5 - Peripherals
foreseen event, the program may be fooled and the whole application may fail to work or even
produce harmful actions.
To prevent this, two actions may be taken.
Write better code. Check what happens if a neglected condition arises. Lead the execution to
a recovery routine in such an event. In short, take all precautions to prevent the program from
crashing in any event. This is actually a requirement, not a choice. But still, things may happen
that are totally out of the control of the author of the program, for example an electromagnetic
aggression or a power brownout affecting the product that is controlled by the microcontroller.
Then, the proper working of the microcontroller cannot be guaranteed and the system fails. This is
when the watchdog can play its part.
Methods of detecting processor failure by electronic means are virtually non-existent. A popular
method relies on a timer that acts like an alarm clock. The clock is wound up for a certain
delay. If it has not been rewound before the expiration of this delay, the clock performs a
hardware reset of the microcontroller.
It is up to the program to periodically rewind the clock (the watchdog timer) to indicate that it is
still alive. Actually, it is not a full protection, since some parts of the program may crash while
the part that has been elected to rewind the timer still functions. It is up to the wise
programmer to find the program segment that is very unlikely to still work while some other part
has crashed. Well implemented, this method gives rather good results. Of course, resetting
the program is not a good way to recover from a fault, since the crash may have sent
commands to the external world that are themselves faulty. The watchdog timer is actually a
last-ditch safety device, somewhat like a lifeboat in a shipwreck.
5.4.2 Watchdog Description
The ST7 watchdog timer is controlled by a register that includes two control bits (bits 7 and 6)
and six time-setting bits.
The general control bit, bit 7, starts the watchdog activity if it is set to one. From that time on,
it continues to work, even if one tries to reset it to zero. This is a safety measure that prevents
the program from accidentally stopping it. The presence of this bit corresponds to what is
commercially known as the “software activated watchdog”. This is the only option available for the
72251.
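
A host-side model of the two points above, as an added example that is not from the original text: the rewind is granted only when every task has checked in since the last rewind, and bit 7 stays set once it has been written. The task names, the variable standing in for the watchdog register and the tick model are assumptions; bit 6 is not modelled.

```c
#include <stdint.h>
#include <stdio.h>

#define WDG_ACTIVATE 0x80u  /* bit 7: general control bit, starts the watchdog */
#define WDG_TIME     0x3Fu  /* the six time-setting bits */
#define TASK_SENSOR  0x01u  /* hypothetical tasks that must each prove liveness */
#define TASK_CONTROL 0x02u
#define TASK_COMMS   0x04u
#define ALL_TASKS    (TASK_SENSOR | TASK_CONTROL | TASK_COMMS)

static uint8_t wdg_reg, wdg_count, alive;  /* simulated register, delay, check-ins */

void wdg_power_on(void) { wdg_reg = 0; wdg_count = 0; alive = 0; }
int wdg_is_active(void) { return (wdg_reg & WDG_ACTIVATE) != 0; }

/* Register write: once bit 7 is set, a later write cannot clear it. */
void wdg_write(uint8_t value) {
    wdg_reg = (uint8_t)(value | (wdg_reg & WDG_ACTIVATE));
    wdg_count = value & WDG_TIME;
}

/* One timer tick; returns 1 when the delay has expired (hardware reset). */
int wdg_tick(void) {
    if (!wdg_is_active()) return 0;
    if (wdg_count == 0) return 1;
    wdg_count--;
    return 0;
}

/* Rewind only if every task checked in since the previous rewind. */
int supervisor_rewind(uint8_t delay) {
    if ((alive & ALL_TASKS) != ALL_TASKS) return 0;
    alive = 0;
    wdg_write((uint8_t)(WDG_ACTIVATE | (delay & WDG_TIME)));
    return 1;
}

/* Main-loop passes with `stalled` tasks silent; returns the pass of the reset, or -1. */
int run_passes(int passes, uint8_t stalled, uint8_t delay) {
    wdg_power_on();
    wdg_write((uint8_t)(WDG_ACTIVATE | (delay & WDG_TIME)));
    for (int i = 0; i < passes; i++) {
        alive |= (uint8_t)(ALL_TASKS & ~stalled);
        supervisor_rewind(delay);
        if (wdg_tick()) return i;
    }
    return -1;
}

int main(void) { printf("%d %d\n", run_passes(100, 0, 5), run_passes(100, TASK_COMMS, 5)); return 0; }
```

With one task silent the main loop itself keeps running, yet the rewind is withheld and the reset still fires, which is the case a rewind placed unconditionally in the main loop would miss.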