Embedded Office Products

Safety AddOns

The global objective of the logical and temporal program flow monitoring is given in the safety standard IEC 61508-7, Annex A.9 as "Temporal and logical program sequence monitoring":

"To detect a defective program sequence. A defective program sequence exists if the individual elements of a program (for example software modules, subprograms, or commands) are processed in the wrong sequence or period of time, or if the clock of the processor is faulty."

This common safety requirement is the purpose of the product Safety Add-Ons. The following video gives you an introduction to the Safety Add-Ons:

Video: Introduction to Safety AddOns

The Safety Add-Ons allow monitoring and checking each of the objectives (logical sequence and timing) individually. To achieve the highest diagnostic coverage, combining both is the most effective way to detect potential defective program sequences.

Logical Program Flow

Program Flow Control

The program flow safety measure is classified as "highly recommended" in all safety standards. The logical program flow control performs logical checks for system functionalities. Such a system functionality can be a single function, a group of operations, or RTOS tasks.

Figure: Program Flow Monitor Scenarios

The program flow control detects the following failure scenarios:

  • Wrong execution order  -  the function or task execution order differs from the expected order
  • Missing function execution  -  an expected function or task execution is skipped or suppressed
  • Additional function execution  -  a function or task executes although it was not expected
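The three scenarios above in working C, as an added example that is not Embedded Office code: monitored code reports checkpoints, and the monitor classifies the recorded trace at the end of each cycle. The names, the trace size and the classification rules are assumptions of this example.

```c
/* Added example (not Embedded Office code): a minimal logical program flow monitor.
 * Monitored functions, ISRs or tasks report a checkpoint id; at the end of a cycle the
 * recorded trace is compared with the expected sequence and classified into the three
 * failure scenarios listed above. */
#include <stdint.h>
#include <stddef.h>
#define PFM_MAX_TRACE 16
typedef enum { PFM_OK, PFM_WRONG_ORDER, PFM_MISSING, PFM_ADDITIONAL } pfm_result_t;
typedef struct {
    const uint8_t *expected;        /* expected checkpoint ids, in order */
    size_t expected_len;
    uint8_t trace[PFM_MAX_TRACE];   /* checkpoints reported in this cycle */
    size_t trace_len;
    int overflow;                   /* more checkpoints than the trace can hold */
} pfm_t;

void pfm_init(pfm_t *m, const uint8_t *expected, size_t len)
{
    m->expected = expected; m->expected_len = len; m->trace_len = 0; m->overflow = 0;
}

/* Called from each monitored function, ISR handler or task. */
void pfm_checkpoint(pfm_t *m, uint8_t id)
{
    if (m->trace_len < PFM_MAX_TRACE) m->trace[m->trace_len++] = id; else m->overflow = 1;
}

/* Is 'sub' an in-order subsequence of 'seq'? */
static int is_subsequence(const uint8_t *sub, size_t sublen, const uint8_t *seq, size_t seqlen)
{
    size_t i = 0, j = 0;
    while (i < sublen && j < seqlen) { if (sub[i] == seq[j]) i++; j++; }
    return i == sublen;
}

/* Called once per cycle, e.g. before servicing the hardware watchdog; resets the trace. */
pfm_result_t pfm_check(pfm_t *m)
{
    pfm_result_t r;
    if (m->overflow)
        r = PFM_ADDITIONAL;
    else if (is_subsequence(m->trace, m->trace_len, m->expected, m->expected_len))
        r = (m->trace_len == m->expected_len) ? PFM_OK : PFM_MISSING;   /* steps skipped */
    else if (is_subsequence(m->expected, m->expected_len, m->trace, m->trace_len))
        r = PFM_ADDITIONAL;      /* everything expected ran, plus something unexpected */
    else
        r = PFM_WRONG_ORDER;     /* same steps in a different order, or a mixed fault */
    m->trace_len = 0; m->overflow = 0;
    return r;
}
```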
Temporal Program Flow

Time Budget Monitoring

We most often combine the temporal program flow monitoring with the logical program flow control to make the program flow safety measure complete. The temporal program flow monitoring performs timing-related checks in systems with static function scheduling.

Figure: Time Budget Monitor Scenarios

The time budget monitor detects the following scenarios:

  • Runtime is out of range  -  the function or task runs faster or slower than expected
  • Cycle time is out of range  -  the time between function calls or task activations is shorter or longer than expected
  • Interrupt load is out of range  -  the number of interrupt activations since the last check is higher than expected
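The three timing checks above in working C, as an added example that is not Embedded Office code: the caller supplies start and end timestamps of each activation from any monotonic time base, and interrupt handlers report their activations. The names and limits are assumptions of this example.

```c
/* Added example (not Embedded Office code): a minimal time budget monitor with the
 * three checks listed above. Timestamps come from any monotonic time base (a free
 * running tick counter is assumed here) and are supplied by the caller. */
#include <stdint.h>

typedef enum { TBM_OK, TBM_RUNTIME, TBM_CYCLE_TIME, TBM_IRQ_LOAD } tbm_result_t;

typedef struct {
    uint32_t runtime_min, runtime_max;   /* allowed execution time per activation */
    uint32_t cycle_min, cycle_max;       /* allowed time between two activations */
    uint32_t irq_max;                    /* allowed interrupt activations between checks */
    uint32_t last_start;                 /* start timestamp of the previous activation */
    uint32_t irq_count;                  /* interrupts counted since the last check */
    int started;                         /* cycle time is only defined from the 2nd run */
} tbm_t;

void tbm_init(tbm_t *m, uint32_t rt_min, uint32_t rt_max,
              uint32_t cy_min, uint32_t cy_max, uint32_t irq_max)
{
    m->runtime_min = rt_min; m->runtime_max = rt_max;
    m->cycle_min = cy_min;   m->cycle_max = cy_max;
    m->irq_max = irq_max;    m->last_start = 0;
    m->irq_count = 0;        m->started = 0;
}

/* Called from every interrupt handler whose load is monitored. */
void tbm_irq(tbm_t *m)
{
    m->irq_count++;
}

/* Called with the start and end timestamps of one activation of the monitored
 * function or task. Unsigned subtraction keeps the checks correct across tick
 * counter wrap-around. The first deviation found is reported; all state is
 * updated so the next activation is judged on its own. */
tbm_result_t tbm_check(tbm_t *m, uint32_t start, uint32_t end)
{
    tbm_result_t r = TBM_OK;
    uint32_t runtime = end - start;
    uint32_t cycle = start - m->last_start;
    if (runtime < m->runtime_min || runtime > m->runtime_max)
        r = TBM_RUNTIME;
    else if (m->started && (cycle < m->cycle_min || cycle > m->cycle_max))
        r = TBM_CYCLE_TIME;
    else if (m->irq_count > m->irq_max)
        r = TBM_IRQ_LOAD;
    m->last_start = start; m->started = 1; m->irq_count = 0;
    return r;
}
```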
E2E Communication

Black-channel Communication

The end-to-end protected communication (E2E) is an additional method that comes into play when you need to transfer safe data via unsafe communication channels. The protection is added directly into the transferred data, enabling the receiver to identify any communication problem.

Figure: Black-channel Communication Scenario

The E2E protection detects all possible communication faults:

  • Repeated Message  -  the standard stack always delivers the same message
  • Losing a Message  -  too much traffic, so the standard communication overflows
  • Inserting a Message  -  a manipulation attack on the standard communication (see note)
  • Message Sequence  -  the standard stack delivers messages in the wrong order
  • Corrupted Message  -  a problem in the data transfer
  • Distinguish Message Sender  -  supports N senders communicating with 1 receiver

Note: the communication is protected against safety issues. When you need to address cyberattacks, the envelope needs a signature and encryption. Please contact us in case of interest in such a feature.
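An illustrative E2E envelope in C, as an added example that is not Embedded Office code and not the product's frame format: sender id, sequence counter and a CRC-8 seeded with a per-channel data id that is never transmitted, so the receiver can tell apart repeated, lost, reordered, corrupted and foreign (inserted) frames and frames from the wrong sender. The field sizes, the CRC polynomial and the loss tolerance are assumptions of this example.

```c
/* Added example (not Embedded Office code): an illustrative E2E envelope made of sender id,
 * sequence counter, payload and a CRC-8 over all of them. The CRC is seeded with a per-channel
 * data id that is never transmitted, so a valid frame inserted from another channel fails here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define E2E_PAYLOAD  4
#define E2E_MAX_LOSS 3   /* tolerated counter jump before a sequence fault is reported */
typedef struct { uint8_t sender, counter, data[E2E_PAYLOAD], crc; } e2e_frame_t;
typedef struct { uint8_t data_id, sender, last_counter; int started; } e2e_rx_t;
typedef enum { E2E_OK, E2E_LOST, E2E_REPEATED, E2E_WRONG_SEQUENCE,
               E2E_CORRUPTED, E2E_WRONG_SENDER } e2e_status_t;

/* CRC-8, polynomial 0x07, MSB first, starting from the channel's data id. */
static uint8_t crc8(uint8_t seed, const uint8_t *buf, size_t len)
{
    uint8_t crc = seed; size_t i; int b;
    for (i = 0; i < len; i++) {
        crc ^= buf[i];
        for (b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x07 : crc << 1);
    }
    return crc;
}
static uint8_t frame_crc(uint8_t data_id, const e2e_frame_t *f)
{
    return crc8(data_id, (const uint8_t *)f, offsetof(e2e_frame_t, crc));
}

/* Sender side: wrap a payload, then advance the per-channel counter. */
void e2e_protect(uint8_t data_id, uint8_t sender, uint8_t *counter,
                 const uint8_t payload[E2E_PAYLOAD], e2e_frame_t *f)
{
    f->sender = sender; f->counter = (*counter)++;
    memcpy(f->data, payload, E2E_PAYLOAD);
    f->crc = frame_crc(data_id, f);
}

/* Receiver side, bound to one expected sender. Synchronises on the first valid frame. */
e2e_status_t e2e_check(e2e_rx_t *rx, const e2e_frame_t *f)
{
    uint8_t delta;
    if (frame_crc(rx->data_id, f) != f->crc) return E2E_CORRUPTED;  /* bit error or foreign frame */
    if (f->sender != rx->sender) return E2E_WRONG_SENDER;
    if (!rx->started) { rx->started = 1; rx->last_counter = f->counter; return E2E_OK; }
    delta = (uint8_t)(f->counter - rx->last_counter);
    if (delta == 0) return E2E_REPEATED;
    if (delta > E2E_MAX_LOSS + 1) return E2E_WRONG_SEQUENCE;  /* stale or reordered frame */
    rx->last_counter = f->counter;
    return (delta == 1) ? E2E_OK : E2E_LOST;                  /* delta > 1: frames were lost */
}
```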
Pre-certified Modules

Ready to Use

Since the requirements for these modules originate from a safety standard, it is a natural choice that we perform a pre-certification for these modules.

Program Flow Monitor

The program flow monitor checks the logical program sequence.

  • Unlimited length of execution flow
  • Execution of functions
  • Execution of ISR handlers
  • Execution of RTOS tasks
  • Unlimited number of execution flows

Time Budget Watchdog

The time budget watchdog checks the actual runtime consumption.

  • Integrated into Flexible Safety RTOS
  • Monitor of functions
  • Monitor of RTOS tasks
  • Monitor of IRQ requests
  • Any time base for measurement

CRC Module

This module provides the calculation of cyclic redundancy checksums.

  • Define multiple algorithms
  • Supports hardware CRC modules
  • Performance-optimized design

End-To-End Protection

This module provides the communication protection of safety data.

  • Individual strength for each channel
  • Autonomous synchronization after startup
  • Integrated into Flexible Safety RTOS
Flexible Usage

Protect your Investment

The Safety AddOns are designed to provide standard-conforming safety measures for any hardware with any modern cross-compiler. The integration into the Flexible Safety RTOS is part of this component. Using them in other operating systems is simple, and examples are provided for E2E communication between multiple cores with different safety capabilities.

Pre-certified solution

You get proven algorithms as part of the Safety AddOns, ready for use with a pre-certification for multiple use cases:

  • Industrial IEC 61508 - SIL3
  • Medical IEC 62304 - Class C
  • Automotive ISO 26262 - ASIL D

Independent component

The delivered Safety AddOns are independent in many ways. This allows maximum flexibility in your project design:

  • Use any ANSI C99 compliant compiler
  • Already integrated into Flexible Safety RTOS
  • Use the Safety AddOns on any hardware

Safety Guidance

The Safety AddOns come with guidance on how to achieve the target diagnostic coverage in the extensive documentation.

  • Detailed Safety Manual
  • User's Guide and API Reference Manual
  • Explained demo projects

Contact us

Let's talk about your use cases and the potential benefits from this module in your system architecture.