The global objective of the logical and temporal program flow monitoring is given in the safety standard IEC 61508-7, Annex A.9:
Temporal and logical program sequence monitoring
To detect a defective program sequence. A defective program sequence exists if the individual elements of a program (for example software modules, subprograms, or commands) are processed in the wrong sequence or period of time, or if the clock of the processor is faulty.
Each of the two objectives (logical sequence and timing) can be monitored and checked individually. To achieve the highest diagnostic coverage levels, combining both is the compelling choice for detecting potential defective program sequences.
Logical Program Flow
Program Flow Control
The program flow safety measure is classified as "highly recommended" in all safety standards. The logical program flow control performs logical checks on system functionalities. Such a functionality can be a single function, a group of operations, or an RTOS task.
The program flow control detects the following failure scenarios:
Wrong execution order - e.g. the function or task execution order differs from the expected one
Missing function execution - e.g. an expected function or task execution is skipped or suppressed
Additional function execution - e.g. a function or task is executed although no execution was expected
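The three failure scenarios above can be illustrated with a minimal checkpoint-based flow monitor. This is an added example, not the Safety AddOns' own API: each monitored unit (function, ISR or task) reports a checkpoint id, and the monitor compares it against an expected sequence configured at start-up. All names, ids and sample traces are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

typedef enum {
    PFM_OK = 0,
    PFM_WRONG_ORDER, /* known checkpoint, but not the one expected next   */
    PFM_ADDITIONAL,  /* checkpoint that is not part of the flow at all    */
    PFM_MISSING      /* flow ended before all checkpoints were reached    */
} pfm_result_t;

typedef struct {
    const uint8_t *expected; /* expected checkpoint ids, in order      */
    size_t length;
    size_t position;         /* index of the next expected checkpoint  */
    pfm_result_t status;     /* first detected fault is latched        */
} pfm_flow_t;

void pfm_init(pfm_flow_t *f, const uint8_t *seq, size_t len) {
    f->expected = seq; f->length = len; f->position = 0; f->status = PFM_OK;
}

static int pfm_is_known(const pfm_flow_t *f, uint8_t id) {
    for (size_t i = 0; i < f->length; i++) if (f->expected[i] == id) return 1;
    return 0;
}

/* Called by each monitored unit when it executes. */
pfm_result_t pfm_checkpoint(pfm_flow_t *f, uint8_t id) {
    if (f->status != PFM_OK) return f->status;                 /* keep first fault */
    if (!pfm_is_known(f, id)) { f->status = PFM_ADDITIONAL; return f->status; }
    if (f->position >= f->length || f->expected[f->position] != id) {
        f->status = PFM_WRONG_ORDER; return f->status;
    }
    f->position++;
    return PFM_OK;
}

/* Called at the end of the cycle: every expected checkpoint must have been seen. */
pfm_result_t pfm_finish(pfm_flow_t *f) {
    if (f->status == PFM_OK && f->position != f->length) f->status = PFM_MISSING;
    return f->status;
}

/* Replays a recorded checkpoint trace against an expected sequence. */
pfm_result_t pfm_run(const uint8_t *seq, size_t n, const uint8_t *trace, size_t m) {
    pfm_flow_t f; pfm_init(&f, seq, n);
    for (size_t i = 0; i < m; i++) pfm_checkpoint(&f, trace[i]);
    return pfm_finish(&f);
}

/* Constructed sample traces for a flow of three checkpoints 1 -> 2 -> 3. */
static const uint8_t flow_expected[] = {1, 2, 3};
static const uint8_t trace_good[]    = {1, 2, 3};
static const uint8_t trace_swapped[] = {1, 3, 2};  /* wrong execution order      */
static const uint8_t trace_missing[] = {1, 2};     /* checkpoint 3 never reached */
static const uint8_t trace_extra[]   = {1, 2, 9, 3}; /* unexpected unit executed */
```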
Temporal Program Flow
Time Budget Monitoring
The temporal program flow monitoring is most often combined with the logical program flow control to make the program flow safety measure complete. The temporal program flow monitoring performs timing-related checks in systems with static function scheduling.
The time budget monitor detects the following scenarios:
Runtime is out of range - e.g. a function or task runs faster or slower than expected
Cycle time is out of range - e.g. the time between function calls or task activations is shorter or longer than expected
Interrupt load is out of range - e.g. the number of interrupt activations since the last check is higher than expected
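The three timing checks above, as an added example that is not the Safety AddOns' own code: a time budget monitor for one cyclically scheduled function, fed with a free-running tick counter so any time base can be used. Unsigned subtraction handles counter wrap-around. Names and limits are hypothetical.

```c
#include <stdint.h>

typedef enum {
    TBM_OK = 0,
    TBM_RUNTIME_OUT_OF_RANGE,  /* stop - start outside [runtime_min, runtime_max] */
    TBM_CYCLE_OUT_OF_RANGE,    /* start - previous start outside [cycle_min, cycle_max] */
    TBM_IRQ_LOAD_OUT_OF_RANGE  /* more interrupts than irq_max since the last check */
} tbm_result_t;

typedef struct {
    uint32_t runtime_min, runtime_max; /* allowed execution time, in ticks */
    uint32_t cycle_min, cycle_max;     /* allowed activation period, in ticks */
    uint32_t irq_max;                  /* allowed interrupt activations per cycle */
    uint32_t last_start, start;
    uint32_t irq_count;
    int have_last_start;               /* 0 until the first activation was seen */
} tbm_t;

void tbm_init(tbm_t *m, uint32_t rt_min, uint32_t rt_max,
              uint32_t cy_min, uint32_t cy_max, uint32_t irq_max) {
    m->runtime_min = rt_min; m->runtime_max = rt_max;
    m->cycle_min = cy_min;   m->cycle_max = cy_max;
    m->irq_max = irq_max;    m->irq_count = 0; m->have_last_start = 0;
}

/* Called from the ISR prologue: counts activations since the last check. */
void tbm_irq_enter(tbm_t *m) { m->irq_count++; }

/* Called when the monitored function starts; checks the activation period. */
tbm_result_t tbm_start(tbm_t *m, uint32_t now) {
    tbm_result_t r = TBM_OK;
    if (m->have_last_start) {
        uint32_t cycle = now - m->last_start;   /* modular: survives tick wrap */
        if (cycle < m->cycle_min || cycle > m->cycle_max) r = TBM_CYCLE_OUT_OF_RANGE;
    }
    m->last_start = now; m->start = now; m->have_last_start = 1;
    return r;
}

/* Called when the function ends; checks runtime and interrupt load, then
 * resets the interrupt counter for the next cycle. */
tbm_result_t tbm_stop(tbm_t *m, uint32_t now) {
    uint32_t runtime = now - m->start;
    uint32_t irqs = m->irq_count;
    m->irq_count = 0;
    if (runtime < m->runtime_min || runtime > m->runtime_max) return TBM_RUNTIME_OUT_OF_RANGE;
    if (irqs > m->irq_max) return TBM_IRQ_LOAD_OUT_OF_RANGE;
    return TBM_OK;
}
```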
End-to-end protected communication (E2E) is an additional method that comes into play when you need to transfer safe data over unsafe communication channels. The protection is added directly to the transferred data, enabling the receiver to identify any communication problem.
The E2E protection detects all possible communication faults:
Repeated Message - e.g., the standard stack always delivers the same message
Losing a Message - e.g., too much traffic, so the standard communication overflows
Inserting a Message - e.g., manipulation attack on standard communication (see note)
Message Sequence - e.g., the standard stack delivers messages in the wrong order
Corrupted Message - e.g., problem in data transfers
Distinguish Message Sender - e.g., to support N senders communicating with 1 receiver
Note: the communication is protected against safety-related faults. When you need to address cyberattacks, the envelope needs a signature and encryption. Please contact us in case of interest in such a feature.
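How a receiver can tell the fault classes listed above apart, as an added example that is not the Safety AddOns' E2E format: a tiny envelope [data_id][counter][crc8][payload...] where the CRC covers data id, counter and payload, so corruption is separated from sequencing faults, and the data id identifies the sender. Polynomial, layout, gap limit and names are hypothetical; it covers safety faults only, as the note above says.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef enum { E2E_OK, E2E_CORRUPTED, E2E_WRONG_SENDER, E2E_REPEATED,
               E2E_LOST, E2E_WRONG_SEQUENCE } e2e_status_t;

typedef struct { uint8_t data_id; uint8_t last_counter; int synced; } e2e_rx_t;

/* CRC-8, polynomial 0x07, continued from an initial value so the header and
 * payload can be fed separately (hypothetical choice of polynomial). */
static uint8_t crc8(uint8_t c, const uint8_t *d, size_t n) {
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int b = 0; b < 8; b++)
            c = (c & 0x80) ? (uint8_t)((c << 1) ^ 0x07) : (uint8_t)(c << 1);
    }
    return c;
}

/* Sender side: builds the envelope (msg needs len + 3 bytes) and advances
 * the sender's own counter. */
void e2e_protect(uint8_t data_id, uint8_t *counter, const uint8_t *payload,
                 size_t len, uint8_t *msg) {
    msg[0] = data_id;
    msg[1] = (*counter)++;
    memcpy(msg + 3, payload, len);
    msg[2] = crc8(crc8(0, msg, 2), msg + 3, len);   /* id, counter, payload */
}

/* Receiver side: classifies one message. The first message after startup
 * only synchronises the counter; later messages are judged by the counter
 * distance to the last accepted one. */
e2e_status_t e2e_check(e2e_rx_t *rx, const uint8_t *msg, size_t total_len) {
    if (total_len < 3) return E2E_CORRUPTED;
    if (crc8(crc8(0, msg, 2), msg + 3, total_len - 3) != msg[2]) return E2E_CORRUPTED;
    if (msg[0] != rx->data_id) return E2E_WRONG_SENDER;   /* inserted / other sender */
    uint8_t delta = (uint8_t)(msg[1] - rx->last_counter);  /* modulo 256 */
    e2e_status_t s;
    if (!rx->synced)    s = E2E_OK;
    else if (delta == 0) s = E2E_REPEATED;
    else if (delta == 1) s = E2E_OK;
    else if (delta <= 3) s = E2E_LOST;            /* small gap: messages dropped */
    else                 s = E2E_WRONG_SEQUENCE;  /* old or far-out-of-order message */
    if (s == E2E_OK || s == E2E_LOST) { rx->last_counter = msg[1]; rx->synced = 1; }
    return s;
}
```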
Ready to Use
Since the requirements for these modules originate from a safety standard, pre-certifying them is a natural choice.
Program Flow Monitor
The program flow monitor checks the logical program sequence.
Unlimited length of execution flow
Execution of functions
Execution of ISR handlers
Execution of RTOS tasks
Unlimited number of execution flows
Time Budget Watchdog
The time budget watchdog checks the actual runtime consumption.
Integrated into Flexible Safety RTOS
Monitor of functions
Monitor of RTOS tasks
Monitor of IRQ requests
Any time base for measurement
This module provides the calculation of cyclic redundancy checks (CRCs).
Define multiple algorithms
Supports hardware CRC modules
Performance optimized design
This module provides the communication protection of safety data.
Individual strength for each channel
Autonomous synchronization after startup
Integrated into Flexible Safety RTOS
Protect your Investment
The Safety AddOns are designed to provide standard-conformant safety measures for any hardware with any modern cross-compiler. The integration into the Flexible Safety RTOS is part of this component. Use in other operating systems is simple, and examples are provided for E2E communication between multiple cores with different safety capabilities.
You get proven algorithms as part of the Safety AddOns, ready for use with a pre-certification for multiple use cases:
Industrial: IEC 61508 - SIL3
Medical: IEC 62304 - Class C
Automotive: ISO 26262 - ASIL D
The delivered Safety AddOns are independent in many ways. This allows maximum possible flexibility in your project design:
Use any ANSI C99 compliant Compiler
Already integrated into Flexible Safety RTOS
Use the Safety AddOns on any hardware
The Safety AddOns come with extensive documentation and guidance on how to achieve the target diagnostic coverage.
Detailed Safety Manual
Users Guide and API Reference Manual
Explained demo projects
Let's talk about your use-cases and potential benefits from this module in your system architecture.