Watchdog timer

Last updated January 24, 2025

A watchdog timer (WDT, or simply a watchdog), sometimes called a computer operating properly timer (COP timer),^[1] is an electronic or software timer that is used to detect and recover from computer malfunctions. Watchdog timers are widely used in computers to facilitate automatic correction of temporary hardware faults, and to prevent errant or malevolent software from disrupting system operation.

During normal operation, the computer regularly restarts the watchdog timer to prevent it from elapsing, or "timing out". If, due to a hardware fault or program error, the computer fails to restart the watchdog, the timer will elapse and generate a timeout signal. The timeout signal is used to initiate corrective actions. The corrective actions typically include placing the computer and associated hardware in a safe state and invoking a computer reboot.

Microcontrollers often include an integrated, on-chip watchdog. In other computers the watchdog may reside in a nearby chip that connects directly to the CPU, or it may be located on an external expansion card in the computer's chassis.

Applications

Watchdog timers are commonly found in embedded systems and other computer-controlled equipment where humans cannot easily access the equipment or would be unable to react to faults in a timely manner. In such systems, the computer cannot depend on a human to invoke a reboot if it hangs; it must be self-reliant. For example, remote embedded systems such as space probes are not physically accessible to human operators; these could become permanently disabled if they were unable to autonomously recover from faults. In robots and other automated machines, a fault in the control computer could cause equipment damage or injuries before a human could react, even if the computer is easily accessed. A watchdog timer is usually employed in cases like these.

Watchdog timers are also used to monitor and limit software execution time on a normally functioning computer. For example, a watchdog timer may be used when running untrusted code in a sandbox, to limit the CPU time available to the code and thus prevent some types of denial-of-service attacks.^[2] In real-time operating systems, a watchdog timer may be used to monitor a time-critical task to ensure it completes within its maximum allotted time and, if it fails to do so, to terminate the task and report the failure.

Architecture and operation

Restarting

Some watchdog timers only allow kicks during a time window. Kicks occurring outside the window have no effect on the timer and may be treated as faults. WatchdogWindow.png — Some watchdog timers only allow kicks during a time window. Kicks occurring outside the window have no effect on the timer and may be treated as faults.

The act of restarting a watchdog timer is commonly referred to as kicking^[a] the watchdog.^[3]^[4] In electronic watchdogs, kicking is typically done by writing to a watchdog control port or by setting a particular bit in a register. Alternatively, some tightly coupled^[b] watchdog timers are kicked by executing a special machine language instruction. An example of this is the CLRWDT (clear watchdog timer) instruction found in the instruction set of some PIC microcontrollers.

In computers that are running operating systems, electronic watchdog restarts are usually invoked through a device driver. For example, in the Linux operating system, a user space program will kick the watchdog by interacting with the watchdog device driver, typically by writing a zero character to /dev/watchdog or by calling a KEEPALIVE ioctl.^[5] The device driver, which serves to abstract the watchdog hardware from user space programs, may also be used to configure the time-out period and start and stop the timer.

Some watchdog timers will only allow kicks during a specific time window. The window timing is usually relative to the previous kick or, if the watchdog has not yet been kicked, to the moment the watchdog was enabled. The window begins after a delay following the previous kick, and ends after a further delay. If the computer attempts to kick the watchdog before or after the window, the watchdog will not be restarted, and in some implementations this will be treated as a fault and trigger corrective action.

Enabling

A watchdog timer is said to be enabled when operating and disabled when idle. Upon power-up, a watchdog may be unconditionally enabled or it may be initially disabled and require an external signal to enable it. In the latter case, the enabling signal may be automatically generated by hardware or it may be generated under software control.

Unconditionally enabled watchdog
Watchdog with enable input signal

When automatically generated, the enabling signal is typically derived from the computer reset signal. In some systems the reset signal is directly used to enable the watchdog. In others, the reset signal is delayed so that the watchdog will become enabled at some later time following the reset. This delay allows time for the computer to boot before the watchdog is enabled. Without this delay, the watchdog would timeout and invoke a subsequent reset before the computer can run its application software — the software which kicks the watchdog — and the system would become stuck in an endless cycle of incomplete reboots.

Single-stage watchdog

Watchdog timers come in many configurations, and many allow their configurations to be altered. For example, the watchdog and CPU may share a common clock signal as shown in the block diagram below, or they may have independent clock signals or in some cases the watchdog may have no clock signal at all. A basic watchdog timer has a single timer which, upon timeout, typically will reset the CPU:

Multistage watchdog

Two or more timers are sometimes cascaded to form a multistage watchdog timer, where each timer is referred to as a timer stage, or simply a stage. For example, the block diagram below shows a three-stage watchdog. Depending on the design, this may be implemented with multiple timers, or by emulating multiple timers with a single timer and additional logic.

In a multistage watchdog, only the first stage is kicked by the processor. Upon first stage timeout, a corrective action is initiated and the next stage in the cascade is started. As each subsequent stage times out, it triggers a corrective action and starts the next stage. Upon final stage timeout, a corrective action is initiated, but no other stage is started because the end of the cascade has been reached. Typically, single-stage watchdog timers are used to simply restart the computer, whereas multistage watchdog timers will sequentially trigger a series of corrective actions, with the final stage triggering a computer restart.^[4]

Time intervals

Watchdog timers may have either fixed or programmable time intervals. Some watchdog timers allow the time interval to be programmed by selecting from among a few selectable, discrete values. In others, the interval can be programmed to arbitrary values. Typically, watchdog time intervals range from ten milliseconds to a minute or more. In a multistage watchdog, each timer may have its own, unique time interval.

Corrective actions

A watchdog timer may initiate any of several types of corrective action, including maskable interrupt, non-maskable interrupt, hardware reset, fail-safe state activation, power cycling, or combinations of these. Depending on its architecture, the type of corrective action or actions that a watchdog can trigger may be fixed or programmable. Some computers (e.g., PC compatibles) require a pulsed signal to invoke a hardware reset. In such cases, the watchdog typically triggers a hardware reset by activating an internal or external pulse generator, which in turn creates the required reset pulses.^[4]

In embedded systems and control systems, watchdog timers are often used to activate fail-safe circuitry. When activated, the fail-safe circuitry forces all control outputs to safe states (e.g., turns off motors, heaters, and high-voltages) to prevent injuries and equipment damage while the fault persists. In a two-stage watchdog, the first timer is often used to activate fail-safe outputs and start the second timer stage; the second stage will reset the computer if the fault cannot be corrected before the timer elapses.

Watchdog timers are sometimes used to trigger the recording of system state information—which may be useful during fault recovery^[4]—or debug information (which may be useful for determining the cause of the fault) onto a persistent medium. In such cases, a second timer—which is started when the first timer elapses—is typically used to reset the computer later, after allowing sufficient time for data recording to complete. This allows time for the information to be saved, but ensures that the computer will be reset even if the recording process fails.

For example, the above diagram shows a likely configuration for a two-stage watchdog timer. During normal operation the computer regularly kicks Stage1 to prevent a timeout. If the computer fails to kick Stage1 (e.g., due to a hardware fault or programming error), Stage1 will eventually timeout. This event will start the Stage2 timer and, simultaneously, notify the computer (by means of a non-maskable interrupt) that a reset is imminent. Until Stage2 times out, the computer may attempt to record state information, debug information, or both. As a last resort, the computer will be reset upon Stage2 timeout.

Fault detection

A watchdog timer provides automatic detection of catastrophic malfunctions that prevent the computer from kicking it. However, computers often have other, less-severe types of faults which do not interfere with kicking, but which still require watchdog oversight. To support these, a computer system is typically designed so that its watchdog timer will be kicked only if the computer deems the system functional. The computer determines whether the system is functional by conducting one or more fault detection tests and will kick the watchdog only if all tests have passed.^[6]

In computers that are running an operating system and multiple processes, a single, simple test might be insufficient to guarantee normal operation, as it could fail to detect a subtle fault condition and therefore allow the watchdog to be kicked even though a fault condition exists. For example, in the case of the Linux operating system, a user-space watchdog daemon may simply kick the watchdog periodically without performing any tests. As long as the daemon runs normally, the system will be protected against serious system crashes such as a kernel panic. To detect less severe faults, the daemon^[7] can be configured to perform tests that cover resource availability (e.g., sufficient memory and file handles, reasonable CPU time), evidence of expected process activity (e.g., system daemons running, specific files being present or updated), overheating, and network activity, and system-specific test scripts or programs can also be run.^[8]

Upon discovery of a failed test, the computer may attempt to perform a sequence of corrective actions under software control, culminating with a software-initiated reboot. If the software fails to invoke a reboot, the watchdog timer will timeout and invoke a hardware reset. In effect, this is a multistage watchdog timer in which the software comprises the first and intermediate timer stages and the hardware reset the final stage. In a Linux system, for example, the watchdog daemon could attempt to perform a software-initiated restart, which can be preferable to a hardware reset as the file systems will be safely unmounted and fault information will be logged. It is essential, however, to have the insurance provided by a hardware timer, since a software restart can fail under a number of fault conditions.^{[ citation needed ]}

Implementation

Watchdog timers are implemented in various ways. Some electronic WDTs (e.g., Analog Devices MAX6324) use linear timing circuits that operate without a digital clock signal. Other electronic WDTs, and software WDTs, typically employ digital counters as timers and rely on a clock signal for proper operation.

Electronic watchdogs

Electronic WDTs are usually implemented either as a stand-alone integrated circuit (IC) or as part of a more complex IC. Some stand-alone implementations contain only a WDT, whereas others bundle a WDT with other functions (e.g. supply voltage supervisors) in a common IC.

Many microcontrollers have a watchdog "module" consisting of a digital WDT and mechanisms for controlling and monitoring the WDT. Such modules typically include related control and status registers, circuitry for qualifying restart triggers ("kicks"), and routing control logic for the timeout signal. Some microcontrollers provide an analog WDT in lieu of a digital WDT. For example, Texas Instruments' TMS470 microcontroller has an analog WDT that employs an external capacitor and resistor to program the watchdog interval.^[9]

In microcontrollers and other complex digital ICs, a digital WDT is typically instantiated by synthesizing it from a description written in VHDL, Verilog or some other hardware description language. For example, the following VHDL code describes a simple WDT:

entitywatchdog_timerisport(CLK:instd_logic;-- clockINIT:instd_logic;-- initialize watchdogKICK:instd_logic;-- restart timerINTERVAL:inunsigned(31downto0);-- timer interval in clocksTIMEOUT:outstd_logic;-- timeout indicator);endwatchdog_timer;architecturebehavioralofwatchdog_timerisprocess(CLK)variableelapsed:std_logic;-- timeout registervariablecounter:unsigned(31downto0);-- remaining clocks until timeoutbeginifrising_edge(CLK)then-- upon rising clock edgeifINIT='1'then--   if watchdog is being initializedcounter<=INTERVAL;--     start timerelapsed<='0';--     reset timeout indicatorelsifcounter=0then--   else if watchdog interval has elapsedelapsed<='1';--     indicate timeout; timer is haltedelsifKICK='1'then--   else if watchdog is being kickedcounter<=INTERVAL;--     restart timerelse--   elsecounter<=counter-1;--     advance timerendif;endif;TIMEOUT<=elapsed;-- send register output to TIMEOUTendprocess;endbehavioral;

Notes

1 2 Various terms are used for the act of restarting a watchdog timer. Some (e.g. kick, pet, feed, tickle) draw a connection to guard dogs, whereas others (e.g. tag, ping, reset) do not. This article uses kick for consistency.
↑ A tightly coupled watchdog timer is effectively a built-in extension of the processor and, as such, may be accessed by special machine language instructions which are specific to it.

Related Research Articles

In digital computers, an interrupt is a request for the processor to interrupt currently executing code, so that the event can be processed in a timely manner. If the request is accepted, the processor will suspend its current activities, save its state, and execute a function called an interrupt handler to deal with the event. This interruption is often temporary, allowing the software to resume normal activities after the interrupt handler finishes, although the interrupt could instead indicate a fatal error.

A microcontroller or microcontroller unit (MCU) is a small computer on a single integrated circuit. A microcontroller contains one or more CPUs along with memory and programmable input/output peripherals. Program memory in the form of NOR flash, OTP ROM, or ferroelectric RAM is also often included on the chip, as well as a small amount of RAM. Microcontrollers are designed for embedded applications, in contrast to the microprocessors used in personal computers or other general-purpose applications consisting of various discrete chips.

An embedded system is a specialized computer system—a combination of a computer processor, computer memory, and input/output peripheral devices—that has a dedicated function within a larger mechanical or electronic system. It is embedded as part of a complete device often including electrical or electronic hardware and mechanical parts. Because an embedded system typically controls physical operations of the machine that it is embedded within, it often has real-time computing constraints. Embedded systems control many devices in common use. In 2009, it was estimated that ninety-eight percent of all microprocessors manufactured were used in embedded systems.

AVR is a family of microcontrollers developed since 1996 by Atmel, acquired by Microchip Technology in 2016. These are modified Harvard architecture 8-bit RISC single-chip microcontrollers. AVR was one of the first microcontroller families to use on-chip flash memory for program storage, as opposed to one-time programmable ROM, EPROM, or EEPROM used by other microcontrollers at the time.

The MSP430 is a mixed-signal microcontroller family from Texas Instruments, first introduced on 14 February 1992. Built around a 16-bit CPU, the MSP430 was designed for low power consumption, embedded applications and low cost.

In-circuit emulation (ICE) is the use of a hardware device or in-circuit emulator used to debug the software of an embedded system. It operates by using a processor with the additional ability to support debugging operations, as well as to carry out the main function of the system. Particularly for older systems, with limited processors, this usually involved replacing the processor temporarily with a hardware emulator: a more powerful although more expensive version. It was historically in the form of bond-out processor which has many internal signals brought out for the purpose of debugging. These signals provide information about the state of the processor.

<span class="mw-page-title-main">Timer</span> Clock for measuring time duration

A timer or countdown timer is a type of clock that starts from a specified time duration and stops upon reaching 00:00. An example of a simple timer is an hourglass. Commonly, a timer triggers an alarm when it ends. A timer can be implemented through hardware or software. Stopwatches operate in the opposite direction, upwards from 00:00, measuring elapsed time since a given time instant. Time switches are timers that control an electric switch.

A real-time clock (RTC) is an electronic device that measures the passage of time.

JTAG is an industry standard for verifying designs of and testing printed circuit boards after manufacture.

In computing, a non-maskable interrupt (NMI) is a hardware interrupt that standard interrupt-masking techniques in the system cannot ignore. It typically occurs to signal attention for non-recoverable hardware errors. Some NMIs may be masked, but only by using proprietary methods specific to the particular NMI. With regard to SPARC, the non-maskable interrupt (NMI), despite having the highest priority among interrupts, can be prevented from occurring through the use of an interrupt mask.

A built-in self-test (BIST) or built-in test (BIT) is a mechanism that permits a machine to test itself. Engineers design BISTs to meet requirements such as:

<span class="mw-page-title-main">Intel 8253</span> Programmable interval timer IC

The Intel 8253 and 8254 are programmable interval timers (PITs), which perform timing and counting functions using three 16-bit counters.

In-system programming (ISP), or also called in-circuit serial programming (ICSP), is the ability of some programmable logic devices, microcontrollers, chipsets and other embedded devices to be programmed while installed in a complete system, rather than requiring the chip to be programmed prior to installing it into the system. It also allows firmware updates to be delivered to the on-chip memory of microcontrollers and related processors without requiring specialist programming circuitry on the circuit board, and simplifies design work.

In computing and in embedded systems, a programmable interval timer (PIT) is a counter that generates an output signal when it reaches a programmed count. The output signal may trigger an interrupt.

<span class="mw-page-title-main">WDC 65C134</span>

The Western Design Center (WDC) W65C134S is an 8-bit CMOS microcontroller based on a W65C02S processor core, which is a superset of the MOS Technology 6502 processor.

Nano-RK is a wireless sensor networking real-time operating system (RTOS) from Carnegie Mellon University, designed to run on microcontrollers for use in sensor networks. Nano-RK supports a fixed-priority fully preemptive scheduler with fine-grained timing primitives to support real-time task sets. "Nano" implies that the RTOS is small, using 2 KB of random-access memory (RAM) and using 18 KB of flash memory, while RK is short for resource kernel. A resource kernel provides reservations on how often system resources can be used. For example, a task might only be allowed to execute 10 ms every 150 ms, or a node might only be allowed to transmit 10 network packets per minute. These reservations form a virtual energy budget to ensure a node meets its designed battery lifetime and to prevent a failed node from generating excessive network traffic. Nano-RK is open-source software, is written in C and runs on the Atmel-based FireFly sensor networking platform, the MicaZ motes, and the MSP430 processor.

EFM32 Gecko MCUs are a family of mixed-signal 32-bit microcontroller integrated circuits from Energy Micro based on ARM Cortex-M CPUs, including the Cortex-M0+, Cortex-M3, and Cortex-M4.

In spacecraft, a Command-Loss Timer (CLT) is a software timer within the command and data system (CDS) which is restarted every time the spacecraft receives a command from Earth. If the CLT times out, it is assumed that the spacecraft's receiver has failed to reliably receive messages and, in response, the CDS will attempt to restore communication or perform safing procedures, or both. A Command Loss Timer is effectively a software watchdog timer which, upon timeout, initiates corrective actions that will in some cases swap to redundant communication hardware.

Software fault tolerance is the ability of computer software to continue its normal operation despite the presence of system or hardware faults. Fault-tolerant software has the ability to satisfy requirements despite failures.

In computer science, a heartbeat is a periodic signal generated by hardware or software to indicate normal operation or to synchronize other parts of a computer system. Heartbeat mechanism is one of the common techniques in mission critical systems for providing high availability and fault tolerance of network services by detecting the network or systems failures of nodes or daemons which belongs to a network cluster—administered by a master server—for the purpose of automatic adaptation and rebalancing of the system by using the remaining redundant nodes on the cluster to take over the load of failed nodes for providing constant services. Usually a heartbeat is sent between machines at a regular interval in the order of seconds; a heartbeat message. If the endpoint does not receive a heartbeat for a time—usually a few heartbeat intervals—the machine that should have sent the heartbeat is assumed to have failed. Heartbeat messages are typically sent non-stop on a periodic or recurring basis from the originator's start-up until the originator's shutdown. When the destination identifies a lack of heartbeat messages during an anticipated arrival period, the destination may determine that the originator has failed, shutdown, or is generally no longer available.

References

↑ "4.11 Dual Staged Watchdog Timer". Kontron User's Guide - COMe-cBTi6R. Document Revision 1.0. Kontron. 2021. Archived from the original on 2023-09-23. Retrieved 2023-09-23. p. 39: A watchdog timer (or computer operating properly (COP) timer) is a computer hardware or software timer that triggers a system reset or other corrective action if the main program, due to some fault condition, such as a hang, neglects to regularly service the watchdog (writing a "service pulse" to it, also referred to as "kicking the dog", "petting the dog", "feeding the watchdog" or "triggering the watchdog"). The intention is to bring the system back from the nonresponsive state into normal operation.
↑ "The Grenade Timer: Fortifying the Watchdog Timer Against Malicious Mobile Code" by Frank Stajano and Ross Anderson (2000).
↑ Murphy, Niall & Barr, Michael (October 2001). "Watchdog Timers". Embedded Systems Programming. Retrieved 18 February 2013.
1 2 3 4 Lamberson, Jim. "Single and Multistage Watchdog Timers" (PDF). Sensoray. Retrieved 10 September 2013.
↑ Weingel, Christer. "The Linux Watchdog driver API" . Retrieved 20 January 2021.
↑ Ganssle, Jack. "Great Watchdog Timers for Embedded Systems". The Ganssle Group. Retrieved 23 January 2025.
↑ "Watchdog 'man' page" . Retrieved 2013-09-10.
↑ Crawford, Paul (2013-09-05). "Linux Watchdog - General Tests". Archived from the original on 2013-09-14. Retrieved 2013-09-10.
↑ "TMS470R1x System Module Reference Guide" (PDF). Texas Instruments. Retrieved 15 January 2025.

External links

Arduino Watchdog Timer with Reset - Article by Adityapratap Singh

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[fn1-1] 1 2 Various terms are used for the act of restarting a watchdog timer. Some (e.g. kick, pet, feed, tickle) draw a connection to guard dogs, whereas others (e.g. tag, ping, reset) do not. This article uses kick for consistency.

[6] A tightly coupled watchdog timer is effectively a built-in extension of the processor and, as such, may be accessed by special machine language instructions which are specific to it.

[Kontron_2021-2] "4.11 Dual Staged Watchdog Timer". Kontron User's Guide - COMe-cBTi6R. Document Revision 1.0. Kontron. 2021. Archived from the original on 2023-09-23. Retrieved 2023-09-23. p. 39: A watchdog timer (or computer operating properly (COP) timer) is a computer hardware or software timer that triggers a system reset or other corrective action if the main program, due to some fault condition, such as a hang, neglects to regularly service the watchdog (writing a "service pulse" to it, also referred to as "kicking the dog", "petting the dog", "feeding the watchdog" or "triggering the watchdog"). The intention is to bring the system back from the nonresponsive state into normal operation.

[3] "The Grenade Timer: Fortifying the Watchdog Timer Against Malicious Mobile Code" by Frank Stajano and Ross Anderson (2000).

[ESD-4] Murphy, Niall & Barr, Michael (October 2001). "Watchdog Timers". Embedded Systems Programming. Retrieved 18 February 2013.

[SMSWT-5] 1 2 3 4 Lamberson, Jim. "Single and Multistage Watchdog Timers" (PDF). Sensoray. Retrieved 10 September 2013.

[7] Weingel, Christer. "The Linux Watchdog driver API" . Retrieved 20 January 2021.

[ganssle-8] Ganssle, Jack. "Great Watchdog Timers for Embedded Systems". The Ganssle Group. Retrieved 23 January 2025.

[9] "Watchdog 'man' page" . Retrieved 2013-09-10.

[10] Crawford, Paul (2013-09-05). "Linux Watchdog - General Tests". Archived from the original on 2013-09-14. Retrieved 2013-09-10.

[TMS470-11] "TMS470R1x System Module Reference Guide" (PDF). Texas Instruments. Retrieved 15 January 2025.

[1]

[2]

[a]

[3]

[4]

[b]

[5]

[6]

[7]

[8]

[9]