This invention relates to a watchdog timer included in a data processing unit, such as a central processing unit (CPU) or microprocessor unit (MPU).
A CPU or MPU is generally designed to run correctly if programmed correctly, but such devices occasionally malfunction due to external noise, aging of circuit elements, and other causes. For that reason they are provided with watchdog timers.
Examples of the prior art in this field are given on (1) page 31 of the Shin Maikon Yogo Jiten (New Microcomputer Dictionary) published by the Electronic Device Group of Nippon Electric Co., Ltd. (1984-3-30) and (2) page 2-21 to page 2-22 of the Microcontroller Handbook published by Intel Corp. (1985). The prior art is explained below with reference to these two examples.
The prior art watchdog timer described in literature (1) comprises a presettable counter with an overflow function, the counter being built into the CPU. The CPU is programmed to execute processing for a given time and then preset the counter, so if the program is executed normally the counter will not overflow. If the CPU malfunctions, the counter is not preset before the given time expires, and an overflow occurs. Detection of the overflow can be made to cause a nonmaskable interrupt (an interrupt that is always enabled) to notify the outside world (the outside of the CPU) of an error in the CPU, and a suitable interrupt routine can be programmed to handle the error, thereby improving the reliability of the CPU.
The watchdog timer described in literature (2) comprises a 16-bit up-counter that prevents the CPU from running out of control. The watchdog timer is initialized by writing the data 1EH to it. Next the 1's complement of 1EH, which is 0E1H, is written to enable the counter, which commences free-run counting. During operation, if the 1EH and 0E1H data are successively written to the watchdog timer within 16 ms (at 12 MHz), the watchdog timer resets and starts counting again from 0. In other words, to reset the watchdog timer, a combination of fixed data must be written to it in succession within a fixed time.
If the combination of data that resets the watchdog timer is not written within the fixed time, the watchdog timer generates a carry signal. The carry signal resets the CPU, causing it to restart program execution from address 0. This prevents "runaway" of the CPU, i.e., prevents the CPU from continuing to execute a program that has gone out of control.
A problem with the above watchdog timers is their inability to prevent program runaway reliably. There is a certain probability that a runaway program will reset the watchdog timer by writing data that happen, by chance, to be identical to the data defined for resetting, in which case the runaway is not detected.
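
The fixed-key reset of literature (2) and the weakness just described can be reproduced in a small C model. This is an added example, not code from the patent or the cited handbook; it assumes the counter is already enabled, that one tick equals one counter increment, and that any write between 1EH and 0E1H breaks the sequence. All names and the sample write streams are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model: the carry out of the 16-bit counter resets the CPU,
 * and the counter is already enabled when the simulation starts. */
typedef struct {
    uint16_t count;     /* free-running 16-bit up-counter */
    bool     armed;     /* true while 0x1E is the most recent write */
    bool     reset_cpu; /* latched when the counter carries out */
} wdt_t;

/* A write clears the counter only when 0xE1 directly follows 0x1E. */
void wdt_write(wdt_t *w, uint8_t v)
{
    if (w->armed && v == 0xE1) { w->count = 0; w->armed = false; }
    else w->armed = (v == 0x1E);
}

void wdt_tick(wdt_t *w) { if (++w->count == 0) w->reset_cpu = true; }

/* Replays `stream` cyclically, one write every `period` ticks, for `total`
 * ticks. Returns true if the CPU was reset. n == 0 models a hung program. */
bool wdt_fires(const uint8_t *stream, size_t n, uint32_t period, uint32_t total)
{
    wdt_t w = {0, false, false};
    size_t i = 0;
    for (uint32_t t = 1; t <= total && !w.reset_cpu; t++) {
        wdt_tick(&w);
        if (n && t % period == 0)
            wdt_write(&w, stream[i++ % n]);
    }
    return w.reset_cpu;
}

/* Constructed write streams; RUNAWAY is garbage that contains the key pair. */
const uint8_t HEALTHY[] = {0x1E, 0xE1};
const uint8_t BROKEN[]  = {0x1E, 0x00, 0xE1};
const uint8_t RUNAWAY[] = {0x74, 0x1E, 0xE1, 0x90, 0x3C};

int main(void)
{
    printf("healthy loop reset: %d\n", wdt_fires(HEALTHY, 2, 1000, 200000));
    printf("hung program reset: %d\n", wdt_fires(NULL, 0, 1, 65536));
    printf("broken pair reset:  %d\n", wdt_fires(BROKEN, 3, 1000, 200000));
    printf("runaway reset:      %d\n", wdt_fires(RUNAWAY, 5, 2000, 1000000));
    return 0;
}
```

The last case is never detected: the watchdog sees only the two data values, so it cannot tell the constructed garbage stream from a healthy service loop.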