Simple Watchdog Timer (SWT) Guide
What It Solves
An external Simple Watchdog Timer (SWT) provides a second line of defense when the on-chip WDT can be disabled by firmware, feed paths stall, cores hang, or clocks fail. It improves MTTR and protects data integrity by coordinating TWD, tRST and reboot sequencing.
Problem Snapshot
Failure roots: dead loop / priority inversion, feed path blocked, clock halt. Consequences: uncontrolled MTTR, FS/DB corruption, peripheral lockup.
Why External SWT
Independent timebase and enable chain not governed by firmware. Schmitt input and min pulse width reduce false feeds from EMI/glitches/RC drift.
MTTR & Data Consistency
Align TWD + tRST_MIN + power-up order to storage protection windows. Policy: IRQ soft-degrade (flush/throttle) → on failure after N tries, perform hard reset.
Procurement Checklist
- Low Iq (standby friendly)
- TWD tolerance & temp drift
- Output type: OD / PP, polarity
- tRST_MIN ≥ MCU requirement
- VIL/VIH compatibility across domains
BOM Remark (Copy-Ready)
“WDT timeout = 200 ms ±10%; RESET = OD/active-low; tRST ≥ 100 ms; Feed pulse ≥ 40 µs (Schmitt); No windowed behavior; AEC-Q100 Grade 1; Pin-compatible family required.”
Principles & Timing
Key Terms
- TWD: timeout to action after missed feed
- tKICK: min feed pulse width / edge
- tRST_MIN: guaranteed reset width
- tPD: SWT-to-system propagation delay
Tolerance Model
TWD_tol = ±(Initial + Temp Drift×ΔT + Aging). Budget across lifetime and full temperature range for automotive/industrial targets.
Feeding Mechanism
Prefer edge + min width with Schmitt input; avoid RC-only emulation which drifts across temp/aging. Add series R (22–100 Ω) + C (10–100 nF) after timing check.
Reset & Power Behavior
- tRST_MIN ≥ 50–150 ms (depends on MCU)
- Internal POR & brown-out keep RESET asserted
- Block feeds during power dips to avoid false recovery
Engineering Rules
- TWD ≈ main-loop period × (3–5) + I/O flush budget
- Start with ±10% full-temp timing goal
- Validate jitter tolerance (±1% → ±10%)
Reset vs IRQ Policies
Choose between IRQ-first soft recovery and direct RESET to balance data integrity and shortest service interruption. Guard decisions with brown-out/POR interlocks and domain-safe output stages.
Decision Goals
Minimize MTTR while preserving data. Scope is Simple WDT; windowed behavior, multi-rail thresholds and reset trees are covered in sibling pages.
IRQ-First Policy
Use when the system still responds to interrupts. Perform flush/WAL, unmount or snapshot; enforce a deadline and a bounded retry count N.
Direct RESET
Use for unrecoverable hangs, unknown peripheral state, or when storage can safely power down. Guarantee tRST_MIN and boot into a safe self-check mode.
Retry & Backoff
- N = 2–3 attempts
- Backoff: linear or exponential
- MaxRetryTime ≤ min(SLA, 2×TWD)
Output Stage
Open-drain + pull-up to target domain is the default for multi-voltage systems. Push-pull fits same-domain timing-critical resets.
BOD/POR Interlocks
Brown-out has priority: hold RESET when VDD is unstable. Gate reset release with PWR Good and avoid releases on supply ramps.
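The escalation policy of this section as a small decision function, given here as an added example rather than code from the original guide. The type, field and function names are assumptions; the caller is expected to perform the flush or assert RESET according to the returned action.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration: type, field and function names are assumptions. */
typedef enum { ACT_SOFT_RECOVER, ACT_HARD_RESET, ACT_HOLD_RESET } swt_action;

typedef struct {
    uint32_t twd_ms;      /* external watchdog timeout (TWD) */
    uint32_t sla_ms;      /* service-level limit on recovery time */
    uint32_t backoff_ms;  /* backoff before attempt 1; doubles each retry */
    uint8_t  max_tries;   /* N, kept small (2-3) */
    uint8_t  tries;       /* soft attempts already used */
    uint32_t elapsed_ms;  /* backoff time already spent */
} recovery_ctx;

/* Decide what to do each time the pre-reset IRQ fires. */
swt_action on_watchdog_irq(recovery_ctx *c, bool brownout, bool power_good)
{
    /* Brown-out has priority: no flush attempts on an unstable rail. */
    if (brownout || !power_good)
        return ACT_HOLD_RESET;

    if (c->tries >= c->max_tries)
        return ACT_HARD_RESET;          /* N attempts used up */

    /* MaxRetryTime <= min(SLA, 2 x TWD) */
    uint32_t max_retry_ms = c->sla_ms < 2u * c->twd_ms ? c->sla_ms : 2u * c->twd_ms;
    uint32_t delay_ms = c->backoff_ms << c->tries;   /* exponential backoff */

    if (c->elapsed_ms + delay_ms > max_retry_ms)
        return ACT_HARD_RESET;          /* caller asserts RESET for >= tRST_MIN */

    c->tries++;
    c->elapsed_ms += delay_ms;
    return ACT_SOFT_RECOVER;            /* caller flushes/throttles, then re-checks */
}

/* Call once a soft recovery is confirmed healthy. */
void on_recovery_ok(recovery_ctx *c) { c->tries = 0; c->elapsed_ms = 0; }

int main(void)
{
    /* Constructed sample values: TWD 200 ms, SLA 1 s, 50 ms first backoff, N = 3. */
    recovery_ctx c = { .twd_ms = 200, .sla_ms = 1000, .backoff_ms = 50, .max_tries = 3 };
    for (int i = 1; i <= 4; i++)
        printf("IRQ %d -> action %d\n", i, (int)on_watchdog_irq(&c, false, true));
    return 0;
}
```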
Integration Topologies
Layer the external SWT above the MCU’s internal WDT, select domain-safe output stages, and interlock with power-good/enable signals. Keep feed lines short and well-referenced to ground to reduce coupling.
Dual-WDT Layering
External TWD > internal TWD to form a safety backstop. Internal WDT handles quick local recovery; external cannot be disabled by firmware.
Feed Input Chain
Prefer Schmitt input; add R=22–100 Ω and C=10–100 nF for noise filtering after tKICK checks. RC is for deglitching, not for pulse generation.
RESET Output & Domains
Use open-drain + pull-up to the target domain by default for multi-voltage systems. Push-pull suits same-domain timing-critical resets.
PG/EN Interlocks
- Hold RESET during dips/brown-out
- Gate release with Power Good
- Avoid RESET↔EN feedback loops
Layout & EMC
Short feed trace with close return path; place series R near the SWT pin; keep RESET away from noisy switching nodes; add test points off the most sensitive segments.
Power & Reliability
Balance ultra-low Iq with timing stability. Model TWD drift across temperature and aging, and harden the feed path against EMI/glitches using Schmitt input, series-R and RC deglitching with a digital tKICK_min.
Iq Budget
Target ≤ 1–5 µA for battery/standby rails (device + pull-ups). Longer TWD reduces feed rate but increases MTTR—tune per wake policy.
Timing Stability
TWD_tol = ±(Initial + Temp Drift×ΔT + Aging). Design for −40~125 °C; baseline goal ±10% over full temp.
EMI & False Feed
Prefer Schmitt input. Add R=22–100 Ω series and C=10–100 nF to ground; enforce a digital tKICK_min to reject narrow spikes.
Aging & Maintenance
Track ppm/khr drift; forecast 5–10 year windows. Re-verify TWD and tKICK at cold and hot corners; re-size pull-ups if rise-time degrades.
Engineering Rules
- Iq ≤ 3 µA (battery) / ≤ 5 µA (always-on)
- TWD ≈ main-loop × (3–5) + flush budget
- Full-temp TWD tolerance ≤ ±10%
- tKICK_min ≥ 40 µs (Schmitt)
- RESET pull-up 4.7–100 kΩ per bus capacitance
Validation & Fault Injection
Prove missed-feed recovery and jitter tolerance with a reproducible matrix across temperature and voltage. Combine software fault injection with hardware pulse/EMI, supply droops and environmental corners. Log waveforms and reset factors.
Fault Models
- Main loop hang / priority inversion
- Timer/clock halt, PLL unlock
- Task congestion → feed delay
- Random jitter / narrow glitches
Software Injection
Mask feed API; insert controlled delay (±1–10% of TWD); randomize jitter (Gaussian/Uniform). Count soft-recovery success and RESET fallbacks.
Hardware & Environment
Function generator pulse/EMI on feed; temperature chamber −40/25/85/125 °C; supply droop/recovery (depth, dV/dt). Capture logic analyzer traces.
Pass Criteria
- MTTR ≤ 2×TWD (includes boot checks)
- 0 false resets / 24 h steady state
- Full-temp/full-voltage TWD bias ≤ ±10%
Logging & Traceability
Record reset-factor registers, GPIO event stamps (IRQ/RESET) and annotated waveforms with absolute timestamps. Retain failing specimens for review.
Layout & EMC
Route feed and RESET with the shortest return loop, place series-R and RC for deglitching, and choose pull-ups that meet VIH without creating excessive rise-time edges. Keep away from noisy switching nodes and high-speed differential pairs.
Shortest Loop & Return
Keep feed/RESET on inner layers with a solid reference plane. Stitch vias to give a symmetric return within 10 mm after layer changes.
Schmitt + R/C Deglitch
Place R=22–100 Ω near the SWT pin and C=10–100 nF to ground. RC is for deglitching, not for pulse forming.
RESET Pull-up & Edge
Use OD + pull-up to the target domain. Select 4.7–100 kΩ by bus C and VIH margin. Avoid edges that trigger receiver glitches.
Keep-out vs Noisy Nodes
Keep distance from DC/DC switch nodes, H-bridges and high-speed pairs (USB/Ethernet/PCIe). Add ground guard traces and stitch vias where needed.
Testability
Put test pads on non-sensitive nodes or behind the series-R. Leave grab-space for logic probes without hanging directly on feed/RESET.
Copy-Ready Rules
- Post-RC pulse width ≥ tKICK_min
- RESET 10–90% rise ≈ 1–5 µs
- Ring margin < ±10% of VIH/VIL
- Stitch via within 10 mm after any plane cross
Compliance & Environment
Select device qualifications for the target temperature grade and keep regulatory documents ready (RoHS/REACH, PPAP). SWT is not a system ESD/surge protector, yet feed/RESET robustness impacts the system pass rate.
AEC-Q100 Grades
- G0: −40~150 °C
- G1: −40~125 °C
- G2: −40~105 °C
Regulatory & Lifecycle
Maintain RoHS/REACH, optional halogen-free, and PPAP (e.g., Level 3). Track supply status (Active/NRND/EOL) and second-source maps.
System Compliance Context
SWT does not replace IEC-61000-4-2/-5 protection. Robust feed/RESET routing and domain-correct pull-ups materially raise pass probability.
Design Levers for Pass Rate
- PG-gated reset release on ramps
- OD reset pulled to target VIH domain
- RC/Schmitt hardening raises EMI threshold
Copy-Paste Statement
Device: AEC-Q100 G1, RoHS/REACH compliant; PPAP Level 3 on request. SWT is not intended as a system ESD/surge protector; layout per EMC guide. Supply: Active, second source mapped.
Cross-Brand Selection Matrix
Scope limited to Simple Watchdog Timer (SWT) and close “supervisor + WDT” devices for behavioral fallback. Sibling topics (Windowed WDT, multi-rail supervisors, reset trees, RTC combos) are out of scope here. Badges used in the table: [P2P], [Behavioral], [Out-of-scope].
| Core | Accuracy | System | Quality | Notes |
|---|---|---|---|---|
| Brand: TI; Series/PN: TPS3435 [P2P*]; AEC-Q100: (check PN variant); VDD: 1.8–5.5 V (family); Iq(typ): low-µA class; TWD: fixed / selectable (family options); tRST_MIN: family-defined; Output: OD/PP (by option); Polarity: active-low /RESET; Package: SOT/SC70 family | TWD Tol @25 °C: family spec; Temp Drift: ppm/°C class; Aging: ppm/khr class; Hysteresis: Y (family) | Reset Level: VIH/VIL per domain; Brown-Out Hold: Y (via supervisor family); Disable: TEST/EN (per PN); Diag Pins: WDI/WDO (per PN) | Op Temp: −40~125 °C (typ variants); Qualification: AEC (per PN); RoHS/REACH: Yes; PPAP: On request | Pin-to-Pin: with STWD/Microchip/onsemi (check pins); Second-Source: STWD100, MCP131x, CAT823/824; Layout: OD to target domain; tKICK ≥ 40 µs |
| Brand: ST; Series/PN: STWD100 [P2P*]; AEC-Q100: (check PN variant); VDD: 1.2–5.5 V (family); Iq(typ): low-µA class; TWD: fixed options; tRST_MIN: family-defined; Output: OD/PP (per option); Polarity: active-low; Package: SOT-23, SOT-323, etc. | TWD Tol @25 °C: family spec; Temp Drift: ppm/°C class; Aging: ppm/khr class; Hysteresis: Y | Reset Level: VIH/VIL per IO; Brown-Out Hold: —; Disable: TEST/EN (per PN); Diag Pins: WDI/WDO (per PN) | Op Temp: −40~125 °C; Qualification: AEC (per PN); RoHS/REACH: Yes; PPAP: On request | Pin-to-Pin: often with TPS3435 subtypes; Second-Source: TI/Microchip/onsemi families; Layout: RC near pin; return path short |
| Brand: NXP; Series/PN: N/A — no discrete Simple WDT [Out-of-scope (SBC)]; Closest: FS45xx / TJA1028 (SBC with WDT) | — | — | — | Note: Use TI/ST/Microchip simple WDT when a discrete part is required; SBC belongs to other pages. |
| Brand: Renesas; Series/PN: ISL88002 / ISL88003 / ISL88004 [Behavioral]; AEC-Q100: (per PN); VDD: family range; Iq(typ): low-µA class; TWD: fixed options; tRST_MIN: family-defined; Output: OD/PP (per PN); Package: SOT/SC70 family | TWD tolerance/drift per DS; hysteresis Y | Reset level per family; disable via TEST/EN (per PN) | Op temp −40~125 °C; AEC variants; RoHS/REACH; PPAP on request | Notes: Good behavioral alternative to TI/ST/onsemi; check TWD tolerance & tRST_MIN before swap. |
| Brand: onsemi; Series/PN: CAT823 / CAT824 [Behavioral]; AEC-Q100: (NCV prefix variants); VDD: family range; Iq(typ): low-µA class; TWD: fixed options; tRST_MIN: family-defined; Output: OD/PP; Package: SOT-23 / SC70 | Family tolerance/drift; hysteresis Y | Reset level per IO; disable pin (per PN); WDI/WDO options | Industrial/automotive options; RoHS/REACH; PPAP by request | Often P2P with Microchip MCP13xx subtypes (check pins); verify polarity and pull-up domain. |
| Brand: Microchip; Series/PN: MCP1316 / MCP1317 / MCP1318 / MCP1319 [Behavioral]; Alt: MIC803 (supervisor+WDT) / MIC809 (reset-only); AEC-Q100: (per PN); VDD: family range; Iq(typ): low-µA class; TWD: fixed/selectable (per PN); Output: OD/PP; Package: SOT/SC70 variants | TWD tol/drift per DS; hysteresis Y | Reset thresholds per variant; TEST/EN availability per PN | Industrial/auto options; RoHS/REACH; PPAP on request | Good second-source path to TI/ST/onsemi; check tRST_MIN & polarity. |
| Brand: Melexis; Series/PN: N/A — no discrete SWT [Out-of-scope] | — | — | — | Use TI/ST/Microchip discrete SWT around Melexis sensor ECUs when needed. |
P2P & Behavioral Mapping (quick view)
- P2P* candidates: ST STWD100 ↔ TI TPS3435 subtypes (check pinout), onsemi CAT823/824 ↔ Microchip MCP131x (specific packages).
- Behavioral: TI TPS3813 ↔ onsemi CAT823 ↔ Microchip MCP131x ↔ Renesas ISL8800x with timing/window/polarity reconciliation.
- NXP & Melexis: discrete SWT not typical; use other brands’ SWT alongside their ecosystems.
BOM Remark Templates
Copy-ready clauses to reduce cross-brand risk. Keep remarks device-agnostic but precise on timing, polarity, and grade.
Mandatory
Watchdog timeout = 200 ms ±10%; RESET = OD/active-low; tRST ≥ 100 ms; Disable via TEST pin high; AEC-Q100 Grade 1; Pin-compatible family required; No windowed behavior.
Why: guarantees timing window, domain-safe reset, automotive temp range, and avoids accidental windowed devices.
Optional
Feed pulse ≥ 40 µs (Schmitt input); No RC-only feeding; Brown-Out Hold = Y; Reset release gated by PG; Iq ≤ 3 µA (battery domain); VDD 1.8–5.5 V.
Why: blocks false feed, avoids supply-ramp glitches, fits standby rails and multi-domain IO levels.
Quality & Traceability
Provide RoHS/REACH CoC; PPAP Level 3 on request; maintain second source pin-compatible where available; lifecycle status = Active.
Why: lifecycle and automotive-readiness; ensures a fallback if supply changes.
Frequently Asked Questions — Simple Watchdog Timer
Why use an external simple watchdog when the MCU already includes a WDT?
An external watchdog runs from an independent timebase and cannot be disabled or “accidentally fed” by a stalled task. It protects against software bugs that mask the internal WDT, priority inversions, clock anomalies, and peripheral deadlocks. Think of it as a second safety layer that enforces recovery even when firmware and the internal WDT both misbehave.
How should I set the watchdog timeout to avoid nuisance resets while meeting MTTR targets?
Choose TWD > worst-case service interval (max loop latency + I/O flush) plus tolerance: TWD ≥ (latency_max × margin) + tolerance budget. Then verify MTTR: MTTR ≈ TWD + tRST + reboot_time. If nuisance resets occur, profile latency spikes, reduce jitter, or add IRQ-first soft recovery before escalating to a hard reset.
When is raising an IRQ before issuing RESET safer for data integrity?
Use IRQ-first when a graceful path exists to flush write-ahead logs, dismount storage, park actuators, or drop load. Limit attempts (N tries with bounded backoff) and promote to hard RESET on repeated failures or if brown-out occurs. This policy minimizes corruption and shortens service interruption while preserving deterministic worst-case recovery time.
Can an RC network reliably emulate watchdog feed pulses across temperature and aging?
No. RC time constants drift with tolerance, temperature, supply, and aging, producing marginal or spurious pulses. RC components are effective as input deglitch filters, not as deterministic pulse generators. Always drive feed edges from firmware or a stable hardware timer, and specify a minimum feed width to reject narrow, RC-shaped glitches.
How can I prevent false watchdog feeds caused by EMI or glitches on the feed pin (WDI)?
Prefer Schmitt-trigger input, add a close series resistor (22–100 Ω), and place a small RC to ground for deglitching. Enforce a firmware minimum feed width (tKICK_min) and avoid long parallel runs near switching nodes or high-speed pairs. Keep return paths short and provide guard traces with stitched ground vias around WDI.
What minimum reset pulse width (tRST_MIN) do MCUs/SoCs typically require?
Most MCUs need tens to hundreds of milliseconds; a common safe range is 50–150 ms. Check the target device’s datasheet and include margin for supply ramp, clock start, and peripheral reinitialization. If unexplained boot failures occur, increase tRST, gate release with power-good, and ensure the reset edge rate does not create receiver threshold glitches.
How does brown-out detection interact with the watchdog during power dips?
Brown-out should dominate: hold the system in reset while the rail is unstable, and only release after PG indicates a valid voltage. Prevent feeds during dips with input hysteresis and RC deglitching. If repeated dips occur, the watchdog may escalate recovery; prioritize power integrity fixes and gate reset release on power-good conditions.
What watchdog timing tolerance should be budgeted over temperature and lifetime drift?
Budget total error as: TWD_tol = initial tolerance + (temp drift × ΔT) + aging drift. Validate across −40 to 125 °C (or your grade), with supply extremes and load. Choose TWD so the worst-case slow watchdog still meets MTTR, while the fastest watchdog does not spuriously reset under legitimate peak-latency conditions.
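The tolerance model and the MTTR relation from this guide, carried through in code as an added example (not part of the original page). The struct and function names and the sample numbers in `main` are assumptions; the MTTR budget passed in corresponds to the guide's 2×TWD pass criterion.

```c
#include <stdio.h>

/* Added illustration: names and sample values are assumptions. */
typedef struct {
    double twd_nom_ms;       /* nominal watchdog timeout (TWD) */
    double initial_pct;      /* initial tolerance at 25 C, +/- percent */
    double drift_ppm_per_c;  /* temperature drift */
    double delta_t_c;        /* worst-case excursion from 25 C */
    double aging_pct;        /* lifetime aging, +/- percent */
} swt_timing;

typedef struct { double tol_pct, twd_fast_ms, twd_slow_ms; } swt_window;

enum {
    SWT_OK            = 0,
    SWT_TOL_EXCEEDED  = 1 << 0,  /* full-temp tolerance above the +/-10 % goal */
    SWT_NUISANCE_RISK = 1 << 1,  /* fastest watchdog fires within legitimate latency */
    SWT_MTTR_EXCEEDED = 1 << 2   /* slowest watchdog misses the MTTR budget */
};

/* TWD_tol = Initial + Temp Drift x dT + Aging, all expressed in percent. */
swt_window swt_worst_case(const swt_timing *t)
{
    swt_window w;
    w.tol_pct = t->initial_pct + t->drift_ppm_per_c * t->delta_t_c / 1e4 + t->aging_pct;
    w.twd_fast_ms = t->twd_nom_ms * (1.0 - w.tol_pct / 100.0);
    w.twd_slow_ms = t->twd_nom_ms * (1.0 + w.tol_pct / 100.0);
    return w;
}

/* latency_max_ms = worst-case service interval (loop latency + I/O flush). */
unsigned swt_check(const swt_timing *t, double latency_max_ms,
                   double trst_ms, double reboot_ms, double mttr_budget_ms)
{
    swt_window w = swt_worst_case(t);
    unsigned fail = SWT_OK;
    if (w.tol_pct > 10.0)                 fail |= SWT_TOL_EXCEEDED;
    if (w.twd_fast_ms <= latency_max_ms)  fail |= SWT_NUISANCE_RISK;
    /* MTTR ~ TWD + tRST + reboot_time, evaluated with the slowest watchdog */
    if (w.twd_slow_ms + trst_ms + reboot_ms > mttr_budget_ms) fail |= SWT_MTTR_EXCEEDED;
    return fail;
}

int main(void)
{
    /* Constructed sample: 200 ms, 5 % initial, 300 ppm/C over 100 C, 1 % aging. */
    swt_timing t = { 200.0, 5.0, 300.0, 100.0, 1.0 };
    swt_window w = swt_worst_case(&t);
    printf("tol=%.1f%% fast=%.1f ms slow=%.1f ms flags=%u\n", w.tol_pct,
           w.twd_fast_ms, w.twd_slow_ms, swt_check(&t, 150.0, 100.0, 60.0, 400.0));
    return 0;
}
```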
Open-drain vs push-pull watchdog outputs—how to choose for multi-voltage domains?
Open-drain is safest across domains: pull up to the target logic rail, level-compatible by design, and easy to wire-OR. Push-pull offers faster edges but must match voltage and polarity; misuse risks back-powering. When in doubt, choose open-drain with a calculated pull-up that meets VIH and rise-time without creating receiver glitches.
How do I layer an external SWT over an internal WDT without race conditions?
Set the external SWT timeout longer than the internal WDT (outer safety layer). Feed both from the same health point, not from different tasks. On failure, attempt IRQ-first recovery N times; if feeds are absent, the internal WDT trips first, and the external SWT guarantees eventual recovery if firmware masking occurs.
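A sketch of the single health point described in this answer and in the Dual-WDT Layering section, added here as an example and not taken from the original page. Task names, the hardware stubs and the 60 µs driven pulse width are assumptions; on a real target the stubs become the MCU's WDT reload and a GPIO pulse on WDI.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration: task names, stubs and constants are assumptions. */
#define TASK_CONTROL  (1u << 0)
#define TASK_COMMS    (1u << 1)
#define TASK_STORAGE  (1u << 2)
#define ALL_TASKS     (TASK_CONTROL | TASK_COMMS | TASK_STORAGE)
#define TKICK_MIN_US  40u   /* minimum feed pulse width given in the guide */
#define TKICK_US      60u   /* driven width, with margin over TKICK_MIN_US */

static volatile uint32_t alive_mask;   /* one bit per task that made progress */
static unsigned ext_feeds, int_feeds;  /* host-side stand-ins for hardware */
static uint32_t last_pulse_us;

/* Each task calls this only after finishing real work, never from a timer ISR.
 * On a preemptive or multi-core target the |= must be made atomic. */
void task_checkin(uint32_t task_bit) { alive_mask |= task_bit; }

/* Stub: real code reloads the MCU's internal WDT here. */
static void internal_wdt_reload(void) { int_feeds++; }

/* Stub: real code drives WDI high, waits width_us, then drives it low. */
static void wdi_pulse(uint32_t width_us) { last_pulse_us = width_us; ext_feeds++; }

/* The single health point, called once per supervisor period. */
bool health_point(void)
{
    if (alive_mask != ALL_TASKS)
        return false;        /* a task stalled: feed nothing, let the WDTs expire */
    alive_mask = 0;          /* every task must check in again next period */
    internal_wdt_reload();   /* inner layer, shorter timeout */
    wdi_pulse(TKICK_US);     /* outer layer, external SWT */
    return true;
}

int main(void)
{
    task_checkin(TASK_CONTROL);
    task_checkin(TASK_COMMS);
    printf("storage stalled -> fed=%d\n", health_point());
    task_checkin(TASK_STORAGE);
    printf("all alive       -> fed=%d\n", health_point());
    return 0;
}
```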
What PCB layout practices minimize coupling into watchdog feed (WDI) and RESET lines?
Route over a continuous ground plane, keep the loop short, and avoid long parallels with switching nodes or high-speed pairs. Place series-R at the pin, RC to ground nearby, and use guard traces with stitched ground vias. Do not cross plane splits; if layer changes are required, provide symmetrical, low-inductance returns.
Which production tests demonstrate missed-feed recovery and zero false resets?
Run scripted missed-feed tests, jitter injection, and EMI/EFT susceptibility while logging WDI, RESET, and PG on a logic analyzer. Sweep temperature and supply limits, verify 24-hour zero-false-reset at steady state, and confirm MTTR within budget. Record reset cause, event timestamps, and waveform evidence for traceability across units and firmware versions.