Page 100 - Embedded Microprocessor Systems Real World Design
controls the rudder on a passenger jet, the results can be disastrous. To prevent
this scenario, many embedded systems use a watchdog timer (WDT). The WDT is
a circuit that must be triggered by the microprocessor on a regular basis. If that
does not happen, the WDT resets the microprocessor. In most cases, if motors or
other potentially dangerous equipment are connected, these are turned off at the
same time.
The simplest WDT is a retriggerable monostable multivibrator, or one-shot. This
flip-flop is latched by a trigger and stays in the latched state until some time has
elapsed (determined by external timing components); the output then goes inactive.
As long as the trigger keeps occurring before the circuit times out, the output
stays active.
While many designers still design their own WDT circuits, several manufacturers
make ICs that contain a WDT circuit. These parts also frequently contain other
logic, such as power-on resets. Maxim, for example, makes a number of these parts.
Many WDT circuits include circuitry that will generate a reset on power-up or if the
logic voltage goes too low.
Watchdog timers are straightforward to use. The time constant is usually around
0.5 to 2 seconds. The WDT can be triggered by a port pin or a write to a particular
address. The time constant can be a resistor-capacitor combination (on ordinary
one-shots) or a digital delay from a constant clock.
One danger in using a WDT involves making sure the processor is actually
running correctly. For example, a software bug may leave the processor executing
a very tight loop, doing nothing but still servicing interrupts. If the WDT trigger is
put in an interrupt routine, it does not generate a reset even though the processor
essentially is locked up. If the WDT trigger is put in the polling loop, a software
bug could disable interrupts, but the processor continues to go through the polling
loop and still there is no WDT timeout.
In systems where safety or reliability concerns make it essential that the WDT
reset the system any time a fault occurs, a more sophisticated WDT is needed. One
method to make sure that both interrupts and the polling loop are running is to
have one process set a flag location in memory each time that it executes (say, each
time the interrupt occurs). The other routine (in our case, the polling loop) does
not trigger the WDT unless the flag is set. Each time it does trigger the WDT, it resets
the flag.
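
The flag handshake described above, as an added example that is not from the book: a host-side C simulation in which the timer interrupt sets a flag and the polling loop triggers the WDT only when that flag is set, compared against triggering from the interrupt alone or from the loop alone. The tick counts, the fault starting at tick 20, and all function names are assumptions made for the simulation.

```c
#include <stdbool.h>
#include <stdio.h>

#define WDT_TIMEOUT_TICKS 10  /* constructed value standing in for the 0.5-2 s timeout */
enum kick_site { KICK_IN_ISR, KICK_IN_LOOP, KICK_IN_LOOP_IF_FLAG };

static volatile bool isr_alive;  /* set by the ISR, cleared by the polling loop */
static int wdt_count;            /* simulated hardware countdown */

static void wdt_kick(void) { wdt_count = WDT_TIMEOUT_TICKS; }

static void timer_isr(enum kick_site site)
{
    isr_alive = true;                  /* proof that interrupts are still serviced */
    if (site == KICK_IN_ISR) wdt_kick();
}

static void poll_once(enum kick_site site)
{
    if (site == KICK_IN_LOOP) wdt_kick();
    if (site == KICK_IN_LOOP_IF_FLAG && isr_alive) {
        isr_alive = false;             /* ISR must set it again before the next kick */
        wdt_kick();
    }
}

/* Run `ticks` time steps; the selected fault (if any) begins at tick 20.
 * Returns true if the simulated WDT expired, i.e. the system was reset. */
bool wdt_resets(enum kick_site site, bool irq_dies, bool loop_hangs, int ticks)
{
    isr_alive = false;
    wdt_kick();
    for (int t = 0; t < ticks; t++) {
        bool faulted = t >= 20;
        if (!(faulted && irq_dies))   timer_isr(site);   /* interrupts disabled by a bug */
        if (!(faulted && loop_hangs)) poll_once(site);   /* main code stuck in a tight loop */
        if (--wdt_count <= 0) return true;
    }
    return false;
}

int main(void)
{
    printf("ISR kick, loop hung:      reset=%d\n", wdt_resets(KICK_IN_ISR, false, true, 100));
    printf("loop kick, IRQs disabled: reset=%d\n", wdt_resets(KICK_IN_LOOP, true, false, 100));
    printf("flag scheme, loop hung:   reset=%d\n", wdt_resets(KICK_IN_LOOP_IF_FLAG, false, true, 100));
    printf("flag scheme, IRQs off:    reset=%d\n", wdt_resets(KICK_IN_LOOP_IF_FLAG, true, false, 100));
    return 0;
}
```

The first two cases never reset, which is the undetected lockup the text warns about; the flag scheme resets in both.
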
In systems where even this is not enough, a more sophisticated WDT can be
designed in which each key process must write a particular value to the hardware
before the WDT will trigger.
Some microcontrollers, such as the PIC17Cxx series, have a built-in WDT. On
some other processors, you can wire a timer to generate a reset when it times out.
The processor, instead of toggling a port or an I/O strobe, resets the timer count
periodically.