How to design a watchdog circuit?

2025-10-29 11:51:51

Designing a watchdog circuit is a crucial skill for creating reliable embedded systems. A watchdog is essentially a self-reset mechanism that detects when the software has hung and forces a microcontroller (MCU) restart.

There are two main approaches: using an internal watchdog timer (WDT) or an external watchdog circuit. I'll cover both in detail.

Method 1: Using an Internal Watchdog Timer (Common & Simple)

Most modern microcontrollers (like STM32, RP2040, AVR, ESP32) have a Watchdog Timer (WDT) peripheral built-in.

How it Works:

  1. A dedicated hardware counter starts counting down from a predefined value.

  2. If the counter reaches zero, it triggers a microcontroller reset.

  3. The running software must periodically "feed" (or "kick" or "pet") the watchdog by resetting the counter before it times out.

  4. If the software gets stuck in an infinite loop, crashes, or is blocked by a fault, it fails to feed the watchdog.

  5. The watchdog times out and resets the MCU, restoring system operation.

Design Steps:

  1. Initialization: At the start of your main() function, initialize the watchdog timer. You will configure its timeout period (e.g., 1 second, 2 seconds).
    Example (Pseudocode):

    ```c
    // wdt_init() and wdt_feed() are placeholders for your MCU's watchdog API
    int main(void) {
      wdt_init(TIMEOUT_2S); // Initialize the WDT with a 2-second timeout
      // ... other init code
      // ... main loop (see step 2)
    }
    ```

  2. The Main Loop: Place the "feed" command inside your main loop. This proves the main loop is running.
    Example (Pseudocode):

    ```c
    while (1) {
      wdt_feed(); // "Pet" the dog once per loop cycle
      read_sensors();
      control_actuators();
      // ... other tasks
    }
    ```

  3. Critical Sections: If you have long-running but valid operations (e.g., a complex calculation or a delay), you may need to feed the watchdog during that operation.
    Example (Pseudocode):

    ```c
    void long_calculation(void) {
      for (int i = 0; i < BIG_NUMBER; i++) {
        // ... do math ...
        if (i % 1000 == 0) {
          wdt_feed(); // Feed the dog periodically during a long task
        }
      }
    }
    ```

Advantages:

  • Simple: Requires no external components.

  • Cost-effective: Free to use.

  • Integrated: Well-documented in the MCU's datasheet.

Disadvantages:

  • Common Point of Failure: If the MCU is severely compromised (e.g., a clock failure, a software bug that disables the WDT, or code that runs amok but still accidentally feeds the WDT), the internal watchdog can fail.

  • Limited Scope: It can only reset the MCU. It cannot monitor other parts of the system or handle a complete MCU power failure.


Method 2: Designing an External Watchdog Circuit (More Robust)

An external watchdog uses a separate IC or circuit to monitor the MCU. This is more robust because it's independent of the MCU's internal state.

Basic Design using a Timer IC (555 Timer)

A classic and simple external watchdog can be built with a 555 timer (NE555) in monostable mode.

Schematic Concept:

```text
MCU GPIO Pin ---|R|---> TRIGGER (555 Pin 2)
               ---
               | |
               ---
                |
               GND

RESET (555 Pin 3) ----> MCU RESET Pin (Active Low)
```

  • C and R set the timeout period (T ≈ 1.1 * R * C).

How it Works:

  1. The MCU must regularly send a "heartbeat" pulse (toggle a GPIO pin from HIGH to LOW) before the 555's timeout period elapses.

  2. This pulse triggers the 555, resetting its internal timer and holding its output (RESET) HIGH.

  3. If the heartbeat stops (MCU is stuck), the 555 timer completes its cycle, and the output pin goes LOW.

  4. This LOW signal is connected to the MCU's active-low reset pin, forcing a hardware reset.

Advanced Design using a Dedicated Supervisor IC

For professional products, a dedicated voltage supervisor / watchdog IC (like the TI TPS382x, MAX6316, or ADM811) is the best choice. These chips are designed specifically for this purpose and are very reliable.

Schematic Concept:

```text
MCU GPIO Pin --------> WDI (Watchdog Input) of Supervisor IC
Supervisor IC WDO ----> MCU RESET Pin
Supervisor IC Vcc ----> MCU Vcc
```

How it Works:

  1. The supervisor IC has a watchdog input (WDI) pin.

  2. The MCU must toggle this pin (or pulse it) within a specific time window.

  3. If the toggling stops, the supervisor's output (WDO) goes active, resetting the MCU.

  4. Bonus: These ICs almost always include a Power-On Reset (POR) and Brown-Out Detection (BOD) function, which resets the MCU if the supply voltage sags, providing a complete system monitoring solution.


Key Design Considerations & Best Practices

  1. Timeout Period:

    • Choose a period long enough to allow your main loop to complete at least one cycle under normal load, plus a safety margin.

    • Too short: May cause nuisance resets during temporary high-load events.

    • Too long: The system remains unresponsive for too long after a fault. A good starting point is 1-2 seconds.

  2. Feeding Strategy:

    • Where to feed? The best place is typically at the end or beginning of the main loop. This proves the central control cycle is healthy.

    • What about interrupts? Be cautious! Feeding the dog inside a high-frequency interrupt service routine (ISR) is a classic anti-pattern. Your main loop could be dead, but the WDT would still be fed by the timer ISR, completely defeating its purpose.

  3. Recovery Logic:

    • At startup, check the reset reason (many MCUs have a register for this). If the reset was caused by the watchdog, it indicates a previous software crash. You can log this event, increment a counter in non-volatile memory, or even implement a "safe mode" if crashes persist.

  4. Testing:

    • You must test your watchdog! Introduce a software fault on purpose (e.g., add a "fault injection" command that jumps to an infinite loop). Verify that the system recovers automatically after the watchdog timeout.
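
The feeding-strategy and testing points above, as a host-side simulation (an added example, not code from the original article). It injects the same main-loop hang twice and shows that the watchdog resets the MCU when the feed sits in the main loop, but never fires when a timer ISR does the feeding. The 1 ms tick, the 100 ms loop period and all names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed simulation: a 1 ms tick drives a WDT down-counter,
 * a periodic timer ISR and a main loop that can be made to hang. */
enum feed_site { FEED_IN_MAIN_LOOP, FEED_IN_TIMER_ISR };

#define WDT_TIMEOUT_MS 2000   /* 2 s timeout, as in the article's example */
#define LOOP_PERIOD_MS 100    /* assumed main-loop cycle time */

/* Returns the time (ms) at which the WDT reset fires, or -1 if it never
 * fires within run_ms. hang_at_ms < 0 means no fault is injected. */
int sim_run(enum feed_site site, int hang_at_ms, int run_ms)
{
    int wdt = WDT_TIMEOUT_MS;
    bool main_hung = false;

    for (int t = 1; t <= run_ms; t++) {
        if (hang_at_ms >= 0 && t >= hang_at_ms)
            main_hung = true;            /* injected fault: while (1); */

        if (--wdt == 0)
            return t;                    /* counter expired: MCU reset */

        /* The timer ISR keeps running even when main() is stuck. */
        if (site == FEED_IN_TIMER_ISR)
            wdt = WDT_TIMEOUT_MS;

        /* A healthy main loop finishes one cycle every LOOP_PERIOD_MS. */
        if (site == FEED_IN_MAIN_LOOP && !main_hung && t % LOOP_PERIOD_MS == 0)
            wdt = WDT_TIMEOUT_MS;
    }
    return -1;
}

int main(void)
{
    printf("healthy, main-loop feed: %d\n", sim_run(FEED_IN_MAIN_LOOP, -1, 10000));
    printf("hang,    main-loop feed: %d\n", sim_run(FEED_IN_MAIN_LOOP, 3050, 10000));
    printf("hang,    ISR feed      : %d\n", sim_run(FEED_IN_TIMER_ISR, 3050, 10000));
    return 0;
}
```

A result of -1 in the ISR case means the hang injected at 3050 ms is never detected; with the main-loop feed the reset fires one full timeout after the last successful feed.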
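
One way to implement the recovery logic from point 3, as an added example that is not part of the original article: the boot code counts consecutive watchdog resets in non-volatile state and switches to a safe mode when crashes persist. The reset-cause enum, the nv_state structure and the threshold of three are hypothetical; real reset-cause flags and non-volatile storage are MCU-specific.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names: map these to your MCU's reset-cause register
 * and to whatever non-volatile storage the product has. */
enum reset_cause { RESET_POWER_ON, RESET_EXTERNAL_PIN, RESET_WATCHDOG };
enum boot_mode   { BOOT_NORMAL, BOOT_SAFE_MODE };

#define SAFE_MODE_THRESHOLD 3      /* assumed: 3 watchdog resets in a row */

struct nv_state {                  /* stand-in for EEPROM/flash/backup RAM */
    uint8_t  consecutive_wdt_resets;
    uint32_t total_wdt_resets;     /* lifetime count for field diagnostics */
};

/* Call once at startup, before the watchdog is armed. */
enum boot_mode boot_decide(struct nv_state *nv, enum reset_cause cause)
{
    if (cause == RESET_WATCHDOG) {
        nv->total_wdt_resets++;
        if (nv->consecutive_wdt_resets < UINT8_MAX)  /* saturate, never wrap */
            nv->consecutive_wdt_resets++;
    } else {
        nv->consecutive_wdt_resets = 0;  /* any other reset ends the streak */
    }
    return nv->consecutive_wdt_resets >= SAFE_MODE_THRESHOLD
               ? BOOT_SAFE_MODE : BOOT_NORMAL;
}

/* Replays a sequence of boots against fresh state; returns the last mode. */
enum boot_mode replay(const enum reset_cause *seq, int n)
{
    struct nv_state nv = {0};
    enum boot_mode mode = BOOT_NORMAL;
    for (int i = 0; i < n; i++)
        mode = boot_decide(&nv, seq[i]);
    return mode;
}

int main(void)
{
    const enum reset_cause seq[] = {RESET_WATCHDOG, RESET_WATCHDOG, RESET_WATCHDOG};
    printf("mode after 3 watchdog resets: %d\n", replay(seq, 3));
    return 0;
}
```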

Summary: Which Method to Choose?

 
 
| Scenario | Recommended Method |
|---|---|
| Hobby Project, Benign Environment | Internal Watchdog. It's simple, free, and "good enough" for most non-critical applications. |
| Commercial Product, Industrial Control, Safety-Critical System | External Watchdog IC. The added cost is justified by the significantly improved reliability and independence from the MCU's internal state. |
| Monitoring External Processes | External Circuit. If you need to monitor something other than the MCU itself (e.g., a separate Linux computer), an external watchdog is the only choice. |

Final Recommendation: For any serious project, use the internal watchdog as a minimum. For robust, commercial-grade reliability, combine the internal watchdog with an external watchdog/supervisor IC. This provides a robust, multi-layered defense against system hangs.

Harendra Kumar
Harendra Kumar holds a Ph.D. in Electrical Engineering with a specialization in power electronics. His academic expertise and years of experience allow him to break down complex concepts into clear, actionable information for his audience. Through his work, he aims to bridge the gap between advanced technology and its real-world applications. Harendra is an accomplished writer who specializes in creating high-quality, long-form technical articles on power electronics for B2B electronics platforms. His content combines deep technical knowledge with practical insights, making it a valuable resource for professionals in the electronics industry.