Watchdog monitoring for multi microcontroller - Embedded Systems

Thread Starter

amatuer_rtw

Joined Apr 27, 2015
5
Hi, I am using 3 microcontrollers on a board: main micro, gateway micro and safety micro; the names suggest the associated applications. An internal watchdog exists for all three, but I need to have external supervision so as not to have buggy timer code nullifying the effect of the internal watchdog. Also, to keep the BOM cost low, I can use just 1 external watchdog.

I propose to use the following strategy:
1. Main microcontroller: We plan to have the internal watchdog as well as an external watchdog for this.
2. Safety microcontroller: We plan to have the internal watchdog as well as monitoring over SPI by the main microcontroller.
3. Gateway microcontroller: We plan to have the internal watchdog as well as monitoring over SPI by the main microcontroller.


One issue with this is EMI or noise issues over the line causing SPI corruption and hence a false RESET from the main micro.

Has anybody faced similar challenge? Any suggestions for this?

Many Thanks for your time and help!!!!
 

Papabravo

Joined Feb 24, 2006
21,159
I think the benefits of multiple watchdog timers in the same system might be overrated. I certainly think using an external watchdog as the solution for "buggy timer code" is foolish in the extreme. The correct solution is to debug the timer code. The real purpose of a watchdog timer is to recover from unknown or unanticipated events. There are some guidelines you should follow in implementing them. Foremost among those is don't "kick the dog" in an interrupt routine. Almost as important is choosing an interval for the watchdog so you can guarantee one pass through your main loop before "kicking the dog" is required.

Careful design and layout of your PCB will minimize EMI and noise issues. If you think it is a problem you can always use a lower clock rate, or slow down the fast edges. Both SPI and I2C are versatile and reliable onboard interfaces.
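The two guidelines in the post above can be shown with a small simulation (an added example, not code from the thread). The tick counts, task names and the `simulate` helper are assumptions made for illustration; the watchdog is modelled as a down-counter rather than a real peripheral.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simulated hardware watchdog: counts down once per timer tick and "resets"
 * the MCU at zero. WDT_TIMEOUT_TICKS and LOOP_TICKS are assumed values;
 * the timeout is longer than one main-loop pass. */
enum { WDT_TIMEOUT_TICKS = 5, LOOP_TICKS = 2 };
enum { TASK_SENSORS = 1, TASK_COMMS = 2, TASK_CONTROL = 4, ALL_TASKS = 7 };

typedef struct { int wdt; unsigned checked_in; bool reset; } mcu;

static void wdt_kick(mcu *s) { s->wdt = WDT_TIMEOUT_TICKS; }

/* End of a main-loop pass: kick only if every task completed this pass. */
static void loop_service(mcu *s)
{
    if (s->checked_in == ALL_TASKS) wdt_kick(s);
    s->checked_in = 0;
}

/* Run `ticks` timer ticks; the main loop hangs from tick `hang_at` onward.
 * kick_in_isr selects the discouraged design (kick from the timer ISR).
 * Returns true if the watchdog reset the MCU. */
bool simulate(int ticks, int hang_at, bool kick_in_isr)
{
    mcu s = { WDT_TIMEOUT_TICKS, 0, false };
    for (int t = 0; t < ticks && !s.reset; t++) {
        if (kick_in_isr) wdt_kick(&s);   /* the ISR still fires when main hangs */
        if (t < hang_at && t % LOOP_TICKS == 0) {   /* one healthy loop pass */
            s.checked_in = TASK_SENSORS | TASK_COMMS | TASK_CONTROL;
            if (!kick_in_isr) loop_service(&s);
        }
        if (--s.wdt <= 0) s.reset = true;
    }
    return s.reset;
}

int main(void)
{
    /* Exit code 0 when the hang is caught by the main-loop design. */
    return simulate(100, 10, false) ? 0 : 1;
}
```

With the kick in the ISR, the hung main loop is never detected because the interrupt keeps reloading the timer.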
 

Thread Starter

amatuer_rtw

Joined Apr 27, 2015
5
Hi Papabravo and nsaspook, thanks for your suggestions. Yes, CRC will be part of the SPI frame. The reason for using an external watchdog is that the 'Clock' base can deviate due to auto-correction used for temperature and other factors; for example, the 'Oscillator Calibration factor' is modified using LIN as the source of clock reference (SYNC field). It is very hard to test a huge code base for all possible combinations, and hence safety measures need to be in place so that there is a fail-safe mechanism to recover, and hence the need for an external watchdog. I hope I have been able to make my requirement clear?
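One way the main micro could supervise the other two over SPI without resetting them on a single noise-corrupted frame, as an added example that is not from the thread: the heartbeat carries a CRC and an alive counter, and a reset is requested only after several consecutive bad polls. The 4-byte frame layout, the CRC-8 polynomial, `MAX_BAD_STREAK` and all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed 4-byte heartbeat frame: [node id][alive counter][status][CRC-8]. */
enum { HB_LEN = 4, MAX_BAD_STREAK = 3 };   /* tolerance is an assumed value */

typedef enum { HB_OK, HB_CORRUPT, HB_STALE } hb_result;
typedef struct { uint8_t last_counter; uint8_t bad_streak; bool seen; } node_monitor;

/* CRC-8, polynomial 0x07, initial value 0 (chosen for the example). */
uint8_t crc8(const uint8_t *d, size_t n)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

/* Monitored node: build a frame (also used to construct sample input). */
void hb_build(uint8_t f[HB_LEN], uint8_t id, uint8_t counter, uint8_t status)
{
    f[0] = id; f[1] = counter; f[2] = status;
    f[3] = crc8(f, HB_LEN - 1);
}

/* Main micro: classify one received frame without touching the streak. */
hb_result hb_check(node_monitor *m, const uint8_t f[HB_LEN])
{
    if (crc8(f, HB_LEN - 1) != f[HB_LEN - 1]) return HB_CORRUPT; /* line noise */
    if (m->seen && f[1] == m->last_counter)   return HB_STALE;   /* counter stuck */
    m->last_counter = f[1];
    m->seen = true;
    return HB_OK;
}

/* Returns true only when the node should be reset: MAX_BAD_STREAK
 * consecutive bad polls. A single corrupted frame is absorbed. */
bool hb_poll(node_monitor *m, const uint8_t f[HB_LEN])
{
    if (hb_check(m, f) == HB_OK) { m->bad_streak = 0; return false; }
    if (m->bad_streak < MAX_BAD_STREAK) m->bad_streak++;
    return m->bad_streak >= MAX_BAD_STREAK;
}
```

The streak limit trades detection latency against noise immunity, so the poll period times `MAX_BAD_STREAK` has to stay inside the system's fault-reaction time.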
 

nsaspook

Joined Aug 27, 2009
13,085
What you describe is not really a 'watchdog', it's more of a process monitor/bounds interlock.
 

Thread Starter

amatuer_rtw

Joined Apr 27, 2015
5
I made a mistake in my description. It's not exactly an external watchdog, but a watchdog in the same silicon with a dedicated clock only for this purpose. The system clock derives its clock from a separate clock source. This ensures that the clock is not tampered with and hence is a reliable clock source for the watchdog. Sorry for the trouble.
 

Thread Starter

amatuer_rtw

Joined Apr 27, 2015
5
Hi, when you asked specifically, it rang a bell and I immediately checked the TOS.

Restricted topics. The following topics are regularly raised however are considered "off-topic" at all times and will result in Your thread being closed without question:
  • Any kind of over-unity devices and systems
  • Automotive modifications
  • Devices designed to electrocute or shock another person
  • LEDs to mains
  • Phone jammers
  • Rail guns and high-energy projectile devices
  • Transformer-less power supplies

Well, though the application is for Automotive, it definitely is not 'Automotive modification', but I guess this is a gray area and will leave it to the members to decide if the concept can be discussed or close this thread.
 

Papabravo

Joined Feb 24, 2006
21,159
I agree that this might be a gray area. If you are working for an auto company or auto supplier there is a presumption of risk on their part. Since the subject of watchdog timers is of general interest and not specifically related to vehicles, it might be worthy of an exception. There was the recent case of the Onan generator that used a distributor with points. It sounded like automotive, but it wasn't. The problem is, this is not a democracy and my vote doesn't count.
 