Essential PCB Design Tips: How to Implement a Watchdog Timer in Your PCB Design
When you work from home there are some perks of the job. You can make your own meals, slot in some laundry over lunch, and drink all the tea you want. I use a stove-top kettle to boil water for my tea, so when I get in the writing zone, I rely on its high pitched whistle to tell me when it’s done.
Except sometimes when I’m careless, I don’t fit the lid on properly. As a result, the kettle remains silent despite the fact that the liquid water inside of it is rapidly becoming a gas. My careless behavior in this scenario only means that I’ll be drinking less tea, in embedded systems, the consequences are much higher if you don’t know how to operate a Watchdog Timer (WDT). When your timer fails to operate, a stalled microcontroller will remain stalled and cause your embedded system remain down. Let’s look at how you can get them to function correctly on the first try so that you can avoid this scenario.
Why Embedded Systems Failed To Recover Despite Having A WDT
The Watchdog Timer is a simple fail-safe feature in electronics that helps to reboot a microcontroller in the event of a hardware or software watchdog crash. The Watchdog Timers are available as a separate integrated circuit (IC) or as a built-in feature within the microcontroller itself. Not using a WDT In embedded systems design is often an unpardonable sin.
The way Watchdog Timers operate is simple. It is programmed to countdown over a set Watchdog timeout interval. Under normal operation, the microcontroller periodically refreshes the countdown timer of the timer to prevent it from expiring. If the microcontroller is unresponsive then it will not refresh the Watchdog Timer. As a result, the when Watchdog Timers expire, it will trigger a pulse or signal to Watchdog Timer reset the microcontroller. This simple feature compensates for design errors or environmental factors that may cause a microcontroller to crash.
Yet, if your WDT fails, then it is unlikely that your embedded system will recover from its erroneous state. This is why it is important to pinpoint the cause of why a Watchdog Timer might fail to reset the microcontroller. The most obvious answer is that the Watchdog Timers are faulty. However, if you repeatedly have embedded systems in multiple units failing to recover, then there could be something up with your designs.
Actually, in my many years of designing and deploying hundreds of microcontroller-based devices, I’ve never encountered a single case of a failed Watchdog Timer. The root cause is often simply human error.
Why a WDT Might Not Operate Properly
For embedded systems using an internal WDT, runaways code can deactivate the Watchdog Timer if the configuration bits are unintentionally overwritten. External Watchdog Timers suffer from entirely different problems. In this case, it is common to have a jumper pin that can disconnect the reset signal from the external Watchdog Timer when firmware engineers are developing and debugging a program. Often these jumper pins need to be manually connected before the units are deployed on site. If they’re not, then the WDT reset signals will remain disconnected fail to reset the microcontroller.
A more common reason why Watchdog Timers fail to function is because of coding errors. If the functions that refresh the WDT timers are placed in the wrong part of the program, they won’t operate when they’re supposed to. Firmware for microcontrollers get complicated when there are multiple tasks with different priorities in a Real Time Operating System (RTOS). Higher priority Watchdog task may continue to execute even when lower priority tasks are in an abnormal infinite loop. If refreshing the Watchdog Timer the highest priority task, then the microcontroller will not be refreshed when it is not functioning correctly.
How To Ensure The WDT Is Functioning Reliably
Ensuring that the WDT does its job involves the firmware developer, system installer, and the hardware watchdog designer. Firmware developers should apply the best practices in programming to avoid code overruns that switch off internal WDT. Firmware developers must have a good understanding of the memory architecture of the microcontroller and how to correctly use memory pointers and allocation in the code.
Besides that, the structure of the program should be drafted out so that the Watchdog Timers are refreshed at appropriate locations in the program. This means that the program will trigger a Watchdog reset if an infinite loop develops at any point in the program. You can also develop a test utility to check the functionality of the WDT on-site. This also eliminates the risk of missing any disconnected jumper pins between an external Watchdog Timer and the microcontroller.
Last but not least, proper PCB design is required to ensure that the Watchdog Timers behave reliably. When designing with external Watchdog Timers, you’ll want to ensure the refresh signal is kept away from other high-speed signals. This is to prevent cross-coupled electrical interference from refreshing the WDT. You can set up precise clearance rule using PCB design software like Altium Designer’s CircuitStudio to ensure the signal integrity of the Watchdog Timer.
Having doubts about your WDT design? Talk to an expert at Altium Designer.