.. _fsd319:

FSD319: Software Safety Requirements Specification
##################################################

Motivations
***********

.. motivation:: EN-61508-3 clause 7.2.2.1
   :id: MOTIVATION_319_001
   :tags: fsd319
   :status: PASS

   Not applicable: requirements have not already been specified.

.. motivation:: EN-61508-3 clause 7.2.2.2
   :id: MOTIVATION_319_002
   :tags: fsd319
   :status: PASS

   The software safety requirements specification is given in :ref:`FSD319`.
   The requirements are derived from :ref:`FSD114` and :ref:`FSD120`. No
   software is developed without taking the safety requirements in
   :ref:`FSD114` into account.

.. motivation:: EN-61508-3 clause 7.2.2.3
   :id: MOTIVATION_319_003
   :tags: fsd319
   :status: PASS

   In addition to :need:`MOTIVATION_319_010`, :ref:`FSD303` specifies the
   techniques and measures applied to achieve SIL3.

.. motivation:: EN-61508-3 clause 7.2.2.4
   :id: MOTIVATION_319_004
   :tags: fsd319
   :status: PASS

   The safety software runs on dedicated CPUs, with dedicated memory and
   watchdog. Flow control and RAM/flash memory tests are used, and data to and
   between safety CPUs is sent through a black channel. The safety CPUs are not
   of the same type, nor do they run the same software. Accidental “DOS”
   behaviour on the interface between the CPUs and the safety CPU shall also be
   considered.

   Software executing in the safety CPUs shall be split into modules that have
   clearly defined interfaces. The functionality in one module shall have high
   cohesion. Global data that is not passed as a parameter to a method/function
   shall be avoided.

.. motivation:: EN-61508-3 clause 7.2.2.5
   :id: MOTIVATION_319_005
   :tags: fsd319
   :status: PASS

   The software developers have thoroughly discussed safety functions with the
   hardware designers. Different hardware modules (such as watchdogs) shall be
   used to fulfil the safety requirements.

   Capacity and timing on the safety CPUs shall be considered during software
   development; in particular, no blocking functions or tight loops will be
   allowed in the software design.

.. motivation:: EN-61508-3 clause 7.2.2.6
   :id: MOTIVATION_319_006
   :tags: fsd319
   :status: PASS

   See :ref:`FSD114`.

.. motivation:: EN-61508-3 clause 7.2.2.7
   :id: MOTIVATION_319_007
   :tags: fsd319
   :status: PASS

   The hardware and software together need enough performance to meet the
   response-time requirement for all faults that require deactivation of the
   radio module (described in 7.2.2.10 below). CPU-integrated hardware timers
   are used in interrupts to make sure that the unit goes into safe state if
   CPU time is insufficient.

.. motivation:: EN-61508-3 clause 7.2.2.8
   :id: MOTIVATION_319_008
   :tags: fsd319
   :status: PASS

   \a) A number of fault detection mechanisms shall be used, some in software
   and some assisted by hardware:

   * checksum of the safety software code is verified at each start-up
   * flow control check of execution in combination with a watchdog (described
     in EN 61508-7:2010, A.9.4)
   * RAM memory test
   * exception on access of illegal memory
   * shutdown during under-voltage

   \b) See Software safety requirements in this document.

   \c) See Software safety requirements in this document.

   \d) Safe functions are continuously tested.

   \e) See Software safety requirements in this document.

.. motivation:: EN-61508-3 clause 7.2.2.9
   :id: MOTIVATION_319_009
   :tags: fsd319
   :status: PASS

   The safety-related software executes on CPUs where no non-safety-related
   software executes.

.. motivation:: EN-61508-3 clause 7.2.2.10
   :id: MOTIVATION_319_010
   :tags: fsd319
   :status: PASS

   \a) - \b) See Software safety requirements in this document.

.. motivation:: EN-61508-3 clause 7.2.2.11
   :id: MOTIVATION_319_011
   :tags: fsd319
   :status: PASS

   \a) Range and invalid value checks in software; all safety settings are
   protected by CRC.

   \b) Range and invalid value checks in software.

   \c) Range and invalid value checks in software.

.. motivation:: EN-61508-3 clause 7.2.2.12
   :id: MOTIVATION_319_012
   :tags: fsd319
   :status: PASS

   \a) Consistency in the radio and CAN protocol. Software version and
   configuration are included in the CRC/hash calculations, so that a mismatch
   between units that communicate with each other results in no communication.

   \b) Covered in software integration tests.

   \c) Covered in :ref:`FSD150` and :ref:`FSD322`.

   \d) Covered in E/E/PE system safety validation tests.

   \e) Covered in :ref:`FSD124`.

.. motivation:: EN-61508-3 clause 7.2.2.13
   :id: MOTIVATION_319_013
   :tags: fsd319
   :status: PASS

   \a) Range and invalid value checks in software; all safety settings are
   protected by CRC.

   \b) Only authorized personnel have access to change safety settings
   (password).

   \c) All safety settings are protected by CRC.

.. motivation:: EN-61508-3 clause 7.3
   :id: MOTIVATION_319_100
   :tags: fsd319
   :status: N/A

   Not applicable: no separate validation of software.

Requirements
************

.. needtable::
   :tags: swsreq
   :columns: id, title, source, status, derived
   :sort: lineno

.. req:: RAM test
   :id: SWSREQ_001A
   :derived: TEST_300_016, TEST_300_017, TEST_300_114, TEST_300_115
   :tags: fsd319, swsreq

   RAM tests shall be performed in both CPUs continuously during operation.

.. req:: RAM test
   :id: SWSREQ_001B
   :derived: TEST_300_016, TEST_300_017, TEST_300_114, TEST_300_115
   :tags: fsd319, swsreq

   The time to test the whole RAM shall be less than 60 seconds.

.. req:: RAM test
   :id: SWSREQ_001C
   :derived: TEST_300_016, TEST_300_017, TEST_300_114, TEST_300_115
   :tags: fsd319, swsreq

   The complete RAM shall be tested at start-up in both CPUs.

.. req:: RAM test
   :id: SWSREQ_001D
   :derived: MOTIVATION_300_311
   :tags: fsd319, swsreq

   The algorithm for testing the RAM shall be documented and motivated.

.. req:: Flash test
   :id: SWSREQ_002A
   :derived: TEST_300_042, TEST_300_052, TEST_300_128
   :tags: fsd319, swsreq

   Flash tests shall be performed in both CPUs continuously during operation.

.. req:: Flash test
   :id: SWSREQ_002B
   :derived: TEST_300_042, TEST_300_052, TEST_300_128
   :tags: fsd319, swsreq

   The complete flash memory shall be tested at start-up in both CPUs.

.. req:: Loss of power safe state
   :id: SWSREQ_003A
   :derived: TEST_150_003
   :tags: fsd319, swsreq

   Loss of power shall result in safe state.

.. req:: Minimum voltage
   :id: SWSREQ_004A
   :derived: MOTIVATION_124_003, TEST_150_004
   :tags: fsd319, swsreq

   The minimum power supply voltage shall be configurable between 7 V and 30 V.

.. req:: Minimum voltage
   :id: SWSREQ_004B
   :derived: TEST_150_004
   :tags: fsd319, swsreq

   If the power supply voltage is below the configured minimum voltage for
   longer than 500 ms, the system shall go into safe state.

.. req:: Maximum voltage
   :id: SWSREQ_005A
   :derived: MOTIVATION_124_003, TEST_150_005
   :tags: fsd319, swsreq

   The maximum power supply voltage shall be configurable between 8 V and 33 V.

.. req:: Maximum voltage
   :id: SWSREQ_005B
   :derived: TEST_150_005
   :tags: fsd319, swsreq

   If the power supply voltage is above the configured maximum voltage for
   longer than 500 ms, the system shall go into safe state.

.. req:: Logic calculation interval
   :id: SWSREQ_007A
   :derived: TEST_300_021, TEST_300_022, TEST_300_023, TEST_300_119, TEST_300_120, TEST_300_121
   :tags: fsd319, swsreq

   The logic shall be calculated once every millisecond.

.. req:: Logic calculation interval
   :id: SWSREQ_007B
   :derived: TEST_300_021, TEST_300_022, TEST_300_119, TEST_300_120
   :tags: fsd319, swsreq

   The logic calculation interval shall not deviate by more than 0.1%.

.. req:: Logic calculation interval
   :id: SWSREQ_007C
   :derived: TEST_300_023, TEST_300_121
   :tags: fsd319, swsreq

   The logic shall complete execution within 812.5 us in both CPUs. If the
   logic takes longer than 812.5 us to execute, the unit shall enter safe
   state.

.. req:: Block diagram
   :id: SWSREQ_008A
   :derived: MOTIVATION_124_001
   :tags: fsd319, swsreq

   The configuration shall be programmed by means of a block diagram language.

.. req:: Selectable maximum reaction time
   :id: SWSREQ_009A
   :derived: MOTIVATION_124_002
   :tags: fsd319, swsreq

   The maximum reaction time from detecting a stop condition on an input until
   the stop condition is achieved (outputs set to zero/OFF) shall be
   selectable.

.. req:: CPU-CPU communication
   :id: SWSREQ_010A
   :derived: TEST_300_002, TEST_300_003, TEST_300_004, TEST_300_006, TEST_300_007, TEST_300_008, TEST_300_009, TEST_300_047, TEST_300_048, TEST_300_053, TEST_300_054, TEST_300_056
   :tags: fsd319, swsreq

   Both CPUs shall send a message to the other CPU every millisecond.

.. req:: CPU-CPU communication
   :id: SWSREQ_010B
   :derived: TEST_300_003, TEST_300_103
   :tags: fsd319, swsreq

   The CPU-CPU packets shall be protected by a 32-bit CRC.

.. req:: CPU-CPU communication
   :id: SWSREQ_010C
   :derived: TEST_300_002, TEST_300_003, TEST_300_004, TEST_300_006, TEST_300_007, TEST_300_008, TEST_300_009, TEST_300_047, TEST_300_048, TEST_300_053, TEST_300_054, TEST_300_056
   :tags: fsd319, swsreq

   The C2C communication channel shall be implemented as a white channel.

.. req:: CPU-CPU communication
   :id: SWSREQ_010D
   :derived: TEST_300_002, TEST_300_003, TEST_300_004, TEST_300_006, TEST_300_007, TEST_300_008, TEST_300_009, TEST_300_047, TEST_300_048, TEST_300_053, TEST_300_054, TEST_300_056
   :tags: fsd319, swsreq

   The CPU2CPU communication shall be resistant to packet errors.

.. req:: CPU-CPU communication
   :id: SWSREQ_010E
   :derived: TEST_300_006
   :tags: fsd319, swsreq

   If either CPU does not receive a packet from the other CPU for 20 ms, the
   unit shall enter safe state.

.. req:: CPU-CPU communication
   :id: SWSREQ_010G
   :derived: TEST_300_006
   :tags: fsd319, swsreq

   The CPU-CPU communication shall be implemented as a duplex communication
   channel.

.. req:: IO ON/OFF states
   :id: SWSREQ_011A
   :derived: TEST_SINGLE_INPUT_1, TEST_SINGLE_OUTPUT_1, TEST_GUI_ADVANCED_INPUT_1, TEST_GUI_ADVANCED_OUTPUT_1
   :tags: fsd319, swsreq

   All inputs and outputs shall have a defined ON and OFF state.

.. req:: IO ON/OFF states
   :id: SWSREQ_011B
   :derived: TEST_SINGLE_INPUT_1, TEST_SINGLE_OUTPUT_1, TEST_GUI_ADVANCED_INPUT_1, TEST_GUI_ADVANCED_OUTPUT_1
   :tags: fsd319, swsreq

   Transistor outputs shall be configurable with static and pulsed signal types
   according to FSD209 and FSD210.

.. req:: IO ON/OFF states
   :id: SWSREQ_011C
   :derived: TEST_SINGLE_INPUT_1, TEST_SINGLE_OUTPUT_1, TEST_GUI_ADVANCED_INPUT_1, TEST_GUI_ADVANCED_OUTPUT_1
   :tags: fsd319, swsreq

   Transistor inputs shall be configurable to handle all required input types
   according to FSD209 and FSD210.

.. req:: IO ON/OFF states
   :id: SWSREQ_011D
   :derived: TEST_SINGLE_INPUT_1, TEST_GUI_ADVANCED_INPUT_1
   :tags: fsd319, swsreq

   Transistor inputs shall be able to distinguish between the different pulsed
   signals specified in FSD209 and FSD210.

.. req:: Combined inputs OFF/ON signal combinations
   :id: SWSREQ_011E
   :derived: TEST_SINGLE_INPUT_1, TEST_GUI_ADVANCED_INPUT_1
   :tags: fsd319, swsreq

   It shall be possible to use a combination of ON and OFF conditions from
   inputs as input logic conditions.

.. req:: Redundant inputs
   :id: SWSREQ_012A
   :derived: TEST_GUI_ADVANCED_INPUT_1
   :tags: fsd319, swsreq

   Redundant inputs shall be configurable with:

   * 2-8 input pins with defined ON/OFF states,
   * simultaneity,
   * debounce.

.. req:: Redundant outputs
   :id: SWSREQ_013A
   :derived: TEST_GUI_ADVANCED_OUTPUT_1
   :tags: fsd319, swsreq

   Redundant outputs shall be configurable with 2-8 output pins with defined
   ON/OFF states.

.. req:: Input voltage range
   :id: SWSREQ_014A
   :derived: TEST_GUI_ADVANCED_INPUT_1
   :tags: fsd319, swsreq

   Transistor inputs shall be able to detect voltage levels between 0 V and
   33 V.

.. req:: Transistor IO
   :id: SWSREQ_015A
   :derived: TEST_SINGLE_INPUT_2, TEST_SINGLE_OUTPUT_2
   :tags: fsd319, swsreq

   All transistor IOs shall be configurable as an input or an output.

.. req:: Transistor inputs monitored by both CPUs
   :id: SWSREQ_015B
   :derived: TEST_300_216
   :tags: fsd319, swsreq

   Each input shall be monitored by both CPUs.

.. req:: Analog mismatch check
   :id: SWSREQ_016A
   :derived: TEST_300_216
   :tags: fsd319, swsreq

   The analog values measured by each CPU for all inputs and outputs shall be
   compared against the analog values measured by the other CPU. If either CPU
   detects a mismatch between the voltage it measured on an input or an output
   and the measured voltage received from the other CPU, the unit shall enter
   safe state.

.. TODO: Define mismatch! Do when implementing analogue.

.. req:: Input startup test
   :id: SWSREQ_017A
   :derived: TEST_GUI_SYNC_INPUTS_1
   :tags: fsd319, swsreq

   A start-up test condition shall be configurable for all inputs. If the
   start-up test is enabled, the input must be in the OFF state before it can
   go to the ON state.

.. req:: Internal output failure
   :id: SWSREQ_018A
   :derived: TEST_300_202, TEST_300_205, TEST_300_206, TEST_300_207, TEST_300_208, TEST_300_209
   :tags: fsd319, swsreq

   If an internal output failure is detected, the unit shall enter safe state.

.. req:: External output failure
   :id: SWSREQ_019A
   :derived: RESULT_SINGLE_OUTPUT_1, TEST_CFB_OSSD_1, TEST_CFB_OSSD_2, TEST_CFB_OSSD_3
   :tags: fsd319, swsreq

   If an external output failure is detected, the relevant outputs shall go to
   safe state.

.. req:: Both CPUs control outputs
   :id: SWSREQ_019B
   :derived: MOTIVATION_220_007
   :tags: fsd319, swsreq

   CPU1 shall directly control every individual output. CPU2 shall control the
   main transistor for all outputs.

.. req:: No user interface to control safety outputs
   :id: SWSREQ_020A
   :derived: TEST_150_002
   :tags: fsd319, swsreq

   There shall be no user interface to control safety outputs; this includes:

   * configuration messages via CAN,
   * configuration messages via radio,
   * configuration messages via USB,
   * push buttons on the PCB/display module.

.. req:: Combined IO function
   :id: SWSREQ_021A
   :derived: TEST_CFB_COMBO_1
   :tags: fsd319, swsreq

   For the special I/O type “combined I/O”, the logic shall be able to use the
   I/O as both input and output within 4 ms. That is, the input part shall be
   read at least every 4 ms.

.. req:: OSSD
   :id: SWSREQ_022A
   :derived: TEST_CFB_OSSD_1, TEST_CFB_OSSD_2, TEST_CFB_OSSD_3
   :tags: fsd319, swsreq

   Every OSSD output of a unit shall be able to detect short circuits to any
   other OSSD output of the same unit.

.. req:: Relay outputs
   :id: SWSREQ_023A
   :derived: TEST_300_041, TEST_300_126, TEST_300_201
   :tags: fsd319, swsreq

   All relay outputs shall be continuously monitored by both CPUs.

.. req:: Safe state
   :id: SWSREQ_024A
   :derived: TEST_150_010
   :tags: fsd319, swsreq

   Safe state shall be achieved by turning off all outputs (relays, transistor
   outputs, radio, CAN). No continuous control is needed.

.. req:: Safe state non-returning function
   :id: SWSREQ_024B
   :derived: TEST_150_010
   :tags: fsd319, swsreq

   The safe state shall be implemented as a non-returning function. The only
   way to leave it shall be to restart the CPU.

.. req:: Fault reaction time
   :id: SWSREQ_026A
   :derived: TEST_150_008
   :tags: fsd319, swsreq

   When a dangerous fault is detected, the maximum delay until all affected
   outputs in the complete system have reached the safe state shall be the
   response time (DREQ7.3 and DREQ108.1) + 500 ms.

.. req:: Operation modes
   :id: SWSREQ_027A
   :derived: TEST_150_010, TEST_150_001, TEST_150_002
   :tags: fsd319, swsreq

   The following modes of operation shall be implemented:

   * Normal operation: see :need:`DREQ_NORMALMODE_1`,
   * Safe state: see :need:`DREQ_SAFESTAE_1` and :need:`DREQ_SAFESTAE_2`,
   * Configuration mode: see requirements :need:`DREQ_LOGIC_200A`.

.. req:: Normal operation mode
   :id: SWSREQ_028A
   :derived: TEST_150_002
   :tags: fsd319, swsreq

   In the normal mode of operation, the unit can communicate safety information
   via the different interfaces, and controls outputs based on inputs according
   to the user configuration.

.. req:: Safe state mode
   :id: SWSREQ_029A
   :derived: TEST_150_010
   :tags: fsd319, swsreq

   In the safe state all outputs shall be monitored and continuously set to
   safe state. No safety communication shall be possible.

.. req:: Configuration mode
   :id: SWSREQ_030A
   :derived: TEST_150_001
   :tags: fsd319, swsreq

   The configuration mode shall be implemented as a non-returning function. The
   only way to leave configuration mode is by a software reset or a power
   cycle.

.. req:: Configuration mode
   :id: SWSREQ_030B
   :derived: TEST_150_001
   :tags: fsd319, swsreq

   In the configuration mode all outputs shall be continuously monitored and
   turned off.

.. req:: Configuration mode
   :id: SWSREQ_030C
   :derived: TEST_150_001
   :tags: fsd319, swsreq

   It shall only be possible to enter the configuration mode at start-up, by a
   software reset.

.. req:: Configuration mode
   :id: SWSREQ_030D
   :derived: TEST_150_001
   :tags: fsd319, swsreq

   Code which handles configuration shall only be reachable in configuration
   mode.

.. req:: Configuration mode
   :id: SWSREQ_030E
   :derived: TEST_150_014
   :tags: fsd319, swsreq

   The configuration mode shall be protected by a password. If the password is
   incorrect, the unit shall ignore the request to enter configuration mode.

.. req:: Configuration mode
   :id: SWSREQ_030F
   :derived: TEST_150_011
   :tags: fsd319, swsreq

   If the configuration tool is connected but does not activate the
   configuration state, the Safety Simplifier shall work as normal.

.. req:: Configuration mode
   :id: SWSREQ_030G
   :derived: TEST_150_002
   :tags: fsd319, swsreq

   All configuration attempts when not in configuration mode shall be rejected.

.. req:: Configuration mode interfaces
   :id: SWSREQ_030H
   :derived: TEST_150_015
   :tags: fsd319, swsreq

   The unit shall be able to enter configuration mode and be configured via the
   following interfaces:

   * USB,
   * CAN,
   * radio.

.. req:: Configuration correct addressing
   :id: SWSREQ_031A
   :derived: TEST_150_016
   :tags: fsd319, swsreq

   The PC tool shall verify that the destination unit is the unit specified by
   the user.

.. req:: Configuration correct addressing
   :id: SWSREQ_031B
   :derived: TEST_150_017
   :tags: fsd319, swsreq

   The PC tool shall allow the user to visually identify units via radio and
   CAN.

.. req:: Configuration success or failure
   :id: SWSREQ_031C
   :derived: TEST_150_018
   :tags: fsd319, swsreq

   After downloading a configuration to one or more units, the PC software
   shall present the success or failure to the user.

.. req:: No user interface for unit setup
   :id: SWSREQ_031D
   :derived: TEST_150_019
   :tags: fsd319, swsreq

   There shall be no code that implements a user interface to set up or replace
   a unit from scratch, except that which is defined in :need:`DREQ_10B`.

.. req:: Memory card replacement
   :id: SWSREQ_031E
   :derived: TEST_150_020
   :tags: fsd319, swsreq

   There shall be a means to replace a unit by transferring its memory card to
   a new unit and following a replacement procedure.

.. TODO: A requirement for the replacement procedure should be added.

.. req:: Start-up firmware check
   :id: SWSREQ_032A
   :derived: TEST_150_006
   :tags: fsd319, swsreq

   The firmware data in flash shall be protected by a 32-bit CRC which shall be
   checked at start-up. If the CRC does not match, the unit shall not start.

.. req:: Start-up firmware version check
   :id: SWSREQ_032B
   :derived: TEST_150_006
   :tags: fsd319, swsreq

   Both CPUs shall check each other's SW version at start-up. If either CPU
   detects that the other CPU has a different SW version, the unit shall enter
   safe state.

.. req:: Start-up configuration check
   :id: SWSREQ_032C
   :derived: TEST_150_009, TEST_150_012
   :tags: fsd319, swsreq

   Both CPUs shall check at start-up that the configuration is

   * available (configuration header magic value matches the expected value),
   * valid (CRC matches),
   * compatible with the firmware (compiler version is the one the firmware
     expects),
   * the same hash in both CPUs.

.. req:: Start-up check production data
   :id: SWSREQ_032D
   :derived: TEST_300_029
   :tags: fsd319, swsreq

   Production data shall be protected by a 32-bit CRC and checked at start-up.

.. req:: Start-up always safe
   :id: SWSREQ_032E
   :derived: TEST_300_029, TEST_300_031
   :tags: fsd319, swsreq

   The software shall be designed so that there are no safety issues if it is
   restarted, no matter in what manner the restart was performed.

.. req:: Valid ID numbers
   :id: SWSREQ_033A
   :derived: TEST_300_031
   :tags: fsd319, swsreq

   If the ID number in the production data is equal to 0x00000000 or
   0xFFFFFFFF, the unit shall enter safe state.

.. req:: Valid ID numbers
   :id: SWSREQ_033B
   :derived: TEST_300_031
   :tags: fsd319, swsreq

   The validity of the configured serial numbers shall be checked at start-up.
   The serial number settings are invalid if the network ID = 0, or if the
   serial number setting for the node itself does not match the serial number
   in its production data.

.. req:: Radio black channel
   :id: SWSREQ_034A
   :derived: BLCH0001
   :tags: fsd319, swsreq

   The radio communication shall be implemented as a black channel.

.. req:: Radio sequence counter
   :id: SWSREQ_034B
   :derived: BLCH0001
   :tags: fsd319, swsreq

   A sequence counter shall be used to protect against repeated packets.
   Receiving nodes shall discard packets with a bad sequence counter.

.. req:: Radio CRC
   :id: SWSREQ_034C
   :derived: BLCH0001
   :tags: fsd319, swsreq

   All radio messages shall be protected by a 24-bit CRC over the complete
   radio packet.

.. req:: Safe data hash
   :id: SWSREQ_034D
   :derived: BLCH0001
   :tags: fsd319, swsreq

   All radio messages shall include a 32-bit hash of all the safety information
   in the packet, which shall additionally be seeded with the following
   information:

   * serial numbers of all nodes in the system,
   * serial number of the transmitting unit (of the unit or the installed
     memory card, see :need:`SREQ_29B`),
   * hash of the configuration,
   * firmware version of both CPUs of the transmitting unit.

   .. note:: This guarantees that all nodes in a radio network agree on the
      information above.

.. req:: Stateless safety information
   :id: SWSREQ_034E
   :derived: BLCH0001
   :tags: fsd319, swsreq

   No state information shall be used between packets. Every packet shall
   contain all safety-related information.

.. req:: Timeout
   :id: SWSREQ_034F
   :derived: BLCH0001
   :tags: fsd319, swsreq

   All failure indications shall be implemented by detecting the absence of
   safety packets (timeout).

.. req:: Global memories (safety information)
   :id: SWSREQ_035A
   :derived: BLCH0001
   :tags: fsd319, swsreq

   Each node in a network shall have a configurable number of global memories,
   in multiples of 16, between 0 and 256.

.. req:: Global memories (safety information)
   :id: SWSREQ_035B
   :derived: BLCH0001
   :tags: fsd319, swsreq

   Each node in a network shall be able to use the global memories of any other
   node in the network.

.. req:: Global memories (safety information)
   :id: SWSREQ_035C
   :derived: BLCH0001
   :tags: fsd319, swsreq

   If a node in a network does not receive the global memories from another
   node within the specified radio timeout, those memories shall be set to
   zero.

.. req:: Radio timeout
   :id: SWSREQ_035D
   :derived: BLCH0001
   :tags: fsd319, swsreq

   The radio timeout shall be configurable between 4 ms and 60000 ms.

.. req:: Network same configuration
   :id: SWSREQ_037A
   :derived: TEST_150_012
   :tags: fsd319, swsreq

   All nodes in a network shall verify that they are running the same
   configuration. This shall be implemented by seeding the communication
   checksum/hash with the configuration hash.

.. req:: Network same firmware
   :id: SWSREQ_037B
   :derived: TEST_150_006
   :tags: fsd319, swsreq

   All nodes in a network shall verify that they are running the same
   firmware. This shall be implemented by seeding the communication
   checksum/hash with the firmware hash.

.. req:: SimpleCAN
   :id: SWSREQ_038A
   :derived: SIMPLECAN_ALL_REQS
   :tags: fsd319, swsreq

   The CAN communication shall be implemented as SimpleCAN. All requirements of
   SimpleCAN shall be fulfilled.

.. req:: All code is safety code
   :id: SWSREQ_100A
   :derived: MOTIVATION_320_001
   :tags: fsd319, swsreq

   All code shall be considered safety code/safety-related. This means that all
   techniques and measures, code standards, and verification methods shall be
   applied to all code.

.. req:: Internal voltages monitoring
   :id: SWSREQ_101A
   :derived: TEST_300_214
   :tags: fsd319, swsreq

   The CPU1 3.3 V (3V3A) voltage shall be monitored by CPU2.

.. req:: Internal voltages monitoring
   :id: SWSREQ_101B
   :derived: TEST_300_214
   :tags: fsd319, swsreq

   The CPU2 3.3 V (3V3B) voltage shall be monitored by CPU1.

.. req:: Internal voltages monitoring
   :id: SWSREQ_101C
   :derived: TEST_300_213
   :tags: fsd319, swsreq

   The SIO_PWR voltage shall be monitored by both CPUs.
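The black-channel receiver logic behind SWSREQ_034B, SWSREQ_034D, SWSREQ_034F, SWSREQ_035C, SWSREQ_037A and SWSREQ_037B, as an added illustration that is not part of this specification or of the product firmware. The hash function (CRC-32), the struct layouts, the 4-node system size and all serial numbers, hashes and versions are assumptions constructed for the example; the point it shows is that seeding the hash with the network facts makes a node with a different configuration, firmware or serial table unable to accept anything, and that loss of packets alone drives the memories to zero.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Facts every node must agree on; they seed the safe-data hash (SWSREQ_034D). */
typedef struct {
    uint32_t serials[4];        /* serial numbers of all nodes (4-node system assumed) */
    uint32_t tx_serial;         /* serial number of the transmitting unit */
    uint32_t config_hash;       /* hash of the configuration */
    uint32_t fw_cpu1, fw_cpu2;  /* firmware version of both CPUs of the sender */
} seed_info_t;
typedef struct {
    uint16_t seq;         /* sequence counter (SWSREQ_034B) */
    uint8_t  safety[8];   /* all safety information, no state kept between packets (034E) */
    uint32_t safe_hash;   /* 32-bit seeded hash over seq + safety (034D) */
} radio_packet_t;
typedef struct {
    uint16_t last_seq;      /* last accepted sequence counter */
    uint32_t last_rx_ms;    /* time of the last accepted packet */
    uint8_t  global_mem[8]; /* the sender's global memories as seen by this node (035B) */
} rx_state_t;

/* Assumed hash: reflected CRC-32 (poly 0xEDB88320); chained calls hash the concatenation. */
static uint32_t crc32_update(uint32_t crc, const void *buf, size_t len) {
    const uint8_t *p = (const uint8_t *)buf;
    for (crc = ~crc; len--; p++) {
        crc ^= *p;
        for (int b = 0; b < 8; b++) crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Seed first, payload last: a node with another serial table, configuration hash or
 * firmware version computes a different value, so mismatched units never exchange data. */
static uint32_t safe_hash(const seed_info_t *s, const radio_packet_t *p) {
    uint32_t h = crc32_update(0, s->serials, sizeof s->serials);
    h = crc32_update(h, &s->tx_serial, sizeof s->tx_serial);
    h = crc32_update(h, &s->config_hash, sizeof s->config_hash);
    h = crc32_update(h, &s->fw_cpu1, sizeof s->fw_cpu1);
    h = crc32_update(h, &s->fw_cpu2, sizeof s->fw_cpu2);
    h = crc32_update(h, &p->seq, sizeof p->seq);
    return crc32_update(h, p->safety, sizeof p->safety);  /* raw bytes: same endianness assumed */
}

/* Receiver: accept only if the hash matches under OUR seed and the counter moved forward. */
static bool rx_accept(rx_state_t *st, const seed_info_t *my, const radio_packet_t *p, uint32_t now_ms) {
    uint16_t advance = (uint16_t)(p->seq - st->last_seq);  /* modulo 2^16 */
    if (safe_hash(my, p) != p->safe_hash) return false;     /* foreign or corrupt packet */
    if (advance == 0 || advance > 0x7FFF) return false;     /* repeated or stale (034B) */
    st->last_seq = p->seq;
    st->last_rx_ms = now_ms;
    memcpy(st->global_mem, p->safety, sizeof st->global_mem);
    return true;
}

/* 034F/035C: failure is signalled only by absence of packets; on timeout zero the memories. */
static void rx_poll(rx_state_t *st, uint32_t now_ms, uint32_t timeout_ms) {
    if (now_ms - st->last_rx_ms > timeout_ms) memset(st->global_mem, 0, sizeof st->global_mem);
}

/* Constructed scenario; returns 15 when all four expected behaviours hold. */
static int demo(void) {
    seed_info_t net = {{1001, 1002, 1003, 1004}, 1002, 0xCAFEF00Du, 0x0102, 0x0305};
    seed_info_t other = net; other.config_hash ^= 1;   /* a differently configured node */
    radio_packet_t pkt = {1, {1, 0, 1, 1, 0, 0, 1, 0}, 0};
    rx_state_t st = {0}, st2 = {0};
    int ok = 0;
    pkt.safe_hash = safe_hash(&net, &pkt);                /* sender side */
    ok |= rx_accept(&st, &net, &pkt, 10) ? 1 : 0;         /* fresh packet accepted */
    ok |= rx_accept(&st, &net, &pkt, 11) ? 0 : 2;         /* replay discarded */
    ok |= rx_accept(&st2, &other, &pkt, 10) ? 0 : 4;      /* config mismatch: no communication */
    rx_poll(&st, 5010, 4000);                             /* 4 s timeout elapsed, nothing new */
    ok |= (st.global_mem[0] == 0 && st.global_mem[2] == 0) ? 8 : 0;
    return ok;
}
```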