The global objective of the logical and temporal program flow monitoring is given in the safety standard IEC 61508-7, Annex A.9 as "Temporal and logical program sequence monitoring":
"To detect a defective program sequence. A defective program sequence exists if the individual elements of a program (for example software modules, subprograms, or commands) are processed in the wrong sequence or period of time, or if the clock of the processor is faulty."
Meeting this common safety requirement is the purpose of the Safety Add-Ons product.
The Safety Add-Ons allow each objective (logical sequence and timing) to be monitored and checked individually. To reach the highest diagnostic coverage levels, combining both is the most effective way to detect defective program sequences.
Logical Program Flow
Program Flow Control
The program flow safety measure is classified as "highly recommended" in all safety standards. The logical program flow control performs logical checks on system functionalities, where a system functionality can be a single function, a group of operations, or an RTOS task.
The program flow control detects the following failure scenarios:
- Wrong execution order - the functions or tasks execute in a different order than expected
- Missing function execution - an expected function or task execution is skipped or suppressed
- Additional function execution - a function or task executes when no execution was expected
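To make the three failure scenarios concrete, here is a minimal logical program flow monitor, written as an added example for this page (it is not the product's own code). Each monitored function, task or ISR reports a checkpoint id; the expected sequence, the ids and the result codes are constructed for the example.

```c
#include <stddef.h>

/* Constructed example: one expected checkpoint sequence per cycle. */
typedef enum { PFM_OK = 0, PFM_WRONG_ORDER, PFM_MISSING, PFM_ADDITIONAL } pfm_result_t;

typedef struct {
    const int   *expected;  /* checkpoint ids in the expected execution order */
    size_t       len;       /* number of checkpoints per cycle */
    size_t       pos;       /* index of the next expected checkpoint */
    pfm_result_t fault;     /* first fault latched in the current cycle */
} pfm_t;

void pfm_init(pfm_t *m, const int *expected, size_t len) {
    m->expected = expected; m->len = len; m->pos = 0; m->fault = PFM_OK;
}

/* Position of id in the expected list, or len if it is not part of the flow. */
static size_t pfm_find(const pfm_t *m, int id) {
    size_t i;
    for (i = 0; i < m->len; i++) if (m->expected[i] == id) return i;
    return m->len;
}

/* Each monitored function, task or ISR handler reports its id when it runs. */
pfm_result_t pfm_checkpoint(pfm_t *m, int id) {
    size_t where;
    if (m->fault != PFM_OK) return m->fault;            /* keep the first fault */
    if (m->pos < m->len && m->expected[m->pos] == id) { m->pos++; return PFM_OK; }
    if (m->pos >= m->len) {
        m->fault = PFM_ADDITIONAL;                      /* cycle already complete */
    } else if ((where = pfm_find(m, id)) == m->len) {
        m->fault = PFM_ADDITIONAL;                      /* id is not in the flow at all */
    } else if (where > m->pos) {
        m->fault = PFM_MISSING;                         /* the steps in between were skipped */
    } else {
        m->fault = PFM_WRONG_ORDER;                     /* id already ran earlier this cycle */
    }
    return m->fault;
}

/* Called once per cycle (e.g. before the watchdog is served); resets the monitor. */
pfm_result_t pfm_end_of_cycle(pfm_t *m) {
    pfm_result_t r = m->fault;
    if (r == PFM_OK && m->pos < m->len) r = PFM_MISSING; /* flow stopped early */
    m->pos = 0; m->fault = PFM_OK;
    return r;
}
```

The first deviation is latched so the diagnostic reports the root cause rather than the follow-on mismatches; the end-of-cycle check is what turns a silently stopped flow into a reported fault.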
Temporal Program Flow
Time Budget Monitoring
We most often combine the temporal program flow monitoring with the logical program flow control to make the program flow safety measure complete. The temporal program flow monitoring performs timing-related checks in systems with static function scheduling.
The time budget monitor detects the following scenarios:
- Runtime is out of range - function or task runs faster or slower than expected
- Cycle time is out of range - the time between function calls or task activations is faster or slower than expected
- Interrupt load is out of range - the number of interrupt activations since the last check is higher than expected
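The following time budget monitor, added here as an example and not taken from the product, checks exactly the three scenarios above: runtime per activation, cycle time between activations, and interrupt activations per check period. Timestamps are unsigned ticks from any time base; the limits, names and result codes are constructed.

```c
#include <stdint.h>

/* Constructed example: per-function time budget with unsigned tick timestamps. */
typedef enum { TBM_OK = 0, TBM_RUNTIME, TBM_CYCLE_TIME, TBM_IRQ_LOAD } tbm_fault_t;

typedef struct {
    uint32_t run_min, run_max;   /* allowed runtime per activation, in ticks */
    uint32_t cyc_min, cyc_max;   /* allowed time between two activations */
    uint32_t irq_max;            /* allowed interrupt activations per check period */
    uint32_t t_start;            /* timestamp of the current activation */
    uint32_t t_prev_start;       /* timestamp of the previous activation */
    int      have_prev;          /* cycle time needs two activations */
    volatile uint32_t irq_count; /* written from ISR context, read by the check */
} tbm_t;

void tbm_init(tbm_t *m, uint32_t run_min, uint32_t run_max,
              uint32_t cyc_min, uint32_t cyc_max, uint32_t irq_max) {
    m->run_min = run_min; m->run_max = run_max;
    m->cyc_min = cyc_min; m->cyc_max = cyc_max; m->irq_max = irq_max;
    m->t_start = m->t_prev_start = 0; m->have_prev = 0; m->irq_count = 0;
}

/* Entry of the monitored function or task; checks the cycle time. */
tbm_fault_t tbm_start(tbm_t *m, uint32_t now) {
    tbm_fault_t f = TBM_OK;
    if (m->have_prev) {
        uint32_t cyc = now - m->t_prev_start;  /* unsigned subtraction survives counter wrap */
        if (cyc < m->cyc_min || cyc > m->cyc_max) f = TBM_CYCLE_TIME;
    }
    m->t_prev_start = m->t_start = now; m->have_prev = 1;
    return f;
}

/* Exit of the monitored function or task; checks the runtime. */
tbm_fault_t tbm_stop(const tbm_t *m, uint32_t now) {
    uint32_t run = now - m->t_start;
    return (run < m->run_min || run > m->run_max) ? TBM_RUNTIME : TBM_OK;
}

/* Called from the interrupt handler's prologue. */
void tbm_irq_activation(tbm_t *m) { m->irq_count++; }

/* Called once per check period from the supervising task; resets the counter.
   An increment landing between the read and the reset is lost, so a real
   implementation would swap the counter atomically. */
tbm_fault_t tbm_check_irq_load(tbm_t *m) {
    uint32_t n = m->irq_count;
    m->irq_count = 0;
    return (n > m->irq_max) ? TBM_IRQ_LOAD : TBM_OK;
}
```

Both "too fast" and "too slow" are faults, since a function that returns early has usually skipped work, and the wrap-around test below shows why the tick arithmetic must stay unsigned.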
The end-to-end protected communication (E2E) is an additional method that comes into play when you need to transfer safe data via unsafe communication channels. The protection is added directly to the transferred data, enabling the receiver to identify any communication problem.
The E2E protection detects all possible communication faults:
- Repeated Message - the standard stack delivers the same message again
- Losing a Message - too much traffic causes the standard communication to overflow
- Inserting a Message - manipulation attack on standard communication (see note)
Note: the communication is protected against safety-related faults. When you need to address cyberattacks, the envelope needs a signature and encryption. Please contact us in case of interest in such a feature.
- Message Sequence - the standard stack delivers messages in the wrong order
- Corrupted Message - the data was altered during transfer
- Distinguish Message Sender - supports N senders communicating with 1 receiver
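As an added illustration of the fault classes above (not the product's own envelope format), here is a constructed E2E envelope of sender id, sequence counter and CRC-16, with the receiver-side classification. Like the page's note says, this detects safety-related faults only; a CRC is not a signature and gives no protection against a deliberate attacker.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef enum { E2E_OK = 0, E2E_CORRUPTED, E2E_REPEATED, E2E_LOST,
               E2E_SEQUENCE, E2E_WRONG_SENDER } e2e_status_t;

/* Constructed frame layout: [sender id][counter][payload ...][crc hi][crc lo] */
#define E2E_HDR 2u
#define E2E_TRL 2u

/* CRC-16/CCITT-FALSE, bitwise (poly 0x1021, init 0xFFFF); stands in for a CRC module. */
uint16_t e2e_crc16(const uint8_t *d, size_t n) {
    uint16_t crc = 0xFFFFu; size_t i; int b;
    for (i = 0; i < n; i++) {
        crc ^= (uint16_t)(d[i] << 8);
        for (b = 0; b < 8; b++)
            crc = (crc & 0x8000u) ? (uint16_t)((crc << 1) ^ 0x1021u) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender: wraps payload into out (needs n + 4 bytes); returns the frame length. */
size_t e2e_protect(uint8_t sender, uint8_t *counter, const uint8_t *payload, size_t n, uint8_t *out) {
    uint16_t crc;
    out[0] = sender; out[1] = (*counter)++;       /* counter wraps modulo 256 */
    memcpy(out + E2E_HDR, payload, n);
    crc = e2e_crc16(out, E2E_HDR + n);            /* CRC covers header and payload */
    out[E2E_HDR + n] = (uint8_t)(crc >> 8); out[E2E_HDR + n + 1] = (uint8_t)crc;
    return E2E_HDR + n + E2E_TRL;
}

typedef struct { uint8_t sender; uint8_t last_counter; int synced; } e2e_rx_t;

/* Receiver: classifies the frame; the payload starts at frame + E2E_HDR when E2E_OK. */
e2e_status_t e2e_check(e2e_rx_t *rx, const uint8_t *frame, size_t len) {
    uint16_t got; uint8_t delta;
    if (len < E2E_HDR + E2E_TRL) return E2E_CORRUPTED;
    got = (uint16_t)((frame[len - 2] << 8) | frame[len - 1]);
    if (got != e2e_crc16(frame, len - E2E_TRL)) return E2E_CORRUPTED; /* header untrusted until CRC matches */
    if (frame[0] != rx->sender) return E2E_WRONG_SENDER;
    if (!rx->synced) {                            /* autonomous synchronization after startup */
        rx->synced = 1; rx->last_counter = frame[1]; return E2E_OK;
    }
    delta = (uint8_t)(frame[1] - rx->last_counter);  /* modulo-256 distance from the last good frame */
    if (delta == 0)    return E2E_REPEATED;
    if (delta >= 128u) return E2E_SEQUENCE;       /* older than the last good frame: out of order */
    rx->last_counter = frame[1];
    return (delta == 1) ? E2E_OK : E2E_LOST;      /* a gap means the frames in between were lost */
}
```

The CRC is verified before the sender id or counter are interpreted, so a corrupted header is reported as corruption rather than as a spurious sequence or sender fault.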
Ready to Use
Since the requirements for these modules originate from a safety standard, it is a natural choice for us to pre-certify them.
Program Flow Monitor
The program flow monitor checks the logical program sequence.
- Unlimited length of execution flow
- Execution of functions
- Execution of ISR handlers
- Execution of RTOS tasks
- Unlimited number of execution flows
Time Budget Watchdog
The time budget watchdog checks the actual runtime consumption.
- Integrated into Flexible Safety RTOS
- Monitor of functions
- Monitor of RTOS tasks
- Monitor of IRQ requests
- Any time base for measurement
This module provides the calculation for cyclic redundancy checksums.
- Define multiple algorithms
- Supports hardware CRC modules
- Performance optimized design
This module provides the communication protection of safety data.
- Individual strength for each channel
- Autonomous synchronization after startup
- Integrated into Flexible Safety RTOS
Protect your Investment
The Safety AddOns are designed to provide standard-conforming safety measures for any hardware with any modern cross-compiler. The integration into the Flexible Safety RTOS is part of this component. Use in other operating systems is simple, and examples are provided for E2E communication between multiple cores with different safety capabilities.
You get proven algorithms as part of the Safety AddOns, ready for use with a pre-certification for multiple use cases:
- Industrial : IEC 61508 - SIL3
- Medical : IEC 62304 - Class C
- Automotive : ISO 26262 - ASIL D
The delivered Safety AddOns are independent in many ways. This allows maximum possible flexibility in your project design:
- Use any ANSI C99 compliant Compiler
- Already integrated into Flexible Safety RTOS
- Use the Safety AddOns on any hardware
The Safety AddOns come with extensive documentation, including guidance on how to achieve the target diagnostic coverage.
- Detailed Safety Manual
- Users Guide and API Reference Manual
- Explained demo projects
Let's talk about your use-cases and potential benefits from this module in your system architecture.