Selecting watchdog timers for networking apps
Watchdog timers, both internal and external, are critical in ensuring systems never freeze or get caught in an endless loop
BY ERIC SCHLAEPFER
Maxim Integrated Products
Sunnyvale, CA
http://maxim.com
A watchdog timer’s job is to force an embedded processor or microcontroller to reset in response to an invalid software state. Such states can be as simple as a toggled register bit caused by a software bug, a cosmic ray fault, or an EMI event. In networking applications, where system operation must be nonstop, watchdog timers can play a critical role in ensuring systems never freeze or get caught in an endless loop.
Watchdog timers such as Maxim’s MAX6746 can play a critical role in ensuring systems never freeze or get caught in an endless loop.
The problem with higher-level network functions (such as socket or connect timeouts and ARP table timeouts) is that systems often need many, many timers. A single watchdog would not be enough. So when it’s impractical to implement a large array of hardware-based timers, an array of network timers can be coordinated using a timer interrupt signal, with all the timers maintained in software. Nevertheless, in many applications hardware timers provide the most trusted solution.
Generally, embedded software has a “main loop” that calls various subroutines, and the watchdog is reset once at the top of the loop. If for any reason the loop fails to execute properly, the watchdog will fire and the device will be reset. A lot of network appliances (especially ones without a graphical user interface) can be made more reliable with a watchdog.
A watchdog timer cannot detect a fault instantaneously. By definition, the watchdog must reach the end of a predetermined time interval before it resets the processor. A minimum possible timeout interval should always be selected.
Watchdogs can be internal to a microcontroller, such as in the MAXQ2000, or external in a standalone IC or embedded as part of a support ASIC. The internal timer saves money, but can be affected by runaway code. External watchdogs have a separate clock source that gives them better reliability, and if properly configured, they cannot be bypassed or disabled by runaway code.
A common advanced timer feature is the “windowed” or “min/max,” which enhances the validation of proper operation by signaling a reset when the watchdog is serviced either too slowly or too quickly. If a signal to clear the counter register arrives while the number in the counter register is below some threshold, the device triggers a system reset. It not only protects against software failure; it can also reset the MPU if the crystal oscillator begins to run the wrong frequency. Another feature disables the watchdog via a logic input (external) or register bit (internal).
Watchdog timers internal to the MCU
By way of example, we will look at the watchdog internal to the MAXQ2000 MCU. If not serviced, this watchdog triggers an interrupt, counts for 512 additional system-clock cycles, and then resets itself.
That interrupt provides a last chance to save debugging information, which can be a useful capability during circuit development and troubleshooting. Instead of saving debugging information, the interrupt could be used to recover from the error and clear the watchdog.
Like other internal watchdogs, the MAXQ2000’s can be disabled via software. That ability is a double-edged sword, because runaway code can disable the watchdog and then continue its rampage.
Some microcontrollers connect their watchdog to an internal oscillator separate from the system clock. Although the clock for the MAXQ2000 watchdog is derived from the system clock, the circuit will switch to a backup RC oscillator in the event of a failure in the main oscillator.
Watchdog timers external to the MCU
Dedicated watchdog-timer ICs offering a wide range of features are available from many manufacturers. Some, like the MAX6752, have the “window” capability. It also lets you adjust the watchdog timeout period and the width of the reset pulse using external capacitors.
Logic input pins on the MAX6369 watchdog can disable the timer and prevent resets. Though it is tempting to connect the logic pins to the microprocessor, doing so risks a compromise in system reliability, because runaway code could accidentally disable the watchdog. Often, the watchdog needs to be disabled during startup, while the microprocessor boots. The MAX6369 provides an extra-long watchdog period after coming out of reset. The normal-duration timeout then returns after the watchdog is serviced for the first time. Some timers provide a debounced and ESD-protected reset-switch input. ■
| Benefits and drawbacks of internal and external watchdog timer methods | |||
| External Watchdog Timer ICs | Internal Watchdog Timers | ||
| Pros | • Cannot be disabled from software accidentally, if properly designed.• Clock source separate from system clock.• Available with min/max watchdog-timeout period.• Reset output can be connected to other ICs in the system needing a reset.• Monitors one or more power-supply rails (the internal brownout circuit found in some µPs is not very accurate).• Timeout period is fully adjustable, using capacitors. | • Cost is essentially zero.• To save debugging information, it can trigger an interrupt before resetting.• Convenient to use.• Sometimes a bidirectional reset pin can be connected to other ICs in the system needing reset.• Can modify timeout when the processor changes from high speed to low speed or sleep mode.• Watchdog timeout period may vary less with temperature. | |
| Cons | • Not free.• Timeout period over temperature can vary substantially.• Requires one microprocessor I/O line.• Timeout must be calculated to match both high-speed and low-speed clock modes, due to µP power-save feature. | • Almost all can be disabled by software (not as reliable). | |
For more on watchdog timers, visit http://electronicproducts-com-develop.go-vip.net/digital.asp.
Advertisement
Learn more about Maxim Integrated
