Watchdog

from Wikipedia, the free encyclopedia

The term watchdog (also called watchdog timer) describes a function for failure detection in a digital system, mainly in control applications. If a possible malfunction is detected, one of three things happens, as agreed for the system: the malfunction is signaled to other components (e.g. to switch to a redundant system), a suitable jump instruction or a reset is initiated to rectify the failure automatically, or a safe shutdown is initiated.

Use in electrical engineering and computer science

Watchdogs are mostly used in electrical devices or machines controlled by microcontrollers, either to recover from a software failure by means of a reset or to avoid danger in a disrupted safety system by a forced shutdown. For this purpose, software components send the watchdog a sign of life at specified intervals to show that they are still being called and are functioning properly. It is important that the watchdog is independent of the microcontroller's hardware, especially when a malfunction carries a higher risk of danger.

In general, the device is not capable of real-time reactions during a restart (after a reset) and therefore cannot process any data or react to queries. In some applications, e.g. in a washing machine, the controller must continue the program sequence after a restart at the point where it was interrupted. Internal system states and, if necessary, system data of a sequence control must be saved so that they are available for a restart or in the event of a power failure. Restoring a previously saved state is also necessary in data processing for data restoration, if necessary by means of a rollback.

Hardware watchdog

The hardware watchdog is reset (i.e. triggered) by simple commands or by switching binary outputs. It can be integrated into the microcontroller or implemented as a separate microelectronic component on the circuit board. It usually works with its own clock generator, independent of the processor's system clock. The watchdog can also be implemented on the basis of analog RC circuits.

Timeout watchdog

With the timeout watchdog, the microcontroller must report to the watchdog before a specified time has elapsed (comparable to the dead man's device on a train). In the event of a fault, the microcontroller and possibly some peripheral components are reset. If the watchdog is integrated in the microcontroller, or if the controller has an NMI input, an interrupt can trigger a so-called trap instead. It is then the task of the software module assigned to the trap to carry out a suitable reaction (e.g. to record that there has been a watchdog problem, to bring the system into a safe state and then to carry out a partial or complete restart).

Window watchdog

With the window watchdog, the microcontroller must report to the watchdog within a specified time window. For this purpose, limits are specified before which a message is too early and after which it is too late; the message is permitted, and required, only within the window between them. This is particularly useful when a digital controller executes control loops with fixed sampling times and instabilities can occur if the timing deviates. The reaction to a missing message is the same as with the timeout watchdog.
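The timing rule described above can be modelled in a few lines of C. This is an added example, not part of the original article; all names (window_wd, wd_kick, wd_simulate) and the tick values are hypothetical, and the watchdog is simulated rather than tied to any real device. Setting the window opening to 0 turns it into the plain timeout watchdog of the previous section.

```c
#include <stdbool.h>
#include <stdint.h>

typedef enum { WD_OK, WD_TOO_EARLY, WD_TIMEOUT } wd_result;

typedef struct {
    uint32_t window_open;   /* earliest allowed kick, in ticks since the last kick */
    uint32_t window_close;  /* ticks since the last kick at which the timeout fires */
    uint32_t elapsed;       /* ticks since the last accepted kick */
    wd_result fault;        /* latched until reset; WD_OK while healthy */
} window_wd;

void wd_init(window_wd *wd, uint32_t open, uint32_t close) {
    wd->window_open = open;
    wd->window_close = close;
    wd->elapsed = 0;
    wd->fault = WD_OK;
}

/* Driven by the watchdog's own clock, independent of the monitored CPU. */
wd_result wd_tick(window_wd *wd) {
    if (wd->fault == WD_OK && ++wd->elapsed >= wd->window_close)
        wd->fault = WD_TIMEOUT;          /* message too late or missing */
    return wd->fault;
}

/* Called by the monitored software as its sign of life. */
wd_result wd_kick(window_wd *wd) {
    if (wd->fault != WD_OK)
        return wd->fault;
    if (wd->elapsed < wd->window_open)
        wd->fault = WD_TOO_EARLY;        /* loop runs faster than its sampling time */
    else
        wd->elapsed = 0;                 /* inside the window: restart timing */
    return wd->fault;
}

/* Constructed scenario: the software kicks every `period` ticks (period > 0)
   for `total` ticks; returns the latched fault, or WD_OK if none occurred. */
wd_result wd_simulate(uint32_t open, uint32_t close, uint32_t period, uint32_t total) {
    window_wd wd;
    wd_init(&wd, open, close);
    for (uint32_t t = 1; t <= total; t++) {
        if (wd_tick(&wd) != WD_OK)
            break;
        if (t % period == 0 && wd_kick(&wd) != WD_OK)
            break;
    }
    return wd.fault;
}
```
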

Intelligent watchdog

The intelligent watchdog is no longer reset by a simple command or trigger signal, but by complex commands or complex responses. Dynamic calculations must be carried out and, if necessary, authentication questions must be answered correctly (see challenge-response authentication). In this way, higher security requirement levels can be achieved and the risk of undetected malfunctions can be reduced.

The PRBS watchdog is a comparatively simple implementation of this intelligence. A feedback shift register that is independent of the microcontroller generates a PRBS (pseudo-random binary sequence), i.e. a deterministic sequence of random-looking numbers. The microcontroller has to calculate the same sequence of numbers and can use complex command sequences involving internal registers and memory cells to calculate the next key that triggers the external watchdog. The command sequence can be distributed over the entire program sequence, and if the arithmetic operations are skilfully selected, the CPU-internal modules (ALU, program memory, main memory and registers) can be monitored with a continuous self-test.
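The key exchange of a PRBS watchdog, sketched as an added example that is not part of the original article. The 16-bit shift register with taps 16/14/13/11, the seed and all function names are assumptions chosen for illustration; the article does not specify a polynomial or register width. A single flipped bit in the microcontroller's copy of the state stands in for a faulty register or memory cell.

```c
#include <stdbool.h>
#include <stdint.h>

/* 16-bit Fibonacci LFSR, taps 16/14/13/11 (a maximal-length polynomial). */
static uint16_t prbs_next(uint16_t s) {
    uint16_t bit = ((s >> 0) ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1u;
    return (uint16_t)((s >> 1) | (bit << 15));
}

/* External watchdog: owns its shift register, independent of the MCU. */
typedef struct { uint16_t state; bool fault; } prbs_wd;

void prbs_wd_init(prbs_wd *wd, uint16_t seed) { wd->state = seed; wd->fault = false; }

/* Accept a trigger only if it carries the next value of the sequence. */
bool prbs_wd_trigger(prbs_wd *wd, uint16_t key) {
    if (wd->fault) return false;                 /* fault stays latched */
    uint16_t expected = prbs_next(wd->state);
    if (key != expected) { wd->fault = true; return false; }
    wd->state = expected;
    return true;
}

/* MCU side: computes the same sequence in its own state variable. At cycle
   `upset_at` the bits in `flip_mask` are inverted to model a hardware fault
   (upset_at < 0: no fault). Returns the cycle at which the watchdog rejected
   the key, or -1 if every key was accepted. */
int prbs_run(uint16_t seed, int cycles, int upset_at, uint16_t flip_mask) {
    prbs_wd wd;
    uint16_t mcu_state = seed;
    prbs_wd_init(&wd, seed);
    for (int i = 0; i < cycles; i++) {
        mcu_state = prbs_next(mcu_state);
        if (i == upset_at) mcu_state ^= flip_mask;
        if (!prbs_wd_trigger(&wd, mcu_state)) return i;
    }
    return -1;
}

/* A key that was valid once must not be accepted a second time, so a
   trigger line stuck on one value cannot keep the watchdog quiet. */
bool prbs_replay_rejected(uint16_t seed) {
    prbs_wd wd;
    prbs_wd_init(&wd, seed);
    uint16_t key = prbs_next(seed);
    return prbs_wd_trigger(&wd, key) && !prbs_wd_trigger(&wd, key);
}
```
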

In the automotive sector, there are high requirements for the control of the drive (engine and transmission), the steering, the brakes and the assistance systems. They have to react in a fault-tolerant manner and bring the entire system into a safe state, even if a microcontroller is faulty. Example: the three-level concept with an intelligent watchdog for the electronic accelerator pedal (e-gas) in the car. Very critical applications require multi-channel redundant systems with fault-tolerant behavior, made up of identical or diverse components.

Software watchdog

The software watchdog is monitoring software that runs in the microcontroller itself. The watchdog software module checks whether all important program modules are being executed correctly within a specified time frame or whether a module is taking an inadmissibly long time to process. This does not necessarily have to be caused by incorrect processing, but can also be caused by a deadlock. The software watchdog can in turn be monitored by a hardware watchdog.

If a microcontroller does not have a special watchdog circuit, the software interrupt of a normal timer can be used, provided the system clock is not deactivated in energy-saving mode. Such timeout monitoring can be implemented by a counter that the software sets to a certain value at regular intervals. This counter is continuously decremented by the system clock of the microcontroller and delivers an internal failure signal when it reaches zero. Such simple integrated watchdog circuits, however, are not sufficient for higher-quality security requirements.
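One way to combine the two ideas above, per-module supervision and a countdown counter driven by a timer interrupt, is shown in this added example (not part of the original article). The structure, function names, deadlines and the two-module scenario are hypothetical; the hw_kicks field only stands in for servicing a real hardware watchdog.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_TASKS 4

typedef struct {
    uint32_t reload[MAX_TASKS];   /* permitted ticks between check-ins */
    uint32_t counter[MAX_TASKS];  /* ticks left before the module counts as hung */
    int      ntasks;
    int      failed;              /* id of the first overdue module, -1 if none */
    uint32_t hw_kicks;            /* stands in for triggering the hardware watchdog */
} sw_wd;

void sw_wd_init(sw_wd *wd) { wd->ntasks = 0; wd->failed = -1; wd->hw_kicks = 0; }

int sw_wd_register(sw_wd *wd, uint32_t deadline) {
    if (wd->ntasks >= MAX_TASKS || deadline == 0) return -1;
    wd->reload[wd->ntasks] = wd->counter[wd->ntasks] = deadline;
    return wd->ntasks++;
}

/* Sign of life from one program module: reload its counter. */
void sw_wd_checkin(sw_wd *wd, int id) {
    if (id >= 0 && id < wd->ntasks) wd->counter[id] = wd->reload[id];
}

/* Timer interrupt: count every module down; service the hardware
   watchdog only while all of them are still within their deadline. */
bool sw_wd_tick(sw_wd *wd) {
    if (wd->failed >= 0) return false;
    for (int i = 0; i < wd->ntasks; i++)
        if (--wd->counter[i] == 0) { wd->failed = i; return false; }
    wd->hw_kicks++;
    return true;
}

/* Constructed scenario: a fast module checks in every 5 ticks (deadline 8),
   a slow one every 10 ticks (deadline 15) until it blocks at tick `stall_at`
   (0: never). Returns the tick at which supervision failed, or 0 if none. */
uint32_t sw_wd_scenario(uint32_t total, uint32_t stall_at) {
    sw_wd wd;
    sw_wd_init(&wd);
    int fast = sw_wd_register(&wd, 8), slow = sw_wd_register(&wd, 15);
    for (uint32_t t = 1; t <= total; t++) {
        if (t % 5 == 0) sw_wd_checkin(&wd, fast);
        if (t % 10 == 0 && (stall_at == 0 || t < stall_at)) sw_wd_checkin(&wd, slow);
        if (!sw_wd_tick(&wd)) return t;
    }
    return 0;
}
```

Because the fast module keeps checking in, a single shared counter would never expire here; the per-module counters are what expose the blocked slow module.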

Mutual monitoring can be implemented in distributed computer systems or networks, e.g. by monitoring timeouts in the response behavior of the task distribution or communication (see Timeout (network technology)). The Intelligent Platform Management Interface (IPMI) standard specifies an interface between the computer and the watchdog, so that no additional hardware is required for standard server motherboards.

Further use

The term is now also used in other contexts, for example in the discourse on investigative journalism, where the press acts as a watchdog in the sense of a “fourth estate”, or in the debate about good governance and the corrective function of a vital civil society.
