Embedded Office Products

Safety AddOns

The global objective of the logical and temporal program flow monitoring is given in the safety standard IEC 61508-7, Annex A.9 as "Temporal and logical program sequence monitoring":

"To detect a defective program sequence. A defective program sequence exists if the individual elements of a program (for example software modules, subprograms, or commands) are processed in the wrong sequence or period of time, or if the clock of the processor is faulty."

Meeting this common safety requirement is the purpose of the Safety Add-Ons product. The following video gives you an introduction to the Safety Add-Ons:

Video: Introduction to Safety AddOns

The Safety Add-Ons allow monitoring and checking each of the objectives (logical sequence and timing) individually. To achieve the highest diagnostic coverage levels, combining both is essential for detecting potential defective program sequences.

Logical Program Flow

Program Flow Control

Program flow monitoring is a safety measure classified as "highly recommended" in all safety standards. The logical program flow control performs logical checks on system functionalities. Such a system functionality can be a single function, a group of operations, or RTOS tasks.

Figure: Program Flow Monitor Scenarios

The program flow control detects the following failure scenarios:

  • Wrong execution order  -  the function or task execution order differs from the expected one
  • Missing function execution  -  an expected function or task execution is skipped or suppressed
  • Additional function execution  -  a function or task is executed although it was not expected
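The three failure classes above can be told apart by recording checkpoints during one cycle and comparing the trace with a statically known expected sequence. The following checkpoint monitor is an added example written for this page, not code from the Safety AddOns; the checkpoint ids, the expected sequence and the classification rules are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PFM_MAX_STEPS 16

/* Constructed example: expected checkpoint order of one control cycle
 * (1 = read inputs, 2 = filter, 3 = compute, 4 = write outputs). */
static const uint8_t pfm_expected[] = { 1, 2, 3, 4 };

typedef enum { PFM_OK, PFM_WRONG_ORDER, PFM_MISSING, PFM_ADDITIONAL } pfm_result_t;

typedef struct {
    uint8_t trace[PFM_MAX_STEPS];  /* checkpoints seen in this cycle */
    size_t  count;
    bool    overflow;              /* more checkpoints than the trace can hold */
} pfm_flow_t;

void pfm_start(pfm_flow_t *f) { memset(f, 0, sizeof *f); }

/* Each monitored function or task reports its checkpoint id when it runs. */
void pfm_checkpoint(pfm_flow_t *f, uint8_t id) {
    if (f->count < PFM_MAX_STEPS) f->trace[f->count++] = id;
    else f->overflow = true;
}

static bool pfm_is_expected(uint8_t id) {
    for (size_t i = 0; i < sizeof pfm_expected; i++)
        if (pfm_expected[i] == id) return true;
    return false;
}

/* At the end of the cycle: compare the recorded trace with the expected sequence. */
pfm_result_t pfm_verify(const pfm_flow_t *f) {
    const size_t n = sizeof pfm_expected;
    if (f->overflow) return PFM_ADDITIONAL;
    for (size_t i = 0; i < f->count; i++)
        if (!pfm_is_expected(f->trace[i])) return PFM_ADDITIONAL; /* unknown checkpoint */
    if (f->count > n) return PFM_ADDITIONAL;   /* an expected step ran more than once */
    if (f->count < n) return PFM_MISSING;      /* an expected step was skipped */
    if (memcmp(f->trace, pfm_expected, n) != 0) return PFM_WRONG_ORDER;
    return PFM_OK;
}

/* Simulates one cycle from a constructed list of checkpoint ids. */
pfm_result_t pfm_run_cycle(const uint8_t *ids, size_t len) {
    pfm_flow_t f;
    pfm_start(&f);
    for (size_t i = 0; i < len; i++) pfm_checkpoint(&f, ids[i]);
    return pfm_verify(&f);
}
```

A real monitor would additionally raise the fault to a safe-state handler; here the classification is returned so it can be checked.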

Temporal Program Flow

Time Budget Monitoring

We most often combine the temporal program flow monitoring with the logical program flow control to make the program flow safety measure complete. The temporal program flow monitoring performs timing-related checks in systems with static function scheduling.

Figure: Time Budget Monitor Scenarios

The time budget monitor detects the following scenarios:

  • Runtime is out of range  -  function or task runs faster or slower than expected
  • Cycle time is out of range  -  the time between function calls or task activations is faster or slower than expected
  • Interrupt load is out of range  -  the number of interrupt activations since the last check is higher than expected

E2E Communication

Black-channel Communication

End-to-end protected communication (E2E) is an additional method that comes into play when you need to transfer safe data via unsafe communication channels. The protection is added directly into the transferred data, enabling the receiver to identify any communication problem.

Figure: Black-channel Communication Scenario

The E2E protection detects all of the following communication faults:

  • Repeated Message  -  the standard stack repeatedly delivers the same message
  • Losing a Message  -  too much traffic, so the standard communication overflows and drops a message
  • Inserting a Message  -  manipulation attack on the standard communication (see note)
    Note: the protection addresses safety faults only. When you need to address cyberattacks, the envelope needs a signature and encryption. Please contact us in case of interest in such a feature.
  • Message Sequence  -  the standard stack delivers messages in the wrong order
  • Corrupted Message  -  a problem in the data transfer
  • Distinguish Message Sender  -  supports N senders communicating with one receiver
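The fault classes above are what an E2E envelope (sender id, sequence counter and a CRC over the whole frame) lets the receiver detect without trusting the channel. The following sender/receiver pair is an added example written for this page, not the End-To-End Protection module itself; the envelope layout, the CRC-8 polynomial, the counter-delta thresholds and the synchronization rule are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define E2E_PAYLOAD_LEN 4
#define E2E_MAX_DELTA   3   /* counter jumps up to this are reported as lost messages */

/* Constructed envelope: all fields are bytes, so no padding and the CRC
 * can be computed over the raw struct bytes up to the crc field. */
typedef struct {
    uint8_t sender_id;
    uint8_t counter;
    uint8_t payload[E2E_PAYLOAD_LEN];
    uint8_t crc;
} e2e_msg_t;

typedef enum { E2E_OK, E2E_REPEATED, E2E_LOST, E2E_WRONG_SEQUENCE,
               E2E_CORRUPTED, E2E_WRONG_SENDER } e2e_status_t;

typedef struct { uint8_t counter; } e2e_sender_t;
typedef struct { uint8_t expected_sender; uint8_t last_counter; bool synced; } e2e_receiver_t;

/* CRC-8 with polynomial 0x07, no reflection, initial value 0 (constructed choice). */
static uint8_t crc8(const uint8_t *data, size_t len) {
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x07 : (crc << 1));
    }
    return crc;
}

/* Sender side: stamp sender id and running counter, then seal with the CRC. */
void e2e_protect(e2e_sender_t *s, uint8_t sender_id, const uint8_t *payload, e2e_msg_t *out) {
    out->sender_id = sender_id;
    out->counter = s->counter++;
    memcpy(out->payload, payload, E2E_PAYLOAD_LEN);
    out->crc = crc8((const uint8_t *)out, offsetof(e2e_msg_t, crc));
}

/* Receiver side: CRC first (corruption or foreign insertion), then sender, then counter. */
e2e_status_t e2e_check(e2e_receiver_t *r, const e2e_msg_t *m) {
    if (crc8((const uint8_t *)m, offsetof(e2e_msg_t, crc)) != m->crc) return E2E_CORRUPTED;
    if (m->sender_id != r->expected_sender) return E2E_WRONG_SENDER;
    if (!r->synced) { r->synced = true; r->last_counter = m->counter; return E2E_OK; }
    uint8_t delta = (uint8_t)(m->counter - r->last_counter);   /* wraps mod 256 */
    if (delta == 0) return E2E_REPEATED;
    if (delta > E2E_MAX_DELTA) return E2E_WRONG_SEQUENCE;      /* stale or out of order, rejected */
    r->last_counter = m->counter;
    return delta == 1 ? E2E_OK : E2E_LOST;
}
```

The first accepted message synchronizes the receiver's counter, which is the behaviour the "Autonomous synchronization after startup" feature refers to; a CRC alone does not distinguish a corrupted frame from an inserted one, which is why the page notes that a signature is needed against deliberate attacks.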

Pre-certified Modules

Ready to Use

Since the requirements for these modules originate from a safety standard, it is a natural choice that we perform a pre-certification for these modules.

Program Flow Monitor

The program flow monitor checks the logical program sequence.

  • Unlimited length of execution flow
  • Execution of functions
  • Execution of ISR handlers
  • Execution of RTOS tasks
  • Unlimited number of execution flows

Time Budget Watchdog

The time budget watchdog checks the actual runtime consumption.

  • Integrated into Flexible Safety RTOS
  • Monitor of functions
  • Monitor of RTOS tasks
  • Monitor of IRQ requests
  • Any time base for measurement

CRC Module

This module provides the calculation for cyclic redundancy checksums.

  • Define multiple algorithms
  • Supports hardware CRC modules
  • Performance optimized design

End-To-End Protection

This module provides the communication protection of safety data.

  • Individual strength for each channel
  • Autonomous synchronization after startup
  • Integrated into Flexible Safety RTOS

Flexible Usage

Protect your Investment

The Safety AddOns are designed to provide standard-conforming safety measures for any hardware with any modern cross-compiler. The integration into the Flexible Safety RTOS is part of this component. Usage in other operating systems is simple, and examples are provided for E2E communication between multiple cores with different safety capabilities.

Pre-certified solution

You get proven algorithms as part of the Safety AddOns, ready for use with a pre-certification for multiple use cases:

  • Industrial IEC 61508 - SIL3
  • Medical IEC 62304 - Class C
  • Automotive ISO 26262 - ASIL D

Independent component

The delivered Safety AddOns are independent in many ways. This allows maximum possible flexibility in your project design:

  • Use any ANSI C99 compliant Compiler
  • Already integrated into Flexible Safety RTOS
  • Use the Safety AddOns on any hardware

Safety Guidance

The Safety AddOns come with extensive documentation that includes guidance on how to achieve the target diagnostic coverage.

  • Detailed Safety Manual
  • User's Guide and API Reference Manual
  • Explained demo projects

Contact us

Let's talk about your use-cases and potential benefits from this module in your system architecture.