associated modules) integrate an internal watchdog timer to prevent code
execution errors. The watchdog timer uses the high precision crystal oscillator that
is also used by the microcontroller. This eliminates the need for an RC oscillator
while providing greater accuracy.
interference (EMI), and electrostatic discharge (ESD) are abundant. Program corruption caused by bus
corruption and electromagnetic discharges can cause a microprocessor to execute erroneous
instructions. In these environments, a watchdog timer is a useful peripheral that can help catch and
reset a microcontroller that has gone "out of control."
interval of time. In a properly operating system, software will periodically "pet" or restart the watchdog
timer. After being restarted, the watchdog will begin timing another predetermined interval. When
software or the device is not functioning correctly, software will not restart the watchdog timer before it
times out. When the watchdog timer times out, it will cause a reset of the microcontroller. If the system
software has been designed correctly and there has been no hardware failure, the reset will cause the
system to operate properly again. The reset condition must be a "safe" state. For instance, it would not
be wise to have the reset state of a magnetic stripe card reader enabling the write head.
eliminates the need for external components by incorporating an internal watchdog timer. By moving the
watchdog timer inside the microcontroller, the number of devices in the system is reduced, increasing
the overall system reliability. The watchdog timer can take advantage of the high-precision crystal
oscillator used by the microcontroller, rather than the imprecise RC oscillator used by most independent
watchdog timers. The operation of the watchdog timer is independent of the microcontroller, unless
specifically addressed via the Timed Access procedure. The possibility of an out-of-control
microcontroller accidentally disabling the watchdog timer is less than 1 in 7.2 X 10
control" microprocessor. When program execution goes awry, it will not properly execute the code that
In a properly designed system, the reset will correct the error.
corrected by a reset. For instance, a watchdog timer cannot prevent or detect the corruption of data
memory. Unless corruption of data affects program flow, or some extra measures are taken, data
corruption will not cause a watchdog timeout. Of course, self-diagnostic software can be written in such
a way as to make restarting the watchdog contingent on verification of data memory. While many
applications implement such a data verification scheme, it is beyond the scope of this document.
watchdog timer must reach the end of its timeout interval before it resets the processor. The system
designer should be aware of the maximum time interval that can occur between the execution of a bad
instruction and the watchdog timer reset.
interval is fixed at 122,800 machine cycles (1,473,600 external clock cycles). When the timeout is
reached, a reset will occur. Table 1 shows the reset time intervals associated with different crystal
software. The most desirable approach is to have a single location within the main loop of the system
software that restarts the watchdog timer periodically. The time required to pass through the main
program loop must be less than the timeout interval or the device will reset itself during normal
operation. In some systems, however, the program flow is not linear enough to allow the placement of a
single watchdog timer reset function. In that case, multiple reset functions should be placed in the code,
corresponding to the longest software paths.
set whenever this occurs, and software can test it early in the reset sequence to determine whether a
system fault has occurred. If so, the system may decide to go into a "safe" mode and alert the user to an
error condition.
illustrates the Timed Access feature, which prevents the accidental modification of the watchdog control
bits. A Timed Access operation is a sequence of steps that must be executed together, in sequence;
otherwise, the access fails. The example program shows the timed access being used for restarting the
watchdog and enabling its reset. Further details on Timed Access operation may be found in the Secure
Microcontroller User's Guide. The watchdog timer bits that are protected by the Timed Access
procedure are the Enable Watchdog Timer Reset (EWT; PCON.2) and Restart Watchdog
;Watchdog timer initialization sequence
MOV TA, #0AAh ;Next enable the Watchdog timer reset
INC P1 ;Increment counter.
timeout period is determined, the system software must be analyzed to determine where to locate the
watchdog restart instructions. For an effective design, the number of watchdog restarts should be kept to
a minimum, and some consideration should be given to the likelihood of incorrectly executing a restart.
As mentioned previously, some system software is too convoluted or data-dependent to ensure that all
software flow paths are covered by a watchdog restart. This may dictate a self-diagnostic software
approach. If there is an expected failure mechanism such as a periodic EMI burst or
power supply glitch, the watchdog timeout should be chosen with this period in mind.
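
The self-diagnostic approach mentioned above, and the earlier remark that a watchdog restart can be made contingent on verification of data memory, can be sketched in C as follows. This is an added example, not code from the original application note: wdt_restart_hw() is a hypothetical stand-in for the Timed Access restart sequence, and the task flags, the guarded structure and the CRC choice are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical stand-in for the hardware restart (on the real part this is
   the Timed Access sequence followed by setting the restart bit). */
static unsigned hw_restarts;
static void wdt_restart_hw(void) { hw_restarts++; }

/* Critical data guarded by a CRC stored alongside it (constructed layout). */
struct guarded { uint8_t data[8]; uint16_t crc; };

/* CRC-16/CCITT-FALSE, bitwise: polynomial 0x1021, initial value 0xFFFF. */
static uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Legitimate writers re-seal the block after every intended change. */
static void guarded_seal(struct guarded *g) { g->crc = crc16(g->data, sizeof g->data); }
#define TASK_SENSOR 0x01u             /* hypothetical task names */
#define TASK_COMMS  0x02u
#define TASK_ALL    (TASK_SENSOR | TASK_COMMS)
static uint8_t checkins;              /* one bit set by each task as it completes */
static void task_checkin(uint8_t t) { checkins |= t; }

/* The single restart site in the main loop. Returns 1 if the watchdog was
   restarted, 0 if the restart was withheld so the timeout resets the device. */
static int wdt_service(const struct guarded *g) {
    int ok = (checkins == TASK_ALL) &&
             (crc16(g->data, sizeof g->data) == g->crc);
    checkins = 0;                     /* every pass must earn its own restart */
    if (ok) wdt_restart_hw();
    return ok;
}

int main(void) {
    struct guarded g = {{1, 2, 3, 4, 5, 6, 7, 8}, 0};   /* constructed sample data */
    guarded_seal(&g);
    task_checkin(TASK_SENSOR); task_checkin(TASK_COMMS);
    int healthy = wdt_service(&g);    /* all tasks ran, data intact: restarted */
    g.data[3] ^= 0x40;                /* simulated corruption of data memory */
    task_checkin(TASK_SENSOR); task_checkin(TASK_COMMS);
    int corrupt = wdt_service(&g);    /* CRC mismatch: restart withheld */
    return (healthy == 1 && corrupt == 0) ? 0 : 1;
}
```

Because the restart is withheld rather than an error being handled in software, the recovery path is the same watchdog reset used for runaway code, so the reset state still has to be the "safe" state described earlier.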