KhronosGroup / KSCAF_DocRequirements

Khronos Safety Critical Advisory Forum’s minimum requirements for developing a safety critical technology specification.

System-interaction: modes of operation #40

Open bnaodovic opened 5 years ago

bnaodovic commented 5 years ago

SC profile shall specify API functionality for at least two modes of operation: 1) non-safe and 2) safe.

Rationale: The API implementation typically goes through two phases during its operation in a safety-critical environment: 1) a non-safe, initialization phase, during which operations which are not appropriate for safety-critical execution are performed, such as allocation of resources, and 2) a safe, steady-state phase, during which operations designated for safety-critical execution are performed, such as using the allocated resources. The terms non-safe and safe mode of operation can be used to describe this usage model: the API implementation is in non-safe mode of operation during the first phase, and it is in safe mode during the second. If this typical usage model is not addressed by the profile, the profile may inadvertently define functions, data structures or procedures which are infeasible to implement in one mode or in both modes of operation.

Example: The SC profile can include a comment of the form “all described functionality pertains to safe mode of operation, except where indicated otherwise”; functionality which differs between the two modes should be indicated, as in:

Function: Handle getObject(uint16_t i)

  • during safe mode: returns value INVALID and does not reserve any object;
  • during non-safe mode: returns handle to an object and reserves the object.
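The following is an added C example, not code from the issue or from any Khronos specification, showing how the two-mode contract for getObject above can be implemented and checked. The handle type, the INVALID value (0), the fixed pool size MAX_OBJECTS, the Implementation state struct, and the enterSafeMode and useObject functions are all assumptions made for the example; the issue names only getObject and INVALID. The point it illustrates is that resource reservation is confined to the non-safe phase, the transition to safe mode is one-way, and a safe-mode call never reserves anything as a side effect.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical handle type and INVALID value; the issue text names INVALID
 * but does not define it. Handle 0 is reserved for INVALID so that pool
 * index i maps to handle i + 1. */
typedef uint32_t Handle;
#define INVALID ((Handle)0)

/* Assumed pool size for the example. */
#define MAX_OBJECTS 8u

typedef enum { MODE_NON_SAFE = 0, MODE_SAFE = 1 } Mode;

/* Assumed implementation state: the current mode plus a fixed pool of
 * objects. No dynamic allocation anywhere, so the safe phase only ever
 * touches memory that the non-safe phase already reserved. */
typedef struct {
    Mode     mode;
    bool     reserved[MAX_OBJECTS];
    uint32_t payload[MAX_OBJECTS];
} Implementation;

/* Non-safe mode only: put the implementation into its initial state. */
void implInit(Implementation *impl) {
    impl->mode = MODE_NON_SAFE;
    for (uint32_t i = 0; i < MAX_OBJECTS; ++i) {
        impl->reserved[i] = false;
        impl->payload[i]  = 0;
    }
}

/* The function from the issue. Behaviour differs by mode:
 *   non-safe mode: reserves object i and returns its handle;
 *   safe mode:     returns INVALID and reserves nothing. */
Handle getObject(Implementation *impl, uint16_t i) {
    if (impl->mode == MODE_SAFE) {
        return INVALID;                 /* no resource acquisition once safe */
    }
    if (i >= MAX_OBJECTS || impl->reserved[i]) {
        return INVALID;                 /* out of range or already taken */
    }
    impl->reserved[i] = true;
    return (Handle)(i + 1);
}

/* Hypothetical one-way transition from the initialization phase to the
 * steady-state phase. Returning to non-safe mode would require a full
 * re-initialization, which this example deliberately does not offer. */
bool enterSafeMode(Implementation *impl) {
    if (impl->mode != MODE_NON_SAFE) {
        return false;
    }
    impl->mode = MODE_SAFE;
    return true;
}

/* Hypothetical steady-state operation: uses an object reserved earlier.
 * It behaves the same in both modes, so it needs no mode annotation under
 * the "safe mode except where indicated" convention. Invalid or unreserved
 * handles are rejected rather than dereferenced. */
bool useObject(Implementation *impl, Handle h, uint32_t value) {
    if (h == INVALID || h > MAX_OBJECTS) {
        return false;
    }
    if (!impl->reserved[h - 1]) {
        return false;
    }
    impl->payload[h - 1] = value;
    return true;
}

/* Walks the two-phase usage model and returns 0 on success, or the number
 * of the first step whose outcome differed from the mode contract. */
int runScenario(void) {
    Implementation impl;
    implInit(&impl);

    Handle a = getObject(&impl, 3);                 /* non-safe: reserves object 3 */
    if (a != 4) return 1;
    if (getObject(&impl, 3) != INVALID) return 2;   /* double reservation refused */

    if (!enterSafeMode(&impl)) return 3;
    if (enterSafeMode(&impl)) return 4;             /* transition is not repeatable */

    if (getObject(&impl, 5) != INVALID) return 5;   /* safe: no new reservation */
    if (impl.reserved[5]) return 6;                 /* ...and no side effect */

    if (!useObject(&impl, a, 42)) return 7;         /* safe: using what was reserved */
    if (impl.payload[3] != 42) return 8;
    if (useObject(&impl, 6, 1)) return 9;           /* never reserved: refused */
    if (useObject(&impl, INVALID, 1)) return 10;
    return 0;
}

int main(void) {
    int r = runScenario();
    printf("scenario: %s (%d)\n", r == 0 ? "ok" : "failed at step", r);
    return r;
}
```

Every mode-dependent decision sits in one place (the mode check at the top of getObject), which is what makes the "except where indicated otherwise" annotation in a profile auditable: a reviewer can grep for the mode test and compare it against the functions the profile marks as differing between modes.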