Watchdog Timer IC for SBC

[davegravy]

I'm thinking about how to implement a hardware watchdog for my SBC.  I'm looking at this IC: https://www.ti.com/lit/ds/symlink/ucc2946.pdf?ts=1730493673460

The SBC lacks a RESET input on the pin headers (it only has a physical button) so my idea is to use the *WDO signal to drive the gate of a high side MOSFET load switch to cycle power to the SBC.

I'd need a fairly large timing capacitor to allow the SBC a decent amount of time to boot and launch the code that sends the heartbeat signal. Is this a reasonable approach?

[selcuk]

I can recommend another approach. The attached image is from an old circuit having a similar problem of yours. The watchdog chip is MAX6369. There are three voltage supervisors but those may not be necessary for your case. The regulator is not important but the output of the 555 goes to regulator's enable input. The purpose is to power down the SBC for about 10 seconds when a watchdog event occurs. 10 second time is to empty the capacitors of SBC. 3.3VA is different from 3.3V of the SBC since it is powered down in the duration of the WDT power down event. Watchdog reset period is about 2 minutes. That gives enough time to SBC to boot.

[Benta]

As the type of SBC and the pin header is a big secret, it's hard to say.
But "cycling power" seems a bit heavy-handed to me.

[davegravy]

As the type of SBC and the pin header is a big secret, it's hard to say.
But "cycling power" seems a bit heavy-handed to me.

Sorry in my head I linked it:

https://conclusive.pl/static/docs/kstr-sama5d27/DS_020100_20220401_kstr-sama5d27.pdf

Pinheader on Page 28.

[davegravy]

I did just discover the MPU has a watchdog feature

https://ww1.microchip.com/downloads/aemDocuments/documents/MPU32/ApplicationNotes/ApplicationNotes/AN_3264-How-to-Use-SAMA5D2-Watchdog-Under-Linux-00003264a.pdf

but:

a) it seems to depend on the application to enable it - so it's susceptible to software bugs
b) I'm not sure if failure modes where the MPU hangs will trigger the watchdog

[Monotoba]

Watchdogs usually work by requiring a "reset" action. The timer starts and counts down. If it is not interrupted before reaching its critical count, the watchdog fires and causes an interrupt or system reset. So the system has to be working as expected to keep the watchdog from firing.

a) it seems to depend on the application to enable it - so it's susceptible to software bugs
   Perhaps, usually setting up the watchdog is part of the initialization of the system. If the system fails during boot, you have other issues. If this is not the case, then you may be correct.

b) I'm not sure if failure modes where the MPU hangs will trigger the watchdog, For a typical watchdog this is exactly how the watchdog is triggered. Since a major error in the system causes the system to fail to reset the watchdog before it times out. (See WDI on your wd device).

Your watchdog device also provides a reset function that keeps the watchdog timer from ticking while the system is reset. (See RTH and /RES).

Hope this helps

[SteveThackery]

One easy mistake is to put the watchdog kick in an interrupt service routine (ISR).  When your main loop has crashed for some reason, ISRs will most likely continue to operate just fine. So watchdog kicks need to be at strategic places in your main loop.

Another approach when using complex code comprising several parallel tasks is for each task to set an "I'm running OK" flag. The watchdog kick routine then checks that all the "OK" flags are set before kicking the watchdog and clearing all the flags.

It's quite easy to distinguish in your code between watchdog-initiated resets and power cycles. I select a digital input port, connect a capacitor to 0V and a resistor to Vcc. I set the values such that it takes a few seconds for the voltage at the port to reach a logic 1. Early on in my code I check the value of the port: if it is logic 0, then the chip has just powered up; if it is logic 1 then it must have been a watchdog reset.

If you are concerned about instability as the voltage on this digital input port slowly ramps up you can add a Schmitt trigger, or alternatively use an analogue input port. So far in my projects it has never been necessary.

Finally, another thing you can do is move the watchdog function off the chip completely.  I used a 556 timer chip connected to the reset line of the chip. The code kicks the external watchdog chip via a digital output port (resetting the timer).  When the first 555 (there are two 555s in a 556) times out it triggers the second 555 set up as a monostable, which creates a reset pulse lasting (say) 500ms or so.

[ArdWar]

If you're using external watchdog, don't forget to account for the additional delay caused by the initial boot sequence. Especially if you're using window watchdog.

[davegravy]

I did just discover the MPU has a watchdog feature

https://ww1.microchip.com/downloads/aemDocuments/documents/MPU32/ApplicationNotes/ApplicationNotes/AN_3264-How-to-Use-SAMA5D2-Watchdog-Under-Linux-00003264a.pdf

but:

a) it seems to depend on the application to enable it - so it's susceptible to software bugs
b) I'm not sure if failure modes where the MPU hangs will trigger the watchdog

Looks like systemd already has integration with it

https://0pointer.de/blog/projects/watchdog.html