
What Is an External Voltage Supervisor/Watchdog IC?

Last updated 4 July 2026 · 7 min read

Direct Answer

An external voltage supervisor/watchdog IC is a small, independent piece of silicon — separate from the microcontroller — that monitors the MCU's supply rail for brownout conditions and, optionally, monitors firmware activity through a watchdog input pin, asserting a hardware reset if either check fails. Unlike the MCU's built-in power-on reset and internal watchdog peripheral, an external supervisor's reset threshold and timing are independent of the MCU's own silicon, clock tree, and firmware — making it the standard way to add a second, diverse layer of fault detection where a single on-chip mechanism is not considered sufficient. Common examples include the Texas Instruments TPS3813, Analog Devices/Maxim MAX6369/MAX6370, and Microchip MCP130x families.

Detailed Explanation

An MCU's own power-on reset circuit and internal watchdog peripheral (see What Is a Watchdog Timer? for the STM32 IWDG/WWDG implementation) handle the great majority of reset and fault-recovery needs in embedded designs. An external supervisor IC exists for the cases where a second, physically independent layer of protection is worth its added board space and BOM cost: functional-safety-driven diverse redundancy, a rail whose brownout behaviour needs tighter or more specific control than the MCU's own BOR provides, or a manual reset button that needs clean debouncing without relying on MCU firmware being alive to process it.

What a Supervisor IC Actually Monitors

A typical supervisor/watchdog IC combines two independent functions in one small package:

  • Voltage supervision — continuously compares the monitored supply rail against an internal (or externally set) reference threshold. If the rail drops below threshold, the IC immediately asserts its reset output, and holds it asserted for a defined reset pulse width after the rail recovers above threshold — ensuring the MCU doesn't come out of reset into a still-marginal supply.
  • Watchdog timing — a watchdog input (WDI) pin that firmware must toggle periodically, entirely analogous to kicking an internal IWDG. If the WDI pin doesn't transition within the configured timeout, the supervisor asserts reset exactly as if a brownout had occurred.

Because these two checks live in a separate IC on a separate silicon process, a failure mode that somehow disables the MCU's own BOR or watchdog logic — a manufacturing defect, an unanticipated silicon erratum, or (in the diverse-redundancy safety-standard sense) any single-point failure in that one design's supervisory logic — does not simultaneously disable the external check.

Reset Threshold Accuracy and Hysteresis

MCU-internal brownout detectors are typically specified with fairly wide accuracy tolerances and a limited number of selectable trip points. Dedicated external supervisor ICs are built specifically to monitor voltage precisely, and typically specify threshold accuracy in the region of 1–3% (verify the exact figure against the selected part's datasheet — accuracy varies by family and grade), considerably tighter than most MCU BOR specifications.

Supervisors also build in hysteresis — the voltage must rise a small amount above the trip threshold before the reset is released, not merely return to exactly the trip point — to prevent the reset output from chattering on and off if the supply rail is noisy or hovering near the threshold. Datasheets specify this as a hysteresis voltage or percentage; confirm it's adequate for your rail's expected ripple before finalising a threshold selection.

Manual Reset Input Debouncing

Many supervisor ICs include a dedicated manual reset (MR) input pin with internal debouncing, intended to be wired directly to a physical reset button with no external RC debounce network required. This is a common secondary reason to add a supervisor IC even in designs that don't need diverse watchdog redundancy: a clean, bounce-free manual reset button without an extra R and C on the schematic, and without relying on the MCU's own GPIO/NRST debounce behaviour (which, if the MCU itself is misbehaving, may not be trustworthy).

Reset Output Configuration

Supervisor ICs are offered with different reset output polarities and drive types, and the correct choice depends on the MCU's reset pin requirements:

| Output type | Behaviour | Typical use |
|---|---|---|
| Push-pull, active-low (RESET) | Actively drives low on fault, high otherwise | Most common; direct connection to an MCU's active-low reset pin |
| Push-pull, active-high (RESET) | Actively drives high on fault | MCUs or logic requiring an active-high reset input |
| Open-drain, active-low | Pulls low on fault, requires external pull-up | Allows multiple supervisors or reset sources to be wire-ORed onto a single shared reset line |

The open-drain option matters in multi-rail or multi-supervisor systems: several supervisor ICs (one per monitored rail, for example) can share a single reset line to the MCU, with any one of them able to assert reset without conflicting drive from the others.

Selecting Between Common Families

| Family | Threshold options | Watchdog | Notable feature |
|---|---|---|---|
| TI TPS3813 | Adjustable via external resistor divider | Simple timeout, adjustable via external capacitor | Wide input voltage range; adjustable watchdog timeout without a fixed-option part change |
| Maxim/ADI MAX6369/MAX6370 | Factory-fixed, multiple trip-point options | Pin-selectable timeout (7 preset options) | No external timing components needed; timeout set entirely by pin strapping |
| Microchip MCP130x | Factory-fixed, multiple trip-point options | Not included on all variants in the family — check the specific part number | Very small package options; simple three-terminal voltage-only variants available for pure brownout-detection use cases |

Choosing between them is largely a question of how much external configurability is needed (adjustable vs pin/factory-fixed thresholds and timeouts) against BOM simplicity — a fixed-threshold, pin-strapped part like the MAX6369 needs no external timing components at all, while an adjustable part like the TPS3813 trades a couple of passive components for threshold and timeout values that don't require ordering a different factory-trimmed part number if the design changes.

Integrating With the MCU's Internal Watchdog

For designs pursuing diverse redundancy under a functional safety standard, the external supervisor's watchdog input and the MCU's internal IWDG are typically kicked from the same firmware health-check logic but wired to genuinely independent reset paths — both must be satisfied for the system to keep running, and either one alone is capable of forcing a reset. This differs from simply using a longer or shorter timeout on one versus the other; the value is in the independence of the two implementations, not in layering two timers with different periods.
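One way to structure the shared health-check logic described above, as an added example rather than code from the original page or any vendor. The task names, `task_checkin`, `health_service` and `simulate` are hypothetical, and the two hardware writes are replaced by host-side counters so the behaviour can be run and checked off-target.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical task bits; each task checks in once per loop pass when healthy. */
enum { TASK_SENSOR = 1u << 0, TASK_COMMS = 1u << 1, TASK_CONTROL = 1u << 2 };
#define ALL_TASKS ((uint32_t)(TASK_SENSOR | TASK_COMMS | TASK_CONTROL))

/* Host-side stand-ins for the hardware. On a target these would be a GPIO
 * toggle on the pin wired to WDI and the internal watchdog's reload write. */
static unsigned wdi_edges, iwdg_reloads;
static void wdi_toggle(void)  { wdi_edges++; }
static void iwdg_reload(void) { iwdg_reloads++; }

static uint32_t checkins;   /* superloop only; use atomics under an RTOS */

void task_checkin(uint32_t task_bits) { checkins |= task_bits; }

/* Called from the main loop, never from a timer ISR: an ISR keeps firing
 * while the application is hung and would keep both watchdogs satisfied. */
bool health_service(void) {
    if ((checkins & ALL_TASKS) != ALL_TASKS)
        return false;        /* a task is hung: let both watchdogs expire */
    checkins = 0;            /* every task must prove liveness again */
    wdi_toggle();            /* external supervisor path */
    iwdg_reload();           /* internal watchdog path */
    return true;
}

/* Run `passes` loop passes; tasks in hung_mask stop checking in from pass
 * hang_at onward. Returns the number of WDI edges the supervisor saw. */
unsigned simulate(unsigned passes, unsigned hang_at, uint32_t hung_mask) {
    wdi_edges = iwdg_reloads = 0;
    checkins = 0;
    for (unsigned p = 0; p < passes; p++) {
        task_checkin(p >= hang_at ? (ALL_TASKS & ~hung_mask) : ALL_TASKS);
        health_service();
    }
    return wdi_edges;
}

int main(void) {
    printf("healthy: %u kicks in 10 passes\n", simulate(10, 10, 0));
    printf("comms hangs at pass 4: %u kicks\n", simulate(10, 4, TASK_COMMS));
    return 0;
}
```

Once one task stops checking in, neither the WDI pin nor the internal watchdog is serviced again, so whichever timer expires first forces the reset through its own path.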

For firmware architecture that incorporates this kind of layered supervisory design, Zeus Design's electronics engineering team designs both the reset/supervisory circuit and the firmware health-check logic that drives it.

Design Considerations

  • Set the reset pulse width to cover the MCU's full power-up sequence. The reset output must stay asserted long enough for the MCU's internal power rails, oscillator startup, and any PLL lock time to complete before release — check the reset IC's pulse-width specification against the MCU's documented startup timing, not just its own default value.
  • Confirm hysteresis is adequate for your rail's actual ripple, not just the nominal supply. A supervisor with too little hysteresis on a rail with switching-regulator ripple close to the threshold can chatter the reset line repeatedly rather than resetting cleanly once.
  • Decide reset output polarity and drive type before finalising the MCU's reset pin design, particularly if multiple supervisors or reset sources need to share one reset line via open-drain wire-OR.
  • Treat threshold selection as a system-level decision, not just an MCU spec lookup. Other ICs sharing the same rail (sensors, radios, memory) may have their own minimum operating voltage requirements that are more restrictive than the MCU's — the supervisor threshold should protect the most voltage-sensitive device on that rail, not just the MCU.
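The threshold, hysteresis and system-level checks above can be written as a worst-case margin calculation; this is an added example, not code from the original page or a vendor tool. The 3.3 V rail, 2.7 V MCU minimum and candidate thresholds are values quoted on this page, while the 2 % regulator tolerance, 40 mV ripple, 2 % supervisor accuracy and 1.5 % hysteresis are assumed figures to be replaced with datasheet numbers.

```c
#include <stddef.h>
#include <stdio.h>

typedef enum { TH_OK, TH_TOO_LOW, TH_NUISANCE, TH_CHATTER } th_verdict;

typedef struct {
    double v_nom;      /* nominal rail voltage, V */
    double reg_tol;    /* regulator DC tolerance, fraction (assumed) */
    double ripple_pp;  /* peak-to-peak ripple, V (assumed) */
} rail_t;

typedef struct {
    double v_th;       /* nominal falling threshold, V */
    double acc;        /* threshold accuracy, fraction (assumed 2 %) */
    double hyst;       /* hysteresis, fraction of threshold (assumed) */
} supervisor_t;

/* Highest minimum operating voltage among all devices sharing the rail. */
static double rail_floor(const double *dev_min, size_t n) {
    double v = 0.0;
    for (size_t i = 0; i < n; i++)
        if (dev_min[i] > v) v = dev_min[i];
    return v;
}

th_verdict check_threshold(rail_t r, supervisor_t s,
                           const double *dev_min, size_t n) {
    double trip_lo    = s.v_th * (1.0 - s.acc);    /* latest possible trip */
    double trip_hi    = s.v_th * (1.0 + s.acc);    /* earliest possible trip */
    double release_hi = trip_hi * (1.0 + s.hyst);  /* worst-case release point */
    double rail_min   = r.v_nom * (1.0 - r.reg_tol) - r.ripple_pp / 2.0;

    if (trip_lo < rail_floor(dev_min, n)) return TH_TOO_LOW;  /* reset may come too late */
    if (rail_min <= release_hi)           return TH_NUISANCE; /* healthy rail can trip or hold reset */
    if (r.ripple_pp >= trip_lo * s.hyst)  return TH_CHATTER;  /* ripple spans the hysteresis band */
    return TH_OK;
}

int main(void) {
    static const char *name[] = { "ok", "too low", "nuisance resets", "chatter risk" };
    const double trims[] = { 2.63, 2.93, 3.08, 3.20 };  /* thresholds quoted on the page */
    const double devs[]  = { 2.7 };                     /* MCU minimum from the page */
    rail_t rail = { 3.3, 0.02, 0.040 };                 /* tolerance and ripple: constructed */
    for (size_t i = 0; i < sizeof trims / sizeof trims[0]; i++) {
        supervisor_t s = { trims[i], 0.02, 0.015 };
        printf("%.2f V: %s\n", trims[i], name[check_threshold(rail, s, devs, 1)]);
    }
    return 0;
}
```

Passing every device's minimum operating voltage in `dev_min`, not only the MCU's, is what turns this into the system-level check: a 2.93 V part that is fine for a 2.7 V MCU is rejected as too low once a device needing 2.9 V shares the rail.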

Common Mistakes

  • Choosing a threshold too close to the nominal rail voltage. A 3.3 V rail with a 3.2 V supervisor threshold will trigger nuisance resets from entirely normal regulator tolerance and ripple. Leave adequate margin between nominal voltage and the reset threshold.
  • Assuming every supervisor IC includes a watchdog function. Some parts in these families are voltage-supervisor-only, with no WDI pin at all — a straightforward mistake when swapping between package/family variants without re-checking the specific part number's feature set.
  • Wiring the watchdog input from an interrupt handler, mirroring the same mistake as an internal watchdog. Exactly as with an internal IWDG (see the Common Mistakes section of What Is a Watchdog Timer?), toggling the external WDI pin from an ISR that keeps running even while the main application is hung defeats the entire purpose of adding the external supervisor.
  • Not accounting for reset pulse width in fast power-cycle testing. Products that are power-cycled rapidly during production test can trigger a supervisor's undervoltage lockout or minimum reset pulse timing in ways that don't occur during normal single power-up — validate supervisor behaviour under the actual production test power-cycling profile, not just a single clean power-up.

Frequently Asked Questions

Why add an external supervisor if the MCU already has a built-in watchdog and brownout detector?
Because both the MCU's power-on reset/brownout detector (BOR) and its internal watchdog peripheral (see What Is a Watchdog Timer?) are implemented on the same silicon die and, for the watchdog, depend on the MCU's own reset-generation logic being intact. For most designs this is entirely adequate. Where it isn't — designs targeting a specific functional safety standard (IEC 61508, ISO 26262), or products where a single point of failure in the MCU's own supervisory logic is judged unacceptable — an external, physically separate IC provides diverse redundancy: a second, independently-designed piece of silicon checking the same conditions through an entirely different implementation. It also frequently gives finer or more application-specific control over reset threshold accuracy and timing than an MCU's on-chip BOR, which is often a coarse, fixed set of trip points.

How do I choose a reset threshold voltage for a supervisor IC?
Set the threshold above the MCU's minimum guaranteed operating voltage (from its datasheet's recommended operating conditions) plus margin for the supervisor's own threshold accuracy and any ripple or transient sag expected on the rail. For a 3.3 V rail powering an MCU specified for 2.7–3.6 V operation, a supervisor threshold around 2.9–3.0 V is typical — low enough to avoid nuisance resets from normal ripple, high enough to guarantee a reset well before the MCU's behaviour becomes undefined. Many supervisor families are offered in several fixed-threshold factory trim options (e.g. 2.63 V, 2.93 V, 3.08 V) precisely so a threshold close to the target rail can be selected without external threshold-setting components; adjustable-threshold parts use an external resistor divider instead, at the cost of tolerance stacking from the resistors themselves.

What is a windowed external watchdog, and is it different from an STM32 WWDG?
The concept is the same as the window watchdog peripheral built into many MCUs (see What Is a Watchdog Timer? for STM32's WWDG): the watchdog input pin must be toggled within a defined time window, not merely before a single timeout — both an early kick and a late kick trigger a reset. Some external supervisor families support this windowed mode on their watchdog input, giving the same 'loop running too fast or too slow' detection as an internal WWDG, but implemented in physically separate silicon. Not every external supervisor supports windowed operation — many simpler parts (including several in the MAX6369/6370 and MCP130x families) implement only a simple, non-windowed watchdog timeout; check the specific part's datasheet before assuming windowed behaviour is available.
