Embedded Expertise

Embedded Notes newsletter >>

Watchdogs: One Concept, Many Meanings

A watchdog in embedded systems is much more than a timer that occasionally forces a reset.
From K9 style hardware supervision to software health checks and crash forensics, it is the silent guardian of system integrity.

Ask a hardware engineer what a watchdog is and you will probably hear about a timer that resets the system if it is not periodically refreshed.

Ask a software engineer and you will likely hear about a low priority routine that must run regularly to prove that the scheduler is still alive.

Both answers are correct. Both are incomplete.

The term watchdog is used to describe several different supervision mechanisms that operate at different levels of an embedded system. Some ensure that the CPU is still executing instructions. Others ensure that the scheduler is still functioning. Others verify that specific parts of the application are making progress. In safety critical industries, the watchdog may even be a mandatory, independently certified device.

A robust design does not rely on a single watchdog. It builds a supervision architecture, a kind of layered K9 supervision system where each level keeps an eye on the one below it.

This article revisits the different meanings of watchdog, clarifies what each type actually guarantees, and explores more advanced uses such as staged recovery, crash diagnostics, reset cause tracing, and centralized health monitoring.

The Core Idea: Detecting Loss of Progress

At its heart, a watchdog is a liveness detector.

It answers a simple question: is the system still making forward progress?

Depending on where it is implemented, progress may mean:

  • The CPU is still executing instructions

  • The scheduler is still switching tasks

  • Critical tasks are still running

  • The application is still doing meaningful work

If progress stops, the watchdog stops receiving its periodic kibble. And like any disciplined guard dog, it eventually reacts.

No single mechanism can cover all aspects of system health. That is why watchdog strategies are often layered.

The Hardware View: The Classic Watchdog Timer

From a hardware perspective, a watchdog is typically a countdown timer integrated into a microcontroller or SoC. Its behavior is simple:

  1. The timer starts from a configured value.

  2. Software must periodically refresh it.

  3. If the timer reaches zero, a recovery action is triggered.

Refreshing the watchdog is often called feeding it. The metaphor is accurate: if you forget to feed it, it bites.

Typical recovery actions include:

  • System reset

  • CPU reset

  • Interrupt generation

  • Assertion of an external pin

The essential property is independence. Once enabled, the watchdog continues running even if the software enters an invalid state.

What it protects against

A hardware watchdog is effective at detecting:

  • Infinite loops

  • Deadlocks

  • Corrupted program flow

  • Complete loss of code execution

What it does not guarantee

A hardware watchdog only proves that something is running, not that it is correct.

The system can be:

  • Running the wrong code

  • Stuck in a logical loop

  • Producing invalid outputs

and still diligently feed the dog on schedule.

Advanced Hardware Mechanisms

Once the basic concept is understood, hardware watchdogs can be extended in important ways.

Windowed Watchdogs

A windowed watchdog defines a valid refresh window:

  • Refresh too late triggers a reset.

  • Refresh too early also triggers a reset.

This prevents a faulty system from refreshing the watchdog continuously in a tight loop.

In canine terms, you are not allowed to dump a truckload of kibble at once and claim the dog is fed for the week. Timing matters.

External Watchdogs and Independence

In more demanding systems, an external watchdog device is added. This is less a pet and more a trained security dog posted outside the house.

It is typically supervised through:

  • A toggled GPIO

  • A periodic pulse, possibly from the hardware itself, e.g. monitoring traffic on a backplane bus

  • A coded heartbeat signal

An external watchdog:

  • Has its own clock source

  • Is electrically independent

  • Can reset or power cycle the entire board

If the processor freezes completely, the external watchdog does not care. It simply notices the absence of its expected signal and takes action.

When Reset Is Not the Correct Response

In some systems, a watchdog timeout must not lead to automatic restart. Instead, the system may:

  • Power down the faulty subsystem

  • Force outputs into a safe state

  • Prevent restart

  • Signal a supervisory controller

  • Allow a redundant unit to take over

Here, the watchdog acts less like a simple guard dog and more like a trained safety officer that removes a malfunctioning unit from service.

The Software Watchdog

Hardware ensures that something is running. Software supervision ensures that the right things are running.

Scheduler-Level Watchdog

From a software perspective, a watchdog is often implemented as a low priority task in an RTOS system In a priority-based scheduler:

  • High priority tasks execute first.

  • Low priority tasks run only if higher priority tasks are not blocking the CPU.

If a low priority watchdog task still executes regularly, it proves that:

  • The scheduler is running

  • No task is monopolizing the processor

  • Interrupt load is not preventing scheduling

A common design is:

  • The watchdog task runs periodically.

  • It verifies system health.

  • It then refreshes the hardware watchdog.

This forms a supervision chain:

Scheduler health -> software watchdog -> hardware watchdog

If the chain breaks, the hardware watchdog eventually reacts.

Task Level Supervision

More advanced systems monitor individual tasks explicitly. Each critical task periodically reports that it is alive by:

  • Updating a timestamp

  • Incrementing a counter

  • Setting a heartbeat flag

A supervisory component verifies that each task reports within its allocated time window. If a task fails to report, the system may:

  • Attempt to restart that task

  • Enter a degraded mode

  • Escalate by withholding the watchdog refresh

This prevents one misbehaving task from quietly starving the rest of the system while the dog remains happily fed.

Hybrid Mechanisms: Mixing Hardware and Software

The most interesting watchdog features combine hardware and software behavior.

Pre-timeout Interrupts and Crash Diagnostics

Many watchdogs provide an early warning interrupt before the final timeout. This enables a two stage response:

  1. Early interrupt for diagnostics and safe state handling.

  2. Final timeout for reset or power removal.

Capturing crash data

Crash data may include:

  • CPU registers

  • Program counter

  • Stack contents

  • Fault status registers

  • Selected system state

In order to be useful, the crash context needs to be both integrous and persistent against reboot. This leaves two major options.

Flash storage

Flash ensures persistence but is slow and potentially unreliable in a crash context.

The no-cache, no-init RAM technique

A widely adopted technique is to reserve a dedicated RAM section with:

  1. No cache or, more precisely, no write buffer

  2. No initialization at boot

These properties are explicitly defined in the linker script and enforced through memory attributes.

Few developers modify linker scripts because the default configuration works well enough. Yet defining a custom no-init crash section is one of the most effective diagnostic tools available.

Placing crash buffers in a no-init section ensures that the startup code does not erase them: data survives reboot.

By mapping the region as non cacheable, writes reach physical RAM immediately without requiring explicit write-buffer flush.

During early startup, the system can:

  • Check reset cause

  • Validate crash buffer signature

  • Extract diagnostics

  • Later store them persistently

This approach preserves evidence before the watchdog performs its final duty.

Checking the Reason for the Last Reset

A good practice during startup is to determine the reason for the last reset. Most processors provide reset cause registers indicating:

  • Power on reset

  • External reset

  • Power failure

  • Software initiated reboot

  • Watchdog timeout

  • Brown out detection

Early in the startup sequence, the system should:

  • Read and preserve the reset cause

  • Log or transmit it if appropriate

Repeated watchdog resets tell a very different story from occasional power cycling. Combined with crash buffer data, reset cause tracing transforms the watchdog from a silent enforcer into a valuable diagnostic witness.

Watchdogs as a Central Health Supervisor

In well designed systems, the periodic watchdog refresh routine does more than simply toggle a register. It becomes a central aggregation point for general health indicators.

Before delivering its periodic kibble to the hardware watchdog, the software routine may check:

  • Heap watermark or remaining heap margin

  • Stack high watermarks for critical tasks

  • Task execution timestamps

  • Communication timeouts

  • Sensor update freshness

  • Internal error counters

  • Memory corruption guards

If any of these indicators exceed defined thresholds, the routine may:

  • Log a warning

  • Enter a degraded mode

  • Refuse to refresh the watchdog

At that point, the dog is not merely being fed on a timer. It is being fed conditionally, based on verified system health.

Indirectly, the watchdog becomes a central organ of supervision. It enforces discipline. Subsystems must prove they are healthy before the system is allowed to continue running.

Watchdogs as a Compliance Requirement

In some industries, a watchdog is not optional. It is required.

Safety-related standards often mandate an independent supervision mechanism capable of recovering the system from defined failure classes.

This frequently leads to an external watchdog that is:

  • Clocked independently

  • Electrically isolated

  • Capable of forcing a reset or removing power

The key concept is independence. If the guard dog lives in the same silicon kennel as the application processor, a single fault could silence both. Certification authorities tend not to like that.

In these systems, the watchdog is part of a documented safety architecture with traceable behavior and validated timing constraints.

Side Note: Linux-Based Systems

In embedded Linux systems, watchdog supervision spans multiple layers:

  • A hardware watchdog driver in the kernel

  • A user space watchdog daemon

The daemon periodically writes to /dev/watchdog. If it crashes or the system hangs, the hardware watchdog resets the board.

More elaborate setups monitor:

  • Service availability

  • System load

  • Specific processes

Even in Linux, the principle remains the same: regular feeding is allowed only if the system is behaving.

Common Mistakes

When engineering a watchdog-based supervision system, typical errors include:

  • Refreshing the watchdog from a timer interrupt without health checks

  • Allowing arbitrary code to refresh it

  • Ignoring reset causes

  • Not capturing crash data

  • Disabling the watchdog during development

A watchdog should validate health, not merely activity.

Key Takeaways

The watchdog is not a single mechanism. It is a family of supervision strategies operating at different system levels.

Hardware engineers see timers. Software engineers see scheduling. Safety engineers see independence and compliance.

A well designed embedded system sees all of these at once.

The most reliable embedded systems combine:

  • Task supervision

  • Scheduler supervision

  • Internal hardware watchdog

  • External independent watchdog

Each layer supervises the one below it. It is a hierarchy of increasingly serious guardians. If the inner layer fails, the next one intervenes.

Used properly, the watchdog subsystem:

  • Detects loss of progress

  • Aggregates health indicators

  • Captures diagnostic evidence

  • Enforces architectural discipline

  • Supports safe shutdown strategies

  • Meets compliance requirements

It is not merely guarding the system. It is continuously deciding whether the system is still healthy enough to keep running, and if not, when it is time to growl.

Enjoyed this article?
Embedded Notes is an occasional, curated selection of similar content, delivered to you by email. No strings attached, no marketing noise.

Contact