Improving Electron Reliability - External Watchdog Timer


#21

Does the example code work with Photons now or do we have to wait for a future Firmware release to take advantage of the Hardware watchdog?


#22

@gusgonnet, sleeping is an issue with watchdogs and there are no simple answers. It all depends on the application.

@RWB, the PR is an unmerged feature so the example will not work.


#23

The article talks about potential shortcomings of internal HW WDGs in general - they may or may not apply to specific silicons.
While it’s quite possible that there are silicon bugs in any µC, the STM32F2 IWDG is quite deeply hard wired and not actually susceptible to some/many of the risks mentioned.
On the other hand, some of the potential issues raised in that article are not limited to internal WDGs. If you have a pin tickle your external WDG and the controller happens to get into a state where it just keeps on flipping that pin, you are just as vulnerable to that with an external WDG.
Also the point about resetting external components in case of a WDG reset isn’t limited to internal ones. If you design a PCB you need to make sure to also reset these in case of an extWDG reset.

But being aware of the risk while designing firmware & PCB is key to being able to consciously make practical decisions to minimise risks - no matter which kind of WDG you are going to use.
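
An added example, not part of the original post: one common way to reduce the "controller keeps flipping the pin" failure mode is to toggle the external WDG pin only from a supervisor that has seen every task check in during the current window. The task names, `wdg_pin_toggle()` and the counter standing in for the GPIO are assumptions for illustration; a fault inside the supervisor path itself is not covered by this pattern.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical tasks; each must report progress once per supervision window. */
enum { TASK_SENSOR, TASK_MODEM, TASK_PUBLISH, TASK_COUNT };
#define ALL_TASKS ((1u << TASK_COUNT) - 1u)

static uint32_t checkins;   /* bit i set = task i finished a unit of real work */
static uint32_t wdg_edges;  /* constructed stand-in for the GPIO wired to the WDG */

/* Hypothetical pin driver: on hardware this would toggle the WDG input pin. */
static void wdg_pin_toggle(void) { wdg_edges++; }

/* A task calls this only after completing real work, never from a timer ISR. */
void task_checkin(unsigned task) {
    if (task < TASK_COUNT) checkins |= (1u << task);
}

/* Runs once per window. Kicks the WDG only if all tasks checked in, then
 * clears the flags so a stale check-in cannot satisfy the next window. */
bool supervisor_window(void) {
    bool healthy = (checkins == ALL_TASKS);
    checkins = 0;
    if (healthy) wdg_pin_toggle();
    return healthy;
}

uint32_t wdg_edge_count(void) { return wdg_edges; }

/* Simulate `windows` supervision periods; tasks in stuck_mask never check in.
 * Returns how many kicks the external WDG would have received. */
uint32_t simulate(unsigned windows, uint32_t stuck_mask) {
    uint32_t before = wdg_edges;
    for (unsigned w = 0; w < windows; w++) {
        for (unsigned t = 0; t < TASK_COUNT; t++)
            if (!(stuck_mask & (1u << t))) task_checkin(t);
        supervisor_window();
    }
    return wdg_edges - before;
}

int main(void) {
    printf("all healthy: %u kicks in 5 windows\n", (unsigned)simulate(5, 0));
    printf("modem stuck: %u kicks in 5 windows\n",
           (unsigned)simulate(5, 1u << TASK_MODEM));
    return 0;
}
```

With one task stuck the pin stops toggling even though the main loop is still running, so the external WDG times out and resets the board.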


#24

Agree. No matter if external or internal watchdog is chosen, reset of peripherals needs to be considered when designing the system. Not a weakness of either choice.

Internal watchdogs that directly HW reset the uC like the reset line was pulled are extremely reliable. Have AVR based products in numbers out in the field for years, none ever needed a reset.


#25

Thank you for the link. It sounds like a major challenge to do. On the other hand, without a built-in watchdog, it can be a bit of a “hand grenade” for new businesses that do not have the experience to stay away, or add an external watchdog to start with.

A [15] minute external watchdog, to allow for remote sw update to finish etc., works with a limited scope of use cases, e.g. utility-type use cases where it is OK to miss an hourly reading from time to time.

An end user pushing buttons is not going to sit around and wait for even 5 minutes. It can take less time to return the product.

These modules have so much more potential. Perhaps the separate release scheme for the Boron, Argon and Xenon family is an opportunity to finally try out the watchdog code?