Electronic equipment is often utilized in a remote location, either an indoor or outdoor environment, which subjects the equipment to harsh electrical conditions, such as electrical disturbances or transient power surges induced by a heavy electrical storm or nearby electrical equipment. In particular, the energy management industry and the telecommunications industry utilize microprocessor-based electronic equipment that is required to properly and reliably operate during and after exposure to such harsh electrical conditions. However, electrical disturbances or power surges may induce an error or fault during software operation in a microprocessor-based electronic system. Specifically, upon exposure to an electrical transient or other power "glitch", a microprocessor will often discontinue proper code execution and begin conducting unexpected operations or simply fail to properly operate. Consequently, it is well known to utilize a circuit described as a "watchdog timer" circuit to insure proper operation of a microprocessor that operates within a harsh electrical environment.
A watchdog timer circuit is a circuit that resets the operation of a microprocessor, typically causing it to clear internal registers and timers and to start-up operation of its software program from an initial power-up sequence, to insure normal operation of the microprocessor and to maintain proper execution of the microprocessor program. A common watchdog timer circuit is an external counter or timer that must be periodically reset by the microprocessor to prevent the counter from reaching a maximum or minimum count or time interval. If the counter reaches its maximum or minimum count, the watchdog timer circuit assumes that the microprocessor is operating erroneously or is otherwise confused and thereby resets or "reboots" the microprocessor with a hardware reset signal. However, the microprocessor is reset by this watchdog timer circuit only when the microprocessor fails to prevent the counter or timer from reaching the maximum or minimum count or time interval. Many current microprocessor devices include an internal watchdog timer circuit that does not require any external circuitry for implementation of the microprocessor protection system.
A well known watchdog timer circuit includes an external counter that is reset by a pulse stream generated by the microprocessor to prevent initialization of the processor during proper code execution. U.S. Pat. No. 4,855,922 to Huddleston et al., entitled "Apparatus and Method for Monitoring an Energy Management System", assigned to the same assignee as the present invention, describes a more complex implementation of this watchdog timer circuit. In this patent, the microprocessor must generate a square wave having a predetermined frequency of 416 Hertz to prevent the watchdog timer from reaching its maximum or minimum count and resetting the processor. When the square wave is absent, indicating that the program for the microprocessor has stopped or is in an endless loop, a comparator oscillates at a low frequency of approximately 100 Hertz, which resets the microprocessor.
This class of watchdog timer circuits resets the microprocessor only when the timer circuit fails to detect the reset signal that is normally provided to the watchdog timer circuit during proper operation of the microprocessor or upon detection of erroneous data supplied by the microprocessor to the watchdog timer circuit. However, in response to an electrical transient, a microprocessor may enter a non-recoverable error state for the processor software program and yet continue to accurately stimulate the external or internal monitoring circuit of the watchdog timer circuit, thereby preventing the watchdog timer circuit from resetting the microprocessor. Despite the improper operating state of the processor, the watchdog timer circuit does not reset the microprocessor because the watchdog timer circuit does not recognize that the microprocessor has entered the error or fault state. Indeed, microprocessor-based equipment may operate within the fault state for an extended period of time without providing the watchdog timer circuit with any indication that the microprocessor has failed. In the event of such a fault state, a service person is often required to travel to the equipment location and repair the equipment by rebooting the microprocessor. Consequently, there is a need for a watchdog timer circuit that periodically resets the microprocessor regardless of the stimulus applied by the processor to the watchdog timer circuit to insure proper operation of the microprocessor.
U.S. Pat. No. 4,282,574 to Yoshida et al. describes a fail-safe system that prevents erroneous operation of a vehicle control computer system by periodic initialization of the vehicle control microprocessor. If an inhibit signal is not supplied to a refresh circuit by the microprocessor, the refresh circuit sends an initialization signal to the processor at a constant rate, thereby periodically initializing the processor. A temporary memory stores the initialization signal for a predetermined period of time in response to the microprocessor sending the inhibit signal to the refresh circuit, and enables the processor to complete certain vehicle control program instructions prior to the inevitable initialization by the delayed initialization signal. Upon initialization of the microprocessor-based system, all of the internal elements of the microprocessor are reinitialized and the program starts from the sequence when the system power supply is initially powered by the user.
While the Yoshida et al. patent describes a watchdog timer circuit that periodically resets the microprocessor during both normal and fault operations, this watchdog timer circuit does not provide the microprocessor with any indication of an impending initialization. Assuming that the microprocessor is operating properly, the watchdog timer circuit described by the Yoshida et al. patent forces the microprocessor to clear critical data not previously stored within a memory storage device upon the periodic initialization of the processor. After initialization, the microprocessor is forced to start operation at the beginning of the operating program with a new set of data.
Consequently, it will be understood that it would be highly desirable to provide a watchdog timer system which would send a warning of impending initialization prior to periodically resetting the microprocessor to insure proper operation. By sending a notice of warning of impending initialization, the microprocessor may complete its current operating tasks and save critical operating data prior to initialization, thereby enabling the microprocessor to begin operation after initialization in the same operating state as the time interval just prior to initialization. In this manner, the microprocessor maintains normal processor code execution after initialization by using critical data saved prior to initialization.
Microprocessor operations are generally reset either by toggling the logic state of the reset pin provided by typical microprocessor designs or by interrupting or 37 cycling" the electrical power supplied to the microprocessor. In response to a reset signal applied to the reset port, the microprocessor typically reboots and enters a known initial state by clearing data contained in certain internal registers and predesignated sections of internal memory, resetting the count state of selected internal timers, and setting the states of microprocessor ports. In contrast, a power reset initiated by cycling a power source connected to the microprocessor operates to reset all processor operations that are normally powered by the power source. Although processor operations are cleared by power cycling, the microprocessor may not initially enter a known state after the restoration of power.
For isolated microprocessor failures induced by a harsh electrical environment, particularly microprocessor hardware failures, a reset operation conducted by toggling the reset pin does not permit the complete recovery of proper operations by the microprocessor because only certain sections of the microprocessor are actually reset or cleared by this type of reset operation. Therefore, it will be understood that it would be extremely useful to provide a watchdog timer system which intentionally resets the microprocessor by momentarily interrupting processor power in the event that the microprocessor fails to properly respond to a warning of impending initialization. This watchdog timer system would be connected to a memory storage device that remains powered during a momentary interruption of electrical power to the microprocessor to enable the use of any critical data stored after the warning and prior to the power reset.