Michael, the basic idea is such:

The processor is used to perform a limited number of simple tasks. This
uses a certain set of its instructions (or all of them). Then you write a
test program that uses all the same instructions (each at least once) in a
way that generates a check number. The check number (a hash) is then used
to index into a table of jumps (calculated goto as in string
implementation) where there is only one 'good' jump, which jumps to the
real code. There are also other ways to decide whether the hash is what it
should be.

Then your code structure becomes:

reset -> test algorythm -> (pass) -> usefull code (do things) -> reset \
  watchdog -> goto test algorythm

Whenever the test algorythm fails the watchdog is not reset.

The way it works out for me is, that I have say 100 free words in a
12C508A etc after the application runs, and I write a test program in
there. The test program is different every time depending on the
application and sometimes shares subroutines with it. I always reload the
tris and option registers exactly at the beginning of the 'do things' code
and there is exactly one clrwdt at the end of the usefull code.

I think that you can calculate how 'safe' this is by assuming that error
events are random, knowing code size, etc. I did not do that, it was
enough to know that if the CPU just did something now it will be able to
do it again 100 usec later in the real code.

In a timesharing arrangement (e.g. 16F84) the test algorythm could run as
an interrupt-only task but I've never tried this.

Peter

--
http://www.piclist.com hint: PICList Posts must start with ONE topic:
[PIC]:,[SX]:,[AVR]: ->uP ONLY! [EE]:,[OT]: ->Other [BUY]:,[AD]: ->Ads