The Watchdog Timer

A watchdog timer is a hardware timer that resets a system if the running software fails to periodically reassure it. The software is expected to “kick” or “refresh” the watchdog at regular intervals; as long as it does so, the system runs normally. If the software hangs, crashes, or enters an infinite loop and stops refreshing the timer, the watchdog times out and forces a hardware reset, returning the device to a known starting state. This makes the watchdog the last line of defense for unattended embedded devices — sensors, controllers, and appliances that have no operator present to power-cycle them when the firmware locks up.

The mechanism is a countdown. STMicroelectronics describes its Independent Watchdog (IWDG) peripheral as based on a downcounter that, once started, counts down from a reset value; software must write a specific key value to a refresh register to reload the counter before it reaches zero. If the counter is allowed to reach the end of its count, the hardware “generates a system reset.” Refreshing the counter in time is the act of telling the watchdog that the software is still alive and making progress.

A defining feature of a robust watchdog is independence from the rest of the system it is guarding. ST documents that the IWDG is “clocked by its own dedicated low-speed clock (LSI) and thus stays active even if the main clock fails,” and that once the watchdog is started it “cannot be disabled” except by a complete device reset. This isolation is deliberate: a watchdog that shared the failing component it was meant to detect would be useless, so it is given its own clock and made impossible for buggy code to switch off.

Watchdogs come in simple and windowed forms. A basic watchdog resets the system only if it is refreshed too late. A windowed watchdog also resets the system if it is refreshed too early, catching code that is looping and kicking the timer too often — another sign that the program is not executing its intended sequence. Both designs verify not merely that the software is running, but that it is running on schedule.
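The downcounter and the two refresh rules described above can be modeled in a few lines of C. This is an added example, not ST's code or register interface: the wdt_model type, its function names, and the tick counts are assumptions chosen for illustration, and setting the window equal to the reload value gives the basic (non-windowed) behavior.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of a downcounting watchdog (illustrative, not vendor code). */
typedef struct {
    uint32_t reload;   /* value the counter restarts from on a valid refresh */
    uint32_t window;   /* refresh is valid only when counter <= window */
    uint32_t counter;  /* current downcounter value */
    bool     reset;    /* latched once the watchdog has forced a reset */
} wdt_model;

/* Start the watchdog. There is deliberately no stop function. */
void wdt_start(wdt_model *w, uint32_t reload, uint32_t window) {
    w->reload  = reload;
    w->window  = window > reload ? reload : window;
    w->counter = reload;
    w->reset   = false;
}

/* One period of the watchdog's own clock; reaching zero forces a reset. */
void wdt_tick(wdt_model *w) {
    if (w->reset) return;
    if (w->counter > 0) w->counter--;
    if (w->counter == 0) w->reset = true;
}

/* Software "kick": a refresh while the counter is above the window is too early. */
void wdt_refresh(wdt_model *w) {
    if (w->reset) return;
    if (w->counter > w->window) { w->reset = true; return; }
    w->counter = w->reload;
}

/* Run `total` ticks, kicking every `period` ticks (0 = never, i.e. a hang).
   Returns true if the watchdog reset the system. */
bool wdt_simulate(uint32_t reload, uint32_t window, uint32_t period, uint32_t total) {
    wdt_model w;
    wdt_start(&w, reload, window);
    for (uint32_t t = 1; t <= total && !w.reset; t++) {
        wdt_tick(&w);
        if (period != 0 && t % period == 0) wdt_refresh(&w);
    }
    return w.reset;
}

int main(void) {
    printf("hang, basic: %d\n", wdt_simulate(100, 100, 0, 1000));
    printf("kick every 10, basic: %d  windowed: %d\n",
           wdt_simulate(100, 100, 10, 1000), wdt_simulate(100, 40, 10, 1000));
    return 0;
}
```

A program that kicks every 10 ticks passes the basic watchdog indefinitely but trips the windowed one on its first refresh, while a kick every 80 ticks satisfies both.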

The watchdog embodies a hard truth of embedded engineering: complex software will occasionally enter states its designers did not anticipate, and an unattended device must recover on its own. Rather than trying to prevent every possible hang, the watchdog accepts that hangs happen and guarantees that the system will not stay hung. Pairing careful software with a watchdog that can always reclaim the machine is a standard pattern in reliable firmware.