1. Field of the Invention
The invention is related to microprocessor supervisory circuits and, in particular, to microprocessor "watchdog" circuits.
2. Description of the Related Art
Digital controllers such as microprocessors control instrumentation, computers, and automotive systems, to name just a few areas of application. Proper operation of the microprocessors in control of these applications is imperative. Improper operation could cause costly and, in some cases, life-threatening mistakes. If, for example, a system "glitch" causes a microprocessor to jump to an improper address, the microprocessor could interpret data as instructions and proceed to haphazardly overwrite critical life support data in an instrumentation application, to miscue an automatic braking system in an automotive application, or to destroy valuable stock-trading information in a computer application.
A microprocessor may be misdirected, as in the above examples, by a hardware failure initiated by radio frequency interference, by an electrostatic discharge, by mechanical failure such as a "cold" solder joint, or by a momentary power loss which corrupts the microprocessor's instructions. Software errors may also cause a microprocessor to "go south", getting stuck in an infinite loop (repeatedly executing the same instructions), for example. Because of the hazards associated with such microprocessor errors and the very real threat of their occurrence, supervisory circuits which include "watchdogs" have been developed and are widely employed within microprocessor-based circuits. Much as a referee might ask a boxer "how many fingers", a watchdog requires an associated microprocessor to occasionally assert a signal in order to assure the watchdog that the microprocessor has not entered an infinite loop, or is otherwise operating incoherently. Watchdogs are discussed in Stephen Savitsky, Real-Time Microprocessor Systems, Van Nostrand Reinhold, New York, 1989, page 80.
The block diagram of FIG. 1 illustrates a conventional watchdog 10. The watchdog 10 includes a counter 12 that is connected to count pulses from a clock 14. The counter 12 includes a reset input 16 which resets the counter to zero when asserted. The watchdog includes an input 18 connected to receive a signal, here labeled WDIN, from a microprocessor that is being monitored by the watchdog 10. During normal operation, i.e., after a system which employs the watchdog 10 has completed a power-up sequence and all inputs and outputs are generally assumed to be valid, the counter 12 begins to count output pulses from the clock 14. Should the counter reach a preset count, which corresponds with a prescribed maximum time interval, the counter asserts the watchdog output 20, labeled ALARM. The assertion of this signal by the watchdog may be employed by other circuitry, including the monitored microprocessor, to initiate a system reset (either hardware or software), for example. Therefore, in order to maintain its operational sequence, the microprocessor must regularly assert WDIN, thereby resetting the counter 12 and preventing assertion of the ALARM signal. This provides some assurance that the microprocessor is not executing an infinite loop and is not otherwise "distracted".
Watchdog circuits such as the one described in relation to FIG. 1 are sometimes combined with other circuits to form a supervisory circuit such as the supervisory circuit 22 of FIG. 2. As discussed in relation to FIG. 1, the watchdog circuit 10 monitors the input 18 and asserts the ALARM signal at output 20, which is connected to a reset generator 21, whenever the maximum prescribed interval between assertions of WDIN is exceeded. A comparator 24 compares a voltage V1 at its inverting input to a signal PWRFLI at its noninverting input and produces a power failure output signal PWRFLO. The signal PWRFLI represents the circuit's positive supply voltage and, whenever it falls below the level of V1, the comparator asserts the power failure output signal PWRFLO, indicating that the positive supply has fallen below a preset value. Another comparator 26 is connected at its inverting and noninverting inputs to positive supply voltage VCC and battery voltage VBATT, respectively. The comparator 26 controls a switch 28 which connects either VBATT or VCC to a power output VOUT. Whenever VBATT is greater than VCC, VBATT is connected, through the switch 28, to VOUT. Conversely, whenever VCC is greater than VBATT, VCC is connected through the switch 28 to VOUT.
Additionally, a comparator 30 is connected to a voltage reference V2 and to the positive supply voltage VCC at its inverting and noninverting inputs, respectively. Whenever the positive supply voltage drops below the level of V2, the comparator 30 sends a negative signal to the reset generator 21. In this case, the reset generator 21 may activate the signal RESET available at an output 32, to reset the system because, even though VOUT has been switched to VBATT, there may have been some disruption to the circuit when VCC fell below V2. The reset generator 21 may also include power-on-reset circuitry to ensure that circuitry which relies upon the RESET signal is not permitted to commence operation until after the positive power supply voltage VCC has reached a prescribed safe operating level.
Although the watchdog 10 ensures that an associated microprocessor is sufficiently operational to assert the WDIN signal periodically, there are failure mechanisms that would allow the microprocessor to assert the WDIN signal with sufficient frequency to satisfy the watchdog requirement, even though the microprocessor is "lost". For example, the microprocessor may, through random operation or by virtue of being stuck in a loop, continuously assert WDIN every instruction cycle.
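The following added example, which is not part of the original text, models the counter-based watchdog of FIG. 1 in C and runs it against three WDIN patterns to show the blind spot described above: a microprocessor that asserts WDIN every cycle never raises ALARM. The preset count, the tick patterns, the latched ALARM and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the conventional watchdog 10 of FIG. 1 (illustrative only). */
typedef struct {
    unsigned count;   /* counter 12: clock pulses since the last WDIN */
    unsigned preset;  /* preset count = prescribed maximum interval (assumed) */
    bool alarm;       /* ALARM at output 20, latched in this model (assumption) */
} watchdog_t;

/* One pulse of clock 14; wdin is the level driven by the microprocessor. */
static void wd_clock(watchdog_t *wd, bool wdin)
{
    if (wdin) {                 /* WDIN asserted: reset input 16 clears counter */
        wd->count = 0;
        return;
    }
    if (++wd->count >= wd->preset)
        wd->alarm = true;       /* maximum interval exceeded */
}

/* Constructed WDIN patterns, one per microprocessor behaviour. */
typedef bool (*wdin_source)(unsigned tick);

bool healthy(unsigned tick)    { return tick % 8 == 0; }       /* periodic service */
bool hung(unsigned tick)       { (void)tick; return false; }   /* never asserts WDIN */
bool stuck_loop(unsigned tick) { (void)tick; return true; }    /* asserts every cycle */

/* Run the watchdog for `ticks` clock pulses and report whether ALARM asserted. */
bool alarm_raised(wdin_source src, unsigned preset, unsigned ticks)
{
    watchdog_t wd = { 0, preset, false };
    for (unsigned t = 1; t <= ticks; t++)
        wd_clock(&wd, src(t));
    return wd.alarm;
}

int main(void)
{
    const unsigned preset = 10, ticks = 1000;   /* assumed values */
    printf("healthy    -> ALARM=%d\n", alarm_raised(healthy, preset, ticks));
    printf("hung       -> ALARM=%d\n", alarm_raised(hung, preset, ticks));
    /* The "lost" processor is indistinguishable from the healthy one here. */
    printf("stuck_loop -> ALARM=%d\n", alarm_raised(stuck_loop, preset, ticks));
    return 0;
}
```

Only the hung case trips ALARM; the watchdog bounds the maximum interval between WDIN assertions and places no lower bound on it.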