Picking apart a watchdog circuit

[metertech58761]

So here's the watchdog circuit from a board used in a load management terminal / field configuration terminal.

WD_In is the Watchdog input, and is fed from the CA2 pin on a 6821 PIA (and there are places throughout the load management terminal code where the pin is bumped high or low).

Reset is obviously the main reset line, and obviously gets driven low if this circuit doesn't see WD_In change within a given interval.

WD_Out is tied to one of the two IRQ lines on the microprocessor, and there is code that gets run whenever it sees activity on the IRQ lines.

Two questions:

What components are responsible for setting the watchdog timeout interval?

In the field configuration unit, the two indicated components are omitted from the circuit.
The code for the field configuration unit does NOT manipulate WD_In, and there is no code servicing the IRQ generated from WD_Out.
What exactly is the effect of removing those resistors?

[moffy]

This is a severely overcomplicated circuit to perform such a simple function. It is quite difficult to follow the line of thinking behind its implementation. The LM2901 is an open collector comparator so without a pull up resistor you get at most 0V. Removing R6 and R5 stops the circuit responding to the WD_IN as the outputs of U1a and U1d are always low. The rest just gives me a headache.

[srb1954]

This is excessively complicated for a WDT and seems to have been designed for every imaginable mode of failure. I wouldn't be surprised if the designer used both belt and braces to hold up his trousers along with some extra string just in case both his belt and braces fail.

The basic operation seems to be that U1A and U1D respond to high and low levels of the WD_In signal periodically discharging C3 and C4. If the WD_In gets stuck at one logic level for an excessively long period then one of the capacitors will charge up, determined by their respective time constants with pull-up resistors R5 and R6, and trigger the reset pulse generator through either U1B or U1C. The WDT timeouts would therefore be determined by those time constants, which are quite asymmetric with the circuit values shown. Rather than spending a lot of time hand calculating the timeout periods I would just simulate the whole circuit in LTSpice or similar.

If you are building a new design I would just throw the whole circuit out and replace it with a WDT chip. There seems to be some power supply voltage sensing going on around U2A and U2C so you might need one of the more sophisticated WDT chips with additional voltage monitoring inputs built in.

[metertech58761]

I definitely agree that this is a ridiculously over-engineered circuit (but not the worst I've seen).

Thanks for the information on which parts would be responsible for the timeouts and that removing the two resistors disables the watchdog.

I would definitely agree that replacing this mess with a modern watchdog / voltage supervisor IC would be the way to go were I to make a more modern equivalent!

There is one part of the code where under certain conditions, the load management unit intentionally goes into an infinite loop to wait out the watchdog timer before restarting! (this is why I wanted to get an idea as to the interval; will see about making a model for LTSpice).

[NiHaoMike]

Looks like it was designed by an intern having a bit of fun with a breadboard.

[DBecker]

I don't see this circuit as excessively complicated or over-engineered.

It's explicit.

That matches its purpose.

It's a watchdog circuit, intended for meeting a requirement for reliability in the face of subtle-but-serious mistakes.  It's not going to be cost-optimized, because the cost-optimized solution is not having one.

Each requirement or specification detail for the watchdog is handled by a individual section of the circuit, and each circuit element can be tied back to a requirement.  You can see the circuit elements for the two R-C timers, one for high time and another for low.  Each has a warning threshold and a reset threshold.  Each has a reset diode to start at zero.  Voltage rails have their own sense circuit.

A few extra components to implement this is going to less expensive than documenting how a clever circuit covers all of the conditions and corner cases. 

 

[metertech58761]

Sorry for the 'necromancer bump'...

If there was a brief outage, would there be any chance the output would 'ride through' an outage of 2-3 seconds or would it drop out quickly?

The documentation I've managed to scrape together suggests that there are two outage counters in the code - one to capture blinks, and one to capture longer outages (> 2 minutes).

So I'm wondering if part of this circuit is for detecting those 'blink' outages?

The code I now suspect handles blink outages performs a quick checksum of the NVRAM contents (which gets checked on startup) and then forces the unit into a restart by waiting out the watchdog.