Necessity of an external watchdog timer











15 votes












What is the need for an external watchdog timer for a microcontroller?



Most of the microcontrollers are designed with an internal watchdog timer. However, in some of the circuits they are using an external watchdog timer (such as PIC16F1824).

















      microcontroller embedded reset watchdog














      edited yesterday









      Peter Mortensen











      asked 2 days ago









      Photon001























          7 Answers

















          29 votes













          A watchdog timer can guard against hardware bugs in buggy piece of ... cutting edge microcontrollers. One that we recently used, from a famous brand, had I/O pins that occasionally missed their interrupts, sometimes did not start up correctly, and where the integrated watchdog sometimes failed to reset the system in a known-good state.



          This did not show up until we started with long time reliability testing, and it was easier to add an external watchdog than to change the microcontroller.



          If you have more than one IC on the PCB you may also need an external reset-IC or voltage monitor to make everything boot up reliably. Many of these can also serve as a watchdog.






          answered 2 days ago by pipe

















          • 8




            "integrated watchdog sometimes failed to reset the system in a known-good state" - this is functionally equivalent to "there is no internal watchdog".
            – Dmitry Grigoryev
            yesterday


















          26 votes













          It is hard to argue that the internal clock of the internal watchdog is actually independent of all the other clocks and always running like it should.



          So for certification it is usually much easier to place an external watchdog on the board and say: look there is our watchdog, it must be triggered by the MCU at that interval, which is shorter than our time to failure, so our device is safe as we defined it.





          To address some of the comments:




          "and always running like it should" - Good point. It may be harder to
          prove that your software correctly initializes the internal watchdog
          under all circumstances than just employing a watchdog chip and refer
          to its datasheet.




          This is usually proven by a fault insertion test, which you present to a certification body. So you show them the code where your initialization happens, and where the triggering of the watchdog happens. They usually ask you to modify the code in such a way that the triggering of the watchdog is stopped after a certain time has elapsed and check whether the controller is reset correctly.




          Or to prove that your code doesn't contain a bug that accidentally
          disables the internal watchdog.




          At least on some controllers the watchdog is called independent and has its own clock source and cannot be disabled by software means, only a reset of the controller will disable the watchdog. At least in theory - it's easy to show that you cannot stop it by software but hard to prove that the clock is truly independent and will not stop under EMI.




          Or to prove that your code doesn't run wild continuously resetting the
          external watchdog as fast as it can. Problem solved. ;-)




          For that case you use a window watchdog, which has to be triggered at certain intervals and, if you fail to do so (trigger it too often or too rarely), will reset the circuit. The STM32 I'm working with has an internal window watchdog, but it runs from PCLK1, which is derived from the main clock, so I don't think it is as useful as an external watchdog with its own clock source.




          Or that some genius doesn't put the watchdog service routine inside a
          timer ISR, so the main code can crash but the interrupt keeps firing &
          servicing the watchdog perfectly...




          That certainly is true, but hopefully a review will put that genius back on his chair - but hey, when I started out, that was my first idea as well :D. During the certification processes I've been part of, they always had a look at the watchdog part of the software.

























          • 4




            "and always running like it should" - Good point. It may be harder to prove that your software correctly initializes the internal watchdog under all circumstances than just employing a watchdog chip and refer to its datasheet.
            – JimmyB
            2 days ago






          • 4




            @JimmyB Or to prove that your code doesn't contain a bug that accidentally disables the internal watchdog.
            – TripeHound
            2 days ago






          • 2




            @TripeHound Or to prove that your code doesn't run wild continuously resetting the external watchdog as fast as it can. Problem solved. ;-)
            – JimmyB
            2 days ago






          • 2




            Or that some genius doesn't put the watchdog service routine inside a timer ISR, so the main code can crash but the interrupt keeps firing & servicing the watchdog perfectly...
            – John U
            2 days ago










          • @JohnU, that, however, would not seem like something an external IC would help with.
            – ilkkachu
            2 days ago
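The servicing pitfalls raised in the answer and comments above (runaway code kicking as fast as it can, a stalled main loop hidden by kicks that keep coming from elsewhere), as an added example that is not part of the original posts: a host-side C simulation of a window watchdog together with a main-loop kick gate. The 50 ms / 200 ms window, the 100 ms loop period, the task names and every function name are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of an external window watchdog. Timings are constructed for this
 * example and do not describe any particular part. */
typedef struct {
    uint32_t window_open_ms; /* a kick sooner than this after the last one is a fault */
    uint32_t timeout_ms;     /* no kick within this time is a fault */
    uint32_t last_kick_ms;
    bool reset_asserted;     /* latched once the watchdog pulls RESET */
} window_wdt;

static void wdt_init(window_wdt *w, uint32_t open_ms, uint32_t timeout_ms,
                     uint32_t now_ms) {
    w->window_open_ms = open_ms;
    w->timeout_ms = timeout_ms;
    w->last_kick_ms = now_ms;
    w->reset_asserted = false;
}

/* An edge on the watchdog input: too early or too late both trip the reset. */
static void wdt_kick(window_wdt *w, uint32_t now_ms) {
    uint32_t dt = now_ms - w->last_kick_ms;
    if (dt < w->window_open_ms || dt > w->timeout_ms)
        w->reset_asserted = true;
    w->last_kick_ms = now_ms;
}

/* Time passing without a kick. */
static void wdt_poll(window_wdt *w, uint32_t now_ms) {
    if (now_ms - w->last_kick_ms > w->timeout_ms)
        w->reset_asserted = true;
}

/* Firmware side: each task sets its bit when it has done real work. */
enum { TASK_SENSOR = 1u << 0, TASK_CONTROL = 1u << 1, TASK_COMMS = 1u << 2,
       TASK_ALL = TASK_SENSOR | TASK_CONTROL | TASK_COMMS };

static void task_checkin(uint32_t *flags, uint32_t task_bit) {
    *flags |= task_bit;
}

/* Called from the main loop only, never from a timer ISR: the kick is sent
 * only if every task has reported since the previous kick. */
static bool service_watchdog(uint32_t *flags, window_wdt *w, uint32_t now_ms) {
    if ((*flags & TASK_ALL) != TASK_ALL)
        return false;
    *flags = 0;
    wdt_kick(w, now_ms);
    return true;
}

typedef enum { SCEN_HEALTHY, SCEN_RUNAWAY_KICK, SCEN_CONTROL_TASK_HUNG } scenario;

/* Runs the scenario in 10 ms ticks. Returns the time at which the watchdog
 * asserted reset, or 0 if it never did. */
uint32_t simulate(scenario s, uint32_t run_ms) {
    window_wdt w;
    uint32_t flags = 0;
    wdt_init(&w, 50, 200, 0);
    for (uint32_t t = 10; t <= run_ms; t += 10) {
        if (s == SCEN_RUNAWAY_KICK) {
            wdt_kick(&w, t);                 /* runaway code hammering the input */
        } else if (t % 100 == 0) {           /* one main-loop pass every 100 ms */
            task_checkin(&flags, TASK_SENSOR);
            task_checkin(&flags, TASK_COMMS);
            if (s != SCEN_CONTROL_TASK_HUNG || t < 300)
                task_checkin(&flags, TASK_CONTROL); /* hangs from t = 300 ms */
            service_watchdog(&flags, &w, t);
        }
        wdt_poll(&w, t);
        if (w.reset_asserted)
            return t;
    }
    return 0;
}

int main(void) {
    printf("healthy:      reset at %u ms (0 = never)\n",
           (unsigned)simulate(SCEN_HEALTHY, 2000));
    printf("runaway kick: reset at %u ms\n",
           (unsigned)simulate(SCEN_RUNAWAY_KICK, 2000));
    printf("task hung:    reset at %u ms\n",
           (unsigned)simulate(SCEN_CONTROL_TASK_HUNG, 2000));
    return 0;
}
```

The hung-task case is also the fault insertion test described in the answer: servicing stops after a set time and the check is that reset follows within the timeout.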


















          11 votes













          The watchdogs built in to microcontrollers have particular properties that mean they themselves can fail in ways that a different external watchdog might not.



          For example, a common design is to use a watchdog timer running from a low power RC oscillator. That oscillator can fail. An external watchdog based on capacitor discharge rather than an oscillator could still reset the microcontroller in many cases.



          Another reason is that the external watchdog can be more robust. A microcontroller might only operate reliably over a certain voltage range, and being a complex device may be subject to latching up in a way that makes its own internal watchdog ineffective. An external watchdog may have a wider acceptable supply range and be less prone to problems when subjected to electrical noise.



          External watchdogs often offer a much wider range of time-out values too. A microcontroller I use often, the XMEGA, has a maximum time-out of around 7 seconds. For one product I added an additional external watchdog with time-out of 2 hours. That allowed me to wake the microcontroller once an hour rather than once every few seconds, reducing power consumption in a battery powered device.



          External watchdogs sometimes have multiple functions, such as a timer and a voltage monitor/reset control. Again, these can be lower power than a microcontroller's built-in system too.



          One other interesting advantage of an external watchdog is that it can be used to reset devices other than the microcontroller. For example, it might control the enable pin of a voltage regulator, de-powering an entire circuit to reset multiple devices at once. Using some simple logic the watchdog reset signal from multiple sources can be combined, allowing the watchdog to require several devices to be continually resetting it.




































            7 votes













            Some products must meet safety requirements, either determined by the manufacturer or to meet international safety standards such as IEC 60730-1, or the older UL1998 which is still in use in the US. The internal watchdog functionality in any given microcontroller may or may not be adequate to be used. An external WDT may be used in combination with the internal WDT in some cases.



            Certain microcontrollers such as TI's Hercules series take safety critical system applications very seriously and are more likely to meet strict requirements, however they may not be appropriate for cost-sensitive applications.



            Typically the WDT is one of a number of ways to reduce the likelihood of a failure causing catastrophic damage to property or injury to life. Other things such as memory protection to detect unexpected access to MCU memory or program fetches from unused memory are usually used in conjunction with a WDT.



            Examples of inexpensive products that perform safety-critical functions are automotive subsystems, garage door controllers and gas (natural gas or propane) ignition controllers used in furnaces, dryers and water heaters. Of course many medical and aerospace products are also safety-critical but there may be sufficient room for redundancy and other approaches. In some cases, there may be no easily reachable safe state, for example, in an aircraft.



            Ideally the watchdog timer is very simple, independent of the MCU (for example, it should have its own clock source and perhaps a clock monitor), cannot be set (by software) to a longer time than would cause damage by any software error, and will render the system into a safe state if it is not "petted" on time, either with a time-out or in a windowed fashion so too frequent resets can be detected. For example, a WDT in a thermal control application might be set to a few seconds because no damage is possible if the microcontroller locks up for that length of time.



            The WDT is most useful as a part of a system-level approach to reliability and safety.


































              3 votes













              Certain certifications, such as UL, may require protection from two points of failure. An external watchdog timer would be considered protection from a first point of failure, the microcontroller.






              da66en is a new contributor to this site.

























                2 votes













                A watchdog is really no different in this regard from any other built-in peripheral you find in an MCU. MCUs come with timers, RTCs, ADCs, EEPROM and reset controllers, yet all these functions also exist as separate ICs. If available built-in blocks don't meet your requirements, you have to use external ones. Or you can try to find an MCU with all the right blocks, which may not exist or be too expensive or hard to port your code to.


































                  1 vote













                  A watchdog is a timer and activates its output when the IC has lost an input pulse for a period.



                  It is a building block and can be used for any application.



                  So, they can be used in any application, for example, to change data routing in fail-safe mode. When the microcontroller clock fails, we can't disable some critical outputs.



                  An external watchdog is not related to the complex clock domain of the microcontroller, and some of them have their analog RC charge timing or internal clock.



                  Digital circuits in radiation may trigger the outputs when charge hits their flip-flops. But some analog circuits are safer because they integrate charge in a capacitor, and it is safe when we integrate it.































                    7 Answers
                    7






                    active

                    oldest

                    votes








                    7 Answers
                    7






                    active

                    oldest

                    votes









                    active

                    oldest

                    votes






                    active

                    oldest

                    votes








                    up vote
                    29
                    down vote













                    A watchdog timer can guard against hardware bugs in buggy piece of ... cutting edge microcontrollers. One that we recently used, from a famous brand, had I/O pins that occasionally missed their interrupts, sometimes did not start up correctly, and where the integrated watchdog sometimes failed to reset the system in a known-good state.



                    This did not show up until we started with long time reliability testing, and it was easier to add an external watchdog than to change the microcontroller.



                    If you have more than one IC on the PCB you may also need an external reset-IC or voltage monitor to make everything boot up reliably. Many of these can also serve as a watchdog.






                    share|improve this answer

















                    • 8




                      "integrated watchdog sometimes failed to reset the system in a known-good state" - this is functionally equivalent to "there is no internal watchdog".
                      – Dmitry Grigoryev
                      yesterday















                    up vote
                    29
                    down vote













                    A watchdog timer can guard against hardware bugs in buggy piece of ... cutting edge microcontrollers. One that we recently used, from a famous brand, had I/O pins that occasionally missed their interrupts, sometimes did not start up correctly, and where the integrated watchdog sometimes failed to reset the system in a known-good state.



                    This did not show up until we started with long time reliability testing, and it was easier to add an external watchdog than to change the microcontroller.



                    If you have more than one IC on the PCB you may also need an external reset-IC or voltage monitor to make everything boot up reliably. Many of these can also serve as a watchdog.






                    share|improve this answer

















                    • 8




                      "integrated watchdog sometimes failed to reset the system in a known-good state" - this is functionally equivalent to "there is no internal watchdog".
                      – Dmitry Grigoryev
                      yesterday













                    up vote
                    29
                    down vote










                    up vote
                    29
                    down vote









                    A watchdog timer can guard against hardware bugs in buggy piece of ... cutting edge microcontrollers. One that we recently used, from a famous brand, had I/O pins that occasionally missed their interrupts, sometimes did not start up correctly, and where the integrated watchdog sometimes failed to reset the system in a known-good state.



                    This did not show up until we started with long time reliability testing, and it was easier to add an external watchdog than to change the microcontroller.



                    If you have more than one IC on the PCB you may also need an external reset-IC or voltage monitor to make everything boot up reliably. Many of these can also serve as a watchdog.






                    share|improve this answer












                    A watchdog timer can guard against hardware bugs in buggy piece of ... cutting edge microcontrollers. One that we recently used, from a famous brand, had I/O pins that occasionally missed their interrupts, sometimes did not start up correctly, and where the integrated watchdog sometimes failed to reset the system in a known-good state.



                    This did not show up until we started with long time reliability testing, and it was easier to add an external watchdog than to change the microcontroller.



                    If you have more than one IC on the PCB you may also need an external reset-IC or voltage monitor to make everything boot up reliably. Many of these can also serve as a watchdog.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered 2 days ago









                    pipe

                    9,71642252




                    9,71642252








                    • 8




                      "integrated watchdog sometimes failed to reset the system in a known-good state" - this is functionally equivalent to "there is no internal watchdog".
                      – Dmitry Grigoryev
                      yesterday














                    • 8




                      "integrated watchdog sometimes failed to reset the system in a known-good state" - this is functionally equivalent to "there is no internal watchdog".
                      – Dmitry Grigoryev
                      yesterday








                    8




                    8




                    "integrated watchdog sometimes failed to reset the system in a known-good state" - this is functionally equivalent to "there is no internal watchdog".
                    – Dmitry Grigoryev
                    yesterday




                    "integrated watchdog sometimes failed to reset the system in a known-good state" - this is functionally equivalent to "there is no internal watchdog".
                    – Dmitry Grigoryev
                    yesterday












                    up vote
                    26
                    down vote













                    It is hard to argue, that the internal clock of the internal watchdog is actually independent of all the other clocks and always running like it should.



                    So for certification it is usually much easier to place an external watchdog on the board and say: look there is our watchdog, it must be triggered by the MCU at that interval, which is shorter than our time to failure, so our device is safe as we defined it.





                    To address some of the comments:




                    "and always running like it should" - Good point. It may be harder to
                    prove that your software correctly initializes the internal watchdog
                    under all circumstances than just employing a watchdog chip and refer
                    to its datasheet.




                    This is usually proven by a fault insertion test, which you present to a body of the certification. So you show them the code where your initialization happens, and where the triggering of the watchdog happens. They usually ask you to modify the code in such a way that the triggering of the watchdog is stopped after a certain time has elapsed and check whether the controller is reset correctly.




                    Or to prove that your code doesn't contain a bug that accidentally
                    disables the internal watchdog.




                    At least on some controllers the watchdog is called independent and has its own clock source and cannot be disabled by software means, only a reset of the controller will disable the watchdog. At least in theory - it's easy to show that you cannot stop it by software but hard to prove that the clock is truly independent and will not stop under EMI.




                    Or to prove that your code doesn't run wild continuously resetting the
                    external watchdog as fast as it can. Problem solved. ;-)




                    For that case you use a window watchdog which has to be triggered at certain intervals and if you fail to do so (trigger it too often or too less) will reset the circuit. The STM32 I'm working with have an internal window watchdog, but it runs from PCLK1 which is derived from the main clock, so I don't think it is as useful as an external watchdog with its own clock source.




                    Or that some genius doesn't put the watchdog service routine inside a
                    timer ISR, so the main code can crash but the interrupt keeps firing &
                    servicing the watchdog perfectly...




                    That certainly is true, but hopefully a review will put that genius back on his chair - but hey when I started out, that was my first idea as well :D. During the certification processes I've been part in, they always had a look at the watchdog part of the software.






                    share|improve this answer



















                    • 4




                      "and always running like it should" - Good point. It may be harder to prove that your software correctly initializes the internal watchdog under all circumstances than just employing a watchdog chip and refer to its datasheet.
                      – JimmyB
                      2 days ago






                    • 4




                      @JimmyB Or to prove that your code doesn't contain a bug that accidentally disables the internal watchdog.
                      – TripeHound
                      2 days ago






                    • 2




                      @TripeHound Or to prove that your code doesn't run wild continuously resetting the external watchdog as fast as it can. Problem solved. ;-)
                      – JimmyB
                      2 days ago






                    • 2




                      Or that some genius doesn't put the watchdog service routine inside a timer ISR, so the main code can crash but the interrupt keeps firing & servicing the watchdog perfectly...
                      – John U
                      2 days ago










                    • @JohnU, that, however, would not seem like something an external IC would help with.
                      – ilkkachu
                      2 days ago















                    up vote
                    26
                    down vote













                    It is hard to argue, that the internal clock of the internal watchdog is actually independent of all the other clocks and always running like it should.



                    So for certification it is usually much easier to place an external watchdog on the board and say: look there is our watchdog, it must be triggered by the MCU at that interval, which is shorter than our time to failure, so our device is safe as we defined it.





                    To address some of the comments:




                    "and always running like it should" - Good point. It may be harder to
                    prove that your software correctly initializes the internal watchdog
                    under all circumstances than just employing a watchdog chip and refer
                    to its datasheet.




                    This is usually proven by a fault insertion test, which you present to a body of the certification. So you show them the code where your initialization happens, and where the triggering of the watchdog happens. They usually ask you to modify the code in such a way that the triggering of the watchdog is stopped after a certain time has elapsed and check whether the controller is reset correctly.




                    Or to prove that your code doesn't contain a bug that accidentally
                    disables the internal watchdog.




                    At least on some controllers the watchdog is called independent and has its own clock source and cannot be disabled by software means, only a reset of the controller will disable the watchdog. At least in theory - it's easy to show that you cannot stop it by software but hard to prove that the clock is truly independent and will not stop under EMI.




                    Or to prove that your code doesn't run wild continuously resetting the
                    external watchdog as fast as it can. Problem solved. ;-)




                    For that case you use a window watchdog which has to be triggered at certain intervals and if you fail to do so (trigger it too often or too less) will reset the circuit. The STM32 I'm working with have an internal window watchdog, but it runs from PCLK1 which is derived from the main clock, so I don't think it is as useful as an external watchdog with its own clock source.




                    Or that some genius doesn't put the watchdog service routine inside a
                    timer ISR, so the main code can crash but the interrupt keeps firing &
                    servicing the watchdog perfectly...




                    That certainly is true, but hopefully a review will put that genius back on his chair - but hey when I started out, that was my first idea as well :D. During the certification processes I've been part in, they always had a look at the watchdog part of the software.






                    share|improve this answer



















                    • 4




                      "and always running like it should" - Good point. It may be harder to prove that your software correctly initializes the internal watchdog under all circumstances than just employing a watchdog chip and refer to its datasheet.
                      – JimmyB
                      2 days ago






                    • 4




                      @JimmyB Or to prove that your code doesn't contain a bug that accidentally disables the internal watchdog.
                      – TripeHound
                      2 days ago






                    • 2




                      @TripeHound Or to prove that your code doesn't run wild continuously resetting the external watchdog as fast as it can. Problem solved. ;-)
                      – JimmyB
                      2 days ago






                    • 2




                      Or that some genius doesn't put the watchdog service routine inside a timer ISR, so the main code can crash but the interrupt keeps firing & servicing the watchdog perfectly...
                      – John U
                      2 days ago










                    • @JohnU, that, however, would not seem like something an external IC would help with.
                      – ilkkachu
                      2 days ago













up vote
26
down vote

It is hard to argue that the internal clock of the internal watchdog is actually independent of all the other clocks and always running like it should.

So for certification it is usually much easier to place an external watchdog on the board and say: look, there is our watchdog, it must be triggered by the MCU at that interval, which is shorter than our time to failure, so our device is safe as we defined it.

To address some of the comments:

> "and always running like it should" - Good point. It may be harder to prove that your software correctly initializes the internal watchdog under all circumstances than just employing a watchdog chip and referring to its datasheet.

This is usually proven by a fault insertion test, which you present to the certification body. So you show them the code where your initialization happens, and where the triggering of the watchdog happens. They usually ask you to modify the code in such a way that the triggering of the watchdog is stopped after a certain time has elapsed and check whether the controller is reset correctly.

> Or to prove that your code doesn't contain a bug that accidentally disables the internal watchdog.

At least on some controllers the watchdog is called independent and has its own clock source and cannot be disabled by software means; only a reset of the controller will disable the watchdog. At least in theory - it's easy to show that you cannot stop it by software but hard to prove that the clock is truly independent and will not stop under EMI.

> Or to prove that your code doesn't run wild continuously resetting the external watchdog as fast as it can. Problem solved. ;-)

For that case you use a window watchdog, which has to be triggered at certain intervals and, if you fail to do so (trigger it too often or too rarely), will reset the circuit. The STM32 I'm working with has an internal window watchdog, but it runs from PCLK1 which is derived from the main clock, so I don't think it is as useful as an external watchdog with its own clock source.

> Or that some genius doesn't put the watchdog service routine inside a timer ISR, so the main code can crash but the interrupt keeps firing & servicing the watchdog perfectly...

That certainly is true, but hopefully a review will put that genius back on his chair - but hey, when I started out, that was my first idea as well :D. During the certification processes I've been part of, they always had a look at the watchdog part of the software.






edited yesterday

answered 2 days ago
Arsenal

up vote
11
down vote

The watchdogs built in to microcontrollers have particular properties that mean they themselves can fail in ways that a different external watchdog might not.

For example, a common design is to use a watchdog timer running from a low power RC oscillator. That oscillator can fail. An external watchdog based on capacitor discharge rather than an oscillator could still reset the microcontroller in many cases.

Another reason is that the external watchdog can be more robust. A microcontroller might only operate reliably over a certain voltage range, and being a complex device may be subject to latching up in a way that makes its own internal watchdog ineffective. An external watchdog may have a wider acceptable supply range and be less prone to problems when subjected to electrical noise.

External watchdogs often offer a much wider range of time-out values too. A microcontroller I use often, the XMEGA, has a maximum time-out of around 7 seconds. For one product I added an additional external watchdog with a time-out of 2 hours. That allowed me to wake the microcontroller once an hour rather than once every few seconds, reducing power consumption in a battery powered device.

External watchdogs sometimes have multiple functions, such as a timer and a voltage monitor/reset control. Again, these can be lower power than a microcontroller's built-in system too.

One other interesting advantage of an external watchdog is that it can be used to reset devices other than the microcontroller. For example, it might control the enable pin of a voltage regulator, de-powering an entire circuit to reset multiple devices at once. Using some simple logic, the watchdog reset signal from multiple sources can be combined, allowing the watchdog to require several devices to be continually resetting it.






edited yesterday
Peter Mortensen

answered 2 days ago
user






















up vote
7
down vote

Some products must meet safety requirements, either determined by the manufacturer or to meet international safety standards such as IEC 60730-1, or the older UL1998 which is still in use in the US. The internal watchdog functionality in any given microcontroller may or may not be adequate to be used. An external WDT may be used in combination with the internal WDT in some cases.

Certain microcontrollers such as TI's Hercules series take safety critical system applications very seriously and are more likely to meet strict requirements; however, they may not be appropriate for cost-sensitive applications.

Typically the WDT is one of a number of ways to reduce the likelihood of a failure causing catastrophic damage to property or injury to life. Other things such as memory protection to detect unexpected access to MCU memory or program fetches from unused memory are usually used in conjunction with a WDT.

Examples of inexpensive products that perform safety-critical functions are automotive subsystems, garage door controllers and gas (natural gas or propane) ignition controllers used in furnaces, dryers and water heaters. Of course many medical and aerospace products are also safety-critical but there may be sufficient room for redundancy and other approaches. In some cases, there may be no easily reachable safe state - for example, in an aircraft.

Ideally the watchdog timer is very simple, independent of the MCU (for example, it should have its own clock source and perhaps a clock monitor), cannot be set (by software) to a longer time than would cause damage by any software error, and will render the system into a safe state if it is not "petted" on time, either with a time-out or in a windowed fashion so too frequent resets can be detected. For example, a WDT in a thermal control application might be set to a few seconds because no damage is possible if the microcontroller locks up for that length of time.

The WDT is most useful as a part of a system-level approach to reliability and safety.






answered yesterday
Spehro Pefhany
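The window watchdog, the fault insertion test and the timer-ISR pitfall discussed in the answers and comments above can be tried out in a small host-side simulation. This is an added example, not code from any answer; the watchdog model, the task names and all timing values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* All timing values below are constructed for this example. */
#define WINDOW_OPEN_MS  50u    /* a kick sooner than this after the last one is a fault */
#define TIMEOUT_MS      200u   /* no kick within this time after the last one is a fault */
#define LOOP_PERIOD_MS  100u   /* a healthy main loop services the watchdog at this period */
#define FAULT_AT_MS     1000u  /* moment at which the scenario's fault is inserted */

/* Model of an external window watchdog that keeps time on its own clock. */
typedef struct {
    uint32_t since_kick_ms;
    bool     reset_asserted;   /* latched once the RESET line has been driven */
} wwdt_t;

static void wwdt_init(wwdt_t *w) { w->since_kick_ms = 0; w->reset_asserted = false; }

/* One millisecond passes on the watchdog's own time base. */
static void wwdt_tick(wwdt_t *w)
{
    if (!w->reset_asserted && ++w->since_kick_ms >= TIMEOUT_MS)
        w->reset_asserted = true;              /* kicked too late or not at all */
}

/* Edge on the watchdog input pin. */
static void wwdt_kick(wwdt_t *w)
{
    if (w->reset_asserted)
        return;
    if (w->since_kick_ms < WINDOW_OPEN_MS)
        w->reset_asserted = true;              /* kicked too early: runaway code */
    else
        w->since_kick_ms = 0;
}

/* Firmware side: every task must check in before the main loop may kick. */
enum { TASK_SENSOR = 1u << 0, TASK_CONTROL = 1u << 1, TASK_COMMS = 1u << 2,
       ALL_TASKS = TASK_SENSOR | TASK_CONTROL | TASK_COMMS };

typedef struct { uint32_t alive; } supervisor_t;

static void task_checkin(supervisor_t *s, uint32_t id) { s->alive |= id; }

static bool supervisor_service(supervisor_t *s, wwdt_t *w)
{
    if (s->alive != ALL_TASKS)
        return false;                          /* a task is stuck: withhold the kick */
    s->alive = 0;
    wwdt_kick(w);
    return true;
}

typedef enum { SC_HEALTHY, SC_KICK_REMOVED, SC_RUNAWAY, SC_TASK_HANG, SC_ISR_KICK } scenario_t;

/* Returns the millisecond at which RESET is asserted, or -1 if it never is. */
static int32_t run_scenario(scenario_t sc, uint32_t duration_ms)
{
    wwdt_t w;
    supervisor_t s = { 0 };
    wwdt_init(&w);

    for (uint32_t t = 1; t <= duration_ms; t++) {
        bool faulted = (t >= FAULT_AT_MS);
        wwdt_tick(&w);                         /* runs regardless of firmware state */

        if (sc == SC_RUNAWAY && faulted) {
            wwdt_kick(&w);                     /* code running wild, kicking every ms */
        } else if (t % LOOP_PERIOD_MS == 0) {
            if (sc == SC_ISR_KICK) {
                wwdt_kick(&w);                 /* timer ISR kicks; main loop state ignored */
            } else {
                task_checkin(&s, TASK_SENSOR);
                if (!(sc == SC_TASK_HANG && faulted))
                    task_checkin(&s, TASK_CONTROL);
                task_checkin(&s, TASK_COMMS);
                if (!(sc == SC_KICK_REMOVED && faulted))   /* fault insertion test */
                    supervisor_service(&s, &w);
            }
        }
        if (w.reset_asserted)
            return (int32_t)t;
    }
    return -1;
}

int main(void)
{
    static const char *names[] = { "healthy", "kick removed (fault insertion)",
        "runaway kicking", "one task hung", "kick from timer ISR" };
    for (int sc = SC_HEALTHY; sc <= SC_ISR_KICK; sc++)
        printf("%-32s reset at: %d ms\n", names[sc],
               (int)run_scenario((scenario_t)sc, 5000));
    return 0;
}
```

The last scenario never resets: a kick issued from a periodic interrupt satisfies even an external window watchdog, whatever the main loop is doing, which is why the kick here is gated on task check-ins in the main loop.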






















up vote
3
down vote

Certain certifications, such as UL, may require protection from two points of failure. An external watchdog timer would be considered protection from a first point of failure, the microcontroller.






                                        edited yesterday









                                        Peter Mortensen

                                        answered yesterday









                                        da66en

                                            up vote
                                            2
                                            down vote













                                            A watchdog is really no different in this regard from any other built-in peripheral you find in an MCU. MCUs come with timers, RTCs, ADCs, EEPROM and reset controllers, yet all these functions also exist as separate ICs. If available built-in blocks don't meet your requirements, you have to use external ones. Or you can try to find an MCU with all the right blocks, which may not exist or be too expensive or hard to port your code to.






                                                answered yesterday









                                                Dmitry Grigoryev

                                                    up vote
                                                    1
                                                    down vote













                                                    A watchdog is a timer and activates its output when the IC has lost an input pulse for a period.



                                                    It is a building block and can be used for any application.



                                                    So, they can be used in any application, for example, to change data routing in fail-safe mode. When the microcontroller clock fails, we can't disable some critical outputs.



                                                    An external watchdog is not related to the complex clock domain of the microcontroller, and some of them have their analog RC charge timing or internal clock.



                                                    Digital circuits in radiation may trigger the outputs when charge hits their flip-flops. But some analog circuits are safer because they integrate charge in a capacitor, and it is safe when we integrate it.






                                                        edited yesterday









                                                        Peter Mortensen

                                                        answered 2 days ago









                                                        M KS
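
The clock-domain point made in the answer above, as an added simulation that is not part of the original post. It assumes a hypothetical internal watchdog that counts the MCU's main clock, while the external one runs from its own time base; all names and the 1 ms tick are illustrative.

```c
#include <stdbool.h>
#include <stdint.h>

/* Pulse-supervising watchdog: its output latches when no kick (input
 * pulse) arrives within timeout_ticks of the clock that drives it. */
typedef struct {
    uint32_t timeout_ticks;  /* allowed gap between kicks */
    uint32_t elapsed;        /* ticks counted since the last kick */
    bool     tripped;        /* latched output (reset / fail-safe line) */
} watchdog_t;

static void wdt_init(watchdog_t *w, uint32_t timeout) {
    w->timeout_ticks = timeout; w->elapsed = 0; w->tripped = false;
}
static void wdt_kick(watchdog_t *w) { w->elapsed = 0; }

/* Advance the watchdog by one tick of its own clock source. */
static void wdt_tick(watchdog_t *w) {
    if (!w->tripped && ++w->elapsed >= w->timeout_ticks)
        w->tripped = true;
}

typedef struct { bool internal_tripped, external_tripped; } sim_result_t;

/* Simulate total_ms of wall time in 1 ms steps. The MCU clock stops at
 * clock_fail_ms and the firmware stops kicking at fw_hang_ms (pass a
 * value >= total_ms for "never"). While healthy, firmware kicks both
 * watchdogs every kick_period_ms, which must be non-zero. */
static sim_result_t simulate(uint32_t total_ms, uint32_t clock_fail_ms,
                             uint32_t fw_hang_ms, uint32_t kick_period_ms,
                             uint32_t timeout_ms) {
    watchdog_t internal, external;
    wdt_init(&internal, timeout_ms);
    wdt_init(&external, timeout_ms);
    for (uint32_t t = 0; t < total_ms; t++) {
        bool clock_ok = t < clock_fail_ms;
        if (clock_ok && t < fw_hang_ms && t % kick_period_ms == 0) {
            wdt_kick(&internal); wdt_kick(&external);
        }
        if (clock_ok) wdt_tick(&internal); /* assumed: shares the MCU clock */
        wdt_tick(&external);               /* own RC/oscillator: never stalls */
    }
    return (sim_result_t){ internal.tripped, external.tripped };
}
```

A firmware hang with the clock still running trips both watchdogs; a stopped MCU clock freezes the internal counter, so only the external watchdog asserts its output.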
