• Definition: lock-up events / denominator
• Denominator options: per 1k transactions · per hour · per boot
• Window: rolling W minutes (e.g., 10/60/1440) + aggregation by build version
• Pass criteria: < X / 1k (placeholder)

• Definition: accepted recoveries / recovery attempts
• Accepted recovery: traffic resumes and post-check passes (health probe / sanity read / loopback)
• Bucket by: recovery level (soft-unwedge → block reset → domain reset → isolate/bypass)
• Pass criteria: > Y% (placeholder)

• Start timestamp: first detection trigger (timeout / stuck-line / watchdog pre-timeout)
• Stop timestamp: recovery verification pass (not merely “bus active”)
• Report: median + p95 (tail behavior matters for field stability)
• Pass criteria: < Z ms (placeholder)

• Goal: no partial commit across lock-up/recovery boundaries
• Hook: idempotent transactions / journaled writes / write-protect on brown-out
• Evidence: commit markers + recovery replay logs + error injection results
• Pass criteria: “no partial writes” under fault injection (placeholder)

State-machine stalls, FIFO/DMA starvation, missed IRQs, clock/reset domain races, or bus logic stuck in BUSY/WAIT.

Enable/UVLO behaviors, direction-control mistakes (especially with open-drain), delay skew, or failure-domain coupling across segments.

Intermittent contact, common-mode rise with long returns, hot-plug transients, and ESD/surge aftermath that shifts thresholds.

Busy cycles, incomplete resets, brown-out “half-alive” states, or internal write/commit phases that stop responding.

Brown-out and ghost-powering create “logic anomalies”: lines driven unexpectedly, pins clamped, or reset not fully asserted.

• SLO definitions and measurement windows (what “good” means).
• Lock-up taxonomy + minimal evidence points (fast classification).
• Detection hooks, recovery escalation logic, watchdog layering, and redundancy/bypass concepts.
• Verification acceptance rules and production/field logging requirements.

• I²C rise-time/pull-up math and mode-specific timing tables.
• SPI CPOL/CPHA mode-by-mode sampling window derivations.
• UART baud-error budgeting derivations and clock-selection deep dive.
• Full EMC/edge-control theory and topology planning deep detail.

• Trigger: no forward progress beyond a timeout window.
• Boundary: from first detection to entering the recovery state machine.
• De-dup rule: repeated triggers inside one continuous stall are merged into a single event (same bus + same class + same window).

• Unit: one execution of a recovery level (soft → block reset → domain reset → isolate/bypass).
• Must record: level, step-id, and per-step duration.
• Purpose: measures escalation pressure and pinpoints the first effective step.

• Definition: traffic resumes and a post-recovery health check passes.
• MTTR stop: the verification pass timestamp, not “first activity”.
• Reason: avoids counting fragile recoveries as “success”.

• Per 1k transactions: best when load varies widely (throughput changes).
• Per hour: best for steady-duty systems (trend and alarms).
• Per boot: best when boot/enum phases dominate risk.

• Rolling window: W minutes for real-time detection and regression (e.g., 10/60).
• Aggregate window: 24h/7d for build-to-build comparisons.
• Rule: all dashboards must show the denominator and window explicitly.

bus-id · segment-id · role · endpoint (addr/device/port) · speed/mode

line snapshot (level/hold/edge) · controller state (BUSY/FIFO/DMA/IRQ) · error code

reset cause (WDT/BOR/POR) · power flags · last-success token

recovery step/level · result · duration (step + total) · verification outcome

• Recovery success rate by bucket (endpoint/speed/temp/version).
• MTTR distribution (median + p95 tail).
• Average recovery level (soft vs reset vs isolate share).
• Retry anomaly ratio (excess retries over threshold X).
• Recurrence rate within rolling window (same bucket repeats).

The health score is a triage tool: it highlights the worst buckets to prioritize fixes, verification, and production gating.

One command/transfer fails to complete. Best default detector, but must tolerate legitimate slow endpoints.

Wait-for-response exceeds a bound. Useful when endpoints have known response envelopes and busy phases.

Detects “busy forever”. Requires progress evidence to avoid false alarms under heavy traffic.

High-throughput detector: distinguishes electrical errors from starvation artifacts using underrun/latency counters.

• Detect: held-low duration, release failures, edge disappearance.
• Evidence: SDA/SCL low > T, edge counter stalled.
• Guard: slow edges are not lock-up if progress is present.

• Detect: activity disappearance, burst error patterns, framing error runs.
• Evidence: missing toggles, repeated framing/parity bursts, persistent abnormal idle.
• Guard: avoid turning EMI noise into false “stalls” without progress checks.

• Goal: stop new transactions to prevent damage amplification and queue churn.
• Evidence: queue depth, last-success token, active endpoint identifiers.
• Pass: isolation mode entered; critical writes are blocked during recovery.

• Goal: capture minimal evidence to classify the stall and compare across versions.
• Evidence: line snapshot, controller state, counters, and reset-cause flags (if present).
• Pass: schema-complete snapshot persisted to ring buffer or stable storage.

• Goal: recover with minimal intrusion and without losing broader system context.
• Evidence: progress counters resume, error bursts stop, bus transitions return.
• Pass: health check passes within T; else escalate.

• Goal: clear stuck state machines and “half-alive” peripherals deterministically.
• Evidence: record reset level (controller / peripheral / domain), and reset-cause attribution.
• Pass: reset completes cleanly; proceed to re-init. Repeated resets indicate the need for isolation/bypass.

• Goal: restore stable operation, not just “first activity”.
• Evidence: re-enumeration (if applicable), baseline transfer, and verification checks.
• Pass: VERIFY gate meets thresholds (error rate < X, no re-stall for Y).

Repeat execution must not amplify damage. Design writes so retries are safe or detectable.

Either commit fully or remain at the previous state. Partial commits must be prevented or recoverable.

When the state machine enters SUSPECT/RECOVER, block critical writes until VERIFY gates pass.

Window watchdog prevents “feed loops” by requiring feeds to occur within a valid timing window.

• critical task ticks advanced (scheduler progress)
• event queues not saturated (no persistent backlog)
• latency budget not exceeded for T window

• transaction completion counter increments
• heartbeat probe passes (isolated queue)
• error burst stays under threshold X

If progress exists, treat the system as slow-not-dead. Avoid hard resets driven only by slow endpoints or bursty traffic.

Timeout = T_queue(worst) + T_transfer(worst) + T_peer(worst) + T_verify(worst) + T_margin

• T_queue: RTOS scheduling, DMA service latency, lock contention, queue backlog.
• T_transfer: worst-case payload and framing overhead at the selected bus speed.
• T_peer: endpoint busy time and response delay (device internal work), plus jitter.
• T_verify: health checks required to accept completion and resume safely.
• T_margin: safety headroom for drift, temperature, and bursty contention.

Use for first-line detection. Response is soft retry with rate limiting.

When progress counters stop, upgrade to re-init or soft-unwedge.

Reserved for hard failures. Response is recovery ladder escalation (reset or isolate).

Prefer exponential or capped backoff to prevent retry storms during bursts, noise, or shared-bus contention.

• max retries: N
• max retry time: T_total
• rate limit: R retries per window

Escalate from soft retry → re-init → recovery ladder when caps are exceeded or risk gates are raised.

Protects against wiring, connector, transceiver, and segment faults by maintaining an alternate physical path.

Protects against controller hang and software deadlocks by transferring ownership under controlled gating.

Keeps core service available by reducing speed, write rate, or optional features when health degrades.

Routes around bad endpoints or segments using a selector, mux, or bridge for containment and continued operation.

Use sequence IDs or tokens to de-duplicate retries and switchovers across A/B paths.

Ensure writes either commit fully or remain unchanged; switching during critical writes must be gated.

Block critical writes until the selected path passes VERIFY gates and the hold window is satisfied.

Controller/software faults must not take down all endpoints; recovery control must remain alive.

Switch/mux elements must support safe disconnect/reconnect and report their selected state.

Long traces/cables and connectors are frequent fault sources; segment isolation prevents “one bad branch kills all”.

Misbehaving peripherals must be quarantinable; critical resets and straps must be reachable for forced recovery.

Prevent external faults (cable, ground shift, ESD aftermath) from propagating into the host domain.

Isolation/extension latency must be included in timeout budgets and verified under worst-case conditions.

Enable status and fault flags must be loggable to reconstruct isolation state during recovery.

• controller reset
• endpoint reset / boot strap
• mux/switch enable (disconnect/reconnect)
• domain power gate (off → on)

Each control point must be reachable via test pads, GPIO, or debug interfaces, and must produce an action receipt in logs.

Gate bus enable using power-good/reset-cause; avoid half-reset domains joining the bus.

Check that lines are not clamped before enabling traffic; isolate suspicious domains early.

Run lightweight loopback/BIST and health probes; only then lift write gates.

Use re-enumeration + re-initialization + VERIFY gates as a mandatory post hot-plug recovery sequence.