Qt Safe Renderer is our solution for the creation of user interfaces to safety critical systems. Available since 2017 the Qt Safe Renderer is used by multiple customers and certified for several different functional safety standards. With the upcoming version 2.0 we are introducing a new approach for validating the correct rendering of safety critical information – the Monitor.
Functional safety applies to many industries, such as automation, medical, railway and automotive. It is essential that safety-critical information in the digital displays is correct even if some malfunction prevents rendering the other parts of the user interface. Qt Safe Renderer provides a solution for rendering the safety critical information to achieve functional safety. It can be used with Qt or other user interface technologies – or even for creation of the whole user interface in some cases.
Created to meet strict functional safety requirements, the Qt Safe Renderer (QSR) ensures safe rendering by partitioning the safety critical functionality into an independent subsystem that is run on its own process. With the new Monitor component, Qt Safe Renderer can be used to create a safety critical user interface to a wider set of different processors and allow more versatile system architectures.
After the safety critical UI is rendered, the Monitor component verifies that it is displayed correctly. This approach also allows using the Qt Safe Renderer in environments that do not provide safety certified rendering hardware. Using the Monitor, it is also possible in certain use cases to achieve higher levels of functional safety via the additional checking for correct rendering.
Block diagram of using Qt Safe Renderer with the Monitor component:
After the safety critical content, for example a warning indicator or a gear selector, is drawn to the screen, the Renderer reads back the CRC (Cyclic Redundancy Check) checksum from the display interface. This checksum is provided to the Monitor, running in a separate process, to conduct an independent check for the correctness of the rendered output.
When using the Monitor, the correct checksums ‘Golden CRC values’ are calculated by the Qt Safe Renderer tooling during build time. The unique checksum is created for each of the safety critical elements, along with the needed identifiers. If there is any error or inconsistency in rendering the safety critical elements, the checksums will not match. The Qt Safe Renderer tooling handles creating the correct checksums during the build process, making it quick to change the safety critical user interface and eliminating the possibility of errors.
The Monitor is run in a separate process (than the rendering), allowing independent operation from the Renderer. When needed, it is possible to run the Monitor in a physically separate processor to achieve higher safety levels for the system. The Monitor is implemented in C language, according to the MISRA C 2012 specification. We have selected C language to ensure optimal portability also to those safety co-processors that do not provide a certified C++ compiler.
If you are interested in learning more about the new Monitor component or the upcoming Qt Safe Renderer 2.0, please Contact us. The development is currently reaching the final steps, and we can provide pre-release versions for evaluation. With the upcoming Qt Safe Renderer 2.0 we are also adding multiple other cool new features and functionality. We’ll talk about those during the coming months, so stay tuned!
