Non-Functional Requirements

Preemptive Non-Blocking KernelAnnex A: Concepts & Definitions

This section lists and explains non-functional requirements (a.k.a., quality attributes) of the QP/C++ Framework component.

Reliability

---

SRS_QP_NF_01

QP/C++ Framework component shall have the systematic capabilities required by functional safety standards.

Description
QP/C++ Framework component shall be certifiable to the international functional safety standards such as IEC 61508, ISO 26262, and IEC 62304.

Regulatory background

The following table summarizes the Systematic Capability (SC) of the QP/C++ Framework component required for compliance:

Aspect	IEC 61508 (baseline FS)	ISO 26262 (automotive)	IEC 62304  (medical)
Systematic Capability (SC) concept	SC concept introduced in Edition 2	SC concept present, term not used	No SC concept
Primary focus	Capability of an element to meet SIL wrt systematic faults	Avoidance & control of systematic faults through ASIL-based lifecycle	Control of software faults through risk-based lifecycle & safety Class (A/B/C)
Quantified SC levels	SC 1-4, aligned with SIL 1-4	ASIL A-D, mapping similar to SIL rigor in IEC 61508	Classes A-C (C most critical) - no numeric SC
Typical use	Reuse/selection of pre-existing HW/SW elements with defined SC in Part-3	Demonstrating ASIL-compliant software process and reuse arguments	Showing process completeness for software items; reuse via risk management
Main mechanism	Techniques/measures + assessment of elements development process	ASIL-based dev process, safety analysis, tool confidence, reuse criteria	62304 lifecycle processes + integration with ISO 14971 risk management

The specific systematic capabilities of QP/C++ Framework component and QP/C++ Application for the desired safety integrity level are elaborated in the downstream documents, such as:

• Software Architecture Specification (DOC_QP_SAS),
• Software Design Specification (DOC_QP_SDS), and

Forward Traceability (truncated to 2 level(s))

• SSRS_QP_SSC_01A: QP/C++ software component shall apply and support semi-formal methods listed in [IEC 61508-3:2010] Table B.7.
  • SAS_QP_SSC_11B: Semi-formal methods in QP/C++ Framework component.
  • SDS_QP_TECH_01B: QP/C++ Framework shall apply semi-formal methods.
  • CSOU_QP_SC_11B: Semi-formal methods in QP/C++ Application in form of hierarchical state machines.
  • SDS_QA_TECH_01B: QP/C++ Application shall apply semi-formal methods.
  • SDS_QA_SFM_01: QP/C++ Application specification shall apply semi-formal method: logic/function block diagrams.
  • SDS_QA_SFM_02: QP/C++ Application specification shall apply semi-formal method: sequence diagrams.
  • SDS_QA_SFM_04A: QP/C++ Application specification shall apply semi-formal method: state machine diagrams.
  • SDS_QA_SFM_07: QP/C++ Application specification shall apply semi-formal method: decision trees.
  • SDS_QA_SFM_08: QP/C++ Application specification shall apply semi-formal method: UML.
• SAS_QP_SSC_01: Fault detection: QP/C++ Framework component shall apply assertion-based fault detection policy.
• SAS_QP_SSC_02: Error detecting codes: QP/C++ Framework component shall apply error detection based on Duplicate Inverse Storage and Duplicate Storage.
• SAS_QP_SSC_04B: Mechanisms for graceful degradation in QP/C++ Framework component.
• SAS_QP_SSC_05: NO use of artificial intelligence for fault correction in QP/C++ Framework component.
• SAS_QP_SSC_06: NO dynamic reconfiguration for fault correction in QP/C++ Framework component.
• SAS_QP_SSC_07: Modular approach in QP/C++ Framework component.
• SAS_QP_SSC_08: Only trusted/verified software elements in QP/C++ Framework component.
• SAS_QP_SSC_10: Consistent backward traceability between Safety Requirements and Software Architecture in QP/C++ Framework component.
• SAS_QP_SSC_11B: Semi-formal methods in QP/C++ Framework component.
• SAS_QP_SSC_11D: Automatic code generation in QP/C++ Framework component.
  • CSOU_QP_SSC_11D: Automatic code generation in QP/C++ Application.
• SAS_QP_SSC_12: Computer-aided specification and design tools use in QP/C++ Framework component.
• SAS_QP_SSC_13C: Event-driven architecture with guaranteed maximum response time in QP/C++ Framework component.
• SAS_QP_SSC_15: Static synchronization of access to shared resources in QP/C++ Framework component.
• CSOU_QP_SSC_09: Consistent forward traceability between Safety Requirements and Software Architecture in QP/C++ Application.
• CSOU_QP_SSC_11A: Structured diagrammatic methods in QP/C++ Application.
• CSOU_QP_SSC_14: Static resource allocation in QP/C++ Application.
• CSOU_QP_SC_02: Error detecting codes: QP/C++ Application shall apply error detection based on Duplicate (Inverse) Storage.
• SAS_QP_SSC_03A: Failure assertion programming: in QP/C++ Framework.

---

SRS_QP_NF_02

QP/C++ Framework component shall be implemented in a programming language recommended for safety-critical software.

Description
Functional safety standards require the implementation programming language to have certain features and properties.

Regulatory background

The following table summarizes the general requirements for the appropriate implementation programming language across the standards IEC 61508,ISO 26262, and IEC 62304:

Aspect	IEC 61508 (baseline FS)	ISO 26262 (automotive)	IEC 62304 (medical)
Domain	Generic E/E/PE functional safety	Road vehicles, based on IEC 61508	Medical device software lifecycle
Direct language requirements	Explicit measures/tables in Part3, SIL-based	Derived from IEC 61508, ASIL-based	No explicit per-language rules; process-focused
Emphasis	Language choice, subsets, avoidance of unsafe features	Language subsets, coding guidelines (e.g., MISRA), ASIL-based rigor	Having and applying coding standards; tool & environment control
Safety level driver	SIL 1-4	ASIL A-D	Classes A-C (C most critical)
Typical practice	Strongly typed, restricted subset, structured	Same as IEC 61508 plus automotive specifics	Any language, but with documented rules, reviews, tests proportional to the safety class

Remarks

The specific properties of the programming language required for the desired safety integrity level are elaborated in the downstream documents, such as:

• Software Architecture Specification (DOC_QP_SAS),
• Software Design Specification (DOC_QP_SDS), and
• MISRA Compliance Report (DOC_QPC_MISRA).

Forward Traceability (truncated to 2 level(s))

• SAS_QP_PL_01: Suitable programming language for QP/C++ Framework component.
  • SAS_QP_PL_03: Safe language subset for QP/C++ Framework component.
  • COU_QA_SSC_11: QP Application shall use suitable programming language.
• SAS_QP_PL_02: Strongly typed programming language for QP/C++ Framework component.
  • SAS_QP_PL_03: Safe language subset for QP/C++ Framework component.
  • COU_QA_SSC_11: QP Application shall use suitable programming language.
• SAS_QP_PL_03: Safe language subset for QP/C++ Framework component.
  • DOC_QPCPP_MISRA: QP/C++ MISRA-C++:2023 Compliance Report
  • COU_QA_SSC_11: QP Application shall use suitable programming language.

Independence

---

SRS_QP_NF_10

QP/C++ Framework component implementation shall NOT depend on any standard libraries.

Description

Forward Traceability (truncated to 1 level(s))

---

SRS_QP_NF_11

QP/C++ Framework component implementation shall NOT use floating point.

Description

Forward Traceability (truncated to 2 level(s))

---

SRS_QP_NF_12

All services provided by QP must NOT use the standard heap.

Description
QP/C++ Framework component must not force Applications to use potentially unsafe and indeterministic memory allocation policies, like the standard heap. In other words, the QP/C++ Framework component should internally use only static memory with worst-case memory consumption known at compile-time.

---

SRS_QP_NF_13

QP/C++ Framework component shall NOT internally pre-allocate memory for application-specific objects such as event-queue buffers; event-pool buffers; tracing-buffers etc.

Description

Forward Traceability (truncated to 2 level(s))

• SAS_QP_MEM_00: General QP/C++ Framework component memory allocation policy
  • SDS_QP_START: QP/C++ Framework startup sequence
  • SSM_QA_CSOU_41: Mandate: QP/C++ Application must allocate all objects statically.

Determinism

---

SRS_QP_NF_20

QP/C++ Framework component shall be free of non-deterministic concurrency hazards.

Description
The QP/C++ Framework component shall adequately protect its internal state from concurrency hazards, such as race conditions, data races, and any other form of internal state corruption due to concurrent operation. The QP/C++ Framework component shall also avoid any shared but unprotected resources (such as the standard heap).

Rationale
QP/C++ Framework component shall be certifiable to the international functional standards, which require determinism.

Forward Traceability (truncated to 2 level(s))

---

SRS_QP_NF_21

QP/C++ Framework component shall be deterministic in CPU utilization.

Description
Deterministic CPU utilization means that all QP/C++ Framework component services have a well-defined upper bound on the CPU utilization. It also means that the QP/C++ Framework component does not use non-deterministic constructs or services, such as the standard, dynamic memory allocation, which might behave non-deterministically.

Rationale
QP/C++ Framework component shall be certifiable to the international functional standards, which require determinism.

Forward Traceability (truncated to 2 level(s))

• SAS_QP_EDA: View: Event-Driven Architecture

---

SRS_QP_NF_22

QP/C++ Framework component shall be deterministic in memory (RAM) utilization.

Description
Deterministic memory utilization means that all QP/C++ Framework component services have a well-defined upper bound on the memory utilization. It also means that the QP/C++ Framework component does not use non-deterministic constructs or services (such as the standard, dynamic memory allocation, which is subject to fragmentation).

Rationale
QP/C++ Framework component shall be certifiable to the international functional standards, which require determinism.

Forward Traceability (truncated to 2 level(s))

• SRS_QP_NF_23: All services provided by QP shall use a limited and known amount of call stack.
• SSRS_QP_MEM_10: QP/C++ software component shall support static memory isolation of the critical system memory regions.
• SSRS_QP_MEM_20: QP/C++ software component should support dynamic memory isolation between Active Objects.

---

SRS_QP_NF_23

All services provided by QP shall use a limited and known amount of call stack.

Description
This requirement is a special case of deterministic memory (RAM) utilization. However, specifically the call stack (or multiple call stacks, if used) is a critical resource taking up a significant portion of the precious RAM in deeply embedded applications targeted by the QP/C++ Framework component.

Rationale
The stack exhaustion (a.k.a. stack overflow) represents a system failure, rather than merely some degradation of performance. Therefore, it is imperative for the QP/C++ Framework component (and the QP/C++ Application by extension) to use the call stack efficiently and deterministically.

Backward Traceability

• SRS_QP_NF_22: QP/C++ Framework component shall be deterministic in memory (RAM) utilization.

Forward Traceability (truncated to 2 level(s))

---

SRS_QP_NF_24

QP/C++ Framework component shall facilitate deterministic real-time performance analysis (such as Rate-Monotonic Scheduling/Analysis).

Description
Facilitating deterministic real-time performance analysis (such as Rate-Monotonic Scheduling/Analysis) means that the QP/C++ Framework component shall be compatible with the methods of real-time analysis. For example, QP/C++ Framework component shall provide a compatible real-time kernel with deterministic real-time performance (e.g., preemptive, priority-based kernel for RMS/RMA). Additionally, QP/C++ Applications shall be easier to analyze than traditional RTOS applications due to the avoidance of blocking, which is known to immensely complicate CPU utilization calculations.

Rationale
QP/C++ Framework component shall be certifiable to the international functional standards, which require determinism.

Forward Traceability (truncated to 2 level(s))

• SAS_QP_EDA: View: Event-Driven Architecture

Portability

---

SRS_QP_NF_40

QP/C++ Framework component shall be portable to 16-/32-/64-bit CPUs.

Description
QP/C++ Framework component shall be implemented such that it operates correctly on 16-bit, 32-bit, and 64-bit CPUs.

Rationale
QP/C++ Framework component shall internally be implemented without implicit assumptions about the CPU register size for the correctness of the internal algorithms. Among others, the bit-widths of integer variables must be specified in the implementation, so that they provide adequate dynamic range. Also, integer overflow and underflow (e.g., "wrap-around"), if relevant for a given algorithm, need to be handled without assumptions on the CPU register size.

Forward Traceability (truncated to 2 level(s))

• SAS_QP_OS: OS layer
• SAS_OSAL_API: OSAL API
  • SSRS_QP_DFM_20: QP/C++ software component shall apply data flow self-monitoring to the interface between QP/C++ software component and the underlying operating system (QP OSAL-API).

---

SRS_QP_NF_41

QP/C++ Framework component shall be portable to a wide range of real-time kernels.

Description
As an implementation of the Active Object model of computation, QP/C++ Framework component shall preserve the inherent ability of Active Objects to work with a variety of real-time kernels. This includes traditional blocking RTOS kernels, special non-blocking kernels (e.g., QV, QK, QXK), and general-purpose operating systems (POSIX, Windows).

Rationale
Portability of the QP/C++ Framework component (and QP/C++ Applications based on the framework) to a wide range of kernels allows applications to use the most appropriate kernel for the job at hand. Additionally, portability to GP-OS allows running, developing, and testing QP/C++ Applications on the host computers.

Forward Traceability (truncated to 2 level(s))

• SAS_QP_OSAL: OS abstraction layer (OSAL)
• SAS_QP_OS: OS layer
• SAS_OSAL_API: OSAL API
  • SSRS_QP_DFM_20: QP/C++ software component shall apply data flow self-monitoring to the interface between QP/C++ software component and the underlying operating system (QP OSAL-API).

Ease of Development

---

SRS_QP_NF_50

All State Machine Implementation Strategies provided by the QP/C++ Framework component shall be bidirectionally traceable to the basic state machine elements.

Description
"Bidirectionally traceable to the basic state machine elements" means that every element in the state machine implementation shall correspond one-to-one to the state machine element. For example, every state entry, exit, transition, and guard condition should be represented only once in the implementation. The implication of this requirement for the ease of development is that it is always possible to set a single debugger breakpoint in the code to stop upon the execution of a given state machine element, such as a state transition or entry to a given state, exit from a given state, a given guard condition, etc.

In contrast, an example of a hard-to-debug implementation would be one in which a given transition or entry to a state would be represented more than once in the code. A single breakpoint would not necessarily be sufficient to guarantee that the breakpoint is reached when that element is executed. Hard-to-debug state machine implementations are often the result of "flattening" the hierarchical state machine to a non-hierarchical representation, which causes repetitions.

Rationale
The ease of debugging is essential for the effective development and maintenance of the state machine code.

Forward Traceability (truncated to 2 level(s))

---

SRS_QP_NF_51

The QP/C++ Framework component should support a debug build configuration that would facilitate QP/C++ Application development.

Description
The debug build configuration should allow applying low-optimization compilation and single-step debuggers to easily step through the application code and correlate it with the generated disassembly. If the system supports hardware-based memory isolation (e.g., by means of a Memory Protection Unit), the debug configuration should allow compile-time switching of the memory protection on and off.

Rationale
The ease of debugging is essential for the effective development and maintenance of the state machine code.

Forward Traceability (truncated to 2 level(s))

• SSRS_QP_MEM_30: The memory isolation shall be compile-time configurable.

Preemptive Non-Blocking KernelAnnex A: Concepts & Definitions