Some parameters that can be set in a device via the EmCan interface are defined as non-volatile. This means they must persist even if the device has been reset or powered down since these parameters were set. Most non-volatile settings are optional, so a device is not forced to include non-volatile memory. However, the utility of the device and the user experience in configuring and using the overall system can be significantly enhanced by providing for some non-volatile settings.
The non-volatile parameters are not intended to be set frequently or as part of normal operation. These are generally values that will be set when the overall system is first configured, when the configuration is changed, when devices are added or replaced, connections changed, etc. It is therefore permissible for devices to temporarily cease normal operation while parameters are written to non-volatile memory. If writing to non-volatile memory can cause a device to loose state, miss state-dependent communications, etc, then the device must reset itself to the extent necessary so that the rest of the system should no longer rely on any part of its operation that may be incorrect afterwards. It may completely reset itself, as if powered down and back up again, for example, which may include whatever the normal delay is in starting normal operation from power up.
System implementers must be aware that some non-volatile memory technologies allow for only a limited number of write operations. For example, some microcontroller flash memories are only rated for 1000 lifetime writes. Care must be taken to only change a non-volatile value when necessary, not as part of some regular process that makes the setting whether needed or not.
For their part, device implementors are encouraged to detect redundant settings and only perform true writes when values are actually being changed, if the device's implementation of non-volatile memory only supports a finite number of write operations. For example, re-writes of the same value should be detected and silently eliminated if the non-volatile memory is flash memory (which has a limited number of lifetime writes), but this is not necessary if the non-volatile memory is a battery-backed static RAM (since those have no practical limit on the number of times they can be written).
Devices must ignore attempts to change non-volatile settings unless they are in configuration state. Devices always power up not in configuration state. A CONFIG frame with the right values must be received to enter configuration state, but the device may also require other device-dependent conditions to be met. For example, a user button may need to be pressed to allow configuration state. See the CONFIG extended frame node-specific command for more information.
The purpose of the special configuration state is to prevent accidental or possibly malicious changes to be made to important settings during normal operation. For example, accidental operation of a program on a bus controller could erase all device usage strings, set them all the same, or even set them to different values in a loop such that the non-volatile memory is worn out quickly and the device becomes inoperable. Systems that have a connection to a network or other open access to bus frames could even suffer malicious attacks.