Internal watchdog timers, while quite simple in theory, require a fair amount of thought to implement properly. For example, the software that services the watchdog cannot simply clear the watchdog timer blindly. It should first check the system to ensure that all tasks and hardware are operating properly, and only then clear the watchdog.
When developing an internal watchdog solution, there are several tips that developers should attempt to adhere to:
- Never disable the watchdog for any reason. In fact, when selecting a microcontroller, make sure that the watchdog, once enabled, can never be disabled.
- Never clear the watchdog in a periodic interrupt independent from software functionality checks.
- Verify that the watchdog timer is an independent watchdog. Independent watchdogs have a separate clock that allows them to detect if the system clock has halted.
- Use a watchdog that has a windowed watchdog feature. These watchdogs require a minimum time before the watchdog can be cleared. If an attempt is made prior to the start of the window, the watchdog will reset the system. This prevents runaway software from overriding the watchdog timer.
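One way to structure the health check before clearing, together with the early-refresh guard that a windowed watchdog enforces, as an added example (not code from the original article). The task count, the 40 ms window and the `wdt_*` names are assumptions, and `wdt_hw_refresh` stands in for the MCU-specific register write.

```c
#include <stdbool.h>
#include <stdint.h>

#define TASK_COUNT     3u   /* hypothetical tasks: sensor, control, comms */
#define ALL_TASKS_MASK ((1u << TASK_COUNT) - 1u)
#define WINDOW_OPEN_MS 40u  /* assumed: hardware resets on an earlier refresh */

static uint32_t checkins;        /* one bit per task, set by the task itself */
static uint32_t last_refresh_ms; /* time of the last accepted refresh */
static unsigned refresh_count;   /* stands in for the hardware register write */

/* Each task calls this only after completing a full, verified work cycle. */
void wdt_task_checkin(unsigned task_id)
{
    if (task_id < TASK_COUNT)
        checkins |= (1u << task_id);
}

/* Stub for the MCU-specific refresh; a real port writes the key register. */
static void wdt_hw_refresh(uint32_t now_ms)
{
    last_refresh_ms = now_ms;
    refresh_count++;
}

/* Called from the main-loop supervisor, never from a free-running timer ISR.
 * Returns true only if the watchdog was actually refreshed. */
bool wdt_service(uint32_t now_ms, bool hw_selftest_ok)
{
    uint32_t elapsed = now_ms - last_refresh_ms; /* wrap-safe unsigned math */

    if (checkins != ALL_TASKS_MASK || !hw_selftest_ok)
        return false; /* a task or peripheral is unhealthy: let it expire */
    if (elapsed < WINDOW_OPEN_MS)
        return false; /* too early: a windowed watchdog would reset here */

    checkins = 0;     /* every task must prove liveness again next period */
    wdt_hw_refresh(now_ms);
    return true;
}

unsigned wdt_refresh_count(void) { return refresh_count; }
```

A hung task never sets its bit, so the refresh is withheld and the hardware timeout resets the system.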
Internal watchdogs are a good step towards building a robust embedded system, but on their own they don’t provide a very robust solution. In order to really up the ante with respect to robustness, developers need to consider external watchdogs.
Increase robustness with external watchdogs
No matter how careful developers are in their internal watchdog implementation, internal watchdogs can’t always save the day. Many implementations have flaws, two examples of which are sharing the system clock, and having a disable option.
When a system needs to operate on its own in the field, using an external watchdog has many advantages, such as:
- Performing a hard system reset that ensures the microcontroller is power cycled, which in turn power cycles the internal peripherals.
- Separating the watchdog from the microcontroller's oscillator circuit.
- Providing a completely independent process for monitoring the system.