Qt Safe Renderer Monitor

Qt Safe Renderer Monitor: Verifying the Rendering Output

The Qt Safe Renderer is our solution for creating user interfaces (UI) for safety-critical systems. Since 2017 the Qt Safe Renderer has been used by multiple customers and certified for different functional safety standards. With the upcoming version 2.0, we are introducing a new approach for validating the correct rendering of safety-critical information – the Monitor.

Functional safety applies to many industries, such as automation, medical, railway, and automotive. Safety-critical information in the digital displays must be correct, even if some malfunction prevents rendering the other parts of the user interface. Qt Safe Renderer provides a solution for rendering the safety-critical information to achieve functional safety. It can be used with Qt or other user interface technologies – or even for creating the whole user interface in some cases.

The upcoming Qt Safe Renderer 2.0 release contains many new groundbreaking features. This blog illustrates the monitoring of the rendering output feature.

An extra layer of safety with monitoring

Created to meet strict functional safety requirements, the Qt Safe Renderer (QSR) ensures safe rendering by partitioning the safety-critical functionality into an independent subsystem run on its process. With the new Monitor component, Qt Safe Renderer can be used to create a safety-critical user interface to a broader set of different processors and allow more versatile system architectures.

After the safety-critical UI is rendered, the Monitor component verifies that it is displayed correctly. This approach also allows using the Qt Safe Renderer in environments that do not provide safety-certified rendering hardware. Using the Monitor, it is also possible in certain use cases to achieve higher levels of functional safety via the additional checking for correct rendering.

The block diagram below depicts the control and data flows at a high level. Customers want the optional Monitor for the rendered output in the safety-critical systems.

QSR_monitor_blog_diagram

Customers can mitigate the risks with the help of the new feature. And while doing so, more complex systems can be developed. These systems often contain many software and hardware components. Modern chipsets often contain a microcontroller that can run a separate monitor.

Now there is an automatic sort of watchdog checking for any unexpected errors. The application developers can define the actions in case of errors. The Monitor is an optional feature. You can also create safety applications without it.

See the Monitor in action!

The monitoring example is shown in action with the example of the indicator. The below screen capture shows the indicators on the top left corner. There are animations and state transitions ongoing. Different telltales (Safe Pictures) are either made visible or hidden and have a solid background fill color. The gear selection (Safe Images) is animated as well. 

The top right corner shows the monitor example in a separate application. In case of an error, the safe QML object identification code is shown, and the mismatching fingerprint is listed. The lower part shows the test harness used to stimulate different exceptional cases. The red battery icon is toggled off while it should be visible. The Monitor shows an error for it. Also, the position is set to overlap with another Safe Picture. Once the overlapping is removed, the error messages are no longer added.

QSR_Monitor

 

How the system works

You can enable monitoring for your safety application. Please see the detailed steps from the online documentation.

QSR_monitor_system_view

The tooling generates a unique digital fingerprint for each safe item in the design. These fingerprints are calculated using a cyclic redundancy check (CRC) algorithm. The safe assets can have animations.

The monitor checks that reference values match the actual content in the display. If the CRC codes match, then everything is working in the system. The Monitor detects the slightest possible deviation, even if it is invisible to the human eye.

If there are errors, the safety application developer decides what to do. Will the error disappear as soon as it appears without action? Or will it disappear after redrawing the screen in a split second? Or is there a need to restart the system and resume after a quick reboot?

Supported safe QML types, environments, and coding standards

The new release supports Snapdragon 6155P and 8155P hardware and QNX operating system. You can verify static information out of the box. If you need support for other platforms, please contact us.

The monitor and CRC data are compatible with AUTOSAR (AUTomotive Open System ARchitecture) tools  and MISRA (Motor Industry Software Reliability Association) C coding rules. You can use the data in a separate microcontroller without a file system.

You can verify static information with animations, such as safe images, icons, and text. Support for dynamic text verification is planned in later releases.

QSR 2.0 is expected to be available soon. The pre-release version is already available via the Qt installer. The QSR is part of the Qt for Device Creation Enterprise version. So, you get it as part of the bundle without needing a dedicated QSR license. Shall you have any questions, please don't hesitate to contact us.


Blog Topics:

Comments