FS Work Package: Invalid signals
Background
Some logic functions (in particular the “Reset” and “sync_inputs” blocks) require valid signals to perform their function correctly. An example of an invalid signal is a radio memory that has timed out: the real value at the transmitter side is then unknown at the receiver side.
In this case, the receiver will set the bit to 0 at point ‘a’ due to a timeout in the communication. However, the receiver's logic cannot tell whether the bit is actually 0 or merely invalid.
In the case of a reset function block, the pulse at point ‘e’ would be interpreted as a valid reset, potentially creating a safety hazard.
In the case of a sync_inputs block, the invalid signal would be interpreted as a valid 0, which makes the block believe that it got a valid 0 (i.e., the inputs were deactivated), and could then allow the function to activate again when the communication is restored. This would be perceived as the output of the function going to 0 for a while, then back to 1.
The solution to this is to introduce a new concept of “invalid signals”. For example, a boolean signal can be 0, 1, or invalid. Integers can be 0, 1, 2, …, or invalid. This means another bit is required for every signal that can be invalid.
The compiler will calculate the “is_invalid” bit for all signals in the background; it is the logical OR of the “is_invalid” signals of all inputs to that function. Physical inputs may have different criteria for being invalid, such as specific voltages or pulse signatures.
Affected components
Source code
SRC200-001 (Simplifier Manager)
SRC002-104 (Logic Compiler)
Hardware designs
No hardware designs are affected by this change.
Mechanical designs
No mechanical designs are affected by this change.
Manuals/Documentation
The safety manual needs to be updated to include information about how this affects programming, in particular:
How to implement reset functions when the reset signal is sent via a communication channel.
How to implement sync_inputs functions when the inputs are sent via a communication channel.
Approvals
No changes to approvals.
Products
Simplifier Manager, logic compiler.
Impact analysis (non safety)
No non-safety impact is expected from this change.
Impact analysis (functional safety)
Compiler
The logic compiler needs to be updated to handle invalid signals correctly. This includes the following changes:
Calculate an “is_invalid” signal for all logic function outputs in the background; it is the logical OR of the “is_invalid” signals of all inputs to that function.
Use the “is_invalid” signal in blocks which require valid signals:
Reset block: If the “is_invalid” signal is true during reset, a new reset has to be made. This corresponds to the function of the current “allow_reset” input.
Sync inputs block: If the “is_invalid” signal is true, the “off” condition cannot be met. For a valid off condition, all inputs must be valid and equal to 0.
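As an added illustration (not part of this work package or of the Simplifier Manager/compiler code), the following Python model carries the “is_invalid” bit through a logic function as the OR of its inputs' bits and runs the Reset and sync_inputs blocks, with and without invalid tracking, through the radio-timeout scenario from the Background section. The names Sig, ResetBlock, SyncInputs and radio_receive, and the one-step-per-sample timing, are assumptions of this model.

```python
from typing import NamedTuple

class Sig(NamedTuple):
    """Boolean signal plus its compiler-tracked is_invalid bit (constructed model)."""
    value: bool
    is_invalid: bool = False
def AND(*ins: Sig) -> Sig:
    """Logic function: output is_invalid is the OR of the inputs' is_invalid bits."""
    return Sig(all(s.value for s in ins), any(s.is_invalid for s in ins))
def radio_receive(tx_value: bool, timed_out: bool) -> Sig:
    """Receiver-side radio memory: after a timeout the bit reads 0 but is invalid."""
    return Sig(False, True) if timed_out else Sig(tx_value)
class ResetBlock:
    """Accepts a reset on a 0->1 edge; with tracking, both samples must be valid."""
    def __init__(self, track_invalid: bool):
        self.track, self.prev = track_invalid, Sig(False)
    def step(self, rst: Sig) -> bool:
        edge = rst.value and not self.prev.value
        valid = not (self.track and (rst.is_invalid or self.prev.is_invalid))
        self.prev = rst
        return edge and valid  # a rejected pulse means a new reset has to be made

class SyncInputs:
    """Output 1 while all inputs are 1; may re-activate only after an off condition."""
    def __init__(self, track_invalid: bool):
        self.track, self.released, self.active = track_invalid, False, False
    def step(self, *ins: Sig) -> bool:
        both = AND(*ins)
        all_on = both.value and not (self.track and both.is_invalid)
        # Off condition: every input equal to 0 and, when tracked, valid
        off = all(not s.value and not (self.track and s.is_invalid) for s in ins)
        self.released = self.released or off
        if all_on and self.released:
            self.active, self.released = True, False
        if not all_on:
            self.active = False
        return self.active

def reset_scenario(track_invalid: bool) -> list:
    # Valid reset, radio timeout (point 'a'), comm restored (point 'e'), fresh reset
    rx = [Sig(False), Sig(True), Sig(True), radio_receive(True, True),
          Sig(True), Sig(False), Sig(True)]
    blk = ResetBlock(track_invalid)
    return [blk.step(s) for s in rx]

def sync_scenario(track_invalid: bool) -> list:
    # Both inputs off, on, radio timeout, comm restored, then a genuine off and on
    rx = [(Sig(False),) * 2, (Sig(True),) * 2, (radio_receive(True, True),) * 2,
          (Sig(True),) * 2, (Sig(False),) * 2, (Sig(True),) * 2]
    blk = SyncInputs(track_invalid)
    return [blk.step(*pair) for pair in rx]
```

Without tracking, the restored communication is accepted as a reset and re-activates the sync_inputs output; with tracking, both blocks hold until a genuinely valid 0 has been seen.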
Radio
No changes to the radio protocol in the first step.
SimpleCAN
No changes to the SimpleCAN protocol in the first step.
Knapp1/2/General black channel
No changes to the black channel protocols in the first step.
Affected requirements
Requirements for the compiler need to be updated to include the handling of invalid signals.