Design Safe States

The QHS supports two Design Safe States (DSSs).

Since the QHS comprises the QOS microkernel plus its virtualization extension, it implements the DSS specified for the QOS. The same states that cause the QOS to move to its DSS cause the hypervisor to move to its DSS. Since guest OSs run inside hypervisor host processes, monitoring these processes for transgressions also monitors the guests for transgressions.

If an internal or external detection mechanism alerts the hypervisor of a condition it is not designed to handle in any other way (e.g., missing safety component; see QHS components in this chapter), the QHS will do one of the following:

VM DSS (local DSS)

If an undefined condition is confined to a VM (a qvm process instance), the hypervisor terminates that qvm process instance (e.g., with a SIGSEGV signal). Terminating the hosting qvm process instance terminates its guest.

The hypervisor continues to run normally after it terminates a qvm process instance. You can design your system to take appropriate action after moving a guest to its local DSS; for example, reconstruct the VM and reboot the guest.
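One way to build the "reconstruct the VM and reboot the guest" response to a local DSS is a small supervisor that hosts the qvm process instance, inspects how it ended, and re-launches it a bounded number of times. This is an added example in plain POSIX C, not QNX code; the qvm command line and configuration path are placeholders, and treating termination by a signal as "the hypervisor moved this VM to its local DSS" is an assumption based on the SIGSEGV example above.

```c
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the supervisor should do after a hosted qvm process instance ends. */
enum dss_action { DSS_NONE, DSS_RESTART_GUEST, DSS_GIVE_UP };

/* Map a waitpid() status to a recovery action. A clean exit means the guest
 * was stopped on purpose. Termination by a signal is taken (assumption) as
 * the hypervisor moving the VM to its local DSS, so the VM is rebuilt. Any
 * other exit status is treated as a setup problem and is not retried. */
enum dss_action dss_action_for_status(int status)
{
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return DSS_NONE;
    if (WIFSIGNALED(status))
        return DSS_RESTART_GUEST;
    return DSS_GIVE_UP;
}

/* Run argv as a child, wait for it, and reconstruct it (re-exec) at most
 * max_restarts times when it is killed by a signal. Returns the number of
 * restarts performed, or -1 if fork()/waitpid() fails. */
int supervise_vm(char *const argv[], int max_restarts)
{
    int restarts = 0;
    for (;;) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0) {
            execvp(argv[0], argv);
            _exit(127); /* exec failed: surfaces as a non-zero exit */
        }
        int status;
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        enum dss_action act = dss_action_for_status(status);
        if (act != DSS_RESTART_GUEST || restarts >= max_restarts)
            return restarts; /* stopped cleanly, misconfigured, or budget spent */
        fprintf(stderr, "qvm pid %ld terminated by signal %d (local DSS), "
                "restart %d of %d\n", (long)pid, WTERMSIG(status),
                restarts + 1, max_restarts);
        restarts++;
    }
}

/* Stand-alone use; the qvm configuration path is a placeholder. */
int main(void)
{
    char *const vm[] = {"qvm", "@/path/to/guest.qvmconf", NULL};
    return supervise_vm(vm, 3) < 0 ? 1 : 0;
}
```

A restart budget matters: a guest that is moved to its local DSS on every boot should end up in a state the rest of the system can notice, not in an unbounded reboot loop.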

Hypervisor host DSS (global DSS)

The QHS is composed of the QNX Neutrino OS for Safety (QOS) with a virtualization extension (safety-variant); the same conditions that cause the QOS to move to its DSS cause the hypervisor host to move to its DSS. That is, if the undefined condition isn't confined to a VM, the QHS shuts down. This DSS is the same as the QOS DSS.