Autosar 系列教程:小柴带你学 AutoSar 总目录
# 小柴带你学 AutoSar 系列三、标准和规范篇(2)BSWGeneral
只要坚持下去就可以打败 99.99% 的人了✌️
# BSWDistributionGuide
# BSW 在 AUTOSAR 架构中的这里哦
# BSW Distribution in Multi-Core Systems
BSW Functional Clusters
BSW 功能集群是一组相关功能的模块
BSW functional clusters are groups of functionally coherent BSW modules.
The following types of clusters might be standardized in a later release:
- Communication cluster 通信集群
- Memory cluster 内存集群
- I/O cluster I/O 集群
- Watchdog cluster 看门狗集群
# Parallel Execution of BSW modules
# Core-Dependent Branching
It is possible for example to use the core id for this, i.e. branch the control flow depending on the return value of the OS APIs GetCoreID, or also GetApplicationID.
BSW 模块的并行处理,可以通过获取 Core ID 来进行分支处理
# Using Shared Buffers (in systems without memory protection)
使用共享的 buffer,所以需要防止并发访问哦,保持数据一致性
# Concurrency safe implementation of modules
并发,可重入 / 不可重入都是需要考虑的事情
# Kernel based Master-Satellite Realization
# Atomic Operations Library
# SchM Interfaces for Parallel BSW execution
用于并行执行的 SchM 接口
The Basic Software Scheduler (SchM) is responsible for handling the inter-partition communication between BSW modules.
SchM 负责 BSW 分区间的通信
For the distribution of BSW modules across several partitions, the SchM shall implement the methods SchM_Call, SchM_Result, SchM_Send and SchM_Receive
SchM 要实现多种方法
- SchM_Call
- SchM_Result
- SchM_Send
- SchM_Receive
The SchM can use IocSend (a direct call to the OS) to send data in inter-partition communication. Other RTE internal mechanism might not be available during startup.
SchM 可以使用 IOC 去做分区间通信
# Configuration of Basic Software in Partitioned Systems
# Task Mapping
The parallelization of BSW modules introduces several new subclasses of BswEvent to the AUTOSAR metamodel. These classes are shown in Figure 2.5. Each BswEvent (including instances of subclasses of BswEvent) is assigned to a BswSchedulableEntity, which is started upon occurrence of the event.
# General Configuration of Master and Satellites
Modules that shall be available in multiple partitions can be implemented as masters and satellites. In this case, the master and all satellites of the same module share the same code (which may implement core-dependent behavior however) and the same configuration. Hence, a master and its satellites are treated as one module entity w.r.t. their configuration.
The communication between master and satellites is not to be standardized. It is considered to be module-internal and it is not visible to other modules. However, since it is recommended to use SchM mechanisms for internal communication, the nonstandardized client-server entries and data accesses in the BSWMD to connect master and satellite need to be configured.
# Configuring the BswM (per Partition)
On systems with distributed BSW there is one BSW Mode Manager (BswM) per partition (but one OS and EcuM per core, which is the same as long as we have one BSW partition per core). Each of these BswMs can be configured independently. A BswM mainly interacts with the state managers (ECU state manager and bus state managers, for instance) on the same partition.
每个部分的 BswM 可以被单独配置
The BswM is also responsible for the initialization and shutdown of BSW modules running in the same partition. Therefore, its configuration depends on the mapping of BSW modules to partitions.
BswM 可以响应同分区的 initialization 和 shutdown
# Configuring the EcuM (per Core)
On systems with distributed BSW there is one EcuM per core (even if there are multiple BSW partitions on that core). In other words, on every core there shall be one and only one partition that runs the EcuM. The partition running the EcuM is determined by the EcuMFlexEcucPartitionRef, which is specified in the container EcuMFlexUser Config of the EcuM configuration.
每个核都应该只要有一个 EcuM,即使这个核上有多个 BswM 的不同分区。
On architectures with a sequential start of cores, there is one designated master core in which the boot loader starts the master EcuM via EcuM_Init. The EcuM in the master core starts some drivers, determines the Post Build configuration and starts all remaining cores with all their satellite EcuMs
引导程序 -> EcuM_Init -> master core -> remaining cores
# MCAL Distribution
# Introduction
It shall be noted that the introduction of the multi-core MCAL requires the introduction of asynchronously behaving interfaces to enable non-blocking parallel execution on multiple cores.
Furthermore it is assumed that a multi-core microcontroller is used however this is not mandatory as the concept provides an identical set of service API’s regardless whether it is a single- or multi-core implementation. Additionally it is possible to realize mixed ASIL systems with segregation in space and time where the mappable MCAL elements are assigned to the different partitions respecting the safety integrity level of the resulting MCAL implementation.
多核并发 + 硬件分离解耦
# Criteria
- 1 - APIs Availability
- 1a: Local service API’s (executable on one core only)
- 1b: Global (distributed /shared) service API’s (executable on any core)
- 2 - MCAL Kernel Execution Context
- 2a: One Local kernel (executable on one core only)
- 2b: Global (distributed /shared) kernel (executable on any core)
- HW Elements Mapping
- 3a: One HW element mappable to one core only
- 3b: One HW element mappable to several cores
# Com-Stack Distribution
In general, one major job of the PduR is to take care of PDU routings between different networks.
PduR 来处理不同的网络间的路由
# BSW Distribution in Safety Systems
the main safety mechanisms:
- Partitioning of SWCs to support the isolation in space.
- Timing and control flow supervision to monitor executing entities and to detectfaults caused by blocking or wrong execution. In AUTOSAR the Os and the WdgM take care of this issue.
- A safe communication via end-to-end protection is possible between ECUs (and even inside an ECU). This guarantees e.g. that the data which is send is not modified between the sender and the receiver(s). The responsible module is the E2Elibrary.
简单来说呢三件事:空间隔离、定时保护、E2E 端到端
# BSWGeneral
# Requirements Specification
This chapter describes all requirements driving the work to define the General Requirements on Basic Software Modules.
# Functional Overview
BSW 涵盖了以下几个区域
The requirements on Basic Software cover the following domains:
- Body
- Powertrain
- Chassis
- Safety (assumption: covered, because hardware and system infrastructure are similar to the domains above)
有下面几种 ECU
The ECU application experience is taken from the following concrete applications:
- Sunroof and power window ECU
- Diesel engine ECU
- BMW, DC and VW standard software packages (’Standard Core’, ’Standard Software Platform’, ’Standard Software Core’) including ISO 17356-3 OS [3], communication modules, bootloader, basic diagnostic functions for the domains listed above
- Infotainment control ECU
# Functional Requirements
# Configuration
[SRS_BSW_00344] BSW Modules shall support link-time configuration
[SRS_BSW_00404] BSW Modules shall support post-build configuration
[SRS_BSW_00405] BSW Modules shall support multiple configuration sets
[SRS_BSW_00345] BSW Modules shall support pre-compile configuration
[SRS_BSW_00159] All modules of the AUTOSAR Basic Software shall support a tool based configuration
[SRS_BSW_00167] All AUTOSAR Basic Software Modules shall provide configuration rules and constraints to enable plausibility checks
[SRS_BSW_00171] Optional functionality of a Basic-SW component that is not required in the ECU shall be configurable at pre-compile-time
[SRS_BSW_00170] The AUTOSAR SW Components shall provide information about their dependency from faults, signal qualities, driver demands
SWC 应该提供有关故障、信号质量、驱动的依赖
[SRS_BSW_00380] Configuration parameters being stored in memory shall be placed into separate c-files
配置的参数应该在一个单独的 c 文件中
[SRS_BSW_00419] If a pre-compile time configuration parameter is implemented as const it should be placed into a separate c-file
如果是 const 类型,也需要单独放在一个 c 文件中
[SRS_BSW_00383] The Basic Software Module specifications shall specify which other configuration files from other modules they use at least in the description
[SRS_BSW_00384] The Basic Software Module specifications shall specify at least in the description which other modules they require
[SRS_BSW_00388] Containers shall be used to group configuration parameters that are defined for the same object
[SRS_BSW_00389] Containers shall have names
[SRS_BSW_00390] Parameter content shall be unique within the module
[SRS_BSW_00392] Parameters shall have a type
[SRS_BSW_00393] Parameters shall have a range
[SRS_BSW_00394] The Basic Software Module specifications shall specify the scope of the configuration parameters
[SRS_BSW_00395] The Basic Software Module specifications shall list all configuration parameter dependencies
[SRS_BSW_00396] The Basic Software Module specifications shall specify the supported configuration classes for changing values and multiplicities for each parameter/container
[SRS_BSW_00403] The Basic Software Module specifications shall specify foreach parameter/container whether it supports different values or multiplicity indifferent configuration sets
[SRS_BSW_00397] The configuration parameters in pre-compile time are fixed before compilation starts
[SRS_BSW_00398] The link-time configuration is achieved on object code basis in the stage after compiling and before linking
[SRS_BSW_00399] Parameter-sets shall be located in a separate segment and shall be loaded after the code
[SRS_BSW_00400] Parameter shall be selected from multiple sets of parameters after code has been loaded and started
[SRS_BSW_00438] Configuration data shall be defined in a structure
[SRS_BSW_00402] Each module shall provide version information
# Wake-Up
[SRS_BSW_00375] Basic Software Modules shall report wake-up reasons
# Initialization
[SRS_BSW_00101] The Basic Software Module shall be able to initialize variables and hardware in a separate initialization function
[SRS_BSW_00416] The sequence of modules to be initialized shall be configurable
[SRS_BSW_00406] A static status variable denoting if a BSW module is initialized shall be initialized with value 0 before any APIs of the BSW module is called
静态状态变量应该被初始化为 0 在调用任何 API 之前
[SRS_BSW_00467] The init / deinit services shall only be called by BswM or EcuM
初始化函数只能由 BswM 或 EcuM 调用
[SRS_BSW_00437] Memory mapping shall provide the possibility to define RAM segments which are not to be initialized during startup
支持定义地址映射中的 RAM 段是否要初始化
# Normal Operation
[SRS_BSW_00168] SW components shall be tested by a function defined in a common API in the Basis-SW
[SRS_BSW_00407] Each BSW module shall provide a function to read out the version information of a dedicated module implementation
[SRS_BSW_00423] BSW modules with AUTOSAR interfaces shall be describable with the means of the SW-C Template
不知道啥意思,应该是有一些对 SWC 的适配和依赖
[SRS_BSW_00424] BSW module main processing functions shall not be allowed to enter a wait state
Bsw 模块的主处理函数不允许进入等待状态
[SRS_BSW_00425] The BSW module description template shall provide means to model the defined trigger conditions of schedulable objects
[SRS_BSW_00426] BSW Modules shall ensure data consistency of data which is shared between BSW modules
There are two possible scenarios
- Scenario 1: the data is defined and managed within one BSW Module. In this case, Exclusive Areas shall be defined and documented in the BSW module description template of the managing module and used in the implementation. The exclusive areas shall be defined with a name and the accessing maifunctions, API services, callback functions and ISR functions.
- Scenario 2: the data is not managed by a BSW Module. This is only possible in case of special hardware resources like registers. In this case, the accessing modules need to disable and enable interrupts to ensure data consistency
[SRS_BSW_00427] ISR functions shall be defined and documented in the BSW module description template
[SRS_BSW_00428] A BSW module shall state if its main processing function(s) has to be executed in a specific order or sequence
[SRS_BSW_00429] Access to OS is restricted
BSW modules shall only be allowed to use certain OS services.
The services and their access shall be defined in SWS_BSW_General.
BSW 应该只能访问特定的 OS 服务
[SRS_BSW_00432] Modules should have separate main processing functions for read/receive and write/transmit data path
BSW 模块要有自己的专门的读写发送接收函数
[SRS_BSW_00433] Main processing functions are only allowed to be called from task bodies provided by the BSW Scheduler
主处理函数只允许在 BSW 调度器调用
[SRS_BSW_00450] A Main function of a un-initialized module shall return immediately
[SRS_BSW_00461] Modules called by generic modules shall satisfy all interfaces requested by the generic module
[SRS_BSW_00451] Hardware registers shall be protected if concurrent access to these registers occur
[SRS_BSW_00478] Timing limits of main functions
# Shutdown Operation
[SRS_BSW_00336] Basic SW module shall be able to shutdown
# Fault Operation and Error Detection
[SRS_BSW_00337] Classification of development errors
[SRS_BSW_00369] All AUTOSAR Basic Software Modules shall not return specific development error codes via the API
[SRS_BSW_00339] Reporting of production relevant error status
AUTOSAR Basic Software Modules shall report all production errors and extended production errors to the Dem (Diagnostic Event Manager)
报给 DEM 去集中处理错误
[SRS_BSW_00422] Pre-de-bouncing of error status information is done within the Dem
[SRS_BSW_00417] Software which is not part of the SW-C shall report error events only after the Dem is fully operational.
为了简化处理,除了 SWC 其他的软件在 DEM 完全运行之后才进行处理
[SRS_BSW_00323] All AUTOSAR Basic Software Modules shall check passed API parameters for validity
[SRS_BSW_00004] All Basic SW Modules shall perform a pre-processor check of the versions of all imported include files
[SRS_BSW_00409] All production code error ID symbols are defined by the Dem module and shall be retrieved by the other BSW modules from Dem configuration
错误码在 DEM 中定义
[SRS_BSW_00385] List possible error notifications
[SRS_BSW_00386] The BSW shall specify the configuration and conditions for detecting an error
[SRS_BSW_00452] Classification of runtime errors
[SRS_BSW_00458] Classification of production errors
[SRS_BSW_00466] Classification of extended production errors
[SRS_BSW_00488] Classification of security events
[SRS_BSW_00489] Reporting of security events
AUTOSAR Basic Software Modules shall report the configured security events to the IdsM (Intrusion Detection System Manager).
[SRS_BSW_00490] List possible security events
[SRS_BSW_00491] Specification of trigger conditions and context data
[SRS_BSW_00492] Reporting of security events during startup
[SRS_BSW_00493] Definition of security event ID symbols
[SRS_BSW_00469] Fault detection and healing of production errors and extended production errors
[SRS_BSW_00470] Execution frequency of production error detection
[SRS_BSW_00471] Do not cause dead-locks on detection of production errors - the ability to heal from previously detected production errors
[SRS_BSW_00472] Avoid detection of two production errors with the same root cause
[SRS_BSW_00473] Classification of transient faults
# Non-Functional Requirements (Qualities)
# Software Architecture Requirements
[SRS_BSW_00161] The AUTOSAR Basic Software shall provide a microcontroller abstraction layer which provides a standardized interface to higher software layers
要提供标准的 MCAL 接口给上层
[SRS_BSW_00162] The AUTOSAR Basic Software shall provide a hardware abstraction layer
[SRS_BSW_00005] Modules of the µC Abstraction Layer (MCAL) may not have hard coded horizontal interfaces
Necessary interactions (e.g. GPT triggered ADC conversion) shall be implemented by using statically configurable notifications (callbacks).
MCAL 不推荐硬编码,必要的接口用回调函数实现
[SRS_BSW_00415] Interfaces which are provided exclusively for one module shall be separated into a dedicated header file
# Software Integration Requirements
[SRS_BSW_00164] The Implementation of interrupt service routines shall be done by the Operating System, complex drivers or modules
[SRS_BSW_00325] The runtime of interrupt service routines and functions that are running in interrupt context shall be kept short
中断应该占用时间短,如果用时较长就使用 OS Task 来替代
[SRS_BSW_00342] It shall be possible to create an AUTOSAR ECU out of modules provided as source code and modules provided as object code, even mixed
Some simple drivers could be provided as object code. More complex and configurable modules could be provided as source code or even generated code.
[SRS_BSW_00343] The unit of time for specification and configuration of Basic SW modules shall be preferably in physical time unit
[SRS_BSW_00160] Configuration files of AUTOSAR Basic SW module shall be readable for human beings
[SRS_BSW_00453] BSW Modules shall be harmonized
[SRS_BSW_00456] A Header file shall be defined in order to harmonize BSW Modules
那需要在 <Module Abbreviation>_GeneralTypes.h 头文件中声明
[SRS_BSW_00457] Callback functions of Application software components shall be invoked by the Basis SW
ASW 的回调是被 BSW 调用
[SRS_BSW_00479] Interfaces for handling request from external devices
[SRS_BSW_00483] BSW Modules shall handle buffer alignments internally
BSW 模块应该在内部处理 Buffer 对齐
# Software Module Design Requirements
[SRS_BSW_00007] All Basic SW Modules written in C language shall conform to the MISRA C 2012 Standard.
要符合 MISRA C 规范,违反规范要注明
[SRS_BSW_00413] An index-based accessing of the instances of BSW modules shall be done
基于索引的 BSW 模块
[SRS_BSW_00347] A Naming seperation of different instances of BSW drivers shall be in place
Driver modules shall be named according to the following rules (only for implementation, not for the software specification):
- First the module name has to be listed: <Module Abbreviation>
- After that the vendor Id defined in the AUTOSAR vendor list has to be given <Vendor Id
- At last a vendor specific name (the vendor API infix) follows <Vendor APIinfix>
- Only for API names, last name shall be <API Service name>
- All parts shall be separated by underscores "_".
- This naming extension applies to the following externally visible elements of the module:
- File names
- API names
- Published parameters
- Memory allocation keyword
- For API names, <Vendor specific name> should be followed by "_" and the <API Service Name>.
- For the creation of file names, no trailing underscore shall be added.
- For Published parameters and Memory allocation keyword names, <Vendor Specific name> shall have a trailing underscores.
- EEPROM (LD): Eep_21_LDExtEepDriver.c
- Published parameters: EEP_21_LDEXT_SW_MAJOR_VERSION
- API: Eep_21_LDExt_Init
[SRS_BSW_00441] Naming convention for type, macro and function
All AUTOSAR Basic Software Modules shall label enumeration literals and
#defines according to the following scheme:
- Composition: <Module Abbreviation>_<Specific name>
- <Module Abbreviation> shall be written in UPPERCASE
- <Specific name> shall be written in UPPERCAS
- <Module Abbreviation> and <Specific name> shall be separated by underscore
- If <Specific name> consists of several words, they shall be separated by underscore
The #define E_OK and E_NOT_OK are exceptions to this.
Example #define:
#define EEP_PARAM_CONFIG | |
#define EEP_SIZE |
Example enumeration literals:
typedef enum | |
{ | |
EEP_ARE = 1, | |
EEP_EV = 2 | |
} Eep_NotificationType; |
[SRS_BSW_00305] Data types naming convention
All AUTOSAR Basic Software Modules shall label data types according to the following scheme:
- Composition of type: <Module name>_<Type name>Type
- Only one underscore between module name and type name
- < Type name > shall be written in UpperCamelCase.
[SRS_BSW_00307] Global variables naming convention
- All AUTOSAR Basic Software Modules shall label global variables according to the following scheme:
- Composition of name: <Module name>_<Variable name>
- Only one underscore between module name and variable name
- Spelling of name: First letter of each word upper case, consecutive letters lower case
[SRS_BSW_00310] API naming convention
All AUTOSAR Basic Software Modules shall implement an API based on the following naming rules:
- Composition of API: <Module name>_ServiceName()
- Where <Mip> is the Module implementation prefix and <Sn> is the API Service name Module name: 2..8 letters, derived from [7]
- Only one underscore between module name and service name
- Spelling of API: First letter of each word upper case, consecutive letter lower case
- Can_TransmitFrame()
- Nm_RequestBusCommunication()
- Adc_Init()
- Eep_Write(
- Nvm_GetState()
[SRS_BSW_00494] ServiceInterface argument with a pointer datatype
A ServiceInterface argument with a pointer datatype (DATA_REFERENCE) shall have a Ptr postfix in its argument type and -name. No other argument type shall use this postfix in its argument type or -name. The argument direction of a pointer datatype is always IN.
[SRS_BSW_00373] The main processing function of each AUTOSAR Basic Software Module shall be named according the defined convention
The main processing function of each AUTOSAR Basic Software Module shall be named according to the following rule:
<Module name>_MainFunction_<module specific extension> ()
Module specific extension shall be used to distinguish between multiple mainprocessing functions of one module (e.g. Cluster index, Rx /Tx . . . ). If only one main processing function exists in one module no module specific extension is required.
It is responsibility of the modules to either define one main processing function and handle all the processing internally or define multiple main processing functions with appropriate module specific extensions.
This depends on Module requirements.
Main processing functions shall have no parameters and no return value.
Main processing functions shall not be re-entrant.
Possible main processing function of EEPROM driver: | |
void Eep_MainFunction(void) | |
Possible main processing functions of FlexRay driver: | |
void Fr_MainFunction_TxClst1(void) | |
void Fr_MainFunction_TxClst2(void) | |
void Fr_MainFunction_RxClst1(void) | |
void Fr_MainFunction_RxClst2(void) | |
Please Note: The Use case is no recommendation for the particular Module, it just illustrates Main processing function possibilities. |
[SRS_BSW_00327] Error values naming convention
All AUTOSAR Basic Software Modules shall apply the following naming rules for all error values:
- Error values shall have only CAPITAL LETTERS
- Naming convention: <MODULENAME>E<ERRORNAME>
- If <ERRORNAME> consists of several words, they shall be separated by underscores
The EEPROM driver has the following error values: | |
• EEP_E_BUSY | |
[SRS_BSW_00335] Status values naming convention
All AUTOSAR Basic Software Modules shall apply the following naming rules for status values that are visible outside of the module:
- Status values shall have only CAPITAL LETTERS
- If <STATUSNAME> consists of several words, they shall be separated by underscores
The Eeprom driver has the following status values: | |
• EEP_IDLE | |
[SRS_BSW_00350] All AUTOSAR Basic Software Modules shall allow the enabling/disabling of detection and reporting of development errors.
In Eep.h: | |
#define EEP_DEV_ERROR_DETECT STD_ON /* detection module | |
wide enabled */ | |
In source Eep.c: | |
#include "Eep.h" | |
. . . | |
.. | |
.. development errors to be detected | |
.. | |
#endif /* EEP_DEV_ERROR_DETECT */ |
可以用使能 / 使能检测和报告开发错误
[SRS_BSW_00408] All AUTOSAR Basic Software Modules configuration parameters shall be named according to a specific naming rule
All AUTOSAR Basic Software Modules configuration parameters shall be named according to the following naming rules:
- Naming convention: <Module Abbreviation><ParameterName>
< Module Abbreviation > is the prefix derived from [7].
< ParameterName > may consist of several words which may or may not be separated by underscore.
The configuration parameter name can either be in UpperCamelCase or Uppercase
Example: CanIfTxConfirmation
[SRS_BSW_00410] Compiler switches shall have defined values
Example: | |
Do : | |
.. | |
Don’t: | |
.. |
[SRS_BSW_00411] All AUTOSAR Basic Software Modules shall apply a naming rule for enabling/disabling the existence of the API
所有 AUTOSAR 的 API 都应该用宏定义来开关
[SRS_BSW_00463] Naming convention of callout prototypes
Each callout function shall be mapped to its own memory section and memory class. These memory classes will then be mapped to the actually implemented memory classes at integration time. | |
The following naming convention shall be used: | |
— Start section definition: — | |
— Stop section definition: — | |
\#define MSN_STOP_SEC_CBN_CODE | |
— Function prototype definition: — | |
void MSN_Cbn (void); | |
Where: | |
MSN: Module Short Name as officially defined in AUTOSAR (see supporting material). | |
CBN: Call Back Name, which shall have the same spelling of the Callback name including module reference but using only capital letters. | |
Cbn: Callback name using the conventional Camel Case notation for API names. |
Callback 的命名约定
[SRS_BSW_00464] File names shall be considered case sensitive regardless of the filesystem in which they are used
[SRS_BSW_00465] It shall not be allowed to name any two files so that they only differ by the cases of their letters
[SRS_BSW_00480] Null pointer errors shall follow a naming rule <MIP>_E_PARAM_POINTER
[SRS_BSW_00487] Errors for module initialization shall follow a naming rule <MIP>_E_UNINIT
[SRS_BSW_00481] Invalid configuration set selection errors shall follow a naming rule
[SRS_BSW_00482] Get version information function shall follow a naming rule
[SRS_BSW_00346] All AUTOSAR Basic Software Modules shall provide at least a basic set of module files
[SRS_BSW_00314] All internal driver modules shall separate the interrupt frame definition from the service routine
All internal driver modules shall separate the interrupt frame definition from the service routine in the following way:
- <Module name>_Irq.c: implementation of interrupt frame
- <Module name>.c: implementation of service routine called from interrupt frame
[SRS_BSW_00447] Standardizing Include file structure of BSW Modules Implementing Autosar Service
[SRS_BSW_00348] All AUTOSAR standard types and constants shall be placed and organized in a standard type header file
[SRS_BSW_00353] All integer type definitions of target and compiler specific scope shall be placed and organized in a single type header
[SRS_BSW_00301] All AUTOSAR Basic Software Modules shall only import the necessary information
[SRS_BSW_00302] All AUTOSAR Basic Software Modules shall only export information needed by other modules
[SRS_BSW_00328] All AUTOSAR Basic Software Modules shall avoid the duplication of code
[SRS_BSW_00312] Shared code shall be reentrant
[SRS_BSW_00006] The source code of software modules above the µC Abstraction Layer (MCAL) shall not be processor and compiler dependent.
[SRS_BSW_00439] Enable BSW modules to handle interrupts
[SRS_BSW_00448] Module SWS shall not contain requirements from other modules
[SRS_BSW_00449] BSW Service APIs used by Autosar Application Software shall return a Std_ReturnType
[SRS_BSW_00357] For success/failure of an API call a standard return type shall be defined
[SRS_BSW_00377] A Basic Software Module can return a module specific types
[SRS_BSW_00304] All AUTOSAR Basic Software Modules shall use only AUTOSAR data types instead of native C data types
要使用 AUTOSAR 定义的类型来代替原生 C 数据类型
[SRS_BSW_00378] AUTOSAR shall provide a boolean type
bool 类型
[SRS_BSW_00306] AUTOSAR Basic Software Modules shall be compiler and platform independent
[SRS_BSW_00308] AUTOSAR Basic Software Modules shall not define global data in their header files, but in the C file
不要在头文件中定义全局数据,在 C 文件中定义
[SRS_BSW_00309] All AUTOSAR Basic Software Modules shall indicate all global data with read-only purposes by explicitly assigning the const keyword
只读的要加 const
[SRS_BSW_00484] Input parameters of scalar and enum types shall be passed as a value.
[SRS_BSW_00485] Input parameters of structure type shall be passed as a reference to a constant structure
[SRS_BSW_00486] Input parameters of array type shall be passed as a reference to the constant array base type
[SRS_BSW_00358] The return type of init() functions implemented by AUTOSAR Basic Software Modules shall be void
init 函数返回值为空
[SRS_BSW_00414] Init functions shall have a pointer to a configuration structure as single parameter
init 函数应有单一一个指向配置的指针传入
[SRS_BSW_00359] All AUTOSAR Basic Software Modules callback functions shall avoid return types other than void if possible
回调函数的返回值都是 void
[SRS_BSW_00360] AUTOSAR Basic Software Modules callback functions are allowed to have parameters
[SRS_BSW_00440] The callback function invocation by the BSW module shall follow the signature provided by RTE to invoke servers via Rte_Call API
[SRS_BSW_00330] It shall be allowed to use macros instead of functions where source code is used and runtime is critical
It shall be allowed to use macros instead of functions where source code is used and runtime is critical.
It shall be allowed to use inline functions for the same purpose. Inline functions have the advantage (compared to macros) that the compiler can do type checking of function parameters and return values.
[SRS_BSW_00331] All Basic Software Modules shall strictly separate error and status information
[SRS_BSW_00462] All Standardized Autosar Interfaces shall have unique requirement Id / number
[SRS_BSW_00454] An alternative interface without a parameter of category DATA_REFERENCE shall be available.
[SRS_BSW_00477] The functional interfaces of AUTOSAR BSW modules shall be specified in C99
[SRS_BSW_00459] It shall be possible to concurrently execute a service offered by a BSW module in different partitions
[SRS_BSW_00460] Reentrancy Levels
# Software Documentation Requirements
[SRS_BSW_00009] All Basic SW Modules shall be documented according to a common standard.
The module documentation shall contain at least the following items: | |
• Cover sheet with title, version number, date, author, document status, | |
document name | |
• Change history with version number, date, author, change description, | |
document status | |
• Table of contents (navigable) | |
• Functional overview | |
• Source file list and description | |
• Module requirements | |
• Used resources (interrupts, µC peripherals etc.) | |
• Integration description (OS, interface to other modules etc.) | |
• Configuration description with parameter, description, unit, validrange, | |
default value, relation to other parameters | |
The module documentation shall also contain examples for | |
• the correct usage of the API | |
• the configuration of the module |
[SRS_BSW_00401] Documentation of multiple instances of configuration parameters shall be available
[SRS_BSW_00172] The scheduling strategy that is built inside the Basic Software Modules shall be compatible with the strategy used in the system
[SRS_BSW_00010] The memory consumption of all Basic SW Modules shall be documented for a defined configuration for all supported platforms.
文档记录参数配置还有 ROM/RAM 的消耗
[SRS_BSW_00333] For each callback function it shall be specified if it is called from interrupt context or not
[SRS_BSW_00374] All Basic Software Modules shall provide a readable module vendor identification
[SRS_BSW_00379] All software modules shall provide a module identifier in the header file and in the module XML description file.
头文件中有模块 ID
[SRS_BSW_00003] All software modules shall provide version and identification information
[SRS_BSW_00318] Each AUTOSAR Basic Software Module file shall provide version numbers in the header file
[SRS_BSW_00321] The version numbers of AUTOSAR Basic Software Modules shall be enumerated according specific rules
[SRS_BSW_00341] Module documentation shall contains all needed informations
[SRS_BSW_00334] All Basic Software Modules shall provide an XML file that contains the meta data
[SRS_BSW_00351] Encapsulation of compiler specific methods to map objects
# ErrorDescription
# Generic Mechanisms
# Report to the Diagnostic Event Manager (DEM)
# Diagnostic Event Manager
The DET (Default Error Tracer) provides access to the DEM and RTE(SW-C) over integrator specific code. The occurrence of a runtime error (signaled by calling Det_ReportRuntimeError API) or transient fault (signaled by calling the Det_ReportTransientFault API) triggers the execution of a corresponding error handler which may be implemented as callout within the Det by an integrator of a particular ECU and may only include the storage of the corresponding error event to a memory, a call to the module Dem or the execution of short and reasonable actions.
# Function Inhibition Manager
The RTE provides access to the DEM and FIM operations for the SWCs. It executes the runnables associated to the DEM monitors (DEM callbacks) when information is required from a SWC or when a SWC must be notified. No specific functionalities are provided for the DEM by the RTE.
RTE 为上层 SWC 提供了这些接口
# Communication related errors
# Overview
# Error handling mechanisms
# Error list for CAN stack
# Mappings of EH mechanisms to hardware failure modes
# Loss of communication channel
# CAN Bus Off
# Summary
Note: The AUTOSAR COM module (or other modules like CANNM or CANTP) will react on a BusOff indirectly because of the loss of the communication channel, but it is not aware of the specific kind of error. For this reason, these modules are not considered in this section.
COM 模块将会间接反应在 BussOff,因此不考虑
# Roles of the modules
CAN controller (peripheral)
CAN Driver
CAN Interface
CAN State Manager
Communication Manager
BSW State Manager
# CAN Controller Hardware Timeout
# Roles of the modules
CAN Driver
CAN Interface
CAN State Manager
Communication Manager
BSW State Manager
# Signal error
# CAN Transmission buffer full
# Roles of the modules
CAN Driver
CAN Interface
See also the COM TX Deadline Monitoring, which provide a mechanism to detect and react (from SWC) in case of such an error.
This error may also impact a TP (Transport Protocol) communication; in that case, this will be detected as a CAN Transport Protocol error during transmission.
# CAN Reception DLC error
Note: the CAN Reception DLC error can be used in combination with the COM RX Deadline Monitoring mechanism.
Also, the reception of a wrong DLC does not necessarily indicate a malfunction in the ECU, but can be caused by the ECU’s environment.
# Roles of the modules
CAN Interface
See also theCOM RX Deadline Monitoring, which provide a mechanism to detect and react (from SWC) in case of such an error.
This error may also affect the CAN Transport or Network Management protocols; in these cases, the error will also be detected by the CAN Transport Protocol error during reception mechanism or by the Network Management protocol.
# COM RX Deadline Monitoring
# Roles of the modules
COM TX Deadline Monitoring
# CAN Transport Protocol error during transmission
Note: In the figure above, the DCM represents the CANTP user. Other users of CANTP should react similarly (they will receive the indication of failures, and are responsible for initiating a recovery). Another user could be a SWC, with the communication routed to AUTOSAR COM by the PDU Router, or a Complex Driver.
# CAN Transport Protocol error during reception
Note: In the figure above, the DCM represent the CANTP user. Other users of CANTP should react similarly (they will receive the indication of failures, and are responsible for initiating a recovery). Another user could be a SWC, with the communication routed to AUTOSAR COM by the PDU Router, or a Complex Driver.
# Client / Server timeout
# NVRAM related errors
# Overview
# Error handling mechanisms
On the lower levels of the NVRAM stack, mechanisms are implemented in the drivers to detect hardware access problems. Detection mechanisms are harmonized between EEPROM and Flash drivers.
在 NVRAM 中驱动实现了检测硬件的机制
On the upper layers of the NVRAM stack (mainly in the NVRAM manager), mechanisms are implemented to detect data corruption, memory address corruption and loss of redundancy. All the recovery mechanisms for the detected errors in the NVRAM stack are handled by the NVRAM Manager.
在 NVRAM 堆栈的上层 (主要在 NVRAM 管理器中),实现了检测数据损坏、内存地址损坏和冗余丢失的机制。NVRAM 堆栈中检测到的所有错误恢复机制都由 NVRAM 管理器处理。
The error can be reported in polling or interrupt mode. The whole memory stack must be configured consistently with the usage done by SWC and BSW users.
# Driver level errors
# Flash write job error
Write job error is detected by HW (1). Flash Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. A recovery mechanism is present in the NVM module which permits to retry a write job in case of failure (3). If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5), see NVM API request failure.
# Flash erase job error
Erase job error is detected by HW (1). Flash Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. If the erase driver job is part of a write operation, write retries are initiated by the NVRAM manager (3) as soon as the error is reported to this layer. If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5), see NVM API request failure.
# Flash read job error
Read job error is detected by HW (1). Flash Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. Recovery is initiated by the NVRAM manager (3): one or more read attempts shall be made before continuing to read the redundant block or ROM data. If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5), see NVM API request failure.
# Flash compare job error
Note: Flash compare function is an internal mechanism for the Flash EEPROM Emulation to determine whether erasing / writing is needed or not. Compare job error is detected by HW (1). Flash Driver is the first SW module involved, and is responsible for the report to the DEM and to the Flash EEPROM Emulation (2) which have to reset some internal states in order to accept new requests.
# External Flash Hardware ID Mismatch
During the initialization of the external flash driver, the FLS module checks if there is a mismatch between the hardware ID of the external flash device and the corresponding published parameter (1). If there is a mismatch, the module stays uninitialized. An error is reported to the DEM and error status can also be forwarded to upper layers via
polling (2). No further reaction is described (error not taken into account at the NVRAM manager level). There is no recovery action.
# EEPROM write job error
Write job error is detected by HW (1). EEPROM Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. A recovery mechanism is present in the NVM module which permits to retry a write job in case of failure (3). If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5), see NVM API request failure.
# EEPROM erase job error
Erase job error is detected by HW (1). EEPROM Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. If the erase driver job is part of a write operation, write retries are initiated by the NVRAM manager (3) as soon as the error is reported to this layer. If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5),see NVM API request failure.
# EEPROM read job error
Read job error is detected by HW (1). EEPROM Driver is the first SW module involved, and is responsible for the report to the DEM and to upper layers (2). Upper layers have to reset some internal states in order to accept new requests. Recovery is initiated by the NVRAM manager (3): one or more read attempts shall be made before continuing to read the redundant block or ROM data. If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery also fails (4), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NOK (5), see NVM API request failure.
# EEPROM compare job error
Note: EEPROM compare function is an internal mechanism for the EEPROM Abstrac tion to determine whether erasing / writing is needed or not. Compare job error is detected by HW (1). EEPROM Driver is the first SW module involved, and is responsible for the report to the DEM and to the Flash EEPROM Emulation (2) which have to reset some internal states in order to accept new requests.
# EEPROM Abstraction / Flash Emulation level errors
# FEE consistency check error
The Flash EEPROM Emulation checks the consistency of the read data (1). If a con sistency error is detected, error status is forwarded to the NVRAM manager (2). The NVRAM manager reports NVM_E_INTEGRITY_FAILED to the DEM (3). Recovery is also initiated: "read retry", "read redundant block" and "read ROM block", if configured (4).If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery fails (5), the job result is set to NVM_REQ_INTEGRITY_FAILED (6).
# EA consistency check error
The EEPROM Abstraction checks the consistency of the read data (1). If a consistency error is detected, error status is forwarded to the NVRAM manager (2). The NVRAM manager reports NVM_E_INTEGRITY_FAILED to the DEM and recovery is initiated: "read retry", "read redundant block" and "read ROM block", if configured (3). If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery fails (4), the job result is set to NVM_REQ_INTEGRITY_FAILED (5).
# NVRAM manager level errors
# NVM CRC check
If the NV block is configured with CRC, the NVRAM Manager checks if there is a CRC mismatch on the RAM block at the end of the reading operation (1). If so, NVM_E_INTEGRITY_FAILED error is reported to the DEM. Recovery is also initiated: "read retry", "read redundant block" and "read ROM block", if configured (2). If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery fails (3), the job result is set to NVM_REQ_INTEGRITY_FAILED (4).
# NVM write verification error
The NVRAM Block written to NV memory is immediately read back and compared with the original content in RAM (1). If the verification fails, NVM_E_VERIFY_FAILED error is reported to the DEM, and recovery is initiated with write retries if configured (2). If the recovery fails (3), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NVM_REQ_NOT_OK (4), see NVM API request failure.
# Static block check error
The Static Block ID check mechanism located in the NVRAM manager provides means to detect if the wrong block has been read from the NV memory due to an addressing problem. The NVRAM Manager stores the NV Block Header including the Static Block ID in the NV Block each time the block is written to NV memory. During read operation, the NV header is compared to the requested block ID (1). If the static block ID check fails then the failure NVM_E_WRONG_BLOCK_ID is reported to DEM and read recovery is initiated ("read retry", "read redundant block" and "read ROM block" if configured) (1). If recovery actions imply a loss of redundancy or the use of ROM data, the NVRAM manager reports the loss of data quality via the job result. A DEM error is reported for the loss of redundancy (see Loss of redundancy). If the recovery also fails (3), the NVRAM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NVM_REQ_NOT_OK (4), see NVM API request failure.
# Loss of redundancy
In case one redundant block is invalid during read or write (1), an attempt is made by the NVRAM manager to immediately recover the NV Block using data from the incorrupt NV Block (2). If the recovery fails (3), the error code NVM_E_LOSS_OF_REDUNDANCY is reported to the DEM and the NVRAM manager sets the job result to NVM_REQ_REDUNDANCY_FAILED (4).
# NVM API request failure
The NVRAM manager is notified of an error detected by the subsequent layers during the process of a NVM function or by an internal detection mechanism, write verification static block check, or config ID mismatch (1). Different recovery mechanisms are available at the NVRAM manager level de pending on the type of function involved, writing or reading (2). If the available recovery mechanisms fail (3), the NVM manager reports NVM_E_REQ_FAILED error to the DEM and sets the job result to NVM_REQ_NOT_OK (4).
# ApplicationLevelErrorHandling
# Error model
Design of dependable systems is based on a systematic analysis of potential faults (fault models) i.e., a set of postulated faults, derived from the operating environment of the system, which helps the designer or user to predict the consequences of these fault and define mechanisms for handling (detect, recover from etc.) those particular faults.
# Error handling mechanisms
- Plausibility checks
- 合理性检查,变量的值的合理性
- Substitute Values
- 替代值
- Voting
- 构建冗余,去 3 选 2
- Agreement
- The difference between agreement and voting mechanisms is that when using agreement components interact to reach a decision, whereas in voting it is left to the voter to decide. Agreement protocols could be compared with closed loop systems, where the feedback consists of the sent messages received by all other parties.
- 闭环有 feedback
- Voting 开环
- Checksums/Codes
- 校验和
- Execution sequence monitoring
- 执行顺序监控
- Aliveness monitoring
- 活力监测
- Status and Mode Management
- 状态和模式管理
- Status and mode management deals with meta information for signals, applications, devices, etc. This meta information can be used to analyse the state of the system in order to isolate a faulty subsystem/component and modify its behaviour accordingly.
- 状态和模式管理用来处理信号、应用、设备等的元信息。
- Signal status: In addition to the value, a signal may have meta information as sociated with it, such as
- Signal quality: This indicates the quality of the value, such as nominal value, modelled value, replacement value, and default value. The receiver of the signal may react differently depending on the quality of the signal.
- Signal timestamp: This indicates when the value was created and can be used to check the age of a signal. If a calculation uses several input signals, one can check that all input signals are created within a tolerable time window.
- Signal sequence number: It may be of interest to check that signal values are received in a certain order, and that no values or lost between reads. Also, sequence numbers can be used in a similar fashion as timestamps in that they allow a check that all values in a group are from a particular creation window (same sequence number, or with a minimum/maximum deviation).
- Update information: A consumer of a signal may want to know whether a signal has been updated since the last read or not.
- Device status: An application may want to know the status of the devices it uses, such as sensors and actuators. If a device is not in normal operation, applications may want to choose to deliver some form of degraded service.
- Application status/mode: An application can also have a status, or a mode, which indicates the overall health or operating situation of the application. This status/mode can be used for recovery purposes, both internally in the said application and externally by other application.
- Vehicle mode: A vehicle may be in a number of different modes (e.g. normal operation, parked, limp-home) and the applications will have to behave accordingly.
- ECU Mode: An ECU may be in different states, such as sleeping, running, powered down, and transitional states between such states.
- 信号状态
- 信号质量
- 信号时间戳
- 信号序列号
- 更新信息
- 设备状态
- 应用状态 / 模式
- 车辆模式
- ECU 模式
- Reconfiguration
- A technique for building fault-tolerant systems is to detect and isolate faults and then reconfigure the system to no longer use the faulty component, or to reconfigure to provide only a degraded set of services (or level of service).
- Reset
- Error Filtering
- Memory Protection
- Memory protection is used to protect against errors propagating from one protection domain (partition) to another.
- 内存保护防止了从一个内存保护区传播到另一个内存保护区。不同的功能有不同不内存,不能使用不是本功能的内存。
- Timing Protection
- Timing protection refers to protecting the system against activities requiring too much time to complete, such as an executing component taking too much execution time on the processor and thereby hindering the execution of other components, communication delays, peripheral units not responding in time, etc.
- For activities, one may define time budgets providing an upper limit on how much time a given acitivy may use. For example, one may choose to set execution time budgets for components, or a maximum response times for communication.
- 对于活跃的任务,设定时间预算。
# Terminating and restarting partitions
The main focus is on handling faults which lead to one of the following:
- Protection violation caused by erroneous memory access. This is detected by the OS (with support from an MMU).
- Protection violation caused by exceeding of allocated execution time budget. This is detected by the OS.
- Detection of application states which do not trigger a protection violation but require termination or restart of a partition.
- 内存访问错误
- 超出时间预算
- 检测不触发保护但需要终止或重启的冲突
# Rationale - Use Cases
Terminating and restarting an application is a basic approach to minimizing error propagation and performing error recovery (mainly the restart functionality). Two main usecases have been identified for AUTOSAR error handling and are presented in this section.
# Use Case 1: Software Partitioning [UC1]
# Use Case 2: Application-level Error Handling [UC2]
# Error handling of distributed automotive applications
An application-level error manager (ALEM) would deal with issues that arise from such distribution. For example, if the termination of a partition leads to a need to terminate other partitions (not necessarily on the same ECU), this would be triggered by the ALEM.
# OEM-specific error handling
# Application-level Error Managers
# Approach for Terminating and Restarting Partitions
In the subsequent sections, the text describes the support in AUTOSAR OS, BSW and RTE.
# OS features
An OS Application is a set of OS objects, such as
- tasks,
- interrupt service routines,
- alarms,
- schedule tables
For instance application specific hook functions can be defined, such as startup and shutdown hook functions.
可以定义 startup 或 shutdown 的钩子函数
For OS controlled objects, there are a number of protection mechanisms available (see[14]). The mechanisms relevant for the termination/restart approach are memory protection and timing protection.
Memory protection covers stack and data and, optionally,code of OS-Applications.
Timing protection is based on execution time budgets and arrival rates.
对于 OS 控制的对象
保护类型 | 保护内容 |
内存保护 | 栈,数据,代码(可选) |
时间保护 | 时间预算,到达率 |
OS-Applications are divided into i) trusted OS-Applications and ii) non-trusted OSApplications (see [14]).
OS App | 类型 | |
Trusted OS-Applications | 信任 | 特权模式(不受监控) |
Non-trusted OS-Applications | 不信任 | 非特权模式(被内存保护和时间保护监控) |
Protection Hook
The system has a single global Protection Hook.
- 这个钩子如果没有配置就 ShutdownOS ();
- 配置了的话根据返回值来处理(函数的实现是可自行决定如何处理的)
- PRO_IGNORE: Do nothing
- PRO_TERMINATETASK: Forcibly terminate the faulty Task/Category 2 OsIsr
- PRO_TERMINATEAPPL: Forcibly terminate the faulty OS-Application
- PRO_TERMINATEAPPL_RESTART: Forcibly terminate the faulty OS-Application and trigger the execution of the OSRestartTask.
- PRO_SHUTDOWN: Call ShutdownOS().
TerminateApplication() API
有这么一个函数可以终止 OS-Application
这个函数执行时他会是当前分区的唯一任务,也有一个决策决定终止 / 重启 OS-Application
OS-Application state machine
Partition state machine
Error handling strategy in the Protection Hook
当 OS 发现违反保护时,一下信息需要要收集
- Partition ID
- Error type
- Partition restart counter
- OS-Application State
Based on the input the Protection Hook needs to decide what to do:
- Do nothing
- Restart the partition
- Terminate the partition
- Shutdown OS/ECU
Clean-up activities in the OSRestartTask
当发生 OSRestartTask 时,各个模块有一些必要的处理。
【AUTOSAR_CP_EXP_ApplicationLevelErrorHandling.pdf】P61 页
# Support for Use Cases
UC1: SW Partitioning
By placing each application requiring protection in an OS-Application, partitioning between applications is achieved. Possible reactions to errors include terminating and restarting of the affected partition. UC1 is therefore fully covered.
把 SW 放在不同的 OS-Application 可以实现软件分区
# Integrator Responsibility
大白话就是拆分 sw-c 分不同的区,设定好保护的规则和钩子,设定好 cleanup 的行为。
# CDDDesignAndIntegrationGuideline
# Introduction to CDD
- A CDD may need to interface to modules of the layered software architecture
- A module of the layered software architecture may need to interface to a CDD
- A CDD may need to interface SW-Cs via Rte
- 都是简单的单词,很好理解,我就懒得翻译了略略略
# CDD design recommendations
CDD 的设计建议
# Documentations
User’s Manual
CDD designer shall provide a User’s Manual to ease the integration and provide information to customers:
- CDD introduction and overviewCDD
- 简介和概述
- Description of the functional operations (initialisation, normal, shutdown, fault operation...)
- 功能操作描述
- Description of the relationship with and need from other BSW Modules, SchM and Rte; e.g. memory blocks from NvM, critical sections to configure.
- 描述与其他 BSW 模块、SchM 和 Rte 的关系
- Files structure and dependencies
- 文件结构和依赖关系
- Description of the interfaces (including services): name, description, re-entrancy, parameters (names, types, ranges, values), return value (name, type, range, values), configuration class.
- Description of the non-functional requirements: timing and behaviour requirements, resource usage, behaviour with other BSW modules or SW-C...
- 描述时间啊行为的要求、资源使用情况、与其他 BSW 模块或 SWC 的行为
- Description of the Dem errors, optionally Det errors, debug variables
- 描述 Dem 错误
- Description of the configuration parameters (names, types, ranges, values).
- 配置参数的描述
- Description of the memory mapping needs (Flash, RAM)
- 描述内存映射需求
- Usage limitations and open issues
- 使用限制和未解决的问题
- Integration constraints and requirements to other modules
- 集成的制约因素和对其他模块的要求
- Examples
- 例子
Module ID
# Implementation
- CDD shall respect the input specifications [2], [3], [5], [6], [7], [8], [9], [10].
- CDD shall protect its critical resources defining critical sections which can be handled by SchM or OS mechanisms.
- CDD 应保护其关键资源,界定可由 SchM 或 OS 机制处理的关键部分。
- CDD mode may be manageable by EcuM and BswM modules.
- CDD 模式可通过 EcuM 和 BswM 模块进行管理
- CDD may handle its memory sections using the memory mapping mechanisms.
- CDD 可以使用内存映射机制来处理其内存部分
- CDD may report its errors using Det or Dem modules.
- CDD 可使用 Det 或 Dem 模块报告其错误
# CDD Files
Code file(s)
- CDD_<MODULENAME>_Callout.c
Header file(s)
CDD module may include Det.h and/or Dem.h header files to report errors.
CDD module may include <Mip>_MemMap.h header file if some memory mapping area have to be defined where <Mip> is the Module Implementation Prefix.
CDD module may include Rte_CDD_<MODULENAME>.h header file if interfaces to the Rte are configured.
# Behaviour and Interfaces description
Some CDD not only have interfaces to other BSW modules or clusters, but have also more abstract interfaces accessed from application SW-Cs via the Rte.
一些 CDD 不仅具有与其他 BSW 模块或集群的接口,而且还具有通过 Rte 从应用程序 SWC 访问的更抽象的接口。
- Description of the CDD services
- Types and ports interfaces
- Description of internal behaviour and runnable Entities
- Description of the required triggered events of runnable Entities
- Description of exclusive Areas for shared resources protection
- Memory mapping
# Interfacing to other modules
- Interfacing to Rte and SW-C
- Interfacing to libraries
- Interfacing to standard BSW modules
- CDD shall provide all configuration parameters which are necessary to satisfy other AUTOSAR modules which rely on the information,
- 依赖注入
# Interfacing to standard BSW modules
Interfacing with BSW Mode Manager & ECU State Manager
ECU State Manager should be used for:
- Init and De-Init functions shall be exclusively called by the EcuM and/or the BswM modules.
- If a CDD handles a wakeup source, it must follow the protocol for handling wakeup events specified in the document [11] Specification of ECU State Manager.
BSW Mode Manager should be used for:
- CDD modes changed management
Interfacing with Memory Stack
Interfacing with Watchdog Stack
Interfacing with Communication Stack
Several access points are possible:
- It is possible to interface to the PDU Router module to handle IPDU.
- It is possible to interface to the <Bus> Interface.
- It is possible to interface to the NM module.
- It is possible to interface the TcpIp module.
- It is possible to directly interface to Com module as it is possible to have signal interface.
Interfacing with XCP module
Interfacing with Diagnostic Log and Trace
Interfacing with Default Error Tracer and Diagnostic Event Manager
Interfacing with OS
Interfacing with StbM module
CDD in multi-cores system
CDD module of the MCAL
# StandardTypes
Type definitions
[SWS_Std_00005] Definition of datatype Std_ReturnType
Layout of the Std_ReturnType shall be as stated in the RTE specification. Bit 7 and Bit 8 are reserved and defined by the RTE specification.
返回值类型 Std_ReturnType
也就是说这两个是 RTE 的哦
# PlatformTypes
Byte Ordering (Memory)
Big Endian byte ordering 大端
Little Endian byte ordering 小端
# CommunicationStackTypes
# API specification Type definitions
- [SWS_COMTYPE_00005] Definition of datatype PduIdType
- This type is used within the entire AUTOSAR Com Stack except for bus drivers.
- [SWS_COMTYPE_00008] Definition of datatype PduLengthType
- This type shall be used within the entire AUTOSAR Com Stack of an ECU except for bus drivers.
- [SWS_COMTYPE_00011] Definition of datatype PduInfoType
- Variables of this type shall be used to store the basic information about a PDU of any type, namely a pointer variable pointing to its SDU (payload), a pointer to Meta Data of the PDU, and the corresponding length of the SDU in bytes.
- [SWS_COMTYPE_00036] Definition of datatype PNCHandleType
- Used to store the identifier of a partial network cluster.
- [SWS_COMTYPE_00031] Definition of datatype TPParameterType
- Specify the parameter to which the value has to be changed (BS or STmin).
- [SWS_COMTYPE_00012] Definition of datatype BufReq_ReturnType
- Variables of this type shall be used to store the result of a buffer request.
- [SWS_COMTYPE_00027] Definition of datatype TpDataStateType
- Variables of this type shall be used to store the state of TP buffer
- [SWS_COMTYPE_00037] Definition of datatype RetryInfoType
- Variables of this type shall be used to store the information about Tp buffer handling.
- [SWS_COMTYPE_00037] Definition of datatype RetryInfoType
- Variables of this type shall be used to store the information about Tp buffer handling.
- [SWS_COMTYPE_91001] Definition of datatype CbkHandleIdType
- Used for the handle Ids of Com and LdCom user callbacks.
[SWS_COMTYPE_91002] Definition of datatype TimeTupleType
The Time Tuple represents the clock values of two related HW clocks
- the value of the clock used for timestamping of frame
- and the corresponding value of the adjustable HW clock, derived by cross-timestamping
- [SWS_COMTYPE_91003] Definition of datatype TimeStampType
- [SWS_COMTYPE_91004] Definition of datatype TimeStampQualType
- Depending on the HW, quality information regarding the evaluated timestamp might be supported. If not supported, the value shall be always Valid. For Uncertain and Invalid values, the upper layer shall discard the time stamp.
- [SWS_COMTYPE_91005] Definition of datatype ListElemStructType