Software Watchdog; was Re: Problem with watchdog
2005-12-13 by Bruce Paterson
> Jack Ganssle's paper gives one way out of this (a supervisory
> task monitoring the health of all other tasks). There are
> alternatives.

I have done something like this in the past for a multi-tasking system. The supervisory task was responsible for feeding the hardware watchdog. It was one of the first tasks started up in the system.

As other tasks are started, they each "register" with the supervisory task with a requested watchdog time. This means different tasks can register at different software pat rates (how often they promise to keep telling the supervisory task they're all ok), allowing for slow low priority tasks or tasks that know they can take longer times to get around their "loops".

Though it could be considered a slight hole, I also allowed tasks to adjust their pat time dynamically, or de-register because they were just about to close. The advantages outweighed the risk in my instance, allowing coverage of all tasks, whether transitory or not. (Perhaps when a task first registers, it could specify whether it can later deregister or not, making that hole a little more secure.)

I have no idea if this sort of thing has been documented before; it was just my own design that rose from a requirement. It's a little bit "INIT" like, but prompting a full system restart on failure rather than a single task restart.

Cheers,
Bruce
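The registration scheme described in this post, sketched in C as an added example (not code from the original message or from its author). All names, the table size and the tick counter `now` are hypothetical; the sketch assumes the caller serializes access to the table (for example with an RTOS mutex), and it includes the suggested "may deregister" flag fixed at registration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define WD_MAX_TASKS 8          /* hypothetical table size */

typedef struct {
    bool     in_use;
    bool     may_deregister;    /* fixed at registration time */
    uint32_t period;            /* promised pat interval, in ticks */
    uint32_t last_pat;          /* tick of the most recent pat */
} wd_slot;
static wd_slot wd_slots[WD_MAX_TASKS];

static wd_slot *wd_get(int id) {
    return (id >= 0 && id < WD_MAX_TASKS && wd_slots[id].in_use) ? &wd_slots[id] : NULL;
}
/* Returns a slot id, or -1 if the table is full or period is 0. */
int wd_register(uint32_t now, uint32_t period, bool may_deregister) {
    for (int i = 0; period != 0 && i < WD_MAX_TASKS; i++)
        if (!wd_slots[i].in_use) {
            wd_slots[i] = (wd_slot){ true, may_deregister, period, now };
            return i;
        }
    return -1;
}
bool wd_pat(int id, uint32_t now) {
    wd_slot *s = wd_get(id);
    if (s) s->last_pat = now;
    return s != NULL;
}
/* Changing the pat time restarts the interval, like a pat. */
bool wd_set_period(int id, uint32_t now, uint32_t period) {
    wd_slot *s = wd_get(id);
    if (s && period != 0) { s->period = period; s->last_pat = now; }
    return s && period != 0;
}
/* Refused for tasks that registered as permanent. */
bool wd_deregister(int id) {
    wd_slot *s = wd_get(id);
    if (s && s->may_deregister) { s->in_use = false; return true; }
    return false;
}
/* Supervisor check; unsigned subtraction stays correct across tick wrap. */
bool wd_all_healthy(uint32_t now) {
    for (int i = 0; i < WD_MAX_TASKS; i++)
        if (wd_slots[i].in_use && now - wd_slots[i].last_pat > wd_slots[i].period)
            return false;
    return true;
}
```

The supervisory task would call `wd_all_healthy()` on its own period and feed the hardware watchdog only when it returns true, so a single late task lets the hardware timer expire and restart the whole system.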