Be careful of the possibility that the device's internal program counter might fail. If it jumps to some invalid place in the program or jumps into a function before the stack has been initialized, really unpredictable stuff can happen! Power surges and many difficult to predict circumstances can cause the program counter to glitch, this is a real world problem especially for high performance requiring systems like in automotive and medical fields... and more expensively in space exploration ( I think this is what happened to one of the Mars robots)...
If the program counter jumps into a loop that contains an if and then based break sequence and if the conditions of that if and then statement were not loaded (because the program counter jumped into the function by malfunction) then it is totally possible that an infinite loop can occur... and if a clear wdt is inside that loop the program will lock up indefinitely and the watch dog timer will have absolutely no ability to correct the problem, since it will never overflow and generate a reset pulse.
External watch dog timers can be implemented, specially designed code, and redunancy can be incorporated to ensure your design has the desired stability.
Good luck with you projects!
Best Regards,
Jesse Randall
Electronics Engineer
**broken link removed**