123 Main Street, New York, NY 10001

Submit Your BOM

Reset Cause & Event Logger

Reset Cause & Event Logger

← Back to: Supervisors & Reset

What This Page Solves

We solve the full loop from symptom to root cause with a practical, small-batch-friendly reset logger: standardize reset semantics across brands (BOR/POR/WDT/EXT/SOFT/THERM/PG_FAIL/LOCKUP), tag each event with either a reliable timestamp or a monotonic seq_id plus Δt ticks, and guarantee “write-before-collapse” so the last event survives brownouts. This removes “intermittent reboot” guesswork, eliminates cause ambiguity (single flag vs concurrent bits), controls duplicate entries from button bounce or slow ramps with a programmable coalescing window, and enables consistent factory checklists (commit success rate ≥99% at rated load/holdup), field diagnosis (minimal export in time/seq order), and RMA analytics (CSV/JSON parity with the on-device schema), while budgeting NVM wear with log-structured writes (FRAM preferred; small-page EEPROM acceptable with double-buffer commit flags). We also map PG/FAULT to IRQ latency targets and define BOM notes so cross-brand migrations don’t break your diagnostic toolchain.

From Pain to Closed Loop: Tag → Commit → Export Cards for pain points and a loop showing Tag→Commit→Export feeding Factory, Field, and RMA swimlanes with holdup and NVM notes. Intermittent reboots no sequence, hard to reproduce Unclear causes single flag, no concurrency Last event lost collapse before commit Duplicates & chatter button/slow-ramp bounce Tag → Commit → Export cause_bits + timestamp/seq + CRC · holdup ≥ t_commit Factory ≥99% commit @ load wear budgeted Field human-readable order coalesced RMA CSV/JSON parity schema_ver

Reset Causes: Taxonomy & Semantics

Use a versioned bitmap/enum so concurrent sources are preserved and summarized predictably: BIT0 POR, BIT1 BOR, BIT2 WDT, BIT3 EXT, BIT4 SOFT, BIT5 THERM, BIT6 PG_FAIL, BIT7 LOCKUP, BIT8..11 rail-specific, BIT12..14 vendor-mapped, BIT15 custom. Define a short concurrency window (e.g., 10–20 ms) that sets all arriving bits in one event while the summary view orders priority as LOCKUP > THERM > BOR > PG_FAIL > WDT > EXT > SOFT > POR. Specify exposure semantics per device family (pins: OD/PP, polarity, built-in debounce; registers: latch/clear on read or write-1-to-clear, sticky across VBAT domains) and guard against false positives on power ramps. Pair timestamps with a monotonic seq_id so logs remain comparable when RTC is absent or backup power is depleted. Ensure SOFT never masks higher-priority hardware causes, and treat PG_FAIL→BOR sequences as one event with both bits set while preserving arrival order using Δt or subseq. Keep schema_ver in exports so field tools stay stable as brands and PMICs change.

Unified Bitmap, Concurrency Window, and Exposure Semantics Bitmap table for bits 0–7 with notes for 8–15; a dashed time window for concurrency; pin vs register exposure cards with debounce and clear rules. Cause bitmap (BIT → meaning) BIT0 POR — power-on reset BIT1 BOR — brown-out reset BIT2 WDT — watchdog timeout BIT3 EXT — external reset BIT4 SOFT — software request BIT5 THERM — thermal trip BIT6 PG_FAIL — power-good lost BIT7 LOCKUP — CPU hard fault BIT8..11 rail-specific · BIT12..14 vendor-mapped · BIT15 custom Concurrency window t→t+20 ms: set all arriving bits in one event Priority (summary) LOCKUP > THERM > BOR > PG_FAIL > WDT > EXT > SOFT > POR Exposure Pins: OD/PP, polarity, debounce · sticky across VBAT? Registers: latch/clear rules · read-clear / W1C

Event Record Schema (Logger Minimal Set)

Use a fixed, small event frame that survives brownouts and remains parsable across brands: schema_ver for compatibility; cause_bits (BOR/POR/WDT/EXT/SOFT/THERM/PG_FAIL/LOCKUP with concurrency window) as the primary meaning; seq_id as the monotonic anchor; ts holding absolute time or Δt ticks with ts_src to declare provenance; vbat_min to capture the lowest rail during the event; pf_flag for power-fail/fast-path markers; a compact aux nibble/byte for rail_id or zone; and crc8/16 to validate integrity; write with a pre-mark header on PG_FAIL IRQ, then finalize via double-buffer + commit_flag in a log-structured region so incomplete frames are skipped on read; target 16–20 B/frame (≤24 B with digest), little-endian fields, JSON/CSV export mirroring the exact on-device names.

Minimal event frame and holdup-safe commit flow Fields: schema_ver, cause_bits, seq_id, ts, ts_src, vbat_min, pf_flag, aux, crc; timing: pre-mark → fill → commit. Event frame (16–20 B) schema_ver · cause_bits · seq_id ts · ts_src · vbat_min pf_flag · aux · crc8/16 Little-endian · export keeps exact field names Write-before-collapse PG_FAIL → IRQpre-mark: cause_bits · seq_id · ts_src Fill fieldsts/vbat_min/pf_flag/aux + crc Commitdouble-buffer + commit_flag Holdup ≥ t_commit · skip bad/partial frames

Timebase & Monotonic Counters

Prefer absolute RTC when backup power exists; otherwise record Δt ticks and always anchor ordering with a monotonic seq_id that never rolls back; declare provenance via ts_src; when RTC is absent or uncertain, set ts to Δt since last event and expose optional boot_count; coalesce near-simultaneous causes with a small concurrency window; note RTC ppm over temperature for export-time calibration; UI sorts by seq_id, showing Δt/RTC side by side.

RTC timestamp vs Δt ticks vs seq-only Three paths (RTC / Δt / seq-only) all ordered by seq_id; helpers: boot_count, concurrency window. RTC path ts = absolute time ts_src = RTC Δt ticks ts = Δt since last unit e.g. 10 ms · ts_src = TICK Seq-only ts = 0 ts_src = NONE Monotonic ordering seq_id: … 00041 → 00042 → 00043 …UI sorts by seq_id; show Δt/RTC alongside boot_count (optional)segment long logs Concurrency windowcoalesce within 10–20 ms

Write-Before-Collapse: How to Not Lose the Last Event

Guarantee the last reset event is safely stored between PG_FAIL and rail collapse by using a priority write path and holdup budgeting: enter an ISR/NMI within tens of microseconds, pre-mark a minimal frame {cause_bits, seq_id, ts_src}, then fill ts/vbat_min/pf_flag/aux and commit via double-buffer+commit_flag; size holdup with C·ΔV/I (or energy ½·C·(V_hi²−V_min²)/P) so t_commit ≥ t_ISR+t_pre+t_prog+margin; prefer FRAM for µs-class writes, or align EEPROM page writes and reserve a P0 slot for ultra-short commits; use a log-structured region with block rotation for wear, CRC8/16 to reject torn frames, an optional digest8 for tamper hints, and enforce ≥99% commit success at rated load across −40~+85 °C with JSON/CSV fields mirroring on-device names for factory, field, and RMA tooling.

Write-Before-Collapse timeline and holdup budgeting Timeline PG_FAIL→ISR→pre-mark→fill→commit; right panel shows holdup estimates and media choices. PG_FAIL → Commit timeline ISR/NMI≤50–150 µs Pre-mark{cause,seq,src} Fillts/vbat/pf/aux+CRC Commitdouble buffer Holdup & media notes t_hold ≈ C·ΔV / I_load · E = ½·C·(V_hi²−V_min²) FRAMµs-class writes EEPROMpage-write · align P0 Targets≥99% commit · −40~+85 °C

Debounce, De-dup & Coalescing

Stabilize noisy edges and concurrent sources with one readable stream: debounce EXT and mechanical keys (10–30 ms) with long-press detect (≥1 s); apply enter/exit thresholds and hysteresis to PG/UV to prevent ping-pong on slow ramps; require minimum dwell for thermal trips (≥100 ms) and optional dT/dt gating; de-dup identical causes within a 50–100 ms suppression window by incrementing a repeat counter bound to the same frame; use a 10–20 ms concurrency window to merge multi-source arrivals into one event with multiple cause_bits while preserving order via Δt/subseq; prefer seq_id for ordering when ts_src≠RTC; verify with button-bounce injection, programmable-supply slow sweeps, and concurrent WDT+PG_FAIL tests across temperature so summary views retain low noise yet never hide lower-priority bits.

Debounce, suppression window, and concurrency coalescing Top: EXT debounce vs long-press; middle: PG hysteresis; bottom: concurrency window with repeat counter. EXT debounce & long-press Debounce 10–30 msfilter chatter Long-press ≥1 shard reset PG/UV window with hysteresis enter 9.5 V · exit 9.8 Vavoid ping-pong on slow ramps Concurrency window & repeat counter 10–20 ms window → one event, multiple bitsEXT×2 within 80 ms increments repeat

What This Page Solves

We solve the full loop from symptom to root cause with a practical, small-batch-friendly reset logger: standardize reset semantics across brands (BOR/POR/WDT/EXT/SOFT/THERM/PG_FAIL/LOCKUP), tag each event with either a reliable timestamp or a monotonic seq_id plus Δt ticks, and guarantee “write-before-collapse” so the last event survives brownouts. This removes “intermittent reboot” guesswork, eliminates cause ambiguity (single flag vs concurrent bits), controls duplicate entries from button bounce or slow ramps with a programmable coalescing window, and enables consistent factory checklists (commit success rate ≥99% at rated load/holdup), field diagnosis (minimal export in time/seq order), and RMA analytics (CSV/JSON parity with the on-device schema), while budgeting NVM wear with log-structured writes (FRAM preferred; small-page EEPROM acceptable with double-buffer commit flags). We also map PG/FAULT to IRQ latency targets and define BOM notes so cross-brand migrations don’t break your diagnostic toolchain.

From Pain to Closed Loop: Tag → Commit → Export Cards for pain points and a loop showing Tag→Commit→Export feeding Factory, Field, and RMA. Intermittent rebootsno sequence, hard to reproduce Unclear causessingle flag, no concurrency Last event lostcollapse before commit Duplicates & chatterbutton/slow-ramp bounce Tag → Commit → Export cause_bits + timestamp/seq + CRC · holdup ≥ t_commit Factory≥99% commit @ loadwear budgeted Fieldhuman-readable ordercoalesced RMACSV/JSON parityschema_ver

Reset Causes: Taxonomy & Semantics

Use a versioned bitmap/enum so concurrent sources are preserved and summarized predictably: BIT0 POR, BIT1 BOR, BIT2 WDT, BIT3 EXT, BIT4 SOFT, BIT5 THERM, BIT6 PG_FAIL, BIT7 LOCKUP, BIT8..11 rail-specific, BIT12..14 vendor-mapped, BIT15 custom. Define a short concurrency window (e.g., 10–20 ms) … keep schema_ver in exports so field tools stay stable as brands and PMICs change.

Unified Bitmap, Concurrency Window, and Exposure Semantics Bitmap table for bits 0–7 with notes for 8–15; dashed time window; pin vs register exposure cards. Cause bitmap (BIT → meaning) BIT0 POR — power-on reset BIT1 BOR — brown-out reset BIT2 WDT — watchdog timeout BIT3 EXT — external reset BIT4 SOFT — software request BIT5 THERM — thermal trip BIT6 PG_FAIL — power-good lost BIT7 LOCKUP — CPU hard fault BIT8..11 rail-specific · BIT12..14 vendor-mapped · BIT15 custom Concurrency window t→t+20 ms: set all arriving bits in one event Priority (summary) LOCKUP > THERM > BOR > PG_FAIL > WDT > EXT > SOFT > POR Exposure Pins: OD/PP, polarity,debounce · stickyacross VBAT? Registers: latch/clearrules · read-clear /W1C

Diagnostics Flow for Factory & Field

Build a repeatable loop from Factory bring-up → Prototype validation → Field swap/reset policy → RMA analysis using reset-event logs. In factory, snapshot cause_bits before clear and stamp a factory anchor (seq_id=0); inject EXT/PG edges to verify debounce, hysteresis, and same-second coalescing. In prototypes, combine WDT/THERM/PG_FAIL to measure P0→P1→commit coverage ≥99% and capture vbat_min/bus-error rates. In the field, prefer SOFT reset for minor faults, escalate to limited-current/derate after ≥3 repeats, and always export the log before replacing Supervisors/PMIC/RTC. For RMA, sort by seq_id, align Δt/RTC, bucket same-second arrivals, and triage root causes (threshold drift, pre-thermal signatures by dT/dt, slow supply ramps). Recommended parts: TI TPS3850-Q1, TPS3890-Q1, BQ32002; ST STWD100, STM706/708, M41T82; NXP FS6523/FS6500, PCF8523; Renesas ISL88014, RAA271000, ISL12022M; onsemi NCP301/NCP302, NCP308, (supply note) RV-3028-C7; Microchip MCP1316/18/19, MIC841/842, MCP79410; Melexis MLX81116/81113.

Diagnostics loop: Factory → Prototype → Field → RMA Four swimlanes with key checkpoints: snapshot cause bits, debounce/hysteresis test, P0→P1→commit coverage, field export-before-replace, RMA same-second bucketing and root-cause triage. Factory Prototype Field RMA Snapshot cause_bits Factory anchor seq_id=0 Debounce/Hysteresis EXT/PG slow ramps WDT/THERM/PG_FAIL P0→P1→commit ≥99% vbat_min & bus_error rate profiling SOFT → limit/derate ≥3 repeats escalate Export before replace Sup/PMIC/RTC swap Sort by seq_id RTC & Δt align Root-cause triage drift · dT/dt · slow ramps

Procurement Hooks (Small-Batch Ready)

Unify vendor semantics to accelerate small-batch swaps: map each PN to {vendor,family,part,aec_grade,cause_bitmap_reg,clear(W1C/RC),wdt_type,reset_out(type/pol/delay),pg_mask,i2c_addr,ts_capability}; annotate BOM lines with threshold/delay and ALT choices; keep at least two cross-brand alternates per function so 48-hour validation remains on schedule.

Tip: Swipe horizontally to view all columns. The page itself won’t scroll sideways.

Cross-brand mapping of supervisors/RTC/PMIC parts for small-batch readiness.
Vendor Part Number Why Chosen (Semantics & Field Fit) Alternates (Cross-brand)
TI TPS3850-Q1 (window WDT + reset) Windowed WDT resists mis-feeds; precise thresholds for slow ramps; OD/PP selectable reset eases mixed-voltage domains. ST STWD100 (basic WDT), ST STM706/708 (monitor)
TI TPS3890-Q1 (threshold monitor) Low Iq, accurate Vth, programmable delay; solid BOR/brown-out characterization on long bring-ups. onsemi NCP308, Renesas ISL88014
TI BQ32002 (RTC) Cost-effective absolute timestamps; simple I²C integration; keeps factory↔field alignment. NXP PCF8523, Microchip MCP79410
ST STWD100 (watchdog) Easy add-on WDT for prototypes; isolates MCU lockups with minimal firmware changes. TI TPS3850-Q1, Microchip MCP1316/1318/1319
ST STM706/708 (supervisor) Rich threshold/delay options; robust on brown-out and jittery rails. Renesas ISL88014, onsemi NCP301/NCP302
ST M41T82 (RTC) Main/backup switchover; stable timestamps for coalescing and RMA timelines. Renesas ISL12022M, TI BQ32002
NXP FS6523/FS6500 (automotive PMIC) Readable cause bitmap, W1C clear, PG aggregation; ideal for “register snapshot” integration. Renesas RAA271000, TI PMIC families*
NXP PCF8523 (RTC) Low power, widely available; good for small-batch builds across MCU ecosystems. Microchip MCP79410, TI BQ32002
Renesas ISL88014 (supervisor) High-accuracy threshold & hysteresis; excellent for slow ramp/decay and brown-out windows. TI TPS3890-Q1, onsemi NCP308
Renesas ISL12022M (RTC, temp-assist) Temperature-assisted accuracy keeps drift bounded without heavy BOM impact. ST M41T82, Microchip MCP79410
onsemi NCP301/NCP302 (supervisor) Fixed/adjustable thresholds; rugged drop-in for many boards and service swaps. TI TPS3890-Q1, Renesas ISL88014
onsemi NCP308 (adjustable monitor) Adjustable delay & polarity; clean PG/RESET behavior across mixed domains. TI TPS3890-Q1, ST STM706/708
Microchip MCP1316/1318/1319 (supervisors) Wide threshold coverage, automotive docs; friendly pricing/lead time for small-batch. onsemi NCP301, TI TPS3890-Q1
Microchip MIC841/842 (low-Iq monitors) Very low quiescent draw; ideal for battery-backed units keeping long local logs. onsemi NCP301, Renesas ISL88014
Microchip MCP79410 (RTC + NVM) RTC plus small NVM for event headers; simplifies same-second coalescing. NXP PCF8523, TI BQ32002
Melexis MLX81116 / MLX81113 (LIN nodes) On-node diagnostic flags via LIN; Δt timelines viable without a battery RTC in body-domain nodes. NXP UJA-series SBC* (if SBC path is chosen) 
BOM REMARK (COPY & ADAPT)
Reset/WDG      : BRAND/PN
Vth / Tol      : VTH_VOLTS  (±TOL_PCT %)
Delay          : DELAY_MS  ms
Output         : OUTPUT_TYPE  (OD|PP), POLARITY
AEC Grade      : AEC_GRADE
Alternates     : BRAND1/PN1 ; BRAND2/PN2
Holdup Cap     : C_HOLDUP_mF  (t_commit ≥ T_COMMIT_ms)
Logger Schema  : SCHEMA_VER
Cause Map      : { BOR:BIT , POR:BIT , WDT:BIT , EXT:BIT , THERM:BIT , PG_FAIL:BIT , LOCKUP:BIT }
Clear Method   : CLEAR_MODE  (RC | W1C)
I²C Address    : 0xADDR
Supply Notes   : CUT-TAPE OK ; PARTIAL-REEL OK ; TRACEABILITY=ON

Request a Quote

Accepted Formats

pdf, csv, xls, xlsx, zip

Attachment

Drag & drop files here or use the button below.

Security & Tamper-Evidence (Minimal)

Use a log frame that is verifiable after power loss without heavy crypto. Provide cheap integrity, anti-replay, and export parity so factory/field/RMA tools trust the data across brands and RTC states.

  • Cheap integrity: crc8/16 + digest8 (LFSR over device_id ⊕ seq_id ⊕ cause_bits ⊕ ts) to flag edits/bit flips.
  • Anti-replay: accept only strictly increasing (boot_count, seq_id); store boot_count in a domain that can’t roll back.
  • Write-before-collapse: pre-mark then commit; torn frames are skipped by CRC; exports mirror on-device names.
  • Low-cost signing (optional): append 4–8-byte HMAC tag computed offboard during factory provisioning; devices verify tag with a shared secret if available.
  • Privacy: avoid PII; keep only cause/timing/voltage flags; mask vendor-unique test registers in exports.

FAQs

How do I prove a log wasn’t edited after power loss?

Each frame carries crc8/16 plus a lightweight digest8 derived from device_id, seq_id, cause_bits, and ts. Tools recompute both and reject frames that fail either check. Because seq_id is monotonic, any removal or re-order becomes detectable during import and timeline reconstruction.

What prevents replaying an old, “good” event sequence?

Import logic enforces strict growth of the tuple (boot_count, seq_id). If either value does not increase, the frame is dropped and a replay is recorded. Optional offboard HMAC on batch exports adds another barrier if logs are moved between devices or sites.

Can I keep authenticity without adding a crypto chip?

Yes. Use CRC + digest for cheap integrity and add an export-time HMAC over the file with a backend key. Devices verify structure; your server signs the bundle before it leaves the factory. Field tools verify the HMAC, giving authenticity without per-device secure elements.

How do I stop logs from going backward after brownouts?

Store boot_count in a domain that increments early in boot and never decrements. Pair it with seq_id that always increases before commit. If a commit tears, CRC fails and the reader skips it, preserving a strictly forward timeline across resets and brownouts.

Do I need real timestamps if RTC is unreliable?

No. Use ts_src to declare provenance. If RTC is absent, set ts to Δt ticks and always anchor order with seq_id. Exporters display both Δt and any available wall time, so factory, field, and RMA views stay comparable without trusting absolute time.

What’s the smallest frame that still catches tampering?

Keep 16–20 bytes: {schema_ver,cause_bits,seq_id,ts,ts_src,vbat_min,pf_flag,aux,crc8,digest8}. CRC catches tears; digest flags edits. It’s not cryptography, but it’s enough to make silent modifications detectable and to keep wear within budget on EEPROM/FRAM.

How do I safely clear cause bits during production?

Snapshot to the logger first, then clear with the vendor’s method (W1C or read-clear). The logger frame remains immutable due to CRC. Tools record the factory anchor (seq_id=0) so later frames are always greater, preventing resets from erasing audit history.

What if someone swaps the RTC module to spoof dates?

Ordering never relies solely on RTC. Importers sort primarily by seq_id, with RTC/Δt shown for human context. When RTC provenance changes, ts_src indicates the switch, and digest/CRC still protect integrity even if human-readable dates are misleading.

How are multi-source, same-second resets handled?

Use a 10–20 ms concurrency window. All causes within the window set multiple cause_bits in a single frame, preserving arrival hints with Δt/subsequence if present. This avoids duplicate entries while preventing low-priority causes from masking higher-priority ones.

Can logs be validated offline after a total power loss?

Yes. The combination of CRC, digest, and strictly increasing (boot_count,seq_id) permits full offline validation. Readers skip torn frames, reject replays, and rebuild a monotonic sequence without needing connectivity, secrets, or wall power on the device.

How do I keep privacy while exporting diagnostics?

Export only event semantics and timing (cause_bits, seq_id, ts/Δt, vbat_min, flags). Strip manufacturing IDs unless traceability is contractually required. If needed, hash device identifiers in exports while keeping raw values on secure factory servers.

When should I move from digest to real cryptography?

Adopt HMAC or signature when adversaries are motivated and have physical access, or when regulatory evidence is required. Start with digest+CRC for cost and wear, then add per-batch HMAC at export. For highest assurance, add a secure element and per-frame MAC keys.

icnavigator

ICNavigator helps engineers find verified ICs, alternatives, and fast quotes.

Explore
Categories
  • Power Management
  • MCU
  • Automotive ICs
  • Sensors
  • Interface & Transceivers
  • Analog Front-End
Get in Touch
  • Email: hello@icnavigator.com
  • WeChat/WhatsApp: +86-xxxx

© 2025 ICNavigator. All rights reserved.