Separation of Safety-Critical Concerns
Purpose
Define architectural partitioning to contain failures, simplify verification, and align safety classes with appropriate isolation.
When to Apply
- •Designing or refactoring architecture for mixed-criticality systems.
- •Introducing new subsystems with different safety impacts (e.g., UI vs control).
- •Adding third-party/SOUP modules or connectivity stacks near safety logic.
Requirements (testable)
- •Partitioning: Separate safety-critical from non-critical components using process/MPU/MMU or language-level isolation; document boundaries. Rationale: fault containment.
- •Minimal Interfaces: Keep interfaces between partitions minimal and typed; avoid shared mutable state. Rationale: reduce coupling and fault vectors.
- •Validation at Boundaries: Validate all data crossing partitions (lengths, ranges, CRC/MAC); enforce timeouts and error handling. Rationale: prevent propagation.
- •Principle of Least Privilege: Assign minimal privileges to non-critical partitions; restrict syscalls/IO where possible. Rationale: limit impact of compromise.
- •Monitoring: Add health monitoring/heartbeats for critical partitions; safe fallback on failure. Rationale: detect and react to partition failure.
- •Testability: Provide mocks/stubs for non-critical partitions to test critical logic deterministically. Rationale: reliable verification.
Recommended Practices
- •Use message queues or well-defined RPC instead of shared globals.
- •Define data transfer objects (DTOs) with explicit versioning and size fields.
- •Apply static analysis to enforce layering (no upward dependencies).
- •Consider dual-core separation if hardware supports, with strict comms.
Patterns
DTO with size and CRC:
c
// REQ-SEP-IF-01; TEST-SEP-04
typedef struct {
uint16_t len;
uint16_t crc;
uint8_t payload[48];
} msg_t;
bool validate_msg(const msg_t *m) {
if (m->len > sizeof(m->payload)) return false;
return crc16(m->payload, m->len) == m->crc;
}
Partition watchdog:
c
// REQ-SEP-MON-02; TEST-SEP-09
void monitor_control_partition(void) {
if (!heartbeat_ok()) {
enter_safe_state(); // stop outputs, alarm
}
}
Anti-Patterns (risks)
- •Shared global buffers between UI and control logic -> risk: corruption.
- •Unbounded/unvalidated IPC -> risk: DoS or malformed data affecting safety.
- •Broad privileges for non-critical services -> risk: escalation into safety domain.
- •Hidden backdoors (debug UART) bridging partitions -> risk: bypassing controls.
Verification Checklist
- • Partitions defined; safety-critical isolated from non-critical.
- • Interfaces documented and minimal; no shared mutable state across classes.
- • Boundary validation implemented (size/range/CRC/MAC, timeouts).
- • Privileges for non-critical partitions minimized.
- • Monitoring/heartbeat for critical partition with safe fallback.
- • Mocks/stubs available for testing critical logic without non-critical code.
Traceability
- •Map partitions to safety classes and hazards; link interface validation tests (
TEST-SEP-###). - •Maintain an interface contract document; tie to architecture diagrams.
References
- •IEC 62304 segregation intent (5.3).
- •ISO 26262 Part 6 (informative for mixed-criticality partitioning concepts).
- •SEI CERT C and MISRA guidance on shared state avoidance (informative).
Changelog
- •1.0.0 (2026-01-04): Initial partitioning guidance with boundary validation and monitoring.
Audit History
- •2026-01-04: Audit performed. Verified:
- •IEC 62304 segregation intent correctly referenced to clause 5.3
- •ISO 26262 Part 6 reference appropriate as informative for mixed-criticality concepts
- •SEI CERT C and MISRA guidance correctly marked as informative