Necessity of an external watchdog timer

A watchdog timer can guard against hardware bugs in buggy piece of ... cutting edge microcontrollers. One that we recently used, from a famous brand, had I/O pins that occasionally missed their interrupts, sometimes did not start up correctly, and where the integrated watchdog sometimes failed to reset the system in a known-good state.

This did not show up until we started with long time reliability testing, and it was easier to add an external watchdog than to change the microcontroller.

If you have more than one IC on the PCB you may also need an external reset-IC or voltage monitor to make everything boot up reliably. Many of these can also serve as a watchdog.


It is hard to argue, that the internal clock of the internal watchdog is actually independent of all the other clocks and always running like it should.

So for certification it is usually much easier to place an external watchdog on the board and say: look there is our watchdog, it must be triggered by the MCU at that interval, which is shorter than our time to failure, so our device is safe as we defined it.

To address some of the comments:

"and always running like it should" - Good point. It may be harder to prove that your software correctly initializes the internal watchdog under all circumstances than just employing a watchdog chip and refer to its datasheet.

This is usually proven by a fault insertion test, which you present to a body of the certification. So you show them the code where your initialization happens, and where the triggering of the watchdog happens. They usually ask you to modify the code in such a way that the triggering of the watchdog is stopped after a certain time has elapsed and check whether the controller is reset correctly.

Or to prove that your code doesn't contain a bug that accidentally disables the internal watchdog.

At least on some controllers the watchdog is called independent and has its own clock source and cannot be disabled by software means, only a reset of the controller will disable the watchdog. At least in theory - it's easy to show that you cannot stop it by software but hard to prove that the clock is truly independent and will not stop under EMI.

Or to prove that your code doesn't run wild continuously resetting the external watchdog as fast as it can. Problem solved. ;-)

For that case you use a window watchdog which has to be triggered at certain intervals and if you fail to do so (trigger it too often or too less) will reset the circuit. The STM32 I'm working with have an internal window watchdog, but it runs from PCLK1 which is derived from the main clock, so I don't think it is as useful as an external watchdog with its own clock source.

Or that some genius doesn't put the watchdog service routine inside a timer ISR, so the main code can crash but the interrupt keeps firing & servicing the watchdog perfectly...

That certainly is true, but hopefully a review will put that genius back on his chair - but hey when I started out, that was my first idea as well :D. During the certification processes I've been part in, they always had a look at the watchdog part of the software.


The watchdogs built in to microcontrollers have particular properties that mean they themselves can fail in ways that a different external watchdog might not.

For example, a common design is to use a watchdog timer running from a low power RC oscillator. That oscillator can fail. An external watchdog based on capacitor discharge rather than an oscillator could still reset the microcontroller in many cases.

Another reason is that the external watchdog can be more robust. A microcontroller might only operate reliably over a certain voltage range, and being a complex device may be subject to latching up in a way that makes its own internal watchdog ineffective. An external watchdog may have a wider acceptable supply range and be less prone to problems when subjected to electrical noise.

External watchdogs often offer a much wider range of time-out values too. A microcontroller I use often, the XMEGA, has a maximum time-out of around 7 seconds. For one product I added an additional external watchdog with time-out of 2 hours. That allowed me to wake the microcontroller once an hour rather than once every few seconds, reducing power consumption in a battery powered device.

External watchdogs sometimes have multiple functions, such as a timer and a voltage monitor/reset control. Again, these can be lower power than a microcontroller's built-in system too.

One other interesting advantage of an external watchdog is that it can be used to reset devices other than the microcontroller. For example, it might control the enable pin of a voltage regulator, de-powering an entire circuit to reset multiple devices at once. Using some simple logic the watchdog reset signal from multiple sources can be combined, allowing the watchdog to require several devices to be continually resetting it.

Tags:

Embedded

Watchdog

Microcontroller

Reset

Related

Expected and actual unity gain bandwidth LM324N Power Transformer: 110V and 220V input, with two 15V outputs 180 degrees out of phase AND Gate Stays Open What is the name of these little plastic things that protect wires from being cut into by the sharp edges of a drilled hole? High-side vs low-side reverse polarity protection Will these two transistors (BC558A and BC558B) function in the same way? Relationship between I2C drawn energy / power consumption and data rate What Reference-Potential does an Operational Amplifier use as "Ground"-Potential? PCB enclosure tolerances If you have two identical but oppositely wound inductors does the inductance effectively cancel? How do I fix the speed of a generator? Does this experiment show that Kirchhoff's Law hold when there's a changing magnetic field involved in a circuit?

Recent Posts