Embedded electronic control units are finding their way into more and more complex safety critical and mission critical applications. Many of these applications operate in adverse conditions, which can cause code runaway in the embedded control units, putting them into unknown states. A watchdog timer is the best way to bring the system out of an unknown state into a safe state. Given its importance, the watchdog has to be carefully designed, so as to reduce the chances of its operation being compromised by runaway code. This paper outlines the need for robust Watchdog and the guidelines that must be considered while designing a fault tolerant system monitor aka Watchdog. New methods for refreshing a watchdog, write protection mechanism, early detection of code runaway and a quick self-test of the watchdog have been described herein.