Category Archives: Development Phase

Is a watchdog always mandatory in a functional safety project?

Generally, a watchdog seems to be treated as a safety measure by default in system design. What do you think? Is it essential?

Assume that tester1 tests a product for 100 days and tester2 tests the same product for 10 days. Can you conclude from that alone that tester1 is the better tester?

You will say “No”, because the test criteria have to be considered when judging the quality of testing.

It is the same here. Is a system designed with a watchdog safer than one designed without?

Why is a watchdog required? Is it a problem if a system does not have one?

It certainly helps you feel that the system is safe. By itself, it is no more than that.

Before adopting a watchdog, first define what the safe state of your system is. Then look at what actually happens when the watchdog fires: a reset, holding the unit in reset, disabling outputs. If that reaction is what brings the system into its safe state when something goes wrong, the watchdog is mandatory. If not (a bare reset that simply restarts a faulty unit is not automatically a safe state), it is a psychological remedy.

“Doing Nothing” is better than “Doing Wrong”


Why were you born? The meaning of a safety requirement’s existence

If a requirement is given a safety attribute, it means that failing to achieve that requirement threatens safety.

The rationale has to be written down somewhere. I believe that the system FTA or the system FMEA is the proper means of showing why they were born.

After the hazards are identified, safety engineers shall propose methods to handle them. In the ISO standard (ISO 26262, which is where the ASIL ratings used below come from), those proposals are called safety mechanisms.

Sometimes engineers forget this simple principle, and non-safety-related requirements are mistaken for safety requirements.

Do all your safety requirements have a birth certificate? An unregistered one has the potential to threaten safety. Don’t forget to register them; it is as natural as what happens in our society.

“Doing Nothing” is better than “Doing Wrong”

This is related to identifying safety requirements. For safety-related systems, avoiding unintended function is essential. But I sometimes find that some engineers have a rule that the watchdog function shall always be regarded as a safety function.

Is it really true?

A watchdog failure may well be critical for the company’s profit, because it becomes a quality problem. That is certainly a problem, but from the safety point of view a watchdog is not always safety-related.

Let’s assume there is a system (Sys_A) that reports some information to another system (Sys_B) which controls the vehicle’s movement. The requirement allocated to Sys_B is rated ASIL C, while the one allocated to Sys_A is rated ASIL A or B.

Assume also that Sys_B can tell whether Sys_A is alive by monitoring the messages that Sys_A sends.

From the safety point of view, Sys_A’s safe state may be the dead state. When Sys_A detects a fault that would violate the safety function allocated to it, it is better to do nothing (stop sending) than to do wrong (keep sending plausible-looking but incorrect messages): Sys_B notices the silence, but liveness monitoring alone cannot tell a confidently wrong message from a right one.

In this case, is a watchdog fault in Sys_A safety-related or not?

In some cases I have found that the watchdog function is not a safety function. It is just a general function.
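To make the Sys_A/Sys_B scenario concrete, and with it the point from the watchdog post above that a watchdog is only a safety mechanism when it is what brings the system to its safe state, here is a small constructed C model. It is an added example, not code from the original posts or from any real ECU. Sys_B’s monitor treats silence, a bad CRC or a broken alive counter as “Sys_A said nothing” and latches its safe state after TIMEOUT_TICKS; a message that is correctly framed but carries a wrong value passes liveness monitoring and is caught only by a separate plausibility check. The message layout, the CRC-8 polynomial, the timeout and the speed bound are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the Sys_A -> Sys_B link. Message layout, timeout and
 * range values are assumptions for this example, not a real vehicle spec. */
#define TIMEOUT_TICKS  3u    /* Sys_B declares Sys_A dead after this many silent ticks */
#define MAX_SPEED_KPH  300u  /* plausibility bound for the reported value */

typedef struct {
    uint8_t  alive;   /* alive counter: +1 per message, wraps at 255 */
    uint16_t speed;   /* reported wheel speed in km/h */
    uint8_t  crc;     /* CRC-8 (poly 0x07) over alive and the two speed bytes */
} msg_t;

typedef enum { VERDICT_OK = 0, VERDICT_SYS_A_DEAD, VERDICT_SYS_A_WRONG } verdict_t;

typedef struct {
    uint8_t   silent_ticks;
    uint8_t   last_alive;
    bool      seen_any;
    bool      check_plausibility;  /* false = liveness monitoring only */
    verdict_t verdict;             /* latched: once Sys_B leaves OK it stays there */
} monitor_t;

static uint8_t crc8(const uint8_t *p, size_t n) {
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int b = 0; b < 8; b++)
            c = (uint8_t)((c & 0x80u) ? ((c << 1) ^ 0x07) : (c << 1));
    }
    return c;
}

static void msg_bytes(const msg_t *m, uint8_t out[3]) {
    out[0] = m->alive;
    out[1] = (uint8_t)(m->speed & 0xFFu);
    out[2] = (uint8_t)(m->speed >> 8);
}

/* Sys_A side: build a correctly framed message. A "doing wrong" Sys_A still
 * frames its messages perfectly, so the same function serves both cases. */
static msg_t sys_a_send(uint8_t alive, uint16_t speed) {
    msg_t m = { alive, speed, 0 };
    uint8_t b[3];
    msg_bytes(&m, b);
    m.crc = crc8(b, sizeof b);
    return m;
}

static void monitor_init(monitor_t *m, bool check_plausibility) {
    *m = (monitor_t){ .check_plausibility = check_plausibility, .verdict = VERDICT_OK };
}

/* Sys_B side: called once per tick; msg == NULL means nothing arrived this tick. */
static verdict_t monitor_tick(monitor_t *m, const msg_t *msg) {
    if (m->verdict != VERDICT_OK)
        return m->verdict;                      /* already in safe state */
    bool framing_ok = false;
    if (msg != NULL) {
        uint8_t b[3];
        msg_bytes(msg, b);
        bool crc_ok   = (crc8(b, sizeof b) == msg->crc);
        bool alive_ok = !m->seen_any || msg->alive == (uint8_t)(m->last_alive + 1u);
        framing_ok = crc_ok && alive_ok;
    }
    if (!framing_ok) {
        /* silence, a bad CRC or a stuck alive counter all count as "Sys_A said nothing" */
        if (++m->silent_ticks >= TIMEOUT_TICKS)
            m->verdict = VERDICT_SYS_A_DEAD;    /* liveness monitoring -> safe state */
        return m->verdict;
    }
    m->silent_ticks = 0;
    m->last_alive = msg->alive;
    m->seen_any = true;
    if (m->check_plausibility && msg->speed > MAX_SPEED_KPH)
        m->verdict = VERDICT_SYS_A_WRONG;       /* content check -> safe state */
    return m->verdict;
}

/* Healthy Sys_A: Sys_B stays in its normal state. */
verdict_t scenario_healthy(void) {
    monitor_t mon; monitor_init(&mon, true);
    for (uint8_t a = 1; a <= 6; a++) { msg_t m = sys_a_send(a, 80); monitor_tick(&mon, &m); }
    return mon.verdict;
}

/* Sys_A detects its own fault and goes silent ("doing nothing"): liveness monitoring catches it. */
verdict_t scenario_silent(void) {
    monitor_t mon; monitor_init(&mon, true);
    for (uint8_t a = 1; a <= 3; a++) { msg_t m = sys_a_send(a, 80); monitor_tick(&mon, &m); }
    for (int t = 0; t < 4; t++) monitor_tick(&mon, NULL);
    return mon.verdict;
}

/* Sys_A keeps alive counter and CRC perfect but reports garbage ("doing wrong").
 * With liveness monitoring only, Sys_B is fooled; the plausibility check is what catches it. */
verdict_t scenario_wrong(bool check_plausibility) {
    monitor_t mon; monitor_init(&mon, check_plausibility);
    for (uint8_t a = 1; a <= 3; a++) { msg_t m = sys_a_send(a, 80); monitor_tick(&mon, &m); }
    for (uint8_t a = 4; a <= 6; a++) { msg_t m = sys_a_send(a, 5000); monitor_tick(&mon, &m); }
    return mon.verdict;
}

int main(void) {
    static const char *name[] = { "OK", "SYS_A_DEAD", "SYS_A_WRONG" };
    printf("healthy: %s | silent: %s | wrong/liveness only: %s | wrong/plausibility: %s\n",
           name[scenario_healthy()], name[scenario_silent()],
           name[scenario_wrong(false)], name[scenario_wrong(true)]);
    return 0;
}
```

Note what the monitor never asks: whether Sys_A’s own watchdog reset it. Whether Sys_A restarts or stays dead changes availability, not whether Sys_B reaches its safe state, which is the sense in which the watchdog inside Sys_A is a general function here. The scenario with liveness monitoring only also shows why the argument is not “add a watchdog and you are safe”: the mechanism that covers “doing wrong” is the content check on Sys_B’s side, not the watchdog.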

That is how important identifying safety requirements is for a functional safety manager. Functional safety engineers and functional safety managers have to consider it carefully.

Treating non-safety functions as safety functions is guaranteed to confuse engineers. All safety activities after the requirements phase get messed up, because the work products will no longer be consistent with each other, and the safety argument stops being convincing.