[ISO 26262] #7. Safety Mechanisms for Temporal monitoring and logical programme sequence monitoring

Safety Mechanisms for Temporal monitoring and logical programme sequence monitoring

In this post, we will learn about Safety Mechanisms used in Temporal monitoring and logical programme sequence monitoring. The Safety Mechanisms described in this post are based on ISO 26262-5:2018 Annex D.

This image is generated by GPT using  key word Safety Mechanisms for Temporal monitoring and logical programme sequence monitoring


D.2.7.1 Watchdog with separate time base without time-window

The Watchdog with Separate Time Base Without Time-Window is a safety mechanism used to monitor the behavior and plausibility of program sequences in embedded systems. This technique employs external timing elements, such as watchdog timers, with a separate time base to ensure that the system operates correctly within specified time constraints. Unlike traditional watchdogs that rely on fixed intervals, this approach specifies a maximum allowable interval, offering flexibility in monitoring program execution.

Aim

  • Monitoring the Behavior and Plausibility of Program Sequences: Monitors the correct execution of program sequences in the system to maintain stability and reliability.

Description

1. Setting Timers:

    • Establish a separate time base by setting up external timing elements, such as a watchdog timer.

    2. Setting Program Trigger Points:

      • Set trigger points at appropriate locations within the program.
      • Each trigger point resets the timer within the maximum allowable interval.

      3. Monitoring and fault detection:

      • Timer operation monitoring: The timer must be reset within the program before it exceeds the maximum allowable interval.
      • Fault detection: If the timer is not reset and the maximum interval is exceeded, it is considered a system fault.

      4. Fault response and system recovery:

        • Fault response: If a fault is detected, the system automatically executes protective measures.
        • System recovery: If necessary, the system is rebooted or the fault condition is recovered to ensure normal operation.

        Example

        Example 1: Watchdog usage in an automotive control unit (ECU)

        • Configuration: The program sequence is monitored using a watchdog timer with a separate time base in the automotive ECU.
        • Operation principle:
          • Set a trigger point within the ECU program to periodically reset the watchdog timer.
          • If the program sequence does not reset the timer in time, the timer exceeds the maximum allowable interval and a fault is detected.
          • If a fault is detected, the ECU issues a warning and, if necessary, reboots the system.
        • Advantages:
          • Reliably monitors the program sequence of the ECU to prevent abnormal behavior.

        Example 2: Watchdog implementation in an industrial PLC (Programmable Logic Controller)

        • Configuration: Monitors the behavior of the processor using a watchdog timer with a separate time base in the PLC of an industrial automation system.
          • Operating principle:
          • Place a trigger point in the PLC program to periodically reset the watchdog timer.
          • If the program does not execute normally, the timer is not reset and the error is detected.
          • If an error occurs, the PLC issues a warning and restarts the system if necessary.
        • Advantages:
          • Reliably monitors the program sequence of the PLC to detect and respond to abnormal conditions.

        Limitations and challenges

        1. Increased design complexity

        • Complex trigger point settings: Setting trigger points for various program sequences can be complicated and can add additional burden to the system design.

        2. Performance Overhead

        • Additional Timer Management Requirements: Performance overhead may occur due to timer management and periodic resets, and optimizations are required to minimize this.

        3. Limited Error Detection

        • Timer Malfunction: Malfunctions of the timer itself can interfere with accurate error detection, and additional countermeasures are required to cope with this.


        D.2.7.2 Watchdog with separate time base and time-window

        The Watchdog with Separate Time Base and Time-Window is a sophisticated safety mechanism used to monitor the behavior and plausibility of program sequences in embedded systems. This technique enhances the traditional watchdog timer by incorporating both lower and upper time limits, creating a time window that the system must operate within. By doing so, it ensures that the system not only executes tasks but does so within a specified time frame, allowing for the detection of both excessive delays and premature executions.

        Aim

        • Monitoring the Behavior and Plausibility of Program Sequences: Maintains the stability and reliability of the system by monitoring whether program sequences execute correctly and within expected times.

        Description

        • Use External Timing Elements:
          • Separate Time Base: Periodically monitors the behavior of the system using an external timing element (e.g., a watchdog timer).
          • Monitoring Processor Operation: Verify the processor operation and the validity of the program sequence.
        • Time Window Limits:
          • Lower and Upper Time Limits: Set lower and upper limits for the program execution time to ensure that the program is executed within the specified time window.
          • Correct Placement of Triggering Points: Triggering points must be placed at appropriate locations within the program and must not be placed within interrupt service routines.
        • Error Detection:
          • Delay or Early Execution Detection: If the program is executed beyond or within the specified time window, it is considered an error.
          • Immediate Action: If program execution is detected outside the expected time window, immediate protective action is taken.

        Example

        Example 1: Watchdog Usage in Automotive Engine Control Systems

        • Configuration: Monitor the program sequence using a watchdog timer with a separate time base and time window in the engine control system of an automobile.
        • Operation Principle:
          • Set a trigger point within the engine control program to reset the watchdog timer periodically.
          • If the program does not reset the timer within the set time window, the timer detects an error by exceeding or falling below the set lower or upper limit.
          • If an error is detected, the engine control system issues a warning and, if necessary, reboots the system.
        • Advantages:
          • Reliably monitors the program sequence of the engine control system to prevent abnormal behavior.

        Example 2: Watchdog Implementation in Industrial Automation Systems

        • Configuration: Monitors the behavior of the processor using a watchdog timer with a separate time base and time window in the PLC (Programmable Logic Controller) of an industrial automation system.
        • Operating Principle:
          • Periodically resets the watchdog timer by placing a trigger point in the PLC program.
          • If the program does not reset the timer within the set time window, the timer detects an error.
          • If an error occurs, the PLC issues a warning and, if necessary, restarts the system.
        • Advantages:
          • Reliably monitors the program sequence of the PLC to detect and respond to abnormal conditions.

        Limitations and Challenges

        1. Increased Design Complexity

        • Complex Trigger Point and Time Window Setting: Setting trigger points and time windows for various program sequences can be complex and can add additional burden to the system design.

        2. Performance Overhead

        • Additional Timer Management Requirements: Performance overhead may occur due to timer management and periodic resets, and optimization is required to minimize this.

        3. Limited Error Detection

        • Timer Malfunction: Malfunction of the timer itself can interfere with accurate error detection, and additional countermeasures are required to cope with this.


        D.2.7.3 Logical monitoring of programme sequence

        Logical Monitoring of Programme Sequence is a safety technique used in embedded systems to ensure that individual program sections are executed in the correct order. By monitoring the logical flow of program execution, this technique can detect sequence errors that could lead to system hazards. The monitoring is implemented using software techniques or external facilities and is especially critical for detecting faults that could result in the incorrect execution of safety-critical functions.

        Aim

        • Monitoring the correct order of individual program sections: Ensures the safety and reliability of the system by ensuring that each section of the program is executed in the correct order.

        Description

        • Define program sections and set checkpoints:
          • Define critical sections within the program and set checkpoints to monitor their order.
        • Implement monitoring procedures:
          • Software monitoring: Implement counting procedures or key procedures to track the program sequence.
          • External device monitoring: Use external monitoring devices to verify the consistency of the program sequence.
        • Sequence Consistency Assessment:
          • Monitors whether the program is executed in the expected order, assessing whether there are any sections that are out of order or missing.
        • Placement of Critical Checkpoints:
          • Critical Path Monitoring: Monitors paths that could be unfinished or executed in the wrong order due to single or multiple point faults, resulting in a hazard.
          • Updating the Sequence Between Function Calls: The program sequence can be updated between each function call, or more tightly integrated into the program execution.

        Example

        Example 1: Program Sequence Monitoring in Automotive Safety Systems

        • Configuration: Program sequence monitoring is used in automotive safety systems to ensure the correct execution of safety-related functions.
        • Operational Principle:
          • Set checkpoints in program sections for safety functions to monitor whether each section is executed in the correct order.
          • Use a software counting procedure to check the sequence consistency between each function call.
          • If the sequence is incorrect, the system issues a warning and corrects the error.
        • Benefits:
          • Reliably monitors the program execution sequence in automotive safety systems to prevent abnormal behavior.

        Example 2: Implementing External Monitoring in Industrial Control Systems

        • Configuration: Use external monitoring devices in industrial control systems to verify the sequence of critical control functions.
        • Operational Principle:
          • Use external monitoring devices to track the sequence of control programs and evaluate whether each step is executed.
          • If the expected sequence is not executed, the system issues an alert and stops the process if necessary.
        • Advantages:
          • Reliably monitor the program sequence of industrial control systems to detect and respond to errors early.

        Limitations and Challenges

        1. Increased Design Complexity

        • Complex Sequence Monitoring Configuration: Monitoring the sequence of various program sections can be complex and can add additional burden to the system design.

        2. Performance Overhead

        • Additional Monitoring Requirements: Performance overhead due to sequence monitoring can occur and optimizations are needed to minimize this.

        3. Limitations of External Monitoring

        • Dependency on External Devices: If you rely on external monitoring devices, malfunctions in those devices may affect the system’s ability to detect errors.


        D.2.7.4 Combination of temporal and logical monitoring of programme sequences

        The Combination of Temporal and Logical Monitoring of Programme Sequences is an advanced safety mechanism used in embedded systems. This technique combines both temporal and logical monitoring to ensure that program sections execute in the correct sequence and within the specified time constraints. By integrating these two monitoring approaches, the system can detect both timing errors and sequence errors, enhancing the overall reliability and safety of the system.

        Aim

        • Monitoring the operation and correct sequence of individual program sections: Ensures the stability and reliability of the system by verifying that the program executes in the correct sequence within the expected time.

        Description

        • Integrated Monitoring:
          • Temporal Monitoring: A timing device (e.g., a watchdog timer) is used to monitor the program sequence.
          • Logical Monitoring: Verify that the correct sequence of program sections is executed.
        • Triggering Conditions:
          • Conditional Retriggering: The timer is retriggered only when the program sections are executed in the correct order.
          • Combination with D.2.7.1 or D.2.7.2: Comprehensive monitoring is implemented using a combination of time-based monitoring (D.2.7.1 or D.2.7.2) and logical monitoring (D.2.7.3).

        Example

        Example 1: Integrated monitoring in an automotive control system

        • Configuration: Ensure the correct execution of safety-related functions in an automotive control system using time and logical monitoring.
        • Operating Principle:
          • Set checkpoints within the control program to monitor whether each section is executed in the correct order and within the correct time.
          • The timer is retriggered only when the program sections are executed correctly.
          • If the order is incorrect or the time is exceeded, the system issues a warning and corrects the error.
        • Advantages:
          • Reliably monitors the program execution of the control system, preventing abnormal behavior.

        Example 2: Implementing Integrated Monitoring in Industrial Automation Systems

        • Configuration: Use temporal and logical monitoring to verify the sequence of critical control functions in a PLC (Programmable Logic Controller) in an industrial automation system.
        • Operation Principle:
          • Use an external timing device to track the timing and sequence of the program and evaluate whether each step is executed.
          • If the execution is not in the expected sequence or is out of time, the system issues an alert and stops the process if necessary.
        • Advantages:
          • Reliably monitor the program sequence in an industrial automation system to detect and respond to errors early.

        Limitations and Challenges

        1. Increased Design Complexity

        • Complex Sequence and Time Monitoring Configuration: Monitoring the sequence and time of various program sections can be complex and can add additional burden to the system design.

        2. Performance Overhead

        • Additional Monitoring Requirements: Performance overhead due to sequence and time monitoring can occur and optimization is required to minimize this.

        3. Limitations of External Monitoring

        • Dependency on External Devices: If you rely on external monitoring devices, malfunctions in those devices may affect the system’s ability to detect errors.


        D.2.7.5 Combination of temporal and logical monitoring of programme sequences with time dependency

        The Combination of Temporal and Logical Monitoring of Programme Sequences with Time Dependency is an advanced safety mechanism used in embedded systems to monitor the behavior, correct sequencing, and execution time intervals of individual program sections. This technique integrates temporal and logical monitoring with time dependencies, ensuring that program sections execute not only in the correct sequence but also within specified time windows, thus providing comprehensive coverage against sequence and timing errors.

        Aim

        • Monitoring the Behavior, Correct Sequencing, and Execution Time Intervals of Program Sections: Ensures that each section of a program executes in the correct sequence and completes within the expected time windows, thereby maintaining the safety and reliability of the system.

        Description

        1. Define Program Sections and Set Checkpoints:

          • Define critical sections within a program and set checkpoints to monitor sequence and time dependencies.

          2. Implementation of Monitoring Procedures:

          • Temporal Monitoring: Monitors program execution time by setting up an external timing device (e.g., a watchdog timer).
          • Logical Monitoring: Uses software-based procedures to verify the correct order of program sections.
          • Time Dependency Monitoring: Verify that each program section is executed within a set time window.

          3. Program Flow Monitoring (PFM) Sequence:

            • The PFM sequence completes successfully only when the program executes in the expected order and time.
            • Any out-of-order or out-of-time occurrence is considered an error.

            4. Error Detection and Response:

              • Error Detection: The system detects and reports errors when the program is out of order or out of time.
              • Protective Action Execution: When an error is detected, the system automatically executes protective actions to prevent further damage.

              5. Automatic Correction and Recovery:

                • Automatically recovers from detected errors or corrects erroneous program execution to maintain the integrity of the system.

                Example

                Example 1: Integrated Monitoring in Automotive Safety Systems

                • Configuration: Integrates temporal and logical monitoring and time dependencies in automotive safety systems to ensure the correct execution of safety-related functions.
                • Operational Principle:
                  • Set checkpoints in program sections for safety functions to monitor whether each section is executed in the correct order and time.
                  • Program Flow Monitoring (PFM) sequences are successfully completed only when the program is executed in the expected order and time.
                  • If the order is incorrect or time is exceeded, the system issues a warning and corrects the error.
                • Advantages:
                  • Reliably monitors program execution in automotive safety systems to prevent abnormal behavior.

                Example 2: Implementation of Integrated Monitoring in Industrial Automation Systems

                • Configuration: Integrates temporal and logical monitoring and time dependencies in PLCs (Programmable Logic Controllers) of industrial automation systems to ensure the correct execution of critical control functions.
                • Operational Principle:
                  • Uses an external monitoring device to track the time and order of the program and evaluates whether each step is executed. – If the program does not execute in the expected order or is out of time, the system issues a warning and stops the process if necessary.
                • Advantages:
                  • Reliably monitors the program sequence of an industrial automation system to detect and respond to errors early.

                Limitations and Challenges

                1. Increased design complexity

                • Complex sequence and timing monitoring setup: Monitoring the sequence and timing of various program sections can be complex and can add additional burden to the system design.

                2. Performance overhead

                • Additional monitoring requirements: Performance overhead due to sequence and timing monitoring can occur and optimizations are needed to minimize this.

                3. Limitations of external monitoring

                • Dependency on external devices: If you rely on external monitoring devices, malfunctions of those devices can affect the system’s ability to detect errors.


                [ISO 26262] #1. Part4-6 Technical Safety Concept (TSC)

                [ISO 26262] #2. Safety Mechanisms for Electrical and Electronic

                [ISO 26262] #3. Safety Mechanism for Processing Unit

                [ISO 26262] #4. Safety Mechanisms for IO units and Interfaces

                [ISO 26262] #5. Safety Mechanisms for Communication Bus

                [ISO 26262] #6. Safety Mechanisms for Power Supply

                Leave a Comment