Use safety-certified components in systems that will require safety-certification.
When implementing a system that will be certified to a safety standard, you should:
Packages for the QHS and supporting safety-certified components are available from the QNX Software Center just like other QNX software packages (see the “Building a Hypervisor System” chapter). The packages of safety-certified components are are identified by the .safety suffix (e.g., target.hypervisor.kernel_module.safety).
The safety-certification document issued to you when you purchase the QHS lists the safety-certified components you must use.
When both non-safety and safety variants of a component are available, the files for the safety-certified components made available in these packages include -safety as the last part of the component name before the suffix (e.g., vdev-shmem-safety.so, smmuman-safety, rather than vdev-shmem.so, smmuman).
You can use the uname utility's -a option to get information about the hypervisor host's microkernel (procnto-*), and the use utility's -i option to display a load module's build properties (see uname and use in the QNX Neutrino Utilities Reference).
The name, release, and version (timestamp) must all match the information on the corresponding safety-certificates for each component you are using. See the QNX Hypervisor for Safety 2.0 Safety Manual, as well as the Safety Manuals for the other safety components you are using.
If you build your own safety components, you should identify them in the same manner that the QNX components are identified, get them safety-certified to the appropriate standard, and confirm that the variants you have implemented in your system are indeed the safety-certified variants of these components.
For more information, contact your QNX representative.
On startup, the QHS default behavior is to check that all the required safety-related components are present and operational. These components include but are not limited to:
If any of these components is missing or not running as expected, the QHS default behavior is to move to its DSS (see “Design Safe States” in this chapter).
When you configure your VM, you can use the qvm safety option to change this default (see safety in the “VM Component Reference” chapter). The table below lists QHS components and the actions the safety variant of a qvm process instance will take if the safety variant of a required component isn't available on startup, or if it fails:
| Component safety status | Behavior of the qvm process instance | ||
|---|---|---|---|
| safety=required (default) | safety=warn | safety=none | |
| The microkernel (procnto) isn't safety-certified. | Terminate | Issue warning to log output, but continue. | Continue |
| A vdev that the VM configuration specifies must be safety-certified isn't safety-certified. | Terminate | Issue warning to log output, but continue. | Continue |
| SMMUMAN components aren't safety-certified (smmuman service is already running). | Terminate | Issue warning to log output, but continue. | Continue |
| SMMUMAN components aren't safety-certified, but this qvm process instance doesn't use the smmuman service (no pass-through devices are specified in the VM configuration). | Continue | Continue | Continue |
| The pci-server is running and PCI pass-through devices are specified in the VM configuration, but no pci_server-qvm_support.so library was loaded. | Terminate | Issue warning to log output, but continue. | Continue |
| No pci-server is running, and no PCI pass-through devices are specified in the VM configuration. | Continue | Continue | Continue |
As required by your safety-certification, you should configure your safety-related guest OSs to move to their DSSs if safety-related components on which they rely aren't present and running correctly. These components may include, but are not limited to: