one-cycle reload\_count in the bus domain. Disabling cop\_ena also requests reload.
- Handshake: reload\_1 (bus\_clk) asserts on (reload\_count || !cop\_ena || (reload\_1 && !reload\_2)) and is cleared by async\_rst\_b or sync\_reset; reload\_2 (cop\_clk) samples reload\_1 and is POR-cleared to 1. Any reload deasserts cop\_rst\_o.
- Reset output: cop\_rst\_o asserts when the counter reaches 0; it remains asserted if the counter is held at 0 while paused; any reload deasserts cop\_rst\_o.
- Early IRQ: Programmable thresholds relative to the live counter value via cop\_irq\_en[1:0]: 00=disabled, 01=<=16, 10=<=32, 11=<=64. IRQ is generated from the cop\_clk condition and pipelined through two stages in the bus\_clk domain.
- Counter capture: cop\_capture is a stable snapshot of the counter in the bus\_clk domain, updated on each detected cop\_clk rising edge for software readback via Wishbone; software should use cop\_capture rather than the live counter.
- Event latch: cop\_event sets when cop\_rst\_o asserts and holds until event\_reset; event\_reset = (reload\_count || clear\_event). POR also clears cop\_event.
- Configuration/Access: timeout\_value, enable/pause mode bits, and IRQ enables are driven by cop\_regs via Wishbone. Writes to timeout\_value are ignored while cop\_ena==1; low-power/debug pause bits change only when COP is disabled or the write disables it.

- Defaults: On reset, timeout\_value and cop\_capture initialize to all 1s; cop\_irq remains disabled until enabled via cop\_regs.

### -- Address Decode and Data Muxing --

cop\_wb\_bus implements a DWIDTH-selectable Wishbone slave that decodes a word-aligned address index (adr) and multiplexes a 48-bit internal read\_regs bus onto wb\_dat\_o. Address decode is normalized with a key {eight\_bit\_bus, adr}, where eight\_bit\_bus = (DWIDTH == 8), so one mapping covers both widths. Read slice mapping: DWIDTH=8 (eight\_bit\_bus=1): adr 000 -> read\_regs[7:0], adr 001 -> read\_regs[15:8], adr 010 -> read\_regs[23:16], adr 011 -> read\_regs[31:24], adr 100 -> read\_regs[39:32], adr 101 -> read\_regs[47:40] (top byte is reserved/read-only). DWIDTH=16 (eight\_bit\_bus=0): adr 000 -> read\_regs[15:0], adr 001 -> read\_regs[31:16], adr 010 -> read\_regs[47:32]. The data mux output (rd\_data\_mux) is returned on wb\_dat\_o per SINGLE\_CYCLE: SINGLE\_CYCLE=1 drives rd\_data\_mux combinationally for same-cycle reads; SINGLE\_CYCLE=0 registers rd\_data\_mux on the first read cycle and presents it on the ACK cycle. wb\_sel\_i does not alter the read slice selection; the full DWIDTH slice is returned for each valid adr. The 48-bit read\_regs bundle is sourced by cop\_regs and cop\_count; cop\_wb\_bus only slices and presents the selected segment as software-visible data per the above address mapping.

### -- Read/Write Path and Handshake --

##### Wishbone transfer detection and response

- A transfer to cop\_top is active when wb\_cyc\_i && wb\_stb\_i (module\_sel).
- ACK generation is controlled by SINGLE\_CYCLE:
  - SINGLE\_CYCLE=1: wb\_ack\_o asserts combinationally in the same cycle as module\_sel; read data is driven combinationally; writes are accepted immediately in that cycle.
  - SINGLE\_CYCLE=0: wb\_ack\_o asserts exactly one cycle after module\_sel; a 1-bit bus\_wait\_state FSM inserts one wait state. If CYC/STB are held continuously, ACK pulses every other cycle; masters should deassert STB between transfers for single-pulse ACKs.
- Write acceptance (wb\_wacc): writes assert only when module\_sel && wb\_we\_i && (SINGLE\_CYCLE || wb\_ack\_o), ensuring correct timing in both single- and two-cycle modes.
- Byte/halfword enables (wb\_sel\_i): write qualification honors wb\_sel\_i; only enabled lanes generate write strobes downstream.

##### Read path (bus -> internal)

- cop\_wb\_bus returns slices of a 48-bit read\_regs vector assembled from cop\_regs/cop\_count.
- DWIDTH-dependent mapping:
  - DWIDTH=8: address selects successive bytes: [7:0], [15:8], [23:16], [31:24], [39:32], [47:40].
  - DWIDTH=16: address selects successive halfwords: [15:0], [31:16], [47:32].
- Timing:
  - SINGLE\_CYCLE=1: rd\_data is combinational in the same cycle as ACK.
  - SINGLE\_CYCLE=0: rd\_data\_reg captures on the first cycle of a read (module\_sel && !wb\_we\_i); data is valid/stable on the ACK cycle.
- The topmost byte [47:40] is read-only and never mapped to a write strobe.
- cop\_count provides a coherent snapshot of the cop\_clk counter into bus\_clk; software reads it via read\_regs with data stability aligned to ACK.

##### Write path (bus -> cop\_regs)

- Address and DWIDTH decode into a 5-bit write\_regs vector; strobes assert only on wb\_wacc.
- DWIDTH=8 mapping when accepted:
  - adr 000 -> 00001 (control base)
  - adr 001 -> 00010 (event clear)
  - adr 010 -> 00100 (timeout low byte)
  - adr 011 -> 01000 (timeout high byte)
  - adr 100 -> 10000 (service sequence)
  - adr 101 -> no write strobe (read-only top byte)
- DWIDTH=16 mapping when accepted:
  - adr 000 -> 00011 (control base + event clear)
  - adr 001 -> 01100 (timeout full-width write)
  - adr 010 -> 10000 (service sequence in the top word; only the writable lanes are honored; [47:40] remains read-only)
- Data adaptation:
  - DWIDTH=8: write payload is duplicated internally to 16 bits ({byte, byte}) for shared decodes; timeout\_value also supports byte-specific updates.
- Field protections enforced by cop\_regs:
  - timeout\_value updates only when cop\_ena==0 (byte or full-width).
  - debug\_ena/stop\_ena/wait\_ena update only when COP is disabled or the same write disables it.
  - cop\_ena updates only when cwp==0; cwp updates only when clck==0; clck is sticky set-only.
  - clear\_event is a one-cycle write-1 pulse from either control+clear or event-clear decodes.

##### Reset and handshake robustness

- Asynchronous reset polarity (ARST\_LVL) applies to the wait-state FSM and CDC elements; synchronous wb\_rst\_i clears bus-domain flops and bus\_wait\_state.
- After reset, read data and write strobes revert to safe defaults; POR initializes the counter reload path.
- The overall bus behavior is deterministic and width-adaptive: acceptance, ACK timing, and data mapping remain consistent across SINGLE\_CYCLE modes and DWIDTH configurations.

### -- Readback Bundle Mapping --

Readback Bundle (read\_regs) is a 48-bit unified bus assembled by cop\_regs and cop\_count and exposed to software via cop\_wb\_bus. The bus interface slices read\_regs onto the Wishbone data bus based on DWIDTH and the address.

#### Address-to-slice mapping (Wishbone read):

- DWIDTH == 8 (8-bit bus):
  - Address 000 -> read\_regs[7:0]
  - Address 001 -> read\_regs[15:8]
  - Address 010 -> read\_regs[23:16]
  - Address 011 -> read\_regs[31:24]
  - Address 100 -> read\_regs[39:32]
  - Address 101 -> read\_regs[47:40] (topmost byte; read-only)
- DWIDTH == 16 (16-bit bus):
  - Address 000 -> read\_regs[15:0]
  - Address 001 -> read\_regs[31:16]
  - Address 010 -> read\_regs[47:32] (topmost word; read path returns full 16 bits)

#### Writable vs read-only regions:

- read\_regs[47:40] (topmost byte) is read-only from the bus; software can read it but cannot write it.
- The remaining 40 bits [39:0] form the writable register space. For DWIDTH == 16 at Address 010, only bits [39:32] are writable; bits [47:40] remain read-only.

#### Counter readback:

- The watchdog counter value is a bus-clock-domain snapshot captured by cop\_count; the snapshot bytes/halfword are included within read\_regs so software reads a stable counter value via the above slices.

#### Read timing:

- SINGLE\_CYCLE = 1: read data is combinational; wb\_ack\_o asserts in the same cycle as the request.
- SINGLE\_CYCLE = 0: read data is registered on the pre-ACK cycle and presented on the ACK cycle; wb\_ack\_o asserts one cycle after the request.

#### Programming note:

- Exact field placement within read\_regs (control/status, timeout, snapshot, event/IRQ status) is defined by cop\_regs and cop\_count; software should use those register definitions while relying on the slicing described above and the read-only nature of the top byte.

### -- Writable vs Read-Only Regions --

Overview

- The register window is 48 bits wide and fully readable. The top byte [47:40] is reserved and read-only. Effective writable width is 40 bits.

DWIDTH=8 (8-bit bus)

- adr 000 → Writable: control fields (with protections); reads return [7:0].
- adr 001 → Writable as a write-1 pulse: clear\_event; no stored bit; reads return [15:8].
- adr 010 → Writable: timeout low byte [7:0], only when COP is disabled; reads return [23:16].
- adr 011 → Writable: timeout high byte [15:8], only when COP is disabled; reads return [31:24].
- adr 100 → Write-only effect: service key sequence; generates reload on valid keys; reads return [39:32].
- adr 101 → Read-only: top byte [47:40].

DWIDTH=16 (16-bit bus)

- adr 000 → Writable: lower two bytes [15:0] (control fields plus clear\_event pulse); reads return [15:0].
- adr 001 → Writable: timeout [15:0], only when COP is disabled; reads return [31:16].
- adr 010 → Partially writable: only byte [39:32]; byte [47:40] is read-only; reads return [47:32].

Write gating and lockouts

- cop\_ena is writable only if cwp==0.
- cwp is writable only if clk==0.
- clk is sticky set-only (can be set, not cleared), which can indirectly lock cwp and cop\_ena.
- debug\_ena, stop\_ena, wait\_ena can change only while COP is disabled, or when the same write disables it (cop\_ena=0).
- timeout\_value writes are ignored when cop\_ena==1.
- clear\_event and service keys are write-only effects; reads always return the mapped status slices, not the last write value.

Write acceptance

- Writes take effect only when the bus transfer is accepted (wb\_wacc per Wishbone handshake). In SINGLE\_CYCLE=0 mode, write strobes assert on the ACK cycle.

### -- Clock Domain Crossing --

Clock domains and CDC strategy: The design spans two primary clock domains—wb\_clk\_i (bus/regs/IRQ/event latch) and cop\_clk (watchdog counter/reset). In scan/test mode (scantestmode=1), cop\_clk is tied to wb\_clk\_i, eliminating CDC during test. No CDC exists inside the Wishbone front-end.

Bus → cop\_clk crossings:

- Counter reload handshake: A bus-domain pulse (reload\_count) and level enable (cop\_ena) drive a sticky level (reload\_1) that persists until observed in cop\_clk as reload\_2. The counter loads when reload\_2 asserts, then reload\_1 auto-clears. POR forces reload\_2=1 for an initial load. This ensures no missed pulses and a clean, single load per request.
- Multi-bit timeout\_value: Resides in the bus domain and is only writable when cop\_ena=0. The counter samples it on reload\_2, guaranteeing stability at capture time.
- Mode/enables: cop\_ena, debug\_ena, stop\_ena, wait\_ena cross as level controls to the cop\_clk domain (e.g., for stop gating). Updates are restricted (e.g., while COP disabled) to minimize hazards and avoid metastability-sensitive edges.

cop\_clk → bus crossings:

- Counter snapshot for software reads: cop\_clk is resampled through two flops in the bus domain. A derived cop\_clk\_posedge pulse captures cop\_counter into cop\_capture for coherent, software-visible readback via read\_regs.
- Early IRQ generation: A threshold compare and two-stage pipeline run in the bus domain using the live counter value from cop\_clk. Pipelining plus coarse thresholds mitigate transient hazards, but software should prefer the synchronized cop\_capture for accurate reads.
- Reset/event signaling: cop\_rst\_o is generated in cop\_clk and treated as an asynchronous level that sets a sticky bus-domain event latch (cop\_event). The latch is cleared synchronously by reload\_count or clear\_event.

Reset and test considerations:

- POR (active-low) resets cop\_rst\_o, reload\_2, and cop\_event to establish safe startup and force an initial counter load.
- async\_rst\_b (active-low) resets bus-domain flops and initializes the counter to all 1s; wb\_rst\_i (synchronous) clears bus-domain state. The wait-state FSM uses ARST\_LVL for async behavior as appropriate.

CDC safety notes:

- Handshake semantics guarantee that reload requests are not lost and multi-bit data is sampled only when stable.
- Level controls crossing to cop\_clk are treated as quasi-static and constrained to change only when safe (e.g., COP disabled), reducing metastability risk.
- In test mode, tying cop\_clk to wb\_clk\_i collapses all crossings to single-domain behavior; handshake logic remains benign.

## OPERATION

### -- Reset and Initialization --

- Reset sources and domains: an internal active-low async reset (async\_rst\_b) is derived from (rst\_i ^ ARST\_LVL) to support either external polarity; a synchronous bus reset (wb\_rst\_i) is used for bus-facing logic; a dedicated active-low power-on reset (por\_reset\_i) is used in the counter/event domain.
- Domains: bus domain runs on wb\_clk\_i with resets async\_rst\_b and wb\_rst\_i; counter domain runs on cop\_clk with resets por\_reset\_i and async\_rst\_b. In scan/test (scantestmode=1), cop\_clk=wb\_clk\_i; partitioning/behavior unchanged.
- Bus/Wishbone interface: on async\_rst\_b or wb\_rst\_i, the wait/ACK FSM is cleared to idle (bus\_wait\_state=0); ACKs only occur on valid cycles post-reset; no write strobes are retained across reset.
- Register defaults (on async\_rst\_b or wb\_rst\_i): timeout\_value=all 1s; cop\_irq\_en=00; debug\_ena=0; stop\_ena=0; wait\_ena=0; cop\_ena=INIT\_ENA; cwp=0; clck=0; service\_cop=0; reload\_count=0; clear\_event=0.
- Counter and outputs: por\_reset\_i clears cop\_rst\_o and cop\_event, and asynchronously forces reload\_2=1 to guarantee an initial load of timeout\_value on POR release; async\_rst\_b resets the counter value to all 1s and clears bus-domain flops (resynchronizers, capture, reload\_1, IRQ pipeline); wb\_rst\_i clears bus-domain flops/capture without requesting a reload; bus resets do not clear cop\_event.
- Initialization load and reload handshake: upon POR release, reload\_2=1 causes the counter to load timeout\_value; in the bus domain, reload\_1 asserts when cop\_ena=0 or a valid service occurs, remains level-sticky until observed (reload\_2), and is cleared by async\_rst\_b or wb\_rst\_i; reload\_2 is async-cleared to 1 by POR.
- Outputs and event: cop\_rst\_o is deasserted by POR and any reload; it asserts when the counter reaches 0 and remains asserted until a reload or POR; cop\_event latches high when cop\_rst\_o asserts and remains set until cleared by a service or clear\_event pulse.
- Capture: cop\_capture resets to all 1s in the bus domain and updates on the next detected cop\_clk edge.
- Polarity and CDC: async resets inside submodules are active-low; ARST\_LVL selects external reset polarity; reload\_1/reload\_2 form a CDC handshake between wb\_clk\_i and cop\_clk ensuring safe initialization and reload across domains.

### -- Configuration and Locking Flow --

#### Overview

- Configuration occurs in the bus clock domain through cop\_wb\_bus into cop\_regs. cop\_regs enforces all write gating and the two-stage locking that controls whether cop\_ena and certain mode fields may change.

#### Reset defaults

- On reset: timeout\_value = all 1s; cop\_irq\_en = 00; debug\_ena = 0; stop\_ena = 0; wait\_ena = 0; cop\_ena = INIT\_ENA; cwp = 0; clck = 0.
- clck is not retained across reset (clears to 0). Both lock bits must be re-established after any reset.

#### Write acceptance and width

- Writes are accepted only when wb\_wacc qualifies them: SINGLE\_CYCLE mode accepts writes in the same cycle; two-cycle mode accepts writes on the ACK cycle. Masters must honor the handshake to avoid missed writes.
- Only 40 of 48 read\_regs bits are writable; the topmost byte is read-only.
- For DWIDTH==8, the 8-bit payload is internally duplicated to 16 bits for uniform decode. Byte-specific timeout writes are supported on 8-bit buses.

#### Address map for configuration writes

- DWIDTH==8:
  - Control register: adr 000.
  - Event clear: adr 001.
  - Timeout low byte: adr 010.
  - Timeout high byte: adr 011.
  - Service (two-key): adr 100.
- DWIDTH==16:
  - Control + clear (clear\_event at bit [8]): adr 000.
  - Timeout full width: adr 001.
  - Service (two-key): adr 010.

#### Enable and mode write rules

- cop\_ena (enable) can be written only when cwp==0. If cwp==1, any attempt to change cop\_ena is ignored.

- Mode bits (debug\_ena, stop\_ena, wait\_ena) and timeout\_value can only change while the COP is disabled (`cop_ena==0`), or when the same control write drives `cop_ena` from 1 to 0 in that transaction (atomic disable+update). This prevents enabling while simultaneously relaxing pause behavior.
- `cop_irq_en` follows normal write acceptance; it is not additionally gated by `cwp/clck` and does not require COP to be disabled.

#### Timeout programming

- Any write to `timeout_value` (full width or byte slices) is ignored while `cop_ena==1`. Disable the COP first or perform an atomic disable+update write as described above.

#### Service (reload) operation

- The counter reload is issued via a two-write key sequence to the Service address: first write `SERV_WD_0` to arm, then immediately write `SERV_WD_1` to generate a one-cycle `reload_count` pulse.
- Service/reload is not gated by `cwp` or `clck` and remains functional regardless of lock state.

#### Two-stage locking flow

- Stage 1: `cwp` (config write-protect)
  - Function: when `cwp==1`, `cop_ena` becomes immutable (cannot be changed).
  - Constraint: `cwp` can only be modified while `clck==0`.
- Stage 2: `clck` (config lock)
  - Write-once: `clck <= clck OR write_data[0]`; once set to 1, it cannot be cleared except by reset.
  - Effect: when `clck==1`, `cwp` is frozen and cannot change.

#### Practical implications of locking

- With `clck==1`, you cannot change `cwp` until reset.
- With `cwp==1`, you cannot change `cop_ena`. If the COP is enabled in this state, you cannot disable it, which indirectly prevents changes to mode bits and `timeout_value` (because those require the COP to be disabled). `cop_irq_en` remains configurable.
- Service remains available under all lock states.

#### Recommended configuration and lock sequence

- If `INIT_ENA==1` and reconfiguration is needed, first disable the COP (while `cwp==0`).
- Program `timeout_value` (full width or byte-wise per DWIDTH).
- Set `debug_ena`, `stop_ena`, `wait_ena` as desired.
- Configure `cop_irq_en` as required.
- Enable the COP by writing `cop_ena=1` (only possible if `cwp==0`).
- Optional: Set `cwp=1` to freeze `cop_ena`.
- Optional: Set `clck=1` to permanently freeze `cwp` (and thereby the enable state) until reset.
- Periodically service using the two-key sequence.

#### Side effects and CDC

- Disabling `cop_ena` or issuing a service request generates a reload request into the counter clock domain via the reload handshake; a reload clears `cop_rst_o` and loads `timeout_value`.
- The sticky event latch (`cop_event`) clears on reload or on an explicit `clear_event` write (DWIDTH-dependent addressing).

#### Notes and caveats

- Lock bits reset to 0; reassess and reapply locks after any reset.
- Writes in two-cycle mode take effect on ACK; ensure masters do not issue back-to-back writes without respecting the handshake.
- Configuration writes target only decoded writable bits; the read-only top byte is unaffected.

### -- Service (Reload) Sequence --

Servicing (reloading) the watchdog is performed via a protected two-key write sequence to the Service register decoded as `write_regs == 5'b10000`. A write is only considered accepted when the Wishbone slave asserts ACK; in registered (two-cycle) mode the effective write occurs on the ACK cycle.

- Sequence: (1) The first accepted write with data == SERV\_WD\_0 sets the step-latch (`service_cop = 1`); no reload occurs yet. (2) A subsequent accepted write to the same Service register with data == SERV\_WD\_1 while `service_cop == 1` generates `reload_count` (a one bus\_clk cycle pulse) and clears `service_cop`.
- Abort conditions: any accepted write to the Service register whose data is not SERV\_WD\_0 clears `service_cop` and aborts the sequence; intervening writes to other addresses do not affect `service_cop`. The second key does not need to be in the immediately following cycle; `service_cop` is only updated on Service register writes.
- Bus width behavior: DWIDTH == 8 duplicates the 8-bit payload internally ({byte, byte}); therefore SERV\_WD\_\* constants must be repeated-byte values and software must write the specified 8-bit keys. DWIDTH == 16 requires writing the full 16-bit SERV\_WD\_\* constants.
- Address decode: the Service register is selected when `write_regs == 5'b10000`; for DWIDTH == 8 this is the address slot `adr=100`, for DWIDTH == 16 it is `adr=010`.
- Effects of a successful service (`reload_count = 1`): `reload_1` asserts in the bus clock domain and, via CDC synchronization, `reload_2` asserts in the watchdog (`cop_clk`) domain to synchronously load the counter from `timeout_value`, clear the watchdog reset output (`cop_rst_o`), and clear the sticky event latch (`cop_event`) via `event_reset = reload_count || clear_event`.
- CDC handshake: `reload_1` is level-sticky until observed in `cop_clk` and auto-clears after `reload_2` is seen.
- Additional reload sources: disabling the watchdog (`cop_ena = 0`) asserts a reload via the same handshake path; on power-on reset, `reload_2` is forced high to guarantee an initial load.
- Constraints and recommendations: `timeout_value` may only be changed while the watchdog is disabled; service reload always loads the current `timeout_value`. Pause modes (debug/wait/stop when enabled) halt decrementing but do not block a reload; a service will load the counter and deassert `cop_rst_o` even if the counter was at 0 while paused. Perform the two-key writes as two distinct, acknowledged Wishbone transactions. Writing SERV\_WD\_1 without a valid prior SERV\_WD\_0 produces no reload. The Service register resides in the writable 5-byte region (byte [39:32]); unrelated read-only space does not affect service.
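The write-gating rules from the Configuration and Locking Flow section and the two-key rule above, as a C model of cop\_regs on the 8-bit bus driven through the recommended lock sequence. This is an added example, not the core's RTL or a project driver: the key values 0x55/0xAA are constructed placeholders for SERV\_WD\_0/SERV\_WD\_1, all function names are hypothetical, and the model assumes that a disable blocked by `cwp` does not open the mode bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* CTRL bit layout and 8-bit address map as listed on this page
   (bit 0 is the lock bit the page writes as both clk and clck). */
enum { CLCK = 1 << 0, CWP = 1 << 1, COP_ENA = 1 << 2, WAIT_ENA = 1 << 3,
       STOP_ENA = 1 << 4, DEBUG_ENA = 1 << 5, IRQ_EN = 3 << 6,
       MODE_BITS = WAIT_ENA | STOP_ENA | DEBUG_ENA };
enum { ADR_CTRL, ADR_EVT_CLR, ADR_TIMEOUT_LO, ADR_TIMEOUT_HI, ADR_SERVICE };

/* Constructed placeholders: the page gives no values for the service keys. */
#define SERV_WD_0 0x55u
#define SERV_WD_1 0xAAu

typedef struct {
    uint8_t  ctrl;           /* cop_irq_en, mode bits, cop_ena, cwp, clck */
    uint16_t timeout_value;
    bool     service_cop;    /* set by the first key, consumed by the second */
    bool     cop_event;      /* sticky expiry latch */
    unsigned reload_pulses;  /* reload_count pulses generated so far */
} cop_regs;

/* Reset defaults from the page; init_ena stands in for INIT_ENA. */
void cop_reset(cop_regs *r, bool init_ena) {
    *r = (cop_regs){ .ctrl = init_ena ? COP_ENA : 0, .timeout_value = 0xFFFF };
}

static void write_ctrl(cop_regs *r, uint8_t d) {
    unsigned old = r->ctrl;
    unsigned next = d & IRQ_EN;                    /* cop_irq_en: never gated */
    next |= (old | d) & CLCK;                      /* sticky, set-only */
    next |= ((old & CLCK) ? old : d) & CWP;        /* frozen once clck is set */
    next |= ((old & CWP) ? old : d) & COP_ENA;     /* frozen once cwp is set */
    /* Mode bits follow the write only if the COP is disabled or this write
       really disables it (assumption: a disable blocked by cwp does not count). */
    bool open = !(old & COP_ENA) || !(next & COP_ENA);
    next |= (open ? d : old) & MODE_BITS;
    r->ctrl = (uint8_t)next;
}

/* One accepted 8-bit Wishbone write (wb_wacc true) to address adr. */
void cop_write(cop_regs *r, unsigned adr, uint8_t d) {
    bool enabled = r->ctrl & COP_ENA;
    if (adr == ADR_CTRL) {
        write_ctrl(r, d);
    } else if (adr == ADR_EVT_CLR) {
        if (d & 1) r->cop_event = false;           /* write-1 pulse */
    } else if (adr == ADR_TIMEOUT_LO && !enabled) {
        r->timeout_value = (uint16_t)((r->timeout_value & 0xFF00u) | d);
    } else if (adr == ADR_TIMEOUT_HI && !enabled) {
        r->timeout_value = (uint16_t)((r->timeout_value & 0x00FFu) | ((unsigned)d << 8));
    } else if (adr == ADR_SERVICE) {
        if (r->service_cop && d == SERV_WD_1) {    /* second key while armed */
            r->reload_pulses++;
            r->cop_event = false;                  /* reload clears the event */
        }
        r->service_cop = (d == SERV_WD_0);         /* anything else disarms */
    }                                              /* adr 101: no write strobe */
}

/* The recommended configuration and lock sequence, one step per write. */
void cop_lockdown(cop_regs *r, uint16_t timeout, uint8_t modes, uint8_t irq_sel) {
    uint8_t cfg = (uint8_t)(((irq_sel & 3u) << 6) | (modes & MODE_BITS));
    cop_write(r, ADR_CTRL, 0);                           /* disable while cwp==0 */
    cop_write(r, ADR_TIMEOUT_LO, (uint8_t)(timeout & 0xFF));
    cop_write(r, ADR_TIMEOUT_HI, (uint8_t)(timeout >> 8));
    cop_write(r, ADR_CTRL, cfg);                         /* modes and IRQ select */
    cop_write(r, ADR_CTRL, cfg | COP_ENA);               /* enable */
    cop_write(r, ADR_CTRL, cfg | COP_ENA | CWP);         /* freeze cop_ena */
    cop_write(r, ADR_CTRL, cfg | COP_ENA | CWP | CLCK);  /* freeze cwp */
}

/* Two-key service; returns true if exactly one reload pulse was produced. */
bool cop_service(cop_regs *r) {
    unsigned before = r->reload_pulses;
    cop_write(r, ADR_SERVICE, SERV_WD_0);
    cop_write(r, ADR_SERVICE, SERV_WD_1);
    return r->reload_pulses == before + 1;
}

int main(void) {
    cop_regs r;
    cop_reset(&r, true);
    cop_lockdown(&r, 0x1234, STOP_ENA, 1);
    uint8_t locked = r.ctrl;
    cop_write(&r, ADR_CTRL, 0x00);         /* later write tries to disable/unlock */
    cop_write(&r, ADR_TIMEOUT_LO, 0xFF);   /* later write tries to change timeout */
    printf("ctrl %02x -> %02x, timeout %04x, service ok: %d\n",
           locked, r.ctrl, r.timeout_value, cop_service(&r));
    return 0;
}
```

After lock-down only `cop_irq_en` still follows CTRL writes, so a check of the locked configuration should compare the enable, lock and mode bits rather than the whole CTRL byte.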

### -- Countdown and Pause Modes --

The watchdog is a COUNT\_SIZE-wide down-counter (`cop_counter`) clocked by `cop_clk`. On power-on reset (POR) or on any reload request, `cop_counter` loads `timeout_value` and `cop_rst_o` is cleared. When COP is enabled (`cop_ena=1`) and not paused, `cop_counter` decrements by one each `cop_clk` tick; when it reaches zero, `cop_rst_o` asserts and remains asserted until a reload occurs. Early-warning interrupts are generated as the live counter value crosses programmable thresholds (`cop_irq_en=01/10/11` for $\leq 16/\leq 32/\leq 64$; 00 disables) and are not masked by pause. Pause behavior is controlled by three modes (debug, wait, and stop) with the gating function: `stop_counter = (debug_mode_i & debug_ena) | (wait_mode_i & wait_ena) | (stop_mode_i & stop_ena)`. When `stop_counter` is true, decrementing halts and `cop_counter` holds its current value; the clock is not gated. If held at zero, `cop_rst_o` remains asserted until a reload. The bus-domain capture of `cop_counter` remains constant while paused. Mode enable bits (debug\_ena/wait\_ena/stop\_ena) can only be changed when `cop_ena==0` or in a write that disables COP, and lock bits (cwp/clck) enforce protection. Disabling COP also requests a reload; after reload, counting resumes on the next `cop_clk` tick if not paused.
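The reload handshake from the Clock Domain Crossing section combined with the countdown and pause rules above, as a tick-level C simulation; this is an added example, not the core's RTL. It assumes one `cop_clk` edge per four `wb_clk_i` ticks (`COP_DIV`), a counter that holds at zero after expiry, and no synchronizer or IRQ pipeline stages; all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define COP_DIV 4   /* assumed ratio: one cop_clk edge per 4 wb_clk_i ticks */

typedef struct {
    bool     cop_ena;
    uint16_t timeout_value;
    bool     reload_1;      /* bus domain: sticky reload request */
    bool     reload_2;      /* cop_clk domain: sample of reload_1 */
    uint16_t cop_counter;
    bool     cop_rst_o;
    unsigned tick;          /* wb_clk_i ticks since POR */
} cop_sim;

/* State after POR: reload_2 is preset to force the initial load. */
void sim_por(cop_sim *s, uint16_t timeout, bool ena) {
    *s = (cop_sim){ .cop_ena = ena, .timeout_value = timeout, .reload_2 = true,
                    .cop_counter = 0xFFFF };
}

/* Pause gating exactly as given on the page. */
bool stop_counter(bool debug_mode_i, bool debug_ena, bool wait_mode_i,
                  bool wait_ena, bool stop_mode_i, bool stop_ena) {
    return (debug_mode_i && debug_ena) || (wait_mode_i && wait_ena) ||
           (stop_mode_i && stop_ena);
}

/* One wb_clk_i tick; every flop samples the values from before the edge. */
void sim_tick(cop_sim *s, bool reload_count, bool paused) {
    bool r1 = s->reload_1, r2 = s->reload_2;
    s->reload_1 = reload_count || !s->cop_ena || (r1 && !r2);
    if (++s->tick % COP_DIV != 0)
        return;                          /* no cop_clk edge on this tick */
    s->reload_2 = r1;
    if (r2) {                            /* reload has priority */
        s->cop_counter = s->timeout_value;
        s->cop_rst_o = false;
    } else if (s->cop_counter == 0) {
        s->cop_rst_o = true;             /* expiry holds, also while paused */
    } else if (!paused) {
        s->cop_counter--;
    }
}

void sim_run(cop_sim *s, unsigned ticks, bool paused) {
    while (ticks--)
        sim_tick(s, false, paused);
}

/* One-cycle reload_count pulse, as produced by a valid two-key service. */
void sim_service(cop_sim *s, bool paused) {
    sim_tick(s, true, paused);
}

/* Early-warning compare: cop_irq_en 01/10/11 selects <=16/<=32/<=64. */
bool early_irq(const cop_sim *s, unsigned cop_irq_en) {
    return cop_irq_en != 0 && s->cop_counter <= (8u << cop_irq_en);
}

int main(void) {
    cop_sim s;
    sim_por(&s, 20, true);
    sim_run(&s, 20, false);
    printf("count=%u early_irq(<=16)=%d\n", (unsigned)s.cop_counter, early_irq(&s, 1));
    sim_service(&s, false);              /* serviced in time */
    sim_run(&s, 7, false);
    printf("after service: count=%u rst=%d\n", (unsigned)s.cop_counter, s.cop_rst_o);
    sim_run(&s, 84, false);              /* no further service */
    printf("missed service: count=%u rst=%d\n", (unsigned)s.cop_counter, s.cop_rst_o);
    return 0;
}
```

In this model a service pulse needs up to two `cop_clk` edges to reach the counter, so the software service period has to leave that margin before the programmed timeout runs out.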

## REGISTERS

## **CORE CONFIGURATION**

### **CLOCKS**