A safety system monitors faults in an embedded control system. The embedded control system is modeled to produce one or more model check values by calculating how many clock cycles will pass between an initialization time point and at least one event time point for a specific event. The initialization time point is a certain point in an initialization function of a scheduler in the embedded control system. The at least one event time point is an expected number of clock cycles to pass before a specific event occurs. In operation, the embedded control system is initialized, a current clock cycle counter value is retrieved at a certain point in the initialization, and either an occurrence or an absence of an occurrence of a scheduled event is recognized. A current clock cycle value is recorded upon the recognition, and a mathematic check value is produced from the clock cycle value stored at the certain point in the initialization and the clock cycle value recorded upon the recognition. Subsequently, the model check value is compared to the mathematic check value, and action is taken based on the comparison.