QP/C 8.1.4
Real-Time Event Framework
Loading...
Searching...
No Matches
Functional Safety Viewpoint

IntroductionTechnology Viewpoint

Viewpoint

SAS_QP_FUSA_VP

Functional Safety Viewpoint

Purpose
This Functional Safety Viewpoint defines how the QP/C Framework architecture applies the techniques and measures required to achieve the desired systematic capability, defined as the measure of the confidence that the systematic safety integrity of the software meets the requirements of the specified SIL (IEC 61508 SIL-3, IEC 62304 Class-C, and ISO 26262 ASIL-D). This architectural viewpoint cross-checks the architecture and design against the recommended techniques and measures specified in [IEC 61508-3] Annexes A-C, [IEC 62304] Class-C expectations, and [ISO 26262-6] software development guidance, ensuring that:

  • All "highly recommended" techniques and measures are either applied or replaced by justified equivalents.
  • All "not recommended" techniques and measures are avoided or explicitly justified.
  • The same rationale can be reused by integrators when building QP/C-based applications to the same integrity levels (see Safety Manual DOC_QP_SSM).
Regulatory background
Functional safety standards make recommendations about techniques and measures to be applied at different safety integrity levels. The following table harmonizes the recommendation levels across standards: IEC 61508, ISO 26262, and IEC 62303:
Recommendation Level IEC 61508 ISO 26262 IEC 62304
Highly recommended HR "++" Advised for Class B, Mandatory for Class-C
Recommended R "+" Advised for Classes B/C
Neutral / optional "o" Optional for Classes B/C
Noth recommended NR "-" Discouraged for Class B, Not allowed for Class-C

To harmonize the three standards, the following recommendation levels are used consistently across this architectural viewpoint:
  • HR (Highly Recommended): Expected to be applied for IEC 61508 SIL-3, IEC 62304 Class-C, and ISO 26262 ASIL-D. If not used, a documented and justified rationale is required and must be agreed with the assessor.
  • R (Recommended): Strongly advised; may be replaced by an equivalent technique if justified.
  • — (Neutral/Optional): No specific recommendation for or against use.
  • NR (Not Recommended): Generally not suitable at the target integrity levels; if used, a strong justification is required to show that safety integrity is not compromised.
Attention
In functional safety standards, such as IEC 61508, the designations HR (highly recommended) and NR (not recommended) have a specific technical meaning. For a given SIL, techniques marked as HR are expected to be applied unless a documented and justified rationale demonstrates that they are unnecessary or that an alternative measure provides equivalent risk reduction.


Architectural Views
This architectural viewpoint frames the following views:

View: Functional Safety Architecture

QP/C functional safety management is architecturally separated from the nominal functional behavior of the QP/C Framework component. This separation ensures that safety mechanisms remain easily identifiable, reviewable, and traceable, and that they can be assessed independently of the application-specific logic built on top of the framework.

Note
The system integrator is responsible for configuring and using these mechanisms according to the QP/C Safety Manual (DOC_QP_SSM).

SAS_QP_FUSA_00

QP/C Functional Safety Subsystem (fault management).

Description
The QP/C Functional Safety Subsystem (QP/C FuSa) defines the general internal safety mechanisms applied consistently throughout the QP/C Framework component. The QP/C Functional Safety Subsystem provides the following mechanisms:

  • fault detection and management
  • data flow self-monitoring
  • data integrity self-monitoring
  • control flow self-monitoring
  • memory isolation
  • architectural constraints that support non-interference between software elements
Remarks
Functional safety is a cross-cutting aspect of software architecture because safety must be considered at multiple levels and Safety Functions must be present in virtually every software component. Therefore, the QP/C Functional Safety Subsystem (QP/C FuSa) cannot be collocated in a cleanly separated software module, but instead must be necessarily distributed among the software components. Still, the safety aspects of the design and implementation can and should be clearly identifiable, which is the goal in the specification of the QP/C FuSa.

Backward Traceability

  • SSRS_QP_FDM_00: QP/C Framework shall provide mechanisms to detect faults within its own code and in the QP/C Applications.
  • SSRS_QP_FDM_02: QP/C fault detection mechanisms shall be used exclusively for detecting faults.
  • SSRS_QP_FDM_03: QP/C fault management shall be based on the Crash-Only model.
  • SSRS_QP_FDM_04: QP/C fault management mechanisms shall be protected from concurrency hazards.
  • SSRS_QP_FDM_10: QP/C Framework component shall apply defensive programming to proactively detect faults in the QP/C Application.

Forward Traceability (truncated to 2 level(s))

  • ASR_QA_FDM_01: QP/C Application shall apply the fault detection & management mechanisms provided in the QP/C Framework.
    • AOU_QA_SCT_03A: Recommendation: QP/C Application should apply failure assertion programming.
  • qsafe.h: QP Functional Safety (FuSa) Subsystem (fault detection)
  • Q_onError(): Custom Error Handler (fault management)
  • #Q_NORETURN: No-return specifier for the Q_onError() callback function.


SAS_QP_FUSA_10

State-machine support for QP/C Applications (semi-formal methods).

Description

  1. The QP/C Framework shall internally use semi-formal methods (SAS_QP_SCT_11B) where appropriate.
  2. The Framework shall provide first-class architectural support for hierarchical state machines, guard conditions, and decision trees in applications, including:
    • A state-machine execution model integrated with the event-driven kernel.
    • Tool-supported modeling and automatic code generation (SAS_QP_SCT_11D, SAS_QP_SCT_12).
    • Clear Assumed Safety Requirements (ASRs) in the Safety Manual (DOC_QP_SSM) that require state-machine-based modeling for safety-critical application behavior.
Remarks
This architectural specification recognizes that the primary safety value of state machines lies in applications, not in the internal Framework logic. The Frameworks role is to provide a robust, analyzable execution platform and modeling/tooling support so that integrators can meet IEC 61508 SIL-3, IEC 62304 Class-C, and ISO 26262 ASIL-D expectations for semi-formal behavioral specifications.

Backward Traceability

  • SAS_QP_SCT_11B: Semi-formal methods in QP/C Framework component.
  • SAS_QP_SCT_11D: Automatic code generation in QP/C Framework component.
  • SAS_QP_SCT_12: Computer-aided specification and design tools use in QP/C Framework component.

Forward Traceability (truncated to 2 level(s))


View: Systematic Capability Techniques

This view defines the architectural techniques and measures (SAS_QP_SCT_xx) that implement the systematic capability expectations of:

  • IEC 61508-3:2010 Table A.2 (SIL-3)
  • IEC 62304:2015 Class-C design and architecture expectations
  • ISO 26262-6:2018 ASIL-D software architectural design and safety mechanisms
Regulatory background
The following Table SAS-TBL-A2 lists the systematic capability techniques and measures for software architecture required by [IEC 61508-3:2010] Table A.2 to achieve SIL-3. The last columns defines which of the selectable techniques are chosen in the QP/C Framework component and how they are addressed.
Table SAS-TBL-A2: Systematic capability techniques and measures ([IEC 61508-3:2010] Table A.2, SIL-3 only).
Technique/Measure(*) IEC 61508
Ref. 		SIL 3 Specs for
QP framework
1 Fault detection C.3.1 HR SAS_QP_SCT_01
2 Error detecting codes C.3.2 R SAS_QP_SCT_02
3a Failure assertion programming (*) C.3.3 R SAS_QP_SCT_03A
3b Diverse monitor techniques (*) (with independence between the monitor and the monitored function in the same computer) C.3.4 R see choice 3a(*)
3c Diverse monitor techniques (*) (with separation between the monitor computer and the monitored computer) C.3.5 R see choice 3a(*)
3d Diverse redundancy, implementing the same software safety requirement specification (*) C.3.5 see choice 3a(*)
3e Functionally diverse redundancy, implementing different software safety requirement specifications (*) C.3.5 R see choice 3a(*)
3f Backward recovery C.3.6 see choice 3a(*)
3g Stateless software design (or limited state design) C.2.12 R see choice 3a(*)
4a Re-try fault recovery mechanism C.3.7 see choice 4b(*)
4b Graceful degradation C.3.8 HR SAS_QP_SCT_04B
5 Artificial intelligence - fault correction C.3.9 NR SAS_QP_SCT_05
6 Dynamic reconfiguration C.3.10 NR SAS_QP_SCT_06
7 Modular approach Table B.9 HR SAS_QP_SCT_07
8 Use of trusted/verified software elements (if available) C.2.10 HR SAS_QP_SCT_08
9 Forward traceability between the software safety requirements specification and software architecture C.2.11 HR SAS_QP_SCT_09
10 Backward traceability between the software safety requirements specification and software architecture C.2.11 HR SAS_QP_SCT_10
11a Structured diagrammatic methods (*) C.2.1 HR SAS_QP_SCT_11A
11b Semi-formal methods (*) Table B.7 HR SAS_QP_SCT_11B
11c Formal design and refinement methods (*) B.2.2, C.2.4 R see choice 11b(*)
11d Automatic software generation (*) C.4.6 R SAS_QP_SCT_11D
12 Computer-aided specification and design tools B.2.4 HR SAS_QP_SCT_12
13a Cyclic behavior, with guaranteed maximum cycle time (*) C.3.11 HR see choice 13c(*)
13b Time-triggered architecture (*) C.3.11 HR see choice 13c(*)
13c Event-driven, with guaranteed maximum response time (*)C.3.11 HR SAS_QP_SCT_13C
14 Static resource allocation C.2.6.3 HR SAS_QP_SCT_14
15 Static synchronization of access to shared resources C.2.6.3 R SAS_QP_SCT_15
(*) Alternative or equivalent techniques/measures are indicated by a letter following the number. It is intended that only one of the alternative or equivalent techniques/measures should be satisfied. The choice of alternative technique should be justified by the properties, given in [IEC 61508-3:2010] Annex C, desirable in the particular application.

In the reference columns (entitled Ref), the informative references "B.x.x.x", "C.x.x.x" refer to descriptions of techniques in [IEC 61508-7:2010] Annexes B and C, while "Table A.x", "Table B.x" refer to tables of techniques in [IEC 61508-3:2010] Annexes A and B.
Remarks
Each SAS_QP_SCT_xx item is implemented in the QP/C Framework and has a corresponding Assumed Safety Requirements (ASRs) in the Safety Manual (DOC_QP_SSM), so that applications can adopt the same techniques where required.

SAS_QP_SCT_01

QP/C fault detection shall be based on assertion programming and failure assertion programming

Description
Fault detection shall be implemented in the QP/C Functional Safety Subsystem (SAS_QP_FUSA_00) using assertion programming and failure assertion programming techniques. The support for failure-assertion programming means that QP/C fault-detection mechanisms must not only detect the presence of a fault but also provide information indicating which subsystem is the likely source. To achieve this, the framework shall supply specialized assertions for :

  • Preconditions (indicate a fault in the caller of a function rather than the function itself)
  • Postconditions (indicate a fault in the function)
  • Invariants (indicate data corruption)
  • All assertions shall be easily identifiable in the source code, including preconditions, postconditions, invariants, and erroneous paths through the code (failure assertion programming)

Backward Traceability

  • SSRS_QP_FDM_00: QP/C Framework shall provide mechanisms to detect faults within its own code and in the QP/C Applications.

Forward Traceability (truncated to 1 level(s))

  • ASR_QA_FDM_01: QP/C Application shall apply the fault detection & management mechanisms provided in the QP/C Framework.
  • AOU_QA_SCT_01: Recommendation: QP/C Application should apply defensive programming based on assertion programming and failure assertion programming to proactively detect faults in its own code.


SAS_QP_SCT_02

QP/C Framework component shall apply error detection codes based on Duplicate Inverse Storage and Duplicate Storage.

Description
Error-detecting codes are software techniques that add redundant information to data so that accidental corruption can be detected before the data is used. Techniques like Duplicate Sotrage or Duplicate Inverse Storage are capable of detecting data corruption caused by software (e.g., runaway pointer or buffer overflow), which are not detectable by hardware mechanisms (e.g., Error-Correcting Codes.)

QP/C Framework component shall implement the following error-detecting code techniques in the indicated contexts:

Duplicate Inverse Storage (DIS)

  • Event instances (DIS covering event signal, reference-count, and pool-ID)
  • Current-state variable in the state machine instances
  • Event queue (head/tail/free-entries counters)
  • Event queue ring buffer (event pointers)
  • Event/memory pool (head/free-entries counters)
  • Time event (linked-list links, counters)
  • Publish-subscribe lists
  • Internal variables of the non-preemptive real-time kernel
  • Internal variables of the preemptive non-blocking real-time kernel

Duplicate Storage (no bitwise inversion)

  • Event pool buffers (free-block linked-list links)

Backward Traceability

  • SSRS_QP_DIM_01: QP/C software component shall apply self-monitoring SSFs based on "Duplicate Inverse Storage" to critical variables.
  • SAS_QP_MEM_02: Event queue allocation policy and responsibilities
  • SAS_QP_MEM_04: Event pool allocation policy and responsibilities
  • SAS_QP_MEM_05: Subscription lists allocation policy and responsibilities
  • SAS_QP_EVT_00: Event management policy

Forward Traceability (truncated to 1 level(s))

  • AOU_QA_SCT_02: Recommendation: QP/C Application should preserve QP/C Framework's Error-Detecting Codes.
  • AOU_QA_SCT_02A: Recommendation: QP/C Application should apply Error-Detecting Codes for its own safety-critical data.


SAS_QP_SCT_03A

QP/C Framework shall apply failure assertion programming free of side effects on normal functionality.

Description
QP/C software component shall apply assertion programming and failure assertion programming, as the recommended fault detection techniques (IEC 61508-7 C.3). The assertion facilities shall be defined in the QP Functional Safety (FuSa) Subsystem with the following safety specifications:

  • All software Safety Functions involved in fault detection shall be implemented with assertions
  • All assertions shall be applied correctly, meaning to diagnose errors and never to implement operational situations
  • All assertions shall have no side effects
  • All assertions shall be protected from concurrency hazards
  • Upon failure, all assertions shall invoke the user-defined Custom Error Handler
  • The Custom Error Handler shall be invoked correctly (within a critical section)

Backward Traceability

  • SSRS_QP_FDM_00: QP/C Framework shall provide mechanisms to detect faults within its own code and in the QP/C Applications.
  • SSRS_QP_FDM_05: QP/C fault management shall be free of side effects on normal functionality.

Forward Traceability (truncated to 1 level(s))

  • ASR_QA_FDM_01: QP/C Application shall apply the fault detection & management mechanisms provided in the QP/C Framework.
  • AOU_QA_SCT_03A: Recommendation: QP/C Application should apply failure assertion programming.


SAS_QP_SCT_04B

Mechanisms for graceful degradation in QP/C Framework component.

Description
Graceful degradation aims to maintain more critical system functions available, despite failures, by dropping the less critical functions. QP/C Framework component supports graceful degradation by providing mechanisms to protect the more critical functions from interference by the less critical ones. The main such mechanisms are:

  • reliable event posting with delivery guarantee for critical system functions (traceability: SRS_QP_EDG-10)
  • best-effort-only event delivery (for less critical functions) but with the mechanism to ensure non-interference with reliable event delivery (traceability: SRS_QP_EDG-10). This non-interference mechanism shall work as follows:
    • When allocating a dynamic event, QP/C API shall provide a safety margin of the event pool from which the event is allocated. In case the safety margin is reached, the best-effort allocation should fail and convey this failure to the caller (see Safety Manual DOC_QP_SSM for application-level responsibilities). That way, some space in the pool remains available to the reliable (default) event allocation mechanism.
    • When using the best-effort direct event posting mechanism, QP/C Framework accepts a safety margin of the event queue to which it posts events that can be lost. In case the safety margin is reached, the best-effort posting should fail and convey this failure to the caller (see Safety Manual DOC_QP_SSM for application-level responsibilities). That way, some space in the queue remains available to the reliable (default) event posting mechanism.

Forward Traceability (truncated to 1 level(s))

  • AOU_QA_SCT_04B: Recommendation: QP/C Application should apply graceful degradation by means of mechanisms supplied in the QP/C Framework when appropriate.


SAS_QP_SCT_05

NO use of artificial intelligence for fault correction in QP/C Framework component.

Description
QP/C Framework shall avoid the NR recommendation for AI-based fault correction (IEC 61508-3 Table A.2 row 5) and aligns with conservative interpretations in ISO 26262 and IEC 62304 for non-deterministic techniques.

Forward Traceability (truncated to 1 level(s))

  • AOU_QP_SST_05: Mandate: QP/C Application shall NOT use of AI for fault correction.


SAS_QP_SCT_06

QP/C Framework shall avoid dynamic reconfiguration.

Description
Dynamic reconfiguration aims to maintain system functionality despite an internal fault by various recovery attempts. Unfortunately, fault-recovery often leads to hard-to-foresee complications and eventual failure, but in an unpredictable way (which contradicts the functional safety principle).

For these reasons, and for compliance with the NR (Not-Recommended) classification, QP/C Framework shall avoid dynamic reconfiguration and instead apply the simple Crash-Only Model

Forward Traceability (truncated to 1 level(s))

  • AOU_QP_SST_06: Mandate: QP/C Application shall NOT use dynamic reconfiguration for fault correction.


SAS_QP_SCT_07

Modular approach in QP/C Framework component.

Description
QP/C Framework component architecture shall apply the following rules for modularity:

  • Information hiding/encapsulation (see Object-Oriented Architecture Model)
  • Fully defined interface with explicit specification of function signatures
  • Fully documented interfaces
  • Modules shall guarantee correct use by preconditions and postconditions (see failure assertion programming)
  • All subprograms (functions) shall have a single entry and a single exit
  • All subprograms (functions) shall have several parameters limited to 4
  • All subprograms (functions) shall have complexity limited to 20 (cyclomatic complexity)
  • Global variables shall be limited to fewer than 10 for the whole QP/C Framework component

Forward Traceability (truncated to 1 level(s))

  • AOU_QA_SCT_07: Recommendation: QP/C Application should use a modular architecture.


SAS_QP_SCT_08

Only trusted/verified software elements in QP/C Framework component.

Description
QP/C Framework component implementation shall NOT use any 3rd-party software elements. The reliance on standard libraries shall be limited to header-only facilities (e.g., <stdint.h>), but not any standard library code. All dependencies on external components (such as real-time kernel) shall be abstracted and restricted to the well-defined Operating System Abstraction Layer (OSAL).

Forward Traceability (truncated to 1 level(s))

  • AOU_QP_SST_08: Recommendation: QP/C Application should use trusted/verified software elements.


SAS_QP_SCT_09

Consistent forward traceability between Safety Requirements and Software Architecture in QP/C Framework component.

Forward Traceability (truncated to 1 level(s))

  • AOU_QA_SCT_09: Recommendation: QP/C Application should apply forward traceability.


SAS_QP_SCT_10

Consistent backward traceability between Safety Requirements and Software Architecture in QP/C Framework component.

Forward Traceability (truncated to 1 level(s))

  • AOU_QA_SCT_10: Recommendation: QP/C Application shall apply backward traceability.


SAS_QP_SCT_11A

Structured diagrammatic methods in QP/C Framework component.

Description
QP/C Framework component documentation shall use the well-defined UML diagrams whenever applicable. Non-UML diagrams shall have legends explaining the symbols and semantics.

Forward Traceability (truncated to 1 level(s))

  • AOU_QA_SCT_11A: Recommendation: QP/C Application should apply structured diagrammatic methods.


SAS_QP_SCT_11B

Semi-formal methods in QP/C Framework component.

Description
QP/C Framework component shall use the following semi-formal methods (see [IEC 61508-7:2010] Table C.17)

Note
Finite state machines, as the highly recommended (HR) semi-formal technique by functional safety standards, are the principal mechanism for QP/C Applications to specify the behavior of the main software components (Active Objects). Internally, the Framework uses state machines where appropriate, but the primary safety value is enabling applications to model safety-critical behavior with hierarchical state machines, as described in the Safety Manual (DOC_QP_SSM).

Backward Traceability

  • SRS_QP_SM_00: QP/C Framework component shall provide support for hierarchical state machines for Active Objects and for passive stateful objects in the QP/C Application.

Forward Traceability (truncated to 1 level(s))

  • SAS_QP_FUSA_10: State-machine support for QP/C Applications (semi-formal methods).
  • SDS_QP_SFM_01: QP/C Framework specification shall apply semi-formal method: logic/function block diagrams (HR).
  • SDS_QP_SFM_02: QP/C Framework specification shall apply semi-formal method: sequence diagrams (HR).
  • SDS_QP_SFM_04A: QP/C Framework specification shall support semi-formal method: finite state machines (HR).
  • SDS_QP_SFM_07: QP/C Framework specification shall support semi-formal method: decision/truth tables (HR).
  • SDS_QP_SFM_08: QP/C Framework specification shall apply semi-formal method: UML (R).
  • AOU_QA_SCT_11B: Recommendation: QP/C Application should apply semi-formal methods.
  • AOU_QA_SFM_01: Recommendation: QP/C Application should apply semi-formal method logic/function block diagrams.
  • AOU_QA_SFM_02: Recommendation: QP/C Application should apply semi-formal method sequence diagrams.
  • AOU_QA_SFM_04A: Mandate: QP/C Application shall apply semi-formal method finite state machines.
  • AOU_QA_SFM_07: Mandate: QP/C Application shall apply semi-formal method decision/truth tables.
  • AOU_QA_SFM_08: Recommendation: QP/C Application should apply semi-formal method UML.


SAS_QP_SCT_11D

Automatic code generation in QP/C Framework component.

Description
QP/C Framework component does not take advantage of automatic code generation, but it supports automatic code generation, as the highly recommended (HR) semi-formal technique for QP/C Applications. Specifically, all state machine strategies supported by the framework are excellent targets for automatic code generation.

Backward Traceability

  • SRS_QP_SM_21: QP/C Framework component should provide a State Machine Implementation Strategy optimized for "automatic code generation"

Forward Traceability (truncated to 1 level(s))

  • SAS_QP_FUSA_10: State-machine support for QP/C Applications (semi-formal methods).
  • AOU_QA_SCT_11D: Recommendation: QP/C Application should apply automatic code generation.


SAS_QP_SCT_12

Computer-aided specification and design tools use in QP/C Framework component.

Description

  • QP/C Framework component shall be modeled with the QM model-based design tool [QM-Tool:2024].
  • QP/C Framework component shall be documented with Doxygen and Spexygen specification tools.

Forward Traceability (truncated to 1 level(s))

  • SAS_QP_FUSA_10: State-machine support for QP/C Applications (semi-formal methods).
  • AOU_QA_SCT_12: Recommendation: QP/C Application should apply computer-aided specification and design tools.


SAS_QP_SCT_13C

Event-driven architecture with guaranteed maximum response time in QP/C Framework component.

Description
QP/C Framework component implements precisely the highly recommended event-driven architecture. Moreover, the preemptive, non-blocking kernel is fully compliant with the requirements of the Rate-Monotonic Scheduling/Analysis (RMS/RMA) method, by which hard-real-time execution can be guaranteed.

Forward Traceability (truncated to 1 level(s))

  • AOU_QA_SCT_13C: QP/C Application should apply event-driven architecture with guaranteed response time.


SAS_QP_SCT_14

Static resource allocation in QP/C Framework component.

Description
QP/C Framework component shall apply exclusively static resource allocation and shall strictly avoid dynamic resource allocation.

Forward Traceability (truncated to 1 level(s))

  • AOU_QP_SST_14: Mandate: QP/C Application shall apply static resource allocation and avoid dynamic resource allocation.


SAS_QP_SCT_15

Static synchronization of access to shared resources in QP/C Framework component.

Description
QP/C Framework component shall apply only the non-blocking critical section mutual exclusion mechanism to protect its internal shared resources.

Backward Traceability

Forward Traceability (truncated to 1 level(s))

  • AOU_QP_SST_15: Mandate: QP/C Application shall apply static synchronization.


View: Programming Language & Support Tools

This architectural view frames the following concerns:

  • The choice of the programming language to support the production of software with the required properties
  • The programming language safe subset (coding standard) to achieve the required SIL-3
Regulatory background
The following Table SDS-A3 lists the techniques and measures for programming language and support tools required by [IEC 61508-3:2010] Table A.3 to achieve SIL-3. The last column of the table defines how these techniques are to be addressed in the architecture of QP/C Framework component.
Table SDS-A3: Programming language & support tools applied to QP/C Framework component ([IEC 61508-3:2010] Table A.3, SIL-3 only).
Technique/Measure(*) IEC 61508
Ref. 		SIL 3 Specs for
QP Framework
1 Suitable programming language C.4.5 HR SAS_QP_PL_01
2 Strongly typed programming language C.4.1 HR SAS_QP_PL_02
3 Language subset C.4.2 HR SAS_QP_PL_03
4a Certified tools and certified translators (*) C.4.3 HR see choice 4b(*)
4b Tools and translators: increased confidence from use (*) C.4.4 HR SAS_QP_PL_04B
NOTE1 [IEC 61508-3:2010] Table C.3

NOTE2 The references (which are informative, not normative) "B.x.x.x", "C.x.x.x" in column ("Ref.") indicate detailed descriptions of techniques given in Annexes B and C of [IEC 61508-3:2010].

(*) Alternative or equivalent techniques/measures are indicated by a letter following the number. It is intended that only one of the alternative or equivalent techniques/measures should be satisfied. The choice of alternative technique should be justified by the properties, given in [IEC 61508-3:2010] Annex C, desirable in the particular application.

SAS_QP_PL_01

Suitable programming language for QP/C Framework component.

Description
The QP/C Framework component shall be implemented in the ISO C11 programming language, which has the following properties recommended by [IEC 61508-3] C.4.5:

  • internationally standardized and widely used language
  • supports strong typing, structured programming, and assertions (see ssrs-qp_ap)
  • is verifiable, facilitates program development, verification, and maintenance
  • is general-purpose, user/problem-oriented rather than processor/platform machine-oriented
  • supports block structure, translation-time checking

However, at the same time, the full C programming language also includes many constructs classified as NR (Not Recommended) for SIL-3 (IEC 61508-3 Table C.1). Therefore, the QP/C Framework must use a restricted safe subset, enforced by coding standards and static analysis tools.

Regulatory background
Because of the undesired properties of the full ISO C standard, according to IEC 61508-3 Table C.1 reproduced below, the full C programming language is NR (not recommend) for SIL-3. However, C with subset, coding standard, and use of static analysis tools is HR (highly recommended). Therefore this architectural specification for the suitable programming language necessarily includes architectural specification SAS_QP_PL_03.
Table SDS-C1: Recommendations for specific programming languages ([IEC 61508-3:2010] Table C.1, SIL-3 only).
Programming language SIL 3
... ... ...
9 C NR
10 C with subset and coding standard, and use of static analysis tools HR
... ... ...

Backward Traceability

  • SAS_QP_PL_03: Safe language subset for QP/C Framework component.

Forward Traceability (truncated to 2 level(s))

  • SAS_QP_PL_03: Safe language subset for QP/C Framework component.
    • DOC_QPC_MISRA: QP/C MISRA-C:2025 Compliance Report
    • AOU_QA_PL_03: Mandate: QP/C Application shall apply safe language subset.
  • AOU_QA_PL_01: Recommendation: QP/C Application should apply the suitable programming language.


SAS_QP_PL_02

Strongly typed programming language for QP/C Framework component.

Description
QP/C Framework component shall be implemented in the ISO C11 programming language version, which supports many features to enforce type safety, but is not a strongly typed language as defined in IEC 61508 Annex C.4.5. To mitigate this, QP/C Framework component shall adopt a restricted subset of QP C11 (aligned with MISRA-C:2025, see SAS_QP_PL_03) and enforce coding guidelines that ensure type safety through explicit conversions, static analysis, and compiler diagnostics.

Backward Traceability

Forward Traceability (truncated to 2 level(s))

  • SAS_QP_PL_03: Safe language subset for QP/C Framework component.
    • SAS_QP_PL_01: Suitable programming language for QP/C Framework component.
    • DOC_QPC_MISRA: QP/C MISRA-C:2025 Compliance Report
    • AOU_QA_PL_03: Mandate: QP/C Application shall apply safe language subset.
  • AOU_QA_PL_02: Recommendation: QP/C Application should apply strongly typed programming language.


SAS_QP_PL_03

Safe language subset for QP/C Framework component.

Description
The QP/C Framework component shall comply with a safe ISO C11 subset, aligned with MISRA-C:2025 and the restrictions described in the MISRA Compliance Report.

These rules ensure compatibility with the QP/C Framework's infrastructure for static analysis described in the Guideline Enforcement Plan (GEP) and Deviation Permits of the MISRA Compliance Report.

Backward Traceability

  • SAS_QP_PL_01: Suitable programming language for QP/C Framework component.
  • SAS_QP_PL_02: Strongly typed programming language for QP/C Framework component.

Forward Traceability (truncated to 2 level(s))

  • SAS_QP_PL_01: Suitable programming language for QP/C Framework component.
    • AOU_QA_PL_01: Recommendation: QP/C Application should apply the suitable programming language.
  • DOC_QPC_MISRA: QP/C MISRA-C:2025 Compliance Report
    • AOU_QA_SDLC_04: Recommendation: QP/C Application should use a safe and analyzable coding standard.
  • AOU_QA_PL_03: Mandate: QP/C Application shall apply safe language subset.


SAS_QP_PL_04B

Tools and translators: increased confidence from use for QP/C Framework component.

Description
The QP/C Framework source code shall be compiled and statically analyzed using tools that provide Increased Confidence from Use (ICFU), as defined in IEC 61508-3 C.4.4.

Forward Traceability (truncated to 2 level(s))

  • AOU_QA_PL_04B: Recommendation: QP/C Application should apply tools and translators with increased confidence from use.


IntroductionTechnology Viewpoint