A watchdog timer and reset control circuit has been designed for use with a microprocessor or microcontroller (hereafter "microcontroller" for short) that would otherwise lack the protection afforded by such a circuit. The circuit also has a register to remember the cause of a reset.

A watchdog timer is a safety feature that prevents runaway software; when it times out, it stops a microcontroller from executing meaningless code, a situation that arises from an electrical or programming error. More specifically, if the software is not being executed properly, it fails to clear the watchdog timer; if the watchdog timer is not cleared for a specified interval, the watchdog timer causes the microcontroller to reboot and execute software from a known place.

This Watchdog Timer and Reset Control Circuit includes a register that the microcontroller can read to determine the cause of a reset. The durations of reset pulses are precise because these pulses are generated by digital circuitry, in contradistinction to analog circuitry, which generates pulses with imprecise durations.

The circuit (see figure) is implemented mostly as a field-programmable gate array. In operation, the FPGA receives signals from the microcontroller and from address-decoding logic circuitry. The outputs of the FPGA are fed to the microcontroller and to a data bus. For simplicity, in the figure, all signals are represented in positive logic. Inasmuch as microcontroller input signals (e.g., the master reset input signal) are often asserted negatively, inverters can be added as needed, within or without the FPGA.

The watchdog timer consists of a ripple counter and enabling circuitry. The enabling circuitry makes it possible for software to decide when to put the watchdog timer into operation. The software can enable and disable the watchdog timer by writing to the "enable" and "disable" memory addresses. At bootup and master reset of the system that includes the microprocessor and all associated circuits, the watchdog is disabled; that is, periodic software writes to the "clear" memory address are not necessary to prevent reboot.

The interval between "clears" to keep the enabled timer from expiring is set by the clock frequency and the number of flip-flops in the ripple counter. For example, if the clock frequency is 12 MHz and 24 flip-flops are strung together in the watchdog timer, then the software must cause the microcontroller to write to the "clear" memory address at intervals of no more than (2^24 - 1)/(12 MHz) = 699 ms, or else the watchdog timer will expire.

When the watchdog timer expires, the reset control circuitry generates a pulse that becomes the master reset pulse. The pulse generator should be designed so that the duration of the pulse satisfies the reset-pulse-duration requirements of the microcontroller and all other circuits in the system. The master reset pulse also resets and disables the watchdog timer.

Other pulse generators in the FPGA create a master reset pulse for reasons other than watchdog timer expiration: A master reset pulse can be caused by software writing to a reset address or by a push on a reset button on test equipment. In addition, when power for the system is first turned on, the subcircuit comprising the resistor, capacitor, and inverter depicted at the lower left corner of the illustration generates a pulse that becomes the master reset pulse.

The circuit includes a register that records status bits. The microcontroller can read the status bits to determine the cause of a master reset. All the status bits are cleared when software writes to a "clear status bits" address. All status bits except the power-on-reset status bit are cleared by a power-on reset.
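The behavior described above can be checked against a small software model of the circuit. The following C sketch is an added example, not part of the original brief or the FPGA design: the register offsets, status-bit positions, and function names are hypothetical, and it assumes that the counter holds its value while disabled and that the timer expires on the clock cycle after the counter reaches its highest count.

```c
#include <stdint.h>

#define WD_BITS  24u                      /* flip-flops in the ripple counter (the brief's example) */
#define WD_LIMIT ((1u << WD_BITS) - 1u)   /* highest count the counter can hold */

/* Hypothetical register offsets and status-bit positions: the brief names
   these addresses and bits but gives no values for them. */
enum wd_addr  { WD_ENABLE, WD_DISABLE, WD_CLEAR, WD_SOFT_RESET, WD_CLEAR_STATUS };
enum wd_cause { ST_POWER_ON = 1u << 0, ST_WATCHDOG = 1u << 1,
                ST_SOFTWARE = 1u << 2, ST_BUTTON   = 1u << 3 };

struct wd { uint32_t count; int enabled; uint8_t status; unsigned resets; };

/* Master reset: latch the cause, then reset and disable the watchdog. */
static void wd_master_reset(struct wd *w, uint8_t cause) {
    if (cause == ST_POWER_ON) w->status = 0;  /* power-on clears the other bits */
    w->status |= cause;
    w->count = 0;
    w->enabled = 0;
    w->resets++;
}

void wd_power_on(struct wd *w) { w->resets = 0; wd_master_reset(w, ST_POWER_ON); }
void wd_button(struct wd *w)   { wd_master_reset(w, ST_BUTTON); }

/* A microcontroller write that the address decoder routes to the circuit. */
void wd_write(struct wd *w, enum wd_addr a) {
    switch (a) {
    case WD_ENABLE:       w->enabled = 1; break;
    case WD_DISABLE:      w->enabled = 0; break;
    case WD_CLEAR:        w->count = 0; break;
    case WD_SOFT_RESET:   wd_master_reset(w, ST_SOFTWARE); break;
    case WD_CLEAR_STATUS: w->status = 0; break;
    }
}

/* Advance the model by n clock cycles. Assumptions: the counter holds while
   disabled, and the timer expires on the cycle after it reaches WD_LIMIT. */
void wd_clock(struct wd *w, uint32_t n) {
    if (!w->enabled) return;
    if (n > WD_LIMIT - w->count) wd_master_reset(w, ST_WATCHDOG);
    else w->count += n;
}

/* What boot code reads to learn why the last master reset occurred. */
uint8_t wd_read_status(const struct wd *w) { return w->status; }
```

Boot code that reads the status register and then writes to the "clear status bits" address sees only the causes latched since the previous boot, which is what makes the register useful for logging unexpected watchdog resets.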

This work was done by Kenneth W. Wagner of Goddard Space Flight Center. No further documentation is available. GSC-13925