QP/C  8.0.0
Real-Time Embedded Framework
Loading...
Searching...
No Matches
Safety Viewpoint

Resource Viewpoint

The architectural Safety Viewpoint consists of various aspects of the software systematic capability defined as the measure of the confidence that the systematic safety integrity of the software meets the requirements of the specified SIL 3, in respect of the specified software safety function, when the software is applied in accordance with the instructions specified in the compliant item Safety Manual [DOC_SSM_QP] for the software ([IEC 61508-4:2010] 3.5.9). This viewpoint is intended as a cross-check of all techniques and measures required by [IEC 61508-3:2010] against the architecture of QP/C Framework. The Safety Viewpoint frames the following concerns:

  • functional safety
  • software systematic capability
  • addressing all "highly recommended" techniques and measures
  • selecting the "alternative or equivalent" techniques/measures
  • avoiding all "not recommended" techniques and measures

The rigor of the required design process and control measures are a function of a Safety Integrity Level (SIL). This is evaluated through a detailed assessment of the design and the quality and safety management system against the requirements in [IEC 61508:2010]. The following Table SAS-FUSA lists the systematic capability techniques and measures for software architecture required by [IEC 61508-3:2010] Table A.2 to achieve SIL 3. The last two columns of the table define how these techniques are to be addressed in the architecture of QP/C Framework and QP/C Applications, respectively.

Note
Achieving the systematic capability for SIL 3 requires the specified architecture to be applied not just in QP/C Framework but also in QP/C Application. Therefore, the following Table SAS-FUSA lists the architecture specifications for both QP/C Framework (SAS_QP_FUSA_xx) and QP/C Application (SAS_QA_FUSA_xx).

Table SAS-FUSA: Systematic capability techniques and measures applied to QP/C Framework and QP/C Applications.
Technique/Measure(*) IEC 61508
Ref.
SIL 3
(#)
Specs for
QP Framework
Specs for
QP Application
1 Fault detection C.3.1 HR SAS_QP_FUSA_01 SAS_QA_FUSA_01
2 Error detecting codes C.3.2 R SAS_QP_FUSA_02
3a Failure assertion programming C.3.3 R SAS_QP_FUSA_03A
3b Diverse monitor techniques (with independence between the monitor and the monitored function in the same computer) C.3.4 R
3c Diverse monitor techniques (with separation between the monitor computer and the monitored computer) C.3.5 R
3d Diverse redundancy, implementing the same software safety requirement specification C.3.5
3e Functionally diverse redundancy, implementing different software safety requirement specification C.3.5 R
3f Backward recovery C.3.6
3g Stateless software design (or limited state design) C.2.12 R
4a Re-try fault recovery mechanism C.3.7
4b Graceful degradation C.3.8 HR SAS_QP_FUSA_04B SAS_QA_FUSA_04B
5 Artificial intelligence - fault correction C.3.9 NR SAS_QP_FUSA_05 SAS_QA_FUSA_05
6 Dynamic reconfiguration C.3.10 NR SAS_QP_FUSA_06 SAS_QA_FUSA_06
7 Modular approach Table B.9 HR SAS_QP_FUSA_07 SAS_QA_FUSA_07
8 Use of trusted/verified software elements (if available) C.2.10 HR SAS_QP_FUSA_08 SAS_QA_FUSA_08
9 Forward traceability between the software safety requirements specification and software architecture C.2.11 HR SAS_QP_FUSA_09
10 Backward traceability between the software safety requirements specification and software architecture C.2.11 HR SAS_QP_FUSA_10
11a Structured diagrammatic methods C.2.1 HR SAS_QP_FUSA_11A
11b Semi-formal methods Table B.7 HR SAS_QP_FUSA_11B SAS_QA_FUSA_11B
11c Formal design and refinement methods B.2.2, C.2.4 R
11d Automatic software generation C.4.6 R SAS_QP_FUSA_11D SAS_QA_FUSA_11D
12 Computer-aided specification and design tools B.2.4 HR SAS_QP_FUSA_12 SAS_QA_FUSA_12
13a Cyclic behavior, with guaranteed maximum cycle time C.3.11 HR
13b Time-triggered architecture C.3.11 HR SAS_QP_FUSA_13B SAS_QA_FUSA_13B
13c Event-driven, with guaranteed maximum response time C.3.11 HR SAS_QP_FUSA_13C SAS_QA_FUSA_13C
14 Static resource allocation C.2.6.3 HR SAS_QP_FUSA_14 SAS_QA_FUSA_14
15 Static synchronization of access to shared resources C.2.6.3 R SAS_QP_FUSA_15 SAS_QA_FUSA_15
(#) Acronym Description
HR (Highly Recommended) — the technique or measure is highly recommended for this safety integrity level. If this technique or measure is not used then the rationale behind not using it should be detailed with reference to [IEC 61508-3:2010] Annex C during the safety planning and agreed with the assessor.
R (Recommended) — the technique or measure is recommended for this safety integrity level as a lower recommendation to a HR recommendation.
(Neutral) — the technique or measure has no recommendation for or against being used.
NR (NOT Recommended) — the technique or measure is positively not recommended for this safety integrity level. If this technique or measure is used then the rationale behind using it should be detailed with reference to [IEC 61508-3:2010] Annex C during the safety planning and agreed with the assessor.
Remarks
In the reference columns (entitled Ref), the informative references "B.x.x.x", "C.x.x.x" refer to descriptions of techniques in [IEC 61508-7:2010] Annexes B and C, while "Table A.x", "Table B.x" refer to tables of techniques in [IEC 61508-3:2010] Annexes A and B.
Note
(*) Alternative or equivalent techniques/measures are indicated by a letter following the number. It is intended that only one of the alternative or equivalent techniques/measures should be satisfied. The choice of alternative technique should be justified in accordance with the properties, given in [IEC 61508-3:2010] Annex C, desirable in the particular application.

Views

SAS_QP_FUSA_01

SAS_QP_FUSA_01 : Fault detection based on assertion programming in QP/C Framework.
Backward Traceability
QP/C Framework implements assertion-based fault detection as part of the QP Functional Safety (FuSa) Subsystem. The assertion facilities have the following architectural specifications:
  • the general fault detection policy is based on assertion programming:
    • SSR_QP_FDM_00 : QP/C Framework shall provide fault detection and management mechanisms based on assertion programming.
  • all assertions shall be easily identifiable in the source code
    • SSR_QP_FDM_00 : QP/C Framework shall provide fault detection and management mechanisms based on assertion programming.
  • all assertions shall be checked inside a critical section to protect them from concurrency hazards
    • SSR_QP_FDM_40 : The fault detection mechanisms provided in QP/C Framework shall be protected from concurrency hazards.
  • all assertions shall invoke a custom error handler defined in QP/C Application
    • SSR_QP_FDM_20 : The assertion-based mechanisms provided in QP/C Framework shall manage the detected faults by passing control to the custom error handler defined in QP/C Application.
  • all assertions shall have no side effects
    • SSR_QP_FDM_10 : The Boolean expressions checked in assertions shall have no side effects.
Example
The following pseudocode shows the use of the general-purpose assertion as well as specialized assertion facilities, illustrating the compact, idiomatic, and easily identifiable format:
void foo(void *ptr,...) {
. . .
Q_REQUIRE(ptr != nullptr); // <=== precondition assertion
// the following code can safely assume that 'ptr' is not nullptr
ptr->foo = ...
. . .
Q_ASSERT(y != 0); // <=== general-purpose assertion
// the following code can safely assume that 'y' is not 0
r = x / y;
. . .
}
#define Q_ASSERT(expr_)
Definition qsafe.h:116
#define Q_REQUIRE(expr_)
Definition qsafe.h:125
Forward Traceability

SAS_QA_FUSA_01

SAS_QA_FUSA_01 : Fault detection based on assertion programming in QP/C Application.
Backward Traceability
  • QP/C Application shall not disable assertions, especially in the final production release:
    • SSR_QA_FDM_00 : QP/C Application shall not disable the fault detection and management mechanisms.
  • QP/C Application shall use the assertion mechanisms provided in QP/C Framework:
    • SSR_QA_FDM_01 : QP/C Application should use the fault detection and management mechanisms provided in QP/C Framework.
  • Assertions in QP/C Application shall have no side effects:
    • SSR_QA_FDM_10 : The Boolean expressions checked in assertions shall have no side effects.
Example
The following pseudocode illustrates a no-return custom error handler defined in QP/C Application:
// NOTE: the following error handler executes within a critical section
// (preemption disabled).
[[noretrun]] void Q_onError(char const * const module, int const id) {
// place the system in a safe state
// log the error
// perform system reset (possibly into a different mode)
}
Q_NORETURN Q_onError(char const *const module, int_t const id)
Example
The following pseudocode illustrates a non-compliant assertion with side effects:
void foo(...) {
. . .
Q_ASSERT(ptr = &event123); // <=== assertion with side effect NON-COMPLIANT!
. . .
}
Forward Traceability

SAS_QP_FUSA_02

SAS_QP_FUSA_02 : Error detecting codes mechanisms to protect critical variables.
Backward Traceability
QP/C Framework shall implement the following error detecting code techniques in the indicated contexts:
  • Duplicate Inverse Storage, SSR_QP_DIM_10 : QP/C Framework shall apply self-monitoring SSFs based on "Duplicate Inverse Storage" to critical variables.
    • Event instances, see:
      • SSR_QP_DIM_10 : QP/C Framework shall apply self-monitoring SSFs based on "Duplicate Inverse Storage" to critical variables.
    • Current-state variable in the state machine implementations
      • SSR_QP_DIM_10 : QP/C Framework shall apply self-monitoring SSFs based on "Duplicate Inverse Storage" to critical variables.
    • Event queue buffers, see:
    • Event pool buffers, see:
    • Publish-subscribe lists, see:
    • Internal variables of the non-preemptive real-time kernel
    • Internal variables of the preemptive non-blocking real-time kernel
    • Internal variables of the preemptive dual-mode kernel
Forward Traceability

SAS_QP_FUSA_03A

SAS_QP_FUSA_03A : Failure assertion programming.
Backward Traceability
Failure assertion programming is a specialized form of assertion programming aimed at detecting faulty interfacing between components (preconditions, postconditions) as well as data corruption (invariants). QP/C Framework implements failure assertion programming as part of the QP Functional Safety (FuSa) Subsystem. The following assertion types are implemented (traceability:
  • SSR_QP_FDM_30 : The assertion-based fault detection mechanisms provided in QP/C Framework shall support failure assertion programming.
    • precondition
    • postcondition
    • invariant
    • error
Example
The following pseudocode illustrates precondition, invariant, error, and postcondition:
void FooClass_bar(FooClass * const me, uint8_t x) {
. . .
Q_REQUIRE((me != NULL) && (0U < x)); // <=== precondition
. . .
Q_INVARIANT(FooClass_verify(me)); // <=== invariant
. . .
switch (...) {
. . .
default:
Q_ERROR(); // <=== error
break;
}
// traverse a linked-list of Elements...
int_fast8_t lbound = 10; // fixed upper loop bound
for (Element el = list_head;
(el != nullptr) && (lbound > 0);
el = el->next, --lbound)
{
. . .
}
Q_ENSURE(lbound > 0); // <=== postcondition
}
#define Q_INVARIANT(expr_)
Definition qsafe.h:143
#define Q_ERROR()
Definition qsafe.h:119
#define Q_ENSURE(expr_)
Definition qsafe.h:134
Forward Traceability

SAS_QP_FUSA_04B

SAS_QP_FUSA_04B : Mechanisms for graceful degradation in QP/C Application.
Description
Graceful degradation aims to maintain more critical system functions available, despite failures, by dropping the less critical functions. QP/C Framework supports graceful degradation by providing mechanisms to protect the more critical functions from interference by the less critical ones. The main such mechanisms are:
  • reliable event posting with delivery guarantee for critical system functions (traceability: SSR_QP_EDG_10 )
  • unreliable event delivery (for less critical functions) but with the mechanism to ensure non-interference with reliable event delivery (traceability: SSR_QP_EDG_21 ). This non-interference mechanism shall work as follows:
    • When allocating a dynamic event, QP/C API shall provide a safety margin of the event pool from which the event is allocated. The unreliable allocation should fail (and convey this failure to QP/C Application) when the safety margin is reached. That way some space in the pool remains available to the reliable (default) event allocation mechanism.
    • When using the unreliable direct event posting mechanism, QP/C Application shall specify a safety margin of the event queue to which it posts events that can be lost. The unreliable posting should fail (and convey this failure to QP/C Application) when the safety margin is reached. That way some space in the queue remains available to the reliable (default) event posting mechanism.
Example
The following pseudocode illustrates unreliable event allocation and delivery to a less-important functionality:
QEvt const *echoEvt = Q_NEW_X(QEvt, 3U, ECHO_SIG, 0U); //<== unreliable allocation (margin==3)
if (echoEvt != (QEvt *)0) { // event allocated successfully?
QACTIVE_POST_X((QActive *)&l_cruncher, echoEvt, 2U, (void *)0); // unreliable posting (margin==2)
}
#define QACTIVE_POST_X(me_, e_, margin_, sender_)
Invoke the direct event posting facility QActive_post_() without delivery guarantee.
Definition qp.h:1211
#define Q_NEW_X(evtT_, margin_, sig_,...)
Non-asserting allocate a mutable (dynamic) event.
Definition qp.h:1182
Active object class (based on the QHsm implementation strategy)
Definition qp.h:779
Event class.
Definition qp.h:131
Forward Traceability

SAS_QA_FUSA_04B

SAS_QA_FUSA_04B : Safe graceful degradation in QP/C Application.
Description
QP/C Applications shall implement system-specific graceful degradation by applying the following mechanisms provided by QP/C Framework:
  • hierarchical state machines – as a mechanism to model and implement complex behavior, including special modes (e.g., "limp-home" mode).
  • unreliable event allocation and posting described in SAS_QP_FUSA_04B .
Forward Traceability

SAS_QP_FUSA_05

SAS_QP_FUSA_05 : NO use of artificial intelligence for fault correction in QP/C Framework.
Forward Traceability

SAS_QA_FUSA_05

SAS_QA_FUSA_05 : NO use of artificial intelligence for fault correction in QP/C Application.
Description
QP/C Application can use artificial intelligence, but NOT for fault correction.
Forward Traceability

SAS_QP_FUSA_06

SAS_QP_FUSA_06 : NO dynamic reconfiguration for fault correction in QP/C Framework.
Forward Traceability

SAS_QA_FUSA_06

SAS_QA_FUSA_06 : NO dynamic reconfiguration for fault correction in QP/C Application.
Description
Avoiding dynamic reconfiguration for fault correction means, among others, that QP/C Application shall not dynamically stop and start Active Objects at runtime. Instead, of changing the identity of Active Objects, the recommended method is for the QP/C Application to design and implement change of Active Object behavior by changing its state.
Forward Traceability

SAS_QP_FUSA_07

SAS_QP_FUSA_07 : Modular approach in QP/C Framework.
Description
QP/C Framework architecture shall apply the following rules for modularity (traceability: SRS_QP_NF_03 ):
  • information hiding/encapsulation (see Object-Oriented Architecture Model)
  • fully defined interface with explicit specification of function signatures
  • fully documented interfaces
  • modules shall guarantee correct use by preconditions and postconditions (see failure assertion programming)
  • all subprograms (functions) shall have a single entry and a single exit
  • all subprograms (functions) shall have number of parameters limited to 4
  • all subprograms (functions) shall have complexity limited to 20 (cyclomatic complexity)
  • global variables shall be limited to less than 10 for the whole QP/C Framework
Forward Traceability

SAS_QA_FUSA_07

SAS_QA_FUSA_07 : Modular approach in QP/C Application.
Description
Safety-related QP/C Application shall follow rules similar to SAS_QP_FUSA_07 .
Forward Traceability

SAS_QP_FUSA_08

SAS_QP_FUSA_08 : Only trusted/verified software elements in QP/C Framework.
Description
QP Framewrok implementation shall NOT use any 3rd-party software elements. The reliance on standard libraries shall be limited to header-only facilities (e.g., <stdint.h>), but any standard library code. All dependencies on external components (such as real-time kernel) shall be abstracted and restricted to the well-defined Operating System Abstraction Layer (OSAL).
Forward Traceability

SAS_QA_FUSA_08

SAS_QA_FUSA_08 : Only trusted/verified software elements in QP/C Application.
Description
QP/C Application shall combine QP/C Framework only with trusted/verified software elements, such as:
Forward Traceability

SAS_QP_FUSA_09

SAS_QP_FUSA_09 : Consistent forward traceability between Safety Requirements and Software Architecture in QP/C Framework.
Forward Traceability

SAS_QP_FUSA_10

SAS_QP_FUSA_10 : Consistent backward traceability between Safety Requirements and Software Architecture in QP/C Framework.
Forward Traceability

SAS_QP_FUSA_11A

SAS_QP_FUSA_11A : Structured diagrammatic methods in QP/C Framework.
Description
QP/C Framework documentation shall use the well-defined UML diagrams, whenever applicable. Non-UML diagrams shall have legends explaining the symbols.
Forward Traceability

SAS_QP_FUSA_11B

SAS_QP_FUSA_11B : Semi-formal methods in QP/C Framework.
Description
QP/C Framework shall use the following semi-formal methods (see [IEC 61508-7:2010] Table C.17)
Forward Traceability

SAS_QA_FUSA_11B

SAS_QA_FUSA_11B : Semi-formal methods in QP/C Application in form of hierarchical state machines.

Description
While QP/C Application is highly encouraged to use all recommended semi-formal methods ([IEC 61508-7:2010] Table C.17), QP/C Framework specifically enables QP/C Application to use of highly recommended finite state machines, and here the most powerful variant hierarchical state machines (traceability: SRS_QP_SM_00 )

Attention
Finite state machines, as the highly recommended technique by functional safety standards, are the primary mechanism for QP/C Applications to specify the behavior of the primary software components (Active Objects).
Forward Traceability

SAS_QP_FUSA_11D

SAS_QP_FUSA_11D : Automatic code generation in QP/C Framework.
Description
QP/C Framework source code shall be automatically generated from the QP/C Framework model (see also SAS_QP_FUSA_12 ). This eliminates large classes of human error, enforces coding conventions, and ensures consistency.
Forward Traceability

SAS_QA_FUSA_11D

SAS_QA_FUSA_11D : Automatic code generation in QP/C Application.
Description
QP/C Application shall apply automatic code generation, especially from state diagrams (see also SAS_QA_FUSA_12 ). This eliminates large classes of human error, enforces coding conventions, and ensures consistency.
Forward Traceability

SAS_QP_FUSA_12

SAS_QP_FUSA_12 : Computer-aided specification and design tools use in QP/C Framework.
Description
QP/C Framework source code shall be modeled with the QM model-based design tool [QM-Tool:2024].
Forward Traceability

SAS_QA_FUSA_12

SAS_QA_FUSA_12 : Computer-aided specification and design tools use in QP/C Application.
Description
QP/C Application shall leverage the QM model-based design tool [QM-Tool:2024] to model the application components, especially the hierarchical state machines of Active Objects.
Forward Traceability

SAS_QP_FUSA_13B

SAS_QP_FUSA_13B : Time-triggered architecture in QP/C Framework.
Description
While the QP/C Framework architecture is inherently event-driven (see SAS_QA_FUSA_13C ), the non-preemptive kernel built into QP/C Framework can be used to implement many aspects of time-triggered architecture (see SAS_QA_FUSA_13B ).
Forward Traceability

SAS_QA_FUSA_13B

SAS_QA_FUSA_13B : Time-triggered architecture in QP/C Application.
Description
It is highly recommended for QP/C Application to restrict the use of interrupts to just a single, periodic, system clock-tick interrupt. With this restriction plus the use of the non-preemptive kernel built into QP/C Framework, the execution profile of QP/C Application acquires many characteristics of time-triggered architecture.
Forward Traceability

SAS_QP_FUSA_13C

SAS_QP_FUSA_13C : Event-driven architecture with guaranteed maximum response time in QP/C Framework.
Description
QP/C Framework implements precisely the highly recommended event-driven architecture. Moreover, the preemptive, non-blocking kernel is fully compliant with the requirements of Rate-Monotonic Scheduling/Analysis (RMS/RMA) method, by which hard-real time execution can be guaranteed.
Forward Traceability

SAS_QA_FUSA_13C

SAS_QA_FUSA_13C : Event-driven architecture with guaranteed maximum response time in QP/C Application.
Description
QP/C Application shall apply event-driven architecture with guaranteed maximum response time. Specifically, QP/C Application should use the preemptive, non-blocking kernel and apply the Rate-Monotonic Scheduling/Analysis (RMS/RMA) method to quantify the CPU utilization and keep it under the schedulability bound.
Forward Traceability

SAS_QP_FUSA_14

SAS_QP_FUSA_14 : Static resource allocation in QP/C Framework.
Description
QP/C Framework shall apply exclusively static resource allocation and shall strictly avoid dynamic resource allocation.
Forward Traceability

SAS_QA_FUSA_14

SAS_QA_FUSA_14 : Static resource allocation in QP/C Application.
Description
The memory allocation policy of QP/C Framework requires QP/C Applications to provide the memory for all application-specific objects to the framework (traceability: SAS_QP_MEM ). QP/C Application can apply any policy to allocate such memory, but safety-related application shall apply exclusively static resource allocation and shall avoid dynamic resource allocation.
Note
The only resources that QP/C Application is allowed to allocate dynamically (at runtime) are mutable event instances, which are specifically designed for sharing, but only by obeying the strict ownership rules.
Forward Traceability

SAS_QP_FUSA_15

SAS_QP_FUSA_15 : Static synchronization of access to shared resources in QP/C Framework.
Description
QP/C Framework shall apply only the non-blocking critical section mutual exclusion mechanism to protect its internal shared resources.
Forward Traceability

SAS_QA_FUSA_15

SAS_QA_FUSA_15 : Static synchronization of access to shared resources in QP/C Application.
Description
QP/C Application shall strictly follow the shared-nothing principle, in which case QP/C Application does not need to use any shared resources. The only allowed form is sharing of events.
Note
The only resources that QP/C Application is allowed to share are events, which includes both immutable and mutable event instances. Mutable events are specifically designed for sharing, but only by obeying the strict ownership rules. These rules replace the need for any explict mechanism of synchronizing access to shared events.
Forward Traceability

Resource Viewpoint