02/22/12 13:48
#186135 - Less complex does not mean less probable to fail!
Christoph said:
"Well, the watchdog should be simpler than the uC. That means that its failure modes are easier to examine, and that it's easier to design it to be fail-safe, i.e. that failures will lead to the watchdog triggering a reset instead of the watchdog locking up."

This would be true if the watchdog and the µC were totally separate parts. But in reality the internal watchdog is embedded in an extremely complex, sophisticated and highly dynamic thing called a µC. It's very easy to upset the µC by putting a glitch on any of the port lines. This can affect the watchdog, the reset circuitry, the flash programming section, one of the many internal charge pumps creating auxiliary potentials, the program counter and so on. Just because a certain section is less complex than any other does not mean that it is less likely to become upset by this glitch.

The only way to make the watchdog more immune is to keep it outside of the µC, to remove it from the same die, and to use additional and separate filters to suppress glitches. That is the reason why I use the MAX1232 in many of my applications.

But even external watchdogs are not very safe. Do you remember the thread "Do we need a watchdog for the watchdog?" In this thread members reported lock-ups of external watchdogs, which became upset by too fast power-ups or power-downs. They quit by suddenly becoming hot and refusing to work. Only a full power-down followed by a power-up could make them work properly again. Some of them were even destroyed. If I remember correctly it was the DS1232 and similar parts that showed these problems. Afterwards I did very intense testing of the MAX1232 to find out whether it also shows this behaviour, but found it OK.

My conclusion from all this is NOT to trust the watchdog. But I DO trust the extensive filtering, protecting, grounding and shielding.

Kai Klaas