What does a watchdog timer watch?

Watchdog timers (WDTs) watch MCU operations to ensure reliability, especially in embedded systems, robotics, medical devices, electric grid monitoring, deep space missions, and other critical applications. They are used to detect and correct MCU and software glitches without human intervention.

The WDT monitors system operation by listening to signals from the MCU. The system software periodically sends a signal, called a “kick,” to the WDT to restart the timing period, indicating that it’s still functioning properly.

If the kick is not received within the timing period, the WDT detects abnormal operation that triggers a “timeout.” It then issues a reset signal, interrupt, or other recovery action (Figure 1).

Figure 1. When the WDT detects abnormal operation, it triggers a “timeout.” It issues a reset signal, interrupt, or other recovery action. (Image: The Tech Blog)

WDTs can prevent crashes and downtime, boosting the reliability of the systems they monitor. Several types of WDTs are suited to specific operating requirements.

Watchdog timer types

Watchdog timers are available as hardware or software solutions. Hardware WDTs can be internal to the MCU or external in a separate IC. Each design involves performance and cost tradeoffs.

Internal WDTs minimize overall solution size and cost. However, they can have limitations related to design flexibility and system reliability.

External WDTs are more reliable and independent of internal MCU software errors. In most applications, internal WDTs provide an adequate level of reliability, but when maximum reliability is required, an external WDT may be the best choice.

External WDTs can also provide increased flexibility, but they result in larger and higher-cost solutions. Hardware-based WDTs use a dedicated counter, while software implementations use a timer interrupt based on the system clock.

Windowed or non-windowed

Standard WDTs are non-windowed designs that require the software to periodically kick the timer within a set period to monitor if the system has hung up. A windowed WDT uses a monitoring cycle split into CLOSED and OPEN durations called windows for more detailed monitoring of software execution.

That requires more precise timing for valid operation since OPEN and CLOSED windows are only valid at certain times in the cycle. A windowed design also enables it to monitor signals occurring outside a specific timing window and detect if software execution is taking longer or shorter than expected (Figure 2).

Figure 2. A windowed watchdog timer can reset the MCU if software execution occurs before or after a defined normal operation window. (Image: Microchip)

Multistage watchdogs

Multiple WDTs can be cascaded in a multistage structure. These are used when more complex corrective actions are required. They can be implemented with several individual devices or with a single WDT and additional logic to emulate the operation of multiple timers.

In a multistage WDT, the MCU only kicks the first stage. Each subsequent stage has a longer timeout period, supporting increasingly severe actions.

For example, the first stage may only issue a warning signal and provide time for automatic recovery, the next stage may log error data for use in any subsequent fault analysis, the next stage can issue a command to enter a safe operating stage, and the final stage could issue a full system restart (Figure 3).

Figure 3. In a multistage WDT, only the MCU kicks the first stage; subsequent stages have longer timeout periods and initiate increasingly severe corrective actions. (Image: Wikipedia)

Multistage WDTs can improve fault tolerance by allowing several recovery attempts before initiating a full system restart. This can be especially useful in systems subject to temporary glitches that can be recovered without a full restart.

Multistage WDTs can minimize system downtime in critical medical systems and continuous-process industrial applications by allowing multiple opportunities for controlled recovery.

Summary

WDTs watch MCU software execution to improve system reliability. They can be implemented in hardware or software, internal to the MCU, or use an external IC. There are several WDT architectures.

A basic WDT monitors if the system is hung and needs to be restarted. Windowed designs monitor software timing issues and can restart the MCU if software runs too early or too late. Multistage WDTs can issue a series of fault alarms to support fault tolerance, ultimately resulting in a restart if the error is not corrected.